Introduction
Network snoop introduces the basics of building a network sniffer to pick up all information being sent using TCP socket via send
and recv
API, obviously, these will be the two APIs to hook to get information about data being sent/received. This code is more about introducing the readers to API hooking using Network snoop as an example. The reader can modify the code to hook APIs related to socket using UDP (which is why readers require knowledge of sockets, networking).
Background
Before we start, reader will require basic knowledge of socket programming, windows hooks and a tad bit of assembly level programming.
Using the Code
The attached code is built using VS2010 express edition. The code must be referred to while going through this article. Also 64-bit API hooking code has been attached, but not tested.
We will start with the introduction of sockets APIs used to send and receive information, these are send
and recv
. The attached code will try to hook/Hijack these APIs and attempt to log all information passed through them.
The following code is mentioned in the DLL module:
struct NetSnoop{
NetSnoop()
{
_beginthread(sendThread,0,0);
_beginthread(recvThread,0,0);
}
...
}
g_NetSnoop;
Notice the variable g_NetSnoop
declared globally, this object will be created (and its constructor will be called which will call sendThread
and recvThread
) every time the DLL is loaded into a new/different process. To get the DLL to load in a different process, we use Windows hook API (mentioned in the code: NetSnoop.cpp).
SetWindowsHookEx(WH_CBT,hookFunction,h,0);
Here the variable h
holds the module handle of the DLL mentioned earlier. Calling SetWindowsHookEx
will cause all threads that belong to the caller's desktop to load the DLL whose module is passed to it, in this case:
HMODULE h=LoadLibraryA("NetSnoopDll.dll");
Reader will have to be aware of Windows hook.
Another way is to call (without using hook) CreateRemoteThread
, you can call the above function sendThread
and recvThread
, please read up CreateRemoteThread
on MSDN. (This method is not used in code.)
Now comes the best part: API hooking (APIHook.cpp).
We will discuss API hooking for send
API, the rest are all the same, refer to the code at all times, this is important.
The function void sendThread(void*)
will perform API hack, notice that this function is called from constructor of struct NetSnoop
(via different thread) or via API CreateRemoteThread
.
Follow the code.
We first start by getting the address of the function and use VirtualProtect
.
Be sure to use VirtualProtect
to alter the protection of a committed page, else you will get an exception (386 memory segment protection!). Look up MSDN for VirtualProtect
.
VirtualProtect(send,sizeof(Trap_Send),PAGE_EXECUTE_READWRITE,&dPermission);
The code after that is self explanatory.
Do use disassembly of function call to better understand how it works, you will notice the following code added at the function address:
MOV EAX,function adress
JMP EAX
We are injecting the following code at the function call address using opcodes:
64 bit code is mentioned in attachment. Before we tamper with the instructions at the function address, we first store the original instructions so as to restore them when needed.
Remember: 32-bit DLL cannot be loaded/injected in 64-bit process space and vice-versa which is why you would require a separate 64-bit APP/DLL to snoop network traffic for 64-bit processes.
How It Works
When the hooked function (in this case send
) is called, the instruction pointer (EIP) is taken to the function address and will start executing from there (well...this how any function call works).
We have decisively placed a JMP
instruction at that very location. This will cause the EIP
to move to the function Mysend
, notice that this function has the very same signature, calling convection as the original function, this is to avoid any stack corruption.
Once the EIP
is routed to function Mysend
(as done in attached code):
- Log whatever is needed
- Restore the function's original instruction
- Call the original function to complete the functionality
In API hooking of send
function, please note that send
function is called twice by the application:
- Called by the application, through the
JMP
instruction, EIP
is routed to Mysend
- Inside
Mysend
, after restoring the original instructions (shown below)
Code snippet from APIHook.cpp, int WSAAPI Mysend(...)
...
DWORD dPermission=0;
VirtualProtect(send,sizeof(Trap_Send),PAGE_EXECUTE_READWRITE,&dPermission);
memcpy(send,StoreOriginal_Send,sizeof(StoreOriginal_Send)); int ret=send(s,buf,len,flags);
if(bExit==false) {
memcpy(send, Trap_Send, sizeof(Trap_Send)); }
Hence to maintain the stack, RET
instruction is also called twice:
- After it returns from the original
send
function called from inside Mysend
- After it returns from
Mysend
Restore (done in destructor)
Another important thing is to restore everything when the application exits.
This is important, when the application (NetworkSnoop
) exits, the Hook will be released by code (or by OS if hook is active when application is closed/terminated).
When applications are being unhooked, the injected DLL is removed, if code is not restored, the JMP
instruction will cause the EIP
to jump to an invalid memory location (since DLL is removed) causing a crash.
The application restores all in a destructor of a global object, the destructor is called during DLL unload, refer to the code.
~NetSnoop()
{
bExit=true; while(uiInUse!=0) Sleep(500);
DWORD dPermission=0;
VirtualProtect(send,sizeof(Trap_Send),PAGE_EXECUTE_READWRITE,&dPermission);
memcpy(send,StoreOriginal_Send,sizeof(StoreOriginal_Send)); VirtualProtect(recv,sizeof(Trap_recv),PAGE_EXECUTE_READWRITE,&dPermission);
memcpy(recv,StoreOriginal_recv,sizeof(StoreOriginal_recv)); }
Debug the Call
The reader will have to write a simple console based application mentioned below and debug the send call via disassembly to better understand the introduction of a JMP
instruction.
#include<windows.h>
#include<WinSock2.h>
int main()
{
MessageBoxA(0,"","",0); int z=send(0,0,0,0); return z;
}
Points of Interest
The best part is that NetworkSnoop
introduces API hooking using Windows Hook. This allows you to hook any function in any process provided your hook injects the DLL into it, for the hook to work, the targeted thread must have a message loop. I do hope you enjoy this short article on Network snoop. API hook technique is widely used, most famous is FRAPS (www.fraps.com), it uses the technique to hook DirectX calls to get information about game performance.
History
- 11th March, 2011: Initial post
- 2nd May, 2011: Correction in code to perform logging after recv API is called