Image File Execution Options – evil

I always forget about this. Viruses like to stuff hundreds of entries into

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

This is a very old hook that was put in to aid debugging, but it can also be used to completely hijack a program. You add a subkey named after an executable, and under it a string value named Debugger; the contents of that value are the command Windows launches in place of the program in order to “debug” it. If you put in something that isn’t a debugger but is always present, then the program simply won’t run. Malware tends to stuff this with svchost.exe. So if you had

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe]
"Debugger"="svchost.exe"

then you’d be unable to run any program named mbam.exe. This is a surprisingly effective technique, especially when you also add an entry for “regedit.exe”, which prevents the Regedit.exe editor from being used to undo it. Programmers can still use reg.exe on the command line; it seems to be immune to this interception technique. Or maybe the last time I saw this on a computer, the virus missed that loophole.

Note that there is still a semi-legitimate value to add to an entry in Image File Execution Options, and that is a REG_DWORD named DisableExceptionChainValidation. This is another hack that Microsoft added: if your program is crashing a lot, this gets set and makes things a little better. I forget why; I should look it up.
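Since reg.exe still works, one way to triage a box is to dump the key with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` and scan the export for Debugger values that don’t point at a real debugger. The script below is an added example, not code from the original post: it parses the .reg format shown above, flags entries like the mbam.exe and regedit.exe hijacks, and leaves entries that only carry DisableExceptionChainValidation alone. The KNOWN_DEBUGGERS list and the sample export are assumptions constructed for the example.

```python
import re

IFEO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
# Assumption: the debuggers an administrator might legitimately register here.
KNOWN_DEBUGGERS = {"ntsd.exe", "cdb.exe", "windbg.exe", "windbgx.exe"}

# Constructed sample of what `reg export` of the IFEO key looks like (after UTF-16 decoding).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe]
"Debugger"="svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]
"Debugger"="C:\\Windows\\System32\\svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myapp.exe]
"Debugger"="\"C:\\Debuggers\\ntsd.exe\" -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\legacy.exe]
"DisableExceptionChainValidation"=dword:00000001
'''

def parse_reg_export(text):
    """Parse a .reg export into {key: {name: value}}; REG_SZ is unescaped, other types kept raw."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, raw = line[1:].partition('"=')
            if raw.startswith('"') and raw.endswith('"'):
                # Undo the .reg escaping of backslashes and double quotes
                raw = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = raw
    return keys

def debugger_image(command):
    # Lower-cased basename of the first (possibly quoted) token of a Debugger value
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', command)
    exe = (m.group(1) or m.group(2)) if m else command
    return exe.rsplit("\\", 1)[-1].lower()

def find_ifeo_hijacks(text):
    """Return [(image, debugger)] for IFEO entries whose Debugger is not a known debugger."""
    hits = []
    for key, values in parse_reg_export(text).items():
        if not key.lower().startswith(IFEO_KEY.lower() + "\\"):
            continue
        dbg = values.get("Debugger")
        if dbg is not None and debugger_image(dbg) not in KNOWN_DEBUGGERS:
            hits.append((key.rsplit("\\", 1)[-1], dbg))
    return hits
```

Running find_ifeo_hijacks on the sample reports mbam.exe and regedit.exe; myapp.exe (ntsd) and legacy.exe (DisableExceptionChainValidation only) are not flagged.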
