hooking? injection? static replacement?

c++ / delphi package - dll injection and api hooking
zcot
Posts: 2
Joined: Tue Sep 28, 2004 12:27 pm
Location: Orlando, Florida, US


Post by zcot »

Hi, I'm part of an old online gaming community. Lately we are experiencing some unscrupulous cheaters and so I think an IP Logging capability on the hosting server could prove useful by being able to show those cheaters that we can very easily get their info and further post reports to their ISP if necessary. Hopefully, this would be enough of a deterrent in itself. Also there is someone in particular who has evidently hacked their client-side code to prevent them from being punted. I assume this is only possible because of the early online programming nature of the game since it is over 6 years old and likely very little was put into the cause for client hacking and cheating.

What I'd like to do is create a server module to provide for IP Logging and possibly try to go beyond that and come up with a solution for this "anti-punt" character (other than having to go outside to firewall blocking or something). And perhaps make an addition to the existent IP ban list scenario, which only takes single IP addresses and does not work against ranges (built internally into the game).

I've recently read so many articles about hooking and injecting, but since they mostly seem to relate to GUI based situations and/or Win32 message loops or only the kernel library I can't see how this will be possible, since the game is using a fullscreen DirectX scenario and not processing any useful message loop during that thread (a thread under the main process thread and window).

I've found that the game uses 2 threads normally and when you go toward the internet it produces a 3rd thread (assumably dealing with the connectivity) which appears to load a local "net.dll". The net.dll exports functions such as GetPlayerIPAddress(...), LoadIPFilterFile(...), DestroyPlayer(...), SendToClient(...) among the typical ones that would initiate the dll, create any subsequent connections and do cleanup. With these functions I believe I could do what is needed, like this:

GetPlayerIPAddress(.. -add some code to log the ip into a file.

LoadIPFilterFile(.. -add code to parse IP ranges as well.

SendToClient(.. -parse for the "punt player" situation and analyze if the client has left, but if not then maybe work something with DestroyPlayer(..) or maybe add a situation such as DropPacket(...).

As far as I could tell I should be able to merely replace these functions upon startup, adding some additional code. I don't feel that any active "hooking" would be necessary. So, it seems that "injection" could be a workable solution here. Maybe I should look into just rebuilding the net.dll for those who are hosting?

I'm at a bit of a loss as to what method to get into.. -it's quite an expansive proposition looking at the possibilities of hooking and injection.

-any suggestions? Can anybody offer some direction or creative design ideas for a solution here?

thanks,
zcot
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

First of all: You don't have the source code of that game - right?

In that case I see 2 good solutions:

(1) You could try to build your own net.dll which does nothing but call the original net.dll and do some small additional tasks. If all you need is inside of the net.dll, then this should work just fine. This way you wouldn't need to do any "injecting" and "hooking". Your dll would automatically be loaded by the game. You would need to rename the original net.dll and load it from your new net.dll.

(2) Alternatively you could write a new server starter, which would start the original game server, while additionally injecting a little hook dll. With madCodeHook this would be very easy to realize by just using CreateProcessEx. Your hook dll would then call HookAPI in the initialization of the dll and hook all the APIs you're interested in.

The first solution could be realized without madCodeHook. The 2nd one would need madCodeHook. The 2nd one has the advantage that you don't need to rebuild a whole net.dll. You would just need to implement the hooks you need.
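A sketch of solution (1), as an added example that is neither the poster's nor madshi's code: a Delphi proxy `net.dll` that lazily loads the renamed original (`net_orig.dll`, an assumed name), forwards `GetPlayerIPAddress` to it and appends the returned address to a log file. The thread never shows the real parameter list of `GetPlayerIPAddress`, so the single-pointer, stdcall, `PAnsiChar`-returning signature is an assumption and must be replaced with the one read from the dll's export table; every other export the game imports needs an equivalent forwarding stub.

```delphi
library net;

{ Proxy net.dll (added example). The original must be renamed to
  net_orig.dll so that LoadLibrary below finds it; both names assumed. }

uses
  Windows, SysUtils;

type
  // Assumed signature: the real one must be taken from the original dll.
  TGetPlayerIPAddress = function(player: Pointer): PAnsiChar; stdcall;

var
  OrigDll: HMODULE = 0;
  OrigGetPlayerIPAddress: TGetPlayerIPAddress = nil;

// Resolve the original export on first use; avoids doing work in the
// library initialization section while the loader lock is held.
function LoadOriginal: Boolean;
begin
  if OrigDll = 0 then
  begin
    OrigDll := LoadLibrary('net_orig.dll');
    if OrigDll <> 0 then
      OrigGetPlayerIPAddress := GetProcAddress(OrigDll, 'GetPlayerIPAddress');
  end;
  Result := Assigned(OrigGetPlayerIPAddress);
end;

// Append one timestamped line to iplog.txt next to the server executable.
procedure AppendLog(const line: string);
var
  f: TextFile;
begin
  AssignFile(f, 'iplog.txt');
  if FileExists('iplog.txt') then Append(f) else Rewrite(f);
  try
    WriteLn(f, FormatDateTime('yyyy-mm-dd hh:nn:ss', Now), ' ', line);
  finally
    CloseFile(f);
  end;
end;

// Exported under the name the game imports: forward first, then log.
function GetPlayerIPAddress(player: Pointer): PAnsiChar; stdcall;
begin
  if not LoadOriginal then
  begin
    Result := nil;  // original missing: fail visibly rather than fake a value
    Exit;
  end;
  Result := OrigGetPlayerIPAddress(player);
  if Result <> nil then
    AppendLog(string(AnsiString(Result)));
end;

exports
  GetPlayerIPAddress;

begin
end.
```

Because the game loads `net.dll` by name from its own directory, no injector or hook library is involved; the only failure mode to check first is that the renamed original still resolves its own dependencies from that directory.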
zcot
Posts: 2
Joined: Tue Sep 28, 2004 12:27 pm
Location: Orlando, Florida, US

Post by zcot »

hmmm.. okay, thank you madshi..

this provides some additional perspective for me to chew on.

In viewing your response and doing some more thinking I realize that it seems inevitable that some amount of hooking and injection technique is likely in order.. -if nothing else hooking the loadup of the net.dll (LoadLibrary, CreateProcess or CreateThread) to inject (preferably overwrite) a few functions.

It seems like the best result would be to make any alterations upon startup and not leave any extra processes or threads around so there are no added function calls that in turn have to call the original function... -or at least for something like SendToClient(..), since if the server is hosting 10 or 15 real-time users it's not going to be as effective to be adding extra processing. I think the preferable way would be to basically overwrite the existing code. But using a wedge in something like GetPlayerIPAddress(..) is probably not an issue. I just wouldn't want to have any bearing on the efficiency/effectiveness of the existing functionality, and because I know absolutely nothing about synchronization or attaching processes/threads to low system internals or other potentially real-time threads.

I appreciate your input and I'll be looking further into these things and trying my hand at something in the near future. I've done programming for years but have never dealt with anything too advanced or anything that I didn't have full control over... -but right now my efforts have been caught up in looking at the bytes of the dll so really that's a project within itself.

I'm fairly good at locking up the machine though. :lol:

I'm gonna see what this madCodeHook buzz is all about :wink:

thanks man
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

I'd suggest this:

Create a little starter app, which does nothing but call madCodeHook's CreateProcessEx function. Afterwards the starter app should just shutdown again. The real server application will then start and load your little hook dll. Your hook dll should call HookAPI in the initialization section and hook the net.dll APIs you're interested in.

The hooking itself doesn't consume much performance. You won't notice it, I'm quite sure about that. You can begin by just calling the original API in your hook callback function. Then you'll be able to test how the performance behaves. I think you'll not be able to measure any difference.

Of course when then adding additional logging code performance might get a bit worse, but that's totally in your hands then. It's your task to write fast code then.