Friday, June 20, 2008


Monday, January 28, 2008

One of the most irritating things that many viruses do is deny access to Windows Task Manager in Windows XP (not sure about other OS versions).

A simple solution is to remove the value:

DisableTaskMgr

from the key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

This can be done either with the Registry Editor or by executing the following command:

REG DELETE HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /f

But many viruses keep rewriting this value in the registry, so the above method may work only temporarily.

Then what can we do?

Well, a better solution is to modify your task manager itself. I've currently tried this only with the taskmgr.exe of Windows XP Professional with SP2. For other versions this tutorial may not work exactly. Sorry for that.

I AM NOT RESPONSIBLE IF YOU DID SOMETHING WRONG, I AM NOT RESPONSIBLE FOR ANY DAMAGE. YOU FOLLOW THIS TUTORIAL AT YOUR OWN RISK.

Here are the steps:

STEP 1:
Copy taskmgr.exe from %windir%\system32\ to any folder, say Desktop.

STEP 2:
Now get a decent hex editor. Many are available for free. I used the XVI32 Hex Editor. You can get it from http://www.softpedia.com/get/Programming/File-Editors/XVI32.shtml

STEP 3:
Using the hex editor, open the copy of taskmgr.exe on your desktop and jump to the offset address 18721 (0x4921).
To jump to the given offset in XVI32, press Ctrl+G. A "Go to address" window should open.
Now select the "decimal" radio button and type 18721 in the text box. Select "absolute" as the Go mode. Click OK.
There you'll find the following bytes (hex):

39 9D 20 FC FF FF 74


(If you don't find these bytes, it means that you have a different version of taskmgr.exe. Probably you don't have SP2. Do not patch anything in that case.)
All you need to do is replace these bytes with the following (hex):

90 90 90 90 90 90 EB


STEP 4:
Save the file under a suitable name, say taskmgr_new.exe.

That's all; you now have a task manager that always works for you.

To check that you've done everything correctly, use this method:

Run the command:

REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

and then pressing Ctrl+Alt+Del should give you an error message like this**:


But your taskmgr_new.exe will work!

If the newly patched task manager doesn't work or causes any problem, check the steps and try again from the beginning. It will work; I've tried it on systems with Windows XP SP2.

**To Remove this restriction, use the following command:
REG DELETE HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /f

How Does It Work?
In machine language,
39 9D 20 FC FF FF
represents
CMP DWORD PTR SS:[EBP-3E0],EBX ; Two values are compared here

then
74 4B
represents
JE SHORT taskmgr.01005574 ; Jump execution to another address if the values compared above are equal

Now what we want is an unconditional jump (to skip the code that calls the MessageBox API and then terminates the process).

To make the jump unconditional, we don't need the comparison at all, so we remove it. This is done with NOP (No-Operation), which has the opcode (operation code) 0x90. So we replace all 6 bytes of the CMP with NOPs, and to make the jump unconditional we replace the JE opcode (0x74) with JMP (0xEB). The displacement byte that follows (0x4B) is left untouched: JE SHORT and JMP SHORT both use a one-byte relative offset, so the new JMP lands on the same address (01005574) that the JE used to.
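As an added example (not part of the original post), the following Python helper applies the same CMP/JE to NOP/JMP change to an in-memory copy of the file, but only after verifying that the expected bytes are actually at the offset, and it can also classify a suspect copy as original, patched, or unknown, which is the check you want when a system tool's integrity is in question. The sample buffer it runs on is constructed here, not a real taskmgr.exe; the offset and byte sequences are the ones given in the post.

```python
# Added example: verify-then-patch helper for the change described above,
# plus a classifier that tells an original XP SP2 taskmgr.exe sequence from
# a patched one. Works on bytes in memory; the sample image is constructed.

OFFSET = 0x4921                                 # 18721 decimal, as in the post
ORIGINAL = bytes.fromhex("399D20FCFFFF74")      # CMP DWORD PTR SS:[EBP-3E0],EBX ; JE rel8
PATCHED = bytes.fromhex("909090909090EB")       # 6 x NOP ; JMP rel8
# The rel8 displacement byte after the opcode (0x4B in the post) is not touched:
# JE rel8 (74 cb) and JMP rel8 (EB cb) encode the target the same way, so the
# unconditional jump lands on the same address the JE used.


def classify(data: bytes, offset: int = OFFSET) -> str:
    """Return 'original', 'patched' or 'unknown' for the 7 bytes at offset."""
    window = data[offset:offset + len(ORIGINAL)]
    if window == ORIGINAL:
        return "original"
    if window == PATCHED:
        return "patched"
    return "unknown"        # different build or service pack: leave the file alone


def apply_patch(data: bytes, offset: int = OFFSET) -> bytes:
    """Return a patched copy; refuse unless the expected bytes are present."""
    state = classify(data, offset)
    if state == "patched":
        return bytes(data)                      # already done, idempotent
    if state != "original":
        found = data[offset:offset + len(ORIGINAL)].hex()
        raise ValueError(f"unexpected bytes at 0x{offset:X}: {found}")
    buf = bytearray(data)
    buf[offset:offset + len(PATCHED)] = PATCHED
    return bytes(buf)


def build_sample() -> bytes:
    """Constructed stand-in for the image: zero filler up to OFFSET, the
    original sequence, the rel8 byte from the post, then more filler."""
    return bytes(OFFSET) + ORIGINAL + bytes([0x4B]) + b"\xCC" * 16


if __name__ == "__main__":
    sample = build_sample()
    patched = apply_patch(sample)
    print(classify(sample), "->", classify(patched))   # original -> patched
    assert patched[OFFSET + 7] == 0x4B                 # displacement preserved
```

For a real file, pass the result of `open(path, "rb").read()` to `classify` first; it reports "unknown" for any build whose bytes differ, which is the same warning the post gives in step 3.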

This is just a very brief explanation. If you are new to reverse engineering and want to learn more, I recommend http://www.hackthissite.org/ and http://www.hellboundhackers.org/
(I used OllyDbg for the analysis; a screenshot was shown here.)