Hooking Send

Ok I also have been working on my skills for sometime also.
Now I tried hooking send() I done it with a dll, but I decided to try with an eexecutable, in the sense that when the executable is clicked it hooks send() and logs the data to a text file. Tried something, didn't log the data let alone create the file, but it compiles without issues.

I need help, can someone be of a helping hand
closed account (13bSLyTq)
Yes, this is an stupid way to go about it first you must globalize the hook or else it will fail as you have executed it locally while other processes are in memory-hyperspace and not in its local memory thus it is failing.

You must inject this hook into the process using a PE injection equip with an code-cave injection. Then try the same test and I'm sure it should work if done correctly.
Last edited on
Hmmmm, nice. Except that I am just trying out things, like with this
[Code]
If (dwReason ==DLL_PROCESS_ATTACH)
{
ApiHook();
}
[/code]

Like. The injector I use doesn't inject normally as I don't see a reaction of the code I bootstrapped into a dll. That's why I needed it to be loaded like an executable, don't be offended @Orionmaster
closed account (13bSLyTq)
Okay first have you ever used an "Disassembler" its an useful tool when hooking I strongly advise you to learn that trick.

I use Immunity Debugger & Ollydbg. These are perhaps best external debuggers but VS debugger is also brilliant.

Next, can you explain that again I did not understand what you meant.
Last edited on
Ok, I am downloading the immunity debugger, except I don't know how to use it, I used to think when you inject your code to a process, it would react inside the same process without the assistance of a third party application, as is, I am downloading it tho.
I have a source code of an injector, what I don't understand is, why I inject into a process and it doesn't execute the code as I have asked it to,

Like I do something like

 
MessageBoxA(NULL,"hooked Data",buf,MB_OK);


To show the hooked buffer in a messageBox, doesn't throw that back. I was trying to inject the code into firefox, ran my Xampp (since it has UDP, send(), recv()) so I wanted to see if it would show it in a message box

All this I wanted to try, that's why It looks like I been trying out and failing. Need some good explanation on these.

Grateful for your help.
closed account (13bSLyTq)
Hi,

I have heard that you have converted the DLL into an EXE and executables cannot be executed inside process space of other processes except using PE file injection which I bet does not run via your injector therefore it fails. That being said you must inject the hook code and callback using code-cave injection has has been custom designed by yourself through your executable. Or even add an PE module injector to the preexisting injector.

To carry on, have you checked the base address for the injected file or DLL then actually see if the EIP even hits the base address using breakpoints. Furthermore, if it does then you should check to see if the installing hook code works to do this simply check the address of the function send() and if there is an JMP to the prologue to your callback then your successful and I suspect it is not successful so you must give me the details of the location of unsuccess is it:

1. The injector is not PE portable and cannot execute your executable inside the other process memory space?
2. The base address is not even being executed by the EIP.

If you give the correct details I can help else I am left guessing and cannot accurately assist you in why it is failing.

I am trying my best to try and help.

To learn how to use Immunity debugger: http://resources.infosecinstitute.com/debugging-fundamentals-for-exploit-development/
Last edited on
Very obvious, my injector doesn't have the PE injector, obviously that could be the possible problem.
Is there a source code or something I can learn from (if you have any) I would be happy to learn.

I haven't checked for base address, possibly that will be done with a debugger or something.
Possibly I paste my source code, maybe you see where I have errors. Tho it compiles without any problems.
Last edited on
closed account (13bSLyTq)
Yes I do have an article you can read to understand more about PE injections:
http://www.sevagas.com/?PE-injection-explained

You should do once you add this feature in see if it works then and else you must inspect using your debugger.
@OrionMaster,

I am very grateful for your assistance, here is the source code for the dynamic Link library written in C, i decided to paste the source so you can see for your own viewing, i wanted to know if i am taking the necessary steps towards the Hooking technique, and employing the newsend() to save the logs and redirect to the main function send()

Since i am quite new to this i wanted to be sure of what i am doing and if i am doing it correctly, my code goes thus :

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
#include <stdio.h>
#include <stdlib.h>
#include <Winsock.h>

#pragma comment (lib,"ws2_32.lib")

typedef int (*WINAPI oldsend)(SOCKET s,const char* buf,int len,int flags);

BYTE hook[6];

void ApiHook(LPSTR Module,LPCSTR OldFunc,LPVOID NewFunc, unsigned char *backup)
{
  DWORD dwProtect;
  HINSTANCE hLib = LoadLibrary(Module);
  DWORD OldFuncAddr = (DWORD)GetProcAddress(hLib, OldFunc);
  DWORD NewFuncAddr = (DWORD)NewFunc;

  BYTE jmp[6] = {0xE9,0x00,0x00,0x00,0x00,0xC3};

  DWORD jmpAddr = (NewFuncAddr - OldFuncAddr) - 5;
  memcpy(&jmp[1],&jmpAddr,4);

  VirtualProtect((LPVOID)OldFuncAddr,6,PAGE_EXECUTE_READWRITE,&dwProtect);
  WriteProcessMemory(GetCurrentProcess(),(LPVOID)OldFuncAddr,jmp,6,0);
  VirtualProtect((LPVOID)OldFuncAddr,6,dwProtect,&dwProtect);

}

int WINAPI newsend(SOCKET s,const char* buf,int len,int flags)
{
//Save log of Send() Function.
 FILE *buffile;
 buffile = fopen("logs.txt","w");
 fprintf(buffile,"%s",buf);
 fclose(buffile);
return send(s,buf,len,flags);
}

BOOL WINAPI DLLMain(HINSTANCE hInst,DWORD dwReason,LPVOID reserved)
{
if (dwReason ==DLL_PROCESS_ATTACH)
{
//Employ Hook Function
ApiHook("ws2_32.dll","send",newsend,hook);

return 0;
}
}


Doesnt throw any errors, just pops up some Warnings that look like this.

1
2
3
Warning1warning C4229: anachronism used : modifiers on data are ignored
Warning2warning C4715: 'DLLMain' : not all control paths return a value


With This I have shown you, do i appear to be doing it correctly? thats all i want to know.

Thanking you again for your assistance.

Regards,
Tim (M0mathur)
Last edited on
closed account (13bSLyTq)
Hi,

I have analysed and tested this code and I will announce that the hook code works successfully:

http://i.imgur.com/ZXid7i4.png

As you see there is an jump there to your callback, therefore successful.
Yay! Thanks boss you the best of the best @Orionmaster. You the best.
Topic archived. No new replies allowed.