How do I hook the winsock send, recv, and connect in c#

tarafından **EMO** Perş. Haz. 02, 2011 8:45 am

I have been injecting a c++ .dll that is able to hook the send, recv functions of winsock, so that I can manipulate the data.

However, I have recenly learned how to get a Windows Form created in a
C# dll (By injecting a c++ .dll that acts as a loader, and loads the
CLR, then calls a method on my managed C# class library)

In this method, I need to hook the winsock functions for send and recv.
I know how to do this in C++, but I have never found any instructions
to do this in c#

Here is my c++ code, so to better illustrate what I am trying to do.

Code:

typedef SOCKET (WINAPI *PSOCKET)(int af, int type, int protocol);

typedef int (WINAPI *PCONNECT)(SOCKET s, const struct sockaddr *address, int namelen);

typedef int (WINAPI *PSEND)(SOCKET s, const char* buf, int len, int flags);

PSOCKET OrigSocket;

PCONNECT OrigConnect;

PSEND OrigSend;

int WINAPI __stdcall MyConnect(SOCKET s, const struct sockaddr *address, int namelen)

{

}

int WINAPI __stdcall MySend(SOCKET s, const char* buf, int len, int flags)

{

}

DWORD APIHook(DWORD HookFunc, DWORD MyFunc, DWORD OrigFunc)

{

unsigned char NewData[5], DetourJump[5], OldData[5];

DWORD OldProtect;

int i;

unsigned char* HookFuncPtr = (unsigned char*) HookFunc;

unsigned char* HookDetour = (unsigned char*)new char[(25)];

for(i = 0; i < 25; i++)

HookDetour = 0x90; //NOP

NewData[0] = 0xE9; //JMP (near)

*(PDWORD)&NewData[1] = (DWORD)((DWORD)MyFunc - ((DWORD)HookFunc + 5));

DetourJump[0] = 0xE9;

*(PDWORD)&DetourJump[1] = (DWORD)((DWORD)HookFunc - ((DWORD)HookDetour + 14 + 5));

VirtualProtectEx(GetCurrentProcess(), (void*)HookFunc, 10, PAGE_EXECUTE_WRITECOPY, &OldProtect);

for(i = 0; i < 5; i++)

{

OldData[i] = HookFuncPtr[i];

HookFuncPtr[i] = NewData[i];

}

VirtualProtectEx(GetCurrentProcess(), (void*)HookFunc, 10, OldProtect, NULL);

VirtualProtectEx(GetCurrentProcess(), (void*)HookDetour, 25, PAGE_EXECUTE_WRITECOPY, &OldProtect);

for(i = 0; i < 5; i++)

HookDetour[i] = OldData[i];

HookDetour[24-5] = DetourJump[0];

HookDetour[24-4] = DetourJump[1];

HookDetour[24-3] = DetourJump[2];

HookDetour[24-2] = DetourJump[3];

HookDetour[24-1] = DetourJump[4];

HookDetour[24] = 0xC3; //RET

VirtualProtectEx(GetCurrentProcess(), (void*)HookDetour, 25, OldProtect, NULL);

OrigFunc = (DWORD)HookDetour;

return OrigFunc;

}

DWORD WINAPI Inject(HINSTANCE hInst /*LPVOID lparam*/)

{

WSADATA wsaData;

WSAStartup(MAKEWORD(1,1), &wsaData);

*(PDWORD)&OrigConnect =
APIHook((DWORD)GetProcAddress(GetModuleHandle((LPCSTR)"Ws2_32.dll"),
"connect"), (DWORD)MyConnect, (DWORD)OrigConnect);

*(PDWORD)&OrigSend =
APIHook((DWORD)GetProcAddress(GetModuleHandle((LPCSTR)"Ws2_32.dll"),
"send"), (DWORD)MySend, (DWORD)OrigSend);

}

Unsafe is only needed if you plan to use direct
access. You can read and write to pointers using the Marshal class and
not have to touch unsafe at all. Basically if you were wanting to deal
with the pointers like C++ does and such. But you can do the same things
using Marshaling if you are injected.

[i]Think of it as memcpy/memset.

Quote:

I
was referring to the functions that "are" the detours (MyConnect,
MySend, MyRecv, MyWSASend, MyWSARecv) rather than the functions that
"create" the detours (Inject, APIHook) when I stated that the functions
must be unmanaged. This is assuming that an abstraction such as EasyHook
is not to be used.

You can do all these in C# / managed code as well. The detours can be
written in managed code without issue. I was writing a Direct3D hook /
wrapper that does this, for example the Direct3DCreate9 detour:

Code:

///

/// Direct3DCreate9 Hook

///

///

///

[UnmanagedFunctionPointer(CallingConvention.StdCall, CharSet = CharSet.Auto, SetLastError = true)]

delegate IntPtr delegate_Direct3DCreate9(ushort SDKVersion);

public IntPtr Mine_Direct3DCreate9(ushort SDKVersion)

{

Debug.Write("[Mine_Direct3DCreate9] Hooked Direct3DCreate9 called.");

this.m_vDirect3D = (IntPtr)DetourManager.Instance["Direct3DCreate9"].CallOriginal(SDKVersion);

return this.m_vDirect3D;

}

Placement:

Code:

// Detour Direct3DCreate9

bool bAttached = DetourManager.Instance.DetourAttach(

"d3d9.dll", "Direct3DCreate9", new delegate_Direct3DCreate9(Mine_Direct3DCreate9), true

);

Then the detour code creates the patch in the function as:

PUSH 0x68 0xFF 0xFF 0xFF 0xFF

RETN 0xC3

Which my Detour manager uses delegate pointers to call the original
functions. All of which are using Marshal calls instead of having to
touch unsafe.

You can create delegates to the real function like:

Code:

Delegate realFunction = Marshal.GetDelegateForFunctionPointer(lpFunctionAddress, lpFunctionDelegate.GetType())

Which you can call with:

Code:

object ret = realFunction.DynamicInvoke(params_here);

Pretty fun stuff to dive into, the Marshal class is nice for stuff like
this if you haven't taken a chance to look into it much: Marshal