Some Trojans contain only a client program once unpacked. The user chooses settings in the client, such as a specific port, notification e-mail address, password, SMTP server and so on, and the client generates a server program tailored to those settings. In this article, I will briefly explore how this technique is implemented.
In fact, this technique is not mysterious: it is simply the use of a custom resource in an executable file. That is, the client program carries a piece of custom binary data, which is essentially a server template. After the user has chosen the settings, the client fills those specific values into the template and then writes the configured binary data out to a file, producing a specific server program.
As an analogy, the post office has a lot of blank envelopes. After you buy an envelope, you fill in the postal code and the recipient's address and name, then put your letter inside, and it becomes a letter that is uniquely yours. I hope this explanation makes the idea clear; below I walk through the general process.
Below I implement a demo, "MSGBox Builder": you set the title and text of a MessageBox in the client, and the program generates a "Hello, World" program whose pop-up MessageBox shows exactly what you set in the client. The run interface is as follows:
Ok, first I will design the template for this server. To imitate a Trojan, I write the template in Win32 ASM. The program is as follows:

    .386
    .model flat, stdcall
    option casemap:none

    include \masm32\include\windows.inc
    include \masm32\include\kernel32.inc
    includelib \masm32\lib\kernel32.lib
    include \masm32\include\user32.inc
    includelib \masm32\lib\user32.lib

    .data
    szTitle db 100 dup ('a')    ; placeholder for the title
    szText  db 100 dup ('b')    ; placeholder for the text

    .code
    start:
        invoke MessageBox, NULL, addr szText, addr szTitle, MB_OK or MB_ICONINFORMATION
        invoke ExitProcess, NULL
    end start

As you can see, this is the "Hello, World" program from Iczelion's Win32 assembly tutorial; I only made a small change:

    .data
    szTitle db 100 dup ('a')
    szText  db 100 dup ('b')

These two lines of code may puzzle you; let me come back to them later. Now you can assemble this source code to generate a msgbox.exe file. This template will be used later.
Let me explain the use of custom resources. Before that, here are the APIs I will use:
· FindResource: find a resource.
· SizeofResource: get the size of the resource.
· LoadResource: load the resource.
· LockResource: lock the resource.
You can look up the detailed behavior and parameters of these functions in MSDN, so I will not describe them here. My overall idea is as follows:
1. Compile the msgbox.exe template as a binary resource of the client program.
2. When generating the MSGBox.exe server, use the above API functions to read this binary resource data.
3. Patch this binary data with the values set by the user.
4. Save this new binary data as a file.
Now I will implement step 1. First, rename the template msgbox.exe to msgbox.bin and put this file into the client's source code folder. Then import this binary resource into the client's resource script (.rc file), as shown below:
At this point, VC pops up a dialog, as shown below:
You can fill in your resource type under "Resource Type". This type name is what we pass as the third parameter of the FindResource function; I use "Server" as the example here.
This way, I can use the template as a resource. My code is as follows:

    // Fragment from the dialog procedure's command handler (hence the break statements)
    HRSRC   hResInfo;
    HGLOBAL hResData;
    DWORD   dwSize, dwWritten;
    LPBYTE  p;
    HANDLE  hFile;
    TCHAR   szTitle[100], szText[100];

    // Find the required resource
    hResInfo = FindResource(NULL, MAKEINTRESOURCE(IDR_SERVER), "Server");
    if (hResInfo == NULL)
    {
        MessageBox(hDlg, "Finding resource failed!", "Error", MB_OK | MB_ICONINFORMATION);
        break;
    }
    // Get the resource size
    dwSize = SizeofResource(NULL, hResInfo);
    // Load the resource
    hResData = LoadResource(NULL, hResInfo);
    if (hResData == NULL)
    {
        MessageBox(hDlg, "Loading resource failed!", "Error", MB_OK | MB_ICONINFORMATION);
        break;
    }
    // Allocate space for a writable copy of the data
    p = (LPBYTE)GlobalAlloc(GPTR, dwSize);
    if (p == NULL)
    {
        MessageBox(hDlg, "Allocating memory failed!", "Error", MB_OK | MB_ICONINFORMATION);
        break;
    }
    // Copy the resource data
    CopyMemory((LPVOID)p, (LPCVOID)LockResource(hResData), dwSize);

Ok, now I have a copy of the template that can be modified as needed. The next problem is how to find the locations of the title and the text inside the binary so that they can be rewritten. This is the reason I defined those runs of 'a' and 'b'. Open the binary resource msgbox.bin and take a look; I believe you will find something like this at a certain location:
Yes, this shows that the relative offset of the title is 0x800 and the relative offset of the text is 0x864. The rest of my code is as follows:

    // Clear the buffers so that no uninitialized stack bytes are copied into the output
    ZeroMemory(szTitle, sizeof(szTitle));
    ZeroMemory(szText, sizeof(szText));
    // Get the title and text, and copy them over the placeholders
    GetDlgItemText(hDlg, IDC_EDT_TITLE, szTitle, 100);
    GetDlgItemText(hDlg, IDC_EDT_TEXT, szText, 100);
    CopyMemory((LPVOID)(p + 0x800), (LPCVOID)szTitle, 100);
    CopyMemory((LPVOID)(p + 0x864), (LPCVOID)szText, 100);
    // Create the file and write the data
    hFile = CreateFile("c:\\msgbox.exe", GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, NULL);
    if (hFile != INVALID_HANDLE_VALUE)  // CreateFile reports failure with INVALID_HANDLE_VALUE, not NULL
        WriteFile(hFile, (LPCVOID)p, dwSize, &dwWritten, NULL);
    else
    {
        MessageBox(hDlg, "Create file failed!", "Error", MB_OK | MB_ICONINFORMATION);
        GlobalFree((HGLOBAL)p);
        break;
    }
    // Clean up: close the file and release the copy
    CloseHandle(hFile);
    GlobalFree((HGLOBAL)p);

With that, the core of this technique is basically covered. Configuring a Trojan server works the same way, except that the MessageBox title and text are replaced by the corresponding port number, e-mail address, and so on. The rest of the code is fairly intuitive, so I will not explain it further; I hope readers will bear with me.
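The same layout seen from the analysis side, as an added example that is not part of the original article: a client that carries its server template as a custom resource contains a second PE image inside its own file, and an unconfigured template contains long runs of a filler byte like the 'a' and 'b' placeholders above. The function names and the constructed-header helper `put_fake_pe` are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Read a little-endian 32-bit value without alignment assumptions. */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Return 1 if a plausible PE image starts at buf[off] (heuristic check). */
int is_pe_at(const uint8_t *buf, size_t len, size_t off)
{
    uint32_t e_lfanew;
    if (off > len || len - off < 0x40) return 0;        /* DOS header is 64 bytes */
    if (buf[off] != 'M' || buf[off + 1] != 'Z') return 0;
    e_lfanew = rd32(buf + off + 0x3C);                  /* offset of "PE\0\0" */
    if (e_lfanew < 0x40 || e_lfanew > len - off - 4) return 0;
    return memcmp(buf + off + e_lfanew, "PE\0\0", 4) == 0;
}

/* Offset of the first PE image found after the outer header, or -1. */
long find_embedded_pe(const uint8_t *buf, size_t len)
{
    size_t off;
    for (off = 1; off + 0x40 <= len; off++)
        if (is_pe_at(buf, len, off))
            return (long)off;
    return -1;
}

/* Length of the run of byte `fill` starting at buf[off] (placeholder check). */
size_t fill_run(const uint8_t *buf, size_t len, size_t off, uint8_t fill)
{
    size_t n = 0;
    while (off + n < len && buf[off + n] == fill) n++;
    return n;
}

/* Constructed sample data: minimal DOS header plus PE signature at buf[off]. */
void put_fake_pe(uint8_t *buf, size_t off)
{
    buf[off] = 'M'; buf[off + 1] = 'Z';
    buf[off + 0x3C] = 0x80;                             /* e_lfanew = 0x80 */
    memcpy(buf + off + 0x80, "PE\0\0", 4);
}
```

A stray "MZ" byte pair without a matching "PE\0\0" signature is ignored, so ordinary data that happens to contain those two letters is not reported.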
Author Blog:
http://blog.9cbs.net/titilima/