Bugtraq
mailing list archives
Re[2]: W2k: Unkillable Applications
From: Dimitry Andric <dim () xs4all nl>
Date: Tue, 17 Jul 2001 22:07:55 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 2001-07-17 at 18:58:40 Chris Adams wrote:
CA> It might be worth seeing exactly what triggers this behaviour in the task
CA> manager - the application tab might have a different filtering criteria
CA> (e.g. is it strictly ACL-based or might it be looking at something like the
CA> original filename attribute in the exe header?).
The names of the executables are hardcoded in taskmgr.exe, and form
the following list:
services.exe
smss.exe
winlogon.exe
csrss.exe
If the name of an executable in the Processes tab matches any of this
list, Task Manager refuses to kill it. In short, rename your trojan
to any of the above. ;-)
It is a strangely implemented feature, because you might consider many
other processes not in this list "critical system processes", such as
lsass.exe, svchost.exe, etc. You can try to kill these, but you will
simply get Access Denied, since Task Manager tries OpenProcess(),
which fails.
Cheers,
- --
Dimitry Andric <dim () xs4all nl>
PGP Key: http://www.xs4all.nl/~dim/dim.asc
Fingerprint: 7AB462D2CE35FC6D42394FCDB05EA30A2E2096A3
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5i
Comment: http://www.gn.apc.org/duncan/stoa_cover.htm
iQA/AwUBO1SNErBeowouIJajEQKJzwCfaqkiAHPd+b/F1QQb3hoy2e2vhTAAn0d8
JRcFko4dUhFxsVkYVwtsFtQn
=CigK
-----END PGP SIGNATURE-----
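
A detection-side illustration of the message above, added here and not part of the original post: because Task Manager's check is by file name only, a process using one of the four names from any directory other than the system one deserves a look. The snapshot format, the `C:\WINNT` system root and the rule that the genuine binaries load from `<SystemRoot>\System32` are assumptions of this example.

```python
import ntpath

# The four names the post says are hardcoded in taskmgr.exe.
PROTECTED_NAMES = {"services.exe", "smss.exe", "winlogon.exe", "csrss.exe"}

def canonical(path, system_root):
    # Normalise a Windows image path. Native forms such as \??\C:\... and
    # \SystemRoot\... are commonly reported for smss.exe and csrss.exe.
    if path.startswith("\\??\\"):
        path = path[4:]
    elif path.lower().startswith("\\systemroot\\"):
        path = system_root + path[len("\\SystemRoot"):]
    # normpath resolves "..", normcase lowercases and unifies separators.
    return ntpath.normcase(ntpath.normpath(path))

def find_impostors(processes, system_root=r"C:\WINNT"):
    # processes: iterable of {"pid": int, "path": str} records
    # (hypothetical snapshot format, e.g. exported from a process lister).
    # Assumption: genuine copies run only from <SystemRoot>\System32.
    good_dir = canonical(ntpath.join(system_root, "System32"), system_root)
    hits = []
    for proc in processes:
        full = canonical(proc["path"], system_root)
        directory, name = ntpath.split(full)
        if name in PROTECTED_NAMES and directory != good_dir:
            hits.append((proc["pid"], full))
    return hits

# Constructed sample snapshot, not taken from a real system.
SAMPLE = [
    {"pid": 8,    "path": r"\SystemRoot\System32\smss.exe"},
    {"pid": 164,  "path": r"\??\C:\WINNT\system32\csrss.exe"},
    {"pid": 212,  "path": r"C:\WINNT\system32\services.exe"},
    {"pid": 900,  "path": r"C:\WINNT\system32\notepad.exe"},
    {"pid": 1044, "path": r"C:\Documents and Settings\user\Local Settings\Temp\SERVICES.EXE"},
    {"pid": 1100, "path": r"C:\WINNT\system32\..\winlogon.exe"},
]

if __name__ == "__main__":
    for pid, path in find_impostors(SAMPLE):
        print(f"pid {pid}: protected name outside System32: {path}")
```
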