
Hooking Winsock

Started by CupHead, December 15, 2003, 11:36 AM


CupHead

That does look helpful, thanks.

Meeks

Yea IMO, the most appropriate solution here is called several things, one of which is Extended Code Overwriting, another is Detouring; there's a few more but it's all the same thing.  This is by no means exact, it is just a brief synopsis:

* This is a 32 bit implementation.

* Always pay respect to memory.  Use VirtualProtect to obtain the correct access rights before writing to memory.

* A trampoline function is a function that you allocate space for and it matches the parameters of your target function you want to hook.  Its intention is to preserve the bytes you will have to overwrite in order to perform the hook.

1. Copy the first 5 bytes to the trampoline function.
2. Write an unconditional JMP instruction to the trampoline function.
3. Write the 32 bit address of the 6th byte of the target function to the trampoline function.

* Pay very careful attention not to cut an assembly instruction off.  If you do, you will cause uncontrolled behavior.  The number of bytes you will copy from the target function to the trampoline function depends upon the assembly instructions, so open up OllyDbg.

* A Detour function is one that is called in place of the target function.

* Be sure the target function and your Detour function have identical parameters and are of the same calling convention.

4. Overwrite the first byte of the target function with an unconditional JMP instruction.
5. Overwrite the next 4 bytes with the 32 bit address of your Detour function.

Now when the target function is called, it is rerouted to your Detour function. Add the changes needed or simply log the activity; now you may call the trampoline function to execute the original target function's contents.  It really is as simple as that.  There are several examples including source code.  Hope this helps.
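An added example, not part of the original post: a portable C check that recognises the 5-byte overwrite described above by comparing a function's in-memory prologue with the same bytes from the on-disk image. On x86 the four bytes after the `E9` opcode are a displacement counted from the end of the jump instruction, so the destination has to be computed; all addresses, byte arrays and function names here are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define JMP_REL32 0xE9u   /* opcode of the 5-byte near jump */
#define PATCH_LEN 5u

typedef enum { PROLOGUE_CLEAN, PROLOGUE_MODIFIED, PROLOGUE_DETOURED } prologue_status;

/* If `code` (loaded at 32-bit address `va`) starts with JMP rel32, store the
 * jump destination in *dest and return 1. rel32 is a little-endian
 * displacement counted from the end of the 5-byte instruction. */
static int decode_jmp_rel32(const uint8_t *code, size_t len, uint32_t va, uint32_t *dest)
{
    if (len < PATCH_LEN || code[0] != JMP_REL32)
        return 0;
    uint32_t rel = (uint32_t)code[1] | (uint32_t)code[2] << 8 |
                   (uint32_t)code[3] << 16 | (uint32_t)code[4] << 24;
    *dest = va + PATCH_LEN + rel;   /* wraps modulo 2^32, as on x86 */
    return 1;
}

/* Compare the in-memory prologue with the same bytes from the on-disk image.
 * DETOURED: bytes differ and now jump outside [mod_base, mod_base + mod_size).
 * MODIFIED: bytes differ in any other way and need manual review. */
static prologue_status check_prologue(const uint8_t *disk, const uint8_t *mem, size_t len,
                                      uint32_t va, uint32_t mod_base, uint32_t mod_size,
                                      uint32_t *dest)
{
    if (memcmp(disk, mem, len) == 0)
        return PROLOGUE_CLEAN;
    if (decode_jmp_rel32(mem, len, va, dest) && (uint32_t)(*dest - mod_base) >= mod_size)
        return PROLOGUE_DETOURED;
    return PROLOGUE_MODIFIED;
}

/* Constructed sample data (not from the thread). */
static const uint8_t SAMPLE_DISK[5] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC }; /* mov edi,edi; push ebp; mov ebp,esp */
static const uint8_t SAMPLE_MEM[5]  = { 0xE9, 0xFB, 0xFF, 0x3F, 0xF0 }; /* jmp 0x00401000 from 0x10001000 */

int main(void)
{
    uint32_t dest = 0;
    prologue_status s = check_prologue(SAMPLE_DISK, SAMPLE_MEM, 5, 0x10001000u,
                                       0x10000000u, 0x20000u, &dest);
    return (s == PROLOGUE_DETOURED && dest == 0x00401000u) ? 0 : 1;
}
```

A `PROLOGUE_MODIFIED` result covers changes that are not an out-of-module jump, such as a jump that stays inside the module, and is left for manual review.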

ColT

Great post Meeks, only 5 years later.

Spht

I think he's from the future.  Tell us, Saddam Hussein was captured last week.  What ends up happening to him?

Yegg

At least he provided information of use in the event someone searches for a similar topic and finds this site.



Meeks

Wow, how'd I overlook that one, lol.  Oops.