[YA-12] APT攻击之木马系列—木马的功能

此前已经提及木马的基本概念和分类：

The basic concepts and classifications of Trojans have been mentioned previously:

The full name of the horse is Trojan Horse, which comes from ancient Greek mythology. Trojan horses are installed by deception or deception, and hidden in the user’s computer to achieve the purpose of controlling the user’s computer. It is a malicious code with remote control, information theft, destruction and other functions. See details[YA-09] APT Attack Trojans series – Types of Trojans

以下是常见的木马种类：

            远程控制木马

            密码发送木马

            键盘记录木马

            破坏性质的木马

            Dos 攻击木马

            代理木马

            FTP 木马

            程序杀手木马

            反弹端口型木马

在以上木马类型中，本文只讨论远控木马的常见功能与其意图。

The following are common types of Trojans:

                Remote control Trojan

                Password sending Trojan

                Keylogger Trojan

                Destructive horse

                Dos attack Trojan

                Proxy Trojan

                FTP Trojan

                Program killer Trojan

                Rebound end mouth horse

In the above Trojan types, this article only discusses the common functions and intentions of remote control trojans.

以下为正文：

The following is the text:

首先看下木马的结构，一般由三部分组成，包括木马配置程序、控制端程序（客户端）和被控制端程序（服务端程序）。其中配置程序用于配置被控端的特征和功能，包括是否创建服务、是否隐藏等。

At first, let’s look at the structure of the Trojan horse, generally composed of three parts, including the Trojan configurator, the control side program (client) and the controlled side program (server). The configuration program is used to configure the features and functions of the controlled terminal, including whether to create services and whether to hide them.

下图展示了PcShare的主控界面，其中“生成客户”点击后就是木马的配置过程。

The following figure shows the main control interface of PcShare, where “Generate customer” click is the Trojan configuration process.

下图展示了木马上线后的控制界面，包括目录浏览、屏幕控制、进程列表、窗口列表、服务管理、注册表编辑、键盘记录等。

The following figure shows the control interface after the Trojan goes online, including directory browsing, screen control, process list, window list, service management, registry editing, keylogging, and so on.

下面是灰鸽子的主界面。

Below is the main screen of Grey Pigeon.

木马的典型功能包括：

• 文件管理

• 进程管理

• 服务管理

• 注册表管理

• 屏幕监控、屏幕截取

• 语音视频截获

• 键盘记录

• 窗口管理

• 远程Shell

  
  

Typical Trojan features include:

• ‍File management

• Process management

• Service management

• Registry management

• Screen monitoring, screen capture

• Voice and video interception

• keylogging

• Window management

• Remote Shell

‍

1.文件管理【File management】

    文件管理主要目的是获取目标的文件系统信息，通常包括如下功能：

• 浏览各磁盘文件

• 上传、下载文件（包括上传恶意文件）

• 执行文件

• 删除文件

• 修改文件信息（如文件属性、时间）

• The main purpose of file management is to obtain the file system information of the target, which usually includes the following functions:
  

• View files on each disk

• Upload and download files (including uploading malicious files)

• Executive file

• Delete file

• Modify file information (such as file properties, time)

• 
  

可能涉及的部分关键函数: GetLogicalDriveString、 GetDiskFreeSpace(Ex)、GetVolumeInformation、GetDriveType、 FindFirstFile、 FindNextFile、 FindClose、DeleteFile、SHFileOperation 、SHEmptyRecycledBin、 MoveFile、 CreateFile( Ex) 、WriteFile 等

Some of the key functions that may be involved: GetLogicalDriveString, GetDiskFreeSpace(Ex), GetVolumeInformation, GetDriveType, FindFirstFile, FindNextFile, FindClose, DeleteFile, SHFileOperation, SHEmptyRecycledBin, MoveFile, CreateFile(Ex), WriteFile, etc

2.进程管理【Process management】

查看、结束、暂停目标系统进程。具体目的包括：

• 查看目标系统的环境信息
  通过进程查看功能可以实现查看安装了哪些软件？目前对方正在做什么？

• 停止或暂停目标系统的相关程序，从而形成干扰
  如反病毒程序

View, end, and pause the target system process. Specific purposes include:

• View the environment information of the target system

• What software is installed through the process view function? What is the other party doing at the moment?

• To stop or pause the relevant procedures of the target system, thereby causing interference

• Such as anti-virus program

涉 及 的 关 键 函 数 包 括:CreateToolhelp32SnapShot、 Process32First、Process32Next、 EnumProcesses、 GetCurrentProcess、 OpenProcessToken、LookupPrivilegeValue、 AdjustTokenPrivilege、 OpenProcess、 GetModuleBaseName、EnumProcessModules、 GetModuleFileNameEx、 TerminateProcess 等。

Involved in the key functions including: CreateToolhelp32SnapShot, Process32First, Process32Next, EnumProcesses, GetCurrentProcess, AdjustTokenPrivilege, OpenProcess, GetModuleBaseName, EnumProcessModules, OpenProcessToken, LookupPrivilegeValue, Adjusttokenprivilege, OpenProcess, GetModuleFileNameEx, TerminateProcess, etc.

3.服务管理【Service management】

主要功能是查看并管理目标系统的服务，包括：

• 创建服务

• 启动/停止服务

• 删除服务

具体作用如下：

• 查看目标系统的环境信息
  安装了哪些软件？启动了哪些服务？

• 停止或暂停目标系统的相关程序
  如反病毒程序

The main function is to view and manage the services of the target system, including:

    Create service

    Start/stop the service

    Delete service

Specific functions are as follows:

    View the environment information of the target system

    What software is installed? What services are started?

    Stop or pause related programs of the target system

    Such as anti-virus program

可能涉及的关键函数: OpenSCManager、EnumServiceStatus、OpenService、 QueryServiceConfig、 StartService、StopService、 DeleteService 等。

Possible key functions include OpenSCManager, EnumServiceStatus, OpenService, QueryServiceConfig, StartService, StopService, DeleteService, and so on.

下图是PcShare提供的服务管理示例。

The following is an example of service management provided by PcShare.

4.注册表管理【Registry management】

注册表管理可以浏览注册表的信息及键值，也能创建、删除一些键值。

Registry management You can view registry information and key values, and you can also create and delete some key values.

可能涉及的关键函数包括: RegQueryInfoKey、RegEnumKeyEx、 RegEnumValue、 RegCreateKeyEx、RegDeleteKey、 RegSetValueEx、 RegDeleteValue 等。

Key functions that may be involved include: RegQueryInfoKey, RegEnumKeyEx, RegEnumValue, RegCreateKeyEx, RegDeleteKey, RegSetValueEx, RegDeleteValue, and so on.

5.屏幕控制【Screen Control】

• 利用 keybd_event 或者SendInput 模拟按键PrintScreen

• 利用 CreateDC 获取当前屏幕设备的句柄，然后获取屏幕图像

• Use keybd_event or SendInput to simulate the key PrintScreen

• Use CreateDC to get a handle to the current screen device and then get the screen image

6.键鼠操作【Key-and-mouse operation】

下图是PcShare远程控制的键盘控制，主要涉及函数：SetCursorPos、mouse_event、SendInput

The following is the keyboard control of PcShare remote control, mainly involving functions:SetCursorPos、mouse_event、SendInput

7.屏幕截取【Screen capture】

对于有些木马来说，会认为屏幕控制功能流量消耗很大，不希望引起被控制着注意，有时候进行屏幕抓取即可。

• 抓取屏幕（单张、多张连续）

• 了解目标主机的当前操作情况

常见函数包括：CreateDC、CreateCompatibleBitmap、BitBlt

For some trojans, they will think that the screen control function consumes a lot of traffic, and they do not want to attract the attention of being controlled, and sometimes screen grabbing can be done.

    Capture screen (single, multiple consecutive)

    Learn about the current operations on the target host

Common functions include: CreateDC, CreateCompatibleBitmap, BitBlt

8.语音视频截获【Voice and video interception】

录音包括窃取对方谈话信息、窃取对方对外语音通话（如QQ、SKYPE、MSN等），甚至即使是在断网的环境也可能会被录音，当连接网络后再传输对应的数据。另一个是摄像头，主要包括打开摄像头（了解对方现场环境）、摄像录制（敲Z）等。下图展示了语音视频截获的过程。

Recording includes stealing each other’s conversation information, stealing each other’s external voice calls (such as QQ, SKYPE, MSN, etc.), even if the network is disconnected, it may be recorded, and then transmitted the corresponding data after connecting to the network. The other is the camera, which mainly includes opening the camera (understanding the other party’s scene environment), camera recording (tapping Z) and so on. The following diagram shows the process of voice and video interception.

9.键盘记录【keylogging】

获取目标电脑中的键盘击键信息，包括：

• 用户名、密码信息
  QQ、邮箱、网银、网上证券、网络游戏、支付宝等

• 聊天信息
  部分木马支持中文汉字记录

其他功能还有窗口管理，比如查看目标主机目前开启了哪些窗口，了解目标用户正在做什么；再就是远程Shell，包括交互式或非交互式Shell（远程交互的Cmd.exe）、直接执行命令或第三方程序等。部分木马功能如下图所示，其中很多功能所有木马都具有，比如文件管理、注册表管理、屏幕监控，也有一些功能是特有的。

Get keystroke information on the target computer, including:

    User name and password information

    QQ, mailbox, online banking, online securities, online games, Alipay, etc

    Chat message

    Some Trojans support Chinese character recording

Other features include window management, such as viewing which Windows are currently open on the target host and understanding what the target user is doing; Then there is the remote Shell, including interactive or non-interactive shells (remote interactive Cmd.exe), direct execution commands or third-party programs. Some of the Trojan features are shown below, many of which are common to all Trojans, such as file management, registry management, screen monitoring, and some are unique.

最后简单总结下编写木马的关键性：

• 功能适当［精简灵活］

• 适用性强［功能、权限］

• 高效、稳定、隐蔽［传输］

• 可穿透性

• 自更新、自销毁

• 反调试、反分析、防追踪、反制对抗

• 持续免杀性能等

• 特征值、通用主机行为、异常的通信流量

Finally, a brief summary of the key to writing Trojan: 

• Functional appropriate

• Strong applicability

• Efficient, stable, hidden

• penetrability

• Self-renewal and self-destruction

• Anti-debugging, anti-analysis, anti-tracking, counter-countermeasures

• Continuous no-kill performance, etc

• Eigenvalues, common host behavior, abnormal traffic

原文始发于微信公众号（Eonian Sharp）：[YA-12] APT攻击之木马系列—木马的功能