Decrypting TLS using Crypt hooks

Apr 25, 2010 at 2:24 AM

Hi guys,

Little bit of background: I'm trying to decrypt a TLS conversation on the fly on my machine using EasyHook and sniffing the raw packets as they arrive. The sniffing part works fine, and I can strip out the encrypted packets. Decrypting them is the problem ;)

Where I'm at currently is using EasyHook to intercept the call to CryptGenRandom() but I'm having two problems:

1. After passing through the call to the actual API, I can't see the result of the call (FYI: CryptGenRandom fills a byte buffer with a random number, and returns a bool). The code seems to return immediately after the API call is passed through. So the first question is - should I easily be able to see the result(s) of the API call? I know it's possible, because oSpy can do it.

2. Even if I could see what CryptGenRandom produced, there is still a hell of a lot of work to decrypt the conversation (generating keys, hashes, etc.)! My thought was that instead of going through all that hassle, why not just hook into the CryptDecrypt() function and read the decrypted result? Problem is, though, that it doesn't appear to be called by this particular application. I'm about 90% sure that it is called, but I just can't hook into it for whatever reason. So the question is - are there some calls I can hook, and some I can't? What determines this? Is CryptDecrypt() one of the unhookable ones?

Also, it might be a bit off-topic, but if anyone has any suggestions on how to go about the whole decryption thing, please PM me.

Apr 25, 2010 at 2:50 AM

A little more info:

        // CryptDecrypt lives in advapi32.dll; without the DllImport attribute the
        // extern declaration has nothing to bind to.
        [DllImport("advapi32.dll", SetLastError = true)]
        static extern bool CryptDecrypt(
            IntPtr hKey,        // HCRYPTKEY  (ULONG_PTR, so IntPtr on 32- and 64-bit)
            IntPtr hHash,       // HCRYPTHASH (ULONG_PTR)
            int Final,          // BOOL is a 32-bit int
            uint dwFlags,
            byte[] pbData,      // in: ciphertext, out: plaintext (in place)
            ref uint pdwDataLen); // in: ciphertext length, out: plaintext length

.. is the signature that I am using. There are conflicting signatures for this function on the net, and I'm on a 64-bit machine, so I'm not 100% sure the signature is matching. I'll keep trying ...
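As an added example (not code from either post above), here is the hook the two posts describe, written against EasyHook's public API: a payload class that hooks advapi32!CryptDecrypt, calls the original, and only then reads the plaintext that the API has written back into pbData, plus a small host that injects it and prints what the payload reports over EasyHook's IPC channel. The P/Invoke signature is the one from the second post; in the hook delegate pbData is typed as IntPtr rather than byte[], because when a native caller enters managed code the marshaller has no way to size a byte[], so the handler copies exactly pdwDataLen bytes itself. Assumed: EasyHook 2.x, a host built for the same bitness as the target, and the names CryptDecryptHookDemo, Payload, HookInterface and ReportPlaintext, which are mine. One caveat for the second question: this entry point only fires if the application really decrypts through advapi32!CryptDecrypt; a program that does TLS through Schannel (SSPI DecryptMessage) performs record decryption inside Schannel, not via CryptDecrypt, so a hook that is never hit there is not a hooking failure.

```csharp
// Added example (not from the original thread): EasyHook payload + host for
// advapi32!CryptDecrypt. Names in namespace CryptDecryptHookDemo are assumptions.
using System;
using System.Runtime.InteropServices;
using System.Runtime.Remoting;
using System.Threading;
using EasyHook;

namespace CryptDecryptHookDemo
{
    // Lives in the host process; the payload calls it via .NET remoting.
    public class HookInterface : MarshalByRefObject
    {
        public void ReportPlaintext(int pid, byte[] plain)
        {
            Console.WriteLine("[{0}] CryptDecrypt -> {1} bytes: {2}", pid, plain.Length,
                BitConverter.ToString(plain, 0, Math.Min(plain.Length, 32)));
        }
        public void ReportError(string message) { Console.WriteLine("[error] " + message); }
    }

    // Runs inside the target. EasyHook instantiates it after injection.
    public class Payload : IEntryPoint
    {
        // Same shape as CryptDecrypt. pbData is IntPtr: the marshaller cannot size a
        // byte[] coming from native code, so the handler copies pdwDataLen bytes itself.
        [UnmanagedFunctionPointer(CallingConvention.StdCall, SetLastError = true)]
        delegate bool DCryptDecrypt(IntPtr hKey, IntPtr hHash, int Final, uint dwFlags,
                                     IntPtr pbData, ref uint pdwDataLen);

        // Pass-through to the real API. HCRYPTKEY/HCRYPTHASH are ULONG_PTR (IntPtr),
        // BOOL is a 32-bit int, so this matches on 32- and 64-bit alike.
        [DllImport("advapi32.dll", SetLastError = true)]
        static extern bool CryptDecrypt(IntPtr hKey, IntPtr hHash, int Final, uint dwFlags,
                                        IntPtr pbData, ref uint pdwDataLen);

        readonly HookInterface _host;
        LocalHook _hook;

        public Payload(RemoteHooking.IContext context, string channelName)
        {
            _host = RemoteHooking.IpcConnectClient<HookInterface>(channelName);
        }

        public void Run(RemoteHooking.IContext context, string channelName)
        {
            try
            {
                _hook = LocalHook.Create(
                    LocalHook.GetProcAddress("advapi32.dll", "CryptDecrypt"),
                    new DCryptDecrypt(CryptDecrypt_Hooked), this);
                // Exclusive ACL {0}: intercept every thread except this one.
                _hook.ThreadACL.SetExclusiveACL(new int[] { 0 });
            }
            catch (Exception e) { _host.ReportError(e.ToString()); return; }

            RemoteHooking.WakeUpProcess();   // target was created suspended
            while (true) Thread.Sleep(500);  // keep the payload resident
        }

        static bool CryptDecrypt_Hooked(IntPtr hKey, IntPtr hHash, int Final, uint dwFlags,
                                        IntPtr pbData, ref uint pdwDataLen)
        {
            // Call the real API first. EasyHook's barrier lets this P/Invoke pass
            // through to the original instead of re-entering the handler.
            bool ok = CryptDecrypt(hKey, hHash, Final, dwFlags, pbData, ref pdwDataLen);

            // Only now does pbData hold plaintext, with pdwDataLen as its length.
            if (ok && pbData != IntPtr.Zero && pdwDataLen > 0)
            {
                byte[] plain = new byte[pdwDataLen];
                Marshal.Copy(pbData, plain, 0, plain.Length);
                try
                {
                    ((Payload)HookRuntimeInfo.Callback)._host.ReportPlaintext(
                        RemoteHooking.GetCurrentProcessId(), plain);
                }
                catch { /* a reporting failure must never break the hooked call */ }
            }
            return ok;
        }
    }

    // Host: CryptDecryptHookDemo.exe <target.exe>   (same bitness as the target)
    class Program
    {
        static void Main(string[] args)
        {
            string channel = null;
            RemoteHooking.IpcCreateServer<HookInterface>(ref channel, WellKnownObjectMode.Singleton);
            string payloadDll = typeof(Payload).Assembly.Location;
            int pid;
            // Start the target suspended so the hook is in place before any TLS traffic.
            RemoteHooking.CreateAndInject(args[0], "", 0, payloadDll, payloadDll, out pid, channel);
            Console.WriteLine("Injected into PID {0}; press Enter to quit.", pid);
            Console.ReadLine();
        }
    }
}
```

The ordering in CryptDecrypt_Hooked is the answer to the first question: the result of an API is only visible after the pass-through call returns, so the handler must call the original, then read the out-parameters, then return. Reporting is done through the IPC object because the target often has no console of its own. With EasyHook 2.6 the host additionally has to call Config.Register with the payload assembly before injecting; 2.7 dropped that requirement.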