Here are some ideas on how you can test the functionality of your keysniffers without launching EQ ...
This method will work with any of the keysniffers on here. Depending on how your code works, you might have to pass your sniffer different parameters. If you've hardcoded everything, then you'll need to make changes in the code to use this method.
1) On your windows box, open up Internet Explorer (only once) and minimize it. I recommend IE because it initializes winsock. Some sniffers (like Maggotboy's hooking version) do not initialize winsock themselves; they rely on the hooked app to do it.
2) On your Linux box, open up a shell window. Launch tcpdump so that it reads only packets from your windows box and only on the port you want. For example:
tcpdump 'host 1.2.3.4 && port 12345'
(where 1.2.3.4 is replaced with the address of your windows box, and 12345 is replaced with the port you selected for sniffing.)
3) If testing the hooking sniffer, start it, setting the offset to 0x01000000. For example:
rundll32.exe mysniff.dll,InstallHook 192.168.1.1 12345 iexplore.exe 0x01000000
(replace 192.168.1.1 with the address of your seq box, and 12345 with the port of your choice -- must match the port you selected for tcpdump)
4) If testing a 'regular' keysniffer, set (or hardcode) the process name to iexplore.exe and the offset to 0x01000000. Run the sniffer.
5) Watch the tcpdump screen. You should see something like:
08:25:22.123456 a.b.c.d.xxxx > j.k.l.m.yyyyy: udp 8
a.b.c.d is the address of your windows box.
xxxx is the sending port number. This is an ephemeral port, so the number will vary.
j.k.l.m should be the address of your seq box
yyyyy should be the port you specified to use.
udp 8 indicates there were 8 bytes of data sent in a udp packet.
*******************************
Notes:
This tests only that your sniffer is sending something. It does not verify that it is sending the key correctly.
To verify that what you are ripping from memory is being sent correctly, you need to have a way to look at the key the windows box is getting. You can either launch a sniffer that outputs it to the screen, or run Maggotboy's hook from a debugger.
On the linux box, launch tcpdump with the -X option.
tcpdump -X 'host 1.2.3.4 && port 12345'
When you send the key, you will receive a line similar to the one above. However, you will also receive three lines of Hex + Ascii dump. The dump starts with the IP header (20 bytes) followed by the UDP header (8 bytes), so the key actually appears starting at offset 0x001C in the dump.
Also note that the 'endian-ness' may be different from what you expect. If you have a keysniffer that displays the key with a printf command like:
printf ("Key = \t0x%016llx\n\n", key);
or
printf ("Key = \t0x%016I64x\n\n", key);
the udp key will appear to be "flipped." For example:
if printf gives: key = 0x12345678abcdefgh (8 bytes, 64 bits)
starting at offset 0x1c in tcpdump you will see:
ghef cdab 7856 3412
*************************************
Once you reach this point successfully, you can be reasonably sure that:
1) your keysniffer is correctly sending udp data
2) your keysniffer is correctly sending what it thinks it found at the offset given.
The only question remaining is: did it get the actual key, or did it get garbage?
There is one way to tell for sure -- fire up EQ, get a key, and see if seq decodes properly.
The other way is to write a program that has known values placed at a certain location and see if you get what is expected in return...
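As an added illustration (not code from the original post or from any of the sniffers mentioned), the script below ties together the endian-ness note above and this known-value idea. It assumes an x86 box that stores the key little-endian and copies it raw into the UDP payload, uses a constructed test value 0x1122334455667788 in place of a real key, and runs entirely over loopback so no second box is needed. It shows how the same value looks to printf, how it looks in the 16-bit groups tcpdump -X prints from offset 0x1c, and whether a UDP listener decodes it back to the value you started with:

```python
import socket
import struct

# Constructed test value: a recognisable 64-bit pattern, not a real key.
KNOWN_KEY = 0x1122334455667788

# IPv4 header (20 bytes) + UDP header (8 bytes) precede the payload in a
# tcpdump -X dump, so the first payload byte sits at offset 0x1c.
PAYLOAD_OFFSET = 0x1C


def key_to_wire(key):
    """Serialize a 64-bit key the way a raw memcpy on an x86 box would:
    little-endian, least significant byte first."""
    return struct.pack("<Q", key)


def wire_to_key(payload):
    """Inverse of key_to_wire: rebuild the integer from 8 little-endian bytes.
    Any other length means the sender is not emitting exactly one 64-bit key."""
    if len(payload) != 8:
        raise ValueError("expected exactly 8 bytes, got %d" % len(payload))
    return struct.unpack("<Q", payload)[0]


def tcpdump_groups(payload):
    """Render bytes in tcpdump -X style: 16-bit groups of lowercase hex,
    exactly as they appear from offset 0x1c in the dump."""
    return " ".join(payload[i:i + 2].hex() for i in range(0, len(payload), 2))


def loopback_roundtrip(key, host="127.0.0.1"):
    """Send the serialized key over UDP to a listener on the same box and
    return what the listener decodes. Port 0 lets the OS pick a free port,
    so this stands in for the 'seq box' side of the test."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind((host, 0))
    listener.settimeout(2.0)
    port = listener.getsockname()[1]
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sender.sendto(key_to_wire(key), (host, port))
        data, _ = listener.recvfrom(64)
    finally:
        sender.close()
        listener.close()
    return wire_to_key(data)


if __name__ == "__main__":
    wire = key_to_wire(KNOWN_KEY)
    print("printf would show  : Key = 0x%016x" % KNOWN_KEY)
    print("tcpdump -X at 0x%04x: %s" % (PAYLOAD_OFFSET, tcpdump_groups(wire)))
    print("tcpdump length     : udp %d" % len(wire))
    print("loopback decode    : 0x%016x" % loopback_roundtrip(KNOWN_KEY))
```

For the constructed value, printf shows 0x1122334455667788 while the dump shows 8877 6655 4433 2211, which is the same byte-reversal as the ghef cdab 7856 3412 example above. If a real sender's dump does not match what key_to_wire produces for the value the sniffer printed, the transport or the serialization is wrong, independent of whether the bytes read from memory were the key.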
**************************************
I hope this is helpful. I prefer to test my applications with something other than the actual eq executable as much as possible.