Image File Execution options key as an Attack Vector on Windows

Dana Epp posted interesting article about using Image File Execution options in the Windows registry to redirecting a process loading:

By simply mapping the executable name to a different debugger source, you can actually load something else entirely.

Let me give you a proof of concept:

  1. _Start the Registry Editor: Click Start, click Run, and then type regedt32.
    _
  2. _Locate the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
    _
  3. _To this hive, add the SOURCE exe as a key. Lets use notepad.exe: (Right click and select New, and then Key (Add the key and name it notepad.exe)
    _
  4. _To the notepad.exe key, add a new REG_SZ (string) value called Debugger, and point it to c:\windows\system32\cmd.exe
    _
  5. _Start up notepad (Click Start, click Run, and then type notepad)
    _
  6. Notice that a new cmd window opened instead \more in [Dana's blog entry]

BTW, Mark Russinovich's ProcessExplorer is using this technique to replace default Task Manager (check your HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe key)

This article is part of the GWB Archives. Original Author: John Doe

New on Geeks with Blogs