Extract network speed monitoring from 360 security guard

Recently, I want to use a software for network speed monitoring to check my computer and which process occupies a large amount of network resources. I found that network monitoring in 360 is good. I can see the bandwidth used by each process, but I don't want to install the entire 360 security guard, so I decided to extract some of the network monitoring functions and use them separately.

First, open the security guard's network monitoring function and use procexp.exe (thisProgramIf the startup fails, the command parameter may not be input. Of course, the commandlinefound in procexp.exeis empty, so 360apploader.exe clears it, and sets the value of Debugger under the registration item of image file operation in the Windows registry to windbg. Run windbgwith 360apploader.exe, and obtain the command parameter as follows:

 "C: \ Program Files \ 360 \ 360safe \ 360apploader.exe"/module = NetMon \ 360netfos. dll/compatible = 1/create = createpage/init = initpage/uninit = uninitpage/canrun = issupported/border = 5/Title = 360 traffic monitoring/wndclass = q360netfosclass/disableskin = 1

Copy 360apploader.exe and the corresponding NetMon directory according to this command. Run 360apploader.exe directly using windbg. of course, you need to input the arguments above. During the runtime, copy all modules that cannot be loaded from the original installation directory, and then run them separately.

These are the basic files, where config is the interface configuration file, you can not.

 

Then, run 360apploader.exe/module = NetMon \ 360netfos directly in the file generated by Beibei. dll/compatible = 1/create = createpage/init = initpage/uninit = uninitpage/canrun = issupported/border = 5/Title = 360 traffic monitoring/wndclass = q360netfosclass/disableskin = 1 you can use the network monitoring function.

You can also create a shortcut for 360apploader.exe and enter the preceding parameters in the shortcut target, for example, incomplete display)

 

Of course, there are still some problems. When the program starts, it will prompt that some files under the deepsacn directory cannot be found. These files are useless for network monitoring and are used for scanning. If you don't want the prompt to pop up, you can copy the deepscan directory and several files under it.

 

In fact, we can estimate that we can use depend.exe To See That 360netfos. dll will export functions.

Createpage, initpage, uninitpage, issupported, estimated all processedCodeBoth are in 360netfos.dll, and 360apploader.exe only provides a display container, just like the extended page in the exporer attribute of windows. All the items to be processed are displayed in your own Explorer plug-in DLL.

 

 

Upload File to see what the original processing logic is. (This file is not large and has not been shelled ). Today, I am not going to disassemble my work. Get it done later. If you want to disassemble the analysis logic, Ida + windbg (or OD) is recommended ).

 

The files I extracted below. All files are 360 original files, all of which have 360 company digital signatures, and I have not modified them.

Netmon.rar

Directly run the"360apploader.exe-Shortcut".
Optional bytes must be set to 360apploader.exe. You can refer to the readme.txt file.