How to study computer Trojan behavior using Windows PE

Source: Internet
Author: User

Computer Trojans are becoming more numerous, and with the spread of techniques for modifying Trojans to evade signatures, dedicated Trojan-killing tools are often powerless. Relying solely on anti-virus software and Trojan-removal tools is becoming increasingly unreliable.
However, most computer Trojans share several notable features:
1. Computer Trojans rarely modify existing files in the system; only a few files are changed.
2. In order to stay resident on the computer, computer Trojans usually copy themselves into the Windows system folder. If you can accurately identify the files that have been added to that folder, such Trojans are easy to find.
3. Computer Trojans usually modify some key values in the system registry. If changes to the registry contents can be detected, this also helps to detect Trojans.

In general, if you can accurately determine the changes a Trojan makes to the file system and the registry, you can safely remove the Trojan with the help of Windows PE.

How can we accurately find out how these Trojans modify the system? One method is to use a system-snapshot tool such as regsnap, which records the state of the file system and registry before and after the infection and reports the differences. This method is relatively simple. However, some current Trojans apply file-hiding techniques, so their files cannot be found when the snapshot tool calls the Windows API to enumerate files on the running system.

Another method is to use Windows PE to assist in the detection. This method is more involved than regsnap, but more accurate, because the infected system is not running while it is examined.

First, prepare a test machine. Do not install important software on it; after the experiment, this machine will no longer matter. If you do not have a dedicated lab machine, you can also use a virtual machine such as VMware. Install only the necessary system software on this machine.
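The snapshot-and-compare approach described above can be implemented with a small script. The following is an added example, not code from the original article or from regsnap: it records the path, size and SHA-256 of every file under a directory, saves that snapshot as JSON, and later reports files that were added, removed or modified. The file names, directory layout and contents it creates are constructed sample data for the demonstration. The "before" snapshot is taken on the clean test machine; the "after" snapshot is taken after booting Windows PE and pointing the script at the mounted system drive, so that no file-hiding code from the infected system is running while the directory is enumerated.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def snapshot(root):
    """Map each regular file under root (relative POSIX path) to its size and hash."""
    root = Path(root)
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue
            rel = path.relative_to(root).as_posix()
            snap[rel] = {"size": path.stat().st_size, "sha256": hash_file(path)}
    return snap


def save_snapshot(snap, out_path):
    """Persist a snapshot as JSON so it can be compared later from Windows PE."""
    with open(out_path, "w", encoding="utf-8") as fh:
        json.dump(snap, fh, indent=2, sort_keys=True)


def load_snapshot(in_path):
    with open(in_path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def diff_snapshots(before, after):
    """Report added, removed and modified files between two snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    common = set(before) & set(after)
    modified = sorted(p for p in common if before[p]["sha256"] != after[p]["sha256"])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: a fake system folder before and after a simulated infection."""
    with tempfile.TemporaryDirectory() as tmp:
        sysdir = Path(tmp) / "system32"
        (sysdir / "drivers").mkdir(parents=True)
        (sysdir / "sample_library.dll").write_bytes(b"constructed original library contents")
        (sysdir / "drivers" / "etc_hosts").write_bytes(b"127.0.0.1 localhost\n")

        # Baseline taken on the clean machine and saved to disk.
        baseline_file = Path(tmp) / "baseline.json"
        save_snapshot(snapshot(sysdir), baseline_file)

        # Simulated changes of the kinds the article lists: one dropped file, one modified file.
        (sysdir / "dropped_sample.exe").write_bytes(b"constructed sample payload")
        (sysdir / "drivers" / "etc_hosts").write_bytes(b"127.0.0.1 localhost\n0.0.0.0 example.invalid\n")

        # Second snapshot, taken the way it would be from Windows PE on the mounted drive.
        return diff_snapshots(load_snapshot(baseline_file), snapshot(sysdir))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On a real machine, call `save_snapshot(snapshot(r"C:\Windows"), "baseline.json")` on the clean system, then from Windows PE run `diff_snapshots(load_snapshot("baseline.json"), snapshot(r"D:\Windows"))` (the drive letter the system volume receives under PE is an assumption). The same diff logic can be applied to registry hives exported as text before and after the infection; the script shown here only handles files.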
