Process-Hidden methods

Source: Internet
Author: User


The most basic hiding: no window plus a hidden file

However mysterious a Trojan horse program may seem, it is still just a program running on the Win32 platform. Two kinds of program are common on Windows:

1. Win32 applications (GUI programs), such as QQ and Office.

2. Win32 console programs, such as fixmbr, the Recovery Console command that repairs the master boot record.

A Win32 application normally has a window; the Calculator that ships with the system, with its rows of digit buttons, is a typical example. A Trojan is also a Win32 application, but it usually creates no window, or hides the one it creates (there are exceptions, such as Trojans that pop up a chat window to talk to the victim), and its file on disk has the "hidden" attribute set. This is the most basic form of hiding, and it is easy to defeat: a slightly experienced user only has to open Task Manager to see the process, and tick "Show all files" in Folder Options to see the file. Hence the "process hiding" techniques introduced below.

First-generation process hiding: a backdoor in Windows 98

Windows 98 lets a process register itself as a service process. Microsoft never documented the call (the mechanism was dropped in later versions of Windows), but it was soon discovered: the undocumented kernel32 function RegisterServiceProcess. Any program can call it to register its own process as a service process, and service processes happen not to be shown in the Windows 98 Task Manager, so Trojans slipped through the loophole.

Dealing with this kind of Trojan is simple: any third-party process viewer shows the process regardless, and on Windows 2000/XP, which do not support this hiding method, the Trojan appears in Task Manager as usual. Once the process is terminated, the Trojan file can be deleted. The second-generation technique is not so easy to handle.

Second-generation process hiding: process injection

In Windows every process has its own private address space. When memory is accessed through a pointer, one process cannot touch another process's address space, just as you cannot walk into a neighbour's house and help yourself to dinner without the neighbour's consent: if QQ holds a picture in memory, MSN cannot obtain that picture simply by reading memory. This isolation also keeps programs stable. If your process has a bug and writes to a random address, the damage stays inside your own process and does not corrupt memory belonging to other processes.

Do you know? What is a process?

To an application, a process is like a large container. Running the application loads it into the container, and other things are added as well: the variables the program needs at run time, the DLL files it references, and so on. Running the same application a second time does not empty the container; the system simply provides a new container for the second instance.

A process can contain several threads, which let the application do several things at once (one thread writing to disk while another receives the user's keystrokes and responds immediately, without interfering with each other). When a program is started, the first thing the system does is create a default (primary) thread for the process; the program can then create or end further threads itself.

1. What is process injection

Separate address spaces benefit programmers and users alike. For programmers, the system is more likely to catch wild memory reads and writes. For users, the operating system is more robust, because one application cannot disrupt another process or the operating system itself. This robustness has a price: it is much harder to write an application that communicates with, or manipulates, other processes. Still, there are several ways to break through a process boundary and reach another process's address space; collectively they are called "process injection" (more precisely, DLL injection). Once a Trojan's DLL has been loaded into another process's address space, it can do anything it likes to that process, for example steal a QQ password, as described below.

2. How a Trojan steals a QQ password

Normally only the application that owns a window receives its keyboard and mouse input; other applications have no right to "ask" for it. So how does a password-stealing Trojan secretly record what I type? First it injects a DLL into the QQ process, where the DLL runs as a thread inside QQ and so effectively becomes part of QQ. From then on everything the user types into QQ, the password included, is visible to the Trojan DLL, because it sits inside the very process that receives the input. A thief already inside the house is truly hard to guard against.

3. How a process is injected

(1) Injecting a DLL via the registry

Early injecting Trojans worked by writing their DLL into the registry value [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs]; every process that loads user32.dll then loads the listed DLLs as well. The drawback is that it is not immediate: processes that are already running are not affected, so in practice a reboot is needed after the registry change before the injection is complete.
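A check a defender can run against this mechanism, added here as an example (it is not part of the original article). It assumes Windows 7 or later, where the documented LoadAppInit_DLLs and RequireSignedAppInit_DLLs values exist and 64-bit systems keep a separate 32-bit list under Wow6432Node; the output layout and the "Suspicious" rule are mine.

```powershell
# Added example: audit the AppInit_DLLs injection mechanism.
# Assumes Windows 7 or later; on 64-bit Windows the 32-bit view under
# Wow6432Node has its own, independent AppInit_DLLs value.
function Get-AppInitDllStatus {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        $dlls  = [string]$props.AppInit_DLLs
        # LoadAppInit_DLLs exists from Windows 7: 0 disables the list entirely.
        # On XP/2003 the value is absent and the list is always loaded.
        $load = $props.PSObject.Properties['LoadAppInit_DLLs']
        $loadEnabled = if ($null -eq $load) { $true } else { [int]$load.Value -eq 1 }
        $signed = $props.PSObject.Properties['RequireSignedAppInit_DLLs']
        [pscustomobject]@{
            Key           = $key
            AppInit_DLLs  = $dlls
            LoadEnabled   = $loadEnabled
            RequireSigned = ($null -ne $signed -and [int]$signed.Value -eq 1)
            # any DLL listed while loading is enabled deserves a look
            Suspicious    = $loadEnabled -and ($dlls.Trim() -ne '')
        }
    }
}

# Resolve every listed DLL (the value may hold several paths separated by
# spaces or commas; bare names are searched in System32) and show whether
# it carries a valid Authenticode signature.
function Test-AppInitDlls {
    foreach ($entry in Get-AppInitDllStatus) {
        if (-not $entry.Suspicious) { continue }
        foreach ($path in ($entry.AppInit_DLLs -split '[ ,]+' | Where-Object { $_ })) {
            $full = if (Test-Path -LiteralPath $path) { (Resolve-Path -LiteralPath $path).Path } else { Join-Path $env:SystemRoot "System32\$path" }
            $sig = if (Test-Path -LiteralPath $full) { (Get-AuthenticodeSignature -FilePath $full).Status } else { 'FileMissing' }
            [pscustomobject]@{ Source = $entry.Key; Dll = $full; Signature = $sig }
        }
    }
}

Get-AppInitDllStatus | Format-List
Test-AppInitDlls     | Format-Table -AutoSize
```

On Windows 8 and later with Secure Boot enabled the AppInit_DLLs mechanism is disabled by the system regardless of these values, so an empty list there is the expected result; a populated list with LoadEnabled set to True on an older system is exactly the footprint of the registry injection described above.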

(2) Injecting a DLL with a hook

A more advanced and covert approach uses the system hook mechanism (a "hook", roughly the Windows counterpart of a DOS interrupt) to get into the process; a number of QQ-stealing and keylogging Trojans hook their way into other processes in just this way. It requires calling the Win32 API function SetWindowsHookEx with a hook procedure that lives in a DLL, and Windows then maps that DLL into every process that receives the hooked events. The drawbacks are a higher technical bar and a program that is hard to debug; the author of such a Trojan must be a fairly accomplished Win32 programmer.

Do you know? What is an API?

The interfaces through which Windows exposes its features are called the Win32 API (Application Programming Interface). When a program needs to read or write a file on disk, for instance, it makes a call through the corresponding API (the file-related functions), passing parameters such as the file name and path; the API carries out the requested operation and returns the result (the file was written successfully, the read failed, and so on) to the program.

(3) Injecting a DLL with the remote-thread function (CreateRemoteThread)

Windows 2000 and later provide a "remote thread" mechanism: a single API function, CreateRemoteThread, creates a thread inside another process, and that thread can be made to load a DLL. The obvious drawback is that it only works on Windows 2000 and later; at the time a considerable number of users in China were still running Windows 98, so a Trojan relying on it lacked platform portability.

Because the Trojan has loaded itself as a DLL into another process's address space, looking at the process list shows nothing unusual: only normal-looking processes appear, but the Trojan has crept inside one of them. The remedy is a process manager that can list a process's loaded modules (such as the process viewer in Windows Optimizer); the Trojan's DLL then appears among the modules.
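The "process module view" check above, automated, as an added example that is not part of the original article: it walks every process, lists the modules it has loaded, and reports those that a Trojan DLL typically looks like, loaded from outside the normal system and program directories or lacking a valid Authenticode signature. The set of trusted directories is an assumption you can widen for your environment.

```powershell
# Added example: list loaded modules per process and flag the ones a Trojan DLL
# would look like: outside the usual system/program directories, or without a
# valid Authenticode signature. Run elevated, from a PowerShell of the same
# bitness as the processes you care about.
function Get-SuspiciousModules {
    param(
        [string[]]$TrustedRoots = @(
            "$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64", "$env:SystemRoot\WinSxS",
            $env:ProgramFiles, ${env:ProgramFiles(x86)}
        )
    )
    $roots = $TrustedRoots | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() + '\' }
    $sigCache = @{}    # signature checks are slow; each file is verified once
    foreach ($proc in Get-Process) {
        try { $modules = @($proc.Modules) } catch { continue }   # System/Idle, protected, or other-bitness processes
        foreach ($m in $modules) {
            $path = $m.FileName
            if (-not $path) { continue }
            $lower = $path.ToLowerInvariant()
            $inTrusted = $false
            foreach ($root in $roots) { if ($lower.StartsWith($root)) { $inTrusted = $true; break } }
            if (-not $sigCache.ContainsKey($lower)) {
                $sigCache[$lower] = (Get-AuthenticodeSignature -FilePath $path).Status
            }
            $sig = $sigCache[$lower]
            if ($inTrusted -and $sig -eq 'Valid') { continue }   # the expected, boring case
            [pscustomobject]@{
                Process     = $proc.ProcessName
                PID         = $proc.Id
                Module      = $path
                Signature   = $sig
                OutsideRoot = -not $inTrusted
            }
        }
    }
}

Get-SuspiciousModules | Sort-Object Process, Module | Format-Table -AutoSize
```

This view relies on the loader's own module list inside each process; a DLL that unlinks itself from that list, or code that is mapped manually without going through LoadLibrary, will not appear here and needs a memory scan instead. Expect some noise from legitimate unsigned third-party software; the point is that the list is short enough to review by hand.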

Don't believe your eyes: the terrifying "evaporating" process

Strictly speaking this should be called generation 2.5, but it is far scarier than the techniques above: the Trojan no longer needs to inject itself into another process; it can simply disappear.

The Trojan uses hooking to watch the process-related API calls of every program on the system. Task Manager can display all the processes only because it calls a process-enumeration API such as EnumProcesses, which returns the process information as its result; the caller receives that result and presents it (Task Manager turns it into the process list). In practice such hooks target the lower-level NtQuerySystemInformation, which EnumProcesses and Task Manager both rely on, so one hook covers every caller.

Because the Trojan has hooked that API in advance, whenever Task Manager (or any other program that enumerates processes) calls EnumProcesses, the API acts as the Trojan's "inside man": the Trojan is notified, receives the result (the list of all processes), erases its own entry from it, and only then hands the list back to the caller. It is as though you believe you are watching a live broadcast while someone has quietly switched the set over to a DVD player; what you see is not the real thing.

So neither Task Manager nor antivirus software can find this Trojan's process once it is running. There was no very effective way to remove it, other than antivirus software detecting the Trojan file and stopping it before it runs. A technique also existed at the time in which the Trojan removed its own entry from the linked list of process records that the Windows kernel maintains, so that process-management tools, which obtain their information from that list, never saw it (this approach is now known as DKOM, direct kernel object manipulation). Because it lacked platform portability and caused problems in operation, it was not widely used.
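A cross-view check against both hiding methods in this section, as an added example that is not part of the original article. One view is the normal enumeration (Get-Process, which ends up in NtQuerySystemInformation like Task Manager); the other view opens every possible process ID directly with OpenProcess. A process filtered out of the enumeration result by a user-mode hook still answers to OpenProcess, and a process unlinked from the kernel's process list typically does too, because handle lookup by PID goes through a separate table; this is how early anti-rootkit tools found such processes. The PID range and the exit-code filter are my choices.

```powershell
# Added example: cross-view detection of a hidden process. The enumeration view
# (Get-Process) is compared with a brute-force view that opens every possible
# PID directly; a process removed from the enumeration result, or unlinked from
# the kernel's process list, can usually still be opened by ID.
$probe = @'
using System;
using System.Runtime.InteropServices;
using System.Text;
public static class PidProbe {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool GetExitCodeProcess(IntPtr h, out uint code);
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool QueryFullProcessImageName(IntPtr h, uint flags, StringBuilder name, ref uint size);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr h);
}
'@
Add-Type -TypeDefinition $probe

function Get-HiddenProcessCandidates {
    param([int]$MaxPid = 65535)   # PIDs above this are rare on a workstation but possible
    $visible = @{}
    Get-Process | ForEach-Object { $visible[$_.Id] = $_.ProcessName }
    $PROCESS_QUERY_LIMITED_INFORMATION = 0x1000   # Vista and later; use 0x0400 on XP
    $STILL_ACTIVE = 259
    for ($candidate = 4; $candidate -le $MaxPid; $candidate += 4) {   # NT process IDs are multiples of 4
        $h = [PidProbe]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, $candidate)
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        $exists = $false
        $image  = $null
        if ($h -ne [IntPtr]::Zero) {
            # a process that has exited but still has open handles keeps its PID;
            # skip those so they do not show up as false positives
            $code = [uint32]0
            if ([PidProbe]::GetExitCodeProcess($h, [ref]$code) -and $code -eq $STILL_ACTIVE) {
                $exists = $true
                $sb  = New-Object System.Text.StringBuilder 1024
                $len = [uint32]$sb.Capacity
                if ([PidProbe]::QueryFullProcessImageName($h, 0, $sb, [ref]$len)) { $image = $sb.ToString() }
            }
            [void][PidProbe]::CloseHandle($h)
        } elseif ($err -eq 5) {
            $exists = $true    # ERROR_ACCESS_DENIED: it exists, we just may not open it (e.g. a protected process)
        }
        if ($exists -and -not $visible.ContainsKey($candidate)) {
            [pscustomobject]@{ PID = $candidate; Image = $image; Seen = 'OpenProcess only' }
        }
    }
}

Get-HiddenProcessCandidates | Format-Table -AutoSize
```

A process that starts between the Get-Process snapshot and the moment its PID is probed also shows up, so treat a hit as a candidate and run the check twice. The check is only as good as the API it trusts: a Trojan that has also hooked OpenProcess inside this PowerShell process defeats it, which is why anti-rootkit tools run their brute-force view from the kernel or from a freshly started, clean process.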

Do you know? What is a hook?

Hooks are a Windows system mechanism that takes the place of the interrupts of the DOS era. Once a program has hooked a particular system event (including, as above, calls to a particular API function), the system notifies the hooking program (for example the Trojan) whenever that event occurs, and that program gets to respond first, which is how the Trojan can modify a function's result before it is returned to the caller.

Leaving no trace: all-round hiding

With the same hooking technique used to hide the process, a Trojan can just as easily hide its files: it only has to hook the file-related API functions, and then neither Explorer nor antivirus software can find where the Trojan lives. More alarmingly, Trojans such as Gray Pigeon (Huigezi) already combine the two, hiding both files and processes. The best defence against such a Trojan is antivirus software that intercepts it before it runs.

Fighting back against antivirus: anti-antivirus packers

A Trojan can be as cunning as it likes, but once antivirus software has a signature for it, it is intercepted before it runs. To evade that, many Trojans are "packed" (given a shell), which is like dressing the Trojan in a coat so the antivirus no longer recognises it; some antivirus products respond by stripping the common packers first and then scanning (as if to say: don't think I won't recognise you in a waistcoat). Beyond this passive hiding, packers have recently appeared that actively fight antivirus software: when the packed Trojan runs, the shell gains control first, disables the antivirus installed on the system, and only after confirming that it is safe (the antivirus protection has been dismantled) unpacks the Trojan "body" wrapped inside and executes it. The way to deal with such Trojans is antivirus software with unpacking ability, which scans beneath the shell.

Do you know? What is a shell (packer)?

As the name suggests, a shell is something wrapped around the outside. A packer wraps a file (an EXE, say) so that when the file is run, the shell gets control first, then releases and runs the wrapped original. Many packers also encrypt the wrapped body, which defeats signature-based antivirus detection. Suppose the antivirus defines the Trojan's signature as "12345" and treats any file containing it as the Trojan; a packer with encryption transforms the body so that "12345" becomes, say, "54321", and a scanner that relies only on the file's bytes no longer matches. Unpacking means removing the shell and restoring the file to its state before it was packed.
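The "12345" becomes "54321" idea carried through in code, as an added example that is not part of the original article. A toy shell XORs the body behind a small header, a toy scanner looks for a byte signature, and an "unpacking" scanner reverses the shell before scanning; the body, the signature and the XOR shell are constructed for the demonstration and stand in for a real packer, which compresses and encrypts the whole PE image and prepends a decryption stub.

```powershell
# Added example: a toy "shell" and a toy signature scanner, showing why packing
# defeats a byte-signature scan and why a scanner that unpacks first does not
# fall for it. All inputs below are constructed for the demonstration.
function Find-Signature {
    param([byte[]]$Data, [byte[]]$Signature)
    for ($i = 0; $i -le $Data.Length - $Signature.Length; $i++) {
        $match = $true
        for ($j = 0; $j -lt $Signature.Length; $j++) {
            if ($Data[$i + $j] -ne $Signature[$j]) { $match = $false; break }
        }
        if ($match) { return $i }
    }
    return -1
}

# The shell: a 7-byte marker, the one-byte key, then the body XORed with the key.
function Protect-Body {
    param([byte[]]$Body, [byte]$Key)
    $packed = New-Object byte[] ($Body.Length + 8)
    [System.Text.Encoding]::ASCII.GetBytes('PACKED!').CopyTo($packed, 0)
    $packed[7] = $Key
    for ($i = 0; $i -lt $Body.Length; $i++) { $packed[8 + $i] = $Body[$i] -bxor $Key }
    return ,$packed
}

# What the shell's stub does at run time, and what an unpacking scanner imitates.
function Unprotect-Body {
    param([byte[]]$Packed)
    if ($Packed.Length -lt 8 -or [System.Text.Encoding]::ASCII.GetString($Packed, 0, 7) -ne 'PACKED!') { return $null }
    $key  = $Packed[7]
    $body = New-Object byte[] ($Packed.Length - 8)
    for ($i = 0; $i -lt $body.Length; $i++) { $body[$i] = $Packed[8 + $i] -bxor $key }
    return ,$body
}

# Scanner: match the raw bytes; with -Unpack, also strip a recognised shell and match again.
function Test-Scanner {
    param([byte[]]$File, [byte[]]$Signature, [switch]$Unpack)
    if ((Find-Signature $File $Signature) -ge 0) { return 'detected' }
    if ($Unpack) {
        $inner = Unprotect-Body $File
        if ($inner -and (Find-Signature $inner $Signature) -ge 0) { return 'detected after unpacking' }
    }
    return 'clean'
}

$body      = [System.Text.Encoding]::ASCII.GetBytes('stub code ... 12345 ... payload')   # constructed "Trojan body"
$signature = [System.Text.Encoding]::ASCII.GetBytes('12345')                              # the antivirus signature
$packed    = Protect-Body -Body $body -Key 0x5A

Test-Scanner -File $body   -Signature $signature
Test-Scanner -File $packed -Signature $signature
Test-Scanner -File $packed -Signature $signature -Unpack
# The shell leaves its own fingerprint: the marker is a signature for the packer itself
Find-Signature -Data $packed -Signature ([System.Text.Encoding]::ASCII.GetBytes('PACKED!'))
```

The plain body is caught by the raw scan, the packed file passes the raw scan because the bytes "12345" no longer occur in it, and the unpacking scan catches it again once the shell is stripped. The last call makes the practical point from the section above: the shell itself is recognisable, which is why antivirus products keep signatures for common packers and treat an unknown high-entropy wrapper as suspicious in its own right.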

