#11
Thanks for the help everyone! I decided to download a version of the Ask Toolbar installer - "Offercast2802_DEMOTB_.exe" - and add it to the exclusion list in Image Hijacker before running a capture with ProcMon, then trying to run the toolbar installer.
The screenshots are what I think might be important in understanding how this software works but I admit that I don't have a full understanding so if anyone can interpret the screenshots - I'd be grateful.
It seems to me as if registry entries for blocked executables are created in:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
with the Value Name "Debugger"
and the Value Data "C:\Users\Chris\Desktop\Toolbox\Image Hijacker\FM.exe"
FM.exe as I understand it is the Image Hijacker executable that runs in place of "Offercast2802_DEMOTB_.exe" and displays the user defined message on screen - in this case "Ask Toolbar Installation Blocked"
I still don't really understand what's happening here. It looks like registry entries can be used to block an executable and run another one in its place, but how on earth is the executable detected when it attempts to run?
HELP!
Last edited by Callender; 06 Dec 2013 at 23:11. Reason: include more info
Got it! Forget everything about the kernel-mode driver I told you before, it's probably wrong. Those registry keys are the real thing that does the work.
That registry path is a Windows special entry. It's designed to help programmers run programs under debuggers before they launch, so you can monitor your program in the early phases of its startup. What those keys do is, when the executable pointed to there is run, Windows does NOT run it, but instead runs the thing specified in the "Debugger" entry, passing the whole original command line to it. The real intention is to put a debugger there that can monitor the target program, but it can really be used for anything, effectively replacing any program with another one. That behavior is built into Windows itself; your program has nothing to do with that, it just sets those entries and provides a nice "alternative" program to run instead.
Look here:
Launching the Debugger Automatically
registry - set "Image File Execution Options" will always open the named exe file as default - Stack Overflow
A practical usage (discussed in the StackOverflow thread) is replacing Notepad with Notepad2. There it is done manually, but as far as I remember, the official Notepad2 installer does exactly the same, effectively running Notepad2 everywhere instead of the real built-in Notepad.
BTW, may I suggest using a more "innocent" program as a test piggy? Why not try this blocker with the calculator instead of a real virus?
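Since the same "Debugger" value that Image Hijacker writes is also a classic persistence and tamper spot, an administrator will usually want to know which IFEO entries exist on a machine. The following PowerShell audit script is an added example, not code from this thread or from the Image Hijacker program: it walks both IFEO hives, prints every subkey that carries a Debugger value, resolves the image it points at, and flags anything that is not on a small list of known debuggers. The allow list and the function names are assumptions for illustration, and the script must run in an elevated session on Windows.

```powershell
# Added audit example (not from the thread). Lists IFEO "Debugger" redirections
# such as the FM.exe one described above. Assumes an elevated PowerShell on Windows.

$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

# Hypothetical allow list of debugger images that are commonly found here legitimately.
$knownDebuggers = @('vsjitdebugger.exe', 'windbg.exe', 'cdb.exe', 'ntsd.exe', 'procdump.exe')

function Get-ImagePathFromCommand {
    # Extract the executable path from a Debugger command line.
    # Handles a quoted path, an unquoted path that contains spaces (as in the
    # thread's example), and a plain "exe args" form, in that order.
    param([string]$Command)
    $c = $Command.Trim()
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 1) { return $c.Substring(1, $end - 1) }
        return $c.Trim('"')
    }
    if (Test-Path -LiteralPath $c -PathType Leaf) { return $c }
    return ($c -split '\s+', 2)[0]
}

function Get-IfeoDebuggerEntry {
    # Emit one object per IFEO subkey that has a Debugger value.
    [CmdletBinding()]
    param()
    foreach ($root in $ifeoRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            $props = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
            $debugger = $props.Debugger
            if ([string]::IsNullOrWhiteSpace($debugger)) { continue }

            $image = Get-ImagePathFromCommand -Command $debugger
            $imageName = [System.IO.Path]::GetFileName($image).ToLowerInvariant()

            [pscustomobject]@{
                Target         = $key.PSChildName          # the executable being redirected
                Debugger       = $debugger                 # raw value as Windows will use it
                DebuggerImage  = $image
                ImageExists    = Test-Path -LiteralPath $image -PathType Leaf
                Suspicious     = -not ($knownDebuggers -contains $imageName)
                Hive           = $root
            }
        }
    }
}

function Remove-IfeoDebugger {
    # Remove only the Debugger value, leaving any other IFEO settings for the
    # target intact. Supports -WhatIf so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Target,
        [string]$Root = $ifeoRoots[0]
    )
    $keyPath = Join-Path -Path $Root -ChildPath $Target
    if ($PSCmdlet.ShouldProcess($keyPath, 'Remove Debugger value')) {
        Remove-ItemProperty -LiteralPath $keyPath -Name Debugger -ErrorAction Stop
    }
}

# Show suspicious redirections first.
Get-IfeoDebuggerEntry | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

On a machine where Image Hijacker has blocked the toolbar installer, the report would show a Target of `Offercast2802_DEMOTB_.exe`, the Debugger value pointing at `FM.exe`, and Suspicious set to True, because FM.exe is not a debugger. Sysinternals Autoruns reads the same keys under its Image Hijacks tab, which is a quick cross-check. To undo a single block, run `Remove-IfeoDebugger -Target 'Offercast2802_DEMOTB_.exe' -WhatIf` first, then without `-WhatIf`.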
Thanks Alejandro85
You explain very well indeed and with some decent advice. I did originally try substituting my browser with Notepad to see if it worked, but I just couldn't understand how it worked. I chose Ask Toolbar as I knew that I could remove it!