Maggotboy's Super Stealth Sniffer V2 (code)

[kabl]

well i dug through the doc i seen about converting the data segment for borlands use but im at a bit of a loss as to what i have to fo now

i made a file for the datasegment

//file
#pragma option -zRSHARED

LPVOID gsh_pvEQKey = NULL;
BOOL gsh_bInjected = FALSE;
HHOOK gsh_hHook = NULL;
TCHAR gsh_szFileName[MAX_PATH] = {_T("\0")};
SOCKADDR_IN gsh_SEQAddr = {0};
DWORD gsh_xorby = 0;
TCHAR gsh_szEvent[MAX_PATH] = {_T("\0")};

//eof

i modifyed the .def file like so

//file
LIBRARY EQSNIFFER

SECTIONS
SHARED READ WRITE SHARED

EXPORTS
blah
blahblah
blahblahblah
//eof

and inside the main .cpp im not really 100% what i had to do as that doc isnt very detailed but im assuming i had to declare allthe datatypes extern but whatelse if any to modify im at a loss...

extern LPVOID gsh_pvEQKey;
extern BOOL gsh_bInjected;
extern HHOOK gsh_hHook;
extern TCHAR gsh_szFileName[MAX_PATH];
extern SOCKADDR_IN gsh_SEQAddr;
extern DWORD gsh_xorby;
extern TCHAR gsh_szEvent[MAX_PATH];

now when i try a comile with this as it is i get erros pointing to the shareddata seg .cpp saying declaration syntex error.....

far as i can tell i did what it said lol any input on this would be welcome..

[fooo]

To address the key press issue...

downloading platform sdk right now (to get dbmon) grats me on having Universal MSDN subscription.

I'm running the latest patch of windows XP, compiling with Visual Studio.NET 2003 (final beta) with no complile errors.

I have an athalon XP 1700 with 512 mb of ram on a MSI motherboard that uses the Via KT266A chipset.

I get the problem both with eqwin and normal everquest.

key presses do not always crash out eq!

it seems to be timing related. The login screen doesn't generally crash you out. But skipping past the everquest splash screens always does.

could be a race condition or something like that that is affecting the crash bug.

will get back with dbmon output.

~fooo

[maggotboy]

fooo -- hehe, aye... I'm an independent software developer, and for what I do, its worth the 2k/yr to have the Universal subscription.

However, you don't need it to download the platform sdk. Besides, if you have VS.NET, you've already got DBMON.EXE -- do a search in the VS install directory.

Maggotboy

[fooo]

heh my boss bought me the universal becuase I told him to... he fired me a while back, and forgot to cancel the subscription. poor him.

anyways here's the DBMON output

2100: Ignoring process attach request for C:\WINDOWS\SYSTEM32\RUNDLL32.EXE
2100: Creating event handle "27.tmp"
2264: time()-cpuSpeed:1462311
2264: TimeGetTime-cpuSpeed: 1470296
2264: Found EQ Process!
2264: Injecting code length 25600 ...
2264: Code allocated at 0x02470000
2264: Setting hook procedure...
2264: Opening global event "27.tmp"




eqcrashes right at 2264 =)

~fooo

[T.C. Jaguar]

Maggotboy,

EQ is crashing when I press a key at the Sony splash screen. rundll32 does exit once eqgame.exe is found.

Athlon 1 GHz, 512 MB RAM, WinXP SP1, VS.NET

1764: Ignoring process attach request for C:\WINDOWS\SYSTEM32\RUNDLL32.EXE
1764: Creating event handle "6F.tmp"
224: time()-cpuSpeed:999984
224: TimeGetTime-cpuSpeed: 1020220
224: Found EQ Process!
224: Injecting code length 132096 ...
224: Code allocated at 0x02460000
224: Setting hook procedure...
224: Opening global event "6F.tmp"

[fooo]

heh... looks like the bug is verified =P

[notaguru]

using VC++ 6.0 Sp5

Ver 2.05 compiles fine with no errors and sends key to the proper port and address.

Hardware:
P4 1.8 512mb intel board geforce4 video

Os:
Win98se

Problem:
after exiting eq, rundll32 is still in the process list and I have to ctr/alt/del then end task to get it out. Going to system info show ******.dll as a system hook, type: Keyboard. Using the renamed ReleaseHook function doesn't exit either.

Question:
Any idea on where I screwed up? What other information do I need to give?

Thanks

PS Great work Maggotboy, Thanks for all the effort and help you have provided here

[Crux]

Make sure SEQ is listening on a port above 1000, preferably above 4000.

'twas my problem. thanks

[Stormdvill]

My Project compiles fine with VS6

When I launch Rundll32 mydll.dll,myInstallHook x.x.x.x 5555 eqgame.exe 0x0078AAD0

With version 1.4 or 2.0 I get the following error dialog box:
An exption occurred while trying to run "mydll.dll,myInstallHook x.x.x.x 5555 eqgame.exe 0x0078AAD0"

It stop on the return statement in the debugger:

// Global hook procedure which captures all mouse events for all processes.
LRESULT CALLBACK EQHOOKPROC(int nCode, WPARAM wParam, LPARAM lParam)
{
// Do-nothing hook procedure ...
return CallNextHookEx(gsh_hHook, nCode, wParam, lParam);
}

It was working great with one of the older version of 2. However I seem to have copied over the working code

Thanks for any help

*Edit I'm on WinXP on my development workstation and gaming workstation if that helps at all...

[seqseq]

Unexpected EOF, line 605 when I try to compile with VC++.net

Version 2.05 of the code as well.

Hmm..

By the way, Maggotboy, this is absolutely amazing!

[Lube~]

Just want to say great work Maggotboy, keep up the good work.

I just downloaded revision 2.05, followed your guide to the letter and it compiled and works like a dream.

Used the following if anyone is interested.

MS Visual Studio C++ 6.0 Enterprise Ed. with SP5
Win2k with SP3

Lube~

[falkore]

DBMON.EXE not installed with VS.net.

Anyhow. Win2K all SP's, VS.NET (academic).

First keystroke dumps eqgame.exe from process list (Kills the Pid, seems)..


It's a bug. =)

[domesticbeer]

Once I press any key bam! right to desktop

Here is dbmon output
2552: Ignoring process attach request for C:\WINDOWS\SYSTEM32\RUNDLL32.EXE
2552: Creating event handle "7C.tmp"
3660: time()-cpuSpeed:1495734
3660: TimeGetTime-cpuSpeed: 1512344
3660: Found EQ Process!
3660: Injecting code length 37888 ...
3660: Code allocated at 0x09940000
3660: Setting hook procedure...
3660: Opening global event "7C.tmp"


using winxp sp1 and VS.Net Enterprise Arch to compile it.

[Ekin]

Finally , it work . Thanks guys.

But , any idea how to make it work with eqw ?

It seem the key screwed up if eq running on eqw .

[darkgrue]

If all you need is a simple debugger, just to view output from OutputDebugString() function, then you may want to check out DebugView from Sysinternals. It is a much, much smaller download.

I was able to get it up and running instantly, as opposed to the Microsoft Debugging Tools. For that you can expect a 7MB download. I gave up trying to decode the bewildering array of options just to get it to cough up the debug messages I wanted. It's obviously a much more powerful tool, but for someone who isn't familiar with the MS development environment or tools, the learning curve is nearly vertical.

I rewrote Maggotboy's 2.05 code to improve the debugging output. However, I was an idiot and left my source at home. I'll post it come the new week. No one will probably miss it, since the code works great without the changes. Mostly did it as part of eyeballing the code to understand at least in broad terms what it was doing and when.

I really wanted to use OutputDebugString within InternalHookProc, but it didn't take me long to realize (CRASH!) that OutputDebugString would probably have to be referenced in the INJECTSTRUCT for the same reason everything else is. I'll play around with that, but if someone who knows what they're doing wants to beat me to the punch (you'll have all weekend <grin>), be my guest.