From: Thomas Dullien [dullien@gmx.de]
Sent: Thursday, October 28, 1999 10:52 AM
To: VULN-DEV@SECURITYFOCUS.COM
Subject: Re: Accessing IE/Netscape incoming data

> You patch winsock.dll typically. You move the official one to owinsck.dll
> and make your new winsock.dll reprocess all the calls then call the original.

Another (IMO nicer) solution is to hook all APIs of a given process; you can
do that quite easily in the PE Header of the target.

Basically you use OpenProcess(), ReadProcessMemory()
and WriteProcessMemory() to substitute the addresses in the PE Header that
point to the winsock library functions with pointers to your own functions. You can
add their code using VirtualAllocEx() and WriteProcessMemory() into the monitored
process's address space.
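
A defender-side check for the import-pointer substitution described in this message, as an added example that is not part of the original post: it reads the import address slots of a process snapshot and flags pointers that no longer land in the expected library image. The module ranges, the slot bytes and the helper names `owner` and `audit_iat` are constructed for illustration.

```python
import struct
from bisect import bisect_right

# Constructed snapshot of a 32-bit process (not real data): loaded module
# image ranges as (base, size, name), as a module enumeration would report them.
MODULES = [
    (0x00400000, 0x00020000, "browser.exe"),
    (0x75000000, 0x00010000, "wsock32.dll"),
    (0x75030000, 0x00040000, "ws2_32.dll"),
]

# Constructed import address slots for the wsock32.dll import descriptor:
# one 32-bit little-endian pointer per imported function, in name order.
IAT_NAMES = ["connect", "recv", "send", "closesocket"]
IAT_BYTES = struct.pack("<4I", 0x75001200, 0x00A50000, 0x75034560, 0x75001800)

def owner(addr, modules=MODULES):
    """Return the name of the module image containing addr, or None."""
    mods = sorted(modules)
    i = bisect_right([m[0] for m in mods], addr) - 1
    if i >= 0 and addr < mods[i][0] + mods[i][1]:
        return mods[i][2]
    return None

def audit_iat(iat_bytes, names, expected_dll, modules=MODULES):
    """Classify each slot as ok, other-module, or unbacked."""
    ptrs = struct.unpack("<%dI" % (len(iat_bytes) // 4), iat_bytes)
    findings = []
    for name, ptr in zip(names, ptrs):
        mod = owner(ptr, modules)
        if mod is None:
            # No loaded image owns this address: consistent with code written
            # into separately allocated memory, the strongest hook signal.
            verdict = "unbacked"
        elif mod.lower() != expected_dll.lower():
            # Can be a legitimate export forwarder; needs manual review.
            verdict = "other-module"
        else:
            verdict = "ok"
        findings.append((name, ptr, mod, verdict))
    return findings

if __name__ == "__main__":
    for name, ptr, mod, verdict in audit_iat(IAT_BYTES, IAT_NAMES, "wsock32.dll"):
        print("%-12s 0x%08X %-12s %s" % (name, ptr, mod or "-", verdict))
```

On a live system the module list and slot bytes would come from reading the monitored process rather than from constants; the classification logic stays the same.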
