JS常用HOOK脚本

Hook 定义

Hook 技术又叫做钩子函数，在系统没有调用该函数之前，钩子程序就 先捕获该消息 ，钩子函数 先得到控制权

这时钩子函数既可以 加工处理（改变）该函数的执行行为，还可以强制结束消息的传递

简单来说，就是把系统的程序拉出来变成我们自己执行代码片段。

在 js 中，系统程序可以指浏览器 API，也可以指代码中实现的一些方法等

Hook 步骤

1、寻找 hook 点

2、编写 hook 逻辑

3、调试

注：最常用的是hook cookie response open 表单

常见 hook 脚本

COOKIE

(function() {
    // 严谨模式 检查所有错误
    'use strict';
	var cookieTemp = "";
    Object.defineProperty(document, 'cookie', {set: function(val) {console.log('Hook 捕获到 cookie 设置 ->', val);
				cookieTemp = val;
				return val;
		},
		get: function()
		{return cookieTemp;}
    });
})();

 HEADER

(function () {
    var org = window.XMLHttpRequest.prototype.setRequestHeader;
    window.XMLHttpRequest.prototype.setRequestHeader = function (key, value) {if (key == 'Authorization') {debugger;}
        return org.apply(this, arguments);
    };
})();

URL / XHR

(function () {
    var open = window.XMLHttpRequest.prototype.open;
    window.XMLHttpRequest.prototype.open = function (method, url, async) {if (url.indexOf("login") != -1) {debugger;}
        return open.apply(this, arguments);
    };
})();

FETCH

(function () {let fetchCache = Object.getOwnPropertyDescriptor(window, "fetch");
    Object.defineProperty(window, "fetch", {value: function (url) {console.log("Hook fetch url =>", url);
            debugger;
            return fetchCache.value.apply(this, arguments);
        }
    });
})();

EVAL

(function() {
    var eval_ = eval;
    // 重写 eval
    var myeval = function(src) {if(src.includes('debugger')){src = src.replace(/debuggers*;?/g, '')
        }
        return eval_(src);
    }
    var myeval_ = myeval.bind(null);
    myeval_.toString = function(){return eval_.toString();
    };
    Object.defineProperty(window, 'eval', {value: myeval_});
})();


var a=eval+""
var _eval=eval
eval=function(arg){console.log(arg)
    return _eval(arg)
}
eval.toString=function(){return "function eval() {[native code] }"}
var _old=Function.prototype.toString.call
Function.prototype.toString.call=function(arg){if(arg==eval)
    return "function eval() { [native code] }"
    return _old(arg);

}
console.log(Function.prototype.toString.call(eval))

JSON

// JSON.stringify   ------------------------------------------
(function() {
    var stringify = JSON.stringify;
    JSON.stringify = function(params) {console.log("Hook JSON.stringify ——>", params);
        debugger;
        return stringify(params);
    }
})();

// JSON.parse   ------------------------------------------
(function() {
    var parse = JSON.parse;
    JSON.parse = function(params) {console.log("Hook JSON.parse ——>", params);
        debugger;
        return parse(params);
    }
})();

无限 DEBUGGER 

(function () {
    let constructorCache = Function.prototype.constructor;
    Function.prototype.constructor = function (string) {if (string === "debugger") {console.log("Hook constructor debugger!");
            return function () {};
        }
        return constructorCache(string);
    };
})();



Function.prototype.constructor_bk = Function.prototype.constructor
Function.prototype.constructor = function(){if (arguments[0]=="debugger"){return function () {};}else{return Function.prototype.constructor_bk.apply(this, arguments)
    }
}

WEBSOCKET

(function () {
    let sendCache = WebSocket.prototype.send;
    WebSocket.prototype.send = function (data) {console.info("Hook WebSocket send =>", data);
        return sendCache(data);
    };
})();

 CONSOLE

(function () {
    let consoleCache = console.log;
    console.log = function (msg) {consoleCache("Hook console.log =>", msg);
        if(msg === "value") {debugger;}
        consoleCache(msg);
    };
})();

CREATEELEMENT

(function () {
    let createElementCache = document.createElement;
    document.createElement = function (tagName) {console.info("Hook createElement tagName =>", tagName);
        if(tagName === "div") {debugger;}
        return createElementCache(tagName);
    };
})();

GETELEMENTBYID

(function () {
    let getElementByIdCache = document.getElementById;
    document.getElementById = function (id) {console.info("Hook getElementById id =>", id);
        if (id === "spiderapi") {debugger;}
        return getElementByIdCache(id);
    };
})();

 SETATTRIBUTE

(function () {
    let setAttributeCache = window.Element.prototype.setAttribute;
    window.Element.prototype.setAttribute = function (name, value) {console.info("Hook setAttribute name => %s, value => %s", name, value);
        if (name === "value") {debugger;}
        return setAttributeCache(name, value);
    };
})();

 SETINTERVAL / SETTIMEOUT

(function () {
    let setIntervalCache = setInterval;
    setInterval = function (func, delay) {console.log("Hook setInterval func => %s, delay => %s", func, delay);
        debugger;
        return setIntervalCache(func, delay);
    };
})();



(function () {
    let setTimeoutCache = setTimeout;
    setTimeout = function (func, delay) {console.log("Hook setTimeout func => %s, delay => %s", func, delay);
        debugger;
        return setTimeoutCache(func, delay);
    };
})();

原型链

// 备份原函数，并添加至原型链
String.prototype.split_ = String.prototype.split;
// hook split 方法
String.prototype.split = function(val){str = this.toString();
    debugger;
    return str.split_(val);
};
// 过检测
String.prototype.split.toString = function (){return "function split() {[native code] }";
}