EasyHook recv 不会“挂钩”所有数据包
我设法编写了一个半工作的 EasyHook 示例来挂钩 recv 函数。我编写了一个表单,添加了一个 WebBrowser 组件,然后启动了该应用程序。问题是,我收到了 HTTP 数据包,但如果有套接字,则似乎 recv 停止“挂钩”。 问题是,通过外部应用程序 Spystudio,我可以让它们挂钩 recv。那么,我错过了什么?
using System;
using System.Collections.Generic;
using System.Data;
using System.Runtime.InteropServices;
using System.Threading;
using System.Text;
using System.Windows.Forms;
using System.Diagnostics;
using System.IO;
using System.Runtime.Remoting;
using System.Runtime.Remoting.Channels.Ipc;
using EasyHook;
namespace flashing
{
public partial class Form1 : Form,EasyHook.IEntryPoint
{
public LocalHook CreateRecvHook;
public Form1()
{
InitializeComponent();
}
[DllImport("Ws2_32.dll")]
static extern int recv(
IntPtr socketHandle,
IntPtr buf,
int count,
int socketFlags
);
[UnmanagedFunctionPointer(CallingConvention.StdCall,
CharSet = CharSet.Unicode,
SetLastError = true)]
delegate int Drecv(
IntPtr socketHandle,
IntPtr buf,
int count,
int socketFlags
);
static int recv_Hooked(
IntPtr socketHandle,
IntPtr buf,
int count,
int socketFlags)
{
int bytesCount = recv(socketHandle, buf, count, socketFlags);
if (bytesCount > 0)
{
byte[] newBuffer = new byte[bytesCount];
Marshal.Copy(buf, newBuffer, 0, bytesCount);
string s = System.Text.ASCIIEncoding.ASCII.GetString(newBuffer);
TextWriter tw = new StreamWriter("log.txt");
tw.Write(s);
tw.Close();
Debug.WriteLine("Hooked:>" + s);
}
return bytesCount;
}
private void bottonHook_Click(object sender, EventArgs e)
{
try
{
CreateRecvHook = LocalHook.Create(
LocalHook.GetProcAddress("Ws2_32.dll", "recv"),
new Drecv(recv_Hooked),
this);
CreateRecvHook.ThreadACL.SetExclusiveACL(new Int32[] { 0 });
}
catch (Exception ExtInfo)
{
Debug.WriteLine("Error creating the Hook");
return;
}
RemoteHooking.WakeUpProcess();
}
private void buttonLoader_Click(object sender, EventArgs e)
{
axShockwaveFlash1.LoadMovie(0, "test.swf");
}
}
}
编辑:我对recv毫无疑问,这是apimonitor告诉我的:
# TID Module API Return Error
5 2696 Flash10l.ocx recv ( 1992, 0x07080000, 65536, 0 ) 1
那么,有人可以帮助我吗?
I managed to write a semiworking EasyHook example that hooks recv function. I wrote a form, added a WebBrowser component, and started the application. The problem is, I get the HTTP packets, but if there's a socket, it seems that recv stops "hooking".
The problem is, with an external application, Spystudio, I can get them hooking recv. So, what am I missing?
using System;
using System.Collections.Generic;
using System.Data;
using System.Runtime.InteropServices;
using System.Threading;
using System.Text;
using System.Windows.Forms;
using System.Diagnostics;
using System.IO;
using System.Runtime.Remoting;
using System.Runtime.Remoting.Channels.Ipc;
using EasyHook;
namespace flashing
{
public partial class Form1 : Form,EasyHook.IEntryPoint
{
public LocalHook CreateRecvHook;
public Form1()
{
InitializeComponent();
}
[DllImport("Ws2_32.dll")]
static extern int recv(
IntPtr socketHandle,
IntPtr buf,
int count,
int socketFlags
);
[UnmanagedFunctionPointer(CallingConvention.StdCall,
CharSet = CharSet.Unicode,
SetLastError = true)]
delegate int Drecv(
IntPtr socketHandle,
IntPtr buf,
int count,
int socketFlags
);
static int recv_Hooked(
IntPtr socketHandle,
IntPtr buf,
int count,
int socketFlags)
{
int bytesCount = recv(socketHandle, buf, count, socketFlags);
if (bytesCount > 0)
{
byte[] newBuffer = new byte[bytesCount];
Marshal.Copy(buf, newBuffer, 0, bytesCount);
string s = System.Text.ASCIIEncoding.ASCII.GetString(newBuffer);
TextWriter tw = new StreamWriter("log.txt");
tw.Write(s);
tw.Close();
Debug.WriteLine("Hooked:>" + s);
}
return bytesCount;
}
private void bottonHook_Click(object sender, EventArgs e)
{
try
{
CreateRecvHook = LocalHook.Create(
LocalHook.GetProcAddress("Ws2_32.dll", "recv"),
new Drecv(recv_Hooked),
this);
CreateRecvHook.ThreadACL.SetExclusiveACL(new Int32[] { 0 });
}
catch (Exception ExtInfo)
{
Debug.WriteLine("Error creating the Hook");
return;
}
RemoteHooking.WakeUpProcess();
}
private void buttonLoader_Click(object sender, EventArgs e)
{
axShockwaveFlash1.LoadMovie(0, "test.swf");
}
}
}
edit : I've no doubt about recv, here it is what apimonitor tells me:
# TID Module API Return Error
5 2696 Flash10l.ocx recv ( 1992, 0x07080000, 65536, 0 ) 1
So, can somebody help me?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
问题解决了。造成麻烦的线路是
我将其更改为
现在一切正常。
谢谢大家:)
Problem Solved. The line that created trouble was
I changed it to
and now everything works just fine.
Thanks everybody :)
套接字使用了许多不同的功能。也许插件没有使用名为
recv的函数。我立即想到了recvfrom、recvmsg、WSARecv、WSARecvFrom、WSARecvMsg、ReadFile、ReadFileEx。然后,插件可能会使用重叠的 I/O 执行请求(可能因完成例程或完成端口而变得复杂),在这种情况下,数据不会在例如
ReadFile函数调用期间存储,而是在稍后存储时间。挂钩这些将更具挑战性。There are a lot of different functions used with sockets. Maybe the plugin is not using the function named
recv. Off the top of my head I can think ofrecvfrom,recvmsg,WSARecv,WSARecvFrom,WSARecvMsg,ReadFile,ReadFileEx.Then, the plugin could be doing requests with overlapped I/O (possibly complicated by completion routines or completion ports), in which case the data isn't stored during the e.g.
ReadFilefunction call but at some later time. Hooking those would be considerably more challenging.我用c#编写了一个使用sharppcs转储http的工具。它使用 winpcap 驱动程序。我认为 tan apihooks 更可靠。
HTTPSaver(带源)
SharpPcap
Winpcap
I wrote a tool dumping http using sharppcs in c#. It uses the winpcap-driver. I think it is more reliable tan apihooks.
HTTPSaver (with sources)
SharpPcap
Winpcap