Image hijacking Principle

Windows Image hijacking Technology (ifeo)

Basic symptoms: A friend may have encountered such a situation. A normal program cannot run no matter where it is stored, or if it has been repaired by a program re-installed disk, or the error message is "file not found" or the response is not directly run, or for example, running program a becomes execution B (possibly a virus ), however, it can run normally after being renamed.

The system that suffers from the popular "image hijacking" virus shows that common anti-virus software, firewalls, security detection tools, and so on all prompt "file not found" or no response is executed, as a result, most users can only reinstall the system. However, experienced users who are busy modifying the program name will find that the program runs normally again ~~

Since we are introducing image hijacking Technology (ifeo), let's first introduce:

[{
Editlemmapara ('HTTP: // baike.baidu.com/edit/', 1008480, 1); Return false;
} "Href =" http://baike.baidu.com/view/1008480.htm# "> edit this section]

1. What is image hijacking (ifeo )?

1. The so-called image hijacking ifeo is the image file execution options

(In fact, it should be called "image hijack ".)

It is in the Registry

HKEY_LOCAL_MACHINE/software/Microsoft/Windows NT/CurrentVersion/Image File Execution options

Ifeo is intended to provide special environment settings for some program execution bodies that may cause errors when running in the default system environment. This item is mainly used for program debugging and is of little significance to general users. By default, only Administrators and Local systems have the permission to read and write modifications.

When an executable program is under ifeo control, its memory allocation is set based on the program parameters, in contrast, the system of the ingress wsn t-architecture can use this registry key to use a project that matches the executable program file name as the control basis for program loading, finally, we can set up a program's heap management mechanism and some auxiliary mechanisms. For the sake of simplification, ifeo uses the ignore Path Method to match the program file name it wants to control. Therefore, no matter which path the program is placed, as long as the name does not change, it runs out of problems.

First, let's take a look at how to modify the Registry to achieve random startup.

Viruses, worms, and Trojans are still using well-known and over-used registry key values, as shown below:

HKEY_LOCAL_MACHINE/software/Microsoft/Windows/CurrentVersion/run

HKLM/software/Microsoft/Windows NT/CurrentVersion/Windows/appinit_dlls

HKEY_LOCAL_MACHINE/software/Microsoft/Windows NT/CurrentVersion/Winlogon/notify

HKEY_LOCAL_MACHINE/software/Microsoft/Windows/CurrentVersion/runonce

HKEY_LOCAL_MACHINE/software/Microsoft/Windows/CurrentVersion/runservicesonce

And so on.

2. Another hijacking method is to create the same export function as the system DLL in the target program directory, and the execution content is

F = loadlibrary (byref "C:/Windows/system32/" + dllname)

F = getprocaddress (byval F, byref procname)

! JMP F

'(Powerbasic)

, You can do some bad things during DLL initialization to change the original application.

[{
Editlemmapara ('HTTP: // baike.baidu.com/edit/', 1008480, 2); Return false;
} "Href =" http://baike.baidu.com/view/1008480.htm# "> edit this section]

Ii. Usage Details:

Let's take a look at another friend on the Internet for a test:

Start-run-Regedit, expand:

HKEY_LOCAL_MACHINE/software/Microsoft/Windows NT/CurrentVersion/Image File Execution options/

Then select Image File Execution options and create a new item. Then, change this item to 123.exe.

Select 123.exe, and the right side is blank by default. Right click to create a new "string character" and rename it "Debugger"

This step should be done well, and then press Enter... Double-click the key to modify the data value (actually the path )..

Change it to C:/Windows/system32/cmd.exe

(Note: C: it is a system disk. If your system is installed on D, change it to D: if it is an NT or 2 K system, change windows to WINNT, as mentioned below, and so on ...)

Okay. Experiment .~ .

Then, find an extension name named exe. (here I will take icesword.exeas an experiment tutorial and change it to 123.exe...

And then run it... Hey .. When the DOS operation box appears, it looks strange without knowing it.

A simple prank...

Similarly, viruses and other such methods can also be used to redirect names such as anti-software and security tools to the virus path.

Therefore, if the redirection item is not cleared after you clear the virus, the function of ifeo cannot run the same program that is not damaged!

Get the virus lost

Like the above, if we redirect the virus program, the virus will not run, and the answer is yes.

Windowsregistryeditorversion5.00

[HKEY_LOCAL_MACHINE/software/Microsoft/WindowsNT/CurrentVersion/imagefileexecutionoptions/sppoolsv.exe]

Debugger424123.exe

[HKEY_LOCAL_MACHINE/software/Microsoft/WindowsNT/CurrentVersion/imagefileexecutionoptions/logo_1.exe]

Debugger424123.exe

Save the above Code as a suffix. reg file, double-click it, take the golden swine virus and Vig virus as an example, so that even if these viruses are running with the system in the system startup item, but because of image hijacking

In this case, the system prompts you to find the virus file (logo_1.exeand sppoolsv.exe ).

[{
Editlemmapara ('HTTP: // baike.baidu.com/edit/', 1008480, 3); Return false;
} "Href =" http://baike.baidu.com/view/1008480.htm# "> edit this section]

III. Basic principles of image hijacking:

Quote:

When the NT system tries to execute an executable file running request called from the command line, it first checks whether the running program is an executable file. If yes, it then checks the format, then, the system checks whether there is a problem .. If it does not exist, it will prompt that the system cannot find the file or "the specified path is incorrect ..

Of course, after deleting these keys, the program can run!

[Source from Network Technology Forum:]

From the actual situation, calling ifeo "image hijacking" is a bit embarrassing, because most of the parameters in it won't lead to this situation today, and there is only one parameter in the box, that is, "Debugger", which regards ifeo as image hijacking, probably because some people in China directly use the abbreviation "Image File Execution options, in a relatively standardized terminology from sysinternals, the use of this technical design vulnerability for illegal activities should be called "image hijack ", this is the true "image hijacking "!

The debugger parameter is directly translated as the "Debugger", which is the first parameter to be processed in ifeo. Its function is incredible. If the system finds a program file in the ifeo list, it will first read the debugger parameter. If this parameter is not blank, the system will process the program file name specified in the debugger parameter as the execution request of the program you are trying to start, instead, send the program you are trying to start as the parameter of the program file name specified in the debugger parameter! This concept is probably not enough for some people to understand, so let's simply put, for example, if two guests have a buffet together, one of the guests (users) entrusts another guest (system) when you get the food, you can help yourself bring the food back (the request to start the program ), however, when the system installed a plate of food for the user and planned to return, it found that there was a guest on the other table (the program file specified by the debugger parameter) who was a crush object in his primary school! Therefore, the system directly places the food that was originally to be given to the user to the guests to recall the past (convert the execution file image of the Startup Program request and the initial parameter combination into a new command line parameter ...... ), The final food is naturally the debugger guest (GET command line parameters ), at this point, the system is busy executing the debugger guest's boot program request and forgetting the user who sent the most initial boot program request and the food (both sent to the debugger guest for command line parameters.

When the user uses the command line parameter "-nohome bbs.nettf.netmask for execution, the system crashes to ifeothen and runs notepad.exe. The file name and parameters of the original execution request are converted to the entire command line parameter" C: /program files/Internet Explorer/iw.e. exe-nohome bbs.nettf.netmask to submit to notepad.exefor execution. The final execution is notepad.exe C:/program files/Internet Explorer/iexplore. exe-nohome bbs.nettf.netmask, that is, the user's original program file name iexplore.exeis replaced by notepad.exe, and the original whole string of command line plus The supervisor was originally executed as a request in the status of the light pole Commander (without running command line parameters) or with command line parameters.

The debugger parameter is intended to allow programmers to directly access the debugger to debug their own programs by double-clicking the program file. Friends who have debugged the program may have a question, since the ifeo step is required when the program is started, so when you click in the debugger to start the program that has just been sent in by the debugger parameter, isn't it because of this rule that causes another debugger process? Microsoft is not a fool. They naturally take this into consideration. Therefore, whether a program will call the ifeo rule at startup depends on whether it "calls from the command line, how can we understand "call from command line? In this way, the ifeo rule is triggered in the range of "calling from command line. To distinguish it from user operations, programs loaded by the system and those started in the debugger do not fall within the scope of "calling from the command line", thus bypassing ifeo, this avoids endless loops in the loading process.

Due to this special role of the debugger parameter, it is also called "redirection", and the attack using it is also called "redirection hijack ), unlike image hijack (or ifeo hijack), image hijack is actually the same technical means.

After explaining the role of the debugger parameter, let's take a look at what "image hijacking" is like, the system that suffers from the popular "image hijacking" virus shows that common anti-virus software, firewalls, security detection tools, and so on all prompt "file not found" or no response is executed, as a result, most users can only reinstall the system. However, experienced users who change the program name and find that the program runs properly again. Why? The answer is that ifeo is manually set a list of executable file names for these popular tools, and the debugger parameter points to a non-existent file or even the virus itself!

When you click the security tools that cannot be opened, you actually execute another malicious program! .

[{
Editlemmapara ('HTTP: // baike.baidu.com/edit/', 1008480, 4); Return false;
} "Href =" http://baike.baidu.com/view/1008480.htm# "> edit this section]

4. Specific cases of image hold:

Reference an analysis case of JM's jzb770325001 Moderator:

Quote:

In the spectacular ifeo of Wei, some famous ones have gone down:

HKLM/software/Microsoft/Windows NT/CurrentVersion/Image File Execution options/avp.exe

HKLM/software/Microsoft/Windows NT/CurrentVersion/Image File Execution options/agentsvr.exe

HKLM/software/Microsoft/Windows NT/CurrentVersion/Image File Execution options/ccenter.exe

HKLM/software/Microsoft/Windows NT/CurrentVersion/Image File Execution options/rav.exe

From this case, we can see the power of this technology! Many soft killing processes and some auxiliary soft killing tools are all held, so that all the soft killing processes you encounter cannot run!

Imagine how terrible it would be if more viruses were used here!

[{
Editlemmapara ('HTTP: // baike.baidu.com/edit/', 1008480, 5); Return false;
} "Href =" http://baike.baidu.com/view/1008480.htm# "> edit this section]

5. How can we solve and prevent "image hijacking "?

Method 1: Restriction method (search from network)

It needs to modify the Image File Execution options. You must have the permission to read the file .. One idea becomes ..

Open the Registry Editor and go to [HKEY_LOCAL_MACHINE/software/Microsoft/WindowsNT/CurrentVersion/imagefileexecutionoptions/. Right-click the item and choose permission> advanced. You can cancel the write permissions of administrator and system users.

Method 2: cutting corners

Open the Registry Editor, go to [HKEY_LOCAL_MACHINE/software/Microsoft/WindowsNT/CurrentVersion/, and delete the "imagefileexecutionoptions" item.

Method 3: Use Microsoft sysinternals suite

The simpler method is to use autoruns in sysinternals Suite (a Microsoft tool set) and click its "image hijacks" tab to view the hijacked program items.

Method 4: Permission Elimination

There is also a practice circulating on the Internet that makes it hard for novice users to understand, that is, to disable the write permission for the ifeo list. The specific operations are as follows:

Execute the 32bit Registration Table editor regedt32.exe

Go to HKLM/software/Microsoft/Windows NT/CurrentVersion/Image File Execution options;

Ensure that the focus is on Image File Execution options and select "security"-"permission ";

Remove all "write" permissions in the displayed user list and exit.

In this way, any write operation on ifeo becomes invalid, and the immune effect is also achieved. This method is good for general users, unless there are some special programs that need to write heap management parameters to it. We recommend that you disable this option to prevent all ifeo virus attacks.