SSL Encryption

  • #5230
    HennieP
    Participant

      Hi Serpentfly,

      We are working on an application that needs to monitor all traffic for any Trojan that is sending out sensitive information. This works very well for HTTP, but for email and most other protocols that use SSL we are stuck because we cannot read the data. Is it possible with the development version to install the driver below the encryption layer to overcome this? If not, is there any way to overcome this?

      #6692
      Vadim Smirnov
      Keymaster

        SSL encryption is implemented in user mode above the Winsock layer, so there is no way for the driver to intercept unencrypted data.

        Interception of unencrypted data is still possible, but very specific for the particular application. Some applications use the Microsoft SSL crypto provider implemented in secur32.dll, and in order to intercept unencrypted data you have to inject your own DLL into the target process and hook SPI functions between the application and secur32.dll:

        InitializeSecurityContext
        AcceptSecurityContext
        DecryptMessage
        EncryptMessage
        DeleteSecurityContext

        Another possibility commonly used in Windows is the OpenSSL library; the solution is similar, but another set of functions has to be hooked. Custom SSL libraries or other methods of traffic encryption may require different methods.
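Added example, not part of the original posts: because the reply says the approach depends on which TLS library each application uses, this sketch triages processes by the TLS-related DLLs they have loaded, reading text in the layout printed by `tasklist /m`. The process names, the sample listing and the DLL-name patterns are assumptions constructed for illustration.

```python
import re

# Heuristic patterns (assumptions). secur32.dll/sspicli.dll alone are not used as a
# signal because they also serve non-TLS SSPI packages such as NTLM and Kerberos.
TLS_STACKS = {
    "schannel/sspi": re.compile(r"^schannel\.dll$", re.I),
    "openssl": re.compile(r"^(ssleay32|libeay32|libssl.*|libcrypto.*)\.dll$", re.I),
}

# Constructed sample in the `tasklist /m` layout; not captured from a real host.
SAMPLE = """\
Image Name                     PID Modules
========================= ======== ============================================
mailclient.exe                2140 ntdll.dll, kernel32.dll, ws2_32.dll,
                                   secur32.dll, sspicli.dll, schannel.dll
synctool.exe                  3312 ntdll.dll, kernel32.dll, ws2_32.dll,
                                   libssl-3-x64.dll, libcrypto-3-x64.dll
updater.exe                   4408 ntdll.dll, kernel32.dll, ws2_32.dll, sspicli.dll
"""

def parse_tasklist_modules(text):
    """Return {(image, pid): [modules]}, joining wrapped continuation lines."""
    procs, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Image Name", "=")):
            continue
        # Indented lines continue the previous process's module list.
        m = None if line.startswith(" ") else re.match(r"(\S.*?)\s+(\d+)\s+(.*)$", line)
        if m:
            current = (m.group(1), int(m.group(2)))
            procs[current] = []
        if current is None:
            continue
        rest = m.group(3) if m else line
        procs[current] += [x.strip() for x in rest.split(",") if x.strip()]
    return procs

def classify(text):
    """Map each process to the TLS stacks its loaded modules suggest."""
    result = {}
    for key, mods in parse_tasklist_modules(text).items():
        stacks = sorted(n for n, rx in TLS_STACKS.items() if any(rx.match(x) for x in mods))
        uses_sockets = any(x.lower() == "ws2_32.dll" for x in mods)
        # Sockets but no known TLS DLL: statically linked or custom TLS, review by hand.
        result[key] = stacks or (["unknown-or-static"] if uses_sockets else ["no-network"])
    return result

if __name__ == "__main__":
    for (image, pid), stacks in classify(SAMPLE).items():
        print(f"{image:<20} {pid:>6}  {', '.join(stacks)}")
```

A process in the `unknown-or-static` bucket is the "custom SSL libraries" case from the reply: a loaded-module listing cannot show a statically linked TLS library.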
