Detailed walkthrough of "packing and unpacking" a Trojan horse

Source: Internet
Author: User

Editor's note: we give a comprehensive account of the attack and defense knowledge around popular Trojans, so that when you are hit by one you do not simply format the disk and reinstall the system. By walking through the whole process of making, disguising, planting and preventing Trojans, you can gain a more systematic understanding of these seemingly commonplace programs.
Why "pack and unpack" at all? For hackers, this technique is applied most heavily to the disguised Trojan client: it stops anti-virus software from tracing, detecting and debugging the program, and it prevents the program's algorithm from being statically analyzed by others.

Unpacking the Trojan with PE-Scan

Cytkk, a Trojan research enthusiast, first downloaded the latest reverse-connection ("bounce port") Trojan, Trojan Z, from a well-known hacker forum outside China. Before he could try out its powerful functions, it was frustrating to see it caught by Norton AntiVirus. Cytkk tried to fool the anti-virus software by compressing it with the packer UPX (Ultimate Packer for eXecutables), but the program reported that packing had failed. Inspection showed that the author of Trojan Z had already compressed it with UPX, so this "rotten" shell, which Norton AntiVirus already recognized, had to be removed first.

Cytkk ran a tool named PE-Scan 3.31 and clicked "open" to load the Trojan Z client; the display box in the middle of the window reported the shell type as UPX. He then clicked "unpack" → "start", set the directory and file name as prompted, and the unpacking completed. In this way the original client program of Trojan Z was obtained.

Expert tip: after complicated multi-layer packing, the result is not necessarily accurate. In that case use "adv. scan" (advanced scan), which makes PE-Scan analyze the likelihood that each of the various packers was used.

Re-packing the Trojan against anti-virus software

Next, Cytkk needed to pack the original Trojan Z client. Based on past experience, ASPack 1.12 was the sensible choice: it has a standard Windows interface and is simple and intuitive to operate. To keep the program intact after packing, Cytkk gave up maximum compression, cleared the "compress resources" check box under "options", and selected "preserve extra data". The "compression" tab is intuitive and has two progress bars: the upper one shows the compression progress and the lower one the compressed file size. After compression, Cytkk could not wait to click the "test" button on the left to check integrity. He was not disappointed: ASPack performed so well that Norton AntiVirus, known for its strictness, turned a blind eye to the packed Trojan Z.
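The two steps above rest on a single defensive observation: a packer leaves traces in the PE file that a scanner can read without running anything. PE-Scan reported "UPX" because UPX names its sections UPX0/UPX1, and the same is true of ASPack's ".aspack"/".adata" sections; in both cases the compressed section also has a near-random byte distribution (entropy close to 8 bits per byte), whereas ordinary code and data sit well below that. The following script is an added example, not part of the original article or of PE-Scan or ASPack: it parses the COFF header and section table of a PE file, looks up known packer section names, measures each section's Shannon entropy, and flags the file as likely packed. The sample images it analyzes are constructed in memory by a small helper (`build_sample_pe`), so it runs offline; the packer-name table and the 7.0 entropy threshold are assumptions for the demo, not published PE-Scan rules.

```python
import math
import struct
from collections import Counter
from typing import Dict, List, Tuple

# Section names that well-known packers leave behind (assumed table for this demo).
PACKER_SECTION_NAMES = {
    "UPX0": "UPX", "UPX1": "UPX", "UPX2": "UPX",
    ".aspack": "ASPack", ".adata": "ASPack",
}
HIGH_ENTROPY = 7.0  # bits per byte; compressed or encrypted data sits near 8.0


def shannon_entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def parse_sections(data: bytes) -> List[Tuple[str, bytes]]:
    """Return (name, raw bytes) for every section listed in the PE section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header after the signature: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    num_sections, = struct.unpack_from("<H", data, pe_off + 6)
    opt_size, = struct.unpack_from("<H", data, pe_off + 20)
    sec_off = pe_off + 24 + opt_size                           # section table start
    sections = []
    for i in range(num_sections):
        hdr = data[sec_off + 40 * i: sec_off + 40 * (i + 1)]  # IMAGE_SECTION_HEADER
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", hdr, 16)  # SizeOfRawData, PointerToRawData
        sections.append((name, data[raw_ptr:raw_ptr + raw_size]))
    return sections


def assess_packing(data: bytes) -> Dict[str, object]:
    """Flag packer-named and high-entropy sections; summarize whether the file looks packed."""
    findings, packers = [], set()
    for name, raw in parse_sections(data):
        ent = shannon_entropy(raw)
        packer = PACKER_SECTION_NAMES.get(name)
        if packer:
            packers.add(packer)
        findings.append({"name": name, "size": len(raw), "entropy": round(ent, 2),
                         "high_entropy": ent >= HIGH_ENTROPY, "packer": packer})
    return {
        "sections": findings,
        "packers": sorted(packers),
        "likely_packed": bool(packers) or any(f["high_entropy"] for f in findings),
    }


def build_sample_pe(sections: List[Tuple[str, bytes]]) -> bytes:
    """Construct a minimal PE image (DOS stub, COFF header, section table, raw data).
    It is only a test fixture for the parser above, not an executable program."""
    pe_off, opt_size = 0x40, 0
    hdr_len = pe_off + 24 + 40 * len(sections)
    raw_ptr = (hdr_len + 0x1FF) & ~0x1FF                      # 512-byte file alignment
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    sec_hdrs, body, va = b"", b"", 0x1000
    for name, raw in sections:
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name.encode(), len(raw), va, len(raw),
                                raw_ptr + len(body), 0, 0, 0, 0, 0x60000020)
        body += raw
        va += 0x1000
    image = dos + coff + sec_hdrs
    return image + b"\0" * (raw_ptr - len(image)) + body


# Constructed fixtures: a pseudo-random blob stands in for compressed code (seeded, so
# the result is reproducible); the low-entropy blob imitates ordinary code and strings.
import random
_rng = random.Random(1)
HIGH_ENTROPY_BLOB = bytes(_rng.getrandbits(8) for _ in range(4096))
LOW_ENTROPY_BLOB = b"\x90" * 2048 + b"Hello, world\0" * 64

PACKED_SAMPLE = build_sample_pe([("UPX0", b""), ("UPX1", HIGH_ENTROPY_BLOB), (".rsrc", b"\0" * 256)])
PLAIN_SAMPLE = build_sample_pe([(".text", LOW_ENTROPY_BLOB), (".data", b"\0" * 512)])

if __name__ == "__main__":
    for label, sample in (("packed", PACKED_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(label, assess_packing(sample))
```

Running the script prints one summary per fixture: the packed image reports `packers: ['UPX']` and a high-entropy UPX1 section, while the plain image reports no packer and a low-entropy `.text`. This is the same evidence the article's "adv. scan" weighs when the section names have been altered: names are a cheap signature, entropy is the more robust signal, and a scanner that combines both is what turned the author's original UPX shell into a liability.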

The software described in this article can be found at www.2cto.com.

