Image File Execution Options

What it is

Image File Execution Options (IFEO) is a feature in Windows that allows administrators to control the execution of specific executable files. IFEO provides a way to specify custom behavior for certain executable files, such as:

  1. Redirecting the execution of an executable to a different file or command.
  2. Specifying command-line arguments to be passed to the executable.
  3. Controlling the environment variables that are set when the executable is run.
  4. Logging or debugging the execution of the executable.

We need Administrator privileges for this attack to work, as IFEO settings are stored under HKEY_LOCAL_MACHINE in the Windows Registry.

The flow

For our example, we’ll investigate the scenario of attaching a debugger to an application after launch.

When a process whose image name has an IFEO entry is created, Windows launches the executable listed in that entry's "Debugger" value instead and hands it the original program, so the new process starts under the "debugger".

We can also launch a monitor program when the specified program silently exits. To do this, enable "GlobalFlag" on the IFEO entry and add the monitor value under "SilentProcessExit".

This Windows behavior makes persistence easy, since an arbitrary executable can be registered as the "Debugger" of a specific process or as a "MonitorProcess", and it affects all Windows versions.
In both scenarios, code execution is achieved when a process is created or when an application exits.
As mentioned previously, implementing this persistence technique requires Administrator privileges, since the registry location where the keys need to be added is under HKEY_LOCAL_MACHINE.

The “Debugger”

Image File Execution Option Debugger

To implement this technique, we must create a registry key and a payload that will be executed upon a specific action.
The registry key redirects the execution of the chosen application to a different executable.

We can use whatever payload we like, but in this case we will modify a C++ reverse shell so that, when the targeted EXE is launched, our payload runs in the background and also starts the original EXE.
Otherwise the original program would never appear, and the user might suspect something is wrong.

We added the following code to our reverse shell main function:

C++ code

After uploading our payload to the target, we create the registry keys needed to implement the persistence technique via "Debugger".

registry key creation

To validate the Debugger registry key, we check the registry under "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" and verify that the Debugger value has been added successfully under the notepad.exe subkey.

registry key validation

When the user launches Notepad, we get a shell that loses its connection only if the machine shuts down, and we regain the connection when Notepad runs again.
This can be done on a startup process instead of Notepad, so we will always have a connection.

reverse shell via Image File Execution Options Injection

The GlobalFlag

For this technique, we need to create three registry keys and a payload that will be executed upon a specific action (e.g., when Notepad is closed).

registry key creation for the global flag

The value 512 (0x200) in the "GlobalFlag" registry value enables silent exit monitoring for the notepad.exe process.

global flag registry key

The ReportingMode registry value enables the Windows Error Reporting process (WerFault.exe), which becomes the parent process of the "MonitorProcess" lootsec.exe.

As we can see in Process Explorer, after Notepad is closed a new "WerFault.exe" process appears with our payload as its child process.

Mitigations

This attack technique cannot be easily mitigated with preventive controls, since it abuses legitimate system features; the practical answer is to monitor and audit the registry locations it depends on.
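Since prevention is hard, the useful control is detection. The following PowerShell script is an added example for this page (it is not the author's code and was not part of the original post) that audits a host for both variants described above: the IFEO "Debugger" value from the first section, and the GlobalFlag 0x200 plus SilentProcessExit "MonitorProcess" pair from the second. The `$KnownGoodDebuggers` allow-list is an assumption you fill per environment; the Wow6432Node path is the view used for 32-bit images on 64-bit Windows.

```powershell
# Added example (not from the original post): audit the local machine for the
# two IFEO persistence paths described above, the "Debugger" value and the
# GlobalFlag 0x200 / SilentProcessExit "MonitorProcess" pair.
# Reading HKLM works without elevation; the remediation line at the bottom
# needs Administrator rights.

# Assumption: per-environment allow-list of Debugger values you deploy on
# purpose (for example a corporate-installed debugger). Empty = report all.
$KnownGoodDebuggers = @()

function Get-IfeoPersistence {
    [CmdletBinding()]
    param()

    $ifeoRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
        # 32-bit images on 64-bit Windows are looked up under the Wow6432Node view
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    )
    $speRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit'

    $findings = New-Object System.Collections.Generic.List[object]

    foreach ($root in $ifeoRoots) {
        if (-not (Test-Path -Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue

            # Variant 1: any Debugger value redirects process creation to that path
            if ($props.Debugger -and ($KnownGoodDebuggers -notcontains $props.Debugger)) {
                $findings.Add([pscustomobject]@{
                    Technique = 'IFEO Debugger'
                    Image     = $key.PSChildName
                    Value     = $props.Debugger
                    KeyPath   = $key.PSPath
                })
            }

            # Variant 2, part 1: bit 0x200 (FLG_MONITOR_SILENT_PROCESS_EXIT) turns
            # on silent-exit monitoring; it may be OR-ed with other GlobalFlag bits
            if (($props.GlobalFlag -band 0x200) -ne 0) {
                $findings.Add([pscustomobject]@{
                    Technique = 'IFEO GlobalFlag 0x200'
                    Image     = $key.PSChildName
                    Value     = ('0x{0:X}' -f [int]$props.GlobalFlag)
                    KeyPath   = $key.PSPath
                })
            }
        }
    }

    # Variant 2, part 2: the MonitorProcess that WerFault.exe spawns on exit
    if (Test-Path -Path $speRoot) {
        foreach ($key in Get-ChildItem -Path $speRoot -ErrorAction SilentlyContinue) {
            $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
            if ($props.MonitorProcess) {
                $findings.Add([pscustomobject]@{
                    Technique = 'SilentProcessExit MonitorProcess'
                    Image     = $key.PSChildName
                    Value     = ('{0} (ReportingMode={1})' -f $props.MonitorProcess, $props.ReportingMode)
                    KeyPath   = $key.PSPath
                })
            }
        }
    }

    return $findings
}

$hits = @(Get-IfeoPersistence)
if ($hits.Count -eq 0) {
    Write-Host 'No IFEO Debugger or SilentProcessExit MonitorProcess entries found.'
} else {
    $hits | Format-Table -AutoSize -Wrap
}

# Remediation once a finding is confirmed malicious (run elevated), e.g.:
#   Remove-ItemProperty -Path $hits[0].KeyPath -Name Debugger        # or MonitorProcess
```

Run it on a clean baseline first so that any Debugger entries your own tooling installs can go into `$KnownGoodDebuggers`. For continuous coverage rather than a point-in-time sweep, the same two key paths are the ones to watch with registry write events (Sysmon event IDs 12 and 13, or a registry SACL feeding Windows event 4657); a process start of WerFault.exe with an unexpected child, as shown in the Process Explorer screenshot above, is the complementary process-tree signal for the SilentProcessExit variant.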
