While hooking the Winsock function "gethostbyname", how could the site address be redirected to another one?
The argument list of the function is obtained as follows.
Code Credit :OCY
The argument list of the function is obtained as follows.
;-------------------------After getting arguments list,Call the original API here......................
; Fragment of a 32-bit gethostbyname detour (MASM syntax). The entry code that
; executed PUSHAD, established ebp and stored Org_GHBN is not part of this
; excerpt. Stack layout assumed below: [esp] = PUSHA_STRUCT (saved registers),
; then two dwords (presumably the return address into the detour's caller plus
; one more saved value -- confirm against the prologue), then the API's
; argument list exactly as the original caller pushed it.
; What the fragment does: re-pushes the API's argument, pushes API_return_1 as
; a fake return address and jumps into the real gethostbyname, so the real
; function "returns" into the detour instead of into its caller.
mov eax,[ebp + Org_GHBN] ;Original Address of gethostbyname (ebp-relative: ebp appears to hold a load delta -- confirm)
mov [esp].PUSHA_STRUCT._EAX,eax ;save our original Entry pnt in pusha'ed stack (the eax slot that POPAD would restore)
lea edi,[ esp + sizeof PUSHA_STRUCT + 4 + 4 ] ;edi -> argument list of API (skip saved regs + the two dwords above)
;push the arguments required by the API (C calling convention: right to left).
; push [ edi + 8 ] ;3rd argument (unused here: gethostbyname takes one argument)
; push [ edi + 4 ] ;2nd argument (unused here: gethostbyname takes one argument)
push [ edi ] ;1st argument - gethostbyname ONLY have 1 arg (const char *name)
lea ecx,[ ebp + API_return_1 ] ;ecx = address of our return label (same ebp-relative scheme as Org_GHBN)
push ecx ;fake return address: the API's retn 4 lands on API_return_1
jmp eax ;force the API to return to our code at the API_return label
API_return_1: ;our call to original API will return here; eax = hostent* (or NULL); the API's retn 4 has removed the argument we pushed
........Code for Patch the OEP with a jmp instruction
........ Goes here....
............ ..............
; (the elided part presumably re-applies the detour and restores the PUSHAD frame before the ret below -- not shown)
ret 4 ;return to the calling process (ret 4 b'cos 1 argument)
Code Credit :OCY
I get quadratic eyes when looking at your code, here is what I have:
gethostbyname db 5 dup (?) ; 5 reserved bytes. NOTE(review): the rest of this listing reads [gethostbyname] as a dword (the API address) and copies 5 bytes to/from OFFSET gethostbynameold, which is not defined here -- the two names look swapped in the post; verify before relying on either.
init:
; Installs the detour: saves the first 5 bytes of the real gethostbyname into
; gethostbynameold, then overwrites them with a 5-byte relative jmp to
; ws32gethostbyname. Clobbers whatever memcpy/hook clobber (esi, edi, ecx,
; eax, edx). No caller of init is shown in this listing.
stdcall memcpy,OFFSET gethostbynameold,[gethostbyname],5 ; memcpy(dst=gethostbynameold, src=real function, n=5)
stdcall hook,[gethostbyname],(OFFSET ws32gethostbyname-5) ; hook(at=real function, target-5); the -5 compensates for hook's rel32 arithmetic (see hook)
retn
memcpy:
; void memcpy(void *dst, const void *src, size_t n) -- stdcall.
; Stack args: [esp+4] = dst, [esp+8] = src, [esp+0Ch] = n.
; Clobbers esi, edi, ecx and does not save them; callers that need them
; must push/pop around the call (see ws32gethostbyname). Forward copy, so
; it relies on DF being clear.
mov esi,[esp+08h] ; esi = src
mov edi,[esp+04h] ; edi = dst
mov ecx,[esp+0Ch] ; ecx = byte count
rep movsb         ; copy ecx bytes, esi/edi advance (DF assumed 0)
retn 0Ch          ; pop the three dword arguments
hook:
; void hook(void *at, void *target_minus_5) -- stdcall.
; Writes a 5-byte relative jmp (E9 rel32) at `at`. The displacement stored is
; simply arg2 - at; because a rel32 is measured from the end of the 5-byte
; instruction, callers pass target-5 (see init and ws32gethostbynameret).
; Clobbers eax, edx, flags. Writes straight into the code page; nothing here
; checks or changes its protection.
mov edx,[esp+04h]   ; edx = address to patch
mov eax,[esp+08h]   ; eax = target - 5
sub eax,edx         ; eax = (target - 5) - at = rel32
mov byte [edx],0E9h ; opcode: jmp rel32
mov [edx+01h],eax   ; 32-bit displacement (operand size taken from eax)
retn 08h            ; pop the two dword arguments
...
ws32gethostbyname:
; Detour entry, reached through the jmp that init planted at gethostbyname.
; On entry the stack is exactly as the original caller left it:
; [esp] = caller's return address, [esp+4] = the name argument.
; Steps: (1) put the original 5 bytes back so the real function can run,
; (2) stash the caller's return address in a TLS slot (dwTLSreturn),
; (3) replace that return address so the real function returns into the
; handler below, then tail-jump into the restored function.
push esi edi ; memcpy clobbers esi/edi; preserve them for the original caller
stdcall memcpy,[gethostbyname],OFFSET gethostbynameold,5 ; un-patch: original bytes back into the real function
pop edi esi
stdcall [TlsSetValue],[dwTLSreturn],[esp] ; [esp] is pushed first, so it still addresses the caller's return address
mov dword [esp],OFFSET ws32connectret ; overwrite the return address. NOTE(review): ws32connectret is not defined in this listing; the handler below is labelled ws32gethostbynameret -- the name suggests it was carried over from another hook; verify.
jmp [gethostbyname] ; into the restored original; its retn 4 returns to the address written above
ws32gethostbynameret:
; Return handler: the real gethostbyname has already executed its retn 4, so
; here eax = its return value (hostent*, or NULL on failure) and the name
; argument is already gone from the stack. This code rewrites the result,
; re-arms the detour, and returns to the original caller with eax and the
; thread's last-error value preserved.
push eax          ; keep the hostent* for the caller
mov eax,[eax]     ; NOTE(review): no NULL check -- on a failed lookup this dereference faults
mov eax,[eax]     ; eax = dword at *(dword at hostent+0); both loads use offset 0, i.e. they follow h_name, not h_addr_list
mov [eax+hostent.h_list],7F000001h ; hostent.h_list = 0Ch, 7F000001h = 127.0.0.1 as a host-order dword. NOTE(review): the offset is applied after the two dereferences above rather than to the hostent itself -- confirm where this store actually lands.
call [GetLastError] ; capture the API's last-error before the calls below can disturb it
push eax          ; [esp] = saved last-error, [esp+4] = hostent*
stdcall hook,[gethostbyname],(OFFSET ws32gethostbyname-5) ; re-plant the jmp so the next call is intercepted again
stdcall [TlsGetValue],[dwTLSreturn] ; eax = caller's original return address (stored by ws32gethostbyname)
pop ecx           ; ecx = saved last-error; stack: [esp] = hostent*
push eax          ; park the return address: [esp] = return address, [esp+4] = hostent*
stdcall [SetLastError],ecx ; restore last-error; eax is treated as clobbered by this call
pop eax           ; eax = return address
xchg eax,[esp]    ; eax = hostent*, [esp] = return address
retn              ; back to the original caller; no argument to pop, the real API's retn 4 already did