网络嗅探器无广告版,系统安全网络嗅探类软件去广告分析

系统安全网络嗅探类软件去广告分析 - 电脑安全 - 电脑教程网
站点导航
相关链接

系统安全网络嗅探类软件去广告分析

日期:2007-03-27   荐:
·一键修复所有系统安全漏洞!·岂能儿戏:组策略在系统安全方面的应用·深度挖掘 Windows系统安全模式应用技巧·拒绝陌生人 开机密码保护系统安全·系统安全之解开恶意被锁上的注册表·系统安全的王牌 我的无敌影子系统·保护系统安全 反间谍软件大阅兵·为了系统安全千万别做这些傻事·网络系统安全漏洞分类研究(上)·网吧系统安全防护   首先用Peid查壳,程序并没有加壳是Delphi编写的。用dede打开程序并分析,分析的过程中我们就要猜测广告是通过什么方式被设置或下载的。

  分析完成后,我们首先来看看主窗体中的窗体资源,很快可以发现用来播放广告的组件是TWBS1。

  代码如下:

object pnl3: TPanel Left = 244 Top = 0 Width = 470 Height = 60 Color = clWhite TabOrder = 0 object TWBS1: TWebBrowser Left = -11 Top = -17 Width = 580 Height = 193 TabOrder = 0 ControlData = { 4C000000F23B0000F21300000000000000000000000000000000000000000000 000000004C000000000000000000000001000000E0D057007335CF11AE690800 2B2E126208000000000000004C0000000114020000000000C000000000000046 8000000000000000000000000000000000000000000000000000000000000000 00000000000000000100000000000000000000000000000000000000} end end

  懂Delphi得朋友可能很快就会想到,这个组件通常是通过Navigate或Navigate2来设置url显示网页的。如

procedure Navigate(const URL: WideString); overload;

  我们猜测Navigate可能是在主窗体的OnCreate或者某个TTimer组件的OnTimer中调用,所以来到dede中选择过程页,接着选择Unit1既主窗体的单元找到FormCreate过程对应与OnCreate事件。


·一键修复所有系统安全漏洞!·岂能儿戏:组策略在系统安全方面的应用·深度挖掘 Windows系统安全模式应用技巧·拒绝陌生人 开机密码保护系统安全·系统安全之解开恶意被锁上的注册表·系统安全的王牌 我的无敌影子系统·保护系统安全 反间谍软件大阅兵·为了系统安全千万别做这些傻事·网络系统安全漏洞分类研究(上)·网吧系统安全防护

  代码如下:

00505F34 55 push ebp 00505F35 8BEC mov ebp, esp 00505F37 6A00 push $00 00505F39 6A00 push $00 00505F3B 6A00 push $00 00505F3D 53 push ebx 00505F3E 56 push esi 00505F3F 8BD8 mov ebx, eax 00505F41 33C0 xor eax, eax 00505F43 55 push ebp * Possible String Reference to: '閗囡?腚^[嬪]? | 00505F44 68AC605000 push $005060AC ***** TRY | 00505F49 64FF30 push dword ptr fs:[eax] 00505F4C 648920 mov fs:[eax], esp 00505F4F A124175100 mov eax, dword ptr [$00511724] 00505F54 8B00 mov eax, [eax] 00505F56 8B9340020000 mov edx, [ebx $0240] * Reference to: Chart.TCustomChart.SetTitle(TCustomChart;TChartTitle); | or: Chart.TCustomChart.SetFoot(TCustomChart;TChartTitle); | or: Chart.TCustomChart.SetBackWall(TCustomChart;TChartWall); | or: Chart.TCustomChart.SetLeftWall(TCustomChart;TChartWall); | or: Chart.TCustomChart.SetBottomWall(TCustomChart;TChartWall); | or: ComCtrls.TCustomTreeView.SetTreeNodes(TCustomTreeView;TTreeNodes); | 00505F5C E8630CF8FF call 00486BC4 00505F61 BAC0605000 mov edx, $005060C0 * Reference to control TWBS1 : N.A. | 00505F66 8B830C040000 mov eax, [ebx $040C] * Reference to : TWebBrowser._PROC_0048FEB4() | 00505F6C E8439FF8FF call 0048FEB4 00505F71 C6052C3E510000 mov byte ptr [$00513E2C], $00 * Possible String Reference to: 'setting.ini' | 00505F78 B808615000 mov eax, $00506108 * Reference to: SysUtils.FileExists(AnsiString):Boolean; | 00505F7D E8F233F0FF call 00409374 00505F82 84C0 test al, al 00505F84 7520 jnz 00505FA6 00505F86 66A114615000 mov ax, word ptr [$00506114] 00505F8C 50 push eax 00505F8D 6A00 push $00 00505F8F B101 mov cl, $01 00505F91 BA20615000 mov edx, $00506120 * Reference to control bsSkinMessage1 : N.A. | 00505F96 8B8398030000 mov eax, [ebx $0398] | 00505F9C E8170DFFFF call 004F6CB8 00505FA1 E9EB000000 jmp 00506091 00505FA6 8D55F8 lea edx, [ebp-$08] 00505FA9 A124175100 mov eax, dword ptr [$00511724] 00505FAE 8B00 mov eax, [eax] * Reference to: DdeMan.TDdeMgr.GetExeName(TDdeMgr):AnsiString; | or: Forms.TApplication.GetExeName(TApplication):AnsiString; | 00505FB0 E8CB16F8FF call 00487680 00505FB5 8B45F8 mov eax, [ebp-$08] 00505FB8 8D55FC lea edx, [ebp-$04] * Reference to: SysUtils.ExtractFileDir(AnsiString):AnsiString; | 00505FBB E88435F0FF call 00409544 00505FC0 8D45FC lea eax, [ebp-$04] * Possible String Reference to: '\SETTING.INI' | 00505FC3 BA44615000 mov edx, $00506144 * Reference to: System.@LStrCat; | 00505FC8 E897EAEFFF call 00404A64 00505FCD 8B4DFC mov ecx, [ebp-$04] 00505FD0 B201 mov dl, $01 00505FD2 A1705B4300 mov eax, dword ptr [$00435B70] * Reference to: AxCtrls.TOleStream.Create(TOleStream;boolean;IStream); | or: HelpIntfs.THelpViewerNode.Create(THelpViewerNode;boolean;ICustomHelpViewer); | or: IniFiles.TCustomIniFile.Create(TCustomIniFile;boolean;AnsiString); | or: SysUtils.Exception.Create(Exception;boolean;AnsiString); | 00505FD7 E844FCF2FF call 00435C20 00505FDC 8BF0 mov esi, eax 00505FDE 89B390040000 mov [ebx $0490], esi 00505FE4 685C615000 push $0050615C 00505FE9 8D45F4 lea eax, [ebp-$0C] 00505FEC 50 push eax * Possible String Reference to: 'title' | 00505FED B97C615000 mov ecx, $0050617C * Possible String Reference to: 'system' | 00505FF2 BA8C615000 mov edx, $0050618C 00505FF7 8BC6 mov eax, esi 00505FF9 8B30 mov esi, [eax] 00505FFB FF16 call dword ptr [esi] 00505FFD 8B55F4 mov edx, [ebp-$0C] 00506000 8BC3 mov eax, ebx * Reference to: Controls.TControl.SetText(TControl;TCaption); | 00506002 E8C913F6FF call 004673D0 00506007 B201 mov dl, $01 * Reference to control btn3 : N.A. | 00506009 8B83EC030000 mov eax, [ebx $03EC] 0050600F 8B08 mov ecx, [eax] 00506011 FF5164 call dword ptr [ecx $64] 00506014 C6839804000000 mov byte ptr [ebx $0498], $00 0050601B 33D2 xor edx, edx * Reference to control bsSkinNotebook1 : N.A. | 0050601D 8B83BC030000 mov eax, [ebx $03BC] * Reference to : TbsPageAccess._PROC_004C5988() | 00506023 E860F9FBFF call 004C5988 00506028 803D483E510000 cmp byte ptr [$00513E48], $00 0050602F 752B jnz 0050605C 00506031 6A01 push $01 * Possible String Reference to: 'autoRun' | 00506033 B99C615000 mov ecx, $0050619C * Possible String Reference to: 'system' | 00506038 BA8C615000 mov edx, $0050618C 0050603D 8B8390040000 mov eax, [ebx $0490] 00506043 8B30 mov esi, [eax] 00506045 FF5610 call dword ptr [esi $10] 00506048 84C0 test al, al 0050604A 7410 jz 0050605C 0050604C BAB80B0000 mov edx, $00000BB8 * Reference to control tmr2 : N.A. | 00506051 8B834C030000 mov eax, [ebx $034C] * Reference to: ExtCtrls.TTimer.SetInterval(TTimer;Cardinal); | or: IBDatabase.TIBTimer.SetInterval(TIBTimer;Cardinal); | 00506057 E8F4E2F2FF call 00434350 0050605C 8D83A8040000 lea eax, [ebx $04A8] * Reference to: System.@LStrClr(void;void); | 00506062 E835E7EFFF call 0040479C 00506067 8D83AC040000 lea eax, [ebx $04AC] * Reference to: System.@LStrClr(void;void); | 0050606D E82AE7EFFF call 0040479C 00506072 33C0 xor eax, eax 00506074 8983B4040000 mov [ebx $04B4], eax 0050607A 33C0 xor eax, eax 0050607C 8983B8040000 mov [ebx $04B8], eax 00506082 33C0 xor eax, eax 00506084 8983BC040000 mov [ebx $04BC], eax 0050608A C605353E510000 mov byte ptr [$00513E35], $00 00506091 33C0 xor eax, eax 00506093 5A pop edx 00506094 59 pop ecx 00506095 59 pop ecx 00506096 648910 mov fs:[eax], edx ****** FINALLY | * Possible String Reference to: '^[嬪]? | 00506099 68B3605000 push $005060B3 0050609E 8D45F4 lea eax, [ebp-$0C] 005060A1 BA03000000 mov edx, $00000003 * Reference to: System.@LStrArrayClr(void;void;Integer); | 005060A6 E815E7EFFF call 004047C0 005060AB C3 ret * Reference to: System.@HandleFinally; | 005060AC E96BE0EFFF jmp 0040411C 005060B1 EBEB jmp 0050609E ****** END | 005060B3 5E pop esi 005060B4 5B pop ebx 005060B5 8BE5 mov esp, ebp 005060B7 5D pop ebp 005060B8 C3 ret


·一键修复所有系统安全漏洞!·岂能儿戏:组策略在系统安全方面的应用·深度挖掘 Windows系统安全模式应用技巧·拒绝陌生人 开机密码保护系统安全·系统安全之解开恶意被锁上的注册表·系统安全的王牌 我的无敌影子系统·保护系统安全 反间谍软件大阅兵·为了系统安全千万别做这些傻事·网络系统安全漏洞分类研究(上)·网吧系统安全防护

  看完上面代码很多朋友可能已经发现了关键位置在这里:

00505F61 BAC0605000 mov edx, $005060C0 * Reference to control TWBS1 : N.A. | 00505F66 8B830C040000 mov eax, [ebx $040C] * Reference to : TWebBrowser._PROC_0048FEB4()

  它就是设置广告的地方了,只要nop掉,软件的广告就去掉了。这个call的参数为:

edx:要设置的url eax:self指针(TWebBrowser类的) TWebBrowser._PROC_0048FEB4()可能就是Navigate。

  补丁后运行程序,程序不在显示广告去除完成。

  经验总结

  多借助分析工具给出的提示可以让我们事半功倍。

标签:

Powered by 电脑教程网 © 2004-2015 pc.ximizi.com Inc.