Precaution And Detection On Remote Control Trojan Program

Posted on: 2013-04-29
Degree: Master
Type: Thesis
Country: China
Candidate: W B Meng
GTID: 2248330371466690
Subject: Information security

Abstract/Summary:
Prevention and detection of remote control Trojan programs is a hot topic in information security. This paper focuses on I/O completion ports, DLL hijacking, file binding, and the prevention and detection of DLL hijacking. An efficient method of preventing and detecting Trojan programs is based on research into remote control techniques.

There are five socket I/O models in WinSock. I/O completion ports provide an efficient threading model for processing multiple asynchronous I/O requests on a multiprocessor system. Processes that handle many concurrent asynchronous I/O requests can do so more quickly and efficiently by using I/O completion ports in conjunction with a pre-allocated thread pool than by creating threads at the time they receive an I/O request.

When an application wants to load a dynamic-link library on the Windows operating system, it must follow this rule: first, the library is searched for by name in the application's directory; if nothing is found there, the operating system searches other directories. The technique that makes an application not load the dynamic-link library in the system directory first is called dynamic-link library hijacking.

File binding is a technique in which two or more files are combined into one file. All of the files are executed when the bound file is executed. A new file binding method based on resource files is implemented in this paper.

Traditional Trojan detection technology can be divided into two categories: static scanning and dynamic scanning (active defense). For a DLL hijack Trojan, such anti-virus software cannot perform effective detection. Through in-depth research on dynamic-link library hijacking, this paper designs and implements a dedicated prevention tool and a dedicated detection tool to prevent and detect DLL hijack Trojans.

This article covers the following parts:

1. Analysis of I/O completion ports and implementation of the I/O completion port model.
2. Analysis of dynamic-link library hijacking technology.
3. Research on remote control and file binding.
4. Study of antivirus technology.
5. Design and implementation of a dedicated DLL hijack prevention tool.
6. Design and implementation of a dedicated detection tool to detect DLL hijack Trojans.
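
As an added illustration of the search-order rule described in the abstract (this is not code from the thesis or its tools), the following Python example lists DLLs in an application directory that share a name with a DLL in the system directory and marks those whose content differs. The function names and the sample files are assumptions constructed for this example.

```python
import hashlib
import os
import tempfile


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _dll_index(directory):
    """Map lower-cased DLL name -> path (Windows file names are case-insensitive)."""
    index = {}
    for entry in os.scandir(directory):
        if entry.is_file() and entry.name.lower().endswith(".dll"):
            index[entry.name.lower()] = entry.path
    return index


def find_shadowing_dlls(app_dir, system_dir):
    """Return [(dll_name, same_content)] for DLLs in app_dir that share a name
    with a DLL in system_dir. same_content=False means the local copy differs
    from the system copy and should be reviewed first."""
    app = _dll_index(app_dir)
    system = _dll_index(system_dir)
    findings = []
    for name in sorted(app.keys() & system.keys()):
        findings.append((name, _sha256(app[name]) == _sha256(system[name])))
    return findings


def demo():
    """Constructed sample: two temporary directories stand in for the
    application directory and the system directory."""
    with tempfile.TemporaryDirectory() as app, tempfile.TemporaryDirectory() as sysdir:
        for d, name, data in [
            (sysdir, "version.dll", b"system copy"),
            (sysdir, "winmm.dll", b"same bytes"),
            (app, "VERSION.dll", b"unexpected local copy"),
            (app, "winmm.dll", b"same bytes"),
            (app, "plugin.dll", b"application's own library"),
        ]:
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        return find_shadowing_dlls(app, sysdir)
```

A same-name DLL in the application directory is not proof of a Trojan, since some applications ship private copies of libraries; the result is a review list, with differing copies first.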
Keywords/Search Tags:remote control, Trojan detection, I/O completion ports, dynamic-link library hijack, file binding