Rogue Software Technology

Source: Internet
Author: User

The techniques behind rogue software are varied. Any function can become a rogue technique, just as with a weapon: used properly it serves justice, misused it becomes an accomplice to evil.
First, some analysis of rogue techniques in Win32 (application layer):
1. The first thing rogue software wants is to be running at all times, so it registers itself to start automatically, for example under the registry Run key or in the startup items. This is an old method; 3721 apparently used it back then, but by now even ordinary users know about it.
2. Rogue software has changed some of the traits of earlier Trojans. Rather than running at all times, it only needs to start again on certain triggers, for example when a browser window is opened. This is the usual approach of rogue software, because it only profits when the user is online, so the browser is necessarily one of the processes it monitors.
3. Using BHO (Browser Helper Object) plug-ins was a popular technique early on. BHO is an interface provided by Microsoft to let IE extend its functionality: whenever an IE browser starts, it loads the plug-ins registered under the BHO key. Rogue software uses this to monitor all browser events and information.
4. The crudest way is to take process snapshots, poll them to determine when a process it cares about has started, and then use ATL to obtain the browser's pointer and monitor all browser events and information.
5. Another way, which I have seen described on the Internet, is SPI (the Winsock Service Provider Interface). An SPI provider is a layered protocol: when Winsock2 starts it loads the provider DLL, which then sees all application-layer packets. This both monitors user information and provides automatic startup.
6. Hooks. Hook technology is used very widely, especially for monitoring, so rogue software naturally does not pass it up. The first application is API function hooking, which can be done with the APIHook class from Windows Core Programming or with Microsoft's Detours; the two are essentially the same, modifying the function's entry address in the IDT. Hooking CreateProcess lets you monitor process creation with better performance than process snapshots, and hooking the functions under SPI achieves everything SPI can do. There are also message hooks: mouse messages, keyboard messages, everyday window messages, and so on.
There are far too many methods to list.
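The Run key and BHO mechanisms from items 1 and 3 above both leave registry entries behind, which is where a defender looks first. The script below is an added example, not code from the original post: it parses a registry export in .reg text form and lists every Run-key entry and every registered BHO, resolving the BHO's CLSID to the DLL IE would actually load, and flags images that live outside the Windows and Program Files directories. The export, the CLSID and the file paths are constructed placeholders; the Winsock catalog used by SPI providers (item 5) is stored as binary blobs and is not covered here.

```python
"""Triage of the autostart locations the post names (Run keys and Browser
Helper Objects) from a registry export in .reg text form.

Added example, not code from the original post. The export below is
constructed sample data; the CLSID and paths are invented placeholders.
"""
import re
from dataclasses import dataclass

# Constructed .reg export. Real exports are UTF-16 with a
# "Windows Registry Editor Version 5.00" header; decode before parsing.
SAMPLE_REG = r'''
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"UpdaterHelper"="C:\\Users\\Public\\svc\\updater.exe -bg"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]
@="Example Toolbar"

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\ProgramData\\extbar\\extbar.dll"
"ThreadingModel"="Apartment"
'''

# Directories from which autostart images are normally expected; anything
# elsewhere (user profiles, ProgramData, temp) is worth a closer look.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


@dataclass
class Finding:
    location: str     # autostart mechanism: "Run key" or "BHO"
    name: str         # value name, or the BHO's CLSID
    image: str        # executable or DLL that would be loaded
    suspicious: bool  # True when the image lives outside TRUSTED_ROOTS


def parse_reg(text):
    """Return {key_path: {value_name: value}} for a .reg export.

    Only string values are unescaped; binary/dword values are kept raw
    since the checks below never need them."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        key = _KEY_RE.match(line)
        if key:
            current = key.group(1)
            keys.setdefault(current, {})
            continue
        val = _VALUE_RE.match(line)
        if val and current is not None:
            name = val.group(1) if val.group(1) is not None else "@"
            value = val.group(2)
            if value.startswith('"') and value.endswith('"'):
                value = value[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = value
    return keys


def image_path(command):
    """Pull the image path out of a Run-key command line (quoted or not)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.+?\.(?:exe|dll|com|bat|cmd|scr))(?:\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def is_trusted(path):
    return path.lower().startswith(TRUSTED_ROOTS)


def triage(reg_text):
    """List Run-key entries and BHOs, flagging images outside trusted roots."""
    keys = parse_reg(reg_text)
    lower_keys = {k.lower(): v for k, v in keys.items()}
    findings = []
    for key, values in keys.items():
        tail = key.rsplit("\\", 1)[-1].lower()
        if tail in ("run", "runonce") and "\\currentversion\\" in key.lower():
            for name, command in values.items():
                img = image_path(command)
                findings.append(Finding("Run key", name, img, not is_trusted(img)))
        bho = re.search(r"\\browser helper objects\\(\{[0-9a-f-]+\})$", key, re.IGNORECASE)
        if bho:
            clsid = bho.group(1)
            # The BHO key only names the CLSID; the DLL IE actually loads is the
            # InprocServer32 default value of that CLSID's class registration.
            server = lower_keys.get(f"hkey_classes_root\\clsid\\{clsid.lower()}\\inprocserver32", {})
            dll = server.get("@", "")
            findings.append(Finding("BHO", clsid, dll, not is_trusted(dll)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REG):
        flag = "SUSPICIOUS" if f.suspicious else "ok"
        print(f"[{flag:10}] {f.location:8} {f.name}: {f.image}")
```

The path heuristic is deliberately simple: an entry in a trusted directory is not proof of legitimacy, and an entry outside it is only a lead, so the output is a worklist for checking signatures and hashes, not a verdict.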
The list above covers how rogue software gets its work done, but a defining trait of rogue software is that it cannot be removed, so it also uses the following methods.
Many of the mechanisms above can be undone by deleting registry entries and uninstalling, so what does it do? It checks its registry entries from time to time: in its own process or thread it sets up a loop that monitors the entries, and if it finds them missing it reinstalls and re-adds them. I believe this is what many rogue programs do.
Now there is a further problem: what if the rogue software's process or thread is terminated?
7. One method is the API hook described above: hook OpenProcess and use its own function to decide whether the process may be opened, returning a result of its own choosing. With this in place, users and ordinary software cannot end its process.
8. Another kind, like the BHO and SPI approaches above, has no process of its own at all, so an ordinary user cannot remove it.
9. Another method is remote threads, which is also widely used. Much like a hook, it requests a block of memory in the target process, maps its code into it, and uses CreateRemoteThread to create a remote thread there. Many rogue programs, and some earlier Trojans, inject threads into system processes such as explorer and services, which users and ordinary anti-virus software find difficult to handle or stop.
10. After registering as a service, the process can simply be hidden. Even more absurd, once the process name is the same as some system process name, such as LSASS, it will not be ended.
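The name trick in item 10 works against a user reading Task Manager, but a process named LSASS that is not the real lsass.exe is still easy to tell apart by where its image lives and what spawned it. The following is an added example, not code from the original post: it audits a process snapshot for core Windows process names whose image is not under System32, whose parent is not the expected one, or which appear more than once. The snapshot, PIDs and paths are constructed sample data; on a live host the same fields come from a process listing such as Get-CimInstance Win32_Process.

```python
"""Heuristic audit of a process snapshot for the name-masquerading trick the
post describes (a process called LSASS that is not the real lsass.exe) and
for core processes parked in the wrong place in the process tree.

Added example, not code from the original post. The snapshot below is
constructed sample data; names, PIDs and paths are invented.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str
    image: str   # full path of the executable, "" if unknown


# Constructed snapshot: a normal core process tree plus two impostors.
PROCESSES = [
    Proc(4, 0, "System", ""),
    Proc(500, 4, "smss.exe", r"C:\Windows\System32\smss.exe"),
    Proc(600, 500, "wininit.exe", r"C:\Windows\System32\wininit.exe"),
    Proc(700, 600, "services.exe", r"C:\Windows\System32\services.exe"),
    Proc(720, 600, "lsass.exe", r"C:\Windows\System32\lsass.exe"),
    Proc(900, 700, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
    Proc(2100, 1800, "explorer.exe", r"C:\Windows\explorer.exe"),
    Proc(3400, 2100, "LSASS.exe", r"C:\ProgramData\upd\LSASS.exe"),   # same name, wrong place
    Proc(3500, 2100, "svchost.exe", r"C:\Users\Public\svchost.exe"),  # same name, wrong parent
]

SYSTEM32 = "c:\\windows\\system32\\"

# Where each core Windows process is normally spawned from. The smss.exe
# instance that starts wininit.exe exits afterwards, so a parent that no
# longer exists is treated as unknown rather than as a finding.
EXPECTED_PARENT = {
    "wininit.exe": "smss.exe",
    "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe",
    "svchost.exe": "services.exe",
}
# Processes of which exactly one instance should exist.
SINGLETONS = {"wininit.exe", "services.exe", "lsass.exe"}


def audit(procs):
    """Return (pid, reason) pairs; pid 0 marks host-wide findings."""
    by_pid = {p.pid: p for p in procs}
    counts = {}
    findings = []
    for p in procs:
        name = p.name.lower()          # the impostor spells it LSASS.exe
        counts[name] = counts.get(name, 0) + 1
        if name not in EXPECTED_PARENT:
            continue
        if not p.image.lower().startswith(SYSTEM32):
            findings.append((p.pid, f"{p.name} runs from {p.image or '<unknown>'}, not System32"))
        parent = by_pid.get(p.ppid)
        if parent is not None and parent.name.lower() != EXPECTED_PARENT[name]:
            findings.append((p.pid, f"{p.name} parent is {parent.name} (pid {parent.pid}), "
                                    f"expected {EXPECTED_PARENT[name]}"))
    for name in sorted(SINGLETONS):
        if counts.get(name, 0) > 1:
            findings.append((0, f"{counts[name]} processes named {name}; only one is expected"))
    return findings


def suspicious_pids(procs):
    """PIDs that have at least one per-process finding, sorted."""
    return sorted({pid for pid, _ in audit(procs) if pid != 0})


if __name__ == "__main__":
    for pid, reason in audit(PROCESSES):
        print(f"pid {pid:>5}: {reason}")
```

Comparing names case-insensitively matters: Windows file names are case-insensitive, so "LSASS.exe" and "lsass.exe" are the same name to the system but easy to miss when matched as plain strings.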
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The methods listed above have already been combined into several rogue programs. But don't celebrate too early, because these techniques live only at the application layer. There is now a crowd of anti-rogue tools at the driver layer, such as Super Rabbit, Perfect Uninstaller, Muma Kexing (Trojan Killer), Yahoo Assistant, and the currently popular 360 Security Guard.
These anti-rogue tools remove the application-layer rogue software in a fairly simple way: they start before the rogue software, intercept every IRP that accesses the rogue software's files, delete its registry keys, and delete its files. The anti-rogue task is easily done.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
To counter these anti-rogue tools, rogue software moved to the kernel layer.
1. The first approach is a file filter driver that protects its own files. The rogue software filters every create-file IRP that targets its files, other than its own opens, and every set-information IRP against them, which effectively protects the files.
2. Kernel-level hooking can hook any kernel function, documented or undocumented, such as ZwCreateFile and ZwSetInformationFile, and protects files just as effectively.
3. Driver-layer rogue software also uses kernel-level hooks to replace RegDeleteKey, RegDeleteValueKey, and RegSetValueKey, effectively protecting its registry entries.
4. Kernel-level hooks can also be used to hide or monitor processes and to restart them.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Against these rogue software methods, some driver-layer anti-rogue tools are rather helpless. Because the rogue driver intercepts IRPs, nobody can operate on its files: the anti-rogue tool's deletion IRP is blocked, or the deletion function has been replaced, and the registry deletion function has been replaced too. Even when the anti-rogue driver loads first, it cannot guarantee that the rogue software is completely removed. This gave rise to more advanced anti-rogue tools that send file requests directly to the file system, and registry requests directly as well. This kind of tool can complete the anti-rogue task effectively, but as far as I know there are not many of them.
Currently the popular 360 Security Guard only uses a crude method: it starts before the rogue driver and creates a device with the same name as the rogue driver, so the rogue driver's device creation fails. As far as I know, when a rogue driver starts it places itself in the PNP_TDI group, and a simple NDIS driver could start even earlier than 360; if the rogue driver's group loads earlier, 360's trick does not work. So the only way to deal with this kind of rogue driver is to send IRPs directly to the file system.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
How does rogue software prevent IRPs from being sent directly to the file system? With a rootkit. I think many people misunderstand rootkits; many think a hook is a rootkit. Bluntly, a rootkit replaces an operating system file: you sent your IRP to the file system, but I have changed the file system itself. From what I have observed, rootkits are common on Unix and Linux but still relatively rare on Windows, because they are hard to write. I think if rogue software could reach that technical level, it would not need to be rogue software at all,
it could just go and be the operating system :)
