Hook Winsock2.....

c++ / delphi package - dll injection and api hooking

Hook Winsock2.....

Postby michen » Sat May 01, 2004 5:31 pm

Hello madshi.....


I use madCodeHook to Hook WS2_32.dll send and connect

the connect api can't hook(send api hook is still work..),when use windows xp + Rising Antivirus(http://www.rising-global.com/)

It works fine on other system like windows2k,98,me... or windows xp without Install Rising Antivirus...

I tried the madcodehook version 2.1.2.0(download from www.madshi.net)
and madCodeHook 2.1b (download from this forum)

Please help me....
michen
 
Posts: 6
Joined: Sat May 01, 2004 5:23 pm

Postby Layane » Sat May 01, 2004 9:06 pm

Copy madCHook.dll to System32 folder or inject madCHook.dll in the process to hook, i believe that this solve the problem. Else your antivirus protect process for injections hooking the API functions (WriteProcessMemory, VirtualAllocEx, etc....). So an antivirus avoid virus that infect on the fly (like a injector,loader, etc...) and if antivirus is the problem, uninstall or disable the resident scanner.
Layane
 
Posts: 20
Joined: Sat May 01, 2004 11:03 am

Postby michen » Sun May 02, 2004 7:12 am

But why just the connectcallback doesn't hook....

the sendcallback works fine:(
michen
 
Posts: 6
Joined: Sat May 01, 2004 5:23 pm

Postby Layane » Sun May 02, 2004 8:57 am

Are you sure? i believe that the funtions that hook your antivirus return values that usually you want to see its but really calls dont execute it, then InjectLibrary() return TRUE because believe that is all ok. For example antivirus hook code, that detect an injection using heuristic:

Code: Select all

LPVOID HookVirtualAllocEx (HANDLE hProcess,LPVOID lpAddress,DWORD dwSize,DWORD flAllocationType,DWORD flProtect) {
  .....
 //save the process that call this funtion and hProcess
 //and call the real function
  .....
 return VirtualAllocEx (hProcess,lpAddress,dwSize,flAllocationType, flProtect);
}

BOOL HookWriteProcessMemory(HANDLE hProcess,LPVOID lpBaseAddress,LPVOID lpBuffer,DWORD nSize,LPDWORD lpNumberOfBytesWritten) {
  .....
 //Antivirus compare information that before saved it by
 //functions that are hooked (VirtualAllocEx,OpenProcess,etc...)
  .....
  if (bHeuristic == TRUE) {
   //its a virus
   lpNumberOfBytesWritten = nSize;
   return TRUE;
  }
 else {
   return WriteProcessMemory(hProcess,lpBaseAddress,
                 lpBuffer,nSize,lpNumberOfBytesWritten);
 }

}

Layane
 
Posts: 20
Joined: Sat May 01, 2004 11:03 am

Postby michen » Sun May 02, 2004 10:33 am

I mean...
the dll file what I inject has send and connect hook...

and the send hook works fine,,,the connect hook can't work if the client install RiSing antivirus......
michen
 
Posts: 6
Joined: Sat May 01, 2004 5:23 pm

Postby Layane » Sun May 02, 2004 11:44 am

dough!! i didnt undestand you :sorry: (english isnt my native language). Has antivirus firewall or "internet protection"?
Layane
 
Posts: 20
Joined: Sat May 01, 2004 11:03 am

Postby michen » Sun May 02, 2004 2:40 pm

english isnt my native language too....

My english is very poor:(.....


sorry,,sorry...


I mean
if I run antivirus firewall in windows xp
then my dll hook can't hook the WS2_32.dll connect function...

but can hook send function....
michen
 
Posts: 6
Joined: Sat May 01, 2004 5:23 pm

Postby Layane » Sun May 02, 2004 2:50 pm

If your antivirus control all conections hooking connect() , it dont need to hook send() functions ¿no? :wink: . Disable the Resident Scanner is a easy solution :D
Layane
 
Posts: 20
Joined: Sat May 01, 2004 11:03 am

Postby madshi » Sun May 02, 2004 3:59 pm

It might be that this anti virus product also hooks WinSock. Most of the time madCodeHook works nevertheless, but not always. WinSock is especially sensitive in this area. I'm sorry, I fear this can't be solved... :cry:
madshi
Site Admin
 
Posts: 9774
Joined: Sun Mar 21, 2004 5:25 pm

Postby Layane » Sun May 02, 2004 4:06 pm

Do you use madCHook to hook only a specific process or all process on the system?
Layane
 
Posts: 20
Joined: Sat May 01, 2004 11:03 am

Postby michen » Mon May 03, 2004 3:19 am

I use madCHook to hook only a specific process

Maybe it as madshi said the virus product hooks Winsock2...:(

But something is funny

1. stop all of the virus product's process, the hook still can't work...must need uninstall the virus product....
2. If you use some online game bot(that game bot hook winsock's connect function),that bot can work...- -|||

:crazy: :crazy: :crazy:
michen
 
Posts: 6
Joined: Sat May 01, 2004 5:23 pm

Postby madshi » Mon May 03, 2004 6:24 am

How does the game bot hooking WinSock? I mean which API hooking method does it use?
madshi
Site Admin
 
Posts: 9774
Joined: Sun Mar 21, 2004 5:25 pm

Postby nildo » Mon May 03, 2004 12:11 pm

I was going to ask exatly the same thing. On WindowsXP, I am not able to hook the function RECV but all others I can, linke Connect I am able, SEND, SENDTO, but not RECV. at Windows9X/ME works perfectly. But its not MadCodeHook's problem. I've tried others methods of API Hooking and do not works on XP too (one of them I've did). And I got the same problem. So do not be linke this: :crazy: Madshi! Its not your fault. Or maybe you can try to explain us why does this happens at windows Xp? If not no problem. So everyone read: Its not MadCodeHook's problem
nildo
 
Posts: 249
Joined: Mon Mar 22, 2004 11:32 am

Postby madshi » Mon May 03, 2004 12:25 pm

nildo, the problem you're talking about might be that with WinSock1 vs WinSock2. In win9x WinSock1 calls end up in the same WinSock2 calls. So if you call WinSock1.recv, this goes through WinSock2.recv. IIRC, in XP when you call WinSock1.recv this ends up in WinSock2.WSARecv. Probably that's what you mean, nildo?
madshi
Site Admin
 
Posts: 9774
Joined: Sun Mar 21, 2004 5:25 pm

Postby michen » Mon May 03, 2004 4:27 pm

I only can find this bot(open source),others I can't got the source code...


Code: Select all
#include <stdio.h>
#include <string.h>
#include <winsock2.h>
#include <mswsock.h>

#define MakePtr( cast, ptr, addValue ) (cast)( (DWORD)(ptr)+(DWORD)(addValue))

#define FALSECLIENT_TIMEOUT 12000
#define FALSECLIENT_SEND_TIMEOUT 5000
#define MAX_BUFFER_LENGTH 10000


////
//FUNCTION PROTOTYPES AND TYPEDEF
////
BOOL IsConnected(SOCKET s);
void falseClientCom();
PROC HookImportedFunction(HMODULE,PSTR,PSTR,PROC);
BOOL DoHookProcs();


typedef int(WINAPI *MyWSASendProc)(
  SOCKET s,
  LPWSABUF lpBuffers,
  DWORD dwBufferCount,
  LPDWORD lpNumberOfBytesSent,
  DWORD dwFlags,
  LPWSAOVERLAPPED lpOverlapped,
  LPWSAOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine
);

typedef int(WINAPI *MyWSASendToProc)(
  SOCKET s,
  LPWSABUF lpBuffers,
  DWORD dwBufferCount,
  LPDWORD lpNumberOfBytesSent,
  DWORD dwFlags,
  struct sockaddr* lpTo,
  int iToLen,
  LPWSAOVERLAPPED lpOverlapped,
  LPWSAOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine
);

typedef int(WINAPI *MyWSARecvProc)(
  SOCKET s,
  LPWSABUF lpBuffers,
  DWORD dwBufferCount,
  LPDWORD lpNumberOfBytesRecvd,
  LPDWORD lpFlags,
  LPWSAOVERLAPPED lpOverlapped,
  LPWSAOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine
);

typedef int(WINAPI *MyWSARecvFromProc)(
  SOCKET s,
  LPWSABUF lpBuffers,
  DWORD dwBufferCount,
  LPDWORD lpNumberOfBytesRecvd,
  LPDWORD lpFlags,
  struct sockaddr* lpFrom,
  LPINT lpFromlen,
  LPWSAOVERLAPPED lpOverlapped,
  LPWSAOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine
);

typedef int(WINAPI *MySendProc)(
  SOCKET s,
  char* buf,
  int len,
  int flags
);

typedef int(WINAPI *MySendToProc)(
  SOCKET s,
  const char* buf,
  int len,
  int flags,
  struct sockaddr* to,
  int tolen
);

typedef int(WINAPI *MyRecvProc)(
  SOCKET s,
  char* buf,
  int len,
  int flags
);

typedef int(WINAPI *MyRecvFromProc)(
  SOCKET s,
  char* buf,
  int len,
  int flags,
  struct sockaddr* from,
  int* fromlen
);

typedef int (WINAPI *MyConnectProc) (
  SOCKET s,
  const struct sockaddr* name,
  int namelen
);

typedef int (WINAPI *MyWSAAsyncSelectProc) (
  SOCKET s,
  HWND hWnd,
  unsigned int wMsg,
  long lEvent
);

typedef FARPROC (WINAPI *MyGetProcAddressProc)(
  HMODULE hModule,
  LPCSTR lpProcName
);


////
//GLOBAL VARIABLES
////

HINSTANCE g_hInst=0;
MyWSASendProc  OriginalWSASendProc;
MyWSASendToProc  OriginalWSASendToProc;
MyWSARecvProc  OriginalWSARecvProc;
MyWSARecvFromProc  OriginalWSARecvFromProc;
MySendProc  OriginalSendProc;
MySendToProc  OriginalSendToProc;
MyRecvProc  OriginalRecvProc;
MyRecvFromProc  OriginalRecvFromProc;
MyConnectProc  OriginalConnectProc;
MyGetProcAddressProc  OriginalGetProcAddressProc;
MyWSAAsyncSelectProc  OriginalWSAAsyncSelectProc;

ULONG falseClientComId;
SOCKET falseClient;
SOCKET currentServer;

WSADATA WSAData;
char* falseClient_send;
char* falseClient_recvInject;
int falseClient_sendLength;
int falseClient_recvInjectLength;
CRITICAL_SECTION falseClient_sendSection;
CRITICAL_SECTION falseClient_recvInjectSection;
 
////
//FUNCTIONS
////

BOOL IsConnected(SOCKET s) {
   fd_set udtWrite_fd;
   timeval tv;
   tv.tv_sec = 0;
   tv.tv_usec = 1;
   long lngSocketCount = 0;
    udtWrite_fd.fd_count = 1;
    udtWrite_fd.fd_array[0] = s;
    lngSocketCount = select(0, 0, &udtWrite_fd, 0, &tv);
    return (BOOL)(lngSocketCount);
}


void falseClientCom() {
   char * falseClient_recv = (char*)malloc(MAX_BUFFER_LENGTH);
   unsigned short falseClient_recvLength;
   int index;
   int ret;
   int type;
   DWORD falseClient_timeout;
   DWORD falseClient_send_timeout;
   sockaddr_in addr;
   DWORD arg = 1;
   addr.sin_family = AF_INET;
   addr.sin_port = htons(2350);
   addr.sin_addr.s_addr = inet_addr("127.0.0.1");
   falseClient = socket(AF_INET, SOCK_STREAM, 0);
   
   char* keepAlivePacket = (char*)malloc(3);
   unsigned short keepAlivePacketLength = 0;
   memcpy(keepAlivePacket,"K",1);
   memcpy(keepAlivePacket+1,&keepAlivePacketLength,2);
   while (1) {
      while (!falseClient || !IsConnected(falseClient) || (GetTickCount() - falseClient_timeout >= FALSECLIENT_TIMEOUT)) {
         closesocket(falseClient);
         falseClient = socket(AF_INET, SOCK_STREAM, 0);
         connect(falseClient, (struct sockaddr *) &addr, sizeof(sockaddr_in));
         ioctlsocket(falseClient,FIONBIO,&arg);
         falseClient_timeout = GetTickCount();
         falseClient_send_timeout = GetTickCount();
         falseClient_sendLength = 0;
      }
      ret = OriginalRecvProc(falseClient,falseClient_recv,MAX_BUFFER_LENGTH,0);
      if (ret != SOCKET_ERROR && ret >= 3) {
         index = 0;
         while (index < ret) {
            falseClient_recvLength = *(unsigned short *)(falseClient_recv+index+1);
            if (ret-index < falseClient_recvLength) {
               MessageBox(0,"False client sent a bad message!", "False client error",0);
               break;
            }
            if (*(falseClient_recv+index) == 'S') {
               type = 0;
            } else if (*(falseClient_recv+index) == 'R') {
               type = 1;
            } else if (*(falseClient_recv+index) == 'K') {
               //Keep alive
               type = 2;
            } else {
               type = -1;
            }
         
            if (!type && currentServer && IsConnected(currentServer)) {
               OriginalSendProc(currentServer,falseClient_recv+index+3,falseClient_recvLength,0);
            } else if (type == 1) {
               EnterCriticalSection(&falseClient_recvInjectSection);
               memcpy(falseClient_recvInject+falseClient_recvInjectLength,falseClient_recv+index+3,falseClient_recvLength);
               falseClient_recvInjectLength += falseClient_recvLength;
               LeaveCriticalSection(&falseClient_recvInjectSection);
            }
            index += falseClient_recvLength + 3;
         }
         falseClient_timeout = GetTickCount();
      }
      if (falseClient_sendLength) {
         EnterCriticalSection(&falseClient_sendSection);
         OriginalSendProc(falseClient,falseClient_send,falseClient_sendLength,0);
         falseClient_sendLength = 0;
         LeaveCriticalSection(&falseClient_sendSection);
      }
      if (GetTickCount() - falseClient_send_timeout >= FALSECLIENT_SEND_TIMEOUT) {
         EnterCriticalSection(&falseClient_sendSection);
         OriginalSendProc(falseClient,keepAlivePacket,3,0);
         LeaveCriticalSection(&falseClient_sendSection);
         falseClient_send_timeout = GetTickCount();
      }
      Sleep(100);
   }
}


PROC HookImportedFunction(HMODULE hModule,     //Module to intercept calls from
             PSTR FunctionModule, //The dll file that contains the function you want to hook
             PSTR FunctionName,   //The function that you want to hook
             PROC pfnNewProc)     //New function, this gets called instead
{
    PROC pfnOriginalProc;
    IMAGE_DOS_HEADER *pDosHeader;
    IMAGE_NT_HEADERS *pNTHeader;
    IMAGE_IMPORT_DESCRIPTOR *pImportDesc;
    IMAGE_THUNK_DATA *pThunk;

    if ( IsBadCodePtr(pfnNewProc) ) return 0;
   if (OriginalGetProcAddressProc) {
      pfnOriginalProc = OriginalGetProcAddressProc(GetModuleHandle(FunctionModule), FunctionName);
   } else {
      pfnOriginalProc = GetProcAddress(GetModuleHandle(FunctionModule), FunctionName);
   }
    if(!pfnOriginalProc) return 0;

    pDosHeader = (PIMAGE_DOS_HEADER)hModule;

    if ( IsBadReadPtr(pDosHeader, sizeof(IMAGE_DOS_HEADER)) )
        return 0;
    if ( pDosHeader->e_magic != IMAGE_DOS_SIGNATURE )
        return 0;

   pNTHeader = MakePtr(PIMAGE_NT_HEADERS, pDosHeader, pDosHeader->e_lfanew);
   
    if ( IsBadReadPtr(pNTHeader, sizeof(IMAGE_NT_HEADERS)) )
        return 0;

    if ( pNTHeader->Signature != IMAGE_NT_SIGNATURE )
        return 0;

    pImportDesc = MakePtr(PIMAGE_IMPORT_DESCRIPTOR, pDosHeader,
                            pNTHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);

    if ( pImportDesc == (PIMAGE_IMPORT_DESCRIPTOR)pNTHeader )
        return 0;
   

    while ( pImportDesc->Name )
    {
      
        PSTR pszModName = MakePtr(PSTR, pDosHeader, pImportDesc->Name);
       
        if ( stricmp(pszModName, FunctionModule) == 0 )
            break;

        pImportDesc++; 
    }   

    pNTHeader = MakePtr(PIMAGE_NT_HEADERS, pDosHeader, pDosHeader->e_lfanew);
    if ( pImportDesc->Name == 0 )
        return 0;

    pThunk = MakePtr(PIMAGE_THUNK_DATA, pDosHeader, pImportDesc->FirstThunk);

   MEMORY_BASIC_INFORMATION mbi_thunk;

   while ( pThunk->u1.Function )
    {
      if ( (DWORD)pThunk->u1.Function == (DWORD)pfnOriginalProc)
        {
            VirtualQuery(pThunk, &mbi_thunk, sizeof(MEMORY_BASIC_INFORMATION));
         if (FALSE == VirtualProtect(mbi_thunk.BaseAddress, mbi_thunk.RegionSize, PAGE_READWRITE, &mbi_thunk.Protect)) {
               return 0;
         }
         DWORD * pTemp = (DWORD*)&pThunk->u1.Function;
         *pTemp = (DWORD)(pfnNewProc);

         VirtualProtect(mbi_thunk.BaseAddress, mbi_thunk.RegionSize,mbi_thunk.Protect, NULL);
            
         break;
      }
        pThunk++;
    }
   SYSTEM_INFO si;
   DWORD i;
   byte *data = NULL;
   GetSystemInfo(&si);
   LPVOID lpMem = si.lpMinimumApplicationAddress;
   while (lpMem < si.lpMaximumApplicationAddress) {
      VirtualQuery(lpMem, &mbi_thunk,sizeof(MEMORY_BASIC_INFORMATION));

      if ((DWORD)mbi_thunk.BaseAddress <= (DWORD)pDosHeader + pNTHeader->OptionalHeader.SizeOfImage
         && mbi_thunk.State == MEM_COMMIT && mbi_thunk.RegionSize > 0 && !(mbi_thunk.Protect & PAGE_GUARD)) {

         if (VirtualProtect(mbi_thunk.BaseAddress, mbi_thunk.RegionSize, PAGE_READWRITE, &mbi_thunk.Protect)) {
            data = (byte*)mbi_thunk.BaseAddress;
            for (i = 0; i < mbi_thunk.RegionSize - 3; i++) {
               
               if (*(DWORD*)(data+i) == (DWORD)pfnOriginalProc) {
                  *(DWORD*)(data+i) = (DWORD)pfnNewProc;
               }
               
            }
         VirtualProtect(mbi_thunk.BaseAddress, mbi_thunk.RegionSize,mbi_thunk.Protect, NULL);
         }
      }
      lpMem = MakePtr(LPVOID, mbi_thunk.BaseAddress, mbi_thunk.RegionSize+1);
   }
   
    return pfnOriginalProc;
}

int WINAPI MyWSASend (
  SOCKET s,
  LPWSABUF lpBuffers,
  DWORD dwBufferCount,
  LPDWORD lpNumberOfBytesSent,
  DWORD dwFlags,
  LPWSAOVERLAPPED lpOverlapped,
  LPWSAOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine
) {
   
   int ret = OriginalWSASendProc(s,lpBuffers,dwBufferCount,lpNumberOfBytesSent,dwFlags,lpOverlapped,lpCompletionRoutine);
   return ret;
}

int WINAPI MyWSASendTo (
  SOCKET s,
  LPWSABUF lpBuffers,
  DWORD dwBufferCount,
  LPDWORD lpNumberOfBytesSent,
  DWORD dwFlags,
  struct sockaddr* lpTo,
  int iToLen,
  LPWSAOVERLAPPED lpOverlapped,
  LPWSAOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine
) {
   int ret = OriginalWSASendToProc(s,lpBuffers,dwBufferCount,lpNumberOfBytesSent,dwFlags,lpTo,iToLen,lpOverlapped,lpCompletionRoutine);
   return ret;
}

int WINAPI MyWSARecv (
  SOCKET s,
  LPWSABUF lpBuffers,
  DWORD dwBufferCount,
  LPDWORD lpNumberOfBytesRecvd,
  LPDWORD lpFlags,
  LPWSAOVERLAPPED lpOverlapped,
  LPWSAOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine
  ) {
   
   int ret = OriginalWSARecvProc(s,lpBuffers,dwBufferCount,lpNumberOfBytesRecvd,lpFlags,lpOverlapped,lpCompletionRoutine);
   return ret;
}

int WINAPI MyWSARecvFrom (
  SOCKET s,
  LPWSABUF lpBuffers,
  DWORD dwBufferCount,
  LPDWORD lpNumberOfBytesRecvd,
  LPDWORD lpFlags,
  struct sockaddr* lpFrom,
  LPINT lpFromlen,
  LPWSAOVERLAPPED lpOverlapped,
  LPWSAOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine
  ) {

   int ret = OriginalWSARecvFromProc(s,lpBuffers,dwBufferCount,lpNumberOfBytesRecvd,lpFlags,lpFrom,lpFromlen,lpOverlapped,lpCompletionRoutine);
   return ret;
}

int WINAPI MySend (
  SOCKET s,
  char* buf,
  int len,
  int flags
  ) {
   
   int ret;
   currentServer = s;
   
   ret = OriginalSendProc(s, buf, 0, flags);

   if (ret != SOCKET_ERROR & len > 0 && falseClient_sendLength + len + 3 < MAX_BUFFER_LENGTH) {
      char* newbuf = (char*)malloc(len+3);
      unsigned short sLen = (unsigned short)len;
      memcpy(newbuf,"S",1);
      memcpy(newbuf+1,&sLen,2);
      memcpy(newbuf+3, buf,len);
      EnterCriticalSection(&falseClient_sendSection);
      memcpy(falseClient_send+falseClient_sendLength,newbuf,len+3);
      falseClient_sendLength += len+3;
      LeaveCriticalSection(&falseClient_sendSection);
      free(newbuf);
   } else {
      return ret;
   }
   return len;
}

int WINAPI MySendTo (
  SOCKET s,
  char* buf,
  int len,
  int flags,
  struct sockaddr* to,
  int tolen
  ) {
   int ret = OriginalSendToProc(s,buf,len,flags, to, tolen);
   return ret;
}

int WINAPI MyRecv (
  SOCKET s,
  char* buf,
  int len,
  int flags
  ) {
   int ret = 0;
   int ret2 = 0;
   currentServer = s;
   if (falseClient_recvInjectLength) {
      EnterCriticalSection(&falseClient_recvInjectSection);
      memcpy(buf,falseClient_recvInject,falseClient_recvInjectLength);
      ret = falseClient_recvInjectLength;
      falseClient_recvInjectLength = 0;
      LeaveCriticalSection(&falseClient_recvInjectSection);
   }
   ret2 = OriginalRecvProc(s, buf+ret, len, flags);
   if (ret2 != SOCKET_ERROR && ret2>0 && falseClient_sendLength + ret2 + 1 < MAX_BUFFER_LENGTH) {
      char* newbuf = (char*)malloc(ret2+3);
      unsigned short sLen = (unsigned short)ret2;
      memcpy(newbuf,"R",1);
      memcpy(newbuf+1, &sLen,2);
      memcpy(newbuf+3, buf+ret,ret2);
      EnterCriticalSection(&falseClient_sendSection);
      memcpy(falseClient_send+falseClient_sendLength,newbuf,ret2+3);
      falseClient_sendLength += ret2+3;
      LeaveCriticalSection(&falseClient_sendSection);
      free(newbuf);
   }
   if (ret2 != SOCKET_ERROR) {
      ret += ret2;
   }
   if (!ret) {
      ret = SOCKET_ERROR;
      WSASetLastError(WSAEWOULDBLOCK);
   }
   return ret;
}

int WINAPI MyRecvFrom (
  SOCKET s,
  char* buf,
  int len,
  int flags,
  struct sockaddr* from,
  int* fromlen
  ) {
   int ret = OriginalRecvFromProc(s,buf,len,flags,from,fromlen);
   return ret;
}

int WINAPI MyConnect (
  SOCKET s,
  struct sockaddr* name,
  int namelen
  ) {
   currentServer = s;
   int ret = OriginalConnectProc(s, name, namelen);
   return ret;
   
}

int WINAPI MyWSAAsyncSelect (
  SOCKET s,
  HWND hWnd,
  unsigned int wMsg,
  long lEvent
  ) {
   currentServer = s;
   OriginalWSAAsyncSelectProc(s,hWnd,wMsg, lEvent);
   return 0;
}

FARPROC WINAPI MyGetProcAddress (
  HMODULE hModule,
  LPCSTR lpProcName
  ) {
   FARPROC ret = OriginalGetProcAddressProc(hModule,lpProcName);
   HMODULE WS2_32 = LoadLibrary("WS2_32.DLL");
   if (hModule == WS2_32) {
      if (!stricmp(lpProcName, "WSASend")) {
         OriginalWSASendProc = (MyWSASendProc)ret;
         ret = (FARPROC)MyWSASend;

      } else if (!stricmp(lpProcName, "WSASendTo")) {
         OriginalWSASendToProc = (MyWSASendToProc)ret;
         ret = (FARPROC)MyWSASendTo;

      } else if (!stricmp(lpProcName, "WSARecv")) {
         OriginalWSARecvProc = (MyWSARecvProc)ret;
         ret = (FARPROC)MyWSARecv;

      } else if (!stricmp(lpProcName, "WSARecvFrom")) {
         OriginalWSARecvFromProc = (MyWSARecvFromProc)ret;
         ret = (FARPROC)MyWSARecvFrom;
   
      } else if (!stricmp(lpProcName, "send")) {
         OriginalSendProc = (MySendProc)ret;
         ret = (FARPROC)MySend;

      } else if (!stricmp(lpProcName, "sendto")) {
         OriginalSendToProc = (MySendToProc)ret;
         ret = (FARPROC)MySendTo;

      } else if (!stricmp(lpProcName, "recv")) {
         OriginalRecvProc = (MyRecvProc)ret;
         ret = (FARPROC)MyRecv;

      } else if (!stricmp(lpProcName, "recvfrom")) {
         OriginalRecvFromProc = (MyRecvFromProc)ret;
         ret = (FARPROC)MyRecvFrom;

      } else if (!stricmp(lpProcName, "connect")) {
         OriginalConnectProc = (MyConnectProc)ret;
         ret = (FARPROC)MyConnect;

      } else if (!stricmp(lpProcName, "WSAAsyncSelect")) {
         OriginalWSAAsyncSelectProc = (MyWSAAsyncSelectProc)ret;
         ret = (FARPROC)MyWSAAsyncSelect;
      }
   }
    return ret;
}

BOOL DoHookProcs()
{

   OriginalWSASendProc = (MyWSASendProc)
                           HookImportedFunction( GetModuleHandle(0), "WS2_32.DLL", "WSASend", (PROC)MyWSASend);
   
   OriginalWSASendToProc = (MyWSASendToProc)
                           HookImportedFunction( GetModuleHandle(0), "WS2_32.DLL", "WSASendTo", (PROC)MyWSASendTo);

   OriginalWSARecvProc = (MyWSARecvProc)
                           HookImportedFunction( GetModuleHandle(0), "WS2_32.DLL", "WSARecv", (PROC)MyWSARecv);

   OriginalWSARecvFromProc = (MyWSARecvFromProc)
                           HookImportedFunction( GetModuleHandle(0), "WS2_32.DLL", "WSARecvFrom", (PROC)MyWSARecvFrom);

   OriginalSendProc = (MySendProc)
                           HookImportedFunction( GetModuleHandle(0), "WS2_32.DLL", "send", (PROC)MySend);

   OriginalSendToProc = (MySendToProc)
                           HookImportedFunction( GetModuleHandle(0), "WS2_32.DLL", "sendto", (PROC)MySendTo);

   OriginalRecvProc = (MyRecvProc)
                           HookImportedFunction( GetModuleHandle(0), "WS2_32.DLL", "recv", (PROC)MyRecv);

   OriginalRecvFromProc = (MyRecvFromProc)
                           HookImportedFunction( GetModuleHandle(0), "WS2_32.DLL", "recvfrom", (PROC)MyRecvFrom);

   OriginalConnectProc = (MyConnectProc)
                           HookImportedFunction( GetModuleHandle(0), "WS2_32.DLL", "connect", (PROC)MyConnect);

   OriginalWSAAsyncSelectProc = (MyWSAAsyncSelectProc)
                           HookImportedFunction( GetModuleHandle(0), "WS2_32.DLL", "WSAAsyncSelect", (PROC)MyWSAAsyncSelect);

   OriginalGetProcAddressProc = (MyGetProcAddressProc)
                           HookImportedFunction( GetModuleHandle(0), "KERNEL32.DLL", "GetProcAddress", (PROC)MyGetProcAddress);

   return true;
}

BOOL WINAPI DllMain(HINSTANCE hInstance, DWORD dwReason, LPVOID _Reserved)
{
   switch(dwReason)
   {
   case DLL_PROCESS_ATTACH:
      g_hInst = hInstance;
      falseClient_send = (char*)malloc(MAX_BUFFER_LENGTH);
      falseClient_sendLength = 0;
      falseClient_recvInject = (char*)malloc(MAX_BUFFER_LENGTH);
      falseClient_recvInjectLength = 0;
      currentServer = 0;
      WSAStartup(MAKEWORD(2,2),&WSAData);
      InitializeCriticalSection(&falseClient_sendSection);
      InitializeCriticalSection(&falseClient_recvInjectSection);
      CreateThread(0, 0, (LPTHREAD_START_ROUTINE)falseClientCom, 0,   0, &falseClientComId);
      DoHookProcs();
      break;

   case DLL_THREAD_ATTACH:
      break;

   case DLL_THREAD_DETACH:
      break;

   case DLL_PROCESS_DETACH:
      break;
   }

   return true;
}
[/code]
michen
 
Posts: 6
Joined: Sat May 01, 2004 5:23 pm

Next

Return to madCodeHook

Who is online

Users browsing this forum: No registered users and 3 guests