Yesterday, liurui569 sent me a shift backdoor to download and play with. Because it was too late to write up the process in detail, today I have put together a detailed illustrated walkthrough of the cracking process.
There are currently several methods for activating shift backdoors:
1. Activation through a shortcut key, using keyboard events
2. Activation through a mouse event (click or double-click)
3. Activation through a combination of keyboard and mouse events
The above are the activation methods for such backdoors; RAR self-extracting packages are outside this scope. Currently, these backdoors are mainly written in VB, Delphi, C++, and other languages.
I found no tutorials on the Internet for cracking the shift backdoor, and after searching for a long time I had to explore it myself. I also released two VB webshells on Huaxia 77169.
Let's look at the backdoor from liurui569.
After checking, this Delphi-written program is not packed, so the unpacking step is omitted.
Test-run the backdoor. Once it runs, it copies itself to C:\WINDOWS\Fonts\fonts.exe and hijacks the registry to point to this path.
Part of the data captured by the system monitoring tool:
New C:\WINDOWS\Prefetch\CACLS.EXE-25504E4A.pf
Create C:\System Volume Information\_restore00005828498b-e212-48e2-b40c-3d66645342f01_rp9a0005390.exe
Create C:\System Volume Information\_restore1_5828498b-e212-48e2-b40c-3d66645342f01_rp9a0005391.exe
Create C:\WINDOWS\Fonts\fonts.exe
New C:\WINDOWS\Prefetch\SC.EXE-012262AF.pf
New C:\WINDOWS\Prefetch\SETHC.EXE-23CFB742.pf
What these specific behaviors do I did not investigate in depth; I mainly focused on the program's activation method and password.
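The two behaviors recorded above (an executable dropped into the Fonts directory, and a registry hijack pointing sethc.exe at it) are what a defender would alert on. The following added example, which is not from the original post, shows detection logic run over a constructed file-monitor log modelled on the page's output and a constructed .reg export; it assumes the hijack uses the Image File Execution Options "Debugger" value, which the page does not state, and it also checks the other accessibility binaries that the same technique targets.

```python
import re

# Accessibility binaries commonly hijacked via an IFEO "Debugger" value.
# sethc.exe is the one on this page; the others are the same technique (assumption).
ACCESSIBILITY_BINARIES = {"sethc.exe", "utilman.exe", "osk.exe", "magnify.exe", "narrator.exe"}

# Directories where a newly created .exe is a strong anomaly (taken from the page's log).
SUSPICIOUS_EXE_DIRS = (r"c:\windows\fonts", r"c:\system volume information")

# Constructed sample of a file-monitor log, modelled on the page's output.
SAMPLE_MONITOR_LOG = r"""
New C:\WINDOWS\Prefetch\CACLS.EXE-25504E4A.pf
Create C:\WINDOWS\Fonts\fonts.exe
New C:\WINDOWS\Prefetch\SC.EXE-012262AF.pf
New C:\WINDOWS\Prefetch\SETHC.EXE-23CFB742.pf
Create C:\Program Files\Editor\update.exe
"""

# Constructed .reg-style export of the IFEO key (assumed hijack mechanism).
SAMPLE_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="C:\\WINDOWS\\Fonts\\fonts.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Tools\\vsjitdebugger.exe"
"""


def suspicious_file_events(log: str) -> list:
    """Return .exe files created under directories where no executable belongs."""
    hits = []
    for line in log.splitlines():
        m = re.match(r"^(?:New|Create)\s+(.+\.exe)\s*$", line.strip(), re.I)
        if m and m.group(1).lower().startswith(SUSPICIOUS_EXE_DIRS):
            hits.append(m.group(1))
    return hits


def ifeo_debugger_hijacks(reg_export: str) -> dict:
    """Map each hijacked accessibility binary to the Debugger path set for it."""
    hijacks, current = {}, None
    for line in reg_export.splitlines():
        key = re.match(r"^\[.*\\Image File Execution Options\\([^\]\\]+)\]$", line.strip(), re.I)
        if key:
            current = key.group(1).lower()
            continue
        val = re.match(r'^"Debugger"="(.*)"$', line.strip(), re.I)
        if val and current in ACCESSIBILITY_BINARIES:
            # .reg exports double every backslash; undo that for a readable path.
            hijacks[current] = val.group(1).replace("\\\\", "\\")
    return hijacks
```

On a live system the same two checks would be fed from the real file-monitor output and from an export of the Image File Execution Options key.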
Load the program into the resource editing tool pcycler.exe to view and analyze its resources.
We mainly look at the RCDATA entries. The first two items are generated automatically by the compiler. Of the following three, the TPASS item is the password input window, the TUSER item is the backdoor's function interface window, and the TX item is the sethc program interface.
The Text property of a TEdit control in TPASS contains the value 6521206. This is very likely the password; note it for now, since it cannot be confirmed until the final verification.
Here we mainly focus on the main interface of sethc, because all the activation methods are in this form.
Note that the main interface uses five Label controls and three Button controls, with no redundant controls. Some backdoors use the password input box or a Label control for activation; I once wrote a shift backdoor that worked this way. So I initially guessed that it was activated by a keyboard event, then continued to analyze each control and found the secret.
See: the Label3, Label4 and Label5 controls each have an OnDblClick handler. Anyone who has used Delphi knows this is the double-click event.
A double-click event on a Label control is very suspicious, so we can be fairly sure this backdoor is activated by a mouse event, since backdoors written with a combination of mouse and keyboard events are still relatively rare. With the preliminary analysis done, we can do a test run. Since there are three double-click events, there must be an ordering problem.
The first test, double-clicking Label3-4-5 in order, did not activate it, and neither did the reverse order. The third round, Label3-4-5-3, brought up the password input interface. Having to double-click Label3 twice did not seem right, and the order was finally confirmed as Label4-5-3. Perfect, the program activates normally.
Test the password: enter the value 6521206 found earlier and press Enter.
So far, the method of activating the backdoor has been fully analyzed. The software's behavior analysis is not covered in this write-up.
In conclusion, this is a simple shift backdoor. The login password is not effectively protected, so the correct password is obtained easily and there is no need to change the password.
With a resource editor or other static or dynamic analysis tool, finding the activation method is not very difficult. If the backdoor is activated with a keyboard event, you need a debugger such as OD to trace it. By analyzing this backdoor, you can learn to analyze and crack other backdoors. That concludes the analysis process.