by userbinator
4221 days ago
detekt.exe imports the "ntohl" function from WS2_32.DLL, which shouldn't be a cause for concern, but then shortly after startup it does spawn another instance of itself, which listens... Debugging into the child process, I set a breakpoint on all of ws2_32.dll's functions and resume, leading to this:

0350F024 012D4110 /CALL to socket from _socket.012D410A
0350F028 00000002 |Family = AF_INET
0350F02C 00000001 |Type = SOCK_STREAM
0350F030 00000000 \Protocol = IPPROTO_IP
0350F034 012DBAD8 _socket.012DBAD8
0350F038 02D93610
0350F03C 00000000
0350F040 00000001
0350F044 00000002
0350F048 1E0C18A8 RETURN to python27.1E0C18A8

This leads back to _socket.pyd, sip.pyd, and eventually QtCore4.dll. Tracing a bit further, I see what's happening: it starts a local Python web server in order to serve the main dialog of the application, the one with the language selector, which is an HTML page embedded in a browser control. No wonder it hung when you denied the connection and showed a blank frame. If you let it continue and figure out where it's listening, you can actually visit the page in your web browser and see the program's dialog. One of the most convoluted ways to display a dialog I've ever seen, and probably worth a "WTF?", but I don't think it's intended to be malicious. The developer could've handled this a bit better, that's for sure.
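To make the pattern described above concrete, here is an added example (not detekt's code and not from the commenter): a local Python HTTP server serving an embedded dialog page on an ephemeral port, plus the check a reviewer would want, namely whether the listener is bound to loopback only. The names DIALOG_HTML, start_dialog_server, audit_bind and fetch_dialog are this example's own.

```python
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the embedded language-selector page.
DIALOG_HTML = b"<html><body><select id='lang'><option>en</option></select></body></html>"


class DialogHandler(BaseHTTPRequestHandler):
    """Serves the dialog HTML that an embedded browser control would load."""

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(DIALOG_HTML)))
        self.end_headers()
        self.wfile.write(DIALOG_HTML)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_dialog_server(host="127.0.0.1"):
    """Bind to an ephemeral port (port 0) and serve in a daemon thread."""
    server = HTTPServer((host, 0), DialogHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def audit_bind(server):
    """Return (loopback_only, host, port). A dialog server that only the
    embedded browser control should reach must bind to loopback; bound to
    0.0.0.0 it is reachable by any host that can reach the machine."""
    host, port = server.server_address[:2]
    return host.startswith("127."), host, port


def fetch_dialog(server):
    """What 'visiting the page in your web browser' amounts to."""
    host, port = server.server_address[:2]
    with urllib.request.urlopen(f"http://{host}:{port}/") as resp:
        return resp.read()


if __name__ == "__main__":
    srv = start_dialog_server()
    loopback_only, host, port = audit_bind(srv)
    print(f"dialog server on {host}:{port}, loopback-only={loopback_only}")
    print(fetch_dialog(srv)[:40])
    srv.shutdown()
    srv.server_close()
```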
Consider that the majority of the people who aim to download and use this THING are those who do something against their government's red lines. This is quite enough to make this THING a good Trojan horse for hiding anything that can track/detect (detekt!?) an activist. Serving the main dialog of the application may be merely a camouflage for other uses of Python inside the file.
Any idea?