All geek questions in one place

Connect winsock to C ++

I am trying to connect winsock send and recv to read all the process traffic. I am inserting the following code as a dll inside the target process

#include "dll.h" #include <windows.h> #include <winsock2.h> #include <iostream> #include <fstream> #pragma comment(lib, "ws2_32.lib") using namespace std; DllClass::DllClass() { } DllClass::~DllClass () { } BYTE hook[6]; BYTE hook2[6]; BYTE jmp[6] = { 0xe9,0x00, 0x00, 0x00, 0x00 ,0xc3 }; ofstream myfile; ofstream myfile2; DWORD HookFunction(LPCSTR lpModule, LPCSTR lpFuncName, LPVOID lpFunction, unsigned char *lpBackup) { DWORD dwAddr = (DWORD)GetProcAddress(GetModuleHandle(lpModule), lpFuncName); ReadProcessMemory(GetCurrentProcess(), (LPVOID)dwAddr, lpBackup, 6, 0); DWORD dwCalc = ((DWORD)lpFunction - dwAddr - 5); memcpy(&jmp[1], &dwCalc, 4); WriteProcessMemory(GetCurrentProcess(), (LPVOID)dwAddr, jmp, 6, 0); return dwAddr; } BOOL UnHookFunction(LPCSTR lpModule, LPCSTR lpFuncName, unsigned char *lpBackup) { DWORD dwAddr = (DWORD)GetProcAddress(GetModuleHandle(lpModule), lpFuncName); if (WriteProcessMemory(GetCurrentProcess(), (LPVOID)dwAddr, lpBackup, 6, 0)) return TRUE; return FALSE; } int nSend(SOCKET s, const char *buf, int len,int flags){ UnHookFunction("ws2_32.dll", "send", hook); int result = send(s,buf,len,flags); myfile.open ("C:\\tmp\\log.txt",ios::app | ios::binary); myfile << buf; myfile.close(); HookFunction("ws2_32.dll", "send", (LPVOID*) nSend, hook); return result; } int nRecv(SOCKET s, char* buf, int len, int flags) { UnHookFunction("ws2_32.dll", "recv", hook2); DWORD tmp; len = recv(s, buf, len, flags); if (len > 0) { myfile2.open ("C:\\tmp\\log.txt",ios::app | ios::binary); myfile2 << buf; myfile2.close(); } HookFunction("ws2_32.dll", "recv", (LPVOID*) nRecv, hook2); return len; } void fun(){ // <-- this is called after the DLL has been injected HookFunction("ws2_32.dll", "send", (LPVOID*) nSend, hook); HookFunction("ws2_32.dll", "recv", (LPVOID*) nRecv, hook2); } BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) { switch (ul_reason_for_call) { case DLL_PROCESS_ATTACH: case DLL_THREAD_ATTACH: case DLL_THREAD_DETACH: case DLL_PROCESS_DETACH: break; } return TRUE; }

This works in some cases, and in some cases not. If I enter it into filezilla ftp, it works like a charm and writes everything sent or received to a file.

But in almost all other programs (Internet Explorer, firefox usw.) it just writes a few bytes to a file, and then the process crashes ...

Does anyone know what is going wrong?

+3
source share
2 answers

Be sure to use the correct calling convention for your connected functions. The default calling convention is usually __cdecl. However, 'send' and 'recv' use __stdcall ( #define WINAPI __stdcall )

The main difference between the two:

When a function uses __cdecl, the caller is responsible for clearing the stack. However, when a function uses __stdcall, the called function is responsible for clearing the stack.

 int WINAPI nSend(SOCKET s, const char *buf, int len,int flags); int WINAPI nRecv(SOCKET s, char* buf, int len, int flags)

See here for more details.

+3
source

Ok Now it works, even with DataExecutionPrevention enabled. If anyone has a similar problem in the future, here is the working code:

dllmain.cpp:

 #include "dll.h" #include <windows.h> #include <winsock2.h> #include <iostream> #include <fstream> #pragma comment(lib, "ws2_32.lib") using namespace std; DllClass::DllClass() { } DllClass::~DllClass () { } BYTE hook[6]; BYTE hook2[6]; BYTE jmp[6] = { 0xe9,0x00, 0x00, 0x00, 0x00 ,0xc3 }; ofstream myfile; ofstream myfile2; DWORD pPrevious; DWORD HookFunction(LPCSTR lpModule, LPCSTR lpFuncName, LPVOID lpFunction, unsigned char *lpBackup) { DWORD dwAddr = (DWORD)GetProcAddress(GetModuleHandle(lpModule), lpFuncName); ReadProcessMemory(GetCurrentProcess(), (LPVOID)dwAddr, lpBackup, 6, 0); DWORD dwCalc = ((DWORD)lpFunction - dwAddr - 5); VirtualProtect((void*) dwAddr, 6, PAGE_EXECUTE_READWRITE, &pPrevious); memcpy(&jmp[1], &dwCalc, 4); WriteProcessMemory(GetCurrentProcess(), (LPVOID)dwAddr, jmp, 6, 0); VirtualProtect((void*) dwAddr, 6, pPrevious, &pPrevious); FlushInstructionCache(GetCurrentProcess(),0,0); return dwAddr; } BOOL UnHookFunction(LPCSTR lpModule, LPCSTR lpFuncName, unsigned char *lpBackup) { DWORD dwAddr = (DWORD)GetProcAddress(GetModuleHandle(lpModule), lpFuncName); if (WriteProcessMemory(GetCurrentProcess(), (LPVOID)dwAddr, lpBackup, 6, 0)) return TRUE; FlushInstructionCache(GetCurrentProcess(),0,0); return FALSE; } int __stdcall nSend(SOCKET s, const char *buf, int len,int flags){ UnHookFunction("ws2_32.dll", "send", hook); int result = send(s,buf,len,flags); myfile.open ("C:\\tmp\\log.txt",ios::app | ios::binary); myfile << buf; myfile.close(); HookFunction("ws2_32.dll", "send", (LPVOID*) nSend, hook); return result; } int __stdcall nRecv(SOCKET s, char* buf, int len, int flags) { UnHookFunction("ws2_32.dll", "recv", hook2); DWORD tmp; len = recv(s, buf, len, flags); if (len > 0) { myfile2.open ("C:\\tmp\\log.txt",ios::app | ios::binary); myfile2 << buf; myfile2.close(); } HookFunction("ws2_32.dll", "recv", (LPVOID*) nRecv, hook2); return len; } void fun(){ HookFunction("ws2_32.dll", "send", (LPVOID*) nSend, hook); HookFunction("ws2_32.dll", "recv", (LPVOID*) nRecv, hook2); } BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) { switch (ul_reason_for_call) { case DLL_PROCESS_ATTACH: HookFunction("ws2_32.dll", "send", (LPVOID*) nSend, hook); HookFunction("ws2_32.dll", "recv", (LPVOID*) nRecv, hook2); case DLL_THREAD_ATTACH: case DLL_THREAD_DETACH: case DLL_PROCESS_DETACH: break; } return TRUE; }

dll.h

 #ifndef _DLL_H_ #define _DLL_H_ #if BUILDING_DLL # define DLLIMPORT __declspec (dllexport) #else /* Not BUILDING_DLL */ # define DLLIMPORT __declspec (dllimport) #endif /* Not BUILDING_DLL */ class DLLIMPORT DllClass { public: DllClass(); virtual ~DllClass(void); private: }; extern "C" __declspec(dllexport) void fun(); #endif /* _DLL_H_ */

Tested and works with almost all programs on Win XP 32bit and some programs on Win 7 x64

+3
source

Source: https://habr.com/ru/post/1245642/

More articles:


All Articles