[21577] in bugtraq
Re: W2k: Unkillable Applications
daemon@ATHENA.MIT.EDU (Chris Adams)
Tue Jul 17 14:38:54 2001
Date: Tue, 17 Jul 2001 09:58:40 -0700
From: Chris Adams <chris@improbable.org>
To: <bugtraq@securityfocus.com>
Message-ID: <B779BCCF.3E83%chris@improbable.org>
In-Reply-To: <0c4501c10edc$69595260$c800000a@justin.net>
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
on 2001-07-17 09:20, Justin Nelson at security@jm4n.com wrote:
>> cannot confirm that. I renamed one of my applications to
>> Winlogon.exe and succeeded to kill it without any problem
>> with taskmanager.
>
> Under Windows 2000 Pro, I made a copy of "notepad.exe" renamed to
> "winlogon.exe", and could not kill it via the Task Manager. Both the 'kill'
> command and the VC++ debugger were able to kill it.
Task Manager is really inconsistent - I renamed a copy of notepad to
winlogon.exe. If I start it and try to kill it through the "Applications"
tab of the task manager, it will be killed as normal. If I try to kill it
through the "Processes" tab, task manager won't let me.
It might be worth seeing exactly what triggers this behaviour in the task
manager - the application tab might have different filtering criteria
(e.g. is it strictly ACL-based or might it be looking at something like the
original filename attribute in the exe header?). In any case, a malicious
attacker could simply make a program which doesn't open a window, which
would cause it not to show up in the Applications tab.