Hacking Team monitoring code analysis
The Hacking Team leak contained a large amount of surveillance code. One example is Soldier, a Windows spyware program used to illegally intercept users' online activity and local data. This post analyzes that project.
Project Introduction
The project structure is as follows:
It contains two parts: Updater (the upgrade component) and Soldier. This post looks at Soldier.
Its directory layout is as follows:
Main.cpp
The program entry point checks whether the program is running inside a virtual machine, checks whether security software is present, and then initializes the program. It starts background threads for network operations and for the various monitoring tasks.
Proto.cpp
Manages the reporting of collected data: it provides interfaces for encrypting monitoring data, reporting a single record, and reporting all collected data.
It also receives and executes cloud control commands, such as configuration file updates and collection of local directory listings.
Conf.cpp
Loads the configuration file and decides, based on its contents, which functional modules are enabled.
Mods
The subdirectories under Mods correspond to the individual monitoring modules, each implementing its own collection logic. The configuration file controls which modules are started.
Social, Cloud, Photo
Steal user information from Facebook, Gmail, Twitter, Yahoo and other sites according to the configuration, including messages, contacts, Facebook albums and Google Docs files.
The theft works by reading the browser's local cookie store, locating the cookies for the target site's domain, and using those cookies to request the user's information from the site.
Position
Obtains Wi-Fi network information.
Clipboard
Obtains the contents of the clipboard and reports the title and process name of the current foreground window.
Password
Tries to obtain and decrypt the passwords saved by IE, Chrome and Firefox.
Screenshot
Tries to capture the contents of the current window.
Camera
Tries to capture video from the camera.
Url
Tries to obtain the browsing history of Tor Browser and Firefox.
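The Social, Password and Url modules above all read browser cookie, saved-password and history stores directly from disk. That gives defenders a concrete signal: the only process that should normally open those files is the browser itself. The following Python is an added example (not code from the leak or from the original post) of a detection heuristic over file-access events. The log format and the process name agent.exe are constructed for the example; the store file names are the real ones used by Chrome and Firefox.

```python
import re
from typing import Optional

# Lower-cased file names of browser stores, mapped to the process images that
# legitimately open them. The file names are the real Chrome/Firefox ones; the
# allow-list is deliberately minimal and would be tuned per environment
# (Tor Browser also runs as firefox.exe).
STORE_OWNERS = {
    "cookies":        {"chrome.exe"},   # Chromium cookie database
    "login data":     {"chrome.exe"},   # Chromium saved passwords
    "cookies.sqlite": {"firefox.exe"},  # Firefox / Tor Browser cookies
    "logins.json":    {"firefox.exe"},  # Firefox saved logins
    "places.sqlite":  {"firefox.exe"},  # Firefox / Tor Browser history
}

# Constructed file-access log format (an assumption, not a real product format):
# <timestamp> pid=<n> image=<full path> op=<operation> path=<full path>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) image=(?P<image>.+?) op=(?P<op>\w+) path=(?P<path>.+)$"
)


def basename(path: str) -> str:
    """Last component of a Windows or POSIX path, lower-cased."""
    return re.split(r"[\\/]", path)[-1].lower()


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a dict, or return None for unparseable input."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_suspicious(event: dict) -> bool:
    """True when the accessed file is a known store and the image is not its owner."""
    owners = STORE_OWNERS.get(basename(event["path"]))
    if owners is None:
        return False          # not a browser credential/cookie/history store
    return basename(event["image"]) not in owners


def detect(lines) -> list:
    """Return the parsed events that trip the heuristic."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev and is_suspicious(ev):
            alerts.append(ev)
    return alerts


# Constructed sample log: chrome.exe and firefox.exe reading their own stores,
# explorer.exe reading an unrelated file, and a non-browser agent.exe reading
# the Chrome cookie and password stores and the Firefox history store.
SAMPLE_LOG = r"""
2015-07-08T10:01:02 pid=1204 image=C:\Program Files\Google\Chrome\Application\chrome.exe op=ReadFile path=C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Cookies
2015-07-08T10:01:09 pid=3316 image=C:\Users\bob\AppData\Roaming\agent.exe op=ReadFile path=C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Cookies
2015-07-08T10:01:10 pid=3316 image=C:\Users\bob\AppData\Roaming\agent.exe op=ReadFile path=C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data
2015-07-08T10:01:15 pid=2210 image=C:\Program Files\Mozilla Firefox\firefox.exe op=ReadFile path=C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\abc123.default\cookies.sqlite
2015-07-08T10:01:21 pid=3316 image=C:\Users\bob\AppData\Roaming\agent.exe op=ReadFile path=C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\abc123.default\places.sqlite
2015-07-08T10:01:30 pid=880 image=C:\Windows\explorer.exe op=ReadFile path=C:\Users\bob\Documents\notes.txt
"""


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(f"ALERT pid={a['pid']} {basename(a['image'])} read {basename(a['path'])}")
```

Run against the sample log this reports three alerts, all for agent.exe. In a real deployment the event source would be an EDR or Sysmon-style file-access feed, and the allow-list would also need entries for legitimate tools such as backup agents; the point is that the heuristic keys on the file, not on the spyware's name, so it does not depend on knowing the binary in advance.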
Overall framework
The figure below shows the logical framework of the entire monitoring tool; each thread is separated by a dotted line:
This is a fully functional surveillance tool that can monitor both a user's online browsing and local activity, leading to leakage of private and important data; its flexible cloud control mechanism and self-update capability make it an even greater potential threat.