Attempt to fix/hook iphlpapi GetTcpTable()

L2Detect.vcxproj

@@ -247,6 +247,7 @@
   </ItemGroup>
   <ItemGroup>
     <ClCompile Include="l2detect\ConfigIni.cpp" />
+    <ClCompile Include="l2detect\net_hook_iphlp.cpp" />
     <ClCompile Include="l2detect\RemoteServerInfo.cpp" />
     <ClCompile Include="l2detect\main.cpp" />
     <ClCompile Include="l2detect\stdafx.cpp">

L2Detect.vcxproj.filters

@@ -802,5 +802,8 @@
       <Filter>containers\array</Filter>
     </ClCompile>
     <ClCompile Include="l2detect\fakeExport.cpp" />
+    <ClCompile Include="l2detect\net_hook_iphlp.cpp">
+      <Filter>hooks</Filter>
+    </ClCompile>
   </ItemGroup>
 </Project>

l2detect/DebugDlg.cpp

@@ -308,6 +308,7 @@ void DebugDlg_OnBnClickedValidateInterception( HWND hDlg )
 	if( GetModuleHandleW( L"iphlpapi.dll" ) )
 	{
 		log_error( LOG_WARNING, "Iphlpapi.dll loaded\n" );
+		Hook_GetTcpTable();
 	}
 	else
 	{

l2detect/net_hook.h

@@ -12,6 +12,9 @@ void Hook_RestoreConnect_my();
 bool Hook_ValidateInterception_my();
 bool Hook_IsWinsockConnectOrig();
 bool Hook_CheckVirtualProtect();
+void Hook_GetTcpTable();
+
+BOOL __stdcall Call_VirtualProtectEx( HANDLE hProcess, LPVOID lpAddress, SIZE_T dwSize, DWORD flNewProtect, PDWORD lpflOldProtect );
 
 // checking hooks
 extern const unsigned char original_ws2_32_connect_6_bytes[6];

l2detect/net_hook_iphlp.cpp

@@ -0,0 +1,32 @@
+#include "stdafx.h"
+#include "net_hook.h"
+#include "Logger.h"
+#include "ConfigIni.h"
+
+#define INSTR_INT3 0xCC
+
+void Hook_GetTcpTable()
+{
+	DWORD oldProtect = 0;
+	HANDLE hCurProc = GetCurrentProcess();
+	HMODULE hIP = GetModuleHandleW( L"iphlpapi.dll" );
+	if( !hIP )
+	{
+		log_error( LOG_ERROR, "Hook_GetTcpTable(): iphlpapi.dll not loaded\n" );
+		return;
+	}
+	unsigned char *addr = (unsigned char *)GetProcAddress( hIP, "GetTcpTable" );
+	if( addr )
+	{
+		log_error( LOG_DEBUG, "Hook_GetTcpTable(): INT3 on iphlpapi.dll!GetTcpTable() (addr = 0x%08X)\n", (unsigned)addr );
+		Call_VirtualProtectEx( hCurProc, addr, 1, PAGE_READWRITE, &oldProtect );
+		addr[0] = INSTR_INT3;
+	}
+	addr = (unsigned char *)GetProcAddress( hIP, "GetTcpTable2" );
+	if( addr )
+	{
+		log_error( LOG_DEBUG, "Hook_GetTcpTable(): INT3 on iphlpapi.dll!GetTcpTable2() (addr = 0x%08X)\n", (unsigned)addr );
+		Call_VirtualProtectEx( hCurProc, addr, 1, PAGE_READWRITE, &oldProtect );
+		addr[0] = INSTR_INT3;
+	}
+}

l2detect/net_hook_my.cpp

@@ -70,6 +70,7 @@ unsigned int   Proxied_VirtualProtectEx = 0;
 
 
 BOOL __stdcall Proxy_VirtualProtectEx( HANDLE hProcess, LPVOID lpAddress, SIZE_T dwSize, DWORD flNewProtect, PDWORD lpflOldProtect );
+BOOL __stdcall Call_VirtualProtectEx( HANDLE hProcess, LPVOID lpAddress, SIZE_T dwSize, DWORD flNewProtect, PDWORD lpflOldProtect );
 
 
 void Hook_InterceptConnect_my()
@@ -623,3 +624,27 @@ __declspec(naked) BOOL __stdcall
 	__asm mov ebp, esp
 	__asm jmp Proxied_VirtualProtectEx
 }
+
+
+BOOL __stdcall Call_VirtualProtectEx( HANDLE hProcess, LPVOID lpAddress, SIZE_T dwSize, DWORD flNewProtect, PDWORD lpflOldProtect )
+{
+	BOOL vp_ret = FALSE;
+	if( Proxied_VirtualProtectEx )
+	{
+		log_error( LOG_DEBUG, "Call_VirtualProtectEx(): using proxy...\n" );
+		vp_ret = Proxy_VirtualProtectEx( hProcess, (void *)connect_orig, 6, flNewProtect, lpflOldProtect );
+	}
+	else
+	{
+		log_error( LOG_DEBUG, "Call_VirtualProtectEx(): calling real...\n" );
+		vp_ret = VirtualProtectEx( hProcess, (void *)connect_orig, 6, flNewProtect, lpflOldProtect );
+	}
+	if( !vp_ret )
+	{
+		DWORD le = GetLastError();
+		log_error( LOG_ERROR, "Call_VirtualProtectEx(): failed for address 0x%08X (err = 0x%08X (%d))\n",
+			(unsigned int)lpAddress, le, le );
+		SetLastError( le );
+	}
+	return vp_ret;
+}