Image Hijacking Ifeo

Source: Internet
Author: User

Tags: image hijacking, Image File Execution Options (IFEO), "Image Hijack"

"If I want the system to actually run cmd.exe when I double-click the program notepad.exe, how can that be done?"

First let us look at what happens when we double-click notepad.exe. The system determines that notepad.exe is an executable, then allocates memory for the program, loads it and runs it. Not quite: before allocating memory for the program, the system also performs what we will call an IFEO check on notepad.exe. It opens the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options and looks for a subkey with the same name as the executable, that is, notepad.exe. If no such subkey exists (you are lucky), notepad.exe really is run. If there is a subkey named notepad.exe, the system looks under it for a value named Debugger; if the data of Debugger is cmd.exe, the system actually runs the cmd.exe named in the Debugger value, and the original program notepad.exe is only passed to cmd.exe as a parameter. In other words, what finally executes is "cmd.exe notepad.exe".

Since this is such a big loophole, why does it exist? What is the IFEO registry key for?
Originally, in the Windows NT era, the system used an early heap (heap: the memory area managed by the application) management mechanism, so some programs behaved differently from how they do today. As the system was updated, the vendor changed the system heap management mechanism, introducing a dynamic memory allocation scheme that lets programs use less memory and, on the security side, makes them harder to overflow. These changes left some programs unable to work, so to accommodate such programs Microsoft designed a "technology" called IFEO. Its original intention was not "hijacking" but "Image File Execution Options"! For example, suppose you want to run a program a.exe that uses the old heap management mechanism and therefore does not work properly on the new system. You open the registry, create a new subkey named a.exe under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options, and inside that subkey create a new string value DisableHeapLookaside with the value 1. After saving the registry, run a.exe again: does it work now? (Still not? Then the cause of the error lies outside what IFEO can control, or try the other parameters.)

IFEO is not only the Debugger parameter; the following are the IFEO parameters:

ApplicationGoo
Debugger
PageHeapFlags
DisableHeapLookaside
DebugProcessHeapOnly
PageHeapSizeRangeStart
PageHeapSizeRangeEnd
PageHeapRandomProbability
PageHeapDllRangeStart
PageHeapDllRangeEnd
GlobalFlag
BreakOnDllLoad
ShutdownFlags

But the culprit of "image hijacking" is only Debugger, because the Debugger parameter takes precedence over all the other parameters! When the system finds a subkey in IFEO, it first checks whether the Debugger parameter is used! Why does Debugger exist at all? Perhaps Microsoft's original intention was to make life easier for programmers: by double-clicking an executable file listed under IFEO, the debugger is invoked directly to debug it, without the tedious routine of opening the debugger and then loading the file, which improves efficiency.

[Figures from the original page are not reproduced here.]

Further reading: Image Hijacking (Baidu Encyclopedia)

Code demo:
#include "stdafx.h"   // Visual Studio precompiled header
#include <Windows.h>
#include <tchar.h>
#include <stdio.h>

#pragma comment(lib, "Advapi32.lib")   // the registry APIs live in advapi32

int _tmain(int argc, _TCHAR* argv[])
{
    LONG lRst;
    HKEY hKey;

    // Create (or open) the IFEO subkey whose name matches the target image, notepad.exe.
    // The key lives under HKLM, so this write needs administrator rights.
    if (ERROR_SUCCESS != RegCreateKeyEx(
            HKEY_LOCAL_MACHINE,
            L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\notepad.exe",
            0L,
            NULL,
            REG_OPTION_NON_VOLATILE,
            KEY_ALL_ACCESS,
            NULL,
            &hKey,
            NULL))
    {
        wprintf(L"RegCreateKeyEx failed.\n");
        return 0;
    }

    // Set the Debugger value: from now on launching notepad.exe runs "cmd.exe notepad.exe".
    // sizeof(L"cmd.exe") includes the terminating null, as REG_SZ data should.
    // To undo the demo, delete the Debugger value (or the whole notepad.exe subkey).
    lRst = RegSetValueEx(hKey, L"Debugger", 0L, REG_SZ,
                         (CONST BYTE*)L"cmd.exe", sizeof(L"cmd.exe"));
    if (ERROR_SUCCESS != lRst)
    {
        wprintf(L"RegSetValueEx failed.\n");
    }

    RegCloseKey(hKey);
    return 0;
}
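A defender-side complement to the mechanism described above, added here and not part of the original page: it parses the text output of 'reg query "HKLM\...\Image File Execution Options" /s' (the sample below is constructed for this example) and reports every IFEO subkey that sets a Debugger value, the one value that redirects execution. KNOWN_DEBUGGERS is an assumed allow-list and the function names are this example's own.

```python
import re

# Constructed sample (not captured from a real host) of the output of:
#   reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe
    DisableHeapLookaside    REG_DWORD    0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe
    Debugger    REG_SZ    cmd.exe
    GlobalFlag    REG_DWORD    0x2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myapp.exe
    Debugger    REG_SZ    "C:\Program Files\Microsoft Visual Studio\Common7\IDE\vsjitdebugger.exe"
"""

# reg query prints each value as: <indent><name>    <type>    <data>
VALUE_LINE = re.compile(r"^\s+(\S+)\s{2,}(REG_\w+)\s{2,}(.*)$")

def parse_ifeo(text):
    """Return {image_name: {value_name: data}} from 'reg query ... /s' output."""
    entries = {}
    current = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            # The last path component is the image (exe) name the subkey applies to.
            current = line.rstrip("\\").rsplit("\\", 1)[-1].lower()
            entries.setdefault(current, {})  # keep subkeys that carry no values too
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            entries[current][m.group(1)] = m.group(3).strip()
    return entries

def debugger_exe(data):
    """Executable file name from a Debugger value, ignoring any trailing arguments."""
    path = data[1:data.find('"', 1)] if data.startswith('"') else data.split(" ", 1)[0]
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

# Debuggers one would expect in a legitimate Debugger value (assumed allow-list).
KNOWN_DEBUGGERS = {"vsjitdebugger.exe", "windbg.exe", "cdb.exe", "ntsd.exe"}

def find_debugger_overrides(entries):
    """(image, debugger_value, suspicious) for each subkey that sets Debugger. Debugger wins
    over every other IFEO flag, so only it is reported; an allow-listed name narrows what to
    inspect but is not proof of legitimacy, since any binary can be renamed."""
    hits = []
    for image, values in sorted(entries.items()):
        dbg = next((v for k, v in values.items() if k.lower() == "debugger"), None)
        if dbg is not None:
            hits.append((image, dbg, debugger_exe(dbg) not in KNOWN_DEBUGGERS))
    return hits
```

On 64-bit Windows, run the same query against HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options as well, since 32-bit images are looked up there.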
