Http://www.e-works.net.cn/ewk2004/ewkarticles/509/Article14881.htm

Introduction

In recent years hacker attacks have been unceasing and pose a serious threat to network security. Trojan horses are one of the main attack methods: a Trojan enters the victim's host system so that the attacker can operate the target host remotely, and its destructive power is considerable. So far Trojans have gone through five generations. First-generation Trojans simply stole and transmitted passwords and had nothing special in the way of concealment or communication. The typical representative of the second generation is Ice River, which is started through file association and spread through e-mail, opening a new chapter in the history of Trojan technology. The third generation broke through in information transmission by using the ICMP protocol, which made detection and removal harder. The fourth generation achieved a major breakthrough in process hiding: it inserts itself into the kernel, injects a remote thread, embeds a DLL thread, or hooks PSAPI to hide the Trojan, and uses the reverse-connection (port bounce) technique to get past firewall restrictions; good concealment has been achieved under Windows NT/2000. The fifth generation is closely integrated with viruses: it exploits operating system vulnerabilities to infect a host directly, without having to trick the user into activating it, for example the recently appeared Trojan Nightmare II.

The key technologies of a Trojan

Trojans are based on the client/server (C/S) model. The server-side program runs on the controlled host and the client carries out the control functions. When designing a Trojan several key factors must be considered: first, deep concealment, so that both the running and the starting of the Trojan stay hidden; second, the communication between the client and the server side; and finally the other functions implemented as required.

I. Concealing the Trojan
There are two ways to hide a Trojan. One is the DLL Trojan, which makes the Trojan disappear from the process list although a process that hosts it still exists; the other is the thread-injection Trojan, which makes the program disappear completely, appearing in neither the process list nor the service list.

1. DLL Trojans

As long as the Trojan server side is registered as a service, the system does not treat it as a process and the program disappears from the task list; after pressing Ctrl+Alt+Delete it cannot be seen. This method first loads kernel32.dll, then determines the address of the RegisterServiceProcess() function in that DLL and calls it; but it only works on Windows 9x/ME, and under Windows NT/2000 the service can still be found through the Service Manager. Under Windows NT/2000 the API-interception technique can be used instead: a system-wide hook is installed in the background that intercepts the calls to PSAPI's EnumProcessModules and related functions used to enumerate processes and services, and simply skips the Trojan server's process when it is encountered, so the process is hidden. This method is widely used, not only for hiding processes but also in much interactive software; for example, Kingsoft PowerWord (Jinshan Ciba) uses a similar method, intercepting the TextOutA and TextOutW functions to capture screen output and provide instant translation. DLL files are the foundation of Windows: all API functions are implemented in DLLs. A DLL consists of several functions; its entry function is DllMain. A DLL cannot run on its own and is normally loaded and called by a process. Because a DLL cannot run independently it does not appear in the process list; only the process that loads it does.
The simplest way to run a DLL as a hidden process is Rundll32.exe, but that is also very easy to spot. The more advanced practice is the Trojan DLL: a Trojan DLL replaces a commonly used DLL file, forwards normal calls to the original DLL through function forwarders, and intercepts and handles specific messages itself. The Windows operating system has considerable protection against this, however. Under Windows 2000 the System32 directory contains a DLLCACHE directory that stores a large number of DLL files (and some important EXE files); once the operating system finds that a protected DLL file has been tampered with, the file is automatically restored from DLLCache. In addition, the Trojan DLL method itself has weaknesses (a repair installation, installing patches, upgrading the system, checking digital signatures and so on can all cause the Trojan DLL to stop working), so it is not the best choice for a DLL Trojan. Even so, there are still many ways to bypass DLL protection (such as changing the backup in the DLLCache directory as well as the DLL file itself, or changing the default load path of the DLL through the KnownDLLs key).

2. Thread-injection Trojans

A better way to hide is for the Trojan to exist in neither the process list nor the service list, but to dissolve completely into the system kernel. So in the design we do not make it an application but a thread that can be injected into the address space of an application. That host application must be absolutely safe (stable), so that complete concealment is achieved and detection and removal become harder. Thread-injection Trojans use dynamic embedding to embed their code into a running process. Each process in Windows has its own private memory space, and other processes are not supposed to operate on that private space; in fact, however, there are many ways to do so.
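Both hiding techniques of this section (filtering PSAPI process enumeration with a hook, and injecting a thread whose code was copied into another process) leave traces a defender can look for. The following Python is an added example, not code from the original article: it compares the PSAPI view of the process list with an independently obtained view, and lists threads whose start address lies in no loaded module of their process; the snapshot data, PIDs and addresses are constructed for illustration.

```python
import bisect

# Constructed snapshot (not from the original article): for each process, its loaded
# modules as (base, size) and its threads as (thread id, start address); invented values.
MODULES = {
    1208: {"explorer.exe": (0x01000000, 0x000F0000),
           "kernel32.dll": (0x77E40000, 0x000F8000),
           "psapi.dll":    (0x76BF0000, 0x0000B000)},
    1540: {"svchost.exe":  (0x01000000, 0x00006000),
           "kernel32.dll": (0x77E40000, 0x000F8000)},
}
THREADS = {
    1208: [(1212, 0x01001A40), (1300, 0x77E5F2D0), (1316, 0x00380010)],  # 1316: no module
    1540: [(1544, 0x01001000), (1550, 0x77E76C40)],
}
# Two views of the process list: what PSAPI process enumeration returned (a user-mode hook
# can filter this) and an independently obtained view, e.g. a kernel-side snapshot.
PSAPI_VIEW = {4, 1208, 1540}
KERNEL_VIEW = {4, 1208, 1540, 1888}


class ModuleMap:
    """Answers 'which loaded module contains this address?' for one process."""

    def __init__(self, modules):
        self.ranges = sorted((b, b + s, n) for n, (b, s) in modules.items())
        self.starts = [r[0] for r in self.ranges]

    def module_at(self, addr):
        i = bisect.bisect_right(self.starts, addr) - 1
        if i >= 0 and self.ranges[i][0] <= addr < self.ranges[i][1]:
            return self.ranges[i][2]
        return None


def threads_outside_modules(modules, threads):
    """Threads whose start address lies in no loaded module of their process, the trace
    left when a thread function was copied into the target and started remotely."""
    hits = []
    for pid, tlist in threads.items():
        mmap = ModuleMap(modules.get(pid, {}))
        hits += [(pid, tid, hex(a)) for tid, a in tlist if mmap.module_at(a) is None]
    return hits


def hidden_processes(user_view, kernel_view):
    """PIDs present in the independent view but filtered out of the PSAPI view."""
    return sorted(kernel_view - user_view)


if __name__ == "__main__":
    print("hidden from PSAPI:", hidden_processes(PSAPI_VIEW, KERNEL_VIEW))
    print("threads outside modules:", threads_outside_modules(MODULES, THREADS))
```

Software that generates code at run time also starts threads outside any module, so hits from the second check are leads to examine, not verdicts.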
Dynamic embedding techniques include window hooks, API hooks, remote threads and so on. The remote-thread technique is relatively simple; with basic knowledge of processes, threads and dynamic link libraries it can be implemented easily. The remote-thread technique means entering the memory address space of a process by creating a remote thread inside it. A remote thread is created with the CreateRemoteThread function; the thread created shares the address space of the remote process, so the caller gains entry to the memory address space of that process and stands on an equal footing with it, for example starting a DLL Trojan inside the remote process, or even tampering with its data. The key to the remote-thread technique is to copy the thread function's code and its parameters into the address space of the remote process; otherwise the remote thread fails with an error when it cannot find its parameters.

II. Self-starting of the Trojan

The ways in which the Trojan server program starts itself are: placing the program in the Startup group; writing the program's launch path into the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run subkey (and likewise the RunOnce, RunServices and RunServicesOnce subkeys, among others); modifying Boot.ini; writing the value directly into the registry; modifying the Explorer.exe start-up parameters; adding a start-up item to the LOAD line in Win.ini or System.ini; and adding the program to AutoExec.bat.
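As an added example (not from the original article), the following Python audits an exported copy of the registry locations listed above: the Run-family keys, the txtfile association and the KnownDLLs load path mentioned in section I, plus the Winlogon GinaDLL value behind the GINA replacement described next. The .reg sample and the TRUSTED_DIRS allow-list are constructed assumptions.

```python
import re

# Constructed .reg-export style sample of the start-up locations listed above (not a real host).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"svchosts"="C:\\WINDOWS\\Temp\\svchosts.exe"
[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\WINDOWS\\Temp\\svchosts.exe %1"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs]
"DllDirectory"="%SystemRoot%\\system32"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"GinaDLL"="msgina.dll"
'''
RUN_BASE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
RUN_KEYS = [RUN_BASE + "\\" + k for k in ("Run", "RunOnce", "RunServices", "RunServicesOnce")]
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")  # assumed allow-list

def parse_reg(text):  # minimal parser for the string values of a .reg export: {key: {name: value}}
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            keys[current]["(Default)" if name == "@" else name.strip('"')] = value.strip('"').replace("\\\\", "\\")
    return keys

def exe_of(command):  # executable path at the front of a command, quotes and arguments removed
    m = re.match(r'\s*"?([^"]+?\.exe)', command, re.IGNORECASE)
    return m.group(1) if m else command

def audit(keys):
    findings = []
    for key in RUN_KEYS:                                   # Run, RunOnce, RunServices, RunServicesOnce
        for name, cmd in keys.get(key, {}).items():
            if not exe_of(cmd).lower().startswith(TRUSTED_DIRS):
                findings.append("%s\\%s starts %s from an unusual location" % (key.rsplit("\\", 1)[1], name, cmd))
    txt = keys.get(r"HKEY_CLASSES_ROOT\txtfile\shell\open\command", {}).get("(Default)", r"%SystemRoot%\system32\notepad.exe %1")
    if not exe_of(txt).lower().endswith("\\notepad.exe"):  # .txt files should still open with Notepad
        findings.append("txtfile association hijacked: %s" % txt)
    dlldir = keys.get(r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs", {}).get("DllDirectory", r"%SystemRoot%\system32")
    if dlldir.lower() != r"%systemroot%\system32":         # KnownDLLs load path redirected
        findings.append("KnownDLLs DllDirectory redirected to %s" % dlldir)
    gina = keys.get(r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", {}).get("GinaDLL", "msgina.dll")
    if gina.lower().rsplit("\\", 1)[-1] != "msgina.dll":   # GINA replaced by another DLL
        findings.append("GinaDLL replaced: %s" % gina)
    return findings
```

On a real host, feed the output of `reg export` for these keys to parse_reg; the same checks apply to the Win.ini LOAD line and AutoExec.bat entries once they are read into the same {key: {name: value}} shape.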
The following code makes the Trojan start with the system by modifying the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run; szName is the value name and szPathBuf holds the program's path:

```cpp
HKEY  hKey;
DWORD dwDisposition;
// Open (or create) the Run key
RegCreateKeyEx(HKEY_LOCAL_MACHINE,                               // handle to open key
               "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", // subkey
               0, NULL,                                          // reserved, class string
               REG_OPTION_NON_VOLATILE,                          // special options
               KEY_READ | KEY_WRITE,                             // desired security access
               NULL, &hKey, &dwDisposition);                     // security attributes, key handle, disposition
// Write the program path as a REG_SZ value named szName
RegSetValueEx(hKey, szName, 0, REG_SZ,
              (const BYTE *)szPathBuf, lstrlen(szPathBuf) + 1);
RegCloseKey(hKey);
```

Ice River uses file association to start the Trojan. Take the association of text files as an example: the value of HKEY_CLASSES_ROOT\txtfile\shell\open\command in the registry is the association for text files (*.txt); its default is "%SystemRoot%\system32\notepad.exe %1". If it is changed to the Trojan, then whenever a text file is opened from then on the Trojan is executed first; after the Trojan has started it runs Notepad.exe to open the specified file, and to an ordinary user nothing appears to have happened. A DLL Trojan replaces an original dynamic link library and is started when the system loads that library. This start-up mode is quite concealed; the well-known GINA Trojan replaces the system's GINA program, exporting the system's functions from the Trojan DLL so that the normal system functionality is preserved while the Trojan's own function is carried out as well.

III. Communication of the Trojan

There are many ways for a Trojan program to communicate. The most common is to use the TCP or UDP protocol, but this method is poorly concealed and easy to find, for example by using the netstat command to view the currently active TCP and UDP connections. Still, there are many means of evading such reconnaissance, and the author has tried the following two. One method is to bind the Trojan's communication to a common service port and send information through those service ports.
For example, information about the attacked host can be transferred to an attacker's e-mail address, uploaded to an FTP host, or relayed through free homepage space used as a drop point. Uploading information to an FTP site with the FTP protocol is easily traced. Returning information by e-mail with SMTP is not easy to trace, since only the attacker's mailbox can be found, but firewalls and some anti-virus software notice outgoing local mail and may block it and warn the user when it is sent. Uploading information with the HTTP protocol is quite safe for the attacker, because the firewall cannot tell whether the transferred information is the interactive traffic of the user's web browsing or private information sent by a Trojan. This method is described in detail later. However, all of these means pass commands and data by establishing a TCP connection, and that has a fatal weakness: while the Trojan is waiting and running there is always a port that is connected to the outside world. Another way is to use the ICMP protocol.
ICMP packets are handled directly by the system kernel or by a process without going through a port. If the Trojan disguises itself as a ping process, the system hands ICMP_ECHOREPLY (ping response) packets to the Trojan process. When an ICMP_ECHOREPLY packet prepared in advance arrives (one whose ICMP header has been modified to add the Trojan's control fields), the Trojan accepts it and parses the commands and data out of the packet. Firewalls generally do not filter ICMP_ECHOREPLY packets, because filtering ICMP_ECHOREPLY messages would mean the host could no longer perform ping route-diagnostic operations.

IV. Functions of the DLL Trojan

The Trojan's main functions are: keystroke logging, obtaining host information, uploading host information, and accepting a remote shutdown command from the controlling end.
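Returning to the ICMP channel of the previous section: an echo reply that answers no request this host sent, or whose payload differs from what the local ping utility emits, is exactly what that technique produces. The following Python is an added example, not code from the original article; the packets, identifiers and the "CTL:" control field are constructed, and the 32-byte payload is the one the Windows ping utility sends.

```python
import struct

# Constructed sample values (not from the original article): the 32-byte pattern the Windows
# ping utility sends, and a reply payload carrying an extra, hypothetical control field.
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"
MODIFIED_PAYLOAD = b"CTL:" + WINDOWS_PING_PAYLOAD
ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0

def icmp_checksum(data):  # RFC 1071 one's-complement sum; returns 0 over a message whose checksum is valid
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp(icmp_type, ident, seq, payload):  # echo message with a correct checksum (sample construction only)
    csum = icmp_checksum(struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload

class EchoReplyMonitor:  # pairs inbound echo replies with the echo requests this host actually sent
    def __init__(self):
        self.outstanding = set()          # (ident, seq) of requests still awaiting a reply

    def observe(self, direction, pkt):
        icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
        payload, findings = pkt[8:], []
        if icmp_checksum(pkt) != 0:
            findings.append("bad checksum")
        if direction == "out" and icmp_type == ICMP_ECHO_REQUEST:
            self.outstanding.add((ident, seq))
        elif direction == "in" and icmp_type == ICMP_ECHO_REPLY:
            if (ident, seq) in self.outstanding:
                self.outstanding.discard((ident, seq))
            else:                          # reply to a ping nobody on this host sent
                findings.append("unsolicited echo reply")
            if payload != WINDOWS_PING_PAYLOAD:
                findings.append("non-standard payload (%d bytes)" % len(payload))
        return findings

def scan(traffic):  # {packet index: findings} over (direction, packet) pairs, in capture order
    mon = EchoReplyMonitor()
    return {i: f for i, f in ((i, mon.observe(d, p)) for i, (d, p) in enumerate(traffic)) if f}

# Constructed traffic: one legitimate ping exchange, then a reply that answers no request.
SAMPLE_TRAFFIC = [
    ("out", build_icmp(ICMP_ECHO_REQUEST, 0x0100, 1, WINDOWS_PING_PAYLOAD)),
    ("in", build_icmp(ICMP_ECHO_REPLY, 0x0100, 1, WINDOWS_PING_PAYLOAD)),
    ("in", build_icmp(ICMP_ECHO_REPLY, 0x0100, 2, MODIFIED_PAYLOAD)),
]
```

Because a reply echoes the request's payload, a reply to a genuine ping is flagged too if its payload was altered in transit, so `scan(SAMPLE_TRAFFIC)` reports only the third packet here.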
1. Setting the hook in the main program

Keystroke logging is implemented mainly with a keyboard hook, or by writing a low-level keyboard driver. The code using a keyboard hook is as follows:

```cpp
// Install a journal-record hook; KeyboardProc is called for every recorded input event
g_hLogHook = SetWindowsHookEx(WH_JOURNALRECORD, KeyboardProc, g_hModule, 0);
```

where KeyboardProc is the callback function:

```cpp
LRESULT CALLBACK KeyboardProc(int code, WPARAM wParam, LPARAM lParam)
{
    if (code < 0)
        return CallNextHookEx(g_hLogHook, code, wParam, lParam);
    if (code == HC_ACTION) {
        EVENTMSG *pEvt = (EVENTMSG *)lParam;
        if (pEvt->message == WM_KEYDOWN) {
            ... // decide whether the keystroke is recorded in the file
        }
    }
    return CallNextHookEx(g_hLogHook, code, wParam, lParam);
}
```

2. Obtaining host information (host name, IP address, operating system version, etc.)

```cpp
WORD wVersionRequested = MAKEWORD(1, 1);
WSADATA wsaData;
WSAStartup(wVersionRequested, &wsaData);
char hostname[256];
int res = gethostname(hostname, sizeof(hostname));        // get the host name
hostent *phostent = gethostbyname(hostname);              // get the host IP address
hostent &he = *phostent;
sockaddr_in sa;
memcpy(&sa.sin_addr.s_addr, he.h_addr_list[0], he.h_length);
lstrcpy(&MyIP[0], inet_ntoa(sa.sin_addr));
WSACleanup();
dwVersion = GetVersion();                                 // get the Windows version number
dwWindowsMajorVersion = (DWORD)(LOBYTE(LOWORD(dwVersion)));
dwWindowsMinorVersion = (DWORD)(HIBYTE(LOWORD(dwVersion)));
if (dwVersion < 0x80000000)                               // Windows NT
    dwBuild = (DWORD)(HIWORD(dwVersion));
else if (dwWindowsMajorVersion < 4)                       // Win32s
    dwBuild = (DWORD)(HIWORD(dwVersion) & ~0x8000);
else                                                      // Windows 95
    dwBuild = 0;
```

3. Remote shutdown

When the Trojan receives the shutdown command it performs the shutdown operation. It must first raise its privileges; otherwise the system considers its privilege insufficient and refuses the operation.