SSL write hooking Trouble fdc

Sep 12th, 2015
#include "stdafx.h"
#include <Windows.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

using namespace std;
  7.  
// In-memory extent of one PE section; produced by GetModuleSection() and
// consumed by the SearchMemory*() scanners as (start, size).
struct SECTION_INFO {
    DWORD dwStartAddress;   // address of the section's first byte in the loaded image
    DWORD dwSize;           // length of the section in bytes
};
  13.  
  14.  
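// Trampoline into the original SSL_write, filled in by PatchAPI() (it stores
// the target address + 2, i.e. just past the patched `mov edi,edi`).
// Declared as `int` rather than DWORD so the negative error returns of
// BoringSSL's `int SSL_write(SSL*, const void*, int)` keep their sign and the
// signature matches NewSSL_Write, which returns this value unchanged.
// Default (cdecl) calling convention on purpose: the detour must match it.
int (*OldSSL_Write)(void *s, const void *buf, int len);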
  16.  
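// Hot-patch style detour of an exported function (technique by Napalm).
//
// Requires the Microsoft hot-patchable prologue: five bytes of padding (NOP)
// immediately before the function and `mov edi,edi` (8B FF) as its first
// instruction. After patching the layout is:
//   fpOldFunc-5 : E9 <rel32 to fpNewFunc>   (long jump written into the padding)
//   fpOldFunc   : EB F9                     (short jump -7, onto that E9)
// The two-byte `mov edi,edi` is swapped atomically with InterlockedExchange,
// and *lpOldFunc receives fpOldFunc+2 so the original can still be called
// through the untouched remainder of its prologue.
//
// Parameters: lpszLib/lpszFunc name the module and export to patch; lpOldFunc
// receives the trampoline; fpNewFunc is the detour (must use the target's
// calling convention). Returns TRUE only if the patch was applied.
//
// 32-bit only: the rel32 arithmetic and DWORD casts assume 4-byte addresses.
// Fix vs. the original: the restoring VirtualProtect passed NULL as the
// old-protect out-parameter, which makes the call fail and leaves the code
// page permanently RWX; it now passes a real DWORD and flushes the
// instruction cache after writing code.
BOOL PatchAPI(LPSTR lpszLib, LPSTR lpszFunc, FARPROC *lpOldFunc, FARPROC fpNewFunc) // by Napalm
{
    DWORD   dwProtect = 0;
    DWORD   dwRestore = 0;
    LPBYTE  lpPatch;
    FARPROC fpOldFunc;
    HMODULE hLib;

    if (lpOldFunc == NULL || fpNewFunc == NULL)
        return FALSE;

    // For a module already mapped in this process LoadLibraryA returns that
    // instance; a bare name that is *not* loaded would trigger a search-path
    // load, which is not what a hook installer wants.
    hLib = LoadLibraryA(lpszLib);
    if (hLib == NULL)
        return FALSE;

    fpOldFunc = GetProcAddress(hLib, lpszFunc);
    if (fpOldFunc == NULL)
        return FALSE;

    // Refuse to touch anything that does not carry the exact hot-patch
    // prologue: writing E9/EB into arbitrary code corrupts the target.
    lpPatch = (LPBYTE)fpOldFunc - 5;
    if (memcmp(lpPatch, "\x90\x90\x90\x90\x90\x8B\xFF", 7) != 0)
        return FALSE;

    if (!VirtualProtect(lpPatch, 7, PAGE_EXECUTE_READWRITE, &dwProtect))
        return FALSE;

    // 1. Long jump in the padding (not yet reachable, so a plain write is fine).
    *lpPatch = 0xE9;
    *(LPDWORD)(lpPatch + 1) = (DWORD)((LONG)fpNewFunc - (LONG)fpOldFunc);

    // 2. Publish the trampoline before the detour can be hit.
    *lpOldFunc = (FARPROC)((LPBYTE)fpOldFunc + 2);

    // 3. Atomically replace `mov edi,edi` with `jmp short -7` (EB F9), keeping
    //    the upper two bytes of the dword intact.
    InterlockedExchange((LPLONG)fpOldFunc, (LONG)((*(LPDWORD)fpOldFunc & 0xFFFF0000) | 0xF9EB));

    // Restore the original protection; a NULL out-parameter would make this fail.
    VirtualProtect(lpPatch, 7, dwProtect, &dwRestore);
    FlushInstructionCache(GetCurrentProcess(), lpPatch, 7);

    return TRUE;
}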
  41.  
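// Linear scan of [p_pvStartAddress, p_pvStartAddress + p_dwSize) for the first
// occurrence of the p_dwBufferSize-byte pattern at p_pvBuffer.
// Returns the address of the match (as DWORD; 32-bit build assumed), or 0 when
// the pattern is absent or the arguments are unusable (NULL region/pattern,
// empty pattern, pattern longer than the region).
//
// Fixes vs. the original: a pattern longer than the region made
// `p_dwSize - p_dwBufferSize` wrap to ~4 GiB and walk off the end of the
// mapping, and `<` instead of `<=` skipped a match ending exactly at the
// region's last byte.
DWORD SearchMemory(void* p_pvStartAddress, DWORD p_dwSize, void *p_pvBuffer, DWORD p_dwBufferSize)
{
    const unsigned char *pByte = (const unsigned char *)p_pvStartAddress;

    if (pByte == NULL || p_pvBuffer == NULL || p_dwBufferSize == 0 || p_dwBufferSize > p_dwSize)
    {
        OutputDebugStringA("[ERROR] SearchMemory: invalid region or pattern size!");
        return 0;
    }

    // Last valid start offset is p_dwSize - p_dwBufferSize (inclusive).
    for (DWORD i = 0; i <= p_dwSize - p_dwBufferSize; i++)
    {
        if (memcmp(pByte + i, p_pvBuffer, p_dwBufferSize) == 0)
        {
            return (DWORD)(pByte + i);
        }
    }

    OutputDebugStringA("[ERROR] SearchMemory did not find the pattern!");

    return 0;
}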
  58.  
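// Like SearchMemory(), but returns the address of the p_nN-th (1-based)
// occurrence of the pattern inside [p_pvStartAddress, p_pvStartAddress + p_dwSize).
// Overlapping occurrences are counted (the scan advances one byte at a time).
// Returns 0 when fewer than p_nN occurrences exist or the arguments are
// unusable (NULL region/pattern, empty pattern, pattern longer than the
// region, p_nN == 0).
//
// Fixes vs. the original: same unsigned wrap-around and off-by-one at the end
// of the region as SearchMemory(); the failure message also named the wrong
// function.
DWORD SearchMemoryByN(void* p_pvStartAddress, DWORD p_dwSize, void *p_pvBuffer, DWORD p_dwBufferSize, unsigned int p_nN)
{
    const unsigned char *pByte = (const unsigned char *)p_pvStartAddress;
    unsigned int n = 0;

    if (pByte == NULL || p_pvBuffer == NULL || p_dwBufferSize == 0 || p_dwBufferSize > p_dwSize || p_nN == 0)
    {
        OutputDebugStringA("[ERROR] SearchMemoryByN: invalid region, pattern size or index!");
        return 0;
    }

    // Last valid start offset is p_dwSize - p_dwBufferSize (inclusive).
    for (DWORD i = 0; i <= p_dwSize - p_dwBufferSize; i++)
    {
        // Count each occurrence and stop at the N'th one.
        if (memcmp(pByte + i, p_pvBuffer, p_dwBufferSize) == 0)
        {
            n++;
            if (n == p_nN) return (DWORD)(pByte + i);
        }
    }

    OutputDebugStringA("[ERROR] SearchMemoryByN did not find the pattern!");

    return 0;
}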
  79.  
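// Detour body installed over SSL_write by PatchAPI().
// `buf`/`len` are the application's plaintext about to be handed to TLS, so
// anything ever logged from here is sensitive data. Currently a pure
// pass-through to the trampoline stored in OldSSL_Write.
//
// Fix vs. the original: it was declared WINAPI (stdcall) while OldSSL_Write
// uses the default (cdecl) convention, as does BoringSSL's SSL_write. A
// stdcall detour on a cdecl target pops the 12 bytes of arguments a second
// time and corrupts the caller's stack; the cast to FARPROC in the caller
// hides this from the compiler. The convention now matches OldSSL_Write.
int NewSSL_Write(void *s, const void *buf, int len)
{
    return OldSSL_Write(s, buf, len);
}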
  84.  
  85.  
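// Locate the section named p_sSection (e.g. ".text") in the already-loaded
// module p_sModule and return its in-memory start address and size.
// Returns {0, 0} when the module is not mapped in this process, the headers do
// not carry the MZ/PE signatures, or no section has that name.
//
// Fixes vs. the original: the PE headers were read from the module *name
// string* (p_sModule) instead of the module base; p_sSection was never
// compared, so the last section in the table was always returned; the copied
// section table was leaked; and a failed load was logged but not acted on.
SECTION_INFO GetModuleSection(LPCSTR p_sModule, LPCSTR p_sSection)
{
    SECTION_INFO oSectionData = {0, 0};

    // GetModuleHandleA returns the instance already mapped here and does not
    // bump the reference count or start a search-path load for an absent DLL.
    HMODULE hLib = GetModuleHandleA(p_sModule);
    if (hLib == NULL || p_sSection == NULL)
    {
        OutputDebugStringA("[ERROR] GetModuleSection: module is not loaded in this process\n");
        return oSectionData;
    }

    const LPBYTE pBase = (LPBYTE)hLib;

    // Validate the headers in place instead of copying them: a module handle
    // is the image base, so the DOS header is the first thing at that address.
    const IMAGE_DOS_HEADER *pDos = (const IMAGE_DOS_HEADER *)pBase;
    if (pDos->e_magic != IMAGE_DOS_SIGNATURE)
    {
        OutputDebugStringA("[ERROR] GetModuleSection: missing MZ signature\n");
        return oSectionData;
    }

    const IMAGE_NT_HEADERS *pNt = (const IMAGE_NT_HEADERS *)(pBase + pDos->e_lfanew);
    if (pNt->Signature != IMAGE_NT_SIGNATURE)
    {
        OutputDebugStringA("[ERROR] GetModuleSection: missing PE signature\n");
        return oSectionData;
    }

    // IMAGE_FIRST_SECTION honours FileHeader.SizeOfOptionalHeader rather than
    // assuming sizeof(IMAGE_NT_HEADERS), so the table is found for any header size.
    const IMAGE_SECTION_HEADER *pSections = IMAGE_FIRST_SECTION(pNt);
    for (WORD j = 0; j < pNt->FileHeader.NumberOfSections; j++)
    {
        // Section names are 8 bytes and not NUL-terminated when exactly 8 long.
        if (strncmp((const char *)pSections[j].Name, p_sSection, IMAGE_SIZEOF_SHORT_NAME) == 0)
        {
            // Misc.VirtualSize is the mapped extent; SizeOfRawData is the
            // on-disk extent and can differ from what is readable in memory.
            oSectionData.dwSize = pSections[j].Misc.VirtualSize;
            oSectionData.dwStartAddress = (DWORD)(pBase + pSections[j].VirtualAddress);
            return oSectionData;
        }
    }

    OutputDebugStringA("[ERROR] GetModuleSection: section not found\n");
    return oSectionData;
}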
  129.  
// Install the SSL_write detour in chrome.dll.
//
// NOTE(review): this function is unfinished scaffolding. Both
// SearchMemoryByN() results are discarded, `rdata`, `SSL_string`,
// `nBytesBeforeRead` and `nBytesBeforeWrite` are never used, so the pattern
// scan has no effect on what gets hooked. Presumably the plan was to find the
// ssl_lib.c path string in .rdata and then the `push <that address>` that
// references it in .text -- TODO confirm before building on it.
//
// NOTE(review): PatchAPI() resolves the target with
// GetProcAddress(chrome.dll, "SSL_Write"). BoringSSL spells the function
// `SSL_write` (lower-case w), and whether chrome.dll exports it at all should
// be checked against its export table; if not, PatchAPI() returns FALSE and
// nothing is hooked. PatchAPI() also requires the MS hot-patch prologue
// (5 x NOP, mov edi,edi), which a statically linked BoringSSL routine is not
// guaranteed to have -- verify with a disassembler.
void HookChromeBoringSSL()
{  
    SECTION_INFO rdata = {0, 0};
    SECTION_INFO text  = {0, 0};

    // 0x68 is x86 `push imm32`; with a zero immediate this matches any
    // `push 0` in .text, not a reference to SSL_string.
    unsigned char PSH_string[] = {0x68, 0x00, 0x00, 0x00, 0x00};
    unsigned char SSL_string[] = "c:\\b\\build\\slave\\win\\build\\src\\third_party\\boringssl\\src\\ssl\\ssl_lib.c";
    const unsigned int nBytesBeforeRead  = 17;
    const unsigned int nBytesBeforeWrite = 17;
    const unsigned int READ_IND  = 17;
    const unsigned int WRITE_IND = 15;
     
    rdata = GetModuleSection("chrome.dll", ".rdata");
    text  = GetModuleSection("chrome.dll", ".text");

    // Match addresses (or 0 on failure) are returned here but not kept.
    SearchMemoryByN((void *)text.dwStartAddress, text.dwSize, (void *)PSH_string, 5, READ_IND);
    SearchMemoryByN((void *)text.dwStartAddress, text.dwSize, (void *)PSH_string, 5, WRITE_IND);

    if(PatchAPI("chrome.dll", "SSL_Write", (FARPROC *)&OldSSL_Write, (FARPROC)NewSSL_Write))
    {
        // Called from DllMain, so this dialog runs under the loader lock.
        MessageBoxA(NULL,"Hooked","",MB_OK);
    }// Using Napalms Patch
}
  153.  
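// Thread body that installs the hook. DllMain runs under the loader lock, and
// HookChromeBoringSSL() calls LoadLibraryA (inside PatchAPI) and MessageBoxA,
// neither of which is safe from DllMain. A thread created here does not start
// until DllMain returns and the lock is released, so the work happens outside
// it. We deliberately do not wait on the thread from DllMain (that would
// deadlock on the loader lock).
static DWORD WINAPI HookInstallThread(LPVOID /*unused*/)
{
    HookChromeBoringSSL();
    return 0;
}

// DLL entry point. On process attach, schedules the hook install on its own
// thread and opts out of per-thread attach/detach notifications, which nothing
// here uses. The hook is therefore installed asynchronously, shortly after the
// DLL finishes loading; callers that unload the DLL immediately afterwards
// would pull the detour out from under the thread -- keep it loaded.
BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    (void)lpReserved;

    if (ul_reason_for_call == DLL_PROCESS_ATTACH)
    {
        DisableThreadLibraryCalls(hModule);

        HANDLE hThread = CreateThread(NULL, 0, HookInstallThread, NULL, 0, NULL);
        if (hThread != NULL)
        {
            // The handle is not needed; closing it does not stop the thread.
            CloseHandle(hThread);
        }
        else
        {
            OutputDebugStringA("[ERROR] DllMain: could not start the hook thread\n");
        }
    }

    return TRUE;
}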