I am hooking a few functions of my server (C++). I want to hook certain functions to be able to dump the packets some clients send (connect/disconnect packets). I already hooked the functions recv/recvfrom and WSARecv/WSARecvFrom. Only the WSARecvFrom function gets called (many) times, but only on server startup. Which functions do I have to hook to look up the connect/disconnect packets of remote machines? I noticed that the 4 receive functions never get called while playing on the server! Why?

Example:

#include <winsock2.h>
#include <windows.h>
#include <detours.h>

typedef int (WINAPI *def_recv)(SOCKET s, char* buf, int len, int flags);
def_recv Real_recv;   // trampoline to the original recv, filled in by DetourFunction

int WINAPI custom_recv(SOCKET s, char* buf, int len, int flags) {
    Log("recv ...");  // Log() is the server's own logging helper
    return Real_recv(s, buf, len, flags);
}

// Install the hook. Cast the GetProcAddress result straight to PBYTE: going through DWORD truncates 64-bit pointers.
Real_recv = (def_recv)DetourFunction((PBYTE)GetProcAddress(GetModuleHandleA("ws2_32.dll"), "recv"), (PBYTE)&custom_recv);
  • If it's your server and your code, why do you need to use Detours? You could presumably modify your server code to log/spew the data you receive after the real API call returns. – selbie Jul 16 '11 at 11:15
  • Possibly related: http://stackoverflow.com/questions/4589328/easyhook-recv-doesnt-hook-all-packets – Ben Voigt Jul 16 '11 at 14:11

2 Answers

My psychic powers tell me that your server code is using asynchronous or overlapped I/O.

Those calls to WSARecvFrom you observe on startup are the buffers getting "posted". When data actually arrives, the callback function specified as the last parameter to WSARecvFrom is invoked.

What you likely want to do is hook WSARecvFrom and replace the lpCompletionRoutine parameter with your own callback function. It's in your own callback function where you'll log/spew the data you are trying to observe (then call the real callback function the app is expecting). And the server code could be using different callback functions for different calls to WSARecvFrom - so tread carefully.

It's also entirely possible the server code isn't setting a callback function. Could be using IOCP or just polling the overlapped structure. YMMV.

  • Those callbacks will be called only once each.... the receive function has to be called again to continue receiving data, even in overlapped mode. – Ben Voigt Jul 16 '11 at 14:11
From an answer of mine:

There are a lot of different functions used with sockets. Maybe the plugin is not using the function named recv. Off the top of my head I can think of recvfrom, recvmsg, WSARecv, WSARecvFrom, WSARecvMsg, ReadFile, ReadFileEx.

Then, the plugin could be doing requests with overlapped I/O (possibly complicated by completion routines or completion ports), in which case the data isn't stored during the e.g. ReadFile function call but at some later time. Hooking those would be considerably more challenging.
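The approach the first answer describes (hook WSARecvFrom, swap in your own completion routine, chain to the server's), together with the second answer's point that with overlapped I/O the data is only there when the request completes later, as an added C++ example that is not code from the question, the answers or the server in question. It assumes Real_WSARecvFrom is the Detours trampoline installed elsewhere on Windows; off Windows, stand-in types and a fake Winsock (both assumptions, labelled in the code) let the same bookkeeping run against a constructed 4-byte datagram. Function names such as Hooked_WSARecvFrom, CompletionShim and SimulateOneDatagram are chosen here, not taken from the page.

```cpp
// Added example, not code from the original question or answers: hook WSARecvFrom, swap in our own
// completion routine, log the bytes when the posted receive completes, then chain to the routine the
// server passed. A per-OVERLAPPED map copes with servers that use different routines for different
// calls. Real_WSARecvFrom is assumed to be the Detours trampoline on Windows; off Windows the stand-in
// types below let the bookkeeping run against a fake Winsock.
#include <cstring>
#include <map>
#include <mutex>
#include <string>
#include <vector>
#ifdef _WIN32
#include <winsock2.h>
#include <windows.h>
#else  // minimal stand-ins (assumption: only the shapes this example touches)
typedef unsigned long DWORD; typedef DWORD* LPDWORD; typedef int INT; typedef INT* LPINT;
typedef unsigned long long SOCKET; struct sockaddr;
struct WSABUF { unsigned long len; char* buf; }; typedef WSABUF* LPWSABUF;
struct WSAOVERLAPPED { void* Internal; void* InternalHigh; void* Offset; void* OffsetHigh; void* hEvent; };
typedef WSAOVERLAPPED* LPWSAOVERLAPPED;
typedef void (*LPWSAOVERLAPPED_COMPLETION_ROUTINE)(DWORD, DWORD, LPWSAOVERLAPPED, DWORD);
#define WINAPI
#define CALLBACK
#define SOCKET_ERROR (-1)
#define WSA_IO_PENDING 997
static int WSAGetLastError() { return WSA_IO_PENDING; }
#endif
typedef int (WINAPI *def_WSARecvFrom)(SOCKET, LPWSABUF, DWORD, LPDWORD, LPDWORD, sockaddr*, LPINT,
                                      LPWSAOVERLAPPED, LPWSAOVERLAPPED_COMPLETION_ROUTINE);
static def_WSARecvFrom Real_WSARecvFrom = nullptr;  // DetourFunction() result on Windows

struct PostedRecv { LPWSAOVERLAPPED_COMPLETION_ROUTINE original; LPWSABUF buffers; DWORD bufferCount; };
static std::mutex g_lock;
static std::map<LPWSAOVERLAPPED, PostedRecv> g_posted;  // one entry per outstanding receive
static std::vector<std::string> g_log;                   // hex dumps; a real hook would write a file

// Hex-encode only the bytes the kernel filled, walking the scatter/gather list in order.
static std::string HexOfReceived(LPWSABUF bufs, DWORD count, DWORD transferred) {
    static const char* digits = "0123456789abcdef";
    std::string out;
    for (DWORD i = 0; i < count && transferred > 0; ++i) {
        DWORD take = bufs[i].len < transferred ? (DWORD)bufs[i].len : transferred;
        for (DWORD j = 0; j < take; ++j) {
            unsigned char c = (unsigned char)bufs[i].buf[j]; out += digits[c >> 4]; out += digits[c & 0xf];
        }
        transferred -= take;
    }
    return out;
}

// Runs in place of the server's completion routine: log, then chain to the original.
static void CALLBACK CompletionShim(DWORD err, DWORD transferred, LPWSAOVERLAPPED ov, DWORD flags) {
    PostedRecv p{};
    {
        std::lock_guard<std::mutex> g(g_lock);
        auto it = g_posted.find(ov);
        if (it == g_posted.end()) return;  // not a receive we posted; nothing to chain to
        p = it->second;
        g_posted.erase(it);  // a posted receive completes once; the server must call WSARecvFrom again
    }
    if (err == 0) g_log.push_back(HexOfReceived(p.buffers, p.bufferCount, transferred));
    if (p.original) p.original(err, transferred, ov, flags);
}

int WINAPI Hooked_WSARecvFrom(SOCKET s, LPWSABUF bufs, DWORD n, LPDWORD got, LPDWORD flags,
                              sockaddr* from, LPINT fromlen, LPWSAOVERLAPPED ov,
                              LPWSAOVERLAPPED_COMPLETION_ROUTINE cr) {
    if (ov == nullptr) {  // blocking call: the data is in bufs when the real function returns
        int rc = Real_WSARecvFrom(s, bufs, n, got, flags, from, fromlen, nullptr, nullptr);
        if (rc == 0 && got) g_log.push_back(HexOfReceived(bufs, n, *got));
        return rc;
    }
    if (cr == nullptr)  // overlapped without a routine (IOCP or polling): completion is not visible here
        return Real_WSARecvFrom(s, bufs, n, got, flags, from, fromlen, ov, nullptr);
    { std::lock_guard<std::mutex> g(g_lock); g_posted[ov] = PostedRecv{cr, bufs, n}; }
    int rc = Real_WSARecvFrom(s, bufs, n, got, flags, from, fromlen, ov, CompletionShim);
    if (rc == SOCKET_ERROR && WSAGetLastError() != WSA_IO_PENDING) {
        std::lock_guard<std::mutex> g(g_lock);  // failed outright: no completion will ever arrive
        g_posted.erase(ov);
    }
    return rc;
}

// ---- Constructed offline simulation: a fake ws2_32 plus one arriving datagram ----
static LPWSAOVERLAPPED_COMPLETION_ROUTINE g_routineGivenToWinsock = nullptr;
static int g_serverCallbackCalls = 0; static DWORD g_serverSawBytes = 0;
static int WINAPI FakeWSARecvFrom(SOCKET, LPWSABUF, DWORD, LPDWORD, LPDWORD, sockaddr*, LPINT,
                                  LPWSAOVERLAPPED, LPWSAOVERLAPPED_COMPLETION_ROUTINE cr) {
    g_routineGivenToWinsock = cr;  // real Winsock would invoke this when the datagram lands
    return SOCKET_ERROR;           // paired with WSA_IO_PENDING: posted, completes later
}
static void CALLBACK ServerCallback(DWORD, DWORD n, LPWSAOVERLAPPED, DWORD) { ++g_serverCallbackCalls; g_serverSawBytes = n; }
// Post one receive through the hook, then deliver a constructed 4-byte datagram. Returns the logged hex.
std::string SimulateOneDatagram() {
    Real_WSARecvFrom = FakeWSARecvFrom;
    g_log.clear(); g_serverCallbackCalls = 0;
    char storage[64] = {}; WSABUF buf{sizeof storage, storage}; WSAOVERLAPPED ov{}; DWORD got = 0, flags = 0;
    int rc = Hooked_WSARecvFrom(7, &buf, 1, &got, &flags, nullptr, nullptr, &ov, ServerCallback);
    if (rc != SOCKET_ERROR || g_routineGivenToWinsock != CompletionShim) return "";
    std::memcpy(storage, "\x01\x00\xab\xcd", 4);  // the kernel fills the posted buffer...
    g_routineGivenToWinsock(0, 4, &ov, 0);        // ...and the completion routine fires (an APC on Windows)
    return g_log.empty() ? "" : g_log.back();
}
```

On a real Windows build you would install it the same way as the recv hook in the question, with Real_WSARecvFrom = (def_WSARecvFrom)DetourFunction((PBYTE)GetProcAddress(GetModuleHandleA("ws2_32.dll"), "WSARecvFrom"), (PBYTE)&Hooked_WSARecvFrom); and write g_log to a file instead of a vector. Two things the simulation makes visible: the map entry is removed on completion, because a posted receive completes exactly once and the server has to call WSARecvFrom again (the point of the comment under the first answer), and a call that passes an OVERLAPPED but no completion routine is left untouched, since with IOCP or polling the completion never comes back through a routine you could replace. Keep in mind that on Windows completion routines only run when the posting thread enters an alertable wait (SleepEx, WSAWaitForMultipleEvents with fAlertable, etc.), so the shim fires on that thread, not on the thread that happens to have the data.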
