I'm patching connect() to redirect network traffic as part of a library (NetHooker) and this works well, but it depends on ws2_32.dll remaining the same and doesn't work if the syscall is used directly. So what I'm wondering is if there's a way to catch the syscall itself without a driver. Anyone know if this is possible?
A:
Cody, maybe you could take a look at http://research.microsoft.com/en-us/projects/detours/
Also, I wrote some code that, given the name of a DLL export, will redirect it to another function pointer by patching the image in memory; let me know if you want the code.
Mo Flanagan
2009-01-27 23:04:09
Thanks for your input. Detours is a great library (aside from the licensing, but that's not really relevant here), but it only allows hooking functions rather than the actual syscall instructions. As far as I can see, this can only be done by a driver, sadly.
Cody Brocious
2009-01-28 16:51:40
+1
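As an added example (editor's code, not NetHooker and not the code the answer above offers), here is the import-table walk that "redirect a named DLL export by patching the image in memory" amounts to in user mode: find the IAT slot through which the module calls ws2_32.dll!connect and overwrite it. It assumes a PE32+ layout and runs over a constructed, minimal in-memory image with stand-in functions (real_connect, real_send, my_connect), so it compiles anywhere; on Windows the base would come from GetModuleHandle and the IAT page needs VirtualProtect before the write. Note the limitation the question already points at: only calls routed through that IAT slot are caught, so code that resolves connect with GetProcAddress, or issues the syscall itself, is not.

```c
/* Added example: IAT patching of a named import in a loaded PE32+ image.
 * Editor's code over constructed test data; not the answerer's or NetHooker's. */
#include <stdint.h>
#include <string.h>
#include <ctype.h>
#include <stdio.h>

#define DIR_IMPORT 1  /* IMAGE_DIRECTORY_ENTRY_IMPORT */

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static uint64_t rd64(const uint8_t *p) { uint64_t v; memcpy(&v, p, 8); return v; }
static void wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }
static void wr64(uint8_t *p, uint64_t v) { memcpy(p, &v, 8); }

static int ieq(const char *a, const char *b) {          /* case-insensitive equality */
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Walk the import directory of the image mapped at `base`, find the IAT slot
 * for dll!func, overwrite it with `hook`, return the original pointer
 * (NULL if not imported). Real use: base = GetModuleHandle(), and the IAT page
 * must be made writable with VirtualProtect() first. */
void *patch_import(uint8_t *base, const char *dll, const char *func, void *hook) {
    if (memcmp(base, "MZ", 2) != 0) return NULL;
    uint32_t pe = rd32(base + 0x3c);                      /* e_lfanew */
    if (memcmp(base + pe, "PE\0\0", 4) != 0) return NULL;
    const uint8_t *opt = base + pe + 24;                  /* optional header */
    uint16_t magic; memcpy(&magic, opt, 2);
    if (magic != 0x20b) return NULL;                      /* PE32+ only here */
    uint32_t imp_rva = rd32(opt + 112 + DIR_IMPORT * 8);  /* DataDirectory[1] */
    if (imp_rva == 0) return NULL;

    for (uint8_t *desc = base + imp_rva; rd32(desc + 12) != 0; desc += 20) {
        if (!ieq((const char *)base + rd32(desc + 12), dll)) continue;  /* Name */
        uint8_t *int_ = base + rd32(desc);                /* OriginalFirstThunk */
        uint8_t *iat  = base + rd32(desc + 16);           /* FirstThunk (the IAT) */
        for (; rd64(int_) != 0; int_ += 8, iat += 8) {
            uint64_t e = rd64(int_);
            if (e >> 63) continue;                        /* import by ordinal: no name */
            const char *name = (const char *)base + (uint32_t)e + 2;  /* skip hint */
            if (strcmp(name, func) != 0) continue;
            void *orig = (void *)(uintptr_t)rd64(iat);
            wr64(iat, (uint64_t)(uintptr_t)hook);
            return orig;
        }
    }
    return NULL;
}

/* Stand-ins for ws2_32!connect / send and a hook (constructed for the demo). */
typedef int (*fn_t)(void);
int real_connect(void) { return 10; }
int real_send(void)    { return 20; }
int my_connect(void)   { return 99; }   /* a real hook would rewrite the sockaddr here */

/* Minimal PE32+ image importing connect and send from ws2_32.dll. RVAs equal
 * offsets, as in a loaded image. Constructed test data, 0x220 bytes. */
void build_demo_image(uint8_t *img) {
    memset(img, 0, 0x220);
    memcpy(img, "MZ", 2);          wr32(img + 0x3c, 0x40);
    memcpy(img + 0x40, "PE\0\0", 4);
    uint16_t magic = 0x20b;        memcpy(img + 0x58, &magic, 2);
    wr32(img + 0x58 + 112 + 8, 0x180);  wr32(img + 0x58 + 112 + 12, 40);
    wr32(img + 0x180, 0x1b0); wr32(img + 0x18c, 0x1f0); wr32(img + 0x190, 0x1d0);
    wr64(img + 0x1b0, 0x200); wr64(img + 0x1b8, 0x210);   /* INT: name RVAs */
    wr64(img + 0x1d0, (uint64_t)(uintptr_t)real_connect); /* IAT slots */
    wr64(img + 0x1d8, (uint64_t)(uintptr_t)real_send);
    strcpy((char *)img + 0x1f0, "ws2_32.dll");
    strcpy((char *)img + 0x202, "connect");               /* hint(2) + name */
    strcpy((char *)img + 0x212, "send");
}

/* Call the n-th ws2_32 import the way compiled code does: through the IAT. */
int call_import(const uint8_t *img, int n) {
    fn_t f = (fn_t)(uintptr_t)rd64(img + 0x1d0 + 8 * n);
    return f();
}

int main(void) {
    uint8_t img[0x220];
    build_demo_image(img);
    printf("before: %d\n", call_import(img, 0));
    void *orig = patch_import(img, "WS2_32.DLL", "connect", (void *)(uintptr_t)my_connect);
    printf("after:  %d (original at %p)\n", call_import(img, 0), orig);
    return 0;
}
```

The DLL name is compared case-insensitively because import descriptors carry whatever casing the linker emitted, while the function name is exact; ordinal-only imports are skipped since they have no name to match.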
A:
Cody,
Instead of system call hooking, you might want to look into writing a layered service provider.
http://www.microsoft.com/msj/0599/LayeredService/LayeredService.aspx
Brian Mitchell
2009-03-22 19:37:15