Guangwai girl Trojan WIN2000 Chinese version of the killing tutorial.
1. RegSnap v2.80, the tool we use to record and compare changes to the registry and system files.

2. fport v1.33, which lists the ports each running process has opened.

3. FileInfo (fi.exe), which identifies file types and the packer used on an executable.

4. ProcDump v1.6.2, an unpacking tool.

5. IDA v4.0.4, a disassembler.

With all the tools ready, let's start analysing this Trojan. Once a Trojan's server component is running it usually tampers with the registry and system files, so we take a snapshot of both before the analysis, so that every change it makes can be identified and reverted.

Open RegSnap first, select New from the File menu, then click OK. This records the current state of the registry and system files; if the Trojan later modifies any of them, the change will show up in the comparison. Save the snapshot as Regsnp1.rgs.

Then run the server side of "Guangwai Girl" on the computer. There is no need to worry: everything has been recorded in detail, so whatever it changes can be put back. Double-click gdufs.exe and wait a moment. If "Skynet Firewall" or "Kingsoft Internet Security" is running, you will notice that it quits by itself. Strange? The explanation comes later in the analysis. The Trojan is now in our system, so let's see what it did. Open RegSnap again, select New from the File menu, click OK, and save this second snapshot as Regsnp2.rgs.

Select Compare from RegSnap's File menu, open Regsnp1.rgs as the first snapshot and Regsnp2.rgs as the second, and in the radio box below choose to show modified key names and key values. Press OK and RegSnap compares the two records to find every difference. When the comparison finishes, the result file Regsnp1-Regsnp2.htm opens automatically.

Check Regsnp1-Regsnp2.htm and pay attention to the following:

Summary information:

Deleted keys: 0
Modified keys: 15
New keys: 1

This means that between the two snapshots no registry key was deleted, 15 keys were modified and one key was added. Further down:

List of files in C:\WINNT\System32\*.*

Summary information:

Deleted files: 0
Modified files: 0
New files: 1

New files:

Diagcfg.exe  size: 97,792 bytes

Total: 1

The meaning of this passage is that a new file, diagcfg.exe, has appeared in C:\WINNT\System32\. It is highly suspicious: the only thing we ran between the two snapshots was the "Guangwai Girl" server, so we have good reason to believe diagcfg.exe is the backdoor it dropped. Open Task Manager to confirm: you will find a DIAGCFG.EXE process, which is the Trojan itself. Do not kill or delete DIAGCFG.EXE yet, or the system will stop working normally; the registry findings below explain why.

Trojans usually set registry values so that they run automatically every time the system starts. Let's see which registry keys changed according to Regsnp1-Regsnp2.htm. From experience, the following entry deserves attention:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\@

Old value: string: "%1" %*

New value: string: C:\WINNT\System32\DIAGCFG.EXE "%1" %*

The value has changed from the default "%1" %* to C:\WINNT\System32\DIAGCFG.EXE "%1" %*. This is the most suspicious change of all, because it points at the very diagcfg.exe we just identified. So what does this key do?

It is the shell's command line for opening any .exe file: "%1" stands for the file being launched and %* for its arguments. With the new value, every time any executable is run the system actually starts C:\WINNT\System32\DIAGCFG.EXE first and hands it the intended program as a parameter; the Trojan then launches that program itself (as the disassembly later confirms), so the user notices nothing.

So this is where the Trojan hooks itself in to start automatically, and the method differs from that of ordinary Trojans. An ordinary Trojan adds a value under HKLM\Software\Microsoft\Windows\CurrentVersion\Run (or its RunOnce and RunServices siblings) and is started from there; that location is so well known to anti-virus software that such Trojans are easily caught. "Guangwai Girl" is more cunning and places its startup hook somewhere else.

Now that we know where the Trojan lives and where its startup entry is in the registry, we still need to find out which port it listens on. fport makes this easy. Run fport.exe at a command prompt and you will see a line like this:

Pid   Process            Port  Proto Path
1176  DIAGCFG        ->  6267  TCP   C:\WINNT\System32\DIAGCFG.EXE

You can clearly see that the Trojan is listening on TCP port 6267. At this point we have mapped every action "Guangwai Girl" takes in our system, and we understand how it works, so we can remove it. The following steps eliminate "Guangwai Girl" completely. Note: the order of these steps must not be changed, otherwise the Trojan may not be removed completely, or the system may be left unable to run programs.
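The three observations above (a new file in the snapshot diff, a tampered exefile association, and a listening port owned by that file) can be correlated programmatically. The block below is an added example and is not code from the original article, nor from RegSnap or fport; the registry snapshots, file listings and fport output it works on are constructed sample data modelled on the values reported in the text.

```python
"""Snapshot-diff and port-correlation triage in the spirit of the RegSnap and
fport steps above. Added example: not part of the original article and not
code from RegSnap or fport. All snapshots and the fport output below are
constructed sample data, not captures from a real system."""
import re

# Location and stock content of the .exe shell association.
EXEFILE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\@"
EXEFILE_DEFAULT = '"%1" %*'

# One fport data row:  Pid  Process  ->  Port  Proto  Path   (Path may be empty)
FPORT_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*?)\s*$")


def diff_snapshots(before, after):
    """RegSnap-style comparison of two {name: value} snapshots.

    Works for registry values and for file listings ({path: size}) alike.
    'modified' maps a name to its (old, new) pair."""
    deleted = {k: v for k, v in before.items() if k not in after}
    new = {k: v for k, v in after.items() if k not in before}
    modified = {k: (before[k], after[k])
                for k in before if k in after and before[k] != after[k]}
    return {"deleted": deleted, "modified": modified, "new": new}


def hijacked_shell_command(value):
    """Return the program inserted in front of "%1" in a shell\\open\\command
    value, or None when the value is the stock "%1" %*.

    Anything placed before "%1" runs on every .exe launch, which is the
    persistence trick used here instead of a Run key."""
    value = value.strip()
    if value == EXEFILE_DEFAULT:
        return None
    m = re.match(r'^"?(.*?\.exe)"?\s+"?%1', value, re.IGNORECASE)
    return m.group(1) if m else value   # unknown shape: report the whole value


def parse_fport(text):
    """Parse fport's table into records; banner and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = FPORT_ROW.match(line)
        if m:
            pid, proc, port, proto, path = m.groups()
            rows.append({"pid": int(pid), "process": proc, "port": int(port),
                         "proto": proto, "path": path})
    return rows


def triage(reg_before, reg_after, files_before, files_after, fport_text):
    """Tie the observations together the way the tutorial does by hand:
    new files, a tampered exefile association, and the ports the hijacking
    program owns."""
    reg = diff_snapshots(reg_before, reg_after)
    files = diff_snapshots(files_before, files_after)
    result = {"new_files": sorted(files["new"]), "shell_hijack": None,
              "listening": [], "hijack_is_new_file": False,
              "modified_keys": sorted(reg["modified"])}
    program = hijacked_shell_command(reg_after.get(EXEFILE_KEY, EXEFILE_DEFAULT))
    if program:
        result["shell_hijack"] = {"key": EXEFILE_KEY, "program": program}
        result["hijack_is_new_file"] = program.lower() in (f.lower() for f in files["new"])
        result["listening"] = sorted((r["proto"], r["port"]) for r in parse_fport(fport_text)
                                     if r["path"].lower() == program.lower())
    return result


# ---- constructed sample data (modelled on the tutorial's values) ----
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tray"
REG_BEFORE = {EXEFILE_KEY: '"%1" %*', RUN_KEY: "tray.exe"}
REG_AFTER = {EXEFILE_KEY: 'C:\\WINNT\\System32\\DIAGCFG.EXE "%1" %*', RUN_KEY: "tray.exe"}
FILES_BEFORE = {r"C:\WINNT\System32\notepad.exe": 50960}
FILES_AFTER = {r"C:\WINNT\System32\notepad.exe": 50960,
               r"C:\WINNT\System32\diagcfg.exe": 97792}
FPORT_SAMPLE = """FPort v1.33 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.

Pid   Process            Port  Proto Path
8     System         ->  139   TCP
1176  DIAGCFG        ->  6267  TCP   C:\\WINNT\\System32\\DIAGCFG.EXE
"""

if __name__ == "__main__":
    for k, v in triage(REG_BEFORE, REG_AFTER, FILES_BEFORE, FILES_AFTER, FPORT_SAMPLE).items():
        print(f"{k}: {v}")
```

On a real machine the snapshots would come from exporting the registry and listing System32 before and after the sample runs; the check in hijacked_shell_command is worth running on every shell\open\command value (exefile, comfile, batfile and so on), since any of them can carry the same hook.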

1. Open the Start menu, select Run, type regedit and press OK. Navigate to the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command

but do not modify it yet: while the DIAGCFG.EXE process is alive it will immediately write the hijacked value back.

2. Open Task Manager, select the DIAGCFG.EXE process and press "End Process". Note that regedit must already be open before you kill the process: with the exefile association still hijacked, launching regedit.exe afterwards would go through DIAGCFG.EXE and start the Trojan again.

3. In regedit, change the default value of HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command from C:\WINNT\System32\DIAGCFG.EXE "%1" %* back to "%1" %* (including the quotes: they keep paths containing spaces working, and %* passes the launched program's arguments through).

4. Only now can DIAGCFG.EXE be deleted from C:\WINNT\System32\. Never delete this file first: while the association still points at it, no executable in the system can be started at all. Since we intend to analyse the Trojan further, we will not delete it now but copy it to another directory for study.

We now know its basic working principle, its startup mechanism and how to remove it completely, but one thing is still unexplained: how it deals with "Skynet Firewall" and "Kingsoft Internet Security". To understand that we have to look at the code of "Guangwai Girl". Its source has not been published, but we can still read it by disassembling.

The server side of "Guangwai Girl" is only 96K, and the file is clearly packed. First we have to determine which packer was used, and the small tool FileInfo can tell us. Copy the DIAGCFG.EXE we saved earlier into FileInfo's directory, run fi.exe against it at the command prompt, and it reports:

FileInfo detects that DIAGCFG.EXE is packed with ASPack v1.06b. Knowing the packer, we can unpack it with ProcDump.

Run ProcDump and click the Unpack button. Because we want to remove an ASPack v1.06b shell, choose Aspack <1.08 and press OK. ProcDump then asks for the file to unpack; select DIAGCFG.EXE and open it. Wait a few seconds and press OK. ProcDump unpacks DIAGCFG.EXE and a dialog asks where to save the unpacked file; save it as gwns.exe.

Note: ProcDump unpacks by running the program and dumping it from memory, so the Trojan is running on your system again at this point and must be removed once more using the cleaning steps described above.

We now have the Trojan's file as it was before packing. The unpacked gwns.exe is 194K, about twice the size of the packed program; the difference is the packer's compression. Now it can be loaded into a disassembler and its assembly code examined.
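The packer identification FileInfo performs above is, in its simplest form, a check of the section names in the PE header: ASPack leaves sections named .aspack and .adata behind. The following block is an added example, not code from the article or from FileInfo; it parses the PE section table, flags known packer section names (the table also covers UPX, which the article does not discuss, as an assumed extension), and builds a minimal PE header in memory as constructed test input rather than reading a real binary.

```python
"""Packer identification from PE section names. Added example, not code from
the article or from FileInfo. The PE images below are constructed in memory;
the signature table is a heuristic assumption, not FileInfo's database."""
import struct

# Section names common packers leave behind (heuristic, not exhaustive).
PACKER_SECTIONS = {
    ".aspack": "ASPack", ".adata": "ASPack",
    "UPX0": "UPX", "UPX1": "UPX",
}


def pe_section_names(image):
    """Return the section names of a PE image; raise ValueError if it is not PE."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4                                   # COFF file header
    n_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size                          # section table start
    names = []
    for i in range(n_sections):
        entry = table + 40 * i                            # 40-byte section header
        raw = image[entry:entry + 8]                      # 8-byte name, NUL padded
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def detect_packer(image):
    """Name the packer suggested by the section names, or None if none match."""
    for name in pe_section_names(image):
        if name in PACKER_SECTIONS:
            return PACKER_SECTIONS[name]
    return None


def build_pe(section_names):
    """Constructed minimal PE32 image: DOS stub, COFF header, empty optional
    header and a section table with the given names (no code or data)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt = b"\0" * 224                                     # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, len(opt), 0x0102)
    sections = b"".join(n.encode("ascii").ljust(8, b"\0") + b"\0" * 32
                        for n in section_names)
    return dos + b"PE\0\0" + coff + opt + sections


if __name__ == "__main__":
    sample = build_pe([".text", ".data", ".aspack", ".adata"])
    print(pe_section_names(sample), "->", detect_packer(sample))
```

Section names are a first-pass indicator only: a packer's sections can be renamed trivially, which is why FileInfo and similar tools match byte signatures at the entry point as well, and why the version (1.06b here) cannot be read from section names alone.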

Open it in IDA. IDA is an outstanding disassembler and an indispensable tool for crackers and Windows hackers alike. Let's look at what the disassembled code does:

It first obtains a handle to kernel32.dll and calls GetProcAddress to resolve the RegisterServiceProcess API. The Trojan registers itself as a service process so that it does not show up in Task Manager on Windows 9x; it has to resolve that function at run time because RegisterServiceProcess is only exported by the Windows 9x kernel32.dll, not on Windows NT/2000, and a static import would have stopped the program from loading there. Next it calls GetCommandLineA to read its own parameters; if the parameter is an executable (the program the user actually launched, handed over by the hijacked exefile association), it calls WinExec to run it.

Then the Trojan looks for the snfw.exe and kav9x.exe processes, that is, "Skynet Firewall" and "Kingsoft Internet Security", and kills them.

Next it modifies its registry startup entry, HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command, so that it is started again every time the system restarts. Finally it initialises the Winsock DLL, binds its port (TCP 6267, as fport showed) and waits for the Trojan client to connect.

This completes the analysis of the "Guangwai Girl" server and explains its startup and operating mechanism. The purpose of this article, however, is not just to describe "Guangwai Girl": by working through this typical sample in detail it introduces a general method for analysing Trojans, and with this method any unknown Trojan can be taken apart in the same way. To summarise the steps of Trojan analysis:

First, snapshot the registry and system files, run the Trojan server, then snapshot the registry and system files again. Comparing the two records with a registry analysis tool shows what the Trojan has done to the system. Use fport to find the port the Trojan listens on. Then, from the information gathered, work out the removal procedure.

To analyse a Trojan in depth, also unpack and disassemble its server. That way every action the Trojan takes can be understood fully. It does require a solid grasp of assembly language and some patience, because lengthy assembly code is not something a novice can fully follow.

To go further and analyse the Trojan's message format, monitor the Trojan's port with a sniffer and compare the captured traffic against the code. That kind of analysis is considerably more involved.