IAT/EAT hooking "gethostbyname"

Developer (devze) https://www.devze.com 2023-01-24 09:10 Source: web
I wrote this code to hook API functions by changing the address in the IAT and EAT: http://pastebin.com/7d9N1J2c

This works just fine when I want to hook "recv" or "connect". However for some unknown reason when trying to hook "gethostbyname", my hook function is never called.

I tried to find "gethostbyname" in a debugger by taking the base address of the wsock32.dll module + 0x375e, which is what the ordinal 52 of my wsock32.dll is showing as offset. But that just makes me end up in some random asm code, not at the beginning of a function. The same method however works fine for trying to find the "recv" entry point.

Does anyone see what I might be doing wrong?
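One check worth doing before hooking an export table entry is to resolve the export the way the loader does and see what the entry actually points at. The parser below is an added example, not code from the question's pastebin: it walks IMAGE_EXPORT_DIRECTORY, maps a name to its unbiased index through AddressOfNameOrdinals (the biased ordinal is Base + index), and flags the documented PE edge case in which a function RVA lands inside the export directory itself, which means the entry is a forwarder string ("OTHERDLL.func") rather than code. The DLL image it runs on is constructed inline (a tiny PE32+ with an .edata section and three exports, one forwarded) so it runs offline; on a real file, `resolve_export(open(path, "rb").read(), name=...)` uses the section table to translate RVAs.

```python
import struct

# Index 0 of the optional header's DataDirectory is the export directory.
EXPORT_DIR_INDEX = 0


def _u16(buf, off):
    return struct.unpack_from("<H", buf, off)[0]


def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def _cstr(buf, off):
    return buf[off:buf.index(b"\0", off)].decode("ascii")


def parse_export_table(image):
    """Locate IMAGE_EXPORT_DIRECTORY in a PE file image and return its fields
    plus an RVA-to-file-offset translator built from the section table."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    nt = _u32(image, 0x3C)                      # e_lfanew
    if image[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = _u16(image, nt + 6)
    opt_size = _u16(image, nt + 20)
    opt = nt + 24                               # IMAGE_OPTIONAL_HEADER
    magic = _u16(image, opt)
    # DataDirectory starts at +96 for PE32 (0x10B) and +112 for PE32+ (0x20B).
    datadir = opt + (112 if magic == 0x20B else 96) + 8 * EXPORT_DIR_INDEX
    exp_rva, exp_size = _u32(image, datadir), _u32(image, datadir + 4)
    sections = []
    for i in range(num_sections):               # IMAGE_SECTION_HEADER entries
        sec = opt + opt_size + 40 * i
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", image, sec + 8)
        sections.append((vaddr, max(vsize, rawsize), rawptr))

    def rva_to_off(rva):
        for vaddr, size, rawptr in sections:
            if vaddr <= rva < vaddr + size:
                return rawptr + (rva - vaddr)
        return rva                              # header area maps 1:1

    d = rva_to_off(exp_rva)
    return {"rva": exp_rva, "size": exp_size, "rva_to_off": rva_to_off,
            "base": _u32(image, d + 16),        # first (biased) ordinal
            "num_funcs": _u32(image, d + 20), "num_names": _u32(image, d + 24),
            "functions": _u32(image, d + 28), "names": _u32(image, d + 32),
            "name_ordinals": _u32(image, d + 36)}


def resolve_export(image, name=None, ordinal=None):
    """Resolve an export by name or by biased ordinal. A function RVA that lies
    inside the export directory is a forwarder string ("DLL.func"), not code,
    so there is no entry point in this module to patch or break on."""
    exp = parse_export_table(image)
    off = exp["rva_to_off"]
    if name is not None:
        for i in range(exp["num_names"]):
            if _cstr(image, off(_u32(image, off(exp["names"]) + 4 * i))) == name:
                index = _u16(image, off(exp["name_ordinals"]) + 2 * i)  # unbiased
                break
        else:
            raise KeyError(f"no export named {name!r}")
    else:
        index = ordinal - exp["base"]
    if not 0 <= index < exp["num_funcs"]:
        raise IndexError("ordinal outside export table")
    rva = _u32(image, off(exp["functions"]) + 4 * index)
    forwarder = None
    if exp["rva"] <= rva < exp["rva"] + exp["size"]:
        forwarder = _cstr(image, off(rva))
    return {"ordinal": exp["base"] + index, "rva": rva, "forwarder": forwarder}


def build_sample_dll():
    """Constructed minimal PE32+ image (not a real wsock32.dll): exports
    connect and recv as code and forwards gethostbyname to another DLL."""
    img = bytearray(0x300)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                   # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    # IMAGE_FILE_HEADER: x64, 1 section, SizeOfOptionalHeader=240, DLL flags
    struct.pack_into("<HHIIIHH", img, 0x44, 0x8664, 1, 0, 0, 0, 240, 0x2022)
    struct.pack_into("<H", img, 0x58, 0x20B)                  # PE32+ magic
    struct.pack_into("<II", img, 0x58 + 112, 0x200, 0xA0)     # export dir RVA, size
    img[0x148:0x150] = b".edata\0\0"                          # one section, RVA 0x200
    struct.pack_into("<IIII", img, 0x150, 0x100, 0x200, 0x100, 0x200)
    # IMAGE_EXPORT_DIRECTORY: Name, Base=1, 3 functions, 3 names, table RVAs
    struct.pack_into("<IIHHIIIIIII", img, 0x200, 0, 0, 0, 0, 0x288, 1, 3, 3,
                     0x228, 0x234, 0x240)
    struct.pack_into("<III", img, 0x228, 0x1010, 0x250, 0x1000)  # connect, fwd, recv
    struct.pack_into("<III", img, 0x234, 0x268, 0x270, 0x280)    # name string RVAs
    struct.pack_into("<HHH", img, 0x240, 0, 1, 2)                # name -> index
    img[0x250:0x265] = b"WS2_32.gethostbyname\0"              # forwarder string
    img[0x268:0x270] = b"connect\0"
    img[0x270:0x27E] = b"gethostbyname\0"
    img[0x280:0x285] = b"recv\0"
    img[0x288:0x293] = b"sample.dll\0"
    return bytes(img)


if __name__ == "__main__":
    dll = build_sample_dll()
    for n in ("recv", "gethostbyname"):
        print(n, resolve_export(dll, name=n))
```

In the constructed image, "recv" resolves to a code RVA while "gethostbyname" (ordinal 2) resolves to the forwarder "WS2_32.gethostbyname": that is exactly the situation in which base + offset lands on bytes that are not a function prologue, and the same lookup has to be repeated in the named DLL. Whether the real wsock32.dll entry in the question is a forwarder is something to verify with this check against the actual file rather than assume.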


I recommend this tool: http://www.moduleanalyzer.com/

It does exactly the same thing and shows the URL that was connected to with that API. The problem is that there is more than one API to translate a URL to an address. The application you are hooking may be using another version of the API that you're not intercepting.


Run a disassembler like IDA and attach to your process after you hook these functions; IDA applies the changes on attaching. Then run the process and check what is wrong.

Alternatively, there are many libraries for doing hooks with trampolines, like Microsoft Detours, NCodeHook, etc.
