Hooked recv/send functions , have problem (pro's only)

[Staviko]

So i did it finally ^^
My problem now is that after 20 sec i stop getting calls to send/recv functions ?

The hook is still attached,client still connected , any one please(BakaBug where are you !!!!) ?




Thanks !

[katze123]

Quote:

Originally Posted by Staviko

My problem now is that after 20 sec i stop getting calls to send/recv functions ?

Quote:

Originally Posted by Staviko

The hook is still attached

somethings contrary

[Staviko]

yes exactly , that what i cant understand...as u can see if i try to replace/rename the dll it is still in memory ....also you can see the gui still running and no expel from server means my process is undetected, maybe they have some new trick ?

lol same problem ^^



thanks meak1 (:

meak1 please help,cant understand ):

how it will work ? you mean to place the jump after 5 byte of real jump ?

so how our jump will be called ?

Code:

GetProcAddress(GetModuleHandleA("ws2_32.dll"), "send")+5

?

[meak1]

#Yes

Code:

int Naked MySendDetour(SOCKET s,char *buf, int len, int flags){
	_asm{
		SUB ESP, 0x10
		PUSH ESI
		PUSH EDI
	}

	MySendResult(buf);

	_asm{
		jmp addressbackSend
	}
}

Intercept(INST_JMP, (DWORD)send+0x05,(DWORD)MySendDetour,5);

[pamz12]

meak is not helping at all qq ahaha

[Staviko]

meak1 is the best !

[luki180pl]

What should be in addressbackSend?

[meak1]

Quote:

Originally Posted by luki180pl

What should be in addressbackSend?

maybe the backsend address ?

[Staviko]

Code:

RealSend = (SendPtr)GetProcAddress(GetModuleHandleA("ws2_32.dll"), "send");

BYTE* back = (BYTE*)RealSend+10;
	
    _asm{
		jmp back;
	}

?

Code:

Attempted to read or write protected memory. This is often an indication that other memory is corrupt.

hhhhh

haha

Code:

Applications should call FlushInstructionCache if they generate or modify code in memory. The CPU cannot detect the change, and may execute the old code it cached

also need to save registers...using push/pop/ad/fd

[luki180pl]

Thx Staviko, actually my problem was that i wrote +"0x10" istead of +"0xA".

"also need to save registers...using push/pop/ad/fd" - possibly too hard for me as i know nothing about assembler at all ^^

[Frosttall]

Quote:

Originally Posted by luki180pl

Thx Staviko, actually my problem was that i wrote +"0x10" istead of +"0xA".

"also need to save registers...using push/pop/ad/fd" - possibly too hard for me as i know nothing about assembler at all ^^

Basically you save the current state of the code before the client executes your hook and restore it afterwards. This is required to prevent corrupted states after calling your hook.

Code:

pushad
pushfd
jmp YOUR_HOOK
popfd
popad

For more informations consult

[Staviko]

try pushad pushfd for save integers and flags from original program on stuck befor call ur hook popad popfd after finish ur hook and jmp back

lolll froatol dident saw ur post ^^ hhh

anything u have 2 know ^^

[luki180pl]

Thanks for answers Frosttall and Staviko. Im gonna give it a try tomorrow and tell u the results ^^

[meak1]

my hook dont change registerslol

[Frosttall]

Quote:

Originally Posted by meak1

my hook dont change registerslol

Well you're lucky then , but it is good style to clean up after your work is done.