While developing a Trojan horse, I once had the following requirement: the Trojan is a DLL file, the DLL needs to be permanently injected into a process, and the DLL must be able to upgrade itself: when it discovers a new available version, it immediately frees itself and loads the new one.

Here is one of my implementations:

Start a listening thread that pulls the latest available version from the network and downloads it into a temporary directory. If an upgrade is found, the DLL immediately calls FreeLibrary on itself and then performs the update process.

Since the memory region of the current module is invalid after FreeLibrary, the update process runs in a separate thread, and the code that performs the update is written as shellcode into separately allocated memory and executed from there.

The update process uses several system API functions, which cannot be called directly by function name: such calls go through the import table, and the DLL will already have been freed at that point. So the update thread is passed a parameter block containing the data and function addresses it will need:

Let's look at how the update listener thread works and how these parameters are prepared:

Once the update thread has been created, the listener thread needs to exit and free its own module. A special technique is needed to call FreeLibrary (so that the update thread can then delete itself):

Here’s how the update thread works:

As when the module frees itself, the final VirtualFree call releases the memory page that holds the currently executing code, so execution cannot return to it; instead, the stack parameters are constructed so that when VirtualFree returns, the current thread is terminated. The compiled machine-code bytes for this function are stored in a global array:

The following is the test result (passed on Windows XP and on 32-bit and 64-bit Windows 7):

A few final points to note:

1. Delete the files in the temporary directory before loading the new DLL, to prevent the update process from recursing in a loop.

2. Before performing the update process, check the version information of the DLL, also to prevent a recursive update loop.