Skip to content

Instantly share code, notes, and snippets.

@Gi7w0rm

Gi7w0rm/HookNMonitor.js

Created January 21, 2025 17:21
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save Gi7w0rm/502b21dff815ba73661888c446d85e5d to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save Gi7w0rm/502b21dff815ba73661888c446d85e5d to your computer and use it in GitHub Desktop.
Download ZIP
JavaScript code to use with chromes Dev console to hook certain functions in order to reveal what data is being processed.
Raw
HookNMonitor.js
(function() {
// Configuration object for monitoring
const MONITOR_CONFIG = {
// Enable/disable specific hooks
hooks: {
function: true,
atob: true,
decodeURI: true,
eval: false,
webSocket: true,
functionCall: true
},
// Monitored patterns
domains: [
'chatjsdvcss.com',
'jsmanifestgls.com'
],
paths: [
'require.min.js',
'captcha.js'
],
suspiciousPatterns: [
'alob',
'wss://',
'fromCharCode',
'atob('
]
};
// Create secure console
const secureConsole = (function() {
const cleanConsole = Object.create(window.console);
const methods = ['log', 'warn', 'info', 'error'];
methods.forEach(method => {
cleanConsole[method] = window.console[method].bind(window.console);
});
return cleanConsole;
})();
// Helper function to safely encode strings for logging
function safeEncode(input) {
if (input === undefined) return 'undefined';
if (input === null) return 'null';
if (typeof input === 'string') {
return {
raw: String(input), // Ensure string conversion
hex: Array.from(input).map(char => {
// Always use hex representation to avoid URL encoding issues
return `\\x${char.charCodeAt(0).toString(16).padStart(2, '0')}`;
}).join(''),
// Explicitly handle + character in URL encoding
base64: btoa(input.replace(/\+/g, '%2B')) // Preserve + characters
};
}
return input;
}
// Simple Function.prototype.call hook
if (MONITOR_CONFIG.hooks.functionCall) {
const originalCall = Function.prototype.call;
let isMonitoring = false;
Function.prototype.call = function() {
if (isMonitoring) {
return originalCall.apply(this, arguments);
}
try {
isMonitoring = true;
// Log all function calls that we can stringify
if (this && this.toString) {
const funcStr = String(this);
// Only log if function content contains suspicious patterns
if (MONITOR_CONFIG.suspiciousPatterns.some(pattern => funcStr.includes(pattern))) {
secureConsole.warn('[SECURE-DEBUG] Suspicious Function.call:', {
function: safeEncode(funcStr),
arguments: Array.from(arguments).map(arg => {
try {
return arg && arg.toString ? safeEncode(String(arg)) : arg;
} catch(e) {
return 'unable to stringify argument';
}
})
});
}
}
const result = originalCall.apply(this, arguments);
return result;
} catch(e) {
secureConsole.error('[SECURE-DEBUG] Error in call monitoring:', e);
return originalCall.apply(this, arguments);
} finally {
isMonitoring = false;
}
};
}
// Hook Function constructor but preserve original behavior exactly
if (MONITOR_CONFIG.hooks.function) {
const OriginalFunction = window.Function;
window.Function = function() {
// Monitor the function creation
const funcStr = arguments[arguments.length - 1];
if (typeof funcStr === 'string' &&
MONITOR_CONFIG.suspiciousPatterns.some(pattern => funcStr.includes(pattern))) {
secureConsole.warn('[SECURE-DEBUG] Suspicious function definition:', {
function: safeEncode(funcStr)
});
}
// Important: Use new.target to properly handle constructor calls
if (new.target) {
return Reflect.construct(OriginalFunction, arguments, new.target);
}
return OriginalFunction.apply(this, arguments);
};
Object.setPrototypeOf(window.Function, OriginalFunction);
Object.setPrototypeOf(window.Function.prototype, OriginalFunction.prototype);
}
// Hook atob but preserve original behavior
if (MONITOR_CONFIG.hooks.atob) {
const originalAtob = window.atob;
window.atob = function(str) {
try {
secureConsole.log('[SECURE-DEBUG] atob called with:', {
input: safeEncode(str),
inputLength: str ? str.length : 0
});
const result = originalAtob.apply(this, arguments);
secureConsole.log('[SECURE-DEBUG] atob result:', {
result: safeEncode(result)
});
return result;
} catch(e) {
secureConsole.warn('[SECURE-DEBUG] Invalid atob input:', {
input: safeEncode(str),
error: e.message
});
return '';
}
};
}
// Hook decodeURI but preserve original behavior
if (MONITOR_CONFIG.hooks.decodeURI) {
const originalDecodeURI = window.decodeURI;
window.decodeURI = function(str) {
try {
secureConsole.log('[SECURE-DEBUG] decodeURI called with:', {
input: safeEncode(str)
});
const result = originalDecodeURI.apply(this, arguments);
secureConsole.log('[SECURE-DEBUG] decodeURI result:', {
result: safeEncode(result)
});
return result;
} catch(e) {
secureConsole.warn('[SECURE-DEBUG] decodeURI error:', {
input: safeEncode(str),
error: e.message
});
throw e;
}
};
}
// Hook eval with minimal wrapping
if (MONITOR_CONFIG.hooks.eval) {
const originalEval = window.eval;
const wrappedEval = function(code) {
try {
return originalEval.apply(this, arguments);
} catch(e) {
secureConsole.error('[SECURE-DEBUG] eval error');
throw e;
}
};
Object.defineProperty(wrappedEval, 'name', {
value: 'eval',
configurable: true
});
Object.getOwnPropertyNames(originalEval).forEach(prop => {
try {
Object.defineProperty(wrappedEval, prop,
Object.getOwnPropertyDescriptor(originalEval, prop) || {});
} catch(e) {}
});
window.eval = wrappedEval;
}
// Hook WebSocket but preserve original behavior
if (MONITOR_CONFIG.hooks.webSocket) {
const OriginalWebSocket = window.WebSocket;
window.WebSocket = function(url, options) {
secureConsole.warn('[SECURE-DEBUG] WebSocket connection attempted:', {
url: safeEncode(String(url)),
options: options
});
const ws = new OriginalWebSocket(url, options);
const originalOnMessage = ws.onmessage;
ws.onmessage = function(event) {
try {
const data = event.data;
secureConsole.warn('[SECURE-DEBUG] WebSocket message received:', {
rawData: safeEncode(String(data)),
dataLength: data.length,
hexDump: Array.from(new Uint8Array(data instanceof ArrayBuffer ? data : new TextEncoder().encode(String(data))))
.map(b => b.toString(16).padStart(2, '0'))
.join(' ')
});
} catch(e) {
secureConsole.error('[SECURE-DEBUG] WebSocket message monitoring error:', e);
}
if(originalOnMessage) {
return originalOnMessage.apply(this, arguments);
}
};
return ws;
};
Object.setPrototypeOf(window.WebSocket, OriginalWebSocket);
Object.setPrototypeOf(window.WebSocket.prototype, OriginalWebSocket.prototype);
window.WebSocket.CONNECTING = OriginalWebSocket.CONNECTING;
window.WebSocket.OPEN = OriginalWebSocket.OPEN;
window.WebSocket.CLOSING = OriginalWebSocket.CLOSING;
window.WebSocket.CLOSED = OriginalWebSocket.CLOSED;
}
secureConsole.log('[SECURE-DEBUG] Monitoring hooks installed successfully', {
activeHooks: Object.entries(MONITOR_CONFIG.hooks)
.filter(([, enabled]) => enabled)
.map(([name]) => name),
monitoredDomains: MONITOR_CONFIG.domains,
monitoredPaths: MONITOR_CONFIG.paths,
suspiciousPatterns: MONITOR_CONFIG.suspiciousPatterns
});
})();
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment