[Already published in hackers x-Files]
First talk about the Radmin That Radmin was a good thing, I also recently discovered this stuff benefits, such as not to be killed, management is very convenient, speed is also very fast, simple configuration...... Anyway, I see a lot of the Administrator's selection of this. Although is a good thing, the disadvantage is still there, such as the service name is very conspicuous, the process of the R_server. exe more were seen on the kill, now one of the most dish the administrator also know to use the Task Manager to killing the process, the configuration of the time if the error is also very easy to be found, his the icon is also very have personality, have a personality it is easy to be found, there is someone complaining that the service name is always R_server the service Manager was very conspicuous...... However, in the spirit of I the Radmin of love, or to put this good stuff from the administrator of the nose to save the back, transformed into its own ultimate Trojan horse, as to how to save the good horse then with me to see it! First talk about the configuration, and then is hidden. Configuration I think needless to say, before the Black x with the article have already said very clearly, the network wanted to see something you don't let him see it. 我们 知道 Radmin 只 需要 R_Server.exe That AdmDll. dll and raddrv. dll these three files can be installed, so you first of all to the This several files to transfer to the other machine, take the trouble while the back has a good way. As for the Radmin configuration, you can start on your machine configuration and then export the[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin]under the content, is transmitted to the others on the machine to import, Radmin will talk to you on the machine configured the same, because the Radmin service depends on the things that are in this item below. Note a few is not the taskbar is displayed, not the log record, and then modify your own password or something basic. My configuration is as follows:
[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2. 0\Server\Parameters] "NTAuthEnabled"=hex:00,00,00,00 "Parameter"=hex:fc,e2,fe,2b,e9,2 4,fd,1 1,6 7,bd,be,3b,5c,e1,ac,8b "Port"=hex:8b,0 5,0 0,0 0 "Timeout"=hex:0a,0 0,0 0,0 0 "EnableLogFile"=hex:00,00,00,00 "LogFilePath"="c:\\logfile.txt" "FilterIp"=hex:00,00,00,00 "DisableTrayIcon"=hex:01,00,00,00 "AutoAllow"=hex:00,00,00,00 "AskUser"=hex:00,00,00,00 "EnableEventLog"=hex:00,00,00,00
Such a configuration password is jnc, the port is 1 4 1 9, do not rush, specifically of Registry File config. reg has been with in the back, and want to modify their own password and port you can from your own machine to find the appropriate registry key value to replace it OK. Note, however, that Radmin is from this key value to read the corresponding parameter, so each time with rededit-s to import the registry when you first stop the service then start the service was effective. What you don't know how to install radmin, your own to see previous article go! Well, the configuration is said so much, such a configuration, although not to the ordinary user found, but the above are a few drawbacks also are out, slightly have a little experience of the administrator it is can be found. About the service hide before the Witch of the conditions, but it is not very feasible, she is trying to put system of a scrapbook to erase, and then put your own Radmin disguised as a scrapbook, the look is good, but in fact? I'm not saying to remove clipsrv. exe when the system pop up that the File Protection dialog box is no solution, as shown in Figure one. There is your service display name can be disguised, but the service name still R_server, this is no way to change, it is easy to see through. We can not delete the service and then replaced but directly to the system the nature of the service changed to us, but let others such as service name, etc. are not doing any changes, do not understand the insider who is very hard to see out of. Below we will Radmin hidden to the system of the service, we will he in the executable file path of reform had on the line. Not only is Radmin, and other Backdoor such as Trojan horse, and Tcmd, etc. they itself the default installation of the concealment is not very good, but can be by a similar method to the makeover. The first is selected we want to instead of which service, here I recommend using that do not depend on any other service will be able to start their own service, otherwise there will be not a smooth start of the case, of course, also can not be other people rely on, they system hung up on the end: it. Those with svchost. exe do not see, Oh. Here I recommend the sysmonlog service is the one that"configure Performance Logs and alerts"service, in line with our conditions and also will not be the General administrator of the note, and see how I do it. Suppose we have installed Radmin, the registry file has been imported, 现在的Radmin的程序名字还是R_server.exe in the system directory. 我们 停 掉 Radmin 服务 后 先 把 他 的 名字 改成 sm1ogsvc.exe the. Why change this? Oh, don't think 1 and l much like? Okay, renamed after we can be to replace. Sc this tool to know it, use the following command:
sc config sysmonlog start= auto \\"configure the Performance Logs and alerts"service set to from the start, no doubt, right?\\ sc config sysmonlog binpath= "c:\winnt\system32\sm1ogsvc.exe /service" \\modify the binary path in fact is what we disguised the Radmin\\ net start sysmonlog \\start the service, Radmin started to work again.\\ sc delete r_server \\deleted we started the Radmin service that allows Radmin in the eyes of others disappeared completely\\
This completes the replacement, and now look at it, how about that? net stop r_server, without this service, ha ha! But our port is still in listening Oh! Connect see, may also be connected on the Oh! Modified to here, our Radmin really on the system root, it is difficult to be found. There is also a I prefer the command line tool is Tcmd, probably everyone knows that is listening on the specified port, waiting for our connection when you can get a cmdshell on. This stuff is easy to use, volume is also very small, but the drawback than Radmin also obvious, that"Windows Kernel Service"to see is to do the Trojan, and the service description is empty, the process name is also very conspicuous, and familiar little people will find. For such a not very perfect Trojan horse, we are not programming, but still you can use very simple way to let him become hidden and to serve us. We in the broiler cmdshell installing tcmd, the specific help please see the tcmd /?
tcmd-install 1 4 1 8 jnc
Well, service installed after he needs some of the parameters of what information is saved to the registry, we see the Service Manager in the Windows Kernel Service, the disadvantage is the mentioned hidden well enough. Now we follow the just the idea of Sc removed after his message can continue to work for us! Or replace the"Configure the Performance Logs and alerts"service, change the executable path is OK. I the operation is as follows:
sc config sysmonlog start= auto sc config sysmonlog binpath= "c:\winnt\system32\sm1ogsvc.exe" net start sysmonlog sc delete "Windows Kernel Services"
Their understanding of these is what to do now! See, it has been very covert! It's our own Tcmd Oh, look at the results! As shown in Figure II. Think of a way to let him hide from antivirus Avira, Hey, Hey......it! Here's just talk about this two modifications, in fact, there are many others, such as some Trojan hidden is not high, you can be so modified. There is the Own of the Trojans perfect, I will not say, such as the name of the tricks I used here is 1 and l, you can also use 0 and O, etc. to confuse the eyes of others, if the deal with will only use the task Manager of people, you can be changed to svchost. exe into the system etc directory, so they no way. There is a program icon, not the hidden words can go to modify. There are personal think is better is the Trojan's configuration and Winrar together to make your own Trojan, the process I will not speak, and before the Black X has a much better description. And, most recently, wasn't there a rebound port of the tool?, can be applied on the inside of the port bounce out, because the Internet has someone so made out, I will not write, your think of made into self-extracting EXE file you can