HookMe, a tool for intercepting communications with API hooking

martes, 5 de noviembre de 2013

HookMe is a tool for Windows that allows to intercept system processes when calling APIs needed for network connections. The tool, still in beta, was developed by Manuel Fernández (now in Eleven Paths team) and Francisco Oca (one of the first developers of the earlier versions of FOCA). The tool was presented in BlackHat Europe & USA 2013.

When malware is analyzed, it is usual to study network traffic to better understand how it communicates with some external server, what information it downloads, and what commands it receives or sends. Usually, this kind of malware uses http or https to communicate, and the tools to actually get to "see" that traffic are well known (acting as a man in the middle). However, more sophisticated malware may use its own protocol encapsulated under SSL, even checking the server's certificate (if it doesn't get to communicate with a server that holds a specific certificate that is embedded in its code, it refuses to establish connection). Analyzing in a more comfortable way this kind of malware was the motivation to create this tool, but it may be useful for some scenarios, for instance:
  • Analyzing and modifying network protocols.
  • Application firewall (thanks to "on the fly" filters that it supports).
  • A tool for post-explotation and creating backdoors (injecting malware over the network protocol in a certain application).
API Hooking

Roughly, the hooking technique consists in intercepting communications between different processes, may it be function calls, events or messages. In the case of HookME, the hook is done between the calls that a certain process makes to data reception and data sending APIs.

When hooking any call, different techniques may be used. The most used are "AIT Hooking" and "InLine Hooking". The latest is the one used by HookMe. It consists in modifying the code of the function that is going to be hooked, and jump to another portion of code before executing the original one. This modification consists in an unconditional jump (JMP) that points to some other memory address where actions by the hook itself are implemented.

The following figures show the before and after look of hooking a call to the "send" API in WS2_32.dll.

"Send" function code before and after adding the hook
As observed, the memory address where the function "send" starts is 0x71A34C27 and implements a MOV EDI,EDI command. This instruction is replaced by an unconditional jump (JMP) to 0x0576000 address. This address will implement hook instructions code. The program, to solve potential errors because of functions changing addresses in different operative systems or versions, uses the well known Nektra Deviare2 DLL.

Windows sending and recieving APIs

HookMe's goal is to intercept network sending and receiving API calls. The ones used for this in Windows are:
The first six ones are responsible for sending and receiving data over the network, in different ways. The two others (EncryptMessage and DecryptMessage) have a different goal. They are used by applications to cipher and decipher data in an easy way, supporting different cryptographic algorithms. These two APIs are hooked to get access to clear text data directly even if they are going to be sent over a secure channel (like SSL). Hookme, when intercepting these calls, allows the user to see and modify the input and output of these functions, even clear text data of SSL connections using Windows CryptoAPI. This is possible because data is intercepted just before it is ciphered and just after they are decrypted.

In the following figure, the interface shows clear text requests that is about to be sent by HTTPS. The shown content is the one going to be ciphered.

The interface

To get to hook the functions, HookMe implements a graphical interface that allows to be attached to a process (intercept and take over it). Before that, it is recommended to select the right API that is going to be intercepted. This is done with the menu in "Configuration, Hooks".

Once a call is "hooked", from the user interface it's possible to intercept calls, or "let them go" with  Intercepting is ON / Intercepting is OFF button. If intercepted, the program will show its content in hexadecimal and text (ANSI).

From this window, the content may be modified before it is sent to the API or before data is returned back to the application (when the API returns something). In the screenshot above, the communication of HeidiSQL (a Windows graphical client for MySQL) is being intercepted. The screenshot shows the exact authentication packet between client and server. In 0x24 offset ‘root’ user is shown, and in 0x29 the hash of the password that has been introduced.

HookME can apply on the fly replace rules, without the user interacting. In the tab Match and replace, rules can be added by right clicking and selecting Add. A new window will pop up where the rule may be specified.

Once the replacement rule is applied, in the figure below you can see how the SQL Select ‘hello :)’ statement is received as an answer to “11 Paths” string. With these changes, firewall applications could be implemented, filtering some parameters that received over the network by the applications could represent a risk.

An important feature is that HookMe supports plugins developed in Python. These plugins may be created with different goals, like saving communications in a file, modifying traffic,  certificates, application firewalls, etc. The following screenshot shows the interface where plugins are loaded, and a simple Python interface inside the application itself.

One of the available plugins is MySQL_Backdoor.txt which forces HookMe to attach itself to mysqld.exe process and listens to a specially crafted packet. In this case it looks for the "|exec command|" string. This string may be sent as a username during authentication process, for instance. A video recording explaining this plugin is available here:

The tool may be freely downloaded. License and more details are available from its official web https://code.google.com/p/hookme/

Manuen Fernández

No hay comentarios:

Publicar un comentario en la entrada