很多人第一反应就是cookie,没错这是个好办法: div style="width: expression(if(document.cookie.indexOf('xxxx')0){alert(1);document.cookie='xxxx=1;'+document.cookie;})">/div> 不过这样写有个问题,就是被攻击者浏览器只能执行一次你的alert,cookie的作用域大于一次页面执行,适合用来做跨页面的标识,而不是仅仅用来控制一个页面里的某段代码的执行次数,而且你测试起来也挺麻烦,弄得不好就要清cookie。
循着这个思路很自然就会想到在页面里设置标识,于是就有了第二种方法: div style="width: expression(if(!window.xxx){alert(1);window.xxx=1;})">/div> 使用全局变量来做标识,使我的代码在这个页面级别只执行一次,这样是一个比较完美的办法,也是目前被使用的最多的办法。
至此,我和expression的恩怨总算可以告一段落,整个世界清静了。 /* * FileName: IEAlertPatch.c * Version: 1.0 * Contact: luoluonet@yahoo.cn * P.S: Thanks zzzEVAzzz, he found out the API that alert uses. */ #include Windows.h> #include Tlhelp32.h> #include Imagehlp.h>
// // Get system version // bRet = GetVersionEx((OSVERSIONINFO *)osvi); if (! bRet) { osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO); bRet = GetVersionEx((OSVERSIONINFO *)osvi); if (! bRet) goto FreeAndExit; }
// Verify if it is NT system if (osvi.dwPlatformId == VER_PLATFORM_WIN32_NT) { pId = GetProcessIdByName(procName); if (pId != 0) HookAlert(pId); }
FreeAndExit: return 0;
} // // End of WinMain //
// // @Name: GetProcessIdByName // @Author: luoluo // @Time: 2005-04-17 // @Param: lpProcessName spacifies the ProcessName // @Ret: if success, return the process id // if failed, return 0 // DWORD WINAPI GetProcessIdByName(LPCTSTR lpProcessName) { HANDLE hSnapshot; DWORD dwRet = 0; LPPROCESSENTRY32 pPe32; BOOL bRet;
// Get all the processes in the snapshot hSnapshot = CreateToolhelp32Snapshot(0x00000002, 0); if (hSnapshot == INVALID_HANDLE_VALUE) { goto FreeAndExit; }
// Open remote process hProcess = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_QUERY_INFORMATION, FALSE, pId); if (hProcess == NULL) { goto FreeAndExit; }
// Read 5 byte from function to be hooked bRetVal = ReadProcessMemory(hProcess, (LPCVOID)dwMessageBoxIndirectW, szOldCode, sizeof(szOldCode), NULL); if (! bRetVal) { goto FreeAndExit; }
// Allocate memory from remote process lpCodeMemory = VirtualAllocEx(hProcess, NULL, dwHookCodeLen, MEM_COMMIT, PAGE_EXECUTE_READWRITE); if (lpCodeMemory == NULL) { goto FreeAndExit; }
// Query the page information ZeroMemory(mbi, sizeof(MEMORY_BASIC_INFORMATION)); szRet = VirtualQueryEx(hProcess, lpCodeMemory, mbi, sizeof(MEMORY_BASIC_INFORMATION)); if (szRet == 0) { goto FreeAndExit; }
// Modify the page protection for write bRetVal = VirtualProtectEx(hProcess, mbi.BaseAddress, mbi.RegionSize, PAGE_EXECUTE_READWRITE, mbi.Protect); if (! bRetVal) { goto FreeAndExit; }
// the function has been hooked if (szOldCode[0] == ((unsigned char)'\xE9')) { dwJmpOffset = (*((int*)(szOldCode + 1))) + dwMessageBoxIndirectW + 5 - ((DWORD)lpCodeMemory) - dwHookCodeLen + 5; memcpy(szOldCode + 1, (LPVOID)(dwJmpOffset), 4); }
// debugger present and breakpoint here if (szOldCode[0] == '\xCC') { goto FreeAndExit; }
// copy the start code of funciton hooked to the end of hook code memcpy((LPVOID)(((DWORD)lpHookCode) + dwHookCodeLen - 10), szOldCode, sizeof(szOldCode));
// code jmp back to function hooked memset((LPVOID)(((DWORD)lpHookCode) + dwHookCodeLen - 5), '\xE9', 1); dwJmpOffset = dwMessageBoxIndirectW - ((DWORD)lpCodeMemory) - dwHookCodeLen + 5; memcpy((LPVOID)(((DWORD)lpHookCode) + dwHookCodeLen - 4), (LPVOID)(dwJmpOffset), 4);
// Write my code to remote process memory bRetVal = WriteProcessMemory(hProcess, lpCodeMemory, lpHookCode, dwHookCodeLen, 0); if (! bRetVal) { VirtualFreeEx(hProcess, lpCodeMemory, dwHookCodeLen, MEM_RELEASE); goto FreeAndExit; }
// Modify the page protection to protect bRetVal = VirtualProtectEx(hProcess, mbi.BaseAddress, mbi.RegionSize, mbi.Protect, dwOldProtect); if (! bRetVal) { goto FreeAndExit; }
// Query the page information ZeroMemory(mbi, sizeof(MEMORY_BASIC_INFORMATION)); szRet = VirtualQueryEx(hProcess, (LPVOID)dwMessageBoxIndirectW, mbi, sizeof(MEMORY_BASIC_INFORMATION)); if (szRet == 0) { goto FreeAndExit; }
// Modify the page protection for write bRetVal = VirtualProtectEx(hProcess, mbi.BaseAddress, mbi.RegionSize, PAGE_EXECUTE_READWRITE, mbi.Protect); if (! bRetVal) { goto FreeAndExit; }
// Write hook code to the functon to be hooked bRetVal = WriteProcessMemory(hProcess, (LPVOID)dwMessageBoxIndirectW, szJmpCode, sizeof(szJmpCode), 0); if (! bRetVal) { goto FreeAndExit; }
// Modify the page protection to protect bRetVal = VirtualProtectEx(hProcess, mbi.BaseAddress, mbi.RegionSize, mbi.Protect, dwOldProtect); if (! bRetVal) { goto FreeAndExit; }
FreeAndExit: if (hProcess != NULL) { CloseHandle(hProcess); } if (hToken != NULL) { CloseHandle(hToken); } if (lpHookCode != NULL) { free(lpHookCode); lpHookCode = NULL; }