js中常见的hook脚本
常见HOOK脚本
-
hook脚本注入的时机:
- 对于系统函数,选择在网页运行之前进行hook
- 对于普通函数,在调用的地方设置断点,运行时注入js hook,在函数被调用之前就进行修改
-
扩展参考
-
cookie
(function () { 'use strict'; var cookie_cache = document.cookie; Object.defineProperty(document, 'cookie', { get: function() { console.log('Getting cookie'); return cookie_cache; }, set: function(val) { if (val.indexOf('FSSBBIl1UgzbN7N80S') != -1) { debugger; } // debugger; console.log('Setting cookie', val); var cookie = val.split(";")[0]; var ncookie = cookie.split("="); var flag = false; var cache = cookie_cache.split("; "); cache = cache.map(function(a){ if (a.split("=")[0] === ncookie[0]){ flag = true; return cookie; } return a; }) cookie_cache = cache.join("; "); if (!flag){ cookie_cache += cookie + "; "; } this._value = val; return cookie_cache; }, }); })();
-
headers
(function () { var org = window.XMLHttpRequest.prototype.setRequestHeader; window.XMLHttpRequest.prototype.setRequestHeader = function (key, value) { if (key == 'Authorization') { debugger; } return org.apply(this, arguments); }; })();
-
url
(function () { var open = window.XMLHttpRequest.prototype.open; window.XMLHttpRequest.prototype.open = function (method, url, async) { if (url.indexOf("login") != -1) { debugger; } return open.apply(this, arguments); }; })();
-
eval
(function() { // 保存原始方法 var eval_ = eval; // 重写 eval var myeval = function(src) { if(src.includes('debugger')){ src = src.replace(/debugger\s*;?/g, '') } return eval_(src); } // 屏蔽 JS 中对原生函数 native 属性的检测 var myeval_ = myeval.bind(null); myeval_.toString = function(){ return eval_.toString(); }; Object.defineProperty(window, 'eval', { value: myeval_ }); })();
-
JSON.stringify和JSON.parse
(function() { 'use strict'; var my_stringify = JSON.stringify; JSON.stringify = function (params){ console.log("json_stringify:", params); return my_stringify(params); }; var my_parse = JSON.parse; JSON.parse = function (params){ console.log("json_parse:", params); return my_parse(params); }; })();
-
websocket
(function() { WebSocket.prototype._send = WebSocket.prototype.send; WebSocket.prototype.send = function (data){ console.log(`hook WebSocket.send|data:${data}`) debugger; return WebSocket.prototype._send.apply(this, arguments) } })();
-
RegExp
(function () { 'use strict'; var _RegExp = RegExp; RegExp = function (pattern, modifiers) { console.log("hook到RegExp"); debugger; if (modifiers) { return _RegExp(pattern, modifiers); } else { return _RegExp(pattern); } }; RegExp.toString = function () { return "function setInterval() { [native code] }" }; })();
-
过debugger
(function () { 'use strict'; // hook eval中的debugger var eval_ = window.eval; window.eval = function (x) { if(x.includes('debugger')){ console.log('eval debugger...') } return eval_(x.replace(/debugger\s*;?/g, '')); }; window.eval.toString = function () { return eval_.toString(); }; // hook构造函数中的debugger; function Closure(injectFunction) { return function() { if (!arguments.length) return injectFunction.apply(this, arguments) arguments[arguments.length - 1] = arguments[arguments.length - 1].replace(/debugger/g, ""); return injectFunction.apply(this, arguments) } } var oldFunctionConstructor = window.Function.prototype.constructor; window.Function.prototype.constructor = Closure(oldFunctionConstructor) window.Function.prototype.constructor.prototype = window.Function.prototype; // 使原型链更完整 //fix native function window.Function.prototype.constructor.toString = oldFunctionConstructor.toString.bind(oldFunctionConstructor); var oldFunction = Function; window.Function = Closure(oldFunction) window.Function.toString = oldFunction.toString.bind(oldFunction); // hook setInterval中的debugger var _setInterval = setInterval; setInterval = function (a, b) { if (a.toString().indexOf("debugger") != -1) { return null; } return _setInterval(a, b); }; // hook setTimeout中的debugger var _setTimeout = setTimeout; setTimeout = function (a, b) { if (a.toString().indexOf("debugger") != -1) { return null; } return _setTimeout(a, b); } })();
-
过constructor debugger
(function () { 'use strict'; // hook构造函数中的debugger; function Closure(injectFunction) { return function() { if (!arguments.length) return injectFunction.apply(this, arguments) arguments[arguments.length - 1] = arguments[arguments.length - 1].replace(/debugger/g, ""); return injectFunction.apply(this, arguments) } } var oldFunctionConstructor = window.Function.prototype.constructor; window.Function.prototype.constructor = Closure(oldFunctionConstructor) window.Function.prototype.constructor.prototype = window.Function.prototype; // 使原型链更完整 //fix native function window.Function.prototype.constructor.toString = oldFunctionConstructor.toString.bind(oldFunctionConstructor); var oldFunction = Function; window.Function = Closure(oldFunction) window.Function.toString = oldFunction.toString.bind(oldFunction); })();
-
过eval debugger
(function() { 'use strict'; var eval_ = window.eval; window.eval = function(x) { return eval_(x.replace(/debugger\s*;?/g,'')); }; window.eval.toString = function(){ return eval_.toString(); }; } )();
-
过setInterval / setTimeout定时器中的debugger
(function () { // hook setInterval中的debugger var _setInterval = setInterval; setInterval = function (a, b) { if (a.toString().indexOf("debugger") != -1) { return null; } return _setInterval(a, b); }; // hook setTimeout中的debugger var _setTimeout = setTimeout; setTimeout = function (a, b) { if (a.toString().indexOf("debugger") != -1) { return null; } return _setTimeout(a, b); } })();
-
-
过sojson头部字符串检测
(function() { var _RegExp = RegExp; RegExp = function(pattern, modifiers) { if (pattern == decodeURIComponent("%5Cw%2B%20*%5C(%5C)%20*%7B%5Cw%2B%20*%5B'%7C%22%5D.%2B%5B'%7C%22%5D%3B%3F%20*%7D") || pattern == decodeURIComponent("function%20*%5C(%20*%5C)") || pattern == decodeURIComponent("%5C%2B%5C%2B%20*(%3F%3A_0x(%3F%3A%5Ba-f0-9%5D)%7B4%2C6%7D%7C(%3F%3A%5Cb%7C%5Cd)%5Ba-z0-9%5D%7B1%2C4%7D(%3F%3A%5Cb%7C%5Cd))") || pattern == decodeURIComponent("(%5C%5C%5Bx%7Cu%5D(%5Cw)%7B2%2C4%7D)%2B")) { pattern = '.*?'; console.log("发现sojson检测特征,已帮您处理。") } if (modifiers) { console.log("疑似最后一个检测...已帮您处理。") console.log("已通过全部检测,请手动处理debugger后尽情调试吧!") return _RegExp(pattern, modifiers); } else { return _RegExp(pattern); } } ; RegExp.toString = function() { return _RegExp.toString(); } ; } )();
-
Function
(function () { let _myConstructor = Function.prototype.constructor Function.prototype.constructor = function () { let src = arguments[arguments.length - 1] if (src.includes('debugger')) { console.log('构造函数中发现debugger字符,正进行替换。。。') } arguments[arguments.length - 1] = src.replace(/debugger/ig, ' '); // 替换等长的空格 console.log("======== Function end ============="); return _myConstructor.apply(this, arguments) } Function.prototype.constructor.toString = function () { return _myConstructor.toString() } let _myFunction = Function Function = function () { let src = arguments[arguments.length - 1] if (src.includes('debugger')) { console.log('构造函数中发现debugger字符,正进行替换。。。') } arguments[arguments.length - 1] = src.replace(/debugger/ig, ' '); // 替换等长的空格 console.log("======== Function end ============="); return _myFunction.apply(this, arguments) } Function.toString = function () { return _myFunction.toString() } })();
hook所有函数
