
I'm trying to disconnect a socket in my AcceptExHookProc routine. I hooked AcceptEx in a .dll and injected it into the .exe app, where I want to disconnect the socket if the IP connected to the socket is the same as the one in my `if`.

The program uses AcceptEx, not WSAAccept (I know about the callback using CF_REJECT), but that isn't the case for this program, since it uses AcceptEx from the Winsock library (not winsock2).

```pascal
const WSAID_DISCONNECTEX: TGuid = '{7fda2e11-8630-436f-a031-f536a6eec157}';

type
  LPFN_DISCONNECTEX = function(const hSocket : TSocket; AOverlapped:
  POverlapped; const dwFlags : DWORD; const dwReserved : DWORD) : BOOL; stdcall; 

function GetAddress(ASocket: TSocket; const AName: String; const AGuid: TGUID): Pointer; inline; overload;
var
  BytesSend: DWORD;
begin
  if WSAIoctl(ASocket, SIO_GET_EXTENSION_FUNCTION_POINTER, @AGuid, DWORD(SizeOf(TGuid)),
    @Result, DWORD(SizeOf(FARPROC)), BytesSend, nil, nil) <> 0 then
    Result := nil;
end;

function AcceptExHookProc(sListenSocket, sAcceptSocket: TSocket;
  lpOutputBuffer: Pointer; dwReceiveDataLength, dwLocalAddressLength,
  dwRemoteAddressLength: DWORD; var lpdwBytesReceived: DWORD;
  lpOverlapped: POverlapped): BOOL; stdcall;
var
  IP            : String;
  LRet, RRet    : Winsock.PSockAddr;
  lsize, rsize  : Integer;

  DisconnectEx    : LPFN_DISCONNECTEX;
  BytesOut        : DWORD;

  Res : Integer;
begin
  Result := TrampolineAcceptEx(sListenSocket, sAcceptSocket, lpOutputBuffer, dwReceiveDataLength, dwLocalAddressLength, dwRemoteAddressLength, lpdwBytesReceived, lpOverlapped); 

  lsize   := 32;
  rsize   := 32;
  Winsock.GetAcceptExSockaddrs(lpOutputBuffer, dwReceiveDataLength, dwLocalAddressLength, dwRemoteAddressLength, LRet, lsize, RRet, rsize);

  IP := Winsock.inet_ntoa(RRet.sin_addr);   

  if (IP = '177.222.164.65') then
  begin
    Res := setsockopt(sAcceptSocket, SOL_SOCKET, SO_UPDATE_ACCEPT_CONTEXT, @sListenSocket, SizeOf(sListenSocket));
      
    WriteLn(Format('Result %d / %d', [Res, GetLastError]));
    // Show result - 1 and sock error 10057
      
    DisconnectEx := GetAddress(sAcceptSocket, 'DisconnectEx', WSAID_DISCONNECTEX);

    if @DisconnectEx <> nil then
      if DisconnectEx(sAcceptSocket, nil, TF_REUSE_SOCKET, 0) then 
        WriteLn('Disconnect ok')
      else
        WriteLn('Disconnect falhou + ' + IntToStr(GetLastError));
        // Show sock error 10057
      
    WriteLn(Format(' [%s] Connection from IP (%s) DISCONNECT', [TimeToStr(Now), IP]));
  end
  else
  begin
    WriteLn(Format('[%s] Connection from IP (%s)', [TimeToStr(Now), IP]));
  end;
end;
```

It works but returns false, and GetLastError shows socket error 10057 (Socket is not connected.), but the connection is still established (I checked in Process Hacker).

  • You are not checking the return value of `TrampolineAcceptEx()` for success before retrieving the IP or disconnecting the socket. – Remy Lebeau May 06 '22 at 07:46
  • Related/dupe: [TCP shutdown with sockets connected through AcceptEx()](https://stackoverflow.com/questions/9169086/). Try updating the `SO_UPDATE_ACCEPT_CONTEXT` state on the accepted socket before disconnecting it. The socket is not fully connected until you update its state. – Remy Lebeau May 06 '22 at 09:45
  • One thing I didn't say is that I'm testing connections with a flood tool; that's why I'm trying to do this: disconnect sockets if they are flooding. And with this flood the result was false.... I see established connections in Process Hacker and I need to close these sockets. – Luiz Felipe May 07 '22 at 15:06
  • `setsockopt(sAcceptSocket, SOL_SOCKET, SO_UPDATE_ACCEPT_CONTEXT, @sListenSocket, SizeOf(sListenSocket))` returns -1, and GetLastError shows error 10057 too. – Luiz Felipe May 07 '22 at 16:17
  • Please [edit] your question to show where and how you are invoking `SO_UPDATE_ACCEPT_CONTEXT`. I find it very unlikely that it would fail the way you claim if `AcceptEx()` succeeded. That being said, flood avoidance is best handled by placing a firewall/loadbalancer in front of the server, not by the server itself. – Remy Lebeau May 07 '22 at 16:49
  • Topic updated with new code. I know, but use of a firewall isn't the case here. I need to disconnect the specific IP at AcceptEx. As said previously, I'm using a flood program and the result of AcceptEx was false when flooding. – Luiz Felipe May 07 '22 at 20:01
  • @RemyLebeau topic updated as you said, please help – Luiz Felipe May 09 '22 at 01:35
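
Added example (not part of the original thread, and not the asker's or the commenter's code) showing the two checks raised in the comments above: test the return value of `TrampolineAcceptEx()` before touching the output buffer, and set `SO_UPDATE_ACCEPT_CONTEXT` before disconnecting. `BLOCKED_IP`, `IsBlockedPeer` and `SD_BOTH_HOW` are hypothetical names, the address is a constructed placeholder, and `shutdown()` is used here in place of the question's `DisconnectEx`.

```pascal
// Added example. TrampolineAcceptEx is the original AcceptEx saved by the
// question's hook; BLOCKED_IP, IsBlockedPeer, SD_BOTH_HOW are hypothetical.
const
  BLOCKED_IP  = '192.0.2.10'; // constructed placeholder address
  SD_BOTH_HOW = 2;            // numeric value of SD_BOTH for shutdown()

function IsBlockedPeer(Buf: Pointer; RecvLen, LocalLen, RemoteLen: DWORD): Boolean;
var
  LAddr, RAddr: Winsock.PSockAddr;
  LSize, RSize: Integer;
begin
  LAddr := nil; RAddr := nil; LSize := 0; RSize := 0;
  Winsock.GetAcceptExSockaddrs(Buf, RecvLen, LocalLen, RemoteLen,
    LAddr, LSize, RAddr, RSize);
  Result := (RAddr <> nil) and
    (String(Winsock.inet_ntoa(RAddr.sin_addr)) = BLOCKED_IP);
end;

function AcceptExHookProc(sListenSocket, sAcceptSocket: TSocket;
  lpOutputBuffer: Pointer; dwReceiveDataLength, dwLocalAddressLength,
  dwRemoteAddressLength: DWORD; var lpdwBytesReceived: DWORD;
  lpOverlapped: POverlapped): BOOL; stdcall;
var
  Err: Integer;
begin
  Result := TrampolineAcceptEx(sListenSocket, sAcceptSocket, lpOutputBuffer,
    dwReceiveDataLength, dwLocalAddressLength, dwRemoteAddressLength,
    lpdwBytesReceived, lpOverlapped);
  Err := WSAGetLastError; // save it: the calls below overwrite the last error
  if Result then
  begin
    // Accept completed synchronously, so the output buffer holds the
    // addresses. Update the accept context first, then filter.
    if (setsockopt(sAcceptSocket, SOL_SOCKET, SO_UPDATE_ACCEPT_CONTEXT,
          PAnsiChar(@sListenSocket), SizeOf(sListenSocket)) = 0) and
       IsBlockedPeer(lpOutputBuffer, dwReceiveDataLength,
          dwLocalAddressLength, dwRemoteAddressLength) then
      shutdown(sAcceptSocket, SD_BOTH_HOW);
  end;
  // FALSE with ERROR_IO_PENDING means the accept is only queued: no peer is
  // connected yet and the buffer is not filled in, so there is nothing to
  // inspect or disconnect here. Any other error means the accept failed.
  WSASetLastError(Err); // the host application must see AcceptEx's own error
end;
```

When the overlapped accept is still pending, the peer address only becomes available once the operation completes, so the same check has to run where the host application handles that completion.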

0 Answers