How hackers Use thread injection technology to hide their own viruses

From http://wz.csdn.net/url/536354/

Hiding is the nature of viruses. In the industry's definition of viruses, "Concealment" is a basic feature of viruses, any virus can be hidden from the infected computer, because the virus can only be destroyed without being detected. To achieve this goal, many viruses use different technologies to bypass the test of anti-virus software, which produces a variety of hidden forms of viruses that cause headaches to common users. Because the behavior characteristics of the Trojan and backdoor have already met the virus conditions, the trojan and backdoor are also described as viruses.

Originator: Hiding windows, hiding processes, and hiding files

In the early days of computer popularity, computer viruses, Trojans, backdoors, and other harmful programs were not widely popularized among common users, in this period, the user group has almost no awareness of computer and network security. Common User systems are mostly Vulnerable Windows 95/98 series and telephone line dialing slow networks, that period of time was the prime time when foreign Trojan "BO" and domestic Trojan prototype "glacier" and "NetSpy" appeared to be widely used in many aspects of technology., many users do not have firewalls or anti-virus software at all (even if they do, they are mainly responsible for killing CIH). Even if hackers from far away turn users' computers to the ground, users will not be aware of this. This period has seen a relatively small number of people familiar with such technologies, so it has not caused the spread of this virus everywhere.

At this stage, Chinese users' machine environments are still dominated by Windows 9x, so virus writers do not need to spend too much time to make the virus run quietly, and make it invisible in the task manager that calls out by ALT + DEL + ctrl.

We all know that the program interface running in Windows is defined as a "window". The program interacts with the user through this channel, and each complete program must have at least one window, but what if the writer sets this window to "invisible" during running? In this way, the user will not notice that the program is running on the desktop, but if you have experience opening the task manager, he will be suspicious of the process that exists in the system. Therefore, virus writers used the initial form of hidden means during this period: hidden processes.

In fact, the so-called hidden process is to use the application programming interface (application interface) function "registerserviceprocess", which is not disclosed by Microsoft, to register itself as a "service process ", in fact, the job manager in Windows 9x does not display such a process. The result is that the virus has been exploited to allow trojans such as glaciers to settle down on the machines of most common users in China.

In the early backdoor technology, another basic behavior is to hide files. Compared with today's various hidden methods, it can be described as a "no stream" level-the "hidden" mentioned here is simply to set the file attribute to "hidden". In addition, there is no other protection means, however, the default "do not show the system and hide the file" approach is designed to prevent beginners from deleting files randomly (in the Windows 2000/xp era, this method is upgraded to "hiding protected system files ), however, these viruses provide a natural stealth location-most users who are unfamiliar with computer operations do not know the meaning of "Hidden Files, not to mention setting it as "show all files". In the era when security software vendors began to explore the market, users would not pay attention to too many security products and their actual meanings, therefore, this period has become an important stage in the development of Trojan technology in various early stages. Trojans created using this method are collectively referred to as "the first generation of Trojan ".

From the current technology and perspective, the discovery and cleaning of these early technical works is relatively simple, because the "process hiding" technology they use is no longer valid on Windows 2003, xp, and operating systems on the nt System, you can directly use the task manager that comes with the system to discover and Quickly terminate processes, then, set "show all files" and "Hide protected system files" in "Control Panel"> "Folder Options ", you can find the hidden Trojan program. For Windows 9x users, you can easily find any third-party process management tool, such as the process management component of "Windows optimization master.

Continued development: dll Trojans using thread Injection Technology

Although Trojan viruses and rogue software using "thread injection" have blossomed everywhere, however, those who have gone through the chaos era will not forget the fear of the first dll Trojan named "ghost of the World" using "thread injection, what is thread injection? Next Let's explain in detail.

First, the user may not understand the meaning of the "thread", but to explain the "thread", the concept of "process" cannot be mentioned first. Many users who are new to computing machines cannot understand what a process is: they often hear experts say they open the task manager and close a process. But when they see a bunch of things in the Task Manager List, the header is big. Many users know that they use the service manager to close some failed tasks. However, if a task does not appear in the "application" list, they will be overwhelmed. What is a process? "Process" refers to the data information block that the system requests to open to an executable file in the memory during running, by controlling this data block, the system provides data exchange for running programs and determines the survival period of programs. Any program must have at least one progress; otherwise, it will not be recognized by the system.

In one aspect, a process is an executable file that copies itself from the storage medium to an image in the memory. It usually corresponds to a file on the disk, A complete process information includes a lot of data. The "application" tab we see in the process viewing tool contains the process title, the "process" tab contains the process file name, process identifier, and memory usage. Among them, "process file name" and "process identifier" are essential, the process identifier is the unique number specified by the system when it is allocated to the process memory space. The number remains unchanged during the process from loading the memory to the end of running, the process file name corresponds to the media storage file name. Based on the process file name, we can find the initial executable file location.

The "task" listed in the "application" item of the task manager refers to the window object displayed by the process on the desktop, for example, if you open the word 2003write document, then the process winword.exe will create a front-end window displayed on the desktop. This window is the "task" visible in the task manager. In fact, the process is actually running winword.exe ". Not all processes leave "tasks" in the task manager, such as qq, msn, and all background programs. They do not appear in the task list, but you will find them in the process list. What if you want them to appear in the task list? You only need to generate a form that appears on the desktop. Simply open a friend chat and you will find that the qq task is finally displayed in the task list. Therefore, the true scientific program for terminating a program execution is to end the program running for the "process" instead of closing the program in the task list, because the trojan authors won't let their Trojans appear in the task list, but the process list is mostly inaccessible.

The "Thread" refers to multiple execution progress instances generated in a process. For example, if a network file transfer program runs only one thread (single thread, the execution efficiency is very low, because it needs to read file data from the network, save the file to the disk, and draw the current transmission progress bar, from the code point of view, these operations can only be executed in a single order, so the program cannot draw a transmission progress bar while saving the data, even if the programmer barely makes it together for execution, in the user's opinion, the response of this program will be very slow or even directly collapsed, while the multi-thread technology is generated to solve this problem, applications compiled using the "multithreading" technology can generate multiple operation instances that are executed simultaneously during runtime, for example, a network file transfer program using the "multi-thread" technology can separate three progresses to simultaneously perform network data transmission, file storage operations, and draw transmission progress bars, so in the user's opinion, this program runs smoothly, which is the role of the thread. When the program runs, only one process can be generated, but multiple threads can be generated in the memory space of the process (an independent memory field opened up for normal execution of the program, there is at least one default thread, called the "main thread", which is the running part of the main code of the program.

So what does "thread injection" mean? In fact, its full name is "remotethread injection". Generally, the memory space of each process is not accessible to each other, this also lays the foundation for stable running of the program. This access restriction makes all processes independent from each other, the crash of any non-system critical process will not affect the execution of processes in other memory spaces, so that the stability of the nt architecture is much higher than that of the win9x architecture. However, in some specific scenarios, mutual access and management must be enabled between processes. This is the original intention of the "remote thread" technology, which enables cross-memory space access between processes, its core is to generate a special thread, which can connect a piece of Execution Code to the memory space of another process and run it as one of the non-core threads of another process, this connection is called injection ). Remote thread technology is better than a vine that is parasitic on a big tree. Once the target process is injected, this new thread becomes part of the code of the target process, as long as the target process is not terminated, whether or not the original process is still running will no longer affect the execution result.

What is "hook" technology essential to "thread injection"? What is this "hook? Its official definition is as follows:

Hook is a platform for message processing in Windows. Applications can set sub-processes on the platform to monitor messages in a specified window, the monitored window can be created by other processes. When a message arrives, process it before the target window processing function. The hook mechanism allows applications to intercept and process window messages or specific events.

A hook is actually a program segment for message processing. It is called by the system and mounted to the system. When a specific message is sent, the hook program first captures the message before it reaches the target window, that is, the hook sub-function obtains control. In this case, the hook function can process (Change) the message, continue to transmit the message without processing it, and forcibly end the message transmission.

Here, the trojan writer first loads a dll file that is actually the main body of the Trojan into the memory, and then injects it into the memory space of other processes through the "thread injection" technology, finally, the code in this dll becomes a part of other processes to implement its own hidden execution. by calling the "hook" mechanism, this dll Trojan can monitor users' input and output operations, intercept useful information and other operations. The actual execution body of this trojan is a dll file. Because the Windows system itself contains a large number of dll files, no one can tell at a glance which dll file is not provided by the system, therefore, the concealment of this trojan improves Level 1 and its execution method is more concealed. This is determined by the features of the Windows system. Windows itself uses a large number of dll systems, many dll files are loaded into the memory and executed by related applications at startup, but who directly saw a dll running in the process? Because the system regards dll as a module-type execution body, it only contains a bunch of modules output in the form of functions, that is to say, each dll needs to be loaded by an exe of a function that uses it. After the function in the dll is executed, a running result is returned to the exe that calls it, then, the dll process exits from the memory and ends the execution process. This is the standard dll running cycle. This is not the case with the "thread injection" technology. Although they are also export functions, however, their code has execution logic. Such a module is like a common exe, but it cannot be directly started by itself. Instead, it needs a special program (called the loader) the generated process loads the main function of this dll into the memory for execution, so that it becomes a running Trojan program.