"White and black" is a popular term for DLL hijacking technology. Nowadays, many malicious programs use this hijacking technology to bypass the active defense of security software to load themselves, it is currently a fire-free method. This article will provide a brief technical introduction and case study on such viruses.
The so-called "white and black" generally refers to "White exe" and "Black dll". "White exe" refers to a normal exe file with a digital signature, the "Black dll" is of course a dll file containing malicious code. The virus uses the exe program with a digital signature and in the anti-virus software whitelist to load its own dll with malicious code, so that it can gain the automatic trust of the anti-virus software to actively defend against, and then load it to the system. This method of virus is actually a loophole in software writing. If the third-party software is not reviewed or the library file called is not strictly reviewed during compilation, DLL hijacking may occur, microsoft has learned about this vulnerability. For details, refer to Microsoft Security Bulletin (2269637 ).
Dll hijacking technology Overview
When an executable file is running, the Windows loader maps the executable module to the address space of the process. The loader analyzes the input table of the executable module, and try to find any required DLL and map them to the address space of the process. Because the input table only contains the DLL name but does not have its path name, the loader must search for the DLL file on the disk. First, it will try to load the DLL from the directory where the current program is located. If not, it will be searched in the Windows System directory, and finally in the directories listed in the environment variables. Using this feature, malicious programs first forge a DLL with the same name as the system and provide the same output table. Each output function is switched to the real system DLL. In this way, when the program calls the system DLL, it first calls the forged DLL under the current directory, completes the relevant functions, and then jumps to the system DLL function with the same name for execution. In this process, the system DLL is hijacked.
The search order for DLL files loaded on Windows XP SP2 is as follows:
(1) executable Program loaded directory (it can be understood as the Program installation directory, such as C: \ Program Files \ Internet Explorer)
(2) system directory (% windir % \ system32)
(3) 16-bit system directory (% windir % \ system)
(4) Windows Directory (% windir %)
(5) directory where a file is running (for example, C: \ Documents ents and Settings \ Administrator \ Desktop \ test)
(6) Directories listed in PATH Environment Variables
According to the DLL loading sequence described above, when running a program, it will give priority to loading required files under the directory where the program is executed. In this way, the virus Author can forge a dll, all export functions containing the hijacked dll are placed in the executable program directory. When the exe runs, the virus dll is called preferentially.
Virus Case Analysis
1) In this example, the white and black sample is a remote control Trojan installed in a fake game hall. The user downloads the installation package of the bundled trojan from the fake one. After double-clicking the package, the installation interface is displayed, the installation process is similar to the normal installation process.
Figure 1: run the installation package. The installation page is displayed.
2) Click "Next" until the installation is complete. There is an "456 game" shortcut on the desktop. If you double-click to run the task without thinking about it, you will actually be ready. Right-click the shortcut to view the properties. The target file is C: \ Program Files \ Common Files \ ODBC \ SGUpdater.exe, which is not the installation directory and main Program of the 456 game.
Figure 2: virus tampered Desktop shortcuts pointing to itself
3) Find sgupdater.exe to view the attributes. This exe is the sogou wallpaper Upgrade Program with the file version and legal digital signature, which is what we call "White exe ".
Figure 3: normal exe file used by virus
4) the worker has been run, and HWSignature. dll under the same directory is loaded, that is, the "Black dll" in this example, and the self-startup Item is added. In this step, this remote control Trojan is equivalent to "Planting". Next, it connects to the remote control host and records keyboard operations, causing user privacy leakage and personal property security threats.
Figure 4: hwsignature.dllused to help sgupdater.exe load to bypass anti-virus software protection
Figure 5: establish a connection between a Trojan horse and a remote control host
5) Run sgupdater.exe and check the 456 game shortcut attributes again. The target file and location have changed. This time, it points to the true 456 game main program: C: \ Program Files \ KaiUnion Tech \ 456 GAME \ Lobby.exe, then double-click the shortcut to bring up the game interface.
Figure 6: After the virus is loaded successfully, the shortcut is directed back
It can be seen that the virus author is careful and step-by-step. First, bind the virus-related files to the game installation package, release the files to the local disk during the user installation process, modify the game shortcut to direct the files, and trick the user into double-clicking, after the trojan is successfully implanted, direct the shortcut back. You can double-click the shortcut again to bring up the game interface, without any doubt. The Remote Control Trojan is implanted between the two double-click shortcuts, and can be self-started. To avoid more losses, please clear the Trojan horse out of the system.
The cleaning process is simple. First, we delete the sguppda ~ in Xuetr from the task manager worker sgupdater.exe process ~ 1. EXE self-starting item. All Files in the C: \ Program Files \ Common Files \ ODBC directory are not related to the game. Simply delete all Files and restart the computer.
Figure 7: Use Xuetr to delete a virus's self-starting item
Summary
As the dll hijacking vulnerability occurs in the compilation of third-party software, the patch work naturally falls on the software writers. For ordinary Internet users, in addition to careful downloading, it is best to scan anti-virus software before running some unknown programs. Do not run it rashly. After all, security software is not omnipotent, and it may be difficult to prevent it. If the dll contains virus code, the security software can scan and kill the dll. In general, the virus-free killer methods are endless, so security vendors have to continue this "cat and mouse" game.