Unveiling how Trojan horses hide themselves under VC

Source: Internet
Author: User
Summary: This article analyzes the basic principles and several implementation methods by which hacker software hides its own program.

  Keywords: Hacker software, hidden programs, Visual C ++

  I. Introduction

Trojan horses once caused a great deal of fear on the Internet. Such hacker programs trick normal network clients into installing a Trojan server, so that the user's computer has a backdoor whenever it is online, and the hacker can use this backdoor to monitor and damage the infected computer at will. Clearly, this kind of hacker software is a serious threat to ordinary network users.

In essence, hacker software is still an ordinary application, a socket-based network communication program. Therefore, a necessary prerequisite for a hacker to attack an infected computer successfully is that the Trojan's server program is already running on the victim's machine. Because a Trojan is a malicious program, it must be started and run quietly, without being noticed by the user, in order to open a backdoor for the attacker; it obviously cannot show itself in the taskbar and task list as other programs do, otherwise the user would spot it and close it immediately, and it would no longer serve as a backdoor. In this article, we discuss the mechanisms by which such programs hide.

  II. How programs hide in the taskbar

Hiding a program in the taskbar is relatively simple. First, you must make sure the program's main window is hidden. Generally, this is done by changing the SW_SHOW parameter of the ShowWindow() call in the application class's initialization function InitInstance() to SW_HIDE. Although the taskbar button disappears once the main window is hidden, it will still flash briefly when the program starts. Therefore, you also need to modify the window's extended style. One way is with plain SDK calls: use GetWindowLong() to obtain the current extended style, remove the original WS_EX_APPWINDOW bit with a logical operation, and add the WS_EX_TOOLWINDOW bit; the system then treats the window as a tool window and does not show it in the taskbar. Finally, write the modified extended style back with SetWindowLong(). The two functions are declared as follows:

LONG GetWindowLong(HWND hWnd, int nIndex);
LONG SetWindowLong(HWND hWnd, int nIndex, LONG dwNewLong);
Another simple method uses MFC: in the frame class's PreCreateWindow() function, the window's styles are changed by operating directly on the CREATESTRUCT object:

cs.style = WS_POPUP;
cs.dwExStyle |= WS_EX_TOOLWINDOW;
Although the two approaches differ in form, they are essentially the same.
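The taskbar rule this section relies on can be turned into an audit check. The following is an added example, not code from the original article: it encodes the shell's documented rule (WS_EX_APPWINDOW forces a button, WS_EX_TOOLWINDOW suppresses it, owned and hidden windows get none) and, on Windows, lists unowned tool windows with their process IDs as a triage list. The style-bit values are the documented Win32 constants, duplicated locally so the classification compiles on any platform.

```c
/* Added audit helper (not from the original article). The constants are the
 * documented Win32 values for WS_EX_TOOLWINDOW, WS_EX_APPWINDOW and WS_VISIBLE,
 * copied here so the classification compiles and can be checked anywhere. */
#include <stdio.h>

#define EX_TOOLWINDOW 0x00000080UL
#define EX_APPWINDOW  0x00040000UL
#define ST_VISIBLE    0x10000000UL

/* 1 if the shell would give a window with these attributes a taskbar button. */
int taskbar_button(unsigned long style, unsigned long exstyle, int owned)
{
    if (!(style & ST_VISIBLE)) return 0;   /* never for hidden windows        */
    if (exstyle & EX_APPWINDOW) return 1;  /* explicit request wins           */
    if (exstyle & EX_TOOLWINDOW) return 0; /* the trick from section II       */
    return owned ? 0 : 1;                  /* plain unowned top-level: button */
}

/* Triage heuristic: an unowned top-level window that relies on WS_EX_TOOLWINDOW
 * alone to stay off the taskbar. Legitimate tool windows (palettes, toolbars)
 * are almost always owned by a main window, so unowned ones deserve a look. */
int unowned_toolwindow(unsigned long exstyle, int owned)
{
    return !owned && (exstyle & EX_TOOLWINDOW) && !(exstyle & EX_APPWINDOW);
}

#ifdef _WIN32
#include <windows.h>
static BOOL CALLBACK audit(HWND h, LPARAM unused)
{
    unsigned long ex = (unsigned long)GetWindowLongPtr(h, GWL_EXSTYLE);
    unsigned long st = (unsigned long)GetWindowLongPtr(h, GWL_STYLE);
    int owned = GetWindow(h, GW_OWNER) != NULL;
    DWORD pid = 0;
    (void)unused;
    if (unowned_toolwindow(ex, owned)) {
        GetWindowThreadProcessId(h, &pid);
        printf("hwnd=%p pid=%lu visible=%d taskbar=%d\n", (void *)h,
               (unsigned long)pid, (st & ST_VISIBLE) != 0, taskbar_button(st, ex, owned));
    }
    return TRUE;
}
int main(void) { return EnumWindows(audit, 0) ? 0 : 1; }
#else
int main(void) { puts("window enumeration is Windows-only; helpers compile everywhere"); return 0; }
#endif
```

Each reported hwnd/pid pair can then be compared against the process list to see which program owns the window.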

  III. How programs hide in the task list

The task list (the dialog box that pops up when you press CTRL + ALT + DEL) shows the applications currently running in the system. Even after the previous step, when the program can no longer be seen in the taskbar, an experienced user can still look through the task list, find a suspicious application and end it there. Therefore, most hacker software uses more elaborate means to hide itself from the task list, greatly reducing its chances of being discovered.

In Win9x/2000, an application registers itself with the system as a service process through the API function RegisterServiceProcess(); the same function is also used to unregister a service process. Once a process is registered as a service process, its title no longer appears in the task list when you press CTRL + ALT + DEL; a running process that has not registered itself as a service process is displayed normally. Hacker software uses this behaviour to hide itself from the task list while it runs. The function lives in the system kernel library kernel32.dll and is declared as follows:

DWORD RegisterServiceProcess(DWORD dwProcessId, DWORD dwType);
The first parameter is the process ID of the process to register as a service process; if it is 0, the current process is used. The second parameter indicates whether to register or unregister the process, with the values RSP_SIMPLE_SERVICE and RSP_UNREGISTER_SERVICE. Generally, during its start-up initialization, the hacker software first loads RegisterServiceProcess() from the kernel32.dll dynamic link library into memory, and then uses it to hide the program from the task list:

// Load RegisterServiceProcess() from kernel32.dll
typedef DWORD (WINAPI *RSP)(DWORD dwProcessId, DWORD dwType);
HMODULE m_hKernel = ::GetModuleHandle("kernel32.dll");
RSP m_rsp = (RSP)::GetProcAddress(m_hKernel, "RegisterServiceProcess");
m_rsp(::GetCurrentProcessId(), 1); // 1 (RSP_SIMPLE_SERVICE) hides the process; 0 (RSP_UNREGISTER_SERVICE) shows it again
In addition, some hacker software starts a new thread through the ShowWindowAsync() function to display a new window. The prototype of this function is:

BOOL ShowWindowAsync(HWND hWnd, int nCmdShow);
The loophole that hacker software exploits is the function's second parameter, which sets the show state of the window: when it is set to SW_HIDE, the target window (the hacker software's window) is hidden from the task list.

  IV. Summary

The above are some of the basic functions used by hacker programs on Win9x/2000. Building on them, and borrowing their implementation techniques, we can write utilities of our own, such as background monitoring tools. More importantly, by analyzing the hiding mechanisms of hacker software, ordinary users can take the necessary precautions against this kind of software and strengthen their defences to avoid losses.

Reprinted: http://dev.yesky.com/469/2015469.shtml
