Didier Stevens

Tuesday 1 May 2012

Update: TaskManager.xls V0.1.3 Killer Shellcode

Filed under: My Software,Shellcode,Update — Didier Stevens @ 10:49

My TaskManager spreadsheet provides you with a couple of commands to terminate (malicious) programs. But sometimes these commands can’t terminate a process (for various reasons).

Today I’m adding a new command to our toolkit: injecting and executing shellcode in the target process. I’m providing 32-bit and 64-bit shellcode that calls ExitProcess. When this shellcode is injected and executed inside a process, the process will terminate itself.

Here I’m using the command “e ep64″: this command injects and executes the shellcode found in sheet ep64 (as hex strings) in process notepad:

The result is that notepad will terminate itself.

When using TaskManager on a 64-bit system, you’ll have to pay attention to the following: to terminate a 32-bit process, you inject 32-bit shellcode (ep32) and for a 64-bit process, you use 64-bit shellcode (ep64). And a 32-bit process can’t access a 64-bit process’ memory through the Windows API, so if you are using 32-bit Excel on a 64-bit machine, you won’t be able to inject shellcode into 64-bit processes.

FYI: If you want to know more about 32-bit and 64-bit processes on x64 Windows, I’ll bedoing a workshop at Brucon this year: “Windows x64: The Essentials”.

TaskManager_V0_1_3.zip (https)
MD5: 38DED14A7A468923C3552A6135CC570C
SHA256: CABD1F73C8D069A85EA439D7AFF736723B5759A6ED929FB3F21A4ADD3D0605BC

7 Comments »

  1. [...] Nouvelle version de TaskManager.xls. [...]

    Pingback by .:[ d4 n3wS ]:. » TaskManager.xls — Monday 7 May 2012 @ 7:39

  2. very good project, thanks for your work didier

    Comment by dragonjar — Saturday 12 May 2012 @ 18:01

  3. [...] I wrote shellcode that calls ExitProcess for my TaskManager.xls spreadsheet. [...]

    Pingback by ExitProcess Shellcode « Didier Stevens — Monday 14 May 2012 @ 0:19

  4. [...] Update: TaskManager.xls V0.1.3 Killer Shellcode TaskManager.xls가 64비트에서도 잘 동작하도록 수정되었고 프로세스 중지/실행/종료, 쉘코드 인젝션 명령도 추가했다.. [...]

    Pingback by [May 2012] FI Newsletter | FORENSIC INSIGHT — Friday 8 June 2012 @ 4:40

  5. Symantec flag this version of TaskManager as containing malware Bloodhound.Macro.Prinj

    http://www.symantec.com/security_response/writeup.jsp?docid=2011-112409-5255-99

    I’m presuming that your distro isn’t actually infected, but that the injection scheme used matches an existing malware sample – but you might want to work with them to eliminate this. Then again, maybe we ought to be alerted to such shellcode injections – someone could take this and produce malware that’s hard to distinguish.

    https://www.virustotal.com/file/cabd1f73c8d069a85ea439d7aff736723b5759a6ed929fb3f21a4add3d0605bc/analysis/

    Comment by James Beckett — Monday 23 July 2012 @ 14:30

  6. Yup – extracted the VB script, and created a new Excel file with just the ExecuteShellcodeByID function and the PROCESS_* Consts, and that gets quarantined immediately upon saving. Doesn’t even matter what the actual shellcode is.

    Comment by James Beckett — Monday 23 July 2012 @ 15:02

  7. @James Good to know, thanks for sharing.

    Comment by Didier Stevens — Tuesday 24 July 2012 @ 9:22


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 228 other followers

%d bloggers like this: