End Task

Discussion in 'ProcessGuard' started by spy1, Jan 27, 2004.

Thread Status:
Not open for further replies.
  1. spy1

    spy1 Registered Member (Joined: Dec 29, 2002; Posts: 3,139; Location: Clover, SC)

    26 Jan 17:52:54 - [END TASK] g:\windows\explorer.exe [840] was blocked from terminating an application using End Task
    26 Jan 17:52:58 - [END TASK] g:\windows\explorer.exe [840] was blocked from terminating an application using End Task
    26 Jan 17:55:37 - [END TASK] g:\windows\explorer.exe [840] was blocked from terminating an application using End Task
    26 Jan 17:55:37 - [END TASK] g:\windows\explorer.exe [840] was blocked from terminating an application using End Task
    26 Jan 17:55:38 - [END TASK] g:\windows\explorer.exe [840] was blocked from terminating an application using End Task
    26 Jan 17:55:43 - [END TASK] g:\windows\explorer.exe [840] was blocked from terminating an application using End Task

    Okay, this was evidently something I was trying to "End Task" on - is this a situation where you have to wait until you have a problem closing something, then give it permission to do so through PG?

    Am I able to do this on a case-by-case basis - or, if I give explorer.exe "end task" permission, isn't it global? And would that result in a vulnerability or not? (I know explorer.exe is itself protected by PG). Pete
     
  2. Pilli

    Pilli Registered Member (Joined: Feb 13, 2002; Posts: 6,217; Location: Hampshire UK)

    Hi Pete, :D
    Could it be the case that another App needs to be added to the list? Maybe an App linked through Explorer.
     
  3. spy1

    spy1 Registered Member (Joined: Dec 29, 2002; Posts: 3,139; Location: Clover, SC)

    Or perhaps adding what task explorer.exe was trying to terminate to the log entry? Pete
     
  4. Pilli

    Pilli Registered Member (Joined: Feb 13, 2002; Posts: 6,217; Location: Hampshire UK)

    I think that is what I meant Pete :)
     
  5. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert (Joined: Jul 19, 2002; Posts: 1,533; Location: Perth, Oz)

    Done.

    After a couple of hours of analysis in ntdll.dll and its stack we finally managed to find a way to determine which process was being terminated (this is a lot trickier than it sounds, especially as End Task doesn't work by process ID, but Window Handles instead, and as we're working at the kernel-level - not user-level - the parameters that are parsed to the EndTask function don't really trickle down to the level we're at).

    Anyway that's all finished now so now finally you can see which task was the target of the End Task termination (this will be in the next public release, Jason has already added the code):
     
  6. spy1

    spy1 Registered Member (Joined: Dec 29, 2002; Posts: 3,139; Location: Clover, SC)

    In the meantime - Pilli was right - I had to add the app's exe (which turned out to be Kazaa++ :D ) to the list in PG. Problem solved. Pete
     
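Added example, not part of the thread and not DiamondCS code: a small parser for the ProcessGuard log lines quoted in the first post that collapses repeated blocks into bursts, so it is easier to see how many distinct End Task attempts a process made before deciding whether to grant it a permission. The line pattern is inferred only from the six entries shown above; the year (the log carries none) and the 10-second burst window are assumptions.

```python
import re
from datetime import datetime, timedelta

# The six entries from the first post, copied verbatim from the thread.
SAMPLE_LOG = r"""
26 Jan 17:52:54 - [END TASK] g:\windows\explorer.exe [840] was blocked from terminating an application using End Task
26 Jan 17:52:58 - [END TASK] g:\windows\explorer.exe [840] was blocked from terminating an application using End Task
26 Jan 17:55:37 - [END TASK] g:\windows\explorer.exe [840] was blocked from terminating an application using End Task
26 Jan 17:55:37 - [END TASK] g:\windows\explorer.exe [840] was blocked from terminating an application using End Task
26 Jan 17:55:38 - [END TASK] g:\windows\explorer.exe [840] was blocked from terminating an application using End Task
26 Jan 17:55:43 - [END TASK] g:\windows\explorer.exe [840] was blocked from terminating an application using End Task
"""

# Layout inferred from the lines above: "<day> <mon> <time> - [<EVENT>] <image> [<pid>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2} \w{3} \d{2}:\d{2}:\d{2}) - \[(?P<event>[^\]]+)\] "
    r"(?P<image>.+?) \[(?P<pid>\d+)\] (?P<message>.+)$"
)

def parse_line(line, year=2004):
    """Return one log entry as a dict, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # The log has no year; 2004 is an assumption taken from the thread date.
    when = datetime.strptime(f"{year} {m['ts']}", "%Y %d %b %H:%M:%S")
    return {"time": when, "event": m["event"], "image": m["image"].lower(),
            "pid": int(m["pid"]), "message": m["message"]}

def group_bursts(events, window=timedelta(seconds=10)):
    """Merge entries with the same (event, image, pid) that are <= window apart."""
    bursts, open_burst = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["event"], ev["image"], ev["pid"])
        cur = open_burst.get(key)
        if cur and ev["time"] - cur["last"] <= window:
            cur["last"], cur["count"] = ev["time"], cur["count"] + 1
        else:
            cur = {"key": key, "first": ev["time"], "last": ev["time"], "count": 1}
            open_burst[key] = cur
            bursts.append(cur)
    return bursts

def summarize(text):
    return group_bursts([e for e in map(parse_line, text.splitlines()) if e])

if __name__ == "__main__":
    for b in summarize(SAMPLE_LOG):
        event, image, pid = b["key"]
        print(f"{b['first']:%d %b %H:%M:%S} [{event}] {image} [{pid}] x{b['count']}")
```
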