Back to the feed: still no love for Tencent. This is in memory of a certain someone who got banned for a year over “冰爽”, and of a certain unlucky expert whose +10 turned into a “falling meteor”.
I was still curious to learn how 360 hacked QQ and turned it into “扣扣”, because 360's “扣扣” really does have some blocking features for QQ. I think I saw someone play with this back when the 09 version first came out, but they would only give screenshots, not the BIN.
After using “扣扣” seriously for a while, I found that 360扣扣保镖 has five options under the “remove QQ ads” tab, and what we use QQ for most is chatting. So “filter chat-window ads” should be the most visibly noticeable one, and that indeed turned out to be the case.
So I started FileMon, and when we set one of those options it showed 360扣扣 touching a configuration file called “UserConfig.ini” under “C:\Documents and Settings\Administrator\Application Data\360QGuard”. Opening it:
[component]
scan=0
risk=0
Bookmark.dll=0
CRM.dll=0
GameLife.dll=0
MMOG.dll=0
NetBar.dll=0
WenWen.dll=0
QQPet.dll=0
taotao.dll=0
QQWebsite.dll=0
SoBar.dll=0
Soso.dll=0
Advertisement.dll=1
Today.dll=1
news=1
announce=1
Wireless.dll=1
[function]
QGuardDeepScan=1
Well, this looks fairly obvious: if 1 means enabled and 0 means disabled, then my QQ chat ads are on (Advertisement.dll=1). But this file seems to be accessible from user mode, and it is only re-read when “扣扣” restarts. This... is really bad; I guess 麻花痛's little brothers will have something to play with.
Then I used a tool to check the DLLs in QQ, and there is indeed an Advertisement.dll (never knew that before, heh, but the name alone tells you it's for ads). If you forcibly unload that DLL, QQ dies together with it, so that's not an option.
360 blocks ads and the rest by making Advertisement.dll and the related DLLs fail to load the next time QQ runs. Even with none of “扣扣”'s features enabled, QQ still imports many other DLLs such as Today.dll while running, but once protection is enabled, the DLLs corresponding to those features are blocked from loading at QQ startup.
Also, “扣扣” hooks the import table of Advertisement.dll, specifically the function CoCreateInstance from ole32.dll, a COM function related to creating objects by class identifier. But from a quick look there doesn't seem to be any filtering or blocking in there; it just has one more check than the normal function, on whether the “class context (dwClsContext)” parameter is 4, with further handling if so. Many DLLs have similar function hooks, though, so maybe it's groundwork for a later patch. Discussion welcome?
Original CoCreateInstance
769AF1AC 8BFF MOV EDI,EDI
769AF1AE 55 PUSH EBP
769AF1AF 8BEC MOV EBP,ESP
769AF1B1 83EC 0C SUB ESP,0C
769AF1B4 56 PUSH ESI
769AF1B5 8B75 18 MOV ESI,DWORD PTR SS:[EBP+18]
769AF1B8 85F6 TEST ESI,ESI
769AF1BA 0F84 769A0500 JE ole32.76A08C36
769AF1C0 8B45 14 MOV EAX,DWORD PTR SS:[EBP+14]
769AF1C3 8365 F8 00 AND DWORD PTR SS:[EBP-8],0
769AF1C7 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX
769AF1CA 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
769AF1CD 50 PUSH EAX
769AF1CE 6A 01 PUSH 1
769AF1D0 6A 00 PUSH 0
769AF1D2 FF75 10 PUSH DWORD PTR SS:[EBP+10]
769AF1D5 FF75 0C PUSH DWORD PTR SS:[EBP+C]
769AF1D8 FF75 08 PUSH DWORD PTR SS:[EBP+8]
769AF1DB E8 74FFFFFF CALL ole32.CoCreateInstanceEx
769AF1E0 8B4D F8 MOV ECX,DWORD PTR SS:[EBP-8]
769AF1E3 890E MOV DWORD PTR DS:[ESI],ECX
769AF1E5 5E POP ESI
769AF1E6 C9 LEAVE
769AF1E7 C2 1400 RETN 14
76A08C36 B8 57000780 MOV EAX,80070057
76A08C3B E9 A565FAFF JMP ole32.769AF1E5
CoCreateInstance after the IAT hook
7FF904E0 8B0424 MOV EAX,DWORD PTR SS:[ESP]
7FF904E3 C3 RETN
7FF904EA > 8BFF MOV EDI,EDI ; Common.301A7650
7FF904EC 55 PUSH EBP
7FF904ED 8BEC MOV EBP,ESP
7FF904EF 83EC 0C SUB ESP,0C
7FF904F2 56 PUSH ESI
7FF904F3 57 PUSH EDI
7FF904F4 E8 E7FFFFFF CALL 7FF904E0
7FF904F9 8B7D 18 MOV EDI,DWORD PTR SS:[EBP+18]
7FF904FC 8BF0 MOV ESI,EAX
7FF904FE 81E6 00F0FFFF AND ESI,FFFFF000 ; ESI becomes 7FF90000
7FF90504 85FF TEST EDI,EDI
7FF90506 75 07 JNZ SHORT 7FF9050F ; check whether the ppv pointer is null
7FF90508 B8 57000780 MOV EAX,80070057
7FF9050D EB 66 JMP SHORT 7FF90575
7FF9050F 8365 F8 00 AND DWORD PTR SS:[EBP-8],0
7FF90513 837D 10 04 CMP DWORD PTR SS:[EBP+10],4 ; check the value of the class context dwClsContext
7FF90517 8B45 14 MOV EAX,DWORD PTR SS:[EBP+14]
7FF9051A 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX
7FF9051D 75 3D JNZ SHORT 7FF9055C ; riid is not null
7FF9051F 6A 10 PUSH 10
7FF90521 8D46 50 LEA EAX,DWORD PTR DS:[ESI+50]
7FF90524 50 PUSH EAX
7FF90525 FF75 08 PUSH DWORD PTR SS:[EBP+8]
7FF90528 E8 C7FEFFFF CALL 7FF903F4
7FF9052D 83C4 0C ADD ESP,0C
7FF90530 85C0 TEST EAX,EAX
7FF90532 74 15 JE SHORT 7FF90549
7FF90534 6A 10 PUSH 10
7FF90536 8D46 60 LEA EAX,DWORD PTR DS:[ESI+60]
7FF90539 50 PUSH EAX
7FF9053A FF75 08 PUSH DWORD PTR SS:[EBP+8]
7FF9053D E8 B2FEFFFF CALL 7FF903F4
7FF90542 83C4 0C ADD ESP,0C
7FF90545 85C0 TEST EAX,EAX
7FF90547 75 13 JNZ SHORT 7FF9055C
7FF90549 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
7FF9054C 50 PUSH EAX
7FF9054D 6A 01 PUSH 1
7FF9054F 6A 00 PUSH 0
7FF90551 6A 04 PUSH 4
7FF90553 FF75 0C PUSH DWORD PTR SS:[EBP+C]
7FF90556 8D46 40 LEA EAX,DWORD PTR DS:[ESI+40]
7FF90559 50 PUSH EAX
7FF9055A EB 11 JMP SHORT 7FF9056D
7FF9055C 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
7FF9055F 50 PUSH EAX
7FF90560 6A 01 PUSH 1
7FF90562 6A 00 PUSH 0
7FF90564 FF75 10 PUSH DWORD PTR SS:[EBP+10]
7FF90567 FF75 0C PUSH DWORD PTR SS:[EBP+C]
7FF9056A FF75 08 PUSH DWORD PTR SS:[EBP+8]
7FF9056D FF56 7C CALL DWORD PTR DS:[ESI+7C] ; this is CoCreateInstanceEx
7FF90570 8B4D F8 MOV ECX,DWORD PTR SS:[EBP-8]
7FF90573 890F MOV DWORD PTR DS:[EDI],ECX
7FF90575 5F POP EDI
7FF90576 5E POP ESI
7FF90577 C9 LEAVE
7FF90578 C2 1400 RETN 14
There are also function hooks on things like CreateProcessInternalW, LoadLibrary and CoLoadLibrary. From a quick look at the assembly, calls through these functions are logged, with the log file taken from the registry:
SHGetValueW(HKEY_LOCAL_MACHINE, L"SOFTWARE\\360Safe", L"WDLogFile",...
Judging from the function names, this is meant to prevent certain modules from loading. Taking the LoadLibrary hook as an example:
100025B0 push esi
100025B1 push edi
100025B2 mov edi, dword ptr [esp+8+pszPath]
100025B6 push edi ; Args
100025B7 push offset aMine_loadlibra ; "[Mine_LoadLibraryW] Load %s"
100025BC call WriteLog
100025C1 add esp, 8
100025C4 push edi ; pszPath
100025C5 call ds:PathFindFileNameW
100025CB mov esi, eax
100025CD push esi
100025CE call IsQzone
100025D3 add esp, 4
100025D6 test eax, eax
100025D8 jz short loc_100025F3
100025DA push offset aMine_loadlib_0 ; "[Mine_LoadLibraryW] Critical"
100025DF call WriteLog
100025E4 add esp, 4
100025E7 push edi
100025E8 call OldLoadLibrary
100025EE pop edi
100025EF pop esi
100025F0 retn 4
100025F3 call sub_10001590 ; this reads a configuration file
100025F8 test eax, eax
100025FA jz short loc_1000264B
bool __cdecl sub_10001590()
{
return !sub_10001430(L"Scan", 1) || !GetPrivateProfileIntW(L"Main", L"Scan", 1, &word_10017998);
}
The global variable here is a Unicode string (shown in the debugger with the UTF-16 null bytes between the characters): C:\Program Files\360\360Safe\360QGuard\Config.ini
There is another function that reads the configuration file from earlier:
C:\Documents and Settings\Administrator\Application Data\360QGuard\UserConfig.ini
Either way, the LoadXX functions here are tied to blocking module loads; if you restore these function hooks, “扣扣” stops having any effect. That may only be temporary though; 360 will surely fix it.
This is a mirrored post. Source: 北邮人论坛 / security / #30614, synced on 2010/10/31
Learning about 360扣扣保镖
ridiculous
2010/10/31 mirror sync, 7 replies
7 replies
OP, here's my debugging record from back then...
Honestly, I was pretty disappointed after analyzing it; I thought 360 had analyzed QQ thoroughly, but it turns out it's still brute force...
[StartHook] begin
[StartHook] QQDir=C:\Programs\Tencent\QQ\Bin
[ReadBadVerList]No bad version list found!
[StartHook]before hook CoLoadLibray
[StartHook] Before Hook LoadLibraryW
[StartHook] Before Hook CreateProcessInternalW
[StartHook] Before Hook ShellExecuteExW
[StartHook]before RemoveAD, nParamId=201010200
[Mine_LoadLibraryW] Load C:\WINNT\system32\Msctf.dll
[RemoveAD] Begin
[RemoveAD] Replace ID=201010200 On 5 Positions,index=14
[Mine_LoadLibraryW] Load C:\Programs\Tencent\QQ\Bin\AppUtil.dll
[ReplaceDllCodeSeq] Replace AppUtil.dll Success
[Mine_LoadLibraryW] Load C:\Programs\Tencent\QQ\Bin\ChatFrameApp.dll
[ReplaceDllCodeSeq] Replace ChatFrameApp.dll Success
[Mine_LoadLibraryW] Load C:\Programs\Tencent\QQ\Bin\MsgMgr.dll
[ReplaceDllCodeSeq] Replace MsgMgr.dll Success
[ReplaceDllCodeSeq] Replace ChatFrameApp.dll Success
[Mine_LoadLibraryW] Load C:\Programs\Tencent\QQ\Bin\AppMisc.dll
[ReplaceDllCodeSeq] Replace AppMisc.dll Success
[RemoveAD] End
[Mine_LoadLibraryW] Load OLE32
[Mine_LoadLibraryW] Load OLE32.DLL
[Mine_LoadLibraryW] Load netapi32.dll
[MyCoLoadLibraryW]C:\Programs\Tencent\QQ\Bin\IM.dll
[Mine_LoadLibraryW] Load comctl32.dll
[MyCoLoadLibraryW]C:\Programs\Tencent\QQ\Bin\MainFrame.dll
[MyCoLoadLibraryW]C:\Programs\Tencent\QQ\Bin\AppFramework.dll
[MyCoLoadLibraryW]C:\Programs\Common Files\Tencent\TXSSO\1.2.1.12\Bin\SSOPlatform.dll
[Mine_LoadLibraryW] Load C:\Programs\Tencent\QQ\Bin\PSAPI.DLL
[Mine_LoadLibraryW] Load C:\WINNT\system32\PSAPI.DLL
[MyCoLoadLibraryW]C:\Programs\Tencent\QQ\Bin\TaskTray.dll
[MyCoLoadLibraryW]C:\Programs\Tencent\QQ\Bin\SkinMgr.dll
[Mine_LoadLibraryW] Load C:\WINNT\system32\mswsock.dll
[Mine_LoadLibraryW] Load hnetcfg.dll
[Mine_LoadLibraryW] Load C:\WINNT\System32\wshtcpip.dll
[Mine_LoadLibraryW] Load C:\WINNT\System32\mswsock.dll
[Mine_LoadLibraryW] Load C:\WINNT\System32\winrnr.dll
[Mine_LoadLibraryW] Load C:\WINNT\System32\mswsock.dll
[Mine_LoadLibraryW] Load C:\Programs\Tencent\QQ\Bin\appcom.dll
[Mine_LoadLibraryW] Load C:\Programs\Tencent\QQ\Bin\Common.dll
[Mine_LoadLibraryW] Load C:\Programs\Tencent\QQ\Bin\KernelUtil.dll
[Mine_LoadLibraryW] Load C:\Programs\Tencent\QQ\Bin\Timwp.dll
[Mine_LoadLibraryW] Load MFC80CHS.DLL
[Mine_LoadLibraryW] Load C:\Programs\Tencent\QQ\Bin\CPHelper.dll
[Mine_LoadLibraryW] Load MFC80CHS.DLL
[Mine_LoadLibraryW] Load C:\WINNT\system32\DSOUND.dll
[Mine_LoadLibraryW] Load ieframe.dll
[Mine_LoadLibraryW] Load kernel32.dll
[Mine_LoadLibraryW] Load kernel32.dll
[Mine_LoadLibraryW] Load kernel32.dll
[Mine_LoadLibraryW] Load kernel32.dll
[Mine_LoadLibraryW] Load kernel32.dll
[Mine_LoadLibraryW] Load kernel32.dll
[Mine_LoadLibraryW] Load comctl32.dll
[Mine_LoadLibraryW] Load Kernel32.dll
[Mine_LoadLibraryW] Load C:\Programs\Tencent\QQ\Bin\iphlpapi.dll
[Mine_LoadLibraryW] Load C:\WINNT\system32\iphlpapi.dll
[Mine_LoadLibraryW] Load C:\Programs\Tencent\QQ\Bin\iphlpapi.dll
[Mine_LoadLibraryW] Load C:\WINNT\system32\iphlpapi.dll
[Mine_LoadLibraryW] Load C:\Programs\Tencent\QQ\Bin\iphlpapi.dll
[Mine_LoadLibraryW] Load C:\WINNT\system32\iphlpapi.dll
[Mine_LoadLibraryW] Load C:\Programs\Tencent\QQ\Bin\iphlpapi.dll
[Mine_LoadLibraryW] Load C:\WINNT\system32\iphlpapi.dll
[Mine_LoadLibraryW] Load .\BasicCtrlDll.dll
[Mine_LoadLibraryW] Load .\AFCtrl.dll
[Mine_LoadLibraryW] Load .\IM.dll
[Mine_LoadLibraryW] Load .\KernelMisc.dll
[Mine_LoadLibraryW] Load .\AppMisc.dll
[Mine_LoadLibraryW] Load .\AppCtrl.dll
[Mine_LoadLibraryW] Load .\MainFrame.dll
[Mine_LoadLibraryW] Load .\AppFramework.dll
[Mine_LoadLibraryW] Load .\ChatFrameApp.dll
[Mine_LoadLibraryW] Load .\ConfigCenter.dll
[Mine_LoadLibraryW] Load .\CustomFace.dll
[Mine_LoadLibraryW] Load .\LongCnn.dll
[Mine_LoadLibraryW] Load .\ContactInfoFrame.dll
[Mine_LoadLibraryW] Load .\MsgMgr.dll
[Mine_LoadLibraryW] Load .\SkinMgr.dll
[Mine_LoadLibraryW] Load .\QInterLive.dll
[Mine_LoadLibraryW] Load .\SystemMsg.dll
[Mine_LoadLibraryW] Load .\ContactInfoFrame.dll
[Mine_LoadLibraryW] Load .\QInterLive.dll
[Mine_LoadLibraryW] Load .\RICHED20.dll
[Mine_LoadLibraryW] Load .\GroupApp.dll
[Mine_LoadLibraryW] Load .\InformationBox.dll
[Mine_LoadLibraryW] Load .\Contacts.dll
[Mine_LoadLibraryW] Load .\WBlog.dll
[Mine_LoadLibraryW] Load C:\Programs\Tencent\QQ\Bin\msdmo.dll
[Mine_LoadLibraryW] Load C:\WINNT\system32\msdmo.dll
[Mine_LoadLibraryW] Load C:\Programs\Tencent\QQ\Bin\MPRAPI.dll
[Mine_LoadLibraryW] Load C:\WINNT\system32\MPRAPI.dll
[Mine_LoadLibraryW] Load comctl32.dll
[Mine_LoadLibraryW] Load C:\Programs\Tencent\QQ\Bin\Crypt32.dll
[Mine_LoadLibraryW] Load C:\WINNT\system32\Crypt32.dll
[Mine_LoadLibraryW] Load C:\Programs\Tencent\QQ\Bin\Advapi32.dll
[Mine_LoadLibraryW] Load C:\WINNT\system32\Advapi32.dll
[Mine_LoadLibraryW] Load C:\Programs\Tencent\QQ\Bin\digest.dll
[Mine_LoadLibraryW] Load C:\WINNT\system32\digest.dll
[Mine_LoadLibraryW] Load C:\Programs\Tencent\QQ\Plugin\Com.Tencent.PayCenter\Bin\PayCenter.dll
[Mine_LoadLibraryW] Load C:\Programs\Tencent\QQ\Plugin\Com.Tencent.QQVipMisc\Bin\QQVipMisc.dll
[Mine_LoadLibraryW] Block C:\Programs\Tencent\QQ\Plugin\Com.Tencent.QQVipMisc\Bin\QQVipMisc.dll
[Mine_LoadLibraryW] Load C:\Programs\Tencent\QQ\Plugin\Com.Tencent.NetBar\Bin\NetBar.dll
[Mine_LoadLibraryW] Block C:\Programs\Tencent\QQ\Plugin\Com.Tencent.NetBar\Bin\NetBar.dll
[Mine_LoadLibraryW] Load setupapi.dll
[Mine_LoadLibraryW] Load C:\Programs\Tencent\QQ\Plugin\Com.Tencent.VAS\Bin\VAS.dll
[Mine_LoadLibraryW] Block C:\Programs\Tencent\QQ\Plugin\Com.Tencent.VAS\Bin\VAS.dll
[Mine_LoadLibraryW] Load msdmo.dll
[Mine_LoadLibraryW] Load avicap32.dll
[Mine_LoadLibraryW] Load C:\Programs\Tencent\QQ\Bin\iphlpapi.dll
[Mine_LoadLibraryW] Load C:\WINNT\system32\iphlpapi.dll
[Mine_LoadLibraryW] Load C:\Programs\Tencent\QQ\Bin\iphlpapi.dll
[Mine_LoadLibraryW] Load C:\WINNT\system32\iphlpapi.dll
[Mine_LoadLibraryW] Load C:\Programs\Tencent\QQ\Plugin\Com.Tencent.Wireless\Bin\Wireless.dll
[Mine_LoadLibraryW] Block C:\Programs\Tencent\QQ\Plugin\Com.Tencent.Wireless\Bin\Wireless.dll
[Mine_LoadLibraryW] Load C:\Programs\Tencent\QQ\Plugin\Com.Tencent.PaiPaiGift\Bin\PaiPaiGift.dll
[Mine_LoadLibraryW] Block C:\Programs\Tencent\QQ\Plugin\Com.Tencent.PaiPaiGift\Bin\PaiPaiGift.dll
[Mine_LoadLibraryW] Load C:\Programs\Tencent\QQ\Plugin\Com.Tencent.QQShow\Bin\QQShow.dll
[Mine_LoadLibraryW] Block C:\Programs\Tencent\QQ\Plugin\Com.Tencent.QQShow\Bin\QQShow.dll
[Mine_LoadLibraryW] Load C:\Programs\Tencent\QQ\Plugin\Com.Tencent.Qzone\Bin\Qzone.dll
[Mine_LoadLibraryW] Critical
[Mine_LoadLibraryW] Load C:\Programs\Tencent\QQ\Plugin\Com.Tencent.Winks\Bin\Winks.dll
[Mine_LoadLibraryW] Load C:\Programs\Tencent\QQ\Plugin\Com.Tencent.CRM\Bin\CRM.dll
[Mine_LoadLibraryW] Block C:\Programs\Tencent\QQ\Plugin\Com.Tencent.CRM\Bin\CRM.dll
[Mine_LoadLibraryW] Load C:\Programs\Tencent\QQ\Plugin\Com.Tencent.AudioVideo\Bin\AudioVideo.dll
[Mine_LoadLibraryW] Load C:\Programs\Tencent\QQ\Plugin\Com.Tencent.Soso\Bin\Soso.dll
[Mine_LoadLibraryW] Block C:\Programs\Tencent\QQ\Plugin\Com.Tencent.Soso\Bin\Soso.dll
[Mine_LoadLibraryW] Load C:\Programs\Tencent\QQ\Plugin\Com.Tencent.Weather\Bin\Weather.dll
[Mine_LoadLibraryW] Load C:\Programs\Tencent\QQ\Plugin\Com.Tencent.InformationBox\Bin\InformationBox.dll
[Mine_LoadLibraryW] Load C:\Programs\Tencent\QQ\Plugin\Com.Tencent.Advertisement\Bin\Advertisement.dll
[Mine_LoadLibraryW] Block C:\Programs\Tencent\QQ\Plugin\Com.Tencent.Advertisement\Bin\Advertisement.dll
[Mine_LoadLibraryW] Load C:\Programs\Tencent\QQ\Plugin\Com.Tencent.Memo\Bin\Memo.dll
[Mine_LoadLibraryW] Load C:\Programs\Tencent\QQ\Plugin\Com.Tencent.QQVip\Bin\QQVip.dll
[Mine_LoadLibraryW] Block C:\Programs\Tencent\QQ\Plugin\Com.Tencent.QQVip\Bin\QQVip.dll
[Mine_LoadLibraryW] Load C:\Programs\Tencent\QQ\Plugin\Com.Tencent.MMOG\Bin\MMOG.dll
[Mine_LoadLibraryW] Block C:\Programs\Tencent\QQ\Plugin\Com.Tencent.MMOG\Bin\MMOG.dll
[Mine_LoadLibraryW] Load C:\Programs\Tencent\QQ\Plugin\Com.Tencent.QQGame\Bin\QQGame.dll
[Mine_LoadLibraryW] Block C:\Programs\Tencent\QQ\Plugin\Com.Tencent.QQGame\Bin\QQGame.dll
[Mine_LoadLibraryW] Load C:\Programs\Tencent\QQ\Plugin\Com.Tencent.QQMusic\Bin\QQMusic.dll
[Mine_LoadLibraryW] Block C:\Programs\Tencent\QQ\Plugin\Com.Tencent.QQMusic\Bin\QQMusic.dll
[Mine_LoadLibraryW] Load C:\Programs\Tencent\QQ\Plugin\Com.Tencent.Mail\Bin\Mail.dll
[Mine_LoadLibraryW] Load C:\Programs\Tencent\QQ\Plugin\Com.Tencent.QQRing\Bin\QQRing.dll
[Mine_LoadLibraryW] Critical
[Mine_LoadLibraryW] Load C:\Programs\Tencent\QQ\Plugin\Com.Tencent.PaiPai\Bin\PaiPai.dll
[Mine_LoadLibraryW] Block C:\Programs\Tencent\QQ\Plugin\Com.Tencent.PaiPai\Bin\PaiPai.dll
[Mine_LoadLibraryW] Load C:\Programs\Tencent\QQ\Plugin\Com.Tencent.SNSApp\Bin\SNSApp.dll
[Mine_LoadLibraryW] Load C:\Programs\Tencent\QQ\Plugin\Com.Tencent.QQLive\Bin\QQLive.dll
[Mine_LoadLibraryW] Block C:\Programs\Tencent\QQ\Plugin\Com.Tencent.QQLive\Bin\QQLive.dll
[Mine_LoadLibraryW] Load C:\Programs\Tencent\QQ\Plugin\Com.Tencent.WenWen\Bin\WenWen.dll
[Mine_LoadLibraryW] Block C:\Programs\Tencent\QQ\Plugin\Com.Tencent.WenWen\Bin\WenWen.dll
[Mine_LoadLibraryW] Load C:\Programs\Tencent\QQ\Plugin\Com.Tencent.QQPet\Bin\QQPet.dll
[Mine_LoadLibraryW] Block C:\Programs\Tencent\QQ\Plugin\Com.Tencent.QQPet\Bin\QQPet.dll
[Mine_LoadLibraryW] Load C:\Programs\Tencent\QQ\Plugin\Com.Tencent.Today\Bin\Today.dll
[Mine_LoadLibraryW] Block C:\Programs\Tencent\QQ\Plugin\Com.Tencent.Today\Bin\Today.dll
[Mine_LoadLibraryW] Load C:\Programs\Tencent\QQ\Plugin\Com.Tencent.qqwebsite\Bin\qqwebsite.dll
[Mine_LoadLibraryW] Block C:\Programs\Tencent\QQ\Plugin\Com.Tencent.qqwebsite\Bin\qqwebsite.dll
[Mine_LoadLibraryW] Load C:\Programs\Tencent\QQ\Plugin\Com.Tencent.romotehelp\Bin\romotehelp.dll
[Mine_LoadLibraryW] Load C:\Programs\Tencent\QQ\Plugin\Com.Tencent.bookmark\Bin\bookmark.dll
[Mine_LoadLibraryW] Block C:\Programs\Tencent\QQ\Plugin\Com.Tencent.bookmark\Bin\bookmark.dll
[Mine_LoadLibraryW] Load C:\Programs\Tencent\QQ\Plugin\Com.Tencent.FileTransfer\Bin\FileTransfer.dll
[Mine_LoadLibraryW] Load C:\Programs\Tencent\QQ\Bin\iphlpapi.dll
[Mine_LoadLibraryW] Load C:\WINNT\system32\iphlpapi.dll
[Mine_LoadLibraryW] Load C:\Programs\Tencent\QQ\Bin\iphlpapi.dll
[Mine_LoadLibraryW] Load C:\WINNT\system32\iphlpapi.dll
[Mine_LoadLibraryW] Load SXS.DLL
[Mine_LoadLibraryW] Load ole32.dll
[MyCoLoadLibraryW]C:\Programs\Tencent\QQ\Plugin\com.tencent.qqvipmisc\Bin\QQVipMisc.dll
[MyCoLoadLibrary]Block C:\Programs\Tencent\QQ\Plugin\com.tencent.qqvipmisc\Bin\QQVipMisc.dll
[MyCoLoadLibraryW]C:\Programs\Tencent\QQ\Plugin\com.tencent.vas\Bin\VAS.dll
[MyCoLoadLibrary]Block C:\Programs\Tencent\QQ\Plugin\com.tencent.vas\Bin\VAS.dll
[MyCoLoadLibraryW]C:\Programs\Tencent\QQ\Plugin\com.tencent.wenwen\Bin\WenWen.dll
[MyCoLoadLibrary]Block C:\Programs\Tencent\QQ\Plugin\com.tencent.wenwen\Bin\WenWen.dll
[Mine_LoadLibraryW] Load ole32.dll
[MyCoLoadLibraryW]C:\Programs\Tencent\QQ\Plugin\com.tencent.netbar\Bin\NetBar.dll
[MyCoLoadLibrary]Block C:\Programs\Tencent\QQ\Plugin\com.tencent.netbar\Bin\NetBar.dll
[MyCoLoadLibraryW]C:\Programs\Tencent\QQ\Plugin\com.tencent.paipai\Bin\PaiPai.dll
[MyCoLoadLibrary]Block C:\Programs\Tencent\QQ\Plugin\com.tencent.paipai\Bin\PaiPai.dll
[MyCoLoadLibraryW]C:\Programs\Tencent\QQ\Plugin\com.tencent.wireless\Bin\Wireless.dll
[MyCoLoadLibrary]Block C:\Programs\Tencent\QQ\Plugin\com.tencent.wireless\Bin\Wireless.dll
[MyCoLoadLibraryW]C:\Programs\Tencent\QQ\Plugin\com.tencent.crm\Bin\CRM.dll
[MyCoLoadLibrary]Block C:\Programs\Tencent\QQ\Plugin\com.tencent.crm\Bin\CRM.dll
[MyCoLoadLibraryW]C:\Programs\Tencent\QQ\Plugin\com.tencent.paipaigift\Bin\PaiPaiGift.dll
[MyCoLoadLibrary]Block C:\Programs\Tencent\QQ\Plugin\com.tencent.paipaigift\Bin\PaiPaiGift.dll
[MyCoLoadLibraryW]C:\Programs\Tencent\QQ\Plugin\com.tencent.qqshow\Bin\QQShow.dll
[MyCoLoadLibrary]Block C:\Programs\Tencent\QQ\Plugin\com.tencent.qqshow\Bin\QQShow.dll
[MyCoLoadLibraryW]C:\Programs\Tencent\QQ\Plugin\com.tencent.soso\Bin\Soso.dll
[MyCoLoadLibrary]Block C:\Programs\Tencent\QQ\Plugin\com.tencent.soso\Bin\Soso.dll
[Mine_LoadLibraryW] Load C:\Programs\Tencent\QQ\Bin\iphlpapi.dll
[Mine_LoadLibraryW] Load C:\WINNT\system32\iphlpapi.dll
[Mine_LoadLibraryW] Load C:\Programs\Tencent\QQ\Bin\iphlpapi.dll
[Mine_LoadLibraryW] Load C:\WINNT\system32\iphlpapi.dll
[MyCoLoadLibraryW]C:\Programs\Tencent\QQ\Plugin\com.tencent.mmog\Bin\MMOG.dll
[MyCoLoadLibrary]Block C:\Programs\Tencent\QQ\Plugin\com.tencent.mmog\Bin\MMOG.dll
[MyCoLoadLibraryW]C:\Programs\Tencent\QQ\Plugin\com.tencent.qqgame\Bin\QQGame.dll
[MyCoLoadLibrary]Block C:\Programs\Tencent\QQ\Plugin\com.tencent.qqgame\Bin\QQGame.dll
[MyCoLoadLibraryW]C:\Programs\Tencent\QQ\Plugin\com.tencent.qqlive\Bin\QQLive.dll
[MyCoLoadLibrary]Block C:\Programs\Tencent\QQ\Plugin\com.tencent.qqlive\Bin\QQLive.dll
[MyCoLoadLibraryW]C:\Programs\Tencent\QQ\Plugin\com.tencent.qqmusic\Bin\QQMusic.dll
[MyCoLoadLibrary]Block C:\Programs\Tencent\QQ\Plugin\com.tencent.qqmusic\Bin\QQMusic.dll
[MyCoLoadLibraryW]C:\Programs\Tencent\QQ\Plugin\com.tencent.qqpet\Bin\QQPet.dll
[MyCoLoadLibrary]Block C:\Programs\Tencent\QQ\Plugin\com.tencent.qqpet\Bin\QQPet.dll
[Mine_LoadLibraryW] Load RTUTILS.DLL
[Mine_LoadLibraryW] Load RTUTILS.DLL
[Mine_LoadLibraryW] Load RASMAN.DLL
[Mine_LoadLibraryW] Load netapi32.dll
[MyCoLoadLibraryW]C:\Programs\Tencent\QQ\Plugin\com.tencent.qqvip\Bin\QQVip.dll
[MyCoLoadLibrary]Block C:\Programs\Tencent\QQ\Plugin\com.tencent.qqvip\Bin\QQVip.dll
[Mine_LoadLibraryW] Load C:\Programs\Tencent\QQ\Bin\kernel32.dll
[Mine_LoadLibraryW] Load C:\WINNT\system32\kernel32.dll
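As an added example (not 360's code and not any poster's), this ties the OP's reading of UserConfig.ini to the trace above: it parses the [component] section and the [Mine_LoadLibraryW]/[MyCoLoadLibrary] Load/Block lines, then reports which DLLs were blocked as configured, which were configured but loaded unhindered, and which were blocked without a matching entry. It assumes, as the OP reads it, that a 1 means the filter for that DLL is switched on; the sample config and log lines are constructed from fragments in this thread.

```python
import re
from configparser import ConfigParser

# Added example, not 360's code. Assumes (as the OP reads it) that a 1 under
# [component] means the filter for that DLL is switched on.
# Constructed sample: a fragment of the [component] section quoted in the post.
USER_CONFIG = """[component]
NetBar.dll=0
Advertisement.dll=1
Today.dll=1
Wireless.dll=1
"""

# Constructed sample lines in the format of the debug trace posted in the thread.
HOOK_LOG = r"""[Mine_LoadLibraryW] Load C:\Programs\Tencent\QQ\Plugin\Com.Tencent.NetBar\Bin\NetBar.dll
[Mine_LoadLibraryW] Block C:\Programs\Tencent\QQ\Plugin\Com.Tencent.NetBar\Bin\NetBar.dll
[Mine_LoadLibraryW] Load C:\Programs\Tencent\QQ\Plugin\Com.Tencent.Qzone\Bin\Qzone.dll
[Mine_LoadLibraryW] Critical
[Mine_LoadLibraryW] Load C:\Programs\Tencent\QQ\Plugin\Com.Tencent.Advertisement\Bin\Advertisement.dll
[Mine_LoadLibraryW] Block C:\Programs\Tencent\QQ\Plugin\Com.Tencent.Advertisement\Bin\Advertisement.dll
[Mine_LoadLibraryW] Load C:\Programs\Tencent\QQ\Plugin\Com.Tencent.Today\Bin\Today.dll
[MyCoLoadLibraryW]C:\Programs\Tencent\QQ\Plugin\com.tencent.wireless\Bin\Wireless.dll
[MyCoLoadLibrary]Block C:\Programs\Tencent\QQ\Plugin\com.tencent.wireless\Bin\Wireless.dll
"""

# Both hook names seen in the trace; the CoLoadLibrary load line carries no verb.
LOG_RE = re.compile(r"^\[(?:Mine_LoadLibraryW|MyCoLoadLibraryW?)\]\s*(?:(Load|Block)\s+)?(\S.*)$")


def parse_components(ini_text):
    """Return {dll name (lower-cased by ConfigParser): 0 or 1} from [component]."""
    cp = ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    return {dll: int(flag) for dll, flag in cp["component"].items()}


def parse_hook_log(log_text):
    """Collect the DLL base names the hooks saw loading and the ones they blocked."""
    events = {"loaded": set(), "blocked": set(), "critical": 0}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        verb, path = m.groups()
        if path == "Critical":  # the IsQzone branch: logged, then passed to the real API
            events["critical"] += 1
            continue
        dll = path.rsplit("\\", 1)[-1].lower()
        events["blocked" if verb == "Block" else "loaded"].add(dll)
    return events


def cross_check(config, events):
    """Compare what the config asks for with what the hooks actually did."""
    want = {dll for dll, flag in config.items() if flag == 1}
    loaded, blocked = events["loaded"], events["blocked"]
    return {
        "blocked_ok": sorted(blocked & want),                # config 1, blocked
        "missing_block": sorted((want & loaded) - blocked),  # config 1, loaded unhindered
        "unexpected_block": sorted(blocked - want),          # blocked without a config 1
    }
```

Run it on a real UserConfig.ini and a saved DbgView capture to see whether the filter state on disk matches what the hooks did for that QQ session.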
It's DbgView. Patch QGuard.dll at this spot:
04403DB5 |> 391D 34314104 cmp dword ptr [4413134], ebx
04403DBB |. 0F84 B8010000 je 04403F79
Change [4413134] in the initialized data section to 1 and it prints the debug info; I remember there's another spot further down that chooses between printing to a file or OutputDebugString, patch that too and you're done...
【 Quoted from ridiculous: 】
: Where in the DLL's output does the data above come from? I thought it was DbgView?
I didn't look closely at the time
00000003 0.00043916 [2696] [23:32:17] [StartHook]before hook CoLoadLibray
00000004 0.00067467 [2696] [23:32:17] [StartHook] Before Hook LoadLibraryW
00000005 0.00075121 [2696] [23:32:17] [StartHook] Before Hook CreateProcessInternalW
00000006 0.00078809 [2696] [23:32:17] [StartHook] Before Hook ShellExecuteExW
But judging from the debug info it prints itself, it doesn't seem to hook CoCreateInstance. OP, are you sure that hook is done by 保镖?
QQ's so-called plugins are COM-based, so CoLoadLibrary has to be handled; I didn't read the code inside, but presumably it either returns failure or returns a fake object, nothing very elaborate....
【 Quoted from ridiculous: 】
: And a timid question: what is that CoCreateInstance for?
It's true that the data there doesn't belong to any DLL module, but once you uninstall “扣扣” it is definitely gone, so it really is related to it, at least to one of “扣扣”'s DLLs. When I looked at the code it didn't seem to filter anything; it looked more like a patch for a vulnerability. As for where the file scanning 360 talks about shows up, I haven't had time to look today; if you've looked, give me a hint...
See whether this thread helps you...
http://bbs.byr.edu.cn/wForum/disparticle.php?boardName=Security&ID=30611&pos=5
This afternoon I went through QGuard while watching a movie, sorry I didn't look at the details. That file scan should refer to QQ's security scan; look at what QGuard.dll actually does when scan=0 in the config file and you should know...
【 Quoted from ridiculous: 】
: It's true that the data there doesn't belong to any DLL module, but once you uninstall “扣扣” it is definitely gone, so it really is related to it, at least to one of “扣扣”'s DLLs. When I looked at the code it didn't seem to filter anything; it looked more like a patch for a vulnerability. As for where the file scanning 360 talks about shows up, I haven't had time to look today; if you've looked, give me a hint...