Tuesday, October 26, 2010

Trojans: the DLL Trojan (from static to dynamic linking)



I believe that anyone who has spent time playing with Trojan horses knows some of their characteristics and has a favourite horse of their own, but many people still do not know what the "DLL Trojans" that have appeared in recent years actually are. What does "DLL Trojan" mean, and how does it differ from an ordinary Trojan?

I. Starting with DLL technology

To understand DLL Trojans you must first know what a "DLL" is, so let us go back a few years to the days when DOS was popular. Writing a program was a laborious business then, because every program's code was independent: to implement a feature you often had to write a great deal of code yourself. As programming matured, programmers collected frequently used code (common code) into separate files and called such a file a "library". When writing a program, the library could be handed to the compiler, and the program could then use everything the library contained without the programmer writing it again. This technique is known as "static linking" (Static Link). Static linking relieved a lot of programmers' fatigue and everything seemed fine. But facts prove that good things do not last: static linking behaves like a rude salesperson who stuffs everything into your hands whether you want it or not. If you write a program that wants one graphic effect from a library, the whole library, every graphic effect in it, is carried into your program and kept there like a decorative vase. That might not matter much, except that these vases block the road: with static linking the final program becomes big, because the compiler has copied the entire library file into it.

As the times moved on, the natural disadvantages of static linking could no longer satisfy programmers' aspirations, and people started looking for a better way to solve the code-duplication problem. Then Windows arrived, and the watershed finally came. Windows uses a new linking technique known as "dynamic linking" (Dynamic Link). It still uses library files, which Microsoft calls "dynamic link libraries" (Dynamic Link Library), and that is where the name DLL comes from. Dynamic linking and static linking are no different in aim: common code is still written into independent files. The difference is in the compiled result. Instead of copying the library into the program, the library is itself compiled into a program-like file that exposes interfaces for exchanging data. When a programmer's program wants to use a function from such a library, the system loads the library file into memory, connects it to the calling program's process, executes the required function, and returns the result to the process; from our point of view it looks exactly as if the function were the program's own. Once the required functionality has completed, the DLL stops running and the whole call is finished. Microsoft lets these libraries be called by many programs, giving much better sharing: whatever program a programmer writes, adding a call to the relevant DLL gives the program that DLL's full functionality. Most importantly, a DLL never makes you carry an extra vase: it gives you what you want and nothing else. Programs no longer carry piles of rubbish around. It is a buffet that will never let you take leftovers home, on pain of a fine.

Once DLL technology was born, programming became a simpler matter. Windows provides us with thousands of function interfaces, sufficient to meet the needs of most programmers. Moreover, Windows itself is composed of thousands of DLL files that support each other to form a powerful system. If Windows used static linking, how big would it be? I dare not think.

II. The application programming interface (API)

Above we gave a rough analysis of DLL technology, and I mentioned an "interface". What is that? Because a DLL cannot be compiled into a program the way a static library is, the question of how a program knows where the code is and how to reach its functionality had to be solved. Microsoft therefore produced a standard DLL technical specification: a DLL file is like a piece of cheese with many holes, each hole labelled with the name of the function stored inside, and a program only has to locate the right hole according to the standard to get a taste. These holes are the "application programming interface" (Application Programming Interface, API). Because each DLL's interface is different, code duplication is reduced as far as possible. In Steven's words: the API is a toolbox; you take out the screwdriver or wrench you need and put it back when you are done. In Windows the three basic DLL files are kernel32.dll, user32.dll and gdi32.dll. Together they form the basic framework of the system.

III. DLLs and Trojans

A DLL is compiled code with no major difference from an ordinary program, except that it cannot run independently and must be called by a process. So what relationship can a DLL have with Trojans? If you have learned programming and written a DLL, you will have found that a DLL's code is almost no different from that of other programs; only the interface and the way it is started differ, and with a small change to the code's entry point a DLL becomes a standalone program. Of course, a DLL is not an application, and I am not saying that DLL = EXE; but a DLL can still be seen as an EXE missing its main entry point, with its various exported functions seen as the program's functional modules. A DLL Trojan is a DLL file that contains the code implementing the Trojan's functionality plus some specially written code, and exports the related APIs. From the outside it is an ordinary DLL, but one that carries complete Trojan functionality. That is the concept of a DLL Trojan. Some may ask: since the same code implements the Trojan's functionality, why not simply write it as a program instead of going to the extra trouble of a DLL? The answer is concealment. At run time the DLL is linked directly into the process of the program that calls it and does not produce a process of its own, so compared with a traditional EXE Trojan it is much harder to find.

IV. How a DLL runs

Although a DLL cannot run on its own, Windows requires an entry function when loading it, just like the main function of an EXE; otherwise the system cannot reference the DLL. So, according to the specification, when Windows loads a DLL it must find and execute a function inside it called DllMain as the basis for loading. This function is not an exported API but an internal function, and a DLL's DllMain function must be kept in memory. Some DLLs have no DllMain function yet can still be used, because when Windows cannot find a DllMain it runs a default DllMain from another library that does nothing, so that the DLL can still be loaded. That does not mean a DLL can do without DllMain.

V. Technical analysis of DLL Trojans

By this point you might think: since DLL Trojans have so many benefits, won't every Trojan from now on be written as a DLL? Although the answer is yes in principle, some people find that DLL Trojans are not so easy to write. To use a DLL to write a Trojan, you need to know rather more.

1. The Trojan body

Do not write a Trojan the way an API library module is written; this is not Win API development. A Trojan DLL can export several auxiliary functions, but there must be a procedure that carries the main execution code; otherwise the DLL is only a pile of fragmented API functions and cannot do any work.

If some common code is involved, write it as internal functions inside the DLL for the DLL's own use, rather than opening all of the code up as interfaces.

The standard entry point of a Trojan DLL is DllMain, so the Trojan's running code must be written into DllMain, or DllMain must point to the module that implements the DLL Trojan.

2. Dynamic Embedding

In Windows every process has its own private memory space, and another process is not allowed to operate on that private area; but in fact we can still use other means to enter and manipulate a process's private memory, and this is dynamic embedding: the technique of embedding one's own code into a running process. There are many kinds of dynamic embedding; the most common are hooks, API hooking and the remote thread technique, and most DLL Trojans today use the remote thread technique to hang themselves inside a normal system process. Dynamic embedding is actually not rare: Logitech's MouseWare driver hangs itself in every system process -_-

The remote thread technique means having one process create a thread (a remote thread, RemoteThread) inside another process's memory address space. In DLL Trojan circles this technique is also called "injection". When the vector is injected into the process, it creates a remote thread inside it and orders that thread to load the Trojan DLL; the Trojan then runs hanging in that process, with no new process created, and the only way to stop the Trojan DLL is to end the process it is mounted in. But very often we can do nothing about it: it hangs together with Explorer.exe, and are you sure you want to close Windows?

3. Starting the Trojan

Some may wonder whether it isn't enough to put the DLL straight into a system startup item. The answer is no: as I said before, a DLL cannot run independently, so it cannot be started directly from a startup item. To get the horse running, an EXE is needed that uses the dynamic embedding technique to make the horse latch onto another normal process, so that the process it is embedded in calls the DLL's DllMain function and brings the horse to life; finally the starting EXE exits, and the Trojan's startup is complete.

The EXE that launches the Trojan DLL plays an important role; it is called the Loader. Without the Loader the DLL Trojan is a broken pile, so a DLL Trojan that can be considered mature will try hard to protect its Loader from being destroyed so easily. Do you remember the story of the wolf and the bei colluding? The DLL Trojan is the bei riding on the back of its wolf, the Loader.

Loaders come in many forms. Windows's own rundll32.exe is used as the Loader by a number of DLL Trojans. Such Trojans usually do not use dynamic embedding at all: they run hanging directly in the rundll32 process, using rundll32's invocation form (rundll32.exe [DLL name], [function] [arguments]) to call the API that starts the Trojan DLL module, as if it were an ordinary exported function. Even if you kill rundll32, the Trojan's body remains. One of the most common examples is 3721's Chinese real-name software, although it is not a Trojan.

The AppInit_DLLs registry key is also used by a number of Trojans, such as Klez, to launch themselves. Starting through the registry lets the system itself execute DllMain and so start the Trojan. Because the DLL is taken into the kernel, its stability requirements are very high: a small mistake can crash the system, so this kind of Trojan is rarely seen.

Some more sophisticated DLL Trojans are launched by svchost.exe. Such a Trojan DLL must be written as an NT service, with ServiceMain as its entry function. They are generally rare, but their concealment is good and the Loader is secure.

4. Other

By now everyone should understand DLL Trojans; are you itching to write one? Don't hurry. Have you wondered why, if DLL Trojans are so good, so few of them are found? Let me pour some cold water: the most important reason is that a DLL Trojan runs hanging in a system process, and if it is badly written, for example failing to guard against running wrong code or not strictly checking user input, the DLL will crash on an error. For an ordinary EXE that is just the end of that program, but a crashing DLL drags down the process it hangs in with it, and don't forget it is hanging in a system process: the end is... miserable. So a DLL Trojan needs far more troubleshooting and checking before release than an ordinary EXE Trojan, enough to upset whoever writes it...

VI. Detecting and removing DLL Trojans

The startup items are where the Loader lives, so look carefully there for unfamiliar and suspicious entries; once the wolf is killed, the bei can no longer run wild. Finding the body of a DLL Trojan is harder and needs some programming knowledge and analytical ability: find the DLL's name from the Loader, or look at which strange DLLs are hooked into the processes. For a novice that is, in a word, hard, very hard, so the simplest way is anti-virus software and a firewall (not a panacea; do not rely on them for long).
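As an added example (my own script, not the article's code), here is a PowerShell triage pass over the Loader locations the article names, AppInit_DLLs, rundll32 autorun entries and svchost-hosted service DLLs, plus a scan for DLLs loaded into running processes from outside the usual system directories. It assumes the standard Windows registry locations and an elevated shell; the list of trusted directories is a heuristic of mine, not a Windows rule.

```powershell
# Added example, not from the original article: triage of the Loader paths the article
# names (AppInit_DLLs, rundll32 autoruns, svchost service DLLs) and of DLLs loaded into
# processes from unusual locations. Run elevated. The trusted-directory list is a heuristic.
$trusted = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\") |
    Where-Object { $_.Length -gt 1 }   # drop the empty entry on 32-bit systems
function Test-TrustedPath([string]$Path) {
    foreach ($t in $trusted) { if ($Path -like "$t*") { return $true } }
    return $false
}

# 1. AppInit_DLLs: every DLL listed here is loaded into each process that loads user32.dll.
$appInitKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$appInit = (Get-ItemProperty -Path $appInitKey -ErrorAction SilentlyContinue).AppInit_DLLs
if ($appInit) { Write-Output "AppInit_DLLs is set: $appInit" }

# 2. Autorun entries that use rundll32.exe as the Loader for a DLL.
$runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Value -is [string] -and $p.Value -match 'rundll32') {
            Write-Output "rundll32 autorun: $key\$($p.Name) = $($p.Value)"
        }
    }
}

# 3. svchost-hosted services: the DLL that actually runs is named in Parameters\ServiceDll.
Get-CimInstance Win32_Service | Where-Object { $_.PathName -match 'svchost\.exe' } | ForEach-Object {
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$($_.Name)\Parameters"
    $dll = (Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue).ServiceDll
    if ($dll) {
        $expanded = [Environment]::ExpandEnvironmentVariables($dll)
        if (-not (Test-TrustedPath $expanded)) { Write-Output "service $($_.Name) loads ServiceDll from unusual path: $expanded" }
    }
}

# 4. Modules loaded into running processes from outside the trusted directories.
foreach ($proc in Get-Process) {
    try { $mods = $proc.Modules } catch { continue }   # protected or cross-bitness processes deny access
    foreach ($m in $mods) {
        if ($m.FileName -and -not (Test-TrustedPath $m.FileName)) {
            Write-Output "$($proc.ProcessName) (PID $($proc.Id)) loaded $($m.FileName)"
        }
    }
}
```

The output is a list of leads for investigation, not a verdict: legitimate software also loads DLLs from its own install directory, so each hit should be checked against its file's publisher and signature.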



Monday, October 18, 2010

Who is paying for "Green Dam"?



Recently the ministry issued a document mandating the nationwide installation on computers of the "Green Dam - Youth Escort" software for filtering vulgar content. The news caused a national uproar: according to a People's Network public opinion poll, only 5% supported installing the "Green Dam" software, while 87% of Internet users opposed installing it. For various reasons, the installation of "Green Dam" had to be postponed.

