How to program the remote shutdown in the Trojan

(Electronic Engineering Institute, Sichuan Normal University, information security major. Author: An Meihong.) This article was published in Hacker Defense, 2005, first issue.

Remote shutdown is an important part of remote control. Looking at the Trojans in circulation, any remote control software generally has a remote shutdown function. The well-known Trojan "Ice" (Glacier), for example, has this feature, but there it is bundled together with many other functions. Today we will look at how this important shutdown part is programmed. I write it in the popular VC6.0; VC's wizards greatly reduce the design work, so even our rookies can write their own intrusion tools.

In the Trojan, the client sends the relevant instruction over its socket to the server's socket; after the server receives the instruction, it performs the corresponding operation, which of course runs on the server's computer. That operation is a call to the following function; the function and its parameters are described below:

BOOL ExitWindowsEx(UINT uFlags, DWORD dwReserved);

uFlags can take the following values:

EWX_LOGOFF: log off the current user; EWX_POWEROFF: shut down and turn off the power; EWX_REBOOT: restart;

EWX_SHUTDOWN: shut down (applications are asked to close and may save first); EWX_FORCE: force applications to terminate without giving them a chance to save;

EWX_FORCEIFHUNG: force only applications that do not respond (Windows 2000 or later).

Now let's use this function to implement the operations we need in VC. First, a look at what our program will look like (Figure 1):

Figure 1

First, use the VC wizard to generate a dialog-based project. Note that in the wizard you should select static linking of MFC. Since restart is the operation most often needed in a Trojan, we name this program reboot. Remove the static text generated by default, then add three radio buttons and set the main properties as follows:

Control   ID            Caption
Button1   IDOK          "OK"
Button2   IDCANCEL      "Cancel"
Radio1    IDC_LOGOFF    "Log off computer"
Radio2    IDC_REBOOT    "Restart computer"
Radio3    IDC_SHUTDOWN  "Shut down computer"

Second, open the message map in MFC ClassWizard and add a BN_CLICKED handler for each of the five controls, so that every control has its message mapping (Figure 2).

Figure 2

Third, in RebootDlg.h add an integer member variable m_mark to CRebootDlg as a flag for the three radio buttons, and in the handlers of the three radio buttons set m_mark = 0, m_mark = 1 and m_mark = 2 respectively, for example (the other two are the same):

void CRebootDlg::OnLogoff()
{
    // TODO: Add your control notification handler code here
    m_mark = 0; // 0 = log off, 1 = restart, 2 = shut down
}

Fourth, double-click the "OK" button, remove the default CDialog::OnOK() call from the handler, and add the following code:

void CRebootDlg::OnOK()
{
    // TODO: Add your control notification handler code here
    HANDLE hToken;
    TOKEN_PRIVILEGES tkp;
    DWORD dwVersion; // Windows version number

    dwVersion = GetVersion(); // high bit clear = Windows NT family, high bit set = Windows 9x
    switch (m_mark) // act on the selected radio button
    {
    case 0:
        ExitWindowsEx(EWX_LOGOFF, 0);
        break; // log off
    case 1:
        if (dwVersion < 0x80000000) // Windows NT family: the shutdown privilege must be enabled first
        {
            OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken);
            LookupPrivilegeValue(NULL, SE_SHUTDOWN_NAME, &tkp.Privileges[0].Luid);
            tkp.PrivilegeCount = 1; // enable one privilege
            tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
            // AdjustTokenPrivileges returns TRUE even when the privilege could not be enabled;
            // GetLastError() == ERROR_NOT_ALL_ASSIGNED means the account lacks SeShutdownPrivilege.
            AdjustTokenPrivileges(hToken, FALSE, &tkp, 0, (PTOKEN_PRIVILEGES)NULL, 0);
            CloseHandle(hToken);
            ExitWindowsEx(EWX_REBOOT | EWX_FORCE, 0);
        }
        else // other Windows versions (9x series): no privilege needed
        {
            ExitWindowsEx(EWX_FORCE | EWX_REBOOT, 0);
        }
        break; // restart
    case 2:
        if (dwVersion < 0x80000000) // check the Windows series to set the appropriate privilege
        {
            OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken);
            LookupPrivilegeValue(NULL, SE_SHUTDOWN_NAME, &tkp.Privileges[0].Luid);
            tkp.PrivilegeCount = 1;
            tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
            AdjustTokenPrivileges(hToken, FALSE, &tkp, 0, (PTOKEN_PRIVILEGES)NULL, 0);
            CloseHandle(hToken);
            ExitWindowsEx(EWX_SHUTDOWN | EWX_FORCE, 0);
        }
        else
        {
            ExitWindowsEx(EWX_FORCE | EWX_SHUTDOWN, 0);
        }
        break; // shut down the computer
    }
}

Fifth, "Cancel" needs no handling; keep the default. Then compile and run, and you have written the remote shutdown part of your Trojan. Finally, if you have any questions, please contact: anmeihong@sina.com
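From the defender's side, every shutdown or restart that a program triggers through ExitWindowsEx is recorded on the target machine in the System event log as event 1074 (source User32), together with the image path of the calling process and the user. The PowerShell below is an added example, not part of the article; it lists 1074 events whose initiating process is outside an allow-list, which is how an unexpected remote-control tool like the one above would surface. It assumes English-locale event text and an illustrative allow-list that you would tune for your own environment.

```powershell
# Added example: report shutdown/restart events initiated by unexpected processes.
# Event 1074 (User32, System log) records the process that called ExitWindowsEx or
# InitiateSystemShutdown, the shutdown type and the user it acted on behalf of.
# The allow-list is an assumption for illustration; adjust it to your environment.
$DefaultAllowed = @('winlogon.exe', 'wininit.exe', 'shutdown.exe', 'explorer.exe', 'svchost.exe')

function Get-SuspiciousShutdownEvent {
    param(
        [int]$Days = 7,
        [string[]]$AllowedImage = $DefaultAllowed
    )
    $filter = @{
        LogName      = 'System'
        ProviderName = 'User32'
        Id           = 1074
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    # SilentlyContinue: Get-WinEvent raises a non-terminating error when no events match
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # English message text: "The process <image> (<host>) has initiated the
        # <restart|shutdown|power off> of computer <host> on behalf of user <user> for ..."
        if ($e.Message -match 'The process (?<proc>.+?) \(\S+\) has initiated the (?<type>[\w ]+?) of computer \S+ on behalf of user (?<user>\S+)') {
            $image = [System.IO.Path]::GetFileName($Matches['proc'])
            if ($AllowedImage -notcontains $image) {
                [pscustomobject]@{
                    Time    = $e.TimeCreated
                    Process = $Matches['proc']
                    Type    = $Matches['type']
                    User    = $Matches['user']
                }
            }
        }
    }
}

Get-SuspiciousShutdownEvent -Days 30 | Format-Table -AutoSize
```

Run it in an elevated PowerShell on the host being checked; forwarding event 1074 to a central collector lets the same filter run across a fleet.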

Please credit the original URL when reposting: https://www.9cbs.com/read-65537.html