dll注入拦截send后如何找到报文
通过DLL远程注入拦截了WS2_32.dll的send和recv。recv拦截正常,但send的缓冲区里只有报头;
我按报头长度继续往后读取并输出,得到的都是空值,这是怎么回事?
/// DLL entry point.
///
/// On DLL_PROCESS_ATTACH it configures the two hook objects for WS2_32.dll's
/// send and recv (naming MySend / MyRecv as the replacements) and passes them
/// to Inject_Send / Inject_Recv. Every other notification is ignored.
///
/// @param hModule             Module handle of this DLL (unused here).
/// @param ul_reason_for_call  Loader notification code.
/// @param lpReserved          Loader-supplied context (unused here).
/// @return Always TRUE; the results of Init/Inject_* are not inspected.
BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    // Thread attach/detach and process detach intentionally do nothing.
    // NOTE(review): nothing here undoes the hooks on DLL_PROCESS_DETACH. If
    // Inject_* patches code in WS2_32.dll (not visible from here), unloading
    // this DLL would presumably leave send/recv redirected to code that is no
    // longer mapped -- confirm and restore the hooks on detach if so.
    if (ul_reason_for_call == DLL_PROCESS_ATTACH)
    {
        // NOTE(review): DllMain runs under the loader lock. Whether Init or
        // Inject_* load libraries or wait on other threads is not visible
        // here -- verify, since either can deadlock process start-up.
        obj_HookAPI_Send.Init("WS2_32.dll", "send", "MySend");
        Inject_Send(&obj_HookAPI_Send);

        obj_HookAPI_Recv.Init("WS2_32.dll", "recv", "MyRecv");
        Inject_Recv(&obj_HookAPI_Recv);

        // Disabled: an additional hook on WSARecv.
        //obj_HookAPI_RecvFrom.Init("Ws2_32.dll", "WSARecv", "MyWSARecv");
        //Inject_RecvFrom(&obj_HookAPI_RecvFrom);
    }

    return TRUE;
}
//拦截send处理函数
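/// Replacement for WS2_32.dll's send(): logs outgoing buffers that begin with
/// the HTTP method token "POST" or "GET", then forwards the call to the real
/// send() with the hook temporarily switched off.
///
/// @param s      Socket handle, passed through unchanged.
/// @param buf    Caller's outgoing data. Only the first `len` bytes belong to
///               this call.
/// @param len    Number of valid bytes in `buf`.
/// @param flags  send() flags, passed through unchanged.
/// @return The value returned by the real send() (bytes sent or SOCKET_ERROR).
int WINAPI MySend(SOCKET s, const char FAR *buf, int len, int flags)
{
    // Every read of `buf` must stay inside [0, len). The previous version read
    // buf[0..3] without checking `len` and dumped `len + 2 + 932` bytes, i.e.
    // memory past the caller's buffer: that is an out-of-bounds read that can
    // fault the host process or copy unrelated process memory into the log.
    // A single send() call is also not guaranteed to hold a whole request:
    // the application may pass headers and body in separate calls, in which
    // case the body arrives in a later call whose buffer does not start with
    // a method token. Bytes beyond `len` are never part of the message.
    const bool hasData = (buf != NULL) && (len > 0);

    const bool isPost = hasData && len >= 4 &&
                        buf[0] == 'P' && buf[1] == 'O' &&
                        buf[2] == 'S' && buf[3] == 'T';
    const bool isGet = hasData && len >= 3 &&
                       buf[0] == 'G' && buf[1] == 'E' && buf[2] == 'T';

    // NOTE(review): the logged bytes are raw request data and may contain
    // cookies, credentials or tokens; confirm where WX_DebugInfo writes and
    // who can read it.
    if (isPost)
    {
        // Byte-by-byte dump, limited to the bytes this call actually owns.
        for (int i = 0; i < len; i++)
        {
            WX_DebugInfo::Debug_Info((char)buf[i]);
        }
        WX_DebugInfo::Debug_Info("发送Post数据:");
        WX_DebugInfo::Debug_Info("数据包大小:", len);
        WX_DebugInfo::Debug_Info(buf, len, 'p');
    }
    else if (isGet)
    {
        WX_DebugInfo::Debug_Info("发送Get数据:");
        WX_DebugInfo::Debug_Info("数据包大小:", len);
        WX_DebugInfo::Debug_Info(buf, len, 'p');
    }

    // Switch the hook off so the call below reaches the real send() instead of
    // re-entering this function, then switch it back on.
    // NOTE(review): nothing here synchronises this window with other threads.
    // Presumably a concurrent send() is not intercepted while the hook is off,
    // and HookOff/HookOn may modify code another thread is executing --
    // confirm against their implementation.
    HookOff(&obj_HookAPI_Send);
    const int ret = send(s, buf, len, flags);
    // Read the Winsock error immediately: HookOn() and the logging call below
    // may overwrite the thread's last-error value.
    const int sendError = (ret == SOCKET_ERROR) ? WSAGetLastError() : 0;
    HookOn(&obj_HookAPI_Send);

    if (ret == SOCKET_ERROR)
    {
        WX_DebugInfo::Debug_Info(static_cast<DWORD>(sendError));
        // Put the error back so the hooked application sees the code that
        // send() actually produced.
        WSASetLastError(sendError);
    }

    return ret;
}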