├── .gitignore ├── PrototypeChain_hook ├── Fetch │ └── Fetch-API.js ├── XMLHTTPRequest │ ├── XMLHttpRequest.js │ └── based.js ├── split │ └── split.js └── websocket.js ├── README.md ├── attr_hook └── cookie │ ├── base.js │ ├── based.js │ ├── encapsulated.js │ └── hookCookieExample.js └── obj_hook ├── Funtion.js ├── HookSetInterval.js ├── base64 ├── base64.js └── btoa.js ├── evel └── eval.js └── json ├── JsonInfo.js └── json_stringingstringe.js /.gitignore: -------------------------------------------------------------------------------- 1 | ### macOS template 2 | # General 3 | .DS_Store 4 | .AppleDouble 5 | .LSOverride 6 | 7 | # Icon must end with two \r 8 | Icon 9 | 10 | # Thumbnails 11 | ._* 12 | 13 | # Files that might appear in the root of a volume 14 | .DocumentRevisions-V100 15 | .fseventsd 16 | .Spotlight-V100 17 | .TemporaryItems 18 | .Trashes 19 | .VolumeIcon.icns 20 | .com.apple.timemachine.donotpresent 21 | 22 | # Directories potentially created on remote AFP share 23 | .AppleDB 24 | .AppleDesktop 25 | Network Trash Folder 26 | Temporary Items 27 | .apdisk 28 | 29 | .idea/* -------------------------------------------------------------------------------- /PrototypeChain_hook/Fetch/Fetch-API.js: -------------------------------------------------------------------------------- 1 | 2 | 'use strict'; 3 | (function () { 4 | window.au_fetch = window.fetch; 5 | window.fetch = function (url) { 6 | console.log(url); 7 | return window.au_fetch.apply(window, arguments).then((response) => { 8 | const reader = response.body.getReader(); 9 | const stream = new ReadableStream({ 10 | start(controller) { 11 | function push() { 12 | // "done"是一个布尔型,"value"是一个Unit8Array 13 | reader.read().then((e) => { 14 | let { done, value } = e; 15 | // 判断是否还有可读的数据? 16 | console.log(done, new TextDecoder("utf-8").decode(value)); 17 | if (done) { 18 | // 告诉浏览器已经结束数据发送 19 | controller.close(); 20 | return; 21 | } 22 | // 取得数据并将它通过controller发送给浏览器 23 | controller.enqueue(value); 24 | push(); 25 | }); 26 | } 27 | push(); 28 | } 29 | }); 30 | let ret = new Response(stream, { headers: { "Content-Type": "text/html" } }) 31 | console.log(stream, ret); 32 | return ret; 33 | }); 34 | }; 35 | }) -------------------------------------------------------------------------------- /PrototypeChain_hook/XMLHTTPRequest/XMLHttpRequest.js: -------------------------------------------------------------------------------- 1 | 2 | 3 | // perfect 4 | (function () { 5 | alert('Start Hook'); 6 | 7 | // create function cache 8 | function hook() { 9 | XMLHttpRequest.prototype.setRequestHeader_cache = XMLHttpRequest.prototype.setRequestHeader; 10 | XMLHttpRequest.prototype.setRequestHeader = function (val) { 11 | console.log("Hook val", val); 12 | debugger; 13 | return XMLHttpRequest.prototype.setRequestHeader_cache(val); 14 | } 15 | // 16 | XMLHttpRequest.toString = function (){ 17 | return "function XMLHttpRequest() { [native code] }"; 18 | }; 19 | XMLHttpRequest.prototype.setRequestHeader_cache = undefined; 20 | XMLHttpRequest.length = 1; 21 | } 22 | 23 | hook() 24 | }()); 25 | 26 | // Specific 27 | // if want hook setHeader whne name is token 28 | // (function () { 29 | // alert('Start Hook'); 30 | // // create function cache 31 | // function hook() { 32 | // XMLHttpRequest.prototype.setRequestHeader_cache = XMLHttpRequest.prototype.setRequestHeader; 33 | // XMLHttpRequest.prototype.setRequestHeader = function (val) { 34 | // if (val.indexOf("Safe") > -1) { 35 | // console.log("Hook val", val); 36 | // let ret = XMLHttpRequest.prototype.setRequestHeader_cache(val); 37 | // debugger; 38 | // return ret 39 | // } 40 | // return XMLHttpRequest.prototype.setRequestHeader_cache(val); 41 | // } 42 | // } 43 | // 44 | // hook() 45 | // }()); 46 | 47 | // (function () { 48 | // console.log('start time:', new Date()['valueOf']()) 49 | // let h = document.createElement('div'); 50 | // let opening = false; 51 | // let isopen = false; 52 | // Object.defineProperty(h, 'id', { 53 | // get: function () { 54 | // if (!opening) { 55 | // console.log('打开控制台了', new Date()['valueOf']()); 56 | // isopen = true; 57 | // } 58 | // isopen = true; 59 | // } 60 | // }) 61 | // }()); -------------------------------------------------------------------------------- /PrototypeChain_hook/XMLHTTPRequest/based.js: -------------------------------------------------------------------------------- 1 | // basic 2 | !function hook() { 3 | alert("start Hook"); 4 | XMLHttpRequest.prototype.setRequestHeader = function () { 5 | debugger; 6 | }}(); 7 | -------------------------------------------------------------------------------- /PrototypeChain_hook/split/split.js: -------------------------------------------------------------------------------- 1 | !function () { 2 | alert('Start Hook'); 3 | // create function cache 4 | function hook() { 5 | String.prototype.split_cache = String.prototype.split 6 | String.prototype.split = function (val) { 7 | // Gets the variable of the current scope 8 | let str = this.String(); 9 | console.log('Arguments:', val) 10 | debugger; 11 | return str.split_cache(val); 12 | } 13 | 14 | } 15 | hook() 16 | }(); -------------------------------------------------------------------------------- /PrototypeChain_hook/websocket.js: -------------------------------------------------------------------------------- 1 | WebSocket.prototype.senda = WebSocket.prototype.send; 2 | WebSocket.prototype.send = function (data) { 3 | console.info("Hook WebSocket", data); 4 | return this.senda(data); 5 | } 6 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # JsHookScript 2 | 3 | We know that JS reverse analysis is very slow and difficult, so how to simplify this process. 4 | Hook will benefit you and me a lot 5 | 6 | JsHoook Script is Js Hook axiom。it want tell you how to use js to hook 7 | 8 | ## JSHook menu(PC) 9 | 10 | ### Hook function 11 | 12 | - [x] Hook Everthing of eval 13 | - [x] Hook Everthing of Base64 14 | 15 | ### Hook Attributes 16 | 17 | - [x] Hook Everthing of cookie 18 | 19 | ### Hook Prototype chain 20 | 21 | - [x] Hook String of split 22 | - [x] Hook Everthing of Function 23 | 24 | ## JSHook Theorem 25 | 26 | ### Hook function or object 27 | 28 | #### Theorem 29 | 30 | 0. Tips A hint might be a good choice 31 | 32 | ```js 33 | alter("Start Hooking...") 34 | ``` 35 | 36 | 1. Building replica function objects, Prepare the hook 37 | 38 | ```js 39 | var func_cache = func; 40 | ``` 41 | 42 | 2. rewrite function to hook; 43 | 44 | ```js 45 | func = function() { 46 | // your hook logic 47 | 48 | return func_cache; 49 | } 50 | ``` 51 | 52 | 3. Disguise the prototype 53 | 54 | #### Sample code 55 | 56 | ```js 57 | // example hook eval 58 | (function () { 59 | // 0.Tips A hint might be a good choice 60 | alert('Start Hooking ...'); 61 | // 1.Building replica function objects, Prepare the hook 62 | function Hooker(obj, attr) { 63 | // 2. rewrite function to hook; 64 | var func = obj[attr] 65 | obj[attr] = function () { 66 | console.log('hooked', obj, attr, arguments); 67 | var result = func.apply(obj, arguments); 68 | debugger; 69 | console.log('result', result); 70 | return result; 71 | } 72 | //3.Disguise the prototype 73 | attr.toString = function () { 74 | return "function eval() { [native code] }"; 75 | }; 76 | attr.length = 1; 77 | } 78 | Hooker(window, 'eval') 79 | })() 80 | ``` 81 | 82 | ### Hook attribute 83 | 84 | > Object.defineProperty() 85 | > 86 | > The static method `Object.defineProperty()` defines a new property directly on an object, or modifies an existing property on an object, and returns the object. 87 | 88 | #### Theorem 89 | 90 | 0. Tips A hint might be a good choice 91 | 92 | ```js 93 | alter("Start Hooking...") 94 | ``` 95 | 96 | 1. Building replica function objects, Prepare the hook 97 | 98 | ```js 99 | var func = obj[attr] 100 | ``` 101 | 102 | 2. Bind monitor function to hook; 103 | 104 | ```js 105 | Object.defineProperty(obj, 'attr', { 106 | set: function() { 107 | // your hook logic, when set attr(Commonly used) 108 | }, 109 | get: function() { 110 | // your hook logic, when set attr(Not Commonly used) 111 | } 112 | }) 113 | ``` 114 | 115 | > note: 116 | > 117 | > When all objects are bound before binding, it becomes invalid 118 | 119 | #### Sample code 120 | 121 | ```js 122 | (function() { 123 | // 0.Tips A hint might be a good choice 124 | alert("Starting Hook") 125 | // 1. Building replica function objects, Prepare the hook 126 | cookie_cache = document.cookie 127 | // 2. Bind monitor function to hook; 128 | Object.defineProperty(document, 'cookie', { 129 | get: function() { 130 | debugger; 131 | return cookie_cache; 132 | }, 133 | set: function() { 134 | debugger; 135 | return cookie_cache; 136 | } 137 | }) 138 | }()) 139 | ``` 140 | 141 | ### Hook according to the prototype chain 142 | 143 | > Sometimes we want to hook the method of a function, but the above method is difficult to satisfy. According to the prototype chain, it can be done easily 144 | 145 | #### Theorem 146 | 147 | 0. Tips A hint might be a good choice 148 | 149 | ```js 150 | alter("Start Hooking...") 151 | ``` 152 | 153 | 1. Building replica function Prototype chain objects, Prepare the hook 154 | 155 | ```js 156 | let function.prototype.func_cache = function.prototype.func; 157 | ``` 158 | 159 | 2. rewrite function to hook; 160 | 161 | ```js 162 | func = function() { 163 | // your hook logic 164 | 165 | return func_cache; 166 | } 167 | ``` 168 | 169 | 3. Disguise the prototype 170 | 171 | ```js 172 | 1.Disguise toString 173 | attr.toString = function () { 174 | return "function func() { [native code] }"; 175 | }; 176 | 2. Disguise length 177 | attr.length = 1; 178 | 3.remove cache 179 | function.prototype.func_cache = undefined 180 | ``` 181 | 182 | Sample code 183 | 184 | ```js 185 | (function () { 186 | // 0.Tips A hint might be a good choice 187 | alert('Start Hook'); 188 | function hook() { 189 | // 1.Building replica function Prototype chain objects, Prepare the hook 190 | XMLHttpRequest.prototype.setRequestHeader_cache = XMLHttpRequest.prototype.setRequestHeader; 191 | // 2.rewrite function to hook; 192 | XMLHttpRequest.prototype.setRequestHeader = function (val) { 193 | console.log("Hook val", val); 194 | debugger; 195 | return XMLHttpRequest.prototype.setRequestHeader_cache(val); 196 | } 197 | // Disguise the prototype 198 | XMLHttpRequest.toString = function (){ 199 | return "function XMLHttpRequest() { [native code] }"; 200 | }; 201 | XMLHttpRequest.prototype.setRequestHeader_cache = undefined; 202 | XMLHttpRequest.length = 1; 203 | } 204 | hook() 205 | }()); 206 | ``` 207 | 208 | 209 | ## AST-Hook 210 | 211 | [ast-hook-for-js-RE](https://github.com/JSREI/ast-hook-for-js-RE) -------------------------------------------------------------------------------- /attr_hook/cookie/base.js: -------------------------------------------------------------------------------- 1 | ~function () { 2 | alert("Starting Hook") 3 | Object.defineProperty(document, 'cookie', { 4 | get() { 5 | debugger; 6 | }, 7 | set() { 8 | debugger; 9 | } 10 | }) 11 | }(); -------------------------------------------------------------------------------- /attr_hook/cookie/based.js: -------------------------------------------------------------------------------- 1 | // Special hook 2 | ~function () { 3 | alert("Starting Hook"); 4 | let cookie_cache = document.cookie; 5 | Object.defineProperty(document, 'cookie', { 6 | get() { 7 | return cookie_cache; 8 | }, 9 | set(val) { 10 | if (val.indexOf('GW1gelwM5YZuT') > -1) { 11 | debugger; 12 | } 13 | return cookie_cache; 14 | } 15 | }) 16 | }(); -------------------------------------------------------------------------------- /attr_hook/cookie/encapsulated.js: -------------------------------------------------------------------------------- 1 | !function () { 2 | alert("Starting Hook") 3 | 4 | function hook(obj, attr) { 5 | let attr_cache = obj[attr]; 6 | Object.defineProperty(obj, attr, { 7 | get() { 8 | debugger; 9 | return attr_cache; 10 | }, 11 | set() { 12 | console.log('Hooked', arguments) 13 | debugger; 14 | return attr_cache; 15 | } 16 | }) 17 | } 18 | 19 | hook(document, 'cookie') 20 | }(); -------------------------------------------------------------------------------- /attr_hook/cookie/hookCookieExample.js: -------------------------------------------------------------------------------- 1 | var cookie_cache = document.cookie; 2 | Object.defineProperty(document, 'cookie', { 3 | get: function () { 4 | console.log('Getting cookie'); 5 | return cookie_cache; 6 | }, 7 | set: function (val) { 8 | console.log('Setting cookie', val); 9 | var cookie = val.split(";")[0]; 10 | var ncookie = cookie.split("="); 11 | var flag = false; 12 | var cache = cookie_cache.split("; "); 13 | cache = cache.map(function (a) { 14 | if (a.split("=")[0] === ncookie[0]) { 15 | flag = true; 16 | return cookie; 17 | } 18 | return a; 19 | }) 20 | cookie_cache = cache.join("; "); 21 | if (!flag) { 22 | cookie_cache += cookie + "; "; 23 | } 24 | this._value = val; 25 | return cookie_cache; 26 | }, 27 | }); 28 | -------------------------------------------------------------------------------- /obj_hook/Funtion.js: -------------------------------------------------------------------------------- 1 | // Hook Function 2 | (function() { 3 | alert(1); 4 | let construtor_cache = window.constructor; 5 | Function.prototype.constructor = function(d) { 6 | if (d === "debugger") { 7 | console.log("constructor:", d); 8 | debugger; 9 | return null; 10 | } 11 | return construtor_cache(d); 12 | } 13 | }()) -------------------------------------------------------------------------------- /obj_hook/HookSetInterval.js: -------------------------------------------------------------------------------- 1 | let _setInterval = setInterval; 2 | setInterval = function (a, b) { 3 | if (a.toString().indexOf("debugger") !== -1) { 4 | return null; 5 | } 6 | _setInterval(a, b); 7 | }; -------------------------------------------------------------------------------- /obj_hook/base64/base64.js: -------------------------------------------------------------------------------- 1 | 2 | base64Hook_1 = function () { 3 | 'use strict' 4 | // 0.Injection feedback, when start hook will have a prompt 5 | alert('Start Hooking ...'); 6 | // 1. rewrite 7 | } 8 | 9 | 10 | // (function() { 11 | // 'use strict' 12 | // alert('Start Hooking ...'); 13 | // function hook(obj, attr) { 14 | // let func = obj[String(attr)]; 15 | // obj[attr] = function() { 16 | // console.log('hooked', obj, attr, arguments) 17 | // let ret = func.apply(obj, arguments); 18 | // console.log('result', ret); 19 | // debugger; 20 | // return ret; 21 | // }; 22 | // // Disguise the prototype 23 | // attr.toString = function() { 24 | // return "function btoa() { [native code] }"; 25 | // }; 26 | // attr.length = 1; 27 | // }; 28 | // hook(window, btoa); 29 | // }()); -------------------------------------------------------------------------------- /obj_hook/base64/btoa.js: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/azwpayne/JsHookScript/25cd2366825225294bdd408268458f972ce53316/obj_hook/base64/btoa.js -------------------------------------------------------------------------------- /obj_hook/evel/eval.js: -------------------------------------------------------------------------------- 1 | // ==UserScript== 2 | // @name Hook Everthing of eval 3 | // @namespace http://tampermonkey.net/ 4 | // @version 0.1 5 | // @description Try to Hook Everthing eval 6 | // @author Payne 7 | // @match * 8 | // @grant none 9 | // @run-at document-start 10 | // ==/UserScript== 11 | 12 | (function() { 13 | // 0.Tips 14 | alert('Start Hooking ...'); 15 | // Building replica function objects, Prepare the hook 16 | let eval_new = eval; 17 | //rewrite function to hook; 18 | eval = function(val) { 19 | console.log('Hooked :', val); 20 | debugger; 21 | return eval_new(val) 22 | }; 23 | // Disguise the prototype 24 | eval.toString = function() { 25 | return "function eval() { [native code] }" 26 | }; 27 | eval.length = 1; 28 | })(); 29 | // ===================================2=================================== 30 | 31 | 32 | (function() { 33 | // 0.Tips 34 | alert('Start Hooking ...'); 35 | // Building replica function objects, Prepare the hook 36 | let eval_new = window.eval; 37 | //rewrite function to hook; 38 | window.eval = function(val) { 39 | console.log('Hooked :', val, window, eval, arguments); 40 | debugger; 41 | return eval_new(val) 42 | }; 43 | // Disguise the prototype 44 | window.eval.toString = function() { 45 | return "function eval() { [native code] }" 46 | }; 47 | window.eval.length = 1; 48 | })(); 49 | 50 | // ====================================3=================================== 51 | 52 | (function() { 53 | // 0.Tips 54 | alert('Start Hooking ...'); 55 | // Building replica function objects, Prepare the hook 56 | let eval_new = window.eval; 57 | //rewrite function to hook; 58 | window.eval = function(val) { 59 | console.log('Hooked :', val, window, eval, arguments); 60 | let result = eval_new.apply(window.eval, arguments) 61 | debugger; 62 | console.log('result', result) 63 | return result 64 | }; 65 | // Disguise the prototype 66 | window.eval.toString = function() { 67 | return "function eval() { [native code] }" 68 | }; 69 | window.eval.length = 1; 70 | })(); 71 | 72 | // ====================================4=================================== 73 | 74 | (function() { 75 | alert('Start Hooking ...'); 76 | function Hooker(obj, attr) { 77 | let func = obj[attr] 78 | obj[attr] = function() { 79 | console.log('hooked', obj, attr, arguments); 80 | let result = func.apply(obj, arguments); 81 | debugger; 82 | console.log('result', result); 83 | return result; 84 | }; 85 | // Disguise the prototype 86 | attr.toString = function() { 87 | return "function eval() { [native code] }"; 88 | }; 89 | attr.length = 1; 90 | } 91 | Hooker(window, 'eval') 92 | })() -------------------------------------------------------------------------------- /obj_hook/json/JsonInfo.js: -------------------------------------------------------------------------------- 1 | var my_stringify = JSON.stringify; 2 | JSON.stringify = function (params) { 3 | console.log("json_stringify:", params); 4 | return json_stringify(params); 5 | }; 6 | 7 | var my_parse = JSON.parse; 8 | JSON.parse = function (params) { 9 | console.log("json_parse:", params); 10 | return json_parse(params); 11 | }; 12 | -------------------------------------------------------------------------------- /obj_hook/json/json_stringingstringe.js: -------------------------------------------------------------------------------- 1 | /* 2 | * Hook Json Parsing and stringification 3 | * */ 4 | 5 | function HookJsonParsing() { 6 | alert("start Hook Json Parsing...") 7 | let func = JSON.stringify; 8 | JSON.stringify = function () { 9 | console.log('Detect arguments', arguments); 10 | debugger; 11 | let result = func.apply(func, arguments); 12 | console.log("Result:", result); 13 | return result; 14 | } 15 | } 16 | 17 | function HookJsonStringification() { 18 | alert("start Hook Json Parsing...") 19 | let func = JSON.parse; 20 | JSON.parse = function () { 21 | console.log('Detect arguments', arguments); 22 | debugger; 23 | let result = func.apply(func, arguments); 24 | console.log("Result:", result); 25 | return result; 26 | } 27 | } 28 | 29 | 30 | 31 | --------------------------------------------------------------------------------