Can hook send() but not recv()

c++ / delphi package - dll injection and api hooking
dcsoft
Posts: 380
Joined: Sat Dec 11, 2004 2:11 am
Location: San Francisco Bay Area, CA USA

Post by dcsoft »

OK, I've given enough tips on hooking send() here, now I want to hook recv(). But even though

HookAPI("ws2_32.dll", "send", hook_send, (PVOID *) &next_send);
works great (on Windows XP), the following does not!

HookAPI("ws2_32.dll", "recv", hook_recv, (PVOID *) &next_recv);

HookAPI() returns -1 in the second case, and my hook_recv() function does not get called. I am injecting into both Explorer.exe and IExplore.exe, and both the send() hooks fine, but not the recv().

What is the problem here? Under what conditions does HookAPI() return -1?

Thanks much,
David
madshi
Site Admin
Posts: 10764
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

A return value of -1 indicates success.

There are lots of different recv APIs. First we have WinSock 1 and 2. Then we have synchronous and asynchronous APIs. I guess you simply have hooked an API which doesn't get called.

Have a look at some of the older threads in this forum. There's a WinSock spy application somewhere based on madCodeHook. Does that catch the recv calls you're looking for?
dcsoft
Posts: 380
Joined: Sat Dec 11, 2004 2:11 am
Location: San Francisco Bay Area, CA USA

Post by dcsoft »

madshi wrote: A return value of -1 indicates success.
Thanks, I wouldn't have expected that!
madshi wrote: There are lots of different recv APIs. First we have WinSock 1 and 2. Then we have synchronous and asynchronous APIs. I guess you simply have hooked an API which doesn't get called.

Have a look at some of the older threads in this forum. There's a WinSock spy application somewhere based on madCodeHook. Does that catch the recv calls you're looking for?

I used TracePlus/Winsock, and it reported recv() was being called. I seem to recall the threads here also report people hooking recv() for popular apps like IE, and it was fine. I'll have to look at this some more. I'll have to try the madCodeHook-based winsock spy app; thanks for reminding me of that.

If anyone else has successfully hooked recv() for either Internet Explorer or Firefox, please let me know.

Thanks,
David
nildo
Posts: 249
Joined: Mon Mar 22, 2004 11:32 am

Post by nildo »

Yes, I have. Under Win9x you should hook "recv", but under XP > you must hook WSARecv. "send" works under both OSes.

Got it? 8)
dcsoft
Posts: 380
Joined: Sat Dec 11, 2004 2:11 am
Location: San Francisco Bay Area, CA USA

Post by dcsoft »

nildo wrote: Yes, I have. Under Win9x you should hook "recv", but under XP > you must hook WSARecv. "send" works under both OSes.

Got it? 8)
Thanks much Nildo, will try. :greenBalloon:

It is under WinXP that recv() isn't being called. But I wonder why the TracePlus/Winsock reported recv() was being called. Very strange.

Thanks again,
David
nildo
Posts: 249
Joined: Mon Mar 22, 2004 11:32 am

Post by nildo »

dcsoft wrote: But I wonder why the TracePlus/Winsock reported recv() was being called. Very strange.

Maybe they report it just so you can see that the packet is being received... Maybe