[Reprinted] A brief study of the 3721 resident mechanism
Quafful @ 水木清华
A brief look at how 3721 works, written up here as an experience note. Most of the findings come from
disassembly under SoftICE and may not apply to every version.
1. CNSMIN.DLL residency
The core file of 3721 is cnsmin.dll.
It is usually found under
It is loaded through a registry Run key value that invokes Rundll32.
cnsmin.dll exports a function named Rundll32 for Rundll32.exe to call,
but this function merely calls the real resident function, Rundll32main().
Rundll32main() pseudo-code:

    void Rundll32main()
    {
        // Single-instance check: a second copy exits immediately
        hMutex = CreateMutex(NULL, FALSE, "cnsminmutex");
        if (GetLastError() == ERROR_ALREADY_EXISTS)
        {
            CloseHandle(hMutex);
            exit(0);
        }
        if (IsWindowsNT()) {
            SetProcessSecurityInfo();
        }
        else {
            // Win9x: register itself as a service process
            RegisterProcessAsService();
        }
        CheckVersion();
        // cnsminkp.sys / .vxd kernel driver: keeps 3721's key files and registry keys from being deleted
        ContactWithCnsminkpDriver();
        // Global hooks, responsible for injecting cnsmin.dll into other processes' address space
        InstallCbtHook();
        InstallCallWndProcHook();
        // cnsminio.dll is responsible for the prompt shown below the IE address bar
        InitCnsminio();
        // Some registry information
        InitRegistry();
        // Guard timer: keeps the cnsmin.dll hooks from being unhooked or pre-empted by other hooks
        InstallGuardTimer();
        CreateMsgWindow();
        // Message loop
        while (GetMessage(&msg, NULL, 0, 0))
        {
            TranslateMessage(&msg);
            DispatchMessage(&msg);
        }
    }
CNSMIN mainly injects itself into the IE process space through the two global hooks WH_CBT and WH_CALLWNDPROC.
Once inside IE, it installs WH_KEYBOARD and WH_DEBUG hooks. The one 3721 actually uses to implement
"real-name conversion" is WH_KEYBOARD, which is a local (thread) hook.
To make sure its hooks always have the highest priority, CNSMIN uses a timer function to reinstall them repeatedly, which inevitably
degrades system performance.
I tried installing a WH_DEBUG hook to block the calls to 3721's hooks; it does work and makes 3721
ineffective immediately. However, with this method 3721 still resides in the IE process, so it treats the symptom rather than the cause.
Forcibly terminating the Rundll32 process temporarily unloads 3721's resident code. But cnsmin.dll is registered as a COM
component in IE, so when IE is restarted, the process is started again.
2. 3721's anti-deletion measures
File system driver: cnsminkp*.sys, with different versions for NT / 2000 / XP (on Windows 98 and below it is cnsminkp.vxd).
It is usually present in the
The driver is loaded by Windows.
The driver filters file and registry deletions. When you try to delete 3721's key files or registry keys, it returns success, so Windows believes the deletion succeeded, but the files and registry keys are actually still there.
The driver also carries a blacklist (stored in an external file) that prevents Windows from loading the plugin files of
3721's competitors.
There is currently no way to stop the driver.
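As an added example (not code from the original post), the check a cleanup tool needs when a filter driver fakes successful deletions as described above: never trust the return value of a delete call alone, re-check that the path is really gone. The "lying" delete function is a constructed stand-in for the driver's behaviour, and the scratch file name is made up.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>

/* Outcome of a verified deletion attempt. */
typedef enum {
    DEL_OK = 0,      /* delete reported success and the file is really gone   */
    DEL_FAILED = 1,  /* delete reported failure                                */
    DEL_LIED = 2     /* delete reported success but the file is still present  */
} del_result_t;

/* Deletion primitive, injectable so the "lying driver" case can be exercised.
 * Returns 0 on reported success, like remove()/DeleteFile semantics. */
typedef int (*delete_fn_t)(const char *path);

static int file_exists(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0;
}

/* Core check: a successful return code is only believed if the path is gone. */
del_result_t verified_delete(const char *path, delete_fn_t del)
{
    if (del(path) != 0)
        return DEL_FAILED;
    return file_exists(path) ? DEL_LIED : DEL_OK;
}

/* Real deletion through the C library (DeleteFile on Windows, unlink on POSIX). */
int real_delete(const char *path) { return remove(path); }

/* Constructed stand-in for a filter driver that swallows the delete and reports
 * success without removing anything, which is what the page describes for cnsminkp.sys. */
int lying_delete(const char *path) { (void)path; return 0; }

/* Create a scratch file to run the check against; returns 0 on success. */
int make_scratch_file(const char *path)
{
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs("scratch\n", f);
    return fclose(f);
}

int main(void)
{
    const char *p = "scratch_cnsmin_check.tmp";  /* constructed file name */
    make_scratch_file(p);
    printf("lying driver: %d\n", verified_delete(p, lying_delete)); /* 2 = DEL_LIED */
    printf("real delete:  %d\n", verified_delete(p, real_delete));  /* 0 = DEL_OK   */
    return 0;
}
```

The same re-check applies to registry keys: after RegDeleteKey reports success, reopen the key and treat "still opens" as a sign that something is intercepting deletions.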
Deletion method: delete the cnsminkp*.sys file before Windows starts (for example, from DOS).
Note: 3721 has self-recovery capabilities. After some key files are deleted, other modules will try to re-download them from the
3721 website. Therefore, disconnect from the network before removing it completely.
3. Deletion steps for the current version:
a) Run the uninstall program that 3721 itself provides. Most of the files can be deleted this way.
b) Boot into DOS and delete the residual files, such as cnsmin.dll, cnsminkp*.*, etc.
Possible directories: the Downloaded Program Files directory, the Program Files\3721 directory, the Drivers directory
c) Start Windows. When it reaches the desktop, Windows will report errors about modules that cannot be found; ignore them and delete
the 3721 values in the registry.
Namely: HKEY_CURRENT_USER: Software\3721
HKEY_LOCAL_MACHINE: Windows\CurrentVersion\Run
System\CurrentControlSet
In addition, some entries are scattered and hidden; search for them by keyword.