Bugtraq mailing list archives
RE: W2k: Unkillable Applications
From: Toomas Kiisk <vix () cyber ee>
Date: Wed, 18 Jul 2001 16:22:13 +0200 (EET)
On Tue, 17 Jul 2001, Frank Breedijk wrote:
I'm sure they could have told you that an administrator can end system processes by right clicking on them and choosing "Debug" and then ending the process.That feature is only available on systems with a debugger installed. Mine isn't
There's no need for a debugger. SE_DEBUG privilege is simply disabled by default, and it must be enabled using AdjustTokenPrivileges(). Here's the source of a small utility I posted few years ago to ee.arvutid.microsoft, hopefully it is self-explanatory. The source has undergone some "formatting" by google archive, so there may be few underscores missing. --------------begin kill.c---------- #include <windows.h> #include <malloc.h> #include <stdio.h> #include <stdarg.h> #include <assert.h> void usage_exit( void ); void w32_error( const char *blah, ... ); int main( int argc, char **argv ) { HANDLE proc, token; TOKEN_PRIVILEGES *p = NULL, *dummy = NULL; DWORD psize = 0, i = 0; if ( argc < 2 ) usage_exit(); assert( OpenProcessToken( GetCurrentProcess(), TOKEN_ALL_ACCESS, &token ) ); while ( ! GetTokenInformation( token, TokenPrivileges, p, psize, &psize ) ) { if ( GetLastError() != ERROR_INSUFFICIENT_BUFFER ) { w32_error( "GetTokenInformation()" ); exit( 1 ); } if ( ! (p = alloca( psize ) ) ) { w32_error( "alloca( %u )", psize ); exit( 1 ); } } for ( i=0; i<p->PrivilegeCount; i++ ) p->Privileges[ i ].Attributes |= SE_PRIVILEGE_ENABLED; while ( ! AdjustTokenPrivileges( token, FALSE, p, psize, dummy, &psize ) ) { if ( GetLastError() != ERROR_INSUFFICIENT_BUFFER ) { w32_error( "AdjustTokenPrivileges()" ); exit( 1 ); } if ( ! (dummy = alloca( psize ) ) ) { w32_error( "alloca( %u )", psize ); exit( 1 ); } } while ( --argc ) { proc = OpenProcess( PROCESS_TERMINATE, FALSE, (DWORD)atoi( argv[ argc ] ) ); if ( proc == NULL ) { w32_error( "Openprocess(): PID=%s", argv[ argc ] ); continue; } if ( ! TerminateProcess( proc, 1 ) ) { (void)CloseHandle( proc ); w32_error( "TermnateProcess(): PID=%s", argv[ argc ] ); continue; } else { (void)CloseHandle( proc ); fprintf( stdout, "PID=%s killed\n", argv[ argc ] ); } } return 0; } void usage_exit( void ) { fprintf( stderr, "Usage:\tkill <pid list>\n" ); exit( 1 ); } void w32_error( const char *blah, ... ) { char *msg; va_list a; if ( FormatMessage( FORMAT MESSAGE ALLOCATE BUFFER | FORMAT MESSAGE FROM SYSTEM, NULL, GetLastError(), MAKELANGID(LANG NEUTRAL, SUBLANG_DEFAULT), (LPTSTR)&msg, 0, NULL ) ) { va_start( a, blah ); (void)vfprintf( stderr, blah, a ); (void)fprintf( stderr, ": %s\n", msg ); (void)LocalFree( msg ); va_end( a ); } }
Current thread:
- RE: W2k: Unkillable Applications, (continued)
- RE: W2k: Unkillable Applications Kaido Karner (Jul 17)
- Re: W2k: Unkillable Applications Justin Nelson (Jul 17)
- Re: W2k: Unkillable Applications Chris Adams (Jul 17)
- Re: W2k: Unkillable Applications Alun Jones (Jul 17)
- Re: W2k: Unkillable Applications Chris Adams (Jul 17)
- Re[2]: W2k: Unkillable Applications Phaedrus (Jul 17)
- Re: Re[2]: W2k: Unkillable Applications Bronek Kozicki (Jul 18)
- RE: W2k: Unkillable Applications Kaido Karner (Jul 17)
- Re[2]: W2k: Unkillable Applications Dimitry Andric (Jul 17)
- RE: W2k: Unkillable Applications Andy Cristina (Jul 17)
- RE: W2k: Unkillable Applications Toomas Kiisk (Jul 18)
- RE: W2k: Unkillable Applications David LeBlanc (Jul 19)