
ex-blog Information security world

Dana Epp posted an interesting article about using the Image File Execution Options key in the Windows registry to redirect a process load:

By simply mapping the executable name to a different debugger source, you can actually load something else entirely.

Let me give you a proof of concept:

  1. Start the Registry Editor: Click Start, click Run, and then type regedt32.
  2. Locate the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
  3. To this hive, add the SOURCE exe as a key. Let's use notepad.exe: right click and select New, and then Key (add the key and name it notepad.exe).
  4. To the notepad.exe key, add a new REG_SZ (string) value called Debugger, and point it to c:\windows\system32\cmd.exe
  5. Start up notepad (Click Start, click Run, and then type notepad)
  6. Notice that a new cmd window opened instead [more in Dana's blog entry]

BTW, Mark Russinovich's Process Explorer uses this same technique to replace the default Task Manager (check your HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe key).
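Because any Debugger value under that hive silently swaps the image Windows launches, the same key is worth auditing on a machine you administer. The script below is an added example (not code from Dana's post or from this blog) that walks the Image File Execution Options subkeys, reports every Debugger value, and flags any whose image is not on a short allow-list. The allow-list contents (procexp.exe, procexp64.exe, windbg.exe, vsjitdebugger.exe) are an assumption to be adjusted per environment, and the Wow6432Node path is included on the assumption that a 64-bit Windows is being audited.

```powershell
# Added example: enumerate Image File Execution Options (IFEO) Debugger
# redirections. Reading HKLM does not require elevation.
$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    # 32-bit view on 64-bit Windows (assumption: present on x64 hosts only)
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

# Debugger images we expect to see (assumption: extend per environment,
# e.g. procexp.exe is what Process Explorer installs for taskmgr.exe).
$expectedDebuggers = @('procexp.exe', 'procexp64.exe', 'windbg.exe', 'vsjitdebugger.exe')

function Get-DebuggerImagePath {
    # The Debugger value is a command line: a possibly quoted path followed
    # by optional arguments. Return just the image path.
    param([string]$CommandLine)
    $cl = $CommandLine.Trim()
    if ($cl.StartsWith('"')) {
        $end = $cl.IndexOf('"', 1)
        if ($end -gt 1) { return $cl.Substring(1, $end - 1) }
        return $cl.Trim('"')
    }
    return ($cl -split '\s+')[0]
}

function Get-IfeoDebugger {
    [CmdletBinding()]
    param([string[]]$Roots = $ifeoRoots)

    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue | ForEach-Object {
            $props = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
            if ($null -ne $props -and $null -ne $props.PSObject.Properties['Debugger']) {
                $debugger = [string]$props.Debugger
                $image    = Get-DebuggerImagePath -CommandLine $debugger
                $leaf     = if ($image) { Split-Path -Path $image -Leaf } else { '' }
                [PSCustomObject]@{
                    Target     = $_.PSChildName          # exe being redirected, e.g. notepad.exe
                    Debugger   = $debugger               # raw Debugger value
                    Image      = $image                  # parsed image path
                    Exists     = if ($image) { Test-Path -LiteralPath $image } else { $false }
                    Suspicious = ($expectedDebuggers -notcontains $leaf.ToLower())
                    Hive       = $root
                }
            }
        }
    }
}

# Usage: list all redirections, suspicious ones first.
Get-IfeoDebugger | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

With the notepad.exe proof of concept from the quoted steps applied, the output lists a row with Target notepad.exe, Debugger c:\windows\system32\cmd.exe and Suspicious True; a Process Explorer install shows taskmgr.exe with procexp.exe and Suspicious False. The check is deliberately loose (file name only) so it surfaces anything unexpected for a human to review rather than trying to decide on its own.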

Posted on Tuesday, March 22, 2005 9:58 AM, in Security
