
Can anyone explain how the form grabbing for Chrome works? For a code base as large as Chrome's, how would one go about finding the function(s) involved with sending POST data? There was a thread on HN about a month ago about Hand of Thief which sparked my curiosity. I was able to write a crude form grabber for Firefox, but couldn't figure out how to do it for Chrome.

For Firefox, I know about PR_Write (there's some information on how to form grab Firefox under Windows which I found applicable). Since the PR_Write function is in a shared library, you can use LD_PRELOAD to get Firefox to call your custom form-grabbing PR_Write, which can then call the original one.

Not trying to do anything malicious - just genuinely curious.




This applies if the function you are looking for is not easily accessible, i.e. not an exported symbol in some shared library.

You find the function you are interested in in Chrome's code base, then look for it in the compiled binary or library it's located in (with debug symbols, usually). You build a pattern from the function's code bytes. You then inject your evil library into the target process (also through LD_PRELOAD, but there are tons of ways) and have it search in the process memory for the function from the bytes you acquired previously. You temporarily change the page protections and overwrite the first few bytes of the target function to instead jump directly into your code.

You have to be careful with calling conventions or you will corrupt the stack, and often you want to preserve the original bytes of the function such that you can call into it from your replacement function.

This is what is called a hook, or a detour. Microsoft even has a library for this that does all of the previous in a neat package (http://research.microsoft.com/en-us/projects/detours/), but the basic redirection is very simple.
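A defender-side check for the detour described above, added here as an example and not code posted in the thread: it snapshots a function's first bytes early in process life and compares them later, and separately flags prologues that begin with the jump sequences an inline hook plants. It assumes x86-64; the sample prologue bytes are constructed and not taken from Chrome or any real binary.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Heuristic: does this x86-64 prologue begin with a control transfer of the
 * kind an inline detour writes over a function's first bytes?
 *   E9 rel32              jmp rel32
 *   FF 25 disp32          jmp [rip+disp32]
 *   48 B8 imm64 FF E0     mov rax, imm64 ; jmp rax
 *   68 imm32 C3           push imm32 ; ret
 * Returns 1 if a pattern matches, 0 otherwise. */
int prologue_looks_detoured(const uint8_t *p, size_t len) {
    if (len >= 5 && p[0] == 0xE9) return 1;
    if (len >= 6 && p[0] == 0xFF && p[1] == 0x25) return 1;
    if (len >= 12 && p[0] == 0x48 && p[1] == 0xB8 && p[10] == 0xFF && p[11] == 0xE0) return 1;
    if (len >= 6 && p[0] == 0x68 && p[5] == 0xC3) return 1;
    return 0;
}

/* Integrity check: 1 if the live prologue differs from a trusted snapshot. */
int prologue_modified(const uint8_t *live, const uint8_t *snapshot, size_t len) {
    return memcmp(live, snapshot, len) != 0;
}

/* Snapshot of a function's first bytes, taken early (before untrusted code
 * such as an LD_PRELOAD library has had a chance to patch it). */
struct prologue_guard { const uint8_t *addr; uint8_t saved[16]; };

void guard_init(struct prologue_guard *g, const void *fn) {
    g->addr = (const uint8_t *)fn;
    memcpy(g->saved, g->addr, sizeof g->saved);
}

int guard_check(const struct prologue_guard *g) {
    return prologue_modified(g->addr, g->saved, sizeof g->saved);
}

/* Constructed sample prologues (not from Chrome or any real binary). */
static const uint8_t kCleanPrologue[8]  = {0x55, 0x48, 0x89, 0xE5, 0x48, 0x83, 0xEC, 0x20};
static const uint8_t kJmpRel32Detour[8] = {0xE9, 0x10, 0x20, 0x30, 0x40, 0x48, 0x83, 0xEC};
static const uint8_t kMovJmpDetour[12]  = {0x48, 0xB8, 1, 2, 3, 4, 5, 6, 7, 8, 0xFF, 0xE0};

int main(void) {
    struct prologue_guard g;
    guard_init(&g, (const void *)(uintptr_t)&prologue_modified);
    printf("jmp rel32 sample flagged: %d\n", prologue_looks_detoured(kJmpRel32Detour, 8));
    printf("clean sample flagged:     %d\n", prologue_looks_detoured(kCleanPrologue, 8));
    printf("live prologue modified:   %d\n", guard_check(&g));
    return 0;
}
```

The byte-pattern heuristic only catches detours that start with a plain jump; the snapshot comparison is the stronger check, since any change to the guarded bytes is reported regardless of how the redirection is encoded.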



