Blocking DLL backdoors: clearing DLL backdoors

Source: Internet
Author: User
When security awareness reaches a certain level, the danger of "backdoors" goes without saying. With the "strong support" of anti-virus software, traditional backdoors can be blocked by checking ports and viewing processes. However, if the backdoor is implemented as a dynamic link library loaded into an existing program, both its process and its port are hidden.

In fact, a dynamic link library (DLL) exists to provide extended functions to applications. To use a DLL file, an application must dynamically link to it; from the programming point of view, the application must know the API functions exported by the DLL before it can call them. So a DLL file cannot run by itself and must be called by an application. Because Windows maps the DLL into the memory of the application while it runs, the DLL file cannot be deleted while it is loaded, and the hosting program may be one that cannot simply be closed. That is how the DLL backdoor came about. So how do we deal with these special DLL files?

Take the well-known DLL backdoors svchostdll.dll and bits.dll as examples. The following describes how to clear them manually.

The host: svchost

Before introducing how to remove the DLLs, here is a brief introduction to the key system service svchost.exe:

Svchost itself serves only as a service host and implements no functions. A service that is to be started by svchost is implemented as a DLL, and the service's loader points to svchost. When the service is started, svchost loads the service's DLL and calls it. Which DLL svchost loads for a service is determined by the registry: the key of the service to be started has a Parameters subkey whose ServiceDll value names the DLL file responsible for the service, and that DLL must export a ServiceMain() function to do the service's work.

The registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost stores the groups started by svchost and the services in each group; the netsvcs group holds the most services. Any service started through svchost has its name listed under this key.

A DLL backdoor can get itself loaded by svchost in four ways:

1. Add a new group and add a service name to it.
2. Add a service name to an existing group.
3. Directly use a service name that is already in an existing group but whose service is not installed on the local machine.
4. Modify an existing service in an existing group and point its ServiceDll to the backdoor's own DLL.

Portless Backdoor

This is a very powerful DLL backdoor program. Besides a shell with local SYSTEM privileges, it supports a series of functions such as "detecting clone accounts" and "installing Terminal Services", and it works on Windows 2000, XP and 2003. The program is started by svchost.exe. Normally it opens no port and can make reverse connections, which makes it highly destructive against hosts protected by a firewall.

The loader of the backdoor inserts svchostdll.dll into the svchost process. So first open Windows Process Management 2.5 (part of Windows Optimization Master) and view the module information of the svchost process; you can see that svchostdll.dll has been inserted into it. Based on the principle above, there must be a new service under "Administrative Tools" - "Services". The service name is iprip, it is started by svchost, and "-k netsvcs" indicates that the service belongs to the netsvcs service group.

Stop the service, open the Registry Editor (Start - Run - regedit), and go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iprip to view its Parameters subkey. The programkey value svchostdll.exe is the loader of the backdoor; the ServiceDll value c:\winnt\system32\svchostdll.dll is the DLL file that gets called, which is the backdoor DLL itself. Now delete the iprip subkey (or delete the service with SC), then edit the netsvcs value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost and delete the bytes 49 00 70 00 72 00 69 00 70 00 00, which are the service name iprip in its Unicode encoding. Then exit and restart. After the restart, delete the backdoor file from the WINNT\system32 directory.

The Portless backdoor uses the third of the svchost methods above, so it can be cleared by starting from the Svchost key in the registry.

bits.dll

This is Rong Ge's work. Its principle is basically the same as that of svchostdll.dll, but here the fourth method described above is used to load it, that is, "modify an existing service in an existing group and point its ServiceDll to the backdoor's own DLL". We again use Windows Process Management 2.5 to check whether bits.dll has been inserted into the svchost process.

Now for the specific clearing method. Because this backdoor modifies an existing service, and we do not know which service was modified, search the registry for bits.dll. It turns up under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto: the ServiceDll value under its Parameters subkey is c:\winnt\system32\bits.dll. The backdoor replaced the original DLL file of the RasAuto service with bits.dll so that it is loaded automatically. Change the ServiceDll value back to the original DLL of the RasAuto service, %SystemRoot%\system32\RasAuto.dll, exit and restart, then delete bits.dll from the WINNT\system32 directory.
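As an added example (not code from the article, nor from the author of either backdoor), the following Python script applies the svchost mechanism described above to a regedit export: it parses the Svchost group list (decoding the REG_MULTI_SZ hex(7) bytes, the same Unicode encoding as the 49 00 70 00 72 00 69 00 70 00 00 sequence deleted in the iprip case), looks up each member's ServiceDll under its Parameters key, and compares it with an assumed baseline of known-good DLL names. The export text, the baseline and the service entries are constructed for this example; on a real machine you would feed it a file produced by regedit's export function and a baseline taken from a clean install.

```python
import re

# Constructed .reg export (made up for this example, modelled on the registry paths in the
# article): the svchost group list plus the Parameters keys of three netsvcs members. Two of
# them are the article's cases: "Iprip" points at svchostdll.dll and RasAuto has been
# repointed at bits.dll. The hex(7) data is "EventSystem\0Iprip\0RasAuto\0\0" in UTF-16LE.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
"netsvcs"=hex(7):45,00,76,00,65,00,6e,00,74,00,53,00,79,00,73,00,74,00,65,00,\
  6d,00,00,00,49,00,70,00,72,00,69,00,70,00,00,00,52,00,61,00,73,00,41,00,\
  75,00,74,00,6f,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventSystem\Parameters]
"ServiceDll"="%SystemRoot%\\system32\\es.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iprip\Parameters]
"ServiceDll"="C:\\WINNT\\system32\\svchostdll.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto\Parameters]
"ServiceDll"="C:\\WINNT\\system32\\bits.dll"
"""

SVCHOST_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost"
SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"

# Assumed baseline: which DLL each known netsvcs member should load. An administrator
# would record this from a clean install, as the article's "Preventing" section suggests.
KNOWN_GOOD = {"eventsystem": "es.dll", "rasauto": "rasauto.dll"}


def _decode_hex(raw):
    """Decode a 'hex(N):aa,bb,...' value: hex(7) -> list of str (REG_MULTI_SZ),
    hex(2) -> str (REG_EXPAND_SZ), anything else -> bytes."""
    m = re.match(r"hex(?:\((\w+)\))?:(.*)$", raw)
    kind = m.group(1) or "3"                        # a bare "hex:" value is REG_BINARY
    data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
    if kind == "7":
        # UTF-16LE strings separated by NUL; the list ends with an extra NUL
        return [s for s in data.decode("utf-16-le").split("\x00") if s]
    if kind == "2":
        return data.decode("utf-16-le").rstrip("\x00")
    return data


def parse_reg_export(text):
    """Parse a 'Windows Registry Editor Version 5.00' export into {key: {name: value}}."""
    keys, current = {}, None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        while line.endswith("\\"):                  # hex data continues on the next line
            line = line[:-1] + lines[i].strip()
            i += 1
        name, _, raw = line.partition("=")
        name = name.strip('"')
        if raw.startswith('"'):                     # REG_SZ: unescape \\ and \"
            value = raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        elif raw.startswith("dword:"):
            value = int(raw[6:], 16)
        else:
            value = _decode_hex(raw)
        keys[current][name] = value
    return keys


def audit_svchost(reg, known_good):
    """Return (group, service, service_dll, reason) for every svchost group member that is
    not in the baseline or whose ServiceDll file name differs from the baseline.
    Registry key and service names are compared case-insensitively, as Windows does."""
    by_key = {k.lower(): v for k, v in reg.items()}
    findings = []
    for group, members in by_key.get(SVCHOST_KEY.lower(), {}).items():
        if not isinstance(members, list):           # only REG_MULTI_SZ values list services
            continue
        for svc in members:
            params = by_key.get((SERVICES_KEY + "\\" + svc + "\\Parameters").lower(), {})
            dll = params.get("ServiceDll")
            want = known_good.get(svc.lower())
            if want is None:                        # methods 1-3: a name the baseline never had
                findings.append((group, svc, dll, "service not in baseline"))
            elif dll is None:
                findings.append((group, svc, None, "no ServiceDll under Parameters"))
            elif dll.replace("/", "\\").rsplit("\\", 1)[-1].lower() != want:
                findings.append((group, svc, dll, "ServiceDll should be " + want))  # method 4
    return findings


if __name__ == "__main__":
    for finding in audit_svchost(parse_reg_export(SAMPLE_REG), KNOWN_GOOD):
        print(finding)
```

Run against the sample it reports Iprip (a group member the baseline never had) and RasAuto (a known member whose ServiceDll now names bits.dll); a member with no Parameters key at all is reported separately, since a missing ServiceDll is just as worth a look as a wrong one.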

Preventing DLL backdoors

You have now learned how to clear these DLL backdoors, but in practice a DLL backdoor does not use its default file name, so you cannot be sure whether a DLL backdoor is present. The System32 directory is a favourite place for DLL backdoors, and most of them behave the same way, so pay attention to it.

1. After the system and all applications are installed, record the EXE and DLL files in the System32 directory: open cmd, change to the WINNT\system32 directory, and run dir *.exe > exe.txt & dir *.dll > dll.txt. Later, produce fresh listings the same way (for example exe0.txt and dll0.txt) and compare them with fc, for example fc exe.txt exe0.txt > exedll.txt, and likewise for the DLL listings. In this way we find the EXE and DLL files that have appeared since, and can judge from file size and creation time whether they are DLL backdoors.
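The dir/fc routine above is a baseline-and-diff check, and the same idea carries further if the baseline also records a hash, because a DLL swapped for one of the same size (as the RasAuto case does to the service's DLL) is then caught even when its timestamp has been adjusted. The following Python script is an added example, not the article's procedure or any tool it names; it snapshots the EXE and DLL files of a directory, saves and reloads the baseline as a text file like exe.txt/dll.txt, and reports added, removed and changed files. The demo() function builds a constructed stand-in for system32 in a temporary directory, so the file names and contents there are made up.

```python
import hashlib
import os
import tempfile

EXTENSIONS = (".exe", ".dll")


def snapshot(directory, extensions=EXTENSIONS):
    """Map lower-cased file name -> (size, sha256) for the EXE/DLL files in one directory.
    The hash is what dir and fc cannot give you: a file replaced by one of identical size
    still shows up as changed."""
    entries = {}
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        if not name.lower().endswith(extensions) or not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            digest = hashlib.sha256(fh.read()).hexdigest()
        entries[name.lower()] = (os.path.getsize(path), digest)
    return entries


def save_snapshot(entries, path):
    """Write the baseline as one tab-separated line per file (the article's exe.txt/dll.txt)."""
    with open(path, "w", encoding="utf-8") as fh:
        for name, (size, digest) in sorted(entries.items()):
            fh.write(f"{name}\t{size}\t{digest}\n")


def load_snapshot(path):
    """Read a baseline written by save_snapshot back into the snapshot dict form."""
    entries = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            name, size, digest = line.rstrip("\n").split("\t")
            entries[name] = (int(size), digest)
    return entries


def compare(baseline, current):
    """Return (added, removed, changed) file-name lists, the equivalent of reading fc's output."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(n for n in set(baseline) & set(current) if baseline[n] != current[n])
    return added, removed, changed


def demo():
    """Constructed scenario: take a baseline of a stand-in system32, save and reload it,
    then simulate a dropped DLL and a service DLL swapped for one of the same size.
    Returns (reloaded baseline equals original, (added, removed, changed))."""
    with tempfile.TemporaryDirectory() as d:
        def write(name, data):
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        write("es.dll", b"original es.dll bytes")
        write("rasauto.dll", b"original rasauto.dll bytes")
        write("svchost.exe", b"svchost host process")
        write("readme.txt", b"not an exe or dll, so ignored")
        baseline = snapshot(d)
        save_snapshot(baseline, os.path.join(d, "dll0.txt"))
        reloaded = load_snapshot(os.path.join(d, "dll0.txt"))
        # later: a new DLL appears and rasauto.dll is replaced by a file of the same size
        write("svchostdll.dll", b"dropped backdoor dll")
        write("rasauto.dll", b"REPLACED rasauto.dll bytes")
        return reloaded == baseline, compare(reloaded, snapshot(d))


if __name__ == "__main__":
    same, (added, removed, changed) = demo()
    print("baseline round-trips:", same)
    print("added:", added, "removed:", removed, "changed:", changed)
```

Take the baseline right after installation, keep the text file somewhere the machine's users cannot write to, and run the comparison from the stored copy rather than from a file that has been sitting in System32.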

2. Use a memory/module tool to view the DLL files loaded by each process, for example Windows Process Management 2.5 in Windows Optimization Master. This shows which DLL files each process has loaded; compare the result with the fc output above to further determine whether a DLL backdoor is present. If you do not have Optimization Master, you can use tasklist, which can also display the DLL files loaded by a process, and whose source code is available so it can be modified.

3. A backdoor needs to open a specific port for its connection, and a DLL backdoor is no exception: however well hidden it is, it must open a port to be connected to. Use netstat -an to view all TCP/UDP ports and connections and look for illegitimate ones. You need to know which ports you normally have open and understand the State column of the netstat output. You can also use fport to display the process that owns each port. This way you can see all unknown connections and ports on the system.
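Reading netstat by eye only works if you know what the host normally looks like, so the check is really a comparison against a recorded baseline. The following Python script is an added example (not from the article or from fport): it parses the column layout that netstat -an prints on Windows, flags listening ports that are not in an assumed baseline, and also flags established connections to hosts not in an assumed trusted list, which is how the "reverse connection" of a portless backdoor shows up when no listening port is open. The netstat text, the baseline sets and the addresses (documentation ranges) are constructed for the example.

```python
# Constructed sample in the column layout printed by "netstat -an" on Windows. The
# addresses are documentation ranges made up for this example, not output from a real host.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1042        198.51.100.7:8080      ESTABLISHED
  TCP    192.0.2.10:1043        192.0.2.20:445         ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# Assumed baseline for this host: the (protocol, port) pairs it is known to listen on, and
# the remote hosts it is known to talk to, recorded while the machine was known clean.
EXPECTED_LISTEN = {("TCP", 135), ("TCP", 139), ("TCP", 445), ("UDP", 445)}
TRUSTED_REMOTE = {"192.0.2.20"}


def _split_endpoint(endpoint):
    """'192.0.2.10:1042' -> ('192.0.2.10', 1042); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return (proto, local_host, local_port, remote_host, remote_port, state) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue                                  # title, header and blank lines
        lhost, lport = _split_endpoint(parts[1])
        rhost, rport = _split_endpoint(parts[2])
        state = parts[3] if len(parts) > 3 else ""    # UDP rows carry no State column
        records.append((parts[0], lhost, lport, rhost, rport, state))
    return records


def review_connections(records, expected_listen, trusted_remote):
    """Return (unexpected_listeners, unexpected_connections).

    A listener is a TCP row in LISTENING state or any UDP row; it is unexpected when its
    (proto, port) is not in the baseline. A connection is an ESTABLISHED row whose remote
    host is not trusted, which is where an outbound (reverse) connection would appear."""
    listeners, connections = [], []
    for proto, lhost, lport, rhost, rport, state in records:
        if proto == "UDP" or state == "LISTENING":
            if (proto, lport) not in expected_listen:
                listeners.append((proto, lport))
        elif state == "ESTABLISHED" and rhost not in trusted_remote:
            connections.append((proto, lhost, lport, rhost, rport))
    return sorted(set(listeners)), connections


if __name__ == "__main__":
    recs = parse_netstat(SAMPLE_NETSTAT)
    listeners, conns = review_connections(recs, EXPECTED_LISTEN, TRUSTED_REMOTE)
    print("unexpected listeners:", listeners)
    print("connections to untrusted hosts:", conns)
```

On the sample the script reports the unexpected listener on TCP 3389 and the established connection to 198.51.100.7; the port-to-process mapping that fport provides is the natural next step for each hit.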

4. Regularly check the locations that the system loads automatically, such as the registry and winstart.bat, autoexec.bat, win.ini, system.ini, wininit.ini, Autorun.inf and config.sys. Next, manage the services and know the system's default services; SC from the Windows 2000 Server Resource Kit can delete problematic services.

Using the methods above, I think most DLL backdoors can be exposed. In fact, as long as we keep more backups in ordinary times, searching for DLL backdoors takes half the effort for twice the result.
