The Power of MHS: Generic Packet Sniffer/Editor


Postby L. Spiro » Sun Nov 09, 2008 4:57 pm

Lodrik wrote: How did you find 'EBP+0x00; EBP+0x04; EBP+0x08; EBP+0x0c; EBP+0x10; EBP+0x14'?


This is how you get the parameters to any function.
They are in the same order as they are passed to the function, so all you need is to know the parameters, which are listed on the MSDN.


Lodrik wrote: Is it the same in sendto, recvto and WSASend functions?


The same on any function.


Lodrik wrote: How did you find out where the breakpoint has to be set?
Did you look for a specific piece of code or is it just random?


The breakpoint has to be set at the start of the function as soon as the stack has been realigned.


Lodrik wrote: How do we know when the stack gets realigned?


When you see a line containing SUB ESP or ENTER.


L. Spiro
Our songs remind you of songs you’ve never heard.
L. Spiro
 
Posts: 3129
Joined: Mon Jul 17, 2006 10:14 pm
Location: Tokyo, Japan

Postby Lodrik » Sun Nov 09, 2008 7:34 pm

Thanks for your answers, I just have some more questions left. :)

L. Spiro wrote: The breakpoint has to be set at the start of the function as soon as the stack has been realigned.


Does it need to be exactly on SUB ESP or ENTER or may it be at any line after these commands?
Also what can we do if there are not any SUB ESP or ENTER in the function?

Also what does the stack tab display in MHS's disassembler and how to activate it?
Last edited by Lodrik on Sun Nov 09, 2008 10:36 pm, edited 1 time in total.
Lodrik
I Have A Few Questions
 
Posts: 2
Joined: Sun Nov 09, 2008 8:52 am

Postby L. Spiro » Sun Nov 09, 2008 10:35 pm

#1: It can be anywhere as long as EBP has been set. The obvious reason people set it to the line after EBP is set is because anywhere else there is a chance the code will not go there (JMP around it) or the parameters have been modified.

#2: It shows you the stack. Single-step through some code to see it.


L. Spiro
Our songs remind you of songs you’ve never heard.
L. Spiro
 
Posts: 3129
Joined: Mon Jul 17, 2006 10:14 pm
Location: Tokyo, Japan
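As an added illustration (not code from this thread or from MHS), the following C program decodes the frame layout that the two replies above describe: a constructed 32-bit stack snapshot taken at EBP right after the prologue has run, from which the arguments of recv are read at EBP+0x08, +0x0C, +0x10 and +0x14 in declaration order. The names decode_recv_frame, arg_offset and sample_frame are hypothetical, and every value in the snapshot is made up for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical illustration, not MHS code.
 * 32-bit x86 frame once PUSH EBP / MOV EBP,ESP (or ENTER) has executed:
 *   EBP+0x00  saved caller EBP
 *   EBP+0x04  return address
 *   EBP+0x08  first argument
 *   EBP+0x0C  second argument ... further arguments every 4 bytes, in declaration order.
 * For recv(SOCKET s, char *buf, int len, int flags):
 *   s at +0x08, buf at +0x0C, len at +0x10, flags at +0x14.
 */
typedef struct {
    uint32_t saved_ebp;
    uint32_t return_addr;
    uint32_t s;        /* SOCKET handle */
    uint32_t buf;      /* address of the caller's receive buffer */
    int32_t  len;
    int32_t  flags;
} recv_frame_t;

/* Read a little-endian 32-bit value at byte offset off of the snapshot
 * (assembled from bytes so the result does not depend on host endianness). */
static uint32_t read_dword(const uint8_t *frame, size_t off)
{
    return (uint32_t)frame[off]
         | (uint32_t)frame[off + 1] << 8
         | (uint32_t)frame[off + 2] << 16
         | (uint32_t)frame[off + 3] << 24;
}

/* General rule: 0-based argument n of a stdcall/cdecl function is at EBP + 8 + 4*n. */
size_t arg_offset(unsigned n)
{
    return 8 + 4 * (size_t)n;
}

/* Decode recv's arguments from 24 bytes starting at EBP. */
recv_frame_t decode_recv_frame(const uint8_t *frame)
{
    recv_frame_t f;
    f.saved_ebp   = read_dword(frame, 0x00);
    f.return_addr = read_dword(frame, 0x04);
    f.s           = read_dword(frame, arg_offset(0));
    f.buf         = read_dword(frame, arg_offset(1));
    f.len         = (int32_t)read_dword(frame, arg_offset(2));
    f.flags       = (int32_t)read_dword(frame, arg_offset(3));
    return f;
}

/* Constructed sample: what a debugger's stack view might show at EBP right
 * after recv's prologue. All values are made up for this illustration. */
const uint8_t sample_frame[24] = {
    0x78, 0xFE, 0x12, 0x00,   /* saved EBP      = 0x0012FE78 */
    0x4A, 0x10, 0x40, 0x00,   /* return address = 0x0040104A */
    0xC4, 0x01, 0x00, 0x00,   /* s              = 0x000001C4 */
    0x00, 0x50, 0x2A, 0x00,   /* buf            = 0x002A5000 */
    0x00, 0x10, 0x00, 0x00,   /* len            = 4096       */
    0x00, 0x00, 0x00, 0x00,   /* flags          = 0          */
};

int main(void)
{
    recv_frame_t f = decode_recv_frame(sample_frame);
    printf("recv(s=0x%08X, buf=0x%08X, len=%d, flags=%d) called from 0x%08X\n",
           f.s, f.buf, f.len, f.flags, f.return_addr);
    return 0;
}
```

The rule generalises beyond recv: argument n of any stdcall or cdecl function sits at EBP+8+4n once the frame pointer is set up. At the function's very first instruction, before PUSH EBP has run, the same arguments sit at ESP+4+4n, which is what you have to read when a function has no SUB ESP or ENTER because the compiler omitted the frame pointer.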

Postby LIVEAID » Thu Feb 05, 2009 5:12 am

Hey all, I went the "automation" method and tried to add the script, but I got this error:


Code:
ERROR: Line: 4 Undeclared identifier (wsock32_recv).  File: C:\Documents and Settings\MyPC\Desktop\SNIFFER.lss
ERROR: Line: 41 Unable to compile function.  File: C:\Documents and Settings\MyPC\Desktop\SNIFFER.lss



someone help please?


Live
Nothing can stop the man with the right mental attitude from achieving his goal; nothing on earth can help the man with the wrong mental attitude.
- Thomas Jefferson
LIVEAID
Been Around More
 
Posts: 314
Joined: Tue Jan 29, 2008 11:36 am
Location: Google Inc.

Postby L. Spiro » Thu Feb 05, 2009 7:47 am

wsock32_recv is not a script function.
If you want its address, do as the tutorial suggests:
Code:
ws2_32_recv = GetRemoteFuncAddress("WS2_32.dll", "recv");



L. Spiro
Our songs remind you of songs you’ve never heard.
L. Spiro
 
Posts: 3129
Joined: Mon Jul 17, 2006 10:14 pm
Location: Tokyo, Japan

Re: The Power of MHS: Generic Packet Sniffer/Editor

Postby DrGamut » Tue Mar 02, 2010 2:40 am

The buffer is not populated with the bytes of the packet of information until right before the function returns, so we can't just breakpoint at the start of the function.


Hi, I'm trying to write a winsock packet editor in C++. I have a DLL that injects into a running process and hooks ws2_32.dll's send() and recv() using Microsoft Detours 2.1.

It works, but I cannot modify the buffer used by recv(). Rather, the buffer parameter passed to recv() is populated with bytes, but modifying them at this stage is entirely inconsequential and the process seems to get the original data.

Is there any advice for me on how I would go about modifying the buffer used by recv() in my DLL, since I'm not using the debugger/breakpoint method as described in this thread? I can't seem to find information on this, and the only winsock packet editors I know of are not open source.
DrGamut
I Have A Few Questions
 
Posts: 2
Joined: Tue Mar 02, 2010 2:36 am

Re: The Power of MHS: Generic Packet Sniffer/Editor

Postby DrGamut » Tue Mar 02, 2010 5:22 am

Never mind, I figured it out. You simply have to set the buffer AFTER calling the original recv() from your hook function.
DrGamut
I Have A Few Questions
 
Posts: 2
Joined: Tue Mar 02, 2010 2:36 am
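To make DrGamut's conclusion concrete, here is an added example in C that is not his DLL and does not use Detours: the trampoline Detours would hand back is replaced by a stand-in, fake_original_recv, that fills the buffer with a constructed message. The names hooked_recv, capture_after, run_demo and the globals are hypothetical. It shows the ordering problem from his first post: whatever a hook writes into buf before forwarding to the original recv is overwritten by recv itself, while the buffer is readable, and can be rewritten, once the original has returned and the byte count is known.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical illustration; not DrGamut's code, and no real API is hooked here. */

typedef int (*recv_fn)(int s, char *buf, int len, int flags);

/* Stand-in for the Detours trampoline to the real recv (constructed:
 * always delivers the same message instead of reading a socket). */
static int fake_original_recv(int s, char *buf, int len, int flags)
{
    static const char payload[] = "HELLO FROM PEER";
    int n = (int)(sizeof payload - 1);
    (void)s;
    (void)flags;
    if (n > len)
        n = len;
    memcpy(buf, payload, (size_t)n);
    return n;
}

/* In a real detour this pointer would be the trampoline Detours returns. */
static recv_fn original_recv = fake_original_recv;

static char last_received[64];   /* copy of the bytes seen after the forward call */
static char demo_buf[32];        /* the "caller's" receive buffer for run_demo */

/* Keep a NUL-terminated copy of what recv actually delivered. */
static void capture_after(const char *buf, int n)
{
    if (n >= (int)sizeof last_received)
        n = (int)sizeof last_received - 1;
    memcpy(last_received, buf, (size_t)n);
    last_received[n] = '\0';
}

/* The detour installed in place of recv. */
int hooked_recv(int s, char *buf, int len, int flags)
{
    /* Wrong place to touch buf: recv has not written anything yet, and this
     * marker is overwritten as soon as the original runs. */
    if (len >= 4)
        memcpy(buf, "XXXX", 4);

    int n = original_recv(s, buf, len, flags);

    /* Right place: buf now holds the received bytes and n says how many.
     * Inspect here (as done), or rewrite buf here; the caller sees whatever
     * buf holds when this function returns. */
    if (n > 0)
        capture_after(buf, n);
    return n;
}

/* Drive one hooked call on a zeroed buffer; returns recv's byte count. */
int run_demo(void)
{
    memset(demo_buf, 0, sizeof demo_buf);
    return hooked_recv(7, demo_buf, (int)sizeof demo_buf, 0);
}

const char *demo_buffer(void)        { return demo_buf; }
const char *last_received_text(void) { return last_received; }

int main(void)
{
    int n = run_demo();
    printf("recv returned %d bytes: \"%s\"\n", n, demo_buffer());
    printf("hook captured after forwarding: \"%s\"\n", last_received_text());
    return 0;
}
```

The same ordering applies to any post-call inspection hook: for recv and WSARecv the data and its length only exist after the original returns, whereas for send the buffer is already complete on entry, which is why a breakpoint at the function start works for one and not the other.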
