Chrome修改添加JS与dll交互
注入dll后拦截js相关函数, 可以通讯以及控制
安全沙箱问题前面有写文章
为了方便快速, 使用Uint8Array::Set 函数拦截
之前尝试了 crypto.subtle 相关的函数, 这些函数速度很慢, 而且是异步, 很不方便
C++ 的dll代码
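// Locates the Uint8Array set routine inside chrome.dll by byte signature and installs
// Hook_Uint8ArraySetByte on it through AsmHook.
// Returns FALSE when the signature is not found or when AsmHook::Hook reports failure.
// NOTE(review): the signature is a raw code pattern of one specific chrome.dll build, so
// FindModCode presumably fails on any other build and the hook is simply not installed.
BOOL CChrome::HookUint8ArraySetByte()
{
    BYTE *pCode;
    BOOL bRetVal;
    bRetVal = FindModCode("chrome.dll", "5589E553575683E4F883EC5089D3894C24108B7508A1240071A831E88944244889D0250000FCFF", &pCode);
    if(bRetVal == FALSE)
        return FALSE;
    // The hook result used to be discarded and TRUE returned unconditionally; propagate it
    // so a caller can tell that the detour was not actually installed.
    bRetVal = AsmHook::Hook(pCode, &Hook_Uint8ArraySetByte, this, &Info_Uint8ArraySetByte, sizeof(void*)*0);
    return bRetVal;
}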
// In-object field offsets read through GetObjProp() in Hook_Uint8ArraySetByte.
// NOTE(review): these are raw offsets into an engine object layout and are presumably only
// valid for the chrome.dll build matched by the signature in HookUint8ArraySetByte — confirm
// before reusing them on any other build; nothing at runtime validates them.
#define Uint8Array_ObjDatSize 0x0017   // read into nDatSize (size of the array's data)
#define Uint8Array_ObjDat 0x001B       // read into pDat (presumably the data pointer)
#define Uint8Array_ObjDatOffset 0x001F // read into nDatOft, then added to pDat
#define ArySet_ObjDat 0x0007           // read into pSetDat from the object taken from EDX
#define ArySet_ObjDatOffset 0x0007     // added to pSetDat before the command value is read
// Command marker shared with the JS side (DllSendCmd): a single-element write of CMD_Value
// at index CMD_Index is what makes the hook treat the array as a command buffer.
const int CMD_Index = 1000;
const int CMD_Value = 0x32650000;
// Hook bookkeeping filled in by AsmHook::Hook in HookUint8ArraySetByte.
AsmHook::HOOK_INFO Info_Uint8ArraySetByte;
// Detour callback installed on the Uint8Array set routine by CChrome::HookUint8ArraySetByte.
// Decodes the intercepted call's arguments and, when the write carries the command marker
// (CMD_Index / CMD_Value, as produced by the JS-side DllSendCmd), hands the array's contents
// to CChrome::OnCmdDat as a 1024-byte command area followed by the payload.
// Returns TRUE on every path; how AsmHook interprets the return value is not visible here.
//   pUserParam - the CChrome instance passed to AsmHook::Hook
//   pReg       - register snapshot captured at the hook point
BOOL WINAPIV Hook_Uint8ArraySetByte(VOID *pUserParam, AsmHook::PUSHAD_DAT *pReg)
{
CChrome *pThis = (CChrome *)pUserParam;
#ifdef _WIN64
// Only the 32-bit path is implemented: the register/stack decoding below is x86-specific.
return TRUE;
#else
// BOOL bRetVal;
void *backaddr;
void **params;
void *Uint8Array, *ecx, *ArySet;
int nCount, nOffset, nDatOft, nDatSize, nCmdValue;
BYTE *pDat, *pSetDat;
CHAR *pCmd;
// Recover the return address and the stack-passed arguments of the intercepted call.
AsmHook::GetCallParam32(pReg, backaddr, params);
// ecx is captured but never used below.
ecx = (void *)pReg->Ecx;
// The object in EDX is treated as the source array of the set() call.
ArySet = (void *)pReg->Edx;
// Stack arguments as this hook interprets them: destination array, element count, destination offset.
Uint8Array = params[0];
nCount = (int)params[1];
nOffset = (int)params[2];
// Read the destination array's fields at the hard-coded in-object offsets.
// NOTE(review): nothing validates nDatSize or nDatOft; if the layout does not match this
// chrome.dll build, the pointer arithmetic below reads from unrelated memory — confirm the
// offsets are pinned to the same build as the signature in HookUint8ArraySetByte.
GetObjProp(Uint8Array, nDatSize, Uint8Array_ObjDatSize);
GetObjProp(Uint8Array, pDat, Uint8Array_ObjDat);
GetObjProp(Uint8Array, nDatOft, Uint8Array_ObjDatOffset);
pDat += nDatOft;
GetObjProp(ArySet, pSetDat, ArySet_ObjDat);
pSetDat += ArySet_ObjDatOffset;
// No-op statement with no effect (looks like a leftover); nCount is only used in the test below.
nCount;
// First element of the source array, compared against CMD_Value after dropping the low bit.
// NOTE(review): the shift presumably strips a 1-bit tag from the engine's integer encoding — confirm.
nCmdValue = *(int *)pSetDat;
nCmdValue >>= 1;
// Only a single-element write of CMD_Value at index CMD_Index into an array larger than the
// 1024-byte command area is treated as a command; every other set() call passes through untouched.
if(nOffset == CMD_Index && nCmdValue == CMD_Value && nCount == 1 && nDatSize > 1024)
{
// Command string occupies the first 1024 bytes; the payload (nDatSize - 1024 bytes) follows it.
pCmd = (CHAR *)pDat;
pDat += 1024;
nDatSize -= 1024;
pThis->OnCmdDat(pCmd, pDat, nDatSize);
}
return TRUE;
#endif
}
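// Handles one command buffer delivered by Hook_Uint8ArraySetByte.
//   pCmd  - 1024-byte command area; expected to hold a NUL-terminated string of the form
//           "#key=value;key=value" (the leading '#' is required, the rest is parsed by CDatString)
//   pDat  - payload that follows the command area
//   nSize - number of payload bytes
// Both buffers come from a JS-owned array and are not trusted: the command area and, for
// WriteLog, the payload must contain a NUL terminator inside their bounds, otherwise the
// buffer is rejected so that the C-string handling below cannot read past them.
// Returns FALSE on every path, also after a handled command (unchanged from the original).
BOOL CChrome::OnCmdDat(CHAR *pCmd, BYTE *pDat, int nSize)
{
    // Size of the command area in front of the payload; must match the split in Hook_Uint8ArraySetByte.
    const int nCmdAreaSize = 1024;
    CDatString datCmd;
    CHAR szCmd[256], szName[256];
    CHAR *pText;
    if(pCmd == NULL || pDat == NULL || nSize <= 0)
        return FALSE;
    if(pCmd[0] != '#')
        return FALSE;
    // A command string without a terminator inside its area is rejected; ParseString would
    // presumably otherwise scan on into the payload and beyond.
    if(memchr(pCmd, 0, (size_t)nCmdAreaSize) == NULL)
        return FALSE;
    datCmd.ParseString(pCmd+1);
    szCmd[0] = 0;
    datCmd.GetData("cmd", szCmd, sizeof(szCmd));
    if(strcmp(szCmd, "WriteLog") == 0)
    {
        szName[0] = 0;
        datCmd.GetData("name", szName, sizeof(szName));
        // The payload is handed on as a C string, so it too needs a terminator within nSize.
        if(memchr(pDat, 0, (size_t)nSize) == NULL)
            return FALSE;
        pText = (CHAR *)pDat;
        CmdWriteLog(szName, pText);
    }
    return FALSE;
}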
Js代码
function DllSendCmd(cmd, dat)
{
    // Builds the buffer layout the native hook (Hook_Uint8ArraySetByte) looks for:
    // a NUL-terminated command string in the first 1024 bytes, the payload right after it,
    // and finally the marker write (CMD_Value at index CMD_Index) that triggers the hook.
    const CMD_Index = 1000;
    const CMD_Value = 0x32650000;
    const CMD_AREA = 1024;
    const cmdBytes = new TextEncoder().encode(cmd + "\0");
    const buffer = new Uint8Array(CMD_AREA + dat.length);
    buffer.set(cmdBytes, 0);
    buffer.set(dat, CMD_AREA);
    buffer.set([CMD_Value], CMD_Index);
}
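function DllWriteLog(log_name, log_text)
{
    // Sends a WriteLog command to the DLL: the command string carries the log name,
    // the payload is the NUL-terminated log text.
    // Fix: `encoder` was never declared in this function (it was local to DllSendCmd),
    // so the encode call failed with a ReferenceError; create the encoder here.
    var encoder = new TextEncoder();
    var cmd = "#cmd=WriteLog;name=" + log_name;
    var dat = encoder.encode(log_text + "\0");
    DllSendCmd(cmd, dat);
}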