hook dll

Hello, I've been trying to create a Winsock send/recv hook DLL which I could inject into programs, but despite my best efforts it just crashes the target program. The DLL compiles without any problems and its test function can be called from all the languages I've tried it with, but for its main purpose it just doesn't work.

Here's the source:

head.h:
#pragma comment(lib, "ws2_32.lib")
#include <stdio.h>
#include <winsock2.h>
#include <ws2tcpip.h>
#include <process.h>
#include <windows.h>

// DLL entry point; on DLL_PROCESS_ATTACH it calls Hook() (see Main.cpp).
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved );
// Resolves send/recv in ws2_32.dll and redirects them to MySend/MyRecv.
void Hook(HINSTANCE hInst);
// Overwrites the first 5 bytes of HookFunc with a JMP to MyFunc and returns
// the address of a heap-allocated trampoline holding the displaced bytes.
// NOTE(review): all three parameters are DWORD (32-bit), so this only carries
// a pointer on a 32-bit build; on x64 the casts in Main.cpp truncate.
DWORD APIHook(DWORD HookFunc, DWORD MyFunc, DWORD OrigFunc);
// Smoke-test export; always returns 1.
int HelloWorld();
// Replacements for send()/recv(). NOTE(review): declared without WINAPI,
// unlike the PSEND/PRECV typedefs in Main.cpp and the Winsock functions they
// stand in for — on 32-bit builds the calling conventions differ.
int MySend(SOCKET s, const char* buf, int len, int flags);
// NOTE(review): recv() writes into buf, so const here is misleading.
int MyRecv(SOCKET s, const char* buf, int len, int flags);


Definition.def:
LIBRARY
	BrainDamage
EXPORTS
	HelloWorld
	MySend
	MyRecv


Main.cpp:


#include "Head.h"

// Function-pointer types for the hooked Winsock functions, using the WINAPI
// calling convention. NOTE(review): recv() writes into buf, so const on
// PRECV's buf is misleading (it does not change the ABI).
typedef int (WINAPI *PSEND)(SOCKET s, const char* buf, int len, int flags);
typedef int (WINAPI *PRECV)(SOCKET s, const char* buf, int len, int flags);
// Trampoline addresses returned by APIHook(); MySend/MyRecv reach the original
// code through these. Zero until Hook() has run.
PSEND    OrigSend;
PRECV    OrigRecv;
// Not referenced anywhere in this listing.
SYSTEMTIME st;
int conch;

BOOL APIENTRY DllMain (HINSTANCE hInst, DWORD reason , LPVOID reserved)
{
	// Install the hooks once, when the DLL is first mapped into the process;
	// thread attach/detach and process detach need no work here.
	// NOTE(review): this runs under the loader lock, and Hook() calls
	// WSAStartup and patches code from inside it — more than DllMain is
	// documented as allowed to do safely.
	if (reason == DLL_PROCESS_ATTACH) {
		Hook(hInst);
	}
	return TRUE;
}
int HelloWorld() {
	// Smoke-test export: lets a caller confirm the DLL loaded and can be called.
	const int loaded = 1;
	return loaded;
}
// Initialises Winsock and redirects ws2_32!send / ws2_32!recv to MySend /
// MyRecv, storing the trampolines in OrigSend / OrigRecv. hInst is unused.
// NOTE(review): called from DllMain on DLL_PROCESS_ATTACH, i.e. under the
// loader lock; WSAStartup is not safe to call from there.
void Hook(HINSTANCE hInst)
{
	WSADATA wsaData;
	// Return value is not checked.
	WSAStartup(MAKEWORD(1,1), &wsaData);
	// NOTE(review): neither GetModuleHandle nor GetProcAddress is checked; if
	// ws2_32.dll is not loaded in the target yet, APIHook receives 0 for
	// HookFunc and writes through a null pointer. The *(PDWORD)& store writes a
	// 32-bit value into a function-pointer object (only correct on a 32-bit
	// build), and the third argument is the still-zero pointer, which APIHook
	// ignores.
	*(PDWORD)&OrigSend = APIHook((DWORD)GetProcAddress(GetModuleHandle(L"ws2_32.dll"), "send"), (DWORD)MySend, (DWORD)OrigSend);
	*(PDWORD)&OrigRecv = APIHook((DWORD)GetProcAddress(GetModuleHandle(L"ws2_32.dll"), "recv"), (DWORD)MyRecv, (DWORD)OrigRecv);
}
// Installs an inline 5-byte JMP at HookFunc so calls land in MyFunc, and builds
// a small heap trampoline that re-executes the displaced entry bytes and then
// jumps back into the original function. Returns the trampoline address, which
// the caller stores as the "original" function pointer. OrigFunc's incoming
// value is unused; it is overwritten just before the return.
// NOTE(review): every address is carried as a DWORD, so this only works on a
// 32-bit build; on x64 the casts truncate pointers.
DWORD APIHook(DWORD HookFunc, DWORD MyFunc, DWORD OrigFunc)
{
	// NewData: the 5-byte JMP written over the target's entry.
	// DetourJump: the 5-byte JMP placed near the end of the trampoline.
	// OldData: the five original entry bytes displaced by the patch.
	unsigned char NewData[5], DetourJump[5], OldData[5];
	DWORD OldProtect;
	int i;
	unsigned char* HookFuncPtr = (unsigned char*) HookFunc;
	// Trampoline lives in ordinary heap memory. malloc's result is not checked,
	// and the buffer is never freed (it has to outlive the hook).
	// NOTE(review): heap pages are normally non-executable; executing this
	// buffer depends entirely on the VirtualProtectEx call further down
	// succeeding, and that result is never checked.
	unsigned char* HookDetour = (unsigned char*) malloc(25);
	for(i = 0; i < 25; i++)
		HookDetour[i] = 0x90; //NOP
	NewData[0] = 0xE9; //JMP (near)
	// rel32 operand: target minus the address of the byte after the 5-byte JMP.
	*(PDWORD)&NewData[1] = (DWORD)((DWORD)MyFunc - ((DWORD)HookFunc + 5));
	DetourJump[0] = 0xE9;
	// This JMP is stored at trampoline offset 19 (see the byte writes below).
	// The operand is computed against the JMP's own address (offset 19) rather
	// than the byte after it (offset 24), so it resolves to HookFunc + 5 — the
	// byte just past the patched entry, which is the intended resume point —
	// but the intent would be clearer written as
	// `((DWORD)HookFunc + 5) - ((DWORD)HookDetour + 19 + 5)`.
	*(PDWORD)&DetourJump[1] = (DWORD)((DWORD)HookFunc - ((DWORD)HookDetour + 14 + 5));
	// Make the entry writable. Result unchecked: if this fails, the writes
	// below fault.
	VirtualProtectEx(GetCurrentProcess(), (void*)HookFunc, 10, PAGE_EXECUTE_WRITECOPY, &OldProtect);
	// Save the displaced bytes and write the JMP. NOTE(review): a fixed 5 bytes
	// is copied with no instruction-boundary check; if the entry's instructions
	// do not end exactly at byte 5, or use IP-relative operands, re-executing
	// them from the trampoline is wrong.
	for(i = 0; i < 5; i++)
	{
		OldData[i] = HookFuncPtr[i];
		HookFuncPtr[i] = NewData[i];
	}
	// Restore protection. NOTE(review): the old-protection out-parameter is
	// required by the API; passing NULL (here and at the second restore) is
	// likely to make the call fail, and neither result is checked.
	VirtualProtectEx(GetCurrentProcess(), (void*)HookFunc, 10, OldProtect, NULL);
	// NOTE(review): this changes protection for the whole page(s) holding the
	// 25-byte chunk, i.e. for neighbouring heap allocations as well, and
	// PAGE_EXECUTE_WRITECOPY may be rejected on private (non-image) pages;
	// the result is not checked.
	VirtualProtectEx(GetCurrentProcess(), (void*)HookDetour, 25, PAGE_EXECUTE_WRITECOPY, &OldProtect);
	// Trampoline layout: [0..4] displaced bytes, [5..18] NOP, [19..23] JMP back,
	// [24] RET (unreachable, since the JMP precedes it).
	for(i = 0; i < 5; i++)
		HookDetour[i] = OldData[i];
	HookDetour[24-5] = DetourJump[0];
	HookDetour[24-4] = DetourJump[1];
	HookDetour[24-3] = DetourJump[2];
	HookDetour[24-2] = DetourJump[3];
	HookDetour[24-1] = DetourJump[4];
	HookDetour[24] = 0xC3; //RET
	VirtualProtectEx(GetCurrentProcess(), (void*)HookDetour, 25, OldProtect, NULL);
	// The patched entry (E9 + rel32) and an executable heap region are exactly
	// what code-integrity checks and hook scanners flag; expect that in
	// hardened targets.
	OrigFunc = (DWORD)HookDetour;
	return OrigFunc;
}
int MySend(SOCKET s, const char* buf, int len, int flags)
{
	// Pass-through to the original send() via the APIHook trampoline; nothing
	// is inspected or altered on the way.
	// NOTE(review): OrigSend is typed WINAPI (PSEND) but this function is
	// declared without WINAPI, so callers of the patched send() and this
	// definition disagree on who cleans the stack on 32-bit builds — a likely
	// source of the crash.
	return OrigSend(s, buf, len, flags);
}
int MyRecv(SOCKET s, const char* buf, int len, int flags)
{
	// Pass-through to the original recv() via the APIHook trampoline; the
	// received data is left untouched.
	// NOTE(review): PRECV is declared WINAPI but this definition is not; on
	// 32-bit builds the calling conventions differ, with the same stack
	// imbalance risk as MySend.
	return OrigRecv(s, buf, len, flags);
}