Solved

How to Hook Winsock Api ,

Posted on 2002-04-26
Last Modified: 2013-12-03
Situation:

Need to intercept the Connect APIs on Windows NT and replace them with my own function, called
from a DLL, and then have my program call the "old" API function to complete the process.

Connect -> 192.1.1.254

replace to

if (Connect == '192.1.1.254')
{
  Connect == ' 192.1.1.10'
}


Good luck!  Let me know if you have any questions.  I would like VC++6.0 source code...  Thanks!

Question by: kk2k

15 Comments
Expert Comment by Madshi (LVL 20):
Do you need this system wide or only for a specific process? Do you need to do this programmatically, or would perhaps installing a proxy (or something like that) solve the problem, too?

Author Comment by kk2k:
Just only for a specific process.


Expert Comment by Madshi (LVL 20):
Then you might want to look at my package "madCodeHookLib" (free for non-commercial purposes). With this package you can inject a self-written DLL into the specific process. Then in the DLL you can hook the connect APIs, again using my package.

Here is the online documentation. It is for the Delphi version of my package, but a C++ package is also available.

http://help.madshi.net/Data/madCodeHook.htm

Here is a demo, which shows all the basic framework you need:

http://help.madshi.net/Data/HookingNotepad.htm

Regards, Madshi.

Author Comment by kk2k:
Hi, Madshi

  Can you use your package to write some functions for me?


Connect -> 192.1.1.254

replace to

if (Connect == '192.1.1.254')
{
 Connect == ' 192.1.1.10'
}

VC code ~~  thanks~

Expert Comment by Madshi (LVL 20):
I'm sorry. First of all I'm a Delphi programmer. Second, I've not the time to do all the work for you...   :-/   There are also C++ demos in the demo folder. If you dig a bit, you'll be able to do it yourself, I think...

Expert Comment by jhance (LVL 32):
Here's another great source of information:

http://www.codeguru.com/system/apihook.html

Not only is the article itself excellent, but an example application is supplied and there are references to just about every item written on this topic.

Author Comment by kk2k:
I want some demo C++ code for my example.

Expert Comment by jhance (LVL 32):
It really would help if you would READ THE COMMENTS offered here to help you:


Here's another great source of information:

http://www.codeguru.com/system/apihook.html

Not only is the article itself excellent, but AN EXAMPLE APPLICATION IS SUPPLIED and there are references to just about every item written on this topic.

Expert Comment by Madshi (LVL 20):
The article & source code mentioned by jhance is really a good one. However, I don't like the API hooking method used there, namely Import Table Patching. It's really not the best method. Well, but it's good enough in a lot of situations, so you will have to try out whether you catch all needed API calls with this method or not.

Expert Comment by jhance (LVL 32):
The nicest thing about the article is the collection of references.  All the different techniques have their own advantages and disadvantages.

Expert Comment by Madshi (LVL 20):
Let me just add a comment to one part of that article:

>> Injecting DLL by using CreateRemoteThread() API function. Well, this is my favorite one. Unfortunately it is supported only by NT and Windows 2K operating systems.

Win9x does have a CreateRemoteThread-like function, it's just not exported from kernel32. My package is able to access this internal function...   :-)

Author Comment by kk2k:
OK, but there is no source file for my question.

To: jhance
   You haven't given details for my question.

To: Madshi

   I am a VC programmer. I don't use Delphi, but your madCodeHookLib is a good tool.
   Can you get me some source for VC?

   I will accept a comment as the answer tomorrow.

Accepted Solution by Madshi (LVL 20, earned 200 total points):
Here is a demo that shows you how to hook the well-known API "WinExec". You should be able to easily change it to the winsock "Connect" API(s). Do this stuff in a little DLL. Then just call "InjectLibrary(otherProcessHandle, 'c:\fullPath\yourHooking.dll')" in a little launcher application. That's it. Relatively easy, don't you agree?

This demo is directly from the Demo folder of my package. I'm sorry, but I don't have the time to give you full sources for your "Connect" hooking thing. It would cost me too much time...

Regards, Madshi.


// demonstrate how madCodeHook can hook (almost) any API under any win32 OS
// a madCodeHook is normally only process wide
// look at the systemAPI demo for infos about system wide hooks
// (note, that you can even hook so-called shared system APIs under win9x)

#include <windows.h>
#include "madCodeHookLib.h"

// variable for the "next hook", which we then call in the callback function
// it must have *exactly* the same parameters and calling convention as the
// original function
// besides, it's also the parameter that you need to undo the code hook again
UINT (WINAPI *WinExecNextHook)(LPCSTR lpCmdLine, UINT uCmdShow);

// this function is our hook callback function, which will receive
// all calls to the original WinExec function, as soon as we've hooked it
// the hook function must have *exactly* the same parameters and calling
// convention as the original function
UINT WINAPI WinExecHookProc(LPCSTR lpCmdLine, UINT uCmdShow)
{
  UINT result;

  // check the input parameters and ask whether the call should be executed
  if (MessageBox(0, lpCmdLine, "Execute?", MB_YESNO | MB_ICONQUESTION) == IDYES)
  {
    // now call the original function, but in minimized form (just for fun :-)
    result = WinExecNextHook(lpCmdLine, SW_SHOWMINIMIZED);
  }
  else
  {
    // if we didn't execute the call, we should at least return a valid value
    result = ERROR_FILE_NOT_FOUND;
  }
  return result;
}

int WINAPI WinMain(HINSTANCE hCurInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
  // we install our hook on the API...
  // alternatively to the call below you can also use this one (hook by module and export name):
  // HookAPI("kernel32.dll", "WinExec", WinExecHookProc, (PVOID*) &WinExecNextHook);
  HookCode(WinExec, WinExecHookProc, (PVOID*) &WinExecNextHook);
  // now call the original (but hooked) API
  // as a result of the hook the user will receive our messageBox etc
  WinExec("notepad.exe", SW_SHOWNORMAL);
  // *PLEASE* be cautious when you hook APIs in win9x that are in the shared area
  // e.g. kernel32.dll and user32.dll are in the shared area
  // each dll with GetModuleHandle >= $80000000 is in the shared area
  // with madCodeHook you can hook such "shared APIs" like any other
  // but if you don't unhook them, rests of your hooks will remain installed
  // even after your application closes
  // that doesn't impact system stability, but it's not good for performance
  // (under winNT/2000 you don't need to care about unhooking)
  UnhookCode((PVOID*) &WinExecNextHook);

  return 0;
}
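The replacement connect() function for the question's own case, as an added example that is not from the thread or from madCodeHook's demos: it matches the destination 192.1.1.254 inside the sockaddr passed to connect() and points it at 192.1.1.10 instead, passing every other call through untouched, which is what a proxifier or a test harness does to redirect a hardcoded target inside a process you control. The address-rewriting core also compiles and self-tests on POSIX (sockaddr_in has the same layout there), while the Windows-only hook callback follows the next-hook pattern of the WinExec demo above; the HookAPI call in the closing comment is assumed to take the same form as in that demo.

```c
#define _DEFAULT_SOURCE
#include <string.h>
#ifdef _WIN32
#include <winsock2.h>
#include <ws2tcpip.h>
#else
#include <sys/socket.h>
#include <arpa/inet.h>
#endif
/* Addresses from the question: connects to 192.1.1.254 are sent to 192.1.1.10 instead. */
#define MATCH_IP    "192.1.1.254"
#define REDIRECT_IP "192.1.1.10"
/* Rewrite an IPv4 sockaddr in place if it targets MATCH_IP: 1 = rewritten, 0 = untouched (NULL, too short, not AF_INET, other address). */
int redirect_sockaddr(struct sockaddr *name, int namelen)
{
    struct sockaddr_in *sin = (struct sockaddr_in *)name;
    if (name == NULL || namelen < (int)sizeof(*sin) || name->sa_family != AF_INET)
        return 0;
    if (sin->sin_addr.s_addr != inet_addr(MATCH_IP))
        return 0;
    sin->sin_addr.s_addr = inet_addr(REDIRECT_IP);   /* sin_port is deliberately kept */
    return 1;
}
/* Self-test helper: parse ip, apply the redirect, write the result as text into out; returns redirect_sockaddr()'s result, or -1 if ip does not parse. */
int redirect_ip_string(const char *ip, char *out, size_t outlen)
{
    struct sockaddr_in sin = {0};
    sin.sin_family = AF_INET;
    if (inet_pton(AF_INET, ip, &sin.sin_addr) != 1) return -1;
    int rc = redirect_sockaddr((struct sockaddr *)&sin, (int)sizeof sin);
    inet_ntop(AF_INET, &sin.sin_addr, out, outlen);
    return rc;
}
#ifdef _WIN32
/* "next hook" pointer: same parameters and calling convention (WSAAPI) as connect() */
int (WSAAPI *ConnectNextHook)(SOCKET s, const struct sockaddr *name, int namelen);
/* Hook callback: the caller's buffer is const and may be reused, so rewrite a private copy. */
int WSAAPI ConnectHookProc(SOCKET s, const struct sockaddr *name, int namelen)
{
    struct sockaddr_storage copy;
    if (name != NULL && namelen > 0 && namelen <= (int)sizeof copy) {
        memcpy(&copy, name, (size_t)namelen);
        if (redirect_sockaddr((struct sockaddr *)&copy, namelen))
            return ConnectNextHook(s, (const struct sockaddr *)&copy, namelen);
    }
    return ConnectNextHook(s, name, namelen);
}
/* Installed from the injected DLL as in the WinExec demo (assumed madCodeHook form): HookAPI("ws2_32.dll", "connect", ConnectHookProc, (PVOID *)&ConnectNextHook); */
#endif
```

The hook only touches IPv4 targets of full sockaddr_in size, so IPv6 connects and malformed lengths reach the original connect() unchanged and the port is never altered.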
Expert Comment by nildo (LVL 1):
What messages are available on the Socket APIs?