GH0ST Communication Protocol resolution (2)

Source: Internet
Author: User

We start from the active connection that the controlled side makes to the controller. Everything has a beginning, and every beginning needs a first push; in our case the interaction between the controller and the controlled side is always initiated by the controlled side, so the connection setup is where we begin.

*******************************************************************************

First, let me state that the remote-control software is just a DLL file. Why is our Trojan a DLL? Because to evade antivirus it has to be started in all sorts of devious ways, which means a separate third-party program is needed to load the DLL. Nowadays that third-party program is where the cleverness of computer viruses shows itself, and how refined it is has become a measure of the skill of the people who write them. We may not show the development of that third-party program in a follow-up article, because once the idea is published our remote control would have real lethality. Another reason is that the theme of this course is the analysis of GH0ST's communication protocol, so we will touch on the rest only briefly. OK, let's look at one of our gh0st variants.

First, when the DLL is loaded it checks its own execution environment: if it is running inside Rundll32.dll it continues with the subsequent operations, otherwise it does nothing.

Next, a worker thread is created whose thread function is Login; from the name we can see that this is where the connection to the controller is made. We will go through that function in detail later; here note the following line:

    CKeyboardManager::g_hInstance = (HINSTANCE)hModule;

We will see later that this value is used when the DLL uninstalls itself.

Next we look at the Login thread function. Because it is relatively large, we split it into four parts.

The first part creates a mutex that guarantees only a single instance runs:

    HANDLE CreateMutex(LPSECURITY_ATTRIBUTES lpMutexAttributes, BOOL bInitialOwner, LPCTSTR lpName);

Next comes setting up the window station. GH0ST's original author loads this DLL into a system service, which raises a problem: the service runs as SYSTEM and has its own window station, while the desktop we use by default lives in the "WINSTA0" window station. The two cannot communicate or interact directly, so the process's window station must be set to WINSTA0. After that, the DLL can interact with programs on the window station we normally use, which later operations such as window lookup and keylogging depend on.

The set of APIs for setting up window stations is as follows:

1: HWINSTA GetProcessWindowStation(VOID);

The GetProcessWindowStation function returns a handle to the window station associated with the calling process.

2: HWINSTA OpenWindowStation(LPTSTR lpszWinSta, BOOL fInherit, DWORD dwDesiredAccess);

The OpenWindowStation function returns a handle to an existing window station.

3: BOOL SetProcessWindowStation(HWINSTA hWinSta);

The SetProcessWindowStation function assigns a window station to the calling process. This enables the process to access objects in the window station such as desktops, the clipboard, and global atoms. All subsequent operations on the window station use the access rights granted to hWinSta.

The next step sets the error mode of the process: if a severe error occurs in the process, the error is delivered to the process to handle rather than irresponsibly popping up an error dialog box (our DLL, admittedly, does not have the best manners).

    UINT SetErrorMode(UINT uMode);

The SetErrorMode function controls whether the system or the process handles the specified types of serious errors.

Let's analyze the role of several variables.

1: lpszHost: the IP address or domain name of the controller to connect to

2: dwPort: the listening port on the controller to connect to

3: hEvent: this variable is the sentinel that tells the main thread when to exit. Let's look at the places where it is used.

A: At the beginning of the infinite loop that connects to the controller, this call:

    for (int i = 0; i < ; i++)   /* the loop bound is missing from the source as published */
    {
        hEvent = OpenEvent(EVENT_ALL_ACCESS, FALSE, "BITS");
        if (hEvent != NULL)
        {
            socketClient.Disconnect();
            CloseHandle(hEvent);
            break;
        }
        Sleep(60);
    }

B: This variable is manipulated when the controller orders the controlled side to uninstall itself:

    void CKernelManager::UnInstallService()
    {
        char MyPath[MAX_PATH];
        GetModuleFileName(CKeyboardManager::g_hInstance, MyPath, MAX_PATH);
        DeleteFile("C:\\FW.FW");
        MoveFile(MyPath, "C:\\FW.FW");
        CreateEvent(NULL, TRUE, FALSE, m_strKillEvent);
    }

C: At the end of the infinite loop that connects to the controller, this call:

    do
    {
        hEvent = OpenEvent(EVENT_ALL_ACCESS, FALSE, "BITS");
        dwIOCPEvent = WaitForSingleObject(socketClient.m_hEvent, 100);
        Sleep(500);
    } while (hEvent == NULL && dwIOCPEvent != WAIT_OBJECT_0);

A description of the three calls above: the first checks whether the client is currently disconnected and examines the reason (NOT_CONNECT); while in that state it loops waiting for the event created at the second location, which, after all operations have completed, notifies the main thread that it can exit. The third call resembles the first, with an additional check of the IOCP event.

4: bBreakError is a variable that records the reason for disconnection.
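As an added example that is not part of the original article or the gh0st code, here is a PowerShell triage script that checks a Windows host for the artifacts the uninstall path above leaves behind: the named "BITS" event, the dropped copy at C:\FW.FW, and DLLs loaded into rundll32 that lack a valid signature. The event name and file path are taken from the article; the function names are my own, and the event check is point-in-time because the event exists only while the kill routine is running.

```powershell
# Added triage script, not from the article or the gh0st code. It checks a
# Windows host for the uninstall artifacts described above. The event name
# "BITS" and the path C:\FW.FW come from the article; function names are mine.

function Test-NamedEvent {
    param([string]$Name)
    try {
        # OpenExisting resolves the name the same way gh0st's OpenEvent does:
        # without a prefix it is session-local, with "Global\" it is system-wide.
        $h = [System.Threading.EventWaitHandle]::OpenExisting($Name)
        $h.Dispose()
        return $true
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        return $false
    } catch [System.UnauthorizedAccessException] {
        return $true   # the event exists but we were denied access to it
    }
}

function Get-Gh0stUninstallArtifacts {
    $findings = [System.Collections.Generic.List[string]]::new()

    # The kill event is created by a service (session 0), so check both namespaces.
    foreach ($name in 'BITS', 'Global\BITS') {
        if (Test-NamedEvent -Name $name) {
            $findings.Add("Named event '$name' exists (gh0st uninstall signal)")
        }
    }

    if (Test-Path -LiteralPath 'C:\FW.FW') {
        $f = Get-Item -LiteralPath 'C:\FW.FW'
        $findings.Add("C:\FW.FW exists ($($f.Length) bytes, written $($f.LastWriteTime))")
    }

    # The DLL only runs when hosted by rundll32, so list modules in those
    # processes that lack a valid Authenticode signature.
    foreach ($proc in Get-Process -Name rundll32 -ErrorAction SilentlyContinue) {
        try { $mods = $proc.Modules } catch { continue }   # e.g. access denied
        foreach ($m in $mods | Where-Object { $_.FileName -like '*.dll' }) {
            $sig = Get-AuthenticodeSignature -FilePath $m.FileName
            if ($sig.Status -ne 'Valid') {
                $findings.Add("rundll32 PID $($proc.Id) loaded $($m.FileName) [$($sig.Status)]")
            }
        }
    }
    return $findings
}

Get-Gh0stUninstallArtifacts
```

An empty result only means none of these specific artifacts were present at the moment of the check; an unsigned DLL in rundll32 is a lead to examine, not proof of infection.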

Next we follow the execution flow. First we see CClientSocket socketClient;

Let's see what happens in the constructor of the CClientSocket class.

It initializes the socket library and creates a manual-reset, initially non-signaled, unnamed event object. To understand the role of this event object, we look at the following places.