int WSAAPI
send (
IN SOCKET s,
IN const char FAR * buf,
IN int len,
IN int flags
);
s: A descriptor identifying a connected socket.
buf: A buffer containing the data to be transmitted.
len: The length of the data in buf.
flags: Specifies the way in which the call is made.
mezzo wrote: If I breakpoint the wsock32.send function, does this mean that the 2nd value down on the stack is the memory location (pointer) to the packet that is about to be sent? Or how am I to see this?
ENTER
PUSH EBP
MOV EBP, ESP
SUB ESP X
void On_BP_27(LPVOID lpvAddress, LPPROC_INFO_MHS lpProcInfo)
{
//2nd parameter of send() == EBP+0x0C == pointer to the packet buffer
extern DWORD packetptr = {"", lpProcInfo->pcContext->Ebp + 0x0C};
//As L. Spiro pointed out, EBP+0x10 == 3rd parameter, or length
extern DWORD len = {"", lpProcInfo->pcContext->Ebp + 0x10};
//buffer to hold the bytes of the packet
BYTE packet[256] = {0};
//buffer to hold the packet string we print out (3 characters per byte)
char packetstr[1024] = {0};
//Clamp the read so a packet longer than 256 bytes cannot overrun 'packet'
DWORD readlen = len;
if (readlen > 256) readlen = 256;
//Read the 2nd parameter--packetptr == EBP+0x0C--from memory into buffer 'packet'
ReadProcessMemory(GetCurProcessHandle(), (void *)packetptr, &packet, readlen, NULL);
//populate the packet string so we can output it to console
for (int i = 0; i < readlen; i++)
SPrintF(&packetstr[(i * 3)], "%02X ", packet[i]);
//output the string to console (the real length, even if the dump was clamped)
PrintF("SEND | % 3i | %s", len, packetstr);
}
PUSH EBP
MOV EBP, ESP
SUB ESP X
71AB428A | 8BFF | MOV EDI, EDI |
71AB428C | 55 | PUSH EBP |
71AB428D | 8BEC | MOV EBP, ESP |
71AB428F | 83EC 10 | SUB ESP, 10 |
xxxx: don't know what this is; is this the esi of the instruction after the call?? (this is ebp+0x04)
But it breaks for every packet sent...
L. Spiro wrote:In regards to 5, when the break is hit you will already be inside the API function you breakpointed.
You use the list to set a breakpoint on an API function. It is faster to use the list to go to the API function and just set the breakpoint a few instructions down (rather than setting one at the start and waiting for it to break and setting another).
L. Spiro wrote:This will all be automatable in MHS 4.0.0.7 (scripts to get the API function address and set breakpoints and start the debugger), coming probably tomorrow.
Code:
PUSH EBP
MOV EBP, ESP
SUB ESP X
The first line pushes the original value of EBP onto the stack.
The second line moves the value of the stack pointer into EBP.
Not a clue what line 3 does.
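The breakpoint script earlier in the thread and the prologue discussion above both rest on the same fact: once PUSH EBP / MOV EBP, ESP has run, [EBP+0] holds the saved EBP, [EBP+4] the return address, and the send() arguments follow at EBP+0x08 (s), EBP+0x0C (buf), EBP+0x10 (len) and EBP+0x14 (flags). The C program below is an added example, not code from the thread or from MHS; it models such a frame as an array of pointer-sized slots (constructed sample values, not a real process), looks the arguments up by slot, and formats the packet the same "SEND | len | XX XX ..." way the script does, but with the read clamped to the dump buffer so an oversized len cannot overrun it. Function names, the frame array and the sample packet bytes are all assumptions made for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Slot indices in a stdcall frame right after PUSH EBP / MOV EBP, ESP:
   [EBP+0] saved EBP, [EBP+4] return address, then the arguments in the
   order the caller pushed them. On 32-bit Windows each slot is 4 bytes,
   so for send(): s = EBP+0x08, buf = EBP+0x0C, len = EBP+0x10,
   flags = EBP+0x14. */
enum { SLOT_SAVED_EBP = 0, SLOT_RETADDR = 1, SLOT_FIRST_ARG = 2 };

/* Byte offset from EBP of argument n (0-based) on a 32-bit stdcall frame. */
static unsigned ebp_offset_of_arg(int n)
{
    return 8u + 4u * (unsigned)n;
}

/* Return argument n from a frame. The frame is modelled as an array of
   pointer-sized words so the example runs on any host; on the real
   32-bit target each word is a DWORD. */
static uintptr_t frame_arg(const uintptr_t *frame, int n)
{
    return frame[SLOT_FIRST_ARG + n];
}

#define MAX_DUMP 256

/* Format the send() call described by the frame as "SEND | len | XX XX ..."
   into out. The hex dump is clamped to MAX_DUMP bytes and to outsz, so a
   long packet cannot overrun either buffer. Returns the number of bytes
   actually dumped. */
static int format_send_line(const uintptr_t *frame, char *out, size_t outsz)
{
    const unsigned char *buf = (const unsigned char *)frame_arg(frame, 1);
    int len = (int)frame_arg(frame, 2);
    int n = len < 0 ? 0 : (len > MAX_DUMP ? MAX_DUMP : len);
    size_t used = (size_t)snprintf(out, outsz, "SEND | %3i | ", len);
    if (used >= outsz)
        return 0;                      /* prefix alone did not fit */
    for (int i = 0; i < n; i++) {
        if (used + 3 >= outsz)         /* keep room for "XX " and the NUL */
            return i;
        snprintf(out + used, outsz - used, "%02X ", buf[i]);
        used += 3;
    }
    return n;
}

/* Constructed sample: a 6-byte packet and the frame as it would look at the
   breakpoint inside send(). All values are made up for the demo. */
static int demo_small(char *out, size_t outsz)
{
    static const unsigned char packet[] = { 0x2E, 0x00, 0x01, 0x02, 0x41, 0x42 };
    uintptr_t frame[6] = {
        0xDEADBEEF,          /* saved EBP (placeholder) */
        0x00401234,          /* return address into the caller (placeholder) */
        0x0000012C,          /* s: socket descriptor (placeholder) */
        (uintptr_t)packet,   /* buf */
        sizeof packet,       /* len */
        0                    /* flags */
    };
    return format_send_line(frame, out, outsz);
}

/* Constructed oversize case: len larger than the dump buffer. */
static int demo_oversize(char *out, size_t outsz)
{
    static unsigned char big[300];
    memset(big, 0xAA, sizeof big);
    uintptr_t frame[6] = { 0, 0, 0x12C, (uintptr_t)big, sizeof big, 0 };
    return format_send_line(frame, out, outsz);
}

int main(void)
{
    char line[1024];
    demo_small(line, sizeof line);
    printf("%s\n", line);
    demo_oversize(line, sizeof line);
    printf("%s\n", line);
    for (int i = 0; i < 4; i++)
        printf("arg %d lives at EBP+0x%02X\n", i, ebp_offset_of_arg(i));
    return 0;
}
```

The offsets only hold at the instruction right after MOV EBP, ESP; a breakpoint on the first byte of send() (MOV EDI, EDI) sees the return address at [ESP] and buf at ESP+8, and the SUB ESP, 10 that follows does not move the arguments relative to EBP.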