Windows Hardening Guide: Locating and Removing Debuggers

Neemobeer, Windows Forum Team (staff member)
Applies to:
Windows 7 and newer (the technique also works on older Windows versions)

Description:
This tutorial shows how to locate debuggers configured under Image File Execution Options (IFEO) and how to remove them.

About Vulnerability:
This is not a vulnerability in itself. Image File Execution Options is a documented Windows feature: when an executable has a subkey under this registry path with a Debugger value, Windows starts the program named in that value instead and appends the original program's command line to it, so that a real debugger such as windbg.exe can attach from the first instruction. Malware abuses the same mechanism to run its own binary whenever a chosen program is launched, which gives it persistence and lets it intercept that program (MITRE ATT&CK tracks this as T1546.012), so it is worth checking for. On most users' computers you will not find any legitimate use of this key.

NOTES:
PROCEXP.EXE from SysInternals is a good example of a legitimate program that uses this feature: its "Replace Task Manager" option writes its own path into the Debugger value under the taskmgr.exe key.
The script below checks only the Debugger value. The same key also honours a GlobalFlag value that, together with a SilentProcessExit\<exe> key, launches a MonitorProcess when the target exits; that variant is not covered here.

The following script (also attached) lists every .exe key under Image File Execution Options and reports whether it carries a Debugger value. Because a value may be there for a legitimate reason, the script does not remove anything; instructions for removing the Debugger value are at the end.
If PowerShell refuses to run the script because of the execution policy, relax it for the current session only rather than machine-wide: Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass

The Script:
Code:
Function Get-EnabledDebuggers
{
    # IFEO lives only under HKLM; Windows consults it on every process start
    $debugRoot = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

    $IFEOEntries = Get-ChildItem -Path $debugRoot

    foreach($entry in $IFEOEntries)
    {
        # -like is case-insensitive, so keys such as SETHC.EXE are not skipped
        if($entry.PSChildName -like "*.exe")
        {
            $exeName = $entry.PSChildName

            # Returns $null when the key has no Debugger value at all
            $debuggerValue = Get-ItemProperty -Path $entry.PSPath -Name "Debugger" -ErrorAction SilentlyContinue

            if($null -eq $debuggerValue)
            {
                Write-Host "No Debugger property found for [$exeName]" -ForegroundColor Green
            }
            elseif ([string]::IsNullOrWhiteSpace($debuggerValue.Debugger))
            {
                Write-Host "Debugger property found but contains no value for [$exeName]" -ForegroundColor Yellow
            }
            else
            {
                Write-Host "Debugger property found and contains data for " -NoNewline
                Write-Host "[$exeName]" -ForegroundColor Red
                Write-Host "Debugger value: " -NoNewline
                Write-Host "$($debuggerValue.Debugger)" -ForegroundColor Red
                Write-Host "This could be a sign of malware, as the debugger is launched in place of the process" -ForegroundColor Red
                Write-Host "Some legitimate programs do this, e.g. procexp.exe from SysInternals when it replaces Task Manager"
            }
        }
    }
}

Get-EnabledDebuggers

Execution:

  • To run this script, copy the code or download the script (I've called mine Get-EnabledDebuggers.ps1)
  • Open a PowerShell prompt by clicking Start and typing powershell (reading the key does not require an elevated prompt)
  • Navigate to the directory containing the script with Set-Location "C:\PATH\TO\SCRIPT\DIRECTORY"
  • Run the script with . .\Get-EnabledDebuggers.ps1
Sample output: one line per .exe key, green when no Debugger value exists, yellow when the value exists but is empty, and red with the configured value when one is set (screenshot not reproduced).
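The script above only tells you that a Debugger value exists. The next step a practitioner takes is to look at what that value points to. The following is an added example, not code from the original post: it walks the same IFEO key, returns objects instead of coloured text, resolves the first token of each Debugger command line to a file, and records whether that file exists, whether it is Authenticode-signed, and its SHA-256. The Suspicious column is a heuristic of my own (missing, unsigned, or living under a user-writable path); it assumes Windows PowerShell 4.0 or later for Get-FileHash.

```powershell
# Added example, not part of the original post. Enumerates IFEO Debugger values
# and enriches each one with facts about the binary it points to.
# Assumes Windows PowerShell 4.0+ (Get-FileHash).
Function Get-IFEODebuggerReport
{
    $ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

    foreach ($key in Get-ChildItem -Path $ifeoRoot)
    {
        # Every subkey is checked regardless of name, so unusual key names are not skipped
        $debugger = (Get-ItemProperty -Path $key.PSPath -Name 'Debugger' -ErrorAction SilentlyContinue).Debugger
        if ([string]::IsNullOrWhiteSpace($debugger)) { continue }

        # The value is a command line; the first token (quoted or bare) names the binary
        if ($debugger -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
        else { $exe = ($debugger.Trim() -split '\s+')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)

        # Resolve a bare name such as cmd.exe via PATH, the way process creation would
        $resolved = $null
        if (Test-Path -LiteralPath $exe -PathType Leaf)
        {
            $resolved = (Resolve-Path -LiteralPath $exe).Path
        }
        else
        {
            $cmd = Get-Command -Name $exe -CommandType Application -ErrorAction SilentlyContinue |
                   Select-Object -First 1
            if ($cmd) { $resolved = $cmd.Path }
        }

        $sigStatus = 'FileNotFound'
        $sha256    = $null
        if ($resolved)
        {
            $sigStatus = (Get-AuthenticodeSignature -FilePath $resolved).Status.ToString()
            $sha256    = (Get-FileHash -Path $resolved -Algorithm SHA256).Hash
        }

        # Heuristic (an assumption, not a rule): a debugger that is missing, unsigned,
        # or stored in a user-writable location deserves a closer look. Process Explorer
        # is Microsoft-signed, so a legitimate taskmgr.exe entry will not trip this.
        $userWritable = $resolved -and ($resolved -match '\\(Temp|AppData|Users\\Public|ProgramData)\\')

        [PSCustomObject]@{
            Target       = $key.PSChildName
            Debugger     = $debugger
            DebuggerFile = $resolved
            Signature    = $sigStatus
            SHA256       = $sha256
            Suspicious   = (-not $resolved) -or ($sigStatus -ne 'Valid') -or [bool]$userWritable
        }
    }
}

# Findings that deserve attention are listed first
Get-IFEODebuggerReport | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Because the function emits objects, the same report can be exported with Export-Csv and compared across machines, and the SHA-256 gives you something to look up before deciding whether the debugger binary is known.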


Debugger Removal:
Unless you, or a tool you installed (such as Process Explorer's "Replace Task Manager" option), set the value, it can be removed safely. Before deleting it, note the Debugger value and the file it points to: if the entry was not yours, that file is the thing to investigate, not just the registry value. Editing this key requires administrator rights.
  • Click Start or press the Windows key
  • Type regedit.exe
  • Accept the UAC prompt if you have one
  • Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
  • Click on the key with the executable name
  • On the right, select the 'Debugger' value and press Delete on the keyboard, or right-click it and select Delete
  • No reboot is required: the key is read every time a process starts, so the change applies to the next launch
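The regedit steps above can be done from PowerShell as well, which is useful when you have several machines to clean. The following is an added example, not code from the original post: it exports the affected key to a .reg file first so the change can be reverted with reg import, then deletes only the Debugger value, and honours -WhatIf so you can rehearse the removal. The backup directory ($env:ProgramData\IFEO-backup) and the sethc.exe target in the usage lines are assumptions for illustration.

```powershell
# Added example, not part of the original post. Backs up an IFEO key and removes
# its Debugger value. Run from an elevated PowerShell prompt.
Function Remove-IFEODebugger
{
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $ExeName,        # key name, e.g. 'sethc.exe'
        [string] $BackupDir = "$env:ProgramData\IFEO-backup"     # assumed location for .reg backups
    )

    $ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    $keyPath  = Join-Path $ifeoRoot $ExeName

    if (-not (Test-Path -LiteralPath $keyPath))
    {
        Write-Warning "No IFEO key for $ExeName"
        return
    }

    $current = (Get-ItemProperty -LiteralPath $keyPath -Name 'Debugger' -ErrorAction SilentlyContinue).Debugger
    if ($null -eq $current)
    {
        Write-Warning "No Debugger value under $ExeName"
        return
    }

    # Export the whole key with reg.exe so the removal can be undone with: reg import <file>
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backup = Join-Path $BackupDir ('IFEO-{0}-{1}.reg' -f ($ExeName -replace '[^\w.-]', '_'), $stamp)
    $regKey = "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$ExeName"
    & reg.exe export $regKey $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe export failed; nothing was removed" }

    # Only the Debugger value is deleted; other values in the key are left alone
    if ($PSCmdlet.ShouldProcess($keyPath, "Remove Debugger value '$current'"))
    {
        Remove-ItemProperty -LiteralPath $keyPath -Name 'Debugger'
        "Removed Debugger '$current' from $ExeName (backup: $backup)"
    }
}

# Usage: rehearse first, then remove for real
# Remove-IFEODebugger -ExeName 'sethc.exe' -WhatIf
# Remove-IFEODebugger -ExeName 'sethc.exe'
```

Deleting the value stops the hijack, but the debugger binary is still on disk; hash it and handle it under whatever incident process you follow. If the same value reappears after removal, something else (a scheduled task, a service, a policy) is re-creating it and needs to be found.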