Www.cfanclub.net
A Brief Study of the 3721 Residency Mechanism (Dragon Ball)
A brief look at how 3721 works, written up here as an experience note. Most of the findings come from disassembly under SoftICE and may not apply to every version.
1. CNSMIN.DLL residency
3721 Core file: cnsmin.dll usually exists under
It is loaded at logon through a value in the registry Run key, via rundll32.
Rundll32Main() pseudocode:
    void Rundll32Main()
    {
        hMutex = CreateMutex("CNSMINMUTEX");
        if (GetLastError() == ERROR_ALREADY_EXISTS) {   // only one instance may run
            CloseHandle(hMutex);
            exit;
        }
        if (IsWindowsNT())
            SetProcessSecurityInfo();
        else
            RegisterProcessAsService();
        CheckVersion();
        ContactWithCnsMinKPDriver();   // cnsminkp.sys / .vxd kernel driver; keeps 3721's key files and registry items from being deleted
        InstallCBTHook();              // key hook: injects cnsmin.dll into other processes' address space
        InstallCallWndProcHook();      // key hook: injects cnsmin.dll into other processes' address space
        InitCnsMinIO();                // cnsminio.dll provides the prompts under the IE address bar
        InitRegistry();                // some registry information
        InstallGuardTimer();           // keeps the cnsmin.dll hooks from being uninstalled or preempted
        CreateMsgWindow();
        while (true) {                 // message loop
            GetMessage(&msg);
            DispatchMessage(&msg);
        }
    }
CNSMIN gets into the IE process space mainly through two global hooks, WH_CBT and WH_CALLWNDPROC. Once injected into IE it installs further hooks such as WH_KEYBOARD and WH_DEBUG. 3721's "real name conversion" feature is implemented on the WH_KEYBOARD hook, which is a thread-local hook.
Because Windows calls the most recently installed hook in a chain first, CNSMIN uses a timer to reinstall its hooks repeatedly so that they keep the highest priority; this inevitably costs system performance.
I tried installing a WH_DEBUG hook to block the calls to 3721's hooks, and it does work: 3721 is disabled immediately. But with this method 3721 still resides in the IE process, so it treats the symptom rather than the cause.
Forcibly terminating the rundll32 process temporarily unloads 3721's resident code. However, cnsmin.dll is also registered as a COM component embedded in IE, so as soon as IE is restarted the process comes back.
2. 3721's anti-deletion measures: the file system driver
The driver is cnsminkp*.sys, with different versions for NT / 2000 / XP (cnsminkp.vxd on Windows 98). It is loaded by Windows itself at startup.
The driver filters file and registry deletion requests. When an attempt is made to delete one of 3721's key files or registry keys, it returns success, so Windows believes the deletion succeeded while the file or key is in fact still there. The driver also carries a blacklist (kept in an external file) and blocks Windows from reading the plug-in files of 3721's competitors.
At present there is no way to stop the driver.
Removal method: delete the cnsminkp*.sys file before Windows starts (for example, from DOS). Note: 3721 has a self-recovery capability. Once some key files are deleted, the remaining modules will try to re-download them from the 3721 website, so disconnect from the network before attempting a complete removal.
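A check worth doing before falling back to deleting from DOS. This is an added example, not code from the original note: it makes every deletion verify itself with a second, independent system call, which is precisely what the driver described above defeats by reporting success without deleting anything. It is written in portable C with remove() and stat() standing in for DeleteFile() and GetFileAttributes(), so it runs on Linux as well as Windows; lying_delete is a stand-in for the driver's behaviour, and the scratch file names are constructed for the demo.

```c
/* Verified deletion: never trust the return value of the delete call alone.
 * The 3721 driver answers "success" to attempts to delete its protected files
 * and leaves them in place, so the only way to know a file is gone is a
 * second, independent system call on the same path.
 * Added example, not code from the original note.  Portable C: remove()/stat()
 * instead of DeleteFile()/GetFileAttributes(); lying_delete simulates the driver. */
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

typedef enum {
    VD_DELETED,        /* delete reported success and the file is really gone */
    VD_NOT_FOUND,      /* nothing there to delete */
    VD_DELETE_FAILED,  /* delete reported an error; file still present */
    VD_PHANTOM_DELETE  /* delete reported success but the file persists:
                          something below us (a filter driver) is lying */
} vd_result;

/* Delete primitive, injectable so the lying-driver case can be reproduced
 * without a kernel driver.  Same contract as remove(): 0 on success. */
typedef int (*delete_fn)(const char *path);

static int file_exists(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0;
}

vd_result verified_delete(const char *path, delete_fn del)
{
    if (!file_exists(path))
        return VD_NOT_FOUND;
    if (del(path) != 0)
        return VD_DELETE_FAILED;
    /* The step that catches the driver: re-check with a separate call. */
    return file_exists(path) ? VD_PHANTOM_DELETE : VD_DELETED;
}

/* Run verified_delete over a list of residual files and return how many are
 * phantom deletes, i.e. files that must be removed with Windows not running. */
int count_phantom_deletes(const char *const *paths, int n, delete_fn del)
{
    int phantom = 0;
    for (int i = 0; i < n; i++)
        if (verified_delete(paths[i], del) == VD_PHANTOM_DELETE)
            phantom++;
    return phantom;
}

/* Simulated protected-file driver: claims success, deletes nothing. */
int lying_delete(const char *path)
{
    (void)path;
    return 0;
}

/* Creates a scratch file so the example runs offline (constructed input). */
int make_scratch_file(const char *path)
{
    FILE *f = fopen(path, "wb");
    if (!f)
        return -1;
    fputs("constructed sample content\n", f);
    return fclose(f);
}

const char *vd_name(vd_result r)
{
    switch (r) {
    case VD_DELETED:       return "deleted";
    case VD_NOT_FOUND:     return "not found";
    case VD_DELETE_FAILED: return "delete failed";
    default:               return "PHANTOM DELETE: success reported, file persists";
    }
}

int main(void)
{
    const char *const paths[] = { "vd_scratch1.tmp", "vd_scratch2.tmp" };
    for (int i = 0; i < 2; i++)
        if (make_scratch_file(paths[i]) != 0)
            return 1;

    printf("lying driver:    %s\n", vd_name(verified_delete(paths[0], lying_delete)));
    printf("sweep: %d of 2 are phantom deletes (remove these from DOS)\n",
           count_phantom_deletes(paths, 2, lying_delete));
    printf("honest remove(): %s\n", vd_name(verified_delete(paths[0], remove)));
    printf("second attempt:  %s\n", vd_name(verified_delete(paths[0], remove)));
    remove(paths[1]);
    return 0;
}
```

On a machine where the driver is active, the protected files come back as phantom deletes while ordinary files delete normally; that contrast is the signal that those particular files can only be removed with Windows not running. The same two-call pattern applies to registry keys: call RegDeleteKey, then RegOpenKeyEx on the same path, and treat "open still succeeds" as the key not having been deleted.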
3. Removal steps for current versions:
a) Run the uninstall program that 3721 itself provides. This removes most of the files.
b) Boot to DOS and delete the residual files, such as cnsmin.dll, cnsminkp*.* and so on. Possible locations: the Downloaded Program Files directory, the Program Files\3721 directory, and the Drivers directory.
c) Start Windows. On reaching the desktop, Windows will report that some modules cannot be found; ignore those errors and delete the 3721 values from the registry. Possible locations: HKEY_CURRENT_USER: Software\3721; HKEY_LOCAL_MACHINE: Windows\CurrentVersion\Run, System\CurrentControlSet. Entries are also hidden in other places, so search by keyword.
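Step c) ends with "search by keyword", which is the tedious part in regedit's Find dialog. As an added example, not part of the original note, the following C program does that search offline over a registry export: export the registry with regedit /e (REGEDIT4 text format on Windows 9x/NT4; the Windows 2000/XP export is UTF-16 and needs converting to 8-bit text first), then scan it for any key or string value mentioning "3721" or "cnsmin", reporting each hit together with the key it lives under. The sample export embedded in the program is constructed for the demo; its value names, service name and paths are illustrative, not a verified layout of a real 3721 installation.

```c
/* Offline keyword sweep over a registry export (REGEDIT4 text format, as
 * produced by "regedit /e file.reg" on Windows 9x/NT4; Windows 2000+ exports
 * are UTF-16 and must be converted to 8-bit text first).
 * Added example, not code from the original note.  The sample export below is
 * constructed for the demo; its names and paths are illustrative only. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_HITS 64
#define LINE_CAP 512

typedef struct {
    char key[LINE_CAP];   /* [HKEY_...] header the hit belongs to */
    char line[LINE_CAP];  /* matching key header or "name"="data" line */
} reg_hit;

static reg_hit hits[MAX_HITS];

/* Case-insensitive substring test (registry names are case-insensitive). */
static int ci_contains(const char *hay, const char *needle)
{
    size_t n = strlen(needle);
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && hay[i] &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n)
            return 1;
    }
    return 0;
}

static int matches_any(const char *s, const char *const *kw, int nkw)
{
    for (int i = 0; i < nkw; i++)
        if (ci_contains(s, kw[i]))
            return 1;
    return 0;
}

/* Scan the export line by line.  A hit is a key header or a string-value
 * line containing any keyword; hex/binary continuation lines are skipped.
 * Returns the number of hits recorded (capped at MAX_HITS). */
int scan_reg_export(const char *text, const char *const *kw, int nkw)
{
    char key[LINE_CAP] = "";
    char line[LINE_CAP];
    int count = 0;

    for (const char *p = text; *p; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= LINE_CAP)
            len = LINE_CAP - 1;                /* over-long line is truncated */
        memcpy(line, p, len);
        line[len] = '\0';
        if (len && line[len - 1] == '\r')
            line[len - 1] = '\0';
        p = nl ? nl + 1 : p + strlen(p);

        if (line[0] == '[')
            strcpy(key, line);                 /* new key: remember its path */
        else if (line[0] != '"' && line[0] != '@')
            continue;                          /* header, blank or hex continuation */

        if (matches_any(line, kw, nkw) && count < MAX_HITS) {
            strcpy(hits[count].key, key);
            strcpy(hits[count].line, line);
            count++;
        }
    }
    return count;
}

const reg_hit *reg_hit_at(int i) { return &hits[i]; }

/* Constructed sample export: one obvious key, one Run value, one service. */
const char SAMPLE_EXPORT[] =
    "REGEDIT4\r\n"
    "\r\n"
    "[HKEY_CURRENT_USER\\Software\\3721]\r\n"
    "\"Version\"=\"1.0\"\r\n"
    "\r\n"
    "[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]\r\n"
    "\"CnsMin\"=\"Rundll32.exe C:\\\\WINDOWS\\\\Downloaded Program Files\\\\cnsmin.dll,Rundll32\"\r\n"
    "\"Harmless\"=\"C:\\\\Program Files\\\\Editor\\\\editor.exe\"\r\n"
    "\r\n"
    "[HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\CnsMinKP]\r\n"
    "\"ImagePath\"=\"System32\\\\drivers\\\\cnsminkp.sys\"\r\n";

const char *const KEYWORDS[] = { "3721", "cnsmin" };

int main(void)
{
    int n = scan_reg_export(SAMPLE_EXPORT, KEYWORDS, 2);
    for (int i = 0; i < n; i++)
        printf("%s\n    %s\n", reg_hit_at(i)->key, reg_hit_at(i)->line);
    return 0;
}
```

Hits are the key headers and string values themselves; values under a key that already matched are not listed again, since the whole key gets deleted anyway. Binary and hex(2) values span continuation lines and are not decoded, so a path stored as REG_EXPAND_SZ would need a hex-to-text step before this scan sees it.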