How to handle hooked WSARecv

Problem description

I'm working on a project that involves hooking WSARecv. I know how to hook this function, I mean it's just the same as hooking another function. Anyway, the hard part is when WSARecv is used to perform overlapped operations. The idea is that when an application receives data to intercept that and be possible to modify this, I'm using pipes for this. The native DLL tunnels all data to a managed 'server'. This processes the input etc. and returns it back to the native DLL. This works great for WSASend, send and recv. However the hard part is when an application uses overlapped sockets.

So I need the received data first before I can process it, this is the hard part. How would I do something like this? I thought of this, but they both seem like a mess:

When WSARecv is called using the WSAOverlapped: Create a new thread, use WaitForSingleObject and pass the hEvent of the WSAOverlapped structure. When the event is signaled process the data to the managed server and pass the data to the program.

When WSARecv is called using the completion routine: Create a new thread, modify the call to the original function with lpOperationCompleted to a new function. Use SleepEx to put the thread in an alertable state. When the OperationCompleted is called process the data and pass data back to the program.

I could post my code, but I haven't written it, because this seems like a bad solution. So there is really no point.

I cannot think of a better solution and this seems horrible because when an application calls WSARecv a lot (for example a large server using overlapped sockets to handle lots of clients) it creates a new thread for every call and that just seems like a bad idea.

So how should I do this?

Recommended answer

There's no need to create a thread for each overlapped IO call.

When overlapped operations are used, they either have an associated event (which you can safely ignore), a completion routine, or are associated with an I/O Completion port.

To handle the first two cases you should hook both WSARecv() and WSAGetOverlappedResult().

If you need to handle the last, you'll also need to hook GetQueuedCompletionStatus()

Now, when you get a call to WSARecv(), for the event case, you do nothing special there (except possibly save some information in relation to the lpOverlapped, e.g. the buffer), and process the data in WSAGetOverlappedResult() (which the application must call to get the success/error and bytes transferred).

If a completion routine is present, save the lpOverlapped and lpCompletionRoutine, and pass your own completion routine to the real WSARecv().

Your routine should process the data and call the original completion routine.

To handle the I/O completion port case, have WSARecv() save lpOverlapped and buffers etc., in GetQueuedCompletionStatus(), call the original, and if the returned overlapped structure matches, handle the data.

You should also note that overlapped operations may complete immediately, in which case the event isn't signaled, the completion routine isn't called, and (IIRC) no completion is queued on the IOCP.
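
The bookkeeping the answer describes, as an added sketch that is not part of the original answer: one table keyed by the overlapped pointer, consulted from each hooked call, with a flag so the data is handled exactly once whether or not a notification follows an immediate completion. It is portable C with stand-in types; `track`, `on_complete`, `inspect` and `demo_routine` are hypothetical names, and hook installation is not shown.

```c
#include <stddef.h>
#include <string.h>

/* Stand-in types so this builds anywhere; a real hook would use
   LPWSAOVERLAPPED and LPWSAOVERLAPPED_COMPLETION_ROUTINE instead. */
typedef void (*completion_fn)(unsigned long err, unsigned long bytes, void *ov);

#define MAX_PENDING 64
struct pending {
    void *ov;            /* key: the caller's overlapped pointer */
    char *buf;           /* caller's receive buffer, saved at WSARecv time */
    completion_fn orig;  /* caller's completion routine, or NULL */
    int processed;       /* set once the data has been handled */
};
static struct pending table[MAX_PENDING]; /* assumption: guarded by a lock in real use */
int inspected, orig_calls;                /* demo counters */

/* Hypothetical processing step: the page's pipe round-trip would go here. */
void inspect(char *buf, unsigned long n) { (void)buf; (void)n; inspected++; }
/* Constructed stand-in for the application's own completion routine. */
void demo_routine(unsigned long e, unsigned long n, void *ov) {
    (void)e; (void)n; (void)ov; orig_calls++;
}

static struct pending *find(void *ov) {
    for (int i = 0; i < MAX_PENDING; i++)
        if (table[i].ov == ov) return &table[i];
    return NULL;
}

/* From the WSARecv hook, before forwarding the call: remember the operation. */
int track(void *ov, char *buf, completion_fn orig) {
    struct pending *p = ov ? find(NULL) : NULL;   /* first free slot */
    if (!p) return -1;
    p->ov = ov; p->buf = buf; p->orig = orig; p->processed = 0;
    return 0;
}

/* From every place a completion surfaces. final=0: WSARecv returned success at
   once; final=1: result query, completion routine, or dequeued completion. */
int on_complete(void *ov, unsigned long err, unsigned long bytes, int final) {
    struct pending *p = ov ? find(ov) : NULL;
    if (!p) return 0;                 /* not an operation we tracked */
    if (!p->processed && err == 0) { inspect(p->buf, bytes); p->processed = 1; }
    completion_fn orig = p->orig;
    if (final) memset(p, 0, sizeof *p);      /* release the slot */
    if (final && orig) orig(err, bytes, ov); /* chain to the application */
    return 1;
}
```

The return value of `on_complete` tells a hooked `GetQueuedCompletionStatus()` whether the dequeued overlapped structure belonged to a tracked receive, so unrelated completions pass through untouched.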