[Misc Series #2] Debug trick with Image File Execution Options (IFEO)
Sometimes we want to debug a child process that receives its parameters from a parent process, especially a Windows native process. We can't simply attach a debugger to the child after the fact, because by then it may already have executed past the code we want to analyze, or may already have exited.
Fortunately, we can add a registry key under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ that makes Windows hand the process to a debugger (and so stop it) the moment it is launched.
We just need to create a new subkey under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ named after the process executable (for example notepad.exe), and inside it a string (REG_SZ) value named Debugger whose data is the full path to the debugger executable. Whenever any process tries to start that image, CreateProcess launches the debugger instead and appends the original command line to it, so the parameters the parent passed reach the debugger intact.
Suspend the process once it is launched
If the target process you want to debug is spawned as a child process, the debugger's GUI will not appear: the process is held by a GUI-less debugger instance. We then have to suspend the process, detach it from that GUI-less debugger, and reattach it to our debugger with a GUI.
The debugger only pops up right after execution if the process is started directly by the user.
Detach From Debugger
Attach the process with your favorite debugger and resume
Attach the process using a debugger (I'm using xdbg64.exe) and resume the process again; you may have to resume multiple times, depending on the number of threads inside the process.
Continue debug and have fun again :D
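The whole procedure above (register the Debugger value, suspend the target after it launches, resume it thread by thread once the GUI debugger is attached, and remove the entry afterwards) as one added PowerShell example. This is not code from the original post; it assumes a hypothetical target image notepad.exe and a hypothetical debugger path C:\Tools\x64dbg\x64dbg.exe, and must be run from an elevated PowerShell because the key lives under HKLM.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell:
# writing under HKLM requires administrator rights.
# Assumptions (hypothetical, adjust to your setup): the target image is
# notepad.exe and the debugger lives at C:\Tools\x64dbg\x64dbg.exe.
$Image    = 'notepad.exe'
$Debugger = 'C:\Tools\x64dbg\x64dbg.exe'
$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$Key      = Join-Path $IfeoRoot $Image

# 1. Register the debugger: a subkey named after the image and a REG_SZ value
#    called "Debugger". Windows appends the target's original command line to
#    this string, so the debugger receives the path and arguments the parent used.
New-Item -Path $Key -Force | Out-Null
New-ItemProperty -Path $Key -Name 'Debugger' -Value $Debugger -PropertyType String -Force | Out-Null

# Check that the entry is in place before launching the target.
(Get-ItemProperty -Path $Key).Debugger

# 2. Helpers for the "suspend, detach, reattach" step. Add-Type exposes the
#    kernel32 thread calls; THREAD_SUSPEND_RESUME (0x0002) is the only access right needed.
Add-Type -Namespace Ifeo -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenThread(uint dwDesiredAccess, bool bInheritHandle, uint dwThreadId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern uint SuspendThread(IntPtr hThread);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern uint ResumeThread(IntPtr hThread);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@

function Suspend-TargetProcess {
    # Suspend every thread of the process so it stays frozen while we swap debuggers.
    param([Parameter(Mandatory)][int]$ProcessId)
    foreach ($t in (Get-Process -Id $ProcessId).Threads) {
        $h = [Ifeo.Native]::OpenThread(0x0002, $false, [uint32]$t.Id)
        if ($h -eq [IntPtr]::Zero) { throw "OpenThread failed for TID $($t.Id)" }
        if ([Ifeo.Native]::SuspendThread($h) -eq 0xFFFFFFFF) { throw "SuspendThread failed for TID $($t.Id)" }
        [void][Ifeo.Native]::CloseHandle($h)
    }
}

function Resume-TargetProcess {
    # ResumeThread returns the previous suspend count, so each thread is resumed
    # until that count drops to 1 (the thread is now running). This is the reason
    # a manual "resume" in the debugger may have to be repeated once per thread.
    param([Parameter(Mandatory)][int]$ProcessId)
    foreach ($t in (Get-Process -Id $ProcessId).Threads) {
        $h = [Ifeo.Native]::OpenThread(0x0002, $false, [uint32]$t.Id)
        if ($h -eq [IntPtr]::Zero) { continue }
        do {
            $prev = [Ifeo.Native]::ResumeThread($h)   # 0xFFFFFFFF means the call failed
        } while ($prev -ne 0xFFFFFFFF -and $prev -gt 1)
        [void][Ifeo.Native]::CloseHandle($h)
    }
}

# 3. Clean up when done. An IFEO entry left behind hijacks every future launch of
#    the image, which is exactly the persistence trick T1546.012 describes.
Remove-Item -Path $Key -Recurse -Force
```

Usage: after step 1, start the parent so it spawns the target, find the target's PID with `Get-Process notepad`, run `Suspend-TargetProcess -ProcessId <pid>`, detach (do not kill) the debugger that IFEO launched, attach the GUI debugger, then `Resume-TargetProcess -ProcessId <pid>`. The "detach, not kill" part matters: a debuggee is terminated when its debugger process exits unless that debugger detached first or called DebugSetProcessKillOnExit(FALSE).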
Note:
When I set the debugger to xdbg64, I can't detach the process from the debugger; I'm not sure why that is 🤔
However, IFEO can be abused by adversaries, as described in MITRE ATT&CK T1546.012 (Event Triggered Execution: Image File Execution Options Injection): changing the Debugger value for a specific process to a malicious binary causes that binary to execute every time the process is launched, with the original command line handed to it. All of this requires administrator privileges, since the key lives under HKLM, so a Debugger value that appears on a host is worth checking against the debuggers actually installed there.
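A small audit script for the abuse just described, as an added example (not from the original post): it lists every IFEO image that has a Debugger value and resolves the executable the value points to, so an entry pointing at a missing or unexpected binary stands out. It only reads HKLM, so it runs as an ordinary user; the function name Get-IfeoDebugger is my own.

```powershell
# Added example (not from the original post): enumerate IFEO Debugger entries,
# the configuration T1546.012 abuses. Reading HKLM needs no elevation.
$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Get-IfeoDebugger {
    Get-ChildItem -Path $IfeoRoot | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name 'Debugger' -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            # The value is "<exe> [args]"; the executable may be quoted if its
            # path contains spaces, so split on the closing quote when present.
            if ($dbg.StartsWith('"')) {
                $end = $dbg.IndexOf('"', 1)
                $exe = if ($end -lt 0) { $dbg.Trim('"') } else { $dbg.Substring(1, $end - 1) }
            } else {
                $exe = ($dbg -split '\s+')[0]
            }
            [pscustomobject]@{
                Image      = $_.PSChildName
                Debugger   = $dbg
                Executable = $exe
                Exists     = Test-Path -LiteralPath $exe
            }
        }
    }
}

Get-IfeoDebugger | Format-Table -AutoSize
```

Anything this lists should map to a debugger you knowingly installed; an executable under a user-writable directory, or one that no longer exists, deserves a closer look. For continuous coverage rather than a one-off audit, a Sysmon registry value-set rule (Event ID 13) scoped to this key path records the moment the Debugger value is written, together with the process that wrote it.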