Tuesday, March 11, 2008

Image File Execution Options

This is an old and interesting trick. See the references at the end of the post.

The "Image File Execution Options" registry key is where Windows looks for a debugger to launch for a given executable. To set one up:
  1. Start regedit.exe
  2. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
  3. Create a subkey named after your executable file (the file name only, no path), e.g. test.exe
  4. Under that subkey, create a string value (REG_SZ) named "Debugger" whose data is the full path to your debugger.
From now on, every time "test.exe" is launched, CreateProcess starts the debugger instead, with the original command line (the path of test.exe plus its arguments) appended after the debugger path. The debugger is expected to create and attach to test.exe itself; if it never does, test.exe simply does not run.

Start to smell something? Can we replace a well-known executable with something malicious? For example, create a subkey for an antivirus program and point its "Debugger" value at a piece of malware.

Yes, you can. In fact it is a very common trick used by malware to disable well-known antivirus applications. It works because Windows never verifies that the "debugger" is truly a debugger: CreateProcess just prepends the Debugger string to the command line and runs whatever it names, and the original program only runs if that process chooses to start it. The one obstacle is that the key lives under HKLM, so writing it requires administrative rights (on Vista, an elevated process).

Mark Russinovich and Bryce Cogswell use this technique to implement the "Replace Task Manager" feature of their Process Explorer utility. Get Process Explorer, enable "Replace Task Manager" in its Options menu, and check HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe - the Debugger value points to the full path of procexp.exe, which ignores the taskmgr.exe argument and just shows itself.

What if I have two executable files pointing at each other as debugger, like calc.exe and notepad.exe? What will happen then? Try it yourself with this sample registry script (adjust the System32 paths to your own %SystemRoot%):

Windows Registry Editor Version 5.00

; calc.exe is "debugged" by notepad.exe ...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\calc.exe]
"Debugger"="C:\\Windows\\System32\\notepad.exe"

; ... and notepad.exe is "debugged" by calc.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Windows\\System32\\calc.exe"
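The flip side of the trick is checking your own machines for it. The following script is an added example, not code from this post or from Sysinternals: it parses the text produced by "reg export" of the Image File Execution Options key, lists every image that has a Debugger value, flags debuggers that are not on an allow-list, and follows the Debugger chain to spot the calc.exe/notepad.exe style cycle. The allow-list, the sample export and the "antivirus.exe"/"dropper.exe" names are all constructed for the example.

```python
"""Audit an exported 'Image File Execution Options' key for Debugger hijacks.

Input is the text written by (run as administrator; reg.exe writes UTF-16):
    reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg
"""
import re
import sys

IFEO_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
               r"\CurrentVersion\Image File Execution Options")

# Assumption: these are the only programs that may legitimately sit in a Debugger value.
KNOWN_DEBUGGERS = {"ntsd.exe", "cdb.exe", "windbg.exe", "vsjitdebugger.exe", "procexp.exe"}


def parse_ifeo(reg_text):
    """Return {image_name: debugger_command} for every direct IFEO subkey with a Debugger value."""
    mappings = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            rest = path[len(IFEO_PREFIX) + 1:]
            # Only direct children (e.g. ...\calc.exe) are consulted by CreateProcess;
            # deeper keys such as ...\calc.exe\PerfOptions carry no Debugger.
            if path.lower().startswith(IFEO_PREFIX.lower() + "\\") and "\\" not in rest:
                current = rest.lower()
            else:
                current = None
            continue
        m = re.match(r'"Debugger"="(.*)"$', line, re.IGNORECASE)
        if m and current is not None:
            # .reg syntax escapes backslashes and quotes with a backslash; undo that in one pass.
            mappings[current] = re.sub(r"\\(.)", r"\1", m.group(1))
    return mappings


def debugger_image(command):
    """File name of the executable a Debugger command launches (first token, quotes stripped)."""
    command = command.strip()
    if command.startswith('"'):
        exe = command[1:].split('"', 1)[0]
    else:
        exe = command.split(" ", 1)[0]
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_hijacks(mappings):
    """Return (image, reason) pairs for unknown debuggers and for Debugger cycles."""
    findings = []
    for image, command in sorted(mappings.items()):
        dbg = debugger_image(command)
        if dbg not in KNOWN_DEBUGGERS:
            findings.append((image, "unknown debugger: " + command))
        # Follow image -> debugger -> its debugger ...; revisiting a name means CreateProcess
        # never reaches a real image (the calc.exe/notepad.exe experiment from the post).
        chain = [image]
        nxt = dbg
        while nxt in mappings and nxt not in chain:
            chain.append(nxt)
            nxt = debugger_image(mappings[nxt])
        if nxt in chain:
            findings.append((image, "debugger cycle: " + " -> ".join(chain + [nxt])))
    return findings


# Constructed sample export (not from a real system): the Process Explorer entry and the
# calc/notepad cycle described in the post, plus a made-up antivirus hijack.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="\"C:\\Program Files\\Sysinternals\\procexp.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antivirus.exe]
"Debugger"="C:\\Windows\\Temp\\dropper.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\calc.exe]
"Debugger"="C:\\Windows\\System32\\notepad.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Windows\\System32\\calc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\calc.exe\PerfOptions]
"CpuPriorityClass"=dword:00000003
'''


if __name__ == "__main__":
    # Pass a real export as argv[1]; reg.exe writes UTF-16 with a BOM, which "utf-16" handles.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-16") as fh:
            text = fh.read()
    else:
        text = SAMPLE_EXPORT
    for image, reason in find_hijacks(parse_ifeo(text)):
        print("%-16s %s" % (image, reason))
```

Run against the embedded sample it reports antivirus.exe once (unknown debugger) and calc.exe and notepad.exe twice each (unknown debugger and cycle), while taskmgr.exe passes because procexp.exe is on the allow-list. On a production host, expect to tune KNOWN_DEBUGGERS, since the only honest verdict on an entry that is not a debugger you installed is "investigate".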

Some references (the first two are MSDN blogs):
  • Junfeng Zhang's Windows Programming Notes at http://blogs.msdn.com/junfeng/archive/2004/04/28/121871.aspx
  • greggm's weblog at http://blogs.msdn.com/greggm/archive/2005/02/21/377663.aspx
  • Image File Execution Options: Good, Evil, Fun at http://mygreenpaste.blogspot.com/2005/07/image-file-execution-options-good-evil.html
  • Abusing "Image File Execution Options" at http://isc.sans.org/diary.html?storyid=4039