The Chromium Embedded Framework (CEF) is an open-source project founded by Marshall Greenblatt in 2008. Its main purpose is to provide a web browser control based on Google Chromium that supports user plug-ins, custom protocols, JavaScript objects and JavaScript extensions; the host program can freely control resource downloading, navigation, scrolling, printing and so on, and it offers the same high performance and HTML5 support as Google Chrome.



Hooking, also called a hook function, is a technique that hijacks an original function so that your own code runs on top of it; at that point your code has access to the original function's context (its parameters and so on).



On a sudden whim I wanted to crawl the article data of WeChat public accounts. Looking up the relevant materials, I found that most of them rely on packet capture, which needs many steps and a lot of configuration and is not very efficient, so I wanted to hook the relevant CEF APIs instead. While hooking, I happened to notice that the startup parameters of WeChat's built-in browser were not hard-coded, and I found WeChat's own startup parameters. I tried adding CEF startup parameters on the command line and running WeChat with them, and found that the WeChat team had not restricted the startup parameters at all.


In that case you can add --remote-debugging-port=8000 to the startup parameters to enable CEF remote debugging. You can confirm it by opening the address http://localhost:8000/ in the built-in browser:





This page is generated by Chromium once remote debugging is enabled. Whenever a browser page is opened in WeChat for PC, a corresponding debugging entry appears on this page, but clicking it only shows a blank page. The reason is devtools_resources.pak (this file contains the non-localized resources required by Chrome Developer Tools; without it, DevTools cannot run): the WeChat installation package does not ship devtools_resources.pak, so the pak file of the matching version has to be placed in the WeChat startup directory. After the pak file is installed, accessing the entry shows the following prompt instead:




Because the Chrome version I was using is too new, this function cannot be executed and the console page cannot be generated. In that case you can work around it by using a browser of a version that matches the function. I used Opera 66.0.3515.115, and the console page is displayed after opening it:





Also, when you right-click a page in the built-in browser, you will notice that the context menu has a few extra entries:




You can now debug the built-in browser page by opening the console.


In addition, because the remote debugging protocol exists

chromedevtools.github.io/devtools-pr…

you can even control the browser from a programming language.

 


The remote control code is attached below; refer to the address above for the details of the protocol. The protocol version of the WeChat built-in browser is 1.1, and I could not find the details for that version.

Because the remote protocol is what matters, I tried removing the devtools_resources.pak file from the WeChat directory and enabling the remote debugging protocol again. Now when I right-click the browser page, the extra options are gone and only the original ones remain, but I can still connect to the debugging port with the debugging protocol, and I can still manipulate the browser page even after the page has been closed.




```javascript
const CDP = require('chrome-remote-interface');

async function example() {
    let client;
    try {
        // connect to the DevTools endpoint opened with --remote-debugging-port=8000
        // (local: true uses the protocol descriptor bundled with the library
        // instead of fetching it from the target)
        client = await CDP({ port: 8000, local: true });
        const { Network, Page } = client;
        // set up handlers for network events of the controlled page
        Network.requestWillBeSent((params) => {
            console.log('request:', params.request.url);
        });
        Network.responseReceived((params) => {
            console.log('response:', params.response.status, params.response.url);
        });
        // enable events, then start!
        await Network.enable();
        await Page.enable();
        await Page.navigate({ url: 'chrome://version' });
        await Page.loadEventFired();
    } catch (err) {
        console.error(err);
    } finally {
        if (client) {
            await client.close();
        }
    }
}

example();
```


What can be done with this method?

Scenario 1: A hacker modifies the startup file in the WeChat directory so that WeChat is launched through another startup file that adds a remote debugging port, and then monitors whether the user has opened a page. Right after WeChat has started it cannot be connected to remotely; the connection only becomes possible once the first page is opened.
http://localhost:port/json can be used to check whether a page is open. When the user opens the first page, the hacker connects; when the user closes the page, various operations are carried out secretly in the background (logging in to all kinds of third-party pages that require WeChat authorization, and obtaining the user's cookie value after a successful login for further operations).
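An added example, not part of the original post, written from the defender's side of scenario 1: it looks for the --remote-debugging-port flag in a process command line and parses the /json target listing mentioned above, so an administrator can audit whether a WeChat (or any Chromium-based) process on the host has an exposed debugging endpoint. All sample data below is constructed, and the function names are my own.

```javascript
// Defender-side checks for the abuse described in scenario 1 (added example).
// Two pure functions so the audit logic runs offline on constructed input:
//  1. findDebugPort(cmdline): detect a --remote-debugging-port=N flag in a
//     process command line (what a tampered WeChat launcher would add).
//  2. summarizeTargets(jsonText): parse the /json target listing served by the
//     DevTools endpoint and report which page targets are exposed.

function findDebugPort(cmdline) {
  // Matches both "--remote-debugging-port=8000" and "--remote-debugging-port 8000".
  const m = /--remote-debugging-port(?:=|\s+)(\d{1,5})\b/.exec(cmdline);
  if (!m) return null;
  const port = Number(m[1]);
  return port >= 1 && port <= 65535 ? port : null;
}

function summarizeTargets(jsonText) {
  let targets;
  try {
    targets = JSON.parse(jsonText);
  } catch (e) {
    return { ok: false, reason: 'not JSON', pages: [] };
  }
  if (!Array.isArray(targets)) {
    return { ok: false, reason: 'unexpected shape', pages: [] };
  }
  // Only "page" targets with a WebSocket debugger URL can be driven remotely.
  const pages = targets
    .filter((t) => t && t.type === 'page' && typeof t.webSocketDebuggerUrl === 'string')
    .map((t) => ({ id: t.id, url: t.url, ws: t.webSocketDebuggerUrl }));
  return { ok: true, reason: pages.length ? 'page targets exposed' : 'no page targets', pages };
}

// Constructed sample data (not captured from a real WeChat instance).
const SAMPLE_CMDLINE = '"C:\\Program Files\\WeChat\\WeChat.exe" --remote-debugging-port=8000';
const SAMPLE_JSON = JSON.stringify([
  { id: 'A1', type: 'page', url: 'https://mp.weixin.qq.com/s/example',
    webSocketDebuggerUrl: 'ws://localhost:8000/devtools/page/A1' },
  { id: 'B2', type: 'background_page', url: 'chrome-extension://x/bg.html',
    webSocketDebuggerUrl: 'ws://localhost:8000/devtools/page/B2' },
]);

// A live audit would fetch http://localhost:<port>/json with the port returned
// by findDebugPort and hand the body to summarizeTargets (wiring left to the reader).
console.log('flag port:', findDebugPort(SAMPLE_CMDLINE));
console.log('targets:', summarizeTargets(SAMPLE_JSON));
```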

Scenario 2: crawling WeChat public account article data, obtaining data from all kinds of third-party WeChat authorizations, and using multiple WeChat instances together with the debugging protocol for large-scale ????



Thank you so much for your information


devtools_resources.pak download address

Link: pan.baidu.com/s/12ZaPeLaR…

Extraction code: ytyz

Tencent Weiyun link: share.weiyun.com/55lX4Ff

WeChat built-in browser version information

Because each WeChat version ships with a different pak file, it is recommended to run the code above so that the browser navigates to the following page (chrome://version), and then place the pak file according to the value of resources-dir-path.