winsock hooking

c++ / delphi package - dll injection and api hooking
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

Doesn't matter. The dynamic string can hold #0 characters without any problems. SetString doesn't look for #0 characters either; instead we pass in the length of the buffer. So: no problems with #0 chars! :D
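As an added illustration of the point above (example code, not from madshi or the thread), a small console program that copies the same constructed 8-byte "packet" two ways: with SetString and an explicit length, and through a plain PAnsiChar-to-string conversion. The first copy keeps all 8 bytes, the second stops at the first #0 and keeps 2, and a StringReplace over the full copy still finds the bytes that sit after the #0. It only needs SysUtils.

```pascal
program EmbeddedZero;
{$APPTYPE CONSOLE}
// Added example (not from the thread): shows why SetString with an explicit
// length keeps #0 bytes that a PAnsiChar conversion would cut off.
uses
  SysUtils;

const
  // constructed sample "packet": 8 bytes with #0 bytes at offsets 2 and 5
  Packet: array[0..7] of AnsiChar = ('a', 'b', #0, 'c', 'd', #0, 'e', 'f');

function CopyByLength(p: PAnsiChar; len: Integer): AnsiString;
begin
  // SetString copies exactly len bytes; it never looks for a terminator
  SetString(Result, p, len);
end;

function CopyByTerminator(p: PAnsiChar): AnsiString;
begin
  // the PAnsiChar -> string conversion stops at the first #0
  Result := p;
end;

var
  whole, cut, replaced: AnsiString;
begin
  whole := CopyByLength(@Packet[0], SizeOf(Packet));
  cut := CopyByTerminator(@Packet[0]);
  WriteLn('SetString length:  ', Length(whole));
  WriteLn('terminator length: ', Length(cut));
  // a replace on the full copy still sees the bytes behind the #0
  replaced := StringReplace(whole, 'cd', 'XYZ', [rfReplaceAll]);
  WriteLn('after replace:     ', Length(replaced));
end.
```

The same rule carries over to a hook callback: build the string from the caller's buffer with SetString(s1, Buf, len), and hand Pointer(s1) and Length(s1) back to the original function, never a #0-terminated view of it.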
nildo
Posts: 249
Joined: Mon Mar 22, 2004 11:32 am

Post by nildo »

Cooool! I did not know that!

Mathias, is there any way to realloc memory for a pointer in another process? I am using OpenProcess + WriteProcessMemory to change the packets. How do I change the length of this packet (buffer)? It cannot be done with SetString, because I change the buffer directly in the original buffer of the hooked application.

Thanks a lot !
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

Well, basically you can't. Sorry. When the application calls "recv" and passes in a buffer of a specific size, there's no way to reliably increase the length of this buffer. You can change the length when hooking "send" (see my code), but not when hooking "recv". The application that calls "recv" has allocated the buffer, and short of changing the caller's asm code (which would be *very* hard) there's no way to change the buffer size.
nildo
Posts: 249
Joined: Mon Mar 22, 2004 11:32 am

Post by nildo »

madshi wrote: Well, basically you can't. Sorry. When the application calls "recv" and passes in a buffer of a specific size, there's no way to reliably increase the length of this buffer. You can change the length when hooking "send" (see my code), but not when hooking "recv". The application that calls "recv" has allocated the buffer, and short of changing the caller's asm code (which would be *very* hard) there's no way to change the buffer size.
:cry: Thank you!!
legion
Posts: 32
Joined: Sat May 15, 2004 7:48 pm

hi

Post by legion »

hi

Thank you all for all the information that you have posted here.
@madshi
I have tried your code but it doesn't work?
Do you know why?
What happens with your code?
I have compiled it successfully, but when I inject it I cannot send any data.


Thank you for all the help that you have given.

@+
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

Let us see the whole dll code.
legion
Posts: 32
Joined: Sat May 15, 2004 7:48 pm

hi

Post by legion »

hi

I have just replaced my sendHookProc with the code that you posted.
This is the code that I used:

Code:

function SendCallback( s: Integer; Buf: Pointer; len, flags: Integer): Integer; stdcall; 
var s1 : string; 
begin 
  SetString(s1, Buf, len); 
  ReplaceStr(s1, 'hello', 'reallycool'); 
  result := sendNextHook(s, pointer(s1), length(s1), flags); 
end;
I have also tried this code, adding just result := 0:

Code:

function SendCallback( s: Integer; Buf: Pointer; len, flags: Integer): Integer; stdcall; 
var s1 : string; 
begin 
result:=0;
while true do begin
  SetString(s1, Buf, len); 
  ReplaceStr(s1, 'hello', 'reallycool'); 
  result := sendNextHook(s, pointer(s1), length(s1), flags)
end
else
begin
Result := sendNextHook(s, Buf, len, flags);
end; 
end;
I have tried these two codes but it doesn't work.

Thanks a lot
@+
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

What do you mean with "it doesn't work"? What happens? Do you get crashes?
legion
Posts: 32
Joined: Sat May 15, 2004 7:48 pm

hi

Post by legion »

hi

When I send data my DLL hook crashes.
I also cannot send any data when I inject my hook DLL.
My DLL contains just the code that I have posted above,
the code that you posted.

@+
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

Could you please post the *whole* dll code?
legion
Posts: 32
Joined: Sat May 15, 2004 7:48 pm

hi

Post by legion »

Hello

Here is my code:

Code:

library ws2hook;

{$IMAGEBASE $58000000}

uses
  windows,madcodehook,winsock,madstrings;

{$R *.res}
var
  sendNextHook: function(s: TSocket; var Buf; len, flags: Integer): Integer; stdcall;

function sendHookProc( s: Integer; Buf: Pointer; len, flags: Integer): Integer; stdcall; 
var s1 : string; 
begin
result:=0;
while true do
 begin 
  SetString(s1, Buf, len); 
  ReplaceStr(s1, 'hello', 'reallycool'); 
  result := sendNextHook(s, pointer(s1), length(s1), flags)
end
else
begin
Result := sendNextHook(s, Buf, len, flags);
end; 
end;


begin
hookapi('ws2_32.dll','send', @sendHookProc, @sendNextHook);
hookapi('wsock32.dll','send', @sendHookProc, @sendNextHook);
end.


madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

(1) The declaration of your callback function and of the nextHook function variable must always be 100% identical. It is not in your case. That's probably the reason for the problems.

(2) Don't use the same callback and nextHook variable for two different hooks, that doesn't work. If you have 2 hooks, you also need two callback functions and two nextHook variables.
legion
Posts: 32
Joined: Sat May 15, 2004 7:48 pm

hi

Post by legion »

Hi madshi,

I have noticed that the two winsock modules use the same parameters (variables)
for the send function.
Both use this:

Code:

function send(s: TSocket; var Buf; len, flags: Integer);
In another case, when I tested logging the winsock data into a text file,
I hooked it like above with one callback for the two send functions
and I successfully logged their data at the same time (ws2_32.dll and wsock32.dll).

Also in the send callback I used one callback for both winsock modules
and I successfully changed data, but in this case I just changed data to other data with the same length.

That's why I think that one callback for both different send functions isn't the problem. Do you think so? :idea:

madshi wrote: (1) The declaration of your callback function and of the nextHook function variable must always be 100% identical. It is not in your case. That's probably the reason for the problems
In your code I saw that you changed something in their variables;
that's why I used your code for test purposes.
Your code is here:

Code:

function SendCallback( s: Integer; Buf: Pointer; len, flags: Integer): Integer; stdcall; 
var s1 : string; 
begin 
  SetString(s1, Buf, len); 
  ReplaceStr(s1, 'hello', 'reallycool'); 
  result := sendNextHook(s, pointer(s1), length(s1), flags); 
end;
In your code you changed some variables.
You used s1 instead of Buf and also Length instead of the real length.
Did you notice that?
Why did you not use SizeOf(s1) like you advised me and also nildo?

Thank you again.
Hooking winsock is very hard.

@+
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: hi

Post by madshi »

legion wrote: I think that one callback for both different send functions isn't the problem. Do you think so?
It's probably not the cause of the problems you're having. But it's wrong nevertheless.
legion wrote: (1) The declaration of your callback function and of the nextHook function variable must always be 100% identical. It is not in your case. That's probably the reason for the problems
In your code you changed some variables.
You used s1 instead of Buf and also Length instead of the real length.
Did you notice that?
Why did you not use SizeOf(s1) like you advised me and also nildo?
You don't need to question my code, it's alright. Just read again what I wrote. Do you know what "declaration" means? "Declaration" is the calling convention and the number, names and types of the parameters.

Code:

var      sendNextHook: function(s: TSocket; var Buf;          len, flags: Integer): Integer; stdcall;
function sendHookProc          (s: Integer;     Buf: Pointer; len, flags: Integer): Integer; stdcall;
Do you see that? There are differences and there MUST NOT BE any differences.
legion wrote: Hooking winsock is very hard.
No, it's not. The mistakes you made are not hooking related, nor are they WinSock related. You are making simple normal programming mistakes.
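To show the two rules from madshi's replies in one place (the declaration of callback and nextHook variable must be identical, and every hook needs its own callback/nextHook pair) together with his earlier point that a "recv" caller owns its buffer, here is an added inspection-only hook DLL. It is example code written for this thread, not madshi's or legion's, and is deliberately a monitor: it logs direction, socket, byte count and a hex preview of each send/recv to the debugger via OutputDebugStringA and passes the data through unchanged. It assumes madCodeHook's HookAPI with the argument order used in the posts above; the units Windows, SysUtils and Winsock are the standard Delphi ones, and every other name (SendNextHook, RecvNextHook, SendHookProc, RecvHookProc, LogBytes, HexPreview) is constructed for the example.

```pascal
library ws2inspect;
// Added example (not the code posted by madshi or legion): a ws2_32 send/recv
// inspection hook that follows the two declaration rules from the replies above.
// Assumes madCodeHook's HookAPI(module, api, @callback, @nextHook) as used in
// this thread; all other identifiers are constructed for the example.

uses
  Windows, SysUtils, Winsock, madCodeHook;

var
  // Rule 1: the nextHook variable and its callback carry one identical
  // declaration (same calling convention, parameter names, types and order),
  // copied verbatim from the Winsock unit's send/recv declarations.
  SendNextHook: function(s: TSocket; var Buf; len, flags: Integer): Integer; stdcall;
  // Rule 2: the second hook gets its own nextHook variable and its own callback.
  RecvNextHook: function(s: TSocket; var Buf; len, flags: Integer): Integer; stdcall;

// hex dump of at most the first 16 bytes, for the log line
function HexPreview(const data: AnsiString): AnsiString;
var
  i, n: Integer;
begin
  n := Length(data);
  if n > 16 then
    n := 16;
  Result := '';
  for i := 1 to n do
    Result := Result + AnsiString(IntToHex(Ord(data[i]), 2)) + ' ';
end;

procedure LogBytes(const direction: AnsiString; s: TSocket; p: PAnsiChar; count: Integer);
var
  data: AnsiString;
begin
  // SetString copies exactly count bytes; embedded #0 bytes are kept
  SetString(data, p, count);
  OutputDebugStringA(PAnsiChar(AnsiString(Format('%s socket=%d bytes=%d first=%s',
    [direction, Integer(s), count, HexPreview(data)]))));
end;

function SendHookProc(s: TSocket; var Buf; len, flags: Integer): Integer; stdcall;
begin
  // on send the caller's buffer is already filled: inspect it, then pass it on unchanged
  LogBytes('send', s, PAnsiChar(@Buf), len);
  Result := SendNextHook(s, Buf, len, flags);
end;

function RecvHookProc(s: TSocket; var Buf; len, flags: Integer): Integer; stdcall;
begin
  // on recv the caller owns the buffer and fixed its size with len, so the
  // original must run first, and afterwards only Result bytes are valid
  Result := RecvNextHook(s, Buf, len, flags);
  if Result > 0 then                 // 0 = connection closed, SOCKET_ERROR = failure
    LogBytes('recv', s, PAnsiChar(@Buf), Result);
end;

begin
  // one HookAPI call per hook, each with its own callback/nextHook pair
  HookAPI('ws2_32.dll', 'send', @SendHookProc, @SendNextHook);
  HookAPI('ws2_32.dll', 'recv', @RecvHookProc, @RecvNextHook);
end.
```

Compare the two variable declarations and the two function headers line by line against the madshi comparison above: parameter names, the untyped var Buf, the Integer return and stdcall are the same in all four, which is the check to make before looking anywhere else when a hook DLL crashes. Hooking recv this way also shows why the buffer cannot be grown from the callback: the hook only ever sees the len bytes the caller allocated.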
nildo
Posts: 249
Joined: Mon Mar 22, 2004 11:32 am

Post by nildo »

One more thing:

Do not hook wsock32.dll, you will get no results, since this DLL calls ws2_32.dll functions. So hook only ws2_32.dll.