Using the code
The attached code
is built using VS2010 express edition. The code must
be referred to while going through this article.
Also 64-bit API hooking code has been attached but
not tested.
We will start with
introduction of sockets APIs used to send and
receive information, these are send
and recv. The attached code will
try to hook/Hijack these APIs and attempt to log all
information passed through them.
The following code
is mentioned in the DLL ,module
Collapse |
Copy
Code
struct NetSnoop{
NetSnoop()
{
_beginthread(sendThread,0,0);
_beginthread(recvThread,0,0);
}
...
}
g_NetSnoop;
Notice the
variable g_NetSnoop declared globally, this object
will be created (and its constructor will be called
which will call sendThread and
recvThread) every time the DLL is
loaded into a new/different process. To get the DLL
to load in a different process, we use Windows hook
API (mentioned in the code: NetSnoop.cpp).
Collapse |
Copy
Code
SetWindowsHookEx(WH_CBT,hookFunction,h,0);
Here the variable
h holds the module handle of the
DLL mentioned earlier. Calling SetWindowsHookEx will
cause all threads that belong to the callers desktop
to load the DLL whose module is passed to it, in
this case: HMODULE h=LoadLibraryA("NetSnoopDll.dll");
Reader will have to be aware of Windows
hook.
Another way is to
call (without using hook) CreateRemoteThread, you
can call the above function sendThread
and recvThread , please read up
CreateRemoteThread on MSDN. (This
method is not used in code).
Now comes
the best part:- API hooking (APIHook.cpp).
We will discuss
API hooking for send API, the rest
are all the same, refer to the code at all times,
this is important.
The function :
void sendThread(void*) will perform
API hack, notice that this function is called from
constructor of struct NetSnoop (via
different thread) or via API
CreateRemoteThread.
Follow the
code:-
We first start by
getting the address of the function and use
VirtualProtect.
Be sure to use
VirtualProtect to alter the
protection of a committed page else you will get an
exception (386 memory segment protection!). Look up
MSDN for VirtualProtect .
Collapse |
Copy
Code
VirtualProtect(send,sizeof(Trap_Send),PAGE_EXECUTE_READWRITE,&dPermission);
The code after
that is self explanatory.
Do use disassembly
of function call to better understand how it works,
you will notice the following code added at the
function address:-
Collapse |
Copy
Code
MOV EAX,function adress;
JMP EAX;
We are injecting
the following code at the function call address
using opcodes:
64 bit
code is mentioned in attachment. Before we
tamper with the instructions at the function
address, we first store the original instructions so
as to restore them when needed.
Remember:
32-bit DLL cannot be loaded/injected in 64-bit
process space and vice-versa which is why you would
require a separate 64-bit APP/DLL to snoop network
traffic for 64-bit processes.
How it works:
When the hooked
function (in this case send) is
called, the instruction pointer (EIP) is taken to
the function address and will start executing from
there (well...this how any function call works).
We have decisively
placed a JMP instruction at that very location. This
will cause the EIP to move to the function :
Mysend, notice that this function has the
very same signature, calling convection as the
original function, this is to avoid any stack
corruption.
Once the EIP is
routed to function Mysend (as done
in attached code):-
- Log what ever
is needed ,
- restore the
function's original instruction ,
- call the
original function to complete the functionality.
In API hooking of
send function, please note that
send function is called twice by
the application:-
- called by the
application , through the JMP instruction , EIP
is routed to Mysend
- Inside
Mysend, after restoring the original
instructions. (shown below)
Code snippet from
APIHook.cpp, int WSAAPI Mysend(...)...
Collapse |
Copy
Code
DWORD dPermission=0;
VirtualProtect(send,sizeof(Trap_Send),PAGE_EXECUTE_READWRITE,&dPermission);
memcpy(send,StoreOriginal_Send,sizeof(StoreOriginal_Send)); int ret=send(s,buf,len,flags);
if(bExit==false) {
memcpy(send, Trap_Send, sizeof(Trap_Send)); }
hence to maintain
the stack, RET instruction is also called twice
- After it
returns from the original send
function called from inside Mysend
- After it
returns from Mysend
Restore (done in
destructor):
Another important
thing is to restore everything when the application
exits.
This is important,
when the application (NetworkSnoop) exits, the
Hook will be
released by code (or by OS if hook is active when
application is closed/terminated).
When applications
are being unhooked, the injected DLL is removed, if
code is not restored, the JMP instruction will cause
the EIP to jump to an invalid memory location (since
DLL is removed) causing a crash.
The application
restores all in a destructor of a global object, the
destructor is called during DLL unload, refer code .
Collapse |
Copy
Code
~NetSnoop()
{
bExit=true; while(uiInUse!=0) Sleep(500);
DWORD dPermission=0;
VirtualProtect(send,sizeof(Trap_Send),PAGE_EXECUTE_READWRITE,&dPermission);
memcpy(send,StoreOriginal_Send,sizeof(StoreOriginal_Send)); VirtualProtect(recv,sizeof(Trap_recv),PAGE_EXECUTE_READWRITE,&dPermission);
memcpy(recv,StoreOriginal_recv,sizeof(StoreOriginal_recv)); }
Debug the call
The reader will
have to write a simple console based application
mentioned below and debug the send call via
dissambly to better understand the introduction of a
JMP instruction.
Collapse |
Copy
Code
#include<windows.h>
#include<WinSock2.h>
int main()
{
MessageBoxA(0,"","",0); int z=send(0,0,0,0); function from Ws2_32.lib (add this to your lib section) ,pass any dummy values , the idea is to understand via dissambly the introduction of JMP instruction after the hook has injected the DLL
return z;
}
Points of
Interest
The best part is
that NetworkSnoop introduces API hooking using
Windows Hook, this allows you to hook any function
in any process provided your hook injects the DLL
into it, for the hook to work, the targeted thread
must have a message loop. I do hope you enjoy this
short article on Network snoop. API hook technique
is widely used, most famous is FRAPS, it uses the
technique to hook DirectX calls to get information
about game performance.
News:
1
UCanCode Advance E-XD++
CAD Drawing and Printing Solution
Source Code Solution for C/C++, .NET V2024 is released!
2
UCanCode Advance E-XD++
HMI & SCADA Source Code Solution for C/C++, .NET V2024 is released!
3
UCanCode
Advance E-XD++ GIS SVG Drawing and Printing Solution
Source Code Solution for C/C++, .NET V2024 is released!
Contact UCanCode Software
To buy the source code or learn more about with: