Tuesday, October 26, 2010

DLL Trojans: from static to dynamic linking



I believe that friends who have played with Trojans know some of their characteristics and have their own favourite Trojan, but many friends still do not know what the "DLL Trojans" that have risen in recent years are. What does "DLL Trojan" mean? How does it differ from an ordinary Trojan?

I. Starting with DLL technology

To understand DLL Trojans you first have to know what a "DLL" is, so let us go back a few years, to the days when DOS was popular. Writing a program then was a laborious affair, because every program's code stood on its own, and to implement a single feature you often had to write a great deal of code. As programming developed, programmers collected the large amount of common code into separate files called "libraries" (Library). When writing a program, the library file was handed to the compiler, and the program could use every feature the library contained without the programmer writing that code himself. This technique is known as "static linking" (Static Link). Static linking relieved programmers' fatigue and everything seemed fine. But good things do not last: static linking behaves like a pushy salesperson who stuffs everything into your hands whether you want it or not. Suppose you write a program that wants a few graphics effects from a library; you end up carrying every graphics routine in that library into your program, where they sit like decorative vases that are never used. The vases clutter the hallways: because the compiler copies the whole library into the program, the finished program becomes very large.

As the era advanced, the inherent disadvantage of static linking could no longer satisfy programmers, and people began looking for a better way to solve the code duplication problem. Then Windows arrived, and the watershed finally came. Windows uses a new linking technique known as "dynamic linking" (Dynamic Link). The new technique still uses library files, which Microsoft calls "dynamic link libraries" (Dynamic Link Library), and that is where the name DLL comes from. In the library itself, static and dynamic linking differ little: common code is still written into an independent file. The difference is at compile time. Instead of copying the library into the program, the library is compiled into a program file of its own that exposes interfaces for exchanging data. When a programmer uses a feature function from a library, the system loads the library file into memory, attaches it to the calling process so that they share the process, executes the function, and returns the result to the calling program; from the outside it looks exactly as if the program had implemented the function itself. When the required functionality is finished, the DLL stops running and the whole call is complete. Microsoft lets these libraries be called by many programs, achieving much better sharing: whatever program a programmer writes, if the code includes a statement calling the relevant DLL, it can use all of that DLL's functionality. Most importantly, a DLL never makes you carry extra vases: what you ask for, it gives you; what you do not ask for, it keeps. Programs no longer drag a pile of rubbish around. It is a buffet: take what you want, but you will not be sent home with leftovers, or there is a fine.

The birth of DLL technology made programming a simple matter. Windows provides us with thousands of function interfaces, enough to satisfy the needs of most programmers. Moreover, Windows itself is composed of thousands of DLL files supporting one another, and together they form the powerful Windows system. If Windows used static linking, how big would it be? I dare not think.

II. The application programming interface (API)

Above we gave a rough analysis of DLL technology, and I mentioned an "interface". What is it? Because a DLL cannot be compiled into a program the way a static library is, there is the question of how a program knows how to find and call the functionality inside the library file. Microsoft therefore created a standard DLL technical specification that makes a DLL file resemble a cheese full of holes: each hole is labelled with the name of the functionality stored inside, and a program only has to locate the relevant hole according to the standard to get what it wants. These holes are the "application programming interface" (Application Programming Interface). Each DLL has its own interface, which reduces code duplication as far as possible. In Steven's words: the API is a toolbox; you take out the screwdriver and the wrench you need, use them, and put them back. In Windows, the three basic DLL files are kernel32.dll, user32.dll and gdi32.dll; together they form the basic framework of the system.

III. DLLs and Trojans

A DLL is compiled code and does not differ much from an ordinary program, except that it cannot run independently and must be called by a process. So what does a DLL have to do with Trojans? If you have learned programming and written a DLL, you will have found that a DLL's code is almost no different from any other program's; only the interface and the startup method differ. Change the code entry point a little and a DLL becomes a standalone program. Of course, the application logic is not in the DLL, and I am not saying DLL = EXE; still, a DLL can be regarded as an EXE missing its main entry point, and the DLL's various functions as the function modules of a program. A DLL Trojan is the code that implements the Trojan's functionality, plus some specially written code, compiled into a DLL file that exports the related API. From the outside it looks like an ordinary DLL, but this DLL carries complete Trojan functionality: that is the concept of a DLL Trojan. Some may ask: since the same code achieves the Trojan's functionality, why not compile it directly into a program instead of going to the extra trouble of writing a DLL? The purpose is concealment. At run time the DLL is linked directly into the process that calls it and does not produce another process, so compared with a traditional EXE Trojan it is much harder to find.

IV. How a DLL runs

Although a DLL cannot run on its own, Windows requires an entry function when loading a DLL, just as an EXE requires main; otherwise the system cannot reference the DLL. So, by the writing specification, when Windows loads a DLL it must find and execute a function inside the DLL called DllMain, and uses it as the basis for loading the DLL. This function is not exported as an API; it is an internal function. The DllMain function must stay in memory. Some DLLs have no DllMain function of their own and can still be used, because when Windows cannot find a DllMain it takes a default DllMain function, which does nothing, from another runtime library and uses it to activate the DLL so that it can be loaded. So a DLL cannot do without a DllMain function.

V. Technical analysis of DLL Trojans

Having read this far, you may think: since DLL Trojans have so many advantages, why are Trojans not all written as DLLs? It sounds good, but writing a DLL Trojan is not as easy as some people think. To write a Trojan as a DLL you need to know quite a bit more.

1. The Trojan body

Do not write a Trojan DLL as if it were an API library module; this is not WINAPI development. A Trojan DLL may export several auxiliary functions, but there must be one procedure that carries out the main code; otherwise the DLL is just a pile of fragmented API functions that never do any work.

If some common code is involved, you can write it as internal functions inside the DLL for the DLL's own use, rather than opening all the code up as interfaces; that way the DLL can call it itself, but outsiders cannot.

The standard entry point of a Trojan DLL is DllMain, so the Trojan's running code must be written in DllMain, or DllMain must point to the DLL Trojan's execution module.

2. Dynamic embedding

In Windows, each process has its own private memory space, and other processes are not allowed to operate on that private area. In practice, however, we can still use other means to enter and manipulate a process's private memory; this is dynamic embedding, the technique of embedding one's own code into a running process. There are many kinds of dynamic embedding; the most common are hooks, API hooking and the remote-thread technique, and most DLL Trojans today use the remote-thread technique to hang themselves in a normal system process. Dynamic embedding is actually not unusual: Logitech's MouseWare driver hangs on every system process -_-

The remote-thread technique creates a thread (RemoteThread) inside another process and thereby enters that process's memory address space. In the DLL Trojan field this technique is also called "injection". Once the carrier has been injected, it creates a remote thread inside the process and orders it to load the Trojan DLL; the Trojan then hangs there and runs, and no new process is produced. To stop the Trojan you have to stop the process it is hanging in and unload the Trojan DLL. But often we can do nothing about it: it hangs in Explorer.exe, and are you sure you want to close Windows?

3. Trojan startup

Some people may be impatient: can't we just put the DLL into the startup items? The answer is NO. As I said before, a DLL cannot run independently, so it cannot be started directly from a startup item. To get the Trojan running, you need an EXE that uses the dynamic embedding technique to hang the DLL onto another normal process, so that the process calls the DLL's DllMain function and activates the Trojan. Finally the Trojan EXE that did the launching exits, and the Trojan's startup is complete.

The EXE that launches the DLL Trojan plays an important role: it is called the Loader. Without the Loader, the DLL Trojan is a pile of broken pieces, so a mature DLL Trojan will try to protect its Loader from being destroyed easily. Remember the idiom about the wolf and the bei conspiring? The DLL Trojan is the wolf, and its Loader is the bei it rides on.

Loaders come in many forms. Windows's own rundll32.exe is used by a number of DLL Trojans as the Loader. This kind of Trojan usually does not use dynamic embedding; it simply hangs in the rundll32 process and runs, using the rundll32 syntax (rundll32.exe [DLL name], [function] [arguments]) to call the exported function that serves as the start function and activate the Trojan DLL module. Even if you kill rundll32, the Trojan's body is still there. One of the most common examples is 3721 Chinese Real Name, although it is not a Trojan.

The AppInit_DLLs registry key is also used by a number of Trojans to launch themselves, for example Klez. Starting through this registry key lets the system execute the DLL's DllMain and thereby start the Trojan. Because the loading is handed over to the kernel, this places great demands on the DLL's stability: a small mistake can crash the system, so such Trojans are rarely seen.

Some more sophisticated DLL Trojans are launched through svchost.exe. Such a Trojan DLL must be written as an NT service, with ServiceMain as its entry function. They are generally rare, but this kind of Trojan hides well and its Loader is secure.

4. Other

By now everyone should understand DLL Trojans. Itching to write one? Don't hurry; I wonder whether you have thought about this: if DLL Trojans are so good, why are so few of them found? Let me pour cold water on it. The most important reason is that a DLL Trojan runs hung inside a system process, so if it is badly written, for example it fails to guard against errors in the running code or does not strictly check user input, an error in the DLL will crash it. Don't panic: if this were an ordinary EXE it would simply be finished, but a DLL that crashes takes the process it hangs in down with it, and do not forget that it is hooked into a system process, so the end is... miserable. That is why a DLL Trojan needs far more error checking and testing before release than an ordinary EXE Trojan, and writing one is a headache...

VI. Detecting and removing DLL Trojans

Look at the startup items often; the mysterious entries there are where the Loader hides. Once the bei is killed, the wolf can no longer run wild. Finding the body of the DLL Trojan is harder and needs some programming knowledge and analytical ability: find the DLL's name from the Loader, or look through the processes to see which strange DLLs are hanging in them. For a novice, in a word, this is hard, very hard, so the easiest way is anti-virus software and a firewall (not a cure-all, and do not rely on them alone for long).
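As an added example that is not part of the original article, the read-only PowerShell triage script below checks the three launch paths the article describes: the startup items where the Loader lives (flagging rundll32-style entries), the AppInit_DLLs value, and DLLs hanging in a system process that are either outside the Windows directory or not signed. The registry paths and the choice of explorer.exe as the process to inspect are assumptions for the example; it reads the system and prints leads, changing nothing.

```powershell
# Added example, not the article's own code: read-only triage of the launch paths
# described above. Run from an elevated prompt so that module lists of system
# processes can be read. Registry paths and the inspected process are assumptions.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# 1. Startup items: an entry that launches rundll32.exe <dll>,<function> matches the
#    Loader pattern the article describes, so it is marked for closer inspection.
"== Startup items =="
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        $flag = if ("$($p.Value)" -match 'rundll32') { 'RUNDLL32' } else { '' }
        '{0,-8} {1}\{2} = {3}' -f $flag, $key, $p.Name, $p.Value
    }
}

# 2. AppInit_DLLs: a non-empty value means the listed DLLs are loaded into every
#    process that loads user32.dll; LoadAppInit_DLLs controls whether the list is honoured.
"== AppInit_DLLs =="
$windowsKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$appInit = Get-ItemProperty -Path $windowsKey
"AppInit_DLLs     = '{0}'" -f $appInit.AppInit_DLLs
"LoadAppInit_DLLs = {0}" -f $appInit.LoadAppInit_DLLs

# 3. Modules hanging in a system process: list DLLs in explorer.exe that live outside
#    the Windows directory or whose Authenticode signature is not valid.
"== Unusual modules in explorer.exe =="
$windir = $env:WINDIR
$leads = foreach ($proc in Get-Process -Name explorer -ErrorAction SilentlyContinue) {
    foreach ($m in $proc.Modules) {
        $path = $m.FileName
        $sig = Get-AuthenticodeSignature -FilePath $path
        $outside = -not $path.StartsWith($windir, [System.StringComparison]::OrdinalIgnoreCase)
        if ($outside -or $sig.Status -ne 'Valid') {
            [pscustomobject]@{
                Process   = $proc.ProcessName
                PID       = $proc.Id
                Module    = $path
                Signature = $sig.Status
            }
        }
    }
}
$leads | Format-Table -AutoSize
```

Treat the output as leads rather than verdicts: on older PowerShell versions Get-AuthenticodeSignature does not consult the Windows catalog, so catalog-signed system DLLs can show up as NotSigned, and legitimate third-party software (the article's MouseWare example) will also appear in the module list. The value of the script is in comparing a machine against a known-good baseline, which is exactly the "strange DLL in a process" check the article recommends.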
