0

If I load in my C# application a Flash application A that opens a socket with a server B, is it possible to set up a local hook so that I can read the packets exchanged between A and the server B?

  • I may obtain the flash application sources if needed, but I'm not the one who wrote them
  • I'm new to C# (to be honest, I'm still wondering what's the best language to write this kind of application for Windows) and to hooking, so any example would be really appreciated :)
  • I'm working client side
VahidN
kaharas
  • What are you trying to achieve? If you want to see the packets for analysis during development, then @yodaj007 is the way to go! If you need to do something during runtime, then maybe you should consider the pcap library before going into API hooking. – TCS Dec 23 '10 at 16:22
  • Wireshark was my first option, BUT not every wireless card may be set to promiscuous mode (mine is an example), and I need the program to run on every Windows PC. I'd like to use other solutions, but none comes to my mind: feel free to suggest alternatives :) – kaharas Dec 23 '10 at 17:05
  • I need to write a program that logs actions taken while playing a Flash game, and the corresponding server responses. I only need to log them, so hooking may be excessive, but I can't see any other solution. Well, to be honest I thought of something else, that is, editing the hosts file to redirect Flash socket traffic to localhost, and writing a C# proxy that listens to it. But it doesn't seem much easier or smarter... – kaharas Dec 23 '10 at 17:06
  • Ok, so this isn't for debugging on a development box? Why are we logging this traffic? Sorry, but this is starting to smell unethical somehow. –  Dec 23 '10 at 18:01
  • And you're asking the same question twice. http://stackoverflow.com/questions/4517832/tracking-flash-application-packets –  Dec 23 '10 at 18:02
  • And a similar question here: http://stackoverflow.com/questions/4382600/intercept-flash-socket-with-java –  Dec 23 '10 at 18:03
  • It's everything except unethical. I repeat, I just want to log the game actions, nothing more: I can't think how this may harm someone or something. It would have been A LOT different if I'd asked how to edit packets. By the way, the questions may look similar, but there's a key difference: the programming language. As I've already said, I'm not sure this can be done in every programming language, and since asking "what is the best programming language to do this" is against the rules, I asked one question for every programming language I may be willing to use. – kaharas Dec 23 '10 at 18:42
  • I hope having asked the question for different programming languages is not a problem. If it is, and if I broke some rule, please forgive me. But if this is not the case, please let's get back on topic: I can give you all the information you want about the project, but I'm no longer willing to try to convince you of my good intentions – kaharas Dec 23 '10 at 18:46

1 Answer

1

Yes, you can. You should use the EasyHook library to hook native socket API calls from C#. By placing hooks on the connect, send and recv functions you can hook any traffic in a Windows-based application.

Here's an example:

using System;
using EasyHook;

// Illustrative wrapper class so the snippet compiles; the class and method names are not from EasyHook.
public class SocketHooks
{
    private IntPtr _socketsLib;
    private LocalHook _createConnectHook;
    private LocalHook _createRecvHook;
    private LocalHook _createSendHook;

    public void Install()
    {
        // Make sure Winsock is loaded before resolving its exports.
        _socketsLib = NativeAPI.LoadLibrary("Ws2_32.dll");

        // LocalHook patches functions in the current process only, so this code
        // must run inside the process whose socket calls are to be observed.
        _createConnectHook = LocalHook.Create(LocalHook.GetProcAddress("Ws2_32.dll", "connect"),
                                              new NativeSocketMethod.DConnect(connect_Hooked), this);
        _createRecvHook = LocalHook.Create(LocalHook.GetProcAddress("Ws2_32.dll", "recv"),
                                           new NativeSocketMethod.Drecv(recv_Hooked), this);
        _createSendHook = LocalHook.Create(LocalHook.GetProcAddress("Ws2_32.dll", "send"),
                                           new NativeSocketMethod.Dsend(send_Hooked), this);

        // A new hook intercepts no threads until its ACL is set. An exclusive ACL
        // containing thread ID 0 (the calling thread) intercepts every other thread.
        _createConnectHook.ThreadACL.SetExclusiveACL(new int[1]);
        _createRecvHook.ThreadACL.SetExclusiveACL(new int[1]);
        _createSendHook.ThreadACL.SetExclusiveACL(new int[1]);
    }

    private static int connect_Hooked(IntPtr socketHandle, ref NativeSocketMethod.sockaddr name, int namelen)
    {
        // TODO: do something with data here
        return NativeSocketMethod.connect(socketHandle, ref name, namelen);
    }

    private static int recv_Hooked(IntPtr socketHandle, IntPtr buf, int count, int socketFlags)
    {
        // TODO: do something with data here
        return NativeSocketMethod.recv(socketHandle, buf, count, socketFlags);
    }

    private static int send_Hooked(IntPtr socketHandle, IntPtr buf, int count, int socketFlags)
    {
        // TODO: do something with data here
        return NativeSocketMethod.send(socketHandle, buf, count, socketFlags);
    }
}

And NativeSocketMethod.cs

using System;
using System.Runtime.InteropServices;

public static class NativeSocketMethod
{
    // Winsock's connect takes the address length by value (int namelen), not by reference.
    [DllImport("Ws2_32.dll")]
    public static extern int connect(IntPtr socketHandle, ref sockaddr Address, int Addresslen);
    // getpeername takes a pointer to the length, so ref is correct here.
    [DllImport("Ws2_32.dll")]
    public static extern int getpeername(IntPtr s, ref sockaddr Address, ref int namelen);
    [DllImport("ws2_32.dll")]
    public static extern IntPtr inet_ntoa(in_addr a);
    [DllImport("ws2_32.dll")]
    public static extern ushort ntohs(ushort netshort);
    [DllImport("Ws2_32.dll")]
    public static extern int recv(IntPtr socketHandle, IntPtr buf, int Buffercount, int socketFlags);
    [DllImport("Ws2_32.dll")]
    public static extern int send(IntPtr socketHandle, IntPtr buf, int count, int socketFlags);

    // Winsock AF_* constants.
    public enum AddressFamily
    {
        AppleTalk = 0x10,      // AF_APPLETALK is 16; 0x11 belongs to AF_NETBIOS
        BlueTooth = 0x20,
        InterNetworkv4 = 2,
        InterNetworkv6 = 0x17,
        Ipx = 6,               // AF_IPX is 6
        Irda = 0x1a,
        NetBios = 0x11,
        Unknown = 0
    }

    // Delegate types matching the native signatures of the hooked exports.
    [UnmanagedFunctionPointer(CallingConvention.StdCall, CharSet=CharSet.Unicode, SetLastError=true)]
    public delegate int DConnect(IntPtr socketHandle, ref NativeSocketMethod.sockaddr Address, int Addresslen);

    [UnmanagedFunctionPointer(CallingConvention.StdCall, CharSet=CharSet.Unicode, SetLastError=true)]
    public delegate int Drecv(IntPtr socketHandle, IntPtr buf, int Buffercount, int socketFlags);

    [UnmanagedFunctionPointer(CallingConvention.StdCall, CharSet=CharSet.Unicode, SetLastError=true)]
    public delegate int Dsend(IntPtr socketHandle, IntPtr buf, int count, int socketFlags);

    [StructLayout(LayoutKind.Sequential)]
    public struct in_addr
    {
        [MarshalAs(UnmanagedType.ByValArray, SizeConst=4)]
        public byte[] sin_addr;
    }

    public enum ProtocolType
    {
        BlueTooth = 3,
        ReliableMulticast = 0x71,
        Tcp = 6,
        Udp = 0x11
    }

    // Layout of an IPv4 sockaddr_in; the port is in network byte order (convert with ntohs).
    [StructLayout(LayoutKind.Sequential)]
    public struct sockaddr
    {
        public short sin_family;
        public ushort sin_port;
        public NativeSocketMethod.in_addr sin_addr;
        [MarshalAs(UnmanagedType.ByValArray, SizeConst=8)]
        public byte[] sin_zero;
    }

    public enum SocketType
    {
        Unknown,
        Stream,
        DGram,
        Raw,
        Rdm,
        SeqPacket
    }
}
Nazar Grynko
  • Please note this answer is more for “is it possible to setup a local hook so that i can read the packets exchanged between A and the server B” question. – Nazar Grynko Sep 05 '12 at 12:45
  • Nice example. I wrapped all the _variable declarations into a "void hook()" function on a Program class (ConsoleApplication); the recv, connect and send functions are never reached. I know that I start programs which make use of ws2_32.dll ... http://paste.kde.org/727724/ – dza Apr 18 '13 at 19:44
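One way to fill in the TODO comments in recv_Hooked and send_Hooked, as an added example that is not part of the original answer: the hook bodies would return `HookedTrafficLog.RecvAndLog(...)` and `HookedTrafficLog.SendAndLog(...)` with the arguments they received. HookedTrafficLog, RecvAndLog, SendAndLog and MaxLoggedBytes are hypothetical names, and the 4096-byte cap is an assumption.

```csharp
using System;
using System.Runtime.InteropServices;

// Added example: helpers a recv/send hook body could call in place of the TODO comments.
public static class HookedTrafficLog
{
    private const int MSG_PEEK = 0x2;        // Winsock flag: data stays queued after recv
    private const int MaxLoggedBytes = 4096; // assumption: cap on bytes copied per call

    [DllImport("Ws2_32.dll")]
    private static extern int recv(IntPtr s, IntPtr buf, int len, int flags);

    [DllImport("Ws2_32.dll")]
    private static extern int send(IntPtr s, IntPtr buf, int len, int flags);

    public static int RecvAndLog(IntPtr s, IntPtr buf, int len, int flags)
    {
        // Call the real recv first: the buffer holds nothing meaningful until it returns.
        int received = recv(s, buf, len, flags);
        // received <= 0 is SOCKET_ERROR (-1) or an orderly close (0): nothing to copy.
        // Skip MSG_PEEK reads, otherwise the same bytes are logged again on the real read.
        if (received > 0 && (flags & MSG_PEEK) == 0)
            Log("recv", s, Copy(buf, received));
        return received;
    }

    public static int SendAndLog(IntPtr s, IntPtr buf, int len, int flags)
    {
        int sent = send(s, buf, len, flags);
        // send may accept fewer bytes than requested; log only what was actually queued.
        if (sent > 0)
            Log("send", s, Copy(buf, sent));
        return sent;
    }

    // Copy at most MaxLoggedBytes out of the caller's unmanaged buffer.
    private static byte[] Copy(IntPtr buf, int count)
    {
        var data = new byte[Math.Min(count, MaxLoggedBytes)];
        Marshal.Copy(buf, data, 0, data.Length);
        return data;
    }

    private static void Log(string direction, IntPtr s, byte[] data)
    {
        Console.WriteLine("{0} socket=0x{1:X} bytes={2} {3}",
                          direction, s.ToInt64(), data.Length, BitConverter.ToString(data));
    }
}
```

TCP is a byte stream, so one logged recv or send is not necessarily one application-level message; reassembly has to happen per socket handle on the logged data.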