12/19/2023 0 Comments Ifeo chrome debugger rkill![]() ![]() ![]() Looking at how the process trees compare, we can see where the debugger injects itself into the hierarchy: Figure: The process hierarchy with and without interception. Therefore, here is an example registration: I highlighted the most promising entry that is supposed to contain a full path to the debugger and, optionally, its parameters. Figure: Registry operations performed during process creation.Īs you can see, some code (located in kernelbase.dll according to the stack traces) checks various registry keys for existence. Let us take a look at a portion of Process Monitor’s logs captured while I start cmd.exe. Besides filename corrections (which we will discuss a bit later), you can find how querying for IFEO settings works. Looking at filesystem and registry activity while creating a new process reveals plenty of peculiarities. I know at least three programs that utilize this mechanism for non-debugging purposes: widely known Process Explorer and Process Hacker - to replace Windows Task Manager, and AkelPad - to replace the Notepad. I must say that it is not an innovative approach. Those who want to start experimenting right away can find the GitHub repository here. So, are there any limitations on what we can do if we register ourselves as a debugger? Let’s push this opportunity to the limits and see what we can achieve. Therefore, it becomes the debugger’s responsibility to start the application and then attach itself to it. Internally, the system swaps the path to the image file with the debugger’s location, passing the former as a parameter. Even more importantly, it happens synchronously, i.e., the target won’t start unless we allow it. I don’t know about you, but I immediately saw this feature as a mechanism for executing arbitrary code when someone creates a new process. Then you can single-step through the code and figure what goes wrong. With IFEO, however, you can instruct the system to launch your favorite debugger right when it’s about to start this troublesome process. In case you cannot launch this child manually (that can happen for various reasons), you might have a hard time troubleshooting this problem. Imagine a scenario where some program creates a child process that crashes immediately. One of its features that drew my attention is a mechanism designed to help developers debug multi-process applications. Have you ever heard of Image File Execution Options ( IFEO)? It is a registry key under HKEY_LOCAL_MACHINE that controls things like Global Flags and Mitigation Policies on a per-process basis. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |