DLL backdoor cleanup

Source: Internet
Author: User
Information Source: lams.blogchina.com


Backdoor! I believe this term will not be unfamiliar to you, but it will not be harmful to you. However, as people's security awareness gradually increases, it also adds the "strong support" of anti-virus software ", so that traditional backdoors cannot hide themselves. Anyone with a little knowledge about computers knows how to "Check ports" and "view processes" to discover some clues ". In this way, the process and port are hidden. This article takes "DLL principle" "DLL cleanup" and "DLL prevention" as the topic, and discusses how to make everyone "Get started" with DLL backdoors without fear of DLL backdoors. Now, go to our topic.

1. dll principles

1. Dynamic Link Library

Dynamic Link Library, short for dynamic link library (DLL), is used to provide extended functions for applications. To call a DLL file, an application must "dynamically link" it to it. From the programming point of view, the application must know the API function exported from the DLL file before calling it. It can be seen that the DLL file itself cannot be run and needs to be called by the application. This is because the DLL file must be inserted into the memory module of the application during running. This shows that the DLL file cannot be deleted. This is caused by the internal mechanism of Windows: running programs cannot be closed. So the DLL backdoor is born from this!

2. dll backdoor principles and features

Write a code that implements the backdoor function as a DLL file and insert it into an EXE file so that it can be executed. In this way, no process is required, and no corresponding PID Number exists, you can also hide it in the task manager. The DLL file itself is not much different from the EXE file, but must be called by the Program (exe) to execute the DLL file. To execute a DLL file, you need to load the EXE file, but to load the DLL file, you need to know the entry function of a DLL file (both the export function of the DLL file). Therefore, according to the DLL file writing standard: EXE must execute the dllmain () in the DLL file as the loading condition (like the mian () of exe ()). There are basically two types of DLL backdoors: 1) Implement all functions in the DLL file; 2) Make the DLL into a Startup File and start a common EXE backdoors as needed.

Common compiling methods:

(1) There is only one DLL file

Enabled. What is rundll32.exe? "Execute a 32-bit DLL file ". The internal implementation is the internal implementation of the dllfile. In this process, only rundll32.exe is available, and no DLL backdoor process is available. In this way, process hiding is realized. If you see multiple rundll32.exefiles in the system, you do not need to be alarmed. This shows how many DLL files are started with rundll32.exe. Of course, we can find all the DLL files executed by rundll32.exe from the locations where the system automatically loads them.

Now, I will introduce the rundll32.exe file, which means that the function is to call the dynamic link library through the command line. There is also a rundll.exe file in the system, which means to "execute a 16-bit DLL file". Pay attention to it here. For more information, see the function prototype used by rundll32.exe:
Void callback functionname (
Hinstance hinst,
Lptstr lpcmdline,
Int ncmdshow

The command line uses rundll32.exe dllname and functionname [arguments].
Dllname is the name of the DLL file to be executed, functionname is the specific extraction function of the DLL file to be executed on the front, and [arguments] is the specific parameter of the extraction function.

(2) Replace the DLL file in the system

This type of backdoor is more advanced than above. It makes the code that implements the backdoor function into a DLL file that matches the system, and changes the original DLL file name. When an application requests the original DLL file, the DLL backdoor starts a forwarding function and passes the "parameter" to the original DLL file; if you encounter a special request (such as a client), the DLL backdoor starts, starts, and runs. For such backdoors, all the operations are implemented in the DLL file to be the most secure, but there is a lot of programming knowledge and it is very difficult to write. Therefore, these types of backdoors generally make DLL files into a "Startup" file. In special cases (such as client requests), they start a common EXE backdoor; after the client ends the connection, stop the EXE backdoor, and then the DLL file enters the "break" status. It will not be started until the next client connection. However, with the introduction of Microsoft's "Digital Signature" and "file recovery" features, such backdoors have gradually declined.


In the winntsystem32 directory, there is a dllcache folder containing a large number of DLL files (including some important EXE files). After the DLL file is illegally modified, the system will recover the modified DLL file from here. If you want to modify a DLL file, you must first delete or rename the DLL file under the dllcache directory. Otherwise, the system automatically recovers.

(3) Dynamic embedded

This is the most common method for DLL backdoors. The significance is to embed the DLL file into the running system process. In Windows, each process has its own private memory space, but there are still various ways to enter the private memory space of its process to implement dynamic embedded. Because the key processes of the system cannot be terminated, such backdoors are very hidden and difficult to detect and kill. Common dynamic embedded systems include: "connected API", "Global hook", and "remote thread.

Remote thread technology refers to the process's memory address space by creating a remote thread in a process. When the exe (or rundll32.exe) creates a remote thread in the inserted process and commands it to execute a DLL file, our DLL backdoor will be mounted for execution, and no new process will be generated here, to stop the DLL backdoor, only the process linked to the DLL backdoor is terminated. However, if you are connected to key processes of some systems, you cannot terminate them. If you terminate the system processes, windows will be terminated !!!

3. dll backdoor startup features

The carrier EXE that starts the DLL backdoor is indispensable and important. It is called loader. If no loader is available, how can we start the DLL backdoor? Therefore, a good DLL backdoor will try its best to protect its loader from being scanned and killed. The entity of the DLL backdoor still exists. 3721 the real name of the network is an example, although it is not a "real" backdoor.

Ii. dll cleanup

This section uses three well-known DLL backdoors, namely "svchostdll. dll", "bits. dll", and "qoserver. dll ". The manual cleanup method is described in detail. I hope that you will be able to use these three DLL backdoors flexibly without fear of DLL backdoors. In fact, it is relatively simple to manually clear the DLL backdoor. It is nothing more than making an article in the registry. For more information, see the following.

1, portless Backdoor

This is a very powerful DLL backdoor program, in addition to the shell that can obtain the local system permission, it also supports a series of functions such as "detecting clone accounts" and "installing Terminal Services" (For details, refer to program help), applicable to systems such as Windows 2003, XP, and. The program uses svchost.exe to start. Normally, it does not open a port. You can perform reverse connections (the biggest feature). For hosts with _ blank "> firewalls, this function is far better.

Before introducing the cleanup, let's briefly introduce the key services of the system svchost.exe:
Svchost serves only as the service host and does not implement any functions. If svchost is required to start the service, a service is implemented in the form of DLL. The loader of the DLL directs to SVCHOST. Therefore, when starting a service, svchost calls the DLL of the Service to start the service. The DLL file for starting a service using svchost is determined by the parameters in the registry. There is a parameters subkey under the service to be started, servicedll indicates which DLL file is responsible for the service, and this DLL file must export a servicemain () function to support service tasks.

Haha! After reading the above theory, is it a bit blind (I am almost asleep)? Don't worry, let's take a look at the specific content ). We can see the parameters sub-key under hkey_local_machinesystemcurrentcontrolsetservicesrpcss. Its key value is % SystemRoot % system32rpcss. dll. This indicates that when the RPCSS Service is started. Svchost calls RPCSS. dll under the winntsystem32 directory.

This is the hkey_local_machinesoftwaremicrosoftwindows ntcurrentversionsvchost in the registry. It contains the groups started by svchost and various services in the group, among which the netsvcs group has the most services. To start a service using svchost, the service name will appear in hkey_local_machinesoftwaremicrosoftwindows ntcurrentversionsvchost. There are four methods to achieve this:
1. Add a new group and add the service name to the group.
2. Add a service name to an existing group.
3. directly use a service name in the existing group, but the service is not installed on the local machine
4. Modify the existing service in the existing group and point its servicedll to its own DLL backdoor.

The third method used by portless backdoor I tested.
Now, after reading the above principles, I think we can think of our method of clearing portless backdoor. Okay. Let's start now.

Note: As this document only describes how to clear a file, the usage is skipped here.

The loader of the backdoor calls svchostdll. DLL is inserted into the svchost process. Therefore, we first open Windows Process Management 2.5 in the Windows optimization master to view the module information in the svchost process, svchostdll. the dll has been inserted into the svchost process. We can conclude that, there will be a new service in "Administrative Tools"-"services. The service name is iprip, Which is started by SVCHOST.-K netsvcs indicates that the service is included in the netsvcs Service Group.

Stop the service, open the Registry Editor (START-run -- Regedit), and go to hkey_local_machinesystemcurrentcontrolsetservicesiprip to view its parameters subkey ). The key value svchostdll.exe of the programkey is the loader of the backdoor; the key value C: winntsystem32svchostdll. dll of servicedll is the called DLL file, which is the DLL file of the backdoor. Now let's Delete the iprip subkey (or use SC to delete it), and then edit the netsvcs Service Group under hkey_local_machinesoftwaremicrosoftwindows ntcurrentversionsvchost to delete the 49 00 70 00 72 00 69 00 70 00 00, the corresponding service name is iprip. Then exit and restart. After restart, delete the backdoor file in the winntsystem32 directory.

2, Bits. dll

This is Rong GE's work, DLL backdoor, and svchostdll. the DLL principle is basically the same, but here we use the fourth method described above, that is, "Modify the existing service in the existing group and point its servicedll to its own DLL backdoor ". To load. We still use Windows Process Management 2.5. From Figure 7, we can see that bits. dll has been inserted into the svchost process.

Okay. Now let's take a look at the specific clearing method. Because this backdoor is used to modify the existing service, but we don't know which service is modified, search for bits in the registry. DLL, and finally found bits under hkey_local_machinesystemcurrentcontrolsetservicesrasauto. DLL to view servicedll under the parameters subkey. Its key value is C: winntsystem32bits. DLL (8 ). Originally, the backdoor replaced the original DLL file of the RasAuto service with bits. DLL to implement automatic loading. Now we can modify the servicedll key value to the original DLL file of the RasAuto service, that is, % SystemRoot % system32rasauto. dll. Exit and restart. Then, delete bits. dll in the winntsystem32 directory.


Slave is a key process of the system, so it cannot be terminated. Before introducing the cleanup, I will first introduce the lsass.exe process:

This is a local security authorization service, and it will generate a process for the authorized users using the Winlogon service. If the authorization is successful, LSASS will generate a user access token, use the token to start the initial shell. Other user-initiated processes will inherit this token.

From the above introduction, we can see the importance of LSASS to the system. How can we clear it? See the following.

After the backdoor is successfully installed, a service named qosserver will be added to the service, and the qosserver. the DLL backdoor file is inserted into the LSASS process so that it can hide the process and start it automatically (9 ). Now let's open the registry and go to hkey_local_machinesystemcurrentcontrolsetservicesqosserver, delete the qosserver key directly, and restart. Explain (I will talk about the reason later), as shown in 11. Open the Registry again, go to hkey_local_machinesystemcurrentcontrolsetservicesappcpi, delete the appcpi key, restart, delete the qosserver, and finally Delete the backdoor file under the winntsystem32 directory.

I had a fight with this backdoor for more than three hours and restarted it n times. The reason is that, even if the qosserver service is deleted, the backdoor is still running, and the qosserver service in the service list is "Revived ". Later I learned the cause: After I deleted the qosserver service and restarted it, I inserted it to the qosserver In the LSASS process. the DLL file restores the qosserver service and generates another service, namely, appcpi. Therefore, you must delete the appcpi service in the Registry to clear the backdoor. From this we can see that the current backdoor protection measures are really a ring.

Note: After the qosserver service is deleted and restarted, change the qosserver startup category to disabled. Otherwise, even if the appcpi service is deleted, the qosserver service runs again.

Iii. dll prevention

After reading the above example, I think you have some knowledge about how to clear the DLL backdoor, but in reality, the DLL backdoor does not use the default file name, so you cannot be sure whether the DLL backdoor is in use. For DLL backdoors, the System32 directory is a good place, and most backdoors are the same, so pay attention to them here. Next I will introduce how to find the DLL backdoor. I hope it will help you.

1. After installing the system and all applications, back up the EXE and DLL files in the System32 directory: Open CMD and go to the winntsystem32 directory and run dir *. EXE> exe.txt & dir *. DLL> export), and use the: fc exe.txt exe0.txt> exedll.txt & FC dll.txt dll0.txt> export file. In this way, we can find multiple EXE and DLL files and determine whether the files are DLL backdoors Based on the file size and creation time.

2. Use a memory/module tool to view the DLL file called by the process, for example, Windows Process Management 2.5 in Windows optimization master. In this way, we can find out what DLL files are called by the process, and compare the results with the above FC command to further determine whether the DLL backdoor is in use. If you do not have an optimization master, you can use tasklist. This tool can also display the DLL file called by the process and the source code to facilitate modification.

3. for a common backdoor connection, you need to open a specific port, and the DLL backdoor is no exception. No matter how hidden it is, you need to open the port during the connection. We can use netstat-An to view all TCP/UDP port connections to find illegal connections. You usually need to know the port you open and understand the state attribute in netstat-. Of course, you can also use fport to display the process corresponding to the port. In this way, you can see all the unknown connections and ports in the system.

4. regularly check the locations automatically loaded by the system, such as registry and winstart. bat, autoexec. bat, win. INI, system. INI, wininit. INI, Autorun. INF, config. SYS. The second step is to manage services and understand the default services of the system. You can use SC in Windows 2000 Server Resource Kit to delete problematic services. All of the above can be used to load the loader of the DLL backdoor. If we delete the DLL backdoor loader, how can this problem be solved? How does the DLL backdoor run ?!

By using the above method, I think most DLL backdoors can be "active". If we do more backups at ordinary times, it will get twice the result with half the effort to find the DLL backdoors.


This article describes in detail some knowledge about DLL backdoors. In fact, it is not difficult to see from the above that the DLL backdoor is not as terrible as you think, and it is relatively simple to clear it. At the beginning of this article, I mentioned that it is intended to allow everyone to "get started quickly" with DLL backdoors. Therefore, I hope this article will be helpful to everyone. Please forgive me for any errors in this article, thank you!

Related Article

E-Commerce Solutions

Leverage the same tools powering the Alibaba Ecosystem

Learn more >

Apsara Conference 2019

The Rise of Data Intelligence, September 25th - 27th, Hangzhou, China

Learn more >

Alibaba Cloud Free Trial

Learn and experience the power of Alibaba Cloud with a free trial worth $300-1200 USD

Learn more >

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.