在Acceptexhookproc上断开连接插座

发布于 2025-01-26 12:57:45 字数 2508 浏览 5 评论 0原文

我正在尝试在Acceptexhookproc例程中断开插座。我在.dll上挂上了Acceptex，并注入了.EXE应用程序，如果在我的IF处连接的IP相同，我想要断开连接套接字。

该程序使用Acceptex，而不是WSAACCEPT（我知道使用CF_REJECT的回调），但是此程序并非如此，因为他使用Winsock Library的Acceptex（不是Winsock2）。

const WSAID_DISCONNECTEX: TGuid = '{7fda2e11-8630-436f-a031-f536a6eec157}';

type
  LPFN_DISCONNECTEX = function(const hSocket : TSocket; AOverlapped:
  POverlapped; const dwFlags : DWORD; const dwReserved : DWORD) : BOOL; stdcall; 

function GetAddress(ASocket: TSocket; const AName: String; const AGuid: TGUID): Pointer; inline; overload;
var
  BytesSend: DWORD;
begin
  if WSAIoctl(ASocket, SIO_GET_EXTENSION_FUNCTION_POINTER, @AGuid, DWORD(SizeOf(TGuid)),
    @Result, DWORD(SizeOf(FARPROC)), BytesSend, nil, nil) <> 0 then
    Result := nil;
end;

function AcceptExHookProc(sListenSocket, sAcceptSocket: TSocket;
  lpOutputBuffer: Pointer; dwReceiveDataLength, dwLocalAddressLength,
  dwRemoteAddressLength: DWORD; var lpdwBytesReceived: DWORD;
  lpOverlapped: POverlapped): BOOL; stdcall;
var
  IP            : String;
  LRet, RRet    : Winsock.PSockAddr;
  lsize, rsize  : Integer;

  DisconnectEx    : LPFN_DISCONNECTEX;
  BytesOut        : DWORD;

  Res : Integer;
begin
  Result := TrampolineAcceptEx(sListenSocket, sAcceptSocket, lpOutputBuffer, dwReceiveDataLength, dwLocalAddressLength, dwRemoteAddressLength, lpdwBytesReceived, lpOverlapped); 

  lsize   := 32;
  rsize   := 32;
  Winsock.GetAcceptExSockaddrs(lpOutputBuffer, dwReceiveDataLength, dwLocalAddressLength, dwRemoteAddressLength, LRet, lsize, RRet, rsize);

  IP := Winsock.inet_ntoa(RRet.sin_addr);   

  if (IP = '177.222.164.65') then
  begin
    Res := setsockopt(sAcceptSocket, SOL_SOCKET, SO_UPDATE_ACCEPT_CONTEXT, @sListenSocket, SizeOf(sListenSocket));
      
    WriteLn(Format('Result %d / %d', [Res, GetLastError]));
    // Show result - 1 and sock error 10057
      
    DisconnectEx := GetAddress(sAcceptSocket, 'DisconnectEx', WSAID_DISCONNECTEX);

    if @DisconnectEx <> nil then
      if DisconnectEx(sAcceptSocket, nil, TF_REUSE_SOCKET, 0) then 
        WriteLn('Disconnect ok')
      else
        WriteLn('Disconnect falhou + ' + IntToStr(GetLastError));
        // Show sock error 10057
      
    WriteLn(Format(' [%s] Connection from IP (%s) DISCONNECT', [TimeToStr(Now), IP]));
  end
  else
  begin
    WriteLn(Format('[%s] Connection from IP (%s)', [TimeToStr(Now), IP]));
  end;
end;

有效，但返回false和getlastror show套接字错误10057（未连接套接字。）但是连接仍然存在（我在Process Hacker检查）

原文

i'm trying disconnect a socket at AcceptExHookProc routine.
i hooked AcceptEx at .dll and injected at .exe app who i want disconnect socket if ip connected at socket is same at my if.

the program uses AcceptEx, not WSAAccept (i know about about the callback using CF_REJECT) but isn't the case for this program since him uses AcceptEx from Winsock library (not winsock2).

const WSAID_DISCONNECTEX: TGuid = '{7fda2e11-8630-436f-a031-f536a6eec157}';

type
  LPFN_DISCONNECTEX = function(const hSocket : TSocket; AOverlapped:
  POverlapped; const dwFlags : DWORD; const dwReserved : DWORD) : BOOL; stdcall; 

function GetAddress(ASocket: TSocket; const AName: String; const AGuid: TGUID): Pointer; inline; overload;
var
  BytesSend: DWORD;
begin
  if WSAIoctl(ASocket, SIO_GET_EXTENSION_FUNCTION_POINTER, @AGuid, DWORD(SizeOf(TGuid)),
    @Result, DWORD(SizeOf(FARPROC)), BytesSend, nil, nil) <> 0 then
    Result := nil;
end;

function AcceptExHookProc(sListenSocket, sAcceptSocket: TSocket;
  lpOutputBuffer: Pointer; dwReceiveDataLength, dwLocalAddressLength,
  dwRemoteAddressLength: DWORD; var lpdwBytesReceived: DWORD;
  lpOverlapped: POverlapped): BOOL; stdcall;
var
  IP            : String;
  LRet, RRet    : Winsock.PSockAddr;
  lsize, rsize  : Integer;

  DisconnectEx    : LPFN_DISCONNECTEX;
  BytesOut        : DWORD;

  Res : Integer;
begin
  Result := TrampolineAcceptEx(sListenSocket, sAcceptSocket, lpOutputBuffer, dwReceiveDataLength, dwLocalAddressLength, dwRemoteAddressLength, lpdwBytesReceived, lpOverlapped); 

  lsize   := 32;
  rsize   := 32;
  Winsock.GetAcceptExSockaddrs(lpOutputBuffer, dwReceiveDataLength, dwLocalAddressLength, dwRemoteAddressLength, LRet, lsize, RRet, rsize);

  IP := Winsock.inet_ntoa(RRet.sin_addr);   

  if (IP = '177.222.164.65') then
  begin
    Res := setsockopt(sAcceptSocket, SOL_SOCKET, SO_UPDATE_ACCEPT_CONTEXT, @sListenSocket, SizeOf(sListenSocket));
      
    WriteLn(Format('Result %d / %d', [Res, GetLastError]));
    // Show result - 1 and sock error 10057
      
    DisconnectEx := GetAddress(sAcceptSocket, 'DisconnectEx', WSAID_DISCONNECTEX);

    if @DisconnectEx <> nil then
      if DisconnectEx(sAcceptSocket, nil, TF_REUSE_SOCKET, 0) then 
        WriteLn('Disconnect ok')
      else
        WriteLn('Disconnect falhou + ' + IntToStr(GetLastError));
        // Show sock error 10057
      
    WriteLn(Format(' [%s] Connection from IP (%s) DISCONNECT', [TimeToStr(Now), IP]));
  end
  else
  begin
    WriteLn(Format('[%s] Connection from IP (%s)', [TimeToStr(Now), IP]));
  end;
end;

works but return false and getlasterror show socket error 10057 (Socket is not connected.)
but connection still estabilished (i check at process hacker)

分享到QQ

分享到微博