I. Introduction
With the continuous development of computer networks, hacker techniques have become a technical force that cannot be ignored. Although most hackers' targets are servers, so that the direct harm to ordinary internet users is not great, there is a kind of hacker program called a "Trojan horse" that tricks an ordinary network client into installing the Trojan's server component; from then on the user's computer has a back door whenever it is online, and through this back door the hacker can monitor and damage the infected computer. Obviously such hacker software poses a very serious threat to ordinary network users.
Such hacker software is still an application program; in essence it is a socket-based network communication program. Therefore a necessary precondition for a hacker to successfully attack an infected computer is that the Trojan's server component is already running on the victim's machine. Since the Trojan is a malicious program, it clearly has to open the back door without the victim noticing. So it obviously cannot show itself in the taskbar and the task list the way other programs do, otherwise it would be noticed and closed by the user immediately and would be of no use to the attacker. This article discusses the mechanism by which such programs hide themselves.
II. How the program hides itself in the taskbar
Hiding the program from the taskbar is relatively simple. First the program's main window must be hidden, which is generally done by changing the SW_SHOW parameter of the ShowWindow() call in the application class's InitInstance() function to SW_HIDE. Once the main window is hidden, its taskbar button disappears as well, but the button still flashes briefly when the program starts, so the program's extended window style must also be modified. One method is the SDK style: call GetWindowLong() to get the current extended style, remove the original WS_EX_APPWINDOW attribute with a logical operation, and add the WS_EX_TOOLWINDOW attribute, so that the system treats the window as a tool window and does not display it in the taskbar. Finally the modified extended style is written back with SetWindowLong(). The declarations of these two functions are as follows:
LONG GetWindowLong(HWND hWnd, int nIndex);
LONG SetWindowLong(HWND hWnd, int nIndex, LONG dwNewLong);
Another, simpler approach is the MFC style: in the framework's PreCreateWindow() function, change the window properties by applying logical operations directly to the CREATESTRUCT object:
cs.style = WS_POPUP;
cs.dwExStyle |= WS_EX_TOOLWINDOW;
Although the two approaches look different, they are essentially the same.
III. How the program hides itself in the task list
The task list (the dialog box shown when Ctrl+Alt+Del is pressed) displays the applications the current system is running. If only the previous step is implemented, the program cannot be seen in the taskbar, but an experienced user can still find suspicious applications in the task list and close them there. So most hacker software also hides itself from the task list by more complicated means, greatly reducing the chance of being discovered.
Under Win9x, an application calls the API (Application Programming Interface) function RegisterServiceProcess() to register itself with the system as a service process, and the same function is used to unregister a service process. If a process is registered as a service process, its title is not shown in the task list reached via Ctrl+Alt+Del; a process that is running but has not registered itself as a service process is displayed there as usual. Hacker software uses exactly this principle to hide itself from the task list at runtime. The function lives in the system kernel library kernel32.dll and is declared as follows:
DWORD RegisterServiceProcess(DWORD dwProcessId, DWORD dwType);
The first parameter specifies the process identifier of the process to be registered as a service process. Hacker software usually loads this function from the kernel32.dll dynamic link library when the program starts and initializes, and then uses it to hide the program from the task list:
// Load RegisterServiceProcess() from kernel32.dll
typedef DWORD (WINAPI *RSP)(DWORD dwProcessId, DWORD dwType);
HMODULE m_hKernel = ::GetModuleHandle("kernel32.dll");
RSP m_rsp = (RSP)::GetProcAddress(m_hKernel, "RegisterServiceProcess");
m_rsp(::GetCurrentProcessId(), 1); // hidden; when the second parameter is 0 the process is shown again
In addition, some hacker software starts a new thread and uses the ShowWindowAsync() function to display a new window. The prototype of this function is:
BOOL ShowWindowAsync(HWND hWnd, int nCmdShow);
Hacker software exploits the second parameter of this function, which sets the display state of the window: when it is set to SW_HIDE, the target window (the hacker software's own) is hidden from the task list.
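The detection counterpart of the two hiding tricks above (sections II and III), as an added example that is not code from the original article: it applies the taskbar's own display rule to top-level window records of the kind EnumWindows()/GetWindowLong() report (here constructed inline, with the real WS_EX_* bit values) to find processes that own windows yet show no taskbar button, and compares a process snapshot against the Ctrl+Alt+Del list to find processes that registered themselves away. The function names, pids and sample records are assumptions of this example.

```c
#include <stdio.h>
#include <stdint.h>
/* Real winuser.h bit values for the styles the article discusses. */
#define WS_VISIBLE        0x10000000UL
#define WS_EX_TOOLWINDOW  0x00000080UL
#define WS_EX_APPWINDOW   0x00040000UL
/* One top-level window as EnumWindows()/GetWindowLong()/GetWindow(GW_OWNER) would report it. */
typedef struct { uint32_t pid; unsigned long style, ex_style; int has_owner; } WindowRec;
/* Taskbar rule: a button appears only for a visible, non-tool window that is unowned or WS_EX_APPWINDOW. */
int shows_in_taskbar(const WindowRec *w)
{
    if (!(w->style & WS_VISIBLE) || (w->ex_style & WS_EX_TOOLWINDOW)) return 0;
    return !w->has_owner || (w->ex_style & WS_EX_APPWINDOW) != 0;
}
/* Owns top-level windows but none with a taskbar button: the footprint of the
   SW_HIDE and WS_EX_TOOLWINDOW tricks. Returns 1 when that holds for pid. */
int pid_has_hidden_windows(const WindowRec *wins, int n, uint32_t pid)
{
    int owns = 0, visible = 0;
    for (int i = 0; i < n; i++) {
        if (wins[i].pid != pid) continue;
        owns = 1;
        if (shows_in_taskbar(&wins[i])) visible = 1;
    }
    return owns && !visible;
}
/* In the process snapshot but not in the Ctrl+Alt+Del list: what
   RegisterServiceProcess(pid, 1) leaves behind on Win9x. */
int pid_missing_from_task_list(const uint32_t *tasklist, int n, uint32_t pid)
{
    for (int i = 0; i < n; i++)
        if (tasklist[i] == pid) return 0;
    return 1;
}
/* Constructed sample data standing in for the live enumeration. */
static const WindowRec SAMPLE[] = {
    { 100, WS_VISIBLE, 0, 0 },                 /* ordinary application window */
    { 200, 0, WS_EX_TOOLWINDOW, 0 },           /* SW_HIDE plus tool-window style */
    { 300, WS_VISIBLE, WS_EX_TOOLWINDOW, 0 },  /* visible, yet no taskbar button */
};
static const uint32_t SAMPLE_TASKLIST[] = { 100, 200 };  /* 300 hid itself */
int main(void)
{
    uint32_t pids[] = { 100, 200, 300 };
    for (int i = 0; i < 3; i++)
        printf("pid %u: hidden windows=%d, missing from task list=%d\n",
               (unsigned)pids[i], pid_has_hidden_windows(SAMPLE, 3, pids[i]),
               pid_missing_from_task_list(SAMPLE_TASKLIST, 2, pids[i]));
    return 0;
}
```

On a live Win9x system the records would be gathered with EnumWindows() and the task-list comparison made against a Toolhelp32 process snapshot; a process flagged by either check deserves a closer look.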
Summary: The above are some of the basic functions used by hacker programs under Win9x. On this basis, using the same implementation techniques, we can write some utilities of our own, such as background monitoring tools. And by analysing the hiding mechanism of hacker software, most users can take the necessary measures against such software and strengthen their precautions in order to prevent losses.