Cloud Control Configuration Ignore Switch: However, it was found that Sogou Input Method would ignore the global notification switch (ignore_sglb_switch), the local Sogou notification switch (ignore_sys_switch), and the Sogou Input Method settings switch (ignore_ime_switch) based on the configuration sent by Cloud Control (systoast_general_config_1), and it would also ignore the switches configured by users. In the actual test, it was found that if the switch in the system was turned off, the pop-up window could not be displayed.

In addition, the Cloud Control configuration obtained during the analysis did not contain the ignore_ime_switch field, indicating that the pop-up window switch provided by Sogou Input Method under the current Cloud Control configuration is effective.

Load the promotion module and call the entry point and cgbp export function: Subsequently, the decrypted promotion module is loaded into memory manually. After completing operations such as checking the PE header, performing section mapping, conducting relocation processing, repairing the import table, and modifying section permissions, the module entry point is called for initialization. Subsequently, the cgbp export function address is obtained by traversing the export functions, and the function is called, thereby entering the main logic of the promotion module.

Decrypt the promotion module: The downloaded brspgchange20250811x64_a.dat file has been encrypted. To decrypt it, you need to use the key (98c0b113a40fe1790d9e116d75dcfcff) in the cloud control configuration and the string "secret" to perform an exclusive-OR operation to generate a new key. Then, use this new key as the encryption key to decrypt the file using the AES algorithm in CBC mode.

Task information is saved to the registry: First, the seven key parameters in the cloud configuration are connected with underscores: task_body_md5, version, durings_s, cycle_c_s, count, probalility, no_active_s. These parameters are then subjected to MD5 hashing to obtain the MD5 value. Subsequently, the allowed_p, MD5 value, let_{current time}, during_{durings}, and remain_{remaining task execution count} (which is decremented by 1 each time a task is executed) are connected by semicolons, and the resulting string is written to the registry under the HKEY_CURRENT_USER\SOFTWARE\SystemTask key, in the task_{allowed_p} subkey.

1. First, read the task__{allowed_p} key in the HKEY_CURRENT_USER\SOFTWARE\SystemTask entry. If the key exists, read its let_{last_task_execution_time} and remain_{remaining_task_execution_counts} values for subsequent detection purposes.
2. Check whether the current time period falls within the allowed_t (allowed task execution time period). According to the cloud control configuration (0-28800; 43200-50400; 75600-86400), the time periods are 21:00 to 8:00 the next day and 12:00 to 14:00. This is likely to avoid working hours and prevent technical staff from replicating the phenomenon.
3. Use the GetLastInputInfo function to detect whether the user's inactivity time exceeds the no_active_s (inactivity time) threshold.
4. Obtain the remainder by dividing a random number by 100 and checking whether it is greater than the probability (probalility).
5. Check whether the remaining task execution count is greater than 0.
6. Verify whether the interval between the current time and the last task execution time exceeds the during_s (task execution interval) threshold.
7. Finally, save the tasvk information to the registry and start executing the task.

Setting Shiply SDK parameters: In the SGBizLauncher.exe program, the configuration will be retrieved via the Shiply SDK. Before this, parameters such as APPID, APPKEY, BundleID, and the application version need to be set. After testing, it was found that APPID and APPKEY are key parameters, which will determine the configuration retrieved.

Configuration retrieval source: Sogou Input Method will use the SGBizLauncher.exe program with the additional parameter -lappid=configupdate to retrieve the cloud control configuration. The SGBizLauncher.exe program will be executed by the input method component SogouPY.ime, with an execution interval of once every six hours. This input method component is a DLL file that will be loaded when the user switches to Sogou Input Method.

The PrintNightmare vulnerability can be understood as a bypass of the CVE-2021-1675 patch. This article takes the exploit provided in Mimikatz[3] as an example to analyze the vulnerability.

The PrintNightmare vulnerability exploited in Mimikatz uses another print service API: RpcAsyncAddPrinterDriver to bypass the permission check in the aforementioned patch. As shown in Figure 2, this API can also set a flag to increase APD_INSTALL_WARNED_DRIVER. Since this function does not add a verification process, it can perfectly bypass the subsequent bittest check and achieve malicious DLL loading and code execution.

黑客网络攻防联系；@comeblackgirl

Specifically, a permission check has been added to AddPrinterDriverEx. The key points are the three functions YIsElevated, YIsElevationRequered, and RunningAsLUA. When v12 == 0, v13 == 1, and v9 == 1, the 0x8000 in flag will be removed by the & operation, resulting in a failed permission verification when calling SplAddPrinterDriverEx later, which prevents the vulnerability from occurring.

The vulnerability occurs in the AddPrinterDriverEx function, which has three parameters. The third parameter is a flag with a special value that is not mentioned in the official documentation: APD_INSTALL_WARNED_DRIVER = 0x00008000. According to the code logic in Figure 1, before calling InternalAddPrinterDriverEx, the 0xf bit of the flag is checked by bittest. If the value is 1, the value of v12 will still be 0, allowing you to bypass the Access check in line 24 and successfully call InternalAddPrinterDriverEx.