3. How to insert a process
(1) Insert DLL using the registry
The trick of the early process insertion * was to achieve the purpose of inserting a process by modifying [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs] in the registry. The disadvantage is that it is not real-time. After modifying the registry, it needs to be restarted before the process insertion can be completed.
(2) Use a hook to insert the DLL
In a more advanced and hidden way, the process is inserted through the system hook mechanism (i.e., "Hook", similar to the "interrupt" in the DOS era) (some stolen QQ *s and keyboard record *s inserted into other processes in the Hook mode to "stole the dog"), and the SetWindows HookEx function (also a Win32 API function). The disadvantage is that the technical threshold is high and the program debugging is difficult. The producer of this * must have a considerable Win32 programming level.
Did you know what an API is
The interface that provides various functions to implement in Windows is called Win32 API (Application Programming Interface, that is, "application programming interface"). If some programs need to read and write files on disk, they must first issue a call request to the corresponding API (the file-related API must be called when reading and writing files). Then the API completes the requested function based on the parameters provided by the program when calling its functions (such as reading and writing files, you need to give the file name and path of the file that needs to be read and written at the same time), and finally return the call result (such as writing files successfully, or reading files failed, etc.) to the program.
(3) Use the remote thread function (CreateRemoteThread) to insert the DLL
This "remote process" mechanism is provided in systems of Windows 2000 and above, and one system API function can create threads (insert DLLs) into another process. The disadvantages are obvious. It only supports Windows 2000 and above systems. In China, there are still quite a lot of users using Windows 98, so *s that use this process insertion method lack platform universality.
After the * inserts itself as a DLL into other process space, the * cannot find the traces of the * by checking the process. All you can see is the process of some normal program, but the * has sneaked into it. The solution is to use process management tools that support "process module viewing" (such as process viewing provided by "Windows Optimization Master"), and the DLL module of the * will appear.
Don't believe your own eyes: The terrifying process "evaporates"
Strictly speaking, this should be considered a process hidden technology of the 2.5th generation, but it is much more terrifying than the previous technologies. This technique allows *s to disappear without having to insert themselves into other processes!
It monitors the calls of all processes related to the process detection APIs of all programs in the system through Hook technology. The reason why the "Task Manager" can display all processes in the system is because it calls process-related API functions such as EnumProcesses. The process information is included in the return result of the function. The program that issues the call request receives the return result and processes it (for example, the "Task Manager" will be displayed in the process list after receiving the result).
Since the * Hooked the API function in advance, when the EnumProcesses function is called by the "task manager" (or other programs that call the enumerated process functions) (the API function at this time acts as the "insider"), the * is notified and has erased its own process information from the return result before the function returns the result (lists all processes) to the program. It's like you're watching a TV show, but someone unknowingly connects the TV to DVD, and you're cheated without you realizing it.
So whether it is a "task manager" or an antivirus software, it is futile to detect the process of such a *. This * currently has no very effective way to detect and kill. It can only detect the * file by the antivirus software before it runs and prevent its viral body from running. At that time, there was another technique that * programs deleted their own process information from the "process link list" used by the Windows system to record process information, so that process management tools could not obtain * process information from the "process link list". However, due to the lack of platform universality and some problems when the program is running, it has not been widely adopted.
Do you know what Hook is
Hook is a system mechanism provided in Windows to replace "interrupt" under DOS, which is translated as "hook" or "hook". After hooking a specific system event (including the call event of a specific API function above), once an event that has been hooked occurs, the program that hooks the event (such as a *) will receive a notification from the system. At this time, the program can respond to the event as soon as possible (the * program changes the result before the function returns).
No trace: 3D hiding in all directions
Using the Hook hiding process just introduced, *s can easily hide files. You only need to apply Hook technology to file-related API functions, so that neither the "explorer" nor the antivirus software can find out where the *s are. What is even more surprising is that there are now * horses (such as gray pigeons) that use this technology to realize the hiding of files and processes. The best way to prevent this * is to use antivirus software to intercept it before it runs.
Fight against antivirus software: Antivirus software shell
No matter how cunning the * is, once the antivirus software defines the feature code, it will be intercepted before it is run. To avoid the pursuit of anti-virus software, many *s are shelled, which is equivalent to wearing a piece of clothing for the *s, so that the anti-virus software will not recognize it. However, some anti-virus software will try to remove the common shells and then check and kill them (small example, don’t think that if I don’t know you if I wear a horse clip). In addition to passive hiding, recently, a shell that can be actively opposite to the antivirus software has been discovered. After the * is added with this shell, once it runs, the shell first obtains program control, and it destroys the antivirus software installed in the system through various means. Finally, after confirming the security (the protection of the antivirus software has been disintegrated), the shell releases the * body wrapped in its "body" and executes it. The way to deal with this * is to use antivirus software with shelling capabilities to protect the system.
Do you know what a shell is
As the name suggests, you can easily guess that this is something that is wrapped outside. Yes, the shell can wrap a file (such as EXE), and then when the file is run, the shell first gains control, and then releases and runs the wrapped file body. Many shells can encrypt the file body they enclose, which can prevent the detection of anti-virus software. For example, the * defined by the original antivirus software is "12345". If a file is found to contain this feature, it is considered that the file is a *, and the shell with encryption function will encrypt the file body (for example: the original feature is "12345", and after encryption, it becomes "54321". Of course, the antivirus software cannot be checked by file characteristics). Unshelling means removing the shell outside the file and restoring the state before the file is not shelled.