2025-01-30 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article walks through a complete example of hooking IE (Internet Explorer) to rewrite the URL it connects to. The editor thinks it is very practical and shares it for reference; hopefully you will get something out of it.
Text
Pull in the headers first (the header names were lost in the original listing; these are the ones the code below needs):

#include <Windows.h>
#include <wininet.h>     // InternetConnectW, HINTERNET, INTERNET_PORT
#include <string>
using std::string;
using namespace std;
#pragma comment(lib, "wininet.lib")   // link the import library so InternetConnectW resolves
First, we know that the HTTP application-layer functions live in wininet.dll, so we dump the export list of wininet.dll (I used Process Hacker here).
We want to intercept the URL, so we first look for the Url-related functions. The Delay column confirms what I said about wininet.dll being delay-loaded, which is why an IAT hook is not viable here.
We find InternetCrackUrl, and InternetConnect just above it looks very useful. Debugging IE with a breakpoint on this function confirms it; I use the open-source x64dbg and type the command bp InternetConnectW.
So IE is guaranteed to pass through this function whenever it visits a URL, and we inline hook it. To close the loophole from above: an IAT hook does not work because IE delay-loads wininet.dll. The DLL is not loaded when we inject, and a delay-load import entry is only resolved on the first call, so there is nothing in the normal import table to patch. From wininet.h we get the parameters and types of the function.
typedef HINTERNET (WINAPI* tInternetConnectWFunc)(
    HINTERNET hInternet,
    LPCWSTR lpszServerName,
    INTERNET_PORT nServerPort,
    LPCWSTR lpszUserName,
    LPCWSTR lpszPassword,
    DWORD dwService,
    DWORD dwFlags,
    DWORD_PTR dwContext);

Be careful to include wininet.h, otherwise these types are not found.
Next we need a variable that holds the original function so we can call it:

tInternetConnectWFunc oInternetConnectWFunc = NULL;
Then write the replacement for this function. Note that InHook and UnHook are used here, so they need to be declared (or defined) before this point. The conversion function WCharToMByte is given at the end of the article.

HINTERNET WINAPI hkInternetConnectW(
    HINTERNET hInternet,          // session handle from InternetOpen
    LPCWSTR lpszServerName,       // host name: this is what we rewrite
    INTERNET_PORT nServerPort,    // port
    LPCWSTR lpszUserName,
    LPCWSTR lpszPassword,
    DWORD dwService,
    DWORD dwFlags,
    DWORD_PTR dwContext)
{
    UnHook();   // restore the original bytes first; call the real function, then hook again below
    // resolve the original through wininet.dll and cast it to the declared type
    oInternetConnectWFunc = (tInternetConnectWFunc)GetProcAddress(GetModuleHandle(L"wininet.dll"), "InternetConnectW");
    LPCWSTR url = lpszServerName;
    if (WCharToMByte(url).find("*.com") == string::npos)   // if the host is not already the target, force it to the target
    {
        url = L"*.com";
    }
    HINTERNET rest = oInternetConnectWFunc(hInternet, url, nServerPort, lpszUserName, lpszPassword, dwService, dwFlags, dwContext);
    InHook();   // put the hook back before returning the real handle
    return rest;
}

Two things to keep in mind here. The unhook / call / rehook sequence is not thread-safe: another IE thread that calls InternetConnectW while the original bytes are restored goes straight to the real function and is not rewritten. And find("*.com") is a substring match, so any host that merely contains that string is left alone; compare the whole host name if that matters to you.
Next is the inline hook itself. It is very simple.

BYTE oldAddress[5];
BYTE newAddress[5] = { 0xE9 };   // E9 rel32: near jmp to hkInternetConnectW

void InHook()
{
    if (*(BYTE*)InternetConnectW == 0xEB) return;   // already hooked; check this before saving bytes, or oldAddress would be overwritten with the jmp
    memcpy(oldAddress, InternetConnectW, 2);        // save the original first two bytes (mov edi, edi)
    BYTE pByte[2] = { 0xEB, 0xF9 };                 // EB F9: short jmp back 7 bytes, landing on the long jmp at InternetConnectW-5
    // rel32 for a jmp located at InternetConnectW-5 is target - ((InternetConnectW-5) + 5) = hk - InternetConnectW
    DWORD Offset = (DWORD)hkInternetConnectW - (DWORD)InternetConnectW;
    *(DWORD*)(newAddress + 1) = Offset;
    DWORD Protect;
    VirtualProtect((LPVOID)((DWORD)InternetConnectW - 5), 7, PAGE_EXECUTE_READWRITE, &Protect);   // make the 7 bytes writable
    memcpy((LPVOID)((DWORD)InternetConnectW - 5), newAddress, 5);   // long jmp into the 5-byte hot-patch padding before the function
    memcpy(InternetConnectW, pByte, 2);                             // replace mov edi,edi with the short jmp
    VirtualProtect((LPVOID)((DWORD)InternetConnectW - 5), 7, Protect, &Protect);                   // restore the protection
}

void UnHook()
{
    DWORD Protect;
    VirtualProtect(InternetConnectW, 2, PAGE_EXECUTE_READWRITE, &Protect);
    memcpy(InternetConnectW, oldAddress, 2);   // put mov edi,edi back; the jmp left in the padding is unreachable
    VirtualProtect(InternetConnectW, 2, Protect, &Protect);
}

This relies on the hot-patch layout of x86 Windows system DLLs: five bytes of padding immediately before the export and a two-byte mov edi,edi as its first instruction. The 0xEB check and the two-byte copies assume exactly that, so verify both with a debugger before patching another function. Also note that the (DWORD) casts truncate pointers on x64 and a 32-bit relative jmp only reaches +/- 2 GB, so an x64 build of this code needs different patching logic even though it compiles.
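As an added example (not code from the article), the byte patching that InHook and UnHook perform, and the already-hooked check that hkInternetConnectW depends on, replayed against a constructed in-memory code image so it runs on any platform without Windows headers. The base address 0x10001000, the hook address and the sample prologue bytes are assumptions for the example; no real wininet.dll bytes are involved. It goes slightly beyond the article by checking the preconditions InHook assumes silently: the mov edi,edi prologue, the int3/nop padding, and that the rel32 actually reaches the hook. A small decoder then follows the two jumps to prove where execution lands.

```cpp
#include <cstdint>
#include <cstring>
#include <stdexcept>
#include <utility>
#include <vector>

// In-memory stand-in for the 7 bytes the hook touches: 5 bytes of hot-patch
// padding followed by the function entry. The base address is an assumed
// value for the example; no real wininet.dll code is mapped here.
struct HotPatchTarget {
    uintptr_t base;               // address of the first padding byte (= func - 5)
    std::vector<uint8_t> bytes;   // code image starting at base
    uint8_t saved[2];             // original entry bytes, like oldAddress in the article
    HotPatchTarget(uintptr_t b, std::vector<uint8_t> img) : base(b), bytes(std::move(img)) { saved[0] = saved[1] = 0; }
    uintptr_t func() const { return base + 5; }   // == InternetConnectW in the article
    uint8_t* at(uintptr_t addr) {
        if (addr < base || addr >= base + bytes.size()) throw std::out_of_range("address outside image");
        return bytes.data() + (addr - base);
    }
};

// Constructed sample: CC CC CC CC CC | 8B FF (mov edi,edi) | 55 8B EC (push ebp; mov ebp,esp) | C3
HotPatchTarget make_target(uintptr_t base) {
    return HotPatchTarget(base, {0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0xC3});
}

// Writes the same 7 bytes InHook writes, after checking what InHook assumes.
// Returns the rel32 of the long jmp, or 0 if the hook was already in place.
int32_t install_hotpatch(HotPatchTarget& t, uintptr_t hook) {
    uint8_t* pad = t.at(t.base);          // == InternetConnectW - 5
    uint8_t* entry = t.at(t.func());      // == InternetConnectW
    if (entry[0] == 0xEB) return 0;       // already hooked: decide this BEFORE saving bytes
    if (!(entry[0] == 0x8B && entry[1] == 0xFF))
        throw std::runtime_error("entry is not 'mov edi, edi' (8B FF): not hot-patchable");
    for (int i = 0; i < 5; ++i)
        if (pad[i] != 0xCC && pad[i] != 0x90)
            throw std::runtime_error("bytes before the function are not int3/nop padding");
    // rel32 of "jmp hook" placed at func-5 is hook - ((func-5) + 5) = hook - func.
    int64_t rel = (int64_t)hook - (int64_t)t.func();
    if (rel != (int64_t)(int32_t)rel)     // this is what the article's (DWORD) casts hide on x64
        throw std::out_of_range("hook not reachable with a 32-bit relative jmp");
    memcpy(t.saved, entry, 2);
    uint32_t u = (uint32_t)(int32_t)rel;
    pad[0] = 0xE9;
    for (int i = 0; i < 4; ++i) pad[1 + i] = (uint8_t)(u >> (8 * i));   // little-endian rel32
    entry[0] = 0xEB; entry[1] = 0xF9;   // jmp short -7: from func+2 back to func-5
    return (int32_t)rel;
}

// Mirrors UnHook: restore the two entry bytes, leave the padding alone.
void uninstall_hotpatch(HotPatchTarget& t) {
    uint8_t* entry = t.at(t.func());
    if (entry[0] != 0xEB) return;
    memcpy(entry, t.saved, 2);
}

// Follows at most two jumps from addr and returns where execution would land.
// The final target may lie outside the image (the hook DLL), so it is never dereferenced.
uintptr_t resolve_entry(HotPatchTarget& t, uintptr_t addr) {
    for (int hops = 0; hops < 2; ++hops) {
        const uint8_t* p = t.at(addr);
        if (p[0] == 0xEB) { addr = addr + 2 + (int8_t)p[1]; continue; }
        if (p[0] == 0xE9) {
            uint32_t u = 0;
            for (int i = 0; i < 4; ++i) u |= (uint32_t)p[1 + i] << (8 * i);
            return addr + 5 + (int32_t)u;
        }
        break;   // a real instruction: execution continues here
    }
    return addr;
}
```

Running install_hotpatch twice returns 0 the second time, which is the guard the article's InHook relies on when hkInternetConnectW re-hooks after calling the original; moving that guard ahead of the memcpy into saved is the one behavioural change from the listing above.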
Finally, the DLL entry point. Because the DLL links wininet.lib itself, wininet.dll is already loaded by the time DllMain runs, regardless of IE's delay-loading.

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        InHook();   // install the hook as soon as the DLL is loaded into the IE process
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}
Last, the function that converts an LPCWSTR to a string. It needs to be placed at the top of the file, or at least declared before it is called.

string WCharToMByte(LPCWSTR lpcwszStr)
{
    string str;
    DWORD dwMinSize = 0;
    LPSTR lpszStr = NULL;
    dwMinSize = WideCharToMultiByte(CP_OEMCP, 0, lpcwszStr, -1, NULL, 0, NULL, NULL);   // required size, terminator included
    if (0 == dwMinSize)
    {
        return str;   // conversion failed: return an empty string (the original returned FALSE, which is not a valid string)
    }
    lpszStr = new char[dwMinSize];
    WideCharToMultiByte(CP_OEMCP, 0, lpcwszStr, -1, lpszStr, dwMinSize, NULL, NULL);
    str = lpszStr;
    delete[] lpszStr;
    return str;
}
That is essentially it. Worth noting: IE11 is multi-process. The main (frame) process is 64-bit and each tab's content process is 32-bit, so build both Release x86 and Release x64 and inject the build that matches each process (with Enhanced Protected Mode enabled the tab processes are 64-bit as well). For the test here I injected with Process Hacker.
All IE processes need the DLL. If you write your own injector, be aware that x86 and x64 injection differ in many details, which I will not repeat here. Note too that although Process Hacker is a driver-level task manager, some processes cannot be injected directly and you will need your own injection code.
Finally, the result.
The video of the effect cannot be uploaded, so briefly: the tab title shows tb, but what actually loads is bd. Other browsers may not call InternetConnectW directly, but you can debug them the same way and write a hook to match.
This is the end of the article on "sample analysis of the full version of Hook IE and modifying the URL". I hope the above content can be of some help to you, so that you can learn more knowledge. if you think the article is good, please share it out for more people to see.