Image File Execution Options (Malware Persistence Method)

So I was roaming on WikiLeaks and found a malware persistence technique called "Image File Execution Options" which caught my attention; it is also really easy to use.

The operating system can be configured to automatically start a debugger every time a given application is launched. To set this up we just need to create a registry key. Say I want to launch Calculator every time someone tries to launch notepad.exe.

So let's give this a try. We will use the following reg command to create a Debugger value for notepad.exe.

Run cmd (as administrator, since the key lives under HKLM) and type:
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v Debugger /t REG_SZ /d c:\Windows\system32\calc.exe

That's it. Now run Notepad and you will see Calculator; Notepad never even starts. Notepad would have started if calc.exe were an actual debugger. The attacker can solve this by putting debugger functionality into their code, or, after the malware starts, it can delete the Debugger key and relaunch the original process so it starts normally.

So this is a really cool trick, as the attacker just has to sit back and wait for you to re-trigger the infection of your machine.

TO DETECT~

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe"

TO DELETE~

reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe"
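The reg query above only checks the one subkey you already know about. The PowerShell below is an added example (not code from the original post): it walks every subkey under Image File Execution Options and reports any that carries a Debugger value, with an optional switch to remove what it finds. It assumes an elevated PowerShell session on the host being checked; the WOW6432Node path is an assumption about 64-bit hosts and is skipped if absent.

```powershell
function Get-IfeoDebugger {
    <#
    Added example (not from the original post): list every IFEO subkey that
    sets a Debugger value. Run from an elevated PowerShell session.
    #>
    [CmdletBinding()]
    param(
        # Remove matching Debugger values instead of only reporting them.
        [switch]$Remove
    )

    # Native view of the key plus the 32-bit (WOW64) view; the second is an
    # assumption about 64-bit hosts and is skipped when it does not exist.
    $bases = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    )

    foreach ($base in $bases) {
        if (-not (Test-Path -Path $base)) { continue }
        foreach ($sub in Get-ChildItem -Path $base) {
            $props = Get-ItemProperty -Path $sub.PSPath -ErrorAction SilentlyContinue
            # Only subkeys that actually define a Debugger value are interesting.
            if (-not $props -or -not $props.PSObject.Properties['Debugger']) { continue }

            [pscustomobject]@{
                Target   = $sub.PSChildName   # e.g. notepad.exe
                Debugger = $props.Debugger    # e.g. c:\Windows\system32\calc.exe
                Key      = $sub.PSPath -replace '^Microsoft\.PowerShell\.Core\\Registry::', ''
            }

            if ($Remove) {
                Remove-ItemProperty -Path $sub.PSPath -Name Debugger -ErrorAction Stop
            }
        }
    }
}

# Report only:
Get-IfeoDebugger | Format-Table -AutoSize

# To undo the notepad.exe experiment from this post (elevated prompt):
# Get-IfeoDebugger -Remove
```

Every hit deserves a look at the Debugger path before removing it: developer tooling occasionally sets this value on purpose, but a Debugger pointing at anything other than a known debugger is the pattern to treat as persistence. If you collect Sysmon, a RegistryEvent (Event ID 13) rule on the Image File Execution Options path catches the write at the moment the value is set rather than on the next sweep.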


So go on and try it out yourself. In the next post I will automate it using Python and we will do much more than this trick.

Happy Hacking :)

Hack  > Eat > Sleep > Repeat  
