SSL Encryption


This topic contains 1 reply, has 2 voices, and was last updated by Vadim Smirnov 9 years, 2 months ago.

  • #5230

    HennieP
    Participant

    Hi Serpentfly,

    We are working on an application that needs to monitor all traffic for any Trojan that is sending out sensitive information. This works very well for HTTP, but for email and most others that use SSL we are stuck because we cannot read the data. Is it possible with the development version to install the driver below the encryption layer to overcome this? If not, is there any way to overcome this?

    #6692

    Vadim Smirnov
    Moderator

    SSL encryption is implemented in user mode above the Winsock layer, so there is no way for the driver to intercept unencrypted data.

    Interception of unencrypted data is still possible, but it is very specific to the particular application. Some applications use the Microsoft SSL crypto provider implemented in secur32.dll, and in order to intercept unencrypted data you have to inject your own DLL into the target process and hook SPI functions between the application and secur32.dll:

    InitializeSecurityContext
    AcceptSecurityContext
    DecryptMessage
    EncryptMessage
    DeleteSecurityContext

    Another possibility commonly used in Windows is the OpenSSL library; the solution is similar, but another set of functions has to be hooked. Custom SSL libraries or other methods of traffic encryption may require different methods.
