Tags: image, cmd, executable, steganography

Execute EXE as JPG


I've made a simple program in Visual Basic, then gave it a JPG extension and set it up to be run from a shortcut with the command line cmd.exe /c my_program.jpg, according to this and this guide.

Everything is fine so far, but I'd like to run my program from an image without command prompt opening.

I know that such a thing is possible, because I can run programs from PDF, RTF or Word documents: most PDF files have JS API features, and Microsoft Office documents have VBA and macro support. Maybe some steganography thingamajig can do the trick?


Solution

  • This is hard to believe, but it's actually true. My investigation (with Rohitab API Monitor) shows that upon finding the file, cmd.exe first invokes CreateProcessW - and only if that fails (in this case, with error 193 == ERROR_BAD_EXE_FORMAT), tries ShellExecuteW.

    This behavior is actually documented in KB811528 - Command Prompt (Cmd.exe) Runs Files That Do Not Have Executable File Name Extensions. Sure, the article mentions in passing that this can lead to execution of viruses (as if it's nothing special).

    This doesn't apply to Windows Explorer/shell32 dialogs/most other programs that open files - since they invoke ShellExecute right away. But this does generally apply to programs that execute command lines with system or CreateProcess! (Do you remember processes like setup.tmp during InstallShield-based installations? They are examples.)

    Not all programs that run arbitrary commands are affected. E.g. Total Commander is not: it calls ShellExecute even for command lines.


    Now, regarding your specific question. The 2nd guide actually showcases an exploit (assuming it's not just a scam) - the author specially crafts the image to exploit some vulnerability in Windows Photo Gallery (that has probably been patched by now) to make it execute the contained code. This isn't supposed to be normally possible.

    So, you have two options:

    1. Launch your program through another program (with shortcut or otherwise), but replace cmd with something that doesn't create a console window. wscript comes to mind.
    2. Use some "intelligent" image format that's supposed to contain executable code. I'm not aware of any image ones - after all, images are supposed to contain pictures, not code!
      • There are, of course, more than a few compound/"intelligent" formats (of which you named a few). Yet, they tend to impose strict limitations on when code inside them can be invoked and what it is allowed to do. I'll have you know that these limitations were introduced specifically as a response to others doing what you're trying to do.
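The answer above hinges on one distinction: CreateProcessW succeeds only when the file's bytes are a PE image, and the extension plays no part in that decision; it is only the ShellExecuteW fallback that looks at the extension. The following is an added example, not code from the question or the answer, that models that dispatch and turns it around into the check a defender would run: flag any file whose content is PE but whose extension says otherwise. It is a deliberate simplification (the MZ/PE signature walk only; the real loader validates the machine type, optional header, sections and more), and the sample JPEG and PE byte strings are constructed inline, not taken from any real file.

```python
import struct

# Win32 error code the answer reports from the failed CreateProcessW call.
ERROR_BAD_EXE_FORMAT = 193

# Extensions that Windows normally associates with PE images. This list is an
# assumption for the example, not an exhaustive one.
PE_EXTENSIONS = (".exe", ".dll", ".scr", ".com", ".sys", ".cpl", ".ocx")


def looks_like_pe(data: bytes) -> bool:
    """Simplified version of the header check the Windows loader performs.

    The real loader checks far more; this only walks the MZ header to the
    PE signature, which is enough to tell a renamed EXE from a real image.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    # e_lfanew (offset of the PE header) lives at offset 0x3C of the DOS header.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def cmd_dispatch(data: bytes) -> str:
    """Model of the cmd.exe behaviour described in the answer.

    cmd.exe tries CreateProcessW first and, only when that fails with
    ERROR_BAD_EXE_FORMAT, hands the file to ShellExecuteW, which picks the
    handler registered for the file's extension.
    """
    if looks_like_pe(data):
        return "CreateProcessW"
    # Here CreateProcessW would have returned ERROR_BAD_EXE_FORMAT (193).
    return "ShellExecuteW"


def extension_content_mismatch(name: str, data: bytes) -> bool:
    """Defender's check: a PE image hiding behind a non-executable extension."""
    return looks_like_pe(data) and not name.lower().endswith(PE_EXTENSIONS)


def make_fake_pe() -> bytes:
    """Constructed minimal MZ+PE header, just enough to satisfy looks_like_pe()."""
    dos_header = bytearray(0x40)
    dos_header[0:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 0x40)  # PE header right after DOS header
    return bytes(dos_header) + b"PE\0\0" + b"\x00" * 20


# Constructed sample inputs: the start of a JFIF JPEG and a renamed "EXE".
JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 54
RENAMED_EXE = make_fake_pe()


def scan(files: dict) -> list:
    """Return the names of files whose extension does not match PE content."""
    return [name for name, data in files.items() if extension_content_mismatch(name, data)]


if __name__ == "__main__":
    samples = {"photo.jpg": JPEG_SAMPLE, "my_program.jpg": RENAMED_EXE, "setup.exe": RENAMED_EXE}
    for name, data in samples.items():
        print(f"{name}: cmd.exe would use {cmd_dispatch(data)}")
    print("extension/content mismatches:", scan(samples))
```

Running the script shows the two paths side by side: my_program.jpg and setup.exe both go through CreateProcessW because their bytes are PE, while photo.jpg falls back to ShellExecuteW and opens in the image viewer. The same signature walk, applied to files on disk, is the cheapest way to catch the trick the answer describes before cmd.exe ever sees the file.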