Thread: dll to encrypt packet sends

Hello, how i can encrypt packets sends of a program...

I'm attaching the dll to program, but i dont know how to encrypt all packets before the program send it.

i know that i need to attach a function to a windows function, but i dont know how do it...

if anyone can just post a snippet (the attaching of the function, and a simple encrypt method)

Thank you.

Hello,

I dont know what you mean, but i'll try to explain it more...

A program, any... to send anything to internet via TCP, use a function of windows that i dont remember the name, ...

so, i need that my dll, when attach to a process, encrypt all packets before the program send it, understand?

PROGRAM -> WINDOWS API (SOCKETS) -> SEND

after hooked

PROGRAM -> WINDOWS API (SOCKETS) -> MY DLL FUNC TO ENCRYPT IT -> SEND

or

PROGRAM -> MY DLL FUNC TO ENCRYPT IT -> WINDOWS API (SOCKETS) -> SEND

Thank you.

Sorry, but i cant use it, i need a code to hook send/recv functions ...

My problem is people using WPE PRO (Packet Editor) to cheat on my program, this program (WPE) load and hook a dll on my program, so a alternative method is detecting when a DLL is loaded in memory, and unload it if isn't allowed, anyone have a piece of code to detect and unhook a DLL?

Remember, i dont have the sources, so it need to be using windows API functions.

Originally Posted by splintter

Anyone?

I really need help on this, did not want the COMPLETE CODE, just the functions and a exemple :|

Here is a link to AES (Rijndael) algorithms used for encryption/decryption.

I'm not sure writing a hook is such a good idea to defeat the packet editor. Anyone with basic rootkit experience can identify any installed hook. Search the "nefarious" sites and you'll find a lot of examples of how to identify any installed hook.

Also, I would assume that the packet editor is using the TCP/IP stack to capture the packets. Why not use raw sockets to defeat the packet editor?

Hello BobS0327,

I'll look at AES.

What you mean by RAW packets? can you show a exemple? sorry, but my english is bad, and i didn't understand what you mean...

Here is a link to a CodeProject article on raw sockets.

Anyway,

RAW Sockets will be blocked by some workstations firewalls and routers.

I need to hook and encrypt send/recv. Encryptation can be simple.

I was about 1 week asking for help, many says some arguments, but no one help-me with a snippet (Yes, i'm not a good programmer, my english is sucks, but i learn more by see a code and modify it).

I did not want the complete code, just a exemple and i'll try by myself.

Originally Posted by splintter

Anyway,

RAW Sockets will be blocked by some workstations firewalls and routers.

I need to hook and encrypt send/recv. Encryptation can be simple.

I was about 1 week asking for help, many says some arguments, but no one help-me with a snippet (Yes, i'm not a good programmer, my english is sucks, but i learn more by see a code and modify it).

I did not want the complete code, just a exemple and i'll try by myself.

Here is a very basic example of a userland trampoline hook. It hooks the MessageBox function of any injected app.
If you're only dealing with a bunch of script kiddies, this will work fine. The MyMessageBox function will become your send function.
So, you'll have to modify that function accordingly which will include any encryption algorithms.

Code:

//File dllmain2.cpp
// Compile cl.exe /LD dllmain2.cpp

#pragma comment(lib, "user32.lib")
#include <windows.h>
#include <stdio.h>

bool HOOKED = false;

#pragma optimize("", off) 
int _declspec(naked) _stdcall MsgBoxTramp (HWND hWnd,LPCSTR lpText,LPCSTR lpCaption,UINT uType)
{
    __asm{
        nop
            nop
            nop
            nop
            nop
            nop
            nop
            nop
            nop
            nop
            nop
            nop
            nop
            nop
            nop
            nop
            nop
            nop
            _emit 0xAA
            _emit 0xAA
            _emit 0xAA
            _emit 0xAA
            _emit 0xAA
            ret
    }
}
#pragma optimize("", on)

#pragma optimize("", off) //Turn optimisation off. Unreferenced code is removed by compiler optimization.

int _stdcall MyMessageBox(HWND hWnd,LPCSTR lpText,LPCSTR lpCaption,UINT uType)
{
    int retval;
    char* NewText = (char*)malloc(256); // Just to indicate that malloc can be called.  Not really relevant
    strcpy(NewText, "You have been hooked!!!");
    retval = MsgBoxTramp(hWnd, NewText, lpCaption, uType); 
    free (NewText);
    return retval;
}

void HookMsgBox(void)
{
    //Initialise our vars, get pointers as chars to BOTH our trampoline function _and_ the hook function
    unsigned char NewData[5], OldData[5], TrampJump[5]; //This is a 5 byte hook, it could be more but I use Windows XP SP2..
    unsigned char* MessageBoxPtr = (unsigned char*)&MessageBoxA;
    unsigned char* HookTramp = (unsigned char*)&MsgBoxTramp;

    DWORD OldProtect;
    int i;
    //First off, we fill our replacement code arrays with data:
    //NewData will contain the bytes for the jmp to be installed.
    //Make the first byte an E9, meaning jmp.
    NewData[0] = 0xE9;
    //Set the remaining 4 bytes to the address offset. An ‘E9 jmp’ tells the processor to increment or decrement its EIP, it doesn’t tell the processor what the EIP should be.
    *(PDWORD)&NewData[1] = (DWORD)( (DWORD)MyMessageBox - ((DWORD)MessageBoxA + 5)); //Note the +5. The last byte of your jmp will be located at MessageBoxA+5, and this is where the address offset needs to be calculated from. (Change in address = New minus Old. Complex maths formula ain't it? ;> )

    //TrampJump will contain the bytes where you that hardcode the jump back to MessageBox. It is technically fine for TrampJump to just have a “jmp [MessageBoxA+5]” tagged at the end of it, as the compiler can do that. But I don’t trust compilers.
    TrampJump[0] = 0x68; //Push
    *(PDWORD)&TrampJump[1] = (DWORD)MessageBoxA + 5; //Push Address, as I explained already. :>
    VirtualProtectEx(GetCurrentProcess(), MessageBoxA, 10, PAGE_EXECUTE_WRITECOPY, &OldProtect); //Unprotect the target memory. 10 bytes for good measure.
    for (i = 0; i < 5; i++){
        OldData[i] = MessageBoxPtr[i]; //Grab the overwritten bytes
        MessageBoxPtr[i] = NewData[i]; //Insert the new bytes. *MAKE SURE YOU DON’T CUT OFF PART OF AN INSTRUCTION!*
    }
    VirtualProtectEx(GetCurrentProcess(), MessageBoxA, 10, OldProtect, NULL); //Reprotect the memory.

    VirtualProtectEx(GetCurrentProcess(), MsgBoxTramp, 25, PAGE_EXECUTE_WRITECOPY, &OldProtect);
    for (i = 0; i < 5; i++){
        HookTramp[i] = OldData[i]; //Make the first 5 bytes of the trampoline equal the bytes removed.
    }
    for (i = 0; i < 50; i++){
        //Search for the last 5 bytes that you put aside for this push operation.
        if (HookTramp[i] == 0xAA &&
            HookTramp[i+1] == 0xAA &&
            HookTramp[i+2] == 0xAA &&
            HookTramp[i+3] == 0xAA &&
            HookTramp[i+4] == 0xAA)
        {
            //Overwrite the bytes when found
            HookTramp[i] = TrampJump[0];
            HookTramp[i+1] = TrampJump[1];
            HookTramp[i+2] = TrampJump[2];
            HookTramp[i+3] = TrampJump[3];
            HookTramp[i+4] = TrampJump[4];
            break;
        }
    }
    VirtualProtectEx(GetCurrentProcess(), MsgBoxTramp, 25, OldProtect, NULL);
}

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, 
    LPVOID lpvReserved )
	{
    
    switch (fdwReason)
    {
        case DLL_PROCESS_ATTACH:

            if(!HOOKED)
            {
			HookMsgBox();
                HOOKED = true;
            }
        case DLL_THREAD_ATTACH:
        case DLL_THREAD_DETACH:
        case DLL_PROCESS_DETACH:
            break;
    }
    return TRUE;
}