Bundling and installing browsers: Technical Analysis of dog search input methods

I don't know when the internet will become a sogou browser. After uninstalling the SDK, it will be installed in a few days. Sogou is also a decent name, and software will be bundled with such bad means! What is the difference between this and virus ?!

It took time to reproduce sogou's promotion methods.Debug information output switchIf a registry value is added, the debugging information will be displayed if the key value is available. When debugview is enabled, You can monitor what small actions sogou is doing:

Windows Registry Editor Version 5.00[HKEY_CURRENT_USER\Software\SogouInput]"lotusdebug"=dword:00000001

 

& Amp; lt; IMG src = "http://image.3001.net/images/20141030/14146512775743.jpg! Small "Title =" 001.jpg" style = "float: none"/& amp; gt; & amp; lt;/P & amp; amp; gt;

If 360 is not installed on the computer, go to the server to download and run a promotion program. This address is a silent promotion package on the sogou Server:

http://download.ie.sogou.com/se/semini/SEMini_3.0.0.571_7805.exe

If the computer has 360, the cloud control code of the browser used to promote the sogou input method is in the memory. The process is like this:

Step 1, Silent download. Sogoucloud.exe communicates with the cloud and downloads the sogou browser installation package based on cloud commands. The cloud control data domain name request contains the following packet capture content:

& Amp; lt; IMG src = "http://image.3001.net/images/20141030/14146512784585.jpg! Small "Title =" 002.jpg" style = "float: none"/& amp; gt; & amp; lt;/P & amp; amp; gt;

Step 2,Decrypt the code from the request contentThe code function downloads the installation package from the official sogou website, creates a random directory, and puts the installation package in. These are the directories of some common download tools, for example, you can put the sogou browser installation package in the download directory of 360, Baidu, or thunder, whether or not these software is installed on your computer:

& Amp; lt; IMG src = "http://image.3001.net/images/20141030/14146513956993.jpg! Small "Title =" 003.jpg"/& amp; gt; & amp; lt;/P & amp; gt;

The installation package of sogou browser will also be placed in the following fixed places, all of which are directories of sogou input method, saving you the need to download the package next time. You can search for files like sgim_sehelper.bin in the red-winning path, which are the installation packages of sogou Browser:

& Amp; lt; IMG src = "http://image.3001.net/images/20141030/14146515736871.jpg! Small "Title =" 04.jpg"/& amp; gt; & amp; lt;/P & amp; gt;

Step 3Simulate user clicks to install sogou Browser. Sogou in explorer. IME will download the remote control shellcode and select the time to promote the browser. The browser automatically simulates and clicks the downloaded browser by sending messages through postmessagew. The installation package of this browser also hides the installation interface through inter-process communication, so it is inexplicably installed. If you keep staring at it, you will only see a folder suddenly opened on the computer, and it will be turned off, and then there will be an additional sogou browser.

& Amp; lt; IMG src = "http://image.3001.net/images/20141030/14146515835369.jpg! Small "Title =" 05.jpg"/& amp; gt; & amp; lt;/P & amp; gt;

Postmessagew analog clicks are the most common plug-ins I used to write, but I used to operate games and sogou for rogue promotion.

Reposted by: freebuf. com

 

Bundling and installing browsers: Technical Analysis of dog search input methods