
EasyHook is not intercepting any recv calls


I have been trying to hook calls to 'recv' from Chrome and Firefox using EasyHook. However, this isn't working - it does not fail with any errors, but also no packets are being caught. I have tried the example program with 'CreateFile' hooks, and that works perfectly fine... Since there is next to no documentation on this, I am having trouble fixing this. Here is my code:

// the injected library
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using EasyHook;
using System.Runtime.InteropServices;
using System.Threading;
using System.Windows.Forms;

namespace SocketMon
{
    public class Injection : EasyHook.IEntryPoint
    {
        SocketMonInterface Interface;
        LocalHook CreateFileHook;
        Stack<String> Queue = new Stack<String>();

        public Injection(RemoteHooking.IContext InContext, String InChannelName)
        {
            // connect to host...
            Interface =
             RemoteHooking.IpcConnectClient<SocketMonInterface>(InChannelName);

            // validate connection...
            Interface.Ping();
        }


        public void Run(RemoteHooking.IContext InContext, String InChannelName)
        {
            // install hook...
            try
            {
                CreateFileHook = LocalHook.Create(
                    LocalHook.GetProcAddress("Ws2_32.dll", "recv"),
                    new Drecv(recv_Hooked),
                    this);

                CreateFileHook.ThreadACL.SetInclusiveACL(new Int32[] { 0 });
            }
            catch (Exception ExtInfo)
            {
                Interface.ReportException(ExtInfo);

                return;
            }

            Interface.IsInstalled(RemoteHooking.GetCurrentProcessId());

            // wait for host process termination...
            try
            {
                while (true)
                {
                    Thread.Sleep(500);

                    if (Queue.Count > 0)
                    {
                        String[] Package = null;


                        MessageBox.Show(Queue.Count.ToString());
                        lock (Queue)
                        {
                            Package = Queue.ToArray();

                            Queue.Clear();
                        }


                        Interface.OnRecvData(RemoteHooking.GetCurrentProcessId(), Package);
                    }
                    else
                        Interface.Ping();
                }
            }
            catch
            {
                // .NET Remoting will raise an exception if host is unreachable
            }
        }

        [UnmanagedFunctionPointer(CallingConvention.StdCall,
            CharSet = CharSet.Unicode,
            SetLastError = true)]


        delegate int Drecv(
                    IntPtr socketHandle,
                    IntPtr buf,
                    int count,
                    int socketFlags
            );

        // just use a P-Invoke implementation to get native API access
        // from C# (this step is not necessary for C++.NET)
        [DllImport("Ws2_32.dll")]
        static extern int recv(
                    IntPtr socketHandle,
                    IntPtr buf,
                    int count,
                    int socketFlags
            );


        public int recv_Hooked(
                    IntPtr socketHandle,
                    IntPtr buf,
                    int count,
                    int socketFlags
            )
        {
            int len = recv(socketHandle, buf, count, socketFlags);
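            // Report the byte count recv returned and the socket it was read from;
            // take the same lock Run() holds while it drains the queue.
            lock (Queue)
            {
                Queue.Push(String.Format("Received {0} bytes of data on socket {1}", len, socketHandle));
            }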
            return len;
        }
    }
}


//the ipc interface
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;

namespace SocketMon
{
    public class SocketMonInterface : MarshalByRefObject
    {
        public void IsInstalled(Int32 InClientPID)
        {
            Console.WriteLine("SocketMon has been installed in target {0}.\r\n", InClientPID);
        }

        public void OnRecvData(Int32 InClientPID, String[] InSocketData)
        {
            for (int i = 0; i < InSocketData.Length; i++)
            {

                Console.WriteLine(InSocketData[i]);
            }
        }

        public void ReportException(Exception InInfo)
        {
            Console.WriteLine("The target process has reported" +
                              " an error:\r\n" + InInfo.ToString());
        }

        public void Ping()
        {
            Console.WriteLine("Got pinged");
        }
    }
}

I have already tried changing SetExclusiveACL to SetInclusiveACL, and that has not helped...


Solution

  • I realised that my code was actually working...

    Manually calling 'recv' using P/Invoke worked...

    The problem is that Chrome and Firefox did not use 'recv'. When I used SpyStudio to hook them, they actually called other methods in 'wininet.dll', not using Winsock.
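
The check described in the answer (calling 'recv' manually through P/Invoke to confirm the hook fires) can be written as a loopback self-test. This is an added example, not code from the original post; the class name `RecvSelfTest` and the payload are hypothetical, and it only uses standard .NET socket and interop calls.

```csharp
using System;
using System.Net;
using System.Net.Sockets;
using System.Runtime.InteropServices;
using System.Text;

namespace SocketMon
{
    // Hypothetical helper (not from the original post): drives one recv call
    // over a loopback connection so a hook on Ws2_32!recv has something to catch.
    public static class RecvSelfTest
    {
        [DllImport("Ws2_32.dll", SetLastError = true)]
        static extern int recv(IntPtr socketHandle, IntPtr buf, int count, int socketFlags);

        // Returns the number of bytes recv reported, or -1 (SOCKET_ERROR).
        public static int Run()
        {
            byte[] payload = Encoding.ASCII.GetBytes("hook-self-test"); // constructed sample data
            var listener = new TcpListener(IPAddress.Loopback, 0);      // port 0: OS picks a free port
            listener.Start();
            try
            {
                int port = ((IPEndPoint)listener.LocalEndpoint).Port;
                using (var client = new TcpClient())
                {
                    client.Connect(IPAddress.Loopback, port);
                    using (TcpClient server = listener.AcceptTcpClient())
                    {
                        server.GetStream().Write(payload, 0, payload.Length);
                        IntPtr buf = Marshal.AllocHGlobal(256);
                        try
                        {
                            // Blocking call through the same export the hook targets.
                            return recv(client.Client.Handle, buf, 256, 0);
                        }
                        finally { Marshal.FreeHGlobal(buf); }
                    }
                }
            }
            finally { listener.Stop(); }
        }

        static void Main()
        {
            Console.WriteLine("recv returned {0} bytes", Run());
        }
    }
}
```

Calling `RecvSelfTest.Run()` from `Injection.Run` right after the hook is installed should produce one "Received ..." entry in the host console, since EasyHook substitutes thread ID 0 in an ACL with the calling thread. If that entry appears but nothing arrives from the target's own traffic, the target is not reaching this export on the hooked threads.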