Debuggered

In the recent article, Delete files that don’t exist, Stephen described a piece of malware that uses the registry to delete a certain file on launch. The same registry location can be abused in another way. By adding the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<command to hijack>

with a value named “Debugger” whose data is the path to a handler, malware can disable applications or launch itself whenever the user attempts to launch the hijacked application. Below is a demonstration.

Modifying the registry with registry editor

I have added a new registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe

and set its Debugger value to point to Notepad.exe.

After this modification, each time I run cmd.exe, Notepad.exe opens instead and loads the cmd.exe binary as its document.

Loading cmd.exe binary with Notepad.exe

Yet another way to exploit the poor registry.
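As an added example (not part of the original post), the following PowerShell audit enumerates the Image File Execution Options key shown above and reports every subkey that carries a Debugger value, so a defender can spot a hijack like the cmd.exe/Notepad.exe one. The Wow6432Node path is the 32-bit view on 64-bit Windows; IFEO is also how legitimate debuggers attach at process start, so each hit needs a human decision rather than automatic removal.

```powershell
# Added example: audit IFEO for Debugger values (the hijack described in the post).
$ifeoPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

function Get-IfeoDebugger {
    param([string[]]$Paths = $ifeoPaths)

    foreach ($path in $Paths) {
        if (-not (Test-Path -Path $path)) { continue }

        # Each subkey is named after the executable it applies to, e.g. cmd.exe.
        foreach ($key in Get-ChildItem -Path $path -ErrorAction SilentlyContinue) {
            $debugger = (Get-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
            if ([string]::IsNullOrWhiteSpace($debugger)) { continue }

            # The value may be quoted and may carry arguments; isolate the handler binary.
            $exe = if ($debugger -match '^"([^"]+)"') { $Matches[1] } else { ($debugger -split '\s+')[0] }

            # Resolve bare names like Notepad.exe through PATH; a missing handler means the
            # hijacked application simply fails to start (the "disable applications" case).
            $resolved = Get-Command -Name $exe -CommandType Application -ErrorAction SilentlyContinue

            [pscustomobject]@{
                HijackedExe  = $key.PSChildName
                Debugger     = $debugger
                HandlerPath  = if ($resolved) { $resolved.Source } else { '(handler not found)' }
                RegistryKey  = $key.Name
            }
        }
    }
}

Get-IfeoDebugger | Format-Table -AutoSize
```

Run it from an elevated prompt; with the post's modification in place it lists cmd.exe with a Debugger of Notepad.exe, and anything you did not configure yourself as a debugger deserves a closer look.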