A Trojan horse I developed some time ago had the following requirements: it is a DLL; it has to be injected into a process to stay resident; and it must be able to upgrade itself, so that as soon as a newer version is found it frees itself and loads the new one.
Here is one of the implementation schemes I used:
Start a monitoring thread that pulls the latest available version from the network and downloads it to a temporary directory. If it turns out that an upgrade is needed, the DLL immediately calls FreeLibrary on itself and then carries out the update procedure.
Because the memory region of the current module is invalid once FreeLibrary has run, the update procedure runs in a separate thread, and its code is written into separately allocated memory as shellcode and executed from there.
The update procedure needs several system API functions, and these cannot be called directly by name: such a call goes through the import table, which lives in the DLL image that has already been freed. Instead, a parameter block is prepared in advance and handed to the thread; it holds the data and the function addresses the update thread will use:
Let's look at how the update monitoring thread works and how these parameters are prepared:
After creating the update thread, the monitoring thread has to exit promptly and free its own module, and it needs a special way of calling FreeLibrary to do so: an ordinary call would return into code that has just been unmapped, so the module must be freed and the thread ended in one step (FreeLibraryAndExitThread is the documented API for exactly this). Only once the module is unloaded can the update thread delete the DLL file:
Let's see how the update thread works:
As with freeing its own module, once the final VirtualFree has released the memory page holding the currently executing code, execution cannot come back to it, so the stack is prepared beforehand in a way that ends the current thread as soon as VirtualFree returns. The machine code compiled from this function is stored in a global array:
Here are the test results (tested and passed on XP and on Win7 32-bit and 64-bit):
Finally, a few points worth explaining:
1. Delete the files in the temporary directory before loading the new DLL, to stop the update procedure from looping: otherwise the freshly loaded DLL finds the same download and updates again.
2. Check the version information of the DLL before running the update procedure, which likewise prevents a recursive update loop.
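As an added example, not code from the original post: the parameter-block pattern the update thread relies on, together with the two guards from the notes above, written against POSIX file calls (remove, rename) standing in for the Windows ones (DeleteFileW, MoveFileW, LoadLibraryW) so that it builds and runs on any C toolchain. It shows the split the post depends on: the monitoring side, still ordinary module code, decides whether the download is actually newer and copies every address and string the update will need into a heap block that outlives the DLL image; the update routine then works from that block alone, with no globals, no direct calls and no string literals from the image. All function names and paths are assumptions; the shellcode placement, the self-unloading and the VirtualFree/thread-exit step from the post are only noted in comments and do not happen here.

```c
/* Added example (not from the post): parameter-block pattern for a detached
 * update routine, with POSIX calls in place of the Windows APIs. */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Everything the detached update routine is allowed to touch. It is allocated on
 * the process heap, which outlives the DLL image, and filled in before the module
 * is freed. The function pointers are resolved up front so run_update never goes
 * through the freed module's import table; on Windows the slots would hold
 * DeleteFileW, MoveFileW, LoadLibraryW, VirtualFree, ExitThread, ... */
typedef struct update_params {
    int  (*pf_remove)(const char *);
    int  (*pf_rename)(const char *, const char *);
    void (*pf_free)(void *);
    char current_path[PATH_MAX];   /* the DLL file that was loaded (now freed) */
    char new_path[PATH_MAX];       /* the downloaded copy in the temp directory */
} update_params;

/* Read one numeric field of a dotted version string and step past its '.'.
 * A non-numeric byte is skipped so malformed input cannot loop forever. */
static long next_field(const char **s)
{
    char *end;
    long v = strtol(*s, &end, 10);
    if (end == *s && **s) end = (char *)*s + 1;
    if (*end == '.') end++;
    *s = end;
    return v;
}

/* Compare dotted numeric versions ("1.2.10" > "1.2.3"); missing trailing fields
 * count as 0, so "1.0" == "1.0.0". Returns <0, 0 or >0 like strcmp. */
int compare_versions(const char *a, const char *b)
{
    while (*a || *b) {
        long fa = next_field(&a), fb = next_field(&b);
        if (fa != fb) return fa < fb ? -1 : 1;
    }
    return 0;
}

/* Monitoring-thread side: the version check from note 2. Refusing to update
 * unless the download is strictly newer is what stops the freshly loaded DLL
 * from updating itself again with the same file. */
int update_needed(const char *current_version, const char *downloaded_version)
{
    return compare_versions(downloaded_version, current_version) > 0;
}

/* Monitoring-thread side: build the parameter block. Paths are copied into the
 * heap block so the update routine never dereferences an address inside the
 * DLL image. Returns NULL if a path does not fit or allocation fails. */
update_params *prepare_update_params(const char *current_path, const char *new_path)
{
    if (strlen(current_path) >= PATH_MAX || strlen(new_path) >= PATH_MAX) return NULL;
    update_params *p = calloc(1, sizeof *p);
    if (!p) return NULL;
    p->pf_remove = remove;   /* Windows: DeleteFileW */
    p->pf_rename = rename;   /* Windows: MoveFileW   */
    p->pf_free   = free;
    strcpy(p->current_path, current_path);
    strcpy(p->new_path, new_path);
    return p;
}

/* Update-thread side: the body that, in the post's design, runs as shellcode from
 * separately allocated memory after the module has been freed. It uses nothing
 * but p. Steps: drop the old file, move the download into place, clear whatever is
 * left in the temp location before the new module would be loaded (note 1), then
 * release the block. On Windows, LoadLibraryW(p->current_path) would follow the
 * rename, and the routine would end with VirtualFree of its own page and the
 * stack arranged so the thread exits instead of returning. Returns 0 on success,
 * -1 on failure; p is released either way. */
int run_update(update_params *p)
{
    int rc = -1;
    p->pf_remove(p->current_path);                      /* old image; may be absent */
    if (p->pf_rename(p->new_path, p->current_path) == 0) {
        p->pf_remove(p->new_path);                      /* temp leftovers, if any */
        rc = 0;
    }
    p->pf_free(p);
    return rc;
}

/* Small file helpers used only by the demo and its checks. */
int write_text_file(const char *path, const char *text)
{
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    int ok = fputs(text, f) >= 0;
    return (fclose(f) == 0 && ok) ? 0 : -1;
}

int read_text_file(const char *path, char *buf, size_t size)
{
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, size - 1, f);
    buf[n] = '\0';
    fclose(f);
    return (int)n;
}

int main(void)
{
    /* Constructed stand-ins for the loaded DLL and the downloaded copy. */
    const char *cur = "/tmp/selfupdate_demo_current.dll";
    const char *dl  = "/tmp/selfupdate_demo_download.dll";
    if (write_text_file(cur, "image 1.0.0") || write_text_file(dl, "image 1.0.1")) return 1;
    if (!update_needed("1.0.0", "1.0.1")) return 1;
    update_params *p = prepare_update_params(cur, dl);
    if (!p || run_update(p) != 0) return 1;
    char buf[64];
    read_text_file(cur, buf, sizeof buf);
    printf("module file now contains: %s\n", buf);
    return 0;
}
```

The point to take from the layout is the boundary: after prepare_update_params returns, nothing the update routine needs is reachable only through the module image, which is the property the post's shellcode thread has to have before FreeLibrary is called.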