[Recommended]to uncover the virus-the mystery of DLL remote inject technical explanation-vulnerability warning-the black bar safety net

ID MYHACK58:6220054066
Type myhack58
Reporter 佚名
Modified 2005-10-26T00:00:00


DLL remote injection technology is currently the Win32 virus is a widely used technology. Using this technique the virus body is usually located in a DLL, At system startup, an EXE program will the DLL be loaded to some system processes 如 Explorer.exe in the run. As a result, the ordinary Process Manager it is very difficult to find this virus, and even if found is also very difficult to remove, Because as long as the virus parasitic process is not terminated, then the DLL will not be in memory and unloading, The user will not be able to in Explorer to delete the DLL files, turns out both you. Remember 2 0 0 3 year QQ tail virus is raging, it has some tail virus variants in the use of this technology. To 2 0 0 4 at the beginning, I used to try to simulate a QQ tail virus, but alone is to skip the DLL to the remote loading technique. Until recently in the school Forum, see a few friends in exploring this technology, they couldn't resist this dusty art from My memory picked out to meet the majority of technology enthusiasts. Essential knowledge Before reading this article, you need to know about the following API function:

·OpenProcess - for opening to the parasitic of the target process.

·VirtualAllocEx/VirtualFreeEx - used in the target process allocation/release of memory space.

·WriteProcessMemory - used in the target process is written to the loaded DLL name.

·CreateRemoteThread - remote to load the DLL of the core content for the control target process calls the API function.

·LoadLibrary - the target process by calling this function to load the virus DLL.

Here I give only a brief summary of the Function Description, With regard to the function of the Detail Features and description please refer to MSDN.

Sample program

I will in the following pages with a simple example Virus. exe to implement this technology. This example of the interface as shown below:

首先 运行 Target.exe this file is a Win32 Application Wizard-generated“Hello, World”program, Used as a parasitic of the target process.

Then in the interface of the edit control enter the name of the process“Target.exe”, click“inject DLL”button This time the Virus. exe it will be the current directory of the DLL. dll injection to Target. exe process.

In the injected DLL. dll after that, you can also click“unload DLL”to the already injected DLL is unloaded.

模拟 的 病毒 体 DLL.dll

This is a simple Win32 DLL program, which consists of only one entry function DllMain is composed of:

| BOOL WINAPI DllMain( HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved ) { switch ( fdwReason ) { case DLL_PROCESS_ATTACH: { MessageBox( NULL, _T("DLL has entered the target process."), _T("information"), MB_ICONINFORMATION ); } break; case DLL_PROCESS_DETACH: { MessageBox( NULL, _T("DLL from the target process is unloading."), _T("information"), MB_ICONINFORMATION ); } break; } return TRUE; }

As you can see, here I am in the DLL is loaded and unloaded when the call to the MessageBox, which is used to display my remote injection/ Uninstall job is successfully completed. And for a real virus body, It is often the processing the DLL_PROCESS_ATTACH event, Added the start of the virus code part:

case DLL_PROCESS_ATTACH: { StartVirus(); } break; The injection of!

Now to begin our injection work. First, we need to find the target process:

DWORD FindTarget( LPCTSTR lpszProcess ) { DWORD dwRet = 0; HANDLE hSnapshot = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 ); PROCESSENTRY32 pe32; pe32. dwSize = sizeof( PROCESSENTRY32 ); Process32First( hSnapshot, &pe32 ); do { if ( lstrcmpi( pe32. szExeFile, lpszProcess ) == 0 ) { dwRet = pe32. th32ProcessID; break; } } while ( Process32Next( hSnapshot, &pe32 ) ); CloseHandle( hSnapshot ); return dwRet; }

Here I use the Tool Help Library, of course, if you are a NT system, you can also select the PSAPI library. This section of the Code of the object is given by the process name in the current system to find the corresponding process, and returns the process ID. Get the process ID after You can call OpenProcess to open the target process:

// Open the target process


It is now necessary to say about the OpenProcess the first parameter specified the three kinds of permissions. In Win32 system, Each process has its own 4G virtual address space, between the various processes are independent of each other. If a process needs to complete the cross-process work, Then it must have the target process of the corresponding operation permissions. Here, PROCESS_CREATE_THREAD shows I could through the return process Handle in the process of creating a new thread, that is calling CreateRemoteThread permissions; similarly, PROCESS_VM_OPERATION It indicates that in the process of allocation/release of memory permissions, that is to call VirtualAllocEx/VirtualFreeEx permissions; PROCESS_VM_WRITE can be represented to the process's address space write data, that is, the call to WriteProcessMemory permissions.

At this point the target process is already open, then how can we be DLL injection wherein? Before that, I invite you to see one line of code Is a How to in the process to explicitly load the DLL:

HMODULE hDll = LoadLibrary( "DLL.dll" );

So, if you can control the target process to call LoadLibrary, do not complete the DLL remote inject? Yes it is, We can use CreateRemoteThread will LoadLibrary as the target process of a thread to start, so that you can complete “Control of the target process to call LoadLibrary”work. Here, maybe you'll take it for granted to write down similar to this code:

DWORD dwID; LPVOID pFunc = LoadLibraryA; HANDLE hThread = CreateRemoteThread( hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pFunc, (LPVOID)"DLL.dll", 0, &dwID );

However the results will certainly make you disappointed--inject DLL failed!

So now let us analyze the cause of the failure. I am a former said, in a Win32 system, Each process has its own 4G virtual address space, Between the various processes are independent of each other. Here, we used as parameter the string"DLL.dll"is actually a value, It indicates that the string is located in the Virus. exe address space among address, and this address is passed to the Target. exe after It points to the thing loses its effectiveness. Take, for example, such as A, B two buildings, I live in A building of 4 0 of 1; Then the B floor of the 4 0 1 Live The is who I of course can not be determined-that is, 4 0 1 The number in the B building lost effectiveness, but if I want to stay in Building B, then, I'll have to ask B floor Floor length for me in the B floor in the arrangements for new accommodation, of course this new accommodation if 4 0 1 Also it is not necessarily.

Thus it seems that I will need to do so a series of somewhat complicated procedure-the first in the Target. exe in the target process is assigned a segment of memory space, Then to this space to write I want to load the DLL name, then finally calling CreateRemoteThread on. This code became this:

// To the target process address space write DLL name

DWORD dwSize, dwWritten; dwSize = lstrlenA( lpszDll ) + 1; LPVOID lpBuf = VirtualAllocEx( hProcess, NULL, dwSize, MEM_COMMIT, PAGE_READWRITE ); if ( NULL == lpBuf ) { CloseHandle( hProcess ); // Failure handling } if ( WriteProcessMemory( hProcess, lpBuf, (LPVOID)lpszDll, dwSize, &dwWritten ) ) { // To write bytes the actually written bytes not equal, is still a failure if ( dwWritten != dwSize ) { VirtualFreeEx( hProcess, lpBuf, dwSize, MEM_DECOMMIT ); CloseHandle( hProcess ); // Failure handling } } else { CloseHandle( hProcess ); // Failure handling } // Cause the target process to call LoadLibrary and load the DLL DWORD dwID; LPVOID pFunc = LoadLibraryA; HANDLE hThread = CreateRemoteThread( hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pFunc, lpBuf, 0, &dwID );

Need to say there are two points, one is because I want to be in the target process as ANSI string to the allocated memory space, So here all and the target process relevant to the section, clearly the use of the suffix“A”API functions - Of course, if you want to use a Unicode string, it can change as the suffix is“W”of the API; Second, where the LoadLibrary pointer I is taken of the process of the LoadLibraryA address, this is because the LoadLibraryA/LoadLibraryW in kernel32. dll, And Win32 each application will put the kernel32. dll is loaded into the process address space to a fixed address, so here's the address of the function in the Target. exe is also effective. In the call to LoadLibrary is completed, we can do the finishing work:

// Wait for LoadLibrary is loaded WaitForSingleObject( hThread, INFINITE ); // Release the target process in the application space VirtualFreeEx( hProcess, lpBuf, dwSize, MEM_DECOMMIT ); CloseHandle( hThread ); CloseHandle( hProcess );

In this explain the WaitForSingleObject sentence. Since we are by CreateRemoteThread in the target process further opens up A LoadLibrary of the thread, so we must wait for this thread to run to completion to be able to release that previous applications of the memory.

Well, now you can try to organize the code and compile and run it. 运行 Target.exe that Then open a module view function view of the processes tool here I use of my July to see the Target. exe module You will find in the injected DLL before Target. exe and not the DLL. the dll is present:

In the call to the injected code, DLL. the dll is located in the Target. exe the module list:

Contradictory phase

Remember 2 0 0 4 beginning of the year I will QQ tail virus successfully after the simulation, there are a lot of friends ask me how to kill Poison, But I have no answer-because I was the focus of the study is not a virus parasitic properties. This parasitic characteristics until today can say I simulation is completed, the Then, I will detoxify the method are also disclosed.

And DLL injection process is similar, except that here the use of two APIS: GetModuleHandle and FreeLibrary on. For space reasons, I omitted with the injection portion of the similar or the same code:

// Make the target process call GetModuleHandle to get the DLL in the target process handle DWORD dwHandle, dwID; LPVOID pFunc = GetModuleHandleA; HANDLE hThread = CreateRemoteThread( hProcess, NULL, 0, (LPTHREAD_START_ROUTINE) pFunc, lpBuf, 0, &dwID ); // Wait for GetModuleHandle finished running WaitForSingleObject( hThread, INFINITE ); // Get the GetModuleHandle returns the value of the Getexitcodethread places( hThread, &dwHandle ); // Release the target process in the application space VirtualFreeEx( hProcess, lpBuf, dwSize, MEM_DECOMMIT ); CloseHandle( hThread ); // Make the target process calls FreeLibrary, the uninstall DLL pFunc = FreeLibrary; hThread = CreateRemoteThread( hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pFunc, (LPVOID)dwHandle, 0, &dwID ); // Wait FreeLibrary uninstall is completed WaitForSingleObject( hThread, INFINITE ); CloseHandle( hThread ); CloseHandle( hProcess );

With this method you can unload a process in the DLL module, including of course those non-virus DLL. So, this code still use caution as well.

At the completion of unloading, if no other program loads this DLL, you can delete it.