Comments on: Playing with utilman.exe, The Motion Picture http://blog.didierstevens.com/2006/09/05/playing-with-utilmanexe-the-motion-picture/ (blog 'DidierStevens) Fri, 12 Mar 2010 08:07:51 +0000 http://wordpress.com/ hourly 1 By: Youssef Obeid http://blog.didierstevens.com/2006/09/05/playing-with-utilmanexe-the-motion-picture/#comment-34238 Youssef Obeid Sat, 28 Feb 2009 08:08:14 +0000 http://didierstevens.wordpress.com/2006/09/05/playing-with-utilmanexe-the-motion-picture/#comment-34238 "If you want to hack windows system password all you need is to change osk.exe or magnify.exe by a winrar version compined with a cmd.exe . and replace this fake osk.exe by the real one in dll cache and after by the one fined in system32 so when we will press winlogon+U before accessing to the desktop we can enter to cmd.exe by clicking on on-screen-keyboard to start and we can change administrator password : net user net user administrator xxx and if we need to know the password we can crack it by ntlm and nt hashes by copying a file from a usb or a cd through cmd to the local drive c:/ using john the ripper you can know password or even you can let an ppsr.exe password protected system recovery while this program is launched you can know the password of the user and access it .. “If you want to hack windows system password all you need is to change osk.exe or magnify.exe by a winrar version compined with a cmd.exe .
and replace this fake osk.exe by the real one in dll cache and after by the one fined in system32 so when we will press winlogon+U before accessing to the desktop we can enter to cmd.exe by clicking on on-screen-keyboard to start and we can change administrator password :
net user
net user administrator xxx
and if we need to know the password we can crack it by ntlm and nt hashes by copying a file from a usb or a cd through cmd to the local drive c:/ using john the ripper you can know password or even you can let an ppsr.exe password protected system recovery while this program is launched you can know the password of the user and access it ..

]]> By: Dave http://blog.didierstevens.com/2006/09/05/playing-with-utilmanexe-the-motion-picture/#comment-34153 Dave Wed, 28 Jan 2009 22:09:16 +0000 http://didierstevens.wordpress.com/2006/09/05/playing-with-utilmanexe-the-motion-picture/#comment-34153 I've revisited the utilman.exe trick and it seems that Microsoft have managed to disable it in Windows XP Pro SP3. I've just tried it on my fully patched PC and it doesn't work. I wondered if it was because I had only put the new utilman.exe (i.e. renamed version of cmd.exe) into c:\windows\system32 so I tried putting a copy into just c:\windows\system32\dllcache (it didn't automatically put a copy into c:\windows\system32, presumably because Windows realised that the "utilman.exe" wasn't the real thing) and then I tried putting a copy into both c:\windows\system32 as well as c:\windows\system32\dllcache. Nada. I put everything back as it should be and, sure enough, I could start the Utility Manager from the Windows login screen using Windows+U. I don't know if you (Didier) have any inside information from your sources about how to make the trick work again? Alternatively, I don't know if anyone else might have any clues? I see that sp0x0f3d_1p was very active in his/her (apologies as I don't know which is correct!) contribution to this topic so that might be another way of investigating. I know that you (Didier) will be able to access the contact e-mail address so you might just want to fire a quick message as I doubt that sp0x0f3d_1p will look at this thread routinely. I’ve revisited the utilman.exe trick and it seems that Microsoft have managed to disable it in Windows XP Pro SP3. I’ve just tried it on my fully patched PC and it doesn’t work. I wondered if it was because I had only put the new utilman.exe (i.e. renamed version of cmd.exe) into c:\windows\system32 so I tried putting a copy into just c:\windows\system32\dllcache (it didn’t automatically put a copy into c:\windows\system32, presumably because Windows realised that the “utilman.exe” wasn’t the real thing) and then I tried putting a copy into both c:\windows\system32 as well as c:\windows\system32\dllcache. Nada. I put everything back as it should be and, sure enough, I could start the Utility Manager from the Windows login screen using Windows+U.

I don’t know if you (Didier) have any inside information from your sources about how to make the trick work again? Alternatively, I don’t know if anyone else might have any clues? I see that sp0×0f3d_1p was very active in his/her (apologies as I don’t know which is correct!) contribution to this topic so that might be another way of investigating. I know that you (Didier) will be able to access the contact e-mail address so you might just want to fire a quick message as I doubt that sp0×0f3d_1p will look at this thread routinely.

]]> By: Thim http://blog.didierstevens.com/2006/09/05/playing-with-utilmanexe-the-motion-picture/#comment-32964 Thim Mon, 16 Jun 2008 15:24:48 +0000 http://didierstevens.wordpress.com/2006/09/05/playing-with-utilmanexe-the-motion-picture/#comment-32964 anyone help how to get this work with regedit? anyone help how to get this work with regedit?

]]> By: Idetrorce http://blog.didierstevens.com/2006/09/05/playing-with-utilmanexe-the-motion-picture/#comment-23207 Idetrorce Sat, 15 Dec 2007 10:58:57 +0000 http://didierstevens.wordpress.com/2006/09/05/playing-with-utilmanexe-the-motion-picture/#comment-23207 very interesting, but I don't agree with you Idetrorce very interesting, but I don’t agree with you
Idetrorce

]]> By: Didier Stevens http://blog.didierstevens.com/2006/09/05/playing-with-utilmanexe-the-motion-picture/#comment-10374 Didier Stevens Thu, 28 Jun 2007 20:26:33 +0000 http://didierstevens.wordpress.com/2006/09/05/playing-with-utilmanexe-the-motion-picture/#comment-10374 Very interesting idea. The length of sfcfiles.dll doesn't necessarily have to increase. You see, there is a bit of spare room in PE files. The size of each section in a PE file is rounded (up to the nearest 0x100 multiple, if I remember correctly). So on average, you'll have 128 bytes of spare room to add your file. Very interesting idea. The length of sfcfiles.dll doesn’t necessarily have to increase. You see, there is a bit of spare room in PE files. The size of each section in a PE file is rounded (up to the nearest 0×100 multiple, if I remember correctly). So on average, you’ll have 128 bytes of spare room to add your file.

]]> By: Dave http://blog.didierstevens.com/2006/09/05/playing-with-utilmanexe-the-motion-picture/#comment-10300 Dave Wed, 27 Jun 2007 18:30:42 +0000 http://didierstevens.wordpress.com/2006/09/05/playing-with-utilmanexe-the-motion-picture/#comment-10300 I've been a regular viewer here for a little while but missed this one. What an intriguing trick! Like you, I've been thinking a little laterally. There are plenty of articles around about disabling WFP, either temporarily or permanently, but what about *adding* a file to WFP? I realise that the appropriate file will have to be put into the cache, but I foresee problems editing %systemroot%\sfcfiles.dll. When utilman.exe entries are zeroed, the length of %systemroot%\sfcfiles.dll remains the same but the CRC must be changed and I can understand that. However, if I wanted to add myfile.exe to %systemroot%\sfcfiles.dll, I'd have to add it several times and that will increase the length of %systemroot%\sfcfiles.dll. Will that matter? I don't have a spare "lab" PC at present to play around and I don't feel inclined to use my working PC! I don't have any need for adding myfile.exe to WFP, I just put my brain into gear and let it run: "how does WFP really work?" and "what else can be done?". Regards Dave I’ve been a regular viewer here for a little while but missed this one. What an intriguing trick!

Like you, I’ve been thinking a little laterally. There are plenty of articles around about disabling WFP, either temporarily or permanently, but what about *adding* a file to WFP? I realise that the appropriate file will have to be put into the cache, but I foresee problems editing %systemroot%\sfcfiles.dll. When utilman.exe entries are zeroed, the length of %systemroot%\sfcfiles.dll remains the same but the CRC must be changed and I can understand that. However, if I wanted to add myfile.exe to %systemroot%\sfcfiles.dll, I’d have to add it several times and that will increase the length of %systemroot%\sfcfiles.dll. Will that matter? I don’t have a spare “lab” PC at present to play around and I don’t feel inclined to use my working PC!

I don’t have any need for adding myfile.exe to WFP, I just put my brain into gear and let it run: “how does WFP really work?” and “what else can be done?”.

Regards

Dave

]]> By: Didier Stevens http://blog.didierstevens.com/2006/09/05/playing-with-utilmanexe-the-motion-picture/#comment-1298 Didier Stevens Tue, 27 Mar 2007 20:30:47 +0000 http://didierstevens.wordpress.com/2006/09/05/playing-with-utilmanexe-the-motion-picture/#comment-1298 Looks interesting. If you do make the prog, please send it to me. Looks interesting. If you do make the prog, please send it to me.

]]> By: sp0x0f3d_1p http://blog.didierstevens.com/2006/09/05/playing-with-utilmanexe-the-motion-picture/#comment-1186 sp0x0f3d_1p Mon, 26 Mar 2007 06:14:45 +0000 http://didierstevens.wordpress.com/2006/09/05/playing-with-utilmanexe-the-motion-picture/#comment-1186 yeah,i know,but you have already shown how to write launcher to attach process at current desktop.so the main goal of tech i described is to run the attack without rebooting and overwiting system files...so you dont have to bypass any windos file protection...and more..if it's impossible to get launcher on the target sys it's possible to override the call of utilman and pass some arguments to our intercepting prog(cmd for example)and to run smth. But in most cases we will be able to deliver the launcher to the target system.and even more...if you patch dll or overwite util man..and after that target will check system integrity..you will be detected...and if you yo use debugger interception..nothing will break system untegrity coz using that registry key is legal from the point of view of most AV and other sec software. But if you still want to break WFP you could use more stealth tech.we assume that you already have Admin Rights on target system.so you could easily bypass WFP and again without modifying any dll..you just have to openprocess() winlogon and to cut its handles to c:\windows(dir) c:\windows\system32(dir) and dllcahe(dir) and now untill next reboot WFP will be blind to your activity..and after rbooting it will not detect that you changed smth. Waiting for your comments. best Regards, Sp00f. PS i'm gonna write small prog utilizing the tech described..could send you if you are interested. yeah,i know,but you have already shown how to write launcher to attach process at current desktop.so the main goal of tech i described is to run the attack without rebooting and overwiting system files…so you dont have to bypass any windos file protection…and more..if it’s impossible to get launcher on the target sys it’s possible to override the call of utilman and pass some arguments to our intercepting prog(cmd for example)and to run smth.
But in most cases we will be able to deliver the launcher to the target system.and even more…if you patch dll or overwite util man..and after that target will check system integrity..you will be detected…and if you yo use debugger interception..nothing will break system untegrity coz using that registry key is legal from the point of view of most AV and other sec software.
But if you still want to break WFP you could use more stealth tech.we assume that you already have Admin Rights on target system.so you could easily bypass WFP and again without modifying any dll..you just have to openprocess() winlogon and to cut its handles to c:\windows(dir) c:\windows\system32(dir) and dllcahe(dir) and now untill next reboot WFP will be blind to your activity..and after rbooting it will not detect that you changed smth.
Waiting for your comments.
best Regards, Sp00f.
PS i’m gonna write small prog utilizing the tech described..could send you if you are interested.

]]> By: Didier Stevens http://blog.didierstevens.com/2006/09/05/playing-with-utilmanexe-the-motion-picture/#comment-1067 Didier Stevens Sat, 24 Mar 2007 07:39:17 +0000 http://didierstevens.wordpress.com/2006/09/05/playing-with-utilmanexe-the-motion-picture/#comment-1067 I'll have to try this. We use this key to debug programs, but it didn't occur to me to use it for utilman. Your example with notepad will launch notepad on the services desktop, so you will not see it on your desktop. I’ll have to try this. We use this key to debug programs, but it didn’t occur to me to use it for utilman. Your example with notepad will launch notepad on the services desktop, so you will not see it on your desktop.

]]> By: sp0x0f3d_1p http://blog.didierstevens.com/2006/09/05/playing-with-utilmanexe-the-motion-picture/#comment-998 sp0x0f3d_1p Thu, 22 Mar 2007 15:05:08 +0000 http://didierstevens.wordpress.com/2006/09/05/playing-with-utilmanexe-the-motion-picture/#comment-998 Hi there,thank you for that trooly cool trick. I wanna suggest you kind of technique to backdoor the system not modifying any file. Here is very interesting regkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options using it you could easily backdoor a system. just create there key named utilman.exe and string param in it named Debugger. Value of this param is the path to file you wanna launch instead of utilman.exe. so Finaly it'll look like: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe] "Debugger"="\"C:\\windows\\notepad.exe\"" So notepad will be launched instead of utilman.exe. Best Regards, Sp00f Hi there,thank you for that trooly cool trick.
I wanna suggest you kind of technique to backdoor the system not modifying any file.

Here is very interesting regkey:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

using it you could easily backdoor a system.
just create there key named utilman.exe and string param in it named Debugger. Value of this param is the path to file you wanna launch instead of utilman.exe. so

Finaly it’ll look like:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe]
“Debugger”=”\”C:\\windows\\notepad.exe\”"

So notepad will be launched instead of utilman.exe.

Best Regards, Sp00f

]]>