A Comprehensive Analysis of Hook and Inline-Hook Process-Hiding Technology

Source: Internet
Author: User
Tags: ssdt

First of all, we need to understand that a so-called "process-less Trojan" is a Trojan that uses technical means to hide its process. It is not truly without a process: it has its own process, but if you cannot defeat its hiding technique, you will not be able to see that process.

How is the process hidden? This inevitably involves some technical details. Let's try to keep it simple and clear; for the implementation details, refer to the relevant materials. What I want to achieve here is not to teach you to write a Trojan that can hide itself, but to let you know what means a Trojan uses to hide its process, why it hides it, what kind of technology is needed to defeat this hiding, and which professional tools can find it.

At the same time, note that the technology for hiding processes also applies to hiding DLL modules and drivers. For ease of description, the following uses a process as the example.

Windows provides developers with several methods to list all processes, modules, and drivers in the system. The most common is to call system APIs such as CreateToolhelp32Snapshot, EnumProcesses, and EnumProcessModules. If you are not a developer, you don't need to worry about the details. You only need to understand that these are the first step in obtaining the process list: we call them to tell the system that we need a list of processes, and the system returns the list to us.

What do these APIs do after receiving the request? They call ZwQuerySystemInformation, which calls KiSystemService to enter the kernel at ring 0 (R0). There, the address of NtQuerySystemInformation is looked up in the SSDT and the code it points to is called. NtQuerySystemInformation retrieves the corresponding data from the system's data structures, and the data is returned along the same path it came in.

Intercepting any stage in the middle can achieve the purpose of hiding the process. This interception is called a "hook". A hook placed before the kernel is entered at R0 is an application-layer hook; a hook placed afterwards is a kernel hook, which must be implemented by a driver.

What is a hook? What is the SSDT? Here is an analogy:

The Windows operating system is like a service company that manages the computer for us. Its working mechanism is to report step by step, with each part taking its own responsibility. It sends a waiter to follow us at all times and see what we need.

When we want to check which processes are in the system, we tell the waiter that we want to know which processes are there. To whom does the waiter report our request? He needs to know which department is responsible for the job. The SSDT is responsible for telling him: it is like a road sign, indicating which department is responsible for which job. After finding the responsible department through the table, the work is handed over to that department. When the work is completed, the department returns the result to the waiter, the waiter hands it over to us, and we get the expected result.

An application-layer hook is like the waiter being secretly replaced by the Trojan. When we make a request, he checks whether it is harmful to him and removes the harmful information. For example, if we want to view the processes, the Trojan process is erased from the result before it is handed to us, so naturally we cannot see it.

The most common kernel hook is the SSDT hook. As said above, the SSDT is a table indicating which work is done by which department. In an SSDT hook, the Trojan changes the content of the table: the work originally handed to department A is redirected to the Trojan. When the waiter reports our request and looks up the table, it shows that the work of viewing processes is handled by the Trojan, so he hands the request to the Trojan. What does the Trojan do? It knows what the original content of the table was, so it only filters the request: if it finds the request is not harmful to it, it passes the request directly to the original department; if the request is harmful, it is filtered out or altered as the situation requires. Each function implements a particular operation. For example, NtTerminateProcess is used to end a process. If this function is hooked, there is a chance to change the result before the process ends, and termination can be refused. As shown in the figure, when you try to end such a process in Task Manager, the system rejects your operation. In fact, this is not the system's rejection but the process's own, because the SSDT has been hooked by that process and the job of stopping processes has been handed over to it. Once it finds that the process to be ended is itself, it simply tells the waiter that the operation cannot be completed, and the waiter passes this result to us. Our request never actually reached the department it should have gone to.

Pay special attention to the "hook type" column. The figure above shows both "Hook" and "inline-hook". What is an inline-hook?

As I said above, the SSDT is like a table that indicates which job is done by which department, and an SSDT hook changes where this table points. What about an inline hook? It does not change the table's direction: looking up the table still leads to the department responsible for listing processes. However, the Trojan has replaced the personnel in that department, and so achieves its goal.

Inline hooks are more complex, more evil, more unstable, and more widely applicable, which makes them harder to find. Checking whether the SSDT is correct, that is, whether each entry points to the correct department, should be simpler: isn't it a table? Just compare it with the original table. But an inline hook replaces a company employee. Windows is like a big company with thousands of people, and God knows which one has been replaced....
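As an added illustration (not part of the original article) of the two checks described above, this C snippet compares a captured SSDT against a reference table, which catches the SSDT hook, and then inspects the first bytes of a service routine for the instruction patterns an inline hook leaves behind, which the table compare alone cannot see. The table entries, kernel address range and prologue bytes are constructed sample data, not values from any real system.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
/* Constructed sample data (not from a real system): a 4-entry SSDT as read
 * from the running kernel (live) and as it should be (ref, e.g. rebuilt from
 * the on-disk ntoskrnl image). Entry 2 has been redirected into a driver. */
static const uintptr_t SSDT_REF[4]  = {0x80500000, 0x80501000, 0x80502000, 0x80503000};
static const uintptr_t SSDT_LIVE[4] = {0x80500000, 0x80501000, 0xF7A01000, 0x80503000};
static const uintptr_t KRNL_LO = 0x80400000, KRNL_HI = 0x80600000; /* ntoskrnl range */

/* Return the index of the first entry that differs from the reference or
 * points outside the kernel image, or -1 if the table is clean. */
int check_ssdt(const uintptr_t *live, const uintptr_t *ref, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (live[i] != ref[i]) return (int)i;                       /* pointer swapped */
        if (live[i] < KRNL_LO || live[i] >= KRNL_HI) return (int)i; /* not in ntoskrnl */
    }
    return -1;
}

/* An inline hook overwrites the start of the routine itself, so check_ssdt()
 * passes. Classify the first bytes of an x86 routine: 0 = no known pattern,
 * 1 = near jmp (E9 rel32), 2 = jmp [mem] (FF 25 disp32), 3 = push imm32 / ret
 * trampoline (68 imm32 C3). A kernel routine legitimately begins with 68 (push)
 * for its SEH frame, so a lone 68 is NOT flagged. */
int classify_prologue(const uint8_t *code, size_t len) {
    if (len >= 5 && code[0] == 0xE9) return 1;
    if (len >= 6 && code[0] == 0xFF && code[1] == 0x25) return 2;
    if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3) return 3;
    return 0;
}

/* Pattern scans miss patches placed deeper in the body; the reliable check is
 * a byte compare against a clean copy. Returns the number of differing bytes. */
size_t diff_prologue(const uint8_t *live, const uint8_t *ref, size_t len) {
    size_t d = 0;
    for (size_t i = 0; i < len; i++) d += (live[i] != ref[i]);
    return d;
}

/* Constructed prologues: a clean hotpatch-style entry (mov edi,edi; push ebp;
 * mov ebp,esp ...) and the same routine after a 5-byte jmp was written over it. */
static const uint8_t PRO_CLEAN[6]  = {0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83};
static const uint8_t PRO_HOOKED[6] = {0xE9, 0x10, 0x20, 0x30, 0x40, 0x83};

int main(void) {
    printf("bad SSDT entry %d, prologue class %d, bytes changed %zu\n",
           check_ssdt(SSDT_LIVE, SSDT_REF, 4), classify_prologue(PRO_HOOKED, 6),
           diff_prologue(PRO_HOOKED, PRO_CLEAN, 6));
}
```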

Simply put, a program is like a plan for a specific purpose. What is a process? It is the organization of workers and allocation of resources to start executing that plan. And the Windows operating system? It is the service management company that manages the computer for us, together with the workers who carry out these plans. When we have a request, the waiter relays it to Windows, which organizes the workers to execute it and returns the result to us. If a Trojan replaces the waiter, the SSDT, or a person in a functional department of the Windows service company, what we get back may be a wrong result, or our request may not be executed at all, just as with killing a process.
