My TaskManager spreadsheet provides you with a couple of commands to terminate (malicious) programs. But sometimes these commands can’t terminate a process (for various reasons).
Today I’m adding a new command to our toolkit: injecting and executing shellcode in the target process. I’m providing 32-bit and 64-bit shellcode that calls ExitProcess. When this shellcode is injected and executed inside a process, the process will terminate itself.
Here I’m using the command “e ep64”: this command injects and executes the shellcode found in sheet ep64 (stored as hex strings) in the notepad process:
The result is that notepad will terminate itself.
When using TaskManager on a 64-bit system, you’ll have to pay attention to the following: to terminate a 32-bit process, you inject 32-bit shellcode (ep32) and for a 64-bit process, you use 64-bit shellcode (ep64). And a 32-bit process can’t access a 64-bit process’ memory through the Windows API, so if you are using 32-bit Excel on a 64-bit machine, you won’t be able to inject shellcode into 64-bit processes.
FYI: If you want to know more about 32-bit and 64-bit processes on x64 Windows, I’ll be doing a workshop at Brucon this year: “Windows x64: The Essentials”.
TaskManager_V0_1_3.zip (https)
MD5: 38DED14A7A468923C3552A6135CC570C
SHA256: CABD1F73C8D069A85EA439D7AFF736723B5759A6ED929FB3F21A4ADD3D0605BC
[…] New version of TaskManager.xls. […]
Pingback by .:[ d4 n3wS ]:. » TaskManager.xls — Monday 7 May 2012 @ 7:39
very good project, thanks for your work didier
Comment by dragonjar — Saturday 12 May 2012 @ 18:01
[…] I wrote shellcode that calls ExitProcess for my TaskManager.xls spreadsheet. […]
Pingback by ExitProcess Shellcode « Didier Stevens — Monday 14 May 2012 @ 0:19
[…] Update: TaskManager.xls V0.1.3 Killer Shellcode TaskManager.xls was modified to work properly on 64-bit as well, and process stop/run/terminate and shellcode injection commands were added. […]
Pingback by [May 2012] FI Newsletter | FORENSIC INSIGHT — Friday 8 June 2012 @ 4:40
Symantec flags this version of TaskManager as containing malware Bloodhound.Macro.Prinj
http://www.symantec.com/security_response/writeup.jsp?docid=2011-112409-5255-99
I’m presuming that your distro isn’t actually infected, but that the injection scheme used matches an existing malware sample – but you might want to work with them to eliminate this. Then again, maybe we ought to be alerted to such shellcode injections – someone could take this and produce malware that’s hard to distinguish.
https://www.virustotal.com/file/cabd1f73c8d069a85ea439d7aff736723b5759a6ed929fb3f21a4add3d0605bc/analysis/
Comment by James Beckett — Monday 23 July 2012 @ 14:30
Yup – extracted the VB script, and created a new Excel file with just the ExecuteShellcodeByID function and the PROCESS_* Consts, and that gets quarantined immediately upon saving. Doesn’t even matter what the actual shellcode is.
Comment by James Beckett — Monday 23 July 2012 @ 15:02
@James Good to know, thanks for sharing.
Comment by Didier Stevens — Tuesday 24 July 2012 @ 9:22
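As an added illustration of what James Beckett observed above (the declarations alone, with no shellcode present, are enough to trip the Bloodhound.Macro.Prinj heuristic), here is a small Python triage scanner, not part of TaskManager.xls, that flags extracted VBA source when the usual remote-injection Win32 imports appear together with PROCESS_* constants. Which Win32 APIs ExecuteShellcodeByID actually declares is my assumption, and the sample VBA module is constructed.

```python
import re

# Win32 APIs that, declared together in one VBA module, form the usual
# remote-shellcode-injection chain. Assumed, not taken from the spreadsheet.
INJECTION_APIS = {"OpenProcess", "VirtualAllocEx",
                  "WriteProcessMemory", "CreateRemoteThread"}

# Matches: Declare [PtrSafe] Function|Sub <name> Lib "<dll>" [Alias "<export>"]
DECLARE_RE = re.compile(
    r'Declare\s+(?:PtrSafe\s+)?(?:Function|Sub)\s+(\w+)\s+Lib\s+"([^"]+)"'
    r'(?:\s+Alias\s+"([^"]+)")?', re.IGNORECASE)
# Matches: Const PROCESS_<something>
CONST_RE = re.compile(r'\bConst\s+(PROCESS_\w+)', re.IGNORECASE)


def declared_apis(vba_source):
    """Return the set of exported symbols a VBA module imports via Declare.
    The Alias name wins when present, because that is the real export."""
    return {alias or name for name, _dll, alias in DECLARE_RE.findall(vba_source)}


def triage_macro(vba_source):
    """Score a module: the full injection chain plus PROCESS_* access-right
    constants is what the stripped-down test file in the comments contained."""
    apis = declared_apis(vba_source)
    consts = {m.group(1).upper() for m in CONST_RE.finditer(vba_source)}
    hits = apis & INJECTION_APIS
    return {
        "injection_apis": sorted(hits),
        "process_consts": sorted(consts),
        "suspicious": hits == INJECTION_APIS and bool(consts),
    }


# Constructed sample: declarations only, no shellcode, parameter lists omitted
# with "..." since the scanner only reads the Declare header.
SAMPLE_VBA = '''
Private Const PROCESS_VM_OPERATION As Long = &H8
Private Const PROCESS_VM_WRITE As Long = &H20
Private Declare PtrSafe Function OpenProcess Lib "kernel32" (...) As LongPtr
Private Declare PtrSafe Function VirtualAllocEx Lib "kernel32" (...) As LongPtr
Private Declare PtrSafe Function WriteProcessMemory Lib "kernel32" (...) As Long
Private Declare PtrSafe Function CreateRemoteThread Lib "kernel32" (...) As LongPtr
Private Declare PtrSafe Function LookupAccountSid Lib "advapi32" Alias "LookupAccountSidA" (...) As Long
'''

if __name__ == "__main__":
    print(triage_macro(SAMPLE_VBA))
```

A single declaration such as OpenProcess on its own is not flagged; only the complete chain together with the access-right constants is.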
EXCEL2013 (64-bit) crashes when calling the function LookupAccountSid() needed to fill the “user” column (List Processes)
Comment by Anonymous — Friday 30 December 2016 @ 17:46