[Windows] image hijacking

What is image hijacking?

You may have encountered this situation: No matter where you install the software, there will always be an error message "the system cannot find the specified file" during running, causing the software to fail to run. If you changeEXEFile name to run properly. This is called image hijacking. Image hijacking is a method that affects the normal operation of the system. Many viruses and Trojans use this method to prevent the running of security software.

 

Principle of image hijacking

Image hijacking is a ExploitationWindowsOfIfeo(Image File Execution options.IfeoActuallyWindowsIs a normal function, mainly used for debuggingProgramThe original intention is to enable the debugger to debug the program when the program starts, so that you can observe the behavior of the program in an environment that is difficult to reproduce in the debugger. For example, an error occurs when a program is automatically started upon logon, but it is normal when it is manually started after logon.IfeoSet a debugger to enable the debugger whenever the program starts to debug it to locate the problem.

 

In the registry,HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Image File Execution optionsIs to saveIfeo. The following is a demonstration.IfeoNormal usage (assuming you have installedVisual Studio):

 

Open the Registry Editor and goHKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Image File Execution optionsAdd a new item named"Calc.exe".

 

Open the createdCalc.exeItem, right-click in the right pane, create a new string value, named"Debugger", Value:"Vsjitdebugger.exe". Close Registry Editor.

 

When you run the calculator that comes with the system, an application error window will pop up. Select "debug program" and the system will startVisual StudioDebug the calculator.

 

When you runCalc.exeFirst, the system willImage File Execution optionsSearch forCalc.exe". If this item exists, continue searching for the item named"Debugger"String value, if found, then startDebuggerThe program specified in the value, that isVsjitdebugger.exe, AndCalc.exeThe complete path is passed to it as a parameter. So when you run the calculator, what the system actually executes isVsjitdebugger.exe c: \ windows \ system32 \ calc.exe"This command line, not"Calc.exe".

 

IfeoBut its design is obviously not perfect. In the preceding example,Vsjitdebugger.exe"To"Cmd.exe", A command line window is opened when you run the calculator. If you change it to any program name that does not exist, for example,"ABC", The system will not find the specified file when running the calculator.Calc.exeThis program (image) is "hijacked.

 

From this we can see that image hijacking is not equalIfeoAnd vice versa. The official English name of image hijacking is"Image hijack".

 

 

 

The following is an editedIfeoIts predecessor isSkycnThe "image hijacking Editor" on ". The program is stopped because it is scanned for viruses. What I want to say is,IfeoSensitive Areas in the registry. programs in this region may be banned by anti-virus software. If you are not at ease, it is best not to use it.

 

============

Ifeoeditor

Supported systems: XP, Vista, and win7

 

Latest Version:2.0.0 Beta

: Http://files.cnblogs.com/zplutor/IfeoEditor_2.0.0_Beta.rar