With the growth of computer networks, hacker techniques have become a technical force that cannot be ignored. Since most hackers target servers, the direct harm to ordinary Internet users is small. But one class of malicious program, the "Trojan horse", is installed on ordinary users' machines by deception and similar means as a Trojan server, leaving a backdoor on the user's computer while it is online; through that backdoor the hacker can monitor or damage the infected machine at will. Clearly the harm this kind of hacker software does to ordinary network users is serious.
This kind of hacker software is still an application; in essence it is a network communication program built on sockets. So a necessary precondition for a hacker to attack an infected computer is that the Trojan's server program is running on it at that moment. Because a Trojan is a malicious program, it has to start quietly, without the user noticing, and open a backdoor for the attacker; it obviously cannot show itself in the taskbar and task list the way other programs do, or the user would notice it at once and close it, and it would no longer serve as a backdoor. This article discusses the hiding mechanism of such programs.
Second, how a program hides from the taskbar
Hiding from the taskbar is relatively simple. First the program's main window must be hidden, usually by changing the SW_SHOW parameter of the ShowWindow() call in the application class's initialization function InitInstance() to SW_HIDE. Once the main window is hidden it disappears from the taskbar too, but it still flashes briefly when the program starts, so the program's extended window style also has to be modified. One way is the SDK approach: use GetWindowLong() to read the current extended style, clear the original WS_EX_APPWINDOW bit with a logical operation and add the WS_EX_TOOLWINDOW bit. The system then treats the window as a tool window and does not show it in the taskbar. Finally the modified extended style is written back with SetWindowLong(). The two functions are declared as follows:
LONG GetWindowLong(HWND hWnd,int nIndex);
LONG SetWindowLong(HWND hWnd,int nIndex,LONG dwNewLong);
Another very simple way is the MFC approach: in the frame window class's PreCreateWindow() function, change the program's style attributes directly with logical operations on the CREATESTRUCT object cs:
cs.style = WS_POPUP;
cs.dwExStyle |= WS_EX_TOOLWINDOW;
Although the two approaches look different, they are essentially the same.
Third, how a program hides from the task list
The task list (the dialog that Ctrl+Alt+Del pops up) shows some of the applications running on the current system. Even if a program is not visible in the taskbar, an experienced user can inspect the task list, spot a suspicious application and close it. So most hacker software also uses more sophisticated means to hide itself from the task list, which greatly reduces the chance of being discovered.
Under Win9x, an application normally registers itself as a service process through the API (application programming interface) function RegisterServiceProcess(), and ends its service process by unregistering it through the same function. If a process is registered as a service process, its title is not shown in the task list opened with Ctrl+Alt+Del; if a process is running but has not registered with the system as a service process, it is shown in the task list. It is exactly this principle that hacker software uses to hide itself from the task list at run time. The function lives in the system kernel library Kernel32.dll and is declared as follows:
DWORD RegisterServiceProcess(DWORD dwProcessId, DWORD dwType);
The first parameter specifies the process ID of the process to be registered as a service process; 0 registers the current process. The second parameter indicates whether the process is being registered or unregistered, with the values RSP_SIMPLE_SERVICE and RSP_UNREGISTER_SERVICE. Hacker software typically loads RegisterServiceProcess() into memory from the Kernel32.dll dynamic link library while the program initializes, then hides itself from the task list by calling it:
// Load RegisterServiceProcess() from Kernel32.dll (it is not in the import libraries, so it is fetched by name)
typedef DWORD (WINAPI *RSP)(DWORD dwProcessId, DWORD dwType);
HMODULE m_hKernel = ::GetModuleHandle("Kernel32.DLL");
RSP m_rsp = (RSP)::GetProcAddress(m_hKernel, "RegisterServiceProcess");
if (m_rsp)
    m_rsp(::GetCurrentProcessId(), 1); // 1 (RSP_SIMPLE_SERVICE) hides the process; 0 makes it visible again
In addition, some hacker software uses the ShowWindowAsync() function to start a new thread that displays a new window. The prototype of the function is:
BOOL ShowWindowAsync(HWND hWnd, int nCmdShow);
Hacker software exploits exactly this loophole: the second parameter sets the window's show state, and when it is SW_HIDE the target window (the hacker program's) disappears from the task list.
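The following audit program is an added example; it is not code from the original article. It turns the two hiding rules above (the tool-window style from the taskbar section and the service-process registration from the task-list section) into checks a defender can run. The classifier taskbar_button_expected() assumes the documented Win32 taskbar rule (a top-level window gets a button when it is visible, unowned, and either has WS_EX_APPWINDOW or lacks WS_EX_TOOLWINDOW); uses_toolwindow_trick() flags the exact style combination the article shows. On Windows it also walks every top-level window with EnumWindows() and every process in a Toolhelp32 snapshot, which is built independently of the Close Program dialog, so a process that registered itself as a service process is still listed. Off Windows only the classifier compiles, with the style bit values supplied inline.

```c
/* Added audit example, not part of the original article. */
#include <stdio.h>

#ifdef _WIN32
#include <windows.h>
#include <tlhelp32.h>
#else
/* Win32 style bit values, defined here so the classifier builds off Windows. */
#define WS_POPUP         0x80000000UL
#define WS_VISIBLE       0x10000000UL
#define WS_EX_TOOLWINDOW 0x00000080UL
#define WS_EX_APPWINDOW  0x00040000UL
#endif

/* Returns 1 when the shell is expected to give this top-level window a
 * taskbar button, 0 when the window stays off the taskbar. */
int taskbar_button_expected(unsigned long style, unsigned long exstyle, int has_owner)
{
    if (!(style & WS_VISIBLE)) return 0;       /* SW_HIDE: never gets a button */
    if (exstyle & WS_EX_APPWINDOW) return 1;   /* explicitly forced onto the taskbar */
    if (exstyle & WS_EX_TOOLWINDOW) return 0;  /* the tool-window trick from section 2 */
    if (has_owner) return 0;                   /* owned windows get no button of their own */
    return 1;
}

/* Returns 1 when the extended style matches the article's hiding technique:
 * WS_EX_TOOLWINDOW set without the honest WS_EX_APPWINDOW. */
int uses_toolwindow_trick(unsigned long exstyle)
{
    return (exstyle & WS_EX_TOOLWINDOW) != 0 && (exstyle & WS_EX_APPWINDOW) == 0;
}

#ifdef _WIN32
/* EnumWindows callback: report every top-level window using the trick,
 * together with the process that owns it. */
static BOOL CALLBACK report_window(HWND hwnd, LPARAM lparam)
{
    unsigned long style   = (unsigned long)GetWindowLongPtr(hwnd, GWL_STYLE);
    unsigned long exstyle = (unsigned long)GetWindowLongPtr(hwnd, GWL_EXSTYLE);
    int has_owner = GetWindow(hwnd, GW_OWNER) != NULL;
    DWORD pid = 0;
    char title[128] = "";
    (void)lparam;
    if (!uses_toolwindow_trick(exstyle)) return TRUE;
    GetWindowThreadProcessId(hwnd, &pid);
    GetWindowTextA(hwnd, title, sizeof title);
    printf("tool window off taskbar: pid=%lu visible=%d button=%d title=\"%s\"\n",
           (unsigned long)pid, (style & WS_VISIBLE) != 0,
           taskbar_button_expected(style, exstyle, has_owner), title);
    return TRUE;
}

/* Lists every process in a Toolhelp snapshot. Returns the count, or -1 on failure. */
static int list_processes(void)
{
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    PROCESSENTRY32 pe;
    int count = 0;
    if (snap == INVALID_HANDLE_VALUE) return -1;
    pe.dwSize = sizeof pe;
    if (Process32First(snap, &pe)) {
        do {
            printf("pid=%lu exe=%s\n", (unsigned long)pe.th32ProcessID, pe.szExeFile);
            count++;
        } while (Process32Next(snap, &pe));
    }
    CloseHandle(snap);
    return count;
}

int main(void)
{
    EnumWindows(report_window, 0);
    return list_processes() < 0;
}
#else
int main(void)
{
    /* Off Windows only the classifier runs; apply it to the article's MFC styles
     * (WS_POPUP without WS_VISIBLE, WS_EX_TOOLWINDOW) as a constructed input. */
    printf("hidden popup tool window gets a taskbar button: %d\n",
           taskbar_button_expected(WS_POPUP, WS_EX_TOOLWINDOW, 0));
    return 0;
}
#endif
```

The useful comparison is between the two listings: a process that appears in the Toolhelp snapshot but owns only tool windows (or no window at all) and is missing from the Close Program dialog is exactly the profile the article describes, and is worth examining before anything else.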
Summary: the above are some basic functions of hacker programs under Win9x; on this basis we can borrow their implementation techniques to write utilities such as background monitors. And analysing the hiding mechanisms of hacker software lets ordinary users take the necessary measures against this kind of hacker software, strengthening prevention and nipping their losses in the bud.