Virus Trojan Killing Combat No. 020: The basic principle of active defense in Ring3 layer

This series of tutorials is copyright "I spring and Autumn" All, reproduced please indicate the source.

for Video tutorials, please visit "I Spring" (www.ichunqiu.com).

Preface

If we have anti-virus software installed in our computer, then when we intentionally or unintentionally downloaded a malicious program, kill the soft generally pop up a dialog box prompts us, the download program is likely to be malicious programs, suggest deletion or the like, or kill the soft without prompting, directly deleted; or when we run a program, Contains suspicious operations, such as the creation of boot-up items, then kill the soft generally will also be reminded of this, or when we insert a USB stick in the computer, kill soft often will also be the first time to scan the U disk, confirm that there is no problem, then open the U disk ... These, in fact, belong to the "active defense" function of killing soft.

Introduction to "Proactive Defense"

Anti-virus software usually integrates monitoring and identification, virus scanning and cleaning, automatic upgrade virus database, active defense and other functions, and some anti-virus software with data recovery and other functions, is an important part of the computer defense system. With regard to "virus scanning and purging", we have already explained the basic principles in the course of writing and signature killing tools. And the development of anti-virus software so far, the major security manufacturers are increasingly focusing on the "active defense" technology research and development. This technology is so important because a good "proactive defense" system can still prevent all kinds of unknown Trojans and new viruses, even without upgrading the virus database. Because of any malicious program, if it wants to implement a variety of functions, it will eventually need to invoke various API functions. Then we can monitor the sensitive API functions, before the API function execution, first parse the contents of the API function parameters, so as to determine what the target program is to achieve what kind of function, if it is malicious operation, interception, so that the API function can not be executed. If it is normal operation, the direct release.

For example, malicious programs like to add themselves to the system's Startup items, then we can turn on the registry of the relevant functions of monitoring, if the target program is detected to add registry startup items, then before adding, the first interception, ask the user whether to agree to the program to join the startup item, if the user agrees to cancel the interception, Joins the program to the startup item. If the user does not agree, or the "active defense" system is determined that the target program is a malicious program, then it will block the malicious program of this function, to ensure the security of our computer. Through our previous course of analysis of the virus can be known that virus programs tend to have a variety of behavior, then we need to monitor all aspects of the computer system, and even need some algorithm to analyze the mutual relationship between the API function calls, so that the target program to determine. Because of this, the "active defense" system is not so dependent on the virus database support. As a result, many master computers often do not install any anti-virus software, but must install the "active defense" system.

Mature anti-virus software or specialized "active defense" system, their programming implementation is based on the RING0 layer, because it is only at the kernel level, can achieve good monitoring effect. For simplicity, our course is easy to understand, and it is the simplest implementation of the "active defense" system based on the RING3 layer. Although the R3 level, but also involved a lot of knowledge, I hope we must first make clear the theory, so in the next programming implementation, will be very well.

The knowledge we need has the following points:

1, the basic principle of the Inline hook

2, the basic method of DLL injection

3, the system to monitor the global

Fundamentals of Inline HooksThe API functions are stored in the DLL files provided by the operating system. When we call an API function in the program and run the program, the program implicitly loads the DLL file where the API function is located into the process, so that the program invokes the API function as if it were a function called itself. We can take a look at the experimental procedure:

#include <stdio.h> #include <windows.h>int main () {char szcommandline[] = "notepad.exe";    The program to be started startupinfo si = {sizeof (SI)};    Process_information Pi; Si.dwflags = Startf_useshowwindow;                Specifies that the Wshowwindow member is valid Si.wshowwindow = TRUE;                        This member is set to TRUE if the new process's main window is displayed BOOL BRet = CreateProcess (NULL,//Do not specify the file name of the executable here Szcommandline,//command-line parameter NULL,//default process security NUL L,//default process security FALSE,//Specifies that the current in-process handle cannot be inherited by the quilt process Create_n              ew_console,//Creating a new console window for the new process NULL,//environment variable using this process null,    Drive and directory using this process &si, &AMP;PI);        if (BRet) {//switch off unused handle CloseHandle (Pi.hthread); CloseHandle (pi.hprocess);}    GetChar (); return 0;}

When the above program runs, the Notepad program opens. Because our entire "active defense" program is designed around the CreateProcess () function, so our example is explained in this function. We can use OD load this program to look at the statement at the function call location:

Figure 1

As you can see, the program calls the call statement to invoke the CreateProcess () function in Kernel32.dll when a series of push has the parameters in the stack. In fact, the call statement to implement two functions, the first is to push the stack into the current instruction in memory position, that is, the use of the push statement to save the return address, followed by the use of the JMP statement to jump to the entrance of the called function. You can step into the call statement, then press F7 to enter the call:

Figure 2

At this point the program jumps to the location of the 0x7c80236b, which is where CreateProcess () really implements the code. By observing the current load state in memory, it is known that the address is in Kernel32.dll:

Figure 3

Can summarize, when we write EXE file need to call CreateProcess () function, Will load the Kernel32.dll into memory (in fact, regardless of what program is running, Kernel32.dll generally automatically load memory), and then call the dynamic link library CreateProcess () function (actually called CreateProcessA or CREATEPROCESSW), because the real CreateProcess () function is implemented in the Kernel32.dll module. The call here can actually be understood as jumping directly to the address of the function to execute. Based on this knowledge, we can completely modify the image of the API function in memory, so as to realize the hook of the API function. Specifically, using the Assembler directive jmp to change the execution of the code, instead of jumping to the 0x7c80236b location, skip to the code we wrote, and then decide whether to let it jump to 0x7c80236b to continue execution after we have executed our own code.

So the question now is how to construct a JMP statement. In fact, in the course of the buffer Overflow Analysis series, I've talked about a "jmp back" approach, which is the same way as it is. Let's take a look at the features of the JMP statement in our program. After entering the main function, there is exactly one jmp:

Figure 4

The program passes through this jmp and comes to the real location of the main function. Here we analyze the disassembly code located at 0x00401005, which is "E9 06000000". One of the "E9" is the corresponding machine code in JMP, the following "06000000" is actually a jump offset, the formula for the offset is as follows:

Offset value After JMP = Destination Address – Current address-5

Subtract 5 from the formula because the JMP instruction jumps and requires five bytes to be implemented. So for our current program, combined, the destination address is 0x00401010, the current address is 0x00401005, that is:

Offset value after jmp = 0x00401010-0x00401005–5 = 6

The origin of the "06" Behind "E9". The above analysis shows that we just need to change the first five bytes to our JMP statement at the function location where we want to hook, so that we can jump to our own function position.

Since this method is directly embedded in the process of the program in the JMP instruction to change the process, it is called an inline Hook.

The basic method of DLL injection

The program in which we want the hooked function to actively execute our JMP statements every time we call CreateProcess () requires that we extend the functionality of the target program, which can be done by having the target program load the DLLs we have written. Then, in order for the target program to load the DLL, it needs to be implemented using the DLL injection method.

Specifically to the active defense program we want to write, in fact, the function hook, that is, hook CreateProcess () function, is through a DLL program to achieve, and our main function is to inject the DLL into the corresponding process, when the monitoring stopped, then the DLL unloaded. The injection and uninstallation of DLLs is a rigorous sequence of processes that are injected as follows:

1. OpenProcess get handle to inject process

2, VirtualAllocEx in the remote process to open up a section of memory, the length of strlen (dllname) +1;

3. WriteProcessMemory writes the name of the DLL to the memory opened in the second step.

4, CreateRemoteThread will loadlibrarya as the thread function, the parameter is the name of the DLL, create a new thread

5. CloseHandle Close Thread handle

The uninstallation process is as follows:

1, CreateRemoteThread inject getmodulehandle into the remote process, the parameter is injected DLL name

2. GetExitCodeThread the exit code of the thread exit as the handle value of the DLL module.

3. CloseHandle Close Thread handle

3, CreateRemoteThread the Freelibrarya into the remote process, the parameter is the value of the handle obtained in the second step.

4. WaitForSingleObject wait for object handle to return

5. CloseHandle close thread and process handle.

In fact, the above process is not difficult, and our next lesson in the process of writing, according to the above process.

Global monitoring of the system

In the RING3 layer, the most common way to monitor a system globally is to use the global hooks of Windows. After installing the global hook in the operating system, as long as the target process conforms to the conditions we set, the DLL file of the global hook will be loaded into the process by the operating system automatically or forcibly, and the DLL file is the code of the hook function, that is, we want to hook the implementation of the function. It can be seen that this hook needs to be implemented using DLL injection. If we use this method, we need to use the SetWindowsHookEx () function to set the hook, and set the first parameter of the function to Wh_getmessage, which is to monitor the messages that are posted to the message queue. So the specific implementation of this approach, because it is not the focus of our discussion, so we can refer to the corresponding information. This time we are using a relatively simple approach that does not require global monitoring, but rather the monitoring of the Explorer.exe process.

In fact, most of the process is created by the Explorer.exe process, such as we open processexplorer, and then run the program we wrote above:

Figure 5

It can be seen that there are a lot of sub-processes under the Explorer.exe process, and our CreateProcessTest.exe is a member of its child process, including the Notepad.exe program initiated by the program. So as long as we monitor the process and hook its createprocess () function, we can achieve the monitoring purpose we want to achieve. Of course, the use of this method does not necessarily play an absolute monitoring effect, after all, the method is too simple, but basically can achieve the effect we hope.

SummaryThis time we discussed the basic principles of active defense based on the RING3 layer, we are talking about the simplest way, I hope you can figure out what we are explaining each of the knowledge, so in the next programming implementation, will not be confused.

Virus Trojan Killing Combat No. 020: The basic principle of active defense in Ring3 layer