Post Tue Jun 13, 2006 3:52 pm

Skillz May 06 Winning Entry - Technical ... ll.exe&S=1 indicates that taskkill.exe shipped with Windows XP and Windows Server 2003. ... ll.exe&S=1 indicates that tskill.exe shipped with Windows XP and Windows Server 2003.

1) How can R2D2 kill all of the processes named "vaderbot.exe" with a single command?

Forcefully terminate processes with an image name of "vaderbot.exe":
Taskkill.exe /F /IM vaderbot.exe

2) Unfortunately, as the last vaderbot.exe process is about to be killed, it spawns a group of new Vader Bot processes, but each with a new name, called "vaderbot0.exe", "vaderbot1.exe", "vaderbot2.exe", and so on up to "vaderbot9". How can you kill all of these processes based on their process name in one command?

Forcefully terminate processes that match a filter where the image name is "vaderbot*":
Taskkill.exe /f /fi "imagename eq vaderbot*"

3) Unfortunately, as the last Vader Bot numbered process ("vaderbot9") is about to be killed, it generates a whole bunch of new Vader Bot processes, with apparently random names, such as QnV5I.exe, ENvdW.exe, 50ZXI.exe, gSGFj.exe, ayBSZ.exe, WxvYW.exe, RlZCw.exe, gUGxl.exe, YXNlI.exe, and finally, Q==.exe. How can you kill all of these processes in one command without knowing their Process IDs?

Forcefully terminate processes with any image name that match a filter where the user name the process is running under is "vader":
Taskkill.exe /f /fi "username eq vader" /IM *

4) And yes again unfortunately, as the last apparently random-named bot process is about to be killed, it generates one more process for Vader Bot, named smss.exe. How can you kill this final Vader Bot process in a single command without knowing its Process ID?

In this case, use the "tskill" command, which will kill the bogus SMSS.EXE and fail to kill the _real_ SMSS.EXE because "End Process failed for smss:Access is denied.":
Tskill.exe smss

Taskkill.exe (and Task Manager) think that all processes named "SMSS.EXE" are "critical system processes", and as such they should not be killed.

5) Finally, instead of spawning separate processes, the Vader Bot could have used other techniques to survive on the machine, continuing to run in light of R2D2's process-killing assault. Please describe techniques for malware (or even non-malicious code) to continue running without having to spawn new processes.

One probably needs to look no further than AutoRuns from Sysinternals to get a handle on what parts of Windows one can use to get code to run at various points in time. Such places are listed at the bottom of this message.

One technique that could be used is DLL injection - injecting a DLL into the address space of other processes. One can use HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls to cause a DLL to be injected (at next system boot) into all process that load USER32.DLL (most GUI apps, but few CUI apps). This technique has many disadvantages, as identified by Jeffrey Richter in "Programming Applications for Microsoft Windows Fourth Edition":

a) need to restart system for change to take effect (new processes will pick up the change, but processes already running will need to be restarted)
b) most GUI apps but few CUI apps will load the DLL
c) may want to selectively target which processes load the DLL - this technique requires one to explicitly return FALSE from DllMain if one doesn't want one's DLL loaded by the process
d) no way to unload the DLL (this may not really be a problem for malware)

Another technique that can be used to inject a DLL into the address space of another process is to use Windows Hooks (SetWindowsHookEx API - ... hookex.asp).

The CreateRemoteThread API
( ... thread.asp) can be used to run code in the address space of another process - it creates a new thread in a different process. The thread has access to all objects that the target process opens. This technique has its own considerations, but one will likely encounter and account for them if one chooses this technique.

Yet another method one could use is a "Trojan" DLL - a DLL that exports the same symbols as the target DLL. Function forwarders can assist in this. Then, the target DLL is renamed and the Trojan DLL is given the original name of the target DLL.

Additionally, it may be possible to use "Detours" ( to achieve the goal of "keeping code running without spawning new processes".

Perhaps some exploration into changing the ACL on a process would introduce difficulties in attempting to terminate it.

Finally, since Vader was able to create the "vader" account and add it to the admin group, the Vaderbots certainly already have elevated privileges. Why not take it a step further and add a kernel mode Rootkit-type component to the "Vader Bot" software? has some resources for Darth to get started. He could also get a customized version of Hacker Defender, but he may have to tap into the Emperor's coffers a bit. Once the rootkit is in place, it can modify system data structures, and manipulate information returned by system services to hide its existence, or it can simply act like the vaderbot processes were killed by removing the name(s) from the list of running processes returned by the OS.

List of locations inspected by AutoRuns:
00) HKLM\System\CurrentControlSet\Control\TerminalServer\Wds\rdpwd\StartupPrograms
01) HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup
02) HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Startup
03) HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logon
04) HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Logon
05) HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
06) HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell
07) HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
08) HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell
09) HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
10) HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman
11) HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\TerminalServer\Install\Software\Microsoft\Windows\CurrentVersion\Runonce
12) HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\TerminalServer\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx
13) HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\TerminalServer\Install\Software\Microsoft\Windows\CurrentVersion\Run
14) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
15) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
16) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
17) C:\Documents and Settings\All Users\Start Menu\Programs\Startup
18) C:\Documents and Settings\<user name>\Start Menu\Programs\Startup
19) HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load
20) HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
21) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
22) HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
23) HKCU\Software\Microsoft\Windows\CurrentVersion\Run
24) HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
25) HKCU\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\TerminalServer\Install\Software\Microsoft\Windows\CurrentVersion\Runonce
26) HKCU\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\TerminalServer\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx
27) HKCU\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\TerminalServer\Install\Software\Microsoft\Windows\CurrentVersion\Run
28) HKLM\SOFTWARE\Classes\Protocols\Filter
29) HKLM\SOFTWARE\Classes\Protocols\Handler
30) HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
31) HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components
32) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
33) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
34) HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
35) HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
36) HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
37) HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
38) HKLM\Software\Classes\Folder\Shellex\ColumnHandlers
39) HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\BrowserHelperObjects
40) HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks
41) HKLM\Software\Microsoft\Internet Explorer\Toolbar
42) HKCU\Software\Microsoft\Internet Explorer\Explorer Bars
43) HKLM\Software\Microsoft\Internet Explorer\Explorer Bars
44) HKCU\Software\Microsoft\Internet Explorer\Extensions
45) HKLM\Software\Microsoft\Internet Explorer\Extensions
46) Task Scheduler
47) HKLM\System\CurrentControlSet\Services
48) HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
49) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
50) HKLM\Software\Microsoft\Command Processor\Autorun
51) HKCU\Software\Microsoft\Command Processor\Autorun
52) HKLM\SOFTWARE\Classes\Exefile\Shell\Open\Command\(Default)
53) HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls
54) HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
55) HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System
56) HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost
57) HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
58) HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL
59) HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman
60) HKCU\Control Panel\Desktop\Scrnsave.exe
61) HKLM\System\CurrentControlSet\Control\BootVerificationProgram\ImageName
62) HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9
63) HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
64) HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages
65) HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
66) HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages

Erik Schroeder
Last edited by don on Tue Jun 20, 2006 10:14 am, edited 1 time in total.