What is MioStar


MioStar is an offspring of the SkypeTrojan. Unlike the SkypeTrojan, MioStar focuses on hooking functions that deal with sensitive data such as account information or network traffic. The initial objective was not to produce a hacker tool ready to use or to incorporate into malware, but at the point we have reached now it is more than a simple proof of concept. We have a nice, fancy GUI now and a handful of preconfigured applications from which we can extract sensitive data, and in the future the list will grow.

What function calls are intercepted

Currently the following functions can be intercepted with MioStar …

Files

  • CreateFile
  • ReadFile
  • WriteFile
Crypto

  • CryptEncrypt
  • CryptDecrypt
  • CryptHashData
  • EncryptFile
  • DecryptFile
  • NCryptEncrypt
  • NCryptDecrypt
  • NCryptCreatePersistedKey
  • SslEncryptPacket
  • SslDecryptPacket
  • BCryptEncrypt
  • BCryptDecrypt
  • BCryptHashData
  • BCryptGenerateSymmetricKey
  • CPEncrypt
  • CPDecrypt
  • CryptProtectData
  • CryptUnprotectData
  • CryptProtectMemory
  • CryptUnprotectMemory
  • CryptMsgGetParam
  • CryptMsgUpdate
  • CryptHashMessage
  • CryptDecryptMessage
  • CryptEncryptMessage
  • nss3.dll::PK11SDR_Encrypt
  • nss3.dll::PK11SDR_Decrypt
Registry

  • RegOpenKey
  • RegOpenKeyEx
  • RegQueryValue
  • RegQueryValueEx
  • RegGetValue
Networking

  • send
  • WSASend
  • WSPSendTo
  • GetAddrInfo
  • GetAddrInfoEx
  • WinHttpOpenRequest
  • WinHttpConnect
  • WinHttpWriteData
System

  • LoadLibrary
  • LoadLibraryEx
  • GetProcAddress
  • GetModuleHandle
  • GetModuleHandleEx
  • FreeLibrary
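The list above is also the list a defender would watch: a process whose crypt32, ws2_32 or nss3 exports no longer begin with their original prologue is a process whose sensitive data may be read or altered by a hook of the kind this page describes. The following C program is an added example, not code from MioStar or its author. It classifies the first bytes of a function against the redirection stubs inline-hooking libraries commonly write over a prologue (jmp rel32, indirect jmp, push/ret, mov rax/jmp rax) and otherwise compares them byte for byte with a reference copy. The prologue bytes and the live/reference pairs in the table are constructed for the example; on a real Windows system you would read the live bytes from the address GetProcAddress returns and the reference bytes from the export's image in the DLL file on disk, which is not shown here.

```c
#include <stdio.h>
#include <string.h>

/* What was found at the entry of an exported function. The stub patterns are
   the ones inline-hooking libraries usually write over a prologue to divert
   execution into a trampoline. */
typedef enum {
    HOOK_NONE = 0,         /* entry bytes match the reference copy          */
    HOOK_JMP_REL32,        /* E9 rel32          : jmp <trampoline>           */
    HOOK_JMP_INDIRECT,     /* FF 25 disp32      : jmp [rip+disp32]           */
    HOOK_PUSH_RET,         /* 68 imm32 C3       : push addr ; ret            */
    HOOK_MOV_RAX_JMP,      /* 48 B8 imm64 FF E0 : mov rax, addr ; jmp rax    */
    HOOK_PROLOGUE_CHANGED  /* no known stub, but bytes differ from reference */
} hook_kind_t;

/* Match the first bytes of a function body against the known stubs. */
hook_kind_t detect_hook_stub(const unsigned char *code, size_t len)
{
    if (len >= 5 && code[0] == 0xE9) return HOOK_JMP_REL32;
    if (len >= 6 && code[0] == 0xFF && code[1] == 0x25) return HOOK_JMP_INDIRECT;
    if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3) return HOOK_PUSH_RET;
    if (len >= 12 && code[0] == 0x48 && code[1] == 0xB8 && code[10] == 0xFF && code[11] == 0xE0)
        return HOOK_MOV_RAX_JMP;
    return HOOK_NONE;
}

/* Stub detection plus a byte-for-byte comparison with a reference copy of the
   same prologue (on Windows: the export's bytes as stored in the DLL on disk).
   A known stub is reported as such; any other difference as PROLOGUE_CHANGED. */
hook_kind_t check_prologue(const unsigned char *live, const unsigned char *reference, size_t len)
{
    hook_kind_t kind = detect_hook_stub(live, len);
    if (kind != HOOK_NONE)
        return kind;
    return memcmp(live, reference, len) == 0 ? HOOK_NONE : HOOK_PROLOGUE_CHANGED;
}

const char *hook_kind_name(hook_kind_t k)
{
    static const char *names[] = { "clean", "jmp rel32", "jmp indirect",
                                   "push/ret", "mov rax/jmp rax", "prologue changed" };
    return names[k];
}

/* ---- Constructed sample data; none of these bytes were captured from a real system ---- */
#define PROLOGUE_LEN 16

/* Hand-written x64 prologue standing in for the on-disk copy:
   mov [rsp+8],rbx ; mov [rsp+10h],rsi ; push rdi ; sub rsp,20h ; nop */
static const unsigned char ref_prologue[PROLOGUE_LEN] = {
    0x48,0x89,0x5C,0x24,0x08, 0x48,0x89,0x74,0x24,0x10, 0x57, 0x48,0x83,0xEC,0x20, 0x90 };

/* Same prologue, first five bytes overwritten with "jmp rel32". */
static const unsigned char live_jmp_rel32[PROLOGUE_LEN] = {
    0xE9,0x11,0x22,0x33,0x44, 0x48,0x89,0x74,0x24,0x10, 0x57, 0x48,0x83,0xEC,0x20, 0x90 };

/* Same prologue, first twelve bytes overwritten with "mov rax, imm64 ; jmp rax". */
static const unsigned char live_mov_rax_jmp[PROLOGUE_LEN] = {
    0x48,0xB8,0x00,0x10,0x00,0x00,0x00,0x00,0x00,0x00, 0xFF,0xE0, 0x83,0xEC,0x20, 0x90 };

/* Same prologue with only the first byte replaced by int3 (0xCC): not a listed
   stub, but still a modified entry point. */
static const unsigned char live_int3[PROLOGUE_LEN] = {
    0xCC,0x89,0x5C,0x24,0x08, 0x48,0x89,0x74,0x24,0x10, 0x57, 0x48,0x83,0xEC,0x20, 0x90 };

/* One row per monitored export: module, name, live bytes, reference bytes. The
   module names are the real exporters of these functions; the byte pairs are constructed. */
typedef struct { const char *module, *function; const unsigned char *live, *reference; } export_check_t;

static const export_check_t checks[] = {
    { "crypt32.dll", "CryptProtectData",   live_jmp_rel32,   ref_prologue },
    { "crypt32.dll", "CryptUnprotectData", ref_prologue,     ref_prologue },
    { "nss3.dll",    "PK11SDR_Decrypt",    live_mov_rax_jmp, ref_prologue },
    { "ws2_32.dll",  "GetAddrInfoEx",      live_int3,        ref_prologue },
};

/* Check every row, print the verdict and return how many exports were flagged. */
int scan_exports(void)
{
    int flagged = 0;
    for (size_t i = 0; i < sizeof checks / sizeof checks[0]; i++) {
        hook_kind_t k = check_prologue(checks[i].live, checks[i].reference, PROLOGUE_LEN);
        printf("%-12s %-20s %s\n", checks[i].module, checks[i].function, hook_kind_name(k));
        if (k != HOOK_NONE)
            flagged++;
    }
    return flagged;
}

int main(void)
{
    printf("%d of %u monitored exports show a modified entry point\n",
           scan_exports(), (unsigned)(sizeof checks / sizeof checks[0]));
    return 0;
}
```

A flagged export is a lead, not a verdict. Antivirus and EDR products, application-compatibility shims and some export forwarders legitimately place a jump at the entry of exactly these functions, and x86 hot-patchable functions begin with a two-byte mov edi,edi precisely so that a short jump can be written there. Comparing against the on-disk copy (with relocations applied) and then following the jump target to see which module it lands in is the usual next step before deciding whether the hook belongs to a tool like the one described here.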


Which applications use these calls

MioStar can be used with any application, but without guarantee of success. Sensitive data can be extracted from the following applications:

Application name          Function
Safari                    CryptProtectData, CryptUnprotectData
Chrome                    CryptProtectData, CryptUnprotectData
GoogleTalk                CryptProtectData, CryptUnprotectData
Microsoft Live Messenger  CryptEncrypt
Microsoft Live Mail       CryptProtectMemory, CryptUnprotectMemory
Yahoo Messenger           SslEncryptPacket
Thunderbird               nss3.dll::PK11SDR_Decrypt, nss3.dll::PK11SDR_Encrypt
Firefox                   nss3.dll::PK11SDR_Decrypt, nss3.dll::PK11SDR_Encrypt
SeaMonkey                 nss3.dll::PK11SDR_Decrypt, nss3.dll::PK11SDR_Encrypt
RockMelt                  CryptProtectData, CryptUnprotectData


Manipulating functions

Instead of extracting sensitive data, you can also manipulate the function arguments and replace the passed values with your own. As an example, the function GetAddrInfoEx normally resolves hostnames and returns the corresponding IP address. Instead of resolving www.google.com, replace this parameter with www.megapanzer.com; all traffic for Google is then redirected to Megapanzer.

How can I participate

You can participate in three ways. If you know of …

  • applications using one of the functions mentioned in the list above that deal with sensitive data.
  • Windows functions that handle sensitive data and are not yet implemented in MioStar.
  • DLLs providing functions that deal with sensitive data.

… then please drop me a mail and let me know.

Feedback

In case you encounter any problems with the tool, find a bug, have suggestions to improve it, or have tested it with a Windows version I've not yet tested, please drop me an email.

Where can I download it

Version 0.1 – Binary & source
Version 0.2 – Binary & source


Why this strange name

There are many security-related tools out there with heroic, martial, elite, marketing-strategic or odd-sounding names. Why not name a tool after something like a household appliance? MioStar is a product line of a Swiss store that offers great products for your household, like the MioStar mixer, MioStar hair dryer and MioStar vacuum. MioStar, a great name for a tool!

MioStar video

Will follow soon …

Screenshot

Fishing sensitive data with MioStar
carrumba says:

I actually wanted to restrict it to account data grabbing. But fishing cookies out of the stream could be interesting in regard to session cookies. Mmm… do you/anyone know how HTTPS sessions are handled? Which functions are used?

Sale says:

Have you tried hooking wininet.dll (HttpSendRequestW, HttpSendRequestA) for intercepting Iexplore POST data? Hooking it is not that easy to accomplish as with other functions/DLLs :/