From f303334ff577079764db601c5c3c0f98169f8960 Mon Sep 17 00:00:00 2001
From: Fernando
Date: Wed, 18 Jan 2017 21:26:26 +0100
Subject: [PATCH 1/6] mshtml hook for document.write
---
 insn/iexplore.yml | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/insn/iexplore.yml b/insn/iexplore.yml
index d5fb24b65..6ce7fb88b 100644
--- a/insn/iexplore.yml
+++ b/insn/iexplore.yml
@@ -13,3 +13,15 @@ JsGlobalObjectDefaultEvalHelper:
 offset: 0x14c30a
 stack: 8
 logging: u script stk0
+ 0x555f7a9e:
+ offset: 0x14c31c
+ stack: 8
+ logging: u script stk0
+
+CDocumentWriteIteratorCurrent:
+ module: mshtml
+ offsets:
+ 0x5565CF99:
+ offset: 0x46264A
+ stack: 16
+ logging: u write stk0
From d80a3088d5cffb2b4666e1d797c12b5cf120e326 Mon Sep 17 00:00:00 2001
From: Fernando
Date: Tue, 24 Jan 2017 14:43:08 +0100
Subject: [PATCH 2/6] Script src change hook
---
 insn/iexplore.yml | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/insn/iexplore.yml b/insn/iexplore.yml
index 6ce7fb88b..dd980c432 100644
--- a/insn/iexplore.yml
+++ b/insn/iexplore.yml
@@ -25,3 +25,11 @@ CDocumentWriteIteratorCurrent:
 offset: 0x46264A
 stack: 16
 logging: u write stk0
+
+CScriptDataOnSrcChange:
+ module: mshtml
+ offsets:
+ 0x5565CF99:
+ offset: 0x15FFB5
+ stack: 4
+ logging: u src *(wchar_t **) stk0
From 0d53cf7cb309ac283a4c1bbb952076f4abc51345 Mon Sep 17 00:00:00 2001
From: Fernando
Date: Wed, 25 Jan 2017 14:11:24 +0100
Subject: [PATCH 3/6] Img put source hook
---
 insn/iexplore.yml | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/insn/iexplore.yml b/insn/iexplore.yml
index dd980c432..f4d17b9c5 100644
--- a/insn/iexplore.yml
+++ b/insn/iexplore.yml
@@ -33,3 +33,11 @@ CScriptDataOnSrcChange:
 offset: 0x15FFB5
 stack: 4
 logging: u src *(wchar_t **) stk0
+
+CImgElement_putSrc:
+ module: mshtml
+ offsets:
+ 0x5565CF99:
+ offset: 0x487770
+ stack: 8
+ logging: u src stk0
From 9b407db68712f14475b78da4058fdb4e0f13dd86 Mon Sep 17 00:00:00 2001
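Review bot: The new `CDocumentWriteIteratorCurrent` entry, like the eval hook it extends, is keyed to a single module identifier (`0x5565CF99`, which looks like a PE TimeDateStamp) with nothing in the file recording which mshtml.dll build that is; on any other build the key matches nothing and document.write content is silently not logged, which is a detection gap rather than an error. A comment above the key, e.g. `# mshtml.dll <file version> (TimeDateStamp 0x5565CF99); offsets below are build-specific`, would let whoever updates the file re-resolve `0x46264A` instead of guessing. The meaning of `stack: 16` here versus `8` on the eval hook is also undocumented; if it is the stack offset or size at which the logged argument is read, a short comment saying so matters, since a wrong value yields garbage strings rather than a failure.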
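Review bot: `logging: u src *(wchar_t **) stk0` in the new `CScriptDataOnSrcChange` entry dereferences the stack slot before reading the string, unlike every other hook in the file which reads `stk0` directly, and the entry does not say why. This fires in a process that is executing attacker-controlled script, so the pointer in that slot is attacker-influenced; whether the logging engine guards the extra read against a NULL or unmapped pointer is not visible in this file and is worth confirming, because a fault in the monitor here would be a cheap way to evade the src hook. A comment such as `# stk0 presumably holds a pointer to the new src string pointer (wchar_t**), hence the extra deref — verify against disassembly` would make the intent checkable.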
From: Fernando
Date: Thu, 26 Jan 2017 13:37:45 +0100
Subject: [PATCH 4/6] Add more IE11 hooks
---
 insn/iexplore.yml | 22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)
diff --git a/insn/iexplore.yml b/insn/iexplore.yml
index f4d17b9c5..a9ef4c0a2 100644
--- a/insn/iexplore.yml
+++ b/insn/iexplore.yml
@@ -2,7 +2,7 @@ global:
 category: iexplore
 mode: iexplore
-JsGlobalObjectDefaultEvalHelper:
+JsGlobalObject_DefaultEvalHelper:
 module: jscript9
 offsets:
 0x555fea21:
@@ -18,7 +18,7 @@ JsGlobalObjectDefaultEvalHelper:
 stack: 8
 logging: u script stk0
-CDocumentWriteIteratorCurrent:
+CDocument_WriteIterator_current:
 module: mshtml
 offsets:
 0x5565CF99:
@@ -26,7 +26,7 @@ CDocumentWriteIteratorCurrent:
 stack: 16
 logging: u write stk0
-CScriptDataOnSrcChange:
+CScriptData_onSrcChange:
 module: mshtml
 offsets:
 0x5565CF99:
@@ -41,3 +41,19 @@ CImgElement_putSrc:
 offset: 0x487770
 stack: 8
 logging: u src stk0
+
+CElement_InjectHTML:
+ module: mshtml
+ offsets:
+ 0x5565CF99:
+ offset: 0x1242CC
+ stack: 0xC
+ logging: u written stk0
+
+CFrameElement_putSrc:
+ module: mshtml
+ offsets:
+ 0x5565CF99:
+ offset: 0x1611B0
+ stack: 8
+ logging: u src stk0
From 957ea800b64e5a2143d6cedbe9cb95a95566bc63 Mon Sep 17 00:00:00 2001
From: Fernando
Date: Fri, 27 Jan 2017 09:43:57 +0100
Subject: [PATCH 5/6] Add JS navigation hook
---
 insn/iexplore.yml | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/insn/iexplore.yml b/insn/iexplore.yml
index a9ef4c0a2..f8f64baa0 100644
--- a/insn/iexplore.yml
+++ b/insn/iexplore.yml
@@ -57,3 +57,11 @@ CFrameElement_putSrc:
 offset: 0x1611B0
 stack: 8
 logging: u src stk0
+
+CWindow_Navigate:
+ module: mshtml
+ offsets:
+ 0x5565CF99:
+ offset: 0x363CB0
+ stack: 0x40
+ logging: u url stk0
From f6d5b1c0b3268c5af6c614355fb4c3f09f71589c Mon Sep 17 00:00:00 2001
From: Fernando
Date: Thu, 2 Feb 2017 09:53:28 +0100
Subject: [PATCH 6/6] Save history hook
---
 insn/iexplore.yml | 8 ++++++++
 1 file changed, 8 insertions(+)
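Review bot: `stack: 0xC` in the new `CElement_InjectHTML` entry is the first hexadecimal value in a field that every earlier hook writes in decimal (`4`, `8`, `16`); if the loader accepts both, `stack: 12` keeps the file consistent, and if it only parses decimal this entry fails where the others do not, so it is worth checking which. The logged label also drifts: the document.write hook logs `write` while this one logs `written`, so a consumer that keys on the label rather than the hook name sees two vocabularies for the same class of event (HTML injected into the live document); either align the label or add a comment stating that the distinction is intentional. The preceding three hunks of this patch are pure renames and raise nothing.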
diff --git a/insn/iexplore.yml b/insn/iexplore.yml
index f8f64baa0..6754d03e2 100644
--- a/insn/iexplore.yml
+++ b/insn/iexplore.yml
@@ -65,3 +65,11 @@ CWindow_Navigate:
 offset: 0x363CB0
 stack: 0x40
 logging: u url stk0
+
+CWindow_SaveHistory:
+ module: mshtml
+ offsets:
+ 0x5565CF99:
+ offset: 0x456971
+ register: ecx
+ logging: u savedEntry ecx
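Review bot: `CWindow_SaveHistory` is the first hook in the file that reads a register (`register: ecx`) rather than a stack slot, and nothing records whether offset `0x456971` is the function entry (where ecx would presumably be the `this` pointer under thiscall, not a string) or an interior instruction at which ecx happens to hold the string pointer; that determines what `u savedEntry ecx` actually decodes, and it is exactly what breaks when the build changes. A comment like `# at this instruction ecx holds the wchar_t* of the saved history entry (verify against disassembly; not the function entry)` would make the hook maintainable. Whether the loader also expects a `stack:` key on every entry is not visible here; if it does, this entry needs one.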