Image File Execution Options – How to Hijack a Program

Posted on

So what the heck are “Image File Execution Options” and why should I be concerned about them? I know, the name alone is quite a mouthful so….lets just call them IFEO for the rest of this post and make things easy, OK?

Honestly, you should be concerned….very concerned….about IFEO on your Windows based PC. IFEO is an area of the registry that was created to set various options that tells Windows what to do when an given application is run on your system. It is something that can used by developers to run a program in a debugger to troubleshoot an application that they are creating instead of running the program directly. While this is all fine and good if you are a application developer, the problem is that Windows does not verify that the application that you tell it to run instead of the program is actually a legitimate debugger or not. Let me show you an example so that you can get the gist of the problem:

Lets say that someone (for whatever reason) does not want you to be able to run MalwareBytes on you system. All one would need to do is create one simple registry key and value in IFEO that will stop it in its tracks. The process that is executed when you click on malwarebytes is “mbam.exe”. You can easily watch the processes in task manager (or look at the shortcut) to figure this out. Then add a registry key called “mbam.exe” in HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Options using regedit. Notice the mbam.exe key that was created in “Image File Execution Options”. Once they key is added, add a string value to the key named debugger as shown in the image. Double click on the debugger value and you will see a dialog box that will allow you to added a path to the executable that you would like to run instead of “mbam.exe”. This can be ANYTHING that you want. Think of the possibilities… this case I added a path to c:test.exe, which does not exist. When you try to execute MalwareBytes, it will not run!

There is a lot of malware out there that is doing just this. They are adding a large list of known security applications to they IFEO key so that when you attempt to run them, they either do not run at all, or actually launch another copy of the virus executable itself! How easy! If you suspect that your computer may be infected, and are unable to launch the security applications that you would normally use to help clean it up, this is a good place to start to determine how to get you apps to run properly again.

The silver lining to all this is that you can actually use IFEO in your favor, and do exactly the same thing to the malicious executables that they are attempting to do to your security applications. If you find a suspect EXE file on your system this is a perfect way to turn the tables on the malware and stop its ability to run on your system. Often times malware is not yet smart enough to monitor the IFEO keys to protect itself. A simple reboot after adding the malware to IFEO may give you to opportunity to delete it and finish your cleaning process.

Source by Daniel Kieta

Leave a Reply

Your email address will not be published. Required fields are marked *