DLL back door clearance complete article

xiaoxiao2021-03-06  69

Author: dahubaobao [Nuke Group]
Updated: 2004-03-25
Category: Network Security
Home: http://www.ringz.org
Group site: http://www.digitalnuke.com/main/
Email: Dahushibaobao@vip.sina.com
QQ: 47809945
First published in Hacker X-Files, 2004 issue 2. The tools and screenshots referred to below are in the archive http://dahubaobao.go.nease.net/dll.rar (unzip password: www.ringz.org). Ring Zone (www.ringz.org) is a group of technical enthusiasts; you are welcome to join.

Clearing the DLL backdoor with your own "hands": a complete guide to removing DLL backdoors

Backdoor! Nobody is a stranger to this word, and everybody knows how harmful it is. But as users' security awareness has gradually improved, with anti-virus software as "strong support", the traditional backdoor can no longer hide itself: anyone with a little computer knowledge knows to "check the ports" and "look at the process list" to find its traces. So backdoor writers adjusted their thinking in time and turned their attention to the dynamic link library: the backdoor is built as a DLL file, which is then loaded by a carrier program or started with rundll32.exe. The backdoor then has no process of its own and, if it connects back out instead of listening, no open port; the process is hidden. This article takes the DLL backdoor as its theme and discusses it in some depth. Its purpose is to give everyone a "quick start" on DLL backdoors, not to be the last word on them. OK, on to the subject.

I. Principles of the DLL backdoor

1. The dynamic link library

Dynamic Link Library, abbreviated DLL: its role is to provide extensions to applications.
An application that wants to use a DLL has to be "dynamically linked" to it; from the programming side, the application needs to know which API functions the DLL exports so that it can call them. So a DLL cannot run by itself; it has to be loaded by an application. Because a loaded DLL is mapped into the memory of the process that loaded it, a DLL that is in use cannot be deleted. This is a Windows mechanism: an executable image that is currently mapped by a running process cannot be removed. (The same fact helps the defender: a DLL that refuses to be deleted is held by some process, and that process's module list tells you which one.)

And so the DLL backdoor was born!

2. Principle and characteristics of the DLL backdoor

The code that implements the backdoor is written into a DLL, which is then inserted into an EXE (a process). The backdoor therefore occupies no process of its own, has no PID of its own, and is hidden in Task Manager. A DLL differs from an EXE in that it must be executed through a program (an EXE) that calls it. For an EXE to load a DLL it needs to know the DLL's entry point and exported functions; by the DLL writing convention, the EXE executes the DLL's DllMain() as part of loading it (much like the main() of an EXE).

Making a DLL backdoor basically comes in two forms: 1) all of the functionality is implemented in the DLL; 2) the DLL only serves as a launcher that starts a separate EXE backdoor on demand (described under (2) below). Common ways of writing them:

(1) A single DLL file. This kind is very simple: the backdoor is itself a DLL, registered in the registry Run key or some other place the system loads automatically, and started with rundll32.exe. What is rundll32.exe? As the name says, "run a 32-bit DLL". Its job is to execute a function inside a DLL, so the process list shows rundll32.exe and no backdoor process; the process is hidden in plain sight. If you see several rundll32.exe processes on a system, don't panic; it only means that several DLLs have been started through rundll32.exe. Which DLLs they are can be found from the system's auto-start locations, and from the command line of each rundll32.exe process. The file description of rundll32.exe says that it calls a dynamic link library from the command line. There is also a rundll.exe in the system, which runs 16-bit DLLs; note the difference.
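As an added example (not code from the original article), the following PowerShell script answers the question just raised, which DLL each rundll32.exe is really running, by parsing the command line of every live rundll32.exe process and of every Run-key value that invokes rundll32 (the command-line form is rundll32.exe DLLname,FunctionName [Arguments]), locating the DLL the way the loader would, and checking its Authenticode signature. It assumes a Windows host with PowerShell 3 or later and an elevated prompt (needed to read other users' process command lines); the function names are my own.

```powershell
# Added example, not from the original article: resolve the DLL, entry point and
# arguments behind every rundll32.exe invocation, live or registered for autostart.
# Command-line form: rundll32.exe DLLname,FunctionName [Arguments]

function ConvertFrom-Rundll32CommandLine {
    param([string]$CommandLine, [string]$Source = '')
    if (-not $CommandLine) { return $null }   # access denied yields an empty command line
    # The DLL path may be quoted when it contains spaces; the entry point follows the comma.
    $re = '^\s*(?:"[^"]*rundll32(?:\.exe)?"|\S*rundll32(?:\.exe)?)\s+' +
          '(?:"(?<dll>[^"]+)"|(?<dll>[^,\s]+))\s*,\s*(?<entry>\S+)(?:\s+(?<args>.*?))?\s*$'
    if (-not ($CommandLine -match $re)) { return $null }
    $dll = $Matches['dll']
    # Mimic the loader's lookup: a rooted path is used as given, anything else is
    # looked for in System32 (where rundll32.exe itself lives).
    $path = if ([System.IO.Path]::IsPathRooted($dll)) { $dll }
            else { Join-Path $env:SystemRoot "System32\$dll" }
    $sig = if (Test-Path -LiteralPath $path) {
        (Get-AuthenticodeSignature -LiteralPath $path).Status.ToString()
    } else { 'FileMissing' }
    [pscustomobject]@{
        Source     = $Source
        Dll        = $dll
        EntryPoint = $Matches['entry']
        Arguments  = $Matches['args']
        Path       = $path
        Signature  = $sig     # anything other than Valid deserves a second look
    }
}

function Get-Rundll32Targets {
    # 1. Live rundll32.exe processes and their command lines
    Get-CimInstance -ClassName Win32_Process -Filter "Name = 'rundll32.exe'" |
        ForEach-Object {
            ConvertFrom-Rundll32CommandLine -CommandLine $_.CommandLine -Source "PID $($_.ProcessId)"
        }
    # 2. Auto-start entries that launch rundll32 (the Run keys the article names;
    #    extend the list with RunOnce, Winlogon\Shell and so on as needed)
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not a registry value
            if ($p.Value -is [string] -and $p.Value -match 'rundll32') {
                ConvertFrom-Rundll32CommandLine -CommandLine $p.Value -Source "$key\$($p.Name)"
            }
        }
    }
}

Get-Rundll32Targets | Format-Table Source, Dll, EntryPoint, Path, Signature -AutoSize
```

A rundll32.exe whose DLL is unsigned, missing, or outside System32 is the "spider silk" the article talks about; a legitimate entry such as shell32.dll,Control_RunDLL comes back as a validly signed System32 file.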
For reference, the prototype of the function that rundll32.exe calls is:

    void CALLBACK FunctionName(HWND hwnd, HINSTANCE hinst, LPTSTR lpCmdLine, int nCmdShow);

and the command line used is:

    Rundll32.exe DLLname,FunctionName [Arguments]

DLLname is the DLL file to execute; FunctionName is the exported function of that DLL to run (note the comma, with no space, between the two); [Arguments] are the parameters passed to that function in lpCmdLine.

(2) Replacing a system DLL. This kind is more advanced than the one above. The backdoor is made into a DLL that matches a system DLL (it exports the same functions), and the original DLL is renamed. When an application requests the original DLL, the backdoor DLL acts as a forwarder and passes the "parameters" on to the original DLL; when it sees a special request (for example from the backdoor's client), the backdoor starts and runs. For this kind, keeping all operations inside the DLL is the safest, but it needs a lot of programming knowledge and is very hard to write.

Therefore this kind of backdoor is usually only a "launcher": when a special condition occurs (such as a client request), it starts a normal EXE backdoor; after the client disconnects, the EXE backdoor is stopped and the DLL goes back to "sleep" until the next client connection. But since Microsoft introduced digital signatures and file protection (the automatic "recovery" of system files), this kind of backdoor has gradually declined. Tip: the winnt\system32 directory contains a dllcache folder holding a large number of DLL files (and some important EXE files). When a protected DLL is modified illegally, the system restores it from here. If you want to modify such a DLL you must first delete or rename the copy of the same name in the dllcache directory, otherwise the system will automatically restore it. (If the dllcache copy is missing too, Windows File Protection asks for the installation media instead; either way, a system DLL that has been tampered with is worth comparing against a signed copy.)

(3) Dynamic embedding. This is the most common DLL backdoor method. It means embedding the DLL into a system process that is already running. In Windows each process has its own private memory space, but there are still ways into another process's private memory to achieve dynamic embedding. Since key system processes cannot be terminated, this kind of backdoor is very well hidden and very hard to kill. Common dynamic embedding techniques are "API hooking", "global hooks", "remote threads", and so on. The remote thread technique means entering a process's address space by creating a remote thread inside it. The EXE carrier (or rundll32.exe) creates a remote thread in the target process, and that thread loads our DLL, so the DLL backdoor hangs inside the target process and no new process appears. To stop the DLL backdoor you can only terminate the process it is linked into; but if it is linked into a key system process, you cannot. Terminate a system process and Windows goes down with it!!!
3. Start-up characteristics of the DLL backdoor

The carrier EXE that starts the DLL backdoor is indispensable and very important; it is called the loader. Without a loader, how would our DLL backdoor get started? So a good DLL backdoor tries hard to protect its loader from being killed. Loaders take many forms: an EXE written specially for the DLL backdoor, or the rundll32.exe that ships with the system. Even if rundll32.exe is stopped, the body of the DLL backdoor still exists. The 3721 "Network Real Name" plug-in is an example, although it is not a "real" backdoor.

II. Clearing DLL backdoors

This section takes SvchostDLL.dll, bits.dll and QoServer.dll as its three examples and explains their manual removal in detail. After reading these three removal methods I hope you can generalize from them, apply them flexibly, and no longer fear DLL backdoors. In fact, clearing a DLL backdoor by hand is fairly simple: it is nothing more than working in the registry. Details below.

1. Portless Backdoor

This is a very powerful DLL backdoor program. Besides a shell with Local System privileges it supports a series of functions such as "detect clone accounts" and "install Terminal Services" (see the program's help), and it works on Windows 2000/XP/2003 and so on.

The program is started by svchost.exe, usually opens no port, and can connect back to the client (its biggest feature), which works well against hosts behind firewalls. Before the removal method, a brief introduction to the key system service host SVCHOST.EXE: svchost is only a host and implements no functionality itself. To start a service through svchost, the service is implemented in a DLL, the service's image path (its loader) points to svchost.exe with the -k group name, and svchost loads the DLL when the service starts. Which DLL it loads is determined by parameters in the registry: under the service's key there is a Parameters subkey whose ServiceDll value names the DLL responsible for the service, and that DLL must export a ServiceMain() function that handles the service's work. Ha! Asleep after all that theory? Don't worry, let's look at something concrete (Figure 1). Figure 1 shows the Parameters subkey under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs, whose ServiceDll value is %SystemRoot%\System32\rpcss.dll. This means that when the RpcSs service starts, svchost loads rpcss.dll from the winnt\system32 directory. Now look at Figure 2, the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost, which stores the groups svchost starts and the services belonging to each group; the netsvcs group holds the most services. For a service to be started by svchost, its name must appear under this Svchost key. There are four ways to get there:

1) add a new group and put the service name in it;
2) add the service name to an existing group;
3) use a service name that already appears in an existing group but for which no service is installed on this machine;
4) modify an existing service in an existing group, pointing its ServiceDll at your DLL backdoor.

Portless Backdoor uses the third method.
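As an added example (not from the original article), the following PowerShell function walks the Svchost key just described and turns the four ways of getting in into checks: every group is listed (a new group, way 1, shows up as an unfamiliar name), every service name in a group is looked up under Services (a name with no service key is the kind of slot way 3 fills; a service that is present but is not hosted by svchost is flagged, which also covers names added under way 2), and for each installed service the ServiceDll is resolved, checked for existence and location, and verified with Get-AuthenticodeSignature (a redirected or replaced DLL, way 4, shows up as unsigned or outside System32). It assumes Windows with PowerShell 3 or later; compare the output against a known-good machine, because several reserved names in netsvcs are legitimately uninstalled.

```powershell
# Added example, not from the original article: audit every service svchost can host.
function Get-SvchostServiceAudit {
    $groupKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
    $sys32    = Join-Path $env:SystemRoot 'System32'
    foreach ($g in (Get-ItemProperty -Path $groupKey).PSObject.Properties) {
        # Each group is a REG_MULTI_SZ value named after the group (netsvcs, rpcss, ...)
        if ($g.Name -like 'PS*' -or -not ($g.Value -is [string[]])) { continue }
        foreach ($svc in $g.Value) {
            $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
            $row = [ordered]@{ Group = $g.Name; Service = $svc; ServiceDll = $null
                               Signature = $null; Flags = @() }
            if (-not (Test-Path -LiteralPath $svcKey)) {
                # Way 3: the name is reserved in the group but no service is installed.
                # Normal for many reserved names, but a service created later under
                # this name is hosted by svchost without any change to the group key.
                $row.Signature = 'NotInstalled'
                [pscustomobject]$row
                continue
            }
            $image = (Get-ItemProperty -LiteralPath $svcKey).ImagePath
            if ($image -and $image -notmatch 'svchost\.exe') {
                $row.Flags += 'listed in a svchost group but not hosted by svchost'
            }
            $paramKey = Join-Path $svcKey 'Parameters'
            $dll = $null
            if (Test-Path -LiteralPath $paramKey) {
                $dll = (Get-ItemProperty -LiteralPath $paramKey).ServiceDll   # REG_EXPAND_SZ comes back expanded
            }
            if (-not $dll) {
                $row.Flags += 'no ServiceDll'
                $row.Signature = 'n/a'
                [pscustomobject]$row
                continue
            }
            $dll = [Environment]::ExpandEnvironmentVariables($dll)
            $row.ServiceDll = $dll
            if (-not (Test-Path -LiteralPath $dll)) {
                $row.Signature = 'FileMissing'
            } else {
                $row.Signature = (Get-AuthenticodeSignature -LiteralPath $dll).Status.ToString()
                # Way 4 (the bits.dll case below): the service looks legitimate, but the
                # DLL behind it is not the signed original.
                if ($row.Signature -ne 'Valid') { $row.Flags += 'ServiceDll not validly signed' }
                if (-not $dll.StartsWith($sys32, [StringComparison]::OrdinalIgnoreCase)) {
                    $row.Flags += 'ServiceDll outside System32'
                }
            }
            [pscustomobject]$row
        }
    }
}

# Entries with the most flags first
Get-SvchostServiceAudit |
    Sort-Object { $_.Flags.Count } -Descending |
    Format-Table Group, Service, ServiceDll, Signature, @{n='Flags'; e={ $_.Flags -join '; ' }} -AutoSize
```

The file name alone proves nothing either way (a backdoor can be named rpcss.dll); what matters is whether the file that a service's ServiceDll actually resolves to carries a valid signature and lives where the original lives.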
Now that everyone has read the principle above, I think we can guess the method for clearing Portless Backdoor: it is a matter of working under the Svchost key of the registry. OK, let's start. Note: since this article only introduces the removal method, the method is somewhat simplified. The backdoor's loader inserts svchostdll.dll into the svchost process, so we first open the "Windows Process Management 2.5" tool in Windows Optimization Master and look at the module information of the svchost process (Figure 3). Figure 3 shows that svchostdll.dll has been loaded into the svchost process. By the third method above, "a service name that already appears in an existing group but for which no service is installed", we can conclude that a new service has appeared in "Administrative Tools" - "Services".

Figure 4 demonstrates what I said: the service name is IPRIP, it is started by svchost, and -k netsvcs shows that it belongs to the netsvcs service group. We stop this service, then open the Registry Editor (Start - Run - regedit), go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPRIP and look at its Parameters subkey (Figure 5). The data of the Program value, svchostdll.exe, is the loader; the data of the ServiceDll value, C:\Winnt\System32\svchostdll.dll, is the DLL file the backdoor runs from. Now delete the IPRIP subkey (or delete the service with sc delete), then go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost, edit the netsvcs service group value and delete the bytes 49 00 70 00 72 00 69 00 70 00 00 00, which are the service name "Iprip" in UTF-16LE followed by its terminating null, as shown in Figure 6. (Iprip is a default member of the netsvcs list, which is exactly why the backdoor borrowed that name; deleting the service key is what stops the load, and trimming the list is optional housekeeping.) Then exit and restart. After the restart, delete the backdoor files in the winnt\system32 directory.

2. bits.dll

This is the work of "the Buddha". It is also a DLL backdoor, and its principle is basically the same as svchostdll.dll, except that it uses the fourth method introduced above: "modify an existing service in an existing group, pointing its ServiceDll at your DLL backdoor". In other words, the backdoor modifies an existing service and points that service's original DLL entry at itself (bits.dll), which achieves automatic loading. Secondly, this backdoor has no loader of its own: the system's own svchost.exe loads it when the hijacked service starts. (The file name is chosen to resemble the Background Intelligent Transfer Service, but the real BITS service DLL is qmgr.dll, so a bits.dll in system32 is suspicious by itself.) We use Windows Process Management 2.5 again, and Figure 7 shows that bits.dll has been loaded into the svchost process. Now the specific removal method. Because the backdoor modified an existing service and we do not know which one, search the registry for bits.dll. The search finally finds it under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto: the ServiceDll value under its Parameters subkey is C:\Winnt\System32\bits.dll (Figure 8). So the backdoor replaced the original DLL of the RasAuto service with bits.dll, and that is how it gets loaded automatically. Knowing the cause, we know what to do: set the ServiceDll value back to the original DLL of the RasAuto service, %SystemRoot%\System32\rasauto.dll (check first that this file is still there and is the signed original), exit, and restart. Then delete bits.dll in the winnt\system32 directory.

3. Noir-Queen

Noir-Queen ("Guardian") is a DLL backdoor and Trojan. It is inserted as a DLL into the system's lsass.exe process, and since lsass.exe is a key system process, it cannot be terminated.
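Before moving on to Noir-Queen, here are the two svchost clean-ups above (the Portless Backdoor IPRIP service and the bits.dll-hijacked RasAuto service) as an added PowerShell example, not code from the original article. It assumes an elevated prompt on Windows with PowerShell 3 or later. Nothing here deletes a DLL file: a DLL mapped into svchost cannot be removed until the hosting process is gone, so, as in the article, the files are deleted after the reboot; the functions report which files those are.

```powershell
# Added example, not from the original article: the two svchost clean-ups as functions.

# Case 1 (Portless Backdoor): a rogue service that borrows a name from a svchost group.
function Remove-SvchostHostedService {
    param([Parameter(Mandatory)][string]$Name,
          [Parameter(Mandatory)][string]$Group)
    $svcKey   = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $groupKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'

    # Record what the service points at before deleting anything, so the files
    # (ServiceDll, and the Program loader if present) can be removed after the reboot.
    $params = Get-ItemProperty -LiteralPath "$svcKey\Parameters" -ErrorAction SilentlyContinue
    $files  = @($params.ServiceDll, $params.Program) | Where-Object { $_ }

    # Stop it, then delete it. "sc" is an alias for Set-Content in PowerShell,
    # so the service control tool must be called as sc.exe.
    if (Get-Service -Name $Name -ErrorAction SilentlyContinue) {
        Stop-Service -Name $Name -Force -ErrorAction SilentlyContinue
        & sc.exe delete $Name | Out-Null   # the SCM drops the key once no handle is open, at the latest on reboot
    }

    # Take the name out of the group's REG_MULTI_SZ instead of hex-editing it.
    $members = (Get-ItemProperty -LiteralPath $groupKey).$Group
    if ($members -and ($members -contains $Name)) {
        $kept = @($members | Where-Object { $_ -ne $Name })
        Set-ItemProperty -LiteralPath $groupKey -Name $Group -Value $kept -Type MultiString
    }
    [pscustomobject]@{ Service = $Name; Group = $Group; DeleteAfterReboot = $files }
}

# Case 2 (bits.dll): an existing service whose ServiceDll was redirected.
function Restore-ServiceDll {
    param([Parameter(Mandatory)][string]$Name,
          [Parameter(Mandatory)][string]$OriginalDll)   # e.g. %SystemRoot%\System32\rasauto.dll
    $paramKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name\Parameters"
    $current  = (Get-ItemProperty -LiteralPath $paramKey).ServiceDll
    $resolved = [Environment]::ExpandEnvironmentVariables($OriginalDll)
    # Refuse to point the service at something missing or unsigned: the original
    # may have been renamed or overwritten as well.
    if (-not (Test-Path -LiteralPath $resolved)) { throw "$resolved is missing" }
    $status = (Get-AuthenticodeSignature -LiteralPath $resolved).Status.ToString()
    if ($status -ne 'Valid') { throw "$resolved is not validly signed ($status)" }
    Set-ItemProperty -LiteralPath $paramKey -Name ServiceDll -Value $OriginalDll -Type ExpandString
    [pscustomobject]@{ Service = $Name; WasPointingAt = $current; NowPointingAt = $OriginalDll
                       DeleteAfterReboot = [Environment]::ExpandEnvironmentVariables($current) }
}

# The two cases from the article (adjust the names for other samples; reboot
# afterwards, then delete the files listed under DeleteAfterReboot):
Remove-SvchostHostedService -Name 'IPRIP' -Group 'netsvcs'
Restore-ServiceDll -Name 'RasAuto' -OriginalDll '%SystemRoot%\System32\rasauto.dll'
```

The signature check in Restore-ServiceDll is the step the article's "point it back at rasauto.dll" leaves implicit: if the attacker renamed or replaced the original as well, pointing the service back at it just loads a different backdoor.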

Before the removal method, a word about the lsass.exe process. This is the Local Security Authority Subsystem Service. The Winlogon service uses it to authenticate the user who is logging on; if authentication succeeds, LSASS generates the user's access token, which is used to start the initial shell, and every other process the user starts inherits this token. From this you can see how important LSASS is to the system. So how do we clear the backdoor? See below. After a successful installation, the backdoor adds a service named QoServer to the service list and inserts the QoServer.dll backdoor file into the LSASS process, so it hides its process and starts automatically (as shown in Figure 9). Now open the registry, go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\QoServer, delete the QoServer key directly, and restart. After the restart, go to the service list: you will see that the QoServer service is still there, not started, with startup type Automatic; change it to "Disabled". Then look further up and you will find a service named AppCPI Service whose executable points to QoServer.exe (I will explain the reason shortly), as shown in Figure 11. Open the registry again, go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppCPI, delete the AppCPI key, and restart; then delete QoServer, and finally delete the backdoor files in the winnt\system32 directory. I "fought" this backdoor for more than three hours and restarted N times. The reason: even after the QoServer service was deleted, the backdoor kept running, and the QoServer service in the service list rose "from the ashes". Later I learned that after I deleted the QoServer service and restarted, the QoServer.dll already inside the LSASS process restored the QoServer service and also generated another service, AppCPI. So we must also delete the AppCPI service in the registry; only then is the backdoor cleared.
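The procedure above took several reboots because each service was handled on its own while its partner was still able to recreate it. As an added example (not from the original article), here is the same removal done in one pass: every linked service is set to Disabled before it is deleted, so that whichever copy survives or comes back cannot start, and a second function checks after the reboot that neither service key nor the DLL inside lsass has returned. It assumes an elevated prompt on Windows with PowerShell 3 or later; the service, process and module names are the ones the article reports for Noir-Queen.

```powershell
# Added example, not from the original article: remove services that re-create
# each other (QoServer and AppCPI above) in one pass, and verify after the reboot.

function Disable-LinkedServices {
    param([Parameter(Mandatory)][string[]]$Names)
    foreach ($n in $Names) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$n"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        # Disabled first: if a partner service resurrects this key before the
        # reboot completes, Start = 4 (Disabled) is what keeps it from running.
        Set-ItemProperty -LiteralPath $key -Name Start -Value 4 -Type DWord
        Stop-Service -Name $n -Force -ErrorAction SilentlyContinue
        & sc.exe delete $n | Out-Null   # "sc" alone is the Set-Content alias in PowerShell
    }
}

function Test-LinkedServicesGone {
    param([Parameter(Mandatory)][string[]]$Names,
          [Parameter(Mandatory)][string]$HostProcess,   # e.g. lsass
          [Parameter(Mandatory)][string]$Module)        # e.g. QoServer.dll
    $problems = @()
    foreach ($n in $Names) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$n"
        if (Test-Path -LiteralPath $key) {
            $start = (Get-ItemProperty -LiteralPath $key).Start
            $problems += "service key $n is back (Start=$start)"
        }
        if (Get-Service -Name $n -ErrorAction SilentlyContinue) { $problems += "service $n is registered" }
    }
    # Is the DLL still mapped into the host process? Reading lsass modules needs
    # admin rights and fails on systems where lsass runs as a protected process.
    foreach ($p in Get-Process -Name $HostProcess -ErrorAction SilentlyContinue) {
        try { $mods = $p.Modules } catch {
            $problems += "cannot read modules of $($p.Name) (PID $($p.Id)): $($_.Exception.Message)"
            continue
        }
        $loaded = $mods | Where-Object { $_.ModuleName -ieq $Module }
        if ($loaded) { $problems += "$Module still loaded in $($p.Name) (PID $($p.Id)) from $($loaded.FileName)" }
    }
    [pscustomobject]@{ Clean = ($problems.Count -eq 0); Problems = $problems }
}

# Before the reboot:
Disable-LinkedServices -Names 'QoServer', 'AppCPI'
# After the reboot; delete QoServer.dll and QoServer.exe from System32 only once Clean is True:
Test-LinkedServicesGone -Names 'QoServer', 'AppCPI' -HostProcess 'lsass' -Module 'QoServer.dll'
```

If Test-LinkedServicesGone reports the module still loaded after a reboot, something other than the two named services is starting it, and the search has to widen to the other auto-start locations before deleting files.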
You can see that the protection measures of today's backdoors really are interlocking. Note: after deleting the QoServer service and restarting, the startup type of the restored QoServer service must be changed to "Disabled", otherwise the QoServer service runs again even after the AppCPI service has been deleted.

III. Guarding against DLL backdoors

Having seen the examples, I think everyone now has some understanding of how to clear a DLL backdoor. But in reality a DLL backdoor will not use its default file name, so you cannot identify it by name alone. For a DLL backdoor the System32 directory is a good hiding place, and most backdoors do hide there, so it deserves attention. Below is a concrete introduction to how to find a DLL backdoor; I hope it helps everyone.

Please credit the original address when reposting: https://www.9cbs.com/read-87701.html
