1. Dynamic link libraries
A dynamic link library (DLL) provides extended functionality to applications. An application that wants to use a DLL must be "dynamically linked" with it; from the programming point of view, the application has to know the API functions the DLL exports before it can call them. A DLL therefore cannot run on its own; it needs an application to call it. And because a DLL in use is mapped into the memory of the running application, the DLL file cannot be deleted: Windows does not allow a file belonging to a running program to be removed. This is what the DLL backdoor is built on.
2. Principle and characteristics of DLL backdoors
The code that implements the backdoor is written as a DLL and loaded into an EXE, so the backdoor runs without a process of its own, has no PID and does not show up in Task Manager. A DLL is not very different from an EXE, except that it must be called by a program (an EXE) in order to execute. Loading the DLL requires an EXE, and that EXE must know the DLL's entry function (that is, an exported function of the DLL) in order to load it. By the DLL writing convention, the EXE runs the DLL's DllMain() as the loading step (just like the main() of an EXE). There are two basic ways to build a DLL backdoor: 1) implement all functionality inside the DLL itself; 2) make the DLL a launcher that starts an ordinary EXE backdoor when needed.
Common ways of writing them:
(1) A single DLL file
This kind of backdoor is very simple: write a DLL and have Rundll32.exe start it automatically from the registry Run key or another location the system loads on its own. What is Rundll32.exe? As the name suggests, it "runs 32-bit DLL files": it executes functions inside a DLL, so the process list only shows Rundll32.exe and never a process belonging to the DLL backdoor, which hides the process. If you see several Rundll32.exe instances on a system, do not panic; it simply means that that many DLL files have been started through Rundll32.exe. Which DLLs is Rundll32.exe executing? You can find that out at the locations the system loads automatically.
A few words about Rundll32.exe itself: its purpose is to call dynamic link libraries from the command line. The system also ships Rundll.exe, which "runs 16-bit DLL files"; do not confuse the two. The function prototype that Rundll32.exe expects is:
void CALLBACK FunctionName(
    HWND hwnd,
    HINSTANCE hinst,
    LPTSTR lpCmdLine,
    int nCmdShow
);
The command-line usage is: Rundll32.exe DllName,FunctionName [Arguments]
DllName is the file name of the DLL to execute; FunctionName is the exported function of that DLL to run; [Arguments] are the parameters passed to that exported function.
(2) Replacing a system DLL
This backdoor is slightly more advanced than the one above. The backdoor code is built into a DLL with the same name as a system DLL, and the original DLL is renamed. When an application requests the original DLL, the backdoor DLL forwards the call and passes the "parameters" on to the original DLL; when it receives a special request (for example from a client), the backdoor starts and runs. For this kind of backdoor the safest approach is to implement everything inside the DLL, but that requires a lot of programming knowledge and is very hard to write. So this kind of backdoor usually makes the DLL a launcher and starts an ordinary EXE backdoor only under special conditions (such as a client request); when the client disconnects, the EXE backdoor is stopped and the DLL returns to a "dormant" state until the next client connection. With the introduction of Microsoft's "digital signature" and "file recovery" functions, this kind of backdoor has gradually declined.
Tip:
Under the WINNT\system32 directory there is a dllcache folder containing many DLL files (and some important EXE files). When a DLL is modified illegitimately, the system restores it from here. To modify a DLL, the file of the same name in the dllcache directory must first be deleted or renamed, otherwise the system restores the original automatically.
(3) Dynamic embedding into a running process
This is the most common kind of DLL backdoor. Its point is to embed the DLL into a running system process. Under Windows every process has its own private memory space, but there are still various ways to get into another process's private memory and so achieve dynamic embedding. Because key system processes cannot be terminated, this kind of backdoor is very well hidden and hard to kill. Common dynamic-embedding techniques include "API hooks", "global hooks", "remote threads" and so on.
The remote-thread technique means creating a remote thread inside a process in order to enter that process's memory address space. When the EXE carrier (or Rundll32.exe) creates a remote thread in the target process and instructs it to execute a DLL, the DLL backdoor is loaded and executed, and no new process is created. To stop the DLL backdoor you have to stop the process it has been linked into; but if that is a key system process it cannot be terminated, and terminating a system process brings Windows down immediately!
3. Startup characteristics of DLL backdoors
The EXE that starts the DLL backdoor, its carrier, is indispensable and very important; it is called the loader. Without a loader, how could the DLL backdoor start at all? So a good DLL backdoor does its best to keep its loader from being killed. There are many kinds of loader: an EXE written specifically for the DLL backdoor, or the system's own Rundll32.exe. Even if Rundll32.exe is stopped, the body of the DLL backdoor still exists. 3721 Network Real Name is an example of this, although it is not a "real" backdoor.
II. Removing DLL backdoors
This section uses three well-known DLL backdoors as examples, "SvchostDLL.dll", "BITS.dll" and "QoServer.dll", and explains their manual removal in detail. I hope that after reading these three removal methods you can draw inferences from them and apply them flexibly. Do not be afraid of DLL backdoors: removing one by hand is actually fairly simple and is mostly a matter of working in the registry. How to do it is explained below.
1. Portless backdoor
This is a very powerful DLL backdoor. Besides a shell with local SYSTEM privileges, it supports features such as "detecting cloned accounts" and "installing terminal services" (see the program's help for details), and works on Windows 2000/XP/2003 and similar systems. It is started through Svchost.exe. Normally it opens no port and can connect back in reverse (its biggest feature), which makes it ideal for hosts behind firewalls.
Before the removal method, a brief look at how services are hosted in svchost.exe:
Svchost itself implements no functionality; it is only a host for services. A service that is to be started through svchost is implemented as a DLL, and the service's carrier (loader) points to Svchost. When the service starts, svchost calls the service's DLL, and that is how the service runs. Which DLL svchost loads for a service is determined by registry parameters: the service's key has a Parameters subkey whose ServiceDll value names the DLL responsible for that service. That DLL must export a ServiceMain() function to carry out the service's work.
Ha ha! Was the theory above a little confusing (I nearly fell asleep)? Don't worry, let's look at a concrete case. Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs there is a Parameters subkey whose ServiceDll value is %SystemRoot%\system32\rpcss.dll. This means that when the RpcSs service is started, Svchost calls rpcss.dll in the WINNT\system32 directory.
In the registry, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost stores the groups Svchost starts and the services within each group; the netsvcs group has the most services. For a service to be started by Svchost, its name must appear under that Svchost key. There are four ways to achieve this:
1. Add a new group and put a service name into it.
2. Add the service name to an existing group.
3. Use a service name already present in an existing group that is not actually installed on this machine.
4. Modify an existing service in an existing group and point its ServiceDll at the backdoor DLL.
The portless backdoor I tested uses the third method.
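The four methods above all leave traces in the Svchost key and in each service's Parameters\ServiceDll value, so they can be audited in one pass. The following read-only script is an added example, not code from the original article; it assumes a Windows 2000 or later registry layout and an elevated PowerShell session.

```powershell
# Added example, not from the original article: audit the services that svchost.exe hosts.
# For each group under the Svchost key, take the service names it lists, resolve each
# installed service's Parameters\ServiceDll value, and report DLLs that do not exist,
# live outside the Windows directory, or fail Authenticode verification. Nothing is changed.

$svchostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$windir      = $env:SystemRoot
$psMeta      = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-SvchostServiceAudit {
    $groups = Get-ItemProperty -Path $svchostKey
    foreach ($prop in $groups.PSObject.Properties) {
        if ($psMeta -contains $prop.Name) { continue }      # provider metadata, not a group
        if ($prop.Value -isnot [string[]]) { continue }     # a group is a REG_MULTI_SZ list
        foreach ($svc in $prop.Value) {
            if ([string]::IsNullOrWhiteSpace($svc)) { continue }
            $svcKey = Join-Path $servicesKey $svc
            # Groups routinely list names that are not installed; only installed ones can run
            # (method 3 works by installing a service under one of those spare names).
            if (-not (Test-Path $svcKey)) { continue }
            $paramKey = Join-Path $svcKey 'Parameters'
            $dll = (Get-ItemProperty -Path $paramKey -ErrorAction SilentlyContinue).ServiceDll
            $findings = @()
            $resolved = $null
            if (-not $dll) {
                $findings += 'installed but no ServiceDll value'
            } else {
                $resolved = [Environment]::ExpandEnvironmentVariables($dll)
                if (-not (Test-Path -LiteralPath $resolved)) {
                    $findings += 'ServiceDll path does not exist'
                } else {
                    if (-not $resolved.StartsWith($windir, 'OrdinalIgnoreCase')) {
                        $findings += 'ServiceDll outside the Windows directory'
                    }
                    # Method 4 (ServiceDll repointed at a foreign DLL) shows up here as an
                    # unsigned or mismatched file in place of the vendor-signed original.
                    $sig = Get-AuthenticodeSignature -FilePath $resolved
                    if ($sig.Status -ne 'Valid') { $findings += "signature $($sig.Status)" }
                }
            }
            [pscustomobject]@{
                Group      = $prop.Name
                Service    = $svc
                ServiceDll = $resolved
                Findings   = ($findings -join '; ')
            }
        }
    }
}

# Show only services with something to look at; an empty table is the expected result.
Get-SvchostServiceAudit | Where-Object { $_.Findings } | Format-Table -AutoSize
```

Drop the Where-Object filter to see every hosted service, which is the quickest way to spot a newly added group (method 1) or a name that was never in the group before (method 2).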
With the mechanism above understood, you can surely guess how we remove the portless backdoor: yes, by working under the Svchost key in the registry. Let's begin.
Note: since this article only covers removal, how the backdoor is used is omitted.
The backdoor's loader inserts SvchostDLL.dll into the Svchost process, so first open Windows Process Management 2.5 in Windows Optimizer and look at the module information of the Svchost process: SvchostDLL.dll has indeed been inserted into it. Following the hint "use a service name already present in an existing group that is not installed on this machine", there should be a new service under "Services" in "Administrative Tools". Sure enough: the service is named IPRIP, it is started by Svchost, and -k netsvcs shows that it belongs to the netsvcs service group.
Stop that service, then open Registry Editor (Start - Run - regedit) and go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPRIP to look at its Parameters subkey. The Program value, SvcHostDLL.exe, is the backdoor's loader; the ServiceDll value, WINNT\system32\SvchostDLL.dll, is the DLL that gets called, that is, the backdoor DLL itself. Now delete the IPRIP subkey (or remove the service with SC), then go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost, edit the netsvcs service group and delete the entry 49 00 70 00 72 00 69 00 70 00 00 00 00, which is the service name IPRIP (the string "Iprip" in the group's multi-string value). Then exit and reboot, and after the reboot delete the backdoor files from the WINNT\system32 directory.
2. BITS.dll
This one is Rong's work and is also a DLL backdoor. Its principle is basically the same as that of SvchostDLL.dll, but it uses the fourth method above, "modify an existing service in an existing group and point its ServiceDll at the backdoor DLL". In other words, the backdoor alters an existing service and points that service's DLL at itself (BITS.dll) so as to be loaded automatically; secondly, this backdoor has no loader of its own but uses the system's Rundll32.exe to load it. Looking at Windows Process Management 2.5 again, Figure 7 shows that bits.dll has been inserted into the Svchost process.
Now the removal. Since the backdoor modifies an existing service and we do not know which one, search the registry for bits.dll; it turns up under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto. The ServiceDll value in its Parameters subkey is C:\WINNT\system32\bits.dll (as shown in Figure 8). So the backdoor replaced the original DLL of the RasAuto service with bits.dll to get itself loaded automatically; it is easy to see why. Now change ServiceDll back to the original DLL of the RasAuto service, %SystemRoot%\system32\rasauto.dll, exit and reboot, then delete bits.dll from the WINNT\system32 directory.
3. Noir-Queen
NOIR-QUEEN is a DLL backdoor and Trojan program; its server side is inserted into the system's Lsass.exe process as a DLL. Because Lsass.exe is a key system process, it cannot be terminated. Before the removal method, a short introduction to the Lsass.exe process:
This is the Local Security Authority service, which generates a process for users authorized through the Winlogon service. If authorization succeeds, Lsass generates the user's access token, which is used to start the initial shell. Processes started by the user inherit this token.
The above shows how important Lsass is to the system. So how is this backdoor removed? See below.
Once the backdoor is installed, a service named QoSserver is added to the service list and the backdoor file QoSserver.dll is inserted into the Lsass process, which hides it and starts it automatically (as shown in Figure 9). Open the registry, go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\QoSserver, delete the QoSserver key outright and reboot. After the reboot the QoSserver service is still in the service list, not started but with startup type Automatic, so change it to Disabled. Looking further up the list you will find a service called AppCPI whose executable points to QoSserver.exe (the reason is explained below), as shown in Figure 11. Open the registry again, go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppCPI, delete the AppCPI key and reboot; then delete the QoSserver service and finally the backdoor files from the WINNT\system32 directory.
I struggled with this backdoor for more than three hours and rebooted n times. The reason: even after the QoSserver service was deleted, the backdoor was still running and the QoSserver service in the service list was "resurrected". Later I learned why: after I deleted the QoSserver service and rebooted, the QoSserver.dll inserted in the Lsass process restored the QoSserver service and created another service, AppCPI. So the AppCPI service must be deleted from the registry as well to clear the backdoor. You can see that the self-protection of today's backdoors is really something.
Note: after deleting the QoSserver service and rebooting, change the startup type of the restored QoSserver service to "Disabled"; otherwise, even with the AppCPI service deleted, the QoSserver service will run again.
III. Preventing DLL backdoors
After the examples above I think everyone has some idea of how to remove a DLL backdoor, but in practice a DLL backdoor does not use its default file name, so you cannot be sure whether you are really looking at one. For DLL backdoors, as for most backdoors, the system32 directory is a favourite location, so pay special attention to it. Let me describe in detail how to find a DLL backdoor, hoping it helps everyone.
1. After installing the system and all applications, back up the list of EXE and DLL files in the system32 directory: open CMD, change to the WINNT\system32 directory and run: dir *.exe >exe.txt & dir *.dll >dll.txt, so that all EXE and DLL files are recorded in exe.txt and dll.txt. Later, if anything abnormal is noticed, record the EXE and DLL files again with the same command (say into exe0.txt and dll0.txt) and run: fc exe.txt exe0.txt >exedll.txt & fc dll.txt dll0.txt >>exedll.txt, which compares the two EXE listings and the two DLL listings with the FC command and saves the result in exedll.txt. This reveals any extra EXE and DLL files, and whether one is a DLL backdoor can then be judged from its size and creation time.
2. Use a memory/module tool to see which DLLs a process has loaded, such as Windows Process Management 2.5 in Windows Optimizer. That shows which DLLs each process has called, and combined with the FC results above it helps confirm whether a DLL backdoor has been caught. If you do not have Windows Optimizer, you can use TaskList; this small tool also shows the DLLs loaded by a process, and it comes with source code so it is easy to modify.
3. An ordinary backdoor needs to open a specific port for its connection, and a DLL backdoor is no exception: however well hidden it is, a port has to be open while it is connected. Use netstat -an to check all TCP/UDP connections and look for illegitimate ones. You should know which ports you have opened yourself and understand the state column in the netstat -an output. You can also use Fport to map ports to processes, which gives a full picture of any unknown connections and ports on the system.
4. Regularly check the places the system loads automatically: the registry, Winstart.bat, Autoexec.bat, win.ini, system.ini, wininit.ini, Autorun.inf, Config.sys and so on. Also manage your services and know the system's default ones; when a suspicious service is found, it can be deleted with SC from the Windows 2000 Server Resource Kit. All these places can be used to load a DLL backdoor's loader, and once the loader is removed, how can the DLL backdoor run at all?
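Method 1 above compares directory listings, which cannot catch a DLL that was swapped for one of the same name and size (the BITS.dll case). As an added example that is not from the original article, here is the same baseline idea carried out with SHA-256 hashes; $BaselinePath is an assumed location and the script is meant to run from an elevated PowerShell.

```powershell
# Added example, not from the original article: hash baseline of the EXE and DLL files
# in system32, and a comparison that reports added, removed and modified files.
# Run New-FileBaseline once on a freshly installed system, Compare-FileBaseline when in doubt.

$Target       = Join-Path $env:SystemRoot 'System32'
$BaselinePath = Join-Path $env:ProgramData 'system32-baseline.csv'   # assumed location

function Get-TargetFiles {
    param([string]$Path)
    # Non-recursive, like "dir *.exe" in the article; the wildcard makes -Include apply.
    Get-ChildItem -Path (Join-Path $Path '*') -Include '*.exe', '*.dll' -File -ErrorAction SilentlyContinue
}

function New-FileBaseline {
    param([string]$Path = $Target, [string]$OutFile = $BaselinePath)
    Get-TargetFiles -Path $Path | ForEach-Object {
        [pscustomobject]@{
            Path    = $_.FullName
            Sha256  = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            Length  = $_.Length
            Created = $_.CreationTimeUtc.ToString('o')
        }
    } | Export-Csv -LiteralPath $OutFile -NoTypeInformation
}

function Compare-FileBaseline {
    param([string]$Path = $Target, [string]$BaselineFile = $BaselinePath)
    $old = @{}
    Import-Csv -LiteralPath $BaselineFile | ForEach-Object { $old[$_.Path] = $_ }
    $seen = @{}
    Get-TargetFiles -Path $Path | ForEach-Object {
        $seen[$_.FullName] = $true
        $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        if (-not $old.ContainsKey($_.FullName)) {
            # A new file: the case the article's dir/fc comparison also finds.
            [pscustomobject]@{ Change = 'ADDED'; Path = $_.FullName; Created = $_.CreationTimeUtc }
        } elseif ($old[$_.FullName].Sha256 -ne $hash) {
            # Same name, different contents: a replaced system DLL.
            [pscustomobject]@{ Change = 'MODIFIED'; Path = $_.FullName; Created = $_.CreationTimeUtc }
        }
    }
    foreach ($p in $old.Keys) {
        if (-not $seen.ContainsKey($p)) {
            [pscustomobject]@{ Change = 'REMOVED'; Path = $p; Created = $null }
        }
    }
}

# Compare-FileBaseline | Sort-Object Change, Path | Format-Table -AutoSize
```

Legitimate updates also show up as MODIFIED, so refresh the baseline after each patch cycle and treat anything that changed outside a patch window as worth a closer look with the module and netstat checks above.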
With the methods above, I think most DLL backdoors can be "exposed". If you make backups regularly, finding a DLL backdoor becomes twice as easy.
Postscript
This article has introduced DLL backdoors in some detail. As you can see from the above, a DLL backdoor is not as terrible as expected, and removing one is fairly simple. As I said at the beginning: I hope this clumsy article is of some help to you. If there are mistakes in the text, please forgive me, thank you!