» Crypto http://www.megapanzer.com Fri, 23 Dec 2011 13:02:33 +0000 en hourly 1 http://wordpress.org/?v=3.3 Fishing sensitive data with MioStar http://www.megapanzer.com/2010/11/17/fishing-sensitive-data-with-miostar/ http://www.megapanzer.com/2010/11/17/fishing-sensitive-data-with-miostar/#comments Wed, 17 Nov 2010 14:31:58 +0000 carrumba http://www.megapanzer.com/?p=4365 What is MioStar


MioStar is an offspring of the SkypeTrojan. Unlike the SkypeTrojan MioStar puts its focus on hooking functions that deal with sensitive data like account information or network traffic. The initial objective was not to produce a hacker tool ready to use or incorporate in malware. But at the point we reached now it is more than just a simple proof of concept. We have a nice, fancy GUI now and a handful of preconfigured applications where we can extract sensitive data. And in the future the list will grow.

What function calls are intercepted

Currently the following functions can be intercepted with MioStar …

Files

  • CreateFile
  • ReadFile
  • WriteFile
 Crypto

  • CryptEncrypt
  • CryptDecrypt
  • CryptHashData
  • EncryptFile
  • DecryptFile
  • NCryptEncrypt
  • NCryptDecrypt
  • NCryptCreatePersistedKey
  • SslEncryptPacket
  • SslDecryptPacket
  • BCryptEncrypt
  • BCryptDecrypt
  • BCryptHashData
  • BCryptGenerateSymmetricKey
  • CPEncrypt
  • CPDecrypt
  • CryptProtectData
  • CryptUnprotectData
  • CryptProtectMemory
  • CryptUnprotectMemory
  • CryptMsgGetParam
  • CryptMsgUpdate
  • CryptHashMessage
  • CryptDecryptMessage
  • CryptEncryptMessage
  • nss3.dll::PK11SDR_Encrypt
  • nss3.dll::PK11SDR_Decrypt
Registry

  • RegOpenKey
  • RegOpenKeyEx
  • RegQueryValue
  • RegQueryValueEx
  • RegGetValue
Networking

  • send
  • WSASend
  • WSPSendTo
  • GetAddrInfo
  • GetAddrInfoEx
  • WinHttpOpenRequest
  • WinHttpConnect
  • WinHttpWriteData
System

  • LoadLibrary
  • LoadLibraryEx
  • GetProcAddress
  • GetModuleHandle
  • GetModuleHandleEx
  • FreeLibrary


Which applications use these calls

MioStar can be used with any application but without guarantee of success. From following applications
sensitive data can be extracted …

Application name Function
Safari CryptProtectData
CryptUnprotectData
Chrome CryptProtectData
CryptUnprotectData
GoogleTalk CryptProtectData
CryptUnprotectData
Microsoft Live Messenger CryptEncrypt
Microsoft Live Mail CryptProtectMemory
CryptUnprotectMemory
Yahoo Messenger SslEncryptPacke
Thunderbird nss3.dll::PK11SDR_Decrypt
nss3.dll::PK11SDR_Encrypt
FireFox nss3.dll::PK11SDR_Decrypt
nss3.dll::PK11SDR_Encrypt
SeaMonkey nss3.dll::PK11SDR_Decrypt
nss3.dll::PK11SDR_Encrypt
RockMelt CryptProtectData
CryptUnprotectData


Manipulating functions

Instead of extracting sensitive data you can also manipulate the function arguments and replace the passed values by your own. As an example the function GetAddrInfoEx normally resolves hostnames and gives back the according IP address. Instead of resolving www.google.com replace this parameter by www.megapanzer.com. All traffic for google gets then redirected to Megapanzer.

How can I participate

You can participate in three ways. If you know of …

  • applications using one of the functions mentioned in the list above that deal with sensitive data.
  • Windows functions that handle sensitive data and they are not implemented in MioStar yet.
  • DLLs providing functions that deal with sensitive data.

… then please drop me a mail and let me know.

Feedback

In case you encounter any problems with the tool, you find a bug, you have suggestions to improve it, or you tested it with a Windows version i’ve not yet tested please drop me an email.

Where can I download it

Version 0.1 – Binary & source
Version 0.2 – Binary & source


Why this strange name

There are many security related tools out there with heroic, martial, elite or marketing strategic, odd sounding names. Why not name a tool something like a household appliance? MioStar is a product line of a Swiss store that offers great products for your household like MioStar mixer, MioStar hair dryer, MioStar vacuum. MioStar, a great name for a tool!

MioStar video

Will follow soon …

Screenshot

Fishing sensitive data with MioStar
 
]]> http://www.megapanzer.com/2010/11/17/fishing-sensitive-data-with-miostar/feed/ 2 RC4Encryption : Encrypt and decrypt files with RC4 http://www.megapanzer.com/2009/06/09/rc4encryption-encrypt-and-decrypt-files-with-rc4/ http://www.megapanzer.com/2009/06/09/rc4encryption-encrypt-and-decrypt-files-with-rc4/#comments Tue, 09 Jun 2009 19:02:56 +0000 carrumba http://www.megapanzer.com/?p=2111 Tool name : RC4Encryption 0.1   Description : RC4Encryption is a tool to encrypt and decrypt files with the RC4 algorithm. The tool itself is not really hot stuff. OpenSSL supports RC4 since years and also many other algorithms. But you can use this code without any dependency of an additional library and you have working functions of stream cipher encryption.   Tested on : Windows XP   Feedback : In case you encounter any problems with the tool, you have suggestions to improve it, or you tested it with a Windows version i’ve not yet tested please drop me an email.   Downloads : Binary | Source   Screen shots :   ]]> http://www.megapanzer.com/2009/06/09/rc4encryption-encrypt-and-decrypt-files-with-rc4/feed/ 6