While hooking the Winsock function "gethostbyname", how can the site address be redirected to another one?
Getting the argument list of the function goes as follows.

;-------------------------After getting arguments list,Call the original API here......................
; Fragment of a hook stub for gethostbyname (stdcall, one dword argument).
; Assumed entry state (the prologue is not part of this post -- confirm against it):
;   ebp = base register for the stub's own data; Org_GHBN and API_return_1 are
;         ebp-relative, i.e. the stub is written as position-independent code
;   esp -> a PUSHA_STRUCT (pushad frame) followed by two more dwords, then the
;         caller's argument list
mov eax,[ebp + Org_GHBN] ;Original Address of gethostbyname.
mov [esp].PUSHA_STRUCT._EAX,eax ;save our original Entry pnt in pusha'ed stack (a later popad would restore eax = original entry)

lea edi,[ esp + sizeof PUSHA_STRUCT + 4 + 4 ] ;edi -> argument list of API; the "+4 +4" skip two dwords above the pushad frame (return address and presumably one more saved dword -- verify against the prologue)

;push the arguments required by the API (C calling convention).
; NOTE: gethostbyname is declared WSAAPI (stdcall): the callee pops its own
; argument with "ret 4", which balances the single push below; the "ret 4" at
; the end of this stub then pops the caller's copy of the argument.
; push [ edi + 8 ] ;3rd argument
; push [ edi + 4 ] ;2nd argument

push [ edi ] ;1st argument - gethostbyname ONLY have 1 arg (copied from the caller's frame)

lea ecx,[ ebp + API_return_1 ]
push ecx ;fake return address: the original API's "ret" lands on API_return_1 below
jmp eax ;force the API to return to our code at the API_return label

API_return_1: ;our call to original API will return here; eax = hostent* (or NULL) as returned by the real API

........Code for Patch the OEP with a jmp instruction
........ Goes here....
............ ..............
; Detection note: once the entry point is re-patched with a jmp, the first bytes
; of the export differ from the on-disk image -- integrity checkers that compare
; the in-memory export with the mapped file spot hooks of this kind.
ret 4 ;return to the calling process (ret 4 b'cos 1 argument); assumes the pushad frame was already popped in the omitted code -- confirm

Code Credit :OCY
Posted on 2003-11-10 04:33:44 by zakham
I get quadratic eyes when looking at your code, here is what I have:
; Storage for the resolved address of ws2_32!gethostbyname; it is used below as a
; dword pointer ([gethostbyname]). "5 dup (?)" looks like the size of the
; saved-bytes buffer, so a line such as the gethostbynameold buffer may have been
; lost in the paste -- verify.
gethostbyname db 5 dup (?)

; Hook installation (runs once, after the export address has been resolved):
;   1. save the first 5 bytes of the real entry point into gethostbynameold
;   2. overwrite them with a 5-byte "jmp rel32" (E9 xx xx xx xx) to ws32gethostbyname
; The "-5" compensates for hook computing the displacement as target - patch
; address without subtracting the instruction length (see hook below).
; Detection note: this leaves an E9 at the export entry that does not match the
; on-disk image, which is what inline-hook scanners compare against.
stdcall memcpy,OFFSET gethostbynameold,[gethostbyname],5
stdcall hook,[gethostbyname],(OFFSET ws32gethostbyname-5)
; memcpy(dst, src, len) -- stdcall, three dword arguments; the label was
; presumably dropped by the paste.
; In:  [esp+04h] = dst, [esp+08h] = src, [esp+0Ch] = len
; Clobbers: esi, edi, ecx (esi/edi are callee-saved in the Win32 ABI, so
;           callers that still need them must save them -- see the push esi edi
;           around the call in the hook stub)
; Note: no page-protection change is shown anywhere in this post; writing to a
; code page this way only works if it is already writable.
mov esi,[esp+08h]
mov edi,[esp+04h]
mov ecx,[esp+0Ch]
rep movsb
retn 0Ch ; pop the three arguments (stdcall)
; hook(patch_addr, target) -- stdcall, two dword arguments; writes a 5-byte
; "jmp rel32" at patch_addr. Label presumably dropped by the paste.
; In:  [esp+04h] = address to patch, [esp+08h] = jump target
; The displacement is computed as target - patch_addr, i.e. relative to the
; start of the jmp rather than to its end, so callers pass (target - 5).
; Clobbers: eax, edx
mov edx,[esp+04h]
mov eax,[esp+08h]
sub eax,edx
mov byte [edx],0E9h ; opcode of jmp rel32
mov [edx+01h],eax ; rel32 displacement
retn 08h


; Hook stub reached from the patched export entry (label ws32gethostbyname was
; presumably dropped by the paste). On entry the stack is exactly as the caller
; left it for gethostbyname: [esp] = return address, [esp+4] = the name argument.
push esi edi ; memcpy clobbers esi/edi, which the caller may rely on being preserved
stdcall memcpy,[gethostbyname],OFFSET gethostbynameold,5 ; temporarily restore the original entry bytes
pop edi esi
; From here until the re-patch in ws32connectret the export is unhooked; calls
; made by other threads in that window are not intercepted.
stdcall [TlsSetValue],[dwTLSreturn],[esp] ; stash the caller's return address in a TLS slot (per thread, so concurrent callers do not overwrite each other)
mov dword [esp],OFFSET ws32connectret ; make the real API return to the post-call handler instead
jmp [gethostbyname] ; run the real (now unpatched) gethostbyname; eax/ecx/edx are caller-saved, so nothing else needs preserving here

; Post-call handler (label ws32connectret was presumably dropped by the paste).
; The real gethostbyname "returns" here with eax = hostent* (NULL on failure --
; no NULL check precedes the dereferences below) and with the name argument
; already popped by the callee's ret 4.
push eax ; keep the hostent* for the caller
mov eax,[eax] ; two dereferences from the hostent* -- presumably walking to the
mov eax,[eax] ; first address entry; confirm against the hostent layout
mov [eax+hostent.h_list],7F000001h ; hostent.h_list = 0Ch (h_addr_list in the Winsock headers), 7F000001h = 127.0.0.1 numerically; this is the rewrite of the resolved address
call [GetLastError] ; preserve the API's last-error value across the re-hook
push eax
stdcall hook,[gethostbyname],(OFFSET ws32gethostbyname-5) ; re-install the 5-byte jmp at the export entry
stdcall [TlsGetValue],[dwTLSreturn] ; eax = the caller's original return address saved in the stub
pop ecx ; ecx = saved last-error
push eax
stdcall [SetLastError],ecx
pop eax ; eax = original return address
xchg eax,[esp] ; [esp] = return address, eax = hostent*; the final "ret" is not part of this post -- confirm
Posted on 2003-11-10 16:03:07 by comrade