What does Trojan Horse mean?

Classification: Computer/Network >> Anti-virus

Analysis:

What is a Trojan horse?

A Trojan horse (hereinafter "Trojan") is called "Trojan Horse" in English; the name is taken from the Trojan horse of Greek mythology.

It is a hacker tool based on remote control, and it has two defining characteristics: concealment and unauthorized access.

Concealment means that the Trojan's designer uses every possible means to hide the Trojan so that it is not discovered; even if the server side (the infected machine) realizes it has been infected, it can only "look at the horse and sigh", because it cannot tell where the Trojan is.

Unauthorized access means that once the control end connects to the server side, the control end gains most of the operating rights on that machine, including modifying files, modifying the registry, and controlling the mouse and keyboard. These rights were never granted by the server side; they are stolen by the Trojan program.

Judging by its development, the Trojan horse can be divided into roughly two stages.

At first, networks were still in the UNIX era, and that is when the Trojan horse was born. Trojan programs of that period were relatively simple in function: typically a piece of code was embedded in a system file and jump instructions were used to execute a few Trojan functions. During this period the designers and users of Trojans were mostly technical people, who needed considerable knowledge of networking and programming.

Later, as the Windows platform became popular, Trojan programs with graphical interfaces appeared. The improved user interface let people operate Trojans skillfully without much specialist knowledge, so Trojan intrusions became correspondingly frequent, and because Trojan functionality kept improving during this period, the damage done to the server side grew even greater.

That is how the Trojan horse has developed to where it is today. Once your computer is controlled by a Trojan, it has no secrets left.

-

The secret of the DLL Trojan horse

I believe that readers who often experiment with Trojans know the characteristics of some of them and have their own favourites. However, many still do not know what the "DLL Trojan" that has appeared in recent years actually is. What is a "DLL Trojan"? How does it differ from an ordinary Trojan?

First, starting from DLL technology

To understand DLL Trojans we first need to know what "DLL" means, so let us go back a few years to when the DOS system was popular. Writing programs then was tedious, because the code of every program was independent: sometimes a great deal of code had to be written just to implement one function. Later, as programming technology developed, programmers put large amounts of commonly used code (general-purpose code) into a separate file and called that file a "library". When writing a program, they could use the library simply by adding it to the compiler's input. This static linking technology let weary programmers breathe a sigh of relief, and everything looked beautiful. But good things do not last: static linking is like a rude salesman who hands you the whole catalogue whether you want it or not. The author only wants to use the graphics effects in the library file, yet every graphics effect the library carries must be added to the program, where it sits like a vase. That would not matter, except that the vases get in the way: static linking makes the final program very large, because the compiler counts the whole library file into it.

As time went on, static linking could no longer satisfy programmers because of these inherent shortcomings, and people began looking for a better way to solve the problem of duplicated code. Then the Windows system appeared, and with it the watershed of the era: Windows uses a new linking technology. This new technology, called "dynamic linking", also uses library files; Microsoft calls them "dynamic link libraries", hence the name DLL. Dynamic linking is no different from static linking in principle, in that commonly used code is written into separate files. However, at compile time Microsoft took a different route and did not add the library file into the program. Instead, the library file is itself made into a compiled program file, with an interface opened for exchanging data. When a programmer's code uses a function from a library file, the system loads that library file into memory, attaches it to the process of the calling program, executes the function the program needs, and returns the result to the program for display, so that to us it looks exactly like a function of the program itself. After the required function completes, the DLL stops running and the whole calling process ends. Microsoft lets these library files be called by many programs, achieving perfect sharing: no matter what program a programmer writes, adding a call to the relevant DLL in the code makes all of its functions available. Most importantly, a DLL never makes you take an extra vase: it gives you what you want and nothing you do not want. A program written this way no longer carries a pile of garbage. It never lets you take leftovers home, or you get fined: this is a buffet.

The birth of DLL technology made programming simple. Windows provides thousands of function interfaces, enough to meet the needs of most programmers. Moreover, the Windows system itself consists of thousands of DLL files that support one another and together form the powerful Windows system. How big would Windows be if it were built with static linking? I dare not think about it.

Second, the application programming interface (API)

Above we gave a general analysis of DLL technology, in which I mentioned an "interface". What is that? Because a DLL cannot be stuffed into a program the way a static library can, how the program learns which code and which file implement a function becomes a problem. Microsoft therefore made a standard specification for DLL technology: a DLL file is opened up with many holes, like a cheese, and each hole is labelled with the name of the function stored in it. As long as the program finds the relevant hole according to the specification, it gets the delicacy it wants. These holes are the "application programming interface", and each DLL's interface is different, which minimizes code duplication. In Steven's words: an API is a toolbox; you take out a screwdriver or a wrench as needed and put it back when you are done. In Windows, the three basic DLL files are kernel32.dll, user32.dll and gdi32.dll; together they form the basic system framework.

Third, DLLs and Trojans

A DLL is compiled code, not much different from an ordinary program, except that it cannot run on its own and needs a program to call it. So what is the relationship between DLLs and Trojans? If you have studied programming and written a DLL, you will have found that a DLL's code is almost the same as that of any other program; only the interface and the startup method differ. Change the code entry point and the DLL becomes an independent program. Of course, a DLL file has no program flow of its own, so this does not mean DLL = EXE. Still, a DLL can be regarded as an EXE without a main entry, and each exported function of the DLL can be regarded as one functional module of a program. A DLL Trojan is the code that implements the Trojan's functions, plus some special code, written into a DLL file that exports the related API. To others it is just an ordinary DLL, yet it carries complete Trojan functionality; that is the concept of the DLL Trojan. Someone may ask: since the same code can implement the Trojan's functions, why not just make it a program directly? Why write it as a DLL? The answer is concealment: at run time the DLL hangs directly inside the process of the program that calls it and generates no process of its own, so it is much harder to find than a traditional EXE Trojan.

Fourth, how a DLL runs

Although a DLL cannot run on its own, Windows needs an entry function when loading it, just like the main of an EXE; otherwise the system cannot reference the DLL. According to the writing specification, Windows must therefore find and execute a function named DllMain in the DLL as the basis for loading it. This function is not exported as an API; it is an internal function. DllMain is what lets the DLL stay resident in memory. Some DLLs have no DllMain function and can still be used; this is because when Windows cannot find DllMain, it finds a default DllMain from another runtime library to start the DLL so that it can be loaded. That does not mean a DLL can do without DllMain.

Fifth, DLL Trojan technology analysis

At this point you may think: since DLL Trojans have so many advantages, wouldn't it be good to write all Trojans as DLLs from now on? True, but a DLL Trojan is not as easy to write as some people imagine. To write a usable Trojan DLL, you need to know more.

1. The main body of the Trojan

Don't write the Trojan module as if it were an API library; this is not WinAPI development. A DLL Trojan may export a few auxiliary functions, but there must be one routine responsible for the main execution code; otherwise the DLL is just a heap of scattered API functions and cannot work at all.

If common code is involved, write it as internal functions for your own use inside the DLL rather than opening all of the code as interfaces, which makes it hard to call and even harder to make useful.

The standard execution entry of a DLL Trojan is DllMain, so the running code of the DLL Trojan must be written in DllMain, or DllMain must point to the Trojan's execution module.

2. Dynamic embedding technology

In Windows, each process has its own private memory space, and other processes are not allowed to operate on that private area. In practice, however, various methods can still access and operate on a process's private memory. These methods are called dynamic embedding: technology for embedding one's own code in a running process. There are many kinds of dynamic embedding; the most common are hooks, API-based techniques and remote threads. At present most DLL Trojans use remote thread technology to hang themselves inside a normal system process. Dynamic embedding is in fact not unusual: Logitech's MouseWare driver hangs itself in every system process -_-

Remote thread technology creates a remote thread inside another process in order to enter that process's memory address space. In the context of DLL Trojans this technology is also called "injection". The carrier creates a remote thread in the injected process and orders it to load a DLL; the Trojan then hangs there and executes, and no new process appears. To stop the Trojan you must stop the process hosting the Trojan DLL, but often nothing can be done about it: if the host is Explorer.exe, are you sure you want to shut down Windows?

3. How the Trojan starts

Some people may be eager to say: just add this DLL to the system startup items. The answer is no. As mentioned earlier, a DLL cannot run on its own, so it cannot be started directly from a startup item. For the Trojan to run, an EXE is needed that uses dynamic embedding to attach the DLL to some other normal process, so that the process it is embedded in calls the DLL's DllMain function and thereby starts the Trojan. Finally, the EXE that launched the Trojan exits, and the Trojan is up and running.

The EXE that starts the DLL Trojan plays an important role. It is called the loader. Without the loader the DLL Trojan is a pile of junk, so a mature DLL Trojan will try to protect its loader from being easily destroyed. Remember the idiom of the wolf and the bei, the lame creature that can only move by riding on the wolf's back? The DLL Trojan is the bei, riding on its wolf, the loader.

Loaders come in many forms; rundll32.exe of Windows is also used as a loader by some DLL Trojans. Such a Trojan generally has no dynamic embedding technology, so it runs directly in the rundll32 process, using the rundll32 method (rundll32.exe [dll name],[function] [parameter]) to reference the DLL's startup function, like calling an API, so that the Trojan module begins executing. Even if you kill rundll32, the Trojan itself still exists. One of the most common examples is the 3721 "Internet Keywords" (网络实名) plugin, although it is not a Trojan.

The AppInit_DLLs key in the registry is also used by some Trojans to start themselves, for instance the "cover letter" virus. Starting through the registry lets the system execute DllMain to start the Trojan. Because the DLL is called in by the system core, the demands on its stability are very high, and a slight error crashes the system, so this kind of Trojan is rare.

Some more complex DLL Trojans are started by svchost.exe. Such a DLL Trojan must be written as an NT service whose entry function is ServiceMain. This is rare in general, but the Trojan's concealment is good and its loader is guaranteed.

4. Others

By now everyone should know something about DLL Trojans. Do you really want to write one? Not so fast; I don't know whether you have thought about this: if DLL Trojans are so good, why have so few of them been found so far? Let me pour some cold water on the idea. There is only one important reason: because a DLL Trojan runs inside a system process, if it is poorly written (for example, with no code to guard against faulty execution, or without strictly checking user input) the DLL will go wrong and crash. Don't be alarmed, an ordinary EXE dies the same way, but when a DLL collapses, the program it hangs in suffers too. Don't forget that it hangs in a system process, and the ending is... terrible. So writing a reliable DLL Trojan takes far more debugging effort than an ordinary EXE Trojan, and writing too much of it gets annoying...

Sixth, discovering and removing DLL Trojans

Always check whether unexplained extra items have appeared in the startup items; that is where the loader lives. Kill the wolf and the bei cannot run wild any more. Finding the body of the DLL Trojan is harder: it takes some programming knowledge and analytical ability to look up the DLL's name inside the loader, or to see which strange DLL has hooked itself into a process, and this is difficult for beginners... In short, it is very hard, so the simplest methods remain antivirus software and a firewall (not omnipotent, and don't rely on them unconditionally).
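As an added example (not part of the original article), here is a small Python script that applies the advice from sections 3 and 6: it parses startup entries written in the page's rundll32 form (rundll32.exe [dll name],[function] [parameter]) and flags loaders whose DLL lives outside the Windows system directories, and it flags any AppInit_DLLs value. The Run-key entries, the AppInit_DLLs value and the trusted-directory list are constructed sample data; reading the live registry (for example with winreg) is left to the reader.

```python
import re
from pathlib import PureWindowsPath

# Directories where a system DLL is normally expected to live (assumption for this example).
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows"}

# Constructed sample data: Run-key entries (name -> command line) and an
# AppInit_DLLs value, in the shape you would read back from the registry.
SAMPLE_RUN = {
    "SecurityHealth": r'"C:\Windows\System32\SecurityHealthSystray.exe"',
    "svcupdate": r'rundll32.exe "C:\Users\Public\svcupd.dll",Start /h',
    "ctfmon": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
}
SAMPLE_APPINIT = r"C:\ProgramData\helper.dll"

# Matches "rundll32[.exe] <rest>", allowing a path and quotes around the executable.
RUNDLL_RE = re.compile(r'^\s*"?(?:.*[\\/])?rundll32(?:\.exe)?"?\s+(.+?)\s*$', re.I)


def parse_rundll32(cmd):
    """Split a rundll32 command line into (dll_path, entry_function, arguments),
    following rundll32.exe [dll name],[function] [parameter]; None if not rundll32."""
    m = RUNDLL_RE.match(cmd)
    if not m:
        return None
    rest = m.group(1)
    if rest.startswith('"'):                      # quoted DLL path, may contain spaces
        end = rest.index('"', 1)
        dll, tail = rest[1:end], rest[end + 1:]
    else:                                         # unquoted: the DLL ends at the first comma
        dll, _, tail = rest.partition(",")
    func, _, args = tail.lstrip(",").strip().partition(" ")
    return dll, func, args.strip()


def is_trusted_dir(path):
    """True when the file sits directly in one of TRUSTED_DIRS (case-insensitive)."""
    return str(PureWindowsPath(path).parent).lower() in TRUSTED_DIRS


def audit_startup(run_entries, appinit_value):
    """Return (entry, reason, dll) findings for startup items that load a DLL suspiciously."""
    findings = []
    for name, cmd in run_entries.items():
        parsed = parse_rundll32(cmd)
        if parsed and not is_trusted_dir(parsed[0]):
            findings.append((name, "rundll32 loader points outside system directories", parsed[0]))
    # Any non-empty AppInit_DLLs value deserves review: the listed DLLs are loaded
    # into every process that maps user32.dll, the registry start-up trick described above.
    for dll in filter(None, re.split(r"[ ,]+", appinit_value.strip())):
        findings.append(("AppInit_DLLs", "DLL injected into every user32-linked process", dll))
    return findings
```

Run `audit_startup(SAMPLE_RUN, SAMPLE_APPINIT)` to get the two findings for the constructed data; on a real machine, feed it the Run keys and AppInit_DLLs value read from the registry.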