Image File Execution Options
Image File Execution Options are designed to launch a debugger when an executable is run in order to assist in debugging in a foreign environment or debugging system services. An attacker can take advantage of this functionality to piggyback on the execution of a legitimate program to launch malware. It is a rather simple method that just requires setting a registry value to point to a "debugger".
First, here is how the debugger option in the Image File Execution Options is actually set. The Image File Execution Options registry keys are found under
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\[Image Name], where each Image Name is the file name of a binary. If no key exists yet for a specific binary, a new key with that name can be created, and whenever a program with the same file name is executed it will be run under the debugger. The next step is to create a value of type REG_SZ named Debugger under the image name key and set it to the path of the debugger.
[Image: a list of registry keys found under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\]
An example scenario using Image File Execution Options can be found in my tutorial on RDP Sticky Keys Backdoor.
When a program is run with a debugger specified, the file name and any arguments are instead passed as arguments to the debugger. For example, when we launch
Program.exe file1.txt, Windows will actually launch
Debugger.exe Program.exe file1.txt. If the given debugger does not handle these arguments and launch the original program itself, the debugger runs on its own and the original program never executes,
giving away the malware in question.
Another problem is that this is a rather obvious persistence method, in that it is quite visible to anyone who knows where to look. Any Debugger value that is set will immediately draw additional attention and may trigger an alert from security products.
Once again, this is also a somewhat "unreliable" persistence method, in that it does not guarantee predictable execution; it can, however, be set for a legitimate program that runs at startup or on a fixed schedule in an attempt to make it more reliable.
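Added example (not code from the original post or from any tool it references) covering both the Debugger value described above and the argument-passing behaviour: the Python below parses a constructed dump in the format that reg export writes for the Image File Execution Options key, lists every image whose Debugger value is set, and shows the command line that results. SAMPLE_REG and the two function names are my own, and every entry in the sample is made up.

```python
import re
from typing import List, Tuple

IFEO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
            r"\CurrentVersion\Image File Execution Options")

# Constructed sample in the format `reg export` writes (not from any real host).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"DisableExceptionChainValidation"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Program.exe]
"Debugger"="C:\\Tools\\Debugger.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Program.exe\PerfOptions]
"CpuPriorityClass"=dword:00000003
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Other.exe]
"debugger"="\"C:\\Program Files\\Tool\\dbg.exe\" /x"
'''

# "Name"=data lines; data in double quotes is REG_SZ using \\ and \" escapes.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def find_ifeo_debuggers(reg_text: str) -> List[Tuple[str, str]]:
    """Return (image name, debugger command line) for each direct IFEO subkey
    that has a Debugger value; nested keys and other values are ignored."""
    hits, image = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key, image = line[1:-1], None
            if key.lower().startswith(IFEO_KEY.lower() + "\\"):
                rest = key[len(IFEO_KEY) + 1:]
                if "\\" not in rest:  # direct child such as Program.exe
                    image = rest
            continue
        m = VALUE_RE.match(line)
        # Registry value names are case-insensitive, so match "debugger" that way.
        if image and m and m.group(1).lower() == "debugger":
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                hits.append((image, re.sub(r"\\(.)", r"\1", data[1:-1])))
    return hits

def effective_command_line(command_line: str, reg_text: str) -> str:
    """Hypothetical helper: what Windows launches for command_line when an
    IFEO Debugger is set, i.e. the debugger with the original line appended."""
    image = command_line.split()[0].lower()
    for name, debugger in find_ifeo_debuggers(reg_text):
        if name.lower() == image:
            return f"{debugger} {command_line}"
    return command_line
```

On a real host, reg export writes the .reg file as UTF-16 LE with a byte-order mark, so decode it with that encoding before passing the text to find_ifeo_debuggers.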