Trojan concealment techniques: a case study in abusing Windows system services
What a Trojan is. In computing, a Trojan is a program that gets into a system without the victim's knowledge and runs there like a spy who has slipped into the enemy camp to open a back door for other attacks. The resemblance to the Trojan Horse of legend is why such a program is called a "Trojan horse", or simply a "Trojan". A Trojan usually consists of two executables, a client and a server. The server is the part hidden on the victim's machine; the so-called "hacker" operates the client as the control terminal. Once the server runs, it opens one or more ports on the victim's machine, initiates contact with the client and…

Microsoft's own description of svchost.exe is that it is the generic host process name for services that run from dynamic-link libraries (DLLs).
Each svchost.exe instance is started for a named service group and reads the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost to learn which services belong to that group and must be loaded; this is why several svchost.exe processes run at the same time. The Trojan queries this same key. The screenshot of the registry query is as follows:
Picture 1: querying the value of the registry entry
As the OllyDbg handles window shows, the handle value 130 held in hKey corresponds to "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost". The screenshot is as follows:
Picture 2: handle of the registry entry
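The Svchost key the Trojan reads is also the place a defender should look when a DLL-hosted service has been replaced. The following PowerShell script is an added example for this case study, not code from the analysed sample or from Microsoft: it walks every service group under the Svchost key, resolves each hosted service's ServiceDll from the Services registry hive, and flags DLLs that sit outside the Windows directory or fail Authenticode verification. It assumes an elevated prompt on the machine under investigation and that ServiceDll is stored either under the service's Parameters subkey or on the service key itself (both locations occur in practice).

```powershell
# Added example (not from the original article): audit the svchost service groups the
# Trojan queries and flag hosted DLLs that look out of place. Run elevated.

$svchostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$winDir      = [Environment]::GetFolderPath('Windows')   # normally C:\Windows

function Get-SvchostGroups {
    # Each value under the Svchost key is a REG_MULTI_SZ: group name -> list of service names.
    $item = Get-Item -Path $svchostKey
    foreach ($group in $item.GetValueNames()) {
        $names = $item.GetValue($group)
        if ($names -is [string]) { $names = @($names) }
        foreach ($svc in $names) {
            [pscustomobject]@{ Group = $group; Service = $svc }
        }
    }
}

function Get-ServiceDll([string]$Service) {
    # ServiceDll normally lives under <service>\Parameters; a few services keep it on the service key.
    foreach ($sub in @("$servicesKey\$Service\Parameters", "$servicesKey\$Service")) {
        if (Test-Path -Path $sub) {
            $dll = (Get-ItemProperty -Path $sub -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
            if ($dll) { return [Environment]::ExpandEnvironmentVariables($dll) }
        }
    }
    return $null
}

$findings = foreach ($entry in Get-SvchostGroups) {
    $dll = Get-ServiceDll -Service $entry.Service
    if (-not $dll) { continue }   # service not installed here, or not DLL-hosted
    $inWinDir = $dll.StartsWith($winDir, [System.StringComparison]::OrdinalIgnoreCase)
    $sig = if (Test-Path -LiteralPath $dll) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'FileMissing' }
    [pscustomobject]@{
        Group      = $entry.Group
        Service    = $entry.Service
        ServiceDll = $dll
        Signature  = $sig
        Suspicious = (-not $inWinDir) -or ($sig -ne 'Valid')
    }
}

# Suspicious entries first: a service taken over by the technique described here shows up
# as a DLL outside the Windows directory, a missing file, or an invalid signature.
$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Two caveats: most system DLLs are catalog-signed rather than carrying an embedded signature, so on older PowerShell versions that do not consult catalogs they report NotSigned and the location check is the more reliable signal; and a DLL inside the Windows directory is not automatically clean, since an attacker with write access there can drop a file beside the originals. Compare the flagged paths against a known-good machine before drawing conclusions.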
The Trojan then calls "OpenSCManagerA()", "OpenServiceA()", "QueryServiceStatus()" and "QueryServiceConfigA()" in a loop, checking the state of the system services one by one until it locates the first service that is both disabled and stopped.
First, "OpenSCManagerA()" establishes a connection to the Service Control Manager and opens the specified services database. "OpenServiceA()" then opens an existing service by name. "QueryServiceStatus()" fills the "SERVICE_STATUS" structure pointed to by its "lpServiceStatus" parameter with the service's current state, and "QueryServiceConfigA()" likewise fills a "QUERY_SERVICE_CONFIG" structure whose "dwStartType" member shows whether the service is disabled. What the Trojan is looking for is a service whose "dwCurrentState" member of the "SERVICE_STATUS" structure is
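The loop described above can be reproduced from the defender's side with the WMI view of the same Service Control Manager data: Win32_Service.State reflects SERVICE_STATUS.dwCurrentState (what QueryServiceStatus returns) and Win32_Service.StartMode reflects QUERY_SERVICE_CONFIG.dwStartType (what QueryServiceConfigA returns). The script below is an added example for this case study, not code from the analysed sample; it lists every service the Trojan's search would accept, shows the first hit, and then checks each candidate's executable for the two signs an investigator would want to see. The path parser and the choice of the Windows directory as the trust boundary are this example's own assumptions.

```powershell
# Added example (not from the original article): replay the Trojan's service search with
# Get-CimInstance, then inspect what it would have chosen. Run elevated for full visibility.

function Get-HijackCandidates {
    # Same selection the sample makes: start type Disabled (dwStartType == SERVICE_DISABLED)
    # and current state Stopped (dwCurrentState == SERVICE_STOPPED).
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartMode -eq 'Disabled' -and $_.State -eq 'Stopped' } |
        Select-Object Name, DisplayName, StartMode, State, PathName
}

function Get-ExecutableFromPathName([string]$PathName) {
    # Service image paths come quoted ("C:\Program Files\x\y.exe" /arg) or bare
    # (C:\Windows\system32\svchost.exe -k netsvcs); return just the executable.
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName.Trim()
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 0) { return $p.Substring(1, $end - 1) }
        return $p.Trim('"')
    }
    $exe = $p.IndexOf('.exe', [System.StringComparison]::OrdinalIgnoreCase)
    if ($exe -ge 0) { return $p.Substring(0, $exe + 4) }
    return ($p -split '\s+')[0]
}

$winDir     = [Environment]::GetFolderPath('Windows')
$candidates = @(Get-HijackCandidates)

"Disabled and stopped services (the set the sample's loop searches): $($candidates.Count)"
"First hit, i.e. the service the sample would pick:"
$candidates | Select-Object -First 1 | Format-List

# Investigator's view of every candidate: where does its executable live, is it still on
# disk, and does it verify? A service that has been repointed at attacker-controlled code
# usually fails at least one of these.
foreach ($svc in $candidates) {
    $exe = Get-ExecutableFromPathName -PathName $svc.PathName
    if (-not $exe) { continue }
    $outside = -not $exe.StartsWith($winDir, [System.StringComparison]::OrdinalIgnoreCase)
    $present = Test-Path -LiteralPath $exe
    $sig     = if ($present) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'FileMissing' }
    [pscustomobject]@{
        Service    = $svc.Name
        Executable = $exe
        OutsideWin = $outside
        Signature  = $sig
    }
}
```

Third-party products legitimately install disabled services outside the Windows directory, so OutsideWin alone is not evidence; the combination of a disabled service, a recently changed image path and a failing or missing signature is what merits pulling the binary for analysis. Because the sample stops at the first matching service, the order in which Win32_Service enumerates (alphabetical by name) is also the order in which the attacker's OpenServiceA() loop is most likely to succeed.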