[Original] My graduation design paper -- Using Hook Technology to achieve network packet capture at the application layer

Chengdu Neusoft Information Technology Vocational College (Level 04)

Apply layer network packet capture using Hook Technology

Class: Class 2 of Visual Programming
INSTRUCTOR: Li Dan
Student ID: 04311110210

Name: Liu Haiping

 
Abstract

Packet capture (interception) technology is mainly used in information security-related fields, especially firewall technology. With the development of the online game industry, many plug-ins for different games emerged. These plug-ins also use packet capture technology, but unlike other packet capture technologies, the packet capture technology in Plug-ins must meet a series of special requirements, such as smooth interception, modification of data packets, and re-transmission. Based on the above requirements, data packets must be captured and modified at the application layer.
This thesis introduces how to intercept network functions by Using Hook and DLL techniques in Windows to capture data packets at the application layer.

Keywords: hook, DLL, plug-in, data packet capture

Summary

Data Packet blocking technique is primarily used in information security field, especially firewall technique. as network game industry grows thritier, lots of plus for different game appeared. these plus has used data packet blocking technique, too. but the difference to the other packet blocking technique is that in plus technique, packet blocking technique must accomplish requirements such as, blocking Data favoringly, modify the data packet and then send them out again, etc. based on these requirements, we must achieve data blocking, modification at the application layer.
My dissertation introduces a method to implement the network packet blocking using techniques as hook, DLL, etc, under the Windows environment. Then accordingly accomplish the data packet scratching at the layer application.

Keyword: hook, DLL, plus, block data packet

Contents

 

1. Introduction 4
2. Requirement Analysis 5
2.1. Background 5
2.2. Basic Requirements 5
2.3. Functional requirements 5
2.4. design constraints 5
3. System Design 6
3.1. Technical Principle 6
3.1.1. dll principles 6
3.1.2. Hook Principle 7
3.1.3. Introduction to API function interception 7
3.2. packet capture procedure principle 7
3.3. Functional Module Design of packet capture program 8
3.4. Structure Design 8
4. Procedures 9
4.1. Hook core code 9
4.2 function interception core code 10
4.3. memory modification core code 11
4.4. dll function export 12
4.5. EXE foreground code function description 12
5. Conclusion 13
6. References 13
7. Thank you 14

 
Introduction

With the development of online games, more and more game plug-ins have emerged. From the market point of view, game plug-ins break the "game rules" of game operators, so more and more game operators begin to set up "anti-plug-ins" departments. From a technical point of view, game plug-ins are part of the Windows core programming technology and are of practical value for learning windows core programming. So I chose this project as my graduation project and want to learn more about the core windows technologies.
This thesis consists of eight chapters: packet capture software requirements, design, and implementation. The following is an overview of each chapter:
The first chapter introduces the framework of the paper.
Chapter 2 requirement analysis: a brief overview of packet capture program requirements, background knowledge, and the development direction of the technology.
Chapter 3 system design: describes the design scheme, design principle, and division of each module.
Chapter 4 program implementation: Write the program code according to the system design, and explain the main core code of this topic.
The fifth chapter concludes that, through the completion of this graduation design, I have learned from the achievements and a summary of the graduation design.
Chapter 6 References: documents referenced during my graduation project.
Chapter 7 thank you.

Requirement Analysis
Background
For a commercial software, it is very important to prevent illegal infringement. This problem is highlighted in online games. With more and more people familiar with online games, online game plug-ins are becoming increasingly popular. The flood of online game plug-ins has brought great losses to game operators. Later, in order to prevent gamers from using plug-ins, the game operator also proposed that once the system finds a player using plug-ins, it will secreate its account. Because of this practice by game operators, players may even bring operators to court. This involves the issue of virtual property. Because China lacks legislation in this area, it may not be the best solution for operators or game players.
Therefore, the gaming operator's home needs to start from plug-in development, study its technical characteristics, and complete its own anti-plug-in functions, which is the fundamental solution to the problem.
In game plug-ins, data packets are intercepted, decrypted, modified, and sealed. Generally, the work of anti-plug-in is completed in two modules: data packet interception and encryption. Due to the difficulty of encryption technology, the cost of research is relatively high, and any password has been cracked for one day. Therefore, starting with preventing packet interception, we can achieve the desired effect with the minimum investment.
We know ourselves, and know each other. This thesis is to study the data packet interception methods commonly used in the game plug-in technology, and lay a foundation for the research of the anti-plug-in technology.
Basic Requirements
Network Packet Capture is completed.
Sets aside interfaces for modifying data packets to complete data packet modification later.
Functional requirements
Complete the DLL module with data packets captured
Print data packets at the front end
Design Constraints
This topic belongs to the Windows core programming and involves attributes modification of the channel memory. All wrong designs and code compilation errors may cause system instability or even crashes. The stability of the system must be considered for all tasks. In addition, we should also consider whether data packets can be easily modified, and whether data packets can be captured in large quantities.
System Design
Technical Principles
This topic has three main technical points. The following describes the principles of each technical point.
DLL principles
DLL is a library that contains code and data that can be used by multiple programs at the same time. Using DLL helps to promote code modularization, code reuse, effective use of memory, and reduce the disk space occupied. Therefore, the operating system and program can load and run faster, and occupy less disk space in the computer.
Once the DLL file image is mapped to the address space of the process, the DLL function can be used by all threads running the process. (4.1)
DLL principle (Fig 4.1)
The virtual memory of the DLL at the first address
Process space process space

 
DLL advantages:
The following table describes some advantages of using DLL:
• Use fewer resources
When multiple programs use the same function library, the DLL can reduce the amount of code duplicated in the disk and physical memory. This not only can greatly affect the programs running on the foreground, but also can greatly affect other programs running on the Windows operating system.
• Promote modular architecture
DLL facilitates the development of modular programs. This helps you develop large programs that require multiple language versions or require a modular architecture. An example of a modular program is a program with multiple modules that can be dynamically loaded at runtime.
• Simplified deployment and Installation
When the functions in the DLL need to be updated or repaired, you do not need to re-establish the link between the program and the DLL to deploy and install the DLL. In addition, if multiple programs use the same DLL, multiple programs will benefit from the update or repair. This issue may occur more frequently when you use a third-party DLL that is regularly updated or repaired.

Hook principles
Hook is a platform for message processing in windows. Applications can set sub-processes on the platform to monitor messages in a specified window, the monitored window can be created by other processes. When a message arrives, process it before the target window processing function. The hook mechanism allows applications to intercept and process window messages or specific events.
A hook is actually a program segment for message processing. It is called by the system and mounted to the system. When a specific message is sent, the hook program captures the message before it reaches the target window, that is, the hook function gets control of the message first. In this case, the hook function can process (Change) the message, continue to transmit the message without processing it, and forcibly end the message transmission. Hook 4.2
Hook mechanism (Fig. 4.2)

Data Interception Overview
API Interception is not a new technology. Many commercial software use this technology. There are two methods to intercept Windows API functions. The first one is Mr. jeffrey Richter's module input section for modifying the EXE file. This method is safe, but complicated. In addition, some EXE files do not have a list of DLL input symbols, blocking may fail. The second method is the commonly used jmp xxx method. Although it is very old, it is very simple and practical. This topic uses the second method. Using the APIS provided by windows, we can easily implement API function interception.

 

Packet capture program principle
The program of this topic is mainly to combine hook, DLL and API function interception technology to achieve data packet capture. Its basic principle is as follows:
The first is to use the Hook Technology to intercept messages and extract the messages we are interested in. Then, use the API Interception Technology to intercept Socket network functions of the corresponding network program; finally, the DLL technology is used to encapsulate the code for Hook and API Interception. Use the EXE program to map the DLL to the process. When the network function of the program mounted by the hook is called, the API function is blocked to intercept the corresponding network function. Finally, extract the desired data packet from the network function.
Functional Module Design of packet capture program
The package capture program consists of two modules: DLL module and exe module.
In the DLL section, you can mount hook hooks, intercept API functions, and process intercepted network functions.
In the EXE program, the DLL is mapped to the process space, and the installation and uninstallation of the input and management hooks of the data packets are accepted.
 
DLL module part DLL loading Module

Structure Design
After the DLL is loaded to the current process space by the EXE, the DLL module is injected into the target process. Call the API Interception Function in the DLL module when it detects the sending and receiving of Network-related knots. After being processed by the API in the DLL, the network function is sent out.

 

 

 

 

 

Program Implementation
Hook core code
The hook part mainly mounts the message hook of a specific target program to share the DLL code and data with the target process. The packet capture program completes the above functions. It mainly uses the findjavaswex () function to find calss name (you can use Spy ++ to determine the Class Name of the Target Program) to determine the handle of the target program. To identify the target thread, and then use setwindowshookex () to mount the message hook.
In this way, once the Target Program (thread) starts, all messages of the program must first pass through our DLL module. After we finish processing the messages we are interested in, then send the message.
The specific code is as follows. In the following code, some exception detection sections are added:

G_harmins = find1_wex (null, null,/* "Target Program class name" */, null );
// Find the handle of the target thread
Dwthreadid = getwindowthreadprocessid (g_harmins, null );
// ID of the Save thread
If (dwthreadid = NULL) // exception detection
{
MessageBox (hwnd, "the program to be injected is not opened", "error", mb_ OK );
}
Else if (g_hinsmouse! = NULL & g_hinskeyboard! = NULL)
{
MessageBox (hwnd, "you have already injected, no need to inject multiple times", "error", mb_ OK );
}
Else
{
G_hinsmsg = setwindowshookex (wh_getmessage, getmsgproc,
Getmodulehandle ("dllname"), dwthreadid );
// Install the message hook. For more information about the parameters, see msdn.
}

Core code of function Interception
Function interception mainly replaces network functions. First, dynamically load wsock32.dll. All the network receiving and sending functions are in this DLL. Then, use the getprocaddress () function to obtain the first address of the network function we want to intercept from the DLL, then, use the assembly language to save a copy of the function we want to intercept for later recovery. Finally, use the Assembly again, overwrite the address of our function to the network function we want to intercept.
In this way, when the system calls the network function to send and receive data, it actually calls the function we compile to implement function interception.
The Code is as follows:
Hmodule = loadlibrary ("wsock32.dll ");
// Load the wsock32.dll Module
Pfsend = getprocaddress (hmodule, "send ");
// Obtain the send function entry address from the wsock32.dll module.
If (pfsend = NULL)
Return false;
// Save a copy of pfsend-oldsend
_ ASM
{
Lea EDI, oldsend
MoV ESI, pfsend
ClD
Movsd
Movsb
}
Newsend [0] = 0xe9; // The relative command of JMP mysend
// Use our mysend function to replace the pfsend function entry
_ ASM
{
Lea eax, mysend
MoV EBX, pfsend
Sub eax, EBX
Sub eax, 5
MoV dword ptr [newsend + 1], eax
}

The above two sections of code only intercept the send function in wsock32.dll. We know that all network functions have two statuses: Send and Recv, and common network connection methods include TCP and UDP. Therefore, we should also intercept the functions of Recv, sendto (UDP sending), and recvto (UDP accepted). The basic method is send.

Core code of memory modification
Memory modification is a key piece of code to be written in this program. Because Windows Memory is protected. Each process has its own private 4 GB virtual address space, and the EXE and DLL programs are mapped to the 2 GB address at the bottom. For the sake of security, Windows strictly mark the 2 GB memory space. All EXE and DLL code are marked as read-only, therefore, it is impossible for a process to access the stack, global memory, or heap memory of another process. Therefore, we must use the APIS provided by windows to modify the memory attributes.
The following code modifies the memory to the writable state:
Void _ stdcall sendhookon () // send
{
Handle hproc;
Dwidold = dwidnew;
Hproc = OpenProcess (process_all_access, 0, dwidold );
// Obtain the Process Handle
Virtualprotectex (hproc, pfsend, 5, page_readwrite, & dwidold );
// Modify the attribute of the first five bytes of send in the process to writable.
Writeprocessmemory (hproc, pfsend, newsend, 5, 0 );
// Change the first five bytes in the process to JMP to mysend
Virtualprotectex (hproc, pfsend, 5, dwidold, & dwidold );
// Modify the attribute of the first five bytes of send in the process to the original attribute.
Bhook = true;
}

When we no longer need to modify the memory content, we should restore the memory to the previous read-only status so that the windows memory structure will not be damaged. The following code completes the described function.

Void _ stdcall sendhookoff ()
{
Handle hproc;
Dwidold = dwidnew;
Hproc = OpenProcess (process_all_access, 0, dwidold );
Virtualprotectex (hproc, pfsend, 5, page_readwrite, & dwidold );
Writeprocessmemory (hproc, pfsend, oldsend, 5, 0 );
Virtualprotectex (hproc, pfsend, 5, dwidold, & dwidold );
Bhook = false;
}

The above two sections of code only modify the send function in TCP. We know that all network functions have two statuses: Send and Recv, and common network connection methods include TCP and UDP. Therefore, Recv, sendto, and recvto must be completed ). The basic method is the same as send.

 

DLL function Export
When we complete the DLL function module, we will talk about exporting the function functions in the DLL to the function name of the rule. Because the C ++ compiler will modify the function name during compilation, it will be difficult for us to call the function in our own DLL. Therefore, we need to specify the name of the function to be exported, in this way, we can conveniently call.
There are two ways to solve the above problem:
Method 1:
Before the name of the global function to be exported, add the following: extern "C" _ declspec (dllexport), which indicates that the function in a DLL is exported and complies with the call conventions of Standard C.
Method 2:
Use the module definition file (. Def) and add it to the project. Add the following code:
Library (Dynamic Link Library name)
Exports (the name of the function to be exported is listed below)

 

EXE front-end code Function Description
The EXE front-end mainly installs, uninstalls, and receives messages from the DLL module mounted by the hook, and prints data packets in its window.
The EXE part uses the MFC dialog box to complete the following tasks:
Use _ declspec (dllexport) to accept the exported function. Because the EXE front-end needs to call the function in the DLL, it must be told that the function is obtained from the DLL. Otherwise, the system will report the error of undefined function.
Compile the corresponding code of the message to install and uninstall the hook. When EXE obtains the function in the DLL, it needs to start the hook at the front end. The procedure is as follows: add a button, add the event response function, and call the function in the DLL.
Processing user-defined messages. Because we send the address and size of data packets to the EXE end in the form of messages, the EXE end must respond to the messages sent by the DLL end, step 1: Define the Message Type in the header file. 2. Add message ing in the message ing macro. 3. Add a message processing function in the CPP File Based on Message ing.
Print the data packet to the window, and print the data packet content based on the packet address and length in the message.

 

 

Conclusion
Through this graduation project, I am not only familiar with the core programming of windows, but also deeply learn hook and other technical gains, but also obviously feel that my self-learning ability has been greatly improved.
During this period and process of graduation project, we can deeply understand that, through actual software development and program design, we can further understand and use the knowledge we have learned.
In short, I feel that this graduation project has benefited a lot. On the basis of learning the relevant knowledge, I can fully apply it to the actual situation and further improve my learning ability. Therefore, this graduation project is a test of the University's two years of learning knowledge, but also a help and inspiration for future study and work.

 

 

 

 

References
Books:

Author: Jeffrey Richter title: Windows core programming
Published by: Microsoft Press

Author: George Shepherd, David J. kruglinski title: VC. NET technology insider
Published by: Microsoft Press

Author: Charles Petzold: Windows Programming
Published by: Microsoft Press

Author: Prasad Dabak, milind borate, Sandeep phadke
Title: untitled ented Windows NT Chinese edition published by: M & T

Online Information:

Author: Jiang Shan from: Microsoft China Community article name: hook special website:
Http://www.microsoft.com/china/community/program/originalarticles/techdoc/hook.mspx

Author: Fang from: xfocus team document center article name: Application layer packet capture solution and implementation
Web: http://www.xfocus.net/articles/200411/751.html

Author: tomh from: xfocus team Documentation Center article name: interception of API functions under Win2k
Web: http://www.xfocus.net/articles/200201/336.html

Thank you
First of all, I would like to thank my parents for their support for my years of parenting and my studies. You know, when I was in junior high school, my parents paid a great deal for me to study computers.
Secondly, I would like to thank my instructor Li Dan for spending a lot of time guiding me so that I can complete this paper.
Then, I would like to thank all of my friends for helping me as I grow up.
Finally, thank God !! Pai_^