ngo / win-frida-scripts


Error: ncrypt.dll: unable to find export 'SslHashHandshake' #1

Closed allblackfire closed 3 years ago

allblackfire commented 3 years ago

I get an error when I use the script to get sslkey.log

D:\tmp\20210425\win-frida-scripts\lsasslkeylog-easy>frida --no-pause C:\Windows\System32\lsass.exe -l keylog.js
     ____
    / _  |   Frida 14.2.16 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
Spawned `C:\Windows\System32\lsass.exe`. Resuming main thread!
Error: ncrypt.dll: unable to find export 'SslHashHandshake'
    at value (frida/runtime/core.js:194)
    at <eval> (/keylog.js:19)
[Local::lsass.exe]-> exit

Thank you for using Frida!

ngo commented 3 years ago

Hi, thanks for trying out the research!

I find it odd that frida says "Spawned C:\Windows\System32\lsass.exe", as if it indeed spawns a new lsass.exe instead of attaching to an existing one. Why are you using a full path instead of just the process name?

What version of Windows (as reported by systeminfo) are you using? Could you provide a copy of your ncrypt.dll (should be in C:\Windows\system32) for analysis?

allblackfire commented 3 years ago

I get an error like this

C:\Users\Tom\Desktop>frida --no-pause lsass.exe -l win-frida-scripts\lsasslkeylog-easy\keylog.js
     ____
    / _  |   Frida 14.2.18 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/

Error: ncrypt.dll: unable to find export 'SslHashHandshake'
    at value (frida/runtime/core.js:194)
    at <eval> (/keylog.js:19)
[Local::lsass.exe]->

My computer is: 6.1.7601 Service Pack 1 Build 7601. Attachment: ncrypt.zip

allblackfire commented 3 years ago

I can find the function in ncrypt.dll.

NTSTATUS __fastcall SslHashHandshake(__int64 a1, __int64 a2, UCHAR *a3, ULONG a4, int a5)
{
  __int64 (__fastcall *v5)(_DWORD *, __int64); // r11
  _DWORD *v6; // r10
  __int64 v7; // rbx
  UCHAR *v8; // rbp
  ULONG v9; // esi
  NTSTATUS result; // eax
  void *v11; // rcx
  int v12; // ecx

  JUMPOUT(a1, 0i64, sub_7FF729E3F16);
  JUMPOUT(*(_DWORD *)a1, 272, sub_7FF729E3F16);
  JUMPOUT(*(_DWORD *)(a1 + 4), 1145324609, sub_7FF729E3F16);
  JUMPOUT(*(_DWORD *)(a1 + 12), 0, sub_7FF729E3F16);
  JUMPOUT(a2, 0i64, sub_7FF729E3F0F);
  JUMPOUT(*(_DWORD *)a2, 32, sub_7FF729E3F0F);
  JUMPOUT(*(_DWORD *)(a2 + 4), 1145324611, sub_7FF729E3F0F);
  v5 = *(__int64 (__fastcall **)(_DWORD *, __int64))(a1 + 160);
  v6 = *(_DWORD **)(a1 + 264);
  v7 = *(_QWORD *)(a2 + 16);
  v8 = a3;
  v9 = a4;
  if ( (char *)v5 == (char *)&SPSslHashHandshake )
  {
    if ( v6 && *v6 >= 0x130u && v6[1] == 1936944177 )
    {
      if ( v7 && *(_DWORD *)v7 >= 0x30u && *(_DWORD *)(v7 + 4) == 1936944178 )
      {
        if ( a3 )
        {
          if ( a5 )
          {
            result = -2146893815;
          }
          else if ( !a4
                 || (result = BCryptHashData_1(*(BCRYPT_HASH_HANDLE *)(v7 + 16), a3, a4, 0), result >= 0)
                 && ((v11 = *(void **)(v7 + 32)) == 0i64 || (result = BCryptHashData_1(v11, v8, v9, 0), result >= 0)) )
          {
            result = 0;
          }
        }
        else
        {
          result = -2146893785;
        }
      }
      else
      {
        result = -2146893786;
      }
    }
    else
    {
      result = -2146893786;
    }
  }
  else
  {
    result = v5(v6, v7);
  }
  if ( result >= 0 )
    result = 0;
  v12 = ((unsigned int)result >> 16) & 0x1FFF;
  if ( v12 != 9 && v12 != 16 )
  {
    JUMPOUT(result, 0, sub_7FF729E3F1D);
    result = 0;
  }
  return result;
}

ngo commented 3 years ago

I've created a win7 x64 setup and in my case there are no problems with SslHashHandshake. There are similar problems with SslExpandTrafficKeys and SslExpandExporterMasterKey. I believe that in your case the SslHashHandshake function, while present in the dll, is not among exports.

As a temporary workaround, could you try commenting out interception of SslHashHandshake, SslExpandTrafficKeys and SslExpandExporterMasterKey (lines 152-182 and 19-36) and see if it works?

ngo commented 3 years ago

Hmm, interestingly enough, your ncrypt.dll does export SslHashHandshake (as reported by visual studio's dumpbin), and I have no idea as to why frida is not able to detect that.

ngo commented 3 years ago

Hey @allblackfire, I've done a retest replacing original ncrypt.dll of my win7 x64 VM (which has version 6.1.7601.24291) with your ncrypt.dll (which has version 6.1.7601.24231). I still cannot reproduce the inability to find SslHashHandshake export - the only thing I needed to get it to work was commenting out SslExpandTrafficKeys and SslExpandExporterMasterKey (which are tls1.3 functions and tls 1.3 I believe is not supported by win 7 at all).

One minor thing - I did my tests using the lsass.exe PID instead of specifying the filename (i.e. tasklist | findstr lsass => use the PID found instead of lsass.exe when launching frida). Not sure why it doesn't work for me on win7 using the filename.

Which version of frida are you using? I did the test using frida.exe v 14.2.18 (can be checked using frida --version), which I installed via pip install frida-tools (using python 3.8.10 downloaded from python.org).

ngo commented 3 years ago

I've modified code to include checks for missing functions. But the fact that frida cannot find SslHashHandshake is still a mystery to me.

If you are able to reproduce the bug in a minimal VM and send me a link to an OVA, I'm willing to investigate.
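The "checks for missing functions" mentioned above are described but not shown in this thread. The snippet below is an added illustration, not the repository's keylog.js: it resolves each ncrypt.dll export with Module.findExportByName before calling Interceptor.attach, so an absent export (as in this issue) produces a warning instead of an uncaught error on line 19. The resolver is passed in as a parameter so the partitioning logic can also be exercised outside Frida.

```javascript
// Added example (not the win-frida-scripts code). Hook ncrypt.dll SSL
// functions only when the export is actually present in the loaded module.

// Export names the keylog script hooks; the two TLS 1.3 ones are absent on Win7.
const NCRYPT_HOOKS = [
  'SslHashHandshake',
  'SslExpandTrafficKeys',
  'SslExpandExporterMasterKey',
];

// Split `names` into those `resolve(module, name)` can locate and those it
// cannot. `resolve` mirrors Module.findExportByName: it returns an address
// (NativePointer in Frida) or null. Injected so this runs without Frida too.
function partitionExports(moduleName, names, resolve) {
  const found = {};
  const missing = [];
  for (const name of names) {
    const addr = resolve(moduleName, name);
    if (addr === null || addr === undefined) {
      missing.push(name);
    } else {
      found[name] = addr;
    }
  }
  return { found, missing };
}

// Attach to every resolvable export and warn about the rest instead of
// throwing. Returns the list of names that were actually hooked.
function attachGuarded(moduleName, names, onEnter) {
  const resolve = (m, n) => Module.findExportByName(m, n); // Frida API
  const { found, missing } = partitionExports(moduleName, names, resolve);
  for (const name of missing) {
    console.warn(`[!] ${moduleName}: export '${name}' not found, skipping hook`);
  }
  for (const name of Object.keys(found)) {
    Interceptor.attach(found[name], {
      onEnter(args) { onEnter(name, args); },
    });
  }
  return Object.keys(found);
}

// Only touch the Frida runtime when it is actually present (i.e. inside frida).
if (typeof Module !== 'undefined' && typeof Interceptor !== 'undefined') {
  attachGuarded('ncrypt.dll', NCRYPT_HOOKS, (name) => {
    console.log(`[*] ${name} called`);
  });
}
```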

ngo commented 3 years ago

As I'm not able to reproduce the erroneous behavior, I'm closing the issue. Feel free to reopen if there are additional details.

mchangchien commented 8 months ago

Hello @ngo @allblackfire Good day, hope you are doing well. I am running into this problem on my laptop (Windows 11 22H2, OS build 22621.3296). May I know how you resolved this issue?

C:\Users\azureuser>C:\Python312\Scripts\frida.exe C:\Windows\System32\lsass.exe -l C:\Users\azureuser\Desktop\keylog.js
     ____
    / _  |   Frida 16.2.1 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to Local System (id=local)
Spawned `C:\Windows\System32\lsass.exe`. Resuming main thread!
Error: ncrypt.dll: unable to find export 'SslHashHandshake'
    at value (frida/runtime/core.js:250)
    at <eval> (C:\Users\azureuser\Desktop\keylog.js:19)
Process terminated
[Local::lsass.exe ]->

Thank you for using Frida!

C:\Users\azureuser>

ngo commented 8 months ago

@mchangchien Hello! As your setup is different from the original issue (i.e. win 11 instead of win 7), I suggest creating a separate issue. But I haven't revisited the dlls in the newer Win11 builds and things might have changed since win10.