WS2_32.DLL

WSAStartup(WORD wVersionRequested,LPWSADATA lpWSAData);
initiates use of WS2_32.DLL by a process.
初始化WS2_32.DLL

WSAGetLastError(void);
returns the error status for the last operation that failed.
返回最后操作的错误状态.

socket(int af,int type,int protocol);
creates a socket that is bound to a specific service provider.
创建socket

shutdown(SOCKET s,int how);
disables sends or receives on a socket.
停止一个socket的发送和接收活动.

c# hook ws2_32.dll 问题

09-25

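// Reconstructed from two collapsed listings in the post (HookSocket, then APIHOOK).
// Line breaks and the braces lost in extraction are restored; the post's inline comments
// are translated to English.
using System;
using System.Collections;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Security.Permissions;
using System.Text;

// ---- Listing 1 of 2: HookSocket ----
namespace test
{
    /// <summary>
    /// Installs an in-process inline hook on the <c>recv</c> export of ws2_32.dll (through
    /// <see cref="APIHOOK"/>) and scans each received buffer for an HTTP
    /// <c>Content-Length</c> header, passing the buffer to <c>ProxyFactory.factory</c> when
    /// the header carries a positive value.
    /// </summary>
    /// <remarks>
    /// NOTE(review): every socket parameter is declared <c>int</c>; Winsock's SOCKET is a
    /// pointer-sized handle, so these signatures only match a 32-bit process.
    /// </remarks>
    class HookSocket
    {
        [DllImport("ws2_32.dll")]
        private static extern int send(int s, IntPtr buf, int len, int flag);

        [DllImport("ws2_32.dll")]
        private static extern int recv(int s, IntPtr buf, int len, int flag);

        // Despite the name, this is the hook object that Install() points at "recv".
        private static APIHOOK send_Hook = new APIHOOK();

        private delegate int sendCallback(int s, IntPtr buf, int len, int flag);
        private delegate int recvCallback(int s, IntPtr buf, int len, int flag);

        // NOTE(review): instance field. The native pointer returned by
        // Marshal.GetFunctionPointerForDelegate is only valid while this delegate is
        // reachable, and the post does not show how the HookSocket instance is held.
        // Confirm the owner keeps it alive for as long as the patch is installed; this
        // lifetime dependency is one thing to check when behaviour differs between a
        // debugger session and a standalone run.
        recvCallback recvcb = new recvCallback(toProc);

        /// <summary>Installs the recv hook and logs whether installation succeeded.</summary>
        public HookSocket()
        {
            bool result = send_Hook.Install("ws2_32.dll", "recv", Marshal.GetFunctionPointerForDelegate(recvcb));
            if (result)
            {
                MainLogUtil.logSys("init successfully!");
            }
            else
            {
                MainLogUtil.logSys("init failed!");
            }
        }

        /// <summary>Placeholder for a send callback.</summary>
        /// <remarks>
        /// The post shows an empty body here, which does not compile for an int-returning
        /// method. Nothing visible installs this callback, so it now fails loudly if it is
        /// ever called.
        /// </remarks>
        private static int sendProc(int s, IntPtr buf, int len, int flag)
        {
            throw new NotImplementedException();
        }

        /// <summary>
        /// Replacement for <c>recv</c>: calls the real function, inspects the received bytes
        /// and returns the real result to the caller.
        /// </summary>
        /// <param name="s">Socket handle passed by the caller of recv.</param>
        /// <param name="buf">Caller-owned native buffer that recv fills.</param>
        /// <param name="len">Capacity of <paramref name="buf"/> in bytes.</param>
        /// <param name="flag">recv flags, passed through unchanged.</param>
        /// <returns>The value returned by the real recv.</returns>
        private static int toProc(int s, IntPtr buf, int len, int flag)
        {
            int ret;

            // Restore the original entry bytes so the real recv can run, then re-arm the hook.
            // NOTE(review): this rewrites live code with no synchronization. A recv call made
            // on another thread during this window is not intercepted, or runs bytes that are
            // being rewritten.
            send_Hook.Suspend();
            try
            {
                ret = recv(s, buf, len, flag);
            }
            finally
            {
                send_Hook.Continue();
            }

            try
            {
                // NOTE(review): a 5 MB array is allocated on every call. It is kept because
                // ProxyFactory.factory receives this array and its contract is not shown.
                byte[] buffer = new byte[1024 * 1024 * 5];

                // Only the first `ret` bytes of `buf` hold data from this call. The post
                // copied `len` bytes (the buffer capacity), which reads stale memory after a
                // short read and arbitrary memory when recv fails (ret <= 0).
                if (ret > 0 && ret <= len && ret < buffer.Length)
                {
                    Marshal.Copy(buf, buffer, 0, ret);

                    // Decode only what was received; the data is untrusted peer input.
                    string hookcontent = Encoding.UTF8.GetString(buffer, 0, ret);
                    int index = hookcontent.IndexOf("Content-Length: ");
                    int bodyLen = 0;
                    if (index >= 0)
                    {
                        int index2 = hookcontent.IndexOf("\r\n", index);

                        // The header may be cut off or malformed: require a terminating CRLF
                        // and a parseable number instead of letting Substring/Parse throw.
                        if (index2 > index + 16)
                        {
                            if (!int.TryParse(hookcontent.Substring(index + 16, index2 - index - 16), out bodyLen))
                            {
                                bodyLen = 0;
                            }
                        }
                    }
                    if (bodyLen > 0)
                    {
                        ProxyFactory.factory(buffer);
                    }
                }
                MainLogUtil.logSys("success:" + len);
            }
            catch (Exception ex)
            {
                MainLogUtil.logSys("error:" + ex.Message);
            }

            // Always hand back the real result. The post returned 0 when inspection threw,
            // which tells the caller the peer closed the connection and discards data that
            // recv had already delivered.
            return ret;
        }
    }
}

// ---- Listing 2 of 2: APIHOOK ----
namespace test
{
    /// <summary>
    /// Patches the first five bytes of an exported function in the current process with a
    /// relative jump to a caller-supplied address, and can restore or re-apply that patch.
    /// </summary>
    /// <remarks>
    /// NOTE(review): all address arithmetic goes through <c>Int32</c>, so this is written
    /// for a 32-bit process. In a 64-bit process the explicit IntPtr-to-Int32 conversions
    /// can throw OverflowException and a 5-byte rel32 jump cannot reach arbitrary targets.
    /// The patch logic is reproduced as posted; only <c>AddBytes</c> is rewritten.
    /// </remarks>
    public class APIHOOK
    {
        #region API declarations
        [DllImport("Kernel32.dll", EntryPoint = "GetModuleHandleA", CharSet = CharSet.Ansi)]
        static extern IntPtr GetModuleHandle(
            string lpModuleName
        );
        [DllImport("Kernel32.dll")]
        static extern bool VirtualProtect(
            IntPtr lpAddress,
            int dwSize,
            int flNewProtect,
            ref int lpflOldProtect
        );
        [DllImport("Kernel32.dll", EntryPoint = "lstrcpynA", CharSet = CharSet.Ansi)]
        static extern IntPtr lstrcpyn(
            byte[] lpString1,
            byte[] lpString2,
            int iMaxLength
        );
        [DllImport("Kernel32.dll")]
        static extern IntPtr GetProcAddress(
            IntPtr hModule,
            string lpProcName
        );
        [DllImport("Kernel32.dll")]
        static extern bool FreeLibrary(
            IntPtr hModule
        );
        #endregion
        #region Constants
        const int PAGE_EXECUTE_READWRITE = 0x40;
        #endregion
        #region Fields
        IntPtr ProcAddress;             // address of the patched export
        int lpflOldProtect = 0;         // protection reported by VirtualProtect; never restored in the code shown
        byte[] OldEntry = new byte[5];  // original entry bytes (extended to 10 bytes by Install)
        byte[] NewEntry = new byte[5];  // 0xE9 + rel32 jump written over the entry
        IntPtr OldAddress;              // pointer obtained through lstrcpyn in Install
        #endregion

        /// <summary>Creates an instance without installing anything.</summary>
        public APIHOOK() { }

        /// <summary>Creates an instance and calls <see cref="Install"/>; the result is discarded.</summary>
        public APIHOOK(string ModuleName, string ProcName, IntPtr lpAddress)
        {
            Install(ModuleName, ProcName, lpAddress);
        }

        /// <summary>
        /// Overwrites the first five bytes of <paramref name="ProcName"/> in the already
        /// loaded module <paramref name="ModuleName"/> with a jump to <paramref name="lpAddress"/>.
        /// </summary>
        /// <returns>
        /// false if the module is not loaded, the export is not found or the protection
        /// change fails; true otherwise.
        /// </returns>
        public bool Install(string ModuleName, string ProcName, IntPtr lpAddress)
        {
            IntPtr hModule = GetModuleHandle(ModuleName); // get the module handle
            if (hModule == IntPtr.Zero) return false;
            ProcAddress = GetProcAddress(hModule, ProcName); // get the entry address
            if (ProcAddress == IntPtr.Zero) return false;

            // NOTE(review): the page is left PAGE_EXECUTE_READWRITE afterwards; the old
            // protection is stored but never put back, so the page stays both writable and
            // executable. Suspend/Continue/Uninstall depend on it staying writable.
            if (!VirtualProtect(ProcAddress, 5, PAGE_EXECUTE_READWRITE, ref lpflOldProtect)) return false; // change the memory protection
            Marshal.Copy(ProcAddress, OldEntry, 0, 5); // read the first 5 bytes

            // 233 == 0xE9 (x86 near JMP rel32); displacement = target - (entry + 5).
            NewEntry = AddBytes(new byte[1] { 233 }, BitConverter.GetBytes((Int32)((Int32)lpAddress - (Int32)ProcAddress - 5))); // compute the new entry jump
            Marshal.Copy(NewEntry, 0, ProcAddress, 5); // write the first 5 bytes

            // NOTE(review): the next three statements append a JMP after the saved bytes and
            // patch its displacement through a raw pointer. Nothing shown reads those extra
            // bytes: Suspend/Continue/Uninstall copy only the first five. Two concerns:
            //  * OldAddress comes from a P/Invoke call on a managed array; nothing shown pins
            //    the array, so writing through that pointer later may hit memory the GC has
            //    moved or reused. Verify before relying on it.
            //  * BitConverter.GetBytes((double)...) yields the 8-byte IEEE-754 encoding, so
            //    the 4 bytes copied are not a 32-bit displacement.
            OldEntry = AddBytes(OldEntry, new byte[5] { 233, 0, 0, 0, 0 });
            OldAddress = lstrcpyn(OldEntry, OldEntry, 0); // get a pointer to the variable
            Marshal.Copy(BitConverter.GetBytes((double)((Int32)ProcAddress - (Int32)OldAddress - 5)), 0, (IntPtr)(OldAddress.ToInt32() + 6), 4); // save the JMP

            // NOTE(review): GetModuleHandle does not take a reference on the module, so this
            // FreeLibrary releases a reference this code never acquired.
            FreeLibrary(hModule); // release the module handle
            return true;
        }

        /// <summary>Writes the saved original five bytes back over the entry point.</summary>
        public void Suspend()
        {
            Marshal.Copy(OldEntry, 0, ProcAddress, 5);
        }

        /// <summary>Writes the five-byte jump over the entry point again.</summary>
        public void Continue()
        {
            Marshal.Copy(NewEntry, 0, ProcAddress, 5);
        }

        /// <summary>Restores the original bytes and forgets the patched address.</summary>
        /// <returns>false if no address is recorded; true otherwise.</returns>
        public bool Uninstall()
        {
            if (ProcAddress == IntPtr.Zero) return false;
            Marshal.Copy(OldEntry, 0, ProcAddress, 5);
            ProcAddress = IntPtr.Zero;
            return true;
        }

        /// <summary>Returns a new array holding the bytes of <paramref name="a"/> followed by those of <paramref name="b"/>.</summary>
        static byte[] AddBytes(byte[] a, byte[] b)
        {
            // Direct block copies replace the ArrayList round trip, which boxed every byte.
            byte[] joined = new byte[a.Length + b.Length];
            Buffer.BlockCopy(a, 0, joined, 0, a.Length);
            Buffer.BlockCopy(b, 0, joined, a.Length, b.Length);
            return joined;
        }
    }
}

/*
 * Question asked in the post:
 * Why are packets intercepted when the program runs inside the IDE, but not when it runs
 * on its own outside the development environment? How can this be solved?
 */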

ws2_32.dll和wsock32.dll api捕获的问题

12-06

http://www.codeproject.com/system/hooksys.asp?target=hook
我利用上述code框架(修改exe的输入节),实现我的网络api捕获功能。(win2k, xp下)最开始我只是捕获wsock32.dll,一般的应用程序都没什么问题,在测试outlook express6和bulletftp2.42的时候,发现不能捕获,或者应用程序只是通过ws2_32.lib连接的也不能捕获。
后来我试图添加对ws2_32.dll相关api捕获,发现很多问题。
为了排除我的code问题,我只是捕获,连log都不记录了。好比:

int WINAPI CModuleScope::Myconnect(
    SOCKET s,
    const struct sockaddr* name,
    int namelen
    )
{
    //sm_pInstance->LogMessage("Myconnect");
    return ::connect(s, name, namelen);
}

以foxmail4.2为例,当我只是捕获wsock32.dll的connect,可以很好的工作,无论foxmail4.2在我的server启动之前启动还是后启动。当我加入对ws2_32.dll捕获或者只是对ws2_32.dll捕获,如果foxmail先启动,然后启动我的server,没有问题;如果我的server先启动,然后启动foxmail,总是告诉我网络子系统初始化出错。
很多网络应用程序在我的server启动后启动,都会出现不能初始化网络子系统的问题。

关于进程创建:
上面对于进程创建是通过PsSetCreateProcessNotifyRoutine在内核空间添加自己处理信息的方式获得进程创建的事件,然后通过LoadLibrary将我们的hooktool.dll植入目标进程,在该dll的DLL_PROCESS_ATTACH事件中做api hook的事情。
哪位大侠研究过那个hook机制,请指点一二。
谢谢了!!!
