MSDN:
int WSARecv(
_In_ SOCKET s,
_Inout_ LPWSABUF lpBuffers,
_In_ DWORD dwBufferCount,
_Out_ LPDWORD lpNumberOfBytesRecvd,
_Inout_ LPDWORD lpFlags,
_In_ LPWSAOVERLAPPED lpOverlapped,
_In_ LPWSAOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine
);
typedef struct __WSABUF {
u_long len;
char FAR *buf;
} WSABUF, *LPWSABUF;
Question 1:
A login program. After entering the account and password,
I bp WSARecv; the program breaks, and when I look at the memory at lpBuffers, the real receive-data memory only starts at the 5th byte (char FAR *buf).
But when I first look at lpBuffers, then look at the memory at the address in (char FAR *buf), and then press F9 to continue, the program has already run off into the weeds.
I want to watch the data WSARecv receives and how the program uses that data after receiving it. How should I debug this?
Question 2:
Also: I used Detours 3.0 to hook WSARecv and, after it receives data, write the data to a file. That also makes the login fail. Without writing the file, the login works normally.
#include <winsock2.h>
#include <windows.h>

typedef int (WINAPI *pWSARECV)(SOCKET, LPWSABUF, DWORD, LPDWORD, LPDWORD, LPWSAOVERLAPPED, LPWSAOVERLAPPED_COMPLETION_ROUTINE);
pWSARECV pMS_WSARecv = WSARecv; // the real library function (Detours replaces this pointer with its trampoline)
int WINAPI MyWSARecv( // my hook function
    _In_ SOCKET s,
    _Inout_ LPWSABUF lpBuffers,
    _In_ DWORD dwBufferCount,
    _Out_ LPDWORD lpNumberOfBytesRecvd,
    _Inout_ LPDWORD lpFlags,
    _In_ LPWSAOVERLAPPED lpOverlapped,
    _In_ LPWSAOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine
)
{
    int iRet = pMS_WSARecv(s, lpBuffers, dwBufferCount, lpNumberOfBytesRecvd, lpFlags, lpOverlapped, lpCompletionRoutine);
    // The caller inspects WSAGetLastError() right after we return (e.g. expecting WSA_IO_PENDING on an
    // overlapped call); file I/O in this hook overwrites it, so save it here and restore it before returning.
    int iLastError = WSAGetLastError();
    // Data is only present in the buffers when the call completed immediately (iRet == 0). A pending
    // overlapped call (SOCKET_ERROR / WSA_IO_PENDING) delivers its data later and *lpNumberOfBytesRecvd
    // is not valid yet; logging that data needs a hook on the completion path instead.
    if (iRet == 0 && lpNumberOfBytesRecvd != NULL)
    {
        DWORD dwLeft = *lpNumberOfBytesRecvd; // bytes actually received; they are filled into the buffers in order
        for (DWORD i = 0; i < dwBufferCount && dwLeft > 0; i++)
        {
            WSABUF *pWSABUF = &lpBuffers[i]; // lpBuffers is already a WSABUF*; adding sizeof(WSABUF)*i overshoots
            DWORD dwChunk = pWSABUF->len < dwLeft ? pWSABUF->len : dwLeft; // len is the capacity, not the bytes received
            // write the received data to a file (WriteCurrentFile: the poster's own helper, not shown)
            // with this line commented out, the login program logs in normally; with it in, the hooked program (hooked via remote-thread injection) cannot log in
            WriteCurrentFile(HookFileName::pHookDataFile, NULL, 0, pWSABUF->buf, pWSABUF->len, 2);
            dwLeft -= dwChunk;
        }
    }
    WSASetLastError(iLastError);
    return iRet;
}
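A portable worked example, added here and not taken from the poster's code or from Detours, of the buffer walk a WSARecv hook has to do once the call has completed with data. WSABUF_T is a stand-in for Winsock's WSABUF so the code compiles outside Windows; fill_scatter mimics how a successful WSARecv spreads the received bytes across the scatter-gather array (each buffer filled completely before the next one is used); collect_received is the logging walk, indexing the array with bufs[i] and copying only the bytes actually received rather than each buffer's capacity. The 12-byte "login packet" and the 4-byte header / 64-byte body buffer pair are constructed sample data.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Stand-in for Winsock's WSABUF (u_long len; char FAR *buf) so this builds anywhere.
   On 32-bit Windows u_long is 4 bytes, so buf sits at offset 4: that is why the data
   pointer appears to begin at the 5th byte of the struct in a debugger. */
typedef struct {
    unsigned long len;   /* capacity the caller offers, NOT the number of bytes received */
    char *buf;
} WSABUF_T;

/* Simulates what a WSARecv that completes immediately does with a scatter-gather array:
   the received bytes go into the buffers in order, each filled completely before the next.
   Returns the byte count WSARecv would store in *lpNumberOfBytesRecvd. */
size_t fill_scatter(WSABUF_T *bufs, size_t count, const char *data, size_t datalen)
{
    size_t done = 0;
    for (size_t i = 0; i < count && done < datalen; i++) {
        size_t chunk = bufs[i].len;
        if (chunk > datalen - done)
            chunk = datalen - done;
        memcpy(bufs[i].buf, data + done, chunk);
        done += chunk;
    }
    return done;
}

/* The walk a logging hook should do after WSARecv returned 0: copy exactly `received`
   bytes out of the array. Index with bufs[i] (bufs + sizeof(WSABUF)*i overshoots, since
   pointer arithmetic already scales by the element size) and stop after `received` bytes
   instead of dumping bufs[i].len, which would include stale bytes past the received data.
   `out` must hold at least `received` bytes. Returns the number of bytes extracted. */
size_t collect_received(const WSABUF_T *bufs, size_t count, size_t received, char *out)
{
    size_t left = received, pos = 0;
    for (size_t i = 0; i < count && left > 0; i++) {
        size_t chunk = bufs[i].len < left ? bufs[i].len : left;
        memcpy(out + pos, bufs[i].buf, chunk);
        pos += chunk;
        left -= chunk;
    }
    return pos;
}

/* Constructed demo: a 12-byte packet received into a 4-byte header buffer plus a
   64-byte body buffer that still holds stale 'X' bytes from an earlier receive. */
int demo(void)
{
    char hdr[4], body[64];
    memset(body, 'X', sizeof body);
    WSABUF_T bufs[2] = { { sizeof hdr, hdr }, { sizeof body, body } };
    const char pkt[] = "\x00\x0c\x01\x00user\x00pw\x00";   /* constructed sample, 12 bytes */
    size_t n = fill_scatter(bufs, 2, pkt, 12);
    char logged[128];
    size_t got = collect_received(bufs, 2, n, logged);
    printf("received=%zu logged=%zu (header gets 4 bytes, body gets 8)\n", n, got);
    return (int)got;
}
```

Note that this walk only applies when WSARecv itself returned 0; for a pending overlapped receive the buffers are still empty when the hook runs, and the data only exists once the completion is reported, so a hook that wants that data has to sit on the completion path rather than on WSARecv.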