bcdsys:
If you don't know the Portable Executable format you cannot write a program to set a hook on a TCP socket API function in user mode.
A PE executable contains a table filled with the addresses of the API functions imported when the program is loaded in memory by Windows.
Some programs import API functions dynamically, directly using the LoadLibrary/GetProcAddress API functions.
When an import table does exist, you can add a routine to the targeted program to patch the table at runtime with a new address for the desired API function to set a hook.
Or you can write another program to do the job.
(In this case, some problems will probably occur with the hardware protection used in not-too-old microprocessors: memory sections do or do not have an "execute" attribute. Trying to run a program, for example in the stack, will lead to an error message box!)
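The import-table patching bcdsys describes, as an added example that is not part of the post above: a portable C routine that walks a loaded PE32+ image (DOS header, NT headers, import data directory, IMAGE_IMPORT_DESCRIPTOR, INT/IAT thunk arrays), finds the IAT slot for `ws2_32.dll!send` and overwrites it with the address of a hook routine, saving the original pointer so the hook can call through. The PE image is constructed in a buffer here so the example runs anywhere; the addresses in its IAT and `HOOK_ADDR` are made-up stand-ins for what the Windows loader would have written and where a real hook function would sit. A second lookup for `recv` shows the limit the post mentions: a function resolved with LoadLibrary/GetProcAddress has no IAT slot and cannot be hooked this way.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMG_SIZE 0x1000
/* Hypothetical address of the hook routine inside the program's own code section
 * (executable memory, so the NX/DEP "execute" attribute is not an obstacle). */
#define HOOK_ADDR 0x0000000140001500ULL

/* PE headers are packed; go through memcpy to avoid misaligned accesses. */
static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static uint64_t rd64(const uint8_t *p) { uint64_t v; memcpy(&v, p, 8); return v; }
static void wr16(uint8_t *p, uint16_t v) { memcpy(p, &v, 2); }
static void wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }
static void wr64(uint8_t *p, uint64_t v) { memcpy(p, &v, 8); }

static int ieq(const char *a, const char *b) {            /* DLL names are not case-normalised */
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Find the IAT slot of dll!func in a loaded (RVA-addressed) PE32+ image. NULL means a
 * malformed image or no such import (e.g. resolved at runtime via GetProcAddress). */
static uint8_t *find_iat_slot(uint8_t *img, size_t size, const char *dll, const char *func) {
    if (size < 0x40 || rd16(img) != 0x5A4D) return NULL;                       /* "MZ" */
    uint32_t nt = rd32(img + 0x3C);                                            /* e_lfanew */
    if (nt + 24 + 128 > size || rd32(img + nt) != 0x00004550) return NULL;     /* "PE\0\0" */
    const uint8_t *opt = img + nt + 24;                                        /* IMAGE_OPTIONAL_HEADER64 */
    if (rd16(opt) != 0x20B) return NULL;                                       /* PE32+ only */
    uint32_t imp = rd32(opt + 120);                                            /* DataDirectory[IMPORT].VirtualAddress */
    if (imp == 0) return NULL;
    for (uint32_t off = imp; off + 20 <= size; off += 20) {                    /* IMAGE_IMPORT_DESCRIPTOR, 20 bytes */
        const uint8_t *d = img + off;
        uint32_t oft = rd32(d), name = rd32(d + 12), ft = rd32(d + 16);
        if (oft == 0 && name == 0 && ft == 0) break;                           /* all-zero terminator */
        if (oft == 0 || name >= size || !ieq((const char *)img + name, dll)) continue;
        /* INT (OriginalFirstThunk) keeps the names; IAT (FirstThunk) holds the loader's
         * resolved addresses. Entry i in one corresponds to entry i in the other. */
        for (size_t i = 0; oft + i * 8 + 8 <= size && ft + i * 8 + 8 <= size; i++) {
            uint64_t e = rd64(img + oft + i * 8);
            if (e == 0) break;
            if (e >> 63 || e + 2 >= size) continue;                            /* import by ordinal: no name */
            if (strcmp((const char *)img + e + 2, func) == 0)                  /* skip the 2-byte Hint */
                return img + ft + i * 8;
        }
    }
    return NULL;
}

/* Swap dll!func's IAT slot for `hook`, returning the previous address in *orig.
 * 0 on success, -1 if there is no slot. In a live process the IAT page is read-only:
 * VirtualProtect(slot, 8, PAGE_READWRITE, &old) around the write (omitted: plain buffer). */
static int hook_iat(uint8_t *img, size_t size, const char *dll, const char *func,
                    uint64_t hook, uint64_t *orig) {
    uint8_t *slot = find_iat_slot(img, size, dll, func);
    if (!slot) return -1;
    if (orig) *orig = rd64(slot);
    wr64(slot, hook);
    return 0;
}

/* Constructed sample: the parts of a loaded PE32+ image an IAT hook touches. Offsets
 * are RVAs; the two IAT addresses are made-up stand-ins for what the loader wrote. */
static void build_sample_image(uint8_t *img) {
    memset(img, 0, IMG_SIZE);
    wr16(img, 0x5A4D); wr32(img + 0x3C, 0x80);                  /* e_magic "MZ", e_lfanew */
    wr32(img + 0x80, 0x4550); wr16(img + 0x84, 0x8664);         /* Signature, Machine = AMD64 */
    wr16(img + 0x94, 240); wr16(img + 0x98, 0x20B);             /* SizeOfOptionalHeader, Magic PE32+ */
    wr32(img + 0x98 + 120, 0x200); wr32(img + 0x98 + 124, 40);  /* import directory RVA / size */
    wr32(img + 0x200, 0x400); wr32(img + 0x20C, 0x300); wr32(img + 0x210, 0x500); /* INT, Name, IAT */
    strcpy((char *)img + 0x300, "ws2_32.dll");
    wr64(img + 0x400, 0x600); wr64(img + 0x408, 0x610);         /* INT -> IMAGE_IMPORT_BY_NAME */
    wr16(img + 0x600, 4);  strcpy((char *)img + 0x602, "connect");
    wr16(img + 0x610, 19); strcpy((char *)img + 0x612, "send");
    wr64(img + 0x500, 0x7FFA10001000ULL);                       /* IAT: ws2_32!connect (made up) */
    wr64(img + 0x508, 0x7FFA10002000ULL);                       /* IAT: ws2_32!send    (made up) */
}

/* Wrappers over the sample image; 0 from iat_value means "no IAT entry". */
static uint64_t iat_value(uint8_t *img, const char *f) {
    uint8_t *s = find_iat_slot(img, IMG_SIZE, "ws2_32.dll", f);
    return s ? rd64(s) : 0;
}
static uint64_t sample_before(const char *f) {
    static uint8_t img[IMG_SIZE]; build_sample_image(img); return iat_value(img, f);
}
static int sample_hook(const char *f, uint64_t *orig) {          /* hook_iat result for f */
    static uint8_t img[IMG_SIZE]; build_sample_image(img);
    return hook_iat(img, IMG_SIZE, "WS2_32.DLL", f, HOOK_ADDR, orig);
}
static uint64_t sample_after_send_hook(const char *f) {          /* IAT value of f once send is hooked */
    static uint8_t img[IMG_SIZE]; build_sample_image(img);
    hook_iat(img, IMG_SIZE, "WS2_32.DLL", "send", HOOK_ADDR, NULL);
    return iat_value(img, f);
}

int main(void) {
    uint64_t orig = 0;
    if (sample_hook("send", &orig) == 0)
        printf("ws2_32!send: IAT slot %#llx -> %#llx\n", (unsigned long long)orig,
               (unsigned long long)sample_after_send_hook("send"));
    if (sample_hook("recv", NULL) != 0)
        puts("ws2_32!recv: not in the import table, IAT patching cannot reach it");
    return 0;
}
```

Only a data pointer is changed here, which is why this style of hook does not trip the execute attribute bcdsys mentions: the hook body must live in a section that is already executable, and the original address saved in `orig` is what the hook calls to keep the socket working. For the "another program does the job" variant, the same walk is done over the target's memory with ReadProcessMemory and the slot written with WriteProcessMemory.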