JS常用HOOK脚本
Hook定义
Hook 技术又叫做钩子函数,在系统没有调用该函数之前,钩子程序就先捕获该消息,钩子函数先得到控制权
这时钩子函数既可以加工处理(改变)该函数的执行行为,还可以强制结束消息的传递
简单来说,就是把系统的程序拉出来变成我们自己执行代码片段。
在 js 中,系统程序可以指浏览器API,也可以指代码中实现的一些方法等
Hook 步骤
1、寻找 hook 点
2、编写 hook 逻辑
3、调试
注:最常用的是hook cookie response open 表单
常见hook脚本
COOKIE
(function() {//严谨模式 检查所有错误'use strict';var cookieTemp = "";Object.defineProperty(document, 'cookie', {set: function(val) {console.log('Hook捕获到cookie设置->', val);cookieTemp = val;return val;},get: function(){return cookieTemp;}});
})();HEADER
(function () {var org = window.XMLHttpRequest.prototype.setRequestHeader;window.XMLHttpRequest.prototype.setRequestHeader = function (key, value) {if (key == 'Authorization') {debugger;}return org.apply(this, arguments);};
})();URL / XHR
(function () {var open = window.XMLHttpRequest.prototype.open;window.XMLHttpRequest.prototype.open = function (method, url, async) {if (url.indexOf("login") != -1) {debugger;}return open.apply(this, arguments);};
})();FETCH
(function () {let fetchCache = Object.getOwnPropertyDescriptor(window, "fetch");Object.defineProperty(window, "fetch", {value: function (url) {console.log("Hook fetch url => ", url);debugger;return fetchCache.value.apply(this, arguments);}});
})();EVAL
(function() {var eval_ = eval;// 重写 evalvar myeval = function(src) {if(src.includes('debugger')){src = src.replace(/debugger\s*;?/g, '')}return eval_(src);}var myeval_ = myeval.bind(null);myeval_.toString = function(){return eval_.toString();};Object.defineProperty(window, 'eval', {value: myeval_});
})();var a=eval+""
var _eval=eval
eval=function(arg){
console.log(arg)return _eval(arg)
}
eval.toString=function(){return "function eval() { [native code] }"}
var _old=Function.prototype.toString.call
Function.prototype.toString.call=function(arg){if(arg==eval)return "function eval() { [native code] }"return _old(arg);}
console.log(Function.prototype.toString.call(eval))JSON
// JSON.stringify ------------------------------------------
(function() {var stringify = JSON.stringify;JSON.stringify = function(params) {console.log("Hook JSON.stringify ——> ", params);debugger;return stringify(params);}
})();// JSON.parse ------------------------------------------
(function() {var parse = JSON.parse;JSON.parse = function(params) {console.log("Hook JSON.parse ——> ", params);debugger;return parse(params);}
})();无限 DEBUGGER
(function () {let constructorCache = Function.prototype.constructor;Function.prototype.constructor = function (string) {if (string === "debugger") {console.log("Hook constructor debugger!");return function () {};}return constructorCache(string);};
})();Function.prototype.constructor_bk = Function.prototype.constructor
Function.prototype.constructor = function(){if (arguments[0]=="debugger"){return function () {};}else{return Function.prototype.constructor_bk.apply(this, arguments)}
}WEBSOCKET
(function () {let sendCache = WebSocket.prototype.send;WebSocket.prototype.send = function (data) {console.info("Hook WebSocket send => ", data);return sendCache(data);};
})();
CONSOLE
(function () {let consoleCache = console.log;console.log = function (msg) {consoleCache("Hook console.log =>", msg);if(msg === "value") {debugger;}consoleCache(msg);};
})();
CREATEELEMENT
(function () {let createElementCache = document.createElement;document.createElement = function (tagName) {console.info("Hook createElement tagName => ", tagName);if(tagName === "div") {debugger;}return createElementCache(tagName);};
})();GETELEMENTBYID
(function () {let getElementByIdCache = document.getElementById;document.getElementById = function (id) {console.info("Hook getElementById id => ", id);if (id === "spiderapi") {debugger;}return getElementByIdCache(id);};
})();SETATTRIBUTE
(function () {let setAttributeCache = window.Element.prototype.setAttribute;window.Element.prototype.setAttribute = function (name, value) {console.info("Hook setAttribute name => %s, value => %s", name, value);if (name === "value") {debugger;}return setAttributeCache(name, value);};
})();SETINTERVAL / SETTIMEOUT
(function () {let setIntervalCache = setInterval;setInterval = function (func, delay) {console.log("Hook setInterval func => %s, delay => %s", func, delay);debugger;return setIntervalCache(func, delay);};
})();(function () {let setTimeoutCache = setTimeout;setTimeout = function (func, delay) {console.log("Hook setTimeout func => %s, delay => %s", func, delay);debugger;return setTimeoutCache(func, delay);};
})();原型链
// 备份原函数,并添加至原型链
String.prototype.split_ = String.prototype.split;
// hook split 方法
String.prototype.split = function(val){str = this.toString();debugger;return str.split_(val);
};
// 过检测
String.prototype.split.toString = function (){return "function split() { [native code] }";
}- hook 正则 test 方法,使其总是返回 true
RegExp.prototype.test_ = RegExp.prototype.test; RegExp.prototype.test = function (val) {return true; }; RegExp.prototype.test.toString = function () {return "function test() { [native code] }" }