Check HTML code for malware before rendering

Hello friends,

I have an idea for making a small program to check the HTML code of web browsers (IE, Firefox, Chrome) before letting them render it. The purpose of this is to check if the HTML contains dangerous JS code; if it does, replace the whole HTML with a pre-given HTML page (to inform the user that the website contains malware).

I don't know where to start (hooking? packet sniffing?...) because I've only been learning C++ for 4 days (before that I coded PHP and JS for many years). Moving from web coding to desktop coding is a challenge for me. So please help; thank you.
Every browser has a documented way for writing plugins, use it.
closed account (G309216C)
Hi,

I have knowledge in this field quite a bit.

First OpenProcess the target application, then just WriteProcessMemory your hook code instead of using memcpy() (as if it were local). For the hook callbacks, you allocate memory, write the code to that memory, and then point your hook JMPs/whatever to that code.

Make sure hook callback code is position-independent.


Functions to hook: DnsQuery, just to affect Internet Explorer, but I am not going to give you functions for hooking Firefox or Chrome, sorry.

After hooking DnsQuery you can compare it to a list of blacklisted websites, possibly in a *.txt file or a custom file.


Or, an alternative and more effective approach:

You can hook other WinInet functions which are designed to get data back, and inject them into all processes; leave system processes alone, as they can cause an issue if you crash that process. Then simply check the received data and use an if statement to compare the HTML.

Beware some processes are protected by denying access to its handle.

Advice:

If you can understand the theory I would be surprised, as most newbies should not be attempting these subjects, as you will be confused.
GL
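For the DnsQuery-plus-blacklist idea above, the part that is easy to get wrong is the name comparison itself: queried names arrive in mixed case, sometimes with a trailing dot, and a blocked domain should also cover its subdomains without catching look-alikes such as "notevil.example". The following is an added example, not code from this thread, written in portable C so it runs without any hook in place: it loads a list in the one-domain-per-line text file format the post mentions and matches on label boundaries. The sample list and the query names are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 64
#define MAX_NAME    256   /* a DNS name is at most 253 characters */

/* Lower-case a name and drop surrounding whitespace plus one trailing dot.
 * Returns the normalized length (0 for a blank line). */
static size_t normalize_name(const char *in, size_t in_len, char *out, size_t cap)
{
    while (in_len && isspace((unsigned char)in[0])) { in++; in_len--; }
    while (in_len && isspace((unsigned char)in[in_len - 1])) in_len--;
    if (in_len && in[in_len - 1] == '.') in_len--;   /* "evil.example." == "evil.example" */
    if (in_len >= cap) in_len = cap - 1;
    for (size_t i = 0; i < in_len; i++)
        out[i] = (char)tolower((unsigned char)in[i]);
    out[in_len] = '\0';
    return in_len;
}

/* 1 if qname is entry itself or a subdomain of it. The suffix comparison is
 * anchored on a label boundary, so "evil.example" matches "www.evil.example"
 * but not "notevil.example"; a plain strstr()/suffix test gets the latter wrong. */
int domain_matches(const char *qname, const char *entry)
{
    char q[MAX_NAME], e[MAX_NAME];
    size_t ql = normalize_name(qname, strlen(qname), q, sizeof q);
    size_t el = normalize_name(entry, strlen(entry), e, sizeof e);
    if (el == 0 || ql < el) return 0;              /* an empty entry must not match everything */
    if (memcmp(q + (ql - el), e, el) != 0) return 0;
    return ql == el || q[ql - el - 1] == '.';
}

/* Parse the "one domain per line" text format. Blank lines and lines starting
 * with '#' are skipped. Returns the number of entries stored. */
size_t load_blacklist(const char *text, char list[][MAX_NAME], size_t max_entries)
{
    size_t count = 0;
    const char *line = text;
    while (*line && count < max_entries) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        const char *p = line;
        while (p < line + len && isspace((unsigned char)*p)) p++;
        if (p < line + len && *p != '#') {
            if (normalize_name(line, len, list[count], MAX_NAME) > 0)
                count++;
        }
        if (!eol) break;
        line = eol + 1;
    }
    return count;
}

/* Index of the first entry that covers qname, or -1 if it is not listed. */
int blacklist_lookup(const char *qname, char list[][MAX_NAME], size_t count)
{
    for (size_t i = 0; i < count; i++)
        if (domain_matches(qname, list[i])) return (int)i;
    return -1;
}

/* Constructed sample list; stands in for the *.txt file the post mentions. */
static const char SAMPLE_BLACKLIST[] =
    "# constructed example list, not real malware domains\n"
    "evil.example\n"
    "\n"
    "  Malware.Test.  \r\n"
    "phish.example\n";

/* Load the sample list and look one name up (what the DnsQuery hook would call). */
int demo_lookup(const char *qname)
{
    char list[MAX_ENTRIES][MAX_NAME];
    size_t n = load_blacklist(SAMPLE_BLACKLIST, list, MAX_ENTRIES);
    return blacklist_lookup(qname, list, n);
}

int main(void)
{
    const char *queries[] = { "www.evil.example", "notevil.example", "CDN.Malware.TEST.", "good.example" };
    for (size_t i = 0; i < sizeof queries / sizeof queries[0]; i++)
        printf("%-20s -> %s\n", queries[i], demo_lookup(queries[i]) >= 0 ? "BLOCK" : "allow");
    return 0;
}
```

The lookup is linear, which is fine for a small text list; a tool that ships a list of thousands of entries would index by reversed label sequence instead, but the boundary rule in domain_matches() is the same either way.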
Hey SpaceWorm,

Thank you so much for your answer. Now I know what to do:
- Learn how Windows works (the most important step!?)
- Learn how to deal with Processes
- Learn how to deal with Hooking

@modoran: I'm not trying to write plugins, I want to make a stand-alone program :D


So what's the problem? Use a plugin and communicate with your main program using some form of IPC (inter-process communication).
closed account (G309216C)
@modoran

The problem with your idea is that it will only be compatible with some browsers, whereas my suggested idea will work for every internet browser.

Of course mine could be much more complex, but it pays off quite well if all is done perfectly.
"You can hook other WinInet functions which are designed to get data back, and inject them into all processes"



The only browser I know of that uses WinInet is Internet Explorer (and every other application that uses the Trident engine), so how will your solution work for every browser?
closed account (G309216C)
Well, as good as you said it, but all the engines or whatever use low-level Windows native functions such as WSPSend() and other WSP functions. Right!

@SpaceWorm: hey friend, I don't want to hook DnsQuery (to get the URLs); what I want is to get the HTML (before rendering). Don't worry, after getting it I know how to deal with it. So what function do I need to reach the goal?
closed account (G309216C)
Hi,

These things are easy; just look here to find what you need: http://msdn.microsoft.com/en-us/library/windows/desktop/aa384322(v=vs.85).aspx
Hi SpaceWorm,

My friend told me about API hooking (the recv function). Do you know about it?
closed account (G309216C)
Yes, I do know recv, but a better idea would be to hook WSPRecv(), as it is a lower-level network function; thus you will capture it as it transmits from ntdll.KiSystemFastCall. This way you will be hooking the lowest level from Ring 3 to a network function.

WSP functions are Layered Socket Providers function set.

Especially when hooking: hooking WSPRecv instead of, say, recv() allows you to avoid fighting over the same scraps as other website checkers if they also intend on hooking ws2_32.recv().


Also, I never use WinInet, so I am not sure if any WinInet functions link back into send() or recv().
Try reverse engineering the function.
GL
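Whichever layer the hook ends up at (recv(), WSPRecv() or a WinInet function), what it sees is raw HTTP bytes rather than a finished document, so the "check the received data and compare the HTML" step from the earlier post has to reassemble a response first. The following is an added example, not code from this thread: a portable C inspector that buffers one response, reads Content-Type and Content-Length, runs a constructed heuristic for script markers, and swaps in a warning page when the heuristic fires. The marker list, the warning page and the sample responses are assumptions for illustration; the Windows injection and the hook itself are not shown.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { INSPECT_ERROR = -2, INSPECT_NEED_MORE = -1, INSPECT_PASS = 0, INSPECT_REPLACED = 1 };

/* Constructed replacement page, standing in for the "pre-given HTML" the OP wants to show. */
static const char WARNING_HTML[] =
    "<!DOCTYPE html><html><head><title>Blocked</title></head><body>"
    "<h1>This page was blocked</h1>"
    "<p>The HTML received contained script the filter considers dangerous.</p>"
    "</body></html>";

/* Constructed heuristic: markers typical of obfuscated drive-by scripts. A real
 * tool needs a far richer ruleset; this only shows where the check sits. */
static const char *const SUSPICIOUS[] = {
    "eval(", "unescape(", "String.fromCharCode(", "document.write("
};

/* Case-insensitive search in a length-delimited buffer (not NUL-terminated). */
static const char *find_ci(const char *hay, size_t hay_len, const char *needle)
{
    size_t n = strlen(needle);
    if (n == 0 || hay_len < n) return NULL;
    for (size_t i = 0; i + n <= hay_len; i++) {
        size_t j = 0;
        while (j < n && tolower((unsigned char)hay[i + j]) == tolower((unsigned char)needle[j]))
            j++;
        if (j == n) return hay + i;
    }
    return NULL;
}

/* Locate a header's value by name; returns NULL if the header is absent. */
static const char *header_value(const char *hdr, size_t hdr_len, const char *name, size_t *val_len)
{
    char key[64];
    snprintf(key, sizeof key, "\r\n%s:", name);   /* leading CRLF: whole header names only */
    const char *p = find_ci(hdr, hdr_len, key);
    if (!p) return NULL;
    p += strlen(key);
    const char *end = hdr + hdr_len;
    while (p < end && (*p == ' ' || *p == '\t')) p++;
    const char *eol = p;
    while (eol < end && *eol != '\r') eol++;
    *val_len = (size_t)(eol - p);
    return p;
}

/* 1 if the document has a <script> element plus one of the markers above. */
int html_is_suspicious(const char *body, size_t len)
{
    if (!find_ci(body, len, "<script")) return 0;
    for (size_t i = 0; i < sizeof SUSPICIOUS / sizeof SUSPICIOUS[0]; i++)
        if (find_ci(body, len, SUSPICIOUS[i])) return 1;
    return 0;
}

/* Inspect the bytes buffered so far for one HTTP response. The hook must call
 * this on the accumulated per-socket buffer, not on each recv() fragment:
 * headers and body routinely arrive in several pieces. Returns
 * INSPECT_NEED_MORE until the headers and (when Content-Length is present)
 * the whole body have arrived; otherwise writes the bytes to forward into out. */
int inspect_response(const char *in, size_t in_len, char *out, size_t out_cap, size_t *out_len)
{
    const char *hdr_end = find_ci(in, in_len, "\r\n\r\n");
    if (!hdr_end) return INSPECT_NEED_MORE;
    size_t hdr_len = (size_t)(hdr_end - in) + 4;
    size_t body_len = in_len - hdr_len;
    size_t vlen;

    const char *cl = header_value(in, hdr_len, "Content-Length", &vlen);
    if (cl) {
        char num[32];
        if (vlen >= sizeof num) return INSPECT_ERROR;
        memcpy(num, cl, vlen);
        num[vlen] = '\0';
        size_t want = strtoul(num, NULL, 10);
        if (body_len < want) return INSPECT_NEED_MORE;
        body_len = want;                 /* ignore pipelined bytes beyond this response */
    }

    const char *ct = header_value(in, hdr_len, "Content-Type", &vlen);
    int is_html = ct && find_ci(ct, vlen, "text/html");
    /* Limitation: chunked or compressed bodies would have to be de-chunked or
     * inflated before inspection. They are forwarded unchanged here, which a
     * real filter must not do, since that is a trivial bypass. */
    int encoded = header_value(in, hdr_len, "Transfer-Encoding", &vlen) != NULL
               || header_value(in, hdr_len, "Content-Encoding", &vlen) != NULL;

    if (is_html && !encoded && html_is_suspicious(in + hdr_len, body_len)) {
        int n = snprintf(out, out_cap,
                         "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
                         "Content-Length: %zu\r\nConnection: close\r\n\r\n%s",
                         sizeof WARNING_HTML - 1, WARNING_HTML);
        if (n < 0 || (size_t)n >= out_cap) return INSPECT_ERROR;
        *out_len = (size_t)n;
        return INSPECT_REPLACED;
    }
    if (in_len > out_cap) return INSPECT_ERROR;
    memcpy(out, in, in_len);
    *out_len = in_len;
    return INSPECT_PASS;
}

/* Build a constructed response with the given Content-Type and body, hand all
 * but the last hold_back bytes to the inspector (simulating a short recv()),
 * and return its verdict. */
int demo_check(const char *content_type, const char *body, size_t hold_back)
{
    char resp[2048], out[2048];
    size_t out_len = 0;
    int n = snprintf(resp, sizeof resp,
                     "HTTP/1.1 200 OK\r\nContent-Type: %s\r\nContent-Length: %zu\r\n\r\n%s",
                     content_type, strlen(body), body);
    if (n < 0 || (size_t)n >= sizeof resp) return INSPECT_ERROR;
    size_t have = hold_back < (size_t)n ? (size_t)n - hold_back : 0;
    return inspect_response(resp, have, out, sizeof out, &out_len);
}

int main(void)
{
    const char *bad  = "<html><body><script>eval(unescape('%61%6c%65%72%74'))</script></body></html>";
    const char *good = "<html><body><script>var x = 1;</script>hello</body></html>";
    printf("bad page, complete:  %d\n", demo_check("text/html", bad, 0));
    printf("bad page, truncated: %d\n", demo_check("text/html", bad, 5));
    printf("good page:           %d\n", demo_check("text/html", good, 0));
    printf("bad text, not HTML:  %d\n", demo_check("application/json", bad, 0));
    return 0;
}
```

Two caveats belong next to this. First, a socket-level hook only sees plaintext HTTP: for HTTPS the bytes passing through recv() are TLS ciphertext, so the inspection point has to move to wherever the browser has already decrypted (which is exactly why modoran's plugin suggestion is not a bad one). Second, a per-response check is easy to sidestep: the dangerous script can live in a separately fetched .js file, be assembled at runtime from innocuous pieces, or arrive compressed, so the replace-the-page reaction is only as good as the reassembly and decoding in front of it.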
Wow SpaceWorm, how long did it take you to reach this level?
closed account (G309216C)
Hi,

Did I answer your question successfully?

It took me 7 or 8 years to reach this "level". Thanks for taking an interest.
closed account (G309216C)
Update:

As Windows, from XP through 8, allows hot-patching, it means that hooking these functions would be fairly straightforward, meaning there would be no injecting DLLs and such, but just doing a remote code injection into all processes. A learning resource for the hot-patch method of hooking: http://www.codeproject.com/Articles/27339/API-hooking-for-hotpatchable-operating-systems

The only downfall is that you cannot do a system-wide hook into both x86 and x64. This can be overcome by changing code segments.

I have prepared a few macros to swap code segments:

#define Op(a) __asm __emit (a)   /* emit one raw byte (MSVC 32-bit inline asm) */

/* Far-call into the 64-bit code segment: push CS; call $+5; add [esp], 5; retf */
#define X64_Start_with_DS(_DS) \
{ \
	Op(0x6A) Op(_DS)                     /* push _DS: the target code segment selector */ \
	Op(0xE8) Op(0) Op(0) Op(0) Op(0)      /* call $+5: pushes the EIP of the next instruction */ \
	Op(0x83) Op(4) Op(0x24) Op(5)         /* add dword ptr [esp], 5: point past the retf */ \
	Op(0xCB)                             /* retf: pops EIP and CS, execution continues in x64 */ \
}

/* Far-return back into the 32-bit code segment */
#define X64_End_with_DS(_DS) \
{ \
	Op(0xE8) Op(0) Op(0) Op(0) Op(0)    /* call $+5: pushes the 8-byte RIP of the next instruction */ \
	Op(0xC7) Op(0x44) Op(0x24) Op(4)    /* mov dword ptr [rsp+4], imm32: upper half becomes the CS */ \
	Op(_DS) Op(0) Op(0) Op(0)          /* imm32 = _DS, the selector to return to */ \
	Op(0x83) Op(4) Op(0x24) Op(0xD)     /* add dword ptr [rsp], 0xD: point past the retf */ \
	Op(0xCB)                             /* retf: pops EIP:CS as a 32-bit far pointer */ \
}

#define X64_Run()  X64_Start_with_DS(0x33)  /* 0x33: 64-bit code segment under WoW64 */
#define X64_Stop() X64_End_with_DS(0x23)    /* 0x23: 32-bit code segment under WoW64 */


After X64_Start() is executed, the CPU will switch to the x64 code segment; this way you can execute x64 code.

BE AWARE:
You need to export x64 functions via a memory trick, then use typedef to cast the function to trick the compiler into generating a fake function.
Also make sure to generate DWORD-based assembly to break the stack.



Thanks!



Yes sir, you have answered all my questions successfully. But it takes time for me to follow it. I've been coding PHP for 6 or 7 years but I'm a complete noob at Windows things. I don't even know how Windows really works @@!

How long had you been coding DOS before you switched to Windows? And how long does it take to master Windows?
closed account (G309216C)
Hi,

Well, I have never used DOS; my first platform was Windows XP. Now I use Windows 7.

Trust me, I am not a master of Windows. I may be knowledgeable, but in no way am I a master.

Basically it takes decades to understand how Windows works down to kernel level, but after 5 years of Windows programming knowledge it starts to become quite a lot less thrilling and more painful; for instance, currently I am programming a bootkit for research purposes, and that involves me bypassing ASLR and such, which is a pain.

Trust me, learn assembly, both x86 and x64; it will help you understand why the stack and RAM and such are such a big deal. This will allow you to understand all the hooking and stuff with ease.
Hello SpaceWorm,

Can we be friends? Please allow me to add you on Facebook. ASM takes too much and it's too complicated for a newbie like me. But in the future, after getting to know Windows a little bit, I will move to ASM :D. I will focus on malware programming for good purposes.

My Facebook: http://facebook.com/inanobot

Please add me, or you can leave your Facebook URL here and I will add you.
closed account (G309216C)
Hi,

I do not have Facebook. Feel free to private message me regarding any question you may have in mind, especially anything relating to the Windows API.

As for malware programming, I would suggest you look at malware analysis and malware structure. This would give you a better understanding of how malware really works internally.

The issue with your "HTML scanner" is that much malware spreads using JDB, Java drive-by, which is impossible to detect; of course you can see if Java is being used, but games also use Java, so expect many false positives. There are exploit packs such as the Black Hole exploit pack which are almost FUD, fully undetectable, in the sense that even modern AV solutions fail at detecting these backdoors.

This job would be very hard. I can help you with a few parts and such, because I did program malware for research purposes and I know how to avoid it, so I can help program.

By the way, try hooking the GetTcpTable() function; it will help you a hell of a lot because it will show you all processes' network status and network usage. This way, if unwanted software is connecting to an unknown IP, you can botkill it by removing it from the registry and other start-up places.

Thanks!