Analysis of the "National Compulsory Education Quality Monitoring Online Test System"
Preface
A teacher posted a curious piece of software in the class group chat.


A crowd of parents trying to open an exe file on their phones
Following the usage instructions in the accompanying document, I ran a test; the polished UI gave off a strong whiff of Electron.



Unpacking the installer
Open the installer with an archive tool. After extracting it, use the tree command to view the directory layout:
卷 Windows 11 的文件夹 PATH 列表
卷序列号为 CEAC-CD06
C:.
│ installer.exe
│
└─$PLUGINSDIR
│ modern-wizard.bmp
│ nsDialogs.dll
│ nsExec.dll
│ nsis7z.dll
│ nsProcess.dll
│ StdUtils.dll
│ System.dll
│ UAC.dll
│ WinShell.dll
│
└─app-32.7z // this was originally a .7z archive; the listing below shows it after extraction.
│ chrome_100_percent.pak
│ chrome_200_percent.pak
│ d3dcompiler_47.dll
│ ffmpeg.dll
│ icudtl.dat
│ libEGL.dll
│ libGLESv2.dll
│ LICENSE.electron.txt
│ LICENSES.chromium.html
│ resources.pak
│ snapshot_blob.bin
│ v8_context_snapshot.bin
│ vk_swiftshader.dll
│ vk_swiftshader_icd.json
│ vulkan-1.dll
│ 国家义务教育质量监测网络测试系统.exe
│
├─locales
│ af.pak
│ am.pak
│ ar.pak
│ bg.pak
│ bn.pak
│ ca.pak
│ cs.pak
│ da.pak
│ de.pak
│ el.pak
│ en-GB.pak
│ en-US.pak
│ es-419.pak
│ es.pak
│ et.pak
│ fa.pak
│ fi.pak
│ fil.pak
│ fr.pak
│ gu.pak
│ he.pak
│ hi.pak
│ hr.pak
│ hu.pak
│ id.pak
│ it.pak
│ ja.pak
│ kn.pak
│ ko.pak
│ lt.pak
│ lv.pak
│ ml.pak
│ mr.pak
│ ms.pak
│ nb.pak
│ nl.pak
│ pl.pak
│ pt-BR.pak
│ pt-PT.pak
│ ro.pak
│ ru.pak
│ sk.pak
│ sl.pak
│ sr.pak
│ sv.pak
│ sw.pak
│ ta.pak
│ te.pak
│ th.pak
│ tr.pak
│ uk.pak
│ ur.pak
│ vi.pak
│ zh-CN.pak
│ zh-TW.pak
│
└─resources
│ app.asar
│ elevate.exe
│
├─client
│ child-questionaire-release-v2.5.0.asar
│
└─keyboard
lock.exe
unlock.exe
The presence of app.asar, LICENSE.electron.txt and LICENSES.chromium.html makes it fairly certain the application was built with Electron. They did not even bother to delete the licence files.
Installation
After installation, the directory layout is as follows:
P:.
│ chrome_100_percent.pak
│ chrome_200_percent.pak
│ d3dcompiler_47.dll
│ ffmpeg.dll
│ icudtl.dat
│ libEGL.dll
│ libGLESv2.dll
│ LICENSE.electron.txt
│ LICENSES.chromium.html
│ resources.pak
│ snapshot_blob.bin
│ Uninstall 国家义务教育质量监测网络测试系统.exe
│ v8_context_snapshot.bin
│ vk_swiftshader.dll
│ vk_swiftshader_icd.json
│ vulkan-1.dll
│ 国家义务教育质量监测网络测试系统.exe
│
├─locales
│ af.pak
│ am.pak
│ ar.pak
│ bg.pak
│ bn.pak
│ ca.pak
│ cs.pak
│ da.pak
│ de.pak
│ el.pak
│ en-GB.pak
│ en-US.pak
│ es-419.pak
│ es.pak
│ et.pak
│ fa.pak
│ fi.pak
│ fil.pak
│ fr.pak
│ gu.pak
│ he.pak
│ hi.pak
│ hr.pak
│ hu.pak
│ id.pak
│ it.pak
│ ja.pak
│ kn.pak
│ ko.pak
│ lt.pak
│ lv.pak
│ ml.pak
│ mr.pak
│ ms.pak
│ nb.pak
│ nl.pak
│ pl.pak
│ pt-BR.pak
│ pt-PT.pak
│ ro.pak
│ ru.pak
│ sk.pak
│ sl.pak
│ sr.pak
│ sv.pak
│ sw.pak
│ ta.pak
│ te.pak
│ th.pak
│ tr.pak
│ uk.pak
│ ur.pak
│ vi.pak
│ zh-CN.pak
│ zh-TW.pak
│
└─resources
│ app.asar
│ elevate.exe
│
├─client
│ child-questionaire-release-v2.5.0.asar
│
└─keyboard
lock.exe
unlock.exe
As you can see, the contents of app-32.7z were extracted here, and the uninstaller from the installer's root directory was dropped into the same folder.
Unpacking the asar files
The directory contains several .asar files. This is an archive format that packs multiple files into a single file, without any compression.
Install the asar tool via npm to unpack them. After unpacking, however, the files turned out to be obfuscated with bytecode-loader and are no longer readable.
lock.exe / unlock.exe
Under <install dir>\resources\keyboard there are two programs: lock.exe and unlock.exe. Running lock.exe triggers a 360 antivirus alert; once it is running, the taskbar disappears, the registry is disabled, and so on. unlock.exe restores the system to normal.
Could be copied onto someone else's computer to run as a prank.
Uploaded to 360 Sandbox Cloud and the ThreatBook cloud sandbox; 360 Sandbox Cloud classified it as a virus.
It carries a digital signature from Beijing Normal University.
I used a tool to analyse its behaviour, filtered out the irrelevant entries and exported the result as a CSV file, shown below:
lock.csv
时间,进程名,进程ID,任务组ID,动作,路径,参数,结果,
16:04:15:024,"lock.exe","10972:0","10972","EXEC_destroy","P:\Program Files (x86)\eachinacoreframe\resources\keyboard\lock.exe","parent_pid:19780 cmdline:'""P:\Program Files (x86)\eachinacoreframe\resources\keyboard\lock.exe"" ' ","0x00000000 [操作成功完成。 ]",""
16:04:56:555,"lock.exe","11060:0","11060","EXEC_destroy","P:\Program Files (x86)\eachinacoreframe\resources\keyboard\lock.exe","parent_pid:19780 cmdline:'""P:\Program Files (x86)\eachinacoreframe\resources\keyboard\lock.exe"" ' ","0x00000000 [操作成功完成。 ]",""
16:04:57:989,"lock.exe","18528:0","18528","EXEC_create","P:\Program Files (x86)\eachinacoreframe\resources\keyboard\lock.exe","parent_pid:19780 cmdline:'""P:\Program Files (x86)\eachinacoreframe\resources\keyboard\lock.exe"" ' image_base:0x0000000000190000 image_size:0x0002B000 ","0x00000000 [操作成功完成。 ]",""
16:04:57:990,"lock.exe","18528:16216","18528","REG_getval","HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CodePage\ACP","type:0x00000000 datalen:0 data:","0x00000000 [操作成功完成。 ]",""
16:04:57:991,"lock.exe","18528:16216","18528","REG_getval","HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CodePage\OEMCP","type:0x00000000 datalen:0 data:","0x00000000 [操作成功完成。 ]",""
16:04:57:993,"lock.exe","18528:16216","18528","REG_getval","HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wow64\x86\","type:0x00000000 datalen:0 data:","0x00000000 [操作成功完成。 ]",""
16:04:57:993,"lock.exe","18528:16216","18528","REG_getval","HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CodePage\ACP","type:0x00000000 datalen:0 data:","0x00000000 [操作成功完成。 ]",""
16:04:57:993,"lock.exe","18528:16216","18528","REG_getval","HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CodePage\OEMCP","type:0x00000000 datalen:0 data:","0x00000000 [操作成功完成。 ]",""
16:04:57:997,"lock.exe","18528:16216","18528","REG_getval","HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\FileSystem\LongPathsEnabled","type:0x00000000 datalen:0 data:","0x00000000 [操作成功完成。 ]",""
16:04:58:003,"lock.exe","18528:16216","18528","FILE_touch","P:\Program Files (x86)\eachinacoreframe\resources\keyboard\keyboardhook.log","access:0x00120196 alloc_size:0 attrib:0x00000080 share_access:0x00000003 disposition:0x00000005 options:0x00000060 ","0x00000000 [操作成功完成。 ]",""
16:04:58:003,"lock.exe","18528:16216","18528","FILE_write","P:\Program Files (x86)\eachinacoreframe\resources\keyboard\keyboardhook.log","offset:0x00000000 datalen:0x0000001A ","0x00000000 [操作成功完成。 ]",""
16:04:58:003,"lock.exe","18528:0","18528","FILE_open","C:\Windows\SysWOW64\uxtheme.dll","access:0x00100021 alloc_size:0 attrib:0x00000000 share_access:0x00000005 disposition:0x00000001 options:0x00000060 ","0x00000000 [操作成功完成。 ]",""
16:04:58:006,"lock.exe","18528:16216","18528","REG_getval","HKEY_USERS\S-1-5-21-1325780520-25236661-3167418138-1001\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme","type:0x00000000 datalen:0 data:","0x00000000 [操作成功完成。 ]",""
16:04:58:012,"lock.exe","18528:23036","18528","REG_getval","HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CodePage\1252","type:0x00000000 datalen:0 data:","0x00000000 [操作成功完成。 ]",""
16:04:58:012,"lock.exe","18528:23036","18528","REG_getval","HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CodePage\AllowDeprecatedCP","type:0x00000000 datalen:0 data:","0x00000000 [操作成功完成。 ]",""
16:04:58:012,"lock.exe","18528:16216","18528","REG_getval","HKEY_USERS\S-1-5-21-1325780520-25236661-3167418138-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskmgr","type:0x00000000 datalen:0 data:","0x00000000 [操作成功完成。 ]",""
16:04:58:012,"lock.exe","18528:23036","18528","REG_getval","HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CodePage\1256","type:0x00000000 datalen:0 data:","0x00000000 [操作成功完成。 ]",""
16:04:58:019,"lock.exe","18528:23036","18528","REG_getval","HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CodePage\1251","type:0x00000000 datalen:0 data:","0x00000000 [操作成功完成。 ]",""
16:04:58:020,"lock.exe","18528:23036","18528","REG_getval","HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CodePage\1254","type:0x00000000 datalen:0 data:","0x00000000 [操作成功完成。 ]",""
16:04:58:023,"lock.exe","18528:23036","18528","REG_getval","HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CodePage\1250","type:0x00000000 datalen:0 data:","0x00000000 [操作成功完成。 ]",""
16:04:58:030,"lock.exe","18528:23036","18528","REG_getval","HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CodePage\1253","type:0x00000000 datalen:0 data:","0x00000000 [操作成功完成。 ]",""
16:04:58:042,"lock.exe","18528:23036","18528","REG_getval","HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CodePage\1257","type:0x00000000 datalen:0 data:","0x00000000 [操作成功完成。 ]",""
16:04:58:049,"lock.exe","18528:23036","18528","REG_getval","HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CodePage\1255","type:0x00000000 datalen:0 data:","0x00000000 [操作成功完成。 ]",""
16:04:58:051,"lock.exe","18528:23036","18528","REG_getval","HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CodePage\932","type:0x00000000 datalen:0 data:","0x00000000 [操作成功完成。 ]",""
16:04:58:052,"lock.exe","18528:23036","18528","REG_getval","HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CodePage\949","type:0x00000000 datalen:0 data:","0x00000000 [操作成功完成。 ]",""
16:04:58:065,"lock.exe","18528:23036","18528","REG_getval","HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CodePage\874","type:0x00000000 datalen:0 data:","0x00000000 [操作成功完成。 ]",""
16:04:58:068,"lock.exe","18528:23036","18528","REG_getval","HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CodePage\1258","type:0x00000000 datalen:0 data:","0x00000000 [操作成功完成。 ]",""
16:04:59:699,"lock.exe","18528:16216","18528","REG_setval","HKEY_USERS\S-1-5-21-1325780520-25236661-3167418138-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskmgr","type:0x00000004 datalen:4 data:'01 00 00 00 ' ","0x00000000 [操作成功完成。 ]",""
16:04:59:700,"lock.exe","18528:16216","18528","REG_getval","HKEY_USERS\S-1-5-21-1325780520-25236661-3167418138-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation","type:0x00000000 datalen:0 data:","0x00000000 [操作成功完成。 ]",""
16:04:59:700,"lock.exe","18528:16216","18528","REG_setval","HKEY_USERS\S-1-5-21-1325780520-25236661-3167418138-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation","type:0x00000004 datalen:4 data:'01 00 00 00 ' ","0x00000000 [操作成功完成。 ]",""
16:04:59:700,"lock.exe","18528:16216","18528","REG_getval","HKEY_USERS\S-1-5-21-1325780520-25236661-3167418138-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableChangePassword","type:0x00000000 datalen:0 data:","0x00000000 [操作成功完成。 ]",""
16:04:59:700,"lock.exe","18528:16216","18528","REG_setval","HKEY_USERS\S-1-5-21-1325780520-25236661-3167418138-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableChangePassword","type:0x00000004 datalen:4 data:'01 00 00 00 ' ","0x00000000 [操作成功完成。 ]",""
16:04:59:700,"lock.exe","18528:16216","18528","REG_getval","HKEY_USERS\S-1-5-21-1325780520-25236661-3167418138-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableSwitchUserOption","type:0x00000000 datalen:0 data:","0x00000000 [操作成功完成。 ]",""
16:04:59:700,"lock.exe","18528:16216","18528","REG_setval","HKEY_USERS\S-1-5-21-1325780520-25236661-3167418138-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableSwitchUserOption","type:0x00000004 datalen:4 data:'01 00 00 00 ' ","0x00000000 [操作成功完成。 ]",""
16:04:59:700,"lock.exe","18528:16216","18528","REG_getval","HKEY_USERS\S-1-5-21-1325780520-25236661-3167418138-1001\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoChangeStartMenu","type:0x00000000 datalen:0 data:","0x00000000 [操作成功完成。 ]",""
16:04:59:700,"lock.exe","18528:16216","18528","REG_setval","HKEY_USERS\S-1-5-21-1325780520-25236661-3167418138-1001\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoChangeStartMenu","type:0x00000004 datalen:4 data:'01 00 00 00 ' ","0x00000000 [操作成功完成。 ]",""
16:04:59:700,"lock.exe","18528:16216","18528","REG_getval","HKEY_USERS\S-1-5-21-1325780520-25236661-3167418138-1001\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose","type:0x00000000 datalen:0 data:","0x00000000 [操作成功完成。 ]",""
16:04:59:700,"lock.exe","18528:16216","18528","REG_setval","HKEY_USERS\S-1-5-21-1325780520-25236661-3167418138-1001\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose","type:0x00000004 datalen:4 data:'01 00 00 00 ' ","0x00000000 [操作成功完成。 ]",""
16:04:59:700,"lock.exe","18528:16216","18528","REG_getval","HKEY_USERS\S-1-5-21-1325780520-25236661-3167418138-1001\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff","type:0x00000000 datalen:0 data:","0x00000000 [操作成功完成。 ]",""
16:04:59:700,"lock.exe","18528:16216","18528","REG_setval","HKEY_USERS\S-1-5-21-1325780520-25236661-3167418138-1001\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff","type:0x00000004 datalen:4 data:'01 00 00 00 ' ","0x00000000 [操作成功完成。 ]",""
16:04:59:701,"lock.exe","18528:16216","18528","REG_getval","HKEY_USERS\S-1-5-21-1325780520-25236661-3167418138-1001\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun","type:0x00000000 datalen:0 data:","0x00000000 [操作成功完成。 ]",""
16:04:59:701,"lock.exe","18528:16216","18528","REG_setval","HKEY_USERS\S-1-5-21-1325780520-25236661-3167418138-1001\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun","type:0x00000004 datalen:4 data:'01 00 00 00 ' ","0x00000000 [操作成功完成。 ]",""
16:04:59:701,"lock.exe","18528:16216","18528","REG_getval","HKEY_USERS\S-1-5-21-1325780520-25236661-3167418138-1001\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders","type:0x00000000 datalen:0 data:","0x00000000 [操作成功完成。 ]",""
16:04:59:701,"lock.exe","18528:16216","18528","REG_setval","HKEY_USERS\S-1-5-21-1325780520-25236661-3167418138-1001\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders","type:0x00000004 datalen:4 data:'01 00 00 00 ' ","0x00000000 [操作成功完成。 ]",""
16:04:59:701,"lock.exe","18528:0","18528","FILE_open","C:\Windows\SysWOW64\windows.storage.dll","access:0x00100021 alloc_size:0 attrib:0x00000000 share_access:0x00000005 disposition:0x00000001 options:0x00000060 ","0x00000000 [操作成功完成。 ]",""
16:04:59:701,"lock.exe","18528:0","18528","FILE_open","C:\Windows\SysWOW64\WinTypes.dll","access:0x00100021 alloc_size:0 attrib:0x00000000 share_access:0x00000005 disposition:0x00000001 options:0x00000060 ","0x00000000 [操作成功完成。 ]",""
16:05:13:795,"unlock.exe","15872:0","15872","EXEC_destroy","P:\Program Files (x86)\eachinacoreframe\resources\keyboard\unlock.exe","parent_pid:19780 cmdline:'""P:\Program Files (x86)\eachinacoreframe\resources\keyboard\unlock.exe"" ' ","0x00000000 [操作成功完成。 ]",""
16:05:14:064,"lock.exe","18528:16216","18528","REG_getval","HKEY_USERS\S-1-5-21-1325780520-25236661-3167418138-1001\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme","type:0x00000000 datalen:0 data:","0x00000000 [操作成功完成。 ]",""
16:05:14:087,"lock.exe","18528:16216","18528","REG_getval","HKEY_USERS\S-1-5-21-1325780520-25236661-3167418138-1001\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme","type:0x00000000 datalen:0 data:","0x00000000 [操作成功完成。 ]",""
16:05:15:377,"unlock.exe","23844:0","23844","EXEC_create","P:\Program Files (x86)\eachinacoreframe\resources\keyboard\unlock.exe","parent_pid:19780 cmdline:'""P:\Program Files (x86)\eachinacoreframe\resources\keyboard\unlock.exe"" ' image_base:0x00000000009A0000 image_size:0x00010000 ","0x00000000 [操作成功完成。 ]",""
16:05:15:378,"unlock.exe","23844:1252","23844","REG_getval","HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CodePage\ACP","type:0x00000000 datalen:0 data:","0x00000000 [操作成功完成。 ]",""
16:05:15:378,"unlock.exe","23844:1252","23844","REG_getval","HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CodePage\OEMCP","type:0x00000000 datalen:0 data:","0x00000000 [操作成功完成。 ]",""
16:05:15:380,"unlock.exe","23844:1252","23844","REG_getval","HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wow64\x86\","type:0x00000000 datalen:0 data:","0x00000000 [操作成功完成。 ]",""
16:05:15:380,"unlock.exe","23844:1252","23844","REG_getval","HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CodePage\ACP","type:0x00000000 datalen:0 data:","0x00000000 [操作成功完成。 ]",""
16:05:15:380,"unlock.exe","23844:1252","23844","REG_getval","HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CodePage\OEMCP","type:0x00000000 datalen:0 data:","0x00000000 [操作成功完成。 ]",""
16:05:15:383,"unlock.exe","23844:1252","23844","REG_getval","HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\FileSystem\LongPathsEnabled","type:0x00000000 datalen:0 data:","0x00000000 [操作成功完成。 ]",""
16:05:15:393,"unlock.exe","23844:1252","23844","REG_getval","HKEY_USERS\S-1-5-21-1325780520-25236661-3167418138-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskmgr","type:0x00000000 datalen:0 data:","0x00000000 [操作成功完成。 ]",""
16:05:15:393,"unlock.exe","23844:1252","23844","REG_setval","HKEY_USERS\S-1-5-21-1325780520-25236661-3167418138-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskmgr","type:0x00000004 datalen:4 data:'00 00 00 00 ' ","0x00000000 [操作成功完成。 ]",""
16:05:15:393,"unlock.exe","23844:1252","23844","REG_getval","HKEY_USERS\S-1-5-21-1325780520-25236661-3167418138-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation","type:0x00000000 datalen:0 data:","0x00000000 [操作成功完成。 ]",""
16:05:15:394,"unlock.exe","23844:1252","23844","REG_setval","HKEY_USERS\S-1-5-21-1325780520-25236661-3167418138-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation","type:0x00000004 datalen:4 data:'00 00 00 00 ' ","0x00000000 [操作成功完成。 ]",""
16:05:15:395,"unlock.exe","23844:1252","23844","REG_getval","HKEY_USERS\S-1-5-21-1325780520-25236661-3167418138-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableChangePassword","type:0x00000000 datalen:0 data:","0x00000000 [操作成功完成。 ]",""
16:05:15:395,"unlock.exe","23844:1252","23844","REG_setval","HKEY_USERS\S-1-5-21-1325780520-25236661-3167418138-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableChangePassword","type:0x00000004 datalen:4 data:'00 00 00 00 ' ","0x00000000 [操作成功完成。 ]",""
16:05:15:395,"unlock.exe","23844:1252","23844","REG_getval","HKEY_USERS\S-1-5-21-1325780520-25236661-3167418138-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableSwitchUserOption","type:0x00000000 datalen:0 data:","0x00000000 [操作成功完成。 ]",""
16:05:15:395,"unlock.exe","23844:1252","23844","REG_setval","HKEY_USERS\S-1-5-21-1325780520-25236661-3167418138-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableSwitchUserOption","type:0x00000004 datalen:4 data:'00 00 00 00 ' ","0x00000000 [操作成功完成。 ]",""
16:05:15:395,"unlock.exe","23844:1252","23844","REG_getval","HKEY_USERS\S-1-5-21-1325780520-25236661-3167418138-1001\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoChangeStartMenu","type:0x00000000 datalen:0 data:","0x00000000 [操作成功完成。 ]",""
16:05:15:395,"unlock.exe","23844:1252","23844","REG_setval","HKEY_USERS\S-1-5-21-1325780520-25236661-3167418138-1001\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoChangeStartMenu","type:0x00000004 datalen:4 data:'00 00 00 00 ' ","0x00000000 [操作成功完成。 ]",""
16:05:15:395,"unlock.exe","23844:1252","23844","REG_getval","HKEY_USERS\S-1-5-21-1325780520-25236661-3167418138-1001\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose","type:0x00000000 datalen:0 data:","0x00000000 [操作成功完成。 ]",""
16:05:15:395,"unlock.exe","23844:1252","23844","REG_setval","HKEY_USERS\S-1-5-21-1325780520-25236661-3167418138-1001\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose","type:0x00000004 datalen:4 data:'00 00 00 00 ' ","0x00000000 [操作成功完成。 ]",""
16:05:15:395,"unlock.exe","23844:1252","23844","REG_getval","HKEY_USERS\S-1-5-21-1325780520-25236661-3167418138-1001\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff","type:0x00000000 datalen:0 data:","0x00000000 [操作成功完成。 ]",""
16:05:15:395,"unlock.exe","23844:1252","23844","REG_setval","HKEY_USERS\S-1-5-21-1325780520-25236661-3167418138-1001\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff","type:0x00000004 datalen:4 data:'00 00 00 00 ' ","0x00000000 [操作成功完成。 ]",""
16:05:15:395,"unlock.exe","23844:1252","23844","REG_getval","HKEY_USERS\S-1-5-21-1325780520-25236661-3167418138-1001\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun","type:0x00000000 datalen:0 data:","0x00000000 [操作成功完成。 ]",""
16:05:15:395,"unlock.exe","23844:1252","23844","REG_setval","HKEY_USERS\S-1-5-21-1325780520-25236661-3167418138-1001\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun","type:0x00000004 datalen:4 data:'00 00 00 00 ' ","0x00000000 [操作成功完成。 ]",""
16:05:15:395,"unlock.exe","23844:1252","23844","REG_getval","HKEY_USERS\S-1-5-21-1325780520-25236661-3167418138-1001\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders","type:0x00000000 datalen:0 data:","0x00000000 [操作成功完成。 ]",""
16:05:15:395,"unlock.exe","23844:1252","23844","REG_setval","HKEY_USERS\S-1-5-21-1325780520-25236661-3167418138-1001\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders","type:0x00000004 datalen:4 data:'00 00 00 00 ' ","0x00000000 [操作成功完成。 ]",""
16:05:15:395,"unlock.exe","23844:0","23844","FILE_open","C:\Windows\SysWOW64\uxtheme.dll","access:0x00100021 alloc_size:0 attrib:0x00000000 share_access:0x00000005 disposition:0x00000001 options:0x00000060 ","0x00000000 [操作成功完成。 ]",""
16:05:15:398,"unlock.exe","23844:1252","23844","REG_getval","HKEY_USERS\S-1-5-21-1325780520-25236661-3167418138-1001\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme","type:0x00000000 datalen:0 data:","0x00000000 [操作成功完成。 ]",""
16:05:15:398,"unlock.exe","23844:0","23844","FILE_open","C:\Windows\SysWOW64\windows.storage.dll","access:0x00100021 alloc_size:0 attrib:0x00000000 share_access:0x00000005 disposition:0x00000001 options:0x00000060 ","0x00000000 [操作成功完成。 ]",""
16:05:15:398,"unlock.exe","23844:0","23844","FILE_open","C:\Windows\SysWOW64\WinTypes.dll","access:0x00100021 alloc_size:0 attrib:0x00000000 share_access:0x00000005 disposition:0x00000001 options:0x00000060 ","0x00000000 [操作成功完成。 ]",""
16:05:15:699,"lock.exe","18528:0","18528","FILE_modified","P:\Program Files (x86)\eachinacoreframe\resources\keyboard\keyboardhook.log","","0x00000000 [操作成功完成。 ]",""
16:05:15:703,"unlock.exe","23844:0","23844","EXEC_destroy","P:\Program Files (x86)\eachinacoreframe\resources\keyboard\unlock.exe","parent_pid:19780 cmdline:'""P:\Program Files (x86)\eachinacoreframe\resources\keyboard\unlock.exe"" ' ","0x00000000 [操作成功完成。 ]",""
16:05:15:705,"lock.exe","18528:0","18528","EXEC_destroy","P:\Program Files (x86)\eachinacoreframe\resources\keyboard\lock.exe","parent_pid:19780 cmdline:'""P:\Program Files (x86)\eachinacoreframe\resources\keyboard\lock.exe"" ' ","0x00000000 [操作成功完成。 ]",""
Its concrete operations are (items marked "?" are uncertain):
- Disable Task Manager
- Disable locking the workstation
- Disable changing the password
- Disable switching users (?)
- Disable changing the Start menu (?)
- Disable the power menu
- Disable logging off (?)
- Disable the Win+R Run dialog
- Disable folder settings (?)
It can also disable keys such as Ctrl, which is presumably implemented with a keyboard hook (the log shows it writing a keyboardhook.log file right after start-up). Hiding the Start menu is probably done by calling the ShowWindow() function from winuser.h.
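To derive the policy list above from the raw capture mechanically, here is an added Python example (not code from the original post or from the product) that parses rows in the lock.csv layout, decodes the little-endian REG_DWORD payload of each REG_setval under a Policies key, and reports which values one process switched on and another later switched off. The embedded rows are a constructed excerpt of the log, with the user SID shortened to S-1-5-21-X.

```python
import csv
import io
import re
import struct

# Constructed excerpt in the same column layout as lock.csv (the real capture
# has many more rows). SID shortened to S-1-5-21-X for readability.
SAMPLE_LOG = r"""时间,进程名,进程ID,任务组ID,动作,路径,参数,结果,
16:04:58:012,"lock.exe","18528:16216","18528","REG_getval","HKEY_USERS\S-1-5-21-X\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskmgr","type:0x00000000 datalen:0 data:","0x00000000 [操作成功完成。 ]",""
16:04:59:699,"lock.exe","18528:16216","18528","REG_setval","HKEY_USERS\S-1-5-21-X\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskmgr","type:0x00000004 datalen:4 data:'01 00 00 00 ' ","0x00000000 [操作成功完成。 ]",""
16:04:59:701,"lock.exe","18528:16216","18528","REG_setval","HKEY_USERS\S-1-5-21-X\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun","type:0x00000004 datalen:4 data:'01 00 00 00 ' ","0x00000000 [操作成功完成。 ]",""
16:05:15:393,"unlock.exe","23844:1252","23844","REG_setval","HKEY_USERS\S-1-5-21-X\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskmgr","type:0x00000004 datalen:4 data:'00 00 00 00 ' ","0x00000000 [操作成功完成。 ]",""
16:05:15:395,"unlock.exe","23844:1252","23844","REG_setval","HKEY_USERS\S-1-5-21-X\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun","type:0x00000004 datalen:4 data:'00 00 00 00 ' ","0x00000000 [操作成功完成。 ]",""
"""

# Column names for the eight meaningful CSV fields (the trailing comma in the
# header yields a ninth, always-empty field that we ignore).
COLUMNS = ("time", "process", "tid", "group", "action", "path", "args", "result")
DATA_RE = re.compile(r"data:'([0-9A-Fa-f ]*)'")
POLICY_MARK = "\\Policies\\"


def parse_events(text):
    """Parse the behaviour log into dicts keyed by COLUMNS; the header row is skipped."""
    rows = list(csv.reader(io.StringIO(text)))
    return [dict(zip(COLUMNS, row)) for row in rows[1:] if len(row) >= len(COLUMNS)]


def decode_dword(args):
    """Decode the REG_DWORD bytes of a "data:'01 00 00 00 '" field (little-endian)."""
    m = DATA_RE.search(args)
    if not m or not m.group(1).strip():
        return None  # REG_getval rows carry no data payload
    raw = bytes.fromhex(m.group(1).replace(" ", ""))
    if len(raw) != 4:
        return None
    return struct.unpack("<I", raw)[0]


def policy_writes(text):
    """Return {process: {value_name: dword}} for every REG_setval under a Policies key."""
    writes = {}
    for ev in parse_events(text):
        if ev["action"] != "REG_setval" or POLICY_MARK not in ev["path"]:
            continue
        value = decode_dword(ev["args"])
        if value is None:
            continue
        name = ev["path"].rsplit("\\", 1)[1]
        writes.setdefault(ev["process"], {})[name] = value
    return writes


def toggled_policies(text):
    """Policy values that one process set to non-zero and another process set back to 0."""
    writes = policy_writes(text)
    enabled = {n for p in writes for n, v in writes[p].items() if v}
    restored = {n for p in writes for n, v in writes[p].items() if v == 0}
    return sorted(enabled & restored)


if __name__ == "__main__":
    for proc, values in policy_writes(SAMPLE_LOG).items():
        print(proc, values)
    print("toggled:", toggled_policies(SAMPLE_LOG))
```

Feed the full lock.csv to policy_writes() and every key in the list above appears under lock.exe with value 1 and under unlock.exe with value 0, which is also what a defender would revert if unlock.exe were unavailable.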
Conclusion
That concludes the analysis of the application. A way to defeat lock.exe is still under consideration.