Thursday, September 2, 2010

Analyzing the concealment techniques of hacking software in VC++

With the continuous development of computer networks, hacking techniques have increasingly become a technical force that cannot be ignored. Although most hacker attacks target servers, and most Internet users suffer little direct harm from them, there is a class of hacker programs called "Trojan horses" that trick ordinary Internet users into installing the Trojan's server side. This leaves a back door open on the user's computer whenever it is online, and through that back door the hacker can monitor and damage the infected machine at will. Clearly such hacking software is a very serious danger to ordinary Internet users.


Such software is still a network application; in essence it is a sockets-based network communication program. For a hacker to attack an infected computer successfully, the Trojan's server side must be running on that computer at the time of the attack. Because the Trojan is a malicious program, it must start quietly and open its back door without the user noticing. It obviously cannot show up in the taskbar and the task list the way other programs do, otherwise the user would notice it at once and close it, and the back door would no longer be of any use to the attacker. The following discusses the mechanisms such programs use to hide themselves.

How a program hides itself from the taskbar

Hiding a program from the taskbar is relatively simple. First make sure the program's main window is hidden; this is usually done by changing the SW_SHOW parameter of the ShowWindow() call in the application class's InitInstance() function to SW_HIDE. Once the main window is hidden its taskbar button disappears too, but the window still flashes briefly when the program starts, so the window's extended style has to be modified as well. One way is the SDK approach: call GetWindowLong() with nIndex = GWL_EXSTYLE to obtain the current extended style, clear the original WS_EX_APPWINDOW bit with a logical operation and set the WS_EX_TOOLWINDOW bit, so that the system treats the window as a tool window and does not show it in the taskbar. Finally, write the modified extended style back with SetWindowLong(). Note that the taskbar re-evaluates a window's style only when the window is shown, so on a window that is already visible the change takes effect after the window is hidden and shown again. The two functions are declared as follows:

LONG GetWindowLong (HWND hWnd, int nIndex);

LONG SetWindowLong (HWND hWnd, int nIndex, LONG dwNewLong);

The other way is very simple in MFC: in the frame class's PreCreateWindow() function, which runs before the window is created, operate directly on the style fields of the CREATESTRUCT structure passed in to change the program window's attributes:

// in the frame class's PreCreateWindow(CREATESTRUCT& cs) override
cs.style = WS_POPUP;               // a pop-up window instead of the usual overlapped frame
cs.dwExStyle |= WS_EX_TOOLWINDOW;  // tool windows get no taskbar button

Although the two forms are written differently, their essence is the same.

How a program hides itself from the task list

The task list (the dialog box that pops up on Ctrl+Alt+Del) shows the applications currently running in the system. With only the previous step done, the program is invisible in the taskbar, but an experienced user can still look through the task list, spot a questionable application and close it there. Consequently, most hacking software also uses more complex means to hide itself from the task list, so that its chance of being discovered is much lower.

In Win9x, generally speaking, an application registers itself with the system as a service process by calling the API (application programming interface) function RegisterServiceProcess(), and the same function is used to cancel that registration and end the process's life as a service process. If a process is running but has not registered with the system as a service process, its title appears in the Ctrl+Alt+Del task list; if it has registered as a service process, it does not appear there. Hacking software exploits exactly this to hide itself from the task list at run time. The function lives in the system kernel library Kernel32.dll and is declared as follows:

DWORD RegisterServiceProcess (DWORD dwProcessId, DWORD dwType);

The first parameter is the process ID of the process to be designated a service process; 0 means the current process. The second parameter specifies whether the current process is being registered or deregistered, with the values RSP_SIMPLE_SERVICE and RSP_UNREGISTER_SERVICE respectively. Note that this export exists only in the Win9x Kernel32.dll; Windows NT, 2000 and XP do not have it, so GetProcAddress() returns NULL there and the pointer must be checked before it is called. Hacking software generally does this during start-up initialization: it first loads RegisterServiceProcess() from the dynamic link library Kernel32.dll into memory and then hides the process from the task list through that function:

// Load RegisterServiceProcess() from Kernel32.dll
typedef DWORD (WINAPI *RSP)(DWORD dwProcessId, DWORD dwType);
HMODULE m_hKernel = ::GetModuleHandle("Kernel32.DLL");
RSP m_rsp = (RSP)::GetProcAddress(m_hKernel, "RegisterServiceProcess");
if (m_rsp)                              // NULL on Windows NT/2000/XP, whose Kernel32.dll has no such export
    m_rsp(::GetCurrentProcessId(), 1);  // 1 (RSP_SIMPLE_SERVICE) hides; 0 (RSP_UNREGISTER_SERVICE) shows it again

In addition, some hacking software uses the ShowWindowAsync() function, which sets the show state of a window created by another thread by posting the request to that thread's message queue instead of waiting for it to be processed. The function prototype is:

BOOL ShowWindowAsync (HWND hWnd, int nCmdShow);

The hacking software sets the function's second parameter to the desired show state of the target window; with SW_HIDE the target window (the hacking software's own) is hidden, and with it its entry in the task list.

Summary: The above are some of the basic techniques hacker programs use under Win9x. On this basis we can borrow the same techniques to write monitoring utilities, such as programs that run in the background. Analyzing the hiding mechanisms of hacker-class software also lets users targeted by it take the necessary precautions and strengthen their defenses to guard against loss.
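The two hiding mechanisms above (the WS_EX_TOOLWINDOW style change and RegisterServiceProcess()) and the monitoring utility the summary suggests, as an added example that is not code from the original post. The snapshot-classification rules are plain C++ that compiles anywhere; the live snapshot, taken with Toolhelp32 and EnumWindows, compiles only on Windows. The style-bit values and the taskbar-button rule are standard Win32 behaviour; the record structures, function names and sample snapshot are this example's own, and the sample data is constructed rather than captured from a real system.

```cpp
// Added example, not code from the original post: a monitor for the two
// concealment tricks the article describes. The rules are plain C++ over
// snapshot records; the live snapshot (Toolhelp32 + EnumWindows) is _WIN32 only.
#include <string>
#include <vector>

// Win32 extended-style bits, spelled out so the portable part needs no windows.h.
const unsigned long kExToolWindow = 0x00000080UL;   // WS_EX_TOOLWINDOW
const unsigned long kExAppWindow  = 0x00040000UL;   // WS_EX_APPWINDOW

struct ProcessRecord {
    unsigned long pid; std::string exe;
    ProcessRecord(unsigned long p, const std::string& e) : pid(p), exe(e) {}
};
struct WindowRecord {
    unsigned long pid;       // owning process
    bool visible, owned;     // IsWindowVisible(); GetWindow(hwnd, GW_OWNER) != NULL
    unsigned long exStyle;   // GetWindowLong(hwnd, GWL_EXSTYLE)
    WindowRecord(unsigned long p, bool v, bool o, unsigned long s)
        : pid(p), visible(v), owned(o), exStyle(s) {}
};

// The change the article makes with GetWindowLong()/SetWindowLong():
// clear WS_EX_APPWINDOW and set WS_EX_TOOLWINDOW.
unsigned long HiddenExStyle(unsigned long exStyle) {
    return (exStyle & ~kExAppWindow) | kExToolWindow;
}

// The shell gives a window a taskbar button when it is visible and either has
// WS_EX_APPWINDOW or is unowned without WS_EX_TOOLWINDOW. The article's style
// change defeats exactly this rule.
bool HasTaskbarButton(const WindowRecord& w) {
    if (!w.visible) return false;
    if (w.exStyle & kExAppWindow) return true;
    return !w.owned && !(w.exStyle & kExToolWindow);
}

// Running processes that own no window with a taskbar button.
// RegisterServiceProcess() removes a process from the Ctrl+Alt+Del list, not
// from a Toolhelp32 snapshot, so a program hidden the article's way still shows
// up here. So do legitimate background programs: a triage list, not a verdict.
std::vector<ProcessRecord> ProcessesWithoutTaskbarPresence(
        const std::vector<ProcessRecord>& procs,
        const std::vector<WindowRecord>& windows) {
    std::vector<ProcessRecord> out;
    for (size_t i = 0; i < procs.size(); ++i) {
        bool seen = false;
        for (size_t j = 0; j < windows.size() && !seen; ++j)
            seen = windows[j].pid == procs[i].pid && HasTaskbarButton(windows[j]);
        if (!seen) out.push_back(procs[i]);
    }
    return out;
}

// Offline run over a constructed snapshot (not real system data): a normal
// editor window, a window hidden with HiddenExStyle(), and a windowless process.
std::vector<ProcessRecord> ConstructedSnapshotDemo() {
    std::vector<ProcessRecord> procs;
    procs.push_back(ProcessRecord(100, "notepad.exe"));
    procs.push_back(ProcessRecord(200, "hidden.exe"));
    procs.push_back(ProcessRecord(300, "nowindow.exe"));
    std::vector<WindowRecord> wins;
    wins.push_back(WindowRecord(100, true, false, 0));
    wins.push_back(WindowRecord(200, true, false, HiddenExStyle(kExAppWindow)));
    return ProcessesWithoutTaskbarPresence(procs, wins);  // hidden.exe, nowindow.exe
}

#ifdef _WIN32
// Live snapshot; assumes an ANSI build (szExeFile is char[]), as VC++ projects
// of the period were.
#include <windows.h>
#include <tlhelp32.h>
#include <cstdio>
std::vector<ProcessRecord> SnapshotProcesses() {
    std::vector<ProcessRecord> out;
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snap == INVALID_HANDLE_VALUE) return out;
    PROCESSENTRY32 pe; pe.dwSize = sizeof(pe);
    for (BOOL ok = Process32First(snap, &pe); ok; ok = Process32Next(snap, &pe))
        out.push_back(ProcessRecord(pe.th32ProcessID, pe.szExeFile));
    CloseHandle(snap);
    return out;
}
static BOOL CALLBACK CollectWindow(HWND hwnd, LPARAM lp) {
    std::vector<WindowRecord>* out = reinterpret_cast<std::vector<WindowRecord>*>(lp);
    DWORD pid = 0;
    GetWindowThreadProcessId(hwnd, &pid);
    out->push_back(WindowRecord(pid, IsWindowVisible(hwnd) != 0,
        GetWindow(hwnd, GW_OWNER) != NULL, (unsigned long)GetWindowLong(hwnd, GWL_EXSTYLE)));
    return TRUE;
}
int main() {
    std::vector<WindowRecord> wins;
    EnumWindows(CollectWindow, reinterpret_cast<LPARAM>(&wins));
    std::vector<ProcessRecord> sus = ProcessesWithoutTaskbarPresence(SnapshotProcesses(), wins);
    for (size_t i = 0; i < sus.size(); ++i)
        std::printf("%6lu  %s\n", sus[i].pid, sus[i].exe.c_str());
    return 0;
}
#endif
```

Built as an ANSI VC++ project, the program prints the PID and image name of every running process that owns no taskbar-visible window. A program hidden with RegisterServiceProcess() still appears in the Toolhelp32 snapshot, which is what makes the list useful; expect legitimate background programs on it as well, so compare against a known-good baseline rather than acting on the list alone.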
