C# Implementing Image Hijacking

Source: Internet
Author: User

"Image hijacking" is also known as IFEO (Image File Execution Options). In Windows NT-architecture systems, IFEO was intended to provide special environment settings for executables that may throw errors when run in the default system environment. When an executable falls under the control of IFEO, its memory allocation is set according to the parameters recorded for that program; the NT-architecture system uses this registry key, matched on the executable's file name, as the basis for controlling how the program is loaded. In this way a program's heap management mechanism and some auxiliary mechanisms can be configured. For simplicity, IFEO ignores the path and matches only the file name of the program it wants to control, so the settings apply wherever the program is placed, as long as its name does not change. The key is

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

under which a subkey named after the executable's file name controls the loading of that program. Microsoft presumably decided that matching on the full path would make the lookup awkward and inflexible and would bloat the registry, which is why IFEO matches on the file name alone.

Instance operation

Suppose a program file named Xiaojin.exe uses the old heap management mechanism and, as a result, does not work on a newer system or even performs an illegal operation. To have the system provide it with the old heap management mechanism, IFEO has to intervene:

1. Make sure Regedit.exe is run as an administrator and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options.
2. Create a subkey under "Image File Execution Options" named "Xiaojin.exe" (the name is not case sensitive). Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Xiaojin.exe, create a string value named "DisableHeapLookaside" with the value "1".
3. Run Xiaojin.exe again. If the program now runs normally, the problem really was caused by the heap management mechanism; otherwise the problem is outside what IFEO can influence, or IFEO needs to be combined with other parameters.

Fundamentals

When an NT system tries to execute a request from the command line for an executable file, it checks whether the requested program is an executable and, if so, checks its format; it then checks whether an IFEO entry exists for that file name. If the program that entry points to does not exist, the user is told that the system cannot find the file, that "the specified path is incorrect", and so on. Once these keys are removed, the program can of course be run again. Judging from the actual behaviour, calling IFEO itself "image hijacking" is a little unfair: most of its parameters cannot cause today's problems, and only one of them, "Debugger", turns IFEO into image hijacking. Presumably some people in China simply applied the abbreviation of "Image File Execution Options"; in the more standard Sysinternals terminology, using the design flaw of this technique for illegal activities is called "Image Hijack", which really is, literally, "image hijacking".

Debugger parameter

Debugger, literally "debugger", is the first parameter IFEO processes, and its effect is quite remarkable. If the system finds a program file in the IFEO list, it first reads the Debugger parameter. If the parameter is not empty, the system takes the program file named in the Debugger parameter as the execution request the user actually made, and passes the program the user tried to start to that file as a parameter. An analogy: two guests are eating at a buffet, and one guest (the user) asks the other (the system) to fetch some food and bring it back (the program launch request). The system fills a plate, but on the way back meets a guest at another table (the program named in the Debugger parameter) who turns out to be an old flame from primary school. The system puts the user's plate down on that guest's table to share old memories (the executable image name and the original parameters are combined into a new command line), and the food is naturally eaten by the Debugger guest (who receives the command-line parameters). Busy carrying out the Debugger guest's launch request, the system forgets the user who made the original request, along with that plate of food (all of it delivered to the Debugger guest as command-line parameters).

In terms of the system's execution logic: if an IFEO key for "iexplore.exe" has its Debugger parameter set to "notepad.exe", and the user executes iexplore.exe with the command-line argument "-nohome bbset", the system actually goes to IFEO and runs Notepad.exe instead, while the file name and parameters of the original request are converted into a single command line, "C:\Program Files\Internet Explorer\iexplore.exe -nohome bbset", which is submitted to Notepad.exe. What finally executes is "notepad.exe C:\Program Files\Internet Explorer\iexplore.exe -nohome bbset". In other words, the program file name the user intended to execute, iexplore.exe, is replaced with Notepad.exe, and the original command line, iexplore.exe included, is passed to Notepad.exe as its new command-line parameters. The user therefore ends up seeing the Notepad window, and one of two things happens: either Notepad reads the whole of iexplore.exe as text, or Notepad pops up an error message saying the file name is incorrect, depending on whether iexplore.exe was originally launched bare (without command-line arguments) or with arguments.

The Debugger parameter originally existed so that programmers could double-click a program file and have it open directly in the debugger. Anyone who has debugged a program may wonder: since program startup goes through the IFEO step, when you click Start in the debugger, will the program that was sent in through the Debugger parameter not trigger the same rule and spawn yet another debugger process? Microsoft was not foolish and took this into account: whether a program's launch goes through the IFEO rule depends on whether it is "called from the command line". So how is "called from the command line" to be understood?

For example, executing taskmgr.exe at the command prompt is a typical execution request called from the command line; clicking Taskmgr.exe on the desktop or in the Start menu is treated by the system as an execution request passed by the shell, Explorer.exe, and also counts as "called from the command line", so it triggers the IFEO rule. To distinguish them from user operations, programs loaded by the system itself and programs launched by a debugger do not fall under "called from the command line"; they bypass IFEO, which avoids an endless loop in the loading process. Because of this special effect, the Debugger parameter is also called "redirection", and the attack that exploits it is called "redirection hijack"; this and "image hijacking" (Image Hijack, or IFEO Hijack) are different names for the same technique.

Substantive issues

Having explained the Debugger parameter, let us look at what "image hijacking" actually is. On a system infected with one of the popular "image hijacking" viruses, common anti-virus software, firewalls, security detection tools and so on either prompt "cannot find file" or simply do not respond when run, so most users can only reinstall the system. An experienced or lucky user who renamed the program, however, found that it worked again. Why? Because the virus had set up IFEO entries for the file names of these popular tools, with the Debugger parameter pointing at a nonexistent file, or even at the virus itself!

Example

Take AST.exe, the main executable of Super Patrol. A malicious program named Kkk.exe writes an AST.exe item into the IFEO table and points its Debugger at Kkk.exe, so the system regards Kkk.exe as the debugger for AST.exe. Every time the user runs AST.exe, what the system actually executes is Kkk.exe in the role of debugger, while the AST.exe that should have run is only passed to Kkk.exe as an execution parameter. Since Kkk.exe is not a debugger, and its author did not even write code to handle execution parameters, the only thing that ever starts is Kkk.exe itself: every click on one of those security tools that "cannot be opened" is in fact another execution of the malicious program! This trick was widely adopted by malware using "image hijacking": the OSO super U-disk virus and AV Terminator (the random-number virus, the 8-letter virus), two malicious programs that killed most popular security tools and anti-virus software, ran rampant across the network and caused nationwide panic. Their biggest improvement was exactly this core technique of using IFEO to register themselves as the debugger of all kinds of popular security tools. The cure is particularly simple: just rename the security tool's executable, and as long as the tool does not care about the existence of a mutex it will run normally, unless you are unlucky enough to pick a name that is also blacklisted, for example renaming AST.exe to IceSword.exe.

(The text above is from the Baidu encyclopedia.)

Let's look at a simple C# implementation:

using System;
using System.Drawing;
using System.Windows.Forms;
using Microsoft.Win32;

namespace SetImageHijacking
{
    public partial class Form1 : Form
    {
        // The original listing does not give the font size; 12 is used here as a stand-in.
        private const float FontSize = 12f;

        public Form1()
        {
            InitializeComponent();
        }

        [STAThread]
        static void Main()
        {
            Application.EnableVisualStyles();
            Application.SetCompatibleTextRenderingDefault(false);
            Application.Run(new Form1());
        }

        private void Form1_Load(object sender, EventArgs e)
        {
            timer1.Enabled = true; // start the timer
        }

        // Runs on every timer tick; it only paints the title and the clock and has little to do with this article
        private void Dra()
        {
            Graphics gr = this.CreateGraphics();
            Brush br1 = new SolidBrush(Color.Green);
            Brush br = new SolidBrush(Color.Red);
            gr.FillRectangle(br1, 20, 20, 120, 40);
            gr.DrawString("Image hijacking", new Font("Arial", FontSize), br, 21, 21);
            gr.FillRectangle(br1, 150, 20, 120, 40);
            // The original uses the Chinese regular-script (KaiTi) font for the clock
            gr.DrawString(DateTime.Now.ToLongTimeString(), new Font("KaiTi", FontSize), br, 151, 20);
        }

        private void timer1_Tick(object sender, EventArgs e)
        {
            Dra();
        }

        // Set the image hijack: the core of this article
        private void button1_Click(object sender, EventArgs e)
        {
            // Remember the typed image name in the combo box if it is not already listed
            bool alreadyListed = false;
            for (int i = 0; i < comboBox1.Items.Count; i++)
            {
                if (comboBox1.Items[i].ToString() == comboBox1.Text)
                {
                    alreadyListed = true;
                    break;
                }
            }
            if (!alreadyListed)
            {
                comboBox1.Items.Add(comboBox1.Text);
            }

            try
            {
                // Create (or open) HKLM\...\Image File Execution Options\<image name> and write its Debugger value
                RegistryKey reg = Registry.LocalMachine;
                reg = reg.CreateSubKey(@"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\" + comboBox1.Text);
                reg.SetValue("Debugger", comboBox2.Text);
                reg.Close();
                MessageBox.Show("Image hijacking succeeded!", "Hint", MessageBoxButtons.OK, MessageBoxIcon.Information);
                Refresh();
            }
            catch (Exception ex)
            {
                MessageBox.Show(ex.Message);
            }
        }

        // Remove the image hijack: the other core of this article
        private void button2_Click(object sender, EventArgs e)
        {
            try
            {
                // Delete the whole IFEO subkey for the image name, including any nested keys
                RegistryKey reg = Registry.LocalMachine;
                reg.DeleteSubKeyTree(@"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\" + comboBox1.Text, true);
                reg.Close();
                MessageBox.Show("Image hijack removed successfully!", "Hint", MessageBoxButtons.OK, MessageBoxIcon.Information);
                Refresh();
            }
            catch (Exception ex)
            {
                MessageBox.Show(ex.Message);
            }
        }

        private void checkBox1_CheckedChanged(object sender, EventArgs e)
        {
            if (checkBox1.Checked)
            {
                label1.Text = "Saved image name:";
            }
        }
    }
}
