Old 2005-09-05, 22:52   #1
TTn
 

2·5·157 Posts
Post Disable Ctrl Alt Delete Task Manager

In a visual basic form:

Code:
Imports System.Drawing
Imports System.Threading
Imports System.Reflection
Imports System.Runtime.InteropServices
' Form1: a Windows Forms window with two buttons. Button1 installs a
' low-level keyboard hook (WH_KEYBOARD_LL) through SetWindowsHookEx; Button2
' and the form's Closed event remove it. While the hook is installed the
' callback swallows Ctrl+Shift+Esc and, when Delete arrives with Ctrl and Alt
' held, kills a process named "taskmgr".
'
' NOTE(review): for triage purposes the two observable behaviours here are
' (1) a process installing WH_KEYBOARD_LL with dwThreadId = 0, which lets it
' see keystrokes from every thread on the desktop, and (2) a process that
' terminates taskmgr. Both are useful tamper signals to alert on. The code
' only reacts to keyboard input; nothing visible here covers Task Manager
' being started by any other route.
Friend Class Form1
    Inherits System.Windows.Forms.Form
#Region " Windows Form Designer generated code "

    ' Designer-generated constructor: builds the controls and nothing else.
    ' The keyboard hook is NOT installed here; see Button1_Click.
    Public Sub New()
        MyBase.New()

        'This call is required by the Windows Form Designer.
        InitializeComponent()

        'Add any initialization after the InitializeComponent() call

    End Sub

    'Form overrides dispose to clean up the component list.
    ' NOTE(review): Dispose does not call UnhookKeyboard; the hook is only
    ' removed from Form1_Closed and Button2_Click.
    Protected Overloads Overrides Sub Dispose(ByVal disposing As Boolean)
        If disposing Then
            If Not (components Is Nothing) Then
                components.Dispose()
            End If
        End If
        MyBase.Dispose(disposing)
    End Sub

    'Required by the Windows Form Designer
    Private components As System.ComponentModel.IContainer

    'NOTE: The following procedure is required by the Windows Form Designer
    'It can be modified using the Windows Form Designer. 
    'Do not modify it using the code editor.
    Friend WithEvents Button1 As System.Windows.Forms.Button
    Friend WithEvents Button2 As System.Windows.Forms.Button

    ' Creates the two buttons, sets their position/size/caption and adds them
    ' to the form. Pure UI layout; no hook-related work happens here.
    <System.Diagnostics.DebuggerStepThrough()> Private Sub InitializeComponent()
        Me.Button1 = New System.Windows.Forms.Button
        Me.Button2 = New System.Windows.Forms.Button
        Me.SuspendLayout()
        '
        'Button1
        '
        Me.Button1.Location = New System.Drawing.Point(88, 72)
        Me.Button1.Name = "Button1"
        Me.Button1.Size = New System.Drawing.Size(128, 24)
        Me.Button1.TabIndex = 1
        Me.Button1.Text = "Disable task manager."
        '
        'Button2
        '
        Me.Button2.Location = New System.Drawing.Point(88, 112)
        Me.Button2.Name = "Button2"
        Me.Button2.Size = New System.Drawing.Size(128, 24)
        Me.Button2.TabIndex = 2
        Me.Button2.Text = "Enable Task manager"
        '
        'Form1
        '
        Me.AutoScaleBaseSize = New System.Drawing.Size(5, 13)
        Me.ClientSize = New System.Drawing.Size(292, 266)
        Me.Controls.Add(Me.Button2)
        Me.Controls.Add(Me.Button1)
        Me.Name = "Form1"
        Me.Text = "                 Ctrl + Alt + Delete"
        Me.ResumeLayout(False)

    End Sub

#End Region

    ' Win32 imports from user32 used by the hook.
    ' NOTE(review): hook handles, hmod, wParam and dwExtraInfo are declared as
    ' Integer (32-bit). The native types are pointer-sized, so these
    ' signatures presumably only hold in a 32-bit process - confirm.
    ' NOTE(review): CallNextHookEx declares lParam ByVal while the callback
    ' delegate below receives it ByRef; the two marshal differently, so what
    ' the next hook in the chain receives should be verified.
    Private Declare Function GetAsyncKeyState Lib "user32" (ByVal vKey As Integer) As Integer
    Public Declare Function UnhookWindowsHookEx Lib "user32" (ByVal hHook As Integer) As Integer
    Private Declare Sub keybd_event Lib "user32.dll" (ByVal bVk As Byte, ByVal bScan As Byte, ByVal dwFlags As Integer, ByVal dwExtraInfo As Integer)
    Private Declare Function CallNextHookEx Lib "user32" (ByVal hHook As Integer, ByVal nCode As Integer, ByVal wParam As Integer, ByVal lParam As KBDLLHOOKSTRUCT) As Integer
    Public Declare Function SetWindowsHookEx Lib "user32" Alias "SetWindowsHookExA" (ByVal idHook As Integer, ByVal lpfn As KeyboardHookDelegate, ByVal hmod As Integer, ByVal dwThreadId As Integer) As Integer

    ' Managed layout for the per-keystroke structure handed to the hook
    ' callback. Only vkCode is read by the code in this class.
    Public Structure KBDLLHOOKSTRUCT
        Public vkCode As Integer
        Public scanCode As Integer
        Public flags As Integer
        Public time As Integer
        Public dwExtraInfo As Integer
    End Structure

    ' Signature of the hook procedure passed to SetWindowsHookEx.
    Public Delegate Function KeyboardHookDelegate(ByVal Code As Integer, ByVal wParam As Integer, ByRef lParam As KBDLLHOOKSTRUCT) As Integer
    ' Delegate instance is held in a field - presumably so it stays referenced
    ' (and is not collected) for as long as the hook is installed.
    <MarshalAs(UnmanagedType.FunctionPtr)> Private callback As KeyboardHookDelegate
    ' Value returned by SetWindowsHookEx; 0 is treated as "no hook" by Hooked().
    Public KeyboardHandle As Integer

    ' Low-Level Keyboard Constant
    ' Hook code value for which the callback inspects the keystroke.
    Const HC_ACTION As Integer = 0

    ' Virtual Keys
    ' (KEYEVENTF_KEYUP is a keybd_event flag and WH_KEYBOARD_LL is the hook
    ' type passed to SetWindowsHookEx; the remaining VK_* values are key codes.)
    Const KEYEVENTF_KEYUP As Short = &H2
    Const VK_SHIFT As Integer = &H10
    Const VK_CONTROL = &H11
    Const VK_DELETE = &H2E
    Const VK_MENU = &H12
    Const VK_ESCAPE As Integer = &H1B
    Const WH_KEYBOARD_LL As Integer = 13&

    'This function allows keys to be detected and dealt with.
    ' Returns True when the keystroke in Hookstruct should be swallowed by the
    ' hook, False when it should be passed on.
    '
    ' Two cases are handled:
    '  * Delete with Alt (VK_MENU) and Ctrl down: polls for a process named
    '    "taskmgr", kills the first one found, then injects a synthetic
    '    Ctrl+Shift+Esc. Execution then falls through and returns False, so
    '    the Delete keystroke itself is still passed on.
    '  * Esc with Ctrl and Shift down: returns True (keystroke swallowed).
    Public Function IsHooked(ByRef Hookstruct As KBDLLHOOKSTRUCT) As Boolean
        ' Every runtime error below (including a failing p.Kill) is ignored
        ' and execution continues with the next statement.
        On Error Resume Next

        ' ctrl alt delete, can be detected here. The task manager is closed.
        ' &H8000 tests the high bit of GetAsyncKeyState, i.e. "key is down now".
        If (Hookstruct.vkCode = VK_DELETE) And CBool(GetAsyncKeyState(VK_MENU) And &H8000) And CBool(GetAsyncKeyState(VK_CONTROL) And &H8000) Then
            ' NOTE(review): this loop only exits through the Exit Do inside
            ' the For Each, i.e. after a "taskmgr" process has been found.
            ' There is no timeout, so if none appears the hook callback keeps
            ' spinning here while pumping the message queue.
            Do
                Application.DoEvents()
                SendKeys.Flush()
                ' Snapshot of all processes currently named "taskmgr".
                Dim clt() As Process = Process.GetProcessesByName("taskmgr")
                For Each p As Process In clt

                    'kill task manager and rip from memory
                    p.Kill()

                    'Thanks to Dan Appleman, who doesn't know why either.
                    Application.DoEvents()
                    SendKeys.Flush()

                    'Return Task Manager function here, to replace memory.
                    'Simulate Ctrl Shift Esc to call task managers back to duty.
                    ' Key-down for Ctrl, Shift, Esc followed by key-up in
                    ' reverse order.
                    keybd_event(VK_CONTROL, 0, 0, 0)
                    keybd_event(VK_SHIFT, 0, 0, 0)
                    keybd_event(VK_ESCAPE, 0, 0, 0)
                    keybd_event(VK_ESCAPE, 0, KEYEVENTF_KEYUP, 0)
                    keybd_event(VK_SHIFT, 0, KEYEVENTF_KEYUP, 0)
                    keybd_event(VK_CONTROL, 0, KEYEVENTF_KEYUP, 0)
                    'END--Ctrl Alt Delete has been essentially blocked here from bringing up the task manager.
                    'If you want to personalize your own application's task manager.
                    'Call MyTaskMangerReplacement(1) 
                    Application.DoEvents()
                    SendKeys.Flush()
                    ' Leaves the outer Do after the first process; any further
                    ' entries in clt are not touched.
                    Exit Do
                Next
                Application.DoEvents()
                SendKeys.Flush()
            Loop
        End If

        'disable task manager for, control shift esc.
        If (Hookstruct.vkCode = VK_ESCAPE) And CBool(GetAsyncKeyState(VK_CONTROL) And &H8000) And CBool(GetAsyncKeyState(VK_SHIFT) And &H8000) Then
            Return True
        End If

        Return False
    End Function

    'Call this to hook keyboard
    ' Installs KeyboardCallback as a WH_KEYBOARD_LL hook. dwThreadId is 0, so
    ' the hook is not limited to this application's threads.
    ' NOTE(review): the return value is stored but never checked, and calling
    ' this twice overwrites KeyboardHandle without removing the first hook.
    Public Sub HookKeyboard()
        callback = New KeyboardHookDelegate(AddressOf KeyboardCallback)
        KeyboardHandle = SetWindowsHookEx(WH_KEYBOARD_LL, callback, Marshal.GetHINSTANCE([Assembly].GetExecutingAssembly.GetModules()(0)).ToInt32, 0)
    End Sub

    ' UnhookKeyboard is very important to include in the form's unload.
    ' Removes the hook if one was recorded.
    ' NOTE(review): KeyboardHandle is not reset to 0 afterwards, so Hooked()
    ' keeps reporting True and a later call unhooks a stale handle.
    Public Sub UnhookKeyboard()
        If (Hooked()) Then
            Call UnhookWindowsHookEx(KeyboardHandle)
        End If
    End Sub

    'Indicates hook success.
    ' True when KeyboardHandle is non-zero. No "As" clause is given, so the
    ' return type is not declared as Boolean.
    Private Function Hooked()
        Hooked = KeyboardHandle <> 0
    End Function

    ' Hook procedure invoked for keyboard events. For HC_ACTION it asks
    ' IsHooked whether to swallow the key: returning 1 stops the keystroke
    ' here, otherwise the event is forwarded with CallNextHookEx.
    Public Function KeyboardCallback(ByVal Code As Integer, ByVal wParam As Integer, ByRef lParam As KBDLLHOOKSTRUCT) As Integer
        If (Code = HC_ACTION) Then
            If (IsHooked(lParam)) Then
                Return 1
            End If
        End If
        Return CallNextHookEx(KeyboardHandle, Code, wParam, lParam)
    End Function

    ' Removes the hook when the form is closed; errors are ignored.
    Private Sub Form1_Closed(ByVal sender As Object, ByVal e As System.EventArgs) Handles MyBase.Closed
        On Error Resume Next

        'unhook keyboard control
        UnhookKeyboard()
    End Sub

    ' "Disable task manager." button: installs the keyboard hook.
    Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
        HookKeyboard()
    End Sub

    ' "Enable Task manager" button: removes the keyboard hook; errors are ignored.
    Private Sub Button2_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button2.Click
        On Error Resume Next
        UnhookKeyboard()
    End Sub
End Class

Last fiddled with by TTn on 2005-09-05 at 22:54
Old 2005-12-21, 11:44   #2
TTn
 

3·661 Posts
Default intercept the PATRIOT ACT

By the way, this is a system-wide keyboard hook, with the ability to intercept and modify Windows messages.
For example, it could grab any password before it is encrypted.

I've also been working on ways to detect this type of interception and/or modification, so that steps can be taken against it.
I've deemed this work CLASSIFIED, for good reason, but it can be made available to those that properly identify themselves.

So far, the most promising work has to do with the "OWNER" copy of Windows XP. I discovered that this hybrid has a UNIQUE set of privileges. I have looked extensively into the PUBLIC existence of this type of Windows user, and have found that it does not exist.
Old 2005-12-21, 12:27   #3
BotXXX
 
 
Aug 2003
Europe

C216 Posts
Default

And why do you want to disable the Task Manager???
Old 2005-12-21, 13:06   #4
TTn
 

202708 Posts
Default security

To prove that a hardware interrupt can be handled at the application level.
In code guru forums this is a very common question.
All the moderators and super mods thought it was impossible.

It is also useful if you want a specifically designed, more secure task manager to come up instead while your particular application is running, or at any other time. Think about it: the keyboard is forced to fire the interrupt, which msgina.dll handles. Since it can be handled, this is a security risk.

I've taken these steps to understand it, so that I can develop against it for my application's security.

Last fiddled with by TTn on 2005-12-21 at 13:14
Old 2005-12-21, 13:40   #5
rogue
 
 
"Mark"
Apr 2003
Between here and the

22×52×59 Posts
Default

There are other ways to start the task manager that do not require the keyboard...

I suspect the people who really want to do this are the same ones that attach a distributed computing project executable to a virus and then prevent users from finding out about it...

Last fiddled with by rogue on 2005-12-21 at 13:41
Old 2005-12-21, 14:06   #6
xilman
Bamboozled!
 
 
"π’‰Ίπ’ŒŒπ’‡·π’†·π’€­"
May 2003
Down not across

2·32·569 Posts
Default

Quote:
Originally Posted by rogue
There are other ways to start the task manager that do not require the keyboard...

I suspect the people who really want to do this are the same ones that attach a distributed computing project executable to a virus and then prevent users from finding out about it...
Indeed. I hardly ever start the task manager in that manner. Almost always, I right click on the task bar.

There again, I don't use Windows much these days, and when I do it's almost always through a RDP client.

Paul
Old 2005-12-21, 16:12   #7
TTn
 

8,641 Posts
Default

No problem:

' Window handles for the shell taskbar (class "Shell_TrayWnd") and for a
' child window of class "BUTTON" beneath it. Both start at 0.
' NOTE(review): the FindWindow / FindWindowEx declarations are not part of
' the posted snippet.
Dim tWnd As Integer = 0
Dim bWnd As Integer = 0
' Any runtime error in the statements that follow is silently skipped.
On Error Resume Next
tWnd = FindWindow("Shell_TrayWnd", vbNullString)
bWnd = FindWindowEx(tWnd, bWnd, "BUTTON", vbNullString)

The task bar can be hidden, closed and replaced as well
' A show command of 0 hides the window; the windows are hidden, not destroyed.
' NOTE(review): ShowWindow, PostMessage and WM_CLOSE are not declared in the
' posted snippet. From a monitoring standpoint, a non-shell process hiding or
' closing the shell's own windows is a tamper signal worth logging.
ShowWindow(tWnd, 0)
ShowWindow(bWnd, 0)
' Posts a close request to the button window only.
PostMessage(bWnd, WM_CLOSE, 0, 0)
'Call MyTaskBarToTheScene(1)


The ctrl alt delete combo is the hardest to have overcome.
The rest are fairly trivial, all you have to do is set it to a timer looking for the TaskManager window, (pre-initialized for the process). This way there is no flicker.

rogue,
If you are implying that 15k is such a project, why would I publicly announce it? In future versions, a security pack will be available to those who choose it.
Right now I've used what are called "defensive programming techniques" in light of the possible threats.

Last fiddled with by TTn on 2005-12-21 at 16:15
Old 2005-12-21, 16:42   #8
rogue
 
 
"Mark"
Apr 2003
Between here and the

22×52×59 Posts
Default

Quote:
Originally Posted by TTn
rogue,
If you are implying 15k, is such a project why would I publicly announce it. In future versions, a security pack will be available to those who choose it.
Right now I've used what's called as "Defensive programming techniques" in light of the possible threats.
I wasn't directing it at you, but at some dnet users who were using stealth techniques to run the dnet client.

How do you know that users of your software (current or future) won't use this to do the same?

BTW, you still haven't explained what you mean by "threats".
Old 2005-12-21, 18:59   #9
TTn
 

208F16 Posts
Default

Quote:
I wasn't directing it at you, but at some dnet users who were using stealth techniques to run the dnet client.
Oh ok.

Quote:
How do you know that users of your software (current or future) won't use this to do the same?
I don't follow you here.
I am at least 3 steps ahead of the game, if that's what you mean.
Simply using this code in another app, won't work on my app if my security pack is in place.

Quote:
BTW, you still haven't explained what you mean by "threats".
Any threat to the execution of an application that I create at this level.
It could even be used for a terrorist threat, and is why the work is classified only available to the few I trust.
Old 2005-12-21, 19:39   #10
xilman
Bamboozled!
 
 
"π’‰Ίπ’ŒŒπ’‡·π’†·π’€­"
May 2003
Down not across

2·32·569 Posts
Default

Quote:
Originally Posted by TTn
The rest are fairly trivial, all you have to do is set it to a timer looking for the TaskManager window, (pre-initialized for the process). This way there is no flicker.
I am clearly missing something important.

Why can't I just fire up %SYSTEMROOT%\system32\taskmgr.exe and have done with it?

Even if the system-supplied binary has been corrupted somehow, I can just as easily run a copy brought in from another system. And don't give me any guff about window titles, etc. Such things are trivial to modify.

Personally, I invariably have SFU installed on a Windows box. That gives me another bunch of tools (ps(1) for instance) to monitor what's going on with my machine.

Here is the output of "ps A" running on my Windows 2003 Advanced Server machine:

Code:
   PID TTY     TIME CMD
    65 -    0:00.02 zzInterix
   195 n00  0:00.20 csh
   259 -    0:00.10 cron
   321 -    0:00.01 init
   517 n00  0:00.02 ps
   897 -    0:00.00 inetd
  1153 -    0:00.05 sshd
     0 S00 36:44.69 IdleProcess
     4 S00  5:01.49 SystemProcess
   312 S00  0:00.16 smss.exe
   360 S00  0:03.31 csrss.exe
   384 S00  0:11.34 winlogon.exe
   428 S00  0:16.44 services.exe
   440 S00  0:10.57 lsass.exe
   644 S00  0:00.38 svchost.exe
   716 S00  0:09.50 svchost.exe
   776 S00  0:00.91 svchost.exe
   792 S00  0:00.34 svchost.exe
   804 S00  0:51.66 svchost.exe
   972 S00  0:00.25 spoolsv.exe
  1004 S00  0:00.29 msdtc.exe
  1124 S00  0:00.07 nfsclnt.exe
  1164 S00  0:00.03 svchost.exe
  1216 S00  0:30.37 inetinfo.exe
  1232 S00  0:01.04 InoRpc.exe
  1320 S00  0:23.36 InoRT.exe
  1344 S00  3:49.08 InoTask.exe
  1420 S00  0:01.15 mdm.exe
  1460 S00  0:00.01 svchost.exe
  1584 S00  0:00.09 rshsvc.exe
  1700 S00  0:22.74 WMServer.exe
  1804 S00  0:00.01 PSXRUN.EXE
  1828 S00  0:01.90 psxss.exe
  1836 S00  0:00.54 mapsvc.exe
  1860 S00  0:00.64 nfssvc.exe
  1920 S00  0:01.32 svchost.exe
  2804 S00  0:05.26 svchost.exe
  3092 S00  0:01.21 wmiprvse.exe
  3488 S00  0:00.27 logon.scr
  3800 S01  0:04.57 csrss.exe
  3824 S01  0:02.46 winlogon.exe
  4004 S01  0:00.09 rdpclip.exe
  4076 S01  4:53.23 Explorer.EXE
   348 S01  0:00.91 realmon.exe
   164 S01  0:00.28 posix.exe
  1444 S01  1:22.57 nfsGUI.exe
  1676 S01  0:11.74 nfsnetclient.exe
  2004 S01  0:00.02 cmd.exe
  4064 S01 56:43.47 LineSiever.exe
  2572 S01  0:04.38 taskmgr.exe
  3068 S01  0:01.54 mmc.exe
  1600 S00  0:00.15 wmiprvse.exe
Note the taskmgr.exe and the NFSNET client software.

I really can't make any sense of your threat model. You need to explain it further before I understand what you are trying to protect against.

Of course, this is just an intellectual exercise for me, as I rarely make much use of Windows boxes since leaving Microsoft Research. (BTW, do you still not believe my claim that I was at MSR for almost 7 years? I remember you had difficulty believing it earlier.)

Paul
Old 2005-12-21, 19:42   #11
alpertron
 
 
Aug 2002
Buenos Aires, Argentina

33·72 Posts
Default

Quote:
Originally Posted by TTn
To prove that a hardware interupt can be handled at the application level.
In code guru forums this is a very common question.
All the moderators and super mods thought it was impossible.
If I cannot access the task manager, I would assume that my computer has a virus. In any case, your attempts above do not cover the case where I start a DOS command prompt and type taskmgr.

Anyway the code does not capture interrupts. It is just reading the system keyboard queue. I assume (but I didn't test it) that when I use the Windows API to inject keys to the queue your code will catch the keys, but there is no interrupt involved.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation.
A copy of the license is included in the FAQ.