I have an idea for a small program that checks the HTML code in web browsers (IE, Firefox, Chrome) before letting them render it. The purpose is to check whether the HTML contains dangerous JS code; if it does, replace the whole HTML with a pre-given HTML page (to inform the user that the website contains malware).
I don't know where to start (hooking? packet sniffing? ...) because I've only been learning C++ for 4 days (before that I coded PHP and JS for many years). Moving from web coding to desktop coding is a challenge for me. So please help; thank you.
First, OpenProcess the target application, then just WriteProcessMemory your hook code instead of using memcpy() (as if it were local). For the hook callbacks, you allocate memory, write the code to that memory, and then point your hook JMPs (or whatever) to that code.
Make sure the hook callback code is position-independent.
Functions to hook: DnsQuery, just to affect Internet Explorer, but I am not going to give you the functions for hooking Firefox or Chrome, sorry.
After hooking DnsQuery you can compare the query to a list of blacklisted websites, possibly in a *.txt file or a custom file.
Or, an alternative and more effective approach:
You can hook other WinInet functions which are designed to get data back, and inject into all processes; leave system processes alone, as they can cause an issue if you crash such a process. Then simply check the received data and use an if statement to compare the HTML.
Beware: some processes are protected by denying access to their handle.
If you can understand the theory I would be surprised, as most newbies should not be attempting these subjects; you will be confused.
@SpaceWorm: hey friend, I don't want to hook DnsQuery (to get the URLs); what I want is to get the HTML (before rendering). Don't worry, after getting it I know how to deal with it. So what function do I need to hook to reach the goal?
Yes, I do know recv, but a better idea would be to hook WSPRecv(), as it is a lower-level network function; thus you will capture the data as it comes from ntdll.KiSystemFastCall. This way you will be hooking the lowest level from Ring 3 to a network function.
WSP functions are the Layered Socket Provider function set.
especially when hooking. Hooking WSPRecv instead of, say, recv() allows you to avoid fighting over the same scraps as other website checkers if they also intend to hook ws2_32.recv().
Also, I never use WinInet, and I am not sure whether any WinInet functions link back into send() or recv().
Try reverse engineering the function.
After X64_Start() is executed, the CPU will switch to the x64 code segment; this way you can execute x64 code.
You need to export x64 functions via a memory trick, then use typedef to cast the function to trick the compiler into generating a fake function.
Also make sure to generate DWORD-based assembly to break the stack.
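The "check the received data" step that the first answer and the WSPRecv suggestion both describe, as an added example that is not code from either poster: this is only the part that runs after a hook has captured one chunk of the response, written in portable C so it can be compiled and run without any hooking or Windows API. The pattern list, the 64-byte carried-over tail, and the 1024-byte scan window are my own illustrative assumptions; OpenProcess, WriteProcessMemory and the trampolines themselves are left out.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Illustrative pattern list (an assumption, not from the thread). A real
   scanner needs far more than this and will still produce false positives. */
static const char *const SUSPICIOUS[] = {
    "<script", "eval(", "unescape(", "document.write(", NULL
};

#define TAIL_MAX 64    /* must be >= longest pattern length - 1 */
#define PIECE    1024  /* largest slice scanned at once */

/* State kept per connection across successive recv()/WSPRecv() chunks. */
typedef struct {
    char tail[TAIL_MAX];  /* last bytes of the previous chunk */
    size_t tail_len;
    int flagged;          /* set once, stays set for the connection */
} html_scan_t;

void scan_init(html_scan_t *s) { memset(s, 0, sizeof *s); }

/* Case-insensitive search for needle in a buffer that is not NUL-terminated. */
static int contains_nocase(const char *hay, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++) {
        size_t j = 0;
        while (j < m && tolower((unsigned char)hay[i + j]) ==
                        tolower((unsigned char)needle[j]))
            j++;
        if (j == m) return 1;
    }
    return 0;
}

static size_t longest_pattern(void) {
    size_t best = 0;
    for (int i = 0; SUSPICIOUS[i]; i++) {
        size_t l = strlen(SUSPICIOUS[i]);
        if (l > best) best = l;
    }
    return best;
}

/* Feed one chunk exactly as the hook saw it. Returns 1 if the stream is
   (now or previously) flagged, 0 otherwise. A pattern split across two
   chunks is still caught because the previous chunk's tail is prepended. */
int scan_feed(html_scan_t *s, const char *chunk, size_t n) {
    char window[TAIL_MAX + PIECE];
    size_t keep = longest_pattern() - 1;
    if (s->flagged) return 1;
    while (n > 0) {
        size_t take = n < PIECE ? n : PIECE;
        memcpy(window, s->tail, s->tail_len);
        memcpy(window + s->tail_len, chunk, take);
        size_t wlen = s->tail_len + take;
        for (int i = 0; SUSPICIOUS[i]; i++) {
            if (contains_nocase(window, wlen, SUSPICIOUS[i])) {
                s->flagged = 1;
                return 1;
            }
        }
        /* remember the last `keep` bytes for the next call */
        size_t t = wlen < keep ? wlen : keep;
        memcpy(s->tail, window + wlen - t, t);
        s->tail_len = t;
        chunk += take;
        n -= take;
    }
    return 0;
}

int main(void) {
    /* Constructed sample response, delivered as three recv() chunks with
       the "<script" tag straddling the first chunk boundary. */
    const char *chunks[] = {
        "HTTP/1.1 200 OK\r\n\r\n<html><body><p>hi</p><scr",
        "IPT>eval(unescape('%61'))</script>",
        "</body></html>"
    };
    html_scan_t s;
    scan_init(&s);
    for (size_t i = 0; i < 3; i++) {
        if (scan_feed(&s, chunks[i], strlen(chunks[i]))) {
            printf("flagged at chunk %zu\n", i);
            return 0;
        }
    }
    puts("clean");
    return 0;
}
```

Two things the example makes visible that the thread glosses over. First, recv()/WSPRecv deliver the page in arbitrary pieces, so matching each call in isolation misses `<scr` + `ipt>`; the carried-over tail is what closes that gap. Second, once a chunk has been handed back to the browser it cannot be recalled, so "replace the whole HTML with a warning page" only works if the hook buffers the entire response before releasing any of it. Hooking at the socket level also only sees plaintext for plain HTTP; for HTTPS the bytes at WSPRecv are TLS ciphertext, and gzip or chunked transfer encoding must be undone before any HTML pattern can match.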
Yes sir, you have answered all my questions successfully. But it takes time for me to follow it. I've been coding PHP for 6-7 years but I'm a complete noob at Windows things. I don't even know how Windows really works @@!
How long had you been coding for DOS before you switched to Windows? And how long does it take to master Windows?
Well, I have never used DOS; my first platform was Windows XP. Now I use Windows 7.
Trust me, I am not a master of Windows; I may be knowledgeable, but in no way am I a master.
Basically it takes decades to understand how Windows works down to the kernel level, but after 5 years of Windows programming knowledge it starts to become a lot less thrilling and more painful. For instance, currently I am programming a bootkit for research purposes, and that involves bypassing ASLR and such, which is a pain.
Trust me, learn assembly, both x86 and x64; it will help you understand why the stack and RAM and such are such a big deal. This will allow you to understand all the hooking and related stuff with ease.
Can we be friends? Please allow me to add you on Facebook. ASM takes too much and it's too complicated for a newbie like me. But in the future, after getting to know Windows a little bit, I will move to ASM :D. I will focus on malware programming for good purposes.
I do not have Facebook. Feel free to private message me regarding any question you may have in mind, especially anything relating to the Windows API.
As for malware programming, I would suggest you look at malware analysis and malware structure. This would give you a better understanding of how malware really works internally.
The issue with your "HTML scanner" is that much malware spreads using JDB, Java drive-by, which is impossible to detect. Of course you can see if Java is being used, but games also use Java, so expect many false positives. There are exploit packs such as the Black Hole exploit pack which are almost FUD, fully undetectable, in the sense that even modern AV solutions fail to detect these backdoors.
This job would be very hard. I can help you with a few parts and such, because I did program malware for research purposes and I know how to avoid it, so I can help with the programming.
By the way, try hooking the GetTcpTable() function; it will help you a hell of a lot because it will show you all processes' network status and network usage. This way, if unwanted software is connecting to an unknown IP, you can botkill it by removing it from the registry and other start-up places.