C++ C++;钩住winsock_C++_Hook_Winsock - Fatal编程技术网

C++ C++;钩住winsock


我试图钩住winsock send和recv,以便读取进程的所有流量。 我将以下代码作为dll注入目标进程中

#include "dll.h"
#include <windows.h>
#include <winsock2.h>
#include <iostream>
#include <fstream>

#pragma comment(lib, "ws2_32.lib")

using namespace std;

// Default constructor: dll.h declares no data members, so there is nothing to set up.
DllClass::DllClass() = default;


// Virtual destructor (declared virtual in dll.h); no resources are owned, so nothing to release.
DllClass::~DllClass() = default;

BYTE hook[6];   // the 6 original prologue bytes of ws2_32!send, saved by HookFunction
BYTE hook2[6];  // the 6 original prologue bytes of ws2_32!recv, saved by HookFunction
// Bytes written over the target prologue: 0xE9 + a 4-byte displacement that
// HookFunction fills in at jmp[1..4], then 0xC3.
// NOTE(review): one buffer shared by every HookFunction call, so two concurrent
//   installs race on jmp[1..4].
BYTE jmp[6] = { 0xe9,0x00, 0x00, 0x00, 0x00 ,0xc3 };  
ofstream myfile;   // log stream used by nSend (opened/closed per call)
ofstream myfile2;  // log stream used by nRecv (opened/closed per call)

// Overwrites the first 6 bytes of lpModule!lpFuncName with a jump to lpFunction,
// after copying the original 6 bytes into lpBackup (caller-owned, 6 bytes).
// Returns the address that was patched.
// NOTE(review): neither GetModuleHandle nor GetProcAddress is checked; a NULL
//   from either leaves dwAddr == 0 and the Read/Write below then target address 0.
// NOTE(review): pointers are truncated to DWORD, so this only works in a 32-bit process.
// NOTE(review): no page-protection change is made before the write, and no
//   instruction-cache flush afterwards; the thread below reports crashes from that.
// NOTE(review): rewriting the exported prologue of send/recv in place is the classic
//   inline-hook pattern; export-prologue integrity checks flag exactly this.
DWORD HookFunction(LPCSTR lpModule, LPCSTR lpFuncName, LPVOID lpFunction, unsigned char *lpBackup)
{  
      // Resolve the export and keep a copy of what is there now so it can be restored.
      DWORD dwAddr = (DWORD)GetProcAddress(GetModuleHandle(lpModule), lpFuncName);
      ReadProcessMemory(GetCurrentProcess(), (LPVOID)dwAddr, lpBackup, 6, 0);
      // Displacement for the 5-byte relative jump: target - (patch address + 5).
      DWORD dwCalc = ((DWORD)lpFunction - dwAddr - 5);
      memcpy(&jmp[1], &dwCalc, 4);   // writes into the shared global jmp buffer
      WriteProcessMemory(GetCurrentProcess(), (LPVOID)dwAddr, jmp, 6, 0);
      return dwAddr;
}    

// Writes the 6 bytes saved in lpBackup back over lpModule!lpFuncName.
// Returns TRUE if WriteProcessMemory succeeded, FALSE otherwise.
// NOTE(review): as in HookFunction, a NULL from GetProcAddress is not checked,
//   so a missing export turns this into a write at address 0.
BOOL UnHookFunction(LPCSTR lpModule, LPCSTR lpFuncName, unsigned char *lpBackup)
{
DWORD dwAddr = (DWORD)GetProcAddress(GetModuleHandle(lpModule), lpFuncName);
if (WriteProcessMemory(GetCurrentProcess(), (LPVOID)dwAddr, lpBackup, 6, 0))
        return TRUE;
return FALSE;  
}

// Replacement for ws2_32!send: removes the hook, forwards to the real send,
// appends buf to C:\tmp\log.txt, then re-installs the hook. Returns send's result.
// NOTE(review): ws2_32!send is declared WINAPI (__stdcall) but this replacement is
//   not, so caller and callee disagree on who cleans the stack (see the answer below).
// NOTE(review): `myfile << buf` treats buf as a NUL-terminated string, while send
//   payloads are length-delimited by `len`; for binary data this reads past the end
//   of the buffer. Writing exactly `len` bytes with ostream::write would be correct.
// NOTE(review): between UnHookFunction and HookFunction any other thread calling
//   send bypasses this function, and concurrent callers race on hook/jmp.
// NOTE(review): `(LPVOID*) nSend` casts a function pointer to pointer-to-pointer;
//   the parameter is LPVOID, so `(LPVOID) nSend` is what is meant.
int nSend(SOCKET s, const char *buf, int len,int flags){
UnHookFunction("ws2_32.dll", "send", hook);


int result = send(s,buf,len,flags);   // real send, reachable only while unhooked


  myfile.open ("C:\\tmp\\log.txt",ios::app | ios::binary);
  myfile << buf;   // NUL-terminated write of a length-delimited buffer (see note above)
  myfile.close();




HookFunction("ws2_32.dll", "send", (LPVOID*) nSend, hook);
return result;
} 

// Replacement for ws2_32!recv: removes the hook, forwards to the real recv,
// appends the received bytes to C:\tmp\log.txt, then re-installs the hook.
// Returns recv's result (the parameter `len` is reused to hold it).
// NOTE(review): not declared __stdcall although ws2_32!recv is WINAPI (see the answer below).
// NOTE(review): recv does not NUL-terminate buf, so `myfile2 << buf` reads beyond the
//   `len` bytes received; ostream::write(buf, len) would log exactly what arrived.
// NOTE(review): the unhook/call/rehook window is not thread-safe (see nSend).
int nRecv(SOCKET s, char* buf, int len, int flags)
{
    UnHookFunction("ws2_32.dll", "recv", hook2);
    DWORD tmp;   // unused

    len = recv(s, buf, len, flags);   // real recv; len now holds the byte count or SOCKET_ERROR

    if (len > 0)
    {

        myfile2.open ("C:\\tmp\\log.txt",ios::app | ios::binary);
        myfile2 << buf;   // see over-read note above
        myfile2.close();
    }
   HookFunction("ws2_32.dll", "recv", (LPVOID*) nRecv, hook2);
    return len;
}
// Installs the send and recv hooks; invoked from outside once the DLL has been injected.
void fun()
{
    const LPCSTR kWinsockModule = "ws2_32.dll";
    HookFunction(kWinsockModule, "send", (LPVOID*) nSend, hook);
    HookFunction(kWinsockModule, "recv", (LPVOID*) nRecv, hook2);
}

// Loader entry point. This version does no work for any attach/detach reason
// and simply reports success; the hooks are installed later via fun().
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    (void)hModule;
    (void)ul_reason_for_call;
    (void)lpReserved;
    return TRUE;
}
#包括“dll.h”
#包括
#包括
#包括
#包括
#pragma注释(lib,“ws2_32.lib”)
使用名称空间std;
DllClass::DllClass()
{
}
DllClass::~DllClass()
{
}
字节钩子[6];
字节2[6];
字节jmp[6]={0xe9,0x00,0x00,0x00,0x00,0x00,0xc3};
流文件;
流myfile2;
DWORD钩子函数(LPCSTR lpModule、LPCSTR lpFuncName、LPVOID lpFunction、无符号字符*lpBackup)
{  
DWORD dwAddr=(DWORD)GetProcAddress(GetModuleHandle(lpModule),lpFuncName);
ReadProcessMemory(GetCurrentProcess(),(LPVOID)dwAddr,lpBackup,6,0);
DWORD dwCalc=((DWORD)lpFunction-dwAddr-5);
memcpy(&jmp[1],&dwCalc,4);
WriteProcessMemory(GetCurrentProcess(),(LPVOID)dwAddr,jmp,6,0);
返回dwAddr;
}    
BOOL unhookf函数(LPCSTR lpModule,LPCSTR lpFuncName,unsigned char*lpBackup)
{
DWORD dwAddr=(DWORD)GetProcAddress(GetModuleHandle(lpModule),lpFuncName);
if(WriteProcessMemory(GetCurrentProcess(),(LPVOID)dwAddr,lpBackup,6,0))
返回TRUE;
返回FALSE;
}
int nSend(套接字s、常量字符*buf、int len、int标志){
取消钩子功能(“ws2_32.dll”,“发送”,钩子);
int结果=发送(s、buf、len、标志);
myfile.open(“C:\\tmp\\log.txt”,ios::app | ios::binary);
我的文件(0)
{
myfile2.open(“C:\\tmp\\log.txt”,ios::app | ios::binary);

myfile2

确保在钩住的函数上使用正确的调用约定。默认调用约定通常是__cdecl。但是“send”和“recv”使用__stdcall(
#define WINAPI __stdcall

两者之间的主要区别是:

当函数使用__cdecl时,调用方负责堆栈清理。然而,当函数使用__stdcall时,被调用函数负责堆栈清理。

int WINAPI nSend(SOCKET s, const char *buf, int len,int flags);
int WINAPI nRecv(SOCKET s, char* buf, int len, int flags)

有关更多信息,请参阅。

确定。即使启用了DataExecutionPrevention,它现在也可以工作。如果将来有人遇到类似问题,请参阅下面的工作代码:

dllmain.cpp:

#include "dll.h"
#include <windows.h>
#include <winsock2.h>
#include <iostream>
#include <fstream>

#pragma comment(lib, "ws2_32.lib")

using namespace std;

// Default constructor: dll.h declares no data members, so there is nothing to set up.
DllClass::DllClass() = default;


// Virtual destructor (declared virtual in dll.h); no resources are owned, so nothing to release.
DllClass::~DllClass() = default;

BYTE hook[6];   // the 6 original prologue bytes of ws2_32!send, saved by HookFunction
BYTE hook2[6];  // the 6 original prologue bytes of ws2_32!recv, saved by HookFunction
// Bytes written over the target prologue: 0xE9 + a 4-byte displacement that
// HookFunction fills in at jmp[1..4], then 0xC3.
// NOTE(review): shared by every HookFunction call; concurrent installs race on jmp[1..4].
BYTE jmp[6] = { 0xe9,0x00, 0x00, 0x00, 0x00 ,0xc3 };  
ofstream myfile;   // log stream used by nSend (opened/closed per call)
ofstream myfile2;  // log stream used by nRecv (opened/closed per call)
// Previous page protection as reported by VirtualProtect in HookFunction.
// NOTE(review): a single global, so two HookFunction calls at once overwrite each
//   other's saved protection before it is restored.
DWORD pPrevious;

// Overwrites the first 6 bytes of lpModule!lpFuncName with a jump to lpFunction,
// after copying the original 6 bytes into lpBackup (caller-owned, 6 bytes).
// Unlike the first version, the page is made writable around the write and the
// instruction cache is flushed afterwards (the thread reports VirtualProtect is
// what stopped the DEP crashes). Returns the address that was patched.
// NOTE(review): GetModuleHandle/GetProcAddress are still unchecked; a NULL leaves
//   dwAddr == 0 and every call below then operates on address 0.
// NOTE(review): the VirtualProtect result is ignored; if it fails the write goes
//   to a page that is still non-writable.
// NOTE(review): FlushInstructionCache is passed base 0 / size 0 rather than the
//   rewritten range (dwAddr, 6) — confirm this actually flushes the patched bytes
//   on the target platform.
// NOTE(review): pointers are truncated to DWORD, so this is 32-bit-only as written.
// NOTE(review): in-place rewriting of an exported prologue is what export-integrity
//   checks in endpoint tooling look for.
DWORD HookFunction(LPCSTR lpModule, LPCSTR lpFuncName, LPVOID lpFunction, unsigned char *lpBackup)
{  
      // Resolve the export and keep a copy of the bytes about to be replaced.
      DWORD dwAddr = (DWORD)GetProcAddress(GetModuleHandle(lpModule), lpFuncName);
      ReadProcessMemory(GetCurrentProcess(), (LPVOID)dwAddr, lpBackup, 6, 0);
      // Displacement for the 5-byte relative jump: target - (patch address + 5).
      DWORD dwCalc = ((DWORD)lpFunction - dwAddr - 5);
      VirtualProtect((void*) dwAddr, 6, PAGE_EXECUTE_READWRITE, &pPrevious);   // result unchecked
      memcpy(&jmp[1], &dwCalc, 4);   // writes into the shared global jmp buffer
      WriteProcessMemory(GetCurrentProcess(), (LPVOID)dwAddr, jmp, 6, 0);
      VirtualProtect((void*) dwAddr, 6, pPrevious, &pPrevious);   // restore previous protection
      FlushInstructionCache(GetCurrentProcess(),0,0);   // see range note above
      return dwAddr;
}    

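// Writes the 6 bytes saved in lpBackup back over lpModule!lpFuncName and flushes
// the instruction cache for that range.
// Returns TRUE if the original bytes were written back, FALSE if the export could
// not be resolved or WriteProcessMemory failed.
// Fixes versus the posted version: the FlushInstructionCache call sat after
// `return TRUE;` and so only ran on the failure path; it now runs on success and
// names the rewritten range. A NULL from GetProcAddress is rejected instead of
// being used as a write address.
BOOL UnHookFunction(LPCSTR lpModule, LPCSTR lpFuncName, unsigned char *lpBackup)
{
    DWORD dwAddr = (DWORD)GetProcAddress(GetModuleHandle(lpModule), lpFuncName);
    if (dwAddr == 0)
        return FALSE;   // module not loaded or export missing: nothing to restore

    if (!WriteProcessMemory(GetCurrentProcess(), (LPVOID)dwAddr, lpBackup, 6, 0))
        return FALSE;

    // Only the 6 restored bytes changed; flush exactly that range so no stale
    // decoded instructions from the patched prologue are executed.
    FlushInstructionCache(GetCurrentProcess(), (LPVOID)dwAddr, 6);
    return TRUE;
}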

// Replacement for ws2_32!send, now declared __stdcall to match WINAPI: removes the
// hook, forwards to the real send, appends buf to C:\tmp\log.txt, re-installs the
// hook, and returns send's result.
// NOTE(review): `myfile << buf` treats buf as a NUL-terminated string, while send
//   payloads are length-delimited by `len`; for binary data this reads past the end
//   of the buffer. Writing exactly `len` bytes with ostream::write would be correct.
// NOTE(review): between UnHookFunction and HookFunction any other thread calling
//   send bypasses this function, and concurrent callers race on hook/jmp/pPrevious.
// NOTE(review): `(LPVOID*) nSend` casts a function pointer to pointer-to-pointer;
//   the parameter is LPVOID, so `(LPVOID) nSend` is what is meant.
int __stdcall nSend(SOCKET s, const char *buf, int len,int flags){
UnHookFunction("ws2_32.dll", "send", hook);


int result = send(s,buf,len,flags);   // real send, reachable only while unhooked


  myfile.open ("C:\\tmp\\log.txt",ios::app | ios::binary);
  myfile << buf;   // NUL-terminated write of a length-delimited buffer (see note above)
  myfile.close();




HookFunction("ws2_32.dll", "send", (LPVOID*) nSend, hook);
return result;
} 

// Replacement for ws2_32!recv, declared __stdcall to match WINAPI: removes the hook,
// forwards to the real recv, appends the received bytes to C:\tmp\log.txt, then
// re-installs the hook. Returns recv's result (the parameter `len` is reused for it).
// NOTE(review): recv does not NUL-terminate buf, so `myfile2 << buf` reads beyond the
//   `len` bytes received; ostream::write(buf, len) would log exactly what arrived.
// NOTE(review): the unhook/call/rehook window is not thread-safe (see nSend).
int __stdcall nRecv(SOCKET s, char* buf, int len, int flags)
{
    UnHookFunction("ws2_32.dll", "recv", hook2);
    DWORD tmp;   // unused

    len = recv(s, buf, len, flags);   // real recv; len now holds the byte count or SOCKET_ERROR

    if (len > 0)
    {

        myfile2.open ("C:\\tmp\\log.txt",ios::app | ios::binary);
        myfile2 << buf;   // see over-read note above
        myfile2.close();
    }
   HookFunction("ws2_32.dll", "recv", (LPVOID*) nRecv, hook2);
    return len;
}
// Exported installer for the send and recv hooks (see the extern "C" declaration in dll.h).
void fun()
{
    const LPCSTR kWinsockModule = "ws2_32.dll";
    HookFunction(kWinsockModule, "send", (LPVOID*) nSend, hook);
    HookFunction(kWinsockModule, "recv", (LPVOID*) nRecv, hook2);
}

// Loader entry point. Installs the send/recv hooks as soon as the DLL is mapped.
// NOTE(review): DllMain runs under the loader lock; if the host has not loaded
//   winsock yet, GetModuleHandle("ws2_32.dll") returns NULL and HookFunction does
//   not check for that (it then reads and writes at address 0).
// NOTE(review): fun() installs the same hooks a second time. HookFunction copies
//   whatever is currently at the prologue into hook/hook2, so the second install
//   saves the patch bytes as the "backup" and UnHookFunction can no longer restore
//   the original code — nSend/nRecv would then re-enter themselves.
// NOTE(review): DLL_PROCESS_ATTACH falls through into the following cases; harmless
//   because they only break, but an explicit break would make the intent clear.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
HookFunction("ws2_32.dll", "send", (LPVOID*) nSend, hook);
HookFunction("ws2_32.dll", "recv", (LPVOID*) nRecv, hook2);
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}

已在Win XP 32位上的几乎所有程序以及Win 7 x64上的一些程序中测试通过。我使用了:int __stdcall nRecv(SOCKET s, char* buf, int len, int flags);现在它可以在Firefox中工作,但如果我将其注入internet explorer或任何windows软件(explorer等),它仍然会崩溃…尝试使用FlushInstructionCache-“如果应用程序在内存中生成或修改代码,则应调用FlushInstructionCache。CPU无法检测到更改,可能会执行缓存的旧代码。”情况越来越好……现在我在HookFunction和UnHookFunction的末尾(返回之前)调用FlushInstructionCache。现在它在Win XP x86上与InternetExplorer一起工作,但在Win7 x64上它仍然在InternetExplorer(32位)中崩溃,如果我尝试将它注入explorer.exe(在XP x86上),DataExecutionPrevention会终止进程-。-“有什么想法吗?(顺便说一句,谢谢你已经帮了很多忙)x64挂接与x86不同。0xE9只能使用JMP 32个有符号位。因此,如果您的JMP大于此值,这可能是您的问题。请尝试使用0xFF 0x25 JMP。在x64上,前5个字节也可能不同。(不是您通常使用的x86(mov edi、edi)、(push ebp)使用VirtualProtect()修复了遗留问题。感谢您的帮助:)
#ifndef _DLL_H_
#define _DLL_H_

#if BUILDING_DLL
# define DLLIMPORT __declspec (dllexport)
#else /* Not BUILDING_DLL */
# define DLLIMPORT __declspec (dllimport)
#endif /* Not BUILDING_DLL */


// Exported placeholder class; it carries no state and exists only so the DLL has
// a constructible/destructible type to export.
class DLLIMPORT DllClass
{
public:
    DllClass();
    virtual ~DllClass();
};
// Hook installer, exported with C linkage so it can be resolved by its unmangled name.
extern "C" __declspec(dllexport) void fun();

#endif /* _DLL_H_ */