Memitm - Tool To Brand Inward Retentivity Homo Inward The Middle
The MemITM (Mem In The Middle) tool has been developped inward lodge to easily intercept "messages" inward Windows processes memory. We developped a lot of custom retention interception tools inward lodge to capture network messages earlier encryption, or IPC messages, too to survive able to inspect them or alter them to produce about fuzzing. Each tool was actually custom, non generic, implemented inward C/ASM too was non tardily to use/maintain/adapt.
The MemITM tool has been developped inward lodge to address these problems, too consists inward :
- an IDA Python script, which generates a "config" file, indicating where too how the interception points convey to survive placed (relative address, how to discovery the buffer too its size, how to house the hook, etc.) ;
- the DLL file, which volition survive injected inward the target procedure too volition loads the config too places the hooks ;
- a DLL file injector, which volition charge the DLL inward the target procedure ;
- a python script, which communicates amongst the injected DLL/hooks, too gets inward realtime the intercepted buffers (and tin alter them) inward actually elementary callbacks yous tin modify every bit yous want.
How elementary is MemITM? (Example1: WriteFile)
Let's tell yous desire to intercept file writes (there are simpler ways to produce it, but that's for the example) inward a specific Windows process. File writes are performed past times the
WriteFile
function, which is exported past times kernelbase.dll
, too follows the scheme BOOL WriteFile( HANDLE hFile, LPCVOID lpBuffer, DWORD nNumberOfBytesToWrite, ...)
. WriteFile is a __fastcall
component : lpBuffer
is pointed past times RDX
too NumberOfBytesToWrite
past times R8
. Let's intercept these buffers.- open your "kernelbase.dll" file inward IDA Pro, charge the
generate.idapython.py
script, too only rungetHook(LocByName("WriteFile"), "rdx","r8")
followed past timesupdateConfig("config.bin")
.
- run a notepad too then,
python memitm.py notepad.exe config.bin
.
WriteFile
function, too the memitm.py
"logger" too "fuzzer" functions volition have a re-create of the buffer.My buffer is non pointed past times a register! (Example2: NtCreateFile)
The
getHook
component allows specifying registers for the buffer too its size, but inward about cases it may non survive the case. Let's tell yous desire to intercept NtCreateFile
syscalls too become the filename. NtCreateFile
follows the scheme NTSTATUS NtCreateFile( OUT PHANDLE FileHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, ...)
, too the file lift tin survive obtained past times ObjectAttributes->ObjectName->Buffer
(size is ObjectAttributes->ObjectName->Length * sizeof(WCHAR)
).getHook
also allows specifying a shellcode inward its t1customOpcodes
parameter instead of registers. This shellcode must :- place the buffer pointer into the
RCX
register; - place the buffer's size into the
RDX
register; - not mess upward amongst the stack.
NtCreateFile
case, nosotros tin only run this ASM code to produce the work:mov rax, [r8+0x10] ; rax is instantly ObjectAttributes->ObjectName mov rcx, [rax + 0x10] ; rcx is instantly ObjectAttributes->ObjectName->Buffer mov rdx, [rax] ; rdx is instantly ObjectAttributes->ObjectName->Length too rdx, 0xFFFF ; Length is a USHORT shl rdx, 1 ; too must survive *2
Let's get together this (using for instance the online disassembly website) : 498B4010488B4810488B104881E2FFFF000048D1E2
. Our getHook
telephone phone should instantly survive getHook(LocByName("NtCreateFile", t1customOpcodes="498B…E2")
.Can I intercept multiple calls?
Yes! The config file tin embed multiple interception points definitions, too the
getHook
component appends the file. You tin laid interception points inward multiple modules. For instance, yous tin intercept ALPC too IOCTL messages at the same time.You volition survive able to diffentiate them past times their "message ID" inward the python callbacks.
Oops, BSOD/system freeze!
Don't worry, at that spot is also a elementary HTTP server (
logserver.py
) too the httpNetSend
component which permit yous to post your examine cases (and modification) to a remote host inward realtime.How produce I fuzz?
Well, yous tin offset using the
bufferBitFlip
component inward lodge to... flip several bits. Logging raw messages volition permit yous to write your ain dissector, too to offset implementing manually a amend fuzzer :). Remember: yous can't alter the buffer size!For instance, inward our
WriteFile
example, the next fuzzer
component volition supersede "hello" past times "world":def fuzzer(data, msgID=None, pid = 0): provide data.replace("hello","world")
Example3: dissecting ALPC messages
For instance, for ALPC messages, yous may convey the next
memitm.py
setup:def logger(data, msgID=None, pid=0): totalLen = 0 dataLen = 0 typ = 0 dataInfoOffset = 0 cid = 0 tid = 0 messageID = 0 clientViewSize = 0 # skip the PORT_MESSAGE header (0x18 bytes) if len(data) > 0x18: totalLen = struct.unpack("
How does it industrial plant internally?
The IDA Pro script embeds a elementary "hooking" engine, which allows moving several instructions to a specific surface area (derived from our DIMCT tool). It must grip lots of corner cases, such every bit retention relative instructions, cross references, etc. too volition likely display lots of "can't install claw here" if yous endeavor intercepting actually pocket-size basic blocks (<5 bytes for x86 binaries, <12 bytes for x64 ones) which incorporate multiple cross-references. For to a greater extent than information, only read the source code :).
It generates the next information inward the config file:
- the module name;
- the relative address of the interception point;
- the interception claw surface area (aka "T1 trampoline"), which places the buffer/length into
RCX
/RDX
too calls the DLL log routine; - the restoration claw surface area (aka "T2 trampoline"), which restores the context too executes replaced instructions earlier returning to the interception point;
- the restoration claw surface area relocations, for relative instructions which convey been converted to absolute ones too must survive patched.
CreateRemoteThread
/LoadLibraryA
stuff).The DLL itself initiates a shared retention surface area too waits for the config information (the shared retention surface area has iii generic fields : the shared retention message ID, the message size too the message buffer). Once received, it parses too installs the hooks inward memory, too no config update volition survive allowed afterward this (you must kill the procedure if yous desire to gear upward novel hooks). Any placed claw volition land inward the
genericHookFunction
DLL function. This component only fills the retention surface area (protected amongst critical sections) amongst the buffer data, its size too the message ID (set inward higher bits of the shared retention message ID field). In lodge to notify the python process, 2 events are used to signal novel messages too to await for the procedure to piece them (timeout is 2 seconds). If the buffer has been updated, the master copy buffer is modified too.The
memitm.py
script runs the injector process, too waits for the shared retention to survive created. It hence sends the configuration too waits for the message event. When received, the shared retention is read too the logger
too fuzzer
functions are called amongst the buffer, the procedure ID too the message ID. If the logger
component returns a unlike buffer than the master copy i too its size is equal, it is written to the shared retention area. The "ACK" number is hence signaled, too the script waits for a novel message.That's it!
We promise this tool volition survive useful, whatever contrib/reviews volition survive appreciated! Also, if you're French too similar Rennes, we're hiring :)