Windows: injecting an argument into a *.exe invocation

Windows has an interesting way of attaching a debugger at the moment a process is created: the Image File Execution Options (IFEO) registry key.

greggm's WebLog : Inside 'Image File Execution Options' debugging
There are times that you need to debug the startup code for an application, but something else is launching the application.

Doing this on Solaris/Linux is another interesting matter. Can DTrace be used? Or do we still use the classic way of replacing the binary with a shell script? I'll leave that to the experts for now.

Back to Windows. This feature can be used in various good and bad ways (e.g. by a virus), not just for debugging: the Debugger value lives under HKLM, so writing it takes administrative rights, but once it is there the loader runs whatever command it names, with the rights of every user who starts that image, which is why it is a well-known persistence and hijacking trick. Today, I used this feature to pass an option to java.exe.

There are many applications that spawn "java.exe", and there is often no way to pass Java flags to them. So I think I'm not the only one who has wished to inject a Java option dynamically, like -Xmx. I'll probably write another blog entry after polishing this script and elaborate on how I did it for java.exe.
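One check a practitioner wants after reading that IFEO can be abused: list every image that currently has a Debugger value and flag the ones that do not point at a real debugger. The following Python is an added example, not code from the original post. It parses a `reg export` of the IFEO key rather than the live registry so it runs anywhere; the sample export, the inject.vbs path and the allow-list of "expected" debugger names are constructed assumptions.

```python
"""Audit Image File Execution Options 'Debugger' values from a 'reg export' file.

Added example, not code from the original post. Input is an export of the key:
  reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg
The sample export below is constructed.
"""
import re
import sys
from typing import Dict, List, Tuple

IFEO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Assumed allow-list of debugger binaries one expects to see configured on purpose.
# Anything else runs with the rights of every user who starts the image, so it deserves a look.
EXPECTED_DEBUGGERS = ("ntsd", "cdb", "windbg", "vsjitdebugger", "gflags")

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# Only REG_SZ Debugger values are handled; a REG_EXPAND_SZ one is exported as hex(2): and skipped.
_DEBUGGER_RE = re.compile(r'^"Debugger"="(?P<val>(?:\\.|[^"\\])*)"$', re.IGNORECASE)

# Constructed sample of what reg export produces (backslashes and quotes are escaped in REG_SZ values).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe]
"Debugger"="cscript //NoLogo C:\\tools\\inject.vbs /T:fc"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\Program Files (x86)\\Windows Kits\\10\\Debuggers\\x64\\windbg.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="cmd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\java.exe]
"GlobalFlag"=dword:00000200
"""


def unescape_reg_string(s: str) -> str:
    """Undo the backslash escaping reg export applies to REG_SZ values (\\ -> \, \" -> ")."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_ifeo_debuggers(reg_text: str) -> Dict[str, str]:
    """Map image name (e.g. 'cmd.exe') to its Debugger command line for every IFEO subkey that sets one."""
    found: Dict[str, str] = {}
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = _DEBUGGER_RE.match(line)
        if m and current_key and current_key.lower().startswith(IFEO_KEY.lower() + "\\"):
            image = current_key[len(IFEO_KEY) + 1:]
            found[image] = unescape_reg_string(m.group("val"))
    return found


def first_token(cmdline: str) -> str:
    """The program part of a command line, honouring a quoted path with spaces."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(None, 1)[0] if cmdline else ""


def suspicious_entries(debuggers: Dict[str, str]) -> List[Tuple[str, str]]:
    """(image, debugger) pairs whose program is not on the EXPECTED_DEBUGGERS allow-list, sorted by image."""
    out = []
    for image, dbg in debuggers.items():
        name = first_token(dbg).replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if not any(name.startswith(k) for k in EXPECTED_DEBUGGERS):
            out.append((image, dbg))
    return sorted(out)


if __name__ == "__main__":
    # reg export writes UTF-16LE with a BOM, which the "utf-16" codec handles.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG_EXPORT
    found = parse_ifeo_debuggers(text)
    for image, dbg in sorted(found.items()):
        print(f"{image:20} Debugger = {dbg}")
    for image, dbg in suspicious_entries(found):
        print(f"REVIEW: {image} -> {dbg}")
```

Run it without arguments to see the constructed sample audited (cmd.exe and sethc.exe are reported, windbg is not), or with the path of a real export. On 64-bit systems the Wow6432Node copy of the key is worth exporting and feeding through as well.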

For today, I'll show a sample with "cmd.exe". With the "/T:fc" option, cmd.exe comes up red on white (the first hex digit is the background colour, the second the foreground). I know this is a very lame example, but it is much safer to try than the java.exe one. So, here goes. Save this as a *.vbs file, then use the registry editor to create the key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe with a string value named "Debugger" containing cscript //NoLogo <full path to the script> /T:fc (the same value the script writes back at its end; quote the path if it contains spaces). To test, run "cmd /k dir" from the Windows Run menu, from a system() call in Perl, or any other way you like. Two caveats follow from how the script works: while it is running, the Debugger value is absent, so any cmd.exe started in that window runs without the injected option, and if the script dies between the RegDelete and the RegWrite the hook stays removed until you put it back by hand.

'ToDo: there should be two run modes.
'  1. Run from the command line with the .exe name and the injection string passed as arguments.
'     Create the registry key (*.exe) and create the "Debugger" value under it.
'  2. Run via IFEO. This part is complete.
'
Option Explicit

Const IFEO_DEBUGGER = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger"

Dim oShell, cmdLine, i, exitCode
Set oShell = WScript.CreateObject("WScript.Shell")

' cscript has already stripped the quotes from the arguments; put them back on
' anything containing a space, or a path like "C:\Program Files\..." falls apart.
Function Quote(s)
  If InStr(s, " ") > 0 And Left(s, 1) <> """" Then
    Quote = """" & s & """"
  Else
    Quote = s
  End If
End Function

' IFEO starts us as: cscript //NoLogo <this script> <injected option> <original command line>
' so Arguments(0) is the option to inject and Arguments(1) is the original .exe.
'cmdLine = "cmd.exe /K " & Quote(WScript.Arguments(1)) & " "  'For those programs interacting with stdin/stdout
cmdLine = Quote(WScript.Arguments(1)) & " "
cmdLine = cmdLine & WScript.Arguments(0) & " "
For i = 2 To WScript.Arguments.Length - 1
  cmdLine = cmdLine & Quote(WScript.Arguments(i)) & " "
Next

' Take the hook down first, otherwise the cmd.exe we start would re-enter this script.
oShell.RegDelete IFEO_DEBUGGER
exitCode = oShell.Run(cmdLine, , True)   'setting bWaitOnReturn to False is dangerous!
' Put the hook back and hand the child's exit code to whatever launched cmd.exe.
oShell.RegWrite IFEO_DEBUGGER, "cscript //NoLogo " & Quote(WScript.ScriptFullName) & " /T:fc"
WScript.Quit exitCode
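To make concrete what cscript receives through IFEO and why the rebuilt command line has to re-quote arguments, here is an added Python model, not code from the original post, of the expansion the loader performs and of the script's reorder-and-rejoin step. The cmd.exe and java.exe Debugger values, the inject.vbs paths, the -Xmx512m option and the Java paths are constructed; the splitter follows the CommandLineToArgvW rules as a subset.

```python
"""Model of what IFEO hands a 'debugger' and how the command line gets rebuilt.

Added example, not code from the original post. The Debugger values, the
inject.vbs paths, the -Xmx512m option and the Java paths are constructed.
"""
import subprocess
from typing import List

# Constructed: Debugger values for cmd.exe (as in the post) and for a hypothetical java.exe hook.
CMD_DEBUGGER_VALUE = r"cscript //NoLogo C:\tools\inject.vbs /T:fc"
JAVA_DEBUGGER_VALUE = r'cscript //NoLogo "C:\my tools\inject.vbs" -Xmx512m'


def ifeo_launch_cmdline(debugger_value: str, original_cmdline: str) -> str:
    """What the loader starts instead of the image: the Debugger value, then the original command line verbatim."""
    return debugger_value + " " + original_cmdline


def split_windows_cmdline(cmdline: str) -> List[str]:
    """Split with the CommandLineToArgvW / MSVCRT rules cscript applies when filling WScript.Arguments.

    Subset: a quote toggles quoting; 2n backslashes before a quote give n literal
    backslashes, 2n+1 give n backslashes plus a literal quote; any other backslash
    is literal. (The special-casing of argv[0] and of "" inside quotes is omitted.)
    """
    argv: List[str] = []
    cur: List[str] = []
    in_quotes = have_arg = False
    i, n = 0, len(cmdline)
    while i < n:
        c = cmdline[i]
        if c == "\\":
            j = i
            while j < n and cmdline[j] == "\\":
                j += 1
            nbs = j - i
            if j < n and cmdline[j] == '"':
                cur.append("\\" * (nbs // 2))
                if nbs % 2:
                    cur.append('"')
                else:
                    in_quotes = not in_quotes
                i = j + 1
            else:
                cur.append("\\" * nbs)
                i = j
            have_arg = True
        elif c == '"':
            in_quotes = not in_quotes
            have_arg = True
            i += 1
        elif c in " \t" and not in_quotes:
            if have_arg:
                argv.append("".join(cur))
                cur, have_arg = [], False
            i += 1
        else:
            cur.append(c)
            have_arg = True
            i += 1
    if have_arg:
        argv.append("".join(cur))
    return argv


def wscript_arguments(launch_cmdline: str) -> List[str]:
    """Approximate WScript.Arguments: drop the host, its //host options and the script path."""
    rest = split_windows_cmdline(launch_cmdline)[1:]
    while rest and rest[0].startswith("//"):
        rest = rest[1:]
    return rest[1:]


def rebuild_naive(args: List[str]) -> str:
    """Plain join: exe, injected option, then the rest, space separated and never quoted."""
    return " ".join([args[1], args[0]] + args[2:])


def rebuild_quoted(args: List[str]) -> str:
    """Same reorder, re-quoted with the MSVCRT rules so paths with spaces survive the next CreateProcess."""
    return subprocess.list2cmdline([args[1], args[0]] + args[2:])


if __name__ == "__main__":
    cases = ((CMD_DEBUGGER_VALUE, "cmd /k dir"),
             (JAVA_DEBUGGER_VALUE, r'"C:\Program Files\Java\bin\java.exe" -jar "C:\apps\my app.jar"'))
    for dbg, orig in cases:
        args = wscript_arguments(ifeo_launch_cmdline(dbg, orig))
        print("WScript.Arguments:", args)
        print("naive  :", rebuild_naive(args), "-> argv[0] =", split_windows_cmdline(rebuild_naive(args))[0])
        print("quoted :", rebuild_quoted(args))
```

For the post's own case the two rebuilds agree ("cmd /T:fc /k dir"); for a java.exe under C:\Program Files the naive join yields a command line whose first token is C:\Program, which is exactly the failure the Quote step in a VBScript hook has to prevent.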
The views expressed on this blog are my own and do not necessarily reflect the views of Oracle.