Trojan horses: static linking, dynamic linking and the DLL Trojan explained _ Vulnerability Research

Source: Internet
Author: User
I believe that friends who often play with Trojans know the characteristics of the common ones and have their favourites, but many still do not know what the "DLL Trojan" that has become popular in recent years actually is. What is a "DLL"? How does it differ from an ordinary Trojan?
First, DLL technology
  To understand the DLL you first have to know what the name means, so let us go back a few years, to when DOS was the system in use. Writing a program was tedious then, because every program's code was self-contained: implementing one feature often meant writing a great deal of code from scratch. As programming technique matured, programmers gathered frequently used code into separate files and called such a file a "library". When you write a program you hand the library to the compiler (more precisely, the linker) and can use everything it contains without writing it yourself. This technique is "static linking". Static linking let weary programmers breathe a sigh of relief, and everything seemed fine. But good things never last: static linking is like a pushy salesman who sticks everything to your hand whether you want it or not. Your program may want only one of the graphics effects a library contains, yet the static linker pulls whole object modules out of the library, so a single function can drag in a great deal of code you never call. Those unused routines are like vases: harmless to own, but they block the road. The final executable grows fat, because the linker copied the library code into it. As time went on this inherent drawback meant static linking no longer satisfied programmers, and people began looking for a better way to solve the problem of duplicated code. Then Windows appeared, and with it a watershed. Windows uses a new linking technique called "dynamic linking". It still uses library files, but Microsoft calls them "dynamic link libraries", which is where the name DLL comes from.
The principle of dynamic linking is no different from static linking: the shared code is still written into separate files. The difference is in how the pieces are combined. Instead of copying the library into the program, Microsoft made the libraries into separately compiled program files and gave them an interface for exchanging data. When a program wants a function from such a library, the system loader maps the library file into the process's address space (one copy of the code pages can be shared by every process that uses it), connects it to the calling program, and the program then calls the function and receives its result as if the function were its own. The library stays mapped until the process unloads it or exits. Because Microsoft made these libraries callable by many programs at once, sharing is far more complete: whatever program you write, declaring the relevant DLL call is all you need to use its full functionality. Most importantly, a DLL never makes you carry an extra vase: you get what you ask for and nothing you don't. Programs written this way no longer carry a lot of junk. Think of it as a buffet, where you are not allowed to take leftovers home.
The birth of DLL technology made writing programs simple; Windows provides thousands of functional interfaces, enough to satisfy most programmers' needs. Windows itself is made up of thousands of DLL files that support one another and together form the whole powerful system. If Windows had used static linking, how big would it be? I cannot imagine.
Second, the application programming interface (API)
Above we gave a general account of DLL technology and mentioned an "interface". What is that? Because a DLL cannot be stuck into a program the way a static library is, there has to be a way for the program to find the code and file that implement a feature. Microsoft therefore defined a standard for DLLs: picture a DLL as a piece of cheese with many small holes bored into it, each labelled with the name of the function stored inside. A program that follows the standard finds the right hole and gets at the goodies. Those holes are the "application programming interface" (API): the functions a DLL exports. Each DLL exports a different set, which keeps code duplication to a minimum. In Steven's words: the API is a toolbox; you take out the screwdriver or the wrench you need and put it back in its place when you are done. The three most basic DLLs in Windows are kernel32.dll, user32.dll and gdi32.dll; together they form the basic system framework.
Third, DLLs and Trojans
A DLL is compiled code, not much different from an ordinary program, except that it cannot run on its own and must be called by a program. So what is the connection between DLLs and Trojans? If you learn to program and write a DLL, you will find its code is almost the same as any other program's; only the interface and the way it starts differ. Change the code's entry point and the DLL becomes a stand-alone program. Of course a DLL has no program logic of its own, so this does not mean DLL = EXE; rather, a DLL can be thought of as an EXE missing its main entry, and the functions a DLL carries as modules of a program. A DLL Trojan is a DLL file that implements the Trojan's functionality, adds some special code and exports related APIs. To an observer it is just an ordinary DLL, but it carries complete Trojan functionality. That is the concept of the DLL Trojan. Some may ask: if the same code can implement the Trojan, why not just build it as a program? Why write a DLL? The answer is concealment. A running DLL is attached directly to the process of the program that loaded it and creates no process of its own, so compared with a traditional EXE Trojan it is much harder to spot.
Fourth, how a DLL runs
Although a DLL cannot run by itself, Windows still calls an entry function when it loads one, much like main in an EXE. By the authoring convention this function is DllMain; the loader finds it through the entry-point address recorded in the DLL's PE header, so unlike the API functions it does not need to be exported. DllMain is called with DLL_PROCESS_ATTACH when the DLL is mapped into a process and with DLL_PROCESS_DETACH when it is unmapped (and for thread attach and detach in between). The DLL stays in memory until the process unloads it or exits; DllMain does not "keep" it there. Some DLLs define no DllMain and still work: the C runtime supplies a default entry that does nothing but return TRUE, and a DLL whose header records no entry point at all simply has nothing called. So the author may omit DllMain, but the loader still needs an entry it can call. One caveat for anyone writing one: DllMain runs while the loader holds its internal lock, so lengthy work inside it, or loading further libraries from it, can deadlock the process. The usual pattern is to start a thread from DllMain and do the real work there.
Fifth, technical analysis of DLLs and Trojans
By now you may be thinking: since DLLs have so many advantages, shouldn't every Trojan be written as one? True, but a DLL is not as easy to write as some people imagine. To write a usable DLL Trojan you need to know a bit more.
1. The body of the Trojan
Do not write the Trojan module as if it really were an API library; this is not WinAPI development. A DLL Trojan may export a few auxiliary functions, but there must be one procedure responsible for the main execution code, otherwise the DLL is just a pile of loose API functions and there is no question of it working.
Shared code the module needs should be written as internal functions within the DLL for its own use, rather than exposing everything as exported interfaces, which makes it awkward for the DLL to call its own code and even less likely to work.
The standard entry point of a DLL is DllMain, so the code that sets the DLL running, or that kicks off the DLL Trojan module, must be placed in DllMain.
2. Dynamic embedding (injection)
In Windows every process has its own private memory space which other processes are not allowed to operate on. In practice, though, there are several ways to access and manipulate another process's private memory; this is dynamic embedding, the technique of placing your own code into a running process. There are many kinds: the most common are Windows hooks (SetWindowsHookEx), API hooking and remote threads, and most DLL Trojans today use the remote-thread technique to attach themselves to a normal system process. Dynamic embedding is not in itself unusual; Logitech's MouseWare driver attaches itself to every process on the system. -_-
The remote-thread technique creates a thread (a "remote thread") inside another process and so gains entry to that process's address space. In the DLL Trojan context it is also called "injection": the loader creates a remote thread in the target process and has it load the DLL (typically by making LoadLibrary the thread's start routine and the DLL path its argument), at which point the Trojan is attached and running, with no new process created. The only way to stop the Trojan is to end the process hosting the Trojan DLL, and most of the time there is nothing you can do about that: it is attached to Explorer.exe. Are you sure you want to shut down Windows?
3. Starting the Trojan
Someone impatient may say: just put the DLL into the system's startup entries. The answer is no. As mentioned earlier, a DLL cannot run on its own, so it cannot simply be listed in a startup entry. To get the Trojan running you need an EXE. That EXE uses dynamic embedding to hitch the DLL onto a normal process, so that the process loads the DLL and the loader calls its DllMain, which fires up the Trojan; the EXE that started it all then exits, and the Trojan's start-up is complete.
The EXE that starts the DLL plays an important role; it is called the loader. Without a loader the DLL Trojan is just a heap of rags, so a mature DLL Trojan will find ways to protect its loader from being destroyed too easily. Think of the loader as the wolf and the DLL as the jackal riding on the wolf's back.
Loaders come in many forms. Windows' own rundll32.exe is often used as the loader for DLL Trojans. Trojans of this kind generally use no dynamic embedding at all: they hang directly off the rundll32 process, using rundll32's own syntax (rundll32.exe [DLL name],[function] [parameters]) to call the DLL's start-up function just as one would call an API (the function has to be exported with the prototype rundll32 expects: void CALLBACK Entry(HWND, HINSTANCE, LPSTR, int)). The Trojan module then executes. Even if you kill that rundll32 instance, the Trojan body remains: the DLL file and the start-up entry that references it are still there, and it comes back at the next start. The most common example is 3721 "Chinese Real Name", although that is not a Trojan.
Some Trojans also use the registry value AppInit_DLLs (under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows) to start themselves; the so-called "cover letter" virus is one example. Starting this way lets the system itself call DllMain, because every process that loads user32.dll also loads the DLLs listed there. That reach is exactly why it is rare: a DLL loaded into every GUI process, system processes included, must be extremely stable, since the slightest error takes those processes down with it and can leave the system unusable.
Some more sophisticated DLL Trojans start through Svchost.exe. Such a DLL must be written as an NT service DLL with ServiceMain as its entry function, and is registered under HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters\ServiceDll so that svchost hosts it in one of its service groups. These are rarely seen, but their concealment is good and the loader is protected, since the loader is a system component.
4. Other
By now everyone should have an understanding of DLL Trojans. Don't you want to write one? Not so fast. Have you wondered why, if DLLs are so good, so few DLL Trojans are actually found? Let me pour cold water on it. The most important reason is just one: because the DLL runs inside a system process, if it is not written properly, for example without error-handling code, or without strictly validating input, the DLL crashes. Don't panic, an ordinary EXE fails the same way; but when a DLL crashes, the program it is attached to suffers too, and do not forget that it is attached to a system process. The result is... appalling. So writing a DLL Trojan fit to be released takes far more error-checking work than an ordinary EXE Trojan, and far more patience.
Sixth, finding and removing DLL Trojans
Often you see an inexplicable extra entry in the start-up items: that is the loader. Kill the wolf and the jackal can no longer run wild. The DLL itself is harder to find; it takes some programming knowledge and analysis skill to pull the DLL's name out of the loader, or to look at the modules each process has loaded and spot an unfamiliar DLL. For beginners that is difficult, more than difficult, so the simplest way is antivirus software and a firewall (not a panacea, and do not rely on them forever). The places worth checking follow from the start-up methods above: the Run keys (a rundll32 entry naming an odd DLL), the AppInit_DLLs value, the ServiceDll value of svchost-hosted services, and the list of modules mapped into each process, checking each module's path and digital signature.
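The checks described in this section, scripted as an added example (my code for this page, not the article's). Each function covers one of the start-up mechanisms from section 3 or the in-process view described here. Run it from an elevated PowerShell; which directories count as trusted and what counts as suspicious are my choices and will produce false positives on a real machine (third-party unsigned DLLs, service DLLs under Program Files), so treat the output as a triage list, not a verdict.

```powershell
# Added example: hunt for the DLL Trojan start-up patterns described in the article.
# Trusted-path rules and "suspicious" thresholds are my assumptions; expect false positives.

function Get-RunKeyLoaders {
    # Start-up entries that invoke rundll32 (or regsvr32) follow the "loader" pattern from section 3.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }        # PSPath, PSProvider etc. are provider metadata
            if ("$($p.Value)" -match 'rundll32|regsvr32') {
                [pscustomobject]@{ Check = 'RunKey'; Where = "$k\$($p.Name)"; Value = $p.Value }
            }
        }
    }
}

function Get-AppInitDlls {
    # Anything listed here is loaded into every process that loads user32.dll.
    $k = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    $v = Get-ItemProperty -Path $k
    [pscustomobject]@{ Check = 'AppInit_DLLs'; Where = $k; Value = $v.AppInit_DLLs; Enabled = $v.LoadAppInit_DLLs }
}

function Get-SvchostServiceDlls {
    # svchost-hosted services name their DLL in Parameters\ServiceDll; flag any outside System32.
    $sys32 = Join-Path $env:SystemRoot 'System32'
    foreach ($key in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services') {
        $svc = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $svc -or -not $svc.ImagePath -or $svc.ImagePath -notmatch 'svchost\.exe') { continue }
        $params = Get-ItemProperty -Path "$($key.PSPath)\Parameters" -ErrorAction SilentlyContinue
        if (-not $params -or -not $params.ServiceDll) { continue }
        $dll = [Environment]::ExpandEnvironmentVariables($params.ServiceDll)
        if ($dll -notlike "$sys32\*") {
            [pscustomobject]@{ Check = 'ServiceDll'; Where = $key.PSChildName; Value = $dll }
        }
    }
}

function Get-SuspiciousLoadedModules {
    # The DLL has no process of its own, so look at what each process has mapped: modules
    # outside the Windows / Program Files trees, or without a valid Authenticode signature.
    $trusted = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    $seen = @{}                                        # check each file once, even if many processes map it
    foreach ($proc in Get-Process) {
        try { $mods = $proc.Modules } catch { continue }   # protected or cross-bitness processes refuse
        foreach ($m in $mods) {
            $path = $m.FileName
            if (-not $path -or $seen.ContainsKey($path)) { continue }
            $seen[$path] = $true
            $inTrusted = $false
            foreach ($t in $trusted) { if ($path -like "$t\*") { $inTrusted = $true } }
            $sig = (Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue).Status
            if (-not $inTrusted -or $sig -ne 'Valid') {
                [pscustomobject]@{ Check = 'LoadedModule'; Where = "$($proc.ProcessName) ($($proc.Id))"; Value = $path; Signature = $sig }
            }
        }
    }
}

# Usage (elevated): gather all four views into one triage list.
& { Get-RunKeyLoaders; Get-AppInitDlls; Get-SvchostServiceDlls; Get-SuspiciousLoadedModules } | Format-List
```

Two design notes. The module scan keys on path and signature rather than on a name list, because a DLL Trojan is named to look ordinary; a module loaded into explorer.exe from a user-writable directory, or one Windows cannot verify, is what you want surfaced. And the scan deliberately reads the loaded-module list of live processes rather than the file system, since, as the article says, the DLL never appears as a process of its own; the hosting process is the only place it shows.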
