├── CONTRIBUTING.md ├── LICENSE ├── README.md └── ssl_logger.py /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # How to Contribute 2 | 3 | We'd love to accept your patches and contributions to this project. There are just a few small guidelines you need to follow. 4 | 5 | ## Contributor License Agreement 6 | 7 | Contributions to this project must be accompanied by a Contributor License Agreement. You (or your employer) retain the copyright to your contribution, this simply gives us permission to use and redistribute your contributions as part of the project. Head over to to see your current agreements on file or to sign a new one. 8 | 9 | You generally only need to submit a CLA once, so if you've already submitted one (even if it was for a different project), you probably don't need to do it again. 10 | 11 | ## Code reviews 12 | 13 | All submissions, including submissions by project members, require review. We use GitHub pull requests for this purpose. Consult [GitHub Help](https://help.github.com/articles/about-pull-requests/) for more information on using pull requests. -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | 2 | Apache License 3 | Version 2.0, January 2004 4 | http://www.apache.org/licenses/ 5 | 6 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 7 | 8 | 1. Definitions. 9 | 10 | "License" shall mean the terms and conditions for use, reproduction, 11 | and distribution as defined by Sections 1 through 9 of this document. 12 | 13 | "Licensor" shall mean the copyright owner or entity authorized by 14 | the copyright owner that is granting the License. 15 | 16 | "Legal Entity" shall mean the union of the acting entity and all 17 | other entities that control, are controlled by, or are under common 18 | control with that entity. For the purposes of this definition, 19 | "control" means (i) the power, direct or indirect, to cause the 20 | direction or management of such entity, whether by contract or 21 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 22 | outstanding shares, or (iii) beneficial ownership of such entity. 23 | 24 | "You" (or "Your") shall mean an individual or Legal Entity 25 | exercising permissions granted by this License. 26 | 27 | "Source" form shall mean the preferred form for making modifications, 28 | including but not limited to software source code, documentation 29 | source, and configuration files. 30 | 31 | "Object" form shall mean any form resulting from mechanical 32 | transformation or translation of a Source form, including but 33 | not limited to compiled object code, generated documentation, 34 | and conversions to other media types. 35 | 36 | "Work" shall mean the work of authorship, whether in Source or 37 | Object form, made available under the License, as indicated by a 38 | copyright notice that is included in or attached to the work 39 | (an example is provided in the Appendix below). 40 | 41 | "Derivative Works" shall mean any work, whether in Source or Object 42 | form, that is based on (or derived from) the Work and for which the 43 | editorial revisions, annotations, elaborations, or other modifications 44 | represent, as a whole, an original work of authorship. For the purposes 45 | of this License, Derivative Works shall not include works that remain 46 | separable from, or merely link (or bind by name) to the interfaces of, 47 | the Work and Derivative Works thereof. 48 | 49 | "Contribution" shall mean any work of authorship, including 50 | the original version of the Work and any modifications or additions 51 | to that Work or Derivative Works thereof, that is intentionally 52 | submitted to Licensor for inclusion in the Work by the copyright owner 53 | or by an individual or Legal Entity authorized to submit on behalf of 54 | the copyright owner. For the purposes of this definition, "submitted" 55 | means any form of electronic, verbal, or written communication sent 56 | to the Licensor or its representatives, including but not limited to 57 | communication on electronic mailing lists, source code control systems, 58 | and issue tracking systems that are managed by, or on behalf of, the 59 | Licensor for the purpose of discussing and improving the Work, but 60 | excluding communication that is conspicuously marked or otherwise 61 | designated in writing by the copyright owner as "Not a Contribution." 62 | 63 | "Contributor" shall mean Licensor and any individual or Legal Entity 64 | on behalf of whom a Contribution has been received by Licensor and 65 | subsequently incorporated within the Work. 66 | 67 | 2. Grant of Copyright License. Subject to the terms and conditions of 68 | this License, each Contributor hereby grants to You a perpetual, 69 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 70 | copyright license to reproduce, prepare Derivative Works of, 71 | publicly display, publicly perform, sublicense, and distribute the 72 | Work and such Derivative Works in Source or Object form. 73 | 74 | 3. Grant of Patent License. Subject to the terms and conditions of 75 | this License, each Contributor hereby grants to You a perpetual, 76 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 77 | (except as stated in this section) patent license to make, have made, 78 | use, offer to sell, sell, import, and otherwise transfer the Work, 79 | where such license applies only to those patent claims licensable 80 | by such Contributor that are necessarily infringed by their 81 | Contribution(s) alone or by combination of their Contribution(s) 82 | with the Work to which such Contribution(s) was submitted. If You 83 | institute patent litigation against any entity (including a 84 | cross-claim or counterclaim in a lawsuit) alleging that the Work 85 | or a Contribution incorporated within the Work constitutes direct 86 | or contributory patent infringement, then any patent licenses 87 | granted to You under this License for that Work shall terminate 88 | as of the date such litigation is filed. 89 | 90 | 4. Redistribution. You may reproduce and distribute copies of the 91 | Work or Derivative Works thereof in any medium, with or without 92 | modifications, and in Source or Object form, provided that You 93 | meet the following conditions: 94 | 95 | (a) You must give any other recipients of the Work or 96 | Derivative Works a copy of this License; and 97 | 98 | (b) You must cause any modified files to carry prominent notices 99 | stating that You changed the files; and 100 | 101 | (c) You must retain, in the Source form of any Derivative Works 102 | that You distribute, all copyright, patent, trademark, and 103 | attribution notices from the Source form of the Work, 104 | excluding those notices that do not pertain to any part of 105 | the Derivative Works; and 106 | 107 | (d) If the Work includes a "NOTICE" text file as part of its 108 | distribution, then any Derivative Works that You distribute must 109 | include a readable copy of the attribution notices contained 110 | within such NOTICE file, excluding those notices that do not 111 | pertain to any part of the Derivative Works, in at least one 112 | of the following places: within a NOTICE text file distributed 113 | as part of the Derivative Works; within the Source form or 114 | documentation, if provided along with the Derivative Works; or, 115 | within a display generated by the Derivative Works, if and 116 | wherever such third-party notices normally appear. The contents 117 | of the NOTICE file are for informational purposes only and 118 | do not modify the License. You may add Your own attribution 119 | notices within Derivative Works that You distribute, alongside 120 | or as an addendum to the NOTICE text from the Work, provided 121 | that such additional attribution notices cannot be construed 122 | as modifying the License. 123 | 124 | You may add Your own copyright statement to Your modifications and 125 | may provide additional or different license terms and conditions 126 | for use, reproduction, or distribution of Your modifications, or 127 | for any such Derivative Works as a whole, provided Your use, 128 | reproduction, and distribution of the Work otherwise complies with 129 | the conditions stated in this License. 130 | 131 | 5. Submission of Contributions. Unless You explicitly state otherwise, 132 | any Contribution intentionally submitted for inclusion in the Work 133 | by You to the Licensor shall be under the terms and conditions of 134 | this License, without any additional terms or conditions. 135 | Notwithstanding the above, nothing herein shall supersede or modify 136 | the terms of any separate license agreement you may have executed 137 | with Licensor regarding such Contributions. 138 | 139 | 6. Trademarks. This License does not grant permission to use the trade 140 | names, trademarks, service marks, or product names of the Licensor, 141 | except as required for reasonable and customary use in describing the 142 | origin of the Work and reproducing the content of the NOTICE file. 143 | 144 | 7. Disclaimer of Warranty. Unless required by applicable law or 145 | agreed to in writing, Licensor provides the Work (and each 146 | Contributor provides its Contributions) on an "AS IS" BASIS, 147 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 148 | implied, including, without limitation, any warranties or conditions 149 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 150 | PARTICULAR PURPOSE. You are solely responsible for determining the 151 | appropriateness of using or redistributing the Work and assume any 152 | risks associated with Your exercise of permissions under this License. 153 | 154 | 8. Limitation of Liability. In no event and under no legal theory, 155 | whether in tort (including negligence), contract, or otherwise, 156 | unless required by applicable law (such as deliberate and grossly 157 | negligent acts) or agreed to in writing, shall any Contributor be 158 | liable to You for damages, including any direct, indirect, special, 159 | incidental, or consequential damages of any character arising as a 160 | result of this License or out of the use or inability to use the 161 | Work (including but not limited to damages for loss of goodwill, 162 | work stoppage, computer failure or malfunction, or any and all 163 | other commercial damages or losses), even if such Contributor 164 | has been advised of the possibility of such damages. 165 | 166 | 9. Accepting Warranty or Additional Liability. While redistributing 167 | the Work or Derivative Works thereof, You may choose to offer, 168 | and charge a fee for, acceptance of support, warranty, indemnity, 169 | or other liability obligations and/or rights consistent with this 170 | License. However, in accepting such obligations, You may act only 171 | on Your own behalf and on Your sole responsibility, not on behalf 172 | of any other Contributor, and only if You agree to indemnify, 173 | defend, and hold each Contributor harmless for any liability 174 | incurred by, or claims asserted against, such Contributor by reason 175 | of your accepting any such warranty or additional liability. 176 | 177 | END OF TERMS AND CONDITIONS 178 | 179 | APPENDIX: How to apply the Apache License to your work. 180 | 181 | To apply the Apache License to your work, attach the following 182 | boilerplate notice, with the fields enclosed by brackets "[]" 183 | replaced with your own identifying information. (Don't include 184 | the brackets!) The text should be enclosed in the appropriate 185 | comment syntax for the file format. We also recommend that a 186 | file or class name and description of purpose be included on the 187 | same "printed page" as the copyright notice for easier 188 | identification within third-party archives. 189 | 190 | Copyright [yyyy] [name of copyright owner] 191 | 192 | Licensed under the Apache License, Version 2.0 (the "License"); 193 | you may not use this file except in compliance with the License. 194 | You may obtain a copy of the License at 195 | 196 | http://www.apache.org/licenses/LICENSE-2.0 197 | 198 | Unless required by applicable law or agreed to in writing, software 199 | distributed under the License is distributed on an "AS IS" BASIS, 200 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 201 | See the License for the specific language governing permissions and 202 | limitations under the License. -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # ssl_logger 2 | 3 | Decrypts and logs a process's SSL traffic. 4 | 5 | The functionality offered by *ssl_logger* is intended to mimic [Echo Mirage](http://resources.infosecinstitute.com/echo-mirage-walkthrough/)'s SSL logging functionality on Linux and macOS. 6 | 7 | ## Basic Usage 8 | 9 | `python ssl_logger.py [-pcap ] [-verbose] ` 10 | 11 | Arguments: 12 | 13 | -pcap Name of PCAP file to write 14 | -verbose Show verbose output 15 | Process whose SSL calls to log 16 | 17 | Examples: 18 | 19 | ssl_logger.py -pcap ssl.pcap openssl 20 | ssl_logger.py -verbose 31337 21 | ssl_logger.py -pcap log.pcap -verbose wget 22 | 23 | ## Full Example 24 | 25 | ``` 26 | geffner@ubuntu:~$ # Make a local pipe for input to our openssl client 27 | geffner@ubuntu:~$ mkfifo pipe 28 | 29 | geffner@ubuntu:~$ # Create our openssl client, which will receive input from our pipe 30 | geffner@ubuntu:~$ openssl s_client -ign_eof -connect example.org:443 > /dev/null 2> /dev/null < pipe & 31 | [1] 98954 32 | 33 | geffner@ubuntu:~$ # Begin writing the request to our pipe 34 | geffner@ubuntu:~$ printf "GET / HTTP/1.0\nHost:example.org\n" > pipe 35 | 36 | geffner@ubuntu:~$ # Begin logging the SSL traffic for our openssl client process 37 | geffner@ubuntu:~$ python ssl_logger.py -verbose 98954 & 38 | [2] 98962 39 | Press Ctrl+C to stop logging. 40 | 41 | geffner@ubuntu:~$ # Write the final line-feed to our pipe to complete the HTTP request 42 | geffner@ubuntu:~$ printf "\n" > pipe 43 | SSL Session: 1820201001719DF42ECCA1D289C3D32E0AA0454B50E8AF00E8A65B0108F209A8 44 | [SSL_write] 100.97.20.44:45836 --> 93.184.216.34:443 45 | 00000000: 0A . 46 | 47 | SSL Session: 1820201001719DF42ECCA1D289C3D32E0AA0454B50E8AF00E8A65B0108F209A8 48 | [SSL_read] 93.184.216.34:443 --> 100.97.20.44:45836 49 | 00000000: 48 54 54 50 2F 31 2E 30 20 32 30 30 20 4F 4B 0D HTTP/1.0 200 OK. 50 | 00000010: 0A 41 63 63 65 70 74 2D 52 61 6E 67 65 73 3A 20 .Accept-Ranges: 51 | 00000020: 62 79 74 65 73 0D 0A 43 61 63 68 65 2D 43 6F 6E bytes..Cache-Con 52 | 00000030: 74 72 6F 6C 3A 20 6D 61 78 2D 61 67 65 3D 36 30 trol: max-age=60 53 | 00000040: 34 38 30 30 0D 0A 43 6F 6E 74 65 6E 74 2D 54 79 4800..Content-Ty 54 | 00000050: 70 65 3A 20 74 65 78 74 2F 68 74 6D 6C 0D 0A 44 pe: text/html..D 55 | 00000060: 61 74 65 3A 20 54 68 75 2C 20 32 32 20 4A 75 6E ate: Thu, 22 Jun 56 | 00000070: 20 32 30 31 37 20 31 35 3A 31 36 3A 35 32 20 47 2017 15:16:52 G 57 | 00000080: 4D 54 0D 0A 45 74 61 67 3A 20 22 33 35 39 36 37 MT..Etag: "35967 58 | 00000090: 30 36 35 31 22 0D 0A 45 78 70 69 72 65 73 3A 20 0651"..Expires: 59 | 000000A0: 54 68 75 2C 20 32 39 20 4A 75 6E 20 32 30 31 37 Thu, 29 Jun 2017 60 | 000000B0: 20 31 35 3A 31 36 3A 35 32 20 47 4D 54 0D 0A 4C 15:16:52 GMT..L 61 | 000000C0: 61 73 74 2D 4D 6F 64 69 66 69 65 64 3A 20 46 72 ast-Modified: Fr 62 | 000000D0: 69 2C 20 30 39 20 41 75 67 20 32 30 31 33 20 32 i, 09 Aug 2013 2 63 | 000000E0: 33 3A 35 34 3A 33 35 20 47 4D 54 0D 0A 53 65 72 3:54:35 GMT..Ser 64 | 000000F0: 76 65 72 3A 20 45 43 53 20 28 72 68 76 2F 38 31 ver: ECS (rhv/81 65 | 00000100: 38 46 29 0D 0A 56 61 72 79 3A 20 41 63 63 65 70 8F)..Vary: Accep 66 | 00000110: 74 2D 45 6E 63 6F 64 69 6E 67 0D 0A 58 2D 43 61 t-Encoding..X-Ca 67 | 00000120: 63 68 65 3A 20 48 49 54 0D 0A 43 6F 6E 74 65 6E che: HIT..Conten 68 | 00000130: 74 2D 4C 65 6E 67 74 68 3A 20 31 32 37 30 0D 0A t-Length: 1270.. 69 | 00000140: 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 63 6C 6F 73 Connection: clos 70 | 00000150: 65 0D 0A 0D 0A e.... 71 | 72 | SSL Session: 1820201001719DF42ECCA1D289C3D32E0AA0454B50E8AF00E8A65B0108F209A8 73 | [SSL_read] 93.184.216.34:443 --> 100.97.20.44:45836 74 | 00000000: 3C 21 64 6F 63 74 79 70 65 20 68 74 6D 6C 3E 0A . 75 | 00000010: 3C 68 74 6D 6C 3E 0A 3C 68 65 61 64 3E 0A 20 20 .. 76 | 00000020: 20 20 3C 74 69 74 6C 65 3E 45 78 61 6D 70 6C 65 Example 77 | 00000030: 20 44 6F 6D 61 69 6E 3C 2F 74 69 74 6C 65 3E 0A Domain. 78 | 00000040: 0A 20 20 20 20 3C 6D 65 74 61 20 63 68 61 72 73 . . 80 | 00000060: 20 20 3C 6D 65 74 61 20 68 74 74 70 2D 65 71 75 . . ...< 133 | 000003B0: 62 6F 64 79 3E 0A 3C 64 69 76 3E 0A 20 20 20 20 body>.
. 134 | 000003C0: 3C 68 31 3E 45 78 61 6D 70 6C 65 20 44 6F 6D 61

Example Doma 135 | 000003D0: 69 6E 3C 2F 68 31 3E 0A 20 20 20 20 3C 70 3E 54 in

.

T 136 | 000003E0: 68 69 73 20 64 6F 6D 61 69 6E 20 69 73 20 65 73 his domain is es 137 | 000003F0: 74 61 62 6C 69 73 68 65 64 20 74 6F 20 62 65 20 tablished to be 138 | 139 | SSL Session: 1820201001719DF42ECCA1D289C3D32E0AA0454B50E8AF00E8A65B0108F209A8 140 | [SSL_read] 93.184.216.34:443 --> 100.97.20.44:45836 141 | 00000000: 75 73 65 64 20 66 6F 72 20 69 6C 6C 75 73 74 72 used for illustr 142 | 00000010: 61 74 69 76 65 20 65 78 61 6D 70 6C 65 73 20 69 ative examples i 143 | 00000020: 6E 20 64 6F 63 75 6D 65 6E 74 73 2E 20 59 6F 75 n documents. You 144 | 00000030: 20 6D 61 79 20 75 73 65 20 74 68 69 73 0A 20 20 may use this. 145 | 00000040: 20 20 64 6F 6D 61 69 6E 20 69 6E 20 65 78 61 6D domain in exam 146 | 00000050: 70 6C 65 73 20 77 69 74 68 6F 75 74 20 70 72 69 ples without pri 147 | 00000060: 6F 72 20 63 6F 6F 72 64 69 6E 61 74 69 6F 6E 20 or coordination 148 | 00000070: 6F 72 20 61 73 6B 69 6E 67 20 66 6F 72 20 70 65 or asking for pe 149 | 00000080: 72 6D 69 73 73 69 6F 6E 2E 3C 2F 70 3E 0A 20 20 rmission.

. 150 | 00000090: 20 20 3C 70 3E 3C 61 20 68 72 65 66 3D 22 68 74

More informat 154 | 000000D0: 69 6F 6E 2E 2E 2E 3C 2F 61 3E 3C 2F 70 3E 0A 3C ion...

.< 155 | 000000E0: 2F 64 69 76 3E 0A 3C 2F 62 6F 64 79 3E 0A 3C 2F /div>... 157 | ``` 158 | 159 | ## Dependencies 160 | This program uses the [frida](https://www.frida.re/) framework to perform code injection. 161 | 162 | Frida can be installed as follows: `sudo pip install frida` 163 | 164 | ## TODO 165 | 166 | - Add support for processes that communicate via SSL without using [libssl](https://wiki.openssl.org/index.php/Libssl_API). 167 | - Allow user to run *ssl_logger* before starting the process to be logged. 168 | 169 | 170 | ## Disclaimer 171 | 172 | This is not an official Google product. -------------------------------------------------------------------------------- /ssl_logger.py: -------------------------------------------------------------------------------- 1 | # Copyright 2017 Google Inc. All Rights Reserved. 2 | 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | """Decrypts and logs a process's SSL traffic. 16 | 17 | Hooks the functions SSL_read() and SSL_write() in a given process and logs the 18 | decrypted data to the console and/or to a pcap file. 19 | 20 | Typical usage example: 21 | 22 | ssl_log("wget", "log.pcap", True) 23 | 24 | Dependencies: 25 | frida (https://www.frida.re/): 26 | sudo pip install frida 27 | hexdump (https://bitbucket.org/techtonik/hexdump/) if using verbose output: 28 | sudo pip install hexdump 29 | """ 30 | 31 | __author__ = "geffner@google.com (Jason Geffner)" 32 | __version__ = "1.0" 33 | 34 | 35 | import argparse 36 | import os 37 | import platform 38 | import pprint 39 | import random 40 | import signal 41 | import socket 42 | import struct 43 | import time 44 | 45 | import frida 46 | 47 | try: 48 | import hexdump # pylint: disable=g-import-not-at-top 49 | except ImportError: 50 | pass 51 | 52 | 53 | _FRIDA_SCRIPT = """ 54 | /** 55 | * Initializes 'addresses' dictionary and NativeFunctions. 56 | */ 57 | function initializeGlobals() 58 | { 59 | global.addresses = {}; 60 | 61 | var resolver = new ApiResolver("module"); 62 | 63 | var exps = [ 64 | ["*libssl*", 65 | ["SSL_read", "SSL_write", "SSL_get_fd", "SSL_get_session", 66 | "SSL_SESSION_get_id"]], 67 | [Process.platform == "darwin" ? "*libsystem*" : "*libc*", 68 | ["getpeername", "getsockname"]] 69 | ]; 70 | for (var i = 0; i < exps.length; i++) 71 | { 72 | var lib = exps[i][0]; 73 | var names = exps[i][1]; 74 | 75 | for (var j = 0; j < names.length; j++) 76 | { 77 | var name = names[j]; 78 | var matches = resolver.enumerateMatchesSync("exports:" + lib + "!" + 79 | name); 80 | if (matches.length == 0) 81 | { 82 | throw "Could not find " + lib + "!" + name; 83 | } 84 | else if (matches.length != 1) 85 | { 86 | // Sometimes Frida returns duplicates. 87 | var address = 0; 88 | var s = ""; 89 | var duplicates_only = true; 90 | for (var k = 0; k < matches.length; k++) 91 | { 92 | if (s.length != 0) 93 | { 94 | s += ", "; 95 | } 96 | s += matches[k].name + "@" + matches[k].address; 97 | if (address == 0) 98 | { 99 | address = matches[k].address; 100 | } 101 | else if (!address.equals(matches[k].address)) 102 | { 103 | duplicates_only = false; 104 | } 105 | } 106 | if (!duplicates_only) 107 | { 108 | throw "More than one match found for " + lib + "!" + name + ": " + 109 | s; 110 | } 111 | } 112 | addresses[name] = matches[0].address; 113 | } 114 | } 115 | 116 | global.SSL_get_fd = new NativeFunction(addresses["SSL_get_fd"], "int", 117 | ["pointer"]); 118 | global.SSL_get_session = new NativeFunction(addresses["SSL_get_session"], 119 | "pointer", ["pointer"]); 120 | global.SSL_SESSION_get_id = new NativeFunction(addresses["SSL_SESSION_get_id"], 121 | "pointer", ["pointer", "pointer"]); 122 | global.getpeername = new NativeFunction(addresses["getpeername"], "int", ["int", 123 | "pointer", "pointer"]); 124 | global.getsockname = new NativeFunction(addresses["getsockname"], "int", ["int", 125 | "pointer", "pointer"]); 126 | } 127 | initializeGlobals(); 128 | 129 | /** 130 | * Returns a dictionary of a sockfd's "src_addr", "src_port", "dst_addr", and 131 | * "dst_port". 132 | * @param {int} sockfd The file descriptor of the socket to inspect. 133 | * @param {boolean} isRead If true, the context is an SSL_read call. If 134 | * false, the context is an SSL_write call. 135 | * @return {dict} Dictionary of sockfd's "src_addr", "src_port", "dst_addr", 136 | * and "dst_port". 137 | */ 138 | function getPortsAndAddresses(sockfd, isRead) 139 | { 140 | var message = {}; 141 | 142 | var addrlen = Memory.alloc(4); 143 | var addr = Memory.alloc(16); 144 | 145 | var src_dst = ["src", "dst"]; 146 | for (var i = 0; i < src_dst.length; i++) 147 | { 148 | Memory.writeU32(addrlen, 16); 149 | if ((src_dst[i] == "src") ^ isRead) 150 | { 151 | getsockname(sockfd, addr, addrlen); 152 | } 153 | else 154 | { 155 | getpeername(sockfd, addr, addrlen); 156 | } 157 | message[src_dst[i] + "_port"] = Memory.readU16(addr.add(2)); 158 | message[src_dst[i] + "_addr"] = Memory.readU32(addr.add(4)); 159 | } 160 | 161 | return message; 162 | } 163 | 164 | /** 165 | * Get the session_id of SSL object and return it as a hex string. 166 | * @param {!NativePointer} ssl A pointer to an SSL object. 167 | * @return {dict} A string representing the session_id of the SSL object's 168 | * SSL_SESSION. For example, 169 | * "59FD71B7B90202F359D89E66AE4E61247954E28431F6C6AC46625D472FF76336". 170 | */ 171 | function getSslSessionId(ssl) 172 | { 173 | var session = SSL_get_session(ssl); 174 | if (session == 0) 175 | { 176 | return 0; 177 | } 178 | var len = Memory.alloc(4); 179 | var p = SSL_SESSION_get_id(session, len); 180 | len = Memory.readU32(len); 181 | 182 | var session_id = ""; 183 | for (var i = 0; i < len; i++) 184 | { 185 | // Read a byte, convert it to a hex string (0xAB ==> "AB"), and append 186 | // it to session_id. 187 | session_id += 188 | ("0" + Memory.readU8(p.add(i)).toString(16).toUpperCase()).substr(-2); 189 | } 190 | 191 | return session_id; 192 | } 193 | 194 | Interceptor.attach(addresses["SSL_read"], 195 | { 196 | onEnter: function (args) 197 | { 198 | var message = getPortsAndAddresses(SSL_get_fd(args[0]), true); 199 | message["ssl_session_id"] = getSslSessionId(args[0]); 200 | message["function"] = "SSL_read"; 201 | this.message = message; 202 | this.buf = args[1]; 203 | }, 204 | onLeave: function (retval) 205 | { 206 | retval |= 0; // Cast retval to 32-bit integer. 207 | if (retval <= 0) 208 | { 209 | return; 210 | } 211 | send(this.message, Memory.readByteArray(this.buf, retval)); 212 | } 213 | }); 214 | 215 | Interceptor.attach(addresses["SSL_write"], 216 | { 217 | onEnter: function (args) 218 | { 219 | var message = getPortsAndAddresses(SSL_get_fd(args[0]), false); 220 | message["ssl_session_id"] = getSslSessionId(args[0]); 221 | message["function"] = "SSL_write"; 222 | send(message, Memory.readByteArray(args[1], parseInt(args[2]))); 223 | }, 224 | 225 | onLeave: function (retval) 226 | { 227 | } 228 | }); 229 | """ 230 | 231 | 232 | # ssl_session[] = (, 233 | # ) 234 | ssl_sessions = {} 235 | 236 | 237 | def ssl_log(process, pcap=None, verbose=False, remote=False): 238 | """Decrypts and logs a process's SSL traffic. 239 | 240 | Hooks the functions SSL_read() and SSL_write() in a given process and logs 241 | the decrypted data to the console and/or to a pcap file. 242 | 243 | Args: 244 | process: The target process's name (as a string) or process ID (as an int). 245 | pcap: The file path to which the pcap file should be written. 246 | verbose: If True, log the decrypted traffic to the console. 247 | 248 | Raises: 249 | NotImplementedError: Not running on a Linux or macOS system. 250 | """ 251 | 252 | if platform.system() not in ("Darwin", "Linux"): 253 | raise NotImplementedError("This function is only implemented for Linux and " 254 | "macOS systems.") 255 | 256 | def log_pcap(pcap_file, ssl_session_id, function, src_addr, src_port, 257 | dst_addr, dst_port, data): 258 | """Writes the captured data to a pcap file. 259 | 260 | Args: 261 | pcap_file: The opened pcap file. 262 | ssl_session_id: The SSL session ID for the communication. 263 | function: The function that was intercepted ("SSL_read" or "SSL_write"). 264 | src_addr: The source address of the logged packet. 265 | src_port: The source port of the logged packet. 266 | dst_addr: The destination address of the logged packet. 267 | dst_port: The destination port of the logged packet. 268 | data: The decrypted packet data. 269 | """ 270 | t = time.time() 271 | 272 | if ssl_session_id not in ssl_sessions: 273 | ssl_sessions[ssl_session_id] = (random.randint(0, 0xFFFFFFFF), 274 | random.randint(0, 0xFFFFFFFF)) 275 | client_sent, server_sent = ssl_sessions[ssl_session_id] 276 | 277 | if function == "SSL_read": 278 | seq, ack = (server_sent, client_sent) 279 | else: 280 | seq, ack = (client_sent, server_sent) 281 | 282 | for writes in ( 283 | # PCAP record (packet) header 284 | ("=I", int(t)), # Timestamp seconds 285 | ("=I", (t * 1000000) % 1000000), # Timestamp microseconds 286 | ("=I", 40 + len(data)), # Number of octets saved 287 | ("=i", 40 + len(data)), # Actual length of packet 288 | # IPv4 header 289 | (">B", 0x45), # Version and Header Length 290 | (">B", 0), # Type of Service 291 | (">H", 40 + len(data)), # Total Length 292 | (">H", 0), # Identification 293 | (">H", 0x4000), # Flags and Fragment Offset 294 | (">B", 0xFF), # Time to Live 295 | (">B", 6), # Protocol 296 | (">H", 0), # Header Checksum 297 | (">I", src_addr), # Source Address 298 | (">I", dst_addr), # Destination Address 299 | # TCP header 300 | (">H", src_port), # Source Port 301 | (">H", dst_port), # Destination Port 302 | (">I", seq), # Sequence Number 303 | (">I", ack), # Acknowledgment Number 304 | (">H", 0x5018), # Header Length and Flags 305 | (">H", 0xFFFF), # Window Size 306 | (">H", 0), # Checksum 307 | (">H", 0)): # Urgent Pointer 308 | pcap_file.write(struct.pack(writes[0], writes[1])) 309 | pcap_file.write(data) 310 | 311 | if function == "SSL_read": 312 | server_sent += len(data) 313 | else: 314 | client_sent += len(data) 315 | ssl_sessions[ssl_session_id] = (client_sent, server_sent) 316 | 317 | def on_message(message, data): 318 | """Callback for errors and messages sent from Frida-injected JavaScript. 319 | 320 | Logs captured packet data received from JavaScript to the console and/or a 321 | pcap file. See https://www.frida.re/docs/messages/ for more detail on 322 | Frida's messages. 323 | 324 | Args: 325 | message: A dictionary containing the message "type" and other fields 326 | dependent on message type. 327 | data: The string of captured decrypted data. 328 | """ 329 | if message["type"] == "error": 330 | pprint.pprint(message) 331 | os.kill(os.getpid(), signal.SIGTERM) 332 | return 333 | if len(data) == 0: 334 | return 335 | p = message["payload"] 336 | p["src_port"] = socket.ntohs(p["src_port"]) 337 | p["dst_port"] = socket.ntohs(p["dst_port"]) 338 | p["src_addr"] = socket.ntohl(p["src_addr"]) 339 | p["dst_addr"] = socket.ntohl(p["dst_addr"]) 340 | 341 | if verbose: 342 | src_addr = socket.inet_ntop(socket.AF_INET, 343 | struct.pack(">I", p["src_addr"])) 344 | dst_addr = socket.inet_ntop(socket.AF_INET, 345 | struct.pack(">I", p["dst_addr"])) 346 | print("SSL Session: " + p["ssl_session_id"]) 347 | print("[%s] %s:%d --> %s:%d" % ( 348 | p["function"], 349 | src_addr, 350 | p["src_port"], 351 | dst_addr, 352 | p["dst_port"])) 353 | hexdump.hexdump(data) 354 | print() 355 | if pcap: 356 | log_pcap(pcap_file, p["ssl_session_id"], p["function"], p["src_addr"], 357 | p["src_port"], p["dst_addr"], p["dst_port"], data) 358 | 359 | if remote: 360 | os.system("adb forward tcp:27042 tcp:27042") 361 | session=frida.get_remote_device().attach(process) 362 | else: 363 | session = frida.attach(process) 364 | 365 | if pcap: 366 | pcap_file = open(pcap, "wb", 0) 367 | for writes in ( 368 | ("=I", 0xa1b2c3d4), # Magic number 369 | ("=H", 2), # Major version number 370 | ("=H", 4), # Minor version number 371 | ("=i", time.timezone), # GMT to local correction 372 | ("=I", 0), # Accuracy of timestamps 373 | ("=I", 65535), # Max length of captured packets 374 | ("=I", 228)): # Data link type (LINKTYPE_IPV4) 375 | pcap_file.write(struct.pack(writes[0], writes[1])) 376 | 377 | script = session.create_script(_FRIDA_SCRIPT) 378 | script.on("message", on_message) 379 | script.load() 380 | 381 | print("Press Ctrl+C to stop logging.") 382 | try: 383 | signal.pause() 384 | except KeyboardInterrupt: 385 | pass 386 | 387 | session.detach() 388 | if pcap: 389 | pcap_file.close() 390 | 391 | 392 | if __name__ == "__main__": 393 | 394 | class ArgParser(argparse.ArgumentParser): 395 | 396 | def error(self, message): 397 | print("ssl_logger v" + __version__) 398 | print("by " + __author__) 399 | print() 400 | print("Error: " + message) 401 | print() 402 | print(self.format_help().replace("usage:", "Usage:")) 403 | self.exit(0) 404 | 405 | parser = ArgParser( 406 | add_help=False, 407 | description="Decrypts and logs a process's SSL traffic.", 408 | formatter_class=argparse.RawDescriptionHelpFormatter, 409 | epilog=r""" 410 | Examples: 411 | %(prog)s -pcap ssl.pcap openssl 412 | %(prog)s -verbose 31337 413 | %(prog)s -pcap log.pcap -verbose wget 414 | %(prog)s -pcap log.pcap -verbose -remote com.google.chrome 415 | """) 416 | 417 | args = parser.add_argument_group("Arguments") 418 | args.add_argument("-pcap", metavar="", required=False, 419 | help="Name of PCAP file to write") 420 | args.add_argument("-verbose", required=False, action="store_const", 421 | const=True, help="Show verbose output") 422 | args.add_argument("-remote", required=False, action="store_const", 423 | const=True, help="Attach a remote process") 424 | args.add_argument("process", metavar="", 425 | help="Process whose SSL calls to log") 426 | parsed = parser.parse_args() 427 | 428 | ssl_log(int(parsed.process) if parsed.process.isdigit() else parsed.process, 429 | parsed.pcap, parsed.verbose, parsed.remote) 430 | --------------------------------------------------------------------------------