Cheat Engine: The Official Site of Cheat Engine

kot1990 (Expert Cheater)
Reputation: 1 | Joined: 06 Sep 2009 | Posts: 131 | Location: Greece
Posted: Wed Feb 17, 2010 3:43 pm
Post subject: Pls help hooking!
I have created a DLL that hooks the send() function from ws2_32.dll. Now how can I use the DLL for my application?
This is my app:
Code:
#include <iostream>
#include <cstring>
#include <winsock2.h>
#pragma comment(lib, "ws2_32.lib")
using namespace std;

int main()
{
    // startup
    WSADATA wsaData;
    if (WSAStartup(MAKEWORD(2, 0), &wsaData) != 0)
    {
        cout << "WSAStartup failed.\n";
        return 1;
    }

    // socket address: inet_addr() takes a dotted-decimal string, not a host name
    sockaddr_in sockAddr1 = {};
    sockAddr1.sin_family = AF_INET;
    sockAddr1.sin_port = htons(4444);
    sockAddr1.sin_addr.S_un.S_addr = inet_addr("127.0.0.1");

    // socket
    SOCKET hSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (hSocket == INVALID_SOCKET)
    {
        cout << "a shit socket.\n\n";
        WSACleanup();
        return 1;
    }
    cout << "socket created successfully! :)\n\n";

    // connect
    if (connect(hSocket, (sockaddr*)&sockAddr1, sizeof(sockAddr1)) == SOCKET_ERROR)
    {
        cout << "connect failed: " << WSAGetLastError() << "\n";
        closesocket(hSocket);
        WSACleanup();
        return 1;
    }

    // getline() reads at most sizeof(buffer)-1 characters, so the buffer cannot overflow
    char buffer[150];
    while (cout << "say: ", cin.getline(buffer, sizeof(buffer)))
    {
        // send only the text that was typed, not the whole 150-byte buffer
        send(hSocket, buffer, (int)strlen(buffer), 0);
    }
    closesocket(hSocket);
    WSACleanup();
}
It sends data to a localhost-bound socket that keeps listening for connections. I want to hook send() so I can send packets without the use of my application. Pls help. Here's the DLL.
Code:
// winsock2.h must come before windows.h, otherwise windows.h pulls in winsock.h and the two collide
#include <winsock2.h>
#include <windows.h>
#pragma comment(lib, "Ws2_32.lib")

// rel32 displacement for a 5-byte "jmp rel32" placed at frm and landing on to
#define JMP(frm, to) (int)(((int)(to) - (int)(frm)) - 5)

DWORD SendOriginalAddress = 0;
DWORD SendReturnAddress = 0;
DWORD* SendNewAddress = 0;
DWORD OldProtection = 0;
char* send_buffer;
int send_sizeofdata = 0;
SOCKET send_s;
int send_flags = 0;

void __declspec(naked) __stdcall SendHookFunc()
{
    __asm
    {
        // re-execute the 5 prologue bytes that HookSend() replaced with the jmp
        mov edi, edi
        push ebp
        mov ebp, esp
        mov eax, [ebp+0x08]   /* Param 1 : Socket */
        mov send_s, eax
        mov eax, [ebp+0x0C]   /* Param 2 : buffer */
        mov send_buffer, eax
        mov eax, [ebp+0x10]   /* Param 3 : Size */
        mov send_sizeofdata, eax
        mov eax, [ebp+0x14]   /* Param 4 : flags */
        mov send_flags, eax
        // continue inside the original send(), just past the patched bytes
        jmp SendReturnAddress
    }
}

void UnHookSend()
{
    /* To unhook on a WinXP post SP2 box you need to restore the 5 byte preamble */
    DWORD protect = 0;
    VirtualProtect((void*)SendOriginalAddress, 0x05, PAGE_EXECUTE_READWRITE, &protect);
    *(WORD *)SendOriginalAddress = 0xFF8B;       // mov edi,edi
    *(BYTE *)(SendOriginalAddress+2) = 0x55;     // push ebp
    *(WORD *)(SendOriginalAddress+3) = 0xEC8B;   // mov ebp,esp
    VirtualProtect((void*)SendOriginalAddress, 0x05, protect, &protect);
    FlushInstructionCache(GetCurrentProcess(), (void*)SendOriginalAddress, 0x05);
}

void HookSend()
{
    SendNewAddress = (DWORD*)SendHookFunc;
    HINSTANCE hDll = LoadLibrary(TEXT("Ws2_32.dll"));
    if (hDll == NULL)
        return;
    SendOriginalAddress = (DWORD)GetProcAddress(hDll, "send");
    if (SendOriginalAddress == 0)
        return;
    SendReturnAddress = SendOriginalAddress + 5;
    // the page holds code, so it must stay executable while it is writable
    VirtualProtect((void*)SendOriginalAddress, 0x05, PAGE_EXECUTE_READWRITE, &OldProtection);
    *(BYTE *)(SendOriginalAddress) = 0xE9;       // jmp rel32
    *(int *)(SendOriginalAddress+1) = JMP(SendOriginalAddress, SendNewAddress);
    // put the original protection back once the patch is written
    VirtualProtect((void*)SendOriginalAddress, 0x05, OldProtection, &OldProtection);
    FlushInstructionCache(GetCurrentProcess(), (void*)SendOriginalAddress, 0x05);
}

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    if (ul_reason_for_call == DLL_PROCESS_ATTACH)
        HookSend();
    // DLL_THREAD_DETACH fires whenever any thread in the process exits;
    // the hook should only be removed when the DLL itself is unloaded
    if (ul_reason_for_call == DLL_PROCESS_DETACH)
        UnHookSend();
    return TRUE;
}
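From the defending side, the 5-byte patch that HookSend() above writes over the hot-patchable prologue of send() is exactly what an in-process integrity check looks for. The following is an added example, not code from the thread or from Cheat Engine: it works on a copy of a function's first five bytes rather than on live memory, recognises the intact mov edi,edi / push ebp / mov ebp,esp prologue, decodes an E9 jmp rel32 back to its destination (the inverse of the thread's JMP macro), and flags a destination that falls outside the image of the module that exports the function. All addresses and the module size in the demo are constructed values, not a real ws2_32.dll layout.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* First five bytes of a hot-patchable Win32 API prologue such as ws2_32!send:
   mov edi,edi / push ebp / mov ebp,esp. These are the bytes HookSend()
   overwrites and UnHookSend() restores. */
static const uint8_t HOTPATCH_PROLOGUE[5] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };

enum prologue_state {
    PROLOGUE_INTACT,    /* original hot-patch prologue in place */
    PROLOGUE_JMP_HOOK,  /* starts with E9 <rel32>: an inline jmp hook */
    PROLOGUE_UNKNOWN    /* neither: different prologue or a partial restore */
};

/* rel32 displacement for a 5-byte jmp at 'from' landing on 'to'. Same
   arithmetic as the thread's JMP macro, on 32-bit unsigned values so the
   wraparound matches how the CPU decodes the displacement. */
uint32_t jmp_rel32(uint32_t from, uint32_t to)
{
    return to - from - 5u;
}

/* Inverse: a jmp rel32 located at 'at' lands at at + 5 + rel32. */
uint32_t jmp_target(uint32_t at, uint32_t rel32)
{
    return at + 5u + rel32;
}

/* Emit the 5-byte patch into a caller-owned buffer (never into live code here);
   used only to construct sample input for the classifier. */
void encode_jmp_patch(uint8_t out[5], uint32_t from, uint32_t to)
{
    uint32_t rel = jmp_rel32(from, to);
    out[0] = 0xE9;
    out[1] = (uint8_t)(rel & 0xFF);
    out[2] = (uint8_t)((rel >> 8) & 0xFF);
    out[3] = (uint8_t)((rel >> 16) & 0xFF);
    out[4] = (uint8_t)((rel >> 24) & 0xFF);
}

/* Classify the first 5 bytes of a function located at 'at'. For a jmp hook,
   *target (if non-NULL) receives the resolved destination. */
enum prologue_state classify_prologue(const uint8_t bytes[5], uint32_t at, uint32_t *target)
{
    if (memcmp(bytes, HOTPATCH_PROLOGUE, 5) == 0)
        return PROLOGUE_INTACT;
    if (bytes[0] == 0xE9) {
        uint32_t rel = (uint32_t)bytes[1]
                     | ((uint32_t)bytes[2] << 8)
                     | ((uint32_t)bytes[3] << 16)
                     | ((uint32_t)bytes[4] << 24);
        if (target)
            *target = jmp_target(at, rel);
        return PROLOGUE_JMP_HOOK;
    }
    return PROLOGUE_UNKNOWN;
}

/* A jmp that leaves the exporting module's image is the strong signal:
   the hook body lives in some other module (in the thread, the injected DLL). */
int target_outside_module(uint32_t addr, uint32_t base, uint32_t size)
{
    return addr < base || addr - base >= size;
}

/* Stand-alone demo on constructed addresses (not a real ws2_32 layout). */
int main(void)
{
    const uint32_t send_addr = 0x71AB4C27u;  /* constructed: ws2_32!send */
    const uint32_t ws2_base  = 0x71AB0000u;  /* constructed: module base */
    const uint32_t ws2_size  = 0x00017000u;  /* constructed: image size */
    const uint32_t hook_addr = 0x10001000u;  /* constructed: SendHookFunc in hook.dll */
    uint8_t patched[5];
    uint32_t target = 0;

    printf("before hook: state=%d\n",
           classify_prologue(HOTPATCH_PROLOGUE, send_addr, NULL));

    encode_jmp_patch(patched, send_addr, hook_addr);
    enum prologue_state st = classify_prologue(patched, send_addr, &target);
    printf("after hook:  state=%d target=0x%08X outside_module=%d\n",
           st, target, target_outside_module(target, ws2_base, ws2_size));
    return 0;
}
```

On a live system the bytes would be read from GetProcAddress(GetModuleHandle("ws2_32.dll"), "send") and the module bounds from its PE headers; an E9 at an export's first byte is not proof of tampering by itself, since compilers and the loader can legitimately place thunks there, which is why the check resolves the destination and compares it against the exporting module's image range.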

Anden100 (Grandmaster Cheater)
Reputation: 0 | Joined: 20 Apr 2007 | Posts: 668
Posted: Wed Feb 17, 2010 4:25 pm
Just call send() from your DLL using send_s as the first parameter. (Just make sure to check that send_s is a valid socket; the program needs to have sent a packet since your DLL was injected for send_s to be set.)

kot1990 (Expert Cheater)
Reputation: 1 | Joined: 06 Sep 2009 | Posts: 131 | Location: Greece
Posted: Wed Feb 17, 2010 5:44 pm
Anden100 wrote:
> Just call send() from your DLL using send_s as the first parameter. (Just make sure to check that send_s is a valid socket; the program needs to have sent a packet since your DLL was injected for send_s to be set.)

Where should I place the code for send() in the DLL?
I use LoadLibrary("hook.dll"); from my app, and the DLL then runs and calls the HookSend(); function, which changes the first 5 bytes of the send() function and puts a jmp to SendHookFunc() in their place. After that the process leaves the DLL's execution and continues executing in the main app. If I then call send() so that send_s gets a value, how will I get back to the DLL's execution to call send() from there? Maybe there should be another thread running?
EDIT: I know I'm missing something.. But I don't know what! Please explain: why should I ever use a DLL and not just WriteProcessMemory() the bytes for the instructions?
EDIT2: I think I should put the send() in SendHookFunc()

Anden100 (Grandmaster Cheater)
Reputation: 0 | Joined: 20 Apr 2007 | Posts: 668
Posted: Thu Feb 18, 2010 3:43 am
kot1990 wrote:
> Anden100 wrote:
> > Just call send() from your DLL using send_s as the first parameter. (Just make sure to check that send_s is a valid socket; the program needs to have sent a packet since your DLL was injected for send_s to be set.)
>
> Where should I place the code for send() in the DLL?
> I use LoadLibrary("hook.dll"); from my app, and the DLL then runs and calls the HookSend(); function, which changes the first 5 bytes of the send() function and puts a jmp to SendHookFunc() in their place. After that the process leaves the DLL's execution and continues executing in the main app. If I then call send() so that send_s gets a value, how will I get back to the DLL's execution to call send() from there? Maybe there should be another thread running?
> EDIT: I know I'm missing something.. But I don't know what! Please explain: why should I ever use a DLL and not just WriteProcessMemory() the bytes for the instructions?
> EDIT2: I think I should put the send() in SendHookFunc()

1. You can use WriteProcessMemory, but there is no reason at all to do it, and you will need to do it from a DLL, since the function (SendHookFunc()) needs to be part of the application's memory, either in the application itself or in a DLL loaded by the application.
2. Yes, you will most likely need a new thread in your DLL.
3. No, you should not put send() in SendHookFunc(). SendHookFunc() jumps to send() after the parameters have been copied to the variables; if you put send() in SendHookFunc(), it will jump to SendHookFunc() again (due to the hook), which will then again call send(): an infinite loop, and you will end up with a stack overflow (I believe).

kot1990 (Expert Cheater)
Reputation: 1 | Joined: 06 Sep 2009 | Posts: 131 | Location: Greece
Posted: Thu Feb 18, 2010 2:03 pm
Well, I used CreateRemoteThread() to create a thread in the other process that calls LoadLibrary(), and put a MessageBox in the DLL, but when the MessageBox is displayed the process just waits for me to close the message box. That means that the process is stuck on my MessageBox and doesn't run anything in the background?? What's happening?

Slugsnack (Grandmaster Cheater Supreme)
Reputation: 71 | Joined: 24 Jan 2007 | Posts: 1857
Posted: Thu Feb 18, 2010 2:07 pm
Don't put your MessageBox in DllMain. Inside your DllMain, put a CreateThread to a new function which will have all your code. DllMain is supposed to return immediately.

Anden100 (Grandmaster Cheater)
Reputation: 0 | Joined: 20 Apr 2007 | Posts: 668
Posted: Thu Feb 18, 2010 2:08 pm
kot1990 wrote:
> Well, I used CreateRemoteThread() to create a thread in the other process that calls LoadLibrary(), and put a MessageBox in the DLL, but when the MessageBox is displayed the process just waits for me to close the message box. That means that the process is stuck on my MessageBox and doesn't run anything in the background?? What's happening?

I never really understood why that happened either, but you will have to use CreateThread() from the DLL you are injecting, and then show the MessageBox in the new thread; then the application shouldn't freeze (or at least I believe not)...

kot1990 (Expert Cheater)
Reputation: 1 | Joined: 06 Sep 2009 | Posts: 131 | Location: Greece
Posted: Thu Feb 18, 2010 2:25 pm
OMG, I did it like that:
Code:
// a thread routine has the LPTHREAD_START_ROUTINE shape: takes an LPVOID, returns a DWORD
DWORD WINAPI olaMsgBoxehh(LPVOID lpParam)
{
    Sleep(3000);
    MessageBox(NULL, TEXT("hello"), TEXT("world"), MB_OK);
    return 0;   // returning ends the thread; ExitThread(0) is not needed
}

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    // this runs for every reason code, including DLL_THREAD_ATTACH, so each thread
    // created here makes the loader call DllMain again, which creates another thread...
    HANDLE hThread = CreateThread(0, 0, olaMsgBoxehh, 0, 0, 0);
    if (hThread != NULL)
        CloseHandle(hThread);   // the thread keeps running; only the handle is released
    return TRUE;
}
and the message box appears many, many times, like a machine gun, and the computer freezes.
EDIT: Maybe I have to check ul_reason_for_call?
EDIT: Why should I create a new thread in the DLL when I have already called CreateRemoteThread from my app?

Slugsnack (Grandmaster Cheater Supreme)
Reputation: 71 | Joined: 24 Jan 2007 | Posts: 1857
Posted: Thu Feb 18, 2010 2:37 pm
Look into what ul_reason_for_call actually does and which cases you are interested in and should handle.

kot1990 (Expert Cheater)
Reputation: 1 | Joined: 06 Sep 2009 | Posts: 131 | Location: Greece
Posted: Thu Feb 18, 2010 2:40 pm
Quote:
> Look into what ul_reason_for_call actually does and which cases you are interested in and should handle.

It works, thx.
I did that before creating the thread:
    if (ul_reason_for_call == DLL_PROCESS_ATTACH)