Hooked recv/send functions, have a problem (pros only)

05/22/2015 00:27 Staviko#1
So I did it finally ^^
My problem now is that after 20 sec I stop getting calls to the send/recv functions?

The hook is still attached, client still connected, anyone please (BakaBug where are you!!!!)? :handsdown:



Thanks !
05/22/2015 00:35 katze123#2
Quote:
Originally Posted by Staviko View Post
My problem now is that after 20 sec I stop getting calls to the send/recv functions?
Quote:
Originally Posted by Staviko View Post
The hook is still attached
Something's contrary :)
05/22/2015 00:38 Staviko#3
Yes exactly, that's what I can't understand... as you can see, if I try to replace/rename the DLL it is still in memory... also you can see the GUI still running and no expel from the server, which means my process is undetected. Maybe they have some new trick?

lol same problem ^^


thanks meak1 (:

meak1 please help, can't understand ):

How will it work? You mean to place the jump after the 5 bytes of the real jump?

So how will our jump be called?

Code:
// FARPROC is not a byte pointer, so cast before adding the offset
(BYTE*)GetProcAddress(GetModuleHandleA("ws2_32.dll"), "send") + 5
?
05/23/2015 17:51 meak1#4
Yes

Code:
// MSVC x86 inline asm; naked, so the compiler emits no prologue/epilogue of its own.
// ebp is already valid here because the jmp sits at send+5, after send's own
// push ebp / mov ebp,esp, so the parameters are reachable as usual.
int __declspec(naked) MySendDetour(SOCKET s, char *buf, int len, int flags){
	_asm{
		// re-execute the 5 bytes the jmp at send+5 overwrote
		SUB ESP, 0x10
		PUSH ESI
		PUSH EDI
	}

	MySendResult(buf);

	_asm{
		// addressbackSend holds send+0xA, the first instruction left untouched
		jmp dword ptr [addressbackSend]
	}
}

// poster's own helper: write a 5-byte jmp at send+5 that lands in MySendDetour
Intercept(INST_JMP, (DWORD)send+0x05,(DWORD)MySendDetour,5);
05/23/2015 21:09 pamz12#5
meak is not helping at all qq ahaha
05/24/2015 12:01 Staviko#6
meak1 is the best !
05/24/2015 13:28 luki180pl#7
What should be in addressbackSend?
05/24/2015 15:10 meak1#8
Quote:
Originally Posted by luki180pl View Post
What should be in addressbackSend?
Maybe the backsend address?
05/24/2015 16:01 Staviko#9
Code:
RealSend = (SendPtr)GetProcAddress(GetModuleHandleA("ws2_32.dll"), "send");

// resume at send+0xA: the instruction right after the 5 stolen bytes (send+5..send+9)
BYTE* back = (BYTE*)RealSend + 10;

_asm{
	jmp back;   // indirect jump through the variable holding send+0xA
}

?

Code:
Attempted to read or write protected memory. This is often an indication that other memory is corrupt.
:rtfm: hhhhh

haha

Code:
Applications should call FlushInstructionCache if they generate or modify code in memory. The CPU cannot detect the change, and may execute the old code it cached

Also need to save registers... using pushad/popad and pushfd/popfd.
05/26/2015 16:01 luki180pl#10
Thx Staviko, actually my problem was that I wrote +"0x10" instead of +"0xA".

"Also need to save registers... using pushad/popad and pushfd/popfd" - possibly too hard for me as I know nothing about assembler at all ^^
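The patch the thread converges on is a 5-byte jmp at send+5 with the detour resuming at send+0xA. An added example (not code from any poster): the integrity check a defender would run over a function's prologue to spot exactly that patch and recover where it lands. It works on a byte image of the function so it runs offline; the prologue bytes and the two addresses are constructed, and on a live process the caller would copy the first bytes of the export into the buffer and compare against the on-disk image.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed sample of the 32-bit ws2_32!send prologue the thread patches:
 *   +0  8B FF     mov edi, edi   (hot-patch pad)
 *   +2  55        push ebp
 *   +3  8B EC     mov ebp, esp
 *   +5  83 EC 10  sub esp, 10h   <- the 5 bytes meak1's detour re-executes
 *   +8  56        push esi
 *   +9  57        push edi
 *   +A  8B 45 08  mov eax, [ebp+8]  first instruction the detour jumps back to */
static const uint8_t clean_send[]  = {0x8B,0xFF,0x55,0x8B,0xEC,0x83,0xEC,0x10,0x56,0x57,0x8B,0x45,0x08};
/* Same bytes after a "jmp rel32" (E9) was written at +5. Constructed addresses:
 * send at 0x75A01000, detour at 0x10001000, so rel32 = 0x9A5FFFF6 little-endian. */
static const uint8_t hooked_send[] = {0x8B,0xFF,0x55,0x8B,0xEC,0xE9,0xF6,0xFF,0x5F,0x9A,0x8B,0x45,0x08};

typedef struct {
    int hooked;           /* nonzero if an E9 jmp sits at a hot-patch point */
    size_t patch_offset;  /* offset of the jmp: 0 or 5 for this prologue shape */
    size_t resume_offset; /* first byte after the 5 overwritten ones (0xA here) */
    uint32_t target;      /* absolute address the jmp lands on (the detour) */
} hook_report;

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Inspect the two hot-patch points (+0 and +5) of a function image for a
 * 5-byte relative jmp. base is the function's address in the scanned process;
 * the target is base + end-of-jmp + rel32, computed in wrapping 32-bit math. */
hook_report scan_prologue(const uint8_t *code, size_t len, uint32_t base) {
    hook_report r = {0, 0, 0, 0};
    static const size_t points[] = {0, 5};
    for (size_t i = 0; i < 2; i++) {
        size_t off = points[i];
        if (off + 5 > len) break;
        if (code[off] == 0xE9) {
            r.hooked = 1;
            r.patch_offset = off;
            r.resume_offset = off + 5;
            r.target = base + (uint32_t)(off + 5) + read_le32(code + off + 1);
            return r;
        }
    }
    return r;
}

/* Byte-for-byte comparison against a known-clean copy (e.g. the on-disk image):
 * returns the first differing offset, or -1 if the two prologues are identical. */
long first_diff(const uint8_t *live, const uint8_t *clean, size_t n) {
    for (size_t i = 0; i < n; i++) if (live[i] != clean[i]) return (long)i;
    return -1;
}
```

A real scanner would pair this with a disassembler so that a jmp placed on any instruction boundary, not just the two hot-patch points, is caught.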
05/26/2015 18:07 Frosttall#11
Quote:
Originally Posted by luki180pl View Post
Thx Staviko, actually my problem was that I wrote +"0x10" instead of +"0xA".

"Also need to save registers... using pushad/popad and pushfd/popfd" - possibly too hard for me as I know nothing about assembler at all ^^
Basically you save the current state of the code before the client executes your hook and restore it afterwards. This is required to prevent corrupted states after calling your hook.

Code:
pushad          ; save all general-purpose registers
pushfd          ; save EFLAGS
call YOUR_HOOK  ; run the hook and come back (a plain jmp would never reach the pops)
popfd           ; restore EFLAGS
popad           ; restore the registers
For more information, consult the linked reference.
05/26/2015 20:04 Staviko#12
Try pushad/pushfd to save the integer registers and flags of the original program on the stack before calling your hook, then popad/popfd after your hook finishes and jmp back.

lolll Frosttall, didn't see your post ^^ hhh

Anything you have to know ^^
05/26/2015 23:08 luki180pl#13
Thanks for the answers Frosttall and Staviko. I'm gonna give it a try tomorrow and tell you the results ^^
05/27/2015 01:36 meak1#14
My hook doesn't change registers lol
05/27/2015 08:00 Frosttall#15
Quote:
Originally Posted by meak1 View Post
My hook doesn't change registers lol
Well, you're lucky then, but it is good style to clean up after your work is done.