ssljack.c

/* **********************************************************
 * Copyright (c) 2015-2018 Google, Inc.  All rights reserved.
 * **********************************************************/

/*
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are met:
 *
 * * Redistributions of source code must retain the above copyright notice,
 *   this list of conditions and the following disclaimer.
 *
 * * Redistributions in binary form must reproduce the above copyright notice,
 *   this list of conditions and the following disclaimer in the documentation
 *   and/or other materials provided with the distribution.
 *
 * * Neither the name of Google, Inc. nor the names of its contributors may be
 *   used to endorse or promote products derived from this software without
 *   specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL GOOGLE, INC. OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
 * DAMAGE.
 */

/*
 * ssljack hijacks (wraps) interesting OpenSSL and GnuTLS functions using the
 * drwrap extension. ssljack creates separate read and write files per SSL
 * context containing all the data the app read and wrote.
 *
 * Hacked together by Dhiru Kholia (dhiru [at] openwall [dot] com)
 *
 * "ssl-jack" was initially published on the https://github.com/kholia/dedrop
 * page by me. This revision integrates changes from Dragos-George Comaneci, to
 * improve logging.
 */

#include "dr_api.h"
#include "utils.h"
#include "drwrap.h"
#include "drmgr.h"
#include <stdio.h>
#include <string.h>

/* OpenSSL and GnuTLS - shared wrappers */
static void
wrap_pre_SSL_write(void *wrapcxt, OUT void **user_data);
static void
wrap_pre_SSL_read(void *wrapcxt, OUT void **user_data);
static void
wrap_post_SSL_read(void *wrapcxt, void *user_data);

struct SSL_read_data {
    unsigned char *read_buffer;
    void *ssl;
};

static void
module_load_event(void *drcontext, const module_data_t *mod, bool loaded)
{
    app_pc towrap = (app_pc)dr_get_proc_address(mod->handle, "SSL_write");
    if (towrap != NULL) {
        bool ok = drwrap_wrap(towrap, wrap_pre_SSL_write, NULL);
        if (!ok) {
            dr_fprintf(STDERR, "Couldn’t wrap SSL_write\n");
            DR_ASSERT(ok);
        }
    }

    towrap = (app_pc)dr_get_proc_address(mod->handle, "SSL_read");
    if (towrap != NULL) {
        bool ok = drwrap_wrap(towrap, wrap_pre_SSL_read, wrap_post_SSL_read);
        if (!ok) {
            dr_fprintf(STDERR, "Couldn’t wrap SSL_read\n");
            DR_ASSERT(ok);
        }
    }

    towrap = (app_pc)dr_get_proc_address(mod->handle, "gnutls_record_send");
    if (towrap != NULL) {
        bool ok = drwrap_wrap(towrap, wrap_pre_SSL_write, NULL);
        if (!ok) {
            dr_fprintf(STDERR, "Couldn’t wrap gnutls_record_send\n");
            DR_ASSERT(ok);
        }
    }

    towrap = (app_pc)dr_get_proc_address(mod->handle, "gnutls_record_recv");
    if (towrap != NULL) {
        bool ok = drwrap_wrap(towrap, wrap_pre_SSL_read, wrap_post_SSL_read);
        if (!ok) {
            dr_fprintf(STDERR, "Couldn’t wrap gnutls_record_recv\n");
            DR_ASSERT(ok);
        }
    }
}

static void
event_exit(void)
{
    drwrap_exit();
    drmgr_exit();
}

DR_EXPORT void
dr_init(client_id_t id)
{
    dr_set_client_name("DynamoRIO client 'ssljack'", "http://dynamorio.org/issues");
    /* make it easy to tell, by looking at log file, which client executed */
    dr_log(NULL, DR_LOG_ALL, 1, "Client ssljack initializing\n");
#ifdef SHOW_RESULTS
    if (dr_is_notify_on()) {
        dr_fprintf(STDERR, "Client ssljack running! See trace-* files for SSL logs!\n");
    }
#endif

    drmgr_init();
    drwrap_init();
    dr_register_exit_event(event_exit);
    drmgr_register_module_load_event(module_load_event);
}

static void
wrap_pre_SSL_write(void *wrapcxt, OUT void **user_data)
{
    /* int SSL_write(SSL *ssl, const void *buf, int num);
     *
     * ssize_t gnutls_record_send(gnutls_session_t session,
     *                            const void * data, size_t sizeofdata);
     */

    void *ssl = (void *)drwrap_get_arg(wrapcxt, 0);
    unsigned char *buf = (unsigned char *)drwrap_get_arg(wrapcxt, 1);
    size_t sz = (size_t)drwrap_get_arg(wrapcxt, 2);

    /* By generating unique filenames (per SSL context), we are able to
     * simplify logging of SSL traffic (no file locking is required).
     */
    char filename[MAXIMUM_PATH] = { 0 };
    dr_snprintf(filename, BUFFER_SIZE_ELEMENTS(filename), "trace-%x.write", ssl);
    NULL_TERMINATE_BUFFER(filename);
    FILE *fp = fopen(filename, "ab+");
    /* Error handling of logging operations isn't critical - in fact, we don't
     * even know what to do in such error conditions, so we simply return!
     */
    if (!fp) {
        dr_fprintf(STDERR, "Couldn’t open the output file %s\n", filename);
        return;
    }

    /* We assume that SSL_write always succeeds and writes the whole buffer. */
    fwrite(buf, 1, sz, fp);
    fclose(fp);
}

static void
wrap_pre_SSL_read(void *wrapcxt, OUT void **user_data)
{
    struct SSL_read_data *sd;

    /* int SSL_read(SSL *ssl, void *buf, int num);
     *
     * ssize_t gnutls_record_recv(gnutls_session_t session,
     *                            void * data, size_t sizeofdata);
     */

    sd = dr_global_alloc(sizeof(struct SSL_read_data));
    sd->read_buffer = (unsigned char *)drwrap_get_arg(wrapcxt, 1);
    sd->ssl = (void *)drwrap_get_arg(wrapcxt, 0);

    *user_data = (void *)sd;
}

static void
wrap_post_SSL_read(void *wrapcxt, void *user_data)
{
    struct SSL_read_data *sd = (struct SSL_read_data *)user_data;

    int actual_read = (int)(ptr_int_t)drwrap_get_retval(wrapcxt);

    char filename[MAXIMUM_PATH] = { 0 };
    dr_snprintf(filename, BUFFER_SIZE_ELEMENTS(filename), "trace-%x.read", sd->ssl);
    NULL_TERMINATE_BUFFER(filename);
    FILE *fp = fopen(filename, "ab+");
    if (!fp) {
        dr_fprintf(STDERR, "Couldn’t open the output file %s\n", filename);
        dr_global_free(user_data, sizeof(struct SSL_read_data));
        return;
    }

    if (actual_read > 0) {
        fwrite(sd->read_buffer, 1, actual_read, fp);
    }
    fclose(fp);

    dr_global_free(user_data, sizeof(struct SSL_read_data));
}
	/* **********************************************************
	* Copyright (c) 2015-2018 Google, Inc. All rights reserved.
	* **********************************************************/

	/*
	* Redistribution and use in source and binary forms, with or without
	* modification, are permitted provided that the following conditions are met:
	*
	* * Redistributions of source code must retain the above copyright notice,
	* this list of conditions and the following disclaimer.
	*
	* * Redistributions in binary form must reproduce the above copyright notice,
	* this list of conditions and the following disclaimer in the documentation
	* and/or other materials provided with the distribution.
	*
	* * Neither the name of Google, Inc. nor the names of its contributors may be
	* used to endorse or promote products derived from this software without
	* specific prior written permission.
	*
	* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
	* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
	* ARE DISCLAIMED. IN NO EVENT SHALL GOOGLE, INC. OR CONTRIBUTORS BE LIABLE
	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
	* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
	* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
	* DAMAGE.
	*/

	/*
	* ssljack hijacks (wraps) interesting OpenSSL and GnuTLS functions using the
	* drwrap extension. ssljack creates separate read and write files per SSL
	* context containing all the data the app read and wrote.
	*
	* Hacked together by Dhiru Kholia (dhiru [at] openwall [dot] com)
	*
	* "ssl-jack" was initially published on the https://github.com/kholia/dedrop
	* page by me. This revision integrates changes from Dragos-George Comaneci, to
	* improve logging.
	*/

	#include "dr_api.h"
	#include "utils.h"
	#include "drwrap.h"
	#include "drmgr.h"
	#include <stdio.h>
	#include <string.h>

	/* OpenSSL and GnuTLS - shared wrappers */
	static void
	wrap_pre_SSL_write(void wrapcxt, OUT void *user_data);
	static void
	wrap_pre_SSL_read(void wrapcxt, OUT void *user_data);
	static void
	wrap_post_SSL_read(void wrapcxt, void user_data);

	struct SSL_read_data {
	unsigned char *read_buffer;
	void *ssl;
	};

	static void
	module_load_event(void drcontext, const module_data_t mod, bool loaded)
	{
	app_pc towrap = (app_pc)dr_get_proc_address(mod->handle, "SSL_write");
	if (towrap != NULL) {
	bool ok = drwrap_wrap(towrap, wrap_pre_SSL_write, NULL);
	if (!ok) {
	dr_fprintf(STDERR, "Couldn’t wrap SSL_write\n");
	DR_ASSERT(ok);
	}
	}

	towrap = (app_pc)dr_get_proc_address(mod->handle, "SSL_read");
	if (towrap != NULL) {
	bool ok = drwrap_wrap(towrap, wrap_pre_SSL_read, wrap_post_SSL_read);
	if (!ok) {
	dr_fprintf(STDERR, "Couldn’t wrap SSL_read\n");
	DR_ASSERT(ok);
	}
	}

	towrap = (app_pc)dr_get_proc_address(mod->handle, "gnutls_record_send");
	if (towrap != NULL) {
	bool ok = drwrap_wrap(towrap, wrap_pre_SSL_write, NULL);
	if (!ok) {
	dr_fprintf(STDERR, "Couldn’t wrap gnutls_record_send\n");
	DR_ASSERT(ok);
	}
	}

	towrap = (app_pc)dr_get_proc_address(mod->handle, "gnutls_record_recv");
	if (towrap != NULL) {
	bool ok = drwrap_wrap(towrap, wrap_pre_SSL_read, wrap_post_SSL_read);
	if (!ok) {
	dr_fprintf(STDERR, "Couldn’t wrap gnutls_record_recv\n");
	DR_ASSERT(ok);
	}
	}
	}

	static void
	event_exit(void)
	{
	drwrap_exit();
	drmgr_exit();
	}

	DR_EXPORT void
	dr_init(client_id_t id)
	{
	dr_set_client_name("DynamoRIO client 'ssljack'", "http://dynamorio.org/issues");
	/* make it easy to tell, by looking at log file, which client executed */
	dr_log(NULL, DR_LOG_ALL, 1, "Client ssljack initializing\n");
	#ifdef SHOW_RESULTS
	if (dr_is_notify_on()) {
	dr_fprintf(STDERR, "Client ssljack running! See trace-* files for SSL logs!\n");
	}
	#endif

	drmgr_init();
	drwrap_init();
	dr_register_exit_event(event_exit);
	drmgr_register_module_load_event(module_load_event);
	}

	static void
	wrap_pre_SSL_write(void wrapcxt, OUT void *user_data)
	{
	/* int SSL_write(SSL ssl, const void buf, int num);
	*
	* ssize_t gnutls_record_send(gnutls_session_t session,
	* const void * data, size_t sizeofdata);
	*/

	void ssl = (void )drwrap_get_arg(wrapcxt, 0);
	unsigned char buf = (unsigned char )drwrap_get_arg(wrapcxt, 1);
	size_t sz = (size_t)drwrap_get_arg(wrapcxt, 2);

	/* By generating unique filenames (per SSL context), we are able to
	* simplify logging of SSL traffic (no file locking is required).
	*/
	char filename[MAXIMUM_PATH] = { 0 };
	dr_snprintf(filename, BUFFER_SIZE_ELEMENTS(filename), "trace-%x.write", ssl);
	NULL_TERMINATE_BUFFER(filename);
	FILE *fp = fopen(filename, "ab+");
	/* Error handling of logging operations isn't critical - in fact, we don't
	* even know what to do in such error conditions, so we simply return!
	*/
	if (!fp) {
	dr_fprintf(STDERR, "Couldn’t open the output file %s\n", filename);
	return;
	}

	/* We assume that SSL_write always succeeds and writes the whole buffer. */
	fwrite(buf, 1, sz, fp);
	fclose(fp);
	}

	static void
	wrap_pre_SSL_read(void wrapcxt, OUT void *user_data)
	{
	struct SSL_read_data *sd;

	/* int SSL_read(SSL ssl, void buf, int num);
	*
	* ssize_t gnutls_record_recv(gnutls_session_t session,
	* void * data, size_t sizeofdata);
	*/

	sd = dr_global_alloc(sizeof(struct SSL_read_data));
	sd->read_buffer = (unsigned char *)drwrap_get_arg(wrapcxt, 1);
	sd->ssl = (void *)drwrap_get_arg(wrapcxt, 0);

	user_data = (void )sd;
	}

	static void
	wrap_post_SSL_read(void wrapcxt, void user_data)
	{
	struct SSL_read_data sd = (struct SSL_read_data )user_data;

	int actual_read = (int)(ptr_int_t)drwrap_get_retval(wrapcxt);

	char filename[MAXIMUM_PATH] = { 0 };
	dr_snprintf(filename, BUFFER_SIZE_ELEMENTS(filename), "trace-%x.read", sd->ssl);
	NULL_TERMINATE_BUFFER(filename);
	FILE *fp = fopen(filename, "ab+");
	if (!fp) {
	dr_fprintf(STDERR, "Couldn’t open the output file %s\n", filename);
	dr_global_free(user_data, sizeof(struct SSL_read_data));
	return;
	}

	if (actual_read > 0) {
	fwrite(sd->read_buffer, 1, actual_read, fp);
	}
	fclose(fp);

	dr_global_free(user_data, sizeof(struct SSL_read_data));
	}