// TCP static WINDOWS::INT replacementTCP( AFUNPTR functionTCP, WINDOWS::SOCKET s, WINDOWS::CHAR *buf, WINDOWS::INT len, WINDOWS::INT flags, CONTEXT *ctx, WINDOWS::CHAR * functionName ) { WINDOWS::INT retval = 0; PIN_CallApplicationFunction( ctx, PIN_ThreadId(), CALLINGSTD_STDCALL, functionTCP, // send or recv PIN_PARG(WINDOWS::INT), &retval, // return value first PIN_PARG(WINDOWS::SOCKET), s, PIN_PARG(WINDOWS::CHAR *), buf, PIN_PARG(WINDOWS::INT), len, PIN_PARG(WINDOWS::INT), flags, PIN_PARG_END() ); if ( retval != -1 ) { fprintf( LogFile, "%s [%d]:\r\n", functionName, retval ); fprintf( LogFile, "{\r\n" ); PrintHexBuffer( buf, retval, KnobAsciiMode ); fprintf( LogFile, "}\r\n" ); } fflush( LogFile ); return retval; }
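// Replacement for the application's WSASendTo(): forwards the call through Pin
// to the original function, then writes a hex dump of the sent data to LogFile.
//
// Unlike send()/recv(), WSASendTo returns 0 on success rather than a byte
// count, and its payload is an array of dwBufferCount WSABUF descriptors
// (len/buf pairs) rather than a flat buffer. The number of bytes actually sent
// is reported through *lpNumberOfBytesSend, which may be NULL for overlapped
// calls. The log therefore has to walk the descriptor array instead of
// treating lpBuffers itself as data.
//
// Returns the application function's return value unchanged.
static WINDOWS::INT replacementWSASendTo( AFUNPTR functionWSASendTo, WINDOWS::SOCKET s, WINDOWS::LPWSABUF lpBuffers, WINDOWS::DWORD dwBufferCount, WINDOWS::LPDWORD lpNumberOfBytesSend, WINDOWS::DWORD dwFlags, WINDOWS::SOCKADDR * lpTo, WINDOWS::INT iToLen, WINDOWS::LPWSAOVERLAPPED lpOverlapped, WINDOWS::LPWSAOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine, CONTEXT *ctx, WINDOWS::CHAR * functionName )
{
    WINDOWS::INT retval = 0;

    PIN_CallApplicationFunction( ctx, PIN_ThreadId(), CALLINGSTD_STDCALL, functionWSASendTo, // WSASendTo
                                 PIN_PARG(WINDOWS::INT), &retval,                            // return value first
                                 PIN_PARG(WINDOWS::SOCKET), s,
                                 PIN_PARG(WINDOWS::LPWSABUF), lpBuffers,
                                 PIN_PARG(WINDOWS::DWORD), dwBufferCount,
                                 PIN_PARG(WINDOWS::LPDWORD), lpNumberOfBytesSend,
                                 PIN_PARG(WINDOWS::DWORD), dwFlags,
                                 PIN_PARG(WINDOWS::SOCKADDR *), lpTo,
                                 PIN_PARG(WINDOWS::INT), iToLen,
                                 PIN_PARG(WINDOWS::LPWSAOVERLAPPED), lpOverlapped,
                                 PIN_PARG(WINDOWS::LPWSAOVERLAPPED_COMPLETION_ROUTINE), lpCompletionRoutine,
                                 PIN_PARG_END() );

    // -1 is SOCKET_ERROR (which is also what a still-pending overlapped send
    // returns), so failures and pending operations are not logged.
    if ( retval != -1 )
    {
        // Bytes the call reported as sent. When no count was reported, fall
        // back to the total the application offered, so the dump still stays
        // inside the memory described by the WSABUF descriptors.
        WINDOWS::DWORD remaining = 0;
        if ( lpNumberOfBytesSend != NULL )
        {
            remaining = *lpNumberOfBytesSend;
        }
        else if ( lpBuffers != NULL )
        {
            for ( WINDOWS::DWORD i = 0; i < dwBufferCount; ++i )
            {
                remaining += lpBuffers[i].len;
            }
        }

        fprintf( LogFile, "%s [%d]:\r\n", functionName, (int) remaining );
        fprintf( LogFile, "{\r\n" );
        // Walk the scatter/gather list, dumping each chunk without reading past
        // a descriptor's own length or past the reported byte count.
        for ( WINDOWS::DWORD i = 0; lpBuffers != NULL && i < dwBufferCount && remaining > 0; ++i )
        {
            WINDOWS::DWORD chunk = ( lpBuffers[i].len < remaining ) ? lpBuffers[i].len : remaining;
            if ( lpBuffers[i].buf != NULL && chunk > 0 )
            {
                PrintHexBuffer( lpBuffers[i].buf, (WINDOWS::INT) chunk, KnobAsciiMode );
            }
            remaining -= chunk;
        }
        fprintf( LogFile, "}\r\n" );
    }
    fflush( LogFile );

    return retval;
}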
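// Writes "<label>: 0x<value>" (value in hex) on its own line, the format every
// address/handle/count line of the received-message dump uses.
template <typename T>
static void PrintHexLine(const char *label, const T &value)
{
    std::cout << label << ": 0x" << std::hex << value << std::endl;
}

// Hex-dumps a payload received from the server. `claimed` is the length field
// carried alongside the bytes; it is clamped to the bytes actually present so a
// malformed or hostile message cannot make PrintHexBuffer read past `data`.
static void DumpPayload(const std::string &data, std::string::size_type claimed)
{
    const std::string::size_type n = (claimed < data.size()) ? claimed : data.size();
    PrintHexBuffer(data.c_str(), n);
}

// Prints the scatter/gather buffers of a WSASend/WSASendTo hook message. The
// loop is bounded by the repeated-field sizes as well as count(), so a count()
// value from the wire cannot index past the repeated fields.
template <typename HookMsg>
static void DumpSentBuffers(const HookMsg &hookmsg)
{
    for (int i = 0;
         i < hookmsg.count() && i < hookmsg.buffers_size() && i < hookmsg.buffer_size_size();
         ++i) {
        std::cout << "Buffer #" << std::dec << i << std::endl;
        DumpPayload(hookmsg.buffers(i), hookmsg.buffer_size(i));
    }
}

// Prints the buffer addresses of a WSARecv/WSARecvFrom hook message, bounded
// the same way as DumpSentBuffers.
template <typename HookMsg>
static void PrintReceiveBufferAddresses(const HookMsg &hookmsg)
{
    for (int i = 0; i < hookmsg.count() && i < hookmsg.buffers_size(); ++i) {
        std::cout << "Buffer #" << std::dec << i << std::endl;
        std::cout << "Buffer address: " << hookmsg.buffers(i) << std::endl;
    }
}

// Prints a message received from the Hekate server to stdout, one field per
// line. Exactly one branch runs, chosen by which sub-message is present.
//
// msg - the decoded server message; its hook_info/acknowledge contents are
//       treated as untrusted input (lengths and counts are bounds-checked
//       before any buffer is dereferenced).
// Exits the process with -1 if the message carries neither hook_info nor an
// acknowledge.
void OutputReceivedMessage(const Hekate::Protobuf::Proto::Server::HekateMessage &msg)
{
    // An acknowledge carries no hook_info, so it must be accepted here instead
    // of being rejected as a missing message (which left the acknowledge
    // branch below unreachable).
    if (!msg.has_hook_info() && !msg.has_acknowledge()) {
        std::cerr << "Missing Hekate -> client message.\n";
        exit(-1);
    }

    // std::hex is sticky on std::cout; restore the caller's formatting on exit.
    const std::ios_base::fmtflags savedFlags = std::cout.flags();

    // protobuf returns the default (empty) sub-message when hook_info is unset,
    // so every has_*() below is simply false for an acknowledge-only message.
    const auto &info = msg.hook_info();

    if (info.has_send()) {
        const auto &hookmsg = info.send();
        PrintHexLine("Socket", hookmsg.socket());
        std::cout << "Buffer: ";
        DumpPayload(hookmsg.buffer(), hookmsg.length());
        PrintHexLine("Length", hookmsg.length());
    } else if (info.has_sendto()) {
        const auto &hookmsg = info.sendto();
        PrintHexLine("Socket", hookmsg.socket());
        std::cout << "Buffer: ";
        DumpPayload(hookmsg.buffer(), hookmsg.length());
        PrintHexLine("Length", hookmsg.length());
        PrintHexLine("to struct address", hookmsg.to_address());
        PrintHexLine("to address length", hookmsg.to_length());
    } else if (info.has_wsasend()) {
        const auto &hookmsg = info.wsasend();
        PrintHexLine("Socket", hookmsg.socket());
        DumpSentBuffers(hookmsg);
        PrintHexLine("Count", hookmsg.count());
        PrintHexLine("Bytes sent address", hookmsg.bytes_sent_address());
        PrintHexLine("Flags", hookmsg.flags());
        PrintHexLine("Overlapped address", hookmsg.overlapped_address());
        PrintHexLine("Overlapped routine address", hookmsg.overlapped_routine_address());
    } else if (info.has_wsasendto()) {
        const auto &hookmsg = info.wsasendto();
        PrintHexLine("Socket", hookmsg.socket());
        DumpSentBuffers(hookmsg);
        PrintHexLine("Count", hookmsg.count());
        PrintHexLine("Bytes sent address", hookmsg.bytes_sent_address());
        PrintHexLine("Flags", hookmsg.flags());
        PrintHexLine("to struct address", hookmsg.to_address());
        PrintHexLine("to struct length", hookmsg.to_length());
        PrintHexLine("Overlapped address", hookmsg.overlapped_address());
        PrintHexLine("Overlapped routine address", hookmsg.overlapped_routine_address());
    } else if (info.has_recv()) {
        const auto &hookmsg = info.recv();
        PrintHexLine("Socket", hookmsg.socket());
        std::cout << "Buffer: ";
        std::cout << "Buffer address: " << hookmsg.buffer() << std::endl;
        PrintHexLine("Length", hookmsg.length());
    } else if (info.has_recvfrom()) {
        const auto &hookmsg = info.recvfrom();
        PrintHexLine("Socket", hookmsg.socket());
        std::cout << "Buffer: ";
        std::cout << "Buffer address: " << hookmsg.buffer() << std::endl;
        PrintHexLine("Length", hookmsg.length());
        PrintHexLine("from struct address", hookmsg.from_address());
        PrintHexLine("from length address", hookmsg.from_length_address());
    } else if (info.has_wsarecv()) {
        const auto &hookmsg = info.wsarecv();
        PrintHexLine("Socket", hookmsg.socket());
        PrintReceiveBufferAddresses(hookmsg);
        PrintHexLine("Count", hookmsg.count());
        PrintHexLine("Bytes received address", hookmsg.bytes_received_address());
        PrintHexLine("Flags address", hookmsg.flags_address());
        PrintHexLine("Overlapped address", hookmsg.overlapped_address());
        PrintHexLine("Overlapped routine address", hookmsg.overlapped_routine_address());
    } else if (info.has_wsarecvfrom()) {
        const auto &hookmsg = info.wsarecvfrom();
        PrintHexLine("Socket", hookmsg.socket());
        PrintReceiveBufferAddresses(hookmsg);
        PrintHexLine("Count", hookmsg.count());
        PrintHexLine("Bytes received address", hookmsg.bytes_received_address());
        PrintHexLine("Flags address", hookmsg.flags_address());
        PrintHexLine("from struct address", hookmsg.from_address());
        PrintHexLine("from struct length", hookmsg.from_length_address());
        PrintHexLine("Overlapped address", hookmsg.overlapped_address());
        PrintHexLine("Overlapped routine address", hookmsg.overlapped_routine_address());
    } else if (msg.has_acknowledge()) {
        std::cout << "Received acknowledge message from server." << std::endl;
        // Explicit std::dec: the id is a plain code, not an address.
        std::cout << "Code: " << std::dec << msg.acknowledge().debug_response_id() << std::endl;
    } else if (info.has_filter_message()) {
        const auto &filtermsg = info.filter_message();
        std::cout << "Received filter hit message." << std::endl;
        PrintHexLine("Filter hit id", filtermsg.filter_id());
        if (filtermsg.broken()) {
            std::cout << "Application is currently in a paused state." << std::endl;
        }
    } else {
        std::cerr << "Received unknown/empty message from server." << std::endl;
    }

    std::cout.flags(savedFlags);
}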