The charm of Hacker's Door: infection and loading (with figures) _ Vulnerability Research

Source: Internet
Author: User
Backdoors have attracted a lot of interest and discussion on the Internet recently. Several people mentioned that "Hacker's Door" is very powerful and is one of the more successful backdoors released, so I downloaded it from the Internet to study it and learn its methods and techniques along the way. Rather than keep the notes to myself, I share them here and hope the experts will offer their advice.

Introduction to "Hacker's Door"

Hacker's Door uses several of the more advanced backdoor techniques currently available. It consists of a single DLL file that starts itself by infecting a system file, and the size and date of the infected system file do not change. It uses thread insertion, so it has no process of its own; it opens no port of its own either, but reuses any port the host system process already has open, such as 80, 135, 139 or 445, so it hides very well and passes through firewalls with ease. This version is small and provides only a handful of useful commands. At present no tool can find this backdoor; Fport, llister, rkdetector and other search tools all fail.
Self-starting of the program

Since it is a backdoor, it must start together with the system. According to the Hacker's Door documentation, it achieves this by infecting a system program file. Since it infects system files (like a virus), let us look at how a system file differs before and after infection. To test this I prepared a file specifically to be infected, TestLoad.exe. It has no function other than popping up a dialog box, so it is ideal for testing: small as it is, it spares the real system files. Then run the command:

C:\>rundll32 Hkdoordll,dllregisterserver TestLoad.exe 2
This makes Hacker's Door infect TestLoad.exe. After the infection completes, use the EXE viewer eXeScope to see how TestLoad.exe differs before and after infection.

The structure of TestLoad.exe before infection, as shown by eXeScope, is shown in Figure 1:


The structure of TestLoad.exe after infection is shown in Figure 2:



Figure 2


After infection, the import table of TestLoad.exe contains one additional import library, Hkdoordll.dll. On closer inspection, the import table address (ITA) of TestLoad.exe has also changed: the original ITA is 0x000043FC, and after infection it is 0x0000477E.
To look further at the changes in the file, use LordPE.exe to compare the import table functions of TestLoad.exe before and after infection; the results are shown in Figure 3:



Figure 3
Tip: To view the import table functions of an EXE file in LordPE.exe, click PE Editor and open the file, then click Directories; in the dialog that pops up, click the "..." button to the right of Import Table. This shows the import table of the executable.

As you can see, the infection merely adds an entry for Hkdoordll.dll to the import table, so that when the infected program runs again, the system loader searches for Hkdoordll.dll and maps it into the infected program's address space, and the backdoor runs. This self-starting method of Hacker's Door is worth learning from; it is quite clever.
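To make the import-table comparison the article does by hand in eXeScope and LordPE repeatable, here is an added example (not part of the original article, and not code from Hacker's Door itself) that parses the import directory of a PE32 image and reports any DLL a clean baseline does not import. The function names `imported_dlls`, `unexpected_imports` and `build_test_pe` are this example's own, and `build_test_pe` only builds a constructed test fixture, not a real executable.

```python
import struct

def _rva_to_offset(sections, rva):  # map an RVA to a file offset via the section table
    for va, size, raw in sections:
        if va <= rva < va + size:
            return rva - va + raw
    raise ValueError("RVA 0x%x is not backed by any section" % rva)

def imported_dlls(data):
    """Return (import table RVA, [DLL names]) for a PE32 image held in memory."""
    nt = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsect = struct.unpack_from("<H", data, nt + 6)[0]
    opt_size = struct.unpack_from("<H", data, nt + 20)[0]
    opt = nt + 24                                           # start of the optional header
    imp_rva = struct.unpack_from("<I", data, opt + 0x68)[0]  # DataDirectory[1] = import table
    sections = []
    for i in range(nsect):
        vsize, va, rawsize, raw = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, max(vsize, rawsize), raw))
    dlls, off = [], _rva_to_offset(sections, imp_rva)
    while True:
        name_rva = struct.unpack_from("<IIIII", data, off)[3]  # IMAGE_IMPORT_DESCRIPTOR.Name
        if name_rva == 0:                                      # all-zero descriptor ends the array
            break
        start = _rva_to_offset(sections, name_rva)
        dlls.append(data[start:data.index(b"\0", start)].decode("ascii"))
        off += 20
    return imp_rva, dlls

def unexpected_imports(data, baseline):
    """DLLs in the import table that a clean copy of the same file does not import."""
    known = {d.lower() for d in baseline}
    rva, dlls = imported_dlls(data)
    return rva, [d for d in dlls if d.lower() not in known]

def build_test_pe(dlls, sec_va=0x1000, sec_raw=0x200):
    """Constructed minimal PE32 holding only an import table; a fixture, not a runnable binary."""
    names = b"".join(d.encode() + b"\0" for d in dlls)
    descs, pos = b"", 20 * (len(dlls) + 1)
    for d in dlls:
        descs += struct.pack("<IIIII", 0, 0, 0, sec_va + pos, 0)  # only the Name RVA is filled in
        pos += len(d) + 1
    body = descs + b"\0" * 20 + names
    opt = struct.pack("<H", 0x10B) + b"\0" * 0x66 + struct.pack("<II", sec_va, len(descs) + 20) + b"\0" * 0x70
    hdr = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0"
    hdr += struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102) + opt
    hdr += b".idata\0\0" + struct.pack("<IIIIIIHHI", len(body), sec_va, len(body), sec_raw, 0, 0, 0, 0, 0x40000040)
    return hdr.ljust(sec_raw, b"\0") + body
```

Run `unexpected_imports` over the bytes of a suspect system file with the import list of a known-good copy from another machine as the baseline; an injected Hkdoordll.dll entry is reported even though the file's size and date are unchanged.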

Once we understand how Hacker's Door starts, we can remove it manually. Hkdoordll.dll must not simply be deleted, because that may crash the system outright: the infected program (Services.exe, say) can no longer be loaded, and if the infected program is a critical system process, the system will not start properly. To clean up Hkdoordll.dll and Services.exe, find a Services.exe on another machine (same system and patch level), rename the infected program to Services2.exe, copy the clean Services.exe into the System32 folder, restart the computer, and then delete Hkdoordll.dll to remove Hacker's Door.
Run-time infection

Having covered how Hacker's Door starts, let us now look at how it infects a running system file. This puzzled me for a long time; in the end I found that it uses a very flexible trick.
We know that under Windows a running program file cannot be modified or deleted, which is exactly why there are so many tricks for deleting a program while it runs; self-deletion, though, is not our focus here. Careful users may have noticed, however, that under Windows 2000 or Windows XP a running EXE file can be renamed or moved.
Take TestLoad.exe again for the test and run:

C:\>rundll32 Hkdoordll,dllregisterserver TestLoad.exe 2
You will find an extra file, TestLoad.exe.bak, in the folder alongside TestLoad.exe. I first thought Hacker's Door was being considerate and backing up the system file for you, but in fact this is its trick; it was the only way. Without closing TestLoad.exe, try to delete TestLoad.exe and TestLoad.exe.bak. Is this not a surprise? TestLoad.exe can be deleted, while TestLoad.exe.bak cannot. Does this contradict what I just said? Not at all! It proves exactly that: Hacker's Door first renames TestLoad.exe to TestLoad.exe.bak, then generates an infected TestLoad.exe, so that the next time TestLoad.exe runs it is actually the replacement program, and the original program has been set aside.
Disassembling Hkdoordll.dll with IDA Pro reveals calls to the following functions:

File rename:

.data:1000C618                 lea     ecx, [esp+438h+filename]
.data:1000C61F                 lea     edx, [esp+438h+var_324]
.data:1000C626                 push    ecx
.data:1000C627                 push    edx
.data:1000C628                 call    rename

Copy file:

.data:1000C66F                 lea     edx, [esp+440h+var_32C]
.data:1000C676                 push    0               ; bFailIfExists
.data:1000C678                 lea     eax, [esp+444h+var_228]
.data:1000C67F                 push    edx             ; lpNewFileName
.data:1000C680                 push    eax             ; lpExistingFileName
.data:1000C681                 call    CopyFileA

Move file:

.data:1000C795                 mov     eax, [ebp+8]
.data:1000C798                 test    eax, eax
.data:1000C79A                 jnz     short loc_1000C7FE
.data:1000C79C                 lea     ecx, [esp+448h+var_334]
.data:1000C7A3                 push    5               ; dwFlags
.data:1000C7A5                 lea     edx, [esp+44Ch+var_230]
.data:1000C7AC                 push    ecx             ; lpNewFileName
.data:1000C7AD                 push    edx             ; lpExistingFileName
.data:1000C7AE                 call    MoveFileExA

The call above can be read as:

MoveFileEx("TestLoad.exe", "TestLoad.exe.bak", MOVEFILE_DELAY_UNTIL_REBOOT | MOVEFILE_REPLACE_EXISTING);

A little background: MSDN describes the MoveFileEx() function as:

BOOL MoveFileEx(
    LPCTSTR lpExistingFileName,  // pointer to the name of the existing file
    LPCTSTR lpNewFileName,       // pointer to the new name for the file
    DWORD   dwFlags              // flags that specify how to move the file
);

So the file backing the running TestLoad.exe process is actually TestLoad.exe.bak; Hkdoordll.dll then generates the infected TestLoad.exe and saves it at the original file path.

Killing System File Protection

Once the system starts, Windows loads the infected system program. But because Hacker's Door starts by infecting a system program, it runs into another problem.

As you know, Windows 2000 and Windows XP have System File Protection: once a protected system file is modified, a dialog box pops up asking you to insert the system setup CD. This raises a question. TestLoad.exe is just an ordinary EXE file, not a system file that System File Protection protects, so when Hacker's Door modifies a real system process, why does System File Protection not raise the alarm?
Here, again, we disassemble Hacker's Door and observe how it shuts off the System File Protection function.

We find the following code:

.data:1000BBB0 LoadSfcDll      proc near               ; CODE XREF: sub_1000BC70+B7
.data:1000BBB0                 push    esi
.data:1000BBB1                 xor     esi, esi
.data:1000BBB3                 call    GetVersion      ; get the Windows version number
.data:1000BBB3                                         ; and operating system platform
.data:1000BBB9                 cmp     al, 5           ; major version 5 (Windows NT 5.x)?
.data:1000BBBB                 jnz     short loc_1000BBDF
.data:1000BBBD                 xor     ecx, ecx        ; yes: Windows 2000 or later
.data:1000BBBF                 mov     cl, ah          ; minor version
.data:1000BBC1                 test    cl, cl
.data:1000BBC3                 jnz     short loc_1000BBD2
.data:1000BBC5                 push    offset aSfc_dll ; lpLibFileName; minor version 0: Windows 2000
.data:1000BBCA                 call    LoadLibraryA    ; load sfc.dll
.data:1000BBD0                 pop     esi
.data:1000BBD1                 retn
.data:1000BBD2 loc_1000BBD2:                           ; CODE XREF: LoadSfcDll+13
.data:1000BBD2                 push    offset aSfc_os_dll ; lpLibFileName; minor version nonzero: Windows XP
.data:1000BBD7                 call    LoadLibraryA    ; load sfc_os.dll
.data:1000BBDD                 pop     esi
.data:1000BBDE                 retn

The code above shows that Hkdoordll.dll loads Sfc.dll or Sfc_os.dll depending on the operating system version: on Windows NT 5.0 (Windows 2000) it loads Sfc.dll, and on Windows XP (Windows NT 5.1) it loads Sfc_os.dll. Now look at the following disassembly code:
