Hooking of function isn't working

[Toshioo]

Hi,

I'm hooking the send() function (from ws2_32.dll) in a program but once I hook it and make the program use that function, the program crashes. For now I'm doing the DLL injection (DLL that contains the function I want to replace by send() ) into the program and the assembly code to hook the function using a program called Cheat Engine, so I know that's not the problem. This the function I'm replacing for send():

Code:

DLLIMPORT int hsend(SOCKET s, const char *buf, int len, int flags)
{
    WSABUF DataBuf;
    DWORD Bytes;

    DataBuf.len = len;
    DataBuf.buf = buf;
       
    WSASend(s, &DataBuf, 1, &Bytes, flags, NULL, NULL);

    return len;
}

For test reasons I'm just trying to send the packet without doing anything else. So I'm using WSASend, since send() will be hooked. Is there any problem with this function?

And one last thing... I made a program with sockets and when I tried this it worked, it sent the packet. But in any other program it crashes...

Thanks for your time

[VictorN]

I'm hooking the send() function (from ws2_32.dll) in a program but once I hook it and make the program use that function, the program crashes. ...

And one last thing... I made a program with sockets and when I tried this it worked, it sent the packet. But in any other program it crashes...

Please, define "crashes"

[Toshioo]

Please, define "crashes"

That message from Windows appears, saying "Program x has stopped working". Like this:

[VictorN]

And did Windows "check the solution to this problem" in your case?
And did you try to debug your code?
And did you try to find out the address where this problem occurred (for instance in Event Viewer)?

[Toshioo]

And did Windows "check the solution to this problem" in your case?
And did you try to debug your code?
And did you try to find out the address where this problem occurred (for instance in Event Viewer)?

Yes Windows looked for a solution. When it found nothing, I clicked 'Debug' and the debugger I have (Delphi 7's debugger) points to ntdll.DbgBreakPoint, which has the assembly code:

Code:

int 3
ret
nop
nop

It points specifically to ret.

In event viewer, the EventData shows this:


3085084194
1
APPCRASH
Não disponÃ*vel
0
cookie.exe
0.0.0.0
4ec37c80
cookie.exe
0.0.0.0
4ec37c80
c0000005
00455306

It was a 0xc0000005 exception

[Paul McKenzie]

Yes Windows looked for a solution. When it found nothing, I clicked 'Debug' and the debugger I have (Delphi 7's debugger)

Are you using Visual Studio? If so, why didn't the Visual Studio debugger get invoked? Delphi 7 isn't going to help.

Second, we have no idea of the value of the parameters you're calling hsend() with.

Code:

DLLIMPORT int hsend(SOCKET s, const char *buf, int len, int flags)
{
    WSABUF DataBuf;
    DWORD Bytes;

    DataBuf.len = len;
    DataBuf.buf = buf;
       
    WSASend(s, &DataBuf, 1, &Bytes, flags, NULL, NULL);

    return len;
}

So what does "buf" contain, and does it point to a valid address?

Regards,

Paul McKenzie

[Toshioo]

Are you using Visual Studio? If so, why didn't the Visual Studio debugger get invoked? Delphi 7 isn't going to help.

Second, we have no idea of the value of the parameters you're calling hsend() with.

Code:

DLLIMPORT int hsend(SOCKET s, const char *buf, int len, int flags)
{
    WSABUF DataBuf;
    DWORD Bytes;

    DataBuf.len = len;
    DataBuf.buf = buf;
       
    WSASend(s, &DataBuf, 1, &Bytes, flags, NULL, NULL);

    return len;
}

So what does "buf" contain, and does it point to a valid address?

Regards,

Paul McKenzie

I don't have Visual Studio installed.

Hmm I thought it was up to the application I'm hooking to pass the correct parameters. Since I'm hooking the send() function, and that code is only ran when there is a call to send(), those parameters will be in the stack?