Hooking recv

Page 1 of 2

02/18/2013 22:52 iszoPL#1

I have a question about that ;) I'm trying to EAT Hook recv function after injecting dll into engine.exe. The trick is that i don't really know if kal is using GetProcAddress to retrieve recv address on every call. I suppose it does because if we try simple jmp patch on it. It works for a short time after hs patches it.

My hook is also working i guess but, well i don't really know why it is not showing data ;)

I found in EAT of ws2_32.dll address:

recv 0x74B80DA8

and it is const. Code snippet:

MyRecv

Code:

typedef int (WINAPI *myrecv)(SOCKET s, char *buf, int len, int flags);

myrecv NewRecv = NULL, OldRecv = NULL;

int WINAPI fRecv(SOCKET s, char *buf, int len, int flags)
{
	cout << "Hooked recv: ";
	for(int i=0;i<len;i++)
		cout << hex << buf[i] << ' ';
	return OldRecv(s,buf,len,flags);
}

Hooking

Code:

OldRecv = (myrecv)dll.hookEAT(fname,(void*)fRecv);
NewRecv = (myrecv)GetProcAddress(GetModuleHandle(L"ws2_32.dll"),"recv");
cout << "Checking hook...\n";
NewRecv(NULL,"aaa",3,NULL);

dll is object of my class that is handling getting data from dll/exe.

This is part of hooking function. Directly in EAT.

Code:

for(WORD i = 0 ; i < ied->NumberOfFunctions ; i++)
    {
        name = reinterpret_cast<char*>(*tmp + (DWORD)dllBase);
        PWORD pOrdinal = (WORD *)(ied->AddressOfNameOrdinals +
                                  (sizeof(WORD) * i) +
                                  dllBase);
        address = reinterpret_cast<PDWORD>(dllBase + ied->AddressOfFunctions + 4 * (*pOrdinal));
        if(strcmp(functionName.c_str(),name)==0)
        {
            DWORD oldprot, oldprot2;
            oldAddress = reinterpret_cast<PDWORD>(dllBase + *address);

            VirtualProtect(address, sizeof(DWORD), PAGE_READWRITE, (DWORD *)&oldprot);
            *address = (DWORD)(newFunction) - (DWORD)dllHandler;
            VirtualProtect(address, sizeof(DWORD), oldprot, (DWORD *)&oldprot2);

            return oldAddress;
        }
        tmp++;
    }

I checked also IAT of engine.exe and it doesn't contain recv function so it has to be EAT hook i guess. Any idea why it doesn't work?

02/18/2013 23:50 nonosocr1986#2

i think this may help you:
[Only registered and activated users can see links. Click Here To Register...]

02/19/2013 00:28 iszoPL#3

Not really. As u can see i started that topic also and this is different.

02/19/2013 01:33 RunzelEier#4

if even "Hooked recv: " doesn't show up then your hook doesn'T work ;)

does this work?
NewRecv(NULL,"aaa",3,NULL);

the idea is really interesting.
but manipulating the EAT is only usefull if GetProcAddress() is being called for every recv call.
this doesn't sound very likely to me.

how did you check the IAT? are you sure recv isn't included?

02/19/2013 02:35 iszoPL#5

My hook partially works. GetProcAddress returns fRecv function adress instead of original recv from ws2_32. This was just to check and yes it works fine(just check).

Well after injecting I checked for IAT of engine.exe and it containts these functions:

Code:

BeginPaint 74BEB290
BitBlt 6FD60CA2
CloseHandle 6538ED87
ContinueDebugEvent 74E26849
CreateCompatibleDC 6FD60C6E
CreateDCA 6FD5F2BB
CreateDIBitmap 6FD60F52
CreateDialogIndirectParamA 74C18E03
CreateFileA 6538EC39
CreateFileMappingA 74D9302E
CreateMutexA 74D938AD
CreatePalette 6FD60F96
CreateProcessA 6537E600
CreateProcessW 6537E845
CreateThread 74D927A5
CreateWindowExA 74BF481E
CreateWindowExW 74BF27BE
DebugActiveProcess 74E267A1
DefWindowProcA 76EE10BE
DeleteCriticalSection 76EF8F29
DeleteDC 7496859E
DeleteObject 74966E0F
DestroyWindow 6FD60BE8
DispatchMessageA 74BEE234
DuplicateHandle 74D92B3B
EndPaint 74BEB274
EnterCriticalSection 76EE1005
EnumThreadWindows 6FD60C1D
EnumWindows 74BF17B7
ExitProcess 74D93176
FindClose 74D928F8
FindFirstFileA 74D95A03
FindFirstFileW 74D92903
FindWindowA 74C0659F
FlushFileBuffers 74D93A91
FreeConsole 74E1C0B2
FreeDDElParam 74C2C48E
FreeEnvironmentStringsA 74D959DC
FreeEnvironmentStringsW 74D93982
GetACP 74D936A2
GetAsyncKeyState 74BEBFEC
GetCPInfo 74D936BE
GetCommandLineA 74D93977
GetCommandLineW 74D93793
GetConsoleCP 74E1C00D
GetConsoleMode 74D92D36
GetConsoleOutputCP 74D939F8
GetCurrentProcess 74D914C4
GetCurrentProcessId 74D91576
GetCurrentThread 74D91585
GetCurrentThreadId 74D91470
GetDesktopWindow 74BF046D
GetDlgItem 74BFCB65
GetEnvironmentStrings 74D959ED
GetEnvironmentStringsW 74D93993
GetEnvironmentVariableA 74D92EC4
GetExitCodeProcess 74D958C3
GetFileType 74D939D1
GetLastError 74D91549
GetLocaleInfoA 74D93D03
GetMessageA 74BEE276
GetModuleFileNameA 6FD71380
GetModuleFileNameW 74D9285B
GetModuleHandleA 6FD7130D
GetOEMCP 74DAC58D
GetProcAddress 653A8482
GetProcessHeap 74D915D0
GetPropA 74C0897A
GetShortPathNameA 74DBDAC0
GetShortPathNameW 74DA0186
GetStartupInfoA 74D91010
GetStartupInfoW 74D927E6
GetStdHandle 74D9282E
GetStringTypeA 74DA8BED
GetStringTypeW 74D936F1
GetSystemMetrics 74BE94A6
GetSystemTimeAsFileTime 74D91655
GetThreadContext 74DAC3D2
GetTickCount 74D9144C
GetVersionExA 653A68F2
GetWindowThreadProcessId 74BE9743
GlobalAddAtomA 74DA89C2
GlobalAddAtomW 74D9506B
GlobalAlloc 74D9298C
GlobalDeleteAtom 74D95166
GlobalFree 74D9296E
GlobalGetAtomNameA 74E1FCA1
GlobalGetAtomNameW 74D95192
GlobalLock 74D9478F
GlobalUnlock 74D94687
HeapAlloc 6538467C
HeapCreate 74D93966
HeapDestroy 74D939C0
HeapFree 74D91491
HeapReAlloc 65384880
HeapSize 65385567
InSendMessage 74C0532B
InitializeCriticalSection 76EF9A33
InterlockedDecrement 74D915A1
InterlockedIncrement 74D914CD
IsBadReadPtr 74DA82CF
IsDebuggerPresent 74D93713
IsWindow 74BE9000
IsWindowUnicode 74BEF7AF
KillTimer 74BE8F80
LCMapStringA 65380AAF
LCMapStringW 65380A36
LeaveCriticalSection 76EF736D
LoadCursorA 74BEBF60
LoadLibraryA 74D92FE4
LoadStringA 74C08CD8
LoadStringW 74BEAD3C
MapViewOfFile 74D92812
MessageBoxA 74C3E3DB
MoveWindow 74C04F80
MultiByteToWideChar 74D9284A
OpenMutexA 74DA9407
PackDDElParam 74C2C3EF
PeekMessageA 74BEE131
PostMessageA 74BEBC4C
PostMessageW 74BE8EC3
QueryPerformanceCounter 74D91527
RaiseException 74D92CB5
ReadProcessMemory 74D91B01
RealizePalette 6FD60FAE
RegisterClassA 74C03DA4
RegisterClassW 74BF2E84
ReleaseMutex 74D9145A
ResumeThread 74D9379E
RtlUnwind 74D92CC6
SelectObject 74967B86
SelectPalette 6FD60D2C
SendMessageA 74BFABE7
SendMessageW 74BEA9AB
SetEnvironmentVariableA 74DA0923
SetFilePointer 74D928ED
SetHandleCount 74D9EE4E
SetLastError 74D91554
SetPropA 74C0DFA2
SetStdHandle 74D92CF2
SetThreadContext 74E26270
SetThreadPriority 74D91B23
SetTimer 74BE8FDF
SetUnhandledExceptionFilter 74D958A1
SetWindowTextA 74C0DA0E
ShowWindow 74BEF6DA
Sleep 74D911DF
SuspendThread 74DA8C20
TerminateProcess 74D93923
TlsAlloc 74D92E06
TlsFree 74D9176E
TlsGetValue 74D91480
TlsSetValue 74D91565
TranslateMessage 74BE7C63
UnhandledExceptionFilter 74E2623D
UnmapViewOfFile 74D915DB
UnpackDDElParam 74C2CAC8
UpdateWindow 74BF072C
VirtualAlloc 74D91590
VirtualFree 74D9177F
VirtualProtect 74D91B82
VirtualProtectEx 74E2620A
VirtualQueryEx 74D91B12
WaitForDebugEvent 74E261F9
WaitForInputIdle 74BFA24A
WaitForSingleObject 74D91465
WideCharToMultiByte 74D9174C
WriteConsoleA 74E1C065
WriteConsoleW 74D92D41
WriteFile 74D92B30
WriteProcessMemory 74DC09F7

So for me there's only 1 option left. As address of recv is const so i'm thinking that it is stored somewhere in engine and it's called directly and that's why it's not showing at IAT.

Or is there any other explanation why my hook is not working?

02/20/2013 00:48 Thiesius#6

Simple:
Load debugger, ignore anti-debug, and bp ws2_32.recv. Break on that bp and return to user code. I think there should be an instruction to load ws2_32.recv using something like this
MOV EAX, DWORD PTR DS: [IAT]
CALL EAX
Change ProcAddress stored in IAT to your HookProc address.

02/20/2013 14:06 iszoPL#7

I'll try that but this raises the question. Why isn't it showing up at IAT of engine.exe? Is it hidden some way? Lucky that i found a kernel driver that is letting me attach dbg to engine after hs loads. Game crashes after 10 min or so cuz i guess api hooks are detected somehow by HS even in kernel mode. Well this is old driver ;) But OpenProcess works and i can read memory directly from running engine so it's ok.

@Edit 1.

Ok this is more tricky i guess ;) Small update on what i've found.

[Only registered and activated users can see links. Click Here To Register...]

In EDX we've got address of recv. We are in ehsvc module and i'm pretty sure it's check for jmp patch hook on recv function. So maybe I can modify this part so it won't be able to "see" my hook or does ehsvc got some crc check on it's module and i can't modify memory in it?

I will keep digging and see if i can get address of recv in IAT.

02/20/2013 16:40 Thiesius#8

I think EHSvc has CRC self check.
IAT is decrypted at runtime by Armadillo. Few entries are obfuscated.

@EDIT
However that doesn't really matter. Just do it as I said.

02/20/2013 16:47 meak1#9

i said, just hook 5 bytes after the recv start function...

PHP Code:


			
PUSH EBP
MOV EBP,ESP
SUB ESP,8
MOV [LOCAL.2],ECX <---- just hook here, not at the start and GG, said it 20 times in the past 2 months? same in ur old thread i told U. just an example, only hook recv in ws32_2.dll or how the DLL was called, thx for my Bad english.
MOV EAX,[ARG.4]
PUSH EAX                                           ; /Flags
MOV ECX,[ARG.3]                                    ; |
PUSH ECX                                           ; |BufSize
MOV EDX,[ARG.2]                                    ; |
PUSH EDX                                           ; |Buffer
MOV EAX,[ARG.1]                                    ; |
PUSH EAX                                           ; |Socket

Hackshield proof the whole Engine.exe i guess, so hook in ws32_2.dll the Recv, after the first 5 Bytes. Just the Start of Recv is proofed by Hackshield...

02/20/2013 20:12 iszoPL#10

Ok so I'm trying to do mid-function hook as you said.

Code:

DWORD dwJMPback = (DWORD)GetProcAddress(GetModuleHandle(L"ws2_32.dll"),"recv") + 0xA; //The Jump Back address

 __declspec(naked) void fRecv(){
          __asm PUSHAD
          __asm PUSHF
    
	  cout << "Hooked recv\n";

          __asm POPFD
          __asm POPAD

	__asm MOV EAX,DWORD PTR DS:[0x76FFA050]
	__asm JMP [dwJMPback]
}

I'm placing a hook at recv + 5 bytes and jumping back at recv + 10 as length of my jmp is 5 bytes long.

Code:

OldRecv = (myrecv)GetProcAddress(GetModuleHandle(L"ws2_32.dll"),"recv");
OldRecv = (myrecv)((DWORD)OldRecv+0x5);
PlaceJMP((BYTE*)OldRecv, (DWORD)fRecv, 5);

And i'm getting crash. Function is hooked, i can see message but it crashes. I'll try to check with olly if it's placed correctly but feel free to help ;)

Edit.

It seems that everything should be fine. ;/

I traced back call to my function.

[Only registered and activated users can see links. Click Here To Register...]

JMP at the end goes back directly to instruction after my jmp

[Only registered and activated users can see links. Click Here To Register...]

So i have no idea why this is not working.

Edit 2.

Crap how could i be so stupid xD That's why it crashed "PUSHF" and i was trying to pop later. ;) heh works now. Anyway midfunc hook is in my opinion great thing. I had to read a bit about that but it works now. Thanks.

02/20/2013 20:41 Thiesius#11

ASM patches are still overkill for this situation.

Just write your detour address to the IAT.

02/20/2013 21:16 iszoPL#12

oO so I had this the whole time and I didn't know that was it. I'm guessing then that this is part of that obfuscated IAT. I was checking earlier dumped engine. Highlited address is add of recv in ws2 library.

And how on earth did u find this on running engine ;) Normally my olly crashes the game and I can't use it that's why i have to rely on dump. Even with this drivers as i mentioned hs after some time crashes game because of "some hacking software".

I tried to find that ur way and all i got was this check in ehsvc module then when i tried to execute till user code game was crashing due some exceptions or something.

I'm really just starting with olly and this type of coding so thx for help and understanding ;).

Oh and I have another question. Because of some kal update they are now able to detect proxy dlls. Even the one with detoured functions. I guess they added some new things, so I had to use injector + this driver in order to inject my dll, but as I said it's only for 10min-1h after game closes. So any idea how to fix that ;)

02/20/2013 21:37 Thiesius#13

Quote:

Originally Posted by iszoPL

And how on earth did u find this on running engine ;) Normally my olly crashes the game and I can't use it that's why i have to rely on dump. Even with this drivers as i mentioned hs after some time crashes game because of "some hacking software".

Just kidding I replaced the EHSvc by the HS Interactor from my old project.

Quote:

Originally Posted by iszoPL

Oh and I have another question. Because of some kal update they are now able to detect proxy dlls. Even the one with detoured functions. I guess they added some new things, so I had to use injector + this driver in order to inject my dll, but as I said it's only for 10min-1h after game closes. So any idea how to fix that ;)

1) Patch the dll checks in the Engine startup code. Then unpatch them.
OR
2) Inject DLL at startup before the HS gets loaded.

There are other ways, more complex or requires special tools.

02/20/2013 21:47 iszoPL#14

Second sounds pretty easy and I already tried that. Unfortunately even that it injects before hs there is a problem with my thread. It seems like they are blocking each other with main thread. If i put for example. cin in it then hs won't load till cin gets some stuff and thread moves on. Like it's suspended. After that game loads correctly but my injected dll doesn't seem to be working ;). Just blank console xD. Weird.

And I would love to try first one but will i get those check addresses just form dump? I mean aren't they changing or something?

02/20/2013 22:56 meak1#15

Quote:

Originally Posted by Thiesius

[Only registered and activated users can see links. Click Here To Register...]

Just kidding I replaced the EHSvc by the HS Interactor from my old project.

1) Patch the dll checks in the Engine startup code. Then unpatch them.
OR
2) Inject DLL at startup before the HS gets loaded.

There are other ways, more complex or requires special tools.

had it thiesius -> 1)

Dont work anymore, so i changed it to inject..
if u patch it and unpatch it, HS will detect it after some minutes, wrong HS packet i guess..

Page 1 of 2