bats3c / ChromeTools

A collection of tools to abuse chrome browser

Home Page: https://www.mdsec.co.uk/2021/01/breaking-the-browser-a-tale-of-ipc-credentials-and-backdoors/


HTML content intercepted with WriteFile hook is not going through Mojo but is written to a cache file

hoster356 opened this issue · comments

I was just trying the method explained here and hooked WriteFile to intercept and edit HTML pages. I could edit headers successfully, and the edited ones were shown in the Network tab of the developer tools, but the HTML was never edited, even though the logged HTML written to disk was edited successfully! I used GetFileInformationByHandleEx to retrieve the filename WriteFile was writing to and logged it together with the buffer, and I saw that the Mojo-intercepted data contained mostly unreadable bytes with the headers between them, but the HTML content was coming from writes to Chrome cache files! I was doing all tests with the Accept-Encoding header cleared by an extension and ensured there was no compression at all.

Ah, that's a really interesting find, well done. Though it does make me wonder how the HTML content is actually being sent to the renderer.

This article https://developers.google.com/web/updates/2018/09/inside-browser-part2 says that data is sent from the browser process (network service?) to the renderer through IPC, so I think it is shared memory, because Mojo also supports this, or can it be passed through legacy IPC?

It is for sure shared memory!
From https://github.com/chromium/chromium/blob/master/services/network/url_loader.cc the response body is being transferred with Mojo data pipes (mojo::CreateDataPipe), which are based on shared memory, as stated in the Mojo documentation. Mojo places a lock object in the shared buffer to synchronize writes and reads, but the notifications to start reading and that reading is complete seem to be sent via the ordinary pipe channel.

When searching for a method to sniff Mojo shared memory I got into this project https://github.com/tomer8007/chromium-ipc-sniffer (mentioned in your blog) and found that it says:

"However, this project won't see anything that doesn't go over pipes, which is mostly shared memory IPC:

Mojo data pipe contents (raw networking buffers, audio, etc.) <---
Sandbox IPC
Possibly more things"

So the answer was here from the beginning!

Notification that the shared memory is writable or readable is based on mojo::SimpleWatcher.

Once the response is being received from the network, the renderer will receive a handle to the shared memory to consume the HTML, which will be written directly from the network stack into the shared memory buffer using OnStartLoadingResponseBody. The decompression is handled by the network service, and the renderer will be fed ready HTML content.