Chrome修改添加JS与dll交互

注入dll后拦截js相关函数, 可以通讯以及控制
安全沙箱问题前面有写文章
为了方便快速, 使用Uint8Array::Set 函数拦截
之前尝试了 crypto.subtle 相关的函数, 这些函数速度很慢, 而且是异步, 很不方便

C++ 的dll代码

//	Installs the hook on the Uint8Array set routine inside chrome.dll.
//	The target is located by a raw byte signature (FindModCode), so this is
//	tied to one specific chrome.dll build; on any other build the lookup
//	fails and FALSE is returned.
//	Returns: FALSE when the signature is not found, otherwise TRUE.
//	NOTE(review): the result of AsmHook::Hook is stored in bRetVal but never
//	checked, so a failed hook install is still reported as TRUE to the caller.
BOOL	CChrome::HookUint8ArraySetByte()
{
	BYTE	*pCode;
	BOOL	bRetVal;

	//	Build-specific byte signature of the hooked routine's prologue.
	bRetVal = FindModCode("chrome.dll", "5589E553575683E4F883EC5089D3894C24108B7508A1240071A831E88944244889D0250000FCFF", &pCode);
	if(bRetVal == FALSE)
		return FALSE;

	//	`this` is handed to Hook_Uint8ArraySetByte as its user parameter.
	//	The last argument evaluates to 0 (sizeof(void*)*0); its meaning is
	//	defined by AsmHook::Hook, which is not visible here.
	bRetVal = AsmHook::Hook(pCode, &Hook_Uint8ArraySetByte, this, &Info_Uint8ArraySetByte, sizeof(void*)*0);
	return TRUE;
}

//	Byte offsets read through GetObjProp from the two JS objects that reach
//	the hook (the destination Uint8Array and the source array given to set()).
//	Like the code signature, these are specific to one chrome.dll build -
//	presumably V8 heap-object layout offsets; confirm per build.
#define Uint8Array_ObjDatSize							0x0017		//	used as the byte length of the Uint8Array's data
#define Uint8Array_ObjDat								0x001B		//	used as the pointer to that data
#define Uint8Array_ObjDatOffset							0x001F		//	added to that pointer
#define ArySet_ObjDat									0x0007		//	source array: pointer to its elements
#define ArySet_ObjDatOffset								0x0007		//	source array: added to that pointer

//	Marker the JS side writes so the hook can tell a command transfer from an
//	ordinary set() call. Must stay in sync with the CMD_Index / CMD_Value
//	constants in DllSendCmd on the JS side.
const	int		CMD_Index = 1000;
const	int		CMD_Value = 0x32650000;

//	Hook bookkeeping; passed by address to AsmHook::Hook in HookUint8ArraySetByte.
AsmHook::HOOK_INFO	Info_Uint8ArraySetByte;
//	Trampoline entered on every call to the hooked Uint8Array set routine.
//	Reads the call's arguments and the two JS objects involved straight from
//	Chrome's memory, and treats the call as a command transfer only when the
//	marker written by the JS side (DllSendCmd) is present.
//	pUserParam: the CChrome instance passed to AsmHook::Hook.
//	pReg: saved registers at the hook point (32-bit layout).
//	Returns TRUE on every path; what TRUE means to AsmHook is not visible here.
//	NOTE(review): every value below comes from page-controlled objects and is
//	only checked by the single if() near the end; a malformed object can make
//	pDat / pSetDat point anywhere before that check is reached.
BOOL WINAPIV Hook_Uint8ArraySetByte(VOID *pUserParam, AsmHook::PUSHAD_DAT *pReg)
{
	CChrome			*pThis = (CChrome *)pUserParam;

#ifdef _WIN64
	//	No 64-bit implementation: the offsets and register layout below are 32-bit.
	return TRUE;
#else
	//	BOOL		bRetVal;
	void		*backaddr;
	void		**params;
	void		*Uint8Array, *ecx, *ArySet;
	int			nCount, nOffset, nDatOft, nDatSize, nCmdValue;
	BYTE		*pDat, *pSetDat;
	CHAR		*pCmd;

	//	Recover the return address and the stack-passed arguments of the hooked call.
	AsmHook::GetCallParam32(pReg, backaddr, params);

	ecx = (void *)pReg->Ecx;			//	read but not used afterwards
	ArySet = (void *)pReg->Edx;			//	source array given to set()
	Uint8Array = params[0];			//	destination typed array
	nCount = (int)params[1];			//	presumably the source element count
	nOffset = (int)params[2];			//	presumably the destination offset argument of set()
	
	//	Destination buffer: size, data pointer, and the extra offset applied to it.
	GetObjProp(Uint8Array, nDatSize, Uint8Array_ObjDatSize);
	GetObjProp(Uint8Array, pDat, Uint8Array_ObjDat);
	GetObjProp(Uint8Array, nDatOft, Uint8Array_ObjDatOffset);
	pDat += nDatOft;

	//	Source array elements.
	GetObjProp(ArySet, pSetDat, ArySet_ObjDat);
	pSetDat += ArySet_ObjDatOffset;
	nCount;								//	no-op statement; presumably silences an unused-variable warning

	//	First source element. The >> 1 looks like V8 Smi untagging (integers
	//	stored shifted left by one) - confirm against the engine version in use.
	nCmdValue = *(int *)pSetDat;
	nCmdValue >>= 1;
	//	A command transfer is a one-element set() of CMD_Value at index CMD_Index
	//	into a buffer larger than the 1024-byte command header.
	if(nOffset == CMD_Index && nCmdValue == CMD_Value && nCount == 1 && nDatSize > 1024)
	{
		//	Buffer layout (see DllSendCmd): first 1024 bytes hold the command
		//	string, the payload follows. nDatSize > 1024 guarantees the header
		//	exists but not that the command string is NUL-terminated inside it;
		//	OnCmdDat parses pCmd as a C string.
		pCmd = (CHAR *)pDat;
		pDat += 1024;
		nDatSize -= 1024;
		pThis->OnCmdDat(pCmd, pDat, nDatSize);
	}

	return TRUE;
#endif
}

//	Dispatches one command received through the Uint8Array hook.
//	pCmd: command string of the form "#key=value;key=value" (the leading '#'
//	is required; the remainder is handed to CDatString::ParseString).
//	pDat: payload that follows the 1024-byte command header.
//	nSize: payload size - currently unused; the WriteLog branch treats pDat as
//	a NUL-terminated string, so the terminator has to come from the sender.
//	Returns FALSE on every path, including after a handled command.
//	Only "cmd=WriteLog" is recognised: it forwards "name" and the payload text
//	to CmdWriteLog.
BOOL	CChrome::OnCmdDat(CHAR *pCmd, BYTE *pDat, int nSize)
{
	CDatString	datCmd;
	CHAR		szCmd[256], szName[256];
	CHAR		*pText;

	//	Leading '#' marks a command; anything else is ignored.
	if(pCmd[0] != '#')
		return FALSE;

	//	NOTE(review): pCmd is read as a C string and is not bounded to the
	//	1024-byte header here, so an unterminated command runs past it.
	datCmd.ParseString(pCmd+1);
	//	Pre-cleared so a missing key presumably leaves an empty string; whether
	//	GetData always NUL-terminates on truncation depends on CDatString - verify.
	szCmd[0] = 0;
	datCmd.GetData("cmd", szCmd, sizeof(szCmd));
	if(strcmp(szCmd, "WriteLog") == 0)
	{
		szName[0] = 0;
		datCmd.GetData("name", szName, sizeof(szName));
		//	nSize is not checked: the text must already be NUL-terminated.
		pText = (CHAR *)pDat;
		CmdWriteLog(szName, pText);
	}

	return FALSE;
}

Js代码

//	Hands a command plus payload to the injected DLL through its hook on the
//	Uint8Array set routine (see Hook_Uint8ArraySetByte on the C++ side).
//	cmd: command string such as "#cmd=WriteLog;name=..."; it is NUL-terminated
//	here and must fit in the 1024-byte header - a longer one overwrites the
//	start of the payload region.
//	dat: byte array-like payload, copied after the header.
//	Returns nothing; the only effect is the final set() call the hook reacts to.
function	DllSendCmd(cmd, dat)
{
	//	Must match CMD_Index / CMD_Value in the DLL.
	const CMD_Index = 1000;
	const CMD_Value = 0x32650000;
	var encoder = new TextEncoder();
	var cmd_dat = encoder.encode(cmd+"\0");
	//	Layout: [0, 1024) command string, [1024, end) payload.
	var send_dat = new Uint8Array(1024+dat.length);
	send_dat.set(cmd_dat, 0);
	send_dat.set(dat, 1024);
	
	//	Marker call: a one-element source holding CMD_Value, written at
	//	CMD_Index. Inside the typed array the value is truncated to one byte;
	//	the DLL presumably reads the untruncated element from the source array
	//	object at hook time, which is what it keys on.
	send_dat.set([CMD_Value], CMD_Index);
}


//	Sends a "WriteLog" command: log_name goes into the command string and
//	log_text (NUL-terminated) is the payload the DLL passes to CmdWriteLog.
//	NOTE(review): `encoder` is not declared in this function - the only
//	TextEncoder on this page is local to DllSendCmd - so this throws a
//	ReferenceError unless a global `encoder` is defined elsewhere.
function	DllWriteLog(log_name, log_text)
{
	var	cmd = "#cmd=WriteLog;name=" + log_name;
	var dat = encoder.encode(log_text + "\0");
	DllSendCmd(cmd, dat);
}