I managed to write a semi-working EasyHook example that hooks the recv function. I wrote a form, added a WebBrowser component, and started the application. The problem is, I get the HTTP packets, but if there's a socket, it seems that recv stops "hooking". The problem is, with an external application, SpyStudio, I can get them hooking recv. So, what am I missing?
```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Runtime.InteropServices;
using System.Threading;
using System.Text;
using System.Windows.Forms;
using System.Diagnostics;
using System.IO;
using System.Runtime.Remoting;
using System.Runtime.Remoting.Channels.Ipc;
using EasyHook;

namespace flashing
{
    public partial class Form1 : Form, EasyHook.IEntryPoint
    {
        public LocalHook CreateRecvHook;
        // Serialises log writes: recv can be called from several threads at once.
        static readonly object logLock = new object();

        public Form1()
        {
            InitializeComponent();
        }

        [DllImport("Ws2_32.dll", SetLastError = true)]
        static extern int recv(
            IntPtr socketHandle,
            IntPtr buf,
            int count,
            int socketFlags
        );

        [UnmanagedFunctionPointer(CallingConvention.StdCall,
            CharSet = CharSet.Unicode,
            SetLastError = true)]
        delegate int Drecv(
            IntPtr socketHandle,
            IntPtr buf,
            int count,
            int socketFlags
        );

        static int recv_Hooked(
            IntPtr socketHandle,
            IntPtr buf,
            int count,
            int socketFlags)
        {
            // Call the real recv first; buf only holds data once it has returned.
            int bytesCount = recv(socketHandle, buf, count, socketFlags);
            if (bytesCount > 0)
            {
                byte[] newBuffer = new byte[bytesCount];
                Marshal.Copy(buf, newBuffer, 0, bytesCount);
                string s = System.Text.ASCIIEncoding.ASCII.GetString(newBuffer);
                lock (logLock)
                {
                    // Append mode, so successive recv calls do not overwrite each other.
                    using (TextWriter tw = new StreamWriter("log.txt", true))
                    {
                        tw.Write(s);
                    }
                }
                Debug.WriteLine("Hooked:>" + s);
            }
            return bytesCount;
        }

        private void bottonHook_Click(object sender, EventArgs e)
        {
            try
            {
                CreateRecvHook = LocalHook.Create(
                    LocalHook.GetProcAddress("Ws2_32.dll", "recv"),
                    new Drecv(recv_Hooked),
                    this);
                // Thread ID 0 is the calling thread (here the UI thread). With an
                // exclusive ACL the listed threads are NOT intercepted; all others are.
                CreateRecvHook.ThreadACL.SetExclusiveACL(new Int32[] { 0 });
            }
            catch (Exception ExtInfo)
            {
                Debug.WriteLine("Error creating the hook: " + ExtInfo);
                return;
            }
            // Required only when the target was started suspended via RemoteHooking.CreateAndInject.
            RemoteHooking.WakeUpProcess();
        }

        private void buttonLoader_Click(object sender, EventArgs e)
        {
            axShockwaveFlash1.LoadMovie(0, "test.swf");
        }
    }
}
```
Edit: I've no doubt about recv; here is what API Monitor tells me:

```text
# TID Module API Return Error
5 2696 Flash10l.ocx recv ( 1992, 0x07080000, 65536, 0 ) 1
```

So, can somebody help me?
There are a lot of different functions used with sockets. Maybe the plugin is not using the function named `recv`. Off the top of my head I can think of `recvfrom`, `recvmsg`, `WSARecv`, `WSARecvFrom`, `WSARecvMsg`, `ReadFile`, `ReadFileEx`. Then, the plugin could be doing requests with overlapped I/O (possibly complicated by completion routines or completion ports), in which case the data isn't stored during the e.g. `ReadFile` function call but at some later time. Hooking those would be considerably more challenging.

I wrote a tool dumping HTTP using SharpPcap in C#. It uses the WinPcap driver. I think it is more reliable than API hooks.

HTTPSaver (with sources)
SharpPcap
Winpcap
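Hooking one of the other receive paths the first answer lists, as an added example that is not from the question or the EasyHook project: it hooks `WSARecv` with the same `LocalHook` API the question uses, walks the `WSABUF` scatter/gather array after the call, and skips overlapped requests, whose buffers are only filled when the I/O completes later. The `WSABUF` layout, the empty exclusive ACL and the class and method names are assumptions.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Text;
using EasyHook;

static class WsaRecvHook
{
    // Assumed WSABUF layout from winsock2.h: ULONG len followed by CHAR* buf.
    [StructLayout(LayoutKind.Sequential)] struct WSABUF { public uint len; public IntPtr buf; }
    // DWORD*/OVERLAPPED* arguments stay IntPtr: callers may legitimately pass NULL for them.
    [DllImport("Ws2_32.dll", SetLastError = true)]
    static extern int WSARecv(IntPtr s, IntPtr lpBuffers, uint dwBufferCount, IntPtr lpNumberOfBytesRecvd,
        IntPtr lpFlags, IntPtr lpOverlapped, IntPtr lpCompletionRoutine);
    [UnmanagedFunctionPointer(CallingConvention.StdCall, SetLastError = true)]
    delegate int DWSARecv(IntPtr s, IntPtr lpBuffers, uint dwBufferCount, IntPtr lpNumberOfBytesRecvd,
        IntPtr lpFlags, IntPtr lpOverlapped, IntPtr lpCompletionRoutine);

    public static LocalHook Install()
    {
        LocalHook hook = LocalHook.Create(LocalHook.GetProcAddress("Ws2_32.dll", "WSARecv"),
                                          new DWSARecv(WSARecv_Hooked), null);
        // Empty exclusive ACL: no thread is excluded, so every thread is intercepted (assumes default global ACL).
        hook.ThreadACL.SetExclusiveACL(new int[0]);
        return hook;
    }

    static int WSARecv_Hooked(IntPtr s, IntPtr lpBuffers, uint dwBufferCount, IntPtr lpNumberOfBytesRecvd,
        IntPtr lpFlags, IntPtr lpOverlapped, IntPtr lpCompletionRoutine)
    {
        int rc = WSARecv(s, lpBuffers, dwBufferCount, lpNumberOfBytesRecvd, lpFlags, lpOverlapped, lpCompletionRoutine);
        if (lpOverlapped != IntPtr.Zero)
        {
            // Overlapped request: the buffers are filled when the I/O completes later, not during this call.
            System.Diagnostics.Debug.WriteLine("WSARecv(overlapped) on socket " + s + ": no data yet");
            return rc;
        }
        if (rc != 0 || lpNumberOfBytesRecvd == IntPtr.Zero) return rc;
        // Synchronous completion: walk the scatter/gather array up to the number of bytes received.
        uint remaining = (uint)Marshal.ReadInt32(lpNumberOfBytesRecvd);
        for (int i = 0; i < dwBufferCount && remaining > 0; i++)
        {
            IntPtr entry = new IntPtr(lpBuffers.ToInt64() + (long)i * Marshal.SizeOf(typeof(WSABUF)));
            WSABUF b = (WSABUF)Marshal.PtrToStructure(entry, typeof(WSABUF));
            int n = (int)Math.Min(b.len, remaining);
            byte[] data = new byte[n];
            Marshal.Copy(b.buf, data, 0, n);
            System.Diagnostics.Debug.WriteLine("WSARecv socket " + s + ": " + Encoding.ASCII.GetString(data));
            remaining -= (uint)n;
        }
        return rc;
    }
}
```

A hook on `recv` alone sees nothing from code that reads through this path, so installing both hooks is the usual way to confirm which one a plugin actually uses.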
Problem Solved. The line that created trouble was
I changed it to
and now everything works just fine. Thanks everybody :)