Writing viral Trojans in a high-level language
Author: Unknown
I had not intended to search for QQHACKER 2.0 today, but I found download links for it everywhere, which surprised me: QQHacker was only ever a by-product of studying viruses, yet by now many people have seen it. So I decided to write up some of the techniques used in QQHacker, in the hope that it helps people who are learning. As in my earlier writing, I will try to use the simplest examples and the plainest vocabulary to express the idea as clearly as possible.
For the technology in QQHACKER 2.0, four points need to be covered: execution, infection, hiding and the back door.
First, execution. The method is simple. One approach is to infect a small program (under 2 MB) and send it to the target machine in an ordinary e-mail. What the target machine receives is an infected program (its size grows by 32 KB); once it is executed, our background program runs. The other approach is to infect the way the Nimda virus does, using the MIME vulnerability in Outlook to trick Outlook into executing our code. The execution part is so simple that there is nothing more to say; the infection method is introduced next.
Second, infection. When writing more refined and powerful viruses, people usually choose assembly or even machine language. Even relatively simple Win32 viruses add a section to the PE file, or insert the code they need to run into an existing section; those techniques require some knowledge of the PE file format and of the operating system (interested readers can look at the homepage at http://mincer.top263.net/firstpage.htm). Here I use a much simpler method that needs only a few statements: our virus program is prepended to the front of the target program (the infected file), so when the file runs, only our virus program executes. To let the target program run normally as well, we save the target to a temporary EXE file and then run it as a child process. This basically achieves both infection and execution. My friend Qiwei was the first to think of this method; when we discussed it we believed we were the first people ever to think of it, which I now find rather embarrassing. The method also creates some problems. Below I describe each problem and its solution; these are also the points that were added in QQHACKER 2.0:
1. Saving. The method is to read the virus body and write it as the beginning of the new EXE file, then append the target program after the virus body, while saving the length of the target (or the length of the virus body) at a fixed location so that the target program can later be located and its length recovered. The resulting EXE file overwrites the original target. When someone double-clicks the final program, what the system executes is our virus body, and the target program appended behind it is not executed. The infection function can be downloaded here.
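As an added example that is not part of the original article, here is a Python script written from the defender's side. It looks for the file layout this step describes: a leading executable whose on-disk image ends well before the end of the file, with a second complete PE image stored in the overlay after it. The minimal PE builder and the "stub" and "host" sample bytes are constructed here for the demonstration only; the 4-byte length field in the constructed sample is an assumed layout, since the article only says the length is stored "at a specific location".

```python
import struct

MZ = b"MZ"
PE_SIG = b"PE\0\0"
SECTION_HEADER_SIZE = 40


def parse_pe(data, base=0):
    """Validate a PE image starting at `base` and return the offset one past the last
    byte of its on-disk image (headers plus every section's raw data), or None if
    there is no well-formed MZ/PE pair at that position."""
    if len(data) < base + 0x40 or data[base:base + 2] != MZ:
        return None
    e_lfanew = struct.unpack_from("<I", data, base + 0x3C)[0]
    pe = base + e_lfanew
    if e_lfanew < 0x40 or pe + 24 > len(data) or data[pe:pe + 4] != PE_SIG:
        return None
    num_sections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    sections = pe + 24 + opt_size
    end = sections + num_sections * SECTION_HEADER_SIZE
    if end > len(data):
        return None
    for i in range(num_sections):
        hdr = sections + i * SECTION_HEADER_SIZE
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        end = max(end, base + raw_ptr + raw_size)
    return min(end, len(data))


def find_pe_images(data):
    """Offsets of every well-formed PE image in the blob; a clean file has one, at 0."""
    hits, pos = [], data.find(MZ)
    while pos >= 0:
        if parse_pe(data, pos) is not None:
            hits.append(pos)
        pos = data.find(MZ, pos + 1)
    return hits


def prepend_infection_indicators(data):
    """Summarise the evidence for a prepended infector: the length of the leading image
    (to compare with a known stub size), the overlay size, and any PE image in the overlay."""
    first_end = parse_pe(data, 0)
    if first_end is None:
        return {"valid_pe": False, "suspicious": False}
    embedded = [off for off in find_pe_images(data) if off >= first_end]
    return {
        "valid_pe": True,
        "stub_size": first_end,
        "overlay_bytes": len(data) - first_end,
        "embedded_pe_offsets": embedded,
        "suspicious": bool(embedded),
    }


def build_min_pe(payload):
    """Constructed minimal PE32 image with one .text section, for the demo only
    (not a loadable program): MZ stub, PE signature, COFF header, zeroed optional
    header, one section header, then the section data at file offset 0x200."""
    e_lfanew, opt_size, raw_ptr = 0x40, 0xE0, 0x200
    dos = MZ + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = b"\x0b\x01" + b"\0" * (opt_size - 2)           # PE32 magic, rest zero
    sec = b".text".ljust(8, b"\0") + struct.pack("<IIII", len(payload), 0x1000, len(payload), raw_ptr) + b"\0" * 16
    return (dos + PE_SIG + coff + opt + sec).ljust(raw_ptr, b"\0") + payload


def build_sample():
    """Constructed sample: a clean host, and the same host with a stub prepended,
    a 4-byte little-endian length field (assumed layout) and then the host image."""
    stub = build_min_pe(b"virus stub payload")
    host = build_min_pe(b"host program payload")
    infected = stub + struct.pack("<I", len(host)) + host
    return host, infected


if __name__ == "__main__":
    host, infected = build_sample()
    print("clean host:", prepend_infection_indicators(host))
    print("infected:  ", prepend_infection_indicators(infected))
```

The clean host reports a single image at offset 0 with no overlay, while the infected sample reports a leading image of 530 bytes followed by 536 overlay bytes containing a second PE image at offset 534. A real scanner would add the article's other hint, a fixed size increase equal to the stub, and treat any overlay that begins with a valid MZ/PE pair as worth quarantining.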
2. Execution. First, using the data we saved, write the target program out to a temporary EXE file and run it with CreateProcess. But then two processes run at the same time, which is easy to spot in a process viewer, and a stray file is left on the hard disk. So there are two things to do: (a) get rid of one of the processes while our program keeps running, and (b) delete the temporary EXE file we created immediately, leaving no trace. The solution is also simple. The first point, process hiding, is explained more fully in my article "Completely Hidden in WinNT & Win2k": use CreateRemoteThread in the target process to run our program. Deleting a program file that is still running is also easy: before calling CreateProcess, open the temporary EXE with CreateFile using FILE_FLAG_DELETE_ON_CLOSE; when the file handle is closed, the system deletes the temporary EXE file automatically. As follows:
    const char* strFile = "temp.exe";
    HANDLE hDesc = ::CreateFile(strFile, 0, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_FLAG_DELETE_ON_CLOSE, NULL); // deleted automatically once the handle is closed
    ::CreateProcess(..........); // start the target program
    ::CloseHandle(hDesc); // close the handle, i.e. delete the strFile file
3. Icon. Obviously, after infection the icon the system shows is the icon of our virus program, and if the virus program has no icon, the default console icon is shown. If the infected target program looked like that, even someone who has never learned programming could guess that it had been infected by a virus. So we change the icon of our virus program to the icon of the target program; for the method see "How to Modify the Icon of an Executable File". The premise is that our virus program must itself have an icon. In QQHACKER 2.0 the single virus icon takes 4 KB, which brings the total length to 32 KB (without using any compression tool). The reason I compare icon lengths is that when the icon of the target program is larger than the virus icon, the original icon ends up incomplete; the reason is simple and I won't go into it. So we usually do not infect when the icon is larger than 4 KB, because it cannot be hidden. Oh, and finally I will give the icon modification function.
Third, hiding. As mentioned above, see "Completely Hidden in WinNT & Win2k".
Fourth, the back door. The back door in QQHACKER 2.0 has two functions. 1. Get the QQ password. In QQ2000B build 0710, when the user ticks "save password", QQ stores the last saved password in DAT/DATA.CFG with only a simple symmetric encryption. The file structure is very simple: the first 4 bytes indicate whether a password is saved, the next 4 bytes give the length of the password, and then the encrypted password follows; after that comes the QQ number, stored with the same structure as the password. Note: the QQ number is not encrypted. The encryption method is to offset each single character from 0xFF, so to decrypt we only need to compute 0xFF - pass. QQHACKER 2.0 finds the QQ directory from the registry and then reads the password; if that succeeds, the password is sent back to the e-mail address. Not much more to say. This encryption method was discovered by Qiwei; he immediately wrote QQHACKER 1.0, and its ranking on CSDN rose within a few days. His homepage is http://vmtltd.yeah.net, and it is worth a visit. 2. The second function is to get the passwords in all password boxes. On 98 this is simple, just read them directly; on 2000 the code has to be injected directly into the target process, and then SendMessage is used to get the password. In addition, in the back door we can also bind a common Trojan back door such as CMD through an anonymous pipe.