Unable to hook winsock2 recv() #315

Closed
rayzorben opened this issue May 21, 2024 · 1 comment
rayzorben commented May 21, 2024

I am able to hook the send() function and have it working, but the recv() function does not seem to hook. First, to verify, I used API Monitor to check that the application is indeed calling recv. Nothing is logged to the file (appendToFile works in the hooked send when I was using it).

[image attachment]

Here is the DllMain where I attach. DetourTransactionCommit returns successfully.

```cpp
#include <winsock2.h>
#include <windows.h>
#include <detours.h>
#include <cstdio>

// Helpers and globals defined elsewhere in the project; signatures inferred from how they are used here
void LoadProxy();
void appendToFile(const char *path, const char *msg);
extern PROCESS_INFORMATION pi;   // the proxy process started by LoadProxy
extern HANDLE proxyPipe;
int WINAPI HookedSend(SOCKET s, const char *buf, int len, int flags);
int WINAPI HookedRecv(SOCKET s, char *buf, int len, int flags);

// Trampolines: initialised to the real functions, redirected by DetourAttach
static int (WINAPI *MegaRecv)(SOCKET s, char *buf, int len, int flags) = recv;
static int (WINAPI *MegaSend)(SOCKET s, const char *buf, int len, int flags) = send;

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
{
    if (DetourIsHelperProcess())
    {
        return TRUE;
    }
    LONG error;
    switch (fdwReason)
    {
    case DLL_PROCESS_ATTACH:
        // Hook the send and recv functions
        LoadProxy();

        DetourTransactionBegin();
        DetourUpdateThread(GetCurrentThread());
        DetourAttach(&(PVOID &)MegaSend, HookedSend);
        DetourAttach(&(PVOID &)MegaRecv, HookedRecv);
        error = DetourTransactionCommit();

        if (error == NO_ERROR)
        {
            appendToFile(".\\log.txt", "Hooks attached.");
        }
        else
        {
            // "Hooks not attached: " + error is pointer arithmetic on the string literal,
            // not concatenation; format the error code into a buffer instead
            char msg[64];
            snprintf(msg, sizeof(msg), "Hooks not attached: %ld", error);
            appendToFile(".\\log.txt", msg);
        }
        break;

    case DLL_PROCESS_DETACH:
        // Unhook the functions
        DetourTransactionBegin();
        DetourUpdateThread(GetCurrentThread());
        DetourDetach(&(PVOID &)MegaSend, HookedSend);
        DetourDetach(&(PVOID &)MegaRecv, HookedRecv);
        DetourTransactionCommit();
        appendToFile(".\\log.txt", "Detaching process.");

        // Terminate the proxy process
        if (pi.hProcess != NULL)
        {
            TerminateProcess(pi.hProcess, 0);
        }

        CloseHandle(pi.hProcess);
        CloseHandle(pi.hThread);
        CloseHandle(proxyPipe);

        break;
    }
    return TRUE;
}
```

Here are my hooked send and receive functions:

```cpp
#include <winsock2.h>
#include <windows.h>
#include <string>

// Proxy helpers defined elsewhere in the project; signatures inferred from their use here.
// MegaSend and MegaRecv are the trampolines declared next to DllMain.
void SendMessageToProxy(const char *buf, int len);
const char *ReceiveMessageFromProxy(DWORD *bytes);   // returns a new[]-allocated buffer
void appendToFile(const char *path, const char *msg);

// Hooked send function
int WINAPI HookedSend(SOCKET s, const char *buf, int len, int flags)
{
    SendMessageToProxy(buf, len);

    DWORD bytes;
    const char* ret = ReceiveMessageFromProxy(&bytes);

    int result = 0;

    if (bytes > 0) {
        result = MegaSend(s, ret, bytes, flags);
    }

    delete[] ret;
    return (result > 0) ? result : len; // always indicate that we cleared the buffer of the original amount
}

// Hooked recv function
int WINAPI HookedRecv(SOCKET s, char* buf, int len, int flags)
{
    appendToFile(".\\log.txt", "receive");
    // Call the original recv function
    int result = MegaRecv(s, buf, len, flags);

    // Modify the buffer (e.g., log, modify, filter data)
    if (result > 0) {
        // buf is not NUL-terminated: copy exactly `result` bytes before logging
        // (binary data containing NUL bytes will still be cut short by appendToFile)
        std::string received(buf, result);
        appendToFile(".\\receive.txt", received.c_str());
        // Modify buf here if needed
    }
    return result;
}
```
@rayzorben (Author) commented:

In case others come across this. Even though API Monitor said it is doing a recv() it was really doing a WSARecv(). I have no clue why it would say that incorrectly.
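Since the application turned out to be calling WSARecv rather than recv, here is an added example (written for this page, not code from the issue or from Detours) of hooking WSARecv with the same trampoline pattern. It differs from recv in two ways the hook has to handle: the data arrives in a scatter/gather WSABUF array rather than one buffer, and with lpOverlapped set the call can return before the buffers are filled. appendToFile is assumed to be the issue's own helper taking two C strings; the non-Windows stand-in types exist only so the gather logic compiles and can be tested elsewhere.

```cpp
#include <algorithm>
#include <string>
#ifdef _WIN32
#include <winsock2.h>
#include <windows.h>
#include <detours.h>
#else
// Stand-ins so gatherReceived() compiles and can be tested off Windows
// (assumption: only the WSABUF field layout, len then buf, matters here).
typedef unsigned long ULONG;
typedef unsigned long DWORD;
struct WSABUF { ULONG len; char *buf; };
#endif

// WSARecv fills its scatter/gather WSABUF array in order and reports the total
// in *lpNumberOfBytesRecvd. Collect exactly `received` bytes so the logger never
// reads past what the socket delivered, even when the data spans several entries.
std::string gatherReceived(const WSABUF *bufs, DWORD count, DWORD received)
{
    std::string out;
    for (DWORD i = 0; i < count && out.size() < received; ++i) {
        DWORD take = std::min(bufs[i].len, received - (DWORD)out.size());
        out.append(bufs[i].buf, take);
    }
    return out;   // shorter than `received` only if the buffers cannot hold it
}

#ifdef _WIN32
void appendToFile(const char *path, const char *msg);   // the issue's helper (assumed signature)

static int (WINAPI *RealWSARecv)(SOCKET, LPWSABUF, DWORD, LPDWORD, LPDWORD,
                                 LPWSAOVERLAPPED, LPWSAOVERLAPPED_COMPLETION_ROUTINE) = WSARecv;

// Inspect data only when the call completed synchronously: with lpOverlapped set
// the buffers are filled later (completion routine / GetOverlappedResult), not here.
int WINAPI HookedWSARecv(SOCKET s, LPWSABUF bufs, DWORD count, LPDWORD recvd, LPDWORD flags,
                         LPWSAOVERLAPPED ov, LPWSAOVERLAPPED_COMPLETION_ROUTINE routine)
{
    int rc = RealWSARecv(s, bufs, count, recvd, flags, ov, routine);
    if (rc == 0 && ov == NULL && recvd != NULL && *recvd > 0) {
        std::string data = gatherReceived(bufs, count, *recvd);
        appendToFile(".\\receive.txt", data.c_str());   // NUL bytes in data still truncate here
    }
    return rc;
}
// Attach it in the same Detours transaction as the issue's send/recv hooks:
//   DetourAttach(&(PVOID &)RealWSARecv, HookedWSARecv);
#endif
```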
