EasyHook recv doesn't “hook” all packets

Posted by 爱⌒轻易说出口 on 2019-12-09 06:52:56

Question


I managed to write a semi-working EasyHook example that hooks the recv function. I wrote a form, added a WebBrowser component, and started the application. The problem is, I get the HTTP packets, but if there's a socket, it seems that recv stops "hooking". The thing is, with an external application, SpyStudio, I can get them by hooking recv. So, what am I missing?

using System;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;
using System.Windows.Forms;
using EasyHook;

namespace flashing
{
    public partial class Form1 : Form, EasyHook.IEntryPoint
    {
        // Keep a reference to the hook: if the LocalHook is garbage collected, the hook is removed.
        public LocalHook CreateRecvHook;

        public Form1()
        {
            InitializeComponent();
        }

        // Original Winsock recv. Inside an EasyHook handler, a call to the hooked API
        // is passed through to the original implementation.
        [DllImport("Ws2_32.dll", SetLastError = true)]
        static extern int recv(
                    IntPtr socketHandle,
                    IntPtr buf,
                    int count,
                    int socketFlags
            );

        // Delegate with the same signature as recv; EasyHook calls it in place of recv.
        [UnmanagedFunctionPointer(CallingConvention.StdCall,
            CharSet = CharSet.Unicode,
            SetLastError = true)]
        delegate int Drecv(
                    IntPtr socketHandle,
                    IntPtr buf,
                    int count,
                    int socketFlags
            );

        static readonly object logLock = new object();

        static int recv_Hooked(
                    IntPtr socketHandle,
                    IntPtr buf,
                    int count,
                    int socketFlags)
        {
            // Let the real recv fill the buffer, then copy out what it received.
            int bytesCount = recv(socketHandle, buf, count, socketFlags);
            if (bytesCount > 0)
            {
                byte[] newBuffer = new byte[bytesCount];
                Marshal.Copy(buf, newBuffer, 0, bytesCount);
                string s = System.Text.ASCIIEncoding.ASCII.GetString(newBuffer);
                // Append rather than overwrite, and serialize: recv may be called from several threads.
                lock (logLock)
                {
                    using (TextWriter tw = new StreamWriter("log.txt", true))
                    {
                        tw.Write(s);
                    }
                }
                Debug.WriteLine("Hooked:>" + s);
            }
            return bytesCount;
        }

        private void bottonHook_Click(object sender, EventArgs e)
        {
            try
            {
                CreateRecvHook = LocalHook.Create(
                    LocalHook.GetProcAddress("Ws2_32.dll", "recv"),
                    new Drecv(recv_Hooked),
                    this);

                // Exclusive ACL: every thread is intercepted EXCEPT the ones listed;
                // thread ID 0 stands for the calling (UI) thread.
                CreateRecvHook.ThreadACL.SetExclusiveACL(new Int32[] { 0 });
            }
            catch (Exception ex)
            {
                Debug.WriteLine("Error creating the Hook: " + ex.Message);
                return;
            }
            // Only meaningful for a process started suspended via RemoteHooking.CreateAndInject;
            // harmless in-process.
            RemoteHooking.WakeUpProcess();
        }

        private void buttonLoader_Click(object sender, EventArgs e)
        {
            axShockwaveFlash1.LoadMovie(0, "test.swf");
        }
    }
}

edit: I've no doubt about recv; here is what API Monitor tells me:

# TID Module API Return Error
5 2696 Flash10l.ocx recv ( 1992, 0x07080000, 65536, 0 ) 1

So, can somebody help me?


Answer 1:


Problem Solved. The line that created trouble was

CreateRecvHook.ThreadACL.SetExclusiveACL(new Int32[] { 0 });

I changed it to

CreateRecvHook.ThreadACL.SetInclusiveACL(new Int32[] { 0 });

and now everything works just fine. Thanks everybody :)




Answer 2:


There are a lot of different functions used with sockets. Maybe the plugin is not using the function named recv. Off the top of my head I can think of recvfrom, recvmsg, WSARecv, WSARecvFrom, WSARecvMsg, ReadFile, ReadFileEx.

Then, the plugin could be doing requests with overlapped I/O (possibly complicated by completion routines or completion ports), in which case the data isn't stored during the (e.g.) ReadFile call but at some later time. Hooking those would be considerably more challenging.
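The two points above, the thread ACL fix from Answer 1 and the other receive entry points and overlapped I/O from Answer 2, put together in one monitor. This is an added example, not the poster's code or EasyHook's own sample; the class and method names (RecvMonitor, Install, LogBytes, LogLine) are ours, while the Winsock signatures, the WSA_IO_PENDING value (997) and the EasyHook LocalHook/ThreadACL calls are the real ones. It hooks both recv and WSARecv, logs synchronous receives, and flags overlapped receives whose buffers are still empty when the call returns.

```csharp
using System;
using System.IO;
using System.Runtime.InteropServices;
using System.Text;
using System.Threading;
using EasyHook;

// Added example, not the poster's code. RecvMonitor and its helpers are our names;
// the Winsock signatures and EasyHook calls are the real ones.
public sealed class RecvMonitor : IDisposable
{
    const int SOCKET_ERROR = -1, WSA_IO_PENDING = 997;

    // Inside an EasyHook handler a call to the hooked API is passed through to the
    // original, so these imports double as the "call original" path.
    [DllImport("Ws2_32.dll", SetLastError = true)]
    static extern int recv(IntPtr s, IntPtr buf, int len, int flags);
    [DllImport("Ws2_32.dll", SetLastError = true)]
    static extern int WSARecv(IntPtr s, IntPtr lpBuffers, uint dwBufferCount, IntPtr lpNumberOfBytesRecvd,
                              IntPtr lpFlags, IntPtr lpOverlapped, IntPtr lpCompletionRoutine);

    [UnmanagedFunctionPointer(CallingConvention.StdCall, SetLastError = true)]
    delegate int RecvDelegate(IntPtr s, IntPtr buf, int len, int flags);
    [UnmanagedFunctionPointer(CallingConvention.StdCall, SetLastError = true)]
    delegate int WSARecvDelegate(IntPtr s, IntPtr lpBuffers, uint dwBufferCount, IntPtr lpNumberOfBytesRecvd,
                                 IntPtr lpFlags, IntPtr lpOverlapped, IntPtr lpCompletionRoutine);

    [StructLayout(LayoutKind.Sequential)]
    struct WSABUF { public uint len; public IntPtr buf; }   // { ULONG len; CHAR *buf; }

    readonly object logLock = new object();
    readonly string logPath;
    LocalHook recvHook, wsaRecvHook;   // keep references: a collected LocalHook is uninstalled

    public RecvMonitor(string logPath) { this.logPath = logPath; }

    public void Install(bool allThreads)
    {
        recvHook = LocalHook.Create(LocalHook.GetProcAddress("Ws2_32.dll", "recv"),
                                    new RecvDelegate(RecvHooked), this);
        wsaRecvHook = LocalHook.Create(LocalHook.GetProcAddress("Ws2_32.dll", "WSARecv"),
                                       new WSARecvDelegate(WSARecvHooked), this);
        // EasyHook thread ACLs; thread ID 0 stands for the calling thread.
        //   SetInclusiveACL({0}) -> intercept ONLY the calling thread
        //   SetExclusiveACL({0}) -> intercept every thread EXCEPT the calling thread
        //   SetExclusiveACL({})  -> intercept every thread
        foreach (LocalHook h in new[] { recvHook, wsaRecvHook })
        {
            if (allThreads) h.ThreadACL.SetExclusiveACL(new int[0]);
            else h.ThreadACL.SetInclusiveACL(new[] { 0 });
        }
    }

    int RecvHooked(IntPtr s, IntPtr buf, int len, int flags)
    {
        int n = recv(s, buf, len, flags);   // blocking call: data is in buf when it returns
        if (n > 0) LogBytes("recv", s, buf, n);
        return n;
    }

    int WSARecvHooked(IntPtr s, IntPtr lpBuffers, uint count, IntPtr lpBytes,
                      IntPtr lpFlags, IntPtr lpOverlapped, IntPtr lpCompletion)
    {
        int rc = WSARecv(s, lpBuffers, count, lpBytes, lpFlags, lpOverlapped, lpCompletion);
        int err = Marshal.GetLastWin32Error();
        if (rc == SOCKET_ERROR && err == WSA_IO_PENDING)
        {
            // Overlapped receive: the buffers are filled later, when the I/O completes
            // (completion routine, completion port or GetOverlappedResult). Nothing to
            // copy yet; a complete monitor must also observe the completion side.
            LogLine("WSARecv", s, "pending (overlapped), data arrives later");
            return rc;
        }
        if (rc == 0 && lpBytes != IntPtr.Zero)
        {
            // Completed synchronously: *lpNumberOfBytesRecvd bytes, spread over the WSABUF array in order.
            int remaining = Marshal.ReadInt32(lpBytes);
            int wsabufSize = Marshal.SizeOf(typeof(WSABUF));
            for (int i = 0; i < count && remaining > 0; i++)
            {
                WSABUF wb = (WSABUF)Marshal.PtrToStructure(lpBuffers + i * wsabufSize, typeof(WSABUF));
                int take = (int)Math.Min((uint)remaining, wb.len);
                LogBytes("WSARecv", s, wb.buf, take);
                remaining -= take;
            }
        }
        return rc;
    }

    void LogBytes(string api, IntPtr s, IntPtr buf, int n)
    {
        byte[] data = new byte[n];
        Marshal.Copy(buf, data, 0, n);
        // Socket payload is not necessarily text: escape non-printable bytes instead of
        // decoding the whole buffer as ASCII.
        StringBuilder sb = new StringBuilder(n);
        foreach (byte b in data)
            sb.Append(b >= 0x20 && b < 0x7f ? ((char)b).ToString() : "\\x" + b.ToString("x2"));
        LogLine(api, s, n + " bytes: " + sb);
    }

    void LogLine(string api, IntPtr s, string msg)
    {
        // Handlers run on whichever thread called Winsock: serialize, and append to the
        // log rather than recreate it on every call.
        lock (logLock)
            File.AppendAllText(logPath, string.Format("[tid {0}] {1} socket={2} {3}{4}",
                Thread.CurrentThread.ManagedThreadId, api, s, msg, Environment.NewLine));
    }

    public void Dispose()
    {
        if (recvHook != null) recvHook.Dispose();
        if (wsaRecvHook != null) wsaRecvHook.Dispose();
    }
}
```

Usage: `new RecvMonitor("log.txt").Install(allThreads: true)` from the form, keeping the monitor in a field. With `allThreads: false` the ACL is the inclusive one from Answer 1, so only the thread that pressed the button is intercepted; the question's original `SetExclusiveACL(new Int32[] { 0 })` did the opposite and excluded exactly that thread. The WSA_IO_PENDING branch is the failure mode Answer 2 describes: for overlapped receives the buffer is empty at the time of the call, so a hook that copies it there logs nothing useful. recvfrom, WSARecvFrom and ReadFile on a socket handle can be added the same way.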




Answer 3:


I wrote a tool dumping HTTP using SharpPcap in C#. It uses the WinPcap driver. I think it is more reliable than API hooks.

HTTPSaver (with sources)
SharpPcap
Winpcap
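The driver-level alternative the answer points at, as an added example that is not taken from HTTPSaver. It assumes the SharpPcap 5.x / PacketDotNet 1.x API (CaptureDeviceList, DeviceMode, CaptureEventArgs, Packet.Extract<T>) on top of the WinPcap or Npcap driver; HttpSniffer and HttpStartLine are our names. It captures on one adapter with a BPF filter for port 80 and prints the request or status line of each HTTP message it sees.

```csharp
using System;
using System.Text;
using PacketDotNet;
using SharpPcap;

// Added example, not from HTTPSaver. Assumes SharpPcap 5.x / PacketDotNet 1.x.
static class HttpSniffer
{
    static void Main()
    {
        CaptureDeviceList devices = CaptureDeviceList.Instance;
        if (devices.Count == 0)
        {
            Console.WriteLine("No capture devices: is the WinPcap/Npcap driver installed?");
            return;
        }
        for (int i = 0; i < devices.Count; i++)
            Console.WriteLine(i + ": " + devices[i].Description);
        Console.Write("Adapter index: ");
        ICaptureDevice device = devices[int.Parse(Console.ReadLine())];

        device.OnPacketArrival += OnPacketArrival;
        device.Open(DeviceMode.Promiscuous, 1000);   // read timeout in milliseconds
        device.Filter = "tcp port 80";               // BPF filter, applied by the driver
        device.StartCapture();
        Console.WriteLine("Capturing on " + device.Description + "; press Enter to stop.");
        Console.ReadLine();
        device.StopCapture();
        device.Close();
    }

    static void OnPacketArrival(object sender, CaptureEventArgs e)
    {
        Packet packet = Packet.ParsePacket(e.Packet.LinkLayerType, e.Packet.Data);
        TcpPacket tcp = packet.Extract<TcpPacket>();
        if (tcp == null || tcp.PayloadData == null || tcp.PayloadData.Length == 0) return;
        string startLine = HttpStartLine(tcp.PayloadData);
        if (startLine != null)
            Console.WriteLine("{0} -> {1}: {2}", tcp.SourcePort, tcp.DestinationPort, startLine);
    }

    // Returns the HTTP request or status line if this segment begins a message, else null.
    // A message can span several segments; only the segment carrying its first line is reported.
    static string HttpStartLine(byte[] payload)
    {
        int end = Array.IndexOf(payload, (byte)'\n');
        if (end < 0) end = payload.Length;   // accept a line cut off at the segment boundary
        string line = Encoding.ASCII.GetString(payload, 0, end).TrimEnd('\r');
        string[] parts = line.Split(' ');
        if (parts.Length < 3) return null;
        bool isRequest = parts[2].StartsWith("HTTP/");    // METHOD SP request-target SP HTTP/x.y
        bool isResponse = parts[0].StartsWith("HTTP/");   // HTTP/x.y SP status SP reason
        return (isRequest || isResponse) ? line : null;
    }
}
```

Two caveats when comparing this with the recv hook above: WinPcap does not see loopback traffic, so a plugin talking to localhost is invisible here while the in-process hook still sees it; and HTTPS is ciphertext at both vantage points, since TLS is decrypted above the socket layer, so neither approach yields plaintext for it.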



Source: https://stackoverflow.com/questions/4589328/easyhook-recv-doesnt-hook-all-packets
