Image File Execution Options

Written by: sefo
Published by: Nightscript
Published on: 2006-02-13 11:36:22
Topic: Windows
Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
there is a registry key that lets you redirect the execution of one application to another.

::Theory::

The key you create under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
must carry the file name of the application you want to take over (the image name only, without a path:
the match is made on the file name, so it applies wherever that executable is started from).
For example, create a new key called notepad.exe and, inside it, a new string value (REG_SZ) named Debugger
with the value C:\WINDOWS\system32\calc.exe
Now if you try to run notepad, the calculator is launched instead.

Moreover, if .txt files are associated with notepad,
double-clicking any text file will also run calc.exe, because the shell's "open" action for .txt is itself a launch of notepad.exe.

::Details::

Now replace the string value with C:\WINDOWS\system32\write.exe
If you run notepad or double-click a .txt file, you will see that WordPad runs instead,
but this time it displays the contents of notepad.exe in its editor.

The reason is that write.exe (like notepad) opens whatever file is named by the first argument on its command line
(argument 0 being the program's own name). When the loader honours an Image File Execution Options redirection,
it builds the new command line by prepending the Debugger string to the original one: the program that runs instead
of notepad therefore receives the full path of the image that was taken over, followed by any arguments that image was given.

As an exercise, write a program CmdLine.exe that displays its arguments.
Set the Debugger value to c:\CmdLine.exe, run notepad, and you will see:

  • arg 0 = c:\CmdLine.exe
  • arg 1 = C:\WINDOWS\system32\notepad.exe

The interesting part is that if you double-click a .txt file, CmdLine.exe displays an additional argument
containing the path to the text file:

  • arg 2 = C:\testfile.txt

Knowing the path of the text file, it is easy to open it, check for a value or modify something, and then hand control back to
notepad with ShellExecute or CreateProcess, passing the text file as the argument. One caveat: as long as the key exists,
launching notepad.exe again is itself redirected, so the key must be removed (or the hook must detect re-entry) before
the real notepad is started.

::Test Program::

How to use the program included

-The executable must be placed at c:\ExecOption.exe
-Run the program by double-clicking it. It will create the registry key.
 (open Regedit and go to Image File Execution Options to see exactly what a valid key looks like)
-Then you can double-click any .txt file (size < 512 bytes)
-When you double-click a .txt, the program ExecOption.exe is launched instead of notepad
-It first deletes the registry key (this is necessary: otherwise starting notepad in the next step would be redirected to ExecOption.exe again, and so on without end)
-Then it launches the program the .txt is associated with (notepad, of course)
 Note that your firewall may warn you when ExecOption.exe launches notepad
-And finally notepad opens the file.
-So the registry is cleaned up the first time you open a text file
-To set the key again, run the .exe one more time

See the source code in the zip file for more details.

Basically, here's how it works:

GetCommandLine()

if NumberOfParam < 2
    Create(RegistryKey)
else if NumberOfParam > 2
    Delete(RegistryKey)
    Execute(Param2) WithCommandLine(Param3)
end if
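As an added example (not the article's ExecOption.exe, whose source is in the zip), here is the procedure from the Theory, Details and Test Program sections written as one PowerShell script: run with no arguments it installs the key pointing at itself; when the loader starts it in place of notepad.exe it removes the key, records the command line it received and relaunches the real notepad with the document. It assumes Windows PowerShell 5.1, that the script is saved as C:\IfeoHook.ps1, that it is run from an elevated prompt (the key lives under HKLM), and the log path C:\IfeoHook.log; those names are my choices, not the article's.

```powershell
# IfeoHook.ps1 (added example; assumed path C:\IfeoHook.ps1, run elevated).
# No arguments  : install the Image File Execution Options key for notepad.exe
#                 so that every launch of notepad.exe starts this script instead.
# With arguments: we were started by the loader in place of notepad.exe and
#                 $args holds notepad's original command line. Remove the key,
#                 log what we received, then start the real notepad.

$Target   = 'notepad.exe'      # image name to take over (file name only, no path)
$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$Key      = Join-Path $IfeoRoot $Target
$Self     = $MyInvocation.MyCommand.Path            # full path of this script
$LogFile  = 'C:\IfeoHook.log'                       # assumed log location

if ($args.Count -eq 0) {
    # The Debugger value is a command line. The loader prepends it to the
    # hooked image's own command line, so "-File <script>" must come last:
    # everything the loader appends then arrives in $args.
    $PsExe    = Join-Path $PSHOME 'powershell.exe'   # Windows PowerShell 5.1
    $Debugger = "`"$PsExe`" -NoProfile -ExecutionPolicy Bypass -File `"$Self`""

    New-Item -Path $Key -Force | Out-Null
    New-ItemProperty -Path $Key -Name 'Debugger' -Value $Debugger `
                     -PropertyType String -Force | Out-Null

    # Read the value back so we can see exactly what a valid key looks like.
    $Installed = (Get-ItemProperty -Path $Key).Debugger
    Write-Host "Installed $Key"
    Write-Host "  Debugger = $Installed"
    exit 0
}

# Delete the key before anything else: the redirection matches on the image
# file name, so starting notepad.exe below while the key exists would run
# this script again, for ever.
Remove-Item -Path $Key -Recurse -Force -ErrorAction SilentlyContinue

# $args[0] is the path of the image that was taken over (arg 1 in the article);
# $args[1] is the document when a .txt was double-clicked (arg 2 in the article).
$Original = $args[0]
$Document = if ($args.Count -ge 2) { $args[1] } else { $null }

$Entry = "{0} original={1} document={2}" -f (Get-Date -Format o), $Original, $Document
Add-Content -Path $LogFile -Value $Entry

if ($Document -and (Test-Path -LiteralPath $Document)) {
    # Look at the document before handing it back, as the article suggests;
    # here we only record its first line.
    $FirstLine = Get-Content -LiteralPath $Document -TotalCount 1
    Add-Content -Path $LogFile -Value "    first line: $FirstLine"
    Start-Process -FilePath $Original -ArgumentList ('"{0}"' -f $Document)
} else {
    Start-Process -FilePath $Original
}
```

Run the script once with no arguments to install the hook, double-click a .txt file, then read C:\IfeoHook.log: the entry holds the path of notepad.exe followed by the document, the same shape as arg 1 and arg 2 above. Because the Debugger string is prepended to the original command line, powershell.exe's -File parameter has to be the last thing in the value so that everything the loader appends lands in $args; a document path containing spaces arrives quoted and is handled, but a Debugger value built from a script path with spaces must itself be quoted, as the script does.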


::Conclusion::

This registry key is pretty evil: whoever can write to it can silently substitute any program on the machine for any other.
I haven't found a virus or malware using this technique yet, but no doubt it will be exploited one day.
However, one might find a positive way to use this feature, and I'd be curious to see what utility you can create.
So please post a comment if you have a nice idea.

A problem I encountered was that the .txt you open can be read, but is locked for write access by the system.
So if anyone has an idea on how to unlock it easily, please post a comment.

Monday morning note:
It works fine on my XP SP1 but not on XP SP2.
The time I wanted to give to this topic being over, I will not fix it. I believe it comes from the poor implementation of the command-line parsing procedure :)
You can still test it of course; the program is harmless and it gives you a good idea of how things work.
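The check a defender wants in return is an inventory of every Debugger value under this key, since a hostile one substitutes an arbitrary program for any image on the machine. The script below is an added example of mine, not part of the article: it walks both the native and the WOW6432Node view of Image File Execution Options (the 32-bit view is consulted for 32-bit images on 64-bit Windows), reports each Debugger value, and flags the ones that do not start a debugger you recognise. The allowlist of debugger names and the verdict wording are my own choices; it assumes Windows PowerShell 5.1 and an elevated prompt.

```powershell
# Added example: list every Image File Execution Options "Debugger" value and
# flag the ones that do not start a debugger you recognise.
# Assumes Windows PowerShell 5.1 and an elevated prompt (HKLM is read here;
# some subkeys are unreadable to a standard user).

$IfeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    # 32-bit view consulted for 32-bit images on 64-bit Windows
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

# Images that legitimately appear as Debugger targets (my allowlist; extend it
# for your environment, e.g. the Process Explorer entry on taskmgr.exe).
$KnownDebuggers = @('windbg.exe', 'windbgx.exe', 'cdb.exe', 'ntsd.exe',
                    'vsjitdebugger.exe', 'procexp.exe', 'procexp64.exe')

function Get-IfeoDebugger {
    foreach ($Root in $IfeoRoots) {
        if (-not (Test-Path -LiteralPath $Root)) { continue }
        $View = if ($Root -like '*WOW6432Node*') { '32-bit' } else { 'native' }

        foreach ($Sub in Get-ChildItem -LiteralPath $Root -ErrorAction SilentlyContinue) {
            $Props = Get-ItemProperty -LiteralPath $Sub.PSPath -ErrorAction SilentlyContinue
            if (-not $Props -or -not $Props.PSObject.Properties['Debugger']) { continue }
            $Debugger = [string]$Props.Debugger
            if ([string]::IsNullOrWhiteSpace($Debugger)) { continue }

            # The first token of the Debugger command line is the executable that
            # replaces the image (quoted if the path contains spaces).
            $Exe = $Debugger -replace '^\s*"([^"]+)".*$', '$1'
            if ($Exe -eq $Debugger) { $Exe = ($Debugger.Trim() -split '\s+')[0] }
            try   { $ExeName = ([System.IO.Path]::GetFileName($Exe)).ToLowerInvariant() }
            catch { $ExeName = $Exe.ToLowerInvariant() }

            if ($Debugger -match '^\s*"?ntsd(\.exe)?"?\s+-d(\s|$)') {
                # ntsd -d hands the process to a (normally absent) kernel debugger,
                # so the image never runs: the way malware disables AV and regedit.
                $Verdict = 'suspicious: ntsd -d blocks the image'
            } elseif ($KnownDebuggers -contains $ExeName) {
                $Verdict = 'known debugger'
            } elseif (-not (Test-Path -LiteralPath $Exe)) {
                $Verdict = 'suspicious: target does not exist'
            } else {
                $Verdict = 'review: non-debugger target'
            }

            [pscustomobject]@{
                Image    = $Sub.PSChildName
                View     = $View
                Target   = $Exe
                Verdict  = $Verdict
                Debugger = $Debugger
            }
        }
    }
}

Get-IfeoDebugger | Sort-Object Verdict, Image |
    Format-Table Image, View, Target, Verdict -AutoSize -Wrap
```

Read the Verdict column: "review" is a Debugger value that names an existing binary not on the allowlist, which is exactly how the notepad.exe to calc.exe redirection above would show up, and a Debugger value on your antivirus, regedit.exe or msconfig.exe is the pattern the comments on this page report. Subkeys that carry other values (GlobalFlag and friends) but no Debugger are skipped, since only Debugger redirects execution.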

Comments:
sefo
2006-02-13 14:06:05
Well, actually I've just found a malware using this key on an XP SP2

http://www.bleepingcomputer.com/startups/kb32.exe-8745.html

It's taking Explorer.exe over.
Check it out in case... :)
anilg
2006-02-13 16:43:02
Thanks sefo.. something I was looking for.. well not exactly.. a wonderful trick nonetheless!
Anonymous
2007-09-23 14:46:12
Thanks for this most useful comment. My computer suddenly stopped running explorer.exe (thus leaving me without all the "my pc", "programs", "control panel" options).

Deleting the key mentioned in this article (a malware) did the trick!

Thanks a lot again.
Anonymous
2007-09-24 21:18:00
I have found a malware using this exploit, it maps regedit.exe, msconfig and the .exe of your antivirus to adamrf.exe.
Anonymous
2008-09-24 20:38:03
I have a very nasty malware that uses this key! If you want it, contact me. schnaps@gmail.com
Anonymous
2009-01-17 03:19:55
klomp.exe uses this
Anonymous
2009-01-22 12:52:14
I encountered a malware named "Kazme__Gheya" that had used this registry key.
Anonymous
2009-05-27 02:18:39
SysInternals Process Explorer uses this technique to set itself as the default Control+Alt+Del handler.
Anonymous
2009-06-09 09:59:49
I was told about this registry option a few years ago; apparently the intended purpose is to aid in debugging some of the more complex process interactions, e.g. Process A starts the short-lived Process B to perform some calculation and you want to debug Process B. You can use this registry option to intercept Process B and start a debugger, which in turn starts Process B and breaks.
Anonymous
2009-06-15 21:13:25
It works for me.
For the good ideas... you can change the "classical" Windows applications like notepad to another improved application like Notepad++
Anonymous
2009-07-07 12:12:50
Hmm, that's pretty clever to use that reg key. Wonder what happens if you set up a loop so notepad launches calc which launches notepad etc. on your PC.
Anonymous
2009-07-16 08:12:39
I had a virus on XP SP3, and it had written keys for all known antivirus programs and system tools like regedit, and had also disabled starting the antivirus program. The virus was removed by another antivirus program, but these registry keys were not deleted. It had simply added "Debugger"="ntsd -d" and so they were disabled.

Thank you sefo!
Anonymous
2009-10-04 14:29:28
I have found a malware using this exploit too.
Copyright Open Source Institute, 2006