StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

PODetour on winsock recv doesn't return anything
text
Body
copied!<p>I injected a dll into a server because I needed to block some bad packets that the server isn't discarding.</p> <p>Snippet from my code:</p> <pre><code>#pragma comment(lib, "detours.lib") #pragma comment(lib, "Ws2_32.lib") #pragma comment(lib, "Mswsock.lib") (...) int (WINAPI *pRecv)(SOCKET s, char* buf, int len, int flags) = recv; int WINAPI MyRecv(SOCKET s, char* buf, int len, int flags); (...) AllocConsole(); freopen("CONOUT$", "w", stdout); DetourTransactionBegin(); DetourUpdateThread(GetCurrentThread()); DetourAttach(&(PVOID&)pRecv, MyRecv); if(DetourTransactionCommit() == NO_ERROR) cout << "[" << MyRecv << "] successfully detoured." << endl; </code></pre> <p>and for testing purposes I'm just printing the data out.</p> <pre><code>int WINAPI MyRecv(SOCKET s, char* buf, int len, int flags) { cout << "[ RECV " << len << " ] "; for ( int i = 0; i < len; i++ ) { printf( "%02x ", unsigned char (buf[i]) ); } printf( "\n" ); return pRecv(s, buf, len, flags); } </code></pre> <p>Now I hooked it and it displays <code>[ address ] successfully detoured.</code>.<br> I guess everything is hooked and working.</p> <p>Now I go to the client and start sending packets.<br> For example I log in, now this sends a packet to the server.<br> And I was successful in logging in so the server should've recieved the packet I have sent. </p> <p>Now I check the console hooked to the <code>server</code> and nothing gets printed.<br> Which is odd, So I tried hooking WPE_PRO on the server and started communicating to with the client again. Now I found out that even WPE can't log the packets. </p> <p>How is this possible? Why is this happening?</p> <p>I'm trying to build a packet logger/filter on the server to keep bad packets out.<br> Hackers are using packets to crash our servers.</p> <p>Info on the application I'm trying to hook:</p> <pre><code>It works like a relay server. It receives info from the client then sends it to the right server inside the internal network. So Client <-> `Application` <-> Servers So what I'm trying to hook is the Application . </code></pre> <hr> <p><em>UPDATE</em></p> <p>Tried setting a breakpoint on the <code>recv()</code>, <code>WSArecv()</code> function and it doesn't break. </p> <pre><code>Address Ordinal Name Library ------- ------- ---- ------- 004121A8 23 socket WS2_32 004121A4 20 sendto WS2_32 004121E8 3 closesocket WS2_32 0041219C 9 htons WS2_32 004121A0 17 recvfrom WS2_32 004121E4 111 WSAGetLastError WS2_32 004121E0 115 WSAStartup WS2_32 004121DC 11 inet_addr WS2_32 004121D8 WSAIoctl WS2_32 004121D4 WSAConnect WS2_32 004121D0 22 shutdown WS2_32 004121CC 12 inet_ntoa WS2_32 004121C8 2 bind WS2_32 004121C4 8 htonl WS2_32 004121B4 16 recv WS2_32 004121BC WSASocketA WS2_32 004121B8 19 send WS2_32 004121B0 WSAAccept WS2_32 004121AC 13 listen WS2_32 004121C0 21 setsockopt WS2_32 </code></pre> <p>Only these dll are being imported, when I checked the PE:</p> <pre><code>pdh.dll WS2_32.dll KERNEL32.dll USER32.dll GDI32.dll WINMM.dll </code></pre> <hr> <p><em>UPDATE</em></p> <p>Just to test if my code works, I hooked the DLL to the client and yes the packets got logged/printed. Confirms that my code works. Hmmmm.</p> <hr> <p><em>UPDATE</em></p> <p>Also tried to detour the ff.</p> <pre><code>int ( WINAPI *pSend )( SOCKET s, const char *buf, int len, int flags ) = send; int ( WINAPI *pRecv )( SOCKET s, char *buf, int len, int flags ) = recv; int ( WINAPI *pRecvFrom )( SOCKET s, char *buf, int len, int flags, sockaddr *from, int *fromlen ) = recvfrom; int ( WINAPI *pWSARecvEx )( SOCKET s, char *buf, int len, int *flags ) = WSARecvEx; </code></pre> <p>and still nothing.</p> <hr> <p><em>UPDATE</em></p> <p>So I used <code>wireshark</code> and saw the packets passing through.<br> I've been debugging the program all day setting breakpoints on all winsock calls and still got nothing.</p>

Querying!

Guidance

An individual column

Larger individual text columns get their own page to allow for proper reading.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload