Remove the taskbar icon

Source: Internet
Author: User

The software I am dealing with this time is a fairly useful proxy program (I am not sure whether I should hide its name in this article). Its algorithm has been analysed many times already, so I will not repeat that. What I want to discuss is a practical application: suppose you want to use someone else's machine to access the Internet and do not want it to be easily discovered (as if everyone has such an idea?). After the software starts, it loads an icon into the taskbar. That conflicts with the goal, and that is what I want to solve.

First, the basic idea:

To add an icon to or delete an icon from the system tray, a program must call shell32.Shell_NotifyIconA. That is, when the software starts it calls this function to add its icon to the tray, and when the software exits it calls the same function to delete the icon.

Looking the function up in a Win32 API reference gives its usage and the values it takes (VB6 declarations):

Const NIM_ADD = &H0      ' message code that adds an icon to the tray
Const NIM_MODIFY = &H1   ' message code that changes an existing tray icon
Const NIM_DELETE = &H2   ' message code that deletes the icon from the tray

Const NIF_MESSAGE = &H1  ' uFlags bits: which of uCallbackMessage, hIcon, szTip are valid
Const NIF_ICON = &H2
Const NIF_TIP = &H4

' Structure passed as lpData (VB6 definition; the Declare below needs it)
Type NOTIFYICONDATA
    cbSize As Long
    hwnd As Long
    uID As Long
    uFlags As Long
    uCallbackMessage As Long
    hIcon As Long
    szTip As String * 64
End Type

Declare Function Shell_NotifyIcon Lib "shell32.dll" Alias "Shell_NotifyIconA" (ByVal dwMessage As Long, lpData As NOTIFYICONDATA) As Long

Note the values of the dwMessage constants above; they are needed below.

Open the software in W32Dasm and look up shell32.Shell_NotifyIconA in the imported functions list to see how it is called. Double-clicking the entry a few times jumps through its references and shows that the software calls it from three places. Let's work out what each of the three does:

First, when the software starts it adds an icon to the system taskbar. Then it has to animate the icon (anyone who has written such a program knows that the easy way to do the animation is to switch the icon back and forth). Finally, it deletes the taskbar icon when you exit the software. Those are probably the three places.

That is only a preliminary static analysis; now for dynamic tracing:

To see how the software calls the function we use TRW2000 or SoftICE. Set a breakpoint with bpx Shell_NotifyIconA, and when it fires use F12 to return to the caller and see where the software calls the function and which parameters it uses.

The first call site, reached at startup:

* Possible reference to string resource id = 00114: "CCProxy"
|
: 00408770 6a72 push 00000072
: 00408772 51 push ECx
: 00408773 c681_f0000000005 mov byte PTR [esp + 000024f4], 05
: 0040877b e8c0890100 call 00421140
: 00408780 83c408 add ESP, 00000008
: 00408783 50 push eax
: 00408784 8d4c2414 Lea ECx, dword ptr [esp + 14]
: 00408788 c68213f024000006 mov byte PTR [esp + 11624f0], 06
: 00408790 e818910300 call 004418ad
: 00408795 8d4c2414 Lea ECx, dword ptr [esp + 14]
: 00408799 c68417ec24000005 mov byte PTR [esp + 11624ec], 05
: 004087a1 e8ce8f0300 call 00441774
: 004087a6 8b7c2410 mov EDI, dword ptr [esp + 10]
: 004087aa 83c9ff or ECX, ffffffff
: 004087ad 33c0 XOR eax, eax
: 004087af 8d95f8090000 Lea edX, dword ptr [EBP + 000009f8]
: 004087b5 F2 repnz
: 004087b6 AE scasb
: 004087b7 f7d1 not ECx
: 004087b9 2bf9 sub EDI, ECx
: 004087bb 53 push EBX
: 004087bc 8bc1 mov eax, ECx
: 004087be 8bf7 mov ESI, EDI
: 004087c0 8bfa mov EDI, EDX
: 004087c2 6a00 push 00000000 // note the 0 pushed here: dwMessage = NIM_ADD
: 004087c4 c1e902 SHR ECx, 02 // changing this push alone does not help, because even if it is changed,
: 004087c7 F3 repz // the icon-switching code below creates the icon again.
: 004087c8 A5 movsd
: 004087c9 8bc8 mov ECx, eax
: 004087cb 83e103 and ECx, 00000003
: 004087ce F3 repz
: 004087cf A4 movsb

* Reference to: shell32.Shell_NotifyIconA, ord: 0079 H // call the function
|
: 004087d0 ff1570e34400 call dword ptr [0044e370] // call the function; it returns 1 on success, 0 otherwise.
: 004087d6 8d4c2410 Lea ECx, dword ptr [esp + 10]
: 004087da c681_ec2421302 mov byte PTR [esp + 12724ec], 02
: 004087e2 e88d8f0300 call 00441774

* Referenced by a (u) nconditional or (c) onditional jump at address:
|: 00408717 (c)
|
: 004087e7 55 push EBP
: 004087e8 e803920100 call 004219f0
: 004087ed 83c404 add ESP, 00000004
: 004087f0 8d4c241c Lea ECx, dword ptr [esp + 1C]
: 004087f4 51 push ECx
: 004087f5 e878390300 call 0043c172
: 004087fa 8b10 mov edX, dword ptr [eax]
: 004087fc 8d44241c Lea eax, dword ptr [esp + 1C]

* Possible stringdata ref from data obj-> "% H: % m: % s"
|
: 00408800 68bcd64500 push 0045d6bc
: 00408805 50 push eax
: 00408806 8d4c242c Lea ECx, dword ptr [esp + 2C]
: 0040880a 8954242c mov dword ptr [esp + 2C], EDX
: 0040880e e872390300 call 0043c185
: 00408813 50 push eax
: 00408814 8d4c2424 Lea ECx, dword ptr [esp + 24]

* Possible stringdata ref from data obj-> ""
|
: 00408818 6828d14500 push 0045d128
: 0040881d 51 push ECx
: 0040881e c681_f0000000007 mov byte PTR [esp + 000024f8], 07
: 00408826 e8ec910300 call 00441a17

* Possible stringdata ref from data obj-> ""
|
: 0040882b 6828d14500 push 0045d128
: 00408830 8d542418 Lea edX, dword ptr [esp + 18]
: 00408834 50 push eax
: 00408835 52 push edX
: 00408836 c681_f0000000008 mov byte PTR [esp + 000024f8], 08
: 0040883e e860910300 call 004419a3
: 00408843 8b00 mov eax, dword ptr [eax]
: 00408845 8bcd mov ECx, EBP
: 00408847 50 push eax

--------------------------------------------------------------------------

Here is the call that produces the animation:

: 00409669 8d542414 Lea edX, dword ptr [esp + 14]

* Possible reference to string resource id = 00114: "CCProxy"
|
: 0040966d 6a72 push 00000072
: 0040966f 52 push edX
: 00409670 c7800003014000000000000 mov dword ptr [esp + 00001430], 00000000
: 0040967b e8c07a0100 call 00421140
: 00409680 83c408 add ESP, 00000008
: 00409683 50 push eax
: 00409684 8d4c2414 Lea ECx, dword ptr [esp + 14]
: 00409688 c682132c14000001 mov byte PTR [esp + 2017142c], 01
: 00409690 e818820300 call 004418ad
: 00409695 8d4c2414 Lea ECx, dword ptr [esp + 14]
: 00409699 c682132814000000 mov byte PTR [esp + 00001428], 00
: 004096a1 e8ce800300 call 00441774
: 004096a6 8b7c2410 mov EDI, dword ptr [esp + 10]
: 004096aa 83c9ff or ECX, ffffffff
: 004096ad 33c0 XOR eax, eax
: 004096af 8d95f8090000 Lea edX, dword ptr [EBP + 000009f8]
: 004096b5 F2 repnz
: 004096b6 AE scasb
: 004096b7 f7d1 not ECx
: 004096b9 2bf9 sub EDI, ECx
: 004096bb 53 push EBX
: 004096bc 8bc1 mov eax, ECx
: 004096be 8bf7 mov ESI, EDI
: 004096c0 8bfa mov EDI, EDX
: 004096c2 6a00 push 00000000 // also pushes 0 (NIM_ADD) here, but this is the call that produces the animation.
: 004096c4 c1e902 SHR ECx, 02 // change this parameter if you do not want the icon displayed: 6a00 -> 6a02 (NIM_ADD -> NIM_DELETE)
: 004096c7 F3 repz
: 004096c8 A5 movsd
: 004096c9 8bc8 mov ECx, eax
: 004096cb 83e103 and ECx, 00000003
: 004096ce F3 repz
: 004096cf A4 movsb

* Reference to: shell32.Shell_NotifyIconA, ord: 0079 H
|
: 004096d0 8b3570e34400 mov ESI, dword ptr [0044e370]
: 004096d6 ffd6 call ESI
: 004096d8 8b4d1c mov ECx, dword ptr [EBP + 1C]

* Possible stringdata ref from data obj-> "CCProxy System Tray Icon message"
|
: 004096db 68c8d64500 push 0045d6c8
: 004096e0 c70358000000 mov dword ptr [EBX], 00000058
: 004096e6 898de4090000 mov dword ptr [EBP + 000009e4], ECx
: 004096ec c785e80900000a000000 mov dword ptr [EBP + 000009e8], 0000000a
: 004096f6 c785ec09000002000000 mov dword ptr [EBP + 000009ec], 00000002

* Reference: user32.registerwindowmessagea, ord: 0200 H
|
: 00409700 ff1578e54400 call dword ptr [0044e578]
: 00409706 8985f0090000 mov dword ptr [EBP + 000009f0], eax
: 0040970c 8b1564164600 mov edX, dword ptr [00461664]

---------------------------------------------------------------------------

Here is the call that deletes the icon when the software exits:

: 00409daf 90 NOP
: 00409db0 a1484b4600 mov eax, dword ptr [00464b48]
: 00409db5 56 push ESI
: 00409db6 85c0 test eax, eax
: 00409db8 8bf1 mov ESI, ECx
: 00409dba 750f JNE 00409dcb
: 00409dbc 8d86e0090000 Lea eax, dword ptr [ESI + 000009e0]
: 00409dc2 50 push eax
: 00409dc3 6a02 push 00000002 // compare with the constant table above: 2 = NIM_DELETE

* Reference to: shell32.Shell_NotifyIconA, ord: 0079 H // call the function
|
: 00409dc5 ff1570e34400 call dword ptr [0044e370] // call the function; it returns 1 on success.

* Referenced by a (u) nconditional or (c) onditional jump at address:
|: 00409dba (c)
|
: 00409dcb 8b0da8164600 mov ECx, dword ptr [004616a8]
: 00409dd1 e85a210000 call 0040bf30
: 00409dd6 8b0da8164600 mov ECx, dword ptr [004616a8]
: 00409ddc c7410400000000 mov [ECx + 04], 00000000
: 00409de3 8bce mov ECx, ESI
: 00409de5 c7059cd5450000000000 mov dword ptr [0045d59c], 00000000
: 00409def e853410300 call 0043df47
: 00409df4 5E pop ESI
: 00409df5 C3 RET

-------------------------------------------------------------------------

Now that we know what these three calls do, let's make the modification. When the software starts it adds an icon to the taskbar. Changing that startup call alone has no effect. Why? Because after adding the icon the software keeps calling the same function to switch icons for the animation, so even if you patch the startup call, the icon is created again when the icon is switched. So it is the parameter of the animation call that has to be changed.

Search for the byte string: 8bc18bf78bfa6a00c1e902
Change the 6a00 in it to 6a02 (push 0, NIM_ADD, becomes push 2, NIM_DELETE).

In this way, after the software is started no icon appears in the taskbar (problem solved).
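From the other side of the desk, the same byte pattern tells a defender whether a copy of the proxy found on a machine has been tampered with in the way described above. The following script is an added example, not part of the original article or of CCProxy: it scans any byte string (a file passed on the command line, or the constructed sample images built in the script, which are stand-ins and not real CCProxy bytes) for the article's search string, reads the immediate of the `push` that supplies dwMessage to Shell_NotifyIconA, and reports whether the sites still push NIM_ADD or one of them has been changed to NIM_DELETE.

```python
"""
Integrity check for the tray-icon patch described in the article.

Added example (not the article's or CCProxy's own code). It looks for the
instruction sequence the article searches for and decodes the immediate of
the `push imm8` that carries the dwMessage argument of Shell_NotifyIconA.
An unmodified build pushes NIM_ADD (0) at both matching sites; a build
patched as the article describes pushes NIM_DELETE (2) at the animation site.
"""
import sys

# Shell_NotifyIcon message codes (from the article's constant table)
NIM_ADD, NIM_MODIFY, NIM_DELETE = 0x0, 0x1, 0x2
NIM_NAMES = {NIM_ADD: "NIM_ADD", NIM_MODIFY: "NIM_MODIFY", NIM_DELETE: "NIM_DELETE"}

# Search string from the article, 8bc18bf78bfa 6a00 c1e902, split around the
# `push imm8` (opcode 6a) whose one-byte immediate is the message code.
PREFIX = bytes.fromhex("8bc18bf78bfa")  # mov eax,ecx ; mov esi,edi ; mov edi,edx
PUSH_IMM8 = b"\x6a"                     # push <imm8>
SUFFIX = bytes.fromhex("c1e902")        # shr ecx,2


def find_tray_calls(image: bytes) -> list[tuple[int, int]]:
    """Return (offset, dwMessage) for every match of the pattern in image."""
    hits = []
    pos = image.find(PREFIX)
    while pos >= 0:
        p = pos + len(PREFIX)
        if image[p:p + 1] == PUSH_IMM8 and image[p + 2:p + 2 + len(SUFFIX)] == SUFFIX:
            hits.append((pos, image[p + 1]))
        pos = image.find(PREFIX, pos + 1)
    return hits


def classify(image: bytes) -> str:
    """'original', 'patched' or 'unknown' according to the dwMessage values found."""
    msgs = [m for _, m in find_tray_calls(image)]
    if not msgs:
        return "unknown"      # pattern absent: different build or heavier modification
    if NIM_DELETE in msgs:
        return "patched"      # tray icon suppressed as the article describes
    if all(m == NIM_ADD for m in msgs):
        return "original"
    return "unknown"


def _sample(animation_site_message: int) -> bytes:
    """Constructed stand-in for the two matching call sites (NOT real CCProxy bytes)."""
    def site(msg: int) -> bytes:
        return PREFIX + PUSH_IMM8 + bytes([msg]) + SUFFIX
    filler = b"\x90" * 16
    return filler + site(NIM_ADD) + filler + site(animation_site_message) + filler


ORIGINAL_IMAGE = _sample(NIM_ADD)     # both sites push NIM_ADD
PATCHED_IMAGE = _sample(NIM_DELETE)   # animation site changed 6a00 -> 6a02


def main(argv: list[str]) -> None:
    # Usage: python check_tray_patch.py [path-to-exe]; defaults to the constructed sample
    data = open(argv[1], "rb").read() if len(argv) > 1 else PATCHED_IMAGE
    for off, msg in find_tray_calls(data):
        print(f"offset 0x{off:x}: push {NIM_NAMES.get(msg, hex(msg))}")
    print("verdict:", classify(data))


if __name__ == "__main__":
    main(sys.argv)
```

The check deliberately keys on the instruction bytes around the push rather than on the push alone, since `6a00` on its own occurs everywhere in x86 code; a different build of the program may not match at all, which is reported as "unknown" rather than as clean.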

This is the first time I have written an article like this, so there are probably gaps and mistakes in the process. Please give me more advice and help.

If you have a better method, please send an email to powerboy_bcg # 163.com
Thank you!
