[21601] in bugtraq

RE: W2k: Unkillable Applications

daemon@ATHENA.MIT.EDU (Toomas Kiisk)
Wed Jul 18 12:00:36 2001

Date: Wed, 18 Jul 2001 16:22:13 +0200 (EET)
From: Toomas Kiisk <vix@cyber.ee>
To: Frank Breedijk <FrankB@InterXion.com>
Cc: <bugtraq@securityfocus.com>
In-Reply-To: <9DEF5AE699246E48BBBC3B9469681C0010C9E2@NL-AMS-06.office.interxion.net>
Message-ID: <Pine.LNX.4.33.0107181603170.3831-100000@ondatra.tartu-labor>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Tue, 17 Jul 2001, Frank Breedijk wrote:

> > I'm sure they could have told you that an administrator
> > can end system processes by right clicking on them and
> > choosing "Debug" and then ending the process.
>
> That feature is only available on systems with a debugger installed.
> Mine isn't
>

There's no need for a debugger. SE_DEBUG privilege is simply
disabled by default, and it must be enabled using
AdjustTokenPrivileges(). Here's the source of a small
utility I posted a few years ago to ee.arvutid.microsoft;
hopefully it is self-explanatory. The source has undergone
some "formatting" by the google archive, so there may be a few
underscores missing.


--------------begin kill.c----------
#include <windows.h>
#include <malloc.h>
#include <stdio.h>
#include <stdlib.h>
#include <stdarg.h>


void usage_exit( void );
void w32_error( const char *blah, ... );


int main( int argc, char **argv )
{
	HANDLE proc, token;
	TOKEN_PRIVILEGES *p = NULL, *dummy = NULL;
	DWORD psize = 0, i = 0;

	if ( argc < 2 )
		usage_exit();

	/* Explicit check instead of assert(): an assert() with a side
	   effect vanishes when compiled with NDEBUG. */
	if ( ! OpenProcessToken( GetCurrentProcess(),
			TOKEN_ALL_ACCESS, &token ) ) {
		w32_error( "OpenProcessToken()" );
		exit( 1 );
	}

	/* First call with a zero-sized buffer fails with
	   ERROR_INSUFFICIENT_BUFFER and reports the size needed. */
	while ( ! GetTokenInformation( token, TokenPrivileges, p,
				psize, &psize ) ) {
		if ( GetLastError() != ERROR_INSUFFICIENT_BUFFER ) {
			w32_error( "GetTokenInformation()" );
			exit( 1 );
		}
		if ( ! (p = alloca( psize ) ) ) {
			w32_error( "alloca( %lu )", psize );
			exit( 1 );
		}
	}

	/* Enable every privilege the token already holds (SE_DEBUG among
	   them for an administrator); privileges absent from the token
	   cannot be added this way. */
	for ( i=0; i<p->PrivilegeCount; i++ )
		p->Privileges[ i ].Attributes |= SE_PRIVILEGE_ENABLED;

	while ( ! AdjustTokenPrivileges( token, FALSE, p, psize,
				dummy, &psize ) ) {
		if ( GetLastError() != ERROR_INSUFFICIENT_BUFFER ) {
			w32_error( "AdjustTokenPrivileges()" );
			exit( 1 );
		}
		if ( ! (dummy = alloca( psize ) ) ) {
			w32_error( "alloca( %lu )", psize );
			exit( 1 );
		}
	}

	/* Each remaining argument is a PID; failures are reported and
	   the loop moves on to the next one. */
	while ( --argc ) {
		proc = OpenProcess( PROCESS_TERMINATE, FALSE,
				(DWORD)atoi( argv[ argc ] ) );
		if ( proc == NULL ) {
			w32_error( "OpenProcess(): PID=%s",
				argv[ argc ] );
			continue;
		}

		if ( ! TerminateProcess( proc, 1 ) ) {
			(void)CloseHandle( proc );
			w32_error( "TerminateProcess(): PID=%s", argv[ argc ] );
			continue;
		} else {
			(void)CloseHandle( proc );
			fprintf( stdout, "PID=%s killed\n", argv[ argc ] );
		}
	}

	return 0;
}

void usage_exit( void )
{
	fprintf( stderr, "Usage:\tkill <pid list>\n" );
	exit( 1 );
}

/* Print a printf-style message followed by the text of GetLastError(). */
void w32_error( const char *blah, ... )
{
	char *msg;
	va_list a;

	if ( FormatMessageA(
			FORMAT_MESSAGE_ALLOCATE_BUFFER |
			FORMAT_MESSAGE_FROM_SYSTEM,
			NULL,    GetLastError(),
			MAKELANGID(LANG_NEUTRAL,
			SUBLANG_DEFAULT),
			(LPSTR)&msg, 0, NULL ) )
	{
		va_start( a, blah );
		(void)vfprintf( stderr, blah, a );
		(void)fprintf( stderr, ": %s\n", msg );
		(void)LocalFree( msg );
		va_end( a );
	}
}

