2

So I recently hooked PR_Write in Mozilla and was able to log the results (literally all of the connection) to a log file. There's one problem, however: I was assuming that after hooking PR_Write I would be able to capture HTTPS data, but when I log in to an HTTPS server, it doesn't capture the unencrypted POST data. I tried using localhost and making a fake POST, and it captures the localhost POST, since that isn't encrypted. Isn't the point of hooking PR_Write to capture all kinds of data?

This is the prototype of PR_Write that I'm using, and the variable:

    typedef int (*Custom_Write)(PVOID, LPVOID, INT);
    Custom_Write c_write=NULL;

PR_Write definition by Mozilla

In the detour function, I call the original PR_Write through the address stored in c_write, which I obtained using GetProcAddress. Below is how it's called:

// detour function
int detour_pr_write(int fd, LPVOID buf, int bytes)
{
    // ... code for virtual protect
    int retaddr=c_write(fd, buf, bytes);
    // file functions
    fwrite(buf, sizeof(char), strlen(buf), fileHandle);
    // ... code for virtual protect
    return retaddr;    // go to original function
}

The logging and other stuff work fine, but when it comes down to writing encrypted POST data, it fails. It ends up writing gibberish.

demogorgon
  • 49
  • 1
  • 9

1 Answer

1

`fwrite(buf, sizeof(char), strlen(buf), fileHandle);` - the strlen() call is both inappropriate and unnecessary. Not only does it not work reliably with void pointers that may, or may not, point at null-terminated char arrays, it is redundant because you already know how many bytes/chars to write - it's passed in as the `int bytes` parameter.

Get rid of the strlen() call:

    fwrite(buf, 1, bytes, fileHandle);

strlen() is not required and cannot work reliably with binary data that may contain embedded nulls.

With network code, strlen() is a disaster 99.9% of the time.

Martin James
  • 24,453
  • 3
  • 36
  • 60
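An added illustration of the answer's point, written for this page and not taken from the question or the answer: a constructed binary buffer with an embedded 0x00 byte is logged once through a strlen()-derived length and once through the length the caller already has. The `sample_frame` bytes, `log_buffer`, `bytes_seen_by_strlen` and `hex_encode` are all assumptions made for the demonstration; the hex encoder is there because dumping raw binary into a text log is what produces "gibberish", and a hex line stays readable regardless of what the bytes contain.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: an application buffer that is binary data, not a
   C string. Protocol frames and TLS records routinely contain 0x00, so
   any strlen()-based length stops early, and a buffer with no NUL at all
   makes strlen() read past the end entirely. */
static const unsigned char sample_frame[] = {
    'P', 'O', 'S', 'T', ' ', '/', 0x00, 0x01, 0x02, 0xFF, 'e', 'n', 'd'
};
#define SAMPLE_LEN ((int)sizeof(sample_frame))

/* The broken approach from the question: treat the buffer as a string.
   Returns what strlen() reports, i.e. how many bytes the original
   fwrite(buf, 1, strlen(buf), ...) would have logged. Only safe to call
   here because the sample is known to contain a 0x00 byte. */
int bytes_seen_by_strlen(const void *buf)
{
    return (int)strlen((const char *)buf);
}

/* The corrected approach: write exactly the length the caller passed.
   Returns the number of bytes actually written so the caller can verify. */
size_t log_buffer(const void *buf, int bytes, FILE *out)
{
    if (buf == NULL || out == NULL || bytes <= 0)
        return 0;
    return fwrite(buf, 1, (size_t)bytes, out);
}

/* Encode `bytes` bytes of `buf` as lowercase hex into `out`. Returns the
   number of hex characters produced (0 if `out` is too small). A hex
   dump keeps a text log readable even for purely binary payloads. */
size_t hex_encode(const void *buf, int bytes, char *out, size_t outlen)
{
    const unsigned char *p = (const unsigned char *)buf;
    static const char digits[] = "0123456789abcdef";
    size_t needed = (size_t)bytes * 2 + 1;   /* two chars per byte + NUL */
    if (buf == NULL || out == NULL || bytes <= 0 || outlen < needed)
        return 0;
    for (int i = 0; i < bytes; i++) {
        out[2 * i]     = digits[p[i] >> 4];
        out[2 * i + 1] = digits[p[i] & 0x0F];
    }
    out[needed - 1] = '\0';
    return needed - 1;
}

/* Demonstration: log the sample with the corrected call into a temporary
   file and report how many bytes landed there (-1 if no temp file). */
long logged_length_with_correct_call(void)
{
    FILE *tmp = tmpfile();
    if (tmp == NULL)
        return -1;
    size_t n = log_buffer(sample_frame, SAMPLE_LEN, tmp);
    fclose(tmp);
    return (long)n;
}

int main(void)
{
    char hex[2 * SAMPLE_LEN + 1];
    printf("buffer length passed by caller : %d\n", SAMPLE_LEN);
    printf("length strlen() would report   : %d\n",
           bytes_seen_by_strlen(sample_frame));
    printf("bytes logged with fixed call   : %ld\n",
           logged_length_with_correct_call());
    hex_encode(sample_frame, SAMPLE_LEN, hex, sizeof hex);
    printf("hex dump                       : %s\n", hex);
    return 0;
}
```

Running it shows strlen() stopping at byte 6 while the caller's length logs all 13, which is exactly the truncation the answer warns about; the hex dump is what a log line for such a buffer should look like.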