System Security: traces of trojans from processes

Source: Internet
Author: User

From: Fan forums
Many computer users pay little attention to the concept of a process. Most only know that "killing a process" stops a program; which process belongs to which program, which processes should be ended, and which must never be ended are questions they rarely consider. The following examples unveil some of the secrets of processes.

Example 1: make a friend with the process's "performer"

In many cases we do not even notice how many processes exist in the system. If you want to understand processes, you must first get to know the common system processes. Once you are familiar with them, you can pick the suspicious ones out of the process list like a detective.

In Windows 2000/XP, the Ctrl+Shift+Esc key combination quickly opens the Task Manager; in Windows 9x, the combination is Ctrl+Alt+Del.

1. "Main character" processes

First, familiarize yourself with the basic processes in the system. They are the preconditions for the system to run at all and generally cannot be ended; otherwise the system will crash.

Windows 2000/XP: Firewall, System Idle Process;

Windows 9x: msgsrv32.exe, mprexe.exe, mmtask.tsk, and kernel32.dll.

Did you know?

Processes and programs

Simply put, each time a program is started, a process is started. In Windows 3.x the process is the smallest unit of execution. In Windows 9x/2000/XP each process can start several threads; for example, each file being downloaded can run in its own thread, so in Windows 9x/2000/XP the thread is the smallest unit. The program is permanent and the process is temporary: if the program is a script, the performance is the process; if the program is a recipe, the cooking is the process.

No worries: svchost.exe

It is located in the System32 folder of the system directory and is a generic host process for services that run from dynamic link libraries (DLLs). In the Task Manager you can see several svchost.exe instances running, because several DLLs are hosted by it. For the same reason it has also become a target for virus abuse; the earlier "Blue Code" virus is one example. In addition, if the system is infected, it may display the prompt "svchost.exe error".

To see which services svchost.exe is hosting, enter "tlist -s" in the directory where the Windows kernel is located and press Enter ("tlist pid" shows the details of a single process). In Windows XP, enter "tasklist /svc" to view the service information of each process ("tasklist /fi "PID eq processID"" filters the list to one process ID).

2. "Supporting role" processes

Although these system processes are not required for the system to run, they often appear in the process list. They are all normal system processes.

After installing Windows, we recommend that you click "Start > Programs > Accessories > System Tools > System Information", then in the "System Information" window click "Software Environment > Running Tasks" (this shows more detailed attributes than the process list; the program path is especially important information), and then click "Action > Save as Text File". Later, when the system behaves abnormally, you can compare the current process list against this record. The Optimization Master tool also provides a function for saving process snapshots.
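The baseline-and-compare routine described above, as an added PowerShell example (not code from the original article): it records each running process with its full image path, and later reports what is new or gone. It assumes Windows PowerShell 5.1 or later and CIM access to Win32_Process; the baseline file path is an assumed default.

```powershell
# Added example, not from the original article. Assumes Windows PowerShell 5.1+.

function Get-ProcessSnapshot {
    # Name plus full image path: the two fields the article says matter most.
    # Processes without an image path (System, System Idle Process) are skipped.
    Get-CimInstance Win32_Process |
        Where-Object { $_.ExecutablePath } |
        Select-Object Name, ProcessId, ParentProcessId, ExecutablePath |
        Sort-Object Name
}

function Save-ProcessBaseline {
    param([string]$Path = "$env:USERPROFILE\process-baseline.xml")   # assumed default
    $snapshot = @(Get-ProcessSnapshot)
    $snapshot | Export-Clixml -Path $Path
    Write-Host "Saved baseline of $($snapshot.Count) processes to $Path"
}

function Compare-ProcessBaseline {
    param([string]$Path = "$env:USERPROFILE\process-baseline.xml")
    $baseline = @(Import-Clixml -Path $Path)
    $current  = @(Get-ProcessSnapshot)
    # Compare on name AND path: a look-alike name, or a known name running
    # from an unexpected directory, is reported as NEW rather than hidden.
    Compare-Object -ReferenceObject $baseline -DifferenceObject $current `
        -Property Name, ExecutablePath |
        ForEach-Object {
            $state = if ($_.SideIndicator -eq '=>') { 'NEW' } else { 'GONE' }
            [pscustomobject]@{ State = $state; Name = $_.Name; Path = $_.ExecutablePath }
        }
}

# Run Save-ProcessBaseline on a freshly installed, known-clean system, then
# Compare-ProcessBaseline whenever the system starts behaving abnormally.
```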

Example 2: search for clues about Trojans

Many Trojans, and some protection tools, use dual-process protection. For example, the "Falling Star" Trojan runs in dual-process mode. Let's look at how to discover them.

Step 1: Open the Task Manager. Comparing the list against the common processes, two "familiar strangers" stand out (names that resemble basic system process names but are not the same): "internet.exe" and "systemtray.exe". Compare them with the "supporting role" processes in the previous example.

Step 2: Open "Software Environment > Running Tasks" in "System Information" and view the path information. Both files are located in the Windows\System32 directory, and their file size and date are identical, but the file date does not match Microsoft's system files. Open Windows Explorer and view their version properties: although the company is given as Microsoft, it is not written the same way as the Microsoft company name in genuine system files. It can be determined that these are illegal processes and that they run in dual-process mode.

Step 3: In a trial, selecting "systemtray.exe" first and ending its process tree caused the process to be regenerated immediately, and both processes reappeared in the Task Manager. Selecting "internet.exe" instead and ending its process tree did not regenerate anything, and the Trojan processes were cleared from the system.

Example 3: genuine and fake system processes

Many viruses and Trojans use a process name resembling a system file or system process name so that they cannot be traced by name.

1. Disguised file name

(1) Altered characters in a common program or process name

For example, the process name "internet.exe" of the "Falling Star" Trojan described above is very similar to the name of the input method process "internat.exe". Can you tell them apart? (The number "1" replaces the letter "l".)

(2) Modified extension

The service process of the famous "Ice Horse" Trojan is Kernel32.exe. At first glance it looks like a familiar system process, but in fact no such file exists in the system; among the basic processes of Windows 9x there is only "Kernel32.dll". Likewise, the Trojan process named "Shell32.exe" is derived from the well-known file "Shell32.dll", and it does not exist in the system either.

2. Path disguise

The Windows directory and the System directory hold the system's core files, and they are generally treated as "off limits". Files in them are therefore usually assumed to be system files, and viruses and Trojans take advantage of this by placing their files in these two directories. In this case, you generally only need to locate the file's path through System Information and open the file properties, then check the date (this is very important: compare it with the date of the genuine system files), the version, and the company name. No virus or Trojan file can be made to match a system file in every one of these respects.
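The two disguises above (altered characters, swapped extensions) and the path/version/company check, as an added PowerShell example (not code from the original article): it flags running processes whose name is a near-miss of a known system name, and processes running from under the Windows directory whose image is not Microsoft-signed, reporting company name and modification date for the manual comparison the article describes. It assumes Windows PowerShell 5.1 or later; the known-name list is a constructed sample, not a complete inventory.

```powershell
# Added example, not from the original article. Assumes Windows PowerShell 5.1+.
# Constructed sample of known system names (extend for your own baseline).
$KnownNames = @('svchost.exe','services.exe','lsass.exe','csrss.exe','smss.exe',
                'winlogon.exe','explorer.exe','internat.exe','kernel32.dll','shell32.dll')

function Get-EditDistance([string]$a, [string]$b) {
    # Levenshtein distance; 1 means one character changed, added or removed.
    $d = New-Object 'int[,]' ($a.Length + 1), ($b.Length + 1)
    for ($i = 0; $i -le $a.Length; $i++) { $d[$i, 0] = $i }
    for ($j = 0; $j -le $b.Length; $j++) { $d[0, $j] = $j }
    for ($i = 1; $i -le $a.Length; $i++) {
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i - 1] -eq $b[$j - 1]) { 0 } else { 1 }
            $d[$i, $j] = [Math]::Min([Math]::Min($d[$i - 1, $j] + 1, $d[$i, $j - 1] + 1),
                                     $d[$i - 1, $j - 1] + $cost)
        }
    }
    return $d[$a.Length, $b.Length]
}

function Test-LookalikeName([string]$Name) {
    # Returns a description of the imitated name, or $null if the name is genuine/unrelated.
    $base = [IO.Path]::GetFileNameWithoutExtension($Name).ToLower()
    $ext  = [IO.Path]::GetExtension($Name).ToLower()
    foreach ($known in $KnownNames) {
        $kb = [IO.Path]::GetFileNameWithoutExtension($known)
        $ke = [IO.Path]::GetExtension($known)
        if ($base -eq $kb -and $ext -eq $ke) { return $null }                   # exact system name
        if ($base -eq $kb) { return "$known (extension changed)" }              # kernel32.exe vs .dll
        if ((Get-EditDistance $base $kb) -eq 1) { return "$known (one character differs)" }
    }
    return $null
}

function Get-SuspiciousProcesses {
    Get-CimInstance Win32_Process | Where-Object { $_.ExecutablePath } | ForEach-Object {
        $file = Get-Item -LiteralPath $_.ExecutablePath -ErrorAction SilentlyContinue
        if (-not $file) { return }
        $sig      = Get-AuthenticodeSignature -FilePath $file.FullName
        $like     = Test-LookalikeName $_.Name
        $inSysDir = $file.DirectoryName -like "$env:SystemRoot*"
        $msSigned = ($sig.Status -eq 'Valid') -and ($sig.SignerCertificate.Subject -like '*Microsoft*')
        # Report look-alike names, and anything under the Windows directory not signed by Microsoft.
        if ($like -or ($inSysDir -and -not $msSigned)) {
            [pscustomobject]@{ Name = $_.Name; PID = $_.ProcessId; Path = $file.FullName
                               Company = $file.VersionInfo.CompanyName; Modified = $file.LastWriteTime
                               Signature = $sig.Status; LooksLike = $like }
        }
    }
}
Get-SuspiciousProcesses | Format-Table -AutoSize
```

A hit is a lead for the manual check in the text, not a verdict: third-party software legitimately installs unsigned helpers under the Windows directory, so confirm path, date and company before ending anything.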

Example 4: optimize the system from the process

Apart from the basic processes required to run the system, every program that runs creates a process, and every process consumes a certain amount of CPU and memory. Too many processes, or a few poorly designed ones, slow the system down and degrade its performance. This is where you can optimize.


1. Streamline processes

Some processes in the system are not necessary, and ending them does no harm to the system.

For example, the WinZip assistant process.

There is a free tool called "Process Killer" that provides an automatic process-streamlining function, stopping all processes other than the system's basic processes. When you suspect that your computer is running hacker or virus processes but are not sure which ones, this software can effectively clear those illegal processes. However, it only works on Windows 9x/Me. Download: http://js-http.skycn.net:8080/down/prockiller_23.rar

2. Killing bad processes

Sometimes you will find that the system runs very slowly. In this case, open the Task Manager, click the "Processes" tab, and click the "CPU" column header to sort the processes by CPU usage; the program using the most resources is then easy to spot. In the same way, click the "Mem Usage" column header to find the big memory consumers and end those processes promptly.

One special case: when you view CPU usage, a process called "System Idle Process" always shows around 90%. Don't worry; it does not actually consume that much of the system's resources. Click the "Performance" tab to see the real CPU usage.

Windows 9x cannot show all processes and their CPU and memory usage the way Windows 2000/XP does. We recommend Process Explorer (http://www.sysinternals.com/ntw2k/f...rocexp.shtml).

★ If a 16-bit program is affecting the system and cannot be closed, open the "Processes" tab of the Task Manager, find the ntvdm.exe process, and end it: this kills all 16-bit applications without a restart.


3. Optimize software or game performance

You can also improve the performance of software and game processes by changing their priority so that they run faster. The side effect, of course, is that other running processes may suffer. For example, to avoid a failed CD burn caused by the burning buffer running empty, go to the "Processes" tab of the Task Manager, find and right-click the process of the burning software, select "Set Priority", and then choose "High" in the submenu.
