[21589] in bugtraq
Re[2]: W2k: Unkillable Applications
daemon@ATHENA.MIT.EDU (Dimitry Andric)
Tue Jul 17 18:28:27 2001
Date: Tue, 17 Jul 2001 22:07:55 +0200
From: Dimitry Andric <dim@xs4all.nl>
Reply-To: Dimitry Andric <dim@xs4all.nl>
Message-ID: <88114848.20010717220755@xs4all.nl>
To: Chris Adams <chris@improbable.org>
Cc: bugtraq@securityfocus.com
In-Reply-To: <B779BCCF.3E83%chris@improbable.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
On 2001-07-17 at 18:58:40 Chris Adams wrote:
CA> It might be worth seeing exactly what triggers this behaviour in the task
CA> manager - the application tab might have a different filtering criteria
CA> (e.g. is it strictly ACL-based or might it be looking at something like the
CA> original filename attribute in the exe header?).
The names of the executables are hardcoded in taskmgr.exe, and form
the following list:
services.exe
smss.exe
winlogon.exe
csrss.exe
If the name of an executable in the Processes tab matches any entry in
this list, Task Manager refuses to kill it. In short, rename your trojan
to any of the above. ;-)
It is a strangely implemented feature, because you might consider many
other processes not in this list "critical system processes", such as
lsass.exe, svchost.exe, etc. You can try to kill these, but you will
simply get Access Denied, since Task Manager tries OpenProcess(),
which fails.
Cheers,
--
Dimitry Andric <dim@xs4all.nl>
PGP Key: http://www.xs4all.nl/~dim/dim.asc
Fingerprint: 7AB462D2CE35FC6D42394FCDB05EA30A2E2096A3
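A defensive counterpart to the name check described in the post above, as an added example that is not part of the original message: it flags any process that uses one of the four hard-coded names but whose image runs from outside the system directory, which is exactly what a renamed binary would look like. SYSTEM_DIR, the constructed sample snapshot and the helper names are assumptions.

```python
import ntpath

# Names that taskmgr.exe refuses to end, as listed in the post above.
PROTECTED_NAMES = {"services.exe", "smss.exe", "winlogon.exe", "csrss.exe"}

# Assumed location of the genuine binaries on a Windows 2000 host
# (adjust to %SystemRoot%\System32 on other installations).
SYSTEM_DIR = r"c:\winnt\system32"


def is_masquerading(name, exe_path):
    """True if a protected name is running from outside the system directory."""
    if name.lower() not in PROTECTED_NAMES:
        return False
    directory = ntpath.dirname(exe_path).lower().rstrip("\\")
    return directory != SYSTEM_DIR


def flag_masquerading(processes):
    """Return (pid, name, exe) for every process hiding behind a protected name."""
    return [(pid, name, exe) for pid, name, exe in processes
            if is_masquerading(name, exe)]


# Constructed sample snapshot (pid, image name, full path); not real data.
SAMPLE = [
    (4, "System", ""),
    (160, "smss.exe", r"C:\WINNT\system32\smss.exe"),
    (184, "csrss.exe", r"C:\WINNT\system32\csrss.exe"),
    (1340, "csrss.exe", r"C:\Documents and Settings\user\Local Settings\Temp\csrss.exe"),
    (1412, "winlogon.exe", r"C:\WINNT\system32\winlogon.exe"),
    (1500, "notepad.exe", r"C:\WINNT\notepad.exe"),
]


def live_snapshot():
    """Same tuple shape taken from the running host; requires the psutil package."""
    import psutil
    return [(p.info["pid"], p.info["name"] or "", p.info["exe"] or "")
            for p in psutil.process_iter(["pid", "name", "exe"])]


if __name__ == "__main__":
    for pid, name, exe in flag_masquerading(SAMPLE):
        print(f"PID {pid}: {name} running from {exe!r}")
```

Replace SAMPLE with live_snapshot() to run the same check against the local process table.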