Trojan hiding techniques of every kind, fully exposed

Source: Internet
Author: User
Tags: thread, win32

I used to think that as long as I did not casually run files sent to me by strangers online, I would not catch a virus or a Trojan; then came Blaster and Sasser, which spread by exploiting vulnerabilities with no user action at all. I also used to think that as long as I stayed away from small, obscure web sites I would never meet a Trojan; then a number of large sites, including a well-known game site, had Trojans planted on their home pages by attackers. Since then I have known that security is never absolute.

There is no absolute security, but if you understand how a Trojan hides, then even when you cannot keep it out you can find it in time and keep the damage to a minimum. So how does a Trojan actually hide on our system?

The most basic hiding: invisible windows + hidden files

However mysterious a Trojan may seem, on the Win32 platform it is still just a program. Two common types of program run under Windows:

1. Win32 applications (Win32 Application), such as QQ and Office.

2. Win32 console programs (Win32 Console), such as the boot-sector repair command fixmbr in the Recovery Console.

A Win32 application usually has a user interface; the system's Calculator, for instance, presents a window full of number buttons. A Trojan is also a Win32 application, but it normally has no window or keeps its window hidden (with a few special exceptions, such as Trojans that open a chat window with the victim), and its file is given the "hidden" attribute. That is the most basic form of hiding. A slightly experienced user defeats it by opening Task Manager to look for the process and by ticking "Show all files" under Folder Options to reveal the file (see Figure 1), which is why the process-hiding techniques described next appeared.
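The two checks just described, done from PowerShell instead of Explorer and Task Manager, as an added example that is not part of the original article. The function names, the default search paths and the "user-writable directory" heuristic are my own assumptions, not something the article specifies.

```powershell
# Added example (not from the original article): find files that carry the
# "hidden" attribute and are executable, and processes that own no top-level
# window, the two shapes a basic trojan takes. Run from an elevated prompt so
# that system directories and other users' processes can be inspected.

function Get-HiddenExecutables {
    # Default paths are an assumption; pass your own list for a wider sweep.
    param([string[]]$Path = @("$env:SystemRoot\System32", $env:TEMP, $env:APPDATA))

    Get-ChildItem -Path $Path -Recurse -Force -File -Include *.exe, *.dll, *.scr -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden } |
        Select-Object FullName, LastWriteTime, Length, Attributes
}

function Get-WindowlessProcesses {
    # Processes with no main window. Expect many legitimate hits (services and
    # helper processes are windowless too); the Path column is what to judge by.
    Get-Process |
        Where-Object { $_.MainWindowHandle -eq [IntPtr]::Zero } |
        Select-Object Id, ProcessName, Path,
            @{ Name = 'InUserWritableDir'; Expression = {
                # Heuristic: binaries started from a profile or temp directory
                # deserve a closer look; system binaries live under %SystemRoot%.
                [bool]($_.Path -and (
                    $_.Path -like "$env:USERPROFILE\*" -or
                    $_.Path -like "$env:TEMP\*" -or
                    $_.Path -like "$env:ProgramData\*")) } }
}

# Usage: list the findings, most suspicious processes first.
Get-HiddenExecutables | Sort-Object LastWriteTime -Descending | Format-Table -AutoSize
Get-WindowlessProcesses | Sort-Object InUserWritableDir -Descending | Format-Table -AutoSize
```

Both lists will contain legitimate entries; the point of the script is to make the hidden-attribute files and the windowless processes visible so they can be compared against what you expect on the machine, not to decide by itself what is malicious.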

First-generation process hiding: a backdoor in Windows 98

Windows 98 provides a way to register a process as a service process. Microsoft never publicly documented it (the mechanism does not exist in later versions of Windows), but people worked out the secret: the undocumented kernel32 function RegisterServiceProcess. Any program that calls it is registered as a service process, and service processes do not appear in the Windows 98 Task Manager, which is exactly the loophole that Trojans exploited.

Dealing with a Trojan hidden this way is easy: use a third-party process management tool to find the process, and note that under Windows 2000/XP, which do not support this trick, such a Trojan shows up in the normal Task Manager. Terminate the process, then delete the Trojan file. The next generation of process-hiding technique is not so easy to handle.

Second-generation process hiding: process injection

In Windows, every process has its own private address space. When a pointer (the mechanism for accessing memory) is used, a process cannot read or write the memory of another process, just as you cannot walk into a neighbour's house without the neighbour's consent. If QQ holds picture data in memory, MSN cannot obtain that picture simply by reading memory. This isolation also makes programs more stable: if your process has a bug that overwrites some random address, the error cannot touch memory used by another process.

Do you know what a process is?

For an application, a process is like a big container. Running the application puts it into a container, into which other things are added as well (the variable data the application needs while running, the DLL files it references). When the application is run a second time, the contents of the first container are not discarded; the system creates a new process container for the second instance.

A process can contain several threads, which let the application do several things at once (for example one thread writes a file to disk while another receives the user's keystrokes and responds promptly, without the two interfering with each other). When a program starts, the first thing the system does is create a default thread for its process; the program can then add or remove threads as needed (see Figure 2, process diagram).

1. What is process injection?

Separate address spaces are good for programmers and users alike. For programmers, the system is far more likely to catch random memory reads and writes; for users, the system is more robust because one application cannot corrupt another process or bring the system down. This robustness has a price: it is much harder to write applications that communicate or cooperate with other processes. Even so, there are ways to break through the process boundary and enter another process's address space, and that is process injection. Once a Trojan's DLL has been injected into another process's address space, it can do anything to that process, such as stealing the QQ password as described below.

2. How a Trojan steals the QQ password

Normally the keyboard and mouse input an application receives cannot be "interfered with" by other applications. So how does a password-stealing Trojan secretly record my password? The Trojan first injects a DLL into the QQ process, where it runs as a thread inside QQ, so the Trojan DLL is now part of QQ itself. When the user types the password, the Trojan DLL, already inside the QQ process, receives the same keystrokes the user is passing to QQ. QQ has, so to speak, been robbed from the inside.

(Figure: 06zcxtrojan0a.tif)

3. How process injection is done

(1) Injecting a DLL via the registry

Early process-injecting Trojans modified the registry value AppInit_DLLs under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows: every DLL listed there is loaded by user32.dll into each process that loads user32.dll. The drawback is that it is not immediate: after the registry is changed, the DLL is only injected into processes started afterwards, so in practice the Trojan waits for a reboot before it is inside everything.

(2) Injecting a DLL via hooks

A more advanced and covert way is the system's hook mechanism (a "hook", similar to an interrupt in the DOS era); some QQ-stealing and keylogging Trojans hook their way into another process to do their "stealing". This requires calling the Win32 API function SetWindowsHookEx: when a global hook is installed with a hook procedure that lives in a DLL, the system loads that DLL into every process that receives the hooked event (keyboard messages, for a keylogger). The drawback is the higher technical bar: such a program is hard to debug, and the Trojan author needs a solid level of Win32 programming.

Do you know what an API is?

The interfaces Windows provides for all sorts of functionality are collectively called the Win32 API (Application Programming Interface). When a program needs to read or write a file on disk, it first calls the appropriate API function (file I/O goes through the file-related APIs) to issue the request; the API then carries out the request using the parameters the program supplied (for a file, the name and path to read or write); finally the result (the write succeeded, the read failed, and so on) is returned to the program (see Figure 3, application / Win32 API / system diagram).

(3) Injecting a DLL via the remote thread function (CreateRemoteThread)

Windows 2000 and above provide a "remote thread" mechanism: the API function CreateRemoteThread creates a thread inside another process. If the new thread's start address is LoadLibrary and its argument is the path of the Trojan's DLL (written into the target beforehand), the target process loads the Trojan DLL itself. The drawback is obvious: it only works on Windows 2000 and above, and at the time a considerable number of domestic users were still running Windows 98, so Trojans using this method lacked platform coverage.

When a Trojan injects itself as a DLL into another process's address space, the process list shows no trace of it: you see only normal-looking processes, but the Trojan has slipped inside one of them. The solution is a process management tool that supports a "process module view" (such as the process view in Windows Optimizer Master, or Sysinternals Process Explorer), which lists every DLL loaded into each process; the Trojan's DLL module shows up there.
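The module-view check described here, together with an inspection of the AppInit_DLLs value from method (1), as an added example that is not part of the original article. The function names Get-AppInitDlls and Get-ForeignModules, the choice of "trusted" directories and the use of an Authenticode check to rank the remaining modules are my assumptions; the registry path and the values read are real.

```powershell
# Added example (not from the original article): the two places an injected DLL
# leaves a trace. (1) the AppInit_DLLs registry value, (2) the module list of a
# running process. Run elevated, and with the same bitness as the target process,
# or the module list of a process you cannot open comes back empty.

function Get-AppInitDlls {
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    $props = Get-ItemProperty -Path $key -ErrorAction Stop
    [pscustomobject]@{
        AppInit_DLLs              = $props.AppInit_DLLs               # should normally be empty
        LoadAppInit_DLLs          = $props.LoadAppInit_DLLs           # Vista and later: 1 = mechanism on ($null on XP)
        RequireSignedAppInit_DLLs = $props.RequireSignedAppInit_DLLs  # Windows 7 and later ($null if absent)
    }
}

function Get-ForeignModules {
    # Lists modules of the named process that sit outside the Windows and
    # Program Files trees (a heuristic, not proof), with their signature status.
    param([Parameter(Mandatory)][string]$ProcessName)

    $trusted = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ } | ForEach-Object { [regex]::Escape($_) }
    $pattern = '^(' + ($trusted -join '|') + ')\\'

    foreach ($p in Get-Process -Name $ProcessName -ErrorAction Stop) {
        try { $modules = $p.Modules }
        catch { Write-Warning "PID $($p.Id): cannot list modules ($($_.Exception.Message))"; continue }

        foreach ($m in $modules) {
            if ($m.FileName -notmatch $pattern) {
                $sig = Get-AuthenticodeSignature -FilePath $m.FileName
                [pscustomobject]@{
                    ProcessId = $p.Id
                    Module    = $m.ModuleName
                    Path      = $m.FileName
                    Signature = $sig.Status            # Valid / NotSigned / HashMismatch ...
                    Signer    = $sig.SignerCertificate.Subject
                }
            }
        }
    }
}

# Usage: check the global injection point, then look inside the process you care about.
Get-AppInitDlls
Get-ForeignModules -ProcessName 'notepad' | Format-Table -AutoSize
```

A Trojan can of course drop its DLL into System32 to pass the directory heuristic, which is why the signature column matters more than the path: an unsigned module, or one signed by a subject you do not recognise, inside a process that should only be loading Microsoft and vendor code is the thing to pull off the machine and analyse. For a keylogger that arrived through SetWindowsHookEx the same listing applies, since the hook DLL is loaded into the hooked process like any other module.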
