Analysis of Trojan server Generation Technology

Source: Internet
Author: User
Some trojans ship as a single client program after decompression. Configuring the client, for example the listening port, or the e-mail address, password and SMTP server of a keylogging trojan, automatically produces a server program built for exactly those settings. This article briefly explains how that is implemented.
There is nothing mysterious about it: it is simply an operation on a user-defined resource of an executable file. The client program carries a piece of custom binary data, which is really a server-side template. After the user has finished the settings, the client writes the configured values into that template and saves the patched binary data as a file, and the result is a server program with those settings baked in.
A post office keeps a stack of blank envelopes. You buy one, write the zip code, recipient address and name on it, and put your letter inside, and now it is your own unique letter. I hope this picture makes the overall process easier to follow.
Next I will implement a demo program called "msgbox builder". You set the title and text of a MessageBox in the client, and the program generates a "Hello, world"-style program named msgbox.exe in the root of drive C:; the MessageBox it pops up shows whatever you set in the client. The running interface is shown in the following figure:

Now let's design the template for this server. To imitate a real trojan as closely as possible, I write the template in Win32 assembly. The program is as follows:
.386
.model flat, stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib
include \masm32\include\user32.inc
includelib \masm32\lib\user32.lib
.data
; 100-byte placeholders that the builder overwrites. They carry no terminator
; here; the builder copies in NUL-terminated strings of at most 100 bytes.
szTitle db 100 dup('A')
szText  db 100 dup('B')
.code
start:
    invoke MessageBox, NULL, ADDR szText, ADDR szTitle, MB_OK or MB_ICONINFORMATION
    invoke ExitProcess, NULL
end start
As you can see, this is the "Hello, world" from Iczelion's Win32 assembly tutorial. I only changed two lines:
.data
szTitle db 100 dup('A')
szText  db 100 dup('B')
These two lines may look odd; I will come back to them later. For now, assemble the source and produce msgbox.exe. Keep this template; we will need it in a moment.
The following describes how to use a custom resource. First, a quick introduction to the APIs involved:
· FindResource: locates a resource by type and name.
· SizeOfResource: returns the size of the resource in bytes.
· LoadResource: loads the resource.
· LockResource: returns a pointer to the resource data.
Refer to MSDN for the details of these functions and their parameters; I will not repeat them here. My overall idea is:
1. Compile the msgbox.exe template into the client program as a binary resource.
2. When the msgbox.exe server is generated, read the binary resource data with the APIs above.
3. Overwrite the placeholders in the binary data with the values the user entered.
4. Save the patched binary data as a file.
Now let's implement step 1. First, rename the template msgbox.exe to msgbox.bin so it is treated as a plain binary file, and place it in the client's source folder. Then import the binary as a resource into the client's resource script (the .rc file), as shown in:

Visual C++ then pops up a dialog like this one:

You can type any name you like into "Resource Type". This type name is what we will pass as the third parameter of FindResource; here we use "server" as an example.
With that, the template is available as a resource. The code that reads it is below; it sits inside a switch in the dialog procedure, which is why it uses break to bail out on error:
HRSRC   hResInfo;
HGLOBAL hResData;
DWORD   dwSize, dwWritten;
LPBYTE  p;
HANDLE  hFile;
// Zero-initialized: the builder copies the full 100 bytes of each buffer into the
// output file, so anything left after the terminator would otherwise be stack garbage.
TCHAR   szTitle[100] = {0}, szText[100] = {0};
// Find the required resource (custom type "server", as set in the .rc file)
hResInfo = FindResource(NULL, MAKEINTRESOURCE(IDR_SERVER), "server");
if (hResInfo == NULL)
{
    MessageBox(hDlg, "An error occurred while searching for the resource!", "Error", MB_OK | MB_ICONINFORMATION);
    break;
}
// Obtain the resource size
dwSize = SizeOfResource(NULL, hResInfo);
// Load the resource
hResData = LoadResource(NULL, hResInfo);
if (hResData == NULL)
{
    MessageBox(hDlg, "Failed to load the resource!", "Error", MB_OK | MB_ICONINFORMATION);
    break;
}
// Allocate a writable buffer for the data (the resource itself is read-only)
p = (LPBYTE)GlobalAlloc(GPTR, dwSize);
if (p == NULL)
{
    MessageBox(hDlg, "Memory allocation failed!", "Error", MB_OK | MB_ICONINFORMATION);
    break;
}
// Copy the resource data into the buffer
CopyMemory((LPVOID)p, (LPCVOID)LockResource(hResData), dwSize);
Now I have a private copy of the template data that can be modified as needed. The remaining problem is how to find the title and text inside the binary so they can be overwritten. This is exactly why the source defines those runs of 'A' and 'B': open msgbox.bin in a hex editor and you will find something like the following at a certain position:

So the title sits at file offset 0x800 and the text at 0x864, i.e. immediately after the 100 (0x64) bytes of the title field. These offsets belong to this particular build of the template; if you recompile it, check them again before trusting the builder's output. The remaining code is as follows:
// Obtain the title and text and copy them over the placeholders
GetDlgItemText(hDlg, IDC_EDT_TITLE, szTitle, 100);
GetDlgItemText(hDlg, IDC_EDT_TEXT, szText, 100);
CopyMemory((LPVOID)(p + 0x800), (LPCVOID)szTitle, 100);
CopyMemory((LPVOID)(p + 0x864), (LPCVOID)szText, 100);
// Create the output file and write the patched data
hFile = CreateFile("C:\\msgbox.exe", GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, NULL);
// CreateFile signals failure with INVALID_HANDLE_VALUE, not NULL
if (hFile != INVALID_HANDLE_VALUE)
    WriteFile(hFile, (LPCVOID)p, dwSize, &dwWritten, NULL);
else
{
    MessageBox(hDlg, "File creation failed!", "Error", MB_OK | MB_ICONINFORMATION);
    GlobalFree((HGLOBAL)p);
    break;
}
// Clean up and release resources
CloseHandle(hFile);
GlobalFree((HGLOBAL)p);
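The builder above patches two offsets copied from a hex dump, which silently breaks the moment the template is rebuilt with a different layout. The following is an added example, not code from the article: it performs the same template patching on raw bytes but locates the 'A' and 'B' placeholder runs instead of hardcoding 0x800 and 0x864, pads each field with zeros so no stack contents reach the output, and adds the reverse operation an analyst needs, recovering the embedded settings from a generated server when the template is known, or at least finding the changed region when it is not. The template is a constructed stand-in (filler plus the two placeholder runs), not the real msgbox.bin; the field names and sizes are assumptions.

```python
# Added example (not code from the article): template patching on raw bytes,
# plus config recovery from a generated server.  The placeholder runs are
# located in the template rather than hardcoded, so a recompiled template with
# a different layout fails loudly instead of being patched at a stale offset.
import re

FIELD_LEN = 100                          # size of each placeholder in .data
FIELDS = {"title": b"A", "text": b"B"}   # assumed field name -> placeholder byte

# Constructed stand-in for msgbox.bin: filler, 100 x 'A', 100 x 'B', zero padding.
# Only the two placeholder runs matter for the technique.
TEMPLATE = b"\x90" * 0x800 + b"A" * FIELD_LEN + b"B" * FIELD_LEN + b"\x00" * 0x200


def find_placeholder(template: bytes, marker: bytes, length: int = FIELD_LEN) -> int:
    """Offset of the single run of exactly `length` marker bytes in the template.
    Raises if the run is missing or not unique, rather than guessing."""
    m = re.escape(marker)
    # The lookbehind/lookahead keep a longer run from matching as a shorter one.
    pattern = b"(?<!" + m + b")" + m + b"{" + str(length).encode() + b"}(?!" + m + b")"
    hits = [h.start() for h in re.finditer(pattern, template)]
    if len(hits) != 1:
        raise ValueError(f"expected one {length}-byte run of {marker!r}, found {len(hits)}")
    return hits[0]


def build(template: bytes, values: dict, length: int = FIELD_LEN) -> bytes:
    """Copy of the template with each placeholder replaced by the NUL-terminated
    value.  This is the builder's CopyMemory step with a length check and zero
    padding, so the output never carries whatever followed the string in memory."""
    out = bytearray(template)
    for name, value in values.items():
        if len(value) >= length:          # leave room for the terminator
            raise ValueError(f"{name} must be shorter than {length} bytes")
        off = find_placeholder(template, FIELDS[name], length)
        out[off:off + length] = value.ljust(length, b"\x00")
    return bytes(out)


def extract_config(built: bytes, template: bytes, length: int = FIELD_LEN) -> dict:
    """Recover the settings embedded in a generated server when the builder's
    template is known: read each field up to its first NUL."""
    if len(built) != len(template):
        raise ValueError("size mismatch: not generated from this template")
    cfg = {}
    for name, marker in FIELDS.items():
        off = find_placeholder(template, marker, length)
        cfg[name] = built[off:off + length].split(b"\x00", 1)[0]
    return cfg


def changed_ranges(built: bytes, template: bytes) -> list:
    """Half-open byte ranges where the generated file differs from the template.
    For a builder whose field layout is not yet known, this is how to find the
    configuration region before the individual fields can be named."""
    ranges, start = [], None
    for i, (a, b) in enumerate(zip(built, template)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, len(template)))
    return ranges


if __name__ == "__main__":
    server = build(TEMPLATE, {"title": b"Hello", "text": b"world"})
    print(changed_ranges(server, TEMPLATE))   # [(2048, 2248)]  i.e. 0x800..0x8c8
    print(extract_config(server, TEMPLATE))   # {'title': b'Hello', 'text': b'world'}
```

In the Win32 builder the same checks translate to comparing `SizeOfResource` with the expected template size and searching the locked resource for the placeholder runs before calling `CopyMemory`. On the analysis side, `changed_ranges` over a clean template and a sample from the same builder shows exactly where the configuration lives, which is usually all that is needed to pull out a C2 address or mailbox from a whole family of samples.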
At this point the core of the technique is complete. A trojan's server settings are generated in exactly the same way; the only difference is that the title and text of the MessageBox become a port number, an e-mail address and so on. The code is straightforward, so I will not explain it further. I hope you will bear with me.


Author's blog:Http://blog.csdn.net/titilima/
