
Hooking connection between client <-> server using DLL Injection

2,313 Views
Last Modified: 2013-11-13
Hello,
I need to hook socket in one application, so I will be able to send packets to client/server and modify sent/received. I've managed to do it with madCodeHook by hooking recv/send calls, but there's one problem - via this method I'm not able to send packets to this socket. That's because recv doesn't take the packet as a parameter, but empty buffer which will store it. So I started to look for a workaround...

After playing a bit with OllyDbg and reading the winsock documentation I found out a few things. First, the application is calling WSAAsyncSelect so winsock will post a message every time it receives a packet. I also found the message ID. Later, after receiving it, it's calling the select function to check whether the socket is readable (so there's something in the queue). If it is, it's using the recv function to get the packet.

The problem is, how can I emulate it... First, I've hooked the call to the 'select' function and every time it gets called I print a message on the screen so I see when it's used. Then, starting from the beginning, I need to send a faked message telling the application there's a packet waiting to be received... and here's the problem. I have the message id, window handle and I (think I) know what parameters I need to send. I tried the following:
PostMessage(WindowHandle, MessageID, 0, FD_READ);
Result value was true, so it sent the message however nothing happened - my hooked select function wasn't called.

So my question is - did I miss any other important function on the way? Or maybe I am sending message to the window incorrectly?

Thanks in advance
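The notification message the question is trying to reproduce has a documented shape: wParam carries the socket, the low word of lParam the network event and the high word an error code. The following added example (mine, not the asker's code) shows how a window procedure decodes such a message and why one posted with wParam = 0 can be dropped by a handler that checks the socket; it avoids Windows headers, so the Winsock macros WSAMAKESELECTREPLY / WSAGETSELECTEVENT / WSAGETSELECTERROR are re-implemented under lower-case names and the socket and message id are constructed sample values.

```c
/* Added example: decoding a WSAAsyncSelect notification in a window procedure.
 * No Windows headers are used; the documented Winsock macros are re-implemented
 * here with fixed-width types so the code builds anywhere. */
#include <stdint.h>
#include <stdio.h>

typedef uintptr_t SOCKET_T;   /* stands in for SOCKET (hypothetical name) */
#define FD_READ   0x01        /* network event bits as defined by Winsock */
#define FD_WRITE  0x02
#define FD_CLOSE  0x20
#define WM_USER   0x0400

/* Documented layout: lParam = MAKELONG(event, error). */
static uint32_t wsa_make_select_reply(uint16_t event, uint16_t error) {
    return (uint32_t)event | ((uint32_t)error << 16);
}
static uint16_t wsa_get_select_event(uint32_t lparam) { return (uint16_t)(lparam & 0xFFFF); }
static uint16_t wsa_get_select_error(uint32_t lparam) { return (uint16_t)(lparam >> 16); }

/* What the receiving window procedure concludes about one message. */
enum verdict { V_NOT_OURS = 0, V_WRONG_SOCKET, V_ERROR, V_READ_READY, V_OTHER_EVENT };

/* Handler for the message id registered via WSAAsyncSelect(s, hwnd, msg, FD_READ|FD_CLOSE).
 * Only V_READ_READY leads to the select()/recv() path described in the question. */
static enum verdict handle_async_select(uint32_t registered_msg, SOCKET_T our_socket,
                                        uint32_t msg, uintptr_t wparam, uint32_t lparam) {
    if (msg != registered_msg) return V_NOT_OURS;              /* not a Winsock notification */
    if ((SOCKET_T)wparam != our_socket) return V_WRONG_SOCKET; /* wParam must be the socket */
    if (wsa_get_select_error(lparam) != 0) return V_ERROR;     /* high word: error code */
    if (wsa_get_select_event(lparam) == FD_READ) return V_READ_READY;
    return V_OTHER_EVENT;                                      /* FD_WRITE, FD_CLOSE, ... */
}

int main(void) {
    const uint32_t msg_id = WM_USER + 1;   /* constructed sample values */
    const SOCKET_T s = 0x1A4;
    /* A genuine notification as Winsock itself would post it: read-ready. */
    printf("%d\n", handle_async_select(msg_id, s, msg_id, s, wsa_make_select_reply(FD_READ, 0)));
    /* The same message with wParam = 0: a handler that checks the socket ignores it. */
    printf("%d\n", handle_async_select(msg_id, s, msg_id, 0, FD_READ));
    return 0;
}
```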

Author

Commented:
Thanks for your answer, however I'm sure it's working in asynchronous mode all of the time. There's no need for LSP, because I'm hooking all calls to specific functions now too.

I've checked it in OllyDbg and via hook, select() is called every time, and only, if a packet arrives. I also found a few references to that message, although I wasn't able to trace back from that place to the message loop (which I found earlier, but it's too messed up to understand something). It's comparing the message ID with the ID picked via WSAAsyncSelect, but still... only if a packet arrived. I think there can be some other kind of check before that, or maybe first it's comparing wParam with the socket id... dunno. I landed in a big switch statement, but without message IDs. The jump to the function in which it's comparing the message ID is done by CALL EBX - but this instruction is used for other messages too, so I wasn't really able to discover where it assigns this value.

Author

Commented:
Are there any other ways of checking whether the socket received a message (except wsaasyncselect and select)? So I'll look for them via OllyDbg.
Sorry to disagree with you, but unless the programmer had a pathological misunderstanding of the way asynchronous sockets work, he would never call select() on an asynchronous socket.  The call to select() is used to discover if a socket is ready for reading or writing; if the call to select() indicates that the socket is ready to read (or to write), then you call recv() (or send()).  But with asynchronous sockets, there is no need to discover whether the socket is ready to read or write; asynchronous sockets tell you when they are ready, by sending you the message specified in WSAAsyncSelect().  
There is thus never a need to call select() with asynchronous sockets.  The fact that your target app is calling select() tends to indicate that the socket is not asynchronous at the time of the call, although the socket might be switched to asynchronous mode later on (or switched out of it earlier).

Author

Commented:
So, the programmer has a pathological misunderstanding of the way in which asynchronous sockets work. I've hooked the select() function, and it's called ONLY and ALWAYS when new packets arrive.

But still - should I send those messages via PostMessage or SendMessage? Should I send it to window (so I get handle by FindWindow) or entire application (handle from OpenProcess I think)? Also: are there any other functions which are used to check whether new data arrived?
If the socket is truly operating in asynchronous mode, then SendMessage and PostMessage should both work.  I would tend to prefer PostMessage, so your hook function is not blocked.  The message should be sent/posted to the handle of the window specified in the call to WSAAsyncSelect.
Read this thread from the newsgroups: "How to set the socket Readabilty status?" at http://groups.google.com/group/microsoft.public.win32.programmer.networks/browse_frm/thread/a709230c4e8e7562/52c9f55e9733e733 .  Note particularly the last posting.  Note also that some apps (like Firefox, apparently) bypass the Winsock API and go directly to the WSPxxx class of functions, so maybe you need to hook these too.

Author

Commented:
I already know everything that is written in that thread, but soon I'll compare the handle I have from FindWindow with the one passed in WSAAsyncSelect. Maybe that's the problem.
Commented:
Then it seems to me that I gave you the answer, when I told you that "The message should be sent/posted to the handle of the window specified in the call to WSAAsyncSelect."

Author

Commented:
Pff, that's obvious. The problem was that I assumed it's sending it to main window.
If the OP made an incorrect assumption about the identity of the window to which messages should be sent/posted, and if he corrected that assumption based on my advice that "The message should be sent/posted to the handle of the window specified in the call to WSAAsyncSelect", then the OP did not find the solution on his own, he was not provided with misleading answers, and in fact he obtained his answer from me.

Author

Commented:
It had nothing to do with your 'advice'. I granted you half of the points, which definitely should be enough for repeating everything I already knew. Once again - things you were saying were obvious and didn't bring any solution.
I see your offer to split points.

I will leave it up to the moderator, whose decision I will accept

Author

Commented:
I've answered him multiple times and explained it.
And I remain dissatisfied with the Asker's response.  The Asker specifically asked which window the message should be posted to: "Should I send it to window (so I get handle by FindWindow) or entire application (handle from OpenProcess I think)?"  He also asked how it should be sent: PostMessage or SendMessage.  I gave him the answer to both: use PostMessage to avoid blocking, and don't use either of the windows he mentioned; rather, use the window handle from the call to WSAAsyncSelect.
The Asker now wants to cancel his question, although he is now offering to split points as an assisted answer.  I thus remain dissatisfied, and I am therefore clicking the "Object" button.

Author

Commented:
I was giving you 250 points from the beginning, and as I already explained - you helped me in nothing and your answers were misleading.
Vee_Mod, I read your comments very carefully, and in my opinion I followed them exactly.  
Your comment explains that "ONLY if the Asker doesn't respond - or you are dissatisfied with the response - should anyone use the 'Object'."
As I stated in my post, I remain dissatisfied with the Asker's response, and I therefore clicked the "object" button.
Frankly, I have never been in this situation before, where the Asker asks to withdraw the question without awarding points.  I am completely unfamiliar with correct procedure, and I am doing the best I can.
Anyway, I won't hit the "object" button again.

