Comments on: bpmtk: Spying on IE http://blog.didierstevens.com/2008/03/19/bpmtk-spying-on-ie/ (blog 'DidierStevens) Thu, 29 Jul 2010 03:37:46 +0000 hourly 1 http://wordpress.com/ By: Pablo http://blog.didierstevens.com/2008/03/19/bpmtk-spying-on-ie/#comment-34189 Pablo Mon, 09 Feb 2009 18:17:43 +0000 http://didierstevens.wordpress.com/?p=340#comment-34189 I was able to hook on IE7 by using EasyHook library, but no by using BPMTK or similar IAT patching systems. I was able to hook on IE7 by using EasyHook library, but no by using BPMTK or similar IAT patching systems.

]]> By: max http://blog.didierstevens.com/2008/03/19/bpmtk-spying-on-ie/#comment-34186 max Sat, 07 Feb 2009 15:06:03 +0000 http://didierstevens.wordpress.com/?p=340#comment-34186 I have successfully hooked the functions by the way of modifying the first 5 bytes in the function code, which jmp to the hook function. Patching IAT may not work in such a situation. I have successfully hooked the functions by the way of modifying the first 5 bytes in the function code, which jmp to the hook function. Patching IAT may not work in such a situation.

]]> By: Lucy http://blog.didierstevens.com/2008/03/19/bpmtk-spying-on-ie/#comment-34179 Lucy Thu, 05 Feb 2009 04:26:16 +0000 http://didierstevens.wordpress.com/?p=340#comment-34179 Hi Max It seems all of us are trying to hook IE7 using Didier code. I have also tried same way usig "W" instead of "A" but failed :( Hopefully Didier will give us another version which will hook both IE6 & IE7. Waiting for Didier. Hi Max
It seems all of us are trying to hook IE7 using Didier code. I have also tried same way usig “W” instead of “A” but failed :(
Hopefully Didier will give us another version which will hook both IE6 & IE7. Waiting for Didier.

]]> By: max http://blog.didierstevens.com/2008/03/19/bpmtk-spying-on-ie/#comment-34174 max Mon, 02 Feb 2009 04:30:05 +0000 http://didierstevens.wordpress.com/?p=340#comment-34174 Very Interesting information. When I opened IE with blank page, and then close ie. The debugview give such information: [1316] Hook WinINet DLL_PROCESS_ATTACH [1316] WININET.dll HttpOpenRequestW (42164050) 420D102F -> 10001000 [1316] WININET.dll InternetConnectW (42164080) 420D1002 -> 100010A0 [1316] WININET.dll HttpSendRequestW (4216404C) 420E2566 -> 10001110 [1316] WININET.dll InternetReadFile (42164078) 420D0E0E -> 10001170 [1316] Unhook WinINet DLL_PROCESS_DETACH [1316] WININET.dll HttpOpenRequestW (42164050) 10001000 -> 420D102F [1316] WININET.dll InternetConnectW (42164080) 100010A0 -> 420D1002 [1316] WININET.dll HttpSendRequestW (4216404C) 10001110 -> 420E2566 [1316] WININET.dll InternetReadFile (42164078) 10001170 -> 420D0E0E It seemed that hooking and restoring the functions are both ok. But if I do some requests, things changed. [3376] Hook WinINet DLL_PROCESS_ATTACH [3376] WININET.dll HttpOpenRequestW (42164050) 420D102F -> 10001000 [3376] WININET.dll InternetConnectW (42164080) 420D1002 -> 100010A0 [3376] WININET.dll HttpSendRequestW (4216404C) 420E2566 -> 10001110 [3376] WININET.dll InternetReadFile (42164078) 420D0E0E -> 10001170 [3376] www.mobilesaid.com [3376] GET [3376] /ip.php [3376] Accept-Language: en-US [3376] UA-CPU: x86 [3376] Accept-Encoding: gzip, deflate [3376] HookInternetReadFile dwNumberOfBytesToRead 00000012 [3376] HookInternetReadFile *lpdwNumberOfBytesRead 00000012 data 205.209.139.221@US [3376] Unhook WinINet DLL_PROCESS_DETACH [3376] WININET.dll HttpOpenRequestW (42164050) 41FE5D52 -> 420D102F [3376] WININET.dll InternetConnectW (42164080) 41FE5B78 -> 420D1002 [3376] WININET.dll HttpSendRequestW (4216404C) 420007F5 -> 420E2566 [3376] WININET.dll InternetReadFile (42164078) 41FEABA4 -> 420D0E0E Look at the addresses of the hooked functions when detach. It have been changed. Who changed the addresses? But the IE7 works really ok, at the same time the hooks did not work. Does IE5 and IE6 have the same problem? Very Interesting information. When I opened IE with blank page, and then close ie. The debugview give such information:
[1316] Hook WinINet DLL_PROCESS_ATTACH
[1316] WININET.dll HttpOpenRequestW (42164050) 420D102F -> 10001000
[1316] WININET.dll InternetConnectW (42164080) 420D1002 -> 100010A0
[1316] WININET.dll HttpSendRequestW (4216404C) 420E2566 -> 10001110
[1316] WININET.dll InternetReadFile (42164078) 420D0E0E -> 10001170
[1316] Unhook WinINet DLL_PROCESS_DETACH
[1316] WININET.dll HttpOpenRequestW (42164050) 10001000 -> 420D102F
[1316] WININET.dll InternetConnectW (42164080) 100010A0 -> 420D1002
[1316] WININET.dll HttpSendRequestW (4216404C) 10001110 -> 420E2566
[1316] WININET.dll InternetReadFile (42164078) 10001170 -> 420D0E0E
It seemed that hooking and restoring the functions are both ok.

But if I do some requests, things changed.
[3376] Hook WinINet DLL_PROCESS_ATTACH
[3376] WININET.dll HttpOpenRequestW (42164050) 420D102F -> 10001000
[3376] WININET.dll InternetConnectW (42164080) 420D1002 -> 100010A0
[3376] WININET.dll HttpSendRequestW (4216404C) 420E2566 -> 10001110
[3376] WININET.dll InternetReadFile (42164078) 420D0E0E -> 10001170
[3376] http://www.mobilesaid.com
[3376] GET
[3376] /ip.php
[3376] Accept-Language: en-US
[3376] UA-CPU: x86
[3376] Accept-Encoding: gzip, deflate
[3376] HookInternetReadFile dwNumberOfBytesToRead 00000012
[3376] HookInternetReadFile *lpdwNumberOfBytesRead 00000012 data 205.209.139.221@US
[3376] Unhook WinINet DLL_PROCESS_DETACH
[3376] WININET.dll HttpOpenRequestW (42164050) 41FE5D52 -> 420D102F
[3376] WININET.dll InternetConnectW (42164080) 41FE5B78 -> 420D1002
[3376] WININET.dll HttpSendRequestW (4216404C) 420007F5 -> 420E2566
[3376] WININET.dll InternetReadFile (42164078) 41FEABA4 -> 420D0E0E

Look at the addresses of the hooked functions when detach. It have been changed. Who changed the addresses? But the IE7 works really ok, at the same time the hooks did not work.
Does IE5 and IE6 have the same problem?

]]> By: max http://blog.didierstevens.com/2008/03/19/bpmtk-spying-on-ie/#comment-34173 max Mon, 02 Feb 2009 03:40:14 +0000 http://didierstevens.wordpress.com/?p=340#comment-34173 Internetreadfile hooks OK now, but still works on the first request. Can you tell why and how to solve this problem? Thank you very much. Internetreadfile hooks OK now, but still works on the first request. Can you tell why and how to solve this problem? Thank you very much.

]]> By: max http://blog.didierstevens.com/2008/03/19/bpmtk-spying-on-ie/#comment-34171 max Sun, 01 Feb 2009 16:34:22 +0000 http://didierstevens.wordpress.com/?p=340#comment-34171 And when I hook Internetreadfile, it made the ie7 crash. And when I hook Internetreadfile, it made the ie7 crash.

]]> By: max http://blog.didierstevens.com/2008/03/19/bpmtk-spying-on-ie/#comment-34170 max Sun, 01 Feb 2009 15:04:36 +0000 http://didierstevens.wordpress.com/?p=340#comment-34170 A problem, the hook really works the first time httpopenrequest is called. It seems it does not work on all the following requests. Could you tell me why. Tested on IE7 and xp sp3. I have modified your code to hook httpopenrequestw. A problem, the hook really works the first time httpopenrequest is called.
It seems it does not work on all the following requests. Could you tell me why.
Tested on IE7 and xp sp3. I have modified your code to hook httpopenrequestw.

]]> By: Lucy http://blog.didierstevens.com/2008/03/19/bpmtk-spying-on-ie/#comment-34167 Lucy Sun, 01 Feb 2009 08:09:26 +0000 http://didierstevens.wordpress.com/?p=340#comment-34167 Hi Whenever you publish about IE7 please inform in this thread. This is because I don't want to miss it! Hi
Whenever you publish about IE7 please inform in this thread. This is because I don’t want to miss it!

]]> By: Smith http://blog.didierstevens.com/2008/03/19/bpmtk-spying-on-ie/#comment-34164 Smith Fri, 30 Jan 2009 17:23:19 +0000 http://didierstevens.wordpress.com/?p=340#comment-34164 Hi Didier I don't know why Lucy want this. But I can tell you why I need it badly. Infact everywhere now there is IE7. You know IE6 is obsolete. I am researching for a large software development which will work on Firefox, IE and opera. In that case the most problem we face about IE7. We found almost way. But your article shows us some way. This is really great article. Many thanks again. I hope you will find a method for IE7 as well as you are really great. Hi Didier
I don’t know why Lucy want this. But I can tell you why I need it badly. Infact everywhere now there is IE7. You know IE6 is obsolete.
I am researching for a large software development which will work on Firefox, IE and opera. In that case the most problem we face about IE7. We found almost way. But your article shows us some way. This is really great article. Many thanks again.
I hope you will find a method for IE7 as well as you are really great.

]]> By: Didier Stevens http://blog.didierstevens.com/2008/03/19/bpmtk-spying-on-ie/#comment-34163 Didier Stevens Fri, 30 Jan 2009 13:47:03 +0000 http://didierstevens.wordpress.com/?p=340#comment-34163 @Lucy Why do you need this? I'm wondering why I'm getting all these requests for IE7? @Lucy Why do you need this? I’m wondering why I’m getting all these requests for IE7?

]]>