Remove the icon of the taskbar

xiaoxiao2021-03-06  14

The program I am dealing with this time is a rather useful proxy program (I am not sure whether I should hide its name in this article). Its algorithm has been analyzed many times already, so I will not repeat that; instead I want to discuss a practical application. Suppose you want to use someone else's machine to get onto the Internet and you do not want the owner to notice easily (has anyone else had this idea?). This program puts an icon in the system tray as soon as it starts, which rather defeats the purpose, so that is what has to be dealt with.

First let us sort out the idea. To add or remove an icon in the system tray a program must call Shell_NotifyIconA in shell32.dll: when the program starts it calls this function to add its own icon to the tray, and when it shuts down it calls the same function to delete the icon. Look the function up in a WinAPI reference to see its parameters and calling convention:

Const NIM_ADD = &H0 ' this parameter adds an icon to the tray
Const NIM_MODIFY = &H1
Const NIM_DELETE = &H2 ' this parameter removes an icon from the tray
Const NIF_MESSAGE = &H1
Const NIF_ICON = &H2
Const NIF_TIP = &H4
Declare Function Shell_NotifyIcon Lib "Shell32.dll" Alias "Shell_NotifyIconA" (ByVal dwMessage As Long, lpData As NOTIFYICONDATA) As Long

The meaning of the two parameters of this function must be kept in mind.

Now disassemble the program with WinASM32, find shell32.Shell_NotifyIconA in the imported functions and look at where the program calls it. Double-clicking through the references shows that the function is called in three places. First let us analyze what the three calls do: the first adds the icon to the system tray when the program starts; the second produces the icon animation (anyone who writes programs knows that the simplest way to animate is to switch back and forth between icons); the last deletes the tray icon when the program exits. That is roughly what the three calls are for.

That was only a preliminary static analysis; now for dynamic tracing. To analyze how the program calls the function you must use TRW2000 or SoftICE. Set a breakpoint with BPX Shell_NotifyIconA; when it triggers, press F12 to return to the caller and look at how the program calls the function and with which parameters. The first break lands here, where the icon is added at startup:

* Possible Reference to String Resource ID=00114: "CCProxy"
|
:00408770 6A72 push 00000072
:00408772 51 push ecx
:00408773 C68424F424000005 mov byte ptr [esp+000024F4], 05
:0040877B E8C0890100 call 00421140
:00408780 83C408 add esp, 00000008
:00408783 50 push eax
:00408784 8D4C2414 lea ecx, dword ptr [esp+14]
:00408788 C68424F024000006 mov byte ptr [esp+000024F0], 06
:00408790 E818910300 call 004418AD
:00408795 8D4C2414 lea ecx, dword ptr [esp+14]
:00408799 C68424EC24000005 mov byte ptr [esp+000024EC], 05
:004087A1 E8CE8F0300 call 00441774
:004087A6 8B7C2410 mov edi, dword ptr [esp+10]
:004087AA 83C9FF or ecx, FFFFFFFF
:004087AD 33C0 xor eax, eax
:004087AF 8D95F8090000 lea edx, dword ptr [ebp+000009F8]
:004087B5 F2 repnz
:004087B6 AE scasb
:004087B7 F7D1 not ecx
:004087B9 2BF9 sub edi, ecx
:004087BB 53 push ebx
:004087BC 8BC1 mov eax, ecx
:004087BE 8BF7 mov esi, edi
:004087C0 8BFA mov edi, edx
:004087C2 6A00 push 00000000 // see, the dwMessage parameter is 0 (NIM_ADD)
:004087C4 C1E902 shr ecx, 02 // this call has no lasting effect, because the icon is switched again by the animation code below
:004087C7 F3 repz
:004087C8 A5 movsd
:004087C9 8BC8 mov ecx, eax
:004087CB 83E103 and ecx, 00000003
:004087CE F3 repz
:004087CF A4 movsb
* Reference To: SHELL32.Shell_NotifyIconA, Ord:0079h // call the function
|
:004087D0 FF1570E34400 call dword ptr [0044E370] // returns 1 if the call succeeded, otherwise 0
:004087D6 8D4C2410 lea ecx, dword ptr [esp+10]
:004087DA C68424EC24000002 mov byte ptr [esp+000024EC], 02
:004087E2 E88D8F0300 call 00441774
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00408717(C)
:004087E7 55 push ebp
:004087E8 E803920100 call 004219F0
:004087ED 83C404 add esp, 00000004
:004087F0 8D4C241C lea ecx, dword ptr [esp+1C]
:004087F4 51 push ecx
:004087F5 E878390300 call 0043C172
:004087FA 8B10 mov edx, dword ptr [eax]
:004087FC 8D44241C lea eax, dword ptr [esp+1C]
* Possible StringData Ref from Data Obj ->"%H:%M:%S"
|
:00408800 68BCD64500 push 0045D6BC
:00408805 50 push eax
:00408806 8D4C242C lea ecx, dword ptr [esp+2C]
:0040880A 8954242C mov dword ptr [esp+2C], edx
:0040880E E872390300 call 0043C185
:00408813 50 push eax
:00408814 8D4C2424 lea ecx, dword ptr [esp+24]
* Possible StringData Ref from Data Obj ->""
|
:00408818 6828D14500 push 0045D128
:0040881D 51 push ecx
:0040881E C68424F824000007 mov byte ptr [esp+000024F8], 07
:00408826 E8EC910300 call 00441A17
* Possible StringData Ref from Data Obj ->""
|
:0040882B 6828D14500 push 0045D128
:00408830 8D542418 lea edx, dword ptr [esp+18]
:00408834 50 push eax
:00408835 52 push edx
:00408836 C68424F824000008 mov byte ptr [esp+000024F8], 08
:0040883E E860910300 call 004419A3
:00408843 8B00 mov eax, dword ptr [eax]
:00408845 8BCD mov ecx, ebp
:00408847 50 push eax

------------------------------------------------------------------------

Here is the call that produces the animation:

:00409669 8D542414 lea edx, dword ptr [esp+14]
* Possible Reference to String Resource ID=00114: "CCProxy"
|
:0040966D 6A72 push 00000072
:0040966F 52 push edx
:00409670 C784243014000000000000 mov dword ptr [esp+00001430], 00000000
:0040967B E8C07A0100 call 00421140
:00409680 83C408 add esp, 00000008
:00409683 50 push eax
:00409684 8D4C2414 lea ecx, dword ptr [esp+14]
:00409688 C684242C14000001 mov byte ptr [esp+0000142C], 01
:00409690 E818820300 call 004418AD
:00409695 8D4C2414 lea ecx, dword ptr [esp+14]
:00409699 C684242814000000 mov byte ptr [esp+00001428], 00
:004096A1 E8CE800300 call 00441774
:004096A6 8B7C2410 mov edi, dword ptr [esp+10]
:004096AA 83C9FF or ecx, FFFFFFFF
:004096AD 33C0 xor eax, eax
:004096AF 8D95F8090000 lea edx, dword ptr [ebp+000009F8]
:004096B5 F2 repnz
:004096B6 AE scasb
:004096B7 F7D1 not ecx
:004096B9 2BF9 sub edi, ecx
:004096BB 53 push ebx
:004096BC 8BC1 mov eax, ecx
:004096BE 8BF7 mov esi, edi
:004096C0 8BFA mov edi, edx
:004096C2 6A00 push 00000000 // also 0 here, but this is the call that produces the animation
:004096C4 C1E902 shr ecx, 02 // if you do not want the icon to appear, change the parameter here: 6A00 -> 6A02
:004096C7 F3 repz
:004096C8 A5 movsd
:004096C9 8BC8 mov ecx, eax
:004096CB 83E103 and ecx, 00000003
:004096CE F3 repz
:004096CF A4 movsb
* Reference To: SHELL32.Shell_NotifyIconA, Ord:0079h
|
:004096D0 8B3570E34400 mov esi, dword ptr [0044E370]
:004096D6 FFD6 call esi
:004096D8 8B4D1C mov ecx, dword ptr [ebp+1C]
* Possible StringData Ref from Data Obj ->"CCProxy System Tray Icon Message"
|
:004096DB 68C8D64500 push 0045D6C8
:004096E0 C70358000000 mov dword ptr [ebx], 00000058
:004096E6 898DE4090000 mov dword ptr [ebp+000009E4], ecx
:004096EC C785E80900000A000000 mov dword ptr [ebp+000009E8], 0000000A
:004096F6 C785EC09000002000000 mov dword ptr [ebp+000009EC], 00000002
* Reference To: USER32.RegisterWindowMessageA, Ord:0200h
|
:00409700 FF1578E54400 call dword ptr [0044E578]
mov dword ptr [ebp

Please credit the original source when reposting: https://www.9cbs.com/read-48996.html
