As this link suggests, I want to replace Notepad.exe
with Notepad2.exe
using the "Image File Execution Options" function by running the command
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe"
/v "Debugger" /t REG_SZ /d "\"c:\windows\Notepad2.exe\" /z" /f
But when I run notepad it still opens the file
c:\windows\notepad.exe
in notepad2.exe as a text file by default.
Is there a way to avoid that?
I know that with this technique Notepad.exe will be passed as the first parameter to Notepad2.exe, but I don't know how to avoid this :(
Image File Execution Options (IFEO) are used to intercept calls to an executable. They are used for debugging, replacing and stopping specific executables.
IFEO is Malwarebytes' generic detection name for PUPs that block another program from running by intercepting it using the Image File Execution Options (IFEO) registry key in Windows.
The purpose of the "Debugger" value is to automatically launch a debugger and pass the original command line to the desired debugger. It also sets a flag on the Win32 function CreateProcess that indicates this is a debugging session.
It is implied that the debugger will then call CreateProcess after modifying the arguments appropriately.
>notepad.exe "\document1.txt"
turns into
>mydebugger.exe notepad.exe "\document1.txt"
mydebugger could then call something like this:
wchar_t cmdLine[] = L"notepad.exe \"\\document1.txt\""; /* CreateProcessW may modify this buffer, so it must be writable */
BOOL res = CreateProcessW(NULL, cmdLine, NULL, NULL,
                          FALSE, cFlags, env, NULL, &startupInfo, &procInfo);
So the solution to abusing this registry key is to write a fake debugger that manipulates the command line the way you want. It can be a simple program that just parses the command line and replaces notepad.exe with notepad2.exe. Then point the registry value at that .exe.
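The stub described in this answer, written out as an added example (it is not code from the original post or from the Notepad2 project). It assumes Notepad2 lives at c:\windows\Notepad2.exe and that the IFEO Debugger value for notepad.exe points at this stub's own .exe with no extra arguments, so the command line the stub receives is: its own path, then the original notepad.exe path, then whatever file was opened. The command-line rewriting is plain C and can be tested anywhere; only the launch itself needs the Win32 API.

```c
/* Added example: a minimal IFEO "debugger" stub that drops the first token of the
 * command line it receives (the original notepad.exe path) and launches Notepad2
 * with the remaining arguments. Not code from the original post; paths are assumed. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Assumed location of the replacement editor. */
#define TARGET "c:\\windows\\Notepad2.exe"

/* Skip one command-line token starting at p, honouring double quotes, and return
 * a pointer to the first character after it and after any following whitespace. */
static const char *skip_token(const char *p)
{
    int in_quotes = 0;
    while (*p) {
        if (*p == '"')
            in_quotes = !in_quotes;
        else if (!in_quotes && isspace((unsigned char)*p))
            break;
        p++;
    }
    while (*p && isspace((unsigned char)*p))
        p++;
    return p;
}

/* Build the command line to launch: "<TARGET>" followed by everything after the
 * first token of `received`. Returns the number of characters written, or -1 if
 * `out` is too small. */
int rewrite_cmdline(const char *received, char *out, size_t out_len)
{
    const char *rest = skip_token(received);
    int n = snprintf(out, out_len, "\"%s\"%s%s", TARGET, *rest ? " " : "", rest);
    if (n < 0 || (size_t)n >= out_len)
        return -1;
    return n;
}

#ifdef _WIN32
int main(void)
{
    /* With the Debugger value set, Windows runs: <this stub> <original notepad.exe
     * command line>. GetCommandLineA() therefore starts with the stub's own path
     * (assumed to contain no spaces, or to be quoted in the Debugger value). */
    char cmd[32768];
    const char *orig = skip_token(GetCommandLineA()); /* drop the stub's own path */
    if (rewrite_cmdline(orig, cmd, sizeof cmd) < 0)
        return 1;

    STARTUPINFOA si = { sizeof si };
    PROCESS_INFORMATION pi;
    /* No DEBUG_PROCESS flag: the replacement runs as an ordinary child process. */
    if (!CreateProcessA(NULL, cmd, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi))
        return 1;
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    return 0;
}
#else
/* On non-Windows hosts just show the rewrite on a constructed command line. */
int main(void)
{
    char cmd[512];
    if (rewrite_cmdline("\"C:\\Windows\\System32\\notepad.exe\" \"\\document1.txt\"",
                        cmd, sizeof cmd) < 0)
        return 1;
    puts(cmd);
    return 0;
}
#endif
```

Build it as, say, notepad2launcher.exe and put that path (not Notepad2.exe itself) in the Debugger value; the stub must never be named notepad.exe, or the IFEO key would intercept the stub too and loop.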