winsock hooking

c++ / delphi package - dll injection and api hooking

Postby madshi » Fri Jun 04, 2004 6:25 am

Doesn't matter. The dynamic string can hold #0 characters without any problems. SetString doesn't look for #0 characters either; instead we pass in the length of the buffer. So: no problems with #0 chars! :D
madshi
Site Admin
 
Posts: 9664
Joined: Sun Mar 21, 2004 5:25 pm

Postby nildo » Fri Jun 04, 2004 11:01 am

Coooooll! I did not know that!

Mathias, is there any way to realloc memory for a pointer of another process? I am using OpenProcess + WriteProcessMemory to change the packets. How do I change the length of this packet (buffer)? It cannot be done with SetString, because I change the buffer directly in the original buffer of the hooked application.

Thanks a lot !
nildo
 
Posts: 249
Joined: Mon Mar 22, 2004 11:32 am

Postby madshi » Fri Jun 04, 2004 11:24 am

Well, basically you can't. Sorry. When the application calls "recv" and passes in a buffer of a specific size there's no way to reliably increase the length of this buffer. You can change the length when hooking "send" (see my code), but not when hooking "recv". The application that calls "recv" has allocated the buffer, and short of changing the caller's asm code (which would be *very* hard) there's no way to change the buffer size.
madshi
Site Admin
 
Posts: 9664
Joined: Sun Mar 21, 2004 5:25 pm

Postby nildo » Fri Jun 04, 2004 11:44 am

madshi wrote:Well, basically you can't. Sorry. When the application calls "recv" and passes in a buffer of a specific size there's no way to reliably increase the length of this buffer. You can change the length when hooking "send" (see my code), but not when hooking "recv". The application that calls "recv" has allocated the buffer, and short of changing the caller's asm code (which would be *very* hard) there's no way to change the buffer size.


:cry: Thank you!!
nildo
 
Posts: 249
Joined: Mon Mar 22, 2004 11:32 am

hi

Postby legion » Fri Jun 04, 2004 6:45 pm

hi

Thank you all for all the information that you have posted here.
@madshi
I have tried your code but it doesn't work.
Do you know why?
What happens with your code?
I have compiled it successfully, but when I inject it I cannot send any data.


Thank you for all the help that you have given.

@+
legion
 
Posts: 32
Joined: Sat May 15, 2004 7:48 pm

Postby madshi » Fri Jun 04, 2004 8:53 pm

Let us see the whole dll code.
madshi
Site Admin
 
Posts: 9664
Joined: Sun Mar 21, 2004 5:25 pm

hi

Postby legion » Sat Jun 05, 2004 4:08 pm

hi

I have just replaced my sendHookProc with the code that you posted.
This is the code that I used:
Code: Select all
function SendCallback( s: Integer; Buf: Pointer; len, flags: Integer): Integer; stdcall;
var s1 : string;
begin
  SetString(s1, Buf, len);
  ReplaceStr(s1, 'hello', 'reallycool');
  result := sendNextHook(s, pointer(s1), length(s1), flags);
end;


I have also tried this code, adding just the result := 0:
Code: Select all
function SendCallback( s: Integer; Buf: Pointer; len, flags: Integer): Integer; stdcall;
var s1 : string;
begin
result:=0;
while true do begin
  SetString(s1, Buf, len);
  ReplaceStr(s1, 'hello', 'reallycool');
  result := sendNextHook(s, pointer(s1), length(s1), flags)
end
else
begin
Result := sendNextHook(s, Buf, len, flags);
end;
end;


I have tried these two codes but it doesn't work.

Thanks a lot
@+
legion
 
Posts: 32
Joined: Sat May 15, 2004 7:48 pm

Postby madshi » Sat Jun 05, 2004 4:48 pm

What do you mean with "it doesn't work"? What happens? Do you get crashes?
madshi
Site Admin
 
Posts: 9664
Joined: Sun Mar 21, 2004 5:25 pm

hi

Postby legion » Sat Jun 05, 2004 5:13 pm

hi

When I send data, my DLL hook crashes.
I also cannot send any data when I inject my hook DLL.
My DLL contains just the code that I have posted above,
the code that you posted.

@+
legion
 
Posts: 32
Joined: Sat May 15, 2004 7:48 pm

Postby madshi » Sat Jun 05, 2004 5:16 pm

Could you please post the *whole* dll code?
madshi
Site Admin
 
Posts: 9664
Joined: Sun Mar 21, 2004 5:25 pm

hi

Postby legion » Sat Jun 05, 2004 10:05 pm

Hello

Here is my code:


Code: Select all
library ws2hook;

{$IMAGEBASE $58000000}

uses
  windows,madcodehook,winsock,madstrings;

{$R *.res}
var
  sendNextHook: function(s: TSocket; var Buf; len, flags: Integer): Integer; stdcall;

function sendHookProc( s: Integer; Buf: Pointer; len, flags: Integer): Integer; stdcall;
var s1 : string;
begin
result:=0;
while true do
 begin
  SetString(s1, Buf, len);
  ReplaceStr(s1, 'hello', 'reallycool');
  result := sendNextHook(s, pointer(s1), length(s1), flags)
end
else
begin
Result := sendNextHook(s, Buf, len, flags);
end;
end;


begin
hookapi('ws2_32.dll','send', @sendHookProc, @sendNextHook);
hookapi('wsock32.dll','send', @sendHookProc, @sendNextHook);
end.


legion
 
Posts: 32
Joined: Sat May 15, 2004 7:48 pm

Postby madshi » Sun Jun 06, 2004 7:43 am

(1) The declaration of your callback function and of the nextHook function variable must always be 100% identical. It is not in your case. That's probably the reason for the problems.

(2) Don't use the same callback and nextHook variable for two different hooks, that doesn't work. If you have 2 hooks, you also need two callback functions and two nextHook variables.
madshi
Site Admin
 
Posts: 9664
Joined: Sun Mar 21, 2004 5:25 pm

hi

Postby legion » Sun Jun 06, 2004 11:02 am

hi
madshi

I have noticed that the two winsock modules use the same parameters (variables)
for the send function.
Both use this:
Code: Select all
function send(s: TSocket; var Buf; len, flags: Integer): Integer; stdcall;


In another case, when I tested logging the winsock data into a text file,
I hooked it like above with one callback for the two send functions,
and I successfully logged their data at the same time (ws2_32.dll and wsock32.dll).

Also in the send callback I have used one callback for both winsock modules
and I have successfully changed data, but in this case I just changed data to other data of the same length.

That's why I think that one callback for both different send functions isn't the matter? Do you think that? :idea:


(1) The declaration of your callback function and of the nextHook function variable must always be 100% identical. It is not in your case. That's probably the reason for the problems


In your code I have seen that you changed something in their variables;
that is why I used your code for test purposes.
Your code is here:
Code: Select all
function SendCallback( s: Integer; Buf: Pointer; len, flags: Integer): Integer; stdcall;
var s1 : string;
begin
  SetString(s1, Buf, len);
  ReplaceStr(s1, 'hello', 'reallycool');
  result := sendNextHook(s, pointer(s1), length(s1), flags);
end;


In your code you have changed some variables.
You used s1 instead of Buf and also length instead of the real length.
Have you noticed that?
Why didn't you use sizeof(s1) like you advised me and also nildo?

Thank you again.
Hooking winsock is very hard.

@+
legion
 
Posts: 32
Joined: Sat May 15, 2004 7:48 pm

Re: hi

Postby madshi » Sun Jun 06, 2004 12:04 pm

legion wrote:I think that one callback for both different send functions isn't the matter? Do you think that?

It's probably not the cause of the problems you're having. But it's wrong nevertheless.

(1) The declaration of your callback function and of the nextHook function variable must always be 100% identical. It is not in your case. That's probably the reason for the problems

In your code you have changed some variables.
You used s1 instead of Buf and also length instead of the real length.
Have you noticed that?
Why didn't you use sizeof(s1) like you advised me and also nildo?

You don't need to question my code, it's alright. Just read again what I wrote. Do you know what "declaration" means? "Declaration" is the calling convention and the number, names and types of the parameters.
Code: Select all
var      sendNextHook: function(s: TSocket; var Buf;          len, flags: Integer): Integer; stdcall;
function sendHookProc          (s: Integer;     Buf: Pointer; len, flags: Integer): Integer; stdcall;

Do you see that? There are differences and there MUST NOT BE any differences.

Hooking winsock is very hard.

No, it's not. The mistakes you made are not hooking related, nor are they WinSock related. You are making simple normal programming mistakes.
madshi
Site Admin
 
Posts: 9664
Joined: Sun Mar 21, 2004 5:25 pm

Postby nildo » Mon Jun 07, 2004 12:09 pm

One more thing:

Do not hook wsock32.dll; you will get no results, since this DLL calls ws2_32.dll functions. So hook only ws2_32.dll.
nildo
 
Posts: 249
Joined: Mon Mar 22, 2004 11:32 am
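The points made in this thread (identical declarations for the callback and the nextHook variable, one callback/nextHook pair per hook, hooking ws2_32.dll only, SetString being length based, and the recv buffer belonging to the caller) put together in one corrected version of the DLL posted above. This is an added example, not madshi's or legion's code. It assumes madCodeHook's HookAPI and madStrings' ReplaceStr are called exactly as they are in the thread, that string is the byte-oriented AnsiString of the Delphi versions of that time, and it adds a byte-count debug log on recv via OutputDebugString as a hypothetical inspection point.

```delphi
library ws2hook;

{ Added example, not the thread's own code. Assumptions: HookAPI and ReplaceStr
  as used in the thread; string = AnsiString (byte oriented). }

{$IMAGEBASE $58000000}

uses
  Windows, SysUtils, WinSock, madCodeHook, madStrings;

{$R *.res}

type
  { One declaration used for BOTH the nextHook variable and the callback:
    same calling convention, same parameter count, order and types.
    This is the WinSock unit's own prototype for send and recv. }
  TSendRecvFunc = function (s: TSocket; var Buf; len, flags: Integer): Integer; stdcall;

var
  { One nextHook variable per hook; never shared between two hooks. }
  SendNextHook : TSendRecvFunc;
  RecvNextHook : TSendRecvFunc;

function SendHookProc(s: TSocket; var Buf; len, flags: Integer): Integer; stdcall;
var
  data : string;
begin
  if (len <= 0) or (@Buf = nil) then
  begin
    { Nothing to inspect: pass the call through untouched. }
    Result := SendNextHook(s, Buf, len, flags);
    Exit;
  end;

  { SetString copies exactly "len" bytes; embedded #0 bytes are kept,
    because the copy is length based and never looks for a terminator. }
  SetString(data, PAnsiChar(@Buf), len);

  { Content replacement as in the thread; the string may now have a
    different length, which is fine for send because this buffer is ours. }
  ReplaceStr(data, 'hello', 'reallycool');

  { The untyped var parameter needs a variable, not a pointer value, so the
    first byte of the string is passed by reference with its new length. }
  Result := SendNextHook(s, PAnsiChar(data)^, Length(data), flags);

  { send returns the number of bytes accepted. The caller compares that with
    its own "len", so a complete send is reported in the caller's terms;
    partial sends and SOCKET_ERROR are passed back unchanged (assumption
    of this example, not something the thread states). }
  if Result = Length(data) then
    Result := len;
end;

function RecvHookProc(s: TSocket; var Buf; len, flags: Integer): Integer; stdcall;
begin
  Result := RecvNextHook(s, Buf, len, flags);

  { Buf belongs to the caller and holds at most "len" bytes. The data can be
    inspected, or shortened in place by lowering Result, but it can never be
    grown beyond len: that is the limitation madshi describes above. }
  if Result > 0 then
    OutputDebugString(PChar('recv: ' + IntToStr(Result) + ' bytes'));  { hypothetical log }
end;

begin
  { Hook ws2_32.dll only: wsock32.dll forwards to ws2_32.dll, so hooking both
    with one shared callback/nextHook pair is both unnecessary and wrong. }
  HookAPI('ws2_32.dll', 'send', @SendHookProc, @SendNextHook);
  HookAPI('ws2_32.dll', 'recv', @RecvHookProc, @RecvNextHook);
end.
```

Because the callback and the nextHook variable share the single procedural type TSendRecvFunc, the compiler checks the forwarded call's arguments against the real send prototype, which is exactly the mismatch madshi points out in the two-line comparison above. The return-value mapping in SendHookProc is this example's own choice: if it were left out, an application that checks send's result against the length it passed would see a short or over-long send and could misbehave, which is also a useful thing to watch for when inspecting a process that has such a hook installed.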
