Gist: Neo23x0/3a245e6206951f17125f2b214b160fe8
```reg
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskdl.exe]
"Debugger"="taskkill /F /IM "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskse.exe]
"Debugger"="taskkill /F /IM "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wannacry.exe]
"Debugger"="taskkill /F /IM "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mssecsvc.exe]
"Debugger"="taskkill /F /IM "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasksche.exe]
"Debugger"="taskkill /F /IM "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskhsvc.exe]
"Debugger"="taskkill /F /IM "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wcry.exe]
"Debugger"="taskkill /F /IM "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\111.exe]
"Debugger"="taskkill /F /IM "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lhdfrgui.exe]
"Debugger"="taskkill /F /IM "
```
I wonder - I've seen this method used by attackers: they register cmd.exe as the debugger for sethc.exe, which causes both cmd.exe AND the Sticky Keys app window to pop up on the login screen when pressing Shift 5 times in a row. Therefore I thought that the debugger starts as a second process.
No, the debugger is responsible for launching the original program.
A good way to effectively block with IFEO is to redirect to a blank executable or to alg.exe
It's not working :(
Modified the vaccine and added the newest known file names
@Neo23x0, this was a great quick reaction solution. Please accept my apologies for leaving a comment and not having the time to better explain (things at the office were nuts :).
The Image File Execution Options (IFEO) key is a centralized configuration location for adjusting how images (processes) are executed. As you perfectly illustrated in the above Gist, you can modify the way named processes are executed by creating a key with the targeted process' name (for example, wannacry.exe). Under this key, there are several values you could create to adjust the ASLR implementation (MitigationOptions) or automatically attach a specified debugger to troubleshoot a process (Debugger).
As you noted, several malware families have used the Debugger value to prevent the future execution of Personal Security Products (PSP). Often, they will set the Debugger value to "taskkill.exe /F /IM " or just "taskkill.exe". Although the desired effect is achieved, it's not because of taskkill.exe and I'll explain why:
When a process gains execution, one of the earliest actions performed by explorer.exe is to check the IFEO key. If the executed process has a correlating subkey sharing the same name, it will check for a Debugger value. If the Debugger value exists, the OS will execute the data within the value and pass the original process and process arguments to the specified debugger. If I were a developer of myApp.exe, I could add the following to the registry to automatically attach the Windows Debugger (windbg.exe) when my process is executed:
```reg
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myApp.exe]
"Debugger"="windbg.exe"
```
If my command line syntax was myApp.exe, this would effectively run windbg.exe myApp.exe (thus never actually running myApp.exe directly). If attackers were to create a Debugger value set to "taskkill.exe /F /IM " for myApp.exe, it would effectively run "taskkill.exe /F /IM myApp.exe" as demonstrated in this ProcMon screenshot:
For disabling PSPs, this is ideal because the process is already running. As for disabling the execution of future processes, this only works because myApp.exe never actually gets executed. As @charlesmilette alluded to, pointing the Debugger value to any application which does not execute the passed arguments and does not open a window is a good solution (does not have to be taskkill.exe). In my personal collection of offensive tradecraft, I've used the following Debugger values to also get the job done:
- alg.exe
- consent.exe
- ctfmon.exe
- DeviceEject.exe
- dllhost.exe
- dllhst3g.exe
- dwm.exe
It's also important to note that I disagree with @ilyaglow's suggestion to set the value to an application which does not exist. This will cause a pop-up like the following to display which unnecessarily inconveniences end users.
Once again, kudos for the quick thinking and I hope everyone got a kick out of this explanation of what is actually going on under the hood with these additions to your registry. If you have any more questions, hit me up on Twitter.
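The mechanism explained in the comment above (the Debugger value replaces the launched image and receives its path as an argument) is also what makes the sethc.exe / cmd.exe abuse mentioned earlier in the thread possible, so the same key is worth auditing. The following PowerShell is an added example, not part of the Gist or of any commenter's code: it enumerates every IFEO subkey that carries a Debugger value and labels it as one of the vaccine entries from the .reg file above, a harmless sink from the list in the comment, or an entry that deserves review. The image and sink name lists are constructed from this page; `Classify-IfeoEntry` and `Get-IfeoDebuggerEntries` are names chosen for the example.

```powershell
# Added example (not from the Gist): audit IFEO Debugger values read-only.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Image names registered by the vaccine .reg file on this page (constructed list).
$vaccinated = @('taskdl.exe', 'taskse.exe', 'wannacry.exe', 'mssecsvc.exe',
                'tasksche.exe', 'taskhsvc.exe', 'wcry.exe', '111.exe', 'lhdfrgui.exe')
# Executables the comment names as sinks that neither run the passed path nor show a window.
$benignSinks = @('alg.exe', 'consent.exe', 'ctfmon.exe', 'DeviceEject.exe',
                 'dllhost.exe', 'dllhst3g.exe', 'dwm.exe')

function Get-IfeoDebuggerEntries {
    # Only subkeys that actually define a Debugger value redirect execution.
    Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            [pscustomobject]@{ Image = $_.PSChildName; Debugger = $dbg }
        }
    }
}

function Classify-IfeoEntry {
    param([string]$Image, [string]$Debugger)
    # The first token of the value is the program Windows launches instead of $Image;
    # everything after it (plus the original path) becomes that program's arguments.
    $exe  = ($Debugger.Trim() -split '\s+')[0].Trim('"')
    $leaf = [System.IO.Path]::GetFileName($exe)
    if ($leaf -match '^taskkill(\.exe)?$') {
        # taskkill as debugger: expected for the vaccine image names, otherwise still a sink.
        if ($vaccinated -contains $Image) { return 'vaccine' }
        return 'sink'
    }
    if ($benignSinks -contains $leaf) { return 'sink' }
    # Anything else (for example sethc.exe redirected to cmd.exe) should be investigated.
    return 'review'
}

Get-IfeoDebuggerEntries | ForEach-Object {
    $verdict = Classify-IfeoEntry -Image $_.Image -Debugger $_.Debugger
    $_ | Add-Member -NotePropertyName Verdict -NotePropertyValue $verdict -PassThru
} | Sort-Object Verdict | Format-Table -AutoSize
```

Run it from an elevated prompt so the HKLM subkeys are readable; a verdict of "review" means a process on the box is being silently replaced by something other than the sinks discussed here.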
Can anyone share the WannaCry sample with me? I want to reverse it.
You can find md5 hashes of the samples
This software is much better! It blocks all the ways WannaCry 2.0 has to enter your PC:
https://github.com/phtom/WCRipper
Share.
I need a WannaCry ransomware sample because I am working on a ransomware project, testing and protecting our firewall. For that reason, if anyone has the file or a link, send it to my mail id [email protected]
Can anybody send me a link to open source code to prevent ransomware, for adding to a firewall? My mail id: [email protected]
The Debugger value in fact precedes the actual process name, so it should be sufficient to use just `"Debugger"="taskkill.exe /IM /F"` or even `"Debugger"="somethingthatdoesntexist.exe"`.
Update: That was a really rushed comment and, as @KyleHanslovan pointed out below, using `somethingthatdoesntexist.exe` for the debugger value probably wouldn't be convenient for your end users, because they could see pop-ups about wannacry exes that seem not to exist but are actually on their disk. However, depending on your goals, this solution could make your users aware that they are vulnerable and be used later for a survey etc. In addition, I should note that a `taskkill /F /IM` debugger value will make `taskkill` fail to even start properly, because it will get the full path to an exe file instead of its image name, although it will still stop the malicious execution.