A Rough Analysis of a Registry Entry


By tombkeeper@whitecell.org

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

You may not be familiar with this registry key, because it is mainly used for program debugging and is not considered
important. By default only Administrators and SYSTEM have read/write permission on it; ordinary users are read-only.

First, an experiment: create a new subkey named test.exe under this key, then create a string value named "Debugger"
in it and set its data to cmd.exe /c echo. Rename any exe file to test.exe.
Now, when you run test.exe from the command line, the console does not show the output of test.exe but this:

E:\>test
test

E:\>test.exe
test.exe

When Windows NT handles a request from the command line to run an executable file, it first checks whether the file
is an executable and, if so, which format it is. It then checks whether the following key exists:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ImageName]

If it does, the system first tries to read this value:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ImageName]
"Debugger" = "debug_prog"

If the value exists, the system runs "debug_prog ImageName" instead of the file itself. In the experiment above that is:

cmd.exe /c echo test
cmd.exe /c echo test.exe

If "debug_prog" is set to a program that is not in the search path, an interesting prompt appears: "The system
cannot find the file E:\test.exe". The test.exe in the example is right there in the current directory; what is actually
not found is "debug_prog". Once the test.exe subkey is set, the prompt "The system cannot find the file" does not
appear even if test.exe itself does not exist, and nothing at all is written to the console.

The system checks this value before running any executable program, so the feature can be used to plant a backdoor.
Earlier Windows security documents do not mention it. If you maintain a Windows 2000 security checklist,
please add it.

In Windows 2000 this key supports the following values:

ApplicationGoo
Debugger
PageHeapFlags
DisableHeapLookAside
DebugProcessHeapOnly
PageHeapSizeRangeStart
PageHeapSizeRangeEnd
PageHeapRandomProbability
PageHeapDllRangeStart
PageHeapDllRangeEnd
GlobalFlag
BreakOnDllLoad

These values are keyed on the file name only; the path of the file does not matter.

Debugger was covered above. DisableHeapLookAside can be used to fix runtime problems in some applications.
Since Windows NT SP4, Windows has used a new heap management mechanism; the new dynamic memory allocation makes
applications occupy less memory (and also makes exploits harder to write), but some applications cannot run normally
under this mechanism and hang or fail with errors. In that case, create a subkey with the file name and set
DisableHeapLookAside to "1"; the system then forces the application not to use the new heap management mechanism.
(Basically, wouldn't a heap overflow exploit for the system stop working once the application changes its running
mode? In that sense a program can also use this method to defend against overflow attacks.)

For more information about DisableHeapLookAside, see Microsoft Knowledge Base articles Q252902, Q195008 and Q195009.

Interestingly, Windows 2000 setup presets DisableHeapLookAside for these file names:

Enc98.EXE
F32main.exe
Prwin8.EXE
Ps80.EXE
Qfinder.EXE
Qpw.EXE
Ua80.EXE
Wpwin8.EXE

Probably Microsoft received reports that these applications ran abnormally :-).

BreakOnDllLoad is used for debugging DLLs, for example an ISAPI extension: it lets you break into the debugger as soon as the DLL is loaded.
See "Debugging IIS5 ISAPI Applications with VC++" by Rick Strahl.

For ApplicationGoo I found no documentation, but judging from the values Microsoft presets, this value stores
file-related data. My guess is that it is used to match a specific version of a file.

For the remaining values, although I know they exist, I could not find any information about them, not even
in MSDN. Fortunately their names make their purpose fairly clear :-): they all control the heap.
I hope these values are helpful to those studying Windows heap overflows.


Additional information:

In XP, ShutdownFlags is also supported under this key. The following is Microsoft's description:

Leak Detection when the Process Is Exiting

Leak detection is made every time a process is cleanly exiting.
It doesn't work if the process is terminated with TerminateProcess()
or TerminateThread()/ExitThread() for the last thread in the process;
but for most applications this is not a problem.

To enable leak detection when the process is exiting, set the registry key as follows:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ImageName]
"ShutdownFlags" = "3"
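As an added example (not code from the original article), here is a small audit script for the checklist item above and for the value list: it parses the text that `reg export` writes for the IFEO key, which keeps it runnable off the box, flags any image whose "Debugger" value redirects execution, and lists the heap and debugging values the article names, ShutdownFlags included. The sample export, the C:\tools\mydbg.exe path and the leaktest.exe image name are constructed for the demonstration.

```python
"""Audit an exported Image File Execution Options (IFEO) key.

Added example, not from the original article: parses the text produced by
``reg export`` and reports, per image name, any "Debugger" redirection plus
the debugging/heap values the article lists.  The export below is
constructed for the demo, not taken from a real system.
"""
import re
from dataclasses import dataclass, field

IFEO_PREFIX = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
    r"\Image File Execution Options"
)

# Per-image values named in the article, compared case-insensitively as
# registry value names are.  Debugger is handled separately because it
# changes WHAT is executed rather than HOW the image runs.
HEAP_AND_DEBUG_VALUES = {name.lower() for name in (
    "ApplicationGoo", "PageHeapFlags", "DisableHeapLookAside",
    "DebugProcessHeapOnly", "PageHeapSizeRangeStart", "PageHeapSizeRangeEnd",
    "PageHeapRandomProbability", "PageHeapDllRangeStart",
    "PageHeapDllRangeEnd", "GlobalFlag", "BreakOnDllLoad", "ShutdownFlags",
)}

# Constructed sample export: test.exe reproduces the article's experiment;
# leaktest.exe and the C:\tools path are hypothetical.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\test.exe]
"Debugger"="cmd.exe /c echo"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Qfinder.EXE]
"DisableHeapLookAside"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\leaktest.exe]
"Debugger"="C:\\tools\\mydbg.exe"
"ShutdownFlags"="3"
"GlobalFlag"=dword:00000010
'''


@dataclass
class ImageEntry:
    image: str
    values: dict = field(default_factory=dict)


_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _decode_data(data):
    """Decode the two data forms used here: "string" (with \\ and \" escapes)
    and dword:hex.  Other types are returned as raw text."""
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return re.sub(r'\\(.)', r'\1', data[1:-1])
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    return data


def parse_reg_export(text):
    """Return {image_name: ImageEntry} for subkeys directly under IFEO."""
    entries = {}
    current = None
    prefix = IFEO_PREFIX.lower() + "\\"
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current = None                     # any other key ends the block
            if key.lower().startswith(prefix):
                image = key[len(prefix):]      # keep the original case
                if "\\" not in image:          # direct child of IFEO only
                    current = entries.setdefault(image, ImageEntry(image))
            continue
        m = _VALUE_RE.match(line) if current is not None else None
        if m:
            current.values[m.group(1)] = _decode_data(m.group(2))
    return entries


def audit(entries):
    """Classify every value as (image, kind, name, data).  'redirect' means
    the named program runs instead of the image, with the original command
    line appended; 'heap/debug' is a per-image tuning value; anything else
    is 'unexpected' and deserves a look."""
    findings = []
    for image in sorted(entries, key=str.lower):
        for name, data in entries[image].values.items():
            if name.lower() == "debugger":
                kind = "redirect"
            elif name.lower() in HEAP_AND_DEBUG_VALUES:
                kind = "heap/debug"
            else:
                kind = "unexpected"
            findings.append((image, kind, name, data))
    return findings


def redirected_images(entries):
    """{image: debugger command} for every image whose launch is intercepted."""
    return {img: e.values[n] for img, e in entries.items()
            for n in e.values if n.lower() == "debugger"}


if __name__ == "__main__":
    for image, kind, name, data in audit(parse_reg_export(SAMPLE_EXPORT)):
        print(f"{image:14} {kind:10} {name}={data!r}")
```

On a real system, feed the script the file written by `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg`; every "redirect" finding should correspond to a debugger you deliberately configured, since, as the article shows, the redirected program also gets the original command line and the original image never runs.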

Given my limited ability and the serious shortage of information in this area, this article surely has many problems.
You are welcome to write to:
tombkeeper@whitecell.org
or visit:
http://www.whitecell.org/forums
and tell me your findings.


About us:

WSS (Whitecell Security Systems) is a non-profit civil technology organization dedicated to comprehensive research
on all kinds of system security technology. It adheres to the traditional hacker spirit and pursues pure technology.

WSS home: http://www.whitecell.org/
WSS Forum: http://www.whitecell.org/forum/
