Browser Helper Object: Difference between revisions

From Wikipedia, the free encyclopedia
(47 intermediate revisions by 33 users not shown)
Line 1: Line 1:
[[Image:Am addon manager.png|right|thumb|Add-on Manager from Windows XP SP2 Internet Explorer]]
{{Short description|Plug-in module for Internet Explorer}}
[[File:Am addon manager.png|right|thumb|Add-on Manager from [[Windows XP]] SP2 Internet Explorer]]
A '''Browser Helper Object''' ('''BHO''') is a [[Library (computer science)|DLL]] [[Module (programming)|module]] designed as a [[Plug-in (computing)|plugin]] for [[Microsoft]]'s [[Internet Explorer]] [[web browser]] to provide added functionality. BHOs were introduced in October 1997 with the release of [[Internet Explorer 4|version 4]] of Internet Explorer. Most BHOs are loaded once by each new instance of Internet Explorer. However, in the case of [[Windows Explorer]], a new instance is launched for each window.
A '''Browser Helper Object''' ('''BHO''') is a [[Library (computer science)|DLL]] [[Module (programming)|module]] designed as a [[Plug-in (computing)|plugin]] for the [[Microsoft]] [[Internet Explorer]] [[web browser]] to provide added functionality. BHOs were introduced in October 1997 with the release of [[Internet Explorer 4|version 4]] of Internet Explorer. Most BHOs are loaded once by each new instance of Internet Explorer. However, in the case of [[Windows Explorer]], a new instance is launched for each window.

BHOs are still supported as of Windows 10, through [[Internet Explorer 11]], while BHOs are not supported in [[Microsoft Edge]].


== Implementation ==
== Implementation ==
Each time a new instance of Internet Explorer starts, it checks the [[Windows Registry]] for the key ''HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects''. If Internet Explorer finds this key in the registry, it looks for a [[Universally unique identifier#In COM|CLSID]] key listed below the key. The CLSID keys under Browser Helper Objects tell the browser which BHOs to load. Removing the registry key prevents the BHO from being loaded. For each CLSID that is listed below the BHO key, Internet Explorer calls CoCreateInstance to start the instance of the BHO in the same process space as the browser. If the BHO is started and implements the IObjectWithSite interface, it can control and receive events from Internet Explorer. BHOs can be created in any language that supports [[Component Object Model|COM]].<ref>Roberts Scott, ''Programming Microsoft Internet Explorer 5'', Microsoft Press, 1999, {{ISBN|0-7356-0781-8}}</ref>
Each time a new instance of Internet Explorer starts, it checks the [[Windows Registry|windows registry]] for the following key:<br />
''HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects''<br />
If Internet Explorer finds this key in the registry, it looks for a [[CLSID]] key listed below the key. The CLSID keys under Browser Helper Objects tell the browser which BHOs to load. Removing the registry key prevents the BHO from being loaded.<br />
For each CLSID that is listed below the BHO key, Internet Explorer calls CoCreateInstance to start the instance of the BHO in the same process space as the browser. If the BHO is started and implements the IObjectWithSite interface, it can control and receive events from Internet Explorer. BHOs can be created in any language that supports [[Component Object Model|COM]].<ref>Roberts Scott, ''Programming Microsoft Internet Explorer 5'', Microsoft Press, 1999, ISBN 0-7356-0781-8</ref>


== Examples of BHO ==
== Examples ==
Some modules enable the display of different file formats not ordinarily interpretable by the browser. The [[Adobe Acrobat]] plug-in that allows Internet Explorer users to read [[Portable Document Format|PDF]] files within their browser is a BHO.

Some modules enable the display of different file formats not ordinarily interpretable by the browser. The [[Adobe Acrobat]] plug-in that allows Internet Explorer users to read [[Portable Document Format|PDF]] files within their browser is a BHO.


Other modules add toolbars to Internet Explorer, such as the [[Alexa Toolbar]] that provides a list of web sites related to the one you are currently browsing, or the [[Google Toolbar]] that adds a toolbar with a Google search box to the browser [[user interface]].
Other modules add toolbars to Internet Explorer, such as the [[Alexa Toolbar]] that provides a list of web sites related to the one you are currently browsing, or the [[Google Toolbar]] that adds a toolbar with a Google search box to the browser [[user interface]].


The Conduit toolbars are based on a BHO that can be used on [[Internet Explorer 7]] and up. This BHO provides a search facility that connects to [[Microsoft]]'s [[Bing]] search. However, security firm [[Sophos]] is of the opinion that this BHO is [[malware]] that connects to malware-infected Internet content.
The Conduit toolbars are based on a BHO that can be used on [[Internet Explorer 7]] and up. This BHO provides a search facility that connects to [[Microsoft]]'s [[Bing (search engine)|Bing]] search.


==Concerns==
== Concerns ==
The BHO [[application programming interface|API]] exposes [[hooking|hook]]s that allow the BHO to access the [[Document Object Model]] (DOM) of the current page and to control navigation. Because BHOs have unrestricted access to the Internet Explorer event model, some forms of [[malware]] (such as adware and spyware) have also been created as BHOs.<ref>{{Cite web|title=Browser Hijack Objects (BHOs)|url=https://blog.malwarebytes.com/threats/browser-hijack-objects-bhos/|access-date=2021-12-05|website=Malwarebytes Labs|language=en-US}}</ref><ref>{{Cite journal |last=Park |first=Beomsoo |last2=Hong |first2=Sungjin |last3=Oh |first3=Jaewook |last4=Lee |first4=Heejo |date=2005 |editor-last=Kantor |editor-first=Paul |editor2-last=Muresan |editor2-first=Gheorghe |editor3-last=Roberts |editor3-first=Fred |editor4-last=Zeng |editor4-first=Daniel D. |editor5-last=Wang |editor5-first=Fei-Yue |editor6-last=Chen |editor6-first=Hsinchun |editor7-last=Merkle |editor7-first=Ralph C. |title=Defending a Web Browser Against Spying with Browser Helper Objects |url=https://link.springer.com/chapter/10.1007/11427995_85 |journal=Intelligence and Security Informatics |series=Lecture Notes in Computer Science |language=en |location=Berlin, Heidelberg |publisher=Springer |pages=638–639 |doi=10.1007/11427995_85 |isbn=978-3-540-32063-0}}</ref>


The BHO [[application programming interface|API]] exposes [[hooking|hook]]s that allow the BHO to access the [[Document Object Model]] (DOM) of the current page and to control navigation. Because BHOs have unrestricted access to the Internet Explorer event model, some forms of [[malware]] have also been created as BHOs. For example, the [[Download.ject]] malware installs a BHO that would activate upon detecting a secure [[HTTP]] connection to a financial institution, [[keystroke logging|record the user's keystrokes]] (intending to capture passwords) and transmit the information to a website used by Russian [[computer crime|computer criminals]]. Other BHOs such as the [[MyWay Searchbar]] track users' browsing patterns and pass the information they record to third parties.
For example, the [[Download.ject]] malware is a BHO that is activated when a secure [[HTTP]] connection is made to a financial institution, then begins to [[keystroke logging|record keystrokes]] for the purpose of capturing user passwords. The [[MyWay Searchbar]] tracks users' browsing patterns and passes the information it records to third parties. The [[C2.LOP]] malware adds links and popups of its own to web pages in order to drive users to [[pay-per-click]] websites.{{cn|date=May 2021}}


Many BHOs introduce visible changes to a browser's interface, such as installing toolbars in Internet Explorer and the like, but others run without any change to the interface. This renders it easy for malicious coders to conceal the actions of their browser add-on, especially since, after being installed, the BHO seldom requires permission before performing further actions. For instance, variants of the ClSpring trojan use BHOs to install scripts to provide a number of instructions to be performed such as adding and deleting registry values and downloading additional executable files, all completely transparently to the user.<ref>Computer Associates malware entry at [http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=42280 ca.com], retrieved 1/16/2009</ref> The [[DyFuCA]] spyware even replaces Internet Explorer's general error page with an ad page.
Many BHOs introduce visible changes to a browser's interface, such as installing toolbars in [[Internet Explorer]] and the like, but others run without any change to the interface. This renders it easy for malicious coders to conceal the actions of their browser add-on, especially since, after being installed, the BHO seldom requires permission before performing further actions. For instance, variants of the ClSpring trojan use BHOs to install scripts to provide a number of instructions to be performed such as adding and deleting registry values and downloading additional executable files, all completely transparently to the user.<ref>Computer Associates malware entry at [http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=42280 ca.com], retrieved 1/16/2009</ref>


In response to the problems associated with BHOs and similar extensions to Internet Explorer, Microsoft debuted an ''Add-on Manager'' in [[Internet Explorer 6]] with the release of [[Windows XP#Service Pack 2|Service Pack 2]] for [[Windows XP]] (updating it to IE6 Security Version 1, a.k.a. SP2). This utility displays a list of all installed BHOs, [[browser extension]]s and [[ActiveX control]]s, and allows the user to enable or disable them at will. There are also free tools (such as BHODemon) that list installed BHOs and allow the user to disable malicious extensions. [[Spybot – Search & Destroy|Spybot S&D]] advanced mode has a similar tool built in to allow the user to disable installed BHOs.
In response to the problems associated with BHOs and similar extensions to Internet Explorer, Microsoft debuted an ''Add-on Manager'' in [[Internet Explorer 6]] with the release of [[Windows XP#Service Pack 2|Service Pack 2]] for [[Windows XP]] (updating it to IE6 Security Version 1, a.k.a. SP2). This utility displays a list of all installed BHOs, [[browser extension]]s and [[ActiveX control]]s, and allows the user to enable or disable them at will. There are also free tools (such as BHODemon) that list installed BHOs and allow the user to disable malicious extensions. [[Spybot – Search & Destroy|Spybot S&D]] advanced mode has a similar tool built in to allow the user to disable installed BHO.
{{update|date=September 2011}}
In IE9 Beta, BHOs and toolbars are not loaded when a link pinned to the taskbar is accessed.


==See also==
== See also ==
*[[Rootkit]]
*[[Browser extension]]
*[[Plug-in (computing)]]
*[[HTML Components]]
*[[Add-on (Mozilla)]]
*[[Google Chrome Extensions]]


== References ==
== References ==
<references/>
<references/>


==External links==
== External links ==
*[https://sites.google.com/site/bhosearch/ Sites.google.com]
*[https://sites.google.com/site/bhosearch/ Sites.google.com] {{Webarchive|url=https://web.archive.org/web/20141224114851/https://sites.google.com/site/bhosearch/ |date=2014-12-24 }}


===Microsoft sites===
=== Microsoft sites ===
*[http://support.microsoft.com/default.aspx?scid=kb%3BEN-US%3Bq179230 ''IEHelper-Attaching to Internet Explorer 4.0 by Using a Browser Helper Object'']
*[http://support.microsoft.com/default.aspx?scid=kb%3BEN-US%3Bq179230 ''IEHelper-Attaching to Internet Explorer 4.0 by Using a Browser Helper Object'']
*[http://www.microsoft.com/windowsxp/using/web/sp2_addonmanager.mspx Control Internet Explorer Add-ons with Add-on Manager] - an article on Microsoft.com that explains this new feature of Windows XP Service Pack 2
*[https://web.archive.org/web/20050109091250/http://www.microsoft.com/windowsxp/using/web/sp2_addonmanager.mspx Control Internet Explorer Add-ons with Add-on Manager]{{snd}}an article on Microsoft.com that explains this new feature of Windows XP Service Pack 2
*[http://msdn2.microsoft.com/en-us/library/bb250489.aspx Building Browser Helper Objects with Visual Studio 2005] - an October 2006 MSDN article by Tony Schreiner and John Sudds
*[http://msdn2.microsoft.com/en-us/library/bb250489.aspx Building Browser Helper Objects with Visual Studio 2005]{{snd}}an October 2006 MSDN article by Tony Schreiner and John Sudds


===Listings and examples===
=== Listings and examples ===
*[http://www.systemlookup.com/lists.php?list=1 CLSID List] - master list created by Tony Kleinkramer, which attempts to record and identify every BHO available (previously located at - the now defunct - [[CastleCops|castlecops.com]])
*[http://www.systemlookup.com/lists.php?list=1 CLSID List]{{snd}}master list created by Tony Kleinkramer, which attempts to record and identify every BHO available (previously located at{{snd}}the now defunct{{snd}}[[CastleCops|castlecops.com]]){{snd}}also includes Toolbar, Explorer Bar and URLSearchHook GUIDs
*[http://www.adp-gmbh.ch/win/com/bho.html C++ example code for a BHO]
*[http://www.adp-gmbh.ch/win/com/bho.html C++ example code for a BHO]
*[http://www.codeproject.com/KB/cs/Attach_BHO_with_C_.aspx C# example code for a BHO]
*[http://www.codeproject.com/Articles/19971/How-to-attach-to-Browser-Helper-Object-BHO-with-C C# example code for a BHO]


{{Information security}}
{{Microsoft APIs}}
{{Microsoft APIs}}
{{Internet Explorer}}
{{Internet Explorer}}
{{Web interfaces}}


[[Category:Internet Explorer]]
[[Category:Internet Explorer]]

[[da:Browser Helper Object]]
[[de:Browser Helper Object]]
[[es:Browser Helper Object]]
[[it:Browser Helper Object]]
[[ja:Browser Helper Object]]
[[pt:Browser Helper Object]]
[[ru:Browser Helper Object]]
[[zh:浏览器帮助对象]]
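Review bot: In the Concerns section, the paragraph beginning "For example, the [[Download.ject]] malware is a BHO" makes three separate behavioural claims (Download.ject, MyWay Searchbar, C2.LOP) but carries a single {{cn|date=May 2021}} at its end, so none of the three is sourced. Give each claim its own reference, or drop the ones that cannot be cited. The ClSpring reference in the following paragraph also still points at a bare ca.com URL "retrieved 1/16/2009" with no archive copy, unlike the Add-on Manager external link, which now has a web.archive.org URL.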

Latest revision as of 00:58, 12 May 2024

Add-on Manager from Windows XP SP2 Internet Explorer

A Browser Helper Object (BHO) is a DLL module designed as a plugin for the Microsoft Internet Explorer web browser to provide added functionality. BHOs were introduced in October 1997 with the release of version 4 of Internet Explorer. Most BHOs are loaded once by each new instance of Internet Explorer. However, in the case of Windows Explorer, a new instance is launched for each window.

BHOs are still supported as of Windows 10, through Internet Explorer 11, while BHOs are not supported in Microsoft Edge.

Implementation

Each time a new instance of Internet Explorer starts, it checks the Windows Registry for the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects. If Internet Explorer finds this key in the registry, it looks for a CLSID key listed below the key. The CLSID keys under Browser Helper Objects tell the browser which BHOs to load. Removing the registry key prevents the BHO from being loaded. For each CLSID that is listed below the BHO key, Internet Explorer calls CoCreateInstance to start the instance of the BHO in the same process space as the browser. If the BHO is started and implements the IObjectWithSite interface, it can control and receive events from Internet Explorer. BHOs can be created in any language that supports COM.[1]

Examples

Some modules enable the display of different file formats not ordinarily interpretable by the browser. The Adobe Acrobat plug-in that allows Internet Explorer users to read PDF files within their browser is a BHO.

Other modules add toolbars to Internet Explorer, such as the Alexa Toolbar that provides a list of web sites related to the one you are currently browsing, or the Google Toolbar that adds a toolbar with a Google search box to the browser user interface.

The Conduit toolbars are based on a BHO that can be used on Internet Explorer 7 and up. This BHO provides a search facility that connects to Microsoft's Bing search.

Concerns

The BHO API exposes hooks that allow the BHO to access the Document Object Model (DOM) of the current page and to control navigation. Because BHOs have unrestricted access to the Internet Explorer event model, some forms of malware (such as adware and spyware) have also been created as BHOs.[2][3]

For example, the Download.ject malware is a BHO that is activated when a secure HTTP connection is made to a financial institution, then begins to record keystrokes for the purpose of capturing user passwords. The MyWay Searchbar tracks users' browsing patterns and passes the information it records to third parties. The C2.LOP malware adds links and popups of its own to web pages in order to drive users to pay-per-click websites.[citation needed]

Many BHOs introduce visible changes to a browser's interface, such as installing toolbars in Internet Explorer, but others run without any change to the interface. This makes it easy for malicious coders to conceal the actions of their browser add-on, especially since, once installed, the BHO seldom requires permission before performing further actions. For instance, variants of the ClSpring trojan use BHOs to install scripts that carry out a number of instructions, such as adding and deleting registry values and downloading additional executable files, all without any indication to the user.[4]

In response to the problems associated with BHOs and similar extensions to Internet Explorer, Microsoft debuted an Add-on Manager in Internet Explorer 6 with the release of Service Pack 2 for Windows XP (updating it to IE6 Security Version 1, a.k.a. SP2). This utility displays a list of all installed BHOs, browser extensions and ActiveX controls, and allows the user to enable or disable them at will. There are also free tools (such as BHODemon) that list installed BHOs and allow the user to disable malicious extensions. Spybot S&D advanced mode has a similar built-in tool that allows the user to disable installed BHOs.
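
The registry lookup described under Implementation, and the kind of listing the tools above produce, can be reproduced for triage with the following added example (not code from the article or from any of the tools named). The WOW64 registry paths, the `Get-BhoInventory` name and the "Review" heuristic are assumptions of this example.

```powershell
# Added example: inventory registered BHOs and the DLL each CLSID resolves to.
# Assumption: run from a 64-bit PowerShell so both registry views are visible.
$views = @(
    @{  # Key named in the article (native view).
        Name = 'native'
        Bho  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
        Com  = 'HKLM:\SOFTWARE\Classes\CLSID'
    },
    @{  # Assumption (not in the article): view read by 32-bit IE on 64-bit Windows.
        Name = 'WOW64'
        Bho  = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
        Com  = 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'
    }
)

function Get-BhoInventory {
    foreach ($v in $views) {
        if (-not (Test-Path -LiteralPath $v.Bho)) { continue }
        # Each subkey name is a CLSID that Internet Explorer would instantiate.
        foreach ($sub in Get-ChildItem -LiteralPath $v.Bho) {
            $clsid  = $sub.PSChildName
            $server = "$($v.Com)\$clsid\InprocServer32"
            $dll = $null
            $sig = $null
            if (Test-Path -LiteralPath $server) {
                # The default value of InprocServer32 is the in-process DLL
                # loaded into the browser (machine-wide registration only).
                $dll = ([string](Get-Item -LiteralPath $server).GetValue('')).Trim('"')
            }
            $exists = [bool]($dll -and (Test-Path -LiteralPath $dll -PathType Leaf))
            if ($exists) { $sig = Get-AuthenticodeSignature -LiteralPath $dll }
            [pscustomobject]@{
                View      = $v.Name
                CLSID     = $clsid
                Dll       = $dll
                DllExists = $exists
                Signature = if ($sig) { $sig.Status } else { 'n/a' }
                Signer    = if ($sig -and $sig.SignerCertificate) {
                                $sig.SignerCertificate.Subject
                            } else { $null }
                # Heuristic of this example: missing DLL or no valid signature.
                Review    = (-not $exists) -or ($sig.Status -ne 'Valid')
            }
        }
    }
}

Get-BhoInventory | Sort-Object Review -Descending | Format-Table -AutoSize
```

An entry flagged for review is not necessarily malicious; it is a CLSID whose DLL is missing or lacks a valid Authenticode signature and so deserves a closer look before it is disabled or its key removed.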

References

  1. ^ Roberts Scott, Programming Microsoft Internet Explorer 5, Microsoft Press, 1999, ISBN 0-7356-0781-8
  2. ^ "Browser Hijack Objects (BHOs)". Malwarebytes Labs. Retrieved 2021-12-05.
  3. ^ Park, Beomsoo; Hong, Sungjin; Oh, Jaewook; Lee, Heejo (2005). Kantor, Paul; Muresan, Gheorghe; Roberts, Fred; Zeng, Daniel D.; Wang, Fei-Yue; Chen, Hsinchun; Merkle, Ralph C. (eds.). "Defending a Web Browser Against Spying with Browser Helper Objects". Intelligence and Security Informatics. Lecture Notes in Computer Science. Berlin, Heidelberg: Springer: 638–639. doi:10.1007/11427995_85. ISBN 978-3-540-32063-0.
  4. ^ Computer Associates malware entry at ca.com, retrieved 1/16/2009