From 9fe62a42745d800035ebb2585fe22ba1680a39ea Mon Sep 17 00:00:00 2001
From: "alexey.min"
Date: Mon, 13 Feb 2012 13:31:46 +0000
Subject: [PATCH] Attempt to fix/hook iphlpapi GetTcpTable()

---
 L2Detect.vcxproj | 1 +
 L2Detect.vcxproj.filters | 3 +++
 l2detect/DebugDlg.cpp | 1 +
 l2detect/net_hook.h | 3 +++
 l2detect/net_hook_iphlp.cpp | 32 ++++++++++++++++++++++++++++++++
 l2detect/net_hook_my.cpp | 25 +++++++++++++++++++++++++
 6 files changed, 65 insertions(+)
 create mode 100644 l2detect/net_hook_iphlp.cpp

diff --git a/L2Detect.vcxproj b/L2Detect.vcxproj
index 1a9e1af..a6657c1 100644
--- a/L2Detect.vcxproj
+++ b/L2Detect.vcxproj
@@ -247,6 +247,7 @@
+
diff --git a/L2Detect.vcxproj.filters b/L2Detect.vcxproj.filters
index 5dfe47b..84f6a0a 100644
--- a/L2Detect.vcxproj.filters
+++ b/L2Detect.vcxproj.filters
@@ -802,5 +802,8 @@
 containers\array
+
+ hooks
+
\ No newline at end of file
diff --git a/l2detect/DebugDlg.cpp b/l2detect/DebugDlg.cpp
index 4a22b63..0014fe4 100644
--- a/l2detect/DebugDlg.cpp
+++ b/l2detect/DebugDlg.cpp
@@ -308,6 +308,7 @@ void DebugDlg_OnBnClickedValidateInterception( HWND hDlg )
 if( GetModuleHandleW( L"iphlpapi.dll" ) )
 {
 log_error( LOG_WARNING, "Iphlpapi.dll loaded\n" );
+ Hook_GetTcpTable();
 }
 else
 {
diff --git a/l2detect/net_hook.h b/l2detect/net_hook.h
index 55f0718..2fff25b 100644
--- a/l2detect/net_hook.h
+++ b/l2detect/net_hook.h
@@ -12,6 +12,9 @@ void Hook_RestoreConnect_my();
 bool Hook_ValidateInterception_my();
 bool Hook_IsWinsockConnectOrig();
 bool Hook_CheckVirtualProtect();
+void Hook_GetTcpTable();
+
+BOOL __stdcall Call_VirtualProtectEx( HANDLE hProcess, LPVOID lpAddress, SIZE_T dwSize, DWORD flNewProtect, PDWORD lpflOldProtect );
 // checking hooks
 extern const unsigned char original_ws2_32_connect_6_bytes[6];
diff --git a/l2detect/net_hook_iphlp.cpp b/l2detect/net_hook_iphlp.cpp
new file mode 100644
index 0000000..5c9d2f6
--- /dev/null
+++ b/l2detect/net_hook_iphlp.cpp
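Review bot: `Hook_GetTcpTable();` is now called from `DebugDlg_OnBnClickedValidateInterception()`, so a handler whose name promises a read-only validation also installs a code patch, and nothing in this commit can undo it: the net_hook.h hunk declares no restore counterpart, whereas the connect hook pairs `Hook_InterceptConnect_my()` with `Hook_RestoreConnect_my()`. Consider declaring a matching `Hook_RestoreGetTcpTable()` (proposed name) that writes back the byte saved before patching, and either moving the install to its own action or at least annotating the call, e.g. `// side effect: plants a permanent INT3 on GetTcpTable/GetTcpTable2 (diagnostic only)`. The enclosing DebugDlg_OnBnClickedValidateInterception() starts and ends outside the hunk.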
@@ -0,0 +1,32 @@
+#include "stdafx.h"
+#include "net_hook.h"
+#include "Logger.h"
+#include "ConfigIni.h"
+
+#define INSTR_INT3 0xCC
+
+void Hook_GetTcpTable()
+{
+ DWORD oldProtect = 0;
+ HANDLE hCurProc = GetCurrentProcess();
+ HMODULE hIP = GetModuleHandleW( L"iphlpapi.dll" );
+ if( !hIP )
+ {
+ log_error( LOG_ERROR, "Hook_GetTcpTable(): iphlpapi.dll not loaded\n" );
+ return;
+ }
+ unsigned char *addr = (unsigned char *)GetProcAddress( hIP, "GetTcpTable" );
+ if( addr )
+ {
+ log_error( LOG_DEBUG, "Hook_GetTcpTable(): INT3 on iphlpapi.dll!GetTcpTable() (addr = 0x%08X)\n", (unsigned)addr );
+ Call_VirtualProtectEx( hCurProc, addr, 1, PAGE_READWRITE, &oldProtect );
+ addr[0] = INSTR_INT3;
+ }
+ addr = (unsigned char *)GetProcAddress( hIP, "GetTcpTable2" );
+ if( addr )
+ {
+ log_error( LOG_DEBUG, "Hook_GetTcpTable(): INT3 on iphlpapi.dll!GetTcpTable2() (addr = 0x%08X)\n", (unsigned)addr );
+ Call_VirtualProtectEx( hCurProc, addr, 1, PAGE_READWRITE, &oldProtect );
+ addr[0] = INSTR_INT3;
+ }
+}
diff --git a/l2detect/net_hook_my.cpp b/l2detect/net_hook_my.cpp
index 066f585..0a3dce4 100644
--- a/l2detect/net_hook_my.cpp
+++ b/l2detect/net_hook_my.cpp
@@ -70,6 +70,7 @@ unsigned int Proxied_VirtualProtectEx = 0;
 BOOL __stdcall Proxy_VirtualProtectEx( HANDLE hProcess, LPVOID lpAddress, SIZE_T dwSize, DWORD flNewProtect, PDWORD lpflOldProtect );
+BOOL __stdcall Call_VirtualProtectEx( HANDLE hProcess, LPVOID lpAddress, SIZE_T dwSize, DWORD flNewProtect, PDWORD lpflOldProtect );
 void Hook_InterceptConnect_my()
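Review bot: The return value of `Call_VirtualProtectEx()` is ignored at both patch sites in Hook_GetTcpTable(), so a failed protection change is followed by `addr[0] = INSTR_INT3;` on a page that is still read/execute-only, which faults inside the host process. The request is also `PAGE_READWRITE` rather than `PAGE_EXECUTE_READWRITE`, and `oldProtect` is filled in but never written back, so a code page of iphlpapi.dll stays non-executable for the rest of the process lifetime under DEP, and nothing calls `FlushInstructionCache()` after the byte changes. The two sites differ only in the export name, so the result check, the protection restore and the flush fit in one static helper as sketched below; this relies on `Call_VirtualProtectEx()` honouring its lpAddress/dwSize arguments, which the net_hook_my.cpp hunk does not yet do. Planting INT3 this way is only survivable if an EXCEPTION_BREAKPOINT handler exists elsewhere; none is visible in this commit, so a file-level comment naming where it lives (or stating that this is a crash-on-call diagnostic) would help the next reader, and `#include "ConfigIni.h"` appears unused in this file.
```cpp
// Plants an INT3 on the first byte of one iphlpapi export.  Returns false when the
// export is missing or the page could not be made writable (no write is attempted then).
static bool PatchExportWithInt3( HANDLE hCurProc, HMODULE hIP, const char *symName )
{
	unsigned char *addr = (unsigned char *)GetProcAddress( hIP, symName );
	if( !addr )
		return false;
	// (unsigned)addr assumes a 32-bit build, like the surrounding __stdcall/naked code
	log_error( LOG_DEBUG, "Hook_GetTcpTable(): INT3 on iphlpapi.dll!%s() (addr = 0x%08X)\n", symName, (unsigned)addr );
	DWORD oldProtect = 0;
	if( !Call_VirtualProtectEx( hCurProc, addr, 1, PAGE_EXECUTE_READWRITE, &oldProtect ) )
		return false;   // Call_VirtualProtectEx() has already logged the failure
	addr[0] = INSTR_INT3;
	// put the original protection back and make the new byte visible to the CPU
	DWORD ignored = 0;
	Call_VirtualProtectEx( hCurProc, addr, 1, oldProtect, &ignored );
	FlushInstructionCache( hCurProc, addr, 1 );
	return true;
}

void Hook_GetTcpTable()
{
	// … unchanged: iphlpapi.dll module lookup and early return when not loaded …
	PatchExportWithInt3( hCurProc, hIP, "GetTcpTable" );
	PatchExportWithInt3( hCurProc, hIP, "GetTcpTable2" );
}
```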
@@ -623,3 +624,27 @@ __declspec(naked) BOOL __stdcall
 __asm mov ebp, esp
 __asm jmp Proxied_VirtualProtectEx
 }
+
+
+BOOL __stdcall Call_VirtualProtectEx( HANDLE hProcess, LPVOID lpAddress, SIZE_T dwSize, DWORD flNewProtect, PDWORD lpflOldProtect )
+{
+ BOOL vp_ret = FALSE;
+ if( Proxied_VirtualProtectEx )
+ {
+ log_error( LOG_DEBUG, "Call_VirtualProtectEx(): using proxy...\n" );
+ vp_ret = Proxy_VirtualProtectEx( hProcess, (void *)connect_orig, 6, flNewProtect, lpflOldProtect );
+ }
+ else
+ {
+ log_error( LOG_DEBUG, "Call_VirtualProtectEx(): calling real...\n" );
+ vp_ret = VirtualProtectEx( hProcess, (void *)connect_orig, 6, flNewProtect, lpflOldProtect );
+ }
+ if( !vp_ret )
+ {
+ DWORD le = GetLastError();
+ log_error( LOG_ERROR, "Call_VirtualProtectEx(): failed for address 0x%08X (err = 0x%08X (%d))\n",
+ (unsigned int)lpAddress, le, le );
+ SetLastError( le );
+ }
+ return vp_ret;
+}
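Review bot: `Call_VirtualProtectEx()` ignores its `lpAddress` and `dwSize` parameters and protects `(void *)connect_orig` with a hard-coded size of 6 on both the proxy branch and the real branch, which looks carried over from the connect-hook path; the new caller in net_hook_iphlp.cpp therefore changes protection on the connect() page and then writes into GetTcpTable's page, while the failure message still reports `lpAddress`. Both calls should forward the arguments: `vp_ret = Proxy_VirtualProtectEx( hProcess, lpAddress, dwSize, flNewProtect, lpflOldProtect );` and `vp_ret = VirtualProtectEx( hProcess, lpAddress, dwSize, flNewProtect, lpflOldProtect );`. The error log also prints the DWORD `le` with `%d`; `%lu` (or a cast) matches the type and keeps -Wformat quiet. A short header comment saying that the wrapper exists so every protection change goes through the proxied VirtualProtectEx when one is installed, and that it preserves GetLastError() across the logging call, would spare the next reader from re-deriving it.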