Strange behavior hooking to send/recv

Feb 6, 2013 at 4:47 PM
Hello,

I've modified the filemon and filemoninject source to hook into the send/recv functions of ws2_32.dll.

When it executes these two functions, I've noticed that the originals also get executed prior to entering the hooked functions. What am I doing wrong? I'm trying to intercept the call before it enters the original function and have my own custom handler run.

Thanks
        /// <summary>
        /// Handler that stands in for Ws2_32!recv once the hook is installed. It does no
        /// inspection of its own and forwards every argument to the imported <c>recv</c>.
        /// </summary>
        /// <param name="s">Socket handle supplied by the caller.</param>
        /// <param name="buf">Unmanaged buffer that receives the data.</param>
        /// <param name="len">Capacity of <paramref name="buf"/> in bytes.</param>
        /// <param name="flags">Flags passed through unchanged.</param>
        /// <returns>Whatever the imported <c>recv</c> returns.</returns>
        /// <remarks>
        /// The original function runs because this handler calls it explicitly. Custom
        /// handling belongs around the forwarded call. The buffer holds received data only
        /// after the call returns, and only the returned byte count is valid (Winsock
        /// returns 0 on a graceful close and a negative value on error), so any code that
        /// reads <paramref name="buf"/> must be bounded by the result, never by
        /// <paramref name="len"/>.
        /// </remarks>
        static int Recv_Hooked(IntPtr s, IntPtr buf, int len, int flags)
        {
            // Pure pass-through: the result is handed back to the caller untouched.
            int received = recv(s, buf, len, flags);
            return received;
        }

        /// <summary>
        /// Handler that stands in for Ws2_32!send once the hook is installed. It does no
        /// inspection of its own and forwards every argument to the imported <c>send</c>.
        /// </summary>
        /// <param name="s">Socket handle supplied by the caller.</param>
        /// <param name="buf">Unmanaged buffer holding the outbound data.</param>
        /// <param name="len">Number of bytes the caller asked to send.</param>
        /// <param name="flags">Flags passed through unchanged.</param>
        /// <returns>Whatever the imported <c>send</c> returns.</returns>
        /// <remarks>
        /// The original function runs because this handler calls it explicitly. Custom
        /// handling belongs before the forwarded call. <paramref name="buf"/> is the
        /// application's own outbound data, so anything copied out of it for diagnostics
        /// should be treated as sensitive and bounded by <paramref name="len"/>.
        /// </remarks>
        static int Send_Hooked(IntPtr s, IntPtr buf, int len, int flags)
        {
            // Pure pass-through: the result is handed back to the caller untouched.
            int sent = send(s, buf, len, flags);
            return sent;
        }
The rest of the code
        /// <summary>
        /// Installs the send/recv hooks in the current process, tells the host that
        /// installation succeeded, then pings the host every 500 ms until a ping throws.
        /// </summary>
        /// <param name="InContext">Injection context; not read in this method.</param>
        /// <param name="InChannelName">Channel name; not read in this method.</param>
        /// <remarks>
        /// NOTE(review): presumably this is the entry point EasyHook invokes inside the
        /// target process after injection (the post says it is derived from the
        /// FileMonInject sample) - confirm against the host side.
        /// </remarks>
        public void Run(RemoteHooking.IContext InContext, string InChannelName)
        {
            //Start the hook
            try
            {
                // Route calls to the Ws2_32.dll export "send" to Send_Hooked; `this` is
                // passed as the callback object for the hook.
                CreateSendHook = LocalHook.Create(
                    LocalHook.GetProcAddress("Ws2_32.dll", "send"),
                    new Dsend(Send_Hooked),
                    this);


                // Same for the "recv" export, routed to Recv_Hooked.
                CreateRecvHook = LocalHook.Create(
                    LocalHook.GetProcAddress("Ws2_32.dll", "recv"),
                    new Drecv(Recv_Hooked),
                    this);

                // Exclusive ACL containing thread id 0. In EasyHook's ACL model, 0 stands for
                // the calling thread, so this thread is excluded and all other threads are
                // intercepted - TODO confirm against the EasyHook version in use.
                CreateSendHook.ThreadACL.SetExclusiveACL(new Int32[] { 0 });
                CreateRecvHook.ThreadACL.SetExclusiveACL(new Int32[] { 0 });
            }
            catch (Exception ExtInfo)
            {
                // Any failure while installing either hook is reported to the host...
                Interface.ReportException(ExtInfo);
                // ...and then the current process is killed. NOTE(review): this code runs in
                // the hooked process, so a failed install terminates the application being
                // monitored rather than just abandoning the hooks - confirm this is intended.
                System.Diagnostics.Process.GetCurrentProcess().Kill();
                return;
            }
            // Report this process id to the host as successfully hooked.
            Interface.IsInstalled(RemoteHooking.GetCurrentProcessId());
            // NOTE(review): presumably resumes a target that was created suspended; a
            // no-op otherwise - verify against the EasyHook docs.
            RemoteHooking.WakeUpProcess();

            try
            {
                // Keep-alive loop: this method only returns once Ping() (or Sleep) throws.
                while (true)
                {
                    Thread.Sleep(500);
                    Interface.Ping();
                }
            }
            catch
            {
                // Ping() will raise an exception if host is unreachable
                // The bare catch also swallows every other exception type, so any failure
                // here ends the loop silently. No explicit Dispose of CreateSendHook or
                // CreateRecvHook is visible on this exit path.
            }

        }

        //Need to Import the functions
        // P/Invoke declaration for the recv export of Ws2_32.dll; this is what
        // Recv_Hooked forwards to. The socket and the buffer are passed as raw
        // pointer-sized values, so no marshalling of the data itself takes place.
        // CharSet has no effect on this signature because it has no string parameters.
        // SetLastError = true asks the marshaller to capture the thread's last-error
        // value after the call so it can be read with Marshal.GetLastWin32Error().
        [DllImport("Ws2_32.dll",
            CharSet = CharSet.Unicode,
            SetLastError = true,
            CallingConvention = CallingConvention.StdCall)]
        static extern int recv(
                    IntPtr s,
                    IntPtr buf,
                    int len,
                    int flags
            );

        // P/Invoke declaration for the send export of Ws2_32.dll; this is what
        // Send_Hooked forwards to. The socket and the buffer are passed as raw
        // pointer-sized values, so no marshalling of the data itself takes place.
        // CharSet has no effect on this signature because it has no string parameters.
        // SetLastError = true asks the marshaller to capture the thread's last-error
        // value after the call so it can be read with Marshal.GetLastWin32Error().
        [DllImport("WS2_32.dll",
            CharSet = CharSet.Unicode,
            SetLastError = true,
            CallingConvention = CallingConvention.StdCall)]
        static extern int send(
                    IntPtr s,
                    IntPtr buf,
                    int len,
                    int flags
            );

        // Delegate type wrapped around Send_Hooked when the send hook is created.
        // Native callers reach the handler through this delegate, so its parameter
        // list, return type and StdCall calling convention have to match the hooked
        // export exactly; a mismatch would corrupt the caller's stack or arguments.
        [UnmanagedFunctionPointer(CallingConvention.StdCall,
            CharSet = CharSet.Unicode,
            SetLastError = true)]
        delegate int Dsend(
                    IntPtr s,
                    IntPtr buf,
                    int len,
                    int flags
            );

        // Delegate type wrapped around Recv_Hooked when the recv hook is created.
        // Native callers reach the handler through this delegate, so its parameter
        // list, return type and StdCall calling convention have to match the hooked
        // export exactly; a mismatch would corrupt the caller's stack or arguments.
        [UnmanagedFunctionPointer(CallingConvention.StdCall,
            CharSet = CharSet.Unicode,
            SetLastError = true)]
        delegate int Drecv(
                    IntPtr s,
                    IntPtr buf,
                    int len,
                    int flags);
Coordinator
Feb 7, 2013 at 10:09 PM
Can you please go into more detail as to how you determined that the original is being executed in full first?