Patching Taskmgr.exe

Wednesday, February 22 2006 @ 01:22 PM CET

Contributed by: Devoney

Level : newbie

Type: Patching
Victim: Taskmgr.exe
Protection: registry value (DisableTaskMgr)
Tool: Ollydbg

Intro:
Ever had the problem that when you try to start Task Manager it says it has been disabled by your administrator? Well, that can be solved, of course ;) There is a value in the registry that disables or enables the use of Taskmgr.exe (I am talking about the original one that comes with your Windows installation): the DWORD DisableTaskMgr under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System (the same value under HKEY_LOCAL_MACHINE applies to all users). Taskmgr.exe reads that value every time it starts, so instead of fighting over the registry we patch the check out of the binary itself.



Get to work:
Fire up OllyDbg and open taskmgr.exe (it lives in the system32 folder of your Windows installation, i.e. %SystemRoot%\system32\taskmgr.exe). Go to the CPU window (press ALT+C to get there). You see a lot of code. Now go to the following line:

010039EB  |. FF15 28100001   CALL DWORD PTR DS:[01001028]   ; RegOpenKeyExW (import thunk, decoded from the FF15 bytes)

How did I get to this line? I searched for this API, because I knew the protection works by talking to the registry to check whether you are allowed to use Taskmgr.exe (right-click in the CPU window -> Search for -> All intermodular calls, then look for RegOpenKeyExW). Setting a breakpoint on every reference to this API did not work for me in OllyDbg; it generated memory access errors. So go to the line directly: right-click in the CPU window -> Go to -> Expression, fill in the address 010039EB and press OK. Set a breakpoint there (F2) and check that OllyDbg breaks when you run the program (F9).

So the line you have found opens a registry key (the one that is then queried to see whether you are allowed to use Taskmgr.exe). RegOpenKeyExW returns 0 (ERROR_SUCCESS) when the key exists and could be opened, and a non-zero error code otherwise. Take a look at the two lines below 010039EB:

010039F1  |. 85C0            TEST EAX,EAX
010039F3  |. 74 6F           JNZ SHORT TASKMGR.01003A64

It tests the value returned in EAX and does not jump when that value is zero, i.e. when the key was opened successfully. If the key could not be opened (no policy set at all), it jumps to 01003A64 and the whole check is skipped. (Opcode check: JNZ SHORT is encoded as 75 xx, while 74 xx decodes to JE SHORT, so the byte column and the mnemonic column in the listing above disagree; the behaviour described here, and the patch below, follow the JNZ mnemonic, which is also what makes sense for a "skip if the key is missing" check.) Look a bit further down the code and you will run into these lines:

01003A09  |. 68 98160001     PUSH TASKMGR.01001698          ; |ValueName = "DisableTaskMgr"
01003A0E  |. FF75 EC         PUSH DWORD PTR SS:[EBP-14]     ; |hKey
01003A11  |. FF15 2C100001   CALL DWORD PTR DS:[0100102C]   ; \RegQueryValueExW (import thunk, decoded from the FF15 bytes)

You see it pushes the string DisableTaskMgr: that is the value being read, and it does not sound good for us. Now take a look at the conditional jump we saw earlier. If it DOES jump, it lands at 01003A64 and skips the lines that read DisableTaskMgr and disable your Taskmgr.exe. So change that jump so it is always taken: select the line and press SPACEBAR (or double-click the instruction), type JMP SHORT 01003A64 and press Assemble. JMP is the clean choice; JE works too (the query then only runs when opening the key failed, so it fails as well), but an unconditional jump does not depend on that. Only the first byte changes: JMP SHORT is EB xx, so the displacement 6F stays and the target is still 01003A64.

Now right-click in the CPU window -> Copy to executable -> All modifications.
Click Copy all; a new window pops up showing the patched file. Right-click in that window and choose Save file. Save it under a new name such as Taskmgr_patched.exe rather than over the original in system32: Windows File Protection would simply put the original taskmgr.exe back. Now run your file and it should work!
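OllyDbg's "Copy to executable" silently does the one thing a hex editor cannot do for you: translate the virtual address 010039F3 shown in the disassembler into an offset in the file on disk before writing the new opcode byte. The script below is an added example (not part of the original tutorial or of Windows) that performs the same JNZ -> JMP SHORT patch from the command line: it parses the PE section table, maps the VA to a file offset, checks that a short conditional jump really sits there, rewrites it to EB and verifies that the displacement still points at 01003A64. It generalises the tutorial's edit to any short Jcc (opcodes 70-7F). Because the real taskmgr.exe is not on this page, build_sample_pe() constructs a stand-in with valid PE32 headers, one .text section and just the three instructions quoted above at their quoted addresses; the 0x01000000 image base and the 75 (JNZ) opcode byte are assumptions taken from the listing and its mnemonic.

```python
import struct

# Addresses quoted in the tutorial (taskmgr.exe is loaded at 0x01000000 there).
JUMP_VA = 0x010039F3          # the JNZ SHORT TASKMGR.01003A64 right after TEST EAX,EAX
EXPECTED_TARGET = 0x01003A64  # where that jump lands, skipping the DisableTaskMgr query


def parse_pe(pe):
    """Return (image_base, [(virt_addr, virt_size, raw_ptr, raw_size), ...]) of a PE32 image."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections, = struct.unpack_from("<H", pe, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)
    opt = e_lfanew + 24                       # optional header follows the 20-byte COFF header
    magic, = struct.unpack_from("<H", pe, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled")
    image_base, = struct.unpack_from("<I", pe, opt + 28)
    sections = []
    for i in range(num_sections):
        hdr = opt + opt_size + 40 * i         # IMAGE_SECTION_HEADER is 40 bytes
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", pe, hdr + 8)
        sections.append((va, vsize, rawptr, rawsize))
    return image_base, sections


def va_to_file_offset(pe, va):
    """Translate a virtual address (what OllyDbg shows) into an offset in the file on disk."""
    image_base, sections = parse_pe(pe)
    rva = va - image_base
    for sec_va, vsize, rawptr, rawsize in sections:
        if sec_va <= rva < sec_va + max(vsize, rawsize):
            return rawptr + (rva - sec_va)
    raise ValueError(f"VA {va:#010x} is not backed by any section")


def patch_short_jcc_to_jmp(pe, va):
    """Rewrite the short conditional jump (Jcc rel8, opcodes 70-7F) at `va` to JMP SHORT (EB rel8).

    The displacement byte is kept, so the target is unchanged; the jump is now always taken.
    Returns the jump target so the caller can sanity-check it. Refuses anything that is not a Jcc,
    which also makes a second run on an already patched file fail loudly instead of corrupting it.
    """
    off = va_to_file_offset(pe, va)
    opcode, disp = pe[off], pe[off + 1]
    if not 0x70 <= opcode <= 0x7F:
        raise ValueError(f"no short Jcc at {va:#010x}: opcode {opcode:#04x}")
    if disp >= 0x80:                          # rel8 is signed
        disp -= 0x100
    pe[off] = 0xEB
    return va + 2 + disp


def patch_file(src, dst, va=JUMP_VA, expected_target=EXPECTED_TARGET):
    """Patch a copy of `src` into `dst`; never writes over the original."""
    with open(src, "rb") as f:
        pe = bytearray(f.read())
    target = patch_short_jcc_to_jmp(pe, va)
    if target != expected_target:
        raise ValueError(f"jump at {va:#010x} goes to {target:#010x}, not {expected_target:#010x}")
    with open(dst, "wb") as f:
        f.write(pe)
    return target


def build_sample_pe():
    """Constructed stand-in for taskmgr.exe (not the real binary): valid PE32 headers, one .text
    section, and the three instructions from the tutorial at their quoted addresses."""
    image_base, sec_va, sec_raw, sec_size = 0x01000000, 0x1000, 0x400, 0x3000
    pe = bytearray(sec_raw + sec_size)
    pe[:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x40)                                 # e_lfanew
    pe[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", pe, 0x44, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # COFF header, 1 section
    struct.pack_into("<H", pe, 0x58, 0x10B)                                # PE32 magic
    struct.pack_into("<I", pe, 0x58 + 28, image_base)                      # ImageBase
    sec = 0x58 + 0xE0                                                      # first section header
    pe[sec:sec + 5] = b".text"
    struct.pack_into("<IIII", pe, sec + 8, sec_size, sec_va, sec_size, sec_raw)
    code = bytes.fromhex("FF15 28100001"    # 010039EB  CALL DWORD PTR DS:[01001028] ; RegOpenKeyExW
                         "85C0"             # 010039F1  TEST EAX,EAX
                         "756F")            # 010039F3  JNZ SHORT 01003A64 (75 = JNZ, assumed)
    off = sec_raw + (0x010039EB - image_base - sec_va)
    pe[off:off + len(code)] = code
    return pe


if __name__ == "__main__":
    sample = build_sample_pe()
    off = va_to_file_offset(sample, JUMP_VA)
    print(f"VA {JUMP_VA:#010x} is at file offset {off:#x}: {sample[off:off + 2].hex()}")
    target = patch_short_jcc_to_jmp(sample, JUMP_VA)
    print(f"patched to {sample[off:off + 2].hex()} (JMP SHORT {target:#010x})")
```

To use it on a real copy, call patch_file("taskmgr.exe", "Taskmgr_patched.exe") after confirming in OllyDbg that the Jcc address and its target match this build of the binary; the script aborts rather than write if either check fails.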

Outro:
I have included the original Taskmgr.exe, the tutorial itself in .doc format and the patched version (called Taskmgr_patched.exe). Hopefully you learned something and understood me. Please leave a comment if you found this tutorial useful or if you have any questions about it.

Grtz Devoney,




http://www.reversing.be/article.php?story=20060119132215236