Preface
Backdoor! I believe this term will not be unfamiliar to you, but it will not be harmful to you. However, as people's security awareness gradually increases, the "strong support" of anti-virus software is added ", so that traditional webshells cannot hide themselves. Anyone with a little knowledge about computers knows how to "Check ports" and "view processes" to discover some "clues ". In this way, the process and port are hidden. This article takes "DLL principle" "DLL cleanup" "DLL prevention" as the topic and discusses it in order to allow everyone to "get started" with DLL backdoors without fear of DLL backdoors. Now, go to our topic.
I. DLL principles
1. Dynamic Link Library
Dynamic Link Library, short for Dynamic Link Library (DLL), is used to provide extended functions for applications. To call a DLL file, an application needs to perform a "Dynamic Link" with it. From the programming point of view, the application needs to know the API function exported from the DLL file before calling. It can be seen that the DLL file itself cannot be run and needs to be called by the application. This is because the DLL file must be inserted into the memory module of the application during running. This shows that the DLL file cannot be deleted. This is caused by the internal mechanism of Windows: running programs cannot be closed. So the DLL backdoor is born from this!
2. DLL backdoor principles and features
Write a code that implements the backdoor function as a DLL file and insert it into an EXE file so that it can be executed. In this way, no process is required, and no corresponding PID Number exists, you can also hide it in the task manager. The DLL file itself is not much different from the EXE file, but must be called by the Program (EXE) to execute the DLL file. To execute a DLL file, you need to load the EXE file, but to load the DLL file, you need to know the entry function of a DLL file (both the export function of the DLL file). Therefore, according to the DLL file writing standard: EXE must execute the DLLMain () in the DLL file as the loading condition (like the mian () of EXE ()). There are basically two types of DLL backdoors: 1) Implement all functions in the DLL file; 2) Make the DLL into a Startup File and start a common EXE backdoors as needed.
Common compiling methods:
(1) There is only one DLL file
Enabled. What is Rundll32.exe? "Execute a 32-bit DLL file ". The internal implementation is the internal implementation of the dllfile. In this process, only rundll32.exe is available, and no DLL backdoor process is available. In this way, process hiding is realized. If you see multiple rundll32.exefiles in the system, you do not need to be alarmed. This shows how many DLL files are started with rundll32.exe. Of course, we can find all the DLL files executed by rundll32.exe from the locations where the system automatically loads them.
Now, I will introduce the rundll32.exe file, which means that the function is to call the dynamic link library through the command line. There is also a rundll.exe file in the system, which means to execute a 16-bit DLL file. Pay attention to it here. For more information, see the function prototype used by rundll32.exe:
The command line uses Rundll32.exe DLLname and Functionname [Arguments].
Void CALLBACK FunctionName (
HWND hwnd,
HINSTANCE hinst,
LPTSTR lpCmdLine,
Int nCmdShow
);
DLLname is the name of the DLL file to be executed, Functionname is the specific extraction function of the DLL file to be executed on the front, and [Arguments] is the specific parameter of the extraction function.
(2) Replace the DLL file in the system
This type of backdoor is more advanced than above. It makes the code that implements the backdoor function into a DLL file that matches the system, and changes the original DLL file name. When an application requests the original DLL file, the DLL backdoor starts a forwarding function and passes the "parameter" to the original DLL file; if you encounter a special request (such as a client), the DLL backdoor starts, starts, and runs. For such backdoors, all the operations are implemented in the DLL file to be the most secure, but there is a lot of programming knowledge and it is very difficult to write. Therefore, these types of backdoors generally make DLL files into a "start" file. In special cases (such as client requests), they start a common EXE backdoor; after the client ends the connection, stop the EXE backdoor, and then the DLL file enters the "break" status. It will not be started until the next client connection. However, with the introduction of Microsoft's "Digital Signature" and "file recovery" functions, such backdoors have gradually declined.
Tip:
In the WINNTsystem32 directory, there is a dllcache folder containing a large number of DLL files (including some important EXE files). After the DLL file is illegally modified, the system will recover the modified DLL file from here. If you want to modify a DLL file, you must first delete or rename the DLL file under the dllcache directory. Otherwise, the system automatically recovers.
(3) Dynamic embedded
This is the most common method for DLL backdoors. The significance is to embed the DLL file into the running system process. In Windows, each process has its own private memory space, but there are still various ways to enter the private memory space of its process to implement dynamic embedded. Because the key processes of the system cannot be terminated, such backdoors are very hidden and difficult to detect and kill. Common dynamic embedded systems include: "hook api", "Global HOOK", and "remote thread.
Remote thread technology refers to the process's memory address space by creating a remote thread in a process. When the exe (or rundll32.exe) creates a remote thread in the inserted process and commands it to execute a DLL file, our DLL backdoor will be mounted for execution, and no new process will be generated here, to stop the DLL backdoor, only the process linked to the DLL backdoor is terminated. However, if you are connected to key processes of some systems, you cannot terminate them. If you terminate the system processes, Windows will be terminated !!!
3. DLL backdoor startup features
The carrier EXE that starts the DLL backdoor is indispensable and important. It is called Loader. If no Loader is available, how can we start the DLL backdoor? Therefore, a good DLL backdoor will try its best to protect its Loader from being scanned and killed. The entity of the DLL backdoor still exists. 3721 network real name is an example, although it is not a "real" backdoor.
Ii. DLL cleanup
This section uses three well-known DLL backdoor examples: "SvchostDLL. dll" "BITS. dll" "QoServer. dll ". The manual cleanup method is described in detail. I hope that you will be able to use these three DLL backdoors flexibly without fear of DLL backdoors. In fact, it is relatively simple to manually clear the DLL backdoor. It is nothing more than making an article in the registry. For more information, see the following.
1, PortLess BackDoor
This is a very powerful DLL backdoor program, in addition to the Shell that can obtain the Local System permission, it also supports a series of functions such as "detecting clone accounts" "installing Terminal Services" (For details, refer to program help), applicable to systems such as Windows2000, xp, and 2003. The program starts up with svchost.exe. Normally, the port is not opened and you can perform reverse connections (the biggest feature). For hosts with firewalls, this function is far better.
Before introducing the cleanup, let's briefly introduce the key services of the system svchost.exe:
Svchost serves only as the service host and does not implement any functions. If Svchost is required to start the service, a service is implemented in the form of DLL. The Loader of the DLL directs to svchost. Therefore, when starting a service, svchost calls the DLL of the Service to start the service. The DLL file for starting a service using svchost is determined by the Parameters in the registry. There is a Parameters subkey under the service to be started, serviceDll indicates which DLL file is responsible for the service, and this DLL file must export a ServiceMain () function to support service tasks.
Haha! After reading the above theory, is it a bit blind (I am almost asleep)? Don't worry. Let's take a look at the specific content (1 ). As shown in figure 1, we can see the Parameters sub-key under HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesRpcSs. Its key value is % SystemRoot % system32pcss. dll. This indicates that when the RpcSs Service is started. Svchost calls rpcss. dll under the WINNTsystem32 directory.
As shown in figure 2, this is the HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionSvchost in the Registry, which stores the Svchost-enabled groups and various services in the group, among which the netsvcs group has the most services. To start a service using Svchost, the service name will appear in HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionSvchost. There are four methods to achieve this:
1. Add a new group and add the service name to the group.
2. Add a service name to an existing group.
3. directly use a service name in the existing group, but the service is not installed on the local machine
4. Modify the existing service in the existing group and point its ServiceDll to its own DLL backdoor.
The third method used by PortLess BackDoor I tested.
Now, after reading the above principles, I think we can think of our method of clearing PortLess BackDoor. Okay. Let's start now.
Note: As this document only describes how to clear a file, the usage is skipped here.
The Loader of the backdoor calls SvchostDLL. dll is inserted into the Svchost process. Therefore, we first open Windows Process Management 2.5 in the Windows optimization master to view the module information in the Svchost process (3). We can see from Figure 3 that SvchostDLL. the dll has been inserted into the Svchost process. We can conclude that, there will be a new service in "Administrative Tools"-"services. Figure 4 demonstrates my claim that the service is named IPRIP, started by Svchost, and-k netsvcs indicates that the service is included in the netsvcs Service Group.
Stop the service, open the Registry Editor (START-run -- regedit), and go to HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesIPRIP to view its Parameters sub-Key (5 ). The key value svchostdll.exe of the programkey is the Loader of the backdoor; the key value C: WINNTsystem32svchostdll. dll of ServiceDll is the called DLL file, which is the DLL file of the backdoor. Now let's Delete the IPRIP subkey (or use SC to delete it), and then edit the netsvcs Service Group under HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionSvchost, and set 49 00 70 00 72 00 69