DLL backdoors: principles, complete removal techniques and prevention (virus killing)

Source: Internet
Author: User
Backdoor! I believe this word is not unfamiliar to you, and neither is the harm it does. But as users' security awareness has gradually improved, and with the "strong support" of anti-virus software, a traditional backdoor can no longer hide itself: anyone with a little computer knowledge knows to "check the ports" and "look at the processes" to find some clues. So backdoor writers adjusted their thinking in time and turned their attention to the dynamic link library: the backdoor is made into a DLL file, and an EXE is used as its carrier, or it is started with Rundll32.exe. There is then no process of its own, no open port and no other telltale feature, so both the process and the port are hidden. This article takes "the principle of the DLL backdoor" and "the removal of the DLL backdoor" as its theme, and aims to give everyone a quick start with DLL backdoors so that you no longer fear them. Well, let's get into the subject.


One. The principle of the DLL backdoor

1. The dynamic link library

Dynamic link library, full name Dynamic Link Library, abbreviated DLL: its role is to provide extended functionality to applications. When an application wants to call a DLL file it must be "dynamically linked" to it; from a programming point of view, the application needs to know the API functions that the DLL file exports before it can call them. This shows that a DLL file cannot run by itself and must be called by an application. Because the DLL file is mapped into the application's memory as a module while the application runs, the DLL file cannot be deleted at that time. This is due to an internal mechanism of Windows: a file that a running program has loaded cannot be removed out from under it. And so the DLL backdoor was born!

2. Principle and characteristics of the DLL backdoor

The code that implements the backdoor function is placed in a DLL file, which is then inserted into an EXE file so that it can be executed. In this way the backdoor does not need a process of its own and has no PID of its own, so it is hidden from Task Manager as well. A DLL file is not the same as an EXE file: a program (an EXE) must call the DLL file for it to execute. For the DLL to run it must be loaded by an EXE, and for an EXE to load the DLL it must know the entry function of the DLL file (the DLL's exported function). According to the standard for writing DLL files, the EXE executes the DLL's DllMain() as the condition of loading it (just like the main() of an EXE). DLL backdoors are basically made in two ways: (1) all functions are implemented inside the DLL file itself; (2) the DLL is made into a startup file that launches an ordinary EXE backdoor when needed.

Common ways of writing them:

(1) Only one DLL file

This kind of backdoor is very simple: just make the backdoor into a DLL file, place it under the registry Run key or another location that the system loads automatically, and start it dynamically with Rundll32.exe. What is Rundll32.exe? As the name implies, it "executes a 32-bit DLL file". Its job is to execute functions inside a DLL file, so in the process list only Rundll32.exe appears and there is no process belonging to the DLL backdoor, which hides the process. If you see several Rundll32.exe instances on a system, don't panic: it only proves that several DLL files have been started through Rundll32.exe. Of course, the DLL files that these Rundll32.exe instances execute can all be found in the places from which the system loads things automatically.

Now let me introduce the Rundll32.exe file, whose job is to call a dynamic link library from the command line. There is also a Rundll.exe file in the system, which "executes a 16-bit DLL file"; note the difference. Look at the function prototype that Rundll32.exe expects the DLL to export:

    void CALLBACK FunctionName(
        HWND      hwnd,        // handle of a window the function may use as owner
        HINSTANCE hinst,       // instance handle of the DLL
        LPSTR     lpCmdLine,   // the [Arguments] part of the Rundll32 command line (ANSI)
        int       nCmdShow     // show state for any window the function creates
    );
    // If the DLL also exports FunctionNameW, Rundll32 prefers it and passes an LPWSTR.

On the command line it is used like this: Rundll32.exe dllname,functionname [Arguments]
Dllname is the name of the DLL to be executed; functionname is the specific exported function of that DLL file that is to be executed; [Arguments] are the parameters passed to that exported function.

(2) Replace a DLL file in the system

This kind of backdoor is a bit more advanced than the one above. It makes the code that implements the backdoor function into a DLL file that matches one in the system, and renames the original DLL file. When an application requests the original DLL file, the DLL backdoor starts a forwarding function that passes the "parameters" on to the original DLL file; if a special request (such as a client connection) is encountered, the DLL backdoor starts up and runs. For this kind of backdoor, implementing all operations inside the DLL file is the most secure, but it demands a great deal of programming knowledge and is very difficult to write. So this kind of backdoor usually makes the DLL file a "startup" file: under special circumstances (such as the client's request) it starts an ordinary EXE backdoor; after the client ends the connection the EXE backdoor is stopped and the DLL file goes back to a "resting" state until the next client connects. But with the arrival of Microsoft's "digital signature" and "File Recovery" functions, this kind of backdoor has gradually declined.

Tips:

In the Winnt\System32 directory there is a Dllcache folder that contains a number of DLL files (and some important EXE files). After a DLL file has been illegally modified, the system restores the modified DLL file from here. So anyone who wants to modify a DLL file must first delete or rename the copy under the Dllcache directory, otherwise the system automatically recovers it.

(3) Dynamic embedding

This is the most common kind of DLL backdoor. The idea is to embed the DLL file into a running system process. In Windows each process has its own private memory space, but there are still various ways to get into another process's private memory space and carry out dynamic embedding. Because key system processes cannot be terminated, this kind of backdoor is very covert and very hard to kill. Common dynamic insertion methods are: API hooking, global hooks, remote threads, and so on.

Remote thread technology refers to entering the memory address space of a process by creating a remote thread in that process. When the EXE carrier (or Rundll32.exe) creates a remote thread in the target process and commands it to execute a DLL file, our DLL backdoor runs inside that process and no new process appears. To stop the DLL backdoor, the only way is to terminate the process into which the DLL backdoor is linked. But if it is linked into a key system process, that process cannot be terminated, and if you do terminate a system process, Windows terminates immediately!!!

3. Startup characteristics of the DLL backdoor

The EXE carrier that starts the DLL backdoor is indispensable and very important; it is called the loader. Without the loader, how would our DLL backdoor start? Therefore a good DLL backdoor tries hard to protect its loader from being killed. There are many loader approaches: an EXE file written specially for our DLL backdoor, or the system's own Rundll32.exe, in which case the DLL backdoor itself, not Rundll32.exe, is the main body that must be stopped. The 3721 network real-name plug-in is an example of this, although it is not a "true" backdoor.
Two. Removal of the DLL backdoor

This section takes three well-known DLL backdoor cases, "SvchostDLL.dll", "BITS.dll" and "QoServer.dll", and explains the manual removal method for each in detail. I hope that after seeing the removal methods for these three DLL backdoors you can extrapolate, apply them flexibly, and no longer be afraid of DLL backdoors. In fact, manually clearing a DLL backdoor is relatively simple: it is nothing more than working in the registry. What to do, please see below.

1. PortLess Backdoor

This is a very powerful DLL backdoor. Besides a shell with local SYSTEM authority, it also supports functions such as "detect clone accounts" and "install Terminal Services" (see the program's help), and applies to Windows 2000/XP/2003. The program starts through Svchost.exe, usually does not open a port, and can make a reverse connection (its biggest characteristic), which is bad news for hosts that rely on a firewall.

Before we introduce the removal method, let's start with a brief introduction to the key system service host Svchost.exe:

Svchost serves only as a host for services and implements no function of its own. If a service is to be started through Svchost, the service is implemented as a DLL and the service's carrier (loader) points to svchost, so that the service's DLL is loaded by Svchost when the service is started, which achieves the purpose of starting it. Which DLL file a Svchost-hosted service uses is determined by parameters in the registry: under the key of the service to be started there is a Parameters subkey, in which the ServiceDll value indicates which DLL file is responsible for the service. This DLL file must export a ServiceMain() function to handle the service's tasks.

After reading the theory above, are you a bit dazed (I nearly fell asleep)? Don't worry, let's look at concrete content. First look at the Parameters subkey under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rpcss, whose ServiceDll value is %SystemRoot%\system32\rpcss.dll. This means that when the RPCSS service is started, Svchost calls rpcss.dll in the Winnt\System32 directory.

Look at another example: the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost stores the groups that Svchost starts and the services within each group; the netsvcs group has the most services. For a service to be started by Svchost, its service name must appear under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost. There are four ways to achieve this:

1. Add a new group and add a service name to that group

2. Add the service name to an existing group

3. Directly use a service name that is already listed in an existing group, but whose service is not installed on this machine

4. Modify an existing service in an existing group, pointing its ServiceDll to the DLL backdoor

I tested the PortLess backdoor using the third method.
Well, now that we have read the principle above, you can think of our method for clearing the PortLess backdoor: yes, we work under the Svchost key in the registry. Okay, here we go.

The backdoor's loader inserts SvchostDLL.dll into the svchost process, so we first open Windows Process Management 2.5 in Windows Optimizer Master and view the module information of the Svchost process; we can see that SvchostDLL.dll has been inserted into the svchost process. Under "directly using a service name in an existing group whose service is not installed on this computer", we can conclude that a new service will appear in Administrative Tools - Services. Looking there confirms it: the service name is IPRIP, it is started by Svchost, and -k netsvcs indicates that this service belongs to the netsvcs service group.

We stop the service, then open Registry Editor (Start - Run - regedit) and go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPRIP to view its Parameters subkey. The value of the Program key is SvcHostDLL.exe, the backdoor's loader; the value of ServiceDll is C:\WINNT\system32\svchostdll.dll, the DLL file to be called, which is the backdoor's DLL file. Now we delete the IPRIP subkey (or remove the service with SC), then go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost and edit the netsvcs service group to delete 49 00 70 00 72 00 69 00 70 00 00 00, which corresponds to the IPRIP service name. Then exit and reboot. After the reboot, delete the backdoor file in the Winnt\System32 directory.

2. BITS.dll

This is the work of Yung. It is also a DLL backdoor, with basically the same principle as SvchostDLL.dll, but it uses the fourth method described above, "modify an existing service in an existing group, pointing its ServiceDll to the DLL backdoor". In other words, the backdoor modifies an existing service, pointing that service's original DLL to itself (that is, BITS.dll), and so achieves automatic loading. Secondly, the backdoor has no loader of its own but is loaded by the system's Rundll32.exe. Looking again with Windows Process Management 2.5, we can see that Bits.dll has been inserted into the svchost process.

OK, now let's look at the specific cleanup method. Because the backdoor modifies an existing service and we don't know which service was modified, we search the registry for Bits.dll and finally find it under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto: the ServiceDll value under its Parameters subkey is C:\WINNT\system32\bits.dll. So the backdoor replaced the original DLL file of the RasAuto service with Bits.dll to achieve automatic loading. Knowing the cause makes it easy: now we set the ServiceDll value back to the RasAuto service's original DLL file, %SystemRoot%\system32\rasauto.dll, exit, and restart. Then delete Bits.dll in the Winnt\System32 directory.
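Both of the registry conditions just walked through by hand (a netsvcs member such as IPRIP whose service appeared from nowhere, and an existing service such as RasAuto whose ServiceDll now points somewhere else) can be checked over a regedit export of the Svchost and Services keys. The following is an added example, not part of the original article nor code from any of the backdoors; the .reg fragment and the clean baseline dictionary are constructed, and in practice the baseline would be exported from a known-good install:

```python
import re

SVCHOST_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost"
SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
# Constructed .reg export fragment (not from a real host). netsvcs lists RasAuto and
# Iprip; RasAuto's ServiceDll has been repointed at bits.dll (method 4) and IPRIP,
# which a clean workstation does not install, now loads svchostdll.dll (method 3).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
"netsvcs"=hex(7):52,00,61,00,73,00,41,00,75,00,74,00,6f,00,00,00,49,00,70,00,\
  72,00,69,00,70,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto\Parameters]
"ServiceDll"="C:\\WINNT\\system32\\bits.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPRIP\Parameters]
"ServiceDll"="C:\\WINNT\\system32\\svchostdll.dll"
"""
# Assumed clean baseline: ServiceDll of each svchost-hosted service on a known-good install.
CLEAN_BASELINE = {"rasauto": r"%SystemRoot%\system32\rasauto.dll"}


def parse_reg_export(text):
    """Parse a .reg export into {key_path_lower: {value_name_lower: value}}.
    Handles "..." (REG_SZ), hex(2): (REG_EXPAND_SZ) and hex(7): (REG_MULTI_SZ)."""
    keys, current = {}, ""
    for line in re.sub(r"\\\r?\n\s*", "", text).splitlines():  # join continued hex lines
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
            continue
        name, _, data = line.partition("=")
        value = data  # dword: and other types are kept as written
        if data.startswith('"'):
            value = data.strip('"').replace("\\\\", "\\")  # .reg doubles backslashes
        elif data.startswith(("hex(2):", "hex(7):")):
            raw = bytes.fromhex(data.split(":", 1)[1].replace(",", ""))
            parts = raw.decode("utf-16-le").split("\0")  # MULTI_SZ: items end in \0, list in \0\0
            value = [p for p in parts if p] if data.startswith("hex(7)") else parts[0]
        keys[current][name.strip('"').lower()] = value
    return keys


def audit_svchost(reg, baseline):
    """For every Svchost group member return (service, finding, detail): the name has
    no ServiceDll (free for method 3), it is absent from the clean baseline, or its
    ServiceDll no longer matches the baseline (method 4)."""
    findings = []
    for group, members in reg.get(SVCHOST_KEY.lower(), {}).items():
        for name in members:
            params = reg.get((SERVICES_KEY + "\\" + name + r"\Parameters").lower(), {})
            dll, expected = str(params.get("servicedll", "")), baseline.get(name.lower())
            if not dll:
                findings.append((name, "no ServiceDll / not installed", f"group {group}"))
            elif expected is None:
                findings.append((name, "unknown service", dll))
            elif dll.lower() != expected.lower():
                findings.append((name, "ServiceDll changed", f"{dll} (baseline {expected})"))
    return findings
```

Run it as `for f in audit_svchost(parse_reg_export(open("svchost.reg").read()), baseline): print(f)` after exporting the two keys; only the two planted entries are reported for the sample.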

3. Noir-Queen

Noir-Queen (Guardian) is a DLL backdoor and Trojan program. Its server is inserted into the system's Lsass.exe process in the form of a DLL file; because Lsass.exe is a key system process, it cannot be terminated. Before I introduce the removal method, let me introduce the Lsass.exe process:

This is the Local Security Authority service. It handles the authorization of users who log on through the Winlogon service: if authorization succeeds, LSASS generates the user's access token, and the initial shell is started with that token. Other processes that the user starts inherit this token.

From the introduction above we can see how important LSASS is to the system, so how exactly do we clear the backdoor? Please see below.

After the backdoor is installed successfully, a service named QoSserver is added to the services and the QoSserver.dll backdoor file is inserted into the LSASS process, which hides its process and lets it start automatically. Now we open the registry, go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\QoSserver, delete the QoSserver key, and reboot. After the reboot we go to the services list and see that the QoSserver service is still there, not started, with startup type Automatic; we change it to "Disabled". Looking further up, a service named APPCPI is found whose executable points to QoSserver.exe (the reason is explained below, as shown in Figure 11). We open the registry again, go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\APPCPI, delete the APPCPI key, and restart; then delete QoSserver, and finally delete the backdoor files under the Winnt\System32 directory.

I "fought" with this backdoor for 3 hours and restarted n times. The reason is that even after the QoSserver service was removed, the backdoor was still running, and the QoSserver service "re-emerged" in the services list. Later I learned why: after I removed the QoSserver service and restarted, the QoSserver.dll file inserted into the LSASS process restored the QoSserver service and generated another service, APPCPI, so we have to remove the APPCPI service in the registry before the backdoor can be cleared. From this you can see that backdoor protection measures nowadays are really linked ring by ring.

Note: After removing the QoSserver service and restarting, the startup type of the recovered QoSserver service must be changed to Disabled; otherwise the QoSserver service runs again when the APPCPI service is deleted.
Three. Prevention of DLL backdoors

Looking at the examples above, I think we now have a certain understanding of how to clear DLL backdoors. But in reality a DLL backdoor does not use its default file name, so you cannot be sure whether a given DLL is a backdoor. For a DLL backdoor the system32 directory is a good hiding place, and most backdoors use it, so be very careful there. Let me give a specific introduction to how to find DLL backdoors; I hope it helps you.

1. After installing the system and all applications, back up the list of EXE and DLL files in the system32 directory: open cmd, go to the Winnt\System32 directory, and run dir *.exe>exe.txt & dir *.dll>dll.txt, so that all EXE and DLL files are recorded in the files exe.txt and dll.txt. Later, if something abnormal is found, use the same command to record the EXE and DLL files again (here we assume exe0.txt and dll0.txt), and run FC exe.txt exe0.txt>exedll.txt & FC dll.txt dll0.txt>>exedll.txt, which means using the FC command to compare the two EXE listings and the two DLL listings and save both results to the file exedll.txt (the second FC must append, or it overwrites the first result). In this way we can find the extra EXE and DLL files, and through file size and creation time determine whether they are DLL backdoors.
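The dir/FC comparison above can be taken one step further: the added Python example below (not from the original article) records the size, modification time and a SHA-256 hash of every EXE and DLL, so a backdoor that overwrites a system DLL with a file of the same size and a forged timestamp, as in the BITS.dll case, still shows up as changed. The directory contents and file bodies in demo() are constructed:

```python
import hashlib
import json
import tempfile
from pathlib import Path

INVENTORY_PATTERNS = ("*.exe", "*.dll")


def snapshot(directory):
    """Inventory of the EXE/DLL files directly under `directory`, keyed by lower-case
    name: size, modification time and SHA-256 of the content."""
    inventory = {}
    for pattern in INVENTORY_PATTERNS:
        for path in Path(directory).glob(pattern):
            if path.is_file():
                stat = path.stat()
                inventory[path.name.lower()] = {
                    "size": stat.st_size,
                    "mtime": int(stat.st_mtime),
                    "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
                }
    return inventory


def compare(baseline, current):
    """Like FC over the two dir listings, plus files whose content changed in place."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "changed": sorted(n for n in old & new if baseline[n]["sha256"] != current[n]["sha256"]),
    }


def save(inventory, path):
    Path(path).write_text(json.dumps(inventory, indent=1, sort_keys=True))


def load(path):
    return json.loads(Path(path).read_text())


def demo():
    """Constructed scenario: between the clean baseline and the later check a system
    DLL is overwritten by a file of identical size and a new DLL is dropped in."""
    with tempfile.TemporaryDirectory() as tmp:
        system32 = Path(tmp)
        (system32 / "rasauto.dll").write_bytes(b"original rasauto service dll")
        (system32 / "svchost.exe").write_bytes(b"service host")
        save(snapshot(system32), system32 / "baseline.json")
        (system32 / "rasauto.dll").write_bytes(b"backdoor forwarding stub dll")  # same 28 bytes
        (system32 / "svchostdll.dll").write_bytes(b"new dll")
        return compare(load(system32 / "baseline.json"), snapshot(system32))
```

On a real machine run snapshot() on %SystemRoot%\System32 right after installation, save() the result somewhere off the box, and compare() against a fresh snapshot whenever something looks wrong.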

2. Use a memory/module tool to view the DLL files that processes have loaded, such as Windows Process Management 2.5 in Windows Optimizer Master. In this way you can find out which DLL files each process has loaded, and by comparing with the FC results above determine whether a DLL is a backdoor. If you don't have Optimizer Master, you can use Tasklist, which can also display the DLL files a process has loaded, and whose source code is available for easy modification.

3. An ordinary backdoor needs to open a specific port for its connection, and a DLL backdoor is no exception: no matter how it hides, a connection needs a port. We can use netstat -an to view the connections on all TCP/UDP ports and discover illegal connections. We should know which ports we have opened ourselves, and have some understanding of the State column in the netstat -an output. Of course, you can also use FPort to display the process that corresponds to each port, so that any unknown connections and ports on the system are in plain view.
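To make the netstat -an review repeatable, the following added example (not from the original article) parses the Windows netstat layout and compares it with a baseline of the ports we know we opened; it reports both unexpected listeners and established sessions to outside hosts, the pattern a reverse-connecting backdoor such as PortLess leaves. The output lines, the baseline sets and the addresses are all constructed, and the port numbers carry no meaning beyond the sample:

```python
# Constructed sample of `netstat -an` output in the Windows layout (not captured from
# a real host): three expected listeners, one web session we opened ourselves, one
# unexpected listener and one outbound session to an outside host on an odd port.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5400           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1045      203.0.113.7:80         ESTABLISHED
  TCP    192.168.1.10:1052      198.51.100.23:8000     ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""
# Assumed site baseline: (protocol, port) pairs we know we opened, and the remote
# ports our own client software is expected to talk to.
EXPECTED_LISTENERS = {("TCP", 135), ("TCP", 445), ("UDP", 137)}
EXPECTED_REMOTE_PORTS = {80, 443}


def _endpoint(text):
    """Split 'host:port' (also '[::]:135' and '*:*'); a non-numeric port becomes 0."""
    host, _, port = text.rpartition(":")
    return host, int(port) if port.isdigit() else 0


def parse_netstat(text):
    """Turn netstat -an lines into dicts; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        lhost, lport = _endpoint(parts[1])
        fhost, fport = _endpoint(parts[2])
        rows.append({"proto": parts[0], "lhost": lhost, "lport": lport, "fhost": fhost,
                     "fport": fport, "state": parts[3] if len(parts) > 3 else ""})
    return rows


def is_local_net(host):
    """Loopback and RFC 1918 ranges; anything else counts as an outside host."""
    if host.startswith(("127.", "10.", "192.168.")):
        return True
    o = host.split(".")
    return len(o) == 4 and o[0] == "172" and o[1].isdigit() and 16 <= int(o[1]) <= 31


def review(rows):
    """Listeners missing from the baseline, and established sessions to outside hosts
    on ports we do not normally use (the shape of a reverse connection)."""
    listeners, outbound = [], []
    for r in rows:
        listening = r["state"] == "LISTENING" or r["proto"] == "UDP"
        if listening and (r["proto"], r["lport"]) not in EXPECTED_LISTENERS:
            listeners.append((r["proto"], r["lport"]))
        elif (r["state"] == "ESTABLISHED" and not is_local_net(r["fhost"])
              and r["fport"] not in EXPECTED_REMOTE_PORTS):
            outbound.append((r["fhost"], r["fport"]))
    return {"unexpected_listeners": listeners, "reverse_connect_candidates": outbound}
```

Whatever review() reports is a starting point for FPort or a module viewer, not a verdict: the listener or session must still be tied to its owning process and DLL.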

4. Regularly check the places from which the system loads things automatically, such as the registry, Winstart.bat, autoexec.bat, win.ini, system.ini, wininit.ini, autorun.inf, config.sys and so on. Secondly, manage the services: know the system's default services, and when a problematic service is discovered remove it with SC from the Windows Server Resource Kit. All of these places can be used to load the DLL backdoor's loader; if we delete the DLL backdoor's loader, then how can the DLL backdoor still run?!

By using the methods above, I think most DLL backdoors can be made "visible", and if we usually keep good backups, finding a DLL backdoor will be twice as effective.
