How to clear DLL backdoors completely

Preface

Backdoor! I believe this term will not be unfamiliar to you, but it will not be harmful to you. However, as people's security awareness gradually increases, the "strong support" of anti-virus software is added ", so that traditional webshells cannot hide themselves. Anyone with a little knowledge about computers knows how to "Check ports" and "view processes" to discover some "clues ". In this way, the process and port are hidden. This article takes "DLL principle" "DLL cleanup" "DLL prevention" as the topic and discusses it in order to allow everyone to "get started" with DLL backdoors without fear of DLL backdoors. Now, go to our topic.

I. dll principles

1. Dynamic Link Library

Dynamic Link Library, short for dynamic link library (DLL), is used to provide extended functions for applications. To call a DLL file, an application needs to perform a "Dynamic Link" with it. From the programming point of view, the application needs to know the API function exported from the DLL file before calling. It can be seen that the DLL file itself cannot be run and needs to be called by the application. This is because the DLL file must be inserted into the memory module of the application during running. This shows that the DLL file cannot be deleted. This is caused by the internal mechanism of Windows: running programs cannot be closed. So the DLL backdoor is born from this!

2. dll backdoor principles and features

Write a code that implements the backdoor function as a DLL file and insert it into an EXE file so that it can be executed. In this way, no process is required, and no corresponding PID Number exists, you can also hide it in the task manager. The DLL file itself is not much different from the EXE file, but must be called by the Program (exe) to execute the DLL file. To execute a DLL file, you need to load the EXE file, but to load the DLL file, you need to know the entry function of a DLL file (both the export function of the DLL file). Therefore, according to the DLL file writing standard: EXE must execute the dllmain () in the DLL file as the loading condition (like the mian () of exe ()). There are basically two types of DLL backdoors: 1) Implement all functions in the DLL file; 2) Make the DLL into a Startup File and start a common EXE backdoors as needed.

Common compiling methods:

(1) There is only one DLL file

Enabled. What is rundll32.exe? "Execute a 32-bit DLL file ". The internal implementation is the internal implementation of the dllfile. In this process, only rundll32.exe is available, and no DLL backdoor process is available. In this way, process hiding is realized. If you see multiple rundll32.exefiles in the system, you do not need to be alarmed. This shows how many DLL files are started with rundll32.exe. Of course, we can find all the DLL files executed by rundll32.exe from the locations where the system automatically loads them.

Now, I will introduce the rundll32.exe file, which means that the function is to call the dynamic link library through the command line. There is also a rundll.exe file in the system, which means to execute a 16-bit DLL file. Pay attention to it here. For more information, see the function prototype used by rundll32.exe:

The command line uses rundll32.exe dllname and functionname [arguments].

Void callback functionname (
Hwnd,
Hinstance hinst,
Lptstr lpcmdline,
Int ncmdshow
);

Dllname is the name of the DLL file to be executed, functionname is the specific extraction function of the DLL file to be executed on the front, and [arguments] is the specific parameter of the extraction function.

(2) Replace the DLL file in the system

This type of backdoor is more advanced than above. It makes the code that implements the backdoor function into a DLL file that matches the system, and changes the original DLL file name. When an application requests the original DLL file, the DLL backdoor starts a forwarding function and passes the "parameter" to the original DLL file; if you encounter a special request (such as a client), the DLL backdoor starts, starts, and runs. For such backdoors, all the operations are implemented in the DLL file to be the most secure, but there is a lot of programming knowledge and it is very difficult to write. Therefore, these types of backdoors generally make DLL files into a "start" file. In special cases (such as client requests), they start a common EXE backdoor; after the client ends the connection, stop the EXE backdoor, and then the DLL file enters the "break" status. It will not be started until the next client connection. However, with the introduction of Microsoft's "Digital Signature" and "file recovery" functions, such backdoors have gradually declined.

Tip:

In the WINNT/system32 directory, there is a dllcache folder containing a large number of DLL files (including some important EXE files). After the DLL file is illegally modified, the system will recover the modified DLL file from here. If you want to modify a DLL file, you must first delete or rename the DLL file under the dllcache directory. Otherwise, the system automatically recovers.

(3) Dynamic embedded

This is the most common method for DLL backdoors. The significance is to embed the DLL file into the running system process. In Windows, each process has its own private memory space, but there are still various ways to enter the private memory space of its process to implement dynamic embedded. Because the key processes of the system cannot be terminated, such backdoors are very hidden and difficult to detect and kill. Common dynamic embedded systems include: "hook api", "Global hook", and "remote thread.

Remote thread technology refers to the process's memory address space by creating a remote thread in a process. When the exe (or rundll32.exe) creates a remote thread in the inserted process and commands it to execute a DLL file, our DLL backdoor will be mounted for execution, and no new process will be generated here, to stop the DLL backdoor, only the process linked to the DLL backdoor is terminated. However, if you are connected to key processes of some systems, you cannot terminate them. If you terminate the system processes, windows will be terminated !!!

3. dll backdoor startup features

The carrier EXE that starts the DLL backdoor is indispensable and important. It is called loader. If no loader is available, how can we start the DLL backdoor? Therefore, a good DLL backdoor will try its best to protect its loader from being scanned and killed. The entity of the DLL backdoor still exists. 3721 network real name is an example, although it is not a "real" backdoor.
Ii. dll cleanup

This section uses three well-known DLL backdoor examples: "svchostdll. dll" "bits. dll" "qoserver. dll ". The manual cleanup method is described in detail. I hope that you will be able to use these three DLL backdoors flexibly without fear of DLL backdoors. In fact, it is relatively simple to manually clear the DLL backdoor. It is nothing more than making an article in the registry. For more information, see the following.

1, portless Backdoor

This is a very powerful DLL backdoor program, in addition to the shell that can obtain the local system permission, it also supports a series of functions such as "detecting clone accounts" "installing Terminal Services" (For details, refer to program help), applicable to systems such as Windows2000, XP, and 2003. The program starts up with svchost.exe. Normally, the port is not opened and you can perform reverse connections (the biggest feature). For hosts with firewalls, this function is far better.

Before introducing the cleanup, let's briefly introduce the key services of the system svchost.exe:

Svchost serves only as the service host and does not implement any functions. If svchost is required to start the service, a service is implemented in the form of DLL. The loader of the DLL directs to SVCHOST. Therefore, when starting a service, svchost calls the DLL of the Service to start the service. The DLL file for starting a service using svchost is determined by the parameters in the registry. There is a parameters subkey under the service to be started, servicedll indicates which DLL file is responsible for the service, and this DLL file must export a servicemain () function to support service tasks.

Haha! After reading the above theory, is it a bit blind (I am almost asleep)? Don't worry. Let's take a look at the specific content (1 ). From figure 1, we can see the parameters sub-keys under HKEY_LOCAL_MACHINE/system/CurrentControlSet/services/RPCSS, whose key value is % SystemRoot %/system32/RPCSS. dll. This indicates that when the RPCSS Service is started. Svchost calls RPCSS. dll under the WINNT/system32 directory.

See figure 2. This is the Registry's HKEY_LOCAL_MACHINE/software/Microsoft/Windows NT/CurrentVersion/svchost, which contains the groups started by svchost and various services in the group, the netsvcs group has the most services. To start a service using svchost, the service name will appear in HKEY_LOCAL_MACHINE/software/Microsoft/Windows NT/CurrentVersion/SVCHOST. There are four methods to achieve this:

1. Add a new group and add the service name to the group.

2. Add a service name to an existing group.

3. directly use a service name in the existing group, but the service is not installed on the local machine

4. Modify the existing service in the existing group and point its servicedll to its own DLL backdoor.

The third method used by portless backdoor I tested.

Now, after reading the above principles, I think we can think of our method of clearing portless backdoor. Okay. Let's start now.

Note: As this document only describes how to clear a file, the usage is skipped here.

The loader of the backdoor calls svchostdll. DLL is inserted into the svchost process. Therefore, we first open Windows Process Management 2.5 in the Windows optimization master to view the module information in the svchost process (3). We can see from Figure 3 that svchostdll. the dll has been inserted into the svchost process. We can conclude that, there will be a new service in "Administrative Tools"-"services. Figure 4 demonstrates my claim that the service is named iprip, started by svchost, and-K netsvcs indicates that the service is included in the netsvcs Service Group.

Stop the service, open the Registry Editor (START-run -- Regedit), and go to HKEY_LOCAL_MACHINE/system/CurrentControlSet/services/iprip to view its parameters sub-Key (5 ). The key value svchostdll.exe of programkey is the loader of the backdoor; the key value C:/winnt/system32/svchostdll. dll of servicedll is the called DLL file, which is the DLL file of the backdoor. Now let's Delete the iprip subkey (or use SC to delete it), and then edit the netsvcs Service Group under HKEY_LOCAL_MACHINE/software/Microsoft/Windows NT/CurrentVersion/SVCHOST, delete 49 00 70 00 72 00 69 00 70 00 00. Here the service name of iprip is corresponding, as shown in figure 6. Then exit and restart. After the restart, delete the backdoor file in the WINNT/system32 directory.

2, Bits. dll

This is Rong GE's work, DLL backdoor, and svchostdll. the DLL principle is basically the same, but here we use the fourth method described above, that is, "Modify the existing service in the existing group and point its servicedll to its own DLL backdoor ". To load. We still use Windows Process Management 2.5. From Figure 7, we can see that bits. dll has been inserted into the svchost process.

Okay. Now let's take a look at the specific clearing method. Because this backdoor is used to modify the existing service, but we don't know which service is modified, search for bits in the registry. DLL, and finally found bits under HKEY_LOCAL_MACHINE/system/CurrentControlSet/services/RasAuto. DLL to view servicedll under the parameters subkey. Its key value is C:/winnt/system32/bits. DLL (8 ). Originally, the backdoor replaced the original DLL file of the RasAuto service with bits. DLL to implement automatic loading. Now, we can change the servicedll key value to the original DLL file of the RasAuto service, that is, % SystemRoot %/system32/RasAuto. dll. Exit and restart. Then, delete bits. dll in the WINNT/system32 directory.

3, NOIR--QUEEN

Slave is a key process of the system, so it cannot be terminated. Before introducing the cleanup, I will first introduce the lsass.exe process:

This is a local security authorization service, and it will generate a process for the authorized users using the Winlogon service. If the authorization is successful, LSASS will generate a user access token, use the token to start the initial shell. Other user-initiated processes will inherit this token.

From the above introduction, we can see the importance of LSASS to the system. How can we clear it? See the following.

After the backdoor is successfully installed, a service named qosserver will be added to the service, and the qosserver. the DLL backdoor file is inserted into the LSASS process so that it can hide the process and start it automatically (9 ). Now let's open the registry and go to HKEY_LOCAL_MACHINE/system/CurrentControlSet/services/qosserver to directly Delete the qosserver key and restart it. After the service is restarted, we will see that the qosserver service is still running but not started. The category is automatic, when we change it to "disabled", we can see that the executable program of a service named appcpiis directed to qosserver.exe (I will discuss the cause later), as shown in Figure 11. Open the Registry again, go to HKEY_LOCAL_MACHINE/system/CurrentControlSet/services/appcpi, delete the appcpi key, restart, delete qosserver, and delete the backdoor file under the WINNT/system32 directory.

This man and the backdoor "fought" for more than three hours and restarted n times. The reason is that, even if the qosserver service is deleted, the backdoor is still running, and the qosserver service in the service list is "Revived ". Later I learned the cause: After I deleted the qosserver service and restarted it, I inserted it to the qosserver In the LSASS process. the DLL file restores the qosserver service and generates another service, namely, appcpi. Therefore, you must delete the appcpi service in the Registry to clear the backdoor. From this we can see that the current backdoor protection measures are really a ring.

Note: After the qosserver service is deleted and restarted, change the qosserver startup category to "disabled". Otherwise, even if the appcpi service is deleted, the qosserver service runs again.

Iii. dll prevention

After reading the above example, I think you have some knowledge about how to clear the DLL backdoor, but in reality, the DLL backdoor does not use the default file name, so you cannot be sure whether the DLL backdoor is in use. For DLL backdoors, the System32 directory is a good place, and most backdoors are the same, so pay attention to them here. Next I will introduce how to find the DLL backdoor. I hope it will help you.

1. After the system and all applications are installed, back up the EXE and DLL files in the System32 directory: Open cmd, go to the WINNT/system32 directory, and run dir *. EXE> exe.txt & dir *. DLL> export), and use the: fc exe.txt exe0.txt> exedll.txt & FC dll.txt dll0.txt> export file. In this way, we can find multiple EXE and DLL files and determine whether the files are DLL backdoors Based on the file size and creation time.

2. Use a memory/module tool to view the DLL file called by the process, for example, Windows Process Management 2.5 in Windows optimization master. In this way, we can find out what DLL files are called by the process, and compare the results with the above FC command to further determine whether the DLL backdoor is in use. If you do not have an optimization master, you can use tasklist. This tool can also display the DLL file called by the process and the source code to facilitate modification.

3. for a common backdoor connection, you need to open a specific port, and the DLL backdoor is no exception. No matter how hidden it is, you need to open the port during the connection. We can use netstat-An to view all TCP/UDP port connections to find illegal connections. You usually need to know the port you open and understand the state attribute in netstat-. Of course, you can also use fport to display the process corresponding to the port. In this way, you can see all the unknown connections and ports in the system.

4. regularly check the locations automatically loaded by the system, such as registry and winstart. bat, autoexec. bat, win. INI, system. INI, wininit. INI, Autorun. INF, config. SYS. The second step is to manage services and understand the default services of the system. You can use SC in Windows 2000 Server Resource Kit to delete problematic services. All of the above can be used to load the loader of the DLL backdoor. If we delete the DLL backdoor loader, how can this problem be solved? How does the DLL backdoor run ?!

By using the above method, I think most DLL backdoors can be "active". If we do more backups at ordinary times, it will get twice the result with half the effort.