I. A Strange Infection
After half an hour of hard work at a computer in the office, the engineer could only feel his eyelids twitching: he had been stuck ever since he took on the job. The many maintenance tools he was proud to carry on his USB flash drive all failed on this machine. Whether he ran them from the flash drive or copied them into any directory he liked, the system either reported "file not found" or simply did nothing. He felt a first pang of fear: the files were plainly there in front of him, yet they were "not found" or would not execute. Had a virus damaged this machine? He opened a web page and tried to download the tools again, but was soon desperate: the scanning and removal tool he had just downloaded would not run either.
In desperation, he had to tell the expectant clerks: "The system files are seriously damaged and cannot be repaired. The only option is to reinstall."
After reinstalling the system and the common office software, he left the office quickly like a thief, afraid that staying a moment longer would bring more trouble. He did not know that the "trouble" had already settled onto the USB flash drive he had just used. Back in front of his own computer, he right-clicked the flash drive and noticed that the mouse stayed busy a little longer than usual. Then the anti-virus software and the network firewall disappeared from the tray. In a panic he quickly ran Super Patrol Police, but the system reported "file not found". He sat frozen in front of the computer: the god of misfortune had followed him home ......
An old saying goes: as virtue rises one foot, evil rises ten. This classic philosophy has quickly been re-enacted on the Internet. At the beginning of this year, a long-standing system debugging feature was pressed into the service of virus technology and turned into a spokesman for the demon. Ordinary users soon faced an inexplicable virus disaster: "image hijacking".
II. I would like to see the moon ......
"Image File Execution Options" is also known as "image hijacking" (at the very least it should be called IFEO hijacking, rather than "IFEO" itself!). There is a natural reason for its existence. In Windows NT-architecture systems, IFEO was intended to provide special environment settings for executables that might fail when run under the default system environment. The vendor did this for a historical reason: in the Windows NT era the system used an early heap (the memory region managed by applications) management mechanism, under which some programs behaved differently from today. As the system was upgraded, the vendor changed the heap management mechanism: by introducing a dynamic memory allocation scheme, programs used less memory and, from a security standpoint, were harder to overflow. But these changes caused some programs to stop working. To accommodate these problematic programs, Microsoft designed the "IFEO" mechanism with a "long-term" attitude. Its original intention was not "hijacking" but "Image File Execution Parameters"!
IFEO sets parameters related to heap allocation. When an executable is placed under IFEO's control, its memory allocation is set according to the program's parameters. So how is an executable placed under IFEO's control? The answer is simple. Windows NT-architecture systems reserve an interface for the user in the registry, at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options". A subkey whose name matches the executable's file name serves as the control basis when the program is loaded, and through it a program's heap management mechanism and some auxiliary mechanisms can be set. Microsoft probably considered that matching on the path would make the check awkward and inflexible and might also bloat the registry, so IFEO matches only the file name of the program it wants to control and ignores the path. For example, if IFEO specifies "AAA.EXE" for control, then no matter which directory it is in, as long as a program is named "AAA.EXE" it cannot escape IFEO's grasp.
Having said all that, it is still pure concept. How does IFEO actually take effect? Suppose a program file named "lk007.exe" uses the old heap management mechanism and therefore cannot run normally on the new system, or even triggers illegal operations. To have the system provide it with the old heap management mechanism through IFEO, perform the following steps:
1. Run regedit.exe as Administrator and locate the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
2. Create a subkey named "lk007.exe" under "Image File Execution Options" (the name is case insensitive). Then create a value named "DisableHeapLookaside" under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lk007.exe and set it to "1".
3. Run lk007.exe again and check how it behaves. If the problem was caused by the heap management mechanism, the program now runs normally. Otherwise the program's problem is outside what IFEO can address, or you can try other parameters.
Currently known IFEO parameters include:
ApplicationGoo
Debugger
PageHeapFlags
DisableHeapLookaside
DebugProcessHeapOnly
PageHeapSizeRangeStart
PageHeapSizeRangeEnd
PageHeapRandomProbability
PageHeapDllRangeStart
PageHeapDllRangeEnd
GlobalFlag
BreakOnDllLoad
ShutdownFlags
To put it bluntly, IFEO is essentially a compatibility measure designed by the system vendor for software written against early design models, later extended into a simple aid for debugging programs. For example, the "BreakOnDllLoad" parameter can be set so that a breakpoint is hit when a DLL is loaded, which lets programmers debug ISAPI interfaces conveniently; the parameters containing "Range" limit the heap size.
One parameter is responsible for today's situation: Debugger. Microsoft probably intended that a programmer could invoke the debugger directly by double-clicking an executable on the IFEO control list, so that debugging could begin without opening the debugger and loading the file by hand, improving efficiency.
For IFEO to affect every program launch request, its priority is set high in the NT architecture. Basically, when the user requests that a program be executed, the system first checks whether the file can be executed, then goes to the IFEO entries to match the file name. Only after the IFEO step passes does the process actually begin requesting memory and being created.
If the system finds the file name being launched in the IFEO list, it reads the parameters under that name. These parameters have default values before being set manually, and they also have priorities: "Debugger" has the highest priority, so it is the first parameter read. If it is not set, nothing happens by default. If it is set, things get complicated ......
III. The culprit: "Debugger"
By now we should understand the nature of IFEO. Judging from the actual behaviour, it is a bit awkward to call IFEO "image hijacking": most of its parameters cannot cause today's situation. Only one of them, "Debugger", turns IFEO into image hijacking. The name probably arose because some people in China translated the abbreviation of "Image File Execution Options" directly. In Sysinternals' usage, exploiting this design flaw for illegal purposes is called "image hijack", and that is the true "image hijacking"!
The Debugger parameter, literally "the debugger", is the first parameter IFEO processes, and its effect is remarkable. If the system finds a program file in the IFEO list, it first reads the Debugger parameter. If that parameter is not blank, the system treats the program file named in the Debugger parameter as the execution request, and instead passes the program you were trying to start to that program as a command-line argument! This may be hard for some people to grasp, so here is a simple analogy. Two guests attend a buffet together. One guest (the user) asks the other (the system) to bring a plate of food back for him (the request to start the program). But when the system has filled the plate and is about to return, it spots at another table a guest (the program file specified by the Debugger parameter) who was its primary-school crush! So the system hands the food that was meant for the user to that guest while reminiscing about old times (the executable image of the original launch request and its initial parameters are combined into a new command line ...... ). The food ends up with the debugger guest (who receives the command-line parameters). At this point the system is busy carrying out the debugger guest's launch request and has forgotten both the user who made the original request and the food (both were handed to the debugger guest as command-line parameters).
In terms of the system's execution logic: suppose iexplore.exe has an IFEO entry whose Debugger is set to notepad.exe, and the user runs it with the command-line argument "-nohome bbs.nettf.net". The file name and arguments of the original request are converted into the whole command line "C:\Program Files\Internet Explorer\iexplore.exe -nohome bbs.nettf.net" and submitted to notepad.exe for execution. What finally executes is: notepad.exe C:\Program Files\Internet Explorer\iexplore.exe -nohome bbs.nettf.net. That is, the program file name to be executed, iexplore.exe, is replaced by notepad.exe, and the whole original command line is passed to the debugger as arguments, whether the original request was a bare launch (without command-line arguments) or one with arguments.
The Debugger parameter was intended to let programmers enter the debugger directly by double-clicking their program file. Those who have debugged programs may wonder: since the IFEO step is taken every time a program starts, when the debugger in turn launches the program that was passed to it through the Debugger parameter, wouldn't this rule spawn yet another debugger process? Microsoft is not foolish, and naturally took this into account. Whether a program triggers the IFEO rule at startup depends on whether it is "called from the command line". How should we understand "called from the command line"? For example, an execution request passed by Explorer, or one typed at the command prompt, counts as "calling from the command line" and triggers the IFEO rule. To distinguish them from user operations, programs loaded by the system and programs started from within the debugger are not considered "called from the command line", so they bypass IFEO; this avoids an endless loop during loading.
From a programming standpoint, whether a launch is a "command-line call" is determined by whether CreateProcess is given lpCommandLine (the command line) or lpApplicationName (the program file name). By default most programmers write the lpCommandLine form, the command-line call.
BOOL CreateProcess(
    LPCTSTR lpApplicationName,
    LPTSTR lpCommandLine,
    LPSECURITY_ATTRIBUTES lpProcessAttributes,
    LPSECURITY_ATTRIBUTES lpThreadAttributes,
    BOOL bInheritHandles,
    DWORD dwCreationFlags,
    LPVOID lpEnvironment,
    LPCTSTR lpCurrentDirectory,
    LPSTARTUPINFO lpStartupInfo,
    LPPROCESS_INFORMATION lpProcessInformation
);
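To make the rewriting concrete, here is a small Python simulation of the launch logic described above. It is an added example written for this article, not Windows source code and not the author's code: it encodes only the rules the article states (IFEO matches on the file name alone, a launch through lpCommandLine is subject to IFEO, a launch through lpApplicationName or one issued from inside the debugger bypasses it, and a Debugger that cannot be found surfaces as "file not found"). It also models the self-referencing Debugger that the article discusses later under "immunity", where the command line grows until it hits the system limit. The IFEO table, the set of existing files and the paths are constructed sample data; the Windows command-line limit of 32767 characters is a documented value.

```python
"""Simulation of how an IFEO "Debugger" value rewrites a launch request (illustrative model)."""
import ntpath

# Constructed sample of the key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
# Image File Execution Options: subkey name -> values under it.
IFEO = {
    "iexplore.exe": {"Debugger": r"C:\Windows\notepad.exe"},       # the article's notepad example
    "icesword.exe": {"Debugger": r"C:\Windows\system32\kkk.exe"},  # hijack: points at an absent file
    "logo_1.exe":   {"Debugger": "logo_1.exe"},                    # "immunity" trick: points at itself
}

# Constructed set of files present on the sample machine (lower-cased for comparison).
EXISTING = {
    r"c:\program files\internet explorer\iexplore.exe",
    r"c:\windows\notepad.exe",
    r"c:\tools\icesword.exe",
    r"c:\tools\ast_renamed.exe",  # a security tool after the rename trick
}

MAX_CMDLINE = 32767  # maximum length of a Windows command line, in characters


class CommandLineTooLong(OSError):
    """The rewritten command line exceeded MAX_CMDLINE (the recursive loop case)."""


def image_of(command_line):
    """First token of a command line, i.e. the image to launch, honouring quotes."""
    s = command_line.lstrip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end != -1 else s[1:]
    return s.split(" ", 1)[0]


def create_process(command_line=None, application_name=None, from_debugger=False):
    """Return the command line that would really run.

    command_line     -- lpCommandLine: a "command-line call", subject to IFEO
    application_name -- lpApplicationName: explicit image, bypasses IFEO
    from_debugger    -- launch issued by the debugger itself, bypasses IFEO
    Raises FileNotFoundError when the image (or the Debugger program) does not exist.
    """
    if application_name is not None or from_debugger:
        image = application_name if application_name is not None else image_of(command_line)
        if image.lower() not in EXISTING:
            raise FileNotFoundError(image)
        return command_line if command_line is not None else application_name

    rewrites = 0
    while True:
        image = image_of(command_line)
        entry = IFEO.get(ntpath.basename(image).lower(), {})  # file name only, path ignored
        debugger = entry.get("Debugger")
        if not debugger:
            if image.lower() not in EXISTING:
                raise FileNotFoundError(image)  # what the user sees as "file not found"
            return command_line
        # The whole original request becomes the Debugger program's arguments,
        # and the Debugger program is itself launched as a command-line call.
        rewritten = f"{debugger} {command_line}"
        if len(rewritten) > MAX_CMDLINE:
            raise CommandLineTooLong(f"gave up after {rewrites} rewrites")
        command_line = rewritten
        rewrites += 1


def outcome(command_line=None, **kwargs):
    """Return ("run", final command line) or ("error", description) for a launch attempt."""
    try:
        return ("run", create_process(command_line, **kwargs))
    except CommandLineTooLong:
        return ("error", "command line too long")
    except FileNotFoundError as exc:
        return ("error", f"file not found: {exc}")


if __name__ == "__main__":
    print(outcome(r'"C:\Program Files\Internet Explorer\iexplore.exe" -nohome bbs.nettf.net'))
    print(outcome(r"C:\Tools\icesword.exe"))                    # hijacked: Debugger file is missing
    print(outcome(r"C:\Tools\ast_renamed.exe"))                 # renamed copy escapes IFEO
    print(outcome(application_name=r"C:\Tools\icesword.exe"))  # lpApplicationName bypasses IFEO
    print(outcome("logo_1.exe"))                                # self-referencing Debugger
```

Running the script shows the four behaviours side by side: the iexplore.exe request comes back as notepad.exe with the original command line as its arguments, the hijacked icesword.exe fails with the Debugger's path (not the tool's) as the missing file, the renamed tool and the lpApplicationName launch are untouched, and the self-referencing entry only stops because the rewritten command line outgrows the limit.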
Because of this special role of the Debugger parameter, it is also called "redirection", and attacks that use it are also called "redirection hijacking". That is a different name from image hijacking (or IFEO hijacking), but it is actually the same technique.
Having explained the role of the Debugger parameter, let's look at what "image hijacking" looks like. On a system infected with the popular "image hijacking" viruses, common anti-virus software, firewalls, security detection tools and so on all report "file not found" or give no response when run, so most users can only reinstall the system. Experienced users, however, rename the program and find that it runs properly again. Why? The answer is that IFEO has been populated with a list of the executable file names of these popular tools, and the Debugger parameter points to a non-existent file, or even to the virus itself!
The security tool can then only be passed as an argument to, say, kkk.exe. kkk.exe is not a debugger-type program, and the malware author did not even write code to handle execution parameters. So kkk.exe alone is started: every time the user clicks a security tool that will not open, the user is actually executing the malicious program once more! This trick is favoured by most malware that uses the "image hijacking" technique. Since the OSO super USB flash drive virus and AV Terminator (the random-number virus, the 8-letter virus), two pieces of malware that killed most popular security tools and anti-virus software, went raging across the Internet, the core of their most "improved" technique has been using IFEO to set themselves as the debugger of various popular security tools. Breaking it is particularly simple: you only need to rename the security tool's executable. Provided the tool does not care about the existence of a mutex, it runs normally, unless you are unlucky and rename it to another file name that is also on the blacklist, for example renaming ast.exe to icesword.exe.
Knowledge: mutex
To prevent users from defeating them simply by renaming a file, some Trojans also use a technique called a mutex to block security tools from running at all. Within the system, a special type of system object is called a mutex. They exist to reduce system overhead; for example, some tools check at startup whether another copy is already running, and the most efficient way to do this is to create a mutex on the first run. This is a very simple method, because the system keeps the created mutex until the program asks to destroy it; otherwise it always exists. So the problem arises again: what if a malicious program knows the mutex names of some security tools and forges them? Those tools will give up running because they detect that "they are already running", and the malicious program is left undisturbed.
When you double-click the program file, the system reports "file not found". What is going on? This is another application of IFEO. The secret is to point the Debugger parameter at a non-existent file, so that the system cannot proceed because the debugger cannot be found. If the system honestly reported "the debugger cannot be found", that would be fine, but, perhaps because Microsoft is working hard to conceal the existence of IFEO, it refuses to admit that the error is caused by the missing debugger. Instead, the original execution request, which has been "mutated" into a command-line parameter and can no longer enter the system's process-creation mechanism, is reported back as "file not found". As a result, users who have never heard of IFEO can only stare at their existing security tools, which the system no longer recognises.
IV. Preventing "image hijacking"
Well, having said so much, I have probably scared a group of people into a cold sweat. Now let's learn how to prevent and break "image hijacking".
1. Determine whether your machine is hijacked
Your QQ is running, so there is nothing to talk about.
In fact, you only need to use whichever of regedit.exe and regedt32.exe is not hijacked to open the registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options", expand the list of subkeys, and check whether Debugger parameters, or other heap management parameters that could affect program execution, are present. That tells you whether the machine is hijacked.
What if the Registry Editor itself is hijacked? Just rename it ......
A simpler method is to use Sysinternals' Autoruns and click its "Image Hijacks" tab to view the hijacked program entries.
2. Tracking the source of the hijacking
If your machine has become a victim of image hijacking, record the location of the program that the Debugger points to, and do not try to execute those security tools any more. First, try to delete the affected IFEO item, then refresh the Registry and see whether the data is restored immediately. If it is, a program in the background is checking and rewriting the IFEO entries in real time. At this point, take out Sysinternals' registry monitoring tool Regmon (or a similar tool), set its filter to the IFEO item of the security tool you are trying to delete, and you will soon find out which process is operating on the registry. Rename IceSword (if it has been hijacked) and terminate the corresponding process in its process list. What if the process is reborn immediately? Terminate it again, then quickly turn on "monitor process/thread creation" in IceSword to find out the name of the program that last created it, and record it. Start the Sysinternals tool Process Explorer, right-click the corresponding process and select "Suspend"; the process is suspended. Use IceSword to suspend all the malicious processes, then use "Force Delete" in IceSword's file function to destroy their image files before the programs can react. Then return to Process Explorer and kill the processes, starting with the largest daemon by size; because their image files no longer exist, they cannot rebuild their trojan empire.
If the scanning and removal process is more complex, please refer to the relevant articles; I will not go into details here.
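The manual check in step 1 can be done offline on an export of the IFEO key. The following Python script is an added example written for this article; it is not the author's tool and not Autoruns. It reads the text of a .reg export of the key (as produced by "Export" in the Registry Editor, assumed already decoded from UTF-16), collects the values under each direct subkey, and flags Debugger values that point at a file that does not exist (the "file not found" symptom), that point at the entry itself (the "immunity" loop discussed later in the article), or that redirect to a program that is not a known debugger. The export, the file list, the debugger allowlist and the name kkk.exe (the article's own placeholder for a malware body) are constructed sample data.

```python
"""Audit a .reg export of the IFEO key for hijacking-style Debugger values (added example)."""
import ntpath
import re

IFEO_PREFIX = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Constructed sample export, not taken from a real machine.
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lk007.exe]
"DisableHeapLookaside"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icesword.exe]
"Debugger"="C:\\Windows\\system32\\kkk.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe]
"Debugger"="C:\\Windows\\noexist.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logo_1.exe]
"Debugger"="logo_1.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myapp.exe]
"Debugger"="\"C:\\Program Files\\Debugging Tools\\ntsd.exe\" -d"
'''

# Constructed list of files present on the sample machine (lower-cased for comparison).
EXISTING_FILES = {
    r"c:\windows\system32\kkk.exe",                # the malware body is present here
    r"c:\program files\debugging tools\ntsd.exe",  # a genuine debugger
}

# Debuggers a developer might legitimately put in a Debugger value (assumed allowlist).
KNOWN_DEBUGGERS = {"ntsd.exe", "cdb.exe", "windbg.exe", "vsjitdebugger.exe"}

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')  # "name"=value lines


def _unescape(s):
    # In .reg syntax a backslash escapes the next character (\\ and \").
    return re.sub(r'\\(.)', r'\1', s)


def _parse_value(raw):
    """Decode a .reg value: quoted string or dword; anything else is kept raw."""
    if raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return raw


def parse_reg(text):
    """Return {image name: {value name: value}} for the direct subkeys of the IFEO key."""
    entries, current = {}, None
    prefix = IFEO_PREFIX.lower() + "\\"
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            rest = key[len(prefix):] if key.lower().startswith(prefix) else ""
            # Keep only direct children such as foo.exe; skip nested keys and other hives.
            current = rest.lower() if rest and "\\" not in rest else None
            if current is not None:
                entries.setdefault(current, {})
            continue
        m = VALUE_RE.match(line) if current is not None else None
        if m:
            name, value = m.groups()
            entries[current][_unescape(name)] = _parse_value(value)
    return entries


def image_of(command_line):
    """First token of a command line (the program that would run), honouring quotes."""
    s = command_line.lstrip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end != -1 else s[1:]
    return s.split(" ", 1)[0]


def audit_ifeo(entries, existing_files, known_debuggers=KNOWN_DEBUGGERS):
    """Return (target, Debugger value, reason) for every suspicious Debugger value."""
    findings = []
    for target, values in sorted(entries.items()):
        debugger = values.get("Debugger")
        if not debugger:
            continue  # heap parameters alone do not redirect execution
        image = image_of(debugger)
        base = ntpath.basename(image).lower()
        if base == target:
            reason = "self-referencing Debugger (recursive loop, the 'immunity' trick)"
        elif image.lower() not in existing_files:
            reason = "Debugger file does not exist (shows up as 'file not found')"
        elif base not in known_debuggers:
            reason = "Debugger redirects to a program that is not a known debugger"
        else:
            continue
        findings.append((target, debugger, reason))
    return findings


if __name__ == "__main__":
    for target, debugger, reason in audit_ifeo(parse_reg(REG_EXPORT), EXISTING_FILES):
        print(f"{target}: Debugger={debugger!r}: {reason}")
```

On the sample export the script reports autoruns.exe (Debugger file missing), icesword.exe (redirected to kkk.exe, which exists but is no debugger) and logo_1.exe (points at itself), while lk007.exe, which only carries a heap parameter, and myapp.exe, whose Debugger is a real ntsd.exe, are left alone. On a real machine the existing-file set would come from the file system rather than a constructed list.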
Achieving "immunity"? A practice not recommended
AV Terminator frightened people so much that "immunizing against image hijacking" and "using image hijacking to immunize against most common viruses" began to spread across the Internet. I believe the original providers of these methods had good intentions, but strictly speaking, this is not advisable.
The method is to create an IFEO item for a virus file name such as logo_1.exe and set its Debugger to logo_1.exe itself. According to the original author's explanation, the principle is a recursive endless loop: "When the value of Debugger equals the program itself, it calls itself to debug itself, but it is not itself a debugger. After recursing once more, it enters an endless loop and cannot be started."
Although this method is effective (the final symptom is "file not found"), it makes the system fall, for a short time, into a CreateProcess loop in which the command-line parameters accumulate into an ever-longer string. This consumes a certain amount of resources, and the program eventually fails to execute because the system keeps replacing the CreateProcess instance with another instance of itself, producing an endless loop, and because the length of a command line is limited by the system, an error occurs at a certain point, especially in programs that accept command-line parameters. You may even notice the hard disk thrashing for a while before the error prompt appears; during that time the request was being passed around in the endless loop. In the end the system raises an error while passing the execution request because the command line exceeds the system limit. Looked at the other way, if the system did not limit the command-line length, this operation could consume all of the system's resources in the self-repeating "Debugger".
As for the practice of "using image hijacking to protect against most common viruses", its initiators imitate the way the "image hijacking" backdoor shields most common security tools: they collected a large number of executable file names of popular harmful programs and used the recursive endless loop described above to achieve the goal. If we ignore the shortcomings of that recursive loop, the method seems feasible.
But is it really? Look at one of the victims that sits in the "immune list": you need to know that it is the main executable of the Microsoft Installer ......
Controversial topic: should write permission on the IFEO list be disabled?
At the same time, another practice is circulating on the Internet, aimed at beginners, which is to disable write permission on the IFEO list. The specific steps are as follows:
- Run the 32-bit Registry Editor regedt32.exe
- Go to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- With the focus on Image File Execution Options, select "Security" - "Permissions"
- Remove all "Write" permissions from the listed users and exit.
In this way any write to IFEO becomes invalid, and the immunity effect is achieved. This method is good for general users: unless some special program needs to write heap management parameters there, I recommend it, and with it all IFEO viruses are shut out.
The dispute arises because, in the long run, a user may encounter a legitimate program that needs to write to the IFEO list, and completely forbidding writes to IFEO could then have unforeseen consequences. In that case we should take a compromise: use the Registry Defend (RD) feature of a HIPS (host intrusion prevention system), which gives us an IFEO management method that combines the best of both!
Take SSM as an example. First make sure the RD module is enabled, then add a new monitoring rule. Point "Key Path" at HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options and set "Operation" to "alert on change". Remember to tick "include values" and set "maximum subkey depth" to "3". Click "OK" to generate the new monitoring rule. Then, on the "Rules" page, make sure the "access", "delete" and "write" operations are set to "Ask", which means a prompt is shown to the user when a value under the key is written, and click "Apply Settings" to make the rule take effect. After that, as long as SSM is enabled, image hijacking will stay away from you.
V. Summary time
As the saying goes, when almost every startup location that could be used has been turned over by security tools, the opposing security technology has to climb to a higher level; so no matter what the trick is, as long as it can be used, it will be rewritten and redefined, even if its original intention was good. From this image hijacking episode we can see that the system is far from as easy to grasp as we think. For ordinary users in particular, the misuse of this technology is simply a disaster! In today's fierce struggle between security technology and anti-security technology, our users are getting more and more stuck; the days when you could open any web page freely without picking up a virus are long gone. To save them in this crazy world, we can only guard them by means of various tools, and learn more of the security knowledge that can no longer be neglected. Is this really the rule of survival on the Internet?
(From http://www.cnblogs.com/tiasys/archive/2008/04/14/1152220.html)