Technical Analysis of rogue software and anti-rogue software

The technology of rogue software is varied. Any function may become a rogue technology, just like a weapon. If it is used, justice can be done. If it is used properly, it can be used as an accomplice to evil.

First, I started with some rogue Analysis in win32:

1. As a rogue software, the first thing I want to do is to run it in real time. For example, in the registry run, add the startup tool under boot. This should be an old method. In the past, 3721 seemed to be running, but now the average person knows it.

2. As a rogue software, he has changed some of the features of previous Trojans. Instead of starting the trojan in real time, he needs to start it again. For example, opening a browser window, this is a general method of rogue software, because he needs to connect to the Internet to have benefits, so the browser must be a process of rogue software monitoring.

3. The use of BHO plug-ins was a popular technology earlier. This is an interface provided by Microsoft and is intended to allow IE to expand its functions. Whenever an IE browser is started, it will call the necessary plug-ins under BHO, which is used by rogue software. Monitors all browser events and information.

4. The most stupid way is to use the process snapshot to monitor the process and determine that the process under its own monitoring is started. Then, you can use atl to get the browser pointer to monitor all browser events and information.

5. Another way is to use spi, which I can see on the Internet. Spi is a layered protocol. When winsock2 is started, it will call its dll to monitor all application layer data packets. This monitors user information and enables real-time startup.

6. The hook method and hook Technology can be widely used, especially in monitoring. Therefore, rogue software will not be missed. The first application is the api function hook, such as the apihook class in windows core programming or Microsoft's detous class. The two methods are the same: Modify the IDT function entry address. The api hook hooks createprocess to monitor the process, which has better performance than the process snapshot. You can hook the functions under spi to complete all the functions under spi. There are also hook messages, mouse messages, keyboard messages, daily messages, and so on. There are too many methods available.

The above lists how to use rogue software, but one feature of rogue software is that it cannot be detached. So it will use the following method again.

Because many of the methods above can delete the registry and uninstall them, what should we do? It will monitor the registry items from time to time, and it will monitor the registry items in its processes or threads, set up a loop monitoring. if it finds it is missing, install it and add it. I think this should be the technology of many rogue software.

Now there is another new problem, that is, what if the process thread of the rogue software is terminated ??? West view

7. One method is the above api hook technology. It hooks openprocess and uses its own function to determine whether the process is enabled and returns the correct result. This method is used, users or general software cannot end their processes.

8. Another kind is that the above is like bho, spi has no process at all. A normal user cannot delete him or her.

9. Another method is remote threads. This technology is also widely used. The first is to apply for a piece of memory space in the target process like the api hook, and then map it by yourself, then, use CreateRemoteThread to create a remote thread. Generally, many rogue software or some previous trojan programs inject threads into system processes, such as explorer and service. It is difficult to process or stop using the user or general anti-virus software ..

10. After registering as a service, you can simply hide the process. What's even more ridiculous is that after the process name is the same as some system process names, such as lsass, it will not end.