Debuggered

by Lennard Cher

In the recent article, Delete files that don’t exist, Stephen described a malware using the registry to delete a certain file upon launching. The same registry key is used in another way now. By adding the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<command to hijack>

with value name of “Debugger” and Value containing the path to a handler, malware can disable applications or launch itself whenever the user attempts to launch the hijacked application. Below is a demonstration.

Modifying the registry with registry editor

I have added a new registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe

and added the value Debugger to point to Notepad.exe

Upon modification, each time i run cmd.exe, notepad.exe will open and load the binary cmd.exe.

Yet another way to exploit the poor registry.

Debuggered

Free tools

Sophos Firewall Home Edition

Sophos Scan & Clean

Sophos Cloud Optix

What do you think? Cancel reply

Recommended reads

Serious Security: DEADBOLT – the ransomware that goes straight for your backups

Alleged Kaseya ransomware attacker arrives in Texas for trial

You didn’t leave enough space between ROSE and AND, and AND and CROWN