Solved How to IAT hook using Ordinal - WS2_32.dll?


Rablidad

Full Member
May 2, 2020
21
183
1
Game Name: RuneScape
Anticheat: None
Tutorial Link: https://guidedhacking.com/threads/iat-hook-import-address-table-hooking-explained.4244/
How long you been coding/hacking? 2
Coding Language: C#/C++
Hi guys, I'm following this tutorial: Tutorial - IAT hook Import Address Table Hooking Explained. I'm iterating through the entire IAT to locate the send function from the ws2_32.dll module. What happens is that all the iteration occurs successfully until it reaches the ws2_32 module. I'm trying to create a packet logger by hooking the send function. After I opened the target program in IDA, I found that the import name table for the ws2_32 module is not showing the names correctly. I don't know what that is, but here are screenshots:

IMAGE_IMPORT_DESCRIPTOR WS2_32.dll:
[screenshot]

IMPORT NAME TABLE of WS2_32.dll:
[screenshot]

what I see when I load it up in PEBear:
[screenshot]

other modules IMPORT NAME DESCRIPTOR:
[screenshot]
[screenshot]

I see there is this ordinal thing instead of names, but I'm not sure how to proceed. Thanks!

Rablidad

Got it working, guys: by checking the ordinal number, the send function has an ordinal number of 19 (0x13) (it seems to be stable across several Windows versions, at least from what I've read on the internet), which allowed me to hook it. Thanks!

C++:
// dllmain.cpp : Defines the entry point for the DLL application.
#define _CRT_SECURE_NO_WARNINGS

#include <Windows.h>
#include <iostream>
#include <iomanip>
#include <cstdio>

#pragma comment(lib,"ws2_32.lib")


// send() is stdcall on x86: the typedef and the replacement must use the same convention
typedef int (WINAPI* originalSend)(SOCKET s, const char* buff, int len, int flags);
originalSend hSend = nullptr;


int WINAPI newSend(SOCKET s, const char* buff, int len, int flags)
{
    std::cout << "Socket[" << (unsigned long long)s << "]: ";
    for (int i = 0; i < len; i++)
    {
        std::cout << std::hex << std::setw(2) << std::setfill('0')
                  << (unsigned int)(unsigned char)buff[i] << ' ';
    }
    std::cout << std::dec << std::endl;

    // forward to the real send() so the game keeps working
    return hSend(s, buff, len, flags);
}


// Walk the game's import table and redirect the IAT slot for szModuleName!szFunctionName
// (when the import is by name) or szModuleName!#wOrdinal (when the import is by ordinal).
BOOL hookIATSend(const char* szModuleName, const char* szFunctionName, WORD wOrdinal)
{
    HMODULE module = GetModuleHandleW(L"game.exe");
    if (!module)
        return FALSE;
    PBYTE base = (PBYTE)module;

    PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)base;
    if (dosHeader->e_magic != IMAGE_DOS_SIGNATURE)
        return FALSE;
    PIMAGE_NT_HEADERS ntHeaders = (PIMAGE_NT_HEADERS)(base + dosHeader->e_lfanew);

    // make sure we have valid data
    if (ntHeaders->Signature != IMAGE_NT_SIGNATURE)
        return FALSE;

    // Grab a pointer to the import data directory
    IMAGE_DATA_DIRECTORY importDir = ntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
    if (importDir.VirtualAddress == 0)
        return FALSE;
    PIMAGE_IMPORT_DESCRIPTOR impDesc = (PIMAGE_IMPORT_DESCRIPTOR)(base + importDir.VirtualAddress);

    // this loop will parse the entries inside the import descriptor
    std::cout << "[!!] Searching modules." << std::endl;
    for (UINT uIndex = 0; impDesc[uIndex].Name != 0; uIndex++)
    {
        const char* szDllName = (const char*)(base + impDesc[uIndex].Name);
        std::cout << "DLLName: " << szDllName << std::endl;

        if (_stricmp(szModuleName, szDllName) != 0)
            continue;

        std::cout << "Found!" << std::endl;

        if (!impDesc[uIndex].FirstThunk || !impDesc[uIndex].OriginalFirstThunk)
            return FALSE;

        // FirstThunk = IAT (patched by the loader with real addresses)
        // OriginalFirstThunk = INT (the names / ordinals the loader resolved)
        PIMAGE_THUNK_DATA pThunk    = (PIMAGE_THUNK_DATA)(base + impDesc[uIndex].FirstThunk);
        PIMAGE_THUNK_DATA pOrgThunk = (PIMAGE_THUNK_DATA)(base + impDesc[uIndex].OriginalFirstThunk);

        for (; pOrgThunk->u1.AddressOfData != 0; pOrgThunk++, pThunk++)
        {
            bool bMatch = false;

            if (IMAGE_SNAP_BY_ORDINAL(pOrgThunk->u1.Ordinal))
            {
                // ordinal import: the top bit is the flag, the low 16 bits are the ordinal
                // (use IMAGE_ORDINAL, not a BYTE cast, or ordinals above 255 collide)
                WORD ordinal = IMAGE_ORDINAL(pOrgThunk->u1.Ordinal);
                printf("Ordinal: %u (0x%x)\n", ordinal, ordinal);
                bMatch = (ordinal == wOrdinal);
            }
            else
            {
                // name import: AddressOfData is only an RVA when the ordinal flag is clear
                PIMAGE_IMPORT_BY_NAME import = (PIMAGE_IMPORT_BY_NAME)(base + pOrgThunk->u1.AddressOfData);
                std::cout << (const char*)import->Name << std::endl;
                bMatch = (_stricmp(szFunctionName, (const char*)import->Name) == 0);
            }

            if (!bMatch)
                continue;

            printf("Hooking IAT\n");

            // The IAT is read-only once the loader is done: make just this slot writable
            DWORD dwOldProtect = 0;
            printf("Changing Protection\n");
            if (!VirtualProtect(pThunk, sizeof(IMAGE_THUNK_DATA), PAGE_READWRITE, &dwOldProtect))
                return FALSE;
            printf("Protection Changed\n");

            // save the original address so newSend can call it
            hSend = (originalSend)pThunk->u1.Function;

            // write the new function address (ULONG_PTR is pointer-sized on x86 and x64)
            pThunk->u1.Function = (ULONG_PTR)newSend;

            VirtualProtect(pThunk, sizeof(IMAGE_THUNK_DATA), dwOldProtect, &dwOldProtect);
            return TRUE;
        }
    }

    return FALSE;
}

DWORD WINAPI hook(LPVOID)
{
    // ws2_32.dll exports send as ordinal 19; the game imports it by ordinal, not by name
    return hookIATSend("WS2_32.dll", "send", 19) ? 0 : 1;
}


BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
    {
        AllocConsole();
        freopen("CONOUT$", "w", stdout);
        // do the work on a new thread; never hook from inside DllMain itself
        HANDLE hThread = CreateThread(NULL, 0, hook, NULL, 0, NULL);
        if (hThread)
            CloseHandle(hThread);
        break;
    }
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}
[screenshot]
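As an added example that is not part of either post or of the linked tutorial, the following C++ walks a PE import directory the way the loader does and selects an IAT slot either by function name or by export ordinal, which is what the thread ends up needing for WS2_32!send. It parses a constructed in-memory image (descriptor, INT, hint/name and IAT buffers are built inline) so it compiles and runs on any OS without Windows.h; the image, its addresses and the ordinal 275 entry are made up, the latter chosen because its low byte is also 0x13 and shows why the ordinal must be masked with IMAGE_ORDINAL rather than truncated to a byte. In a live process the base would come from GetModuleHandle and the slot write would be bracketed by VirtualProtect.

```cpp
#include <cctype>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

// Layouts copied from winnt.h; 64-bit thunks as in an x64 target.
struct ImportDescriptor {
    uint32_t OriginalFirstThunk;  // RVA of the Import Name Table (INT): names / ordinals
    uint32_t TimeDateStamp;
    uint32_t ForwarderChain;
    uint32_t Name;                // RVA of the DLL name string
    uint32_t FirstThunk;          // RVA of the Import Address Table (IAT): resolved pointers
};
static const uint64_t kOrdinalFlag64 = 0x8000000000000000ULL;  // IMAGE_ORDINAL_FLAG64

struct ImportEntry {
    std::string dll;
    bool byOrdinal;
    uint16_t ordinal;   // valid when byOrdinal
    std::string name;   // valid when !byOrdinal
    uint64_t* iatSlot;  // the slot the loader fills with the resolved address
};

static bool ieq(const char* a, const char* b) {  // DLL names compare case-insensitively
    for (; *a && *b; ++a, ++b)
        if (std::tolower((unsigned char)*a) != std::tolower((unsigned char)*b)) return false;
    return *a == *b;
}

// Enumerate every import of a mapped image whose import directory begins at importDirRva.
std::vector<ImportEntry> walkImports(uint8_t* base, uint32_t importDirRva) {
    std::vector<ImportEntry> out;
    auto* desc = reinterpret_cast<ImportDescriptor*>(base + importDirRva);
    for (; desc->Name != 0; ++desc) {
        const char* dll = reinterpret_cast<const char*>(base + desc->Name);
        // Old-style bound imports zero OriginalFirstThunk; the IAT then still carries the names.
        uint32_t intRva = desc->OriginalFirstThunk ? desc->OriginalFirstThunk : desc->FirstThunk;
        auto* intThunk = reinterpret_cast<uint64_t*>(base + intRva);
        auto* iatThunk = reinterpret_cast<uint64_t*>(base + desc->FirstThunk);
        for (; *intThunk != 0; ++intThunk, ++iatThunk) {
            ImportEntry e{dll, false, 0, "", iatThunk};
            if (*intThunk & kOrdinalFlag64) {
                // IMAGE_ORDINAL64(): only the low 16 bits are the ordinal; never cast to BYTE.
                e.byOrdinal = true;
                e.ordinal = static_cast<uint16_t>(*intThunk & 0xFFFF);
            } else {
                // IMAGE_IMPORT_BY_NAME: 16-bit hint followed by the NUL-terminated name.
                e.name = reinterpret_cast<const char*>(base + (*intThunk & 0x7FFFFFFF) + 2);
            }
            out.push_back(e);
        }
    }
    return out;
}

// IAT slot for dll!name, or for dll!#ordinal when name is null; nullptr if not imported.
uint64_t* findIatSlot(uint8_t* base, uint32_t importDirRva, const char* dll,
                      const char* name, uint16_t ordinal) {
    for (const ImportEntry& e : walkImports(base, importDirRva)) {
        if (!ieq(e.dll.c_str(), dll)) continue;
        if (name ? (!e.byOrdinal && e.name == name) : (e.byOrdinal && e.ordinal == ordinal))
            return e.iatSlot;
    }
    return nullptr;
}

// Swap the slot's target and hand back the original so the hook can forward to it.
// In a real process, wrap this in VirtualProtect(slot, sizeof *slot, PAGE_READWRITE, ...).
uint64_t hookIatSlot(uint64_t* slot, uint64_t newTarget) {
    uint64_t old = *slot;
    *slot = newTarget;
    return old;
}

// Constructed image (not a real binary): one WS2_32.dll descriptor importing WSAStartup by
// name, a made-up ordinal 275 (low byte 0x13, like 19) and ordinal 19, which is send.
std::vector<uint8_t> buildSampleImage() {
    std::vector<uint8_t> img(0x600, 0);
    const uint32_t descRva = 0x100, nameRva = 0x200, intRva = 0x300, hintRva = 0x400, iatRva = 0x500;
    ImportDescriptor d{intRva, 0, 0, nameRva, iatRva};
    std::memcpy(&img[descRva], &d, sizeof d);            // zero bytes after it terminate the list
    std::memcpy(&img[nameRva], "WS2_32.dll", 11);
    std::memcpy(&img[hintRva + 2], "WSAStartup", 11);    // the 16-bit hint at +0 stays 0
    uint64_t intThunks[] = {hintRva, kOrdinalFlag64 | 275, kOrdinalFlag64 | 19, 0};
    uint64_t iatThunks[] = {0x1111, 0x2222, 0x3333, 0};  // pretend resolved addresses
    std::memcpy(&img[intRva], intThunks, sizeof intThunks);
    std::memcpy(&img[iatRva], iatThunks, sizeof iatThunks);
    return img;
}

int main() {
    std::vector<uint8_t> img = buildSampleImage();
    uint64_t* slot = findIatSlot(img.data(), 0x100, "ws2_32.dll", nullptr, 19);
    std::printf("send slot held 0x%llx\n", (unsigned long long)hookIatSlot(slot, 0xDEADBEEF));
    return 0;
}
```

Because the ordinal-275 entry comes first in the sample INT, a scan that truncates the thunk to a byte before comparing with 19 would hook the wrong slot; the masked comparison lands on the third slot, whose pretend address 0x3333 is returned so a hook can forward to it.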
 

Petko123

Function prototype:

C++:
#include <Windows.h>
#include <cstdio>
#include <cstdint>

// mem::TrampHook32 is the trampoline helper from the hooking tutorial this post refers to;
// it is not part of this snippet

typedef int(__stdcall* sendFunc)(SOCKET socket, char* buffer, int len, int flags);
sendFunc hSendFunc;

// socket we use to send our packets
SOCKET socketFunctionCall;

// function that will be placed at start of ws2_32.dll -> send() so that way we create a hook
int __stdcall SendFunc(SOCKET socket, char* buffer, int len, int flags)
{
    // assign socket game is using to our global var so we can send packets outside send hook
    socketFunctionCall = socket;

    printf("[SENT]\nLen: %d\nData (hex): ", len);
    for (int i = 0; i < len; ++i)
    {
        printf("%02X ", (unsigned char)buffer[i]);
    }
    printf("\n----------------\n");

    // we need to call original function and get return value (int) and return that int to the function that calls our function
    return hSendFunc(socket, buffer, len, flags);
}

// thread routine started from DllMain; installs the inline hook
DWORD WINAPI Dllmain(HMODULE hModule)
{
    uintptr_t moduleBase = (uintptr_t)GetModuleHandle(NULL);

    // Getting address of ws2_32.dll - send()
    hSendFunc = (sendFunc)(GetProcAddress(GetModuleHandleA("ws2_32.dll"), "send"));

    // Patching first 5 bytes of the function to put jmp SendFunc (jump to our function);
    // TrampHook32 returns the gateway that runs the stolen bytes and jumps back, so hSendFunc now calls the original
    hSendFunc = (sendFunc)mem::TrampHook32((BYTE*)hSendFunc, (BYTE*)SendFunc, 5);
    return 0;
}
 