The Truman Show: Hacking Team Win32 monitoring code analysis

ID MYHACK58:62201564750
Type myhack58
Reporter Anonymous
Modified 2015-07-17T00:00:00


Hacking Team is an Italian software company that mainly sells intrusion and surveillance software to governments and law-enforcement bodies. On the night of July 5 it was attacked by hackers and 400G of data leaked; its 0days and various exploits became known around the world. The company's most famous product is its RCS (Remote Control System), part of whose source code was also leaked. It is a monitoring platform that covers every well-known platform, from MacOS to Symbian. In the leaked files we find monitoring code for the Win32 platform, and the breadth of what it monitors is surprising: from browsers to all kinds of social software, there is nothing you can think of that it does not monitor.

Win32 monitoring implementation:

The Win32 monitoring module code is located in the /core-win32-master folder. Analysing the module source shows that the monitoring module is a dynamic link library; its main files are as follows:

Figure 1

Its main functions include:

Stealing cookies and other account information from mainstream browsers such as Chrome, Firefox and Internet Explorer
Monitoring mainstream social software: ICQ versions 7.0 to 8.0, MsnLive versions 8.5 to 2010, Skype versions 2.0 to 4.0, Yahoo Messenger versions 7.0 to 10.x
Monitoring the user's screen, WiFi, microphone and other information

The monitoring range is so comprehensive that you can imagine: once your PC is compromised, your privacy no longer exists, because every operation you perform is on someone else's monitor. Looking at its .def file, the exported interfaces can be found:

Figure 2

Among them HM_sMain is the interface to the core framework; its main job is to initialise the various types of monitoring handlers and to start the other kinds of processing. Next we take a brief look at the HM_sMain interface.
HM_sMain first calls the InitAgents function to initialise its various types of monitoring events.

Figure 3

From the initialisation information it can be seen how thorough Hacking Team's Win32 monitoring is; with this in place, do you still have any privacy at all? You can no longer play happily. The registration of each of these events eventually calls AM_MonitorRegister. This function is relatively simple: it just stores the different event handler functions in a global array of structures.

Figure 4

Figure 5

From its members you can see that the AMDispatchStruct structure mainly holds the initialisation functions of the various monitoring events. This array of structures is the important basis for the subsequent delivery of monitoring messages; the principle is similar to the Windows message dispatch mechanism. An AM_Main thread is then created; its function is roughly similar to a Windows message callback, and it mainly distributes the various monitoring messages.

Figure 6

Figure 7

Finally AM_Dispatch calls the previously registered processing function for each type of monitoring message.

Monitoring module implementation:

The monitoring system is mainly divided into 5 modules, each corresponding to a different monitoring purpose: HM_IMAgent (monitoring of social software), HM_MailAgent (monitoring of e-mail information), HM_MicAgent (monitoring of microphones and other devices), HM_PWDAgent (theft of user account information), and the social and browser monitoring centre. Below is a brief description of each module's functions and role.

HM_IMAgent module:

This module is located in \core-win32-master\HM_IMAgent; its code files are as follows:

Figure 8

From the code you can see that different modules are designed to steal user information from different social networking software. Take Msn Live 2009 as an example: the module's main function is to obtain the user list and the chat history.
The following is the GrabUserList implementation code:

Figure 9

The technique is mainly to obtain window titles and to enumerate the MsnLive user data through them.

PWDAGENT module:

It is located in \core-win32-master\HM_PWDAgent, with the following file structure:

Figure 10

Take the Outlook program as an example: its main functions are DumpOutlook and DumpOutlookxp, whose purpose is to steal the user's Outlook account information.

Figure 11

HM_MailAgent module:

The module source code is located in \core-win32-master\HM_MailAgent, with the following file structure:

Figure 12
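Returning to the HM_sMain framework described earlier (InitAgents registering handlers through AM_MonitorRegister into a global AMDispatchStruct array, and an AM_Main loop routing messages through AM_Dispatch), here is an added example that models that flow in plain C; it is not code from the leaked RCS source. The field layout, function signatures, numeric event tags and the two stand-in agents are all assumptions.

```c
/* Hypothetical reconstruction of the table the text describes (AMDispatchStruct,
 * AM_MonitorRegister, AM_Dispatch, AM_Main); signatures and event tags are assumed. */
typedef int (*AgentHandlerFn)(const char *msg);
typedef struct {
    unsigned int type;       /* assumed numeric tag of the monitoring event */
    const char *name;        /* agent name, e.g. "HM_IMAgent" */
    AgentHandlerFn handler;  /* function invoked for messages of this type */
} AMDispatchStruct;
#define AM_MAX_AGENTS 16
static AMDispatchStruct g_dispatch[AM_MAX_AGENTS];  /* the global array */
static int g_dispatch_count = 0;

/* Store a handler in the global table; returns its slot, or -1 when the table
 * is full, the handler is NULL, or the type is already registered. */
int AM_MonitorRegister(unsigned int type, const char *name, AgentHandlerFn fn) {
    for (int i = 0; i < g_dispatch_count; i++)
        if (g_dispatch[i].type == type) return -1;
    if (g_dispatch_count >= AM_MAX_AGENTS || !fn) return -1;
    g_dispatch[g_dispatch_count] = (AMDispatchStruct){type, name, fn};
    return g_dispatch_count++;
}

/* Route one message by type; returns the handler's result or -1 if unhandled. */
int AM_Dispatch(unsigned int type, const char *msg) {
    for (int i = 0; i < g_dispatch_count; i++)
        if (g_dispatch[i].type == type) return g_dispatch[i].handler(msg);
    return -1;
}

/* Stand-in for the AM_Main thread loop: drains a queue, counts deliveries. */
int AM_Main(const unsigned int *types, const char **msgs, int n) {
    int delivered = 0;
    for (int i = 0; i < n; i++)
        if (AM_Dispatch(types[i], msgs[i]) >= 0) delivered++;
    return delivered;
}

/* Constructed stand-in agents: they only count the messages they receive. */
int g_im_seen = 0, g_pwd_seen = 0;
static int IMAgent(const char *m) { (void)m; return ++g_im_seen; }
static int PWDAgent(const char *m) { (void)m; return ++g_pwd_seen; }

/* Register two agents, then drain a constructed queue (type 9 has no agent). */
int run_demo(void) {
    AM_MonitorRegister(1, "HM_IMAgent", IMAgent);
    AM_MonitorRegister(2, "HM_PWDAgent", PWDAgent);
    const unsigned int q_types[] = {1, 2, 1, 9};
    const char *q_msgs[] = {"im", "pwd", "im", "unknown"};
    return AM_Main(q_types, q_msgs, 4);  /* 3 */
}
```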
