background
Before there is a business need, grab personal information (authorized) user at the bank. However, due to security controls, the program can not be entered in the password box, making it impossible to crawl.
Bank water, in terms of net loan platform that is very important to credit data. I know, there is better control of reptiles for the security issues headache, and even have a special outsourcing, to find a solution.
I did try various search and found that most methods are ineffective. But bank credit data collection, and indeed some platforms are doing, it shows that this problem can be broken, and that there is nothing to worry about, and little by little to Jing Xiaxin.
This article share some relevant information, but not disclose specific solutions. Presumably for many people it can be considered a well-being posted.
First on several papers.
"Keyboard input Security Studies" (link: https://pan.baidu.com/s/1Vu4k7EkCz3LkI0ulvkopMg Password: p7fa)
, "Development Bank online payment" (link: https://pan.baidu.com/s/1dLK_v2UW- oNEHfEnF-yY5Q password: qmy9)
"drive mount the invasion of online banking and the corresponding defense style" (link: https://pan.baidu.com/s/1w1J0KRQWMPVJOMEoKxKghg password: iyry)
"WDM-based multi-function mouse and keyboard driven design and Implementation "(link: https://pan.baidu.com/s/1ED3NQZRpsdzwxvCzgJiovw password: shf7)
text
I try
First you should know that security controls will certainly make an encrypted password. Bank security encryption level is basically not a direct positive break, so the simulation directly on the browser bar. However, in the password box, webdriver key input by a variety of positions are invalid. Doubts began. .
Think, security controls is a separate exe installed on the system, it may be called something other than the password of the browser, so the browser layer analog input is invalid. It would change the system-level analog input bar. Come, python call winAPI Interface Analog keyboard input, invalid; QuickMacro invalid.
Strange, again. Screen keyboard, invalid. I usually use the two computers, shared between mouse and keyboard with mousewithoutborders. Found that direct keyboard input stage function, but can not enter another machine, the password input box, how did not press Enter.
Well, monitored by the keyboard hook keyboard input about it. Found normal password, to monitor the character becomes empty. It seems encryption controls before the hook layer to move the hands and feet.
I have seen the control of the white paper, how to say how, indeed these are HOOK off, I have tried. Indeed nothing works. The industry said that some people use JS to solve, this person I do not know that you are my gods, NB, NB, heard about them.
Seek reasons
The above is the warm-up operation started. Searching for keyboard input before a key transfer process, then the search function (purpose) security controls and implementation principle.
Baidu Google search easily get, I will not say. Here we mention some of the more critical content.
Windows operating system, PS / 2 keyboard input process information transmitted as follows:
1) The user hits a key, when a key is pressed, the keyboard sends a corresponding electrical signal to the motherboard of a computer keyboard controller (the i8042);
2) the controller telling the CPU that the keyboard key is pressed while the key information is written in the form of the keyboard scan code keyboard I / O ports (port save key scan codes 0x60, 0x64 port keyboard controller state record), and generates a terminal requests IRQ1;
. 3) found in the operating system corresponding to the IRQ1 interrupt number (normally is 0x93) IOAPIC the relocation table, the address of the interrupt handler corresponding to the interrupt to look up the interrupt vector table in accordance with (the IDT), interrupt handler was called Routine (ISR) for processing; the ISR read port 0x60 keyboard scan codes, and convert them into a system scan code package IO request packet (IRP) containing key information, the IRP sent to the keyboard port driver (PS / 2 keyboard prt.sys port driver is the i8042);
. 4) driving the keyboard port key information is sent to the keyboard class driver (Kdbclass.sys, all common types of keyboards);
5 The keyboard-type drive package key information to the system message sent csrss.exe, key information is first stored in the system message queue;
. 6) keystrokes Csrss.exe distributed to the respective application thread message queue;
7) focus window reads the program belongs to ASCII (if necessary, further passing through the input method editor processing IME) key information, and update the user interface from the call use32.dll thread message queue.
(Taken from the 2013 "keyboard to enter a security research")
Above, you can clearly see the flow transfer type PS / 2 keyboard. The bank's security controls, should be took data from the port Layer 2 encryption. In this case, we only need to query input characters keyboard scan codes, can be sent to the 60/64 port. In fact we found online most of the "simulated keyboard input drive level", are of this.
However, this is for a PS / 2 keyboard such terms. But at present only part of the old notebooks and desktops only retain PS / 2, it is now mainstream server only accepts USB keyboards. Therefore, the transmission port to the keyboard scan code in this way is not easy.
Come, and then look at the security control principle.
As shown above, the principle of protection AcitveX security control as follows:
1, when the user input focus positioned on security control, ready for password input, activate the corresponding security controls.
2, the user characters on the keyboard, to generate a corresponding electrical signal. The corresponding interrupt IRQ touch operating system.
3, the operating system calls the keyboard driver corresponding electrical signals to explain the character represented, and the corresponding data encryption. Driving out of character interpretation to the operating system message queue.
4, security controls received cipher text stored in the privacy controls within control, and then displays an asterisk (*) on the screen, and continue to stop the spread of characters.
5, when the user clicks on the login page submit button, security controls to be notified commit action. Dynamic security controls will be encrypted password is added to the page you want to submit the form, and then submit the form.
6, IE the form data to the server via the HTTPS channel, the corresponding processing.
Rely on Microsoft's driver, first get to the user mode and kernel mode upper viruses and Trojans (such as hook and tampering SSDT, system services API) to keyboard input, to prevent viruses and Trojans to get keyboard input. . .
Excerpt from the paper "Development Bank online payment", Zhangchun He, 2010.
Ah, no wonder I have used invalid API system and hook, the original security control before the data has been encrypted. Learn where encryption security controls that we have to simulate it before just fine. 3, the operating system calls the keyboard driver corresponding electrical signals to explain the character represented, and the corresponding data encryption. Windows system comes with keyboard driver for standard USB keyboard. But some special games like keyboard, often write their own keyboard driver, we can find the relevant development information. In addition, some gaming mouse and keyboard input on the requirements of high response, often as practice security controls as direct read out of the drive interpret the data. We just need to find the appropriate plug-ins, but also make some reference.
"Drive Mount online banking and the corresponding defense invasion mode", is monitored by the drive mount entered password. However, offense and defense is a game process, both of which are constantly in development, technology constantly updated. .
Epilogue
This is purely bullsh * t, I just did some technical sharing, I can not urge you climb Oh data bank.
Digression
Recently, the group said last year in a judgment documents, reptiles defendant, the legal year in prison.
Ah, another reptile case.
Zhashui it, check the eye in the sky advertising have done the subway, and a big wall advertising Intuit prestige; credit data synchronization service, is a few cents to a few dollars range, this water, this data. .
Zhashui it, reptiles engineers should not be limited to reptiles, can mess things safe, you play big data. Now we are in another climb, climb together, a personal data 100 a person we climb again, why bother. .
---------------------
Author: Nine tea
Source: CSDN
Original: https: //blog.csdn.net/Bone_ACE/article/details/80765299
Copyright: This article is a blogger original article, reproduced, please attach Bowen link!
---------------------
Thank the author: https://blog.csdn.net/Bone_ACE/article/details/80765299 .
If this approach proves follow. Plus write a manual robot (not so complicated), the future is the era of artificial intelligence, artificial intelligence face, there is a RPA, I feel powerless in vain that company, and now the RPA technology is almost like people do. You can also use the company's technology sandbox ANDROID version, as well as with the IOS Jailbreak IOS is waste. Bank XXXX any plug-ins, no matter what the technology, the whole process HOOK any part of any vain. Here the question is why the phone to be installed and escape the sandbox, the ghost chant. My own phone was only used these things in itself undermine the security system, if the destruction of the security system, what security is nonsense. My own phone Huawei old phone, my baby, not messing around.
Future together with image verification code and server, are not possible. There ah, used the RPA, together with AI, many free, or can do.
After it, do a little intelligence, voice level, then, go after it. It is a bottomless pit. . . . . Remember that as a last resort, do not do this road.
Leaders do companies need to do, you say no solution! As long as we unite technical self-confidence, it will protect and support to win. Establish a secure system.
I also tried to break the front, nor can not, you weigh it. But quite troublesome, the key change is also a plug out of the heavy, very difficult to find the key point.
[
Recently, the group said last year in a judgment documents, reptiles defendant, the legal year in prison. Ah, another reptile case. Zhashui it, check the eye in the sky advertising have done the subway, and a big wall advertising Intuit prestige; credit data synchronization service, is a few cents to a few dollars range, this water, this data. .
Zhashui it, reptiles engineers should not be limited to reptiles, can mess things safe, you play big data. Now we are in another climb, climb together, a personal data 100 a person we climb again, why bother.. ] And so on and so on the way, I do not agree. The following reasons:Thank you, but I do not agree, reptiles engineer innocent! Not a last resort, engineers, programmers will not do.
These are leaders such as head or for year-end awards, the company's profits to madness, in front of huge profits, even listed companies to participate in them, great leadership word, you do not do it, do get out, you still eat it? Engineers will not raise eight hundred years, do online banking reptile will not get a dime, but just to make a living.
As I see from the subway, advertising is the most funny, a lot of publicity in order to protect the rich celebrities ivory Please do not kill animals as ridiculous.
Ask: ordinary people will buy ivory chopsticks, you do gambling dice? Metro subway is poor, where to write to whom?
There are real estate heavyweights that you do not buy enough, advertising is to say, they can be exempt ivory chopsticks. ]
Our house was on the line snapping branches, squatting noodles, talk ye blanket, no money gambling, poker on the line. Is this world, I can not read. .
=========================================
Really a waste it? No, remember that no matter how good things can not prevent inner demons and greedy boss.
How to achieve, the landlord has to say. Involving sensitive information, technology is innocent, just to survive.
If the boss asks you to do, do not do technology should straighten backs! A knife forcing you to mix your mouth the way, remember do not say! This is for himself.
Many listed companies do such a thing, but the listing is to misappropriating, not a hacker software to play black obtain high-tech, shameless!
These are just bragging force. . . . . . . . Yesterday, I drank too much, poor health, only a glass of wine, to dream, to write down the dream is always so beautiful.