How viruses achieve concealment: secrets of virus concealment technology

Source: Internet
Author: User
Tags: execution, thread

Concealment is in the nature of a virus. In the industry definition, "concealment" is one of the most basic characteristics of a virus: every virus wants to remain undiscovered on the infected computer, because only while it stays undiscovered can it carry out its destructive behavior. To achieve this, many viruses use a variety of techniques to evade detection by anti-virus software, producing the many hidden forms of virus that give ordinary users headaches. Because the behavioral characteristics of backdoor Trojans meet the criteria for a virus, Trojans and backdoors are also described here collectively as viruses.

Pedigree: hiding windows, hiding processes, hiding files

In the early days of popular computing, viruses, Trojans, backdoors and other harmful programs were not yet widespread among ordinary users. The user community of that period had almost no awareness of computer and network security, and the typical user system was the fragile Windows 95/98 series on a slow dial-up telephone line. That was the golden age of the foreign Trojan BO and the domestic early Trojans "Glacier", "Netspy" and others, remote control software whose technology now looks quite simple in every respect. Many users had no firewall or anti-virus software (and where they did, it was there to kill CIH), so even when a remote hacker turned the user's computer upside down, the user noticed nothing. Relatively few people came into contact with such technology in that period, so it did not cause the kind of everywhere-spreading virus epidemic seen today.

Because the mainstream machine environment of domestic users in this phase was still Windows 9x, virus writers did not need to spend much effort to make a virus run silently and keep it invisible in the Task Manager brought up with Ctrl+Alt+Del.

As everyone knows, the interface of a program running under Windows is defined as a "window", through which the program interacts with the user, and every complete program has at least one window. But what if the writer sets the window to be invisible at run time? Users will not notice that the program is running on the desktop. An experienced user who opens the Task Manager, however, may become suspicious on finding extra processes in the system, so the virus writers of this period adopted the primary form of hiding: hiding the process.

In fact, so-called process hiding means calling the undocumented Microsoft API (Application Programming Interface) function "RegisterServiceProcess" to register the program as a "service process". The Task Manager in Windows 9x happens not to display such processes, and the result was a loophole that viruses drilled through, letting "Glacier" and other Trojans settle into the machines of most ordinary domestic users.

Early backdoor technology also had another basic behavior, hiding the file, which compared with today's many hiding methods is of a rather low-grade level: the "hiding" here simply set the file's attributes to "hidden", with no other means of protection. However, because the system was designed to stop beginners from deleting files at random and defaulted to "Do not show hidden and system files" (upgraded to "Hide protected operating system files" in the Windows 2000/XP era), this gave the virus a natural hiding place. Most users unfamiliar with computer operation did not know what a "hidden file" meant, let alone how to set "Show all files". In an era when security software vendors had only just begun to explore the market, users paid little attention to security products or their actual meaning, so this period became an important stage in the development of early Trojan technology, and Trojans made with these means are collectively known as the "first generation of Trojans".

With today's technology and perspective, discovering and cleaning up works of this early technology is relatively simple, because the "process hiding" technique they use is ineffective on the NT-family systems Windows 2000/XP/2003: the system's own Task Manager can detect the process directly and terminate it quickly, and then setting "Show all files" and unchecking "Hide protected operating system files" under Control Panel > Folder Options reveals the hidden Trojan program. Windows 9x users can easily discover them with any third-party process management tool, such as the process management component of Windows Optimizer Master.
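The two checks described above (show hidden and system files, then inspect the real process list rather than the "Applications" tab) can be scripted on an NT-family system. The following PowerShell script is an added example written for this page, not code from the original article or from any product it mentions; the scan root `$ScanRoot` and the "trusted directories" heuristic are assumptions you should adapt to your environment.

```powershell
# Added defender-side example (not from the original article): list files that
# Explorer hides by default, then inventory running processes with their on-disk
# image path, which the Task Manager "Applications" tab never shows.
# $ScanRoot is an assumption; point it at the directory you want to audit.
param(
    [string]$ScanRoot = "$env:SystemRoot\System32"
)

function Get-HiddenFiles {
    param([string]$Path)
    # -Force makes Get-ChildItem return items that the Explorer defaults hide.
    Get-ChildItem -Path $Path -File -Force -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Attributes.HasFlag([IO.FileAttributes]::Hidden) -or
            $_.Attributes.HasFlag([IO.FileAttributes]::System)
        } |
        Select-Object FullName, Attributes, LastWriteTime, Length
}

function Get-ProcessInventory {
    # Win32_Process exposes the executable path and command line of every
    # process, whether or not it owns a visible window.
    Get-CimInstance -ClassName Win32_Process |
        Select-Object ProcessId, Name, ExecutablePath, CommandLine |
        Sort-Object Name
}

"== Hidden or system-attributed files under $ScanRoot =="
Get-HiddenFiles -Path $ScanRoot | Format-Table -AutoSize

"== Running processes (a hidden window does not hide a process from this list) =="
Get-ProcessInventory | Format-Table -AutoSize

# Processes whose image lives outside the Windows or Program Files trees deserve
# a closer look. This is a triage heuristic (an assumption of this example),
# not proof of infection: legitimate software is also installed elsewhere.
$trusted = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ }
"== Processes running from outside the system and program directories =="
Get-ProcessInventory |
    Where-Object {
        $p = $_.ExecutablePath
        $p -and -not ($trusted | Where-Object { $p -like "$_\*" })
    } | Format-Table -AutoSize
```

Run it from an elevated PowerShell so that `ExecutablePath` is populated for processes owned by other users. Each hidden file should be matched against the software that is expected to own it; the attribute alone is not evidence, since Windows itself marks many legitimate files hidden or system.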

Continued development: the DLL Trojan using thread injection technology

Although Trojans, viruses and rogue software using "thread injection" have now sprung up everywhere, people from that chaotic era will not forget the fear brought at the time by the first DLL Trojan to use "thread injection", "Broad External Phantom". What exactly is "thread injection"? Let us explain in detail below.

First, users may not understand what a thread is, and to explain threads one must first introduce the concept of a process. Many users who have only just started with computers cannot understand what a "process" is: they often hear an expert say "open Task Manager and close a certain process", but when they see the pile of things in the Task Manager list, their heads swim. Many users know how to use Task Manager to close an unresponsive task, but if a task does not appear in the Applications list, they are at a loss. So what exactly is a "process"? A process is the block of data that an executable file asks the system to open for it in memory while it runs; by controlling this block, the system provides data exchange for the running program and determines the program's lifetime. Every program has at least one process, otherwise the system does not recognize it.

A process is, in a way, the image an executable file makes of itself when it is copied from the storage medium into memory, and it usually corresponds to a file on disk. A complete process record contains many kinds of data. The Applications tab we see in Task Manager contains the process's window title, while the Processes tab contains the process file name, the process identifier and the memory consumed. The process file name and the process identifier are the keys that must be mastered: the process identifier is the unique number the system assigns when it allocates memory space to the process, and it does not change from the time the process is loaded until it finishes running. The "process file name" is the name of the corresponding file on the storage medium, and from it we can find the location of the original executable.

The "tasks" listed under the Applications item of Task Manager are the window objects a process displays on the desktop. For example, when a user opens a Word 2003 document, its process "winword.exe" creates a foreground window visible on the desktop, and that window is what Task Manager shows as a "task"; what is really running is the process "winword.exe". Not every process leaves a "task" in Task Manager: QQ, MSN and all background programs do not appear in the task list, but you will find them in the process list. If you want them to appear in the task list, just have them create a window on the desktop: casually open a chat with a friend and you will find that a QQ task finally appears in the task list. The truly scientific way to terminate a program is therefore to end its "process", rather than closing the program from the task list, because Trojan authors will not let their Trojans appear in the task list, but the process list is something ordinary programs cannot escape.

A "thread" is an instance of execution progress generated within a process. Take a simple example: a network file transfer program that has only one thread (single-threaded) executes inefficiently, because it must read file data from the network, save the file to disk and also draw the current transfer progress bar. From the code's point of view these operations can only execute in sequence, so the program cannot save data and draw the progress bar well at the same time; even if the programmer reluctantly squeezes them into one execution path, to the user the program will appear to respond very slowly or even crash outright. "Multithreading" technology was designed to solve this problem: an application written with multithreading can produce multiple simultaneously running instances, so a multithreaded network file transfer program can split into three progresses that perform the network data transmission, the file save operation and the drawing of the transfer progress bar at the same time, and to the user the program runs very smoothly. That is the role of threads. A running program generates only one process, but within the process's memory space (the isolated memory region the system opens up so the program can execute normally) multiple threads may be generated, with at least one default thread, called the "main thread", which runs the program's main code.

So what does "thread injection" mean? Its full name is actually "remote thread injection". Normally, the memory space of one process cannot be accessed by another; this is also what lays the foundation for programs to run stably. The access restriction keeps all processes independent of one another, so that the crash of any process, even a system-critical one, does not affect the execution of processes in other memory spaces, which makes the NT architecture far more stable than the Win9x architecture. On certain occasions, though, processes must access and manage one another, and that is what "remote thread" technology is designed to achieve across process memory spaces. Its core is the creation of a special thread that attaches a piece of executable code to the memory space of another process and runs it as one of that process's non-core threads, so as to exchange data; the attaching procedure is called "injection". Remote thread technology is like a vine on a tree: once the target process is injected, the new thread becomes part of the target process, and as long as the target process is not terminated, whether the original process is still running no longer affects the result.
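Because an injected thread becomes part of the target process, the defender's view of it is the target process itself: its loaded modules (a DLL Trojan appears there once loaded) and its threads (a thread started in memory that belongs to no module is a classic symptom of injected code). The following PowerShell script is an added example written for this page, not code from the original article or from any product it mentions; it uses only the public `System.Diagnostics.Process` properties, and `$ProcessName` and the "trusted directories" heuristic are assumptions to adapt.

```powershell
# Added defender-side example (not from the original article): for every
# process with the given name, list loaded modules that live outside the
# Windows/Program Files trees and threads whose start address lies outside
# every loaded module. Both are symptoms of a DLL or code injected by a
# remote thread. $ProcessName is an assumption; choose any running process.
# Run elevated, from a PowerShell of the same bitness as the target process,
# otherwise reading the module list fails.
param(
    [string]$ProcessName = "explorer"
)

function Get-ModuleRange {
    param([System.Diagnostics.Process]$Proc)
    # One record per loaded module with its [Start, End) address range.
    foreach ($m in $Proc.Modules) {
        [pscustomobject]@{
            Name  = $m.ModuleName
            Path  = $m.FileName
            Start = $m.BaseAddress.ToInt64()
            End   = $m.BaseAddress.ToInt64() + $m.ModuleMemorySize
        }
    }
}

function Test-InjectionSymptoms {
    param([System.Diagnostics.Process]$Proc)
    # Trusted-location heuristic: an assumption of this example, not a rule.
    $trusted = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ }
    try { $ranges = @(Get-ModuleRange -Proc $Proc) }
    catch { Write-Warning "Cannot read modules of PID $($Proc.Id): $_"; return }

    foreach ($r in $ranges) {
        $inTrusted = $trusted | Where-Object { $r.Path -like "$_\*" }
        if (-not $inTrusted) {
            [pscustomobject]@{
                Kind   = 'Module'
                Detail = $r.Path
                Note   = 'loaded from outside the system and program directories'
            }
        }
    }
    foreach ($t in $Proc.Threads) {
        $addr  = $t.StartAddress.ToInt64()
        $owner = $ranges | Where-Object { $addr -ge $_.Start -and $addr -lt $_.End }
        if (-not $owner) {
            [pscustomobject]@{
                Kind   = 'Thread'
                Detail = ('TID {0} start 0x{1:X}' -f $t.Id, $addr)
                Note   = 'start address not inside any loaded module'
            }
        }
    }
}

foreach ($proc in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
    "== $($proc.ProcessName) (PID $($proc.Id)) =="
    $findings = @(Test-InjectionSymptoms -Proc $proc)
    if ($findings.Count -eq 0) { "no symptoms found" }
    else { $findings | Format-Table -AutoSize }
}
```

Treat the output as triage input, not a verdict. The thread check produces false positives for processes that generate code at run time (.NET and other JIT runtimes, some packers), and a DLL injected through a thread that starts in a system library will pass the thread check while still showing up in the module list, which is why the script reports both. Comparing the module list of a suspect process against the same process on a known-clean machine is the quickest way to separate the two.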
