Image File Execution Options



Written by: sefo
Published by: Nightscript
Published on: 2006-02-13 11:36:22
Topic: Windows
Located at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options,
there exists a registry key which allows the execution of one application to be redirected to another.

::Theory::

The key you create under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
must have the name of the application you want to take over.
For example, you can create a new key called notepad.exe and then, inside it, create a new string value named Debugger
with the value C:\WINDOWS\system32\calc.exe
Now if you try to run notepad, the calculator will be launched instead.

Moreover, if you have for example .txt files associated with notepad,
double-clicking on any text file will also run calc.exe

::Details::

Now we're going to replace the string value with C:\WINDOWS\system32\write.exe
If you run notepad or double-click on a .txt file, you will see that WordPad runs instead,
but this time it displays the contents of notepad.exe in its editor.

The reason is that write.exe (like notepad) directly opens the file specified in the second argument of its command line
(the first argument being the name of the program itself).
So when you redirect the execution of an application using this Image File Execution Options key,
the program executed instead of notepad receives, right after its own name, the name and path of the program that has been overtaken.

As an exercise, write a program CmdLine.exe that displays its arguments.
Now if you change the value of the string to c:\CmdLine.exe and run notepad, you will see:

  • arg 0 = c:\CmdLine.exe
  • arg 1 = C:\WINDOWS\system32\notepad.exe

The interesting part is that if you double-click on a .txt file, CmdLine.exe will display an additional argument
containing the path to the text file:

  • arg 2 = C:\testfile.txt

Knowing the path to the text file, it is easy to open it, check for a value or modify something, and then give control back to
notepad with ShellExecute or CreateProcess, providing the text file as argument.

::Test Program::

How to use the program included

-The executable must be placed in c:\ExecOption.exe
-Run the program by double-clicking on it. It will create the registry key.
(open Regedit and go to Image File Execution Options to see exactly what a valid key looks like)
-Then you can click any .txt file (size < 512)
-When you click on a .txt, the program ExecOption.exe is launched
-It first deletes the registry key (this is necessary: otherwise launching notepad in the next step would be redirected to ExecOption.exe again)
-Then it hooks the program associated (of course notepad)
Note that your firewall should warn you when ExecOption.exe runs notepad
-And finally opens the file.
-The registry will be cleaned when you try to open a text file
-To set the key again, you have to run the .exe one more time

See source code in the zip file for more details.

Basically, here's how it works:

    GetCommandLine()

    if NumberOfParam < 2            // double-clicked directly: no overtaken program on the command line
        Create(RegistryKey)         // install the Debugger value for notepad.exe
    else if NumberOfParam > 2       // launched in place of notepad with a document path appended
        Delete(RegistryKey)         // remove the redirection first, or the next step would loop back here
        Execute(Param2)             // Param2 = path of the overtaken program (notepad.exe)
        WithCommandLine(Param3)     // Param3 = path of the .txt file the user clicked
    end if


::Conclusion::

This registry key is pretty evil.
I haven't found a virus or malware using this technique yet but no doubt it will be exploited one day.
However one might find a positive way to use this feature and I'd be curious to see what utility you can create.
So please post a comment if you have a nice idea.

A problem I encountered was that the .txt you open can be read, but is locked for write access by the system.
So if anyone has an idea on how to unlock it easily please post a comment.

Monday Morning note:
It works fine on my XP SP1 but not on XP SP2.
The time I wanted to give to this topic being over, I will not fix it. It comes, I believe, from the poor implementation of the command-line parsing procedure :)
You can still test it of course, the program is harmless and it gives you a good idea of how things work.
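Since the article expects this key to be abused, the practical check for a defender is to list every Debugger redirection currently installed. The following PowerShell audit is an added example (not the article's code and not in its zip); the Wow6432Node path and the allow-list of known debugger names are my assumptions and should be tuned to the host.

```powershell
# Added example, not from the article: audit Image File Execution Options for
# Debugger redirections. Read access to HKLM is enough to list them.
$IfeoPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    # Assumed: 32-bit view used for 32-bit images on 64-bit Windows
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

# Assumed allow-list of debuggers that legitimately use this key (tune per host).
$KnownDebuggers = @('vsjitdebugger.exe', 'windbg.exe', 'procexp.exe', 'procexp64.exe')

function Get-IfeoDebugger {
    param([string[]]$Paths = $IfeoPaths)
    foreach ($base in $Paths) {
        if (-not (Test-Path -LiteralPath $base)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $base) {
            $props = Get-ItemProperty -LiteralPath $key.PSPath -Name Debugger -ErrorAction SilentlyContinue
            if ($null -eq $props) { continue }   # no Debugger value: nothing is redirected
            $debugger = [string]$props.Debugger
            # The value may be '"C:\path with spaces\dbg.exe" -args' or 'C:\dbg.exe -args'
            $exe = if ($debugger.StartsWith('"')) { $debugger.Split('"')[1] } else { $debugger.Split(' ')[0] }
            $exeName = [IO.Path]::GetFileName($exe).ToLowerInvariant()
            [pscustomobject]@{
                TakenOver      = $key.PSChildName      # e.g. notepad.exe, explorer.exe
                Debugger       = $debugger
                DebuggerExists = if ($exe) { Test-Path -LiteralPath $exe } else { $false }
                Suspicious     = ($KnownDebuggers -notcontains $exeName)
                Hive           = $base
            }
        }
    }
}

# Entries flagged Suspicious, or whose Debugger no longer exists on disk, deserve a closer look.
Get-IfeoDebugger | Sort-Object -Property Suspicious -Descending | Format-Table -AutoSize
```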

Comments:
sefo
2006-02-13 14:06:05
Well, actually I've just found a malware using this key on an XP SP2

http://www.bleepingcomputer.com/startups/kb32.exe-8745.html

It's taking Explorer.exe over.
Check it out in case... :)
anilg
2006-02-13 16:43:02
Thanks sefo.. something I was looking for.. well not exactly.. a wonderful trick nonetheless!
Anonymous
2007-09-23 14:46:12
Thanks for this most useful comment. My computer suddenly stopped running explorer.exe (and thus leaving me without all "my pc", "programs", "control panel" options).

Deleting the key mentioned in this article (a malware) did the trick!

Thanks a lot again.
Anonymous
2007-09-24 21:18:00
I have found a malware using this exploit, it maps regedit.exe, msconfig and the .exe of your antivirus to adamrf.exe.
Anonymous
2008-09-24 20:38:03
I have a very nasty malware that uses this key! If you want it, contact me. schnaps@gmail.com
Anonymous
2009-01-17 03:19:55
klomp.exe uses this
Anonymous
2009-01-22 12:52:14
I encountered a malware named "Kazme__Gheya" that had used this registry key.
Anonymous
2009-05-27 02:18:39
SysInternals Process Explorer uses this technique to set itself as the default Control+Alt+Del handler.
Anonymous
2009-06-15 21:13:25
It works for me.
For the good ideas... you can change the "classical" Windows applications like notepad to another improved application like notepad++
Anonymous
2009-07-07 12:12:50
Hmm, that's pretty clever to use that reg key. Wonder what happens if you set up a loop so notepad launches calc which launches notepad etc.
Anonymous
2009-12-13 15:42:00
I also got a malware today, taking over all popular browsers (including Firefox, Opera, Safari, and Chrome) and redirecting them to Internet Explorer. It took me hours to find out what that is and solve it. WTF Microsoft!
Anonymous
2010-12-21 19:41:41
Or worse yet... fire up some keylogger (or other software), then launch the originally intended application with the parameters given so that the user does not see any odd behaviour.
Copyright Open Source Institute, 2006