Resolution Image hijacking Technology page 1/3

I. Strange poisoning

After half an hour on a computer in the clerk's office of the finished inspection department, the technicians in the computer maintenance department only thought that their eyelids were not stopping because they had taken over the task from the very beginning, he has been doing nothing: the many maintenance kits he takes with him on the USB flash drive are not covered, no matter which directory he runs directly on the USB flash drive or just copies, the system reports "no file is found" or does not directly run the reaction, he first felt the fear, the file is clearly under the eyes, but they are "not found" or will not be executed. Is this machine damaged by viruses? He had to open the webpage and try to download it again, but soon he was desperate. The scan and removal tool he just downloaded was also unavailable.

In desperation, he had to say a lot of words frequently used by experts who claim to be on-site computer maintenance. In general, this sentence can immediately make most users accept the cruel reality, allow it to reinstall the system and pay 50 yuan for the system reinstallation. This sentence is: "The system file is seriously damaged and cannot be repaired. You can only reinstall the system."

After installing the system and common office software, he quickly leaves the office like a thief, for fear that it will cause any trouble if he stays for a while, but he does not know, "trouble" has been settled on the USB flash drive he just used. Back in front of his computer, he right-clicked the USB flash drive and saw the mouse busy for a little longer than usual. Then the anti-virus software and network firewall in the tray area disappeared, and he was in a panic, quickly run the super patrol police, but the system reported that "no files can be found". He suddenly stayed in front of the computer: the god of sorrow kept up with the door ......

Gu yuyun: A high foot, a high foot. This classic philosophy has been quickly extended on the Internet. At the beginning of this year, a long-standing system debugging function was applied to virus technology, which turned itself into a spokesman for the demon. Common users soon faced an inexplicable virus disaster, this is "image hijacking ".

2. I would like to see the moon ......

"Image File Execution options" is also known as "image hijack, at least it should also be known as ifeo hijack, rather than "ifeo" itself !), There is a natural reason for its existence. In the WindowsNT architecture system, ifeo is intended to cause errors when running in the default system environment.ProgramThe execution body provides special environment settings. The reason why the system manufacturer does this is a historical one. In the Windows NT era, the system uses an early heap, the memory area managed by the Application) management mechanism makes the running mechanism of some programs different from the current one. Then, as the system is updated, the vendor modifies the heap Management Mechanism of the system, by introducing a dynamic memory allocation scheme, the program can reduce memory usage and protect the program from being vulnerable to overflow. However, these changes make some programs unable to operate anymore, in order to take into account these problematic programs, Microsoft specifically designed the "ifeo" technology with a "long-term discussion" attitude. Its original intention was not "hijacking", but "Image File Execution Parameters "!

Ifeo sets some parameters related to heap allocation. When an executable program is under the control of ifeo, its memory allocation is set based on the program parameters, so how to place an executable program under the control of ifeo? The answer is simple. The windows NT architecture system reserves an interactive interface for the user, which is located in "HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Image File Execution options" in the registry, using a project that matches the executable program file name as the control basis for program loading, a program's heap management mechanism and some auxiliary mechanisms can be finally set, microsoft probably considers that adding path control will cause judgment troubles and inflexible operations, and may also lead to registry redundancy. Therefore, ifeo uses the ignore Path Method to match the program file name it wants to control, for example, ifeo specifies. EXE "executable program file for control, no matter which directory it is in, as long as its name is also called" Xiaojin. EXE ", it can only be rolled in ifeo's Wuzhishan.

Having said that half a day is just a pure concept, how does ifeo play its role? For example, if a program file named “lk007.exe is used, because the old heap management mechanism is used, it cannot run normally or even has illegal operations in the new system. In order to allow the system to provide it with the old heap management mechanism, if ifeo is required, perform the following steps:

1. Ensure that regedit.exe is executed under the Administrator state and the following registry items are located:

Quote:
HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Image File Execution options

2. Create a sub-key named “lk007.exe under "Image File Execution options.pdf", which is case insensitive. Make sure that you create a registry key of the string type under HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Image File Execution options \ lk007.exe \, named "disableheaplookaside ", the value is "1"

3. run lk007.exe again to check the running status. If the problem is caused by the heap management mechanism, the program runs normally. Otherwise, the problem of the program is not within the scope that ifeo can interfere, or try to use it with other parameters.

Currently, known ifeo parameters include:

Quote:
Applicationgoo
Debugger
Pageheapflags
Disableheaplookaside
Debugprocessheaponly
Pageheapsizerangestart
Pageheapsizerangeend
Pageheaprandomprobability
Pageheapdllrangestart
Pageheapdllrangeend
Globalflag
Breakondllload
Shutdownflags