Simulate wsockexpert and intercept API to intercept packets

Source: Internet
Author: User

Column Reprinted from Zwell:

I do not know how many people use wsockexpert. It can be used to intercept the network data sent and received by a specified process.
At first I thought it injected a DLL into the target process at run time and patched the IAT. Later I found that as soon as it starts running
it has already placed its DLL into every process, much like the sockcap imitation written by Bing ge.
So it appears to inject the DLL into all processes; but think again: if that were so, a program started afterwards
would not have the DLL injected (unless it did so on a schedule ^_^, which is too troublesome). Considering this, I guess it
uses a hook, which is somewhat more convenient: you do not have to worry about whether you have read/write permission,
which is otherwise some trouble.
I used an API hook to write a similar program in the BCB environment: the DLL is inserted into every
process and then intercepts the Winsock API. I ran into some problems along the way; see sockcap and
eyas's xhook for reference. xhook backs up the original function and, rather than
restoring the API address, calls the backup directly, which improves execution efficiency.
You can extend the functions in the following example:

DLL code:

//---------------------------------------------------------------------------
// Mady by Zwell
// 2004.8
// Zwell@sohu.com
//---------------------------------------------------------------------------
# Include <winsock2.h>
# Include <stdio. h>

# Pragma argsused

// Customize the apihook Structure
// One patched Winsock entry point: where the real function lives, the five
// original bytes that hookoffone puts back, and the five-byte jump that
// hookonone writes over them.
typedef struct
{
    FARPROC funcaddr;   // address of the real export inside the Winsock DLL
    BYTE olddata[5];    // original prologue bytes, saved by hookapi
    BYTE newdata[5];    // E9 rel32 jump to the replacement function
} HookStruct;

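HHOOK g_hhook = NULL;          // WH_GETMESSAGE hook handle; non-NULL only in the process that called installhook
HINSTANCE g_hinstdll = NULL;   // this DLL's module handle, recorded in DllEntryPoint
HMODULE hmodule = NULL;        // module returned by the last LoadLibrary in hookapi (the listing shows this declaration without its name)
HWND g_hform = NULL;           // listener window for the WM_COPYDATA reports; FindWindow returns an HWND, not a generic HANDLE
DWORD dwidold, dwidnew;        // this process's id, captured in Init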

//------------------------------------------------------------------------
// To intercept functions from two libraries, each function gets two hook structures.
// Many packets were not intercepted because this was not taken into account during programming;
// later I recalled that Bing ge's sockcap imitation hooked each function twice, and understood why:
// one copy is in wsock32.dll and the other in ws2_32.dll.
//------------------------------------------------------------------------
// Patch records, one per hooked export. The unsuffixed set targets
// wsock32.dll, the "1" set ws2_32.dll; WSASend is hooked once only.
HookStruct recvapi, recvapi1;
HookStruct sendapi, sendapi1;
HookStruct sendtoapi, sendtoapi1;
HookStruct wsasendapi;

void hookon();    // apply every prepared patch in this process
void hookoff();   // restore every patched entry point
bool Init();      // resolve the targets and call hookon

// Exported to the controlling form: install / remove the WH_GETMESSAGE hook.
extern "C" __declspec(dllexport) bool __stdcall installhook();
extern "C" __declspec(dllexport) bool __stdcall uninstallhook();

// Resolve dllname!procname and build the jump to myfuncaddr into *hookfunc.
bool hookapi(char *dllname, char *procname, DWORD myfuncaddr, HookStruct *hookfunc);

// Replacement functions; the "1" variants are bound to ws2_32.dll, the
// others to wsock32.dll.
int WINAPI myrecv(SOCKET S, char *Buf, int Len, int flags);
int WINAPI myrecv1(SOCKET S, char *Buf, int Len, int flags);
int WINAPI mysend(SOCKET S, char *Buf, int Len, int flags);
int WINAPI mysend1(SOCKET S, char *Buf, int Len, int flags);
int WINAPI mysendto(SOCKET S, const char *Buf, int Len,
                    int flags, const struct sockaddr *To, int tolen);
int WINAPI mysendto1(SOCKET S, const char *Buf, int Len,
                     int flags, const struct sockaddr *To, int tolen);
int WINAPI mywsasend(SOCKET s,
                     LPWSABUF lpbuffers,
                     DWORD dwbuffercount,
                     LPDWORD lpnumberofbytessent,
                     DWORD dwflags,
                     LPWSAOVERLAPPED lpoverlapped,
                     LPWSAOVERLAPPED_COMPLETION_ROUTINE lpcompletionroutine);

// Deliver one report line to the form window.
void sndmsg(char *BUF);

//---------------------------------------------------------------------------
// Entry function
// API interception is installed when the DLL is loaded into a process
// and removed when it is unloaded.
//---------------------------------------------------------------------------
// DLL entry point. Patches go in when a process maps this DLL and come out
// when it unmaps it. Returning false from DLL_PROCESS_ATTACH makes the
// load fail in that process.
int WINAPI DllEntryPoint(HINSTANCE hinst, unsigned long reason, void *lpreserved)
{
    if (reason == DLL_PROCESS_ATTACH) {
        g_hinstdll = hinst;
        // Listener window located by title; the listing shows "Zwell " with a
        // trailing space, presumably a transcription artifact.
        g_hform = FindWindow(NULL, "Zwell");
        // NOTE(review): FindWindow and MessageBoxA are called under the loader lock here.
        if (!Init()) {
            MessageBoxA(NULL, "init", "error", MB_OK);
            return false;
        }
    } else if (reason == DLL_PROCESS_DETACH) {
        uninstallhook();
    }
    // DLL_THREAD_ATTACH / DLL_THREAD_DETACH need nothing.
    return true;
}

//-----------------------------------------------------------------------
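// Resolve every target and, only if all of them resolved, activate the
// patches. The listing ignored hookapi's result, so a failed lookup left a
// record with a NULL funcaddr and a garbage jump that hookon then tried to
// write. Export names are case-sensitive for GetProcAddress.
bool Init()
{
    if (!hookapi("wsock32.dll", "recv", (DWORD)myrecv, &recvapi)) return false;
    if (!hookapi("ws2_32.dll", "recv", (DWORD)myrecv1, &recvapi1)) return false;
    if (!hookapi("wsock32.dll", "send", (DWORD)mysend, &sendapi)) return false;
    if (!hookapi("ws2_32.dll", "send", (DWORD)mysend1, &sendapi1)) return false;
    if (!hookapi("wsock32.dll", "sendto", (DWORD)mysendto, &sendtoapi)) return false;
    if (!hookapi("ws2_32.dll", "sendto", (DWORD)mysendto1, &sendtoapi1)) return false;
    if (!hookapi("wsock32.dll", "WSASend", (DWORD)mywsasend, &wsasendapi)) return false;

    dwidnew = GetCurrentProcessId();   // id of the process we were just mapped into
    dwidold = dwidnew;
    hookon();                          // start interception
    return true;
}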
//---------------------------------------------------------------------------
// WH_GETMESSAGE callback. It does no work of its own: the hook exists so
// that Windows maps this DLL into other processes, whose DllEntryPoint
// then installs the Winsock patches.
LRESULT WINAPI hook(int ncode, WPARAM wparam, LPARAM lparam)
{
    LRESULT next = CallNextHookEx(g_hhook, ncode, wparam, lparam);
    return next;
}
//---------------------------------------------------------------------------
// Exported: register the WH_GETMESSAGE hook from the controlling process.
// Returns false (after a message box) when SetWindowsHookEx fails.
extern "C" __declspec(dllexport) bool __stdcall installhook()
{
    g_hhook = SetWindowsHookEx(WH_GETMESSAGE, (HOOKPROC)hook, g_hinstdll, 0);
    if (g_hhook != NULL)
        return true;
    MessageBoxA(NULL, "set error", "error", MB_OK);
    return false;
}
//---------------------------------------------------------------------------
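// Exported: restore the patches in this process and, in the process that
// installed it, remove the message hook. The listing tested the handle with
// "=" rather than "==", which cleared it and skipped UnhookWindowsHookEx
// every time, so the hook was never actually removed.
extern "C" __declspec(dllexport) bool __stdcall uninstallhook()
{
    hookoff();
    // Only the installing process holds a handle; elsewhere the global is
    // still zero and there is nothing to unhook.
    if (g_hhook == NULL)
        return true;
    bool ok = UnhookWindowsHookEx(g_hhook) != 0;
    g_hhook = NULL;   // a second call (DLL_PROCESS_DETACH) must not reuse a stale handle
    return ok;
}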

//---------------------------------------------------------------------------
// API Interception Based on Input Structure
//---------------------------------------------------------------------------
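// Resolve dllname!procname and prepare (but do not yet apply) a five-byte
// patch that redirects it to myfuncaddr. E9 rel32 is relative to the end of
// the jump, hence the "- 5". The DWORD arithmetic assumes a 32-bit address
// space, which is all this listing targets.
// Returns false if the module or the export cannot be found; the listing
// tested funcaddr with "=" instead of "==", which always failed.
bool hookapi(char *dllname, char *procname, DWORD myfuncaddr, HookStruct *hookfunc)
{
    hmodule = LoadLibrary(dllname);   // NOTE: each call adds a module reference that is never released
    if (hmodule == NULL)
        return false;
    hookfunc->funcaddr = GetProcAddress(hmodule, procname);
    if (hookfunc->funcaddr == NULL)
        return false;

    // Save exactly the bytes the patch overwrites; the listing copied six
    // into the five-byte olddata array.
    memcpy(hookfunc->olddata, (const void *)hookfunc->funcaddr, sizeof hookfunc->olddata);
    hookfunc->newdata[0] = 0xE9;
    DWORD jmpaddr = myfuncaddr - (DWORD)hookfunc->funcaddr - 5;
    // rel32 is four bytes; copying five read past jmpaddr and wrote newdata[5].
    memcpy(&hookfunc->newdata[1], &jmpaddr, sizeof jmpaddr);
    return true;
}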
//---------------------------------------------------------------------------
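// Write hookfunc->newdata over the first five bytes of the target in this
// process. The listing leaked the OpenProcess handle on every call, reused
// the process-id global as the old-protection out-parameter and checked no
// return value; all three are addressed here.
void hookonone(HookStruct *hookfunc)
{
    if (hookfunc->funcaddr == NULL)
        return;   // hookapi failed for this entry; nothing to patch
    HANDLE hproc = OpenProcess(PROCESS_ALL_ACCESS, 0, dwidnew);   // our own process
    if (hproc == NULL)
        return;
    DWORD oldprotect = 0;
    // Keep EXECUTE while the page is writable: another thread may be running
    // the target function at this moment.
    if (VirtualProtectEx(hproc, (LPVOID)hookfunc->funcaddr, sizeof hookfunc->newdata,
                         PAGE_EXECUTE_READWRITE, &oldprotect)) {
        WriteProcessMemory(hproc, (LPVOID)hookfunc->funcaddr, hookfunc->newdata,
                           sizeof hookfunc->newdata, 0);
        VirtualProtectEx(hproc, (LPVOID)hookfunc->funcaddr, sizeof hookfunc->newdata,
                         oldprotect, &oldprotect);
    }
    CloseHandle(hproc);
}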
//---------------------------------------------------------------------------
// Activate every prepared patch in this process.
void hookon()
{
    HookStruct *const targets[] = {
        &recvapi, &sendapi, &sendtoapi,
        &recvapi1, &sendapi1, &sendtoapi1,
        &wsasendapi
    };
    for (size_t i = 0; i < sizeof targets / sizeof targets[0]; i++)
        hookonone(targets[i]);
}
//---------------------------------------------------------------------------
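// Put hookfunc->olddata back over the first five bytes of the target in this
// process. Mirrors hookonone: the listing leaked the OpenProcess handle,
// clobbered the process-id global with the old page protection and ignored
// every return value.
void hookoffone(HookStruct *hookfunc)
{
    if (hookfunc->funcaddr == NULL)
        return;   // never hooked, so nothing to restore
    HANDLE hproc = OpenProcess(PROCESS_ALL_ACCESS, 0, dwidnew);   // our own process
    if (hproc == NULL)
        return;
    DWORD oldprotect = 0;
    // Keep EXECUTE while the page is writable; other threads may be inside
    // the target function.
    if (VirtualProtectEx(hproc, (LPVOID)hookfunc->funcaddr, sizeof hookfunc->olddata,
                         PAGE_EXECUTE_READWRITE, &oldprotect)) {
        WriteProcessMemory(hproc, (LPVOID)hookfunc->funcaddr, hookfunc->olddata,
                           sizeof hookfunc->olddata, 0);
        VirtualProtectEx(hproc, (LPVOID)hookfunc->funcaddr, sizeof hookfunc->olddata,
                         oldprotect, &oldprotect);
    }
    CloseHandle(hproc);
}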

//---------------------------------------------------------------------------
// Restore every patched entry point in this process.
void hookoff()
{
    HookStruct *const targets[] = {
        &recvapi, &sendapi, &sendtoapi,
        &recvapi1, &sendapi1, &sendtoapi1,
        &wsasendapi
    };
    for (size_t i = 0; i < sizeof targets / sizeof targets[0]; i++)
        hookoffone(targets[i]);
}
//---------------------------------------------------------------------------
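// Replacement for wsock32.dll!recv. The patch is lifted for the real call
// and put back afterwards; in a multithreaded process another thread can
// call recv unlogged in that window (the xhook approach mentioned in the
// text avoids this).
// Report format is "recv|pid|len|data", which is what the form's
// OnCopyData splits on "|". Fixes over the listing: memset(sizeof pointer)
// zeroed four bytes, the format had two conversions for three arguments,
// %s read Buf until a NUL that network data need not contain, Len is the
// caller's buffer size rather than the bytes received, and new[] was
// released with plain delete.
int WINAPI myrecv(SOCKET S, char *Buf, int Len, int flags)
{
    hookoffone(&recvapi);
    int nreturn = recv(S, Buf, Len, flags);
    hookonone(&recvapi);

    // Only bytes actually received are meaningful; on SOCKET_ERROR nreturn
    // is -1 and Buf holds nothing valid.
    if (nreturn > 0 && Buf != NULL) {
        // Header stays well under 100 bytes and %.*s is bounded by nreturn,
        // so the buffer cannot be overrun by unterminated data. The channel
        // is still text: the receiver stops at the first NUL in the payload.
        char *tmpbuf = new char[nreturn + 100];
        sprintf(tmpbuf, "recv|%lu|%d|%.*s",
                (unsigned long)GetCurrentProcessId(), nreturn, nreturn, Buf);
        sndmsg(tmpbuf);
        delete[] tmpbuf;
    }
    return nreturn;
}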
//---------------------------------------------------------------------------
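// Replacement for ws2_32.dll!recv; same shape as myrecv. The real call runs
// with the patch lifted, so concurrent callers on other threads are not
// logged during that window.
// Fixes over the listing: the memset only zeroed sizeof(char*) bytes, the
// format string had two conversions for three arguments, %s on Buf was
// unbounded, Len is the buffer size rather than the bytes received, and
// new[] was paired with plain delete.
int WINAPI myrecv1(SOCKET S, char *Buf, int Len, int flags)
{
    hookoffone(&recvapi1);
    int nreturn = recv(S, Buf, Len, flags);
    hookonone(&recvapi1);

    // Skip SOCKET_ERROR (-1) and zero-length results: nothing valid in Buf.
    if (nreturn > 0 && Buf != NULL) {
        // %.*s bounds the payload to nreturn; the header is far below 100 bytes.
        char *tmpbuf = new char[nreturn + 100];
        sprintf(tmpbuf, "recv1|%lu|%d|%.*s",
                (unsigned long)GetCurrentProcessId(), nreturn, nreturn, Buf);
        sndmsg(tmpbuf);
        delete[] tmpbuf;
    }
    return nreturn;
}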
//---------------------------------------------------------------------------
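// Replacement for wsock32.dll!send. The caller's Len bytes are reported
// after the real call; the patch is off during that call, so other threads
// may send unlogged in the meantime.
// Fixes over the listing: memset(sizeof pointer), a format with two
// conversions for three arguments, unbounded %s on data that need not be
// NUL-terminated, and delete instead of delete[].
int WINAPI mysend(SOCKET S, char *Buf, int Len, int flags)
{
    hookoffone(&sendapi);
    int nreturn = send(S, Buf, Len, flags);
    hookonone(&sendapi);

    // Report what the application offered, bounded by Len; a negative Len
    // would make %.*s unbounded, so it is excluded.
    if (Len > 0 && Buf != NULL) {
        char *tmpbuf = new char[Len + 100];
        sprintf(tmpbuf, "send|%lu|%d|%.*s",
                (unsigned long)GetCurrentProcessId(), Len, Len, Buf);
        sndmsg(tmpbuf);
        delete[] tmpbuf;
    }
    return nreturn;
}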
//---------------------------------------------------------------------------
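// Replacement for ws2_32.dll!send; same shape as mysend.
// Fixes over the listing: memset(sizeof pointer), a format with two
// conversions for three arguments, unbounded %s on Buf, and delete
// instead of delete[].
int WINAPI mysend1(SOCKET S, char *Buf, int Len, int flags)
{
    hookoffone(&sendapi1);
    int nreturn = send(S, Buf, Len, flags);
    hookonone(&sendapi1);

    // Negative Len would turn %.*s unbounded; skip it along with NULL Buf.
    if (Len > 0 && Buf != NULL) {
        char *tmpbuf = new char[Len + 100];
        sprintf(tmpbuf, "send1|%lu|%d|%.*s",
                (unsigned long)GetCurrentProcessId(), Len, Len, Buf);
        sndmsg(tmpbuf);
        delete[] tmpbuf;
    }
    return nreturn;
}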
//--------------------------------------------------------------------------
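// Replacement for wsock32.dll!sendto. The destination address is not
// reported, only the Len payload bytes.
// Fixes over the listing: memset(sizeof pointer), a format with two
// conversions for three arguments, unbounded %s on Buf, and delete
// instead of delete[].
int WINAPI mysendto(SOCKET S, const char *Buf, int Len,
                    int flags, const struct sockaddr *To, int tolen)
{
    hookoffone(&sendtoapi);
    int nreturn = sendto(S, Buf, Len, flags, To, tolen);
    hookonone(&sendtoapi);

    // %.*s is bounded by Len; a negative Len would remove the bound.
    if (Len > 0 && Buf != NULL) {
        char *tmpbuf = new char[Len + 100];
        sprintf(tmpbuf, "sendto|%lu|%d|%.*s",
                (unsigned long)GetCurrentProcessId(), Len, Len, Buf);
        sndmsg(tmpbuf);
        delete[] tmpbuf;
    }
    return nreturn;
}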
//--------------------------------------------------------------------------
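// Replacement for ws2_32.dll!sendto; same shape as mysendto.
// Fixes over the listing: memset(sizeof pointer), a format with two
// conversions for three arguments, unbounded %s on Buf, and delete
// instead of delete[].
int WINAPI mysendto1(SOCKET S, const char *Buf, int Len,
                     int flags, const struct sockaddr *To, int tolen)
{
    hookoffone(&sendtoapi1);
    int nreturn = sendto(S, Buf, Len, flags, To, tolen);
    hookonone(&sendtoapi1);

    // %.*s is bounded by Len; a negative Len would remove the bound.
    if (Len > 0 && Buf != NULL) {
        char *tmpbuf = new char[Len + 100];
        sprintf(tmpbuf, "sendto1|%lu|%d|%.*s",
                (unsigned long)GetCurrentProcessId(), Len, Len, Buf);
        sndmsg(tmpbuf);
        delete[] tmpbuf;
    }
    return nreturn;
}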
//----------------------------------------------------------------------------
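// Replacement for wsock32.dll!WSASend. Only the first WSABUF of a
// scatter/gather call is reported.
// Fixes over the listing: lpnumberofbytessent is optional (NULL on
// overlapped calls) yet was dereferenced to size the buffer and then printed
// as a pointer with %d; memset(sizeof pointer) zeroed four bytes; %s on the
// buffer was unbounded; new[] was released with plain delete.
int WINAPI mywsasend(SOCKET s,
                     LPWSABUF lpbuffers,
                     DWORD dwbuffercount,
                     LPDWORD lpnumberofbytessent,
                     DWORD dwflags,
                     LPWSAOVERLAPPED lpoverlapped,
                     LPWSAOVERLAPPED_COMPLETION_ROUTINE lpcompletionroutine)
{
    hookoffone(&wsasendapi);
    int nreturn = WSASend(s, lpbuffers, dwbuffercount, lpnumberofbytessent,
                          dwflags, lpoverlapped, lpcompletionroutine);
    hookonone(&wsasendapi);

    // Size the report from the first buffer the caller supplied, not from
    // the optional bytes-sent out-parameter.
    if (lpbuffers != NULL && dwbuffercount > 0 && lpbuffers[0].buf != NULL) {
        int datalen = (int)lpbuffers[0].len;   // ULONG -> int; skipped if it does not fit
        if (datalen > 0) {
            char *tmpbuf = new char[datalen + 100];
            sprintf(tmpbuf, "wsasend|%lu|%d|%.*s",
                    (unsigned long)GetCurrentProcessId(), datalen, datalen, lpbuffers[0].buf);
            sndmsg(tmpbuf);
            delete[] tmpbuf;
        }
    }
    return nreturn;
}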

//-----------------------------------------------------------------
// Send messages to the window
// For simplicity the COPYDATASTRUCT structure is used;
// memory mapping should be faster.
//-----------------------------------------------------------------
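// Deliver one NUL-terminated report line to the listener window via
// WM_COPYDATA. SendMessage blocks the hooked process until the form has
// handled the message.
// Fixes over the listing: cbData excluded the terminator although the
// receiver reads lpData as a C string, and no window (g_hform NULL when
// FindWindow found nothing) was not handled.
void sndmsg(char *BUF)
{
    if (g_hform == NULL || BUF == NULL)
        return;   // no listener was found when the DLL loaded
    COPYDATASTRUCT cds;
    cds.dwData = sizeof(COPYDATASTRUCT);   // tag only; the receiver ignores it
    cds.cbData = (DWORD)strlen(BUF) + 1;   // include the terminator; only cbData bytes cross the process boundary
    cds.lpData = BUF;
    SendMessage(g_hform, WM_COPYDATA, (WPARAM)NULL, (LPARAM)&cds);
}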

Main form code:
//---------------------------------------------------------------------------

# Include <VCL. h>
# Pragma hdrstop

# Include "main_form.h"
//---------------------------------------------------------------------------
# Pragma package (smart_init)
# Pragma link "hexedit"
# Pragma resource "*. DFM"
TForm1 *Form1;

HINSTANCE hdll;                        // the hook DLL while loaded by Button1Click, NULL otherwise
bool (__stdcall *installhook)();       // exports resolved from hdll
bool (__stdcall *uninstallhook)();
//---------------------------------------------------------------------------
// Form constructor: route application hints to the status bar.
__fastcall TForm1::TForm1(TComponent *Owner)
    : TForm(Owner)
{
    Application->OnHint = DisplayHint;
}
//---------------------------------------------------------------------------
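// Start: load the hook DLL, resolve its two exports and install the hook.
// The listing reported each failure but then carried on, calling through a
// NULL pointer when LoadLibrary or GetProcAddress failed; every failure
// now returns without changing the button state.
void __fastcall TForm1::Button1Click(TObject *Sender)
{
    g_dindex = 0;

    hdll = LoadLibrary("DLL.dll");
    if (hdll == NULL) {
        MessageBox(NULL, "loadlibrary", "error", MB_OK | MB_ICONERROR);
        return;
    }
    installhook = (bool (__stdcall *)())GetProcAddress(hdll, "installhook");
    if (installhook == NULL) {
        MessageBox(NULL, "installhook", "error", MB_OK | MB_ICONERROR);
        FreeLibrary(hdll);
        hdll = NULL;
        return;
    }
    uninstallhook = (bool (__stdcall *)())GetProcAddress(hdll, "uninstallhook");
    if (uninstallhook == NULL) {
        MessageBox(NULL, "uninstallhook", "error", MB_OK | MB_ICONERROR);
        FreeLibrary(hdll);
        hdll = NULL;
        return;
    }
    // installhook shows its own message box on failure.
    if (!installhook()) {
        FreeLibrary(hdll);
        hdll = NULL;
        return;
    }

    StartBtn->Enabled = false;
    StopBtn->Enabled = true;
}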
//---------------------------------------------------------------------------
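// Stop: remove the hook and unload the DLL. Guards added so that a stop
// after a failed start (NULL export pointers, NULL hdll) or a second stop
// from FormClose does not call through NULL or free a handle twice.
void __fastcall TForm1::Button2Click(TObject *Sender)
{
    g_dindex = 0;
    if (uninstallhook != NULL)
        uninstallhook();
    if (hdll != NULL) {
        FreeLibrary(hdll);
        hdll = NULL;
    }
    installhook = NULL;     // pointers into the unloaded module are now dangling
    uninstallhook = NULL;
    StartBtn->Enabled = true;
    StopBtn->Enabled = false;
}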
//---------------------------------------------------------------------------
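// WM_COPYDATA handler: one "name|pid|len|data" line from a hooked process
// becomes a list row with four sub-items (the last one is the payload that
// lvClick / lvKeyUp show in the hex editor).
// Any process that can find this window can send WM_COPYDATA, so lpData is
// treated as untrusted bytes bounded by cbData rather than as a
// NUL-terminated string, which is what the plain (char *) cast assumed.
void __fastcall TForm1::OnCopyData(TMessage &Msg)
{
    COPYDATASTRUCT *cds = (COPYDATASTRUCT *)Msg.LParam;
    if (cds == NULL || cds->lpData == NULL)
        return;

    // Take at most cbData bytes, stopping at the first NUL if there is one.
    const char *raw = (const char *)cds->lpData;
    int n = 0;
    while ((DWORD)n < cds->cbData && raw[n] != '\0')
        n++;
    AnsiString tmpbuf(raw, n);

    TListItem *li = lv->Items->Add();
    li->Caption = g_dindex;
    int sep = tmpbuf.Pos("|");
    AnsiString kind = sep > 0 ? tmpbuf.SubString(1, sep - 1) : tmpbuf;
    li->ImageIndex = kind.Pos("send") > 0 ? 1 : 0;   // outbound rows get the second icon

    // Three "|"-terminated fields, then whatever remains is the payload.
    // A missing separator yields the rest as the field and empties the tail.
    for (int field = 0; field < 3; field++) {
        sep = tmpbuf.Pos("|");
        if (sep > 0) {
            li->SubItems->Add(tmpbuf.SubString(1, sep - 1));
            tmpbuf = tmpbuf.SubString(sep + 1, tmpbuf.Length());
        } else {
            li->SubItems->Add(tmpbuf);
            tmpbuf = "";
        }
    }
    li->SubItems->Add(tmpbuf);
}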

// Runs for every row added: advance the row counter and keep the newest
// row in view.
void __fastcall TForm1::lvInsert(TObject *Sender, TListItem *Item)
{
    ++g_dindex;
    lv->Perform(LVM_SCROLL, 0, 10);
}
//---------------------------------------------------------------------------

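// Show the selected row's payload (SubItems[3]) in the hex editor.
// The listing indexed SubItems[3] unconditionally; a row with fewer
// sub-items (e.g. a malformed report) is now skipped.
void __fastcall TForm1::lvClick(TObject *Sender)
{
    if (lv->ItemIndex < 0)
        return;
    TListItem *item = lv->Items->Item[lv->ItemIndex];
    if (item->SubItems->Count < 4)
        return;
    AnsiString data = item->SubItems->Strings[3];
    HexEdit1->LoadFromBuffer(data.c_str(), data.Length());
}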
//---------------------------------------------------------------------------

// Clear button: drop every captured row.
void __fastcall TForm1::SpeedButton3Click(TObject *Sender)
{
    lv->Clear();
}
//---------------------------------------------------------------------------

// Closing while capture is running behaves like pressing Stop, so the hook
// is removed before the window goes away.
void __fastcall TForm1::FormClose(TObject *Sender, TCloseAction &Action)
{
    bool capturing = StopBtn->Enabled;
    if (capturing)
        Button2Click(Sender);
}
//---------------------------------------------------------------------------

// Tint rows whose ImageIndex is 0 (the non-"send" rows created by
// OnCopyData); other rows keep the default brush.
void __fastcall TForm1::lvAdvancedCustomDrawItem(TCustomListView *Sender,
    TListItem *Item, TCustomDrawState State, TCustomDrawStage Stage,
    bool &DefaultDraw)
{
    if (Item->ImageIndex != 0)
        return;
    lv->Canvas->Brush->Color = 0x00FFF5EC;
}
//---------------------------------------------------------------------------

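// Keyboard navigation: show the newly selected row's payload (SubItems[3])
// in the hex editor, as lvClick does for the mouse. The listing indexed
// SubItems[3] unconditionally; rows with fewer sub-items are now skipped.
void __fastcall TForm1::lvKeyUp(TObject *Sender, WORD &Key, TShiftState Shift)
{
    if (lv->ItemIndex < 0)
        return;
    TListItem *item = lv->Items->Item[lv->ItemIndex];
    if (item->SubItems->Count < 4)
        return;
    AnsiString data = item->SubItems->Strings[3];
    HexEdit1->LoadFromBuffer(data.c_str(), data.Length());
}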
//---------------------------------------------------------------------------
// Application OnHint handler: mirror the current hint in the status bar.
void __fastcall TForm1::DisplayHint(TObject *Sender)
{
    AnsiString hint = GetLongHint(Application->Hint);
    StatusBar1->SimpleText = hint;
}

Program:
Http://www.donews.net/images/www_donews_net/zwell/8521/o_zwsockhook.JPG

If you have any program limitations, please discuss them together.

Suei8423, edited on
---
Welcome to my blog:
Http://www.donews.net/zwell/
