All geek questions in one place

EasyHook recv won't hook all packets

I managed to write a semi-working EasyHook example that hooks the recv function. I wrote a form, added the WebBrowser component and launched the application. The problem is that I receive HTTP packets, but if there is a socket, it seems that recv is no longer "intercepting". The problem is that with an external Spystudio application I can get them to connect recv. So what am I missing?

using System; using System.Collections.Generic; using System.Data; using System.Runtime.InteropServices; using System.Threading; using System.Text; using System.Windows.Forms; using System.Diagnostics; using System.IO; using System.Runtime.Remoting; using System.Runtime.Remoting.Channels.Ipc; using EasyHook; namespace flashing { public partial class Form1 : Form,EasyHook.IEntryPoint { public LocalHook CreateRecvHook; public Form1() { InitializeComponent(); } [DllImport("Ws2_32.dll")] static extern int recv( IntPtr socketHandle, IntPtr buf, int count, int socketFlags ); [UnmanagedFunctionPointer(CallingConvention.StdCall, CharSet = CharSet.Unicode, SetLastError = true)] delegate int Drecv( IntPtr socketHandle, IntPtr buf, int count, int socketFlags ); static int recv_Hooked( IntPtr socketHandle, IntPtr buf, int count, int socketFlags) { int bytesCount = recv(socketHandle, buf, count, socketFlags); if (bytesCount > 0) { byte[] newBuffer = new byte[bytesCount]; Marshal.Copy(buf, newBuffer, 0, bytesCount); string s = System.Text.ASCIIEncoding.ASCII.GetString(newBuffer); TextWriter tw = new StreamWriter("log.txt"); tw.Write(s); tw.Close(); Debug.WriteLine("Hooked:>" + s); } return bytesCount; } private void bottonHook_Click(object sender, EventArgs e) { try { CreateRecvHook = LocalHook.Create( LocalHook.GetProcAddress("Ws2_32.dll", "recv"), new Drecv(recv_Hooked), this); CreateRecvHook.ThreadACL.SetExclusiveACL(new Int32[] { 0 }); } catch (Exception ExtInfo) { Debug.WriteLine("Error creating the Hook"); return; } RemoteHooking.WakeUpProcess(); } private void buttonLoader_Click(object sender, EventArgs e) { axShockwaveFlash1.LoadMovie(0, "test.swf"); } } }

edit : I have no doubt in recv, here is what apimonitor says:

 # TID Module API Return Error 5 2696 Flash10l.ocx recv ( 1992, 0x07080000, 65536, 0 ) 1

So can someone help me?

+4
source share
3 answers

The problem is resolved. The problematic line was

 CreateRecvHook.ThreadACL.SetExclusiveACL(new Int32[] { 0 });

I changed it to

 CreateRecvHook.ThreadACL.SetInclusiveACL(new Int32[] { 0 });

and now everything works fine. Thanks everyone :)

+4
source

There are many different functions used with sockets. Perhaps the plugin is not using a function called recv . At the top of my head, I can think of recvfrom , recvmsg , WSARecv , WSARecvFrom , WSARecvMsg , ReadFile , ReadFileEx .

Then the plugin can execute requests with overlapping I / O (possibly complicated by completion procedures or completion ports), in which case the data is not saved during, for example, ReadFile , but after a while. Attracting them would be much more difficult.

+2
source

I wrote a dumping http tool using sharppcs in C #. It uses the winpcap driver. I think these are more reliable tan apihooks.

HTTPSaver (with sources)
Sharpcap
Winpcap

+2
source

Source: https://habr.com/ru/post/1334139/

More articles:


All Articles