
Hanoi University of Science and Technology
School of Information and Communication Technology

TERM PROJECT
Course: Operating Systems

Topic: A study of the Hooker virus

Instructor: Văn Uy
Student: Đào Văn Long
Student ID: 20081576
Class: HTTT-K53

Hanoi, April 2011

Table of Contents

Part 1: Introduction
Part 2: Content
  I. Overview of the virus
    1. What Hooker is
    2. History of the Hooker virus
    3. Structure of Hooker
  II. How the virus reaches a machine
    1. Infection routes
    2. How it attaches itself
  III. How it operates
    1. What the trojan does once activated
    2. How it hides
      2.1. Collecting information
      2.2. Contacting its owner
      2.3. RPC (Remote Procedure Call)
      2.4. Configuring the Hooker virus
  IV. How to protect yourself
Part 3: Conclusion

PART I: GENERAL INTRODUCTION

Hooker is essentially an open-source trojan. A trojan is an illegitimate program concealed inside a legitimate one; the hidden program performs secret functions that the user neither knows about nor asked for. The functions of a trojan are covered in a later part; note also that a trojan can equally be regarded as a remote administration tool. Trojans remain a major problem for network security today. Many people do not know what a trojan is and download files without knowing where they came from. There are currently more than 1000 trojans, and probably many more, because every hacker, programmer or hacker group writes their own, and these are not made public until they are discovered.

A trojan is a computer program that appears useful but is in fact destructive. Trojans spread when people are lured into running a program because they believe it comes from a legitimate source; a trojan may also be bundled into free software that you download. Unlike a virus, a trojan is program code with no ability to spread on its own: it is installed only because its author tricks the victim, whereas a virus actively seeks out new victims. Software carrying a trojan usually takes the form of a utility or an attractive new program, so that it easily draws users in.

This report presents trojans and Hooker: the basic concepts, the infection mechanism, how it steals user accounts, and how it gets into your machine.

PART II: CONTENT

I. Overview of the Hooker virus

1. What is Hooker?

Hooker is a piece of malware in the keylogger family. A keylogger ("keystroke monitor") is a program originally written to monitor and record every keystroke into a log file for whoever installed it to read. Because this function intrudes on other people's privacy, keyloggers are classed as spyware. Hooker, then, is a program whose purpose is to help its owner steal information from the infected computer, such as e-mail accounts. The report calls it a "virus" throughout; by the definition given in Part I it is strictly a trojan, since it does not replicate on its own.

2. History of the Hooker virus

- Version 1.0: only an experimental program with very weak capability (a simple keylogger). It was completely rewritten in the next version.
- Version 2.0: now sends a keylog and copies password files (*.pwl). It creates a registry entry recording the path for the user, and the maximum size of the log file can be set. After sending the log file it deletes it and starts a new one. Hooker prefixes each entry with keywords from the window title and stores these features.
- Version 2.1: adds the words sent and logging after logon, as above.
- Version 2.2 beta 1: fixed major bugs in keylogging and in the hook functions in keylogdll, making the trojan more stable with more features.
- Version 2.2 beta 2: fixed a bug in the function reporting the system date and time.
- Version 2.3 beta 1–4: found and fixed a bug in RAS connections. It sometimes conflicted with some hosts. The keylogging DLL is packed with LZW.
- Version 2.3 beta 5: Hooker sends keylogs only when the window has content (the exact condition is lost in the source); otherwise the trojan does not send, since earlier versions simply filled the mailbox with a large number of messages.
- Version 2.3 beta 6: a small change in the mail-sending procedure lets Hooker start on machines without rasapi32.dll.
- Version 2.4: no further versions; this is the release. Fixed a bug in username and hostname detection, and added a few features:
  - Full keylog: if unchecked, Hooker only logs windows in which keystrokes occurred.
  - Advanced logging: if unchecked, Hooker does not log extended keys such as Shift and Alt.
  Also fixed a bug in IP connections.

3. Structure of Hooker

a. Main components

A Hooker typically has three main parts:
* Control program: coordinates operation, adjusts settings and views the log files. This is the most carefully hidden part of Hooker; usually it can only be brought up with a special hotkey combination.
* Hook file, or a monitor program, which records keystrokes and captures the screen (this is the most important part).
* Log file, which holds everything the hook recorded.
Depending on the variant there may also be a guard/protect component and a report component that notifies the owner.

b. Some types of hook

In Windows, when we click the mouse or press a key, the operating system turns these events into messages and places them in the system queue. The messages are then handed to each application for processing. A hook is a technique that lets a function intercept, monitor, process or discard messages before they reach the application. Two common examples of hooks are Vietnamese input editors (Unikey, Vietkey) and on-screen dictionary tools (ClicknSee, Lạc Việt MTD, English Study): the former process keyboard messages to convert text into Vietnamese, the latter process mouse messages to pick up the text under the cursor. Password-stealing keyloggers use the same technique, and the Hooker virus is built on this principle.

By function there are 15 hook types, each corresponding to the group of events it handles:
- WH_CALLWNDPROC: handles messages before the system sends them to the destination window procedure
- WH_CALLWNDPROCRET: handles messages after the destination window procedure has processed them
- WH_CBT: receives notifications useful to a computer-based training (CBT) application
- WH_DEBUG: useful for debugging other hook procedures
- WH_FOREGROUNDIDLE: called when the application's foreground thread is about to become idle; useful for running low-priority tasks during idle time
- WH_GETMESSAGE: handles messages posted to a message queue
- WH_JOURNALPLAYBACK: posts messages previously recorded by a WH_JOURNALRECORD hook procedure
- WH_JOURNALRECORD: records input messages posted to the system message queue; useful for recording macros
- WH_KEYBOARD: handles keystroke messages
- WH_KEYBOARD_LL (Windows NT): handles low-level keyboard input events
- WH_MOUSE: handles mouse messages
- WH_MOUSE_LL (Windows NT): handles low-level mouse input events
- WH_MSGFILTER: handles messages generated as a result of an input event in a dialog box, message box, menu or scroll bar
- WH_SHELL: receives notifications useful to shell applications
- WH_SYSMSGFILTER: like WH_MSGFILTER, but the hook procedure handles these messages for all applications in the system

For each hook type Windows keeps a chain of filter functions. For example, when the user presses a key, the message is passed through every filter function in the WH_KEYBOARD chain. A practical point: a global WH_KEYBOARD hook procedure must live in a DLL that Windows loads into every process receiving keyboard input, which is why Hooker ships a separate keylogging DLL, whereas a WH_KEYBOARD_LL hook runs in the context of the thread that installed it and needs no DLL.

II. How the virus reaches a machine

1. Infection routes

1.1. Via ICQ: ICQ is a program that lets people exchange messages directly as text or voice, like Yahoo or MS Instant Messenger. Many people think a trojan cannot spread while they are chatting, yet a chat partner can send them one. ICQ had a bug that let you send someone an .exe file that appeared to the recipient as an audio or image file.

For example: someone changes the icon of file.exe so that it looks like a .bmp and tells you it is a picture of him. You download it and... boom. If the sender had actually renamed file.exe to .bmp you would be safe, because a file renamed to .bmp cannot execute. But when the file sent to you is really a trojan bundled with an image and the sender has only changed the icon of the .exe, the trojan starts running without your suspecting anything, since it still displays someone's picture. That is why most users say they never ran anything, yet were infected without knowing it.

1.2. Via IRC: like the ICQ method, spreading over IRC (Internet Relay Chat, a form of instant communication over the Internet) also means tricking the victim into running the trojan on their own machine.

1.3. Via e-mail: trojans spread by mail very quickly. A simple and common method is for the trojan to take the addresses in your address book and mail itself to your friends. To guard against this, install a program that scans mail before it is downloaded and checks outgoing mail.

1.4. Via direct access: during normal use an access mistake may let the trojan in, or someone may break into your machine and plant it.

1.5. Other tricks: on Windows, an attacker can attach a trojan under an innocent-looking name to an e-mail to lure the reader into opening it. Trojans are usually Windows executables with extensions such as .exe, .com, .bat, .scr or .pif. Many Windows configurations hide these extensions by default, so a trojan named Readme.txt.exe is displayed as Readme.txt and fools the user into thinking it is a harmless text document. Icons can also be assigned to any file type and attached to mail; when the recipient opens the icon, the hidden trojan does its unexpected damage. Today's trojans not only delete files or secretly alter the infected machine's configuration but also use it as a base to attack other machines on the network. Exploiting browser bugs, for example in Internet Explorer, trojans are planted on web pages so that visitors are infected on viewing them. Users should apply patches regularly and use a browser with stronger security such as Firefox.
2. How it attaches itself

Those are some of the ways the virus reaches our machine. To get it onto the carriers above, the owner of the virus uses Godmessage to store the trojan in an e-mail or web page; when the victim opens the mail or page, the trojan is installed automatically. (Godmessage is a tool for building an ActiveX control on a web page. When an IE user visits a page seeded with the malicious ActiveX control, the browser immediately downloads a compressed file; on the next boot it is unpacked and goes to work.) ActiveX is a program fragment that allows Hooker to be embedded in a document or a web page. When we download a document, say an image file, the icon trick described under 1.1 applies here as well: a file genuinely renamed to .bmp cannot run, but a trojan bundled with an image whose .exe icon has been changed runs unnoticed while still showing the picture.

III. How it operates

1. What the trojan does once activated

- Find a safe place to hide: the main code can create two or three files, or more, to find a good place to hide. Its favourite locations are ...\system and ...\system32. Among them is a so-called activation file, normally an executable (.com, .exe, .bat, .inf, ...), and a file holding functions, a library or data; a library usually has the .dll extension, while a data file is usually .dat or .tmp.

- Gain control at startup: once safely hidden, it secures a start at boot using one of several locations that Windows processes first:
  - Autostart folder: e.g. if the trojan's startup file is trojan.exe, C:\Windows\Start Menu\Programs\StartUp\trojan.exe.
  - In C:\Windows\Win.ini, the line load=Trojan.exe or run=Trojan.exe.
  - In C:\Windows\system.ini, after the shell line: Shell=Explorer.exe trojan.exe; the trojan runs whenever Explorer.exe runs.
  - In Autoexec.bat: c:\...\Trojan.exe
  - Explorer startup: c:\explorer.exe,c:\...\trojan.exe
  - A registry value under one of these keys:
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "trojan"="c:\...\Trojan.exe"
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce] "trojan"="c:\...\Trojan.exe"
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices] "trojan"="c:\...\Trojan.exe"
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce] "trojan"="c:\...\Trojan.exe"
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "trojan"="c:\...\Trojan.exe"
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce] "trojan"="c:\...\Trojan.exe"
  - The registry shell-open command for executables, whose normal value is "%1" %*:
    [HKEY_CLASSES_ROOT\exefile\shell\open\command]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
    trojan.exe "%1 %*"
    With this change every .exe the user launches is started through the trojan.
  - Applications that allow other programs to run, e.g. ICQ: [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\]
  - Active Setup: [HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\KeyName] StubPath=C:\...\Trojan.exe

- Kill antivirus and firewall software, i.e. the programs that fight it, by scanning memory and, whenever a process name matches the list held in its data file, terminating or blocking it. The processes the virus terminates while running are:
  ZONEALARM.EXE WFINDV32.EXE WEBSCANX.EXE VSSTAT.EXE VSHWIN32.EXE VSECOMR.EXE VSCAN40.EXE VETTRAY.EXE VET95.EXE NT.98.EXE TCA.EXE TBSCAN.EXE SWEEP95.EXE SPHINX.EXE SMC.EXE
  SERV95.EXE SCRSCAN.EXE SCANPM.EXE SCAN95.EXE SCAN32.EXE SAFEWEB.EXE RESCUE.EXE RAV7WIN.EXE RAV7.EXE PERSFW.EXE PCFWALLICON.EXE PCCWIN98.EXE PAVW.EXE PAVSCHED.EXE PAVCL.EXE PADMIN.EXE OUTPOST.EXE NVC95.EXE NUPGRADE.EXE NORMIST.EXE NMAIN.EXE NISUM.EXE NAVWNT.EXE NAVW32.EXE NAVNT.EXE NAVLU32.EXE NAVAPW32.EXE N32SCANW.EXE MPFTRAY.EXE MOOLIVE.EXE LUALL.EXE LOOKOUT.EXE LOCKDOWN2000.EXE JEDI.EXE IOMON98.EXE IFACE.EXE ICSUPPNT.EXE ICSUPP95.EXE ICMON.EXE ICLOADNT.EXE ICLOAD95.EXE IBMAVSP.EXE IBMASN.EXE
  IAMSERV.EXE IAMAPP.EXE FRW.EXE FPROT.EXE FP-WIN.EXE FINDVIRU.EXE F-STOPW.EXE F-PROT95.EXE F-PROT.EXE FAGNT95.EXE ESPWATCH.EXE ESAFE.EXE ECENGINE.EXE DVP95_0.EXE DVP95.EXE CLEANER3.EXE CLEANER.EXE CLAW95CF.EXE CLAW95.EXE CFINET32.EXE CFINET.EXE CFIAUDIT.EXE CFIADMIN.EXE BLACKICE.EXE BLACKD.EXE AVWUPD32.EXE AVWIN95.EXE AVSCHED32.EXE AVPUPD.EXE AVPTC32.EXE AVPM.EXE AVPDOS32.EXE AVPCC.EXE AVP32.EXE AVP.EXE AVNT.EXE AVKSERV.EXE AVGCTRL.EXE AVE32.EXE AVCONSOL.EXE AUTODOWN.EXE APVXDWIN.EXE ANTI-TROJAN.EXE ACKWIN32.EXE
  _AVPM.EXE _AVPCC.EXE _AVP32.EXE
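The persistence locations listed above, turned into a read-only audit a defender can run on a Windows machine. This is an added example, not part of the report or of Hooker itself. The registry paths are exactly the ones the text names; Win.ini, System.ini, Autoexec.bat and the Explorer entry are Windows 9x-era mechanisms, so the files are checked only if present. Run it from an elevated PowerShell so the HKLM keys are readable. The "suspicious" heuristics (an entry outside Program Files or the Windows directory, or inside a user profile or temp directory) are my own assumption and produce false positives for legitimately installed software; they are a triage aid, not a verdict.

```powershell
$runKeys = @(
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Test-Suspicious([string]$cmd) {
  # Heuristic only (assumption): flag commands outside the usual install roots or inside profile/temp paths.
  $cmd = [Environment]::ExpandEnvironmentVariables($cmd)
  $ok  = $cmd -match '^\s*"?[A-Za-z]:\\(Program Files( \(x86\))?|Windows)\\'
  $bad = $cmd -match '\\(Users|AppData|Temp|Documents and Settings)\\'
  return ((-not $ok) -or $bad)
}

$findings = @()

# 1) Run / RunOnce / RunServices values: each value name maps to a command line
foreach ($key in $runKeys) {
  if (-not (Test-Path $key)) { continue }
  foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
    if ($p.Name -like 'PS*') { continue }   # skip the provider's own PSPath/PSDrive/... metadata
    $findings += [pscustomobject]@{ Location = $key; Name = $p.Name; Command = $p.Value; Suspicious = (Test-Suspicious $p.Value) }
  }
}

# 2) The .exe shell\open\command hijack: anything other than "%1" %* means every .exe is proxied
foreach ($key in 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command',
                 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command') {
  if (Test-Path $key) {
    $cmd = (Get-ItemProperty -Path $key).'(default)'
    $findings += [pscustomobject]@{ Location = $key; Name = '(default)'; Command = $cmd; Suspicious = ($cmd -ne '"%1" %*') }
  }
}

# 3) Active Setup StubPath entries run once per user at logon
$activeSetup = 'HKLM:\Software\Microsoft\Active Setup\Installed Components'
if (Test-Path $activeSetup) {
  Get-ChildItem $activeSetup | ForEach-Object {
    $stub = (Get-ItemProperty $_.PSPath).StubPath
    if ($stub) { $findings += [pscustomobject]@{ Location = $_.PSPath; Name = 'StubPath'; Command = $stub; Suspicious = (Test-Suspicious $stub) } }
  }
}

# 4) Startup folders (per-user and all-users); executables dropped here run at logon
foreach ($dir in [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')) {
  if (Test-Path $dir) {
    Get-ChildItem $dir -File | ForEach-Object {
      $findings += [pscustomobject]@{ Location = $dir; Name = $_.Name; Command = $_.FullName; Suspicious = ($_.Extension -in '.exe','.com','.bat','.scr','.pif') }
    }
  }
}

# 5) Legacy Win.ini / System.ini lines (load=, run=, shell=); only present on old systems
foreach ($ini in "$env:windir\win.ini", "$env:windir\system.ini") {
  if (Test-Path $ini) {
    Select-String -Path $ini -Pattern '^\s*(load|run|shell)\s*=' | ForEach-Object {
      $line = $_.Line.Trim()
      # Anything after "shell=explorer.exe", or a non-empty load=/run=, is an extra program being started
      $findings += [pscustomobject]@{ Location = $ini; Name = ($line -split '=')[0]; Command = $line; Suspicious = ($line -notmatch '^(shell=explorer\.exe|load=|run=)\s*$') }
    }
  }
}

$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap
```

The Autoexec.bat and "c:\explorer.exe,c:\...\trojan.exe" entries from the list are omitted because they have no equivalent on NT-based Windows. The two registry locations worth reading first are the exefile\shell\open\command value and Active Setup: the former is rarely touched by legitimate software, and the latter is a favourite because it is not shown by msconfig.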

2. How it hides

Being split into several parts helps the trojan a great deal with disguise. The main code sits in a dynamic-link library (.dll) whose name closely resembles a Windows library, which makes it very hard to spot, and it is placed among files of the same kind, usually in C:\...\system. The boot code is very small and may be encrypted and hidden, so we mistake it for a harmless file. To defeat monitoring by anti-malware software the trojan may add instructions that do not affect the program's logic (to defeat emulation), so that its file size changes at every start, or it may hide inside programs people use often by splicing a command into some program (at the beginning, in the middle or at the end, without affecting the host program). This way the boot code is not easily found, and even if the boot code is deleted from disk, running the host program brings it back into normal operation. To strengthen the disguise it stays off the task bar, so that CTRL+ALT+DEL does not show it, or it disables msconfig, the command that shows Windows' startup entries. In addition, after the main code is activated, the newly created boot code checks for and deletes the main program, making its concealment tighter still. Because stealing information has to be discreet, the trojan treats stealth and concealment as very important.

2.1. Collecting information

Depending on the designer, the stolen information takes various forms, but mainly the following:
+ Passwords for webmail and for any application with a login/password prompt, plus ICQ, IRC, FTP, HTTP, ...
+ All files of types .DBX, .TBB, .EML, .MBX, .NCH, .MMF, .INBOX, .ODS, in order to extract all of the victim's mail contents.
+ Certain files the designer asks for, mostly application and data files as well as logon-related ones: .doc, .dbf, .sxl, .pwl, .log.
+ Seize resources: it can open ports and create a protocol that lets it harvest data from other machines, or lets its owner connect remotely to the victim's machine to take information or take control (delete, upload, download, ...), and it takes over HTTP, FTP, SMTP, ... to make contact with its owner easier.

2.2. Contacting its owner

The author of the Hooker virus wants this final requirement above all: the trojan must reach him. So, in addition to the basic components above, a complete Hooker, once activated, also needs a file mswinsck.ocx among its files. Mswinsck.ocx is an ActiveX control called the Winsock Control. It ships with Microsoft Visual Studio and is used to connect to a remote machine and exchange data over TCP or UDP, the protocols used to build client and server programs. The report frames the trojan's contact with its owner as a remote call in the sense of RPC (Remote Procedure Call); note, however, that the Winsock control only provides plain TCP/UDP sockets, and Microsoft RPC, described in 2.3, is a separate mechanism. The channels used are:
+ SMTP (port 25) or POP3, i.e. through a mail server that the owner can read. Using SMTP requires a network connection, and sending mail with no connection would of course raise an alert on the victim's machine, so the trojan stores a few addresses in its data section and checks the value of a URL: if it sees a change on the page or in the URL, the network is up. Alternatively it uses google.com to test connectivity.
+ FTP (port 21), HTTP (port 80) or telnet (port 23), over which it can send data to its owner or wait for him. It can open a port and wait for its owner to connect to the victim's machine. Later Hooker variants use every transfer method available, and the more thoroughly they exploit the machine the more they favour opening a listening port, which lets the owner extract more information. To connect the trojan on the victim's machine with its owner, the trojan's data section stores two more items: an account name and a password. It mails the log to the owner's mailbox as the file Log.txt.

Next we look at RPC:

2.3. RPC (Remote Procedure Call)

Remote Procedure Call (RPC) is an advanced technique for connecting a client to a server that uses applications and services. RPC lets a client connect to a service running on a dynamic port on another computer. Many services and applications in today's networks use RPC, for example replication between Domain Controllers in Active Directory, or MS Outlook connecting to MS Exchange Server.

A. Architecture of RPC

RPC is designed to make transferring information between client and server easier, more secure, and more convenient for synchronising data streams. The functions in RPC support access to any program that requires client-to-server communication. The figure below shows the RPC architecture.

Figure 1: Remote Procedure Call architecture

B. Components of RPC

- Client or server process: the program or service that initiates or responds to an RPC request.
- RPC stubs: subroutines used by the client or server to initiate an RPC request; they provide a common interface between the RPC client or server and the marshalling engine.
- Marshalling engine (NDR20 or NDR64): comes in two flavours. NDR20 is used for 32-bit platforms, NDR64 is optimised for 64-bit platforms. Client and server negotiate whether to use NDR20 or NDR64.
- Runtime application programming interface (API): provides the RPC interface to clients or servers. Typically RPC clients and servers call API functions to initialise RPC and prepare the data structures used to make the RPC call. The API layer determines whether the RPC request comes from the marshalling engine or directly from the client/server and whether it targets a local or a remote server, then routes it to the Connection RPC, Datagram RPC or Local RPC layer.
- Connection RPC protocol engine: used when RPC requires a connection-oriented protocol; this layer is invoked when RPC sends or receives over a connection-oriented transport.
- Datagram RPC protocol engine: used when RPC requires a connectionless protocol; invoked when RPC sends or receives over a connectionless transport.
- Local RPC protocol engine: used when server and client are on the same host.
- Registry: accessed when the RPC service first loads. Registry entries specify the IP port ranges and network-card device names that RPC may bind to. Unless the API forces RPC to use it, the registry is not consulted during RPC operation.
- Win32 APIs (kernel32.dll, advapi32.dll, ntdll.dll): Kernel32.dll is a 32-bit dynamic library in Windows NT responsible for memory management and I/O; Advapi32.dll is the advanced Windows 32 base API, supporting security and registry calls; Ntdll.dll manages Windows NT system functions.
- SSPI (secur32.dll): provides the security interface for RPC. Secur32.dll negotiates the method used for authentication and encryption: Kerberos, NTLM or Secure Sockets Layer (SSL).
- Endpoint Mapper (EPM) (rpcss.dll): Rpcss.dll mainly provides infrastructure for COM services, but part of it serves the EPM. RPC servers contact the EPM to obtain dynamic endpoints and register them in the EPM database; when an RPC client wants to connect to an RPC server, it contacts the EPM to resolve those endpoints.
- Active Directory: used only in the RPC client process when the security interface specifies Kerberos or Negotiate as the security provider, or when the server uses NTLM as the security provider.
- Network stack: carries RPC requests and replies between client and server.
- Kernel: carries RPC requests and replies between client and server (local RPC).

C. RPC processing and interaction

The RPC components let a client easily call a function that resides in a remote program. Client and server each have their own address space; that is, the memory the client and the server allocate for data is used by the function on each side.

Figure 2: RPC processing

RPC processing starts on the client side. The client application calls the client stub instead of writing code to implement the function itself. The stubs are compiled and linked with the client application during development. Instead of containing the code that performs the remote call, the stub code retrieves the parameters from the client's address space and passes them to the client runtime library, which translates them into the standard NDR (Network Data Representation) format for transfer to the server. The client stub then calls functions in the client runtime library (rpcrt4.dll) to send the request and its parameters to the server. If the server is on the same host as the client, the runtime can use Local RPC (LRPC) and pass the request through the Windows kernel for transport to the server. If the server is on another host, the runtime picks a suitable transport protocol and passes the request to the network stack. RPC can also use other inter-process communication (IPC) mechanisms such as named pipes and Winsock to reach the server. The table below lists the network protocols RPC supports and the RPC type used with each:

  Protocol                               RPC type
  Transmission Control Protocol (TCP)    Connection-oriented
  Sequenced Packet Exchange (SPX)        Connection-oriented
  Named Pipe                             Connection-oriented
  HTTP                                   Connection-oriented
  User Datagram Protocol (UDP)           Connectionless
  Cluster Datagram Protocol (CDP)        Connectionless

When the server receives the RPC request (from a local or a remote client), the server RPC runtime library functions accept the request and call the server stub. The server stub retrieves the parameters from the network buffer, selects NDR20 or NDR64 in the NDR marshalling engine, and converts them from the network transfer format into the format the server requires. The remote procedure then runs, possibly producing output parameters and a return value. When it completes, a similar sequence of steps returns the data to the client: the remote procedure returns its data to the server stub, which selects NDR20 or NDR64, converts the output parameters into the network transfer format for the client and hands them to the server RPC runtime, which transmits the data to the client machine over LRPC or the network. The client completes the procedure by accepting the data from the network and returning it to the calling function: the client RPC runtime receives the remote procedure's return values, converts them from NDR20 or NDR64 into the client's format, and returns them to the client stub. On Microsoft Windows the runtime library has two parts: 1. an import library linked with the application; 2. the RPC runtime library, deployed as a DLL.

D. Ports used by RPC

RPC server programs normally use dynamic ports (to avoid clashing with the programs and protocols registered in the well-known TCP port range). The table below lists the ports used by RPC:

  Service name           UDP                     TCP
  HTTP                   80, 443, 593            80, 443, 593
  Named Pipes            445                     445
  RPC Endpoint Mapper    135                     135
  RPC server programs    dynamically assigned    dynamically assigned

2.4. Configuring the Hooker virus

As explained above, after collecting information from the victim, Hooker sends the result to its owner as the file Log.txt over the network. Briefly, this is how Hooker is told the owner's e-mail address to report back to. A Hooker build consists of these main files: Config.bat, history.txt, hkconf.exe, hooker.exe and Hkconf.ini.

Open Hkconf.ini and change the following parameters (the purpose of the last two is inferred from the parameter names):
- host = mail.vnn.vn (the SMTP server used to send the log)
- mailto = your e-mail address (where the trojan sends the stolen accounts)
- reg_desc = TaskMem (the name given to its registry autostart entry)
- exename = MSCR56.exe (the file name the trojan runs under on the victim)
Save the file, then run Config.bat. When it finishes it produces a file: this is the completed, working trojan, and all that remains is to send it to the victim.

From the defender's side these four fields are also the detection handles: the configured host and recipient show up as outbound SMTP from the victim, and the registry description and executable name are what an audit of the autostart locations in III.1 would reveal.

IV. How to protect yourself

+ Some antivirus programs can help to a degree, e.g. anti-trojan or antivirus tools.
+ Use a port scanner to see whether you have any open ports you cannot account for.
+ Check a file before running it.
+ Do not accept files from strangers.
+ The most effective measure is never to open attachments that arrive unexpectedly; if the attachment is not opened, the trojan horse cannot run. Be careful even with mail from familiar addresses: when you are sure an attachment comes from someone you know, still test it with antivirus software before opening it. Files downloaded from file-sharing services such as Kazaa or Gnutella are highly suspect, because these services are commonly used to spread trojan horses.
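The "check your own open ports" advice above and the exfiltration channels described in 2.2 (SMTP 25, FTP 21, telnet 23, HTTP 80, or a listener waiting for the owner) combined into one host-side check. This is an added example, not from the report: it lists listening sockets and established outbound connections together with the owning process, flags the ports the text names, and reports any process that has loaded mswinsck.ocx, the Winsock control the report says Hooker carries. It needs Windows 8 / Server 2012 or later for Get-NetTCPConnection and should be run elevated so that other users' processes can be inspected. The port list, the set of "expected" process names and the flag rule are assumptions made for this example.

```powershell
$exfilPorts   = 21, 23, 25, 80                        # channels named in section 2.2 (assumption: nothing else)
$systemNames  = 'System', 'svchost', 'lsass', 'services', 'wininit', 'spoolsv'   # assumed-benign listeners
$browserNames = 'chrome', 'firefox', 'msedge', 'iexplore'                        # expected on port 80
$procCache    = @{}

function Get-ProcName([int]$processId) {
  # Map a PID to a process name once; the process may already be gone
  if (-not $procCache.ContainsKey($processId)) {
    $p = Get-Process -Id $processId -ErrorAction SilentlyContinue
    $procCache[$processId] = if ($p) { $p.ProcessName } else { '<gone>' }
  }
  return $procCache[$processId]
}

"== Listening TCP ports (a trojan 'waiting for its owner' shows up here) =="
Get-NetTCPConnection -State Listen |
  Where-Object { $_.LocalAddress -ne '127.0.0.1' -and $_.LocalAddress -ne '::1' } |   # reachable from the network
  ForEach-Object {
    $name = Get-ProcName $_.OwningProcess
    $note = if ($name -in $systemNames) { '' } else { 'CHECK: user-land listener' }
    [pscustomobject]@{ LocalPort = $_.LocalPort; PID = $_.OwningProcess; Process = $name; Note = $note }
  } | Sort-Object LocalPort | Format-Table -AutoSize

"== Established outbound connections on the ports used for exfiltration in 2.2 =="
Get-NetTCPConnection -State Established |
  Where-Object { $_.RemotePort -in $exfilPorts } |
  ForEach-Object {
    $name = Get-ProcName $_.OwningProcess
    # A browser on 80 is normal; SMTP/FTP/telnet from an unfamiliar binary is what Hooker's reporting looks like
    $note = if ($_.RemotePort -eq 80 -and $name -in $browserNames) { '' } else { 'CHECK: should this process talk on this port?' }
    [pscustomobject]@{ Remote = "$($_.RemoteAddress):$($_.RemotePort)"; PID = $_.OwningProcess; Process = $name; Note = $note }
  } | Format-Table -AutoSize

"== Processes that have loaded mswinsck.ocx (the Winsock control named in 2.2) =="
Get-Process | ForEach-Object {
  $proc = $_
  try {
    $proc.Modules | Where-Object { $_.ModuleName -ieq 'mswinsck.ocx' } | ForEach-Object {
      [pscustomobject]@{ PID = $proc.Id; Process = $proc.ProcessName; Module = $_.FileName }
    }
  } catch { }   # access denied or 32/64-bit mismatch for protected processes: skip them
} | Format-Table -AutoSize
```

A listener that only appears intermittently, or an SMTP connection from a process with a system-sounding name living outside \Windows, is the pattern to follow up on: cross-check the PID's image path and then the autostart locations from III.1. Note that a trojan which polls a URL to test connectivity (as 2.2 describes) produces only short-lived connections on port 80, so a single snapshot may miss it; run the check a few times or pair it with firewall logging.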

PART III: CONCLUSION

People have always wanted to conquer space; since the earliest times distance has been the greatest challenge they have tried to overcome, and today they keep looking for ways to shrink it. The clearest example is the constant search for faster transport: faster cars, trains and aircraft. People want to reach the place they want to be in an ever shorter time, because time is money. It is the same in IT: information and data are extremely valuable, but moving data from one place to another takes time, so technologies, operating systems and techniques keep changing to meet that need. Hackers are for the most part people who want to master distance: sitting in one place, they can get into a computer somewhere else to take data or break in, with no means of transport at all. This is the strongest capability of IT, one that no other field has, and the idea of the remote-access trojan (which the report calls "remote boot") arose partly to help with reaching data that is far away. Today many tools allow remote access, for example pcAnywhere or the remote-access features of Windows XP, and the trojan is a very powerful tool among them; are we beginning to feel that trojans advance along with IT? Although the Hooker trojan examined here has become dated, it contributed to the diversity of trojans in particular and of the malware world in general.

