In the previous issue we published "A Look Inside Trojan Development Techniques (Part 1)"; this issue presents the second part of the series, which we hope will help you understand Trojan techniques so that you can manage your computer securely.

4. Hiding the Trojan's connection

A Trojan can move data in many ways, but by far the most common is plain TCP or UDP: the program uses Winsock to connect to a specified port on the target host and then transfers data with APIs such as send and recv. The drawback of this approach is that it is poorly concealed. The socket it creates is visible to ordinary tools; the simplest is the netstat command at the command prompt, which lists the current active TCP and UDP connections (with -n in numeric form, with -a including listening sockets, and on Windows XP and later with -o the owning process ID as well). Any listener or outbound session that does not belong to a known program therefore stands out in this listing, which is exactly why Trojan authors try to hide it.
C:\Documents and Settings\bigball>netstat -n
Active Connections
  Proto  Local Address          Foreign Address        State
  TCP    192.0.0.9:1032         64.4.13.48:1863        ESTABLISHED
  TCP    192.0.0.9:1112         61.141.212.95:80       ESTABLISHED
  TCP    192.0.0.9:1135         202.130.239.223:80     ESTABLISHED
  TCP    192.0.0.9:1142         202.130.239.223:80     ESTABLISHED
  TCP    192.0.0.9:1162         192.0.0.8:139          TIME_WAIT
  TCP    192.0.0.9:1169         202.130.239.159:80     ESTABLISHED
  TCP    192.0.0.9:1170         202.130.239.133:80     TIME_WAIT
C:\Documents and Settings\bigball>netstat -a
Active Connections
  Proto  Local Address          Foreign Address                    State
  TCP    Liumy:echo             Liumy:0                            LISTENING
  TCP    Liumy:discard          Liumy:0                            LISTENING
  TCP    Liumy:daytime          Liumy:0                            LISTENING
  TCP    Liumy:qotd             Liumy:0                            LISTENING
  TCP    Liumy:chargen          Liumy:0                            LISTENING
  TCP    Liumy:epmap            Liumy:0                            LISTENING
  TCP    Liumy:microsoft-ds     Liumy:0                            LISTENING
  TCP    Liumy:1025             Liumy:0                            LISTENING
  TCP    Liumy:1026             Liumy:0                            LISTENING
  TCP    Liumy:1031             Liumy:0                            LISTENING
  TCP    Liumy:1032             Liumy:0                            LISTENING
  TCP    Liumy:1112             Liumy:0                            LISTENING
  TCP    Liumy:1135             Liumy:0                            LISTENING
  TCP    Liumy:1142             Liumy:0                            LISTENING
  TCP    Liumy:1801             Liumy:0                            LISTENING
  TCP    Liumy:3372             Liumy:0                            LISTENING
  TCP    Liumy:3389             Liumy:0                            LISTENING
  TCP    Liumy:netbios-ssn      Liumy:0                            LISTENING
  TCP    Liumy:1028             Liumy:0                            LISTENING
  TCP    Liumy:1032             msgr-ns19.msgr.hotmail.com:1863    ESTAB
  TCP    Liumy:1112             szptt61.141.szptt.net.cn:http      ESTABLI
  TCP    Liumy:1135             202.130.239.223:http               ESTABLISHED
  TCP    Liumy:1142             202.130.239.223:http               ESTABLISHED
  TCP    Liumy:1162             W3I:netbios-ssn                    TIME_WAIT
  TCP    Liumy:1170             202.130.239.133:http               TIME_WAIT
  TCP    Liumy:2103             Liumy:0                            LISTENING
  TCP    Liumy:2105             Liumy:0                            LISTENING
  TCP    Liumy:2107             Liumy:0                            LISTENING
  UDP    Liumy:echo             *:*
  UDP    Liumy:discard          *:*
  UDP    Liumy:daytime          *:*
  UDP    Liumy:qotd             *:*
  UDP    Liumy:chargen          *:*
  UDP    Liumy:epmap            *:*
  UDP    Liumy:snmp             *:*
  UDP    Liumy:microsoft-ds     *:*
  UDP    Liumy:1027             *:*
  UDP    Liumy:1029             *:*
  UDP    Liumy:3527             *:*
  UDP    Liumy:4000             *:*
  UDP    Liumy:4001             *:*
  UDP    Liumy:1033             *:*
  UDP    Liumy:1148             *:*
  UDP    Liumy:netbios-ns       *:*
  UDP    Liumy:netbios-dgm      *:*
  UDP    Liumy:isakmp           *:*
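The listing above is what a defender actually reads, so here is the check in code. This is an added example, not code from the original article: a small Python script that parses Windows netstat -an output and flags the two things a plain Winsock Trojan cannot avoid producing, a TCP listener that is not on the host's allow-list (a bind-style Trojan) or an established session to an external host on a port outside the expected set (a reverse-connect Trojan). The sample output, the KNOWN_LISTENERS allow-list and the KNOWN_REMOTE_PORTS set are constructed for illustration, loosely modelled on the listing above, and must be tuned to the host being reviewed.

```python
"""Parse Windows `netstat -an` output and flag sockets worth a closer look.

Added example, not code from the original article. The sample output and the
allow-lists below are constructed for illustration (partly modelled on the
article's listing); adjust them to the host you are reviewing.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One netstat row: proto, local addr:port, foreign addr:port, optional state.
# The greedy `\S+` before the final ':' also accepts bracketed IPv6 such as [::].
ROW_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)(?:\s+(\S+))?\s*$"
)

# Constructed sample of `netstat -an` output (not a real capture).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1801           0.0.0.0:0              LISTENING
  TCP    192.0.0.9:1032         64.4.13.48:1863        ESTABLISHED
  TCP    192.0.0.9:1112         61.141.212.95:80       ESTABLISHED
  TCP    192.0.0.9:1170         10.0.0.5:8080          ESTABLISHED
  TCP    192.0.0.9:1162         192.0.0.8:139          TIME_WAIT
  TCP    [::]:135               [::]:0                 LISTENING
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:161            *:*
"""

# Assumed baseline for this host: which ports may listen, and which remote
# service ports ordinary outbound traffic is expected to use.
KNOWN_LISTENERS = {135, 139, 445, 3389}
KNOWN_REMOTE_PORTS = {80, 443}


@dataclass
class Conn:
    proto: str
    laddr: str
    lport: Optional[int]
    faddr: str
    fport: Optional[int]
    state: str


def _port(text: str) -> Optional[int]:
    return None if text == "*" else int(text)


def _is_internal(addr: str) -> bool:
    """True for loopback/private/unspecified/link-local IPs; hostnames count as external."""
    try:
        ip = ipaddress.ip_address(addr.strip("[]"))
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback or ip.is_unspecified or ip.is_link_local


def parse_netstat(text: str) -> List[Conn]:
    """Return every socket row in `netstat -an` output; headers and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        proto, la, lp, fa, fp, state = m.groups()
        rows.append(Conn(proto, la, _port(lp), fa, _port(fp), state or ""))
    return rows


def flag_suspicious(conns: List[Conn], known_listeners=KNOWN_LISTENERS,
                    known_remote=KNOWN_REMOTE_PORTS) -> List[Tuple[str, Conn]]:
    """Flag TCP listeners off the allow-list, and established sessions to
    external hosts on ports outside the expected set. Sessions to internal
    hosts and non-ESTABLISHED states (TIME_WAIT, UDP rows) are ignored."""
    findings = []
    for c in conns:
        if c.proto == "TCP" and c.state == "LISTENING" and c.lport not in known_listeners:
            findings.append(("unexpected-listener", c))
        elif (c.state == "ESTABLISHED" and not _is_internal(c.faddr)
              and c.fport not in known_remote):
            findings.append(("unexpected-outbound", c))
    return findings


if __name__ == "__main__":
    for kind, c in flag_suspicious(parse_netstat(SAMPLE)):
        print(f"{kind:20} {c.proto} {c.laddr}:{c.lport} -> {c.faddr}:{c.fport} {c.state}")
```

On a live host, pipe `netstat -an` into parse_netstat instead of using SAMPLE; with -o on Windows XP and later the extra PID column can be matched up to a process list to name the owner of each flagged socket. The check is only as good as the baseline: every legitimate service on the host has to be in KNOWN_LISTENERS, otherwise it will be reported just like the Trojan.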