We are working on an application that needs to monitor all traffic for any Trojan that is sending out sensitive information. This works very well for HTTP, but for email and most other protocols that use SSL we are stuck because we cannot read the data. Is it possible with the development version to install the driver below the encryption layer to overcome this? If not, is there any way to overcome this?
SSL encryption is implemented in user mode above the winsock layer, so there is no way for the driver to intercept unencrypted data.
Interception of unencrypted data is still possible, but it is very specific to the particular application. Some applications use the Microsoft SSL crypto provider implemented in secur32.dll, and in order to intercept unencrypted data you have to inject your own DLL into the target process and hook the SPI functions between the application and secur32.dll:
Another possibility commonly used on Windows is the OpenSSL library; the solution is similar, but a different set of functions has to be hooked. Custom SSL libraries or other methods of traffic encryption may require different methods.