A technical analysis of the Chinese 'Green Dam Youth-Escort' censorship software

From WikiLeaks


June 10, 2009

The Green Dam censorship/spy software is mandated to be installed on all Chinese personal computers sold as of July 1, 2009.[1]

A Technical Analysis of the 'Green Dam-Youth Escort' Software

A collaborative work
June, 2009


About


Green Dam-Youth Escort is the marketed product name of the Jinhui Expert System for Blocking Pornographic Images and Harmful Information (金惠堵截黄色图像和不良信息专家系统), the expert system from Jinhui Technologies that blocks pornographic images and other "harmful" information.

Jinhui Expert System for Blocking Pornographic Images and Harmful Information V2.51
Project Director: Zhao Huiqin
Technical Director: Zhou Hui
Chief Designer: Tang Huaili
Planning Manager: He Hongjie
Project Engineers: Li Bicheng, Cao Wen, Peng Tianqiang, Zhong Sheng, Li Xiaohe, Li Yang, Li Shujin, Huang Liang, Zhang Wenzhong
Testing: Mary Ma, Sharon Zhang, Dong Juan
Documentation: Zhang Chenmin, Liu Yu, Biddle Zhang
Systems Support: Wu Chaoyang, Xuan Juan, Liu Yishan, Ding Min
Jinhui Technologies, copyright (c) 2005, all rights reserved. http://www.zzjinhui.com ©2009 Jinhui Technologies. All Rights Reserved.

1) Ministry of Public Security information security product sales license (No. XKC30492)
2) Approved by the National Development and Reform Commission (NDRC Circular [2004] No. 2040) and listed as a "Major Software Industrialization Project", the only approved filtering software project of its kind nationwide
3) Approved by the Ministry of Science and Technology (MOST Circular [2004] No. 449) for "Technological Innovation Fund" funding
4) Approved by the Ministry of Information Industry (MII Circular [2005] No. 9) for "Electronic Information Industry Development Fund" funding
The only product officially recommended by the China Internet Illegal Information Reporting Center (net.china.cn)
Gold Award at the Ninth China International Software Expo
Gold Award at the 2005 Zhengzhou Advanced Applicable Technology Trade Fair
First prize for technological advancement from Zhengzhou City
Jinhui Marketing Service Center: 0371-63697160, 63697161
Fax: 0371-63697171





Objectives and functions

With the Ministry of Industry and Information Technology, the Ministry of Education, the Ministry of Finance and the State Council Information Office as partners, Green Dam currently offers Family, Manufacturer (OEM), Channel, Internet Cafe and Campus editions (after comparison, the Family and Campus editions were found to be completely identical; no "Official" edition was found).

Stated features: for minors aged 10 to 16, filtering of pornographic images, pornographic content and violent content.
Latent features: filtering of political content? Filtering of anti-censorship software (such as Wujie)?

There is also a Green Dam Network Edition, which can be downloaded from http://www.zzjinhui.com/down/newServerCard.rar (.rar).

Applicability

Although the product's stated target is minors aged 10 to 16, the machines it is installed on are chosen with no selectivity: by default the product assumes that every machine it is installed on is used by a minor. At present the product is offered only for Windows; it works with Internet Explorer and Google Chrome (because Chrome uses the system's network settings) and has no effect on Firefox. The harmful information the software blocks includes political and current-affairs content. The software does not install the way ordinary software does, is ineffective in Firefox, and closes the browser and adds the address to its blacklist without any confirmation. In Internet Explorer its classification of clearly political "harmful information" is unstable, while its classification of pornographic "harmful information" pages is relatively accurate. After switching to Firefox, the software shows no response.

Compatibility list currently supported by the product

No.  Item                       Compatibility  Notes
Operating systems
1    Windows 98                 compatible     on-screen text monitoring not supported
2    Windows 2000               compatible
3    Windows XP                 compatible
4    Windows Vista              compatible     installation, upgrade and uninstall require administrator privileges
Browsers
1    Internet Explorer 6.0/7.0  compatible
2    Opera 9.5                  compatible
3    Firefox 2.0                compatible
4    Netscape 9.0               compatible
5    Tencent Traveler 3.0       compatible
6    Maxthon 2.0                compatible
Office software
1    Microsoft Office 2003      compatible
2    Kingsoft WPS 2007          compatible
3    Evermore Office 2007       compatible
Anti-virus software
1    Kaspersky 6/7              compatible
2    Rising 19                  compatible
3    Jiangmin 2008              compatible
4    Norton 2008                compatible
5    McAfee 2008                compatible



Technical architecture analysis

All of "Green Dam-Youth Escort"'s files are installed in the system directory (windows/system32). The program menu provides no uninstall entry; the uninstall function was later found in a menu inside the main program. When Green Dam's image filtering function is enabled, the software automatically clears the browser cache.

The file xstring.s2g in the Windows directory stores the installation paths of all of the software's files.

Modules loaded at runtime:
Driver: C:\Windows\system32\Drivers\mgtaki.sys
Service: C:\Windows\MPSvcC.exe
Startup item: C:\Windows\system32\xnet2.exe



Green Dam converts the password with the MD5 algorithm and stores it as text in the file kwpwf.dll in the C:\WINDOWS\system32 directory. Opening that file in Notepad, replacing its content with "D0970714757783E6CF17B26FB8E2298F" and saving restores the password to the initial password "112233".
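The storage scheme described above has two separate weaknesses: the file is writable by anyone who can edit files in system32, so its contents can be overwritten whatever they hold, and the value itself is an unsalted MD5 of the password, so one fixed string serves as the reset value on every installation. The following is an added example (not Green Dam's code, not from the analysis' authors); it checks the second claim, that the quoted value is simply MD5("112233"), and contrasts it with a salted PBKDF2 record (my assumption for a hardened scheme: PBKDF2-HMAC-SHA256, 16-byte random salt, 200,000 iterations), where two installs with the same password no longer share a stored value. Hashing changes alone do nothing about the writable file.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# The value the analysis above reports writing into kwpwf.dll to reset the password.
PAGE_RESET_VALUE = "D0970714757783E6CF17B26FB8E2298F"

def legacy_store(password: str) -> str:
    """Stored form the analysis describes: unsalted MD5 of the password as
    upper-case hex text (assumption: ASCII/UTF-8 input, no trailing newline)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest().upper()

def page_value_is_md5_of(password: str) -> bool:
    """Check the page's claim that the reset value is the plain MD5 of a fixed password."""
    return hmac.compare_digest(legacy_store(password), PAGE_RESET_VALUE)

# Hardened alternative (my assumption, not anything Green Dam does): PBKDF2-HMAC-SHA256
# with a random per-installation salt and a work factor.
ITERATIONS = 200_000

def hardened_store(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scheme$iterations$salt_hex$derived_key_hex."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"

def hardened_verify(password: str, record: str) -> bool:
    """Re-derive with the salt and iteration count stored in the record; constant-time compare."""
    try:
        scheme, iters, salt_hex, dk_hex = record.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

def same_input_same_record(password: str) -> Tuple[bool, bool]:
    """Legacy scheme: every install with this password stores identical text, so one
    lookup table (or one reset value) serves all of them. Hardened scheme: two installs
    store different records because each draws its own salt."""
    return (legacy_store(password) == legacy_store(password),
            hardened_store(password) == hardened_store(password))
```

The constant-time comparison matters less here than the salt, but a verifier that compares hex strings with `==` leaks timing information, so the example uses `hmac.compare_digest` in both paths.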

One line in Green Dam's configuration file xnet2_lang.ini reads "AOption0_1117=发现不良网站自动向金惠公司报告" ("automatically report discovered harmful websites to Jinhui"). The file filtport.dat in system32, whose default content is "FreeGate/8567/tcp Urf/9666/tcp", is Green Dam's filter file.

Green Dam updates automatically over the network; the update address is http://www.zzjinhui.com/softpatch/, which also contains a picture of a woman, http://www.zzjinhui.com/softpatch/Image0.jpg, for an unknown purpose. After analysis by Internet users, the file http://www.zzjinhui.com/softpatch/kwupdate.dat was found to be related to the blocked keywords and URLs. Two IP addresses are involved: 211.161.1.134 and 203.171.236.231; the second points to Zhengzhou Jing'an Computer Network Technology Co. Ltd. in Henan Province (zzidc.com.cn).



Usage testing and algorithm analysis

Through actual testing and user feedback, Green Dam's ability to deliver its stated functions turns out to be weak, while at every level it includes many functions that were never stated. Some users' experiences and discussion:

Image filtering

The image detection process takes image data from the queue of images awaiting inspection, first normalizes the image size, then separates skin-coloured regions from non-skin regions. After analysing the relationships among the skin-coloured regions to remove noise, it extracts the regions' features and feeds them to a trained SVM classifier. An image classified as pornographic is then passed to a face detector; if a face is not the main component, the image is confirmed as pornographic. The main problem with this algorithm is that recognition of pornographic images depends heavily on skin colour and the shape of skin-coloured regions; the final weighted decision using face detection is merely a manual patch to stop large faces from being classified as pornography, and the reliability of the empirical weights has not been verified.
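To make the skin-colour dependency concrete, here is an added example (my own code, not Green Dam's and not from the analysis) of the pipeline's skeleton: normalize the image, measure the skin-coloured area with a fixed RGB rule, flag when skin dominates, and apply the face override. The SVM is replaced by a plain threshold and the Haar face detector by a `face_share` parameter, both assumptions; the skin rule is the Kovac et al. RGB rule for daylight illumination, which I use only as a stand-in for whatever colour model the product actually applies. The constructed images show the failure mode the text describes: a flat beige wall with no person in it is flagged, and the verdict flips purely on the face parameter.

```python
from typing import List, Tuple

Pixel = Tuple[int, int, int]
Image = List[List[Pixel]]

def is_skin_rgb(px: Pixel) -> bool:
    """Kovac et al. RGB skin rule (daylight illumination). Assumption: a stand-in
    for whatever colour model Green Dam really uses."""
    r, g, b = px
    return (r > 95 and g > 40 and b > 20
            and max(r, g, b) - min(r, g, b) > 15
            and abs(r - g) > 15 and r > g and r > b)

def normalize(img: Image, size: int = 8) -> Image:
    """Nearest-neighbour resize to size x size: the 'normalize image size' step."""
    h, w = len(img), len(img[0])
    return [[img[y * h // size][x * w // size] for x in range(size)]
            for y in range(size)]

def skin_fraction(img: Image) -> float:
    """Share of pixels the colour rule calls skin, measured on the normalized image."""
    small = normalize(img)
    pixels = [p for row in small for p in row]
    return sum(1 for p in pixels if is_skin_rgb(p)) / len(pixels)

def classify(img: Image, face_share: float = 0.0,
             skin_threshold: float = 0.5) -> str:
    """Simplified decision: flag when skin dominates, unless a face dominates the
    skin region. face_share stands in for the Haar face detector's output
    (assumption); the SVM stage is replaced by a plain threshold."""
    if skin_fraction(img) < skin_threshold:
        return "clean"
    if face_share > 0.5:      # the 'face override' patch described in the text
        return "clean"
    return "flagged"

def solid(colour: Pixel, h: int = 16, w: int = 16) -> Image:
    """Constructed test image: one flat colour."""
    return [[colour] * w for _ in range(h)]

BEIGE_WALL = solid((220, 180, 140))   # constructed: skin-coloured wall, nobody in it
BLUE_SKY = solid((90, 150, 220))      # constructed: no skin tones at all
```

Any real skin-colour detector is more elaborate than this rule, but the structure is the point: every decision rests on colour statistics of the input, so lighting, skin tone and skin-coloured objects move the verdict, and the face detector can only veto after the fact.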

From XFImage.xml it can be seen that Green Dam uses OpenCV's Haar classifier for face detection. The bundled cximage.dll, CImage.dll, xcore.dll and Xcv.dll also come from the OpenCV libraries, all of which indicates that Green Dam relies mainly on OpenCV for its image processing. As is common practice for domestic Chinese software, however, Green Dam has probably also ignored OpenCV's BSD license.

Jinhui claims an image detection correct-detection rate above 90% and a false-detection rate below 7%, with detection rate = correct-detection rate × proportion of pornographic images + (1 – false-detection rate) × (1 – proportion of pornographic images); with pornographic images at 1%, the detection rate is 93%.
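The vendor's formula is the weighted accuracy over both classes, which at 1% prevalence is dominated by the non-pornographic 99%. The added example below (mine, not the vendor's or the analysis' code) carries the formula through with the quoted figures and puts two figures beside it that the formula hides: the same metric for a filter that blocks nothing at all, and the precision, the share of blocked images that really were pornographic. The vendor figures are taken at face value as inputs.

```python
from typing import Dict

def detection_rate(tpr: float, fpr: float, prevalence: float) -> float:
    """The vendor's composite figure from the formula above: correct decisions on
    both classes, weighted by the class proportions."""
    return tpr * prevalence + (1.0 - fpr) * (1.0 - prevalence)

def block_nothing_rate(prevalence: float) -> float:
    """The same metric for a filter that never blocks anything (tpr = fpr = 0)."""
    return detection_rate(0.0, 0.0, prevalence)

def precision(tpr: float, fpr: float, prevalence: float) -> float:
    """Share of blocked images that were actually pornographic."""
    true_blocks = tpr * prevalence
    false_blocks = fpr * (1.0 - prevalence)
    return true_blocks / (true_blocks + false_blocks)

def vendor_claim_summary(tpr: float = 0.90, fpr: float = 0.07,
                         prevalence: float = 0.01) -> Dict[str, float]:
    """Defaults are the quoted figures: >90% correct, <7% false, 1% pornographic."""
    return {
        "detection_rate": round(detection_rate(tpr, fpr, prevalence), 4),
        "block_nothing_rate": round(block_nothing_rate(prevalence), 4),
        "precision": round(precision(tpr, fpr, prevalence), 4),
    }
```

With the quoted numbers the composite is 0.9297, as the text says, but a filter that does nothing scores 0.99 on the same metric, and only about 11.5% of what the filter blocks would be pornographic; the other 88.5% are false positives on the 99% of ordinary images.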

Text filtering

Analysis of political content, including the filtering of Falun Gong content, uses the text filtering engine from Beijing Dazheng Language Knowledge Processing Technology Co. Ltd.: HncEng.exe, HncEngPS.dll and SentenceObj.dll. The data file HNCLIB/FalunWord.lib also contains, encoded in UTF-32LE, a large vocabulary of political and pornographic terms beyond Falun Gong.

Keyword list extracted from the data file HNCLIB/FalunWord.lib: http://filetwt.com/f/bn734dm89h
A more complete set of parsed keywords:
https://docs.google.com/View?docid=d7w7twp_977hcmc35g3

Analysing http://www.hncit.com/update/ST771.rar, and within it the file hncldata_mdb.zip\L:\HncProjects\版权\检测版\升级包制作工具\2007.1.15\标准检测版\programfiles\hncldata.mdb under ST771.rar\ST771\package2, yields the URL blacklist: http://paste.ubuntu.org.cn/15292

An unencrypted keyword file can also be found on the website of Beijing Dazheng Language Knowledge Processing Technology Co. Ltd.: http://docs.google.com/Doc?docid=dczkbptk_0ffc2hvc9&hl=en

Pornographic keywords in the beta version: https://docs.google.com/View?id=ah27xz4pbz6s_22cgwh6xf7
Non-pornographic keywords: https://docs.google.com/View?id=ah27xz4pbz6s_24c6dw27g6
Instructions from superior departments: https://docs.google.com/View?id=ah27xz4pbz6s_25fpx2qkhp

Application control and filtering

Control over application usage time

"Controls the time minors spend online and on QQ, MSN and games, preventing excessive immersion in the Internet and effectively curing Internet addiction."

"Prohibits all kinds of online games (such as Zhengtu, World of Warcraft) and chat programs (such as QQ, MSN); customizable black and white lists make filtering more effective; blocks anonymous browsing that evades URL blocking through proxy servers or proxy-type software (such as Freegate)." (Jinhui Expert System for Blocking Pornographic Images and Harmful Information, FAQ-20080520)

Control over application content

Testing shows that typing any variant of "法轮功" (Falun Gong) into Notepad or WordPad closes the application, whereas typing the same characters into Paint or MSN produces no reaction, which also shows how incomplete the program is.

Partially decompiled content reveals many applications as targets of its monitoring.

00468940 .wow.exe.魔兽世界....yaho
00468980 omessenger.exe..雅虎通..wangwang.exe....阿里旺旺....start.exe...
004689C0 网易POPO....网易popo....uc.exe..新浪UC..新浪uc..icq.exe.ICQ6....
00468A00 icq6....skype.exe...Skype...skype...eph.exe.e话通...doshow..msnm
00468A40 sgr.exe.MSN.msn messenger...qqgame.exe..QQ游戏..qq游戏..qqchat.e
00468A80 xe..QQ聊天室....qq聊天室....qq.exe..QQ..qq2.bitbomet.exe....BitC
00468AC0 omet....bitcomet....

Blocking of anti-censorship software, for example FreeGate: the file filtport.dat in system32 has the default content "FreeGate/8567/tcp Urf/9666/tcp". Two processes, xdaemon.exe and xnet2.exe; on entering the Wujie page it will.....
On examination, the three programs XDaemon.exe, XNet2.exe and gn.exe protect one another to prevent being deleted or having their processes terminated, a technique commonly used by viruses and rogue software.


Possibly monitored programs (from injlib.exe, offset 89e8H):

editplus.exe
uedit32.exe
emeditor.exe
wordpad.exe
notepad.exe
wps.exe
wpp.exe
et.exe
powerpnt.exe
frontpg.exe
excel.exe
msaccess.exe
outlook.exe
winword.exe
mailmagic.exe
popo.exe
qqmail.exe
aixmail.exe
imapp.exe
incmail.exe
msimn.exe
dm2005.exe
foxmail.exe
googletalk.exe
miranda32.exe
imu.exe
ypager.exe
tmshell.exe
start.exe
uc.exe
icqchatrobot.exe
qq.exe
msnmsgr.exe
gsfbwsr.exe
greenbrowser.exe
touchnet.exe
theworld.exe
maxthon.exe
ttraveler.exe
netscp.exe
ge.exe
firefox.exe
opera.exe
netcaptor.exe
myie.exe
iexplore.exe
mmc.exe
regedit.exe
taskmgr.exe
mpsvcc.exe
xdaemon.exe
xnet2.exe

Nearly all common text editors on the market (EditPlus, UltraEdit, EmEditor), office software (the three WPS components, the MS Office family), e-mail clients, IM clients and browsers are monitored.


Network filtering

"Green Dam" obtains sent and received data through the Winsock2 SPI (Service Provider Interface), analyses this data to pick out HTTP traffic, and, after decoding the HTTP protocol, passes it through a URL detector, a harmful-URL detector and a keyword detector. Based on those results it decides whether the image detector needs to be used, and through image detection it supplies newly discovered harmful URLs to the system administrator.
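The detector chain above, as an added example that is not Green Dam's code and not from the analysis: it models what a Winsock2 SPI hook hands the filter (raw request and response bytes), rebuilds the URL from the request line and Host header, runs the URL list, then the keyword detector on text bodies or the image detector on image bodies, and feeds any new hit back into the URL list as the "newly discovered harmful URL" report. The block list, keywords, sample messages and the image detector callable are all constructed here; a real image detector would replace the lambda in the test. One property worth noticing: anything that is not plaintext HTTP/1.x (the constructed TLS record in the test) is passed through untouched, because a socket-level hook sees bytes, not pages.

```python
import re
from typing import Callable, Dict, List, Optional, Set, Tuple

Headers = Dict[str, str]

def _headers(lines: List[str]) -> Headers:
    """Header lines -> lower-cased name/value map (lines without ':' are dropped)."""
    out: Headers = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            out[name.strip().lower()] = value.strip()
    return out

def url_from_request(raw: bytes) -> Optional[str]:
    """Rebuild the URL from an HTTP/1.x request line plus Host header; None for
    anything that is not plaintext HTTP (for example a TLS record)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    m = re.match(r"^[A-Z]+ (\S+) HTTP/1\.[01]$", lines[0])
    if not m:
        return None
    target = m.group(1)
    if target.startswith("http://"):          # absolute-form request (proxy style)
        return target
    host = _headers(lines[1:]).get("host")
    return f"http://{host}{target}" if host else None

def split_response(raw: bytes) -> Tuple[str, bytes]:
    """(content-type, body) from an HTTP/1.x response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    return _headers(lines[1:]).get("content-type", "").lower(), body

class DetectorChain:
    """URL list -> keyword detector (text) or image detector (images), in that order.
    Hits are reported and added to the URL list, as the text describes."""

    def __init__(self, blocked_urls: Set[str], keywords: List[str],
                 image_detector: Callable[[bytes], bool]) -> None:
        self.blocked_urls = set(blocked_urls)        # constructed list, not Green Dam's data
        self.keywords = [k.lower() for k in keywords]  # constructed list, not Green Dam's data
        self.image_detector = image_detector          # supplied by the caller (assumption)
        self.reported: List[str] = []                 # what goes to the administrator

    def decide(self, request: bytes, response: bytes) -> str:
        url = url_from_request(request)
        if url is None:
            return "pass"                 # not HTTP: the SPI hook only sees bytes
        if url in self.blocked_urls:
            return "block:url"
        ctype, body = split_response(response)
        if ctype.startswith("text/"):
            text = body.decode("utf-8", errors="replace").lower()
            if any(k in text for k in self.keywords):
                return self._block(url, "keyword")
        elif ctype.startswith("image/") and self.image_detector(body):
            return self._block(url, "image")
        return "pass"

    def _block(self, url: str, stage: str) -> str:
        self.blocked_urls.add(url)
        self.reported.append(url)
        return f"block:{stage}"
```

The image detector is invoked only when the URL and keyword stages have passed, which is the ordering the text gives, and the decision is made per response, so a page that was clean on first sight and later carries a keyword is added to the list at the moment it is seen.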

Potential risks

Backdoor: the security of Green Dam itself is highly questionable. Software developed by a small company like this can easily contain security vulnerabilities; once hackers discover one, every computer with Green Dam installed becomes a "zombie" under their control, and given a large installed base a repeat of the "Baofeng Yingyin network outage" incident is entirely possible.

Because of the many imperfections in the Green Dam software itself, normal functions of client software may fail (for example, an unsaved working document is closed without any prompt to save).

All the software's technical parameters are set according to the technical staff's own assumptions about what counts as a pornographic image. These assumptions instead reinforce pornographic stereotypes and sexual and gender inequality, to the detriment of minors.





Related documents

Green Dam's negotiation response to the government: https://docs.google.com/fileview?id=F.17d2bb7b-bddd-4e3e-a2a1-00d2ec5e569f&hl=zh_CN

Complete user guide for "Green Dam-Youth Escort": http://tech.techweb.com.cn/redirect.php?tid=387273&goto=lastpost

Image:green-dam-1.jpg
Image:green-dam-2.jpg

