Category Archives: Windows

Image File Execution Options – evil

I always forget about this. Viruses like to stuff hundreds of entries into

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

This is a very old bypass that was put in to aid in debugging, but it can also be used to completely hijack a program. You add a key that’s the name of an executable, and then you add a string value named Debugger; the contents of this are what’s used to “debug” the program. If you put something that’s not a debugger but always present, then your program won’t run. Malware tends to stuff this with svchost.exe. So if you had

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe]

then you’d be unable to run any program named mbam.exe. This is a surprisingly effective technique, especially when you add an entry “regedit.exe” preventing the Regedit.exe editor from being used. Programmers can still use reg.exe on the command-line, this seems to be immune to this interception technique. Or maybe the last time I saw this on a computer, the virus missed that loophole.

Note that there is still a semi-legitimate key to add to an entry in Image File Execution Options, and that is a REG_DWORD named DisableExceptionChainValidation. This is another hack that Microsoft added – if your program is crashing a lot, this gets set and makes things a little better. I forget why, I should look it up.

Windows + cmd.exe + Python + colored output

It’s not a make-or-break thing, but sometimes you want to make console output more readable.

And sometimes you want to know if you’re connected to a terminal or are redirecting to a file.