Beyond the features visible in its interface, 360 QQ Bodyguard (扣扣保镖) contains four hidden functions: blocking QQ software upgrades, hijacking Tencent's browsers, blocking a configurable list of processes that QQ starts, and QQ backup and restore. All four are controlled by a Config.ini file that acts as the switch. On inspection, this control file is not included in the QQ Bodyguard installation package and is not generated after installation; it can only be delivered by 360. In other words, users have no way to control these hidden features, and no way of knowing when or how they are activated.
Technical details:
After the user installs QQ Bodyguard (version 1.0.0.1004), its main function module QGuard.dll is injected into the Tencent QQ process by means of a global hook and intercepts the system calls ShellExecuteExW and CreateProcessInternalW, among others. It watches for the Config.ini file (the hidden-feature activation file); if the file exists, the hidden actions are activated according to its contents.
From code analysis of the four hidden functions, we can infer that Config.ini carries at least the following four kinds of switches:
[Main]
DisableUpdate = 1      // block QQ automatic updates; as far as the user can tell, QQ simply cannot upgrade
DisableBrowser = 1     // hijack browsers started by QQ and replace them with 360's browser
Com = ;;......         // block QQ from starting any process whose image name is on this ';'-separated list
enable_repair = 1      // QQ backup switch: whether to show the dialog that guides the user to back up QQ
MaxNotifyCount = 50    // QQ backup parameter: maximum number of times the dialog is shown
FirstNotify = 1        // QQ backup parameter: delay after QQ starts before the dialog appears (seconds)
(Users have no way to switch off any of these hidden features.)
Hidden function I: blocking QQ software upgrades
What the hidden function does:
Once this hidden function is activated, QQ's security components, QQ itself and other software upgrades can no longer update properly (the user is not informed and receives no error message of any kind), and the QQ software becomes a
Implementation: after hooking ShellExecuteExW and CreateProcessInternalW, QGuard.dll identifies and filters the code path by which QQ IM starts its upgrade process (QQ upgrade blocking).
If the process being started is auclt.exe, SelfUpdate.exe or QQSafeud.exe and Config.ini contains DisableUpdate = 1, the real system call is skipped and the launch of the QQ upgrade process fails. None of this is reported to the user.
Hidden function II: blocking QQ from starting processes on a specified list
What the hidden function does:
Once this hidden function is activated, QQ Bodyguard filters the programs that QQ starts against the list of process names that 360 delivers in Config.ini. This gives 360 an easy, remotely controlled way to intercept any program QQ launches.
QQ Bodyguard tries to read the Com field under the [Main] section of Config.ini in its installation directory, 360\360safe\360QGuard\Config.ini (see the Config.ini layout above). Because Config.ini does not exist in a default installation, we cannot know which specific processes are filtered, but the code shows that QQ Bodyguard blocks the launch of any process whose file name appears in this list.
Below is part of the code that blocks programs started by QQ:
Below is the code in QGuard.dll that reads the configuration:
In addition, it reads the [component] entries of the configuration file UserConfig.ini under %AppData%; each entry maps an image name to 0 or 1, which is then used as the switch for filtering that process.
%AppData%\360QGuard\UserConfig.ini normally looks like this:
[component]
<image name> = 0 | 1
Hidden function III: hijacking browsers started by QQ (replacing them with 360's browser)
What the hidden function does:
Once this function is activated, whenever the QQ process starts a browser (passing a URL as a parameter), the launch is replaced with 360SE (360 Secure Browser). Because the function works by intercepting the API, it makes no difference which default browser the user has set or which browser Tencent QQ selects: the launch is hijacked to 360SE. (Note: the hidden feature is not limited to hijacking TTraveler.exe and QQBrowser.exe; the configuration can be updated at any time to hijack any browser by its process name.)
As a result, every URL link the user opens from QQ chat ends up being opened in 360SE.
Implementation: QGuard.dll intercepts the launch and, on finding that QQ IM is starting a Tencent browser (TTraveler.exe or QQBrowser.exe) while Config.ini contains DisableBrowser = 1, replaces the browser QQ launched with 360's browser.
In addition, through the final call to InitComponent, it reads the [component] entries of UserConfig.ini under %AppData%; if the image name being started matches an entry there, it is likewise replaced with 360's browser.
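The decision logic described for hidden functions I to III, written out as an added example in C. This is not QGuard.dll's code and is not from the original analysis: it models the check made inside the ShellExecuteExW / CreateProcessInternalW hooks as a pure function over a parsed Config.ini, so it can be run offline without hooking anything. The [Main] keys and the process names (auclt.exe, SelfUpdate.exe, QQSafeud.exe, TTraveler.exe, QQBrowser.exe) are those identified above; the sample Config.ini text, the exampleN.exe entries in its Com list and the image name 360se.exe for 360SE are assumptions. The UserConfig.ini [component] switches are not modelled.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not QGuard.dll's code: a pure-function model of the check the analysis
 * places inside the ShellExecuteExW / CreateProcessInternalW hooks. Key and process
 * names are from the analysis; the Com entries and "360se.exe" are assumptions. */

#define MAX_COM  16
#define NAME_LEN 64

typedef struct {
    int  present;                 /* Config.ini exists at all: hidden features armed */
    int  disable_update;          /* [Main] DisableUpdate = 1 */
    int  disable_browser;         /* [Main] DisableBrowser = 1 */
    int  ncom;                    /* entries parsed from [Main] Com = a.exe;b.exe;... */
    char com[MAX_COM][NAME_LEN];
} qconfig_t;

typedef enum {
    ACT_ALLOW = 0,        /* pass the call through to the real API */
    ACT_BLOCK_UPDATE,     /* swallow the call: the QQ updater never starts */
    ACT_BLOCK_LISTED,     /* swallow the call: image name is on the Com list */
    ACT_REDIRECT_BROWSER  /* start 360SE (assumed image 360se.exe) with the same URL */
} action_t;

static const char *UPDATE_PROCS[]  = { "auclt.exe", "SelfUpdate.exe", "QQSafeud.exe" };
static const char *BROWSER_PROCS[] = { "TTraveler.exe", "QQBrowser.exe" };

/* Windows image names are case-insensitive, so compare that way. */
static int ieq(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}
/* The filter matches on the file name only, so drop any directory part. */
static const char *basename_of(const char *path) {
    const char *last = path;
    for (const char *p = path; *p; p++) if (*p == '\\' || *p == '/') last = p + 1;
    return last;
}
static char *trim(char *s) {
    while (isspace((unsigned char)*s)) s++;
    char *e = s + strlen(s);
    while (e > s && isspace((unsigned char)e[-1])) *--e = '\0';
    return s;
}
/* Com is a ';'-separated list of image names (see the Config.ini layout above). */
static void parse_com_list(char *val, qconfig_t *cfg) {
    for (char *semi; *val && cfg->ncom < MAX_COM; val = semi + 1) {
        semi = strchr(val, ';');
        if (semi) *semi = '\0';
        char *name = trim(val);
        if (*name) strncpy(cfg->com[cfg->ncom++], name, NAME_LEN - 1);
        if (!semi) break;
    }
}
/* Minimal INI reader for the [Main] keys identified above; text == NULL models a missing file. */
void parse_config(const char *text, qconfig_t *cfg) {
    memset(cfg, 0, sizeof *cfg);
    if (!text) return;
    cfg->present = 1;
    int in_main = 0;
    for (const char *p = text; *p; ) {
        char line[256];
        size_t full = strcspn(p, "\r\n"), n = full < sizeof line ? full : sizeof line - 1;
        memcpy(line, p, n);
        line[n] = '\0';
        for (p += full; *p == '\r' || *p == '\n'; p++) ;
        char *l = trim(line), *eq = strchr(l, '=');
        if (*l == '[') { in_main = ieq(l, "[Main]"); continue; }
        if (!in_main || !eq) continue;
        *eq = '\0';
        char *key = trim(l), *val = trim(eq + 1);
        if (ieq(key, "DisableUpdate"))       cfg->disable_update  = atoi(val) != 0;
        else if (ieq(key, "DisableBrowser")) cfg->disable_browser = atoi(val) != 0;
        else if (ieq(key, "Com"))            parse_com_list(val, cfg);
    }
}
/* What the hook does with one launch request coming from the QQ process. */
action_t decide(const qconfig_t *cfg, const char *image_path) {
    if (!cfg->present) return ACT_ALLOW;
    const char *name = basename_of(image_path);
    if (cfg->disable_update)
        for (size_t i = 0; i < sizeof UPDATE_PROCS / sizeof *UPDATE_PROCS; i++)
            if (ieq(name, UPDATE_PROCS[i])) return ACT_BLOCK_UPDATE;
    if (cfg->disable_browser)
        for (size_t i = 0; i < sizeof BROWSER_PROCS / sizeof *BROWSER_PROCS; i++)
            if (ieq(name, BROWSER_PROCS[i])) return ACT_REDIRECT_BROWSER;
    for (int k = 0; k < cfg->ncom; k++)
        if (ieq(name, cfg->com[k])) return ACT_BLOCK_LISTED;
    return ACT_ALLOW;
}
action_t decide_with_text(const char *ini_text, const char *image_path) {
    qconfig_t cfg;
    parse_config(ini_text, &cfg);
    return decide(&cfg, image_path);
}
/* Constructed Config.ini arming every switch; the exampleN.exe names are placeholders. */
const char *SAMPLE_INI =
    "[Main]\r\nDisableUpdate = 1\r\nDisableBrowser = 1\r\nCom = example1.exe ; example2.exe\r\n";
```

Calling decide_with_text(SAMPLE_INI, "C:\\...\\SelfUpdate.exe") yields ACT_BLOCK_UPDATE, "QQBrowser.exe" yields ACT_REDIRECT_BROWSER, "example2.exe" yields ACT_BLOCK_LISTED and "notepad.exe" yields ACT_ALLOW, while a NULL configuration (no Config.ini delivered) allows everything. The point worth noticing is how little is needed to arm the behaviour: no user setting is consulted anywhere, and the only input is a file that, per the analysis, 360 alone can place.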
Hidden function IV: prompting users to back up QQ (and possibly performing restore operations)
What the hidden function does:
Once this hidden function is activated, QQ Bodyguard uses the parameters that 360 delivers in Config.ini to guide the user into backing up QQ to a directory that 360 specifies; the backup can later be restored through QQ Bodyguard.
With the entries above filled into Config.ini, the following dialog appears when QQ starts.
Here the user can disable QQ's automatic update feature. The Backup button backs up all QQ files to 360's configured directory, as shown below:
The relevant code is as follows:
Analysis summary:
The four hidden functions of 360 QQ Bodyguard are highly targeted (all of them aimed at the QQ software) and have the following characteristics:
1. Without the user's knowledge, they sabotage the normal operation of other software, which is the hallmark of rogue software.
2. They are hidden, backdoor-style triggers that bypass the user's control over the program's functions.
3. They inject into other processes and modify their normal behaviour in the manner of a plug-in.
Techniques like these are normally seen only in Trojans, backdoors, viruses and other malicious software of that kind. This makes it easy to understand why 360 kept the tool available for so short a time, and why Tencent was so furious.
Appendix:
Definitions of a few of the terms used, taken from Baidu and Wikipedia:
Plug-in (外挂): in general, a program that, when a computer is running some program and a certain event occurs, hooks itself into the other program's address space (typical triggers are keyboard, mouse, timer and message events); the purpose of hooking in is to change how the hooked program runs.
Backdoor: a means of bypassing a system's security controls through a hidden path in order to gain access to a program or system.
New-style rogue software: new rogue software may not bundle plug-ins at all; its new hooliganism includes deliberately obstructing the use of other, similar software, and dressing up its own bugs, or what it claims are good features, to cover up its dirty purposes. New rogue software is good at psychology: it studies the user's psychology and exploits it for its own benefit.