木马攻击与防范

男娘i 2022-08-26 00:48 357阅读 0赞

# BO2K下载： #

http://sourceforge.jp/projects/sfnet\_bo2k/releases/

http://sourceforge.net/projects/bo2k/?source=pdlp

# 使用说明： #

BO2K Core Package and Plugins  
Version v1.1.6  
  
  
  
  
Table of Contents:  
  
  
1 - Introduction  
2 - Licencing and Legal Information  
3 - Installation and Usage  
3.1 - Installation  
3.2 - Help and Support  
3.3 - Third-Party Plugins  
3.4 - Development Plugins (unstable)  
4 - Version History  
5 - Credits, Contacts and Acknowledgments  
6 - Conclusion and Notes  
  
  
1 -- Introduction  
  
  
BO2K is a remote administration tool for Windows systems. It comes with a client  
and a server. The server is lightweight and inobtrusive. A dynamic plugin  
architechture allows for easy system extension.  
  
  
This release consists of the binaries for the core applications and plugins.  
Included files are:  
  
  
bo2k.exe - Server program ver 1.1.5  
bo2kgui.exe - Client program ver 1.3.1  
bo2kcfg.exe - Server configuration Utility ver 1.2.0.5  
  
  
auth\_null.dll - Null authentication module  
enc\_null.dll - Null encryption module  
io\_tcp.dll - TCP IO module  
io\_udp.dll - UDP IO module  
  
  
srv\_interface.dllver 1.3  
srv\_control.dllver 1.2  
srv\_regfile.dllver 1.3  
srv\_system.dllver 1.0  
srv\_inetcmd.dllver 1.0  
srv\_legacy.dllver 1.0  
srv\_reverser.dllver 1.4  
srv\_rootkit.dllver 1.1  
  
  
cli\_botoolver 1.5.0.7  
  
  
misc\_livekeylog.dllver 1.0  
misc\_bochat.dllver 1.0  
misc\_bopeep.dllver 1.4  
  
  
  
  
2 -- Licencing and Legal Information  
  
  
BO2K v1.1.6  
Copyright (C) 2007 Bo2k Development Team (http://www.bo2k.com/)  
  
This program is free software; you can redistribute it and/or modify  
it under the terms of the GNU General Public License as published by  
the Free Software Foundation; either version 2 of the License, or  
(at your option) any later version.  
  
This program is distributed in the hope that it will be useful,  
but WITHOUT ANY WARRANTY; without even the implied warranty of  
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the  
GNU General Public License for more details.  
  
You should have received a copy of the GNU General Public License  
along with this program; if not, write to the Free Software  
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA  
  
  
  
  
3 -- Installation and Usage  
  
  
3.1 -- Installation  
  
  
Just unzip the package on a directory of your choice. See the on-line documentation  
(links below) for usage instructions.  
  
  
  
  
3.2 -- Help and Support  
  
  
Support for this package is provided on-line. Please check the following websites:  
  
  
\- BO2K Website:  
http://www.bo2k.com/  
  
  
\- Project's Tracker:  
https://sourceforge.net/tracker/?group\_id=4487  
  
  
\- Forums:  
http://bo2k.sf.net/forums/  
  
  
\- Documentation:  
http://www.bo2k.com/documentation.html  
  
  
\- Mailing Lists:  
https://sourceforge.net/tracker/?group\_id=4487  
  
  
  
  
3.3 -- Third-Party Plugins (stable)  
  
  
Third-party plugins for BO2K 1.1.x are avaliable at:  
  
  
http://www.bo2k.com/software/bo2k11.html  
or  
https://sourceforge.net/project/showfiles.php?group\_id=4487&release\_id=55979  
  
  
  
  
3.4 -- Development Plugins (not necessarily stable)  
  
  
Latest developer plugins for BO2K 1.1.x are avaliable at:  
  
  
http://bo2k.sourceforge.net/Development/  
  
  
These plugins are the latest available however they are in development and may be unstable.  
  
  
  
  
4 -- Version History  
  
  
\---< 1.1.6 ( 25 Mar 07 ) >---  
  
  
This version is mainly in support of the new bopeep plugin.  
  
  
\- New Client (ver 1.3.1)  
  
  
a. Modifications to the plugin button on the Bo Server Connection Dialog  
b. Client now checks for proper version of botool and bopeep  
c. Modifications to accept reverse connections from bopeep.  
  
  
  
  
\- New cli\_botool.dll (ver 1.5.0.7)  
  
  
a. Modified to accept proper command for connections through the plugin button and right click from server list  
b. Now checks for proper version of client  
  
  
  
  
\- New misc\_bopeep.dll (ver 1.4)  
  
  
a. Memory leak for client and server is fixed  
b. New control "ROAM" cuts screen link with remote mouse and allows you to scroll around screen using buttons which will appear around display screen when "ROAM" radio button is selected...updates every second  
c. Full Screen button allows you to view the entire remote screen within the display frame...updates every 5 seconds.  
d. New Control quality spinners allow you to control the display quality on the fly...range from 10 to 95.  
e. Reverse connection now works for both viewing and hijack.  
f. Now checks for proper version of client  
  
  
  
  
\--------Known issues--------  
The reverse connect for botool can get out of sync sometimes...if it happens close down client and restart.  
Insidious mode is flakey...don't use it  
Remote to remote file transfer is broken for now......  
Repeated attempts for reverse registry connect can cause client to not recognize the botool plugin  
Hijack does not always register a mouse click.  
Copy button on bopeep client doesn't work.  
  
  
  
  
\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*  
\---< 1.1.5 ( 18 Jan 07 ) >---  
  
  
The first thing that must be stated is that backward compatibility has been compromised to an extent. For the most part you can still communicate between older servers and the new client or older clients and the new server etc. but behavior will be erratic when attempting some commands. It is highly recommended that you replace all older servers and their plugins with all the latest from this package.  
  
  
\- New Server ver 1.1.5  
  
  
a. Rewritten to accommodate rootkit for injected servers using "browser only" option  
  
  
  
  
\- New Client (ver 1.2.0.3)  
  
  
a. Deletion of listener sockets fixed to prevent crash  
b. Insert and Delete keys now work for listener sockets  
c. Client "hang" on command query during some initial connects fixed  
d. Reverse logic rewritten to allow for more than one server from same remote address  
e. Client crash when reverse botool connect requested and botool plugin not loaded fixed  
  
  
  
  
\- New Server Configuration Utility (ver 1.2.0.5)  
  
  
a. ENTER and ESC keys now trapped to prevent the tab page from blanking.  
  
  
  
  
\- New cli\_botool.dll (ver 1.5.0.6)  
  
  
a. Disconnect menu item on botool registry client fixed  
b. Fatal hang when attempting to view REG\_MULTI\_SZ values fixed  
c. Crash protection when botool registry client can't read a value/key  
d. Remote process spawn fixed so that the correct message shows if unsuccessful  
  
  
  
  
\- New srv\_rootkit.dll (ver 1.1)  
  
  
a. Rootkit now works correctly for all settings including the "browser only" injection option  
  
  
  
  
\- New srv\_reverser.dll (ver 1.4)  
  
  
a. Changes to code to improve reverse connections.  
b. Changes to how communications sent to client for reverse botool connections.  
  
  
  
  
\--------Known issues--------  
The reverse connect for botool can get out of sync sometimes...if it happens close down client and restart.  
Insidious mode is flakey...don't use it  
Remote to remote file transfer is broken for now......  
Repeated attempts for reverse registry connect can cause client to not recognize the botool plugin  
  
  
\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*  
  
  
1.1.4 (15/12/06)  
  
  
\- New Server (ver 1.1.4)  
  
  
a. Stealth now works on all windows systems including Windows XP SP 1 & 2 (injection)  
b. Process hop now works on NT/XP systems allowing you to hop from one app to another turning bo2k effectively into the "Ghost in the machine"  
c. New option "Listen Socket" allows you to turn on or off bo2k's listening socket for traditional connections...this is useful for when the reverse plugin is installed and you don't want bo2k detected as a listening server.  
d. New option "Browser Only" allows you to keep bo2k sitting inert in the background until the default browser starts at which time bo2k will inject itself into the browser and the reverse plugin will attempt outbound connections...effective against firewalls.  
e. Delete server changed for injected servers.  
  
  
  
  
\- New Client (ver 1.2)  
  
  
a. Client redesigned to place listening sockets on a bottom panel and normal connections on the top panel (Thanks to James Keane for the design)  
b. Code re-written to allow for unlimited number of listening sockets  
c. The "Save workspace" option now allows for listening sockets to be saved in either active or inactive state.  
d. Control buttons added for listening socket control, open/close, delete, edit.  
e. Code rewritten to allow for easier reverse botool connection, instead of having to set up a new listen port for every botool connection, botool will now use the listen port used for server connection.  
f. Splash screen and credits changed.  
  
  
  
  
\- New Server Configuration Utility (ver 1.2.0.3)  
  
  
a. Complete re-design using a tabbed interface allowing for easier viewing of loaded plugins and variable settings.  
b. New XP look  
c. Allows for drag and drop for loading plugins.  
d. New config dump option for easier debugging help.  
  
  
  
  
\- New srv\_regfile.dll (ver 1.3)  
  
  
a. Now allows for proper display of Large files and and allows for transfers of files larger than 100 Mb.  
b. Allows for resumable uploads and downloads (Must be used with latest botool \[ver 1.5.0.2\])  
  
  
  
  
\- New srv\_control.dll (ver 1.2)  
  
  
a. New command Simple-> "Show Host" will show the Application that bo2k is currently injected into.  
b. New option for "Load Plugin" allows server to load plugins that are in a "frozen" state from having used the bo2k "Freeze" command.  
  
  
  
  
\- New srv\_interface.dll (ver 1.3)  
  
  
a. Keylogging fixed  
b. Plugin size reduced.  
  
  
  
  
\- New srv\_reverser.dll (ver 1.3)  
  
  
a. Now allows for resumable uploads and downloads.  
b. New command "Browser Start" allows for automatic start and connection to the botool browser client  
c. New command "Registry Start" allows for automatic start and connection to the botool registry client.  
  
  
  
  
\- New cli\_botool.dll (ver 1.5.0.3)  
  
  
a. Upload and download now on own threads  
b. Drag and drop for uploads reconnected  
c. Large files now displayed properly  
d. Upload and download of large files now supported  
e. Freeze and Melt of local files now supported  
f. Direct connect capablilites enabled  
g. Reverse connection now automatic when server Reverse=> BoTool connect command issued  
  
  
\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*  
  
  
1.1.3 (23/11/04)  
  
  
\- New Server  
  
  
a. "delete original file" re-enabled  
b. "eradicate server" now actually removes the server from the remote machine as well as allregistry entries  
c. Stealth is re-enabled as part of the server...save me the rhetoric...there are legitimatereasons for stealth in a server. It will effectively hide bo2k from any win9x processlist but unfortunatly it can't hide in NT type systems.  
d. Latest Plugins from the Novice page included  
  
  
\- New Client  
a. Allows option to get rid of disconnect request when closing dialog box  
b. Allows "right click" on server list window for connecting plugins  
c. Includes a new "plugins" button which allows for quick connects with all details filled in http://bo2k.sourceforge.net/novice/Client.htm  
d. Latest Plugins from the Novice page included  
  
  
  
  
\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*  
  
  
1.1.2 (01/10/2003)  
\- Merged Novice's plugin changes to the main source tree. Increased stability and  
compatibility with Windows 2000 and XP Operating Systems.  
  
  
  
  
5 -- Credits, Contacts and Acknowledgments  
  
  
Packager: Novice, novice222 at users dot sourceforge dot net  
Contributing Developer: Novice, novice222 at users dot sourceforge dot net  
Thanks to Pillowtop, soupnut, DiggerX and Fluffy for testing.  
  
  
  
  
6 -- Conclusion and Notes  
  
  
The following websites may be of interest:  
  
  
http://www.bo2k.com/software/bo2k11.html  
http://bo2k.sf.net/Development

# 木马攻击与防范（转载） #

一、实验目的

1.熟悉木马的原理和使用方法，学会配制服务器端及客户端程序。

2.掌握木马防范的原理和关键技术。

二、实验原理

1.木马攻击：特洛伊木马（以下简称木马），英文叫做“Trojan horse”，其名称取自希腊神话的特洛伊木马记。它是一种基于远程控制的黑客工具，具有隐蔽性和破坏性的特点。大多数木马与正规的远程控制软件功能类似，如Symantec的pcAnywhere，但木马有一些明显的特点，例如它的安装和操作都是在隐蔽之中完成。攻击者经常把木马隐藏在一些游戏或小软件之中，诱使粗心的用户在自己的机器上运行。最常见的情况是，用户从不正规的网站上下载和运行了带恶意代码的软件，或者不小小心点击了带恶意代码的邮件附件。

大多数木马包括客户端和服务器端两个部分。攻击者利用一种称为绑定程序的工具将服务器绑定到某个合法软件上，只要用户一运行被绑定的合法软件，木马的服务器部分就在用户毫无知觉的情况下完成了安装过程。通常，木马的服务器部分都是可以定制的，攻击者可以定制的项目一般包括服务器运行的IP端口号、程序启动时机。如何发出调用、如何隐身、是否加密。另外，攻击者还可以设置登录服务器的密码，确定通信方式。木马攻击者既可以随心所欲的查看已被入侵的机器，也可以用广播方式发布命令，指示所有在他控制之下的木马一起行动，或者向更广泛的范围传播，或者做其他危险的事情。

木马的设计者为了防止木马被发现，会采用多种手段隐藏木马，这样用户即使发现感染了木马，也很难找到并清除它。木马的危害越来越大，保障安全的最好办法就是熟悉木马的类型、工作原理，掌握如何检测和预防这些代码。常见的木马，例如Back Orifice和SubSeven等，都是多用途的攻击工具包，功能非常全面，包括捕获屏幕、声音、视频内容的功能。这些木马可以当做键记录器、远程登录控制器、FTP服务器、HTTP服务器、Telnet服务器，还能够寻找和窃取密码。攻击者可以配置木马监听端口、运行方式，以及木马是否通过email、IRC或其他通信手段联系发起攻击的人。一些危害大的木马还有一定的反侦测能力，能够采取各种方式隐藏自身，加密通信，甚至提供了专业级的API供其他攻击者开发附加的功能。

木马程序中最著名的当属Back Orifice（BO2K）以多功能，代码简洁而著称。BO2K程序主要分成以下三个部分。

（1）bo2k.exe：这是服务器程序，它的作用就是负责执行入侵者的命令。

（2）bo2kgui.exe：这是BO2K的客户端程序，其主要作用就是用来控制服务器程序执行。

（3）bo2kcfg.exe：这是服务器设置程序，在使用bo2k.exe服务器程序之前，有一些相关的功能必须通过它来进行设置，如使用的TCP/IP端口、程序名称、密码等。

2.木马防范：为了防止用户发现，木马程序会想尽一切办法隐藏自己，主要途径有：在任务栏中隐藏，这是最基本的。只要把Form的Visible属性设为False、ShowInTaskBar设为False，程序运行时就不会出现在任务栏中了。在任务管理器中隐形：将程序设为“系统服务”可以伪装自己。当然它也会悄无声息的启动，木马会在每次用户启动时自动装载服务端，Windows系统启动时自动加载应用程序的方法，木马都会用上，如启动组、win.ini、system.ini、注册表等都是木马藏身的好地方。

目前除了上面介绍的隐身技术外，更隐藏的方法已经出现，那就是驱动程序及动态链接库技术。驱动程序及动态链接库技术和一般木马不同，它基本上摆脱了原有的木马模式——监听端口，而采用替代系统功能的方法（改写驱动程序或动态链接库）。这样做的结果是：系统中没有增加新的文件（所以不能用扫描的方法查杀），不需要打开新的端口（所以不能用端口监视的方法查杀），没有新的进程（所以使用进程查看的方法发现不了它，也不能用杀掉进程的方法终止它的运行）。在正常运行时木马几乎没有任何的症状，而一旦木马的控制端向被控制端发出特定的信息后，隐藏的程序就立即开始运作。

知道了木马的攻击原理和隐身方法，就可以采取措施进行防御了。

1.端口扫描；2.查看连接；3.检查注册表；4.查找文件。

三、实验环境

Windows操作系统，网络环境，BO2K软件，The cleaner软件。

四、实验步骤

任务一 木马的安装和使用

1.BO2K的安装：BO2K一般都是以压缩文件在网上发布的。下载并解压后打开即可看到图1所示文件，包括服务器bo2k.exe、服务器配置工具bo2kcfg.exe、客户端bo2kgui.exe，子文件夹plugins内包含用于扩展服务器和客户端功能的插件。

**图1**

2.服务器端程序的配置：

（1）启动BO2K的配置工具。运行bo2kcfg.exe，单击Open Server，输入要配置的服务器文件，选择图1中的bo2k.exe，如图2。

**图2**

（2）配置插件。单击Insert添加插件，插件放在图1所示的plugins文件夹中，添加的插件包括auth、enc、io、srv、misc目录下的所有DLL文件，如图3。