zabuz

Finding SSL_Write Problems



I have seen several posts about SSL_Write, NetRipper and all that, but something really confuses me when I try to hook it. Maybe that is also what is confusing the other fellow who has been working on it for some time.

Today I decided to have a look at hooking SSL_Write, and I tried it out with source code from rohitab; credit goes to Napalm.

My source code looks like this:


#include "stdafx.h"
#include <Windows.h>
#include <stdlib.h>
#include <stdio.h>

using namespace std;

// Start address and size of one PE section, as filled in by GetModuleSection.
// Both fields are DWORDs, so this only represents a 32-bit address space.
struct SECTION_INFO
{
    DWORD dwStartAddress; // module address + the section header's VirtualAddress
    DWORD dwSize;         // the section header's SizeOfRawData
};


// Continuation pointer into the original SSL_Write. PatchAPI stores the hooked
// function's address + 2 here (the code after its patched two-byte prologue);
// NewSSL_Write calls through it to run the original implementation.
DWORD (*OldSSL_Write)(void *s, const void *buf, int len);

BOOL PatchAPI(LPSTR lpszLib, LPSTR lpszFunc, FARPROC *lpOldFunc, FARPROC fpNewFunc) // by Napalm
{
    // Inline "hot-patch" style hook of lpszLib!lpszFunc, applied to the current
    // process only (the target's code bytes are rewritten in memory; nothing
    // persists beyond the module's lifetime).
    // Preconditions checked below: the 5 bytes before the function entry are
    // 0x90 (NOP padding) and the entry itself starts with 8B FF
    // (`mov edi, edi`, a two-byte instruction that can be replaced whole).
    // On success *lpOldFunc receives the address of the instruction after that
    // prologue, so the caller can continue into the original code from there,
    // and TRUE is returned; any failed precondition returns FALSE.
    // All address arithmetic goes through DWORD/LONG, so a 32-bit process is assumed.
    BOOL bResult = FALSE;
    DWORD dwProtect;
    LPBYTE lpPatch;
    FARPROC fpOldFunc;

    // The LoadLibrary handle is not checked; a NULL handle just makes
    // GetProcAddress return NULL and the function fall through to FALSE.
    fpOldFunc = GetProcAddress(LoadLibrary(lpszLib), lpszFunc);
    if(fpOldFunc){
        lpPatch = (LPBYTE)fpOldFunc - 5;
        // Expect five NOPs, then mov edi,edi at the entry.
        if(!memcmp(lpPatch, "\x90\x90\x90\x90\x90\x8B\xFF", 7)){
            if(VirtualProtect(lpPatch, 7, PAGE_EXECUTE_READWRITE, &dwProtect)){
                // Write `jmp rel32` (E9) into the padding. The displacement is
                // relative to the end of this 5-byte instruction, which is exactly
                // fpOldFunc, hence fpNewFunc - fpOldFunc.
                *lpPatch = 0xE9;
                *(LPDWORD)(lpPatch + 1) = (DWORD)((LONG)fpNewFunc - (LONG)fpOldFunc);
                // Hand back the continuation point: the byte after mov edi,edi.
                *(LPDWORD)lpOldFunc = ((DWORD)fpOldFunc + 2);
                // Atomically replace the 2-byte prologue with EB F9 (`jmp short -7`,
                // which lands on the E9 written above). The exchange is 4 bytes wide;
                // the upper two bytes keep their original value.
                InterlockedExchange((LPLONG)fpOldFunc, (LONG)((*(LPDWORD)fpOldFunc & 0xFFFF0000) | 0xF9EB));
                // NOTE(review): the old-protection out-parameter is NULL here, which the
                // VirtualProtect contract does not allow, and the result is not checked,
                // so the page's original protection may not actually be restored.
                VirtualProtect(lpPatch, 7, dwProtect, NULL);
                bResult = TRUE;
            }
        }
    }

    return bResult;
}

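DWORD SearchMemory(void* p_pvStartAddress, DWORD p_dwSize, void *p_pvBuffer, DWORD p_dwBufferSize)
{
    // Linear scan of [p_pvStartAddress, p_pvStartAddress + p_dwSize) for the
    // first occurrence of the p_dwBufferSize-byte pattern in p_pvBuffer.
    // Returns the address of the match as a DWORD, or 0 when there is none.
    // Every candidate offset is compared with memcmp, so the caller must make
    // sure the whole range is readable.
    unsigned char *pByte = (unsigned char *)p_pvStartAddress;

    // Guard the unsigned subtraction below: with p_dwSize < p_dwBufferSize the
    // bound would wrap to a huge value and the loop would read far past the
    // region. NULL inputs are rejected for the same reason (memcmp on NULL).
    if(pByte == NULL || p_pvBuffer == NULL || p_dwSize < p_dwBufferSize)
    {
        OutputDebugStringA("[ERROR] SearchMemory did not find the pattern!");
        return 0;
    }

    // The last offset at which a whole pattern still fits is
    // p_dwSize - p_dwBufferSize, inclusive; '<' would skip that position.
    for(size_t i = 0; i <= p_dwSize - p_dwBufferSize; i++)
    {
        if(memcmp(pByte + i, p_pvBuffer, p_dwBufferSize) == 0)
        {
            return (DWORD)(pByte + i);
        }
    }

    OutputDebugStringA("[ERROR] SearchMemory did not find the pattern!");

    return 0;
}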

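DWORD SearchMemoryByN(void* p_pvStartAddress, DWORD p_dwSize, void *p_pvBuffer, DWORD p_dwBufferSize, unsigned int p_nN)
{
    // Same scan as SearchMemory, but returns the address of the p_nN-th
    // occurrence (1-based) of the pattern instead of the first one.
    // Returns 0 when fewer than p_nN occurrences exist (so p_nN == 0 never
    // matches). Occurrences are counted at every offset, so overlapping
    // matches each count.
    unsigned char *pByte = (unsigned char *)p_pvStartAddress;
    unsigned int nSeen = 0;

    // Guard the unsigned subtraction below: a region shorter than the pattern
    // would otherwise wrap the bound and the scan would run past the region.
    if(pByte == NULL || p_pvBuffer == NULL || p_dwSize < p_dwBufferSize)
    {
        OutputDebugStringA("[ERROR] SearchMemoryByN did not find the pattern!");
        return 0;
    }

    // '<=' so the last offset where the pattern still fits is tested too.
    for(size_t i = 0; i <= p_dwSize - p_dwBufferSize; i++)
    {
        if(memcmp(pByte + i, p_pvBuffer, p_dwBufferSize) == 0)
        {
            nSeen++;
            if(nSeen == p_nN)
            {
                return (DWORD)(pByte + i);
            }
        }
    }

    // Log text previously named SearchMemory; corrected to this function.
    OutputDebugStringA("[ERROR] SearchMemoryByN did not find the pattern!");

    return 0;
}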

int WINAPI NewSSL_Write(void *s, const void *buf, int len)
{
    // Replacement body installed by PatchAPI. It does nothing with the
    // arguments itself: every intercepted call is forwarded unchanged to the
    // continuation stored in OldSSL_Write and that result is returned
    // (DWORD narrowed to int, as in the original implicit conversion).
    DWORD (*forward)(void *, const void *, int) = OldSSL_Write;
    DWORD rc = (*forward)(s, buf, len);
    return (int)rc;
}


SECTION_INFO GetModuleSection(LPCSTR p_sModule, LPCSTR p_sSection)
{
    // Loads p_sModule and walks a copy of its PE section table, returning a
    // SECTION_INFO. As written, p_sSection is never referenced: the loop at
    // the end stores every section header's values into the same struct, so
    // the value returned is that of the last section header processed
    // (or {0, 0} when NumberOfSections is zero).
    SECTION_INFO oSectionData = {0, 0};
    bool bFound = 0; // never updated or read

    // Failure is only logged (with a hard-coded "Chrome.dll" message);
    // execution continues regardless, and hLib is not used again below.
    HANDLE hLib = LoadLibraryA(p_sModule);
    if (!hLib)
    {
        OutputDebugStringA("[ERROR] Cannot Find Chrome.dll\n");
    }

    IMAGE_DOS_HEADER dos;
    IMAGE_NT_HEADERS ntHeaders;
    IMAGE_SECTION_HEADER *pSections = NULL;

    // Get DOS/PE header
    // Both copies read from the address held in the p_sModule argument (the
    // string pointer cast to void *), offset by e_lfanew for the NT headers.
    // The DWORD casts assume a 32-bit address space.
    memcpy(&dos, (void *)p_sModule, sizeof(IMAGE_DOS_HEADER));
    memcpy(&ntHeaders, (void *)((DWORD)p_sModule + dos.e_lfanew), sizeof(IMAGE_NT_HEADERS));

    // Get sections
    // Heap copy of the section table. In standard C++ `new[]` throws on
    // failure rather than returning NULL, so the check below never fires.
    // The array is never delete[]'d: one leak per call.
    pSections = new IMAGE_SECTION_HEADER[ntHeaders.FileHeader.NumberOfSections];

    if(pSections == NULL)
    {
        OutputDebugStringA("[ERROR] Cannot allocate space for sections: ");
    }

    // Copy
    // Section headers are read from directly after the NT headers.
    memcpy(pSections, (void *)((DWORD)p_sModule + dos.e_lfanew + sizeof(IMAGE_NT_HEADERS)),
    ntHeaders.FileHeader.NumberOfSections * sizeof(IMAGE_SECTION_HEADER));

    // Each iteration overwrites oSectionData; no name comparison is made.
    for(size_t j = 0; j < ntHeaders.FileHeader.NumberOfSections; j++)
    {
        oSectionData.dwSize = pSections[j].SizeOfRawData;
        oSectionData.dwStartAddress = (DWORD)p_sModule + pSections[j].VirtualAddress;
    }
    return oSectionData;
}

void HookChromeBoringSSL()
{
    // Called from DllMain on process attach. Looks up two sections of
    // chrome.dll, runs two pattern scans whose results are discarded, and then
    // tries PatchAPI on "SSL_Write"; a message box is the only success signal.
    SECTION_INFO rdata = {0, 0}; // looked up below but not used afterwards
    SECTION_INFO text = {0, 0};

    // 5-byte pattern: opcode 0x68 (x86 push imm32) followed by a zero operand.
    unsigned char PSH_string[] = {0x68, 0x00, 0x00, 0x00, 0x00};
    // Build-path string literal; unused in this body.
    unsigned char SSL_string[] = "c:\\b\\build\\slave\\win\\build\\src\\third_party\\boringssl\\src\\ssl\\ssl_lib.c";
    // Of these four constants only READ_IND and WRITE_IND are used (as the
    // N-th-match index of the two scans); the nBytesBefore* values are unused.
    const unsigned int nBytesBeforeRead = 17;
    const unsigned int nBytesBeforeWrite = 17;
    const unsigned int READ_IND = 17;
    const unsigned int WRITE_IND = 15;

    rdata = GetModuleSection("chrome.dll", ".rdata");
    text = GetModuleSection("chrome.dll", ".text");

    // The return values (match address, or 0) are discarded, so these scans
    // have no effect on the patch that follows.
    SearchMemoryByN((void *)text.dwStartAddress, text.dwSize, (void *)PSH_string, 5, READ_IND);
    SearchMemoryByN((void *)text.dwStartAddress, text.dwSize, (void *)PSH_string, 5, WRITE_IND);

    // PatchAPI resolves the name via GetProcAddress and patches only when the
    // prologue bytes it expects are present; OldSSL_Write is filled in on success.
    if(PatchAPI("chrome.dll", "SSL_Write", (FARPROC *)&OldSSL_Write, (FARPROC)NewSSL_Write))
    {
        MessageBoxA(NULL,"Hooked","",MB_OK);
    }// Using Napalms Patch
}

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    // Only the process-attach notification does anything: it installs the
    // hook. Thread attach/detach and process detach are no-ops, and TRUE is
    // always returned.
    // NOTE(review): the hook path calls LoadLibrary and MessageBoxA from
    // inside DllMain, while the loader lock is held; the documented DllMain
    // restrictions advise against both.
    if (ul_reason_for_call == DLL_PROCESS_ATTACH)
    {
        HookChromeBoringSSL();
    }
    (void)hModule;
    (void)lpReserved;
    return TRUE;
}

I had to cull a lot of things from NetRipper, but I don't see it pop up the "Hooked" MessageBox.

It's starting to seem like I don't know what I'm doing.
