Image hijacks

What is image hijack?

Image hijack - in one line definition - refer to method opening specific applications or dlls with specified debuggers.

What is the purpose of image hijacks?

Suppose you are having some executable file, which you want to debug. Then the standard method would be – open the debugger; say visual studio. In that debugger, load the application to be debugged. And then debug in usual way, like single stepping, stepping in, putting breakpoints, etc.

Another smart (?) way provided by Windows is image hijacks.
Here, we can assign a specific debugger for a specific executable. Thus, when you open that executable by double clicking on it, it launches the debugger with your executable as argument. And you are saved from efforts (?) of manually opening the debugger and loading application. This is done using windows registry.

As an exercise, let’s hijack some executable file.

1. Select any sample executable for experiment, say Mozilla Firefox – firefox.exe.
2. Open registry editor.
3. Navigate to the key “HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options”.
4. Under that key, create a new sub-key named “firefox.exe”
5. In the right side pane, create a new string value. Name that entry as ‘debugger’.
6. Double click that string, to edit its value. Set its value to another executable, say notepad.exe.
7. A single line command to do above steps would be
   
   reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe" /v debugger /d "notepad.exe" /f
8. Now double click your Firefox icon. This will indeed open firefox.exe using notepad. – You can verify the command line using process explorer.
9. Now, close notepad without saving. If you save binary file using notepad, it will corrupt it. Hence make sure that you do not save the firefox.exe file with notepad. Off course, if you save it by mistake, you still have option of re-installing Firefox.
10. Now the undo part - delete the key “HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe”
11. Done – your system is back to normal. You can verify it by opening Firefox again.

What we just did is an example of using image hijacks. For practical use, the Firefox.exe would be your test executable and notepad.exe would be actual debugger like visual studio.

Some useful image hijacks I used:

I normally don’t like notepad. I prefer notepad++. Hence whenever some file is being opened using notepad, I want it to be opened by notepad++ instead of notepad. Hence I created a small C program, which reads the command line arguments. I made that as debugger for notepad.exe using image hijacking. So when I open any text file – say boot.ini, it would rather launch the command "my_app.exe notepad.exe boot.ini”. Now my application receives them as command line arguments. All required to be done is to strip out the first argument – notepad.exe, and launch the notepad++ command with remaining arguments. A similar trick was used to force open Firefox instead of internet explorer.

Just for the record, “replace task manager” feature in process explorer is implemented by using image hijacks. (And that’s where I first discovered this concept of image hijacks. :) )

What is the risk involved with it?

There is a big risk involved with this ‘feature’ Microsoft has provided. What if the debugger associated with an application is a virus file? That file is executed instead of your application. That virus file can then launch the real application.

Suppose some virus hijacks the file reg.exe. And you are trying to remove virus infection within registry using reg.exe.

All the calls you make to your application – reg.exe are completely visible to the virus file. It would also know what parameters you passed to the reg.exe, where you called the reg.exe from (which process) and all other such details.

The virus knows the parent process, which called reg.exe – say command prompt – it can terminate that process, knowing its PID.

The virus knows the arguments passed. It can allow reg.exe to run and then again undo the effect caused by reg.exe. It’s funny that you see reg.exe run. It does its job; but in the end, nothing happens. :D

The worst risk is, you carefully remove virus from different autorun locations and then you try to delete it using command prompt. And if cmd.exe has been hijacked by the same virus, the virus would run again. It will again copy itself to the startup locations and your efforts to remove from startup are all in vain.

How to get rid of such hijacks?

Open sysinternal’s utility called autoruns (mentioned in previous post). Navigate to tab called image hijacks. Remove any suspicious entries. Before you delete these entries, make sure that the virus is not already running. There are “N” no of ways; the virus can be in execution – as exe, as dll, as injected code within some other exe etc. Hence this caution – virus should not be executing – must be handled with trial-and-error.

Suppose the virus is not already in execution. Now using autoruns utility, delete the image hijacks first. Then delete it from screensaver, if any entry is present and then subsequently from other autorun locations. After removing it from such autorun places, delete the virus executable from your disc, either using windows explorer, or command prompt.

Off course you can manually delete it using registry; but going through all the keys is more troublesome.

How to overcome such hijacks – what is the workaround?

Suppose that autoruns.exe has been hijacked. Now what to do? Whenever you try to open autoruns.exe, it will launch virus file. Other commonly hijacked files are task manager (taskmgr.exe), command prompt (cme.exe), registry editor (regedit.exe), reg.exe, msconfig.exe etc.

The answer is simpler than I could imagine. Note that the image hijacking is done for autoruns.exe. Thus the solution is to rename it to autoruns2.exe or any other name of your choice. Normally, the viruses would not stop the user from using his PC altogether. Hence they would never hijack some executables like explorer.exe. Copy autoruns.exe to your desktop, rename it to explorer.exe and simply execute it. Then after the autoruns utility has been opened, you can easily remove the image hijacks as per your wish.

How to USE image hijacks to get rid of viruses?

This is interesting and easy. Once you know the name of the virus – say shahrokh.exe, you can hijack the virus executable. The procedure is same as the one we experimented for Firefox.exe. Just ensure that the virus name does not coincide with some system file.

I would recommend that debugger to be kept to notepad.exe or some simple windows executable file known to you. Now whenever the virus tries to execute itself, it will launch notepad with virus file as argument. Thus the virus does not get executed. The virus will not get executed, even if you accidentally or rather purposely double click on it :) . Now you can safely remove the autorun entries using autoruns utility & subsequently delete it from system.