Learning: Various Trojan Hiding Techniques

Source: Internet
Author: User
Basic hiding: invisible windows + hidden files
However mysterious a trojan may seem, it is still a program on the Win32 platform. Windows has two common kinds of program:
1. Win32 applications (Win32 application): QQ, Office and the like all belong to this category.
2. Win32 console programs (Win32 console): for example fixmbr, the tool that repairs the hard disk's master boot record.
A Win32 application usually has a graphical interface; the system "Calculator", for example, presents a window full of number buttons.
A trojan is also a Win32 application, but it generally either has no window at all or keeps its window hidden (with some exceptions, such as the window in which the trojan operator chats with the victim). Together with setting the trojan file's attribute to "hidden", this is the most basic form of hiding.
An experienced user only needs to open "Task Manager" to see the process, and select "Show all files" under "Folder Options" in Explorer to see the file (see Figure 1).
That is why the "process hiding" techniques described below were introduced.

First-generation process hiding: the Windows 98 back door
Windows 98 provides a way for a process to register itself as a service process.
Microsoft never published the technical details (the mechanism does not exist in later Windows versions),
but people worked it out anyway: the undocumented function is RegisterServiceProcess, exported by kernel32.dll.
Any program can call it to register its own process as a service process,
and service processes are not shown in the Windows 98 Task Manager, which is the loophole the trojan slips through.
Dealing with such a trojan is simple: use a third-party process management tool, which will still list it and show where it is.
A trojan using this technique is also plainly visible on Windows 2000/XP, because those systems do not support this hiding method.
Then stop the process and delete the trojan file. The second generation of process hiding, however, is not so easy to deal with.

Second-generation process hiding: process injection
In Windows, every process has its own private memory address space. When a pointer (the mechanism through which memory is accessed) is used,
one process cannot touch another process's address space, just as you cannot walk into a neighbour's house for dinner without being invited.
If QQ stores the bytes of an image in its memory, for example, MSN cannot read that image from memory directly.
This also keeps programs stable: if your process goes wrong and scribbles over some random address,
the damage stays within your process and does not affect the memory used by another process.
You know -- What is a process?
For an application, a process is like a large container. Running the application loads it into such a container,
into which other things can be added (for example, the variable data the application needs at run time and the DLL files it references).
If the application is started a second time, nothing in the first container is dumped; the system simply provides a new process container to hold the second instance.
A process can contain several threads, which let the application do several things at the same time (for example, one thread writes a file to disk
while another receives the user's keystrokes and responds promptly, without the two interfering). When a program starts,
the first thing the system does is create a default thread for its process; the program can then create or end further threads as needed (see Figure 2, the process relationship diagram).

1. What is process injection?
Independent address spaces are a great advantage for programmers and users alike. For programmers, it is easier for the system to catch stray memory reads and writes.
For users, the operating system becomes more robust, because one application cannot corrupt another process or the operation of the system itself.
That robustness has a price, of course: writing a program that communicates with other processes,
or that operates on other processes, becomes much harder.
Even so, there are several ways to cross the process boundary and get into another process's address space; this is process injection.
Once the trojan's DLL has been injected into another process's address space, it can do whatever it likes to that process, for example steal the QQ password, as described next.
2. How trojans steal QQ passwords
Normally another application has no right to "ask for" the keyboard and mouse input that one application receives,
so how does a trojan quietly record your password? The trojan first injects a DLL into the QQ process, where it runs as a thread of that process;
in this way the trojan DLL has become part of QQ! When the user then types the password, the trojan DLL, now inside the QQ process,
can receive the same keystrokes that the user is passing to QQ. Truly a case of "the thief inside the house is the hardest to guard against"!
3. How to inject into a process
(1) Injecting a DLL through the registry
An early trick of process-injecting trojans was to modify the registry value
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
so that the system loads the listed DLL into every process that loads user32.dll. The drawback is that it is not immediate: processes that are already running are unaffected, so after modifying the value the trojan has to wait for the target program to be restarted (or the machine to be rebooted) before the injection takes effect.
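The check a defender would run against this technique, as an added example written for this article (not code from the trojan or from the page's author): it reads the AppInit_DLLs value and the LoadAppInit_DLLs switch from both the native and the WOW64 registry views, resolves each listed DLL and reports whether the file exists and carries the "hidden" attribute. The only assumption is that a bare file name is resolved against the matching system directory, which approximates the loader's search order rather than reproducing it exactly.

```powershell
# Audit AppInit_DLLs on a Windows host (read-only; nothing is modified).
function Get-AppInitDlls {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'   # 32-bit view on 64-bit Windows
    )
    foreach ($key in $keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        $value = [string]$props.AppInit_DLLs
        # LoadAppInit_DLLs (Vista and later) gates the whole mechanism; when absent the value is honoured.
        $enabled = if ($null -ne $props.LoadAppInit_DLLs) { [int]$props.LoadAppInit_DLLs -ne 0 } else { $true }
        # Assumption: bare names are looked up in the system directory of the matching bitness.
        $sysDir = if ($key -match 'Wow6432Node') { "$env:windir\SysWOW64" } else { "$env:windir\System32" }
        # The value is a list of paths separated by spaces or commas.
        $paths = $value -split '[ ,]+' | Where-Object { $_ -ne '' }
        foreach ($p in $paths) {
            $full = [Environment]::ExpandEnvironmentVariables($p)
            if (-not [IO.Path]::IsPathRooted($full)) { $full = Join-Path -Path $sysDir -ChildPath $full }
            $exists = Test-Path -LiteralPath $full
            $hidden = $false
            if ($exists) {
                # -Force is needed so that a file with the "hidden" attribute is returned at all
                $attrs  = (Get-Item -LiteralPath $full -Force).Attributes
                $hidden = $attrs.HasFlag([IO.FileAttributes]::Hidden)
            }
            [pscustomobject][ordered]@{
                RegistryKey = $key
                Enabled     = $enabled
                Dll         = $full
                Exists      = $exists
                Hidden      = $hidden
            }
        }
    }
}

Get-AppInitDlls | Format-Table -AutoSize
```

On a clean system the function prints nothing, since the value is normally empty; any entry at all deserves a look, and an entry that exists and is hidden is exactly the pattern this section describes.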
(2) Injecting a DLL with a hook
A more advanced and more concealed approach injects the DLL through the system's hook mechanism (the "hook", roughly the counterpart of the "interrupt" of the DOS era;
some QQ trojans and keylogging trojans sneak into other processes this way).
It requires calling the SetWindowsHookEx function (also a Win32 API function): installing a global hook makes the system load the DLL containing the hook procedure into every process that receives the hooked events. The drawback is the high technical threshold and the difficulty of debugging such a program;
the trojan author must have a considerable level of Win32 programming skill.
You know -- What is an API?
The interfaces through which Windows exposes its various functions are called Win32 APIs (Application Programming Interfaces).
When a program needs to read or write a file on disk, it must first send a call request to the corresponding API (reading and writing files requires calling the file-related APIs).
The API then carries out the request based on the parameters the program supplied in the call (to read or write a file, for instance, the program must supply the name and path of the file),
and finally returns the result of the call (such as "file written successfully" or "file read failed") to the program
(see Figure 3, the relationship between applications, the Win32 API and the system).
(3) Injecting a DLL with the remote-thread function (CreateRemoteThread)
This "remote thread" mechanism is provided on Windows 2000 and later (it is an NT-family API and does not exist on Windows 9x): with a single system API call a program can create a thread inside another process, and that thread can load the DLL.
The drawback is obvious: only Windows 2000 and later are supported, and at the time many users in China were still running Windows 98,
so trojans using this injection method lacked platform versatility.
Once a trojan has injected itself as a DLL into another process's address space, it cannot be found by looking at the process list;
all you see are the processes of normal programs, while the trojan has quietly burrowed into one of them.
The remedy is to use a process management tool that supports a "process module view" (for example the process viewer in "Windows Optimization Master"), which will list the trojan's DLL module inside the host process.
Don't trust your own eyes: the process that "evaporates"
Strictly speaking this is generation 2.5 of process hiding, but it is far more frightening than the techniques above.
With it the trojan no longer needs to inject itself into another process: its own process simply disappears from view!
It works by hooking the process-enumeration APIs called by every program in the system.
"Task Manager" can display all the processes in the system because it calls process-related APIs such as EnumProcesses;
the process information is contained in the function's return value, and the program that made the call receives and processes that result
(Task Manager, for example, displays it in its process list).
The trojan hooks that API function in advance, so when "Task Manager" (or any other program that lists processes)
calls EnumProcesses, the hook acts as the trojan's "inside man": the trojan is notified,
and before the function returns its result (the list of all processes) to the caller, the trojan has already erased its own process from it.
It is as if you were watching a TV programme while someone had secretly connected the set to a DVD player: you have been cheated without knowing it.
So whether it is "Task Manager" or anti-virus software, detecting the trojan process this way is futile.
(A practical caveat: which function has to be hooked depends on the viewer. Task Manager actually obtains its list from NtQuerySystemInformation, which EnumProcesses itself calls, so a trojan that hooks only EnumProcesses remains visible in Task Manager, while one that hooks NtQuerySystemInformation hides from both. The hiding also works only in processes where the hook is installed, and only for the hooked route: a process list built some other way, for example by trying every possible process ID with OpenProcess, still reveals the trojan.)
Currently there is no very effective way to detect and remove such a trojan once it is running; the anti-virus software has to detect the trojan file and block it before it runs.
A related technique of the same period had the trojan remove its own entry from the "process linked list" that the Windows kernel uses to record processes (the list of EPROCESS structures),
so that process management tools could not obtain the trojan's process information from it either. Because it lacks platform versatility and can cause problems while the program runs,
it was not widely used.
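A cross-view check against the API-hooking hide described above, as an added example written for this article (not the trojan's code and not from the page's author). View 1 is the normal enumeration (Get-Process, which like Task Manager ultimately relies on NtQuerySystemInformation); view 2 ignores enumeration entirely and probes every possible process ID with OpenProcess, treating ERROR_ACCESS_DENIED as proof that the ID is in use. An ID that exists in view 2 but not in view 1 has been hidden from the enumeration path. Assumptions: NT process IDs are multiples of 4 and below 65536, and the script itself is not running with the trojan's hook already installed in it.

```powershell
# Cross-view detection of a process hidden from the enumeration APIs.
Add-Type -Namespace Win32 -Name ProcScan -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
[DllImport("kernel32.dll")]
public static extern bool CloseHandle(IntPtr h);
'@

function Find-HiddenProcessIds {
    # View 1: what the enumeration API reports (the view a user-mode hook can edit).
    $listed = @{}
    Get-Process | ForEach-Object { $listed[$_.Id] = $true }

    # View 2: probe each candidate PID directly (assumption: IDs are multiples of 4, < 65536).
    $suspects = @()
    for ($candidate = 4; $candidate -lt 65536; $candidate += 4) {
        $h = [Win32.ProcScan]::OpenProcess(0x400, $false, $candidate)   # PROCESS_QUERY_INFORMATION
        if ($h -ne [IntPtr]::Zero) {
            [void][Win32.ProcScan]::CloseHandle($h)
            $exists = $true
        } else {
            # 5  = ERROR_ACCESS_DENIED   -> the process exists, we just may not open it
            # 87 = ERROR_INVALID_PARAMETER -> no process with this ID
            $exists = ([Runtime.InteropServices.Marshal]::GetLastWin32Error() -eq 5)
        }
        if ($exists -and -not $listed.ContainsKey($candidate)) {
            # Re-check to rule out a process that merely started after view 1 was taken.
            if (-not (Get-Process -Id $candidate -ErrorAction SilentlyContinue)) {
                $suspects += $candidate
            }
        }
    }
    return $suspects
}

$hidden = Find-HiddenProcessIds
if ($hidden.Count -eq 0) { 'No process hidden from enumeration.' }
else { "Process IDs present but not enumerated: $($hidden -join ', ')" }
```

The check is deliberately cheap (about sixteen thousand OpenProcess calls) and catches the EnumProcesses/NtQuerySystemInformation hook this section describes. It does not catch the kernel-list technique mentioned at the end, which removes the process from the object the OpenProcess path uses as well, nor a hook that has been installed into the PowerShell process itself and also filters OpenProcess; for those, a view taken from outside the running system (a memory image, or a kernel driver walking thread and handle tables) is needed.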
You know -- What is a hook?
A hook is a mechanism Windows provides in place of the "interrupt" of DOS; the Chinese term means literally "hook" or "to hang on".
Once a program has hooked a particular system event (including calls to a particular API function, as in the section above),
that program (a trojan, for instance) receives a notification from the system whenever the event occurs and can respond to it immediately
(the trojan changes the result before the function returns).
Leaving no trace: comprehensive, all-round hiding
With the hooking approach used to hide processes, a trojan can just as easily hide its files:
it only has to apply the same hook technique to the file-related API functions, after which neither Windows Explorer nor anti-virus software can find where the trojan lives.
More worrying still, there are already trojans (Gray Pigeon, "Huigezi", for example) that use this technique to hide both their files and their processes.
The best defence against such trojans is anti-virus software that intercepts them before they run.
Versus anti-virus software: packers ("shells")
However tricky a trojan is, once the anti-virus software has defined a signature for it, it is intercepted before it runs. To survive, many trojans are packed:
the packer is like a layer of clothing put on the trojan so that the anti-virus software no longer recognises it. Some anti-virus products, however, try to unpack the common packers
and then scan (as if to say: don't think I won't recognise you just because you have put on a vest).
Beyond such passive hiding, a packer has recently appeared that actively fights the anti-virus software. Once a trojan packed with it is run,
the packer takes control of the program first and uses various means to disable the anti-virus software installed on the system;
only after confirming that it is safe (the anti-virus protection has been dismantled) does it unpack and execute the trojan body wrapped inside it.
The way to deal with such trojans is to protect the system with anti-virus software that has unpacking capability.
You know -- What is a shell (packer)?
As the name suggests, it is a wrapper placed around the outside of a file.
A packer wraps a file (an EXE, for example); when the file is run, the packer's code gets control first, then unpacks and runs the wrapped file body.
Many packers also encrypt the file body they wrap, so that anti-virus software cannot scan it.
Suppose, for example, that the anti-virus software has defined the trojan's signature as "12345" and treats any file containing that pattern as the trojan;
an encrypting packer transforms the file body (the original "12345" becomes, say, "54321"),
and signature scanning of the packed file certainly fails.
Unpacking ("shelling") means removing the packer from the file and restoring the file to its state before it was packed.
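The "12345 becomes 54321" picture explains why a signature scan of the packed file fails; what a practitioner looks for instead is the packer itself. As an added example written for this article (not from the page's author or from any anti-virus product), the function below parses the PE header of a file, walks its section table and computes the Shannon entropy of each section's raw data. Compressed or encrypted bodies score close to 8 bits per byte, and a few packers also leave tell-tale section names. Assumptions: the threshold of 7.0 and the name patterns (UPX, .aspack) are heuristics, and high entropy alone is not proof, since legitimate compressed resources score high too.

```powershell
# Packer indicator: section names and per-section entropy of a PE file.
function Get-PeSectionEntropy {
    param([Parameter(Mandatory)][string]$Path)
    $data = [IO.File]::ReadAllBytes((Resolve-Path -Path $Path).Path)
    if ($data.Length -lt 0x40 -or $data[0] -ne 0x4D -or $data[1] -ne 0x5A) { throw 'Not an MZ file' }
    $peOff = [BitConverter]::ToInt32($data, 0x3C)                      # e_lfanew
    if ($peOff -le 0 -or $peOff + 24 -gt $data.Length -or
        [BitConverter]::ToUInt32($data, $peOff) -ne 0x00004550) { throw 'No PE signature' }
    $numSections = [BitConverter]::ToUInt16($data, $peOff + 6)          # COFF NumberOfSections
    $optSize     = [BitConverter]::ToUInt16($data, $peOff + 20)         # COFF SizeOfOptionalHeader
    $secTable    = $peOff + 24 + $optSize                               # section table follows the optional header
    for ($i = 0; $i -lt $numSections; $i++) {
        $s = $secTable + 40 * $i                                        # IMAGE_SECTION_HEADER is 40 bytes
        if ($s + 40 -gt $data.Length) { break }
        $name    = [Text.Encoding]::ASCII.GetString($data, $s, 8).TrimEnd([char]0)
        $rawSize = [BitConverter]::ToUInt32($data, $s + 16)             # SizeOfRawData
        $rawPtr  = [BitConverter]::ToUInt32($data, $s + 20)             # PointerToRawData
        $entropy = 0.0
        if ($rawSize -gt 0 -and ($rawPtr + $rawSize) -le $data.Length) {
            $counts = New-Object int[] 256
            for ($j = $rawPtr; $j -lt $rawPtr + $rawSize; $j++) { $counts[$data[$j]]++ }
            foreach ($c in $counts) {
                if ($c -gt 0) { $p = $c / $rawSize; $entropy -= $p * [Math]::Log($p, 2) }
            }
        }
        [pscustomobject][ordered]@{
            Section = $name
            RawSize = $rawSize
            Entropy = [Math]::Round($entropy, 2)
            # Heuristic (assumption): near-maximal entropy or a known packer section name.
            Packed  = ($entropy -gt 7.0 -or $name -match '^(UPX|\.aspack)')
        }
    }
}

Get-PeSectionEntropy -Path "$env:windir\System32\notepad.exe" | Format-Table -AutoSize
```

A normal executable shows a .text section in the 5 to 6.5 range; a packed one typically shows a large high-entropy section next to an almost empty one, which is the packed body waiting for the packer stub to unpack it at run time, exactly the step an unpacking-capable scanner has to reproduce before its signatures can match.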
