No process Trojan ideas

Source: Internet
Author: User

Targeted, process-less DLL Trojans are the latest trend in Trojan development. Although there are many ways to program them, the principles are basically the same. We have put together this article so that you can learn more about them:

1) Process hiding in Windows

There are many ways to hide a process on 32-bit Microsoft operating systems. On Windows 98, a program that registers itself as a system service does not appear in the process list. On NT/2000, however, the operating system added many features and process hiding reached a new level. Among these methods the DLL Trojan is a very popular form: it loads itself into the process of another executable, so that our DLL does not appear in the task manager; only the EXE that hosts our DLL does. Jeffrey Richter's writings describe several DLL injection methods, such as listing the Trojan DLL under the AppInit_DLLs registry key, Windows hooks, and remote thread injection, which are not covered here. This article introduces a new method of process hiding. It still takes the form of a DLL (it also has to be loaded by another executable) and it also needs no port of its own. It uses a new feature of Windows Sockets 2, the Service Provider Interface (SPI), which is designed to support all 32-bit Windows operating systems, including Windows 95.

2) Windows Socket 2 SPI technology overview

The WinSock 2 SPI is a new feature provided for those who write service providers. WinSock 2 consists not only of the Windows Sockets Application Programming Interface (API) through which applications access network services, but also of the Winsock Service Provider Interface (SPI), which transport service providers and name resolution service providers implement, with ws2_32.dll sitting between the two. The following uses a transport service provider as the example for hiding a process. The hierarchy between the application, ws2_32.dll and the transport service provider interface is as follows:

        +----------------------------------+
        |   Windows Socket 2 application   |
        +----------------------------------+
                 Windows Socket 2 API
        +----------------------------------+
        |            ws2_32.dll            |
        +----------------------------------+
            Windows Socket 2 transport SPI
        +----------------------------------+
        |  transport service provider DLL  |
        +----------------------------------+

A transport service provider exists as a DLL. It has only one entry function, WSPStartup. The LPWSAPROTOCOL_INFOW structure pointer determines the type of the service provider; the other 30 service provider functions are reached through a dispatch table. When a network application calls WSASocket/socket to create a socket, three parameters (address family, socket type and protocol) together determine which transport service provider implements the application's request. In the whole hierarchy, ws2_32.dll is only an intermediary; the application implements the user-level functionality, and what truly implements network transmission is the transport service provider. The system already contains default service providers that implement most of the basic functions, so when writing our own service provider we only need to modify the datagrams we care about and pass the rest on to the system service provider, which implements the remaining functions.

There are three kinds of protocols in a service provider: layered protocol, base protocol and protocol chain. They are distinguished by the ChainLen value of the ProtocolChain structure in WSAPROTOCOL_INFOW: ChainLen is 0 for a layered protocol, 1 for a base protocol and greater than 1 for a protocol chain. In fact there is not much difference between a layered protocol and a base protocol in how they are implemented (both can call the system service provider to forward data), but there is a big difference in installation. To install a base protocol, we replace the DLL file names and paths of all base service providers with our own base protocol. To install a layered protocol, we must also combine the layered protocol with the protocols it relates to into a protocol chain, and then install that chain. After all service providers are installed, we must rearrange their installation order, which is important: when WSASocket/socket creates a socket, ws2_32.dll searches the service provider database in order for the provider that matches the three parameters passed to WSASocket/socket, and if two providers of the same type exist in the database at the same time, the one earlier in the order is called. So generally, after installing our own service providers, we move them to the front of the order. In instbd.exe the layered protocol is used as the example to show how a transport service provider is installed.

ws2_32.dll loads the service provider DLL into the system like any standard dynamic link library and calls WSPStartup to initialize the SPI. WSPStartup is the initialization function, that is, the entry function, of the SPI program that the Windows Sockets 2 application calls into. The lpProtocolInfo pointer passed to WSPStartup carries the protocol information the application expects. From this structure we can obtain the DLL name and path of the saved system service provider; after loading that system service provider, we find its WSPStartup function pointer. With this pointer we can link the WSPStartup function of our own service provider to the WSPStartup function of the system SPI program, and then call the system's various service provider functions. To implement a data transport service provider we need two programs: an executable that installs the transport service provider, and the transport service provider itself in DLL form.

3) SPI-based DLL Trojan technology

Having introduced the features of the transport service provider, let us look at how this technology hides the Trojan process. Every operating system has system network services. They are loaded automatically when the system starts, and many of them are based on the IP protocol. If we write an IP-protocol transport service provider and install it at the front of the service provider database, the system network services will load our service provider. If the Trojan program is embedded in the service provider's DLL, our Trojan is started along with the system network services. A DLL Trojan of this form only needs to be installed once; afterwards it is loaded automatically into the process of the executable. Another feature is that it is loaded by several network services at once. The system network services normally only end when the system shuts down, so our Trojan program can remain active for as long as the system is running.

In a transport service provider, the 30 SPI functions exist in a dispatch table. Most functions in ws2_32.dll have a corresponding transport service provider function; for example, WSPRecv and WSPSend correspond to WSARecv and WSASend in ws2_32.dll. The listener is listening on 135/TCP. In our transport service provider we reimplement the WSPRecv function so that it inspects the received data; if it contains the password sent by the client, the corresponding command is executed to perform the expected action, and WSPSend is then called to send the result back to the client. This not only hides the process but also reuses an existing port.

 

4) Main code analysis

1. instbd.exe

The main function of the executable instbd.exe is to install our own layered transport service provider and rearrange the order of all transport service providers so that ours is at the top of the protocol chain; this way, applications of the matching type first enter our transport service provider interface. The program takes only one parameter, install (-install) or uninstall (-remove). As a demonstration it installs only the IP layered protocol and the TCP-related protocol chain. In backdoor.dll we do not modify the datagrams but only start our Trojan process.

Custom functions:


        
         
        BOOL GetFilter();       // obtain all installed transport service providers
        void FreeFilter();      // release the storage
        void InstallFilter();   // install the layered protocol and protocol chain, then reorder
        void RemoveFilter();    // uninstall the layered protocol and protocol chain

Code Analysis:


       
        
        ProtoInfo = (LPWSAPROTOCOL_INFOW)GlobalAlloc(GPTR, ProtoInfoSize);                  // allocate the buffer
        TotalProtos = WSCEnumProtocols(NULL, ProtoInfo, &ProtoInfoSize, &ErrorCode);         // enumerate all service providers installed in the system
        GetCurrentDirectory(MAX_PATH, Filter_Path);                                         // obtain the current path
        _tcscpy(Filter_Name, _T("\\backdoor.dll"));                                         // build the full path of the service provider DLL, backdoor.dll
        WSCInstallProvider(&FilterGuid, Filter_Path, &IPLayerInfo, 1, &ErrorCode);          // install the custom IP layered protocol
        IPLayerCataId = ProtoInfo.dwCatalogEntryId;                                         // catalog entry ID that ws2_32.dll assigned to the custom IP layered protocol
        UdpChainInfo.ProtocolChain.ChainEntries[0] = IPLayerCataId;                         // make the custom IP layered protocol the root layered provider at the top of the custom UDP protocol chain
        WSCInstallProvider(&FilterChainGuid, Filter_Path, ChainArray, ProvCnt, &ErrorCode); // install the protocol chain
        WSCWriteProviderOrder(CataEntries, TotalProtos);                                    // rewrite the installation order of all service providers so the custom ones come first
        WSCDeinstallProvider(&FilterGuid, &ErrorCode);                                      // uninstall the IP layered protocol
        WSCDeinstallProvider(&FilterChainGuid, &ErrorCode);                                 // uninstall the protocol chain
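An audit check from the defender's side, as an added example that is not part of the original article: it parses a dump in the style of `netsh winsock show catalog` (the field layout is approximated and assumed) and flags catalog entries whose provider DLL lies outside system32, reporting which base providers they are ordered ahead of, which is the footprint that the installer sequence above (WSCInstallProvider plus WSCWriteProviderOrder) leaves behind.

```python
"""Defensive audit of a Winsock catalog dump (added example, not from the article).
Parses the text printed by `netsh winsock show catalog` (field layout approximated
from memory, an assumption) and flags LSP entries whose DLL is outside system32."""
import re

# Constructed sample dump in the assumed `netsh winsock show catalog` layout.
SAMPLE_CATALOG = """\
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        backdoor over MSAFD Tcpip [TCP/IP]
Provider Path:                      C:\\Users\\demo\\backdoor.dll
Catalog Entry ID:                   1040
Protocol Chain Length:              2
Protocol Chain:                     1039 1001
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider Path:                      %SystemRoot%\\system32\\mswsock.dll
Catalog Entry ID:                   1001
Protocol Chain Length:              1
"""
SYSTEM_DIRS = ("%systemroot%\\system32\\", "c:\\windows\\system32\\")

def parse_catalog(text):
    """Return one dict of 'Field: value' pairs per catalog entry, in catalog order."""
    entries = []
    for block in re.split(r"Winsock Catalog Provider Entry\s*-+", text):
        fields = dict(re.findall(r"^([A-Za-z ]+):\s+(.+?)\s*$", block, re.M))
        if fields:
            entries.append(fields)
    return entries

def audit_catalog(text):
    """Flag non-system provider DLLs and note which base providers they sit ahead of:
    the installer above reorders its own entries before the providers they chain to."""
    entries = parse_catalog(text)
    order = {e["Catalog Entry ID"]: i for i, e in enumerate(entries)}
    findings = []
    for pos, e in enumerate(entries):
        path = e.get("Provider Path", "")
        if path.lower().startswith(SYSTEM_DIRS):
            continue
        chain = e.get("Protocol Chain", "").split()
        findings.append({
            "catalog_id": e["Catalog Entry ID"], "path": path, "position": pos,
            "chain_length": int(e.get("Protocol Chain Length", "1")),
            "shadows": [cid for cid in chain if cid in order and order[cid] > pos],
        })
    return findings
```

Run `audit_catalog(SAMPLE_CATALOG)` and compare the flagged paths against the modules you expect on the host; a real dump is obtained with `netsh winsock show catalog` on the machine under review.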

2. backdoor.dll

Transport service providers all exist as dynamic link libraries; ws2_32.dll loads them when an application requires them and unloads them after use. The transport service provider has only one entry function, WSPStartup, the SPI initialization function called on behalf of the Windows Sockets application. The other SPI functions are reached through the tables passed to WSPStartup as parameters. There is a global variable that all programs calling the DLL can read and modify. When the service provider is loaded for the first time, we start the Trojan process. In the demo the Trojan process has no special functions: after a client connects to the server port, if it sends a specific secret code, the server sends a specific message back.

Custom functions:


        
         
        int WSPAPI WSPStartup(WORD wVersionRequested, LPWSPDATA lpWSPData, LPWSAPROTOCOL_INFOW lpProtocolInfo,
                              WSPUPCALLTABLE UpcallTable, LPWSPPROC_TABLE lpProcTable);
        // The SPI function WSPStartup corresponds to the Windows Socket 2 API function WSAStartup.
        // WSPStartup is the single entry function; the remaining 30 SPI functions are returned
        // through the lpProcTable dispatch table, are called only internally and are not exported.

Code Analysis:


       
        
        hThread = CreateThread(NULL, 0, Backdoor, NULL, 0, NULL);                          // create the Trojan thread; in the demo it only shows the flow of data
        GetModuleFileName(NULL, ProcessName, MAX_PATH);                                    // obtain the full name of the host process
        OutputDebugString(_T("Start the backdoor..."));                                    // output debugging information
        LayerId = ProtoInfo.dwCatalogEntryId;                                              // catalog entry ID that ws2_32.dll assigned to the custom IP layered protocol
        NextLayerId = lpProtoInfo->ProtocolChain.ChainEntries[i + 1];                      // catalog entry ID of the next provider in the chain
        WSCGetProviderPath(&ProtoInfo.ProviderId, FilterPath, &FilterPathLen, &ErrorCode); // obtain the installation path of the next transport service provider
        ExpandEnvironmentStrings(FilterPath, FilterPath, MAX_PATH);                        // expand environment variables in the path
        hFilter = LoadLibrary(FilterPath);                                                 // load the next-layer transport service provider
        WSPStartupFunc = (LPWSPSTARTUP)GetProcAddress(hFilter, "WSPStartup");              // obtain the WSPStartup function of the next transport service provider
        WSPStartupFunc(wVersionRequested, lpWSPData, lpProtoInfo, UpcallTable, lpProcTable); // call the next provider's WSPStartup; this is where the hook is implemented
        NextProcTable = *lpProcTable;                                                      // save the 30 service function pointers of the next-layer service provider

Because a service provider in the form of a dynamic link library must export an entry function, a module definition file backdoor.def is also required:

        EXPORTS
            WSPStartup    ; export the entry function WSPStartup

3. testbd.exe

This is a test program used to check whether the Trojan server works normally. It sends a specific message to the server; if the server works normally it sends a specific message back, otherwise nothing is received. Because the Trojan server listens on TCP port 12345, our client is also based on the TCP protocol.

5) Summary and postscript

The purpose of this article is to introduce a programming idea; it is not a Trojan tutorial. In fact, technology and ideas only improve through constant confrontation. Only when we fully understand the various techniques, and even anticipate them, can we maintain order on the network and promote the development of network security. Finally, an old saying: "Know the enemy and know yourself."
