Image File Execution Options



Written by: sefo
Published by: Nightscript
Published on: 2006-02-13 11:36:22
Topic: Windows
Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
there is a registry key which allows the execution of one application to be redirected to another.

::Theory::

The subkey you create under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
must have the name of the application you want to take over.
For example, create a new key called notepad.exe and, inside it, a new string value named Debugger
with the value C:\WINDOWS\system32\calc.exe.
Now, if you try to run Notepad, the Calculator is launched instead.

Moreover, if .txt files are associated with Notepad,
double-clicking any text file will also run calc.exe.

::Details::

Now replace the string value with C:\WINDOWS\system32\write.exe.
If you run Notepad or double-click a .txt file, you will see that WordPad runs instead,
but this time it displays the contents of notepad.exe in its editor.

The reason is that write.exe (like Notepad) directly opens the file given as the second argument on its command line
(the first argument being the name of the program itself).
So when you redirect the execution of an application using this Image File Execution Options key,
the program executed in place of notepad receives the full path of the program that was taken over as its argument.

As an exercise, write a program CmdLine.exe that displays its arguments.
Now, if you change the value of the string to c:\CmdLine.exe and run Notepad, you will see:

  • arg 0 = c:\CmdLine.exe
  • arg 1 = C:\WINDOWS\system32\notepad.exe

The interesting part is that if you double-click a .txt file, CmdLine.exe will display an additional argument
containing the path to the text file:

  • arg 2 = C:\testfile.txt

Knowing the path to the text file, it is easy to open it and check for a value or modify something, then give control back to
Notepad with ShellExecute or CreateProcess, providing the text file as the argument.
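The two points above (how a Debugger redirection is laid out under the Image File Execution Options key, and what argument order the substituted program receives) are what a defender audits for. The following Python script is an added example, not part of the original article or its zip file: it parses the text of a `reg export` of the Image File Execution Options key, reports every image whose Debugger value is not on an allowlist, models the argv the redirected program sees exactly as the CmdLine.exe exercise shows it, and emits the `reg delete` commands that remove only the Debugger value. The sample .reg text and the allowlist (Task Manager redirected to Process Explorer, as a commenter below notes) are constructed for this example.

```python
"""Offline audit of Image File Execution Options (IFEO) Debugger redirections.

Input is the text of a .reg export, e.g. produced on the machine under review with
    reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg
(reg.exe writes UTF-16LE with a BOM, so read such a file with encoding="utf-16").
Added example; SAMPLE_REG and EXPECTED_DEBUGGERS below are constructed, not taken from a real host.
"""
import re

IFEO_SUBPATH = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
IFEO_KEY = "HKEY_LOCAL_MACHINE\\" + IFEO_SUBPATH

# Constructed sample export: one hostile redirection (notepad -> calc, as in the article),
# one legitimate one (Process Explorer replacing Task Manager), and one IFEO subkey
# that carries no Debugger value at all and therefore redirects nothing.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\WINDOWS\\system32\\calc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="\"C:\\Program Files\\SysinternalsSuite\\procexp.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\someapp.exe]
"DisableExceptionChainValidation"=dword:00000001
'''

# Assumed allowlist for this example: image name -> basename of the debugger expected to
# redirect it. Every other Debugger value is reported as unexpected.
EXPECTED_DEBUGGERS = {"taskmgr.exe": "procexp.exe"}

_KEY_LINE = re.compile(r"^\[(.+)\]$")
_DEBUGGER_LINE = re.compile(r'^"Debugger"="(.*)"$', re.IGNORECASE)


def _unescape_reg_string(raw):
    # .reg files escape backslashes and double quotes with a backslash.
    return re.sub(r'\\(["\\])', r"\1", raw)


def parse_debugger_entries(reg_text):
    """Return {image_name_lower: debugger_value} for each direct IFEO subkey with a Debugger value."""
    entries = {}
    current_image = None
    prefix = (IFEO_KEY + "\\").lower()
    for line in reg_text.splitlines():
        line = line.strip()
        m = _KEY_LINE.match(line)
        if m:
            key = m.group(1)
            rest = key[len(prefix):] if key.lower().startswith(prefix) else ""
            # Only a direct child names an image; the root key and deeper subkeys are skipped.
            current_image = rest.lower() if rest and "\\" not in rest else None
            continue
        m = _DEBUGGER_LINE.match(line)
        if m and current_image:
            entries[current_image] = _unescape_reg_string(m.group(1))
    return entries


def debugger_basename(debugger_value):
    """Basename of the executable in a Debugger value; surrounding quotes and arguments are dropped."""
    value = debugger_value.strip()
    exe = value[1:].split('"', 1)[0] if value.startswith('"') else value.split(" ", 1)[0]
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_unexpected(entries):
    """Redirections whose debugger is not the allowlisted one for that image."""
    return {img: dbg for img, dbg in entries.items()
            if EXPECTED_DEBUGGERS.get(img) != debugger_basename(dbg)}


def redirected_argv(debugger_exe, image_path, original_args):
    """Model the argv of the substituted program, as the CmdLine.exe exercise shows it:
    arg 0 = the debugger itself, arg 1 = full path of the image that was taken over,
    then whatever the user originally passed (e.g. the double-clicked .txt file)."""
    return [debugger_exe, image_path, *original_args]


def remediation_commands(unexpected):
    """reg.exe commands that delete only the Debugger value, leaving other IFEO settings intact."""
    return [f'reg delete "HKLM\\{IFEO_SUBPATH}\\{img}" /v Debugger /f' for img in sorted(unexpected)]


if __name__ == "__main__":
    found = parse_debugger_entries(SAMPLE_REG)
    bad = find_unexpected(found)
    for img, dbg in bad.items():
        print(f"UNEXPECTED: {img} is redirected to {dbg}")
        print("  argv seen by the debugger when a file is opened:",
              redirected_argv(dbg, rf"C:\WINDOWS\system32\{img}", [r"C:\testfile.txt"]))
    for cmd in remediation_commands(bad):
        print("  fix:", cmd)
```

Run against the constructed sample, the script reports only notepad.exe: the Task Manager entry matches the allowlist and someapp.exe has no Debugger value. Parsing an export rather than the live hive keeps the check offline and lets the same script run over exports collected from many machines.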

::Test Program::

How to use the program included:

-The executable must be placed at c:\ExecOption.exe
-Run the program by double-clicking on it. It will create the registry key.
(open Regedit and go to Image File Execution Options to see exactly what a valid key looks like)
-Then you can double-click any .txt file (size < 512)
-When you click on a .txt file, the program ExecOption.exe is launched
-It first deletes the registry key (which is necessary)
-Then it starts the program the file type is associated with (notepad, of course)
Note that your firewall should warn you when ExecOption.exe runs notepad
-And finally notepad opens the file
-The registry is cleaned the first time you open a text file
-To set the key again, you have to run the .exe one more time

See the source code in the zip file for more details.

Basically, here's how it works (pseudocode):

GetCommandLine()

if NumberOfParam < 2
    Create(RegistryKey)
else if NumberOfParam > 2
    Delete(RegistryKey)
    Execute(Param2) WithCommandLine(Param3)
end if


::Conclusion::

This registry key is pretty evil.
I haven't found a virus or malware using this technique yet, but no doubt it will be exploited one day.
However, one might find a positive way to use this feature, and I'd be curious to see what utility you can create.
So please post a comment if you have a nice idea.

A problem I encountered was that the .txt you open can be read, but is locked for write access by the system.
So if anyone has an idea on how to unlock it easily, please post a comment.

Monday Morning note:
It works fine on my XP SP1 but not on XP SP2.
The time I wanted to give to this topic being over, I will not fix it. I believe it comes from the poor implementation of the command-line parsing procedure :)
You can still test it of course; the program is harmless and it gives you a good idea of how things work.


Comments:
sefo
2006-02-13 14:06:05
Well, actually I've just found a malware using this key on an XP SP2:

http://www.bleepingcomputer.com/startups/kb32.exe-8745.html

It's taking Explorer.exe over.
Check it out in case... :)
anilg
2006-02-13 16:43:02
Thanks sefo.. something I was looking for.. well, not exactly.. a wonderful trick nonetheless!
Anonymous
2007-09-23 14:46:12
Thanks for this most useful comment. My computer suddenly stopped running explorer.exe (thus leaving me without all the "my pc", "programs", "control panel" options).

Deleting the key mentioned in this article (a malware) did the trick!

Thanks a lot again.
Anonymous
2007-09-24 21:18:00
I have found a malware using this exploit; it maps regedit.exe, msconfig and the .exe of your antivirus to adamrf.exe.
Anonymous
2008-09-24 20:38:03
I have a very nasty malware that uses this key! If you want it, contact me. schnaps@gmail.com
Anonymous
2009-01-17 03:19:55
klomp.exe uses this
Anonymous
2009-01-22 12:52:14
I encountered a malware named "Kazme__Gheya" that had used this registry key.
Anonymous
2009-05-27 02:18:39
SysInternals Process Explorer uses this technique to set itself as the default Control+Alt+Del handler.
Anonymous
2009-06-15 21:13:25
It works for me.
For the good ideas... you can change the "classical" Windows applications like notepad to another improved application like Notepad++.
Anonymous
2009-07-07 12:12:50
Hmm, that's pretty clever to use that reg key. Wonder what happens if you set up a loop so notepad launches calc which launches notepad etc.
Anonymous
2009-12-13 15:42:00
I also got a malware today, taking over all popular browsers (including Firefox, Opera, Safari, and Chrome) and redirecting them to Internet Explorer. It took me hours to find out what that was and solve it. WTF Microsoft!
Anonymous
2010-12-21 19:41:41
Or worse yet... fire up some keylogger (or other software), then launch the originally intended application with the parameters given so that the user does not see any odd behaviour.
Copyright Open Source Institute, 2006