├── sslhook ├── sslhook.def ├── nodebug.cpp ├── pcap.h ├── install.cpp ├── Trace.h ├── Trace.c ├── modnotify.cpp ├── sslhook.vcxproj.filters ├── modnotify.h ├── sslhook.vcxproj ├── pcap.cpp ├── openssl.cpp ├── sslhook.cpp └── detours.h ├── .gitignore ├── sslhook_sample.ini ├── LICENCE.TXT ├── sslhook.sln └── README.md /sslhook/sslhook.def: -------------------------------------------------------------------------------- 1 | EXPORTS 2 | hook 3 | hookopenssl 4 | DllRegisterServer 5 | DllUnregisterServer -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # ignore all files of types: 2 | *.aps 3 | *.bsc 4 | *.cache 5 | *.exe 6 | *.idb 7 | *.map 8 | *.lib 9 | *.ncb 10 | *.obj 11 | *.old 12 | *.opensdf 13 | *.pdb 14 | *.res 15 | *.sbr 16 | *.sdf 17 | *.suo 18 | *.user 19 | *.zip 20 | 21 | # ignore the following files: 22 | BuildLog.htm 23 | 24 | # ignore the following directories - they can occur 25 | # anywhere under the repo 26 | Debug/ 27 | Release/ 28 | ipch/ 29 | 30 | 31 | -------------------------------------------------------------------------------- /sslhook/nodebug.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include "detours.h" 3 | 4 | static BOOL (WINAPI * TargetIsDebuggerPresent)() = IsDebuggerPresent; 5 | static BOOL WINAPI DetourIsDebuggerPresent() 6 | { 7 | return FALSE; 8 | } 9 | 10 | // 11 | 12 | void allow_debugging() 13 | { 14 | DetourTransactionBegin(); 15 | DetourUpdateThread(GetCurrentThread()); 16 | DetourAttach((PVOID*)&TargetIsDebuggerPresent, DetourIsDebuggerPresent); 17 | DetourTransactionCommit(); 18 | } 19 | 20 | void restore_debugging() 21 | { 22 | DetourTransactionBegin(); 23 | DetourUpdateThread(GetCurrentThread()); 24 | DetourDetach((PVOID*)&TargetIsDebuggerPresent, DetourIsDebuggerPresent); 25 | DetourTransactionCommit(); 26 | } -------------------------------------------------------------------------------- /sslhook/pcap.h: -------------------------------------------------------------------------------- 1 | // 2 | // pcap.h 3 | // 4 | // Simple routines for writing socket data into PCAP format 5 | // 6 | // www.catch22.net 7 | // 8 | // Copyright (C) 2013 James Brown 9 | // Please refer to the file LICENCE.TXT for copying permission 10 | // 11 | 12 | #ifndef APP_PCAP_INCLUDED 13 | #define APP_PCAP_INCLUDED 14 | 15 | typedef struct 16 | { 17 | FILE * fp; 18 | size_t seq; 19 | size_t ack; 20 | } PCAP; 21 | 22 | PCAP * pcap_init(FILE *fp); 23 | void pcap_free(PCAP *pcap); 24 | 25 | void pcap_data_send(PCAP *p, void *buf, size_t len, SOCKADDR_IN *local, SOCKADDR_IN *peer); 26 | void pcap_data_recv(PCAP *p, void *buf, size_t len, SOCKADDR_IN *local, SOCKADDR_IN *peer); 27 | 28 | #endif -------------------------------------------------------------------------------- /sslhook_sample.ini: -------------------------------------------------------------------------------- 1 | ; 2 | ; On 32bit windows: 3 | ; 4 | ; HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows 5 | ; AppInit_DLLs: 6 | ; LoadAppInit_DLLs: 0x1 7 | ; 8 | ; On 64bit windows: 9 | ; 10 | ; HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows 11 | ; AppInit_DLLs: 12 | ; LoadAppInit_DLLs: 0x1 13 | ; 14 | ; [target.exe] 15 | ; targetDLL=BASENAME.DLL 16 | ; SSL_Read=10001234 ; the RVA of SSL_Read 17 | ; SSL_Read=10004567 ; the RVA of SSL_Write 18 | ; 19 | [sonos.exe] 20 | targetDLL=sclib_csharp.DLL 21 | SSL_Read=102D1570 22 | SSL_Write=102D15C0 23 | BIO_Ctrl=102A3EA0 24 | 25 | 26 | -------------------------------------------------------------------------------- /sslhook/install.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | #define APPINIT_PATH L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows" 4 | #define APPINIT_NAME L"AppInit_DLLs" 5 | #define LOADINIT_NAME L"LoadAppInit_DLLs" 6 | 7 | extern HMODULE g_hModule; 8 | 9 | static void remove_string(WCHAR *s1, WCHAR *s2) 10 | { 11 | } 12 | /* 13 | 14 | HRESULT WINAPI DllRegisterServer() 15 | { 16 | HRESULT hr = E_FAIL; 17 | 18 | hr = RegOpenKeyEx(HKEY_LOCAL_MACHINE, APPINIT_PATH, 0, KEY_SET_VALUE, &hKey); 19 | 20 | if(S_OK == hr) 21 | { 22 | GetModuleFileName(g_hModule, szPath, MAX_PATH); 23 | 24 | 25 | RegSetValueEx(hKey, APPINIT_NAME, 0, REG_SZ, 0, 0); 26 | 27 | DWORD enable = 1; 28 | RegSetValueEx(hKey, LOADINIT_NAME, 0, REG_DWORD, (BYTE*)&enable, sizeof(DWORD)); 29 | 30 | RegCloseKey(hKey); 31 | } 32 | 33 | return hr; 34 | } 35 | 36 | HRESULT WINAPI DllUnregisterServer() 37 | { 38 | } 39 | */ -------------------------------------------------------------------------------- /LICENCE.TXT: -------------------------------------------------------------------------------- 1 | Copyright (C) 2013 James Brown 2 | 3 | Permission is hereby granted, free of charge, to any person obtaining a copy 4 | of this software and associated documentation files (the "Software"), to deal 5 | in the Software without restriction, including without limitation the rights 6 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 7 | copies of the Software, and to permit persons to whom the Software is 8 | furnished to do so, subject to the following conditions: 9 | 10 | The above copyright notice and this permission notice shall be included in 11 | all copies or substantial portions of the Software. 12 | 13 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 14 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 15 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 16 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 17 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 18 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 19 | THE SOFTWARE. 20 | -------------------------------------------------------------------------------- /sslhook/Trace.h: -------------------------------------------------------------------------------- 1 | // 2 | // Trace.h 3 | // 4 | // www.catch22.net 5 | // 6 | // Copyright (C) 2012 James Brown 7 | // Please refer to the file LICENCE.TXT for copying permission 8 | // 9 | 10 | // 11 | // Use: TRACE for TCHAR-strings 12 | // TRACEA for char-strings 13 | // TRACEW for WCHAR-strings 14 | // 15 | 16 | #ifndef TRACE_INCLUDED 17 | #define TRACE_INCLUDED 18 | 19 | #ifdef __cplusplus 20 | extern "C" { 21 | #endif 22 | 23 | void TraceA(LPCSTR szFmt, ...); 24 | void TraceW(LPCWSTR szFmt, ...); 25 | void TraceErr(DWORD err); 26 | 27 | #ifdef _DEBUG 28 | 29 | #define TRACEERR(err) TraceErr(err) 30 | 31 | #ifdef UNICODE 32 | #define TRACE TraceW 33 | #else 34 | #define TRACE TraceA 35 | #endif 36 | 37 | #define TRACEA TraceA 38 | #define TRACEW TraceW 39 | 40 | #else //ifndef DEBUG 41 | 42 | #define TRACEERR(err) 43 | 44 | #ifdef UNICODE 45 | #define TRACE //1 ? ((void)0) : TraceW 46 | #else 47 | #define TRACE //1 ? ((void)0) : TraceA 48 | #endif 49 | 50 | #define TRACEA //1 ? ((void)0) : TraceA 51 | #define TRACEW //1 ? ((void)0) : TraceW 52 | 53 | #endif //DEBUG 54 | 55 | #ifdef UNICODE 56 | #define ODB TraceW 57 | #else 58 | #define ODB TraceA 59 | #endif 60 | 61 | #define ODBW TraceW 62 | #define ODBA TraceA 63 | 64 | #ifdef __cplusplus 65 | } 66 | #endif 67 | 68 | #endif -------------------------------------------------------------------------------- /sslhook.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 11.00 3 | # Visual Studio 2010 4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "sslhook", "sslhook\sslhook.vcxproj", "{13D5662D-FFC1-4CB9-9B28-A2879F7C3CCF}" 5 | EndProject 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "detours", "..\detours\detours.vcxproj", "{237F0F4A-5F70-4223-A23A-7BBD49FC5C24}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|Win32 = Debug|Win32 11 | Release|Win32 = Release|Win32 12 | EndGlobalSection 13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 14 | {13D5662D-FFC1-4CB9-9B28-A2879F7C3CCF}.Debug|Win32.ActiveCfg = Debug|Win32 15 | {13D5662D-FFC1-4CB9-9B28-A2879F7C3CCF}.Debug|Win32.Build.0 = Debug|Win32 16 | {13D5662D-FFC1-4CB9-9B28-A2879F7C3CCF}.Release|Win32.ActiveCfg = Release|Win32 17 | {13D5662D-FFC1-4CB9-9B28-A2879F7C3CCF}.Release|Win32.Build.0 = Release|Win32 18 | {237F0F4A-5F70-4223-A23A-7BBD49FC5C24}.Debug|Win32.ActiveCfg = Debug|Win32 19 | {237F0F4A-5F70-4223-A23A-7BBD49FC5C24}.Debug|Win32.Build.0 = Debug|Win32 20 | {237F0F4A-5F70-4223-A23A-7BBD49FC5C24}.Release|Win32.ActiveCfg = Release|Win32 21 | {237F0F4A-5F70-4223-A23A-7BBD49FC5C24}.Release|Win32.Build.0 = Release|Win32 22 | EndGlobalSection 23 | GlobalSection(SolutionProperties) = preSolution 24 | HideSolutionNode = FALSE 25 | EndGlobalSection 26 | EndGlobal 27 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | sslhook 2 | ------- 3 | 4 | SSLHOOK is a Win32 DLL that allows hooking of the OpenSSL functions SSL_read and SSL_write. 5 | 6 | Version 1 is designed to work against statically-compiled versions of OpenSSL (rather than the DLL version). As such sslhook requires some preconfiguration, which requires knowledge of the relative addresses of the SSL_read and SSL_write functions in the target binary. 7 | 8 | Installation 9 | ------------ 10 | 11 | Running SSLHOOK on Win32 requires the following registry settings: 12 | 13 | > HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows 14 | > AppInit_DLLs: 15 | > LoadAppInit_DLLs: 0x1 16 | 17 | On 64bit windows: 18 | 19 | > HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows 20 | > AppInit_DLLs: 21 | > LoadAppInit_DLLs: 0x1 22 | 23 | 24 | Configuration 25 | ------------- 26 | 27 | Configuration is by way of an INI file. SSLHOOK will read a file called sslhook.ini that must exist in the same directory as sslhook.dll. Each process to target must have its own section in the INI file, and the RVA (relative virtual address) of SSL_Read and SSL_Write provided. The DLL that the OpenSSL functions are linked into must also be specified withe the targetDLL parameter. 28 | 29 | For example: 30 | 31 | > [target.exe] 32 | > targetDLL=BASENAME.DLL 33 | > SSL_Read=10001234 ; the RVA of SSL_Read 34 | > SSL_Read=10004567 ; the RVA of SSL_Write 35 | 36 | Capturing output 37 | ---------------- 38 | 39 | Output can be captured through the SysInternals DebugView program. Output is also written in PCAP format which can be viewed with Wireshark. 40 | -------------------------------------------------------------------------------- /sslhook/Trace.c: -------------------------------------------------------------------------------- 1 | // 2 | // Trace.c 3 | // 4 | // www.catch22.net 5 | // 6 | // Copyright (C) 2012 James Brown 7 | // Please refer to the file LICENCE.TXT for copying permission 8 | // 9 | 10 | // 11 | // MODULE: Trace.c 12 | // 13 | // PURPOSE: Provides TRACE macros (ala MFC) which wrap the 14 | // OutputDebugString API call - removing these 15 | // calls in release build. 16 | // 17 | // USAGE: TRACE(...) for TCHAR-strings 18 | // TRACEA(...) for char-strings 19 | // TRACEW(...) for WCHAR-strings 20 | // 21 | // HISTORY: v1.0 16/04/2002 J Brown - Initial version 22 | // 23 | 24 | #define WIN32_LEAN_AND_MEAN 25 | #define _CRT_SECURE_NO_WARNINGS 26 | 27 | #include 28 | #include 29 | #include 30 | #include "Trace.h" 31 | 32 | //#ifdef _DEBUG 33 | 34 | #ifdef _CONSOLE 35 | #define OUTPUTA(s) printf("%s", s) 36 | #define OUTPUTW(s) wprintf(L"%s", s) 37 | #else 38 | #define OUTPUTA(s) OutputDebugStringA(s) 39 | #define OUTPUTW(s) OutputDebugStringW(s) 40 | #endif 41 | 42 | // 43 | // Wide-character (UNICODE) version 44 | // 45 | void TraceW(LPCWSTR szFmt, ...) 46 | { 47 | wchar_t szBuf[0x400]; 48 | 49 | va_list arg; 50 | 51 | if(szFmt == 0) return; 52 | 53 | va_start(arg, szFmt); 54 | 55 | _vsnwprintf(szBuf, 0x400, szFmt, arg); 56 | OUTPUTW(szBuf); 57 | 58 | va_end(arg); 59 | } 60 | 61 | // 62 | // Single-character (ANSI) version 63 | // 64 | void TraceA(LPCSTR szFmt, ...) 65 | { 66 | char szBuf[0x400]; 67 | 68 | va_list arg; 69 | 70 | if(szFmt == 0) return; 71 | 72 | va_start(arg, szFmt); 73 | 74 | _vsnprintf(szBuf, 0x400, szFmt, arg); 75 | OUTPUTA(szBuf); 76 | 77 | va_end(arg); 78 | } 79 | 80 | void TraceErr(DWORD err) 81 | { 82 | LPVOID lpMsgBuf; 83 | FormatMessageA( 84 | FORMAT_MESSAGE_ALLOCATE_BUFFER | 85 | FORMAT_MESSAGE_FROM_SYSTEM | 86 | FORMAT_MESSAGE_IGNORE_INSERTS, 87 | NULL, 88 | err, 89 | MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), // Default language 90 | (LPSTR) &lpMsgBuf, 91 | 0, 92 | NULL 93 | ); 94 | 95 | TraceA( "[%x] %s\n", err, (lpMsgBuf ? lpMsgBuf : "unknown")); 96 | LocalFree( lpMsgBuf ); 97 | } 98 | 99 | //#endif -------------------------------------------------------------------------------- /sslhook/modnotify.cpp: -------------------------------------------------------------------------------- 1 | // 2 | // modnotify.cpp 3 | // 4 | // DLL load notification 5 | // 6 | // www.catch22.net 7 | // 8 | // Copyright (C) 2013 James Brown 9 | // Please refer to the file LICENCE.TXT for copying permission 10 | // 11 | 12 | #include 13 | #include "modnotify.h" 14 | 15 | static PVOID cookie; 16 | 17 | static PLDR_REGISTER_DLL_NOTIFICATION LdrRegisterDllNotification = 0; 18 | static PLDR_UNREGISTER_DLL_NOTIFICATION LdrUnRegisterDllNotification = 0; 19 | 20 | // we will call this function whenever a DLL is loaded 21 | void module_loaded(PVOID base, WCHAR *name, WCHAR *path); 22 | 23 | static VOID CALLBACK LdrDllNotification( 24 | _In_ ULONG NotificationReason, 25 | _In_ PCLDR_DLL_NOTIFICATION_DATA NotificationData, 26 | _In_opt_ PVOID Context 27 | ) 28 | { 29 | if(NotificationReason == LDR_DLL_NOTIFICATION_REASON_LOADED) 30 | { 31 | WCHAR szPath[MAX_PATH]; 32 | lstrcpyn(szPath, NotificationData->Loaded.FullDllName->Buffer, NotificationData->Loaded.FullDllName->Length); 33 | 34 | WCHAR szName[MAX_PATH]; 35 | lstrcpyn(szName, NotificationData->Loaded.BaseDllName->Buffer, NotificationData->Loaded.BaseDllName->Length); 36 | 37 | module_loaded(NotificationData->Loaded.DllBase, szName, szPath); 38 | } 39 | } 40 | 41 | static PVOID GetNativeProc(char *name) 42 | { 43 | return GetProcAddress(GetModuleHandle(L"ntdll.dll"), name); 44 | } 45 | 46 | BOOL init_dll_notify() 47 | { 48 | NTSTATUS status = 1; 49 | 50 | LdrRegisterDllNotification = (PLDR_REGISTER_DLL_NOTIFICATION)GetNativeProc("LdrRegisterDllNotification"); 51 | LdrUnRegisterDllNotification = (PLDR_UNREGISTER_DLL_NOTIFICATION)GetNativeProc("LdrUnRegisterDllNotification"); 52 | 53 | if(LdrRegisterDllNotification) 54 | { 55 | status = LdrRegisterDllNotification( 56 | 0, // must be zero 57 | LdrDllNotification, 58 | 0, // context, 59 | &cookie 60 | ); 61 | } 62 | 63 | return status == 0; 64 | } 65 | 66 | BOOL deinit_dll_notify() 67 | { 68 | NTSTATUS status = 1; 69 | 70 | if(LdrUnRegisterDllNotification) 71 | { 72 | status = LdrUnRegisterDllNotification(cookie); 73 | cookie = 0; 74 | } 75 | 76 | return status == 0; 77 | } 78 | -------------------------------------------------------------------------------- /sslhook/sslhook.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | Source Files 23 | 24 | 25 | Source Files 26 | 27 | 28 | Source Files 29 | 30 | 31 | Source Files 32 | 33 | 34 | Source Files 35 | 36 | 37 | Source Files 38 | 39 | 40 | 41 | 42 | Source Files 43 | 44 | 45 | 46 | 47 | Header Files 48 | 49 | 50 | Header Files 51 | 52 | 53 | Header Files 54 | 55 | 56 | Header Files 57 | 58 | 59 | -------------------------------------------------------------------------------- /sslhook/modnotify.h: -------------------------------------------------------------------------------- 1 | // 2 | // modnotify.h 3 | // 4 | // DLL load notification 5 | // 6 | // www.catch22.net 7 | // 8 | // Copyright (C) 2013 James Brown 9 | // Please refer to the file LICENCE.TXT for copying permission 10 | // 11 | 12 | 13 | #ifndef LDR_NOTIFY_INCLUDED 14 | #define LDR_NOTIFY_INCLUDED 15 | 16 | #include 17 | #include 18 | 19 | typedef const UNICODE_STRING * PCUNICODE_STRING; 20 | 21 | typedef struct _LDR_DLL_LOADED_NOTIFICATION_DATA { 22 | ULONG Flags; //Reserved. 23 | PCUNICODE_STRING FullDllName; //The full path name of the DLL module. 24 | PCUNICODE_STRING BaseDllName; //The base file name of the DLL module. 25 | PVOID DllBase; //A pointer to the base address for the DLL in memory. 26 | ULONG SizeOfImage; //The size of the DLL image, in bytes. 27 | } LDR_DLL_LOADED_NOTIFICATION_DATA, *PLDR_DLL_LOADED_NOTIFICATION_DATA; 28 | 29 | typedef struct _LDR_DLL_UNLOADED_NOTIFICATION_DATA { 30 | ULONG Flags; //Reserved. 31 | PCUNICODE_STRING FullDllName; //The full path name of the DLL module. 32 | PCUNICODE_STRING BaseDllName; //The base file name of the DLL module. 33 | PVOID DllBase; //A pointer to the base address for the DLL in memory. 34 | ULONG SizeOfImage; //The size of the DLL image, in bytes. 35 | } LDR_DLL_UNLOADED_NOTIFICATION_DATA, *PLDR_DLL_UNLOADED_NOTIFICATION_DATA; 36 | 37 | typedef union _LDR_DLL_NOTIFICATION_DATA { 38 | LDR_DLL_LOADED_NOTIFICATION_DATA Loaded; 39 | LDR_DLL_UNLOADED_NOTIFICATION_DATA Unloaded; 40 | } LDR_DLL_NOTIFICATION_DATA, *PLDR_DLL_NOTIFICATION_DATA; 41 | 42 | typedef const _LDR_DLL_NOTIFICATION_DATA * PCLDR_DLL_NOTIFICATION_DATA; 43 | 44 | typedef VOID (CALLBACK * PLDR_DLL_NOTIFICATION_FUNCTION)( 45 | _In_ ULONG NotificationReason, 46 | _In_ PCLDR_DLL_NOTIFICATION_DATA NotificationData, 47 | _In_opt_ PVOID Context 48 | ); 49 | 50 | typedef NTSTATUS (NTAPI * PLDR_REGISTER_DLL_NOTIFICATION)( 51 | _In_ ULONG Flags, 52 | _In_ PLDR_DLL_NOTIFICATION_FUNCTION NotificationFunction, 53 | _In_opt_ PVOID Context, 54 | _Out_ PVOID *Cookie 55 | ); 56 | 57 | 58 | typedef NTSTATUS (NTAPI * PLDR_UNREGISTER_DLL_NOTIFICATION)( 59 | _In_ PVOID Cookie 60 | ); 61 | 62 | #define LDR_DLL_NOTIFICATION_REASON_LOADED 1 63 | #define LDR_DLL_NOTIFICATION_REASON_UNLOADED 2 64 | 65 | #endif 66 | 67 | -------------------------------------------------------------------------------- /sslhook/sslhook.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | 14 | {13D5662D-FFC1-4CB9-9B28-A2879F7C3CCF} 15 | Win32Proj 16 | sslhook 17 | 18 | 19 | 20 | DynamicLibrary 21 | true 22 | Unicode 23 | 24 | 25 | DynamicLibrary 26 | false 27 | true 28 | Unicode 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | true 42 | 43 | 44 | false 45 | 46 | 47 | 48 | 49 | 50 | Level3 51 | Disabled 52 | WIN32;_DEBUG;_WINDOWS;_USRDLL;SSLHOOK_EXPORTS;%(PreprocessorDefinitions) 53 | 54 | 55 | Windows 56 | true 57 | 58 | 59 | 60 | 61 | Level3 62 | 63 | 64 | MaxSpeed 65 | true 66 | true 67 | WIN32;NDEBUG;_WINDOWS;_USRDLL;SSLHOOK_EXPORTS;%(PreprocessorDefinitions) 68 | 69 | 70 | Windows 71 | true 72 | true 73 | true 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | {237f0f4a-5f70-4223-a23a-7bbd49fc5c24} 97 | 98 | 99 | 100 | 101 | 102 | -------------------------------------------------------------------------------- /sslhook/pcap.cpp: -------------------------------------------------------------------------------- 1 | // 2 | // pcap.cpp 3 | // 4 | // Simple routines for writing socket data into PCAP format 5 | // 6 | // www.catch22.net 7 | // 8 | // Copyright (C) 2012 James Brown 9 | // Please refer to the file LICENCE.TXT for copying permission 10 | // 11 | 12 | #include 13 | #include 14 | #include 15 | 16 | #include "pcap.h" 17 | 18 | #pragma pack(push, 1) 19 | 20 | typedef unsigned int uint32; 21 | typedef unsigned short uint16; 22 | typedef unsigned char uint8; 23 | typedef int int32; 24 | 25 | #define PCAP_MAGIC 0xa1b2c3d4 26 | #define PCAP_VER_MAJOR 2 27 | #define PCAP_VER_MINOR 4 28 | 29 | #define LINKTYPE_NULL 0 30 | #define LINKTYPE_ETHERNET 1 31 | #define LINKTYPE_IPV4 228 32 | #define LINKTYPE_IPV6 229 33 | 34 | #define IP_PROTO_TCP 6 35 | 36 | #define PCAP_SENDING 1 37 | #define PCAP_RECEIVING 2 38 | 39 | // PCAP file header 40 | typedef struct pcap_hdr_s { 41 | uint32 magic_number; // magic number 42 | uint16 version_major; // major version number 43 | uint16 version_minor; // minor version number 44 | int32 thiszone; // GMT to local correction 45 | uint32 sigfigs; // accuracy of timestamps 46 | uint32 snaplen; // max length of captured packets, in octets 47 | uint32 network; // data link type 48 | } pcap_hdr_t; 49 | 50 | // PCAP packet header 51 | typedef struct pcaprec_hdr_s { 52 | uint32 ts_sec; // timestamp seconds 53 | uint32 ts_usec; // timestamp microseconds 54 | uint32 incl_len; // number of octets of packet saved in file 55 | uint32 orig_len; // actual length of packet 56 | } pcaprec_hdr_t; 57 | 58 | // IP header 59 | typedef struct ip_hdr_s { 60 | uint8 verlen; // 4bits version, 4bits header len 61 | uint8 service; // 0 62 | uint16 len; // 63 | uint16 id; 64 | uint8 flags; 65 | uint8 fragoff; 66 | uint8 ttl; 67 | uint8 protocol; 68 | uint16 checksum; 69 | uint32 source; 70 | uint32 dest; 71 | } ip_hdr; 72 | 73 | // TCP header 74 | typedef struct tcp_hdr_s 75 | { 76 | uint16 srcport; 77 | uint16 dstport; 78 | uint32 seq; 79 | uint32 ack; 80 | uint8 len; 81 | uint8 flags; 82 | uint16 winsize; 83 | uint16 checksum; 84 | uint16 padding; 85 | } tcp_hdr; 86 | 87 | #pragma pack(pop) 88 | 89 | // 90 | // Initialize the PCAP file using an existing FILE* 91 | // The returned PCAP object must be used in future 92 | // calls to write_pcap 93 | // 94 | PCAP * pcap_init(FILE *fp) 95 | { 96 | PCAP *p; 97 | 98 | if((p = (PCAP*)malloc(sizeof(PCAP))) == 0) 99 | return 0; 100 | 101 | p->fp = fp; 102 | p->ack = 1; 103 | p->seq = 1; 104 | 105 | // pcap file header 106 | pcap_hdr_t hdr = 107 | { 108 | PCAP_MAGIC, // magic 109 | PCAP_VER_MAJOR, // version major 110 | PCAP_VER_MINOR, // version minor 111 | 0, // GMT timezone offset 112 | 0, // timestamp accuracy 113 | 0xFFFF, // max length of packets 114 | LINKTYPE_IPV4 // data link type 115 | }; 116 | 117 | fwrite(&hdr, sizeof(hdr), 1, fp); 118 | return p; 119 | } 120 | 121 | static void pcap_write(PCAP *p, int flags, void *buf, size_t len, SOCKADDR_IN *source, SOCKADDR_IN *dest) 122 | { 123 | size_t total_len = sizeof(ip_hdr) + sizeof(tcp_hdr) + len; 124 | short id = 0; 125 | 126 | clock_t t = clock(); 127 | 128 | // write pcap header 129 | pcaprec_hdr_t hdr = 130 | { 131 | (int32)(t / CLOCKS_PER_SEC), 132 | (int32)(t % CLOCKS_PER_SEC) * CLOCKS_PER_SEC, 133 | total_len, 134 | total_len 135 | }; 136 | 137 | fwrite(&hdr, sizeof(hdr), 1, p->fp); 138 | 139 | uint32 destaddr, srcaddr; 140 | uint16 destport;//, srcport; 141 | //uint32 seqnum, acknum; 142 | 143 | if(flags & PCAP_SENDING) 144 | { 145 | destaddr = dest->sin_addr.S_un.S_addr; 146 | destport = 147 | srcaddr = source->sin_addr.S_un.S_addr; 148 | 149 | } 150 | 151 | // write IP header 152 | ip_hdr ip = 153 | { 154 | 0x45, // version 4, 20 bytes 155 | 0x00, 156 | htons(total_len), // total length 157 | htons(id), // identification 158 | 0x40, // flags 159 | 0x00, 160 | 0x80, // ttl 161 | IP_PROTO_TCP, // protocol = tcp 162 | 0x0000, // no checksum 163 | flags & PCAP_SENDING ? source->sin_addr.S_un.S_addr : dest->sin_addr.S_un.S_addr, 164 | flags & PCAP_SENDING ? dest->sin_addr.S_un.S_addr : source->sin_addr.S_un.S_addr, 165 | }; 166 | 167 | fwrite(&ip, sizeof(ip), 1, p->fp); 168 | 169 | uint32 seq = flags & PCAP_SENDING ? p->seq : p->ack; 170 | uint32 ack = flags & PCAP_SENDING ? p->ack : p->seq; 171 | 172 | // tcp header 173 | tcp_hdr tcp = 174 | { 175 | flags & PCAP_SENDING ? source->sin_port : htons(80), 176 | flags & PCAP_SENDING ? htons(80) : source->sin_port, 177 | htonl(seq), // seq 178 | htonl(ack), // ack 179 | 0x50, // length (20 bytes) 180 | 0x18, // PSH,ACK 181 | htons(16425), // window size 182 | 0x0000, // checksum 183 | 0x0000 // padding 184 | }; 185 | 186 | fwrite(&tcp, sizeof(tcp), 1, p->fp); 187 | 188 | // update the TCP sequence numbers AFTER writing the TCP header 189 | if(flags & PCAP_SENDING) p->seq += len; 190 | else p->ack += len; 191 | 192 | // finally write the IP payload 193 | fwrite(buf, 1, len, p->fp); 194 | } 195 | 196 | void pcap_data_send(PCAP *p, void *buf, size_t len, SOCKADDR_IN *local, SOCKADDR_IN *peer) 197 | { 198 | pcap_write(p, PCAP_SENDING, buf, len, local, peer); 199 | } 200 | 201 | void pcap_data_recv(PCAP *p, void *buf, size_t len, SOCKADDR_IN *local, SOCKADDR_IN *peer) 202 | { 203 | pcap_write(p, PCAP_RECEIVING, buf, len, local, peer); 204 | } 205 | 206 | void pcap_free(PCAP *p) 207 | { 208 | free(p); 209 | } 210 | -------------------------------------------------------------------------------- /sslhook/openssl.cpp: -------------------------------------------------------------------------------- 1 | // 2 | // openssl.cpp 3 | // 4 | // OpenSSL static hooking 5 | // 6 | // www.catch22.net 7 | // 8 | // Copyright (C) 2013 James Brown 9 | // Please refer to the file LICENCE.TXT for copying permission 10 | // 11 | 12 | #define _CRT_SECURE_NO_WARNINGS 13 | 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include "detours.h" 19 | #include "Trace.h" 20 | 21 | using std::map; 22 | #pragma comment(lib, "ws2_32") 23 | 24 | #define PCAP_FORMAT 25 | #ifdef PCAP_FORMAT 26 | #include "pcap.h" 27 | #endif 28 | 29 | WCHAR logDir[MAX_PATH]; 30 | extern HMODULE g_hModule; 31 | void dump_ptr(char *prefix, PVOID p); 32 | 33 | typedef struct 34 | { 35 | int type; 36 | } BIO_METHOD; 37 | 38 | typedef struct bio_st 39 | { 40 | BIO_METHOD *method; 41 | void *callback; 42 | char *cb_arg; 43 | int init; 44 | int shutdown; 45 | int flags; 46 | int retry_reason; 47 | int num; 48 | void *ptr; 49 | struct bio_st *next_bio; 50 | struct bio_st *prev_bio; 51 | int refs; 52 | unsigned long num_read; 53 | unsigned long num_write; 54 | } BIO; 55 | 56 | 57 | typedef struct 58 | { 59 | int version; 60 | int type; 61 | void * method; //SSL3 62 | 63 | BIO *rbio; 64 | BIO *wbio; 65 | BIO *bbio; 66 | 67 | int rwstate; 68 | int in_handshake; 69 | void *handshake_func; 70 | 71 | int server; // server/client 72 | int new_session; 73 | int quiet_shutdown; 74 | int shutdown; 75 | int state; 76 | int rstate; 77 | 78 | void *init_buf; 79 | void *init_msg; 80 | int init_num; 81 | int init_off; 82 | 83 | unsigned char *packet; 84 | unsigned int packet_length; 85 | 86 | } SSL; 87 | 88 | #define BIO_C_GET_FD 105 89 | #define BIO_TYPE_DESCRIPTOR 0x0100 90 | 91 | typedef int (__cdecl * SSL_PROTO)(SSL *s, void *buf, int len); 92 | 93 | typedef void* (__cdecl * BIO_NEWMEMBUF_PROTO)(void *buf, size_t len); 94 | 95 | SSL_PROTO Target_SSL_read = 0; 96 | SSL_PROTO Target_SSL_write = 0; 97 | BIO_NEWMEMBUF_PROTO Target_BIO_newmembuf = 0; 98 | 99 | int BIO_get_fd(SSL *s) 100 | { 101 | int sock = -1; 102 | if(s && s->rbio) sock = s->rbio->num; 103 | else if(s && s->wbio) sock = s->wbio->num; 104 | return sock; 105 | } 106 | 107 | SOCKADDR_IN sslHost(SSL *s) 108 | { 109 | int sock = BIO_get_fd(s); 110 | 111 | SOCKADDR_IN addr = { 0 }; 112 | int addr_len = sizeof(addr); 113 | 114 | getsockname(sock, (struct sockaddr*)&addr, &addr_len); 115 | return addr; 116 | } 117 | 118 | SOCKADDR_IN sslPeer(SSL *s) 119 | { 120 | int sock = BIO_get_fd(s); 121 | 122 | SOCKADDR_IN addr = { 0 }; 123 | int addr_len = sizeof(addr); 124 | 125 | getpeername(sock, (struct sockaddr*)&addr, &addr_len); 126 | return addr; 127 | } 128 | 129 | std::map logSession; 130 | 131 | PCAP * createLog(IN_ADDR peer_addr) 132 | { 133 | WCHAR name[MAX_PATH]; 134 | SYSTEMTIME st; 135 | GetLocalTime(&st); 136 | 137 | #ifdef PCAP_FORMAT 138 | WCHAR ext[] = L"pcap"; 139 | #else 140 | WCHAR ext[] = L"txt"; 141 | #endif 142 | 143 | swprintf_s(name, MAX_PATH, L"%s\\%hs - %04d-%02d-%02d - %02d%02d%02d.%ls", 144 | logDir, 145 | inet_ntoa(peer_addr), 146 | st.wYear, st.wMonth, st.wDay, st.wHour, st.wMinute, st.wSecond, 147 | ext); 148 | 149 | FILE *fp = _wfopen(name, L"wb"); 150 | 151 | #ifdef PCAP_FORMAT 152 | PCAP *p = pcap_init(fp); 153 | #endif 154 | 155 | return p; 156 | } 157 | 158 | PCAP * getSession(SSL*s) 159 | { 160 | std::map::iterator it; 161 | 162 | SOCKADDR_IN peer_addr = sslPeer(s); 163 | 164 | it = logSession.find(peer_addr.sin_addr.S_un.S_addr); 165 | 166 | if(it != logSession.end()) 167 | { 168 | return it->second; 169 | } 170 | else 171 | { 172 | PCAP *p = createLog(peer_addr.sin_addr); 173 | logSession[peer_addr.sin_addr.S_un.S_addr] = p; 174 | return p; 175 | } 176 | } 177 | 178 | int Detour_SSL_read(SSL *s, void *buf, int len) 179 | { 180 | int ret = Target_SSL_read(s, buf, len); 181 | 182 | if(ret > 0) 183 | { 184 | PCAP *fp = getSession(s); 185 | 186 | #ifdef PCAP_FORMAT 187 | SOCKADDR_IN h = sslHost(s); 188 | SOCKADDR_IN d = sslPeer(s); 189 | pcap_data_recv(fp, buf, ret, &h, &d); 190 | #else 191 | if(memcmp(buf, "HTTP/1.1", 8) == 0) 192 | fwrite("\r\n\r\n", 1, 4, fp); 193 | 194 | fwrite(buf, 1, ret, fp); 195 | #endif 196 | fflush(fp->fp); 197 | } 198 | 199 | return ret; 200 | } 201 | 202 | int Detour_SSL_write(SSL *s, void *buf, int len) 203 | { 204 | int ret = Target_SSL_write(s, buf, len); 205 | 206 | if(ret > 0) 207 | { 208 | //FILE *fp = getSession(s); 209 | PCAP *fp = getSession(s); 210 | 211 | #ifdef PCAP_FORMAT 212 | SOCKADDR_IN h = sslHost(s); 213 | SOCKADDR_IN d = sslPeer(s); 214 | pcap_data_send(fp, buf, ret, &h, &d); 215 | #else 216 | if(memcmp(buf, "POST ", 5) == 0 || memcmp(buf, "GET ", 4) == 0) 217 | fwrite("\r\n\r\n", 1, 4, fp); 218 | 219 | fwrite(buf, 1, ret, fp); 220 | #endif 221 | fflush(fp->fp); 222 | } 223 | 224 | return ret; 225 | } 226 | 227 | void * Detour_BIO_newmembuf(void *buf, size_t len) 228 | { 229 | TraceA("BIO_new_mem_buf %x %d\n", buf, len); 230 | 231 | WCHAR name[MAX_PATH]; 232 | static int counter = 0; 233 | swprintf_s(name, MAX_PATH, L"%s\\%d.cer", logDir, counter++); 234 | 235 | FILE *fp = _wfopen(name, L"wb"); 236 | 237 | if(fp) 238 | { 239 | fwrite(buf, 1, len, fp); 240 | fclose(fp); 241 | } 242 | 243 | return Target_BIO_newmembuf(buf, len); 244 | } 245 | 246 | void Hook_OpenSSL(DWORD_PTR write_addr, DWORD_PTR read_addr, DWORD_PTR bio_newmem)//, DWORD_PTR bio_addr) 247 | { 248 | // create the log directory 249 | GetModuleFileName(g_hModule, logDir, MAX_PATH); 250 | WCHAR *sep = wcsrchr(logDir, '\\'); 251 | if(sep) *sep = '\0'; 252 | wcscat_s(logDir, MAX_PATH, L"\\log"); 253 | CreateDirectory(logDir, 0); 254 | 255 | Target_SSL_read = (SSL_PROTO)read_addr; 256 | Target_SSL_write = (SSL_PROTO)write_addr; 257 | Target_BIO_newmembuf = (BIO_NEWMEMBUF_PROTO)bio_newmem; 258 | 259 | DetourTransactionBegin(); 260 | DetourUpdateThread(GetCurrentThread()); 261 | 262 | DetourAttach(&(PVOID&)Target_SSL_read, Detour_SSL_read); 263 | DetourAttach(&(PVOID&)Target_SSL_write, Detour_SSL_write); 264 | 265 | if(Target_BIO_newmembuf) 266 | DetourAttach(&(PVOID&)Target_BIO_newmembuf, Detour_BIO_newmembuf); 267 | 268 | DetourTransactionCommit(); 269 | } 270 | 271 | void UnHook_OpenSSL() 272 | { 273 | DetourTransactionBegin(); 274 | DetourUpdateThread(GetCurrentThread()); 275 | 276 | DetourDetach(&(PVOID&)Target_SSL_read, Detour_SSL_read); 277 | DetourDetach(&(PVOID&)Target_SSL_write, Detour_SSL_write); 278 | 279 | if(Target_BIO_newmembuf) 280 | DetourDetach(&(PVOID&)Target_BIO_newmembuf, Detour_BIO_newmembuf); 281 | 282 | Target_SSL_write = 0; 283 | Target_SSL_read = 0; 284 | Target_BIO_newmembuf = 0; 285 | 286 | DetourTransactionCommit(); 287 | 288 | std::map::iterator it; 289 | for(it = logSession.begin(); it != logSession.end(); it++) 290 | { 291 | PCAP *p = it->second; 292 | fclose(p->fp); 293 | pcap_free(p); 294 | } 295 | } 296 | -------------------------------------------------------------------------------- /sslhook/sslhook.cpp: -------------------------------------------------------------------------------- 1 | // 2 | // sslhook 3 | // 4 | // www.catch22.net 5 | // 6 | // Copyright (C) 2013 James Brown 7 | // Please refer to the file LICENCE.TXT for copying permission 8 | // 9 | 10 | #define _CRT_SECURE_NO_WARNINGS 11 | 12 | #include 13 | #include 14 | #include "detours.h" 15 | #include "Trace.h" 16 | 17 | //#pragma comment(lib, "detours.lib") 18 | //#define EXPORT comment(linker, "/EXPORT:hook=_hook@4") 19 | #define MakePtr( cast, ptr, addValue ) (cast)( (DWORD_PTR)(ptr) + (DWORD_PTR)(addValue)) 20 | 21 | PDETOUR_TRAMPOLINE Trampoline; 22 | 23 | HMODULE g_hModule; 24 | PVOID hookAddress = 0; 25 | 26 | void allow_debugging(); 27 | void restore_debugging(); 28 | void Hook_OpenSSL(DWORD_PTR write_addr, DWORD_PTR read_addr, DWORD bio_newmem); 29 | void UnHook_OpenSSL(); 30 | 31 | BOOL init_dll_notify(); 32 | BOOL deinit_dll_notify(); 33 | 34 | WCHAR szTargetDLL[MAX_PATH]; 35 | DWORD_PTR SSL_Read_Target = 0; 36 | DWORD_PTR SSL_Write_Target = 0; 37 | DWORD_PTR BIO_NewMem_Target = 0; 38 | 39 | void dump_ptr(char *prefix, PVOID p) 40 | { 41 | char buf[200]; 42 | 43 | __try 44 | { 45 | _snprintf(buf, 100, "%08X: %s: %s", p, prefix, p); 46 | TraceA(buf); 47 | } 48 | __except(EXCEPTION_EXECUTE_HANDLER) 49 | { 50 | _snprintf(buf, 100, "%08X: %s", p, prefix); 51 | TraceA(buf); 52 | } 53 | } 54 | 55 | void dump_ptrd(char *prefix, PVOID p) 56 | { 57 | __try 58 | { 59 | DWORD_PTR addr = *(DWORD_PTR *)p; 60 | dump_ptr(prefix, (PVOID)addr); 61 | } 62 | __except(EXCEPTION_EXECUTE_HANDLER) 63 | { 64 | 65 | } 66 | } 67 | 68 | typedef struct _PUSHAD 69 | { 70 | DWORD EDI; 71 | DWORD ESI; 72 | DWORD EBP; 73 | DWORD ESP; 74 | DWORD EBX; 75 | DWORD EDX; 76 | DWORD ECX; 77 | DWORD EAX; 78 | 79 | } PUSHAD, *PPUSHAD; 80 | 81 | void __fastcall dump(PUSHAD *regs) 82 | { 83 | dump_ptrd("ESP+0 ", (PVOID)(regs->ESP + 0)); 84 | dump_ptrd("ESP+4 ", (PVOID)(regs->ESP + 4)); 85 | dump_ptrd("ESP+8 ", (PVOID)(regs->ESP + 8)); 86 | dump_ptrd("ESP+C ", (PVOID)(regs->ESP + 0xC)); 87 | dump_ptrd("ESP+10", (PVOID)(regs->ESP + 0x10)); 88 | dump_ptrd("ESP+14", (PVOID)(regs->ESP + 0x14)); 89 | dump_ptrd("ESP+18", (PVOID)(regs->ESP + 0x18)); 90 | dump_ptrd("ESP+1C", (PVOID)(regs->ESP + 0x1C)); 91 | dump_ptr("EAX ", (PVOID)(regs->EAX)); 92 | dump_ptr("ECX ", (PVOID)(regs->ECX)); 93 | dump_ptr("EDX ", (PVOID)(regs->EDX)); 94 | } 95 | 96 | __declspec(naked) void smeg() 97 | { 98 | __asm pushad 99 | __asm mov ecx, esp 100 | __asm call [dump] 101 | __asm popad 102 | __asm jmp [Trampoline] 103 | } 104 | 105 | void Hook(DWORD_PTR addr) 106 | { 107 | hookAddress = (PVOID)addr; 108 | 109 | DetourTransactionBegin(); 110 | DetourUpdateThread(GetCurrentThread()); 111 | 112 | PVOID DetourPtr; 113 | PVOID TargetPtr; 114 | DetourAttachEx((PVOID*)&hookAddress, smeg, &Trampoline, &DetourPtr, &TargetPtr); 115 | DetourTransactionCommit(); 116 | 117 | TraceA("Hooked: %x\n", addr); 118 | } 119 | 120 | void Unhook() 121 | { 122 | DetourTransactionBegin(); 123 | DetourUpdateThread(GetCurrentThread()); 124 | DetourDetach((PVOID *)&hookAddress, smeg); 125 | DetourTransactionCommit(); 126 | 127 | TraceA("Unhooked: %x\n", hookAddress); 128 | hookAddress = 0; 129 | } 130 | 131 | HMODULE WINAPI Detoured() 132 | { 133 | return g_hModule; 134 | } 135 | 136 | DWORD_PTR OriginalImageBase(HMODULE hModule) 137 | { 138 | TCHAR szPath[MAX_PATH]; 139 | DWORD_PTR base = 0; 140 | GetModuleFileName(hModule, szPath, MAX_PATH); 141 | TraceA("FUCK: %ls\n", szPath); 142 | 143 | HANDLE hFile = CreateFile(szPath, GENERIC_READ, FILE_SHARE_READ, 0, OPEN_EXISTING, 0, 0); 144 | 145 | BYTE buf[0x1000]; 146 | DWORD len = 0; 147 | if(ReadFile(hFile, buf, 0x1000, &len, 0) && len) 148 | { 149 | PIMAGE_DOS_HEADER dosheader = (PIMAGE_DOS_HEADER)buf; 150 | PIMAGE_NT_HEADERS ntheaders = MakePtr(PIMAGE_NT_HEADERS, dosheader, dosheader->e_lfanew); 151 | base = ntheaders->OptionalHeader.ImageBase; 152 | TraceA("baseB: %x\n", base); 153 | } 154 | 155 | CloseHandle(hFile); 156 | 157 | return base; 158 | } 159 | 160 | BOOL get_param(PVOID param, WCHAR *szPath, int len, DWORD_PTR *p1, DWORD_PTR *p2) 161 | { 162 | WCHAR *addrStr; 163 | 164 | OutputDebugStringW((WCHAR *)param); 165 | 166 | lstrcpyn(szPath, (WCHAR *)param, len); 167 | 168 | if((addrStr = wcschr(szPath, ':')) == 0) 169 | { 170 | TraceA("Invalid param: %ls", param); 171 | return FALSE; 172 | } 173 | 174 | *addrStr++ = '\0'; 175 | *p1 = wcstol(addrStr, 0, 16); 176 | 177 | if(p2 && (addrStr = wcschr(addrStr, ':')) != 0) 178 | { 179 | *addrStr++ = '\0'; 180 | *p2 = wcstol(addrStr, 0, 16); 181 | } 182 | 183 | return TRUE; 184 | } 185 | 186 | DWORD_PTR getModuleAdjustedRVA(WCHAR *szPath, DWORD_PTR addr) 187 | { 188 | HMODULE hModule = GetModuleHandle(szPath); 189 | //TraceA("FFF: %x %ls\n", addr, addrStr); 190 | 191 | if(hModule == 0) 192 | { 193 | TraceA("Failed GetModuleHandle %ls [%x]", szPath, GetLastError()); 194 | return 0; 195 | } 196 | else 197 | { 198 | TraceA("Found %ls at %08x\n", szPath, hModule); 199 | } 200 | 201 | PIMAGE_DOS_HEADER dosheader = (PIMAGE_DOS_HEADER)hModule; 202 | PIMAGE_NT_HEADERS ntheaders = MakePtr(PIMAGE_NT_HEADERS, dosheader, dosheader->e_lfanew); 203 | 204 | DWORD_PTR base = OriginalImageBase(hModule); 205 | DWORD_PTR rva = addr - base;//ntheaders->OptionalHeader.ImageBase; 206 | 207 | TraceA("Magik %x %x\n", ntheaders->Signature, ntheaders->OptionalHeader.Magic); 208 | TraceA("Base: %x\n", base);//ntheaders->OptionalHeader.ImageBase); 209 | TraceA("RVA: %x\n", rva); 210 | 211 | return (DWORD_PTR)hModule + rva; 212 | } 213 | 214 | extern "C" 215 | __declspec(dllexport) 216 | BOOL WINAPI hook(PVOID param)//WCHAR *module, DWORD_PTR addr) 217 | { 218 | WCHAR szPath[MAX_PATH]; 219 | DWORD_PTR addr; 220 | DWORD_PTR addr2; 221 | 222 | if(!get_param(param, szPath, MAX_PATH, &addr, 0)) 223 | return FALSE; 224 | 225 | if((addr2 = getModuleAdjustedRVA(szPath, addr)) == 0) 226 | return FALSE; 227 | 228 | __try 229 | { 230 | if(hookAddress) 231 | Unhook(); 232 | 233 | Hook(addr2); 234 | } 235 | __except(EXCEPTION_EXECUTE_HANDLER) 236 | { 237 | TraceA("Shit\n"); 238 | } 239 | 240 | return TRUE; 241 | } 242 | 243 | extern "C" 244 | __declspec(dllexport) 245 | BOOL WINAPI hookopenssl(PVOID param)//WCHAR *module, DWORD_PTR addr) 246 | { 247 | WCHAR szPath[MAX_PATH]; 248 | DWORD_PTR sslWrite; 249 | DWORD_PTR sslRead; 250 | 251 | if(!get_param(param, szPath, MAX_PATH, &sslRead, &sslWrite)) 252 | return FALSE; 253 | 254 | if((sslRead = getModuleAdjustedRVA(szPath, sslRead)) == 0) 255 | return FALSE; 256 | 257 | if((sslWrite = getModuleAdjustedRVA(szPath, sslWrite)) == 0) 258 | return FALSE; 259 | 260 | __try 261 | { 262 | Hook_OpenSSL(sslWrite, sslRead, 0); 263 | } 264 | __except(EXCEPTION_EXECUTE_HANDLER) 265 | { 266 | TraceA("Shit\n"); 267 | } 268 | 269 | return TRUE; 270 | } 271 | 272 | void GetModuleBaseName(HMODULE hModule, WCHAR *szPath, DWORD nBufLen) 273 | { 274 | GetModuleFileName(hModule, szPath, nBufLen); 275 | WCHAR *ptr = wcsrchr(szPath, '\\'); 276 | 277 | if(ptr) *ptr++ = '\0'; 278 | memmove(szPath, ptr, (lstrlen(ptr) + 1) * sizeof(WCHAR)); 279 | } 280 | 281 | BOOL check_allow_hooking(HMODULE hSllHook) 282 | { 283 | BOOL allow = FALSE; 284 | 285 | WCHAR szExeName[MAX_PATH]; 286 | WCHAR szIniPath[MAX_PATH]; 287 | WCHAR *ptr; 288 | 289 | // hook parameters that we read from the ini file 290 | WCHAR raddr[20], waddr[20], baddr[20] = L""; 291 | 292 | // get base name of current exe 293 | GetModuleBaseName(0, szExeName, MAX_PATH); 294 | 295 | TraceA("CurExe: %ls", szExeName); 296 | 297 | // get path of sslhook.dll -> change to sslhook.ini 298 | GetModuleFileName(hSllHook, szIniPath, MAX_PATH); 299 | ptr = wcsrchr(szIniPath, '.'); if(ptr) lstrcpyn(ptr, L".ini", MAX_PATH); 300 | 301 | if(0 == GetPrivateProfileString(szExeName, L"targetDll", L"", szTargetDLL, MAX_PATH, szIniPath)) 302 | return FALSE; 303 | 304 | if(0 == GetPrivateProfileString(szExeName, L"SSL_read", L"", raddr, 20, szIniPath)) 305 | return FALSE; 306 | 307 | if(0 == GetPrivateProfileString(szExeName, L"SSL_write", L"", waddr, 20, szIniPath)) 308 | return FALSE; 309 | 310 | GetPrivateProfileString(szExeName, L"BIO_NewMemBuf", L"", baddr, 20, szIniPath); 311 | 312 | SSL_Read_Target = wcstol(raddr, 0, 16); 313 | SSL_Write_Target = wcstol(waddr, 0, 16); 314 | BIO_NewMem_Target = wcstol(baddr, 0, 16); 315 | 316 | TraceA("targetDLL: %ls", szTargetDLL); 317 | TraceA("SSL_Read RVA: %08x", SSL_Read_Target); 318 | TraceA("SSL_Write RVA: %08x", SSL_Write_Target); 319 | TraceA("BIO_NewMem RVA: %08x", BIO_NewMem_Target); 320 | return TRUE; 321 | } 322 | 323 | void module_loaded(PVOID base, WCHAR *name, WCHAR *path) 324 | { 325 | TraceW(L"Module loaded: %08x %ls", base, name); 326 | 327 | if(lstrcmpi(name, szTargetDLL) == 0) 328 | { 329 | DWORD read_addr = getModuleAdjustedRVA(path, SSL_Read_Target); 330 | DWORD write_addr = getModuleAdjustedRVA(path, SSL_Write_Target); 331 | DWORD biomem_addr = BIO_NewMem_Target ? getModuleAdjustedRVA(path, BIO_NewMem_Target) : 0; 332 | 333 | TraceA("Hooking OpenSSL!"); 334 | TraceA("SSL_Read = %08x", read_addr); 335 | TraceA("SSL_Write = %08x", write_addr); 336 | TraceA("BIO_NewMem = %08x", biomem_addr); 337 | 338 | Hook_OpenSSL(write_addr, read_addr, biomem_addr); 339 | } 340 | } 341 | 342 | 343 | BOOL CALLBACK DllMain(HINSTANCE hInstance, DWORD dwReason, LPVOID lpReserved) 344 | { 345 | switch(dwReason) 346 | { 347 | case DLL_PROCESS_ATTACH: 348 | g_hModule = hInstance; 349 | 350 | if(check_allow_hooking(hInstance) == FALSE) 351 | { 352 | return FALSE; 353 | } 354 | 355 | //TraceA("Loaded!"); 356 | //Hook(); 357 | 358 | allow_debugging(); 359 | 360 | // install hook so we are notified when DLLs load 361 | if(init_dll_notify()) 362 | { 363 | TraceA("LdrRegisterDllNotification OK"); 364 | } 365 | 366 | break; 367 | 368 | case DLL_PROCESS_DETACH: 369 | 370 | deinit_dll_notify(); 371 | restore_debugging(); 372 | 373 | if(hookAddress) 374 | Unhook(); 375 | 376 | UnHook_OpenSSL(); 377 | OutputDebugStringA("Unloaded!"); 378 | break; 379 | } 380 | 381 | return TRUE; 382 | } 383 | -------------------------------------------------------------------------------- /sslhook/detours.h: -------------------------------------------------------------------------------- 1 | ////////////////////////////////////////////////////////////////////////////// 2 | // 3 | // Core Detours Functionality (detours.h of detours.lib) 4 | // 5 | // Microsoft Research Detours Package, Version 2.1. 6 | // 7 | // Copyright (c) Microsoft Corporation. All rights reserved. 8 | // 9 | 10 | #pragma once 11 | #ifndef _DETOURS_H_ 12 | #define _DETOURS_H_ 13 | 14 | #define DETOURS_VERSION 20100 // 2.1.0 15 | 16 | ////////////////////////////////////////////////////////////////////////////// 17 | // 18 | 19 | #if (_MSC_VER < 1299) 20 | typedef LONG LONG_PTR; 21 | typedef ULONG ULONG_PTR; 22 | #endif 23 | 24 | #ifndef __in_z 25 | #define __in_z 26 | #endif 27 | 28 | ////////////////////////////////////////////////////////////////////////////// 29 | // 30 | #ifndef GUID_DEFINED 31 | #define GUID_DEFINED 32 | typedef struct _GUID 33 | { 34 | DWORD Data1; 35 | WORD Data2; 36 | WORD Data3; 37 | BYTE Data4[ 8 ]; 38 | } GUID; 39 | 40 | #ifdef INITGUID 41 | #define DEFINE_GUID(name, l, w1, w2, b1, b2, b3, b4, b5, b6, b7, b8) \ 42 | const GUID name \ 43 | = { l, w1, w2, { b1, b2, b3, b4, b5, b6, b7, b8 } } 44 | #else 45 | #define DEFINE_GUID(name, l, w1, w2, b1, b2, b3, b4, b5, b6, b7, b8) \ 46 | const GUID name 47 | #endif // INITGUID 48 | #endif // !GUID_DEFINED 49 | 50 | #if defined(__cplusplus) 51 | #ifndef _REFGUID_DEFINED 52 | #define _REFGUID_DEFINED 53 | #define REFGUID const GUID & 54 | #endif // !_REFGUID_DEFINED 55 | #else // !__cplusplus 56 | #ifndef _REFGUID_DEFINED 57 | #define _REFGUID_DEFINED 58 | #define REFGUID const GUID * const 59 | #endif // !_REFGUID_DEFINED 60 | #endif // !__cplusplus 61 | 62 | // 63 | ////////////////////////////////////////////////////////////////////////////// 64 | 65 | #ifdef __cplusplus 66 | extern "C" { 67 | #endif // __cplusplus 68 | 69 | /////////////////////////////////////////////////// Instruction Target Macros. 70 | // 71 | #define DETOUR_INSTRUCTION_TARGET_NONE ((PVOID)0) 72 | #define DETOUR_INSTRUCTION_TARGET_DYNAMIC ((PVOID)(LONG_PTR)-1) 73 | #define DETOUR_SECTION_HEADER_SIGNATURE 0x00727444 // "Dtr\0" 74 | 75 | extern const GUID DETOUR_EXE_RESTORE_GUID; 76 | 77 | #define DETOUR_TRAMPOLINE_SIGNATURE 0x21727444 // Dtr! 78 | typedef struct _DETOUR_TRAMPOLINE DETOUR_TRAMPOLINE, *PDETOUR_TRAMPOLINE; 79 | 80 | /////////////////////////////////////////////////////////// Binary Structures. 81 | // 82 | #pragma pack(push, 8) 83 | typedef struct _DETOUR_SECTION_HEADER 84 | { 85 | DWORD cbHeaderSize; 86 | DWORD nSignature; 87 | DWORD nDataOffset; 88 | DWORD cbDataSize; 89 | 90 | DWORD nOriginalImportVirtualAddress; 91 | DWORD nOriginalImportSize; 92 | DWORD nOriginalBoundImportVirtualAddress; 93 | DWORD nOriginalBoundImportSize; 94 | 95 | DWORD nOriginalIatVirtualAddress; 96 | DWORD nOriginalIatSize; 97 | DWORD nOriginalSizeOfImage; 98 | DWORD cbPrePE; 99 | 100 | DWORD nOriginalClrFlags; 101 | DWORD reserved1; 102 | DWORD reserved2; 103 | DWORD reserved3; 104 | 105 | // Followed by cbPrePE bytes of data. 106 | } DETOUR_SECTION_HEADER, *PDETOUR_SECTION_HEADER; 107 | 108 | typedef struct _DETOUR_SECTION_RECORD 109 | { 110 | DWORD cbBytes; 111 | DWORD nReserved; 112 | GUID guid; 113 | } DETOUR_SECTION_RECORD, *PDETOUR_SECTION_RECORD; 114 | 115 | typedef struct _DETOUR_CLR_HEADER 116 | { 117 | // Header versioning 118 | ULONG cb; 119 | USHORT MajorRuntimeVersion; 120 | USHORT MinorRuntimeVersion; 121 | 122 | // Symbol table and startup information 123 | IMAGE_DATA_DIRECTORY MetaData; 124 | ULONG Flags; 125 | 126 | // Followed by the rest of the header. 127 | } DETOUR_CLR_HEADER, *PDETOUR_CLR_HEADER; 128 | 129 | typedef struct _DETOUR_EXE_RESTORE 130 | { 131 | ULONG cb; 132 | 133 | PIMAGE_DOS_HEADER pidh; 134 | PIMAGE_NT_HEADERS pinh; 135 | PULONG pclrFlags; 136 | DWORD impDirProt; 137 | 138 | IMAGE_DOS_HEADER idh; 139 | IMAGE_NT_HEADERS inh; 140 | ULONG clrFlags; 141 | } DETOUR_EXE_RESTORE, *PDETOUR_EXE_RESTORE; 142 | 143 | #pragma pack(pop) 144 | 145 | #define DETOUR_SECTION_HEADER_DECLARE(cbSectionSize) \ 146 | { \ 147 | sizeof(DETOUR_SECTION_HEADER),\ 148 | DETOUR_SECTION_HEADER_SIGNATURE,\ 149 | sizeof(DETOUR_SECTION_HEADER),\ 150 | (cbSectionSize),\ 151 | \ 152 | 0,\ 153 | 0,\ 154 | 0,\ 155 | 0,\ 156 | \ 157 | 0,\ 158 | 0,\ 159 | 0,\ 160 | 0,\ 161 | } 162 | 163 | ///////////////////////////////////////////////////////////// Binary Typedefs. 164 | // 165 | typedef BOOL (CALLBACK *PF_DETOUR_BINARY_BYWAY_CALLBACK)(PVOID pContext, 166 | PCHAR pszFile, 167 | PCHAR *ppszOutFile); 168 | 169 | typedef BOOL (CALLBACK *PF_DETOUR_BINARY_FILE_CALLBACK)(PVOID pContext, 170 | PCHAR pszOrigFile, 171 | PCHAR pszFile, 172 | PCHAR *ppszOutFile); 173 | 174 | typedef BOOL (CALLBACK *PF_DETOUR_BINARY_SYMBOL_CALLBACK)(PVOID pContext, 175 | ULONG nOrigOrdinal, 176 | ULONG nOrdinal, 177 | ULONG *pnOutOrdinal, 178 | PCHAR pszOrigSymbol, 179 | PCHAR pszSymbol, 180 | PCHAR *ppszOutSymbol); 181 | 182 | typedef BOOL (CALLBACK *PF_DETOUR_BINARY_COMMIT_CALLBACK)(PVOID pContext); 183 | 184 | typedef BOOL (CALLBACK *PF_DETOUR_ENUMERATE_EXPORT_CALLBACK)(PVOID pContext, 185 | ULONG nOrdinal, 186 | PCHAR pszName, 187 | PVOID pCode); 188 | 189 | typedef VOID * PDETOUR_BINARY; 190 | typedef VOID * PDETOUR_LOADED_BINARY; 191 | 192 | //////////////////////////////////////////////////////////// Detours 2.1 APIs. 193 | // 194 | 195 | LONG WINAPI DetourTransactionBegin(); 196 | LONG WINAPI DetourTransactionAbort(); 197 | LONG WINAPI DetourTransactionCommit(); 198 | LONG WINAPI DetourTransactionCommitEx(PVOID **pppFailedPointer); 199 | 200 | LONG WINAPI DetourUpdateThread(HANDLE hThread); 201 | 202 | LONG WINAPI DetourAttach(PVOID *ppPointer, 203 | PVOID pDetour); 204 | 205 | LONG WINAPI DetourAttachEx(PVOID *ppPointer, 206 | PVOID pDetour, 207 | PDETOUR_TRAMPOLINE *ppRealTrampoline, 208 | PVOID *ppRealTarget, 209 | PVOID *ppRealDetour); 210 | 211 | LONG WINAPI DetourDetach(PVOID *ppPointer, 212 | PVOID pDetour); 213 | 214 | VOID WINAPI DetourSetIgnoreTooSmall(BOOL fIgnore); 215 | 216 | ////////////////////////////////////////////////////////////// Code Functions. 217 | // 218 | PVOID WINAPI DetourFindFunction(PCSTR pszModule, PCSTR pszFunction); 219 | PVOID WINAPI DetourCodeFromPointer(PVOID pPointer, PVOID *ppGlobals); 220 | 221 | PVOID WINAPI DetourCopyInstruction(PVOID pDst, PVOID pSrc, PVOID *ppTarget); 222 | PVOID WINAPI DetourCopyInstructionEx(PVOID pDst, 223 | PVOID pSrc, 224 | PVOID *ppTarget, 225 | LONG *plExtra); 226 | 227 | ///////////////////////////////////////////////////// Loaded Binary Functions. 228 | // 229 | HMODULE WINAPI DetourEnumerateModules(HMODULE hModuleLast); 230 | PVOID WINAPI DetourGetEntryPoint(HMODULE hModule); 231 | ULONG WINAPI DetourGetModuleSize(HMODULE hModule); 232 | BOOL WINAPI DetourEnumerateExports(HMODULE hModule, 233 | PVOID pContext, 234 | PF_DETOUR_ENUMERATE_EXPORT_CALLBACK pfExport); 235 | 236 | PVOID WINAPI DetourFindPayload(HMODULE hModule, REFGUID rguid, DWORD *pcbData); 237 | DWORD WINAPI DetourGetSizeOfPayloads(HMODULE hModule); 238 | 239 | ///////////////////////////////////////////////// Persistent Binary Functions. 240 | // 241 | 242 | PDETOUR_BINARY WINAPI DetourBinaryOpen(HANDLE hFile); 243 | PVOID WINAPI DetourBinaryEnumeratePayloads(PDETOUR_BINARY pBinary, 244 | GUID *pGuid, 245 | DWORD *pcbData, 246 | DWORD *pnIterator); 247 | PVOID WINAPI DetourBinaryFindPayload(PDETOUR_BINARY pBinary, 248 | REFGUID rguid, 249 | DWORD *pcbData); 250 | PVOID WINAPI DetourBinarySetPayload(PDETOUR_BINARY pBinary, 251 | REFGUID rguid, 252 | PVOID pData, 253 | DWORD cbData); 254 | BOOL WINAPI DetourBinaryDeletePayload(PDETOUR_BINARY pBinary, REFGUID rguid); 255 | BOOL WINAPI DetourBinaryPurgePayloads(PDETOUR_BINARY pBinary); 256 | BOOL WINAPI DetourBinaryResetImports(PDETOUR_BINARY pBinary); 257 | BOOL WINAPI DetourBinaryEditImports(PDETOUR_BINARY pBinary, 258 | PVOID pContext, 259 | PF_DETOUR_BINARY_BYWAY_CALLBACK pfByway, 260 | PF_DETOUR_BINARY_FILE_CALLBACK pfFile, 261 | PF_DETOUR_BINARY_SYMBOL_CALLBACK pfSymbol, 262 | PF_DETOUR_BINARY_COMMIT_CALLBACK pfCommit); 263 | BOOL WINAPI DetourBinaryWrite(PDETOUR_BINARY pBinary, HANDLE hFile); 264 | BOOL WINAPI DetourBinaryClose(PDETOUR_BINARY pBinary); 265 | 266 | /////////////////////////////////////////////////// Create Process & Load Dll. 267 | // 268 | typedef BOOL (WINAPI *PDETOUR_CREATE_PROCESS_ROUTINEA) 269 | (LPCSTR lpApplicationName, 270 | LPSTR lpCommandLine, 271 | LPSECURITY_ATTRIBUTES lpProcessAttributes, 272 | LPSECURITY_ATTRIBUTES lpThreadAttributes, 273 | BOOL bInheritHandles, 274 | DWORD dwCreationFlags, 275 | LPVOID lpEnvironment, 276 | LPCSTR lpCurrentDirectory, 277 | LPSTARTUPINFOA lpStartupInfo, 278 | LPPROCESS_INFORMATION lpProcessInformation); 279 | 280 | typedef BOOL (WINAPI *PDETOUR_CREATE_PROCESS_ROUTINEW) 281 | (LPCWSTR lpApplicationName, 282 | LPWSTR lpCommandLine, 283 | LPSECURITY_ATTRIBUTES lpProcessAttributes, 284 | LPSECURITY_ATTRIBUTES lpThreadAttributes, 285 | BOOL bInheritHandles, 286 | DWORD dwCreationFlags, 287 | LPVOID lpEnvironment, 288 | LPCWSTR lpCurrentDirectory, 289 | LPSTARTUPINFOW lpStartupInfo, 290 | LPPROCESS_INFORMATION lpProcessInformation); 291 | 292 | BOOL WINAPI DetourCreateProcessWithDllA(LPCSTR lpApplicationName, 293 | __in_z LPSTR lpCommandLine, 294 | LPSECURITY_ATTRIBUTES lpProcessAttributes, 295 | LPSECURITY_ATTRIBUTES lpThreadAttributes, 296 | BOOL bInheritHandles, 297 | DWORD dwCreationFlags, 298 | LPVOID lpEnvironment, 299 | LPCSTR lpCurrentDirectory, 300 | LPSTARTUPINFOA lpStartupInfo, 301 | LPPROCESS_INFORMATION lpProcessInformation, 302 | LPCSTR lpDetouredDllFullName, 303 | LPCSTR lpDllName, 304 | PDETOUR_CREATE_PROCESS_ROUTINEA 305 | pfCreateProcessA); 306 | 307 | BOOL WINAPI DetourCreateProcessWithDllW(LPCWSTR lpApplicationName, 308 | __in_z LPWSTR lpCommandLine, 309 | LPSECURITY_ATTRIBUTES lpProcessAttributes, 310 | LPSECURITY_ATTRIBUTES lpThreadAttributes, 311 | BOOL bInheritHandles, 312 | DWORD dwCreationFlags, 313 | LPVOID lpEnvironment, 314 | LPCWSTR lpCurrentDirectory, 315 | LPSTARTUPINFOW lpStartupInfo, 316 | LPPROCESS_INFORMATION lpProcessInformation, 317 | LPCSTR lpDetouredDllFullName, 318 | LPCSTR lpDllName, 319 | PDETOUR_CREATE_PROCESS_ROUTINEW 320 | pfCreateProcessW); 321 | 322 | #ifdef UNICODE 323 | #define DetourCreateProcessWithDll DetourCreateProcessWithDllW 324 | #define PDETOUR_CREATE_PROCESS_ROUTINE PDETOUR_CREATE_PROCESS_ROUTINEW 325 | #else 326 | #define DetourCreateProcessWithDll DetourCreateProcessWithDllA 327 | #define PDETOUR_CREATE_PROCESS_ROUTINE PDETOUR_CREATE_PROCESS_ROUTINEA 328 | #endif // !UNICODE 329 | 330 | BOOL WINAPI DetourCopyPayloadToProcess(HANDLE hProcess, 331 | REFGUID rguid, 332 | PVOID pvData, 333 | DWORD cbData); 334 | BOOL WINAPI DetourRestoreAfterWith(); 335 | BOOL WINAPI DetourRestoreAfterWithEx(PVOID pvData, DWORD cbData); 336 | 337 | HMODULE WINAPI DetourGetDetouredMarker(); 338 | 339 | // 340 | ////////////////////////////////////////////////////////////////////////////// 341 | #ifdef __cplusplus 342 | } 343 | #endif // __cplusplus 344 | 345 | //////////////////////////////////////////////// Detours Internal Definitions. 346 | // 347 | #ifdef __cplusplus 348 | #ifdef DETOURS_INTERNAL 349 | 350 | #ifndef __deref_out 351 | #define __deref_out 352 | #endif 353 | 354 | #ifndef __deref 355 | #define __deref 356 | #endif 357 | 358 | ////////////////////////////////////////////////////////////////////////////// 359 | // 360 | #if (_MSC_VER < 1299) 361 | #include 362 | typedef IMAGEHLP_MODULE IMAGEHLP_MODULE64; 363 | typedef PIMAGEHLP_MODULE PIMAGEHLP_MODULE64; 364 | typedef IMAGEHLP_SYMBOL SYMBOL_INFO; 365 | typedef PIMAGEHLP_SYMBOL PSYMBOL_INFO; 366 | 367 | static inline 368 | LONG InterlockedCompareExchange(LONG *ptr, LONG nval, LONG oval) 369 | { 370 | return (LONG)::InterlockedCompareExchange((PVOID*)ptr, (PVOID)nval, (PVOID)oval); 371 | } 372 | #else 373 | #include 374 | #endif 375 | 376 | #ifdef IMAGEAPI // defined by DBGHELP.H 377 | typedef LPAPI_VERSION (NTAPI *PF_ImagehlpApiVersionEx)(LPAPI_VERSION AppVersion); 378 | 379 | typedef BOOL (NTAPI *PF_SymInitialize)(IN HANDLE hProcess, 380 | IN LPCSTR UserSearchPath, 381 | IN BOOL fInvadeProcess); 382 | typedef DWORD (NTAPI *PF_SymSetOptions)(IN DWORD SymOptions); 383 | typedef DWORD (NTAPI *PF_SymGetOptions)(VOID); 384 | typedef DWORD64 (NTAPI *PF_SymLoadModule64)(IN HANDLE hProcess, 385 | IN HANDLE hFile, 386 | IN PSTR ImageName, 387 | IN PSTR ModuleName, 388 | IN DWORD64 BaseOfDll, 389 | IN DWORD SizeOfDll); 390 | typedef BOOL (NTAPI *PF_SymGetModuleInfo64)(IN HANDLE hProcess, 391 | IN DWORD64 qwAddr, 392 | OUT PIMAGEHLP_MODULE64 ModuleInfo); 393 | typedef BOOL (NTAPI *PF_SymFromName)(IN HANDLE hProcess, 394 | IN LPSTR Name, 395 | OUT PSYMBOL_INFO Symbol); 396 | 397 | typedef struct _DETOUR_SYM_INFO 398 | { 399 | HANDLE hProcess; 400 | HMODULE hDbgHelp; 401 | PF_ImagehlpApiVersionEx pfImagehlpApiVersionEx; 402 | PF_SymInitialize pfSymInitialize; 403 | PF_SymSetOptions pfSymSetOptions; 404 | PF_SymGetOptions pfSymGetOptions; 405 | PF_SymLoadModule64 pfSymLoadModule64; 406 | PF_SymGetModuleInfo64 pfSymGetModuleInfo64; 407 | PF_SymFromName pfSymFromName; 408 | } DETOUR_SYM_INFO, *PDETOUR_SYM_INFO; 409 | 410 | PDETOUR_SYM_INFO DetourLoadDbgHelp(VOID); 411 | 412 | #endif // IMAGEAPI 413 | 414 | #ifndef DETOUR_TRACE 415 | #if DETOUR_DEBUG 416 | #define DETOUR_TRACE(x) printf x 417 | #define DETOUR_BREAK() DebugBreak() 418 | #include 419 | #include 420 | #else 421 | #define DETOUR_TRACE(x) 422 | #define DETOUR_BREAK() 423 | #endif 424 | #endif 425 | 426 | #ifdef DETOURS_IA64 427 | __declspec(align(16)) struct DETOUR_IA64_BUNDLE 428 | { 429 | public: 430 | union 431 | { 432 | BYTE data[16]; 433 | UINT64 wide[2]; 434 | }; 435 | 436 | public: 437 | struct DETOUR_IA64_METADATA; 438 | 439 | typedef BOOL (DETOUR_IA64_BUNDLE::* DETOUR_IA64_METACOPY) 440 | (const DETOUR_IA64_METADATA *pMeta, DETOUR_IA64_BUNDLE *pDst) const; 441 | 442 | enum { 443 | A_UNIT = 1u, 444 | I_UNIT = 2u, 445 | M_UNIT = 3u, 446 | B_UNIT = 4u, 447 | F_UNIT = 5u, 448 | L_UNIT = 6u, 449 | X_UNIT = 7u, 450 | UNIT_MASK = 7u, 451 | STOP = 8u 452 | }; 453 | struct DETOUR_IA64_METADATA 454 | { 455 | ULONG nTemplate : 8; // Instruction template. 456 | ULONG nUnit0 : 4; // Unit for slot 0 457 | ULONG nUnit1 : 4; // Unit for slot 1 458 | ULONG nUnit2 : 4; // Unit for slot 2 459 | DETOUR_IA64_METACOPY pfCopy; // Function pointer. 460 | }; 461 | 462 | protected: 463 | BOOL CopyBytes(const DETOUR_IA64_METADATA *pMeta, DETOUR_IA64_BUNDLE *pDst) const; 464 | BOOL CopyBytesMMB(const DETOUR_IA64_METADATA *pMeta, DETOUR_IA64_BUNDLE *pDst) const; 465 | BOOL CopyBytesMBB(const DETOUR_IA64_METADATA *pMeta, DETOUR_IA64_BUNDLE *pDst) const; 466 | BOOL CopyBytesBBB(const DETOUR_IA64_METADATA *pMeta, DETOUR_IA64_BUNDLE *pDst) const; 467 | BOOL CopyBytesMLX(const DETOUR_IA64_METADATA *pMeta, DETOUR_IA64_BUNDLE *pDst) const; 468 | 469 | static const DETOUR_IA64_METADATA s_rceCopyTable[33]; 470 | 471 | public: 472 | // 120 112 104 96 88 80 72 64 56 48 40 32 24 16 8 0 473 | // f. e. d. c. b. a. 9. 8. 7. 6. 5. 4. 3. 2. 1. 0. 474 | 475 | // 00 476 | // f.e. d.c. b.a. 9.8. 7.6. 5.4. 3.2. 1.0. 477 | // 0000 0000 0000 0000 0000 0000 0000 001f : Template [4..0] 478 | // 0000 0000 0000 0000 0000 03ff ffff ffe0 : Zero [ 41.. 5] 479 | // 0000 0000 0000 0000 0000 3c00 0000 0000 : Zero [ 45.. 42] 480 | // 0000 0000 0007 ffff ffff c000 0000 0000 : One [ 82.. 46] 481 | // 0000 0000 0078 0000 0000 0000 0000 0000 : One [ 86.. 83] 482 | // 0fff ffff ff80 0000 0000 0000 0000 0000 : Two [123.. 87] 483 | // f000 0000 0000 0000 0000 0000 0000 0000 : Two [127..124] 484 | BYTE GetTemplate() const; 485 | BYTE GetInst0() const; 486 | BYTE GetInst1() const; 487 | BYTE GetInst2() const; 488 | BYTE GetUnit0() const; 489 | BYTE GetUnit1() const; 490 | BYTE GetUnit2() const; 491 | UINT64 GetData0() const; 492 | UINT64 GetData1() const; 493 | UINT64 GetData2() const; 494 | 495 | public: 496 | BOOL IsBrl() const; 497 | VOID SetBrl(); 498 | VOID SetBrl(UINT64 target); 499 | UINT64 GetBrlTarget() const; 500 | VOID SetBrlTarget(UINT64 target); 501 | VOID SetBrlImm(UINT64 imm); 502 | UINT64 GetBrlImm() const; 503 | 504 | BOOL IsMovlGp() const; 505 | UINT64 GetMovlGp() const; 506 | VOID SetMovlGp(UINT64 gp); 507 | 508 | VOID SetInst0(BYTE nInst); 509 | VOID SetInst1(BYTE nInst); 510 | VOID SetInst2(BYTE nInst); 511 | VOID SetData0(UINT64 nData); 512 | VOID SetData1(UINT64 nData); 513 | VOID SetData2(UINT64 nData); 514 | BOOL SetNop0(); 515 | BOOL SetNop1(); 516 | BOOL SetNop2(); 517 | BOOL SetStop(); 518 | 519 | BOOL Copy(DETOUR_IA64_BUNDLE *pDst) const; 520 | }; 521 | #endif // DETOURS_IA64 522 | 523 | ////////////////////////////////////////////////////////////////////////////// 524 | 525 | #endif // DETOURS_INTERNAL 526 | #endif // __cplusplus 527 | 528 | #endif // _DETOURS_H_ 529 | // 530 | //////////////////////////////////////////////////////////////// End of File. 531 | --------------------------------------------------------------------------------