Evolution History of RAT Structure

Source: Internet
Author: User

Reprinted with reserved Copyright
Anskya@Gmail.com
Http://www.famdiy.com/
If you want to learn more about RAT architecture, come in and have a look...
The structures of Bifrost, Flux, and Poison Ivy are described in detail.

Let's talk only about the evolution of RAT structure... other technologies are not discussed...
Since BO (Back Orifice) was born, a large number of RATs have appeared one after another...
Familiar ones in China: Glacier, Black Hole, PcShare, Gray Pigeon...
Familiar ones from abroad: Bifrost, Flux, Assasin, Beast, Bandook, Institution, and Poison Ivy...
Each has its own characteristics... including its program structure... there is a lot of impressive work...

[1] Structure introduction:

First generation: standalone EXE structure
Corresponds to a plain C/S architecture...
EXE ----> EXE
Both ends are EXEs... for example, Glacier and Black Hole... nearly all of the first, and even the second, generation of RATs.

Second generation: DLL split structure
In this generation the DLL exists purely to get through the firewall...
Inject code ----> LoadLibraryA
completes the DLL loading.
Or the registry, message hooks, and so on...

2.5: Plug-in architecture
Most of the RAT's functions live in plug-ins...
This is what is called a plug-in RAT. In China only the dark pigeon line makes such a thing,
and there it is purely a decoration...

FWB++ (firewall bypass)
DLL injection... I believe you know FilePacker, Alloy, MoleBox, PEBundle:
map the DLL into the EXE's address space, then patch the jump addresses in the import table...
This way the DLL never has to be loaded (in fact the DLL is mapped into the EXE's space).
FWB++ works the same way~ ho ho~
Tequila Bandita uses DLL stream injection~ It is rarely used in China...

The most powerful plug-in implementation is the Spirit series.
It is almost perfect: powerful code-injection methods, code optimization and integration, and use of the PE structure.
Long ago Spirit4b1 was only 1.37k in size... (API hash search (very cool), LZO compression engine, RT32 injection engine.)
It mainly uses code injection... and then loads DLL plug-ins.

Third generation: code injection...
This technique resembles virus technology...
Write into the host file...
In process injection you can write a call to LoadLibraryA into the target,
so why not write all of the code there...

Technical difficulties: code and data relocation...
obtaining data addresses, and similar problems...
Of course, for a programmer... these are in fact easy to solve...

3.5:
On the NT kernel you can use the ProcessHack technique...
Code replacement and zombie processes are similar techniques.

To sum up, these are the several forms a RAT takes....
So what have I been going on about all this time?? The framework structure of the Trojan...
Next, I will discuss the existing forms of Trojans...

//--------------------------------------------------
Glacier:
A plain EXE; on Win9x it registers itself as a system service to hide its process...

Black Hole, Nuclear RAT, Gray Pigeon, Spook, Wind and Rain, Rivers and Lakes...
all adopt the second-generation form...
EXE + DLL...
This generation is huge...
One way or another, a message hook

Here we will talk about Bifrost, Flux, and Poison Ivy... the Chinese ones are boring. Please forgive my bluntness...
This article is about the framework~ something worth being interested in...

I believe some of my friends are interested in Bifrost, Flux, and Poison Ivy.

Flux, Bifrost, and Poison Ivy all actually use FWB+ technology...
and they all share a common point...
Here, C-One V1.0 (by Caecigenus)
Caecigenus is a good guy. I don't know much about him; at least he can speak French, English, and Chinese...
x140d4n said he is Chinese? Or is he???

C-One is similar to Flux, but its coding technique is not as cool as Gargamel's...
Flux, Bifrost, Poison Ivy, and C-One are all works of the former EES, now ChaseNET

[1] C-One is relatively simple, so let's talk about it first.
1. Installs itself
2. Injects into the default browser
The browser path is obtained from HKEY_CLASSES_ROOT\HTTP\shell\open\command.
Because it does not use the RT32 or EliRT component library,
this RAT does not support Win9x.
The injection method is also very simple:
VirtualAllocEx
VirtualProtectEx
WriteProcessMemory
CreateRemoteThread
WaitForSingleObject
The protocol is also very simple (maddeningly simple... the speed is so slow... and it has an "encryption" algorithm that is at once encrypted and not encrypted)
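The injection sequence above, like the second-generation "inject code, then LoadLibraryA" pattern earlier in the article, is exactly what an endpoint sensor records as a remote-thread event. The following is an added example, not part of the original article and not code from any of the RATs discussed: a small Python triage script over records shaped like Sysmon Event ID 8 (CreateRemoteThread). The field names follow Sysmon; the sample events, the browser list and the allow-list of legitimate remote-thread creators are constructed assumptions for the example.

```python
import ntpath
from dataclasses import dataclass

# Thread entry points used by the classic "inject code -> LoadLibraryA" DLL injection.
LOADLIBRARY_STARTS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}
# Processes a browser-injecting RAT would choose as its host (constructed list, tune per estate).
BROWSER_IMAGES = {"iexplore.exe", "firefox.exe", "chrome.exe", "msedge.exe"}
# Sources that legitimately create remote threads (constructed allow-list; csrss.exe does so
# to deliver Ctrl+C / Ctrl+Break to console programs via kernel32!CtrlRoutine).
ALLOWED_SOURCES = {"csrss.exe"}


@dataclass(frozen=True)
class Alert:
    utc_time: str
    source: str
    target: str
    reason: str


def _image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path (ntpath works on any host OS)."""
    return ntpath.basename(path).lower()


def analyze_event(ev: dict) -> list:
    """Return the alerts raised by one Sysmon-shaped CreateRemoteThread record (Event ID 8)."""
    if ev.get("EventID") != 8:
        return []
    src = _image_name(ev.get("SourceImage", ""))
    tgt = _image_name(ev.get("TargetImage", ""))
    if src in ALLOWED_SOURCES:
        return []
    reasons = []
    start_fn = ev.get("StartFunction", "")
    start_mod = ev.get("StartModule", "")
    if start_fn in LOADLIBRARY_STARTS:
        reasons.append(f"remote thread starts at {start_fn}: second-generation DLL injection pattern")
    if not start_mod:
        # Sysmon leaves StartModule empty when the start address lies outside every loaded module.
        reasons.append("thread start address is not backed by any loaded module: "
                       "third-generation code injection pattern")
    if tgt in BROWSER_IMAGES:
        reasons.append(f"target {tgt} is a browser, the usual firewall-bypass host")
    return [Alert(ev.get("UtcTime", ""), src, tgt, r) for r in reasons]


def scan(events) -> list:
    """Run analyze_event over a sequence of records and flatten the alerts."""
    return [alert for ev in events for alert in analyze_event(ev)]


# Constructed sample records (field names as Sysmon logs them; paths and times are made up).
SAMPLE_EVENTS = [
    {"EventID": 8, "UtcTime": "2024-01-01 10:00:00.000",
     "SourceImage": r"C:\Users\Public\update.exe",
     "TargetImage": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "StartModule": r"C:\Windows\System32\KERNEL32.DLL", "StartFunction": "LoadLibraryA"},
    {"EventID": 8, "UtcTime": "2024-01-01 10:00:05.000",
     "SourceImage": r"C:\Users\Public\dropper.exe",
     "TargetImage": r"C:\Windows\explorer.exe",
     "StartModule": "", "StartFunction": ""},
    {"EventID": 8, "UtcTime": "2024-01-01 10:00:09.000",
     "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\cmd.exe",
     "StartModule": r"C:\Windows\System32\KERNEL32.DLL", "StartFunction": "CtrlRoutine"},
    {"EventID": 1, "UtcTime": "2024-01-01 10:00:10.000",
     "Image": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"{a.utc_time}  {a.source} -> {a.target}: {a.reason}")
```

The first sample record trips two rules at once (LoadLibraryA entry point and a browser target), the second trips only the unbacked-start-address rule, and the csrss.exe record is suppressed by the allow-list. The three rules map onto the three generations the article describes, which is why a StartFunction of LoadLibraryA and an empty StartModule are treated as separate signals rather than one.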

[2] Flux, Bifrost
They use the original structure; one has to admire Gargamel's and ksv's perseverance.
So much code written directly in VC... full code injection...
Same injection method as C-One above, but both use EliRT 1.01

But to avoid being tracked, they first inject code into
assumer.exe and msgsrv32.exe
and then jump from there... Of course, if you are familiar with your debugger tools you can easily inject into whatever process you want
and then analyze its structure... OllyDbg (OD) is enough...

In particular, sending and executing commands all use the same socket and can be operated from multiple threads...
without conflicting with each other. You can view the desktop and the webcam and transfer files, and do other things as well.
You can see that the author's skill is high... no Chinese RAT can do this...
PcShare also uses an HTTP-tunnel duplex... one function per thread~ two sockets
Eight main functions means 2*8 = 16 socket tunnels... (it shouldn't be that scary)

There's nothing to say about the code injection. It's just experience... you'll understand it after tracing it yourself.
How does Bifrost provide more functions than Flux??
Plug-ins! Plug-ins!~~ Of course, it does not use LoadLibraryA to load the DLL, or you would spot it...
It uses the Bo2k plug-in approach to bring in the code... map the DLL into the EXE process and then call into it...
Interesting... (the new version of Poison Ivy is also said to use this...)
Flux's socket survivability is better than Bifrost's and it is smaller, but presumably the number of Flux connections is not large.
Not even an I/O model is used... (sweat)

[3] Poison Ivy... horrible guy
I used to find the structure of Poison Ivy amazing... it's so small.
How can the functionality be this good? It violates the "conservation of energy" law. Is shapeless technology that advanced?
IDA + OD took it apart...
Because almost all APIs are found by searching memory, not through GetProcAddress...
with a self-written hash function... the CRC32b hash algorithm...
Briefly tracing it in OD showed that the Poison Ivy code is not well written in places
(the code optimization is not as refined as Spirit's~)
The code is not elegant at all, but it is easy to trace and analyze in OD... no code-optimization tricks are used.
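Resolving imports by hashing export names (Spirit's "API hash search" mentioned earlier, and Poison Ivy's CRC32 lookup described here) is what leaves a sample with no readable import table in IDA. The following Python is an added example written for this article, not Poison Ivy's or Spirit's own code: it rebuilds the lookup table an analyst needs to label those hash constants. It assumes the hash is the standard CRC-32 (crc32b, reflected polynomial 0xEDB88320) over the plain ASCII export name with no seed or case folding; the export name list is a constructed subset.

```python
import zlib

# Export names an analyst would want in the table (constructed subset for the example;
# a real table is built by walking the export directories of kernel32, ntdll, ws2_32, ...).
KNOWN_EXPORTS = {
    "kernel32.dll": ["VirtualAllocEx", "VirtualProtectEx", "WriteProcessMemory",
                     "CreateRemoteThread", "WaitForSingleObject", "LoadLibraryA",
                     "GetProcAddress", "CreateThread", "VirtualAlloc"],
    "ntdll.dll": ["RtlGetCompressionWorkSpaceSize", "RtlCompressBuffer", "RtlDecompressBuffer"],
    "ws2_32.dll": ["WSAStartup", "socket", "connect", "send", "recv"],
}


def crc32_hash(name: str) -> int:
    """Standard CRC-32 ('crc32b', reflected polynomial 0xEDB88320) over the ASCII export name.
    Assumption for this example: no seed, no case folding, no extra XOR on the result."""
    return zlib.crc32(name.encode("ascii")) & 0xFFFFFFFF


def build_table(exports=KNOWN_EXPORTS, hasher=crc32_hash) -> dict:
    """Map hash -> ['dll!Name', ...]; a list so that collisions between DLLs stay visible."""
    table = {}
    for dll, names in exports.items():
        for name in names:
            table.setdefault(hasher(name), []).append(f"{dll}!{name}")
    return table


def resolve(hash_value: int, table: dict) -> list:
    """Names whose hash equals the 32-bit constant seen in the sample (empty if unknown)."""
    return table.get(hash_value & 0xFFFFFFFF, [])


def annotate(immediates, table: dict) -> dict:
    """Given 32-bit immediates pulled from a disassembly (for instance the values pushed before
    each call to the hash-lookup routine), return the subset that names a known export."""
    return {imm: resolve(imm, table) for imm in immediates if resolve(imm, table)}


if __name__ == "__main__":
    table = build_table()
    # Constructed stand-in for constants harvested from a disassembly listing.
    harvested = [crc32_hash("CreateRemoteThread"), crc32_hash("connect"), 0xDEADBEEF]
    for imm, names in annotate(harvested, table).items():
        print(f"0x{imm:08X} -> {', '.join(names)}")
```

If a sample's constants produce no hits, the `hasher` argument of build_table is the place to try the usual variants (upper-cased names, a per-sample seed, or an entirely different routine lifted from the binary) without touching the rest of the workflow; the returned lists also make it obvious when two exports collide under a weak hash.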

Why do I say it is horrible... at first I thought it was the same as Bifrost...
transfer the plug-in and then control through it...
After three levels of jump analysis in OD (a first note on assumer.exe... be careful when tracing in OD~ it is easy for the program to get into an endless loop.
The main cause: looking up the assumer.exe process always returns 0!... and it waits until
assumer.exe is present. You can manually enter the PID of the assumer.exe process, or of
Notepad or Calculator... that makes it easy to trace..)
packet capture analysis... + IceSword observation... showed that Poison Ivy
is not implemented by transmitting... plug-ins...
On the first use the feature code itself is transmitted directly~
(
The data packet is compressed, not encrypted... NTDLL's RtlGetCompressionWorkSpaceSize,
RtlCompressBuffer, RtlDecompressBuffer
) The data is compressed... you can dump the data packet and decompress it yourself, then try again.
It is all in plain text. The result is good. I learned the data packet structure~ I like their style
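Since the Poison Ivy packets are only compressed with RtlCompressBuffer, dumping and decompressing them is the whole of the "decryption". The decompressor below is an added example, not code from the article or from Poison Ivy; it assumes the packets use LZNT1, the compression format RtlCompressBuffer offered on the Windows versions of that era (COMPRESSION_FORMAT_LZNT1), and the compressed sample bytes are constructed by hand for the example so that it runs offline.

```python
import struct


def _decompress_chunk(src: bytes, pos: int, end: int, out: bytearray) -> int:
    """Expand one compressed LZNT1 chunk occupying src[pos:end] onto `out`; return new pos."""
    chunk_start = len(out)
    while pos < end:
        flags = src[pos]
        pos += 1
        for bit in range(8):          # one flag bit per item, LSB first
            if pos >= end:
                break
            if not (flags >> bit) & 1:
                out.append(src[pos])  # literal byte
                pos += 1
                continue
            token = struct.unpack_from("<H", src, pos)[0]
            pos += 2
            # The split of the 16-bit token between displacement and length widens with the
            # number of bytes already produced in this chunk: 4 displacement bits for the
            # first 16 bytes, 5 bits up to 32, 6 bits up to 64, and so on.
            produced = len(out) - chunk_start - 1
            length_mask, disp_shift = 0xFFF, 12
            while produced >= 0x10:
                length_mask >>= 1
                disp_shift -= 1
                produced >>= 1
            length = (token & length_mask) + 3
            disp = (token >> disp_shift) + 1
            if disp > len(out) - chunk_start:
                raise ValueError(f"back-reference before chunk start at offset {pos - 2}")
            for _ in range(length):   # byte-wise copy so overlapping runs repeat correctly
                out.append(out[-disp])
    return pos


def lznt1_decompress(data: bytes) -> bytes:
    """Decompress an LZNT1 stream as produced by RtlCompressBuffer (LZNT1 format)."""
    out = bytearray()
    pos = 0
    while pos + 2 <= len(data):
        header = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if header == 0:               # end-of-stream marker
            break
        size = (header & 0x0FFF) + 1  # bytes following the header; bits 12-14 are a signature
        end = pos + size
        if end > len(data):
            raise ValueError("truncated chunk")
        if header & 0x8000:           # bit 15: chunk is compressed
            _decompress_chunk(data, pos, end, out)
        else:                         # stored chunk, copied verbatim
            out += data[pos:end]
        pos = end
    return bytes(out)


# Constructed stand-in for a dumped packet: one compressed chunk, one stored chunk, terminator.
SAMPLE_DUMP = bytes([
    0x0D, 0xB0,                     # header: compressed, 14 bytes follow
    0x08, 0x41, 0x42, 0x43,         # flags 0b00001000; literals A B C
    0x06, 0x20,                     # token 0x2006: disp 3, length 9 -> "ABCABCABC"
    0x44, 0x45, 0x46, 0x47,         # literals D E F G
    0x02, 0x48,                     # flags 0b00000010; literal H
    0x02, 0x80,                     # token 0x8002 (now 5 disp bits): disp 17, length 5 -> "ABCAB"
    0x02, 0x30, 0x58, 0x59, 0x5A,   # stored chunk: "XYZ"
    0x00, 0x00,                     # end of stream
])

if __name__ == "__main__":
    print(lznt1_decompress(SAMPLE_DUMP))
```

Feed the function the payload bytes of a captured packet once any framing the RAT puts in front of the compressed buffer has been stripped; the first chunk of the constructed sample deliberately crosses the 16-byte boundary so that the displacement-width change, the part of LZNT1 most hand-written decoders get wrong, is exercised.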

Because the function code is transmitted directly (and is not transmitted the second time...)
it's really scary... because it is recorded, it does not need to be transferred again the second time... all functions are then implemented locally.
... What will happen?? Haha~ Interesting, isn't it...
The same as the active-function RAT I made earlier (reverse connection; with file management and process management added it was only 945 bytes, written in nasm)

Active function type? The first time I saw drocon on TT I felt the same about this little fat guy (he got a message from x140d4n!)
It's amazing~ Drocon mainly works on asm code optimization and does a good job. I like his coding style.
Especially the code optimization is really good... PS: x140d4n, when will I show him...

Then, there are some differences between Poison Ivy, Flux, and Bifrost.
It supports multi-threaded transfer of multiple files at the same time. To keep the socket stable, it uses multiple sockets during file
transmission... the other functions still keep their own independent socket

The same multi-threaded operation... but the controller's online rate does not seem very high, and no thread pool is used.
So thread switching wastes too much time... you can observe this..
Use IceSword to open the injected process. Every time you refresh a directory or perform an operation, is there an extra thread in the program???
Haha~ In addition, Poison Ivy still has a lot of imperfections, but now the VIP version has come out... there is not much chance to analyze it.
Alas~ Who will benefit the elderly? There is nothing to do at home but sell for money; I too write at home every day for money~~

In summary, is it now clear how the Poison Ivy code is implemented, or is it still confusing?
1. The controller connects to the controlled end

2. The controller sends the active function code to the controlled end...

3. The controlled end allocates new memory to hold the active function code (there is a BUG here: when the controller sends the function code repeatedly,
it does not release the old block and simply allocates again, so the active function code is never released~)

4. When the controller sends the control command again, the controlled end starts calling the active function code it received at the beginning...
(Each call runs in a newly created thread, so a large number of idle threads build up... it seems CloseHandle is not used to close the thread handles???)

5. What else can I say? Dump it yourself~ check the data packets...


Okay, that's it for now. Uploading an old rough article of mine; follow up with any good ideas...

 
