Various Trojan hiding technologies

Source: Internet
Author: User

Disclaimer: This article only outlines various Trojan hiding techniques. No specific production method is given.

In the past, I thought that as long as I did not casually run files sent to me by other users online, I would never get a virus or a Trojan; then came worms like Blaster and Sasser, which spread by exploiting vulnerabilities. I also once thought that web page Trojans would only turn up on small websites, but many large websites, including a well-known game website in China, were hacked and had Trojans planted on their home pages. Since then I have known that security is never absolute.
Although there is no absolute security, if you know yourself and know the Trojan's hiding techniques, you can discover the Trojan in time and minimize the loss even if you cannot defeat it. So how does a Trojan hide in our system?

Basic hiding: invisible forms + hidden files

No matter how mysterious a Trojan is, it is still a program on the Win32 platform. There are two common kinds of program in Windows:

1. Win32 applications, such as QQ and Office.

2. Win32 console programs, such as the hard disk boot repair tool fixmbr.

Win32 applications usually have a user interface; for example, the system "Calculator" presents a window with digit buttons. Although a Trojan is also a Win32 application, it usually has no window or hides its window (there are exceptions, such as the window the Trojan operator uses to chat with the victim). The Trojan file's attribute can also be set to "Hidden". These are the most basic hiding methods, and a user with a little experience only needs to open "Task Manager", or check "Show all files" in "Folder Options", to find the Trojan easily. Hence the process-hiding techniques described below.

First-generation process hiding technology: Windows 98 Backdoor

In Windows 98, Microsoft provided a way to register a process as a service process. Although Microsoft never documented it (the mechanism was dropped in later Windows versions), some experts discovered the secret: the RegisterServiceProcess function. With it, any program can register its own process as a service process, and service processes do not appear in the Windows 98 Task Manager, so Trojans slipped through this loophole.

To deal with a Trojan hidden this way, you only need a third-party process management tool to find it. A Trojan using this technique is also visible in Windows 2000/XP, because those systems do not support this hiding method; stop the process and delete the Trojan file. The second generation of process-hiding technology, however, is not so easy to handle.

Second-generation process hiding technology: Process insertion

In Windows, each process has its own private memory address space. When a pointer (a memory access mechanism) is used to access memory, a process cannot reach the address space of another process, just as you cannot walk into your neighbor's house for dinner without the neighbor's consent. For example, if QQ stores image data in memory, MSN cannot directly read that image data. This also ensures program stability: if your process has a bug and overwrites memory at a random address, the error does not affect memory used by another process.

Do you know what a process is?

For an application, a process is like a large container. When an application runs, it is placed into the container, and other things can be added to the container as well (for example, variable data and the DLL files the application references while running). When the application is run a second time, nothing is dumped from the first container; the system finds a new process container for the second instance.

A process can contain several threads, which let an application do several things at once (for example, one thread writes a file to disk while another receives the user's key presses and responds promptly, without interfering with each other). After a program starts, the first thing the system does is create a default thread for the program's process; the program can then add or remove threads as needed.

1. What is process insertion?

Independent address spaces benefit both programmers and users. For programmers, the system catches stray memory reads and writes more easily. For users, the operating system is more robust because one application cannot disrupt the operation of another process or of the operating system itself. This robustness has a cost: writing applications that communicate with or operate on other processes becomes much harder. Still, there are many ways to cross process boundaries and access another process's address space; collectively they are called process injection. Once a Trojan DLL is inserted into another process's address space, it can do whatever it wants with that process, such as stealing the QQ password as described below.

2. How Trojans steal QQ passwords

Normally, the keyboard and mouse input received by one application is not available to other applications. How, then, can a Trojan secretly record my password? It first inserts a DLL into the QQ process, where it runs as a thread of that process; the Trojan DLL has thus become part of QQ. Then, when the user enters the password, the Trojan DLL, already inside the QQ process, receives the password the user passes to QQ. Truly "a thief inside the house is hard to guard against"!
(Figure: 06zcxtrojan0a.tif)

3. How to insert a process

(1) Use the Registry to insert DLL

Early process-injecting Trojans inserted themselves by modifying the registry value [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs]. The disadvantage is that it is not immediate: after the registry is modified, a restart is needed before the process injection takes effect.

(2) Use hook to insert a DLL

A relatively advanced and stealthy method uses the system hook mechanism ("Hook", similar to the "interrupt" of the DOS era) by calling the SetWindowsHookEx function (also a Win32 API function). The disadvantage is the high technical threshold and difficult debugging; the Trojan author must have a considerable level of Win32 programming skill.

You know -- What is an API?

The interfaces through which Windows provides its various functions are called Win32 APIs (Application Programming Interfaces). For example, when a program needs to read or write a file on disk, it first sends a call request to the corresponding API (the file-related APIs must be called to read or write files). The API then carries out the request based on the parameters the program supplied when calling it (for example, the name and path of the file to be read or written) and finally returns the result (for example, that the file was written successfully or that reading failed) to the program. See Figure 3 for the relationship between the application, the Win32 API, and the system.

Figure 3: Relationship between the application, the Win32 API, and the system

(3) Use the remote thread function (CreateRemoteThread) to insert a DLL

This "remote thread" mechanism is provided in Windows 2000 and later. A single system API function creates a thread in another process (and so inserts the DLL). The disadvantage is obvious: only Windows 2000 and above are supported, and many users in China are still on Windows 98, so Trojans using this injection method lack platform versatility.

After a Trojan inserts itself as a DLL into another process's address space, it cannot be traced by viewing the process list; all you see are the processes of normal programs, yet the Trojan has secretly penetrated one of them. The remedy is to use a process management tool that supports a "process module view" (for example, the process viewer in "Windows Optimization Master"), in which the Trojan's DLL module is displayed.
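The two traces that the injection methods above leave behind, the AppInit_DLLs registry value and an unexpected module in a process's module view, can be checked from PowerShell. This is an added example, not code from the original article; it assumes PowerShell 3.0 or later and uses "notepad" as a stand-in for the process you want to inspect.

```powershell
# Added example (not from the original article): surface the traces that
# registry-based and thread-based DLL injection leave on a Windows host.
# Assumes PowerShell 3.0+; $Target is an assumed process name to inspect.

# 1. Registry-based injection: every DLL listed in AppInit_DLLs is loaded into
#    every process that links user32.dll. On a clean system the value is empty.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$appInit = (Get-ItemProperty -Path $key -Name 'AppInit_DLLs' -ErrorAction SilentlyContinue).AppInit_DLLs
if ([string]::IsNullOrWhiteSpace($appInit)) {
    Write-Output 'AppInit_DLLs is empty (expected).'
} else {
    Write-Warning "AppInit_DLLs is set: $appInit"
}

# 2. Module view: list every DLL loaded in the target process and flag any that
#    lives outside the Windows directory and the process's own directory.
$Target = 'notepad'   # assumption: name of the process to inspect
$windir = $env:windir
foreach ($proc in Get-Process -Name $Target -ErrorAction SilentlyContinue) {
    try {
        $ownDir = Split-Path -Parent $proc.MainModule.FileName
        foreach ($m in $proc.Modules) {
            $p = $m.FileName
            $trusted = $p.StartsWith($windir, 'OrdinalIgnoreCase') -or
                       $p.StartsWith($ownDir, 'OrdinalIgnoreCase')
            if (-not $trusted) {
                Write-Warning ("PID {0}: unexpected module {1}" -f $proc.Id, $p)
            }
        }
    } catch {
        # Reading modules of a protected or different-bitness process fails.
        Write-Warning ("PID {0}: cannot read module list ({1})" -f $proc.Id, $_.Exception.Message)
    }
}
```

A module flagged here is only a lead, not proof: check its publisher signature and file hash before treating it as the Trojan's DLL.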

Do not trust your own eyes: the process that "evaporates"

Strictly speaking this is generation 2.5 of process-hiding technology, but it is far more frightening than the earlier techniques. Rather than inserting itself into another process, the Trojan simply disappears.

Using hook technology, it monitors every program's calls to the process-enumeration APIs. "Task Manager" can display all processes in the system because it calls EnumProcesses and other process-related API functions; the process information is contained in what the function returns, and the calling program receives and processes that result (Task Manager, for example, displays it in its process list).

The Trojan hooks this API function in advance, so when "Task Manager" (or any other program that lists processes) calls EnumProcesses, the hooked API acts as an "insider": the Trojan is notified, and before the function returns its result (the list of all processes) to the program, the Trojan's own entry has already been erased from it. It is like watching a TV programme while someone has secretly connected the TV to a DVD player: you are being deceived without knowing it.

So whether it is "Task Manager" or anti-virus software, trying to detect the Trojan's process is futile. At present there is no very effective way to detect and remove such a Trojan; only before it runs can anti-virus software detect the Trojan file and prevent it from running. There was also a technique in which the Trojan removed its own entry from the "process linked list" Windows uses to record process information, so that process management tools could not obtain the Trojan's process information from the list; it was not widely used because of poor platform versatility and problems at run time.
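One practical cross-view check for a process erased from enumeration results, as an added example that is not part of the original article: take one process list inside this PowerShell session and a second one from the WMI service, which runs in its own process, and compare them. It assumes PowerShell 3.0 or later and that the two snapshots are taken close together in time.

```powershell
# Added example (not from the original article): cross-view detection of a
# process hidden by hooking enumeration APIs inside the viewing program.
# View A is taken in this PowerShell process; view B comes from the WMI
# provider, a separate process that a hook in this one cannot touch.
# Assumes PowerShell 3.0+ and snapshots taken within a short interval.

function Get-CrossViewDifference {
    $viewA = Get-Process | ForEach-Object { [int]$_.Id }
    $viewB = Get-CimInstance -ClassName Win32_Process | ForEach-Object { [int]$_.ProcessId }

    # PIDs only in view B are candidates for processes hidden from local enumeration.
    $hiddenCandidates = $viewB | Where-Object { $viewA -notcontains $_ }
    # PIDs only in view A are usually processes that exited between the snapshots.
    $exitedCandidates = $viewA | Where-Object { $viewB -notcontains $_ }

    [pscustomobject]@{
        OnlyInWmiView   = @($hiddenCandidates)
        OnlyInLocalView = @($exitedCandidates)
    }
}

$diff = Get-CrossViewDifference
foreach ($candidate in $diff.OnlyInWmiView) {
    $p = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $candidate"
    if ($p) {
        Write-Warning ("PID {0} ({1}) is visible to WMI but not to Get-Process" -f $candidate, $p.Name)
    }
}
if ($diff.OnlyInWmiView.Count -eq 0) {
    Write-Output 'No discrepancy between the two process views.'
}
```

Any PID reported only in the WMI view deserves a closer look with a module view. A hook installed system-wide, including in the WMI provider process, defeats this comparison, which is why blocking the file before it runs remains the primary defence.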

You know -- What is a hook?

A hook is a mechanism Windows provides to replace the "interrupt" of DOS; its Chinese name is a direct translation of "hook". Once a hook is installed on a specific system event (including calls to a specific API function, as in the preceding section), the program that installed it (such as a Trojan) is notified by the system whenever the event occurs, and can respond to it immediately (the Trojan modifies the result before the function returns).

No trace: comprehensive three-dimensional hiding

With the hook-based process hiding just introduced, a Trojan can just as easily hide files: it only needs to apply the same hook technique to the file-related API functions, so that neither Explorer nor anti-virus software can find where the Trojan file is. Even more remarkable, some Trojans (such as Gray Pigeon) use this technique to hide both files and processes. The best defence against such Trojans is anti-virus software that intercepts them before they run.

Versus anti-virus software: shells that fight back

Trojans are tricky, but once anti-virus software has a signature for one, it is intercepted before it runs. To survive, many Trojans are packed with a shell, which is like dressing the Trojan in a new outfit so that the anti-virus software no longer recognises it. Some anti-virus software, however, tries to strip common shells before scanning ("don't think I won't recognise you in a disguise"). Beyond this passive hiding, a shell was recently found that actively fights anti-virus software: once a Trojan packed with it runs, the shell gains control first, damages the anti-virus software installed on the system by various means, and only after confirming that it is safe (the anti-virus protection has been disabled) does it release and execute the Trojan body wrapped inside its own "body". The way to deal with such Trojans is to protect the system with anti-virus software that has unpacking capability.

You know -- What is a shell?

As the name suggests, a shell is a wrapper around a file (such as an .exe). When the file runs, the shell gains control first, then releases and runs the wrapped file body. Many shells encrypt the wrapped body to defeat anti-virus scanning. For example, suppose anti-virus software defines a Trojan's signature as "12345" and treats any file containing that pattern as the Trojan; a shell with encryption transforms the body so that the original "12345" becomes "54321", and the anti-virus software can no longer detect the file by its signature. Unpacking means removing the shell and restoring the file to its state before it was packed.
