Turning the Alexa Toolbar into a spyware Trojan

Source: Internet
Author: User
Alexa (http://www.alexa.com) is a website that publishes global website rankings. It collects traffic data by installing the Alexa Toolbar on client machines and ranks websites based on that data, much like TV audience ratings. The Alexa Toolbar is an Internet Explorer plug-in similar to the Google Toolbar; it can be downloaded from http://download.alexa.com/index.cgi.

I. How Alexa works

The Alexa Toolbar is an IE plug-in built on the Browser Helper Object (BHO) and Toolbar Band interfaces. It exists on the system as a DLL registered as a COM component, and IE loads it into its own process at run time. Because all of its network traffic is issued from the IE process, a personal firewall that filters by process generally cannot block it, which makes it a convenient host for a Trojan. Compared with collecting passwords with a local sniffer it has a further advantage: it sees form data inside the browser, before any transport encryption is applied, so whether the site uses HTTP or HTTPS, and whether or not the channel is encrypted, anything submitted through an IE page form can be collected. For details, refer to the Alexa ranking fraud solutions.

After the Alexa Toolbar is installed, two DLLs appear in the system directory: AlxTB1.dll and AlxRes.dll (in some installations AlxTB2.dll takes the place of AlxTB1.dll, because the toolbar updates itself online). Almost all of the toolbar's native code lives in AlxTB1.dll. This file is registered as several COM components: it implements the BHO and Toolbar Band interfaces and wraps IE's WebBrowser control as a COM object for AlxRes.dll to call.

AlxRes.dll contains only a small amount of native code. Most of it is HTML and JavaScript, stored as resources inside the DLL; you can view them in IE with a URL such as res://AlxRes.dll/CHTML/about.html. You may wonder why a piece of software, rather than a website, is written in JavaScript. This is the weak point of the Alexa Toolbar: its main user interface is implemented in HTML and JavaScript, and that script calls the COM interfaces implemented by AlxTB1.dll to do all of the real work. Besides being inefficient and leaking a large amount of resources, this is a truly idiotic development model, but it makes the toolbar extremely easy to modify: with nothing more than a PE resource editor, and no cracking skills at all, we can rewrite the toolbar's code.

II. Crack the Alexa toolbar

Of course, Alexa is not really that naive. It is not so careless as to let anyone rewrite its code with a resource editor. To prevent the resources in AlxRes.dll from being modified at will, it uses a file checksum: if the file is found to have been modified, the toolbar refuses to load it. We must defeat this protection before we can change the code.

AlxTB1.dll exports a function named ChecksumResources, which computes the checksum of the resource file. Disassemble AlxRes.dll with c32asm, open the string reference list, find the string "ChecksumResources", and jump to the code that references it at 100017C0. A few lines further down there is a conditional jump (JNZ) at 100017F6 that branches on the result of the check. The brute-force fix is to overwrite the JNZ with two NOP instructions. In plain terms: in AlxRes.dll, the two bytes "75 11" at file offset 0x17F6 are changed to "90 90". Any hex editor, such as WinHex, can make the change. Note that the file offset 0x17F6 corresponds to the virtual address 100017F6 only if the section's raw file offset equals its RVA; check the section table of your copy of the file, and confirm that the bytes at that offset really are 75 11, before patching. The code around the GetProcAddress call, as shown by c32asm (the listing ends before the JNZ at 100017F6):

100017C0  68 9C700010     PUSH 1000709C            ; "ChecksumResources" (jumped to from 100017A4, 100017B1)
100017C5  57              PUSH EDI                 ; module handle of AlxTB1.dll
100017C6  FF15 1C500010   CALL [1000501C]          ; KERNEL32.GetProcAddress
100017CC  85C0            TEST EAX, EAX
100017CE  74 0E           JE SHORT 100017DE        ; export not found: skip the check
100017D0  8D4D DC         LEA ECX, [EBP-24]
100017D3  51              PUSH ECX
100017D4  FF35 44740010   PUSH DWORD PTR [10007444]
100017DA  FFD0            CALL EAX                 ; ChecksumResources(...)
100017DC  59              POP ECX
100017DD  59              POP ECX
100017DE  57              PUSH EDI                 ; jumped to from 100017CE
100017DF  FF15 18500010   CALL [10005018]          ; KERNEL32.FreeLibrary
100017E5  8D45 B8         LEA EAX, [EBP-48]
100017E8  50              PUSH EAX
100017E9  8D45 DC         LEA EAX, [EBP-24]
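The following Python script is added here as a worked example; it is not part of the original article and not code from the Alexa Toolbar. It applies the patch described above in a checked way: it parses the PE section table to translate the virtual address 0x100017F6 shown by the disassembler into a file offset instead of assuming the two are equal, verifies that the bytes at that offset are 75 11 before writing, and refuses to patch anything else. Since AlxRes.dll is not included here, build_fake_pe() constructs a minimal PE32 image in memory (with its .text section deliberately mapped at a raw file offset different from its RVA) so the script can be run offline; all function names, the image layout and the default address are assumptions of this example.

```python
import struct
import sys


def parse_sections(data: bytes):
    """Return (image_base, sections) from a PE file image.

    sections is a list of (name, virtual_address, virtual_size,
    pointer_to_raw_data, size_of_raw_data) tuples from the section table.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32: ImageBase is a DWORD at offset 28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:      # PE32+: ImageBase is a QWORD at offset 24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    sections = []
    table = opt + size_of_opt
    for i in range(num_sections):
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, table + i * 40)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, rptr, rsize))
    return image_base, sections


def va_to_file_offset(data: bytes, va: int) -> int:
    """Translate a virtual address (as shown by the disassembler) to a file offset."""
    image_base, sections = parse_sections(data)
    rva = va - image_base
    for _name, sva, vsize, rptr, rsize in sections:
        if sva <= rva < sva + max(vsize, rsize):
            return rptr + (rva - sva)
    raise ValueError("VA %#x is not backed by any section" % va)


def patch_bytes(data: bytes, offset: int, expected: bytes, replacement: bytes) -> bytes:
    """Replace expected with replacement at offset, refusing to touch anything else."""
    if len(expected) != len(replacement):
        raise ValueError("patch must not change the file length")
    found = data[offset:offset + len(expected)]
    if found != expected:
        raise ValueError("expected %s at %#x, found %s" % (expected.hex(), offset, found.hex()))
    return data[:offset] + replacement + data[offset + len(replacement):]


def nop_out_jnz(data: bytes, va: int = 0x100017F6):
    """NOP out the 'JNZ SHORT' (75 11) at va; returns (patched_image, file_offset)."""
    offset = va_to_file_offset(data, va)
    return patch_bytes(data, offset, b"\x75\x11", b"\x90\x90"), offset


def build_fake_pe() -> bytes:
    """Constructed stand-in for AlxRes.dll (not the real file): a minimal PE32 with one
    .text section at RVA 0x1000 backed by file offset 0x400, image base 0x10000000,
    and the bytes 75 11 placed at RVA 0x17F6 (i.e. file offset 0xBF6, not 0x17F6)."""
    image_base, text_rva, text_raw, text_size = 0x10000000, 0x1000, 0x400, 0x1000
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)   # i386, 1 section, DLL
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)
    sec = struct.pack("<8sIIIIIIHHI", b".text", text_size, text_rva, text_size, text_raw,
                      0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + bytes(opt) + sec).ljust(text_raw, b"\0")
    text = bytearray(b"\xCC" * text_size)             # INT3 filler
    text[0x7F6:0x7F8] = b"\x75\x11"                   # the JNZ we want to remove
    return bytes(headers + text)


if __name__ == "__main__":
    # Usage: python patch_alxres.py AlxRes.dll AlxRes.patched.dll
    # With no arguments the constructed fake image is patched instead.
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f:
            image = f.read()
    else:
        image = build_fake_pe()
    patched, off = nop_out_jnz(image)
    print("patched 75 11 -> 90 90 at file offset %#x" % off)
    if len(sys.argv) == 3:
        with open(sys.argv[2], "wb") as f:
            f.write(patched)
```

Run it against a real copy of AlxRes.dll and it will either patch exactly the two expected bytes or stop with a message saying what it found instead; on the constructed image the patch lands at 0xBF6, which is why blindly writing to 0x17F6 would corrupt a file whose .text section is not mapped 1:1.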

