I am working on a DLL which hooks winsock2 functions, using C++ and Detours. My goal is to modify TCP traffic that goes from and to the original executable. At some point, I need to stop certain packet delivery (so that the original executable has no idea about that packet at all, but still keeps the connection).
With the WSASend hook, it's clear (you just don't call the original WSASend and return 0). But I have no idea how to do it in the WSARecv hook using the WSAOVERLAPPED structure.
I hope the code below demonstrates what I want:
    #include <winsock2.h>

    // Pointer to the original WSARecv, filled in by Detours when the hook is attached
    static int (WINAPI *WSARecv_real)(SOCKET, LPWSABUF, DWORD, LPDWORD, LPDWORD, LPWSAOVERLAPPED, LPWSAOVERLAPPED_COMPLETION_ROUTINE) = WSARecv;

    // Packet analyzer (implemented elsewhere in the DLL)
    bool packet_should_be_blocked(const char* buf, ULONG len);

    __declspec(dllexport) int WINAPI WSARecv_hook(SOCKET s, LPWSABUF lpBuffers, DWORD dwBufferCount, LPDWORD lpNumberOfBytesRecvd, LPDWORD lpFlags, LPWSAOVERLAPPED lpOverlapped, LPWSAOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine)
    {
        // Receive real data
        int ret = WSARecv_real(s, lpBuffers, dwBufferCount, lpNumberOfBytesRecvd, lpFlags, lpOverlapped, lpCompletionRoutine);
        // Note: if ret == SOCKET_ERROR and WSAGetLastError() == WSA_IO_PENDING, the buffers are not filled yet
        // Loop over lpBuffers and analyze it
        for (DWORD i = 0; i < dwBufferCount; i++)
        {
            // analyze it
            if (packet_should_be_blocked(lpBuffers[i].buf, lpBuffers[i].len))
            {
                // Do or return what?
            } else {
                // Otherwise, just process as usual
            }
        }
        return ret;
    }
How do I pretend that nothing happened and no packet was received (like a fake WSA_IO_PENDING)? Any ideas/thoughts?
P.S. From what I know, the executable is not using a completion routine (lpCompletionRoutine is always NULL), only the overlapped structure.
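The following is an added, portable C++ simulation, not code from the question or from Detours/Winsock, that illustrates the timing problem behind the question: with an overlapped receive the call returns before any bytes exist in the caller's buffer, so a filter that inspects lpBuffers right after the call sees nothing. The simulation models the receive as two steps (post, then completion) and places the inspection at the completion step, where a message that fails the filter is discarded and the receive is re-armed so the application only ever observes "still pending". All types and names here (FakeSocket, Overlapped, FilteringSocket, IO_PENDING) are constructed stand-ins for the Winsock objects and are assumptions of this example; the wire messages are constructed sample data.

```cpp
#include <cassert>
#include <cstddef>
#include <deque>
#include <functional>
#include <string>
#include <utility>
#include <vector>

// Constructed stand-in for an overlapped receive: the caller hands over a
// buffer and an "overlapped" record, the call returns immediately with
// IO_PENDING, and the buffer is filled only when the I/O later completes.
constexpr int IO_OK = 0;
constexpr int IO_PENDING = 997;   // numeric value of WSA_IO_PENDING, used here only as a label

struct Overlapped {
    std::string* buf = nullptr;   // caller's buffer, untouched until completion
    bool completed = false;
    std::size_t bytes = 0;
};

class FakeSocket {
public:
    std::deque<std::string> inbound;   // messages "on the wire" (constructed by the caller)
    Overlapped* pending = nullptr;

    // Like WSARecv with lpOverlapped: returns IO_PENDING, nothing copied yet.
    int recv_async(std::string* buf, Overlapped* ov) {
        ov->buf = buf;
        ov->completed = false;
        ov->bytes = 0;
        pending = ov;
        return IO_PENDING;
    }

    // Models the I/O system completing the outstanding receive when data arrives.
    // Returns false if there is no pending receive or nothing left on the wire.
    bool deliver_one() {
        if (!pending || inbound.empty()) return false;
        *pending->buf = inbound.front();
        pending->bytes = pending->buf->size();
        pending->completed = true;
        inbound.pop_front();
        pending = nullptr;
        return true;
    }
};

using Filter = std::function<bool(const std::string&)>;

// Filtering layer between the application and the socket. The decision is
// taken at completion time, the first moment the bytes exist in the buffer.
// A blocked message is discarded and the receive re-posted, so the
// application keeps seeing a pending operation and never sees the message.
class FilteringSocket {
public:
    FilteringSocket(FakeSocket& s, Filter block) : sock_(s), block_(std::move(block)) {}

    int recv_async(std::string* buf, Overlapped* ov) { return sock_.recv_async(buf, ov); }

    // Like GetOverlappedResult: true if the operation is done and its data
    // may be shown to the application; false means keep waiting.
    bool get_result(Overlapped* ov, std::size_t* bytes) {
        if (!ov->completed) return false;
        if (block_(*ov->buf)) {
            dropped_.push_back(*ov->buf);
            ov->buf->clear();
            sock_.recv_async(ov->buf, ov);   // re-arm: the application never observes this message
            return false;
        }
        *bytes = ov->bytes;
        return true;
    }

    const std::vector<std::string>& dropped() const { return dropped_; }

private:
    FakeSocket& sock_;
    Filter block_;
    std::vector<std::string> dropped_;
};

// Drives the simulation: the application posts one receive, the wire delivers
// messages one at a time, and only messages the filter lets through reach the
// application. Returns exactly what the application received.
std::vector<std::string> run_filtered_receive(std::deque<std::string> wire, Filter block) {
    FakeSocket sock;
    sock.inbound = std::move(wire);
    FilteringSocket fs(sock, std::move(block));

    std::vector<std::string> seen;
    std::string buf;
    Overlapped ov;
    fs.recv_async(&buf, &ov);
    while (sock.deliver_one()) {
        std::size_t n = 0;
        if (fs.get_result(&ov, &n)) {
            seen.push_back(buf.substr(0, n));
            fs.recv_async(&buf, &ov);   // application posts its next receive
        }
    }
    return seen;
}

// Shows why inspecting the buffer right after the asynchronous call is wrong:
// with a pending overlapped receive the buffer is still empty at that point.
std::size_t bytes_visible_right_after_call() {
    FakeSocket sock;
    sock.inbound = {"hello"};
    std::string buf;
    Overlapped ov;
    int ret = sock.recv_async(&buf, &ov);
    assert(ret == IO_PENDING);
    return buf.size();   // 0: nothing to analyze yet
}
```

The point of the simulation is where the filter runs: not in the call that posts the receive, but in the step the application uses to learn that the receive finished. In the question's setup (no completion routine, only an overlapped structure) that completion step is the place the application collects its result, and that is also the last moment at which a message can be withheld without the application noticing a gap in the connection.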