Trojan hiding techniques have evolved through hiding files, hiding windows and hiding processes, and are now moving on to remote injection. Hiding a file means nothing more than setting the file's attribute to "hidden"; there is no other protection. In the era when most users were unfamiliar with computers and security software vendors were only beginning to explore the market, Trojans with this simple self-protection were widespread, and Trojans produced this way are collectively called the "first-generation Trojans".

Hiding windows: everyone knows that the interface a program presents while running is defined as a "window". It is through windows that a program interacts with the user, and every complete program has at least one. But what if the author makes that window "invisible" at run time? The user will not notice that the program is running on the desktop, although an experienced user who opens the Task Manager will become suspicious on finding extra processes in the system.

Hiding processes relies on an API function that Microsoft never documented, "RegisterServiceProcess", which registers the process as a system service process; the Task Manager in Windows 9x does not display such processes. This was exploited by Trojans such as Glacier to settle on the machines of most ordinary users in China. Of course, the "hidden process" trick no longer works: Windows 2000, XP, 2003 and the other NT-based systems display all processes by default, including system service processes.

Next we focus on the latest hiding technique, "remote injection". Trojans using "thread injection" have now sprung up everywhere, but anyone who lived through that chaotic era will not forget the fear caused by the first DLL Trojan built on "thread injection", "ghost of the outside". So what is thread injection? Let us explain it in detail.
First, a user may not understand what a "thread" is, but a thread cannot be explained without first introducing the concept of a "process". Many newcomers to computers cannot say what a process is. They often hear experts talk about opening the Task Manager and ending a process, but when they see the long list in the Task Manager their heads spin. Many users know that the Task Manager can be used to close tasks that have stopped responding, yet if a task does not appear in the "Applications" list they are at a loss.

So what is a process? A "process" is the block of data and information that the system sets up in memory when it opens an executable file for running; by controlling this block, the system provides data exchange for the running program and determines how long the program lives. Any program must have at least one process, or the system will not recognise it. Seen from one angle, a process is an executable file copied from its storage medium into an image in memory, and it normally corresponds to a file on disk. The complete information about a process is extensive. The "Applications" tab of a process viewer shows the process title; the "Processes" tab shows the process file name, the process identifier and the memory usage. Of these, the "process file name" and the "process identifier" are the essential ones: the process identifier is the unique number the system assigns when it allocates the process's memory space, and it stays unchanged from the moment the process is loaded into memory until it finishes running; the process file name corresponds to the file name on the storage medium, and from it we can find where the original executable file is located.
The "tasks" listed under the Task Manager's "Applications" tab are the window objects a process displays on the desktop. For example, if you open Word 2003 to write a document, the process winword.exe creates a foreground window on the desktop, and that window is the "task" visible in the Task Manager. Not every process leaves a "task" in the Task Manager: QQ, MSN and all background programs do not appear in the task list, but you will find them in the process list. What if you want them to appear in the task list? Just make them create a window on the desktop: open a chat with a friend and you will find that a QQ task finally shows up in the task list. Therefore the truly sound way to stop a program is to end it in the "Processes" list rather than close it in the task list, because Trojan authors will never let their Trojans appear in the task list, but they can rarely keep them out of the process list.

A "thread" is one of several execution flows generated within a process.
Take a network file-transfer program as an example. If it runs only a single thread, its efficiency is very low: it must read file data from the network, save the file to disk and draw the current progress bar, and since, from the code's point of view, these operations can only execute one after another, the program cannot draw the progress bar while it is saving data. Even if the programmer forces them together, the program will appear very slow to the user or simply crash. Multithreading was created to solve this problem. An application written with "multithreading" can spawn several execution instances that run simultaneously; a file-transfer program written this way can split off three flows that perform the network transfer, the disk write and the drawing of the progress bar at the same time, so from the user's point of view the program runs smoothly. That is the role of a thread.

When a program runs it creates only one process, but within that process's memory space (the independent memory area set aside for the program to execute in) it can create many threads. There is always at least one default thread, the "main thread", which runs the main code of the program.

So what does "thread injection" mean? Its full name is "remote thread injection". Normally the memory space of each process is not accessible to other processes, and this is the foundation of stable program execution: the access restriction keeps all processes independent of each other, so the crash of any non-critical process does not affect the execution of processes in other memory spaces, which is why the stability of the NT architecture is far higher than that of the Win9x architecture.
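As an added illustration of the relation between a process and its threads described above (example code, not from the original article): the PowerShell script below starts three worker threads inside the current PowerShell process, modelled on the receive / write-to-disk / progress split in the text, lets them share one memory structure, and reads the process's thread count from Get-Process before and while they run. The byte counts are constructed, and the worker names and the synchronized hashtable are this example's own choices.

```powershell
# Added example (not from the original article): one process, several threads
# sharing the same memory space. Models the text's file-transfer split
# (receive, write to disk, draw progress) with three worker threads; the byte
# counts are constructed and the shared hashtable is this example's own choice.
$before = (Get-Process -Id $PID).Threads.Count

# One memory structure shared by every thread of this process.
$shared = [hashtable]::Synchronized(@{ received = 0; written = 0; done = $false })

$pool = [runspacefactory]::CreateRunspacePool(1, 3)
$pool.Open()

$workers = @(
    @{ Name = 'receive';  Script = {
        param($s)
        foreach ($chunk in 1..10) { $s.received += 4096; Start-Sleep -Milliseconds 50 }
        $s.done = $true
    } }
    @{ Name = 'write';    Script = {
        param($s)
        while (-not $s.done -or $s.written -lt $s.received) {
            if ($s.written -lt $s.received) { $s.written += 4096 }
            Start-Sleep -Milliseconds 30
        }
    } }
    @{ Name = 'progress'; Script = {
        param($s)
        while (-not $s.done) { Start-Sleep -Milliseconds 100 }
        "progress thread saw the transfer complete at $($s.received) bytes"
    } }
)

# Start every worker as a thread of this process, not as a new process.
$handles = foreach ($w in $workers) {
    $ps = [powershell]::Create()
    $ps.RunspacePool = $pool
    [void]$ps.AddScript($w.Script.ToString()).AddArgument($shared)
    [pscustomobject]@{ Name = $w.Name; Ps = $ps; Handle = $ps.BeginInvoke() }
}

Start-Sleep -Milliseconds 100
$during = (Get-Process -Id $PID).Threads.Count

foreach ($h in $handles) {
    $h.Ps.EndInvoke($h.Handle)   # blocks until that worker finishes; emits its output
    $h.Ps.Dispose()
}
$pool.Close()

"PID $PID had $before threads before the workers and $during while they ran"
"shared state: received $($shared.received) bytes, written $($shared.written) bytes"
```

The point to observe is that the PID never changes while the thread count rises, and that all three workers read and write the same $shared object without any copying between them: that is exactly the shared memory space that remote thread injection later abuses when it places a foreign thread inside a process that did not create it.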
However, in some specific scenarios processes must be able to access and manage each other, and that is the original purpose of "remote thread" technology: it enables cross-memory-space access between processes. Its core is to create a special thread that attaches a piece of executable code to the memory space of another process and runs it as one of that process's non-core threads; this attachment is called "injection". Remote thread technology is like a vine parasitic on a large tree: once the target process has been injected, the new thread becomes part of the target process's code, and as long as the target process is not terminated, whether the original process is still running no longer affects the result.

Alongside "thread injection", "hook" technology is also essential. What is a hook? The official definition is as follows: a hook is a platform for message handling in Windows. An application can install a subroutine on this platform to monitor the messages of a specified window, and the monitored window may have been created by another process. When a message arrives, it is processed before the target window's procedure sees it. The hook mechanism therefore allows an application to intercept and handle window messages or specific events. A hook is really a program segment for message handling; it is called by the system and attached to it. When a particular message is sent, the hook captures it before it reaches the target window, that is, the hook function gains control of the message first. At that point the hook function can process (change) the message, pass it on unchanged, or forcibly end its delivery.
Here the Trojan author first loads a DLL file, which is in fact the body of the Trojan, into memory, then injects it into the memory space of another process using "thread injection", so that the code in this DLL finally becomes part of that process and thereby runs hidden. By calling the "hook" mechanism, such a DLL Trojan can monitor the user's input and output operations, intercept useful information, and so on.

The actual executable body of this Trojan is a DLL file, which the system calls as a module-type executable: it contains nothing but a set of modules exported as functions. That is, every DLL must be loaded by an EXE that uses its functions; after a function in the DLL has executed, it returns its result to the calling EXE, and the DLL is unloaded from memory, ending its run. That is the standard DLL life cycle. A DLL that uses "thread injection" is different: it also exports functions, but its code carries its own execution logic. Such a module is like an ordinary EXE, yet it cannot start by itself; it needs a process created by a special program (called a loader) to load the DLL's main function into memory and execute it, at which point it becomes a running Trojan. For example, rundll32.exe C:\dlltest.dll test uses rundll32.exe to load dlltest.dll and call its test() function. Because Windows makes heavy use of DLLs, many DLL files are loaded into memory and run by their associated applications at start-up, so nobody can tell at a glance which DLL file did not come with the system, and a normal system DLL may even be replaced by a virus DLL of the same name. The concealment of this kind of Trojan is therefore a level higher, and its way of executing is more covert.
Anyone who knows Windows knows that a module is tightly bound to its process: once the process that loaded a module exits, the DLL module is forced to terminate. With a DLL Trojan that uses remote thread injection this does not happen, because ending the EXE that started first does not end the DLL, which now lives inside other processes. So by the time the user notices something wrong, there is no telling which normal process the DLL Trojan has long since been injected into. Even if the user finds the Trojan DLL, it cannot be terminated directly; to shut it down, one must find the process it was injected into among the many system processes and end that process. The injected process is often one that is critical to the operation of the system, so it is practically impossible for an ordinary user to detect and remove such a Trojan by hand.
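As an added, defender-side check (example code, not from the original article) for the situation the two paragraphs above describe, where a Trojan DLL hides among the many legitimate DLLs loaded into a process: the PowerShell script below enumerates every module loaded into every running process and flags the ones that live outside the Windows and Program Files directory trees or do not carry a valid Authenticode signature. The list of trusted directories, the output columns and the function names are this example's own assumptions, not a documented Windows baseline.

```powershell
# Added example (not from the original article): audit the DLL modules loaded in
# running processes and flag those outside the Windows / Program Files trees or
# without a valid Authenticode signature. Trusted roots and output shape are
# this example's own assumptions. Run from an elevated prompt to see the modules
# of system processes; modules of processes of the other bitness may be missing.
$trustedRoots = @(
    $env:SystemRoot,
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)}
) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

function Test-TrustedPath {
    param([string]$Path)
    foreach ($root in $trustedRoots) {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# Signature checks are slow; the same DLL is loaded by many processes, so cache by path.
$signatureCache = @{}
function Get-SignatureStatus {
    param([string]$Path)
    if (-not $signatureCache.ContainsKey($Path)) {
        $sig = Get-AuthenticodeSignature -FilePath $Path -ErrorAction SilentlyContinue
        $signatureCache[$Path] = if ($sig) { $sig.Status.ToString() } else { 'Unknown' }
    }
    return $signatureCache[$Path]
}

$findings = foreach ($proc in Get-Process) {
    # Access to some processes is denied without elevation; skip them rather than abort.
    $modules = try { $proc.Modules } catch { @() }
    foreach ($m in $modules) {
        $path = $m.FileName
        if (-not $path) { continue }
        $inTrustedTree = Test-TrustedPath $path
        $status = Get-SignatureStatus $path
        if (-not $inTrustedTree -or $status -ne 'Valid') {
            [pscustomobject]@{
                ProcessName = $proc.ProcessName
                PID         = $proc.Id
                Module      = $m.ModuleName
                Path        = $path
                TrustedTree = $inTrustedTree
                Signature   = $status
            }
        }
    }
}

"{0} loaded module instances flagged for review" -f @($findings).Count
$findings | Sort-Object Path, PID | Format-Table -AutoSize
```

Read the output as triage leads rather than verdicts: legitimate third-party software that ships unsigned DLLs will appear here too, Windows files that are catalog-signed report Valid, and a hit is worth investigating precisely because, as the text explains, the only way to stop an injected DLL is to identify and end the host process it was injected into, so knowing which process holds which foreign module is the information a responder needs first.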