RE: W2k: Unkillable Applications

• Previous message: twiz - Perla Enrico: "Re: 2.4.x/Slackware Init script vulnerability"
• In reply to: Frank Breedijk: "RE: W2k: Unkillable Applications"
• Next in thread: David LeBlanc: "RE: W2k: Unkillable Applications"
• Next in thread: Kaido Karner: "RE: W2k: Unkillable Applications"
• Reply: David LeBlanc: "RE: W2k: Unkillable Applications"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, 17 Jul 2001, Frank Breedijk wrote:

> > I'm sure they could have told you that an administrator
> > can end system processes by right clicking on them and
> > choosing "Debug" and then ending the process.
>
> That feature is only available on systems with a debugger installed.
> Mine isn't
>

There's no need for a debugger. SE_DEBUG privilege is simply
disabled by default, and it must be enabled using
AdjustTokenPrivileges(). Here's the source of a small
utility I posted few years ago to ee.arvutid.microsoft,
hopefully it is self-explanatory. The source has undergone
some "formatting" by google archive, so there may be few
underscores missing.


--------------begin kill.c----------
#include <windows.h>
#include <malloc.h>
#include <stdio.h>
#include <stdarg.h>
#include <assert.h>


void usage_exit( void );
void w32_error( const char *blah, ... );


int main( int argc, char **argv )
{
	HANDLE proc, token;
	TOKEN_PRIVILEGES *p = NULL, *dummy = NULL;
	DWORD psize = 0, i = 0;

	if ( argc < 2 )
		usage_exit();

	assert( OpenProcessToken( GetCurrentProcess(),
			TOKEN_ALL_ACCESS, &token ) );

	while ( ! GetTokenInformation( token, TokenPrivileges, p,
				psize, &psize ) ) {
		if ( GetLastError() != ERROR_INSUFFICIENT_BUFFER ) {
			w32_error( "GetTokenInformation()" );
			exit( 1 );
		}
		if ( ! (p = alloca( psize ) ) ) {
			w32_error( "alloca( %u )", psize );
			exit( 1 );
		}
	}

	for ( i=0; i<p->PrivilegeCount; i++ )
		p->Privileges[ i ].Attributes |= SE_PRIVILEGE_ENABLED;

	while ( ! AdjustTokenPrivileges( token, FALSE, p, psize,
				dummy, &psize ) ) {
		if ( GetLastError() != ERROR_INSUFFICIENT_BUFFER ) {
			w32_error( "AdjustTokenPrivileges()" );
			exit( 1 );
		}
		if ( ! (dummy = alloca( psize ) ) ) {
			w32_error( "alloca( %u )", psize );
			exit( 1 );
		}
	}

	while ( --argc ) {
		proc = OpenProcess( PROCESS_TERMINATE, FALSE,
				(DWORD)atoi( argv[ argc ] ) );
		if ( proc == NULL ) {
			w32_error( "Openprocess(): PID=%s",
				argv[ argc ] );
			continue;
		}

		if ( ! TerminateProcess( proc, 1 ) ) {
			(void)CloseHandle( proc );
			w32_error( "TermnateProcess(): PID=%s", argv[ argc ] );
			continue;
		} else {
			(void)CloseHandle( proc );
			fprintf( stdout, "PID=%s killed\n", argv[ argc ] );
		}
	}

	return 0;
}

void usage_exit( void )
{
	fprintf( stderr, "Usage:\tkill <pid list>\n" );
	exit( 1 );
}

void w32_error( const char *blah, ... )
{
	char *msg;
	va_list a;

	if ( FormatMessage(
			FORMAT MESSAGE ALLOCATE BUFFER |
			FORMAT MESSAGE FROM SYSTEM,
			NULL,    GetLastError(),
			MAKELANGID(LANG NEUTRAL,
			SUBLANG_DEFAULT),
			(LPTSTR)&msg, 0, NULL ) )
	{
		va_start( a, blah );
		(void)vfprintf( stderr, blah, a );
		(void)fprintf( stderr, ": %s\n", msg );
		(void)LocalFree( msg );
		va_end( a );
	}
}

• Next message: Crist Clark: "Re: Small TCP packets == very large overhead == DoS?"
• Previous message: twiz - Perla Enrico: "Re: 2.4.x/Slackware Init script vulnerability"
• In reply to: Frank Breedijk: "RE: W2k: Unkillable Applications"
• Next in thread: David LeBlanc: "RE: W2k: Unkillable Applications"
• Next in thread: Kaido Karner: "RE: W2k: Unkillable Applications"
• Reply: David LeBlanc: "RE: W2k: Unkillable Applications"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Jul 18 2001 - 08:08:51 PDT