Hooking WSARecv

Started by
0 comments, last by ApochPiQ 13 years, 10 months ago
I'm trying to hook WSARecv, and so far I did great.
I replaced the epilogue code of the original function with a JMP to my fake function. Now, when it comes to reading the data, it seems that the data keeps repeating itself. Sometimes, my fake function gets called twice, with the same data in the buffer. It is very strange, since I'm handling the buffer after everything is received.

Below is my fake function:

    class oCHook {
        .....
        static void WSARecv();
        .....
    };

    void __declspec(naked) oCHook::WSARecv()
    {
        static SOCKET s;
        static LPWSABUF buf;
        static DWORD dwReturn;

        __asm mov dwReturn, eax        // eax holds the return value of the original WSARecv
        __asm push eax
        __asm mov eax, [ebp + 8]       // first argument: the socket
        __asm mov s, eax
        __asm mov eax, [ebp + 12]      // second argument: lpBuffers
        __asm mov buf, eax

        if (dwReturn > 0)
            pThis->_WSARecv(s, buf);
        // pThis is a static member containing the instance of the parent class
        // _WSARecv is the function that handles the data obtained by the hook.
        // Now, for some reason _WSARecv gets called twice or even more times,
        // having the same data in the buffer.
        // What can be wrong?

        __asm pop eax
        __asm pop esi
        __asm leave
        __asm retn 0x1C                // WSARecv is __stdcall with 7 arguments: 28 (0x1C) bytes
    }
The buffer passed to WSARecv() is not a single structure, but an array of buffer structures. You need to look at the number of buffers provided and the size of each one to determine how much data was actually read off the socket.

Wielder of the Sacred Wands
[Work - ArenaNet] [Epoch Language] [Scribblings]
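The point made in the reply above, as an added example that is not part of the original thread: only the byte count reported for one call (`*lpNumberOfBytesRecvd`) is fresh data, spread in order across the `dwBufferCount` buffers, and everything past it is left over from earlier calls. `wsabuf_t` and `gather_received` are hypothetical names, and the struct is a stand-in for Winsock's `WSABUF` so the code builds without `<winsock2.h>`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for Winsock's WSABUF (a length plus a pointer); an assumption
   made so the example compiles without the Windows headers. */
typedef struct {
    uint32_t len;   /* capacity of this buffer in bytes */
    char    *buf;   /* start of this buffer */
} wsabuf_t;

/* Copy the bytes that one receive call actually delivered into `out`.
   bufs, count : the buffer array and its element count
   received    : the byte count reported for this call
   Returns the number of bytes copied; bytes past `received` are stale
   and are never read. */
size_t gather_received(const wsabuf_t *bufs, uint32_t count,
                       uint32_t received, char *out, size_t out_cap)
{
    size_t copied = 0;
    uint32_t remaining = received;

    for (uint32_t i = 0; i < count && remaining > 0; i++) {
        /* Data fills the buffers in order; the last one used may be partial. */
        uint32_t take = bufs[i].len < remaining ? bufs[i].len : remaining;
        if (bufs[i].buf == NULL || take > out_cap - copied)
            break;                      /* malformed array or output full */
        memcpy(out + copied, bufs[i].buf, take);
        copied += take;
        remaining -= take;
    }
    return copied;
}

int main(void)
{
    /* Constructed sample: two 8-byte buffers still hold an older message
       when a new 10-byte message overwrites the front of them. */
    char a[8], b[8], out[32];
    memcpy(a, "OLDDATA1", 8);  memcpy(b, "OLDDATA2", 8);
    wsabuf_t bufs[2] = { { 8, a }, { 8, b } };
    memcpy(a, "HELLO, W", 8);  memcpy(b, "OR", 2);

    size_t n = gather_received(bufs, 2, 10, out, sizeof out);
    printf("%.*s\n", (int)n, out);      /* only the 10 fresh bytes */
    return 0;
}
```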

This topic is closed to new replies.
