Skillz May 06 Winning Entry - Creative
Posted by don (Editor-In-Chief) on June 13, 2006, 03:49:32 PM
Episode V: The Empire Hacks Back (Part 2 (aka, The Answers))

by Timothy Maletic


As seen previously on The Empire Hacks Back (http://www.ethicalhacker.net/content/view/55/2/), our heroes are running out of time. They must escape the evil clutches of the diabolical Darth Vader in order to jump-start the rebellion, and yet their transport -- the "fastest hunk of junk in the galaxy" -- has a failing hyperdrive...

[Lando] Looks like the hyperdrive is hosed.

[Leia] Would it help if I got out and pushed?

[Lando] Hello, what have we here? It would be more helpful if you could speak Bacchi -- wait, no -- I mean Winduze. <pause> What? You've never heard of Winduze? It's the network operating system invented by the late Jedi Master Windu. It's the Falcon's OS, and the Professor here says that something keeps killing the hyperdrive.exe process.

<R2D2 beeps wildly.>

[C3PO] R2D2, you know better than to trust a strange computer! What a ridiculous idea -- Lord Vader using eponymous bots!

[Luke] Faatheerr!

[Leia] Quiet down, 3PO! You're upsetting our patient. Vader chops off his hand and now he's calling Vader his "father." It's near the end for this young 'prentice, I'm afraid.

[Luke] No, listen! It's father! I can feel his presence. Search for processes named vaderbot.exe!

[Lando] Oh great! More hokey, religious mumbo-jumbo...

<R2D2 beeps wildly.>

[C3PO] Wait! Wait! R2 has a command shell on the Falcon, and says there are ten vaderbot processes! He says he's going to kill them all with a

wmic process where name="vaderbot.exe" delete

Yes! It worked! Wait... What R2? How? Now R2 says there are ten more vaderbot processes, this time with incrementally variable process names! R2, doesn't the Winduze wmic command accept wildcards? Something like a shell's "*" metacharacter or SQL's "%"? Well, use it, you overweight glob of grease!!!

Excellent! This time R2 issued the command

wmic process where "name like \"%vaderbot%\"" delete

and it worked. [Aside to R2] Nice work with the escaped quotes!

[Lando]? Chewie!? Punch it!

<Cue downward-spiraling-failing-machinery-sound.>

[Leia] OK, Goldenrod, you're about to feel a great disturbance in the force!

[C3PO] Wait! Wait! R2 has a new idea. He says there are suddenly ten new processes running on the Falcon with strange, random-looking process names. We're doomed!

Wait a minute. R2, are Winduze processes chained via parent-child relationships like they are in Linux? Then try killing all children of the last process you killed. The process ID of the last process you killed was displayed as part of the output of your last wmic command. Yes, I saw it scroll by a minute ago -- it was process ID 2485.

<Everyone waits anxiously while R2D2 beeps introspectively...>

[Luke] That's no planet. It's a space station.

[Leia] Help me Obi-Wan Kenobi -- you're my only hope!

[C3PO] He did it! All it took this time was a deftly executed

wmic process where parentprocessid=2485 delete

Quick, Administrator Calrissian! Engage the hyperdrive!

<Cue downward-spiraling-failing-machinery-sound.>

[Lando] It's not my fault!

[Leia] Who's more foolish -- the fool or...

[Obi-Wan] That's my line!

[Lando] Where'd this old fossil come from?!?

[Obi-Wan] Call me a defunct process. I'm here to tell you that the Falcon's Operating System has just spawned a new smss.exe process. I don't understand why this OS is trusted to run mission-critical systems. You'll never find a more wretched hive of scum and villainy...

<R2D2 beeps wildly.>

[C3PO] But R2 says we can't kill the smss.exe process without seriously disabling the ship! We're doomed!

[Obi-Wan] You cannot win, but there are alternatives to fighting. You only need to kill one smss.exe process. The one that is the child of the last process you killed.

<R2D2 beeps wildly.>

[C3PO] Oh, no! R2 says he fat-fingered a shell termination sequence! He has to set up a new command shell, and has lost the shell history. Now we'll never learn the process ID of the last process he killed. We're doomed!

[Obi-Wan] Your eyes have deceived you -- don't trust them. Recall that smss.exe is one of the earliest processes to launch in the Winduze boot sequence. The legitimate smss.exe should therefore have a relatively low process ID, and the parent of smss.exe will be lower still. In fact, the parent of the legitimate smss.exe is named "System," and will always be process ID 4.

<R2D2 beeps wildly.>

[C3PO] That did it! R2 added a little Boolean logic to the last wmic command to get

wmic process where "name=\"smss.exe\" and parentprocessid!=4" delete

How wonderful! Punch it, Chewie!

<Cue star-stretching hyperspace light and magic.>
<Fade in of ghostly image of Chow Yun-Fat of Crouching Tiger.>

[Master Li Mu Bai] Greetings, fellow Jedi. I congratulate you on your escape.

[Obi-Wan] Master Li! How is this possible?

[Master Li] Only a great disturbance in the force could bring me back from my infinite meditation.

[Leia] Who is this clown?

[Obi-Wan] I was apprenticed to Qui-Gon Jinn, and he in turn was apprenticed to Yoda. But Yoda's Master was Master Li Mu Bai. Tell us, Master Li. Why are you here?

[Master Li] I have come to warn you that Vader's malicious code was only the beginning. The Emperor himself is working up new malware that will be immune to the cleansing techniques of your faithful droid. My instructors in the mystical arts -- Jedi, Wudang, and Winduze -- were Masters Russinovich and Butler, and they taught me of ways to shield Winduze processes from termination.

One way is to shield the process from discovery. If the malware can run with administrative privileges, it can modify core Winduze kernel functions. Rootkits use this technique, altering kernel objects or hooking kernel functions in an effort to make themselves invisible to standard operating system utilities, such as programs that manage files or processes.

Another technique is to create a process so critical to system functionality that killing the process kills the system. Winduze utilizes this method to protect csrss.exe. By setting the critical process flag in the kernel process structure, Winduze ensures that the kernel will halt whenever csrss.exe dies. Malicious code could conceivably use this same trick.

And more speculatively, some techniques from Master Russinovich's buggy driver simulator may be harnessed for evil. One of the bugs that the tool Notmyfault demonstrates is a driver that receives I/O requests, but neither successfully completes the requests nor responds to calls to cancel the request. I do not know whether a process could be of any use at this near-death stage of process shutdown. I must meditate further on this.

<To be concluded.>

Credits:
Mark Russinovich's Blog, http://www.sysinternals.com/blog%5Cblogindex.html
"Windows Rootkits of 2005," http://www.securityfocus.com/infocus/1850
Star Wars Wikiquote, http://en.wikiquote.org/wiki/Star_Wars
Bell's Beer, http://www.bellsbeer.com/
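The clean-up R2 works through in the post (kill by exact name, then by a WQL LIKE pattern, then by parent process ID, then the one smss.exe whose parent is not the System process) is the kind of thing that is easy to get wrong at a live console, so here is the same logic as an offline triage script. This is an added example and not part of the original post or of any EH-Net tool. It parses a constructed listing in the shape of `wmic process get name,parentprocessid,processid /format:csv` output (WMIC prints a leading blank line, a Node column, and the requested properties in alphabetical order), answers the same four questions the droid did, and composes the wmic delete command for whatever it finds. The host name FALCON, every process name and every PID in the sample are invented; the assumption that System is PID 4 is the post's own.

```python
"""Offline triage of a WMIC process listing (added example).

SAMPLE_LISTING is CONSTRUCTED test data in the shape of
    wmic process get name,parentprocessid,processid /format:csv
Host name, process names and PIDs are invented for this example.
"""
import csv
import re

SAMPLE_LISTING = """
Node,Name,ParentProcessId,ProcessId
FALCON,System,0,4
FALCON,smss.exe,4,376
FALCON,csrss.exe,376,448
FALCON,winlogon.exe,376,472
FALCON,services.exe,472,516
FALCON,explorer.exe,1500,1712
FALCON,cmd.exe,1712,2485
FALCON,vaderbot.exe,2485,2600
FALCON,vaderbot1.exe,2485,2604
FALCON,xk9q2.exe,2485,2608
FALCON,smss.exe,2608,2612
FALCON,hyperdrive.exe,516,3000
"""


def parse_wmic_csv(text):
    """Return [(name, pid, ppid), ...] from WMIC /format:csv output.

    A real capture redirected to a file is usually UTF-16; decode it
    to str before passing it here.  Blank lines are skipped because
    WMIC emits one before the header.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    return [(row["Name"], int(row["ProcessId"]), int(row["ParentProcessId"]))
            for row in csv.DictReader(lines)]


def like_to_regex(pattern):
    """Translate a WQL LIKE pattern (% = any run, _ = one char) to an anchored regex."""
    parts = []
    for ch in pattern:
        if ch == "%":
            parts.append(".*")
        elif ch == "_":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return "^" + "".join(parts) + "$"


def find_like(procs, pattern):
    """PIDs whose name matches the LIKE pattern, case-insensitively as WQL does."""
    rx = re.compile(like_to_regex(pattern), re.IGNORECASE)
    return sorted(pid for name, pid, _ in procs if rx.match(name))


def children_of(procs, parent_pid):
    """Direct children: the 'where parentprocessid=N' hunt from the post."""
    return sorted(pid for _, pid, ppid in procs if ppid == parent_pid)


def descendants_of(procs, root_pid):
    """Whole subtree under root_pid, so a respawning chain is taken out at once."""
    found, frontier = set(), [root_pid]
    while frontier:
        for child in children_of(procs, frontier.pop()):
            if child not in found:          # guard against PID-reuse cycles
                found.add(child)
                frontier.append(child)
    return sorted(found)


def rogue_smss(procs, system_pid=4):
    """smss.exe instances whose parent is not the System process (PID 4, per the post)."""
    return sorted(pid for name, pid, ppid in procs
                  if name.lower() == "smss.exe" and ppid != system_pid)


def wmic_delete_command(pids):
    """Compose one wmic command that deletes exactly these PIDs and nothing else."""
    clause = " or ".join("processid=%d" % p for p in pids)
    return 'wmic process where "%s" delete' % clause


if __name__ == "__main__":
    procs = parse_wmic_csv(SAMPLE_LISTING)
    print("vaderbot-ish:   ", find_like(procs, "%vaderbot%"))
    print("children of 2485:", children_of(procs, 2485))
    print("subtree of 2485: ", descendants_of(procs, 2485))
    print("rogue smss.exe:  ", rogue_smss(procs))
    print(wmic_delete_command(rogue_smss(procs)))
```

Two caveats the story glosses over. Windows reuses PIDs, so a ParentProcessId can point at an unrelated process that inherited the number after the real parent exited; compare the Win32_Process CreationDate values before trusting a parent-child link. And a name match is only as strong as the name, which is exactly why the hunt above had to move from names to the process tree.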