Replacing WS2_32.DLL

I am trying to replace WS2_32.DLL to create a small firewall and logging system.
I 've made a tool which reads a dll and generates CPP,and DEF files that have stubs for the functions inside with
their ordinals.
For WS2_32.DLL , this looks as follows:

#include <stdio.h>
#include <windows.h>


int _stdcall (*_L_accept)();
int _stdcall (*_L_bind)();

extern "C" void _stdcall __declspec(naked) _I_accept()
      asm {jmp _L_accept;}

extern "C" void _stdcall __declspec(naked) _I_bind()
      asm {jmp _L_bind;}


And the DEF file is:


accept=_I_accept @1
bind=_I_bind @2

The Entry routine in the CPP file looks like this:

      if (fwd == DLL_PROCESS_ATTACH)
            hDLL = LoadLibrary("ws2_31.dll"); // This ws2_31.dll is the original ws2_32.dll
            if (!hDLL)
                  return FALSE;

            _L_accept = GetProcAddress(hDLL,"accept");
            _L_bind = GetProcAddress(hDLL,"bind");
            return TRUE;
      if (fwd == DLL_PROCESS_DETACH)

      return TRUE;

And I link this CPP with my own assembly stub:

// -----
.model flat,stdcall
L equ <LARGE>


extrn DllEntryPoint:PROC
ADllEntryPoint PROC hInstance:DWORD, fdwReason:DWORD, resvd:DWORD

PUSH L resvd
PUSH L fdwReason
PUSH L hInstance
CALL DllEntryPoint

dd 4096 dup(?)

End ADllEntryPoint            

This procedure works when I use another DLL with an app, however when I copy the generated DLL in C:\windows\system32 (through booting with DOS) , the Windows won't start (XP) , even WINLOGON.EXE crashes when loads it.
Can you see any possible problem and/or suggest a different way of making the trick ?

Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

This is not the best approach.  You are attempting to write what is called a "SHIM" DLL, replacing the real DLL with one of your own and intercepting calls.  While this can be done, Windows XP works against you since this DLL is one of the "protected" ones in the system.

But to succeed you must implement ALL exports in the original DLL, even the undocumented ones that don't even have names.  Run DUMPBIN /EXPORTS on the original and get your list and start working!!

A better approach is to use one of the interfaces in Windows that Microsoft has provided for doing this.  There are two that are most useful here:

1) If you are interested ONLY in TCPIP traffic, you have the WINSOCK SPI:

2) If you are interested in ANY network traffic, you have the NDIS Intermediate API:
WxWAuthor Commented:
The tool I made gets every export from the original DLL and creates a stub that jmps with assembly to the correct entry point. WS2_32.DLL exports 500 items, and most of them are unnamed, only exported by ordinal value. But I still import them with dummy function names.

I found the problem, its because my linker (damn borland !) assings arbitary ordinal numbers , not choosing the ones the DEF file specifies. Rather than change my linker (which requires I would reinstall MS VC 2003 into my 1GB free disk !) , can you suggest me a tool that can change the ordinal numbers in a module so I apply it to the new DLL ?

Thanks a lot.
WxWAuthor Commented:
If i use NDIS , i will have to create a driver...which is something I 've never done !.
OWASP: Threats Fundamentals

Learn the top ten threats that are present in modern web-application development and how to protect your business from them.

WxWAuthor Commented:
Or can you tell me how to change the ordinal value's myself by manipulating the DLL itself?
Here you'll find documentation about how PE files look like:

Have you already found a solution for the problem with the system file protection? Because if you don't find one, you can forget about the whole idea.
Could I find out which version of borland you are using?
Also, are you trying to develop something like ?  If so, you might be interested in the library they use.
WxWAuthor Commented:
builder 6
Replacing a shared lib is not the way to go. What if the user doesnt want your dll-changes anymore
Did the shim approach work? I would like to do the same to implement something on windows along the lines of tcpdump and at the same time showing the process that is using a particular socket(UDP or TCP). I may also want to sniff around while I am at it, which I assume is no problem. An yeah if you did get it to work eventually which compiler did the trick?

WxWAuthor Commented:
No it doesn't work altought I managed to make it the way I told you. I am pretty sure that the DLL exports everything that should be exported and jumps to the original dll when processing is finished, and XP complains that the dll is incorrect, for unknown reasons. I am still trying to use a NDIS driver.

However, the trick worked for other DLL's, so you can use it.
If you find a way to do it with WS2_32.DLL, or if you find an already working solution, please tell us.

Can I have the stub file and the DEF file, or better still can you tell me how to generate those for a DLL?

I gather that you only tried it for XP, am I right? Did you use VC eventually?

WxWAuthor Commented:
I used a program I made, called 'wrappit' . This program reads the exports (generated by depends.exe) and creates 3 files. The CPP file, which contains functions with the _I_ prefix which jump to the original functions.
The ASM file, which does the same if you want to use assembly, and
the DEF file, which specifies the same ordinals.

And finally, I link the compiled object file, with my .ASM object shown above. That prohibits you to use C++ runtime functions as you would have to link against your compiler's libraries, but I only needed Win32 API.

If you want the source code of 'wrappit', I would be glad to share, send me e-mail at
PAQed, with points refunded (250)

E-E Admin

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Development

From novice to tech pro — start learning today.