DLL virus analysis (1)

Source: Internet
Author: User

Preface: Many people run into inexplicable problems on their systems: strange windows pop up while browsing, and all sorts of Trojans keep appearing, most of them DLL viruses. I have always wanted to write an article on how DLL-injecting Trojans work; unfortunately, lack of time kept me from doing so until now.

Before the article itself, I think two points need to be made first.

First, the term rootkit appears in many of the articles I have reposted, and you may not be familiar with it. The advertising for Rising's Kaka Internet Assistant mentions that it adopts many anti-rootkit techniques. Taken literally the word sounds like something to do with the system kernel, which makes it look like an advanced term. In fact, on Linux the term originally referred to a toolkit used to hide a backdoor that can obtain administrator privileges directly. Later it was carried over to Windows, and one of the most successful examples of this kind of virus on Windows is Hacker's Door; I believe many people have used it.

Second, the DLL virus has earned itself a glorious page in virus history, because it really is remarkable: its simplest trick is to hide inside other processes. Most of these viruses are backdoors, and since they generally do not show up as a process of their own, they are especially well concealed and hard to find. The carrier EXE that starts the DLL backdoor is indispensable; it is called the loader. Without a loader, how would the DLL backdoor start at all? A good DLL backdoor will therefore do its best to protect its loader from being scanned and killed. The usual loaders are rundll32.exe and svchost.exe, and in those cases the body of the DLL backdoor still exists as a file on disk.

Put simply, a DLL is a library containing code and data that can be used by several programs at the same time, which is why it is called a dynamic link library. When an EXE runs, it calls many DLL files to implement extra functionality. This mechanism is exactly what the virus exploits: it uses injection to get its own code into a host process for its own evil purposes.

Write the code implementing the backdoor as a DLL file and insert it into an EXE so that it gets executed. This way no separate process is needed and no PID of its own exists, so it stays hidden in Task Manager. Think of the DLL as a parasite and the EXE as its host: the DLL is injected into the address space where the EXE runs, and that is where it lives. Once the EXE is terminated, the DLL dies with it.

After reading the above you should have a rough idea of DLL insertion. DLL insertion is also called "remote thread injection". It is nothing new; it is one of the rootkit techniques. Operating-system security levels range from ring0 (kernel driver level) to ring3 (user program level). There are many techniques at ring3, such as remote thread injection, API hooking and port reuse. Reaching ring0 is really difficult, but that does not affect our understanding of the DLL virus. For more on rootkits, visit www.rootkit.com.

Suppose we have already compiled the DLL virus: how do we make it run? As mentioned above, we need to find a suitable host, that is, an EXE process to load our DLL. There are the following ways:

I. Using the system's rundll32.exe to load it

People often find a value like rundll32.exe c:\temp\XXX.dll dllmain in the startup items of the registry.

What does it mean? The rundll32.exe program, as its name implies, runs a 32-bit DLL: it calls a dynamic link library from a command line. Its command-line usage is:

rundll32.exe <DLL name> <name of the function to call>   = This is the focus =

If our DLL contains a function test(), the call is rundll32.exe c:\dlltest.dll test.

In this way the function in the DLL is run.
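To turn the command-line format above into a check, here is an added example (my own code, not from the article) that parses autostart values or process command lines, picks out rundll32 invocations, and reports the DLL and entry point each one loads, flagging DLLs that sit in a temp folder. The registry values are constructed sample data; the parsing follows how rundll32 reads its command line (comma or space between DLL and entry point, quoted paths allowed).

```python
"""Pick rundll32 loaders out of autostart command lines (added example, not from the article)."""
import ntpath
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Directories the article singles out as common hiding places for a dropped DLL.
SUSPICIOUS_DIRS = ("\\temp\\", "\\tmp\\")

# Constructed sample of Run-key style values; "Updater" and "Quoted" are the ones to worry about.
SAMPLE_RUN_VALUES: Dict[str, str] = {
    "NvCpl": r"RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup",
    "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
    "Updater": r"rundll32.exe c:\temp\xxx.dll dllmain",
    "Quoted": r'"C:\WINDOWS\system32\rundll32.exe" "C:\Documents and Settings\u\Local Settings\Temp\svc.dll",ServiceMain /start',
}


@dataclass
class RundllCall:
    dll: str
    entry: str
    args: str
    reasons: List[str] = field(default_factory=list)   # why this entry looks suspicious


def _take_token(s: str):
    """Split off the first token, honouring double quotes; returns (token, remainder)."""
    s = s.lstrip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end < 0:
            return s[1:], ""
        return s[1:end], s[end + 1:]
    m = re.match(r"\S*", s)
    return m.group(0), s[m.end():]


def parse_rundll(cmdline: str) -> Optional[RundllCall]:
    r"""Return the DLL/entry pair if cmdline is a rundll32 invocation, else None.

    rundll32 takes '<dll>,<entry> [args]' and also accepts a space instead of the
    comma, which is the form the article shows (rundll32.exe c:\temp\xxx.dll dllmain)."""
    exe, rest = _take_token(cmdline)
    if ntpath.basename(exe).lower() != "rundll32.exe":
        return None
    rest = rest.lstrip()
    if rest.startswith('"'):
        dll, rest = _take_token(rest)           # quoted path may contain spaces
    else:
        m = re.match(r"[^\s,]*", rest)         # unquoted: stop at comma or whitespace
        dll, rest = m.group(0), rest[m.end():]
    rest = rest.lstrip(" ,")                    # drop the separator before the entry point
    entry, rest = _take_token(rest)
    if not dll or not entry:
        return None
    call = RundllCall(dll=dll, entry=entry, args=rest.strip())
    if any(d in dll.lower() for d in SUSPICIOUS_DIRS):
        call.reasons.append("DLL lives in a temp directory")
    if not ntpath.isabs(dll):
        call.reasons.append("DLL given without a full path (resolved via search order)")
    return call


def audit_run_values(values: Dict[str, str]) -> Dict[str, RundllCall]:
    """Map each autostart value name that uses rundll32 to its parsed call."""
    return {name: call for name, cmd in values.items() if (call := parse_rundll(cmd)) is not None}


if __name__ == "__main__":
    for name, call in audit_run_values(SAMPLE_RUN_VALUES).items():
        flag = "SUSPECT" if call.reasons else "ok"
        print(f"{name:8} {flag:7} {call.dll} -> {call.entry}  {' / '.join(call.reasons)}")
```

The same parser applies to the rundll32.exe command line seen in the process list, which is how the removal section later says to find the DLL a running rundll32 has loaded.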

II. Replacing a system DLL

Here the code implementing the backdoor is built as a DLL with the same name as a system DLL, and the original DLL is renamed. When an application requests the original DLL, the backdoor DLL forwards the call, passing the parameters on to the original DLL; when it sees a special request (for example from its client), the backdoor starts up and runs. This is not easy to implement, so it is not widespread.

III. DLL injection, the technique this article is about

The idea is to embed the DLL file into a running system process. In Windows each process has its own private memory space, but there are still various ways to get into another process's private memory and embed code dynamically.

What are the benefits? First, hiding: Task Manager cannot see our DLL backdoor. Second, on Windows, unlike Linux, a file that is in use cannot be deleted, which is why you so often get the message "XXX is running and cannot be deleted" when you try to delete something. Perhaps most importantly, it gets through the great majority of firewalls. Think about it: the firewall will not block IE, so if we insert the DLL into the IE process, does it not get through the firewall?

So how do we inject the DLL into an EXE? The DLL will not inject itself; that is what a loader, say dllloader.exe, is for. The injection code is written into dllloader.exe, and running dllloader.exe is enough to inject the corresponding DLL file into any program. With the loader everything is easy: as long as the system starts the loader automatically every time, the backdoor's survival time increases greatly. As for how to start it, there are registry entries, services, BHOs, ActiveX, scheduled tasks and so on, far too many to list.

Prevention and removal of DLL Trojans

For the first type (loaded by rundll32):

The figure shows rundll32.exe running. You only need to find the DLL it calls and kill the hidden program.

For the third type (injected DLL):

First trick:

The most common hiding places for a DLL are the temp, system32 and Windows folders. If one day you find a DLL file in temp that cannot be deleted, it is almost certain that something is wrong with it. After installing the system and all applications, back up the list of EXE and DLL files in the System32 directory: open cmd, go to the WINNT\system32 directory, and execute:

dir *.exe > exefirst.txt & dir *.dll > dllfirst.txt

Now the lists of all EXE and DLL files are stored in exefirst.txt and dllfirst.txt. If something seems off in the future, list the EXE and DLL files again with the same command:

dir *.exe > exesecond.txt & dir *.dll > dllsecond.txt

and then use:

fc exefirst.txt exesecond.txt > exeresult.txt & fc dllfirst.txt dllsecond.txt > dllresult.txt

This uses the fc command to compare the two EXE lists and the two DLL lists and saves the differences to the result files. That way we find the EXE and DLL files that have appeared or changed, and can judge from file size and creation time whether they are DLL backdoors. = This works, but it is very tedious! =
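The same baseline-and-compare routine can be scripted so that it reports added, removed and altered files directly instead of leaving you to read fc output. The following is an added example, not code from the article: it builds a throwaway folder with a few constructed files standing in for system32, takes a first snapshot, drops a new DLL and alters an existing one, then compares the two snapshots.

```python
"""Baseline-and-compare for EXE/DLL files: the article's dir/fc routine, scripted (added example)."""
import os
import tempfile
from typing import Dict, List, NamedTuple, Tuple


class Entry(NamedTuple):
    size: int
    mtime: int


Snapshot = Dict[str, Entry]


def snapshot(folder: str, exts=(".exe", ".dll")) -> Snapshot:
    """Record size and modification time of every EXE/DLL in folder (the 'dir > first.txt' step)."""
    snap: Snapshot = {}
    for name in os.listdir(folder):
        path = os.path.join(folder, name)
        if os.path.isfile(path) and name.lower().endswith(exts):
            st = os.stat(path)
            snap[name.lower()] = Entry(st.st_size, int(st.st_mtime))
    return snap


def save(snap: Snapshot, path: str) -> None:
    """Store a snapshot as one 'name<TAB>size<TAB>mtime' line per file, like exefirst.txt."""
    with open(path, "w", encoding="utf-8") as f:
        for name in sorted(snap):
            f.write(f"{name}\t{snap[name].size}\t{snap[name].mtime}\n")


def load(path: str) -> Snapshot:
    """Read a snapshot written by save()."""
    snap: Snapshot = {}
    with open(path, encoding="utf-8") as f:
        for line in f:
            name, size, mtime = line.rstrip("\n").split("\t")
            snap[name] = Entry(int(size), int(mtime))
    return snap


def compare(first: Snapshot, second: Snapshot) -> Tuple[List[str], List[str], List[str]]:
    """Return (added, removed, changed) file names; 'changed' means size or mtime differs (the fc step)."""
    added = sorted(set(second) - set(first))
    removed = sorted(set(first) - set(second))
    changed = sorted(n for n in set(first) & set(second) if first[n] != second[n])
    return added, removed, changed


def demo() -> Tuple[List[str], List[str], List[str]]:
    """Constructed scenario: baseline a stand-in system32, then a DLL appears and another is altered."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("kernel32.dll", "user32.dll", "gdi32.dll", "rundll32.exe", "readme.txt"):
            with open(os.path.join(d, name), "wb") as f:
                f.write(b"\x00" * 100)
        save(snapshot(d), os.path.join(d, "first.txt"))         # exefirst/dllfirst
        with open(os.path.join(d, "xxx.dll"), "wb") as f:       # an unknown DLL is dropped
            f.write(b"\x00" * 4096)
        with open(os.path.join(d, "user32.dll"), "ab") as f:    # an existing DLL grows
            f.write(b"\x00" * 16)
        save(snapshot(d), os.path.join(d, "second.txt"))        # exesecond/dllsecond
        return compare(load(os.path.join(d, "first.txt")), load(os.path.join(d, "second.txt")))


if __name__ == "__main__":
    added, removed, changed = demo()
    print("added:", added, "removed:", removed, "changed:", changed)
```

Point snapshot() at the real System32 directory and keep the saved first.txt somewhere the system cannot quietly overwrite it; a later run against a fresh snapshot then lists exactly the files to look at by size and creation time.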

Second trick:

Use tools such as SysCheck, IceSword and the Rising firewall to check whether unknown DLLs are loaded into the IE and explorer (desktop) processes. These tools have similar detection capability; I think SysCheck is somewhat stronger.

Third trick:

Search by creation time: use the Windows file search function with the time set to the period in question. I usually choose "created".

Fourth trick:

Regularly check the locations the system loads automatically, such as the registry startup items, the service list, win.ini, system.ini and so on; you can find more autostart locations online. I recommend the Autoruns tool for this. = It may not catch everything, but it is quite good =

Fifth trick:

Use a tool to view the list of open ports. If you do not want to use cmd, use a tool that shows the application path behind each TCP connection; that also leads you to the file. A port scanning tool can be used as well, but it is not essential.

Sixth trick:

Having found the suspicious file with the previous steps, how do we delete it, that is, how do we kill the "parasite"? The simplest way is to let the "host" die: end the EXE process the DLL is inserted into. If it is IE, that can be done directly from Task Manager. If the desktop process explorer is killed, the taskbar disappears; how do we delete the DLL then? Press Ctrl+Alt+Del to bring up Task Manager, click File on the menu bar and choose New Task. In the "Create New Task" window click Browse, locate the DLL file that was inserted into Explorer, that is, the "parasite", right-click it and delete it. After deleting it, type "explorer" in the "Create New Task" window and click OK. What if the DLL is inserted into csrss.exe or another core system process, one whose host cannot be killed? = Honestly, I personally don't think this can be done, whatever is said about it on the Internet. I recommend searching the Internet for information on the virus file we identified; if you find nothing, boot into DOS and delete it there! =

A final word: in reality it is not as simple as I have described, but as long as you catch the core, the Trojan can be found; no matter its seventy-two transformations, it still shows its true shape. Finally, I wish everyone better luck staying clear of viruses!

==========================================

Other related knowledge:

==========================================

I. Tracing the origins: starting with the DLL

To understand what a "DLL Trojan" is, you first have to know what a "DLL" is! Talking about DLLs, we cannot avoid the long DOS era. Under DOS, writing a program was tedious, because every program's code had to be self-contained; to implement one common function you might have to write a great deal of code for it. Later, as programming technology advanced, programmers began to put many commonly used pieces of code (general-purpose code) into a separate file called a "library". When writing a program, you add this library file in the compiler and can use every function it contains without writing much code of your own. This technique is called "static linking". Static linking relieved the tired programmers, and everything seemed wonderful. However, its biggest drawback is the enormous consumption and waste of resources: when a program needs only one graphic effect contained in a library file, the whole library with all its graphic effects is added to the program, making it very bloated. Even if that did not matter much, these bloated programs were a roadblock: static linking produces a huge final program, because the compiler loads the entire library file.

Technology keeps developing. Because of the unavoidable drawbacks of static linking, it could no longer meet the needs of programmers, and people began to look for a better way to solve code duplication. With the arrival of Windows came a new technique called the dynamic link library, which also uses library files; that is where the name DLL comes from. Dynamic linking is no different from static linking in essence: common code is still written into separate files. The difference is in compilation. Microsoft made library files into compiled program files and gave them an interface for exchanging data. When a programmer's code uses a function from a library file, the system loads that library into memory, attaches it to the program's process, executes the function the program asked for and returns the result. When the requested work is done, the DLL stops running and the call is over. Microsoft made these library files callable by many programs at once, achieving real sharing: whatever program you write, you only have to declare the calls to the relevant DLL in your code to use all its functions, and the resulting program no longer drags a pile of useless baggage along.

The birth of DLL technology made programming easier. Windows provides thousands of function interfaces that meet most programmers' needs, and the Windows system itself consists of thousands of DLL files supporting one another, which together make up the enormous Windows system. If Windows still used static linking, it would be unimaginable.

II. What is an API

What is the "interface" mentioned above? Since a DLL cannot be inserted into the program the way a static library is, how the program locates the code that implements a function becomes a problem. So Microsoft made a standard specification for DLL technology: every DLL file clearly labels the names of its functions, and a program only needs to look up the relevant name according to the specification to call it. This is the Application Programming Interface (API). Each DLL has its own interfaces, which minimises duplicated code across programs. In Windows, the three most basic DLL files are kernel32.dll, user32.dll and gdi32.dll; they form the basic framework of the system.

III. DLLs and Trojans

A DLL is compiled code, not much different from an ordinary program, but it cannot run on its own and must be called by a program. So what is the relationship between DLLs and Trojans? If you have studied programming and written a DLL, you will have found that DLL code is almost the same as any other program's, apart from the interface and the way it starts. Change the code entry point and the DLL becomes a stand-alone program.

Of course, a DLL file has no program logic of its own; a DLL is not an EXE. Still, you can regard a DLL as a program without a main entry point, and its various functions as the function modules of a program. A DLL Trojan is the code implementing the Trojan's function, plus some special code, written as a DLL that exports the relevant APIs. To others it looks like an ordinary DLL, yet it carries complete Trojan functionality: that is the concept of a DLL Trojan. Some may ask: if the same code can implement the Trojan as a normal program, why write it as a DLL? The reason is concealment. At run time the DLL is linked directly into the process of the program that calls it and creates no process of its own, so compared with a traditional EXE Trojan it is much harder to discover.

IV. How a DLL runs

Although a DLL cannot run by itself, Windows requires an entry function when it loads a DLL, just like main in an EXE; otherwise the system cannot reference the DLL. By the writing conventions, Windows must find and execute a function named DllMain in the DLL as the basis for loading it. This function is not exported as an API; it is an internal function. The DllMain function keeps the DLL resident in memory. Some DLLs have no DllMain yet can still be used: when Windows cannot find DllMain, it takes a default DllMain that does nothing from another runtime library so that the DLL can be loaded. That does not mean a DLL can do without DllMain.

V. Analysis of DLL Trojan techniques

Writing a DLL Trojan is not as easy as some people think. To write a usable one you need to know a fair amount about the underlying operating system.

1. The Trojan body

Never write the Trojan module like an API library; this is not WinAPI development. A DLL Trojan may export a few auxiliary functions, but there must be one procedure responsible for executing the main code, otherwise the DLL is just a heap of scattered API functions and cannot do any work. Where common code is involved, write internal functions in the DLL for your own code to use instead of exposing all of it as interfaces; a DLL that cannot call its own code is even less likely to do anything.

The standard execution entry of a DLL Trojan is DllMain, so the code that runs the Trojan must be written in DllMain, or DllMain must point to the Trojan's execution module.

2. Dynamic embedding

In Windows each process has its own private memory space, and other processes are not supposed to operate on this private territory. In practice, however, there are still various ways to read and modify another process's private memory. This is dynamic embedding, a technique that embeds one's own code into a running process. There are many kinds of dynamic embedding; the most common are the hook APIs and remote threads. Most current DLL Trojans use the remote thread technique to hook themselves into a normal system process. Dynamic embedding is not unusual in itself: the Logitech MouseWare driver attaches to every system process. The remote thread technique creates a thread (a remote thread) inside another process in order to enter that process's memory address space. In DLL Trojan terms this is also called "injection": the carrier creates a remote thread in the target process and makes it load the DLL, at which point the Trojan is mounted and runs, and no new process is created. To stop the Trojan you only need to stop the process that the Trojan DLL is mounted in, but very often that means killing explorer.exe along with it.

3. Starting the Trojan

A DLL cannot run on its own, so it cannot be placed directly in a startup item. For the Trojan to run, an EXE must use dynamic embedding to attach the DLL to another normal process, so that the embedded process calls the DLL's DllMain and activates the Trojan. The EXE that starts the DLL Trojan is therefore very important; it is called the loader. A reasonably mature DLL Trojan will find ways to protect its loader from being easily discovered and destroyed.

The loader can take several forms. Windows's own rundll32.exe is used as the loader by some DLL Trojans. Such Trojans generally do not carry dynamic embedding technology; they simply run a rundll32 process and use the rundll32 mechanism to call the DLL's startup function as if calling an API, which sets the Trojan module running. Even if you kill rundll32, the Trojan keeps running. One of the most common examples is the 3721 Chinese real-name plug-in, although it is not a Trojan.

The registry's AppInit_DLLs key is also used by some Trojans to start themselves, for instance the "cover letter" virus. Starting a Trojan through this registry entry means the system itself executes DllMain. Because the DLL is loaded by the system, it has to be very stable; the slightest error can crash the system, so this kind of Trojan is rarely seen. Some more special DLL Trojans can be started through svchost.exe. Such DLL Trojans must be written as an NT service, with ServiceMain as the entry function; they are rare, but they are very well concealed and the loader is guaranteed.

4. Other remarks

Because the DLL Trojan runs inside a system process, if it is not carefully written, for example if it does not guard against runtime errors or validate user input strictly, the DLL will easily hit an error and crash. A DLL crash takes the program down with it, and do not forget that it is attached to a system process; the outcome is... terrible. So a DLL Trojan fit for release needs far more error-handling work than an ordinary EXE Trojan, enough to exhaust its writers!!

Thanks for reading some online articles and books !!!!
