From: m on
look at Detours in MSDN

"AG" <heyji2(a)gmail.com> wrote in message
news:766c84f2-e56a-4dab-9c2e-21fd0c404553(a)i31g2000yqm.googlegroups.com...
> Hello,
>
> I am working on a taint tracing tool, and for this I would like to
> intercept socket opening and closing, and reads from sockets.
>
> On Linux, this can be done by intercepting system calls
> (SYS_socketcall, SYS_read, SYS_close), but on Windows, how can I
> monitor such things? In the system call table (given by Metasploit),
> I don't see the equivalent calls. Though, monitoring the system calls
> during a simple client/server communication, I have identified the
> following function calls:
>
> NtCreateFile (for socket opening ?)
> NtDeviceIoControlFile (for controlling the socket ?)
> NtRequestWaitReplyPort
> NtWaitForSingleObject
> NtQueryInformationProcess
> NtClose
> NtUnmapViewOfSection
> NtAllocateVirtualMemory
> NtTerminateProcess
>
> I tried to display some of their buffers, without being able to find
> any of the transmitted data of the communication.
>
> Is there a way to intercept the data buffers in use during read/write
> through a socket if I monitor system calls, or is it useless because
> things do not go like I imagine?
>
> Thanks in advance for your help,
>
> AG.
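As an added illustration of the Detours suggestion for AG's use case (this is not m's or AG's code, nor a sample from MSDN): a user-mode hook on Winsock `recv` that records the bytes a socket read returns as tainted. The Detours API calls and `detours.h` are assumed to be available when building on Windows (link against `detours.lib`); the taint bookkeeping itself is portable so it can be exercised on any platform.

```cpp
#include <cstddef>
#include <cstdint>
#include <map>

// Bookkeeping for taint tracing: which byte ranges originated from a socket.
// Ranges are keyed by start address; a later mark at the same start replaces it.
struct TaintMap {
    std::map<uintptr_t, size_t> ranges;  // start address -> length in bytes

    void mark(const void* p, size_t n) {
        if (n) ranges[reinterpret_cast<uintptr_t>(p)] = n;
    }
    // True if address p lies inside a recorded tainted range.
    bool isTainted(const void* p) const {
        uintptr_t a = reinterpret_cast<uintptr_t>(p);
        auto it = ranges.upper_bound(a);      // first range starting after a
        if (it == ranges.begin()) return false;
        --it;                                 // last range starting at or before a
        return a < it->first + it->second;
    }
};

// Shared by the hook and the tests: recv() returns the byte count on success,
// 0 when the peer closed, and a negative value (SOCKET_ERROR) on failure.
// Only bytes actually received are tainted.
void recordRecv(TaintMap& tm, const char* buf, int ret) {
    if (ret > 0) tm.mark(buf, static_cast<size_t>(ret));
}

#ifdef _WIN32
#include <winsock2.h>
#include <windows.h>
#include <detours.h>   // Microsoft Detours (assumed installed; link detours.lib)

static TaintMap g_taint;
// Trampoline to the original recv; Detours rewrites it on attach.
static int (WINAPI *Real_recv)(SOCKET, char*, int, int) = recv;

static int WINAPI Hooked_recv(SOCKET s, char* buf, int len, int flags) {
    int n = Real_recv(s, buf, len, flags);
    recordRecv(g_taint, buf, n);   // bytes that came off the wire are tainted
    return n;
}

// Install the hook once, e.g. from DllMain(DLL_PROCESS_ATTACH) of an injected DLL.
bool installRecvHook() {
    DetourTransactionBegin();
    DetourUpdateThread(GetCurrentThread());
    DetourAttach(&(PVOID&)Real_recv, Hooked_recv);
    return DetourTransactionCommit() == NO_ERROR;
}
#endif
```

The same pattern applies to `WSARecv`, `send` and `closesocket` for the full socket lifecycle AG describes; the NtDeviceIoControlFile calls seen in the syscall trace are what these Winsock functions turn into below the AFD driver, which is why the payload is hard to find at that layer.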

From: AG on
On Jul 14, 12:32 am, "m" <m...(a)b.c> wrote:
> look at Detours in MSDN

Hello m,

I have difficulties accessing the web page on the Microsoft web site. But
I have seen that it is dated from 1999, and I assume it does the same
thing as PIN (from Intel), which I am using for this.

But I will definitely try to have a look, as well as at the TDI filters,
and come back if it is not what I need.

Thank you all.

AG.