StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

PODLLHook - GZip decompression of a string
text
Body
copied!<p>I am injecting a dll into firefox (browser) and hooking WSARecv. The problem is, that the data-buffer is Gzip-compressed. I already tried hooking the send() function and removing the "Accept-Encoding: gzip,deflate", but many webservers won't understand this.</p> <p>So I tried to stick with decompressing the buffer, changing some stuff and compressing it again. Therefore I linked the zlib.dll and zlib.lib into my DLL and wrote a small wrapper class:</p> <pre><code>int CGZip::DecompressString(char* src, int srcLen, char** destination, int* destLen) { //Define the source, destination, source length, and destination length char *dest= new char[(unsigned int)destLen]; //Decompress the string in src and place it in dest int result=uncompress((unsigned char *)dest,(uLongf*)destLen,(const unsigned char *)src,srcLen); //Return the results of the decompression *destination = dest; return(result); } </code></pre> <p>But when I include the decompression into the hooked WSARecv my dll won't get loaded anymore (no DLL_PROCESS_ATTACH is called). When I remove the following 5 lines the dll gets loaded again.</p> <pre><code>szUncompressed = (char*)malloc((size_t)lpBuffers->len * 100); CGZip *ziphandler = new CGZip(); ziphandler->DecompressString(lpBuffers->buf, lpBuffers->len, &szUncompressed, &iUncompressedLength); szUncompressed[iUncompressedLength] = '\0'; </code></pre> <p>Any idea why the DLL isn't loading anymore, or how I can easily decompress and compress the data buffer? </p> <p>Thanks in advance : )</p>

Querying!

Guidance

An individual column

Larger individual text columns get their own page to allow for proper reading.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload