top of page

Performing IFEO Injection

Updated: Sep 26

Peaceful are those who haven't heard about cybersecurity.

Introduction


NOTE: All information presented in this blog is ONLY for research and education purposes.


IFEO Injection attack is a registry-based attack technique that almost guarantees a code execution as a logged-in user or even Admin/SYSTEM user. So what use case would you want to use it? In any use case you can imagine where you want to bind your payload to the "launch" of a binary on the windows platform, IFEO (Image File Execution Options) will probably be your best bet. It is a simple attack that developers often ignore. To quote Microsoft' Blog on IFEO's use case:

IFEO (Image File Execution Options) is a feature the NT-based operating system provides. It can be helpful when debugging at the beginning of an application launch.

A successful IFEO injection involves the following:


  1. A Windows binary on the victim's / target machine. (usually a .exe file of some kind)

  2. Identify a payload that you want to be executed. This usually will be your "malicious.exe" file or the C2C beacon you plan to use in your activity. (For testing, calc.exe is good enough)

  3. Finding a suitable location for your payload to launch from.

  4. Modifying the windows registry (creating the mapping) to launch our payload.


Identifying the target


Any windows EXE file is a potential candidate for a debugger-based IFEO injection attack. During a pen test engagement, a good idea would be to identify and list all the binaries early during the reconnaissance/enumeration phase. Once you have a detailed understanding of the application attack surface, choose the executables and try IFEO debugger-based injection on them, then clean up the registry. The cleanup part is quintessential and would differentiate a seasoned penetration tester from a novice.


The impact


Initially, the image file execution options (IFEO) were created and used for debugging windows binaries and their functionalities. However, there is no check on whether the linked binary is a debugger, so it instantly becomes an attractive attack vector. To gain insight into the potential impact of this technique, the following quote from MITRE's page for IFEO Injections is particularly apt:

Adversaries may establish persistence and elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., C:\dbg\ntsd.exe -g notepad.exe)

Therefore, if you want to ensure that your payload is persistent and you don't want to use some of the other quickly detectable file-based persistence techniques, then IFEO-based injections offer a great alternative. This technique is an excellent alternative to ensure that your payload remains persistent and is difficult to detect.


The exploit


The registry location that houses these mappings for a particular target.exe is:


HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\target.exe         

For demonstration, let's assume that our target binary is notepad.exe and our payload is a binary executable file (a copy of calc.exe) named "darkrelay_payload.exe," stored in the user's Downloads folder. As an attacker, your goal becomes to edit the following registry:


HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe

And add a new string value called "Debugger" that points to your payload, in this case "%HOMEDRIVE%%HOMEPATH%/Downloads/darkrelay_payload.exe". This will enable you to access and use the payload for your desired purpose. Therefore, the registry command can then be summarised as follows:


REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v Debugger /d "%HOMEDRIVE%%HOMEPATH%\Downloads\darkrelay_payload.exe"
Succesful REG command execution
Succesful REG command execution


The aforementioned command should be executed as an administrator command prompt (alternatively, you can use an admin powershell instance to get the same results). Next, we need to wait for user to execute the notepad and as expected, the launch of our target program will trigger the execution of our payload.


Successful payload execution
Successful payload execution

In some cases, this technique might also lead to a admin -> system privilege escalation. Note that, although our payload was executed successfully, the original target binary (in this case, Notepad.exe) failed to launch, which serves as an easy detection and a clear indicator to the victim that something is amiss.


To circumvent this issue, we can use a similar technique called Silent Process Exit Injection, wherein the original target is allowed to complete its execution and exit, then the payload is called.


 

Register for instructor-led online courses today!


Check out our self-paced courses!


Contact us with your custom pen testing needs at: info@darkrelay.com  or WhatsApp.

1,213 views

Recent Posts

See All

Comments


bottom of page