From: Thomas Dullien [dullien@gmx.de] Sent: Thursday, October 28, 1999 10:52 AM To: VULN-DEV@SECURITYFOCUS.COM Subject: Re: Accessing IE/Netscape incomming data > You patch winsock.dll typically. You move the official one to owinsck.dll > and make your new winsock.dll reporcess all the calls then call the original. Another (IMO nicer) solution is to hook all APIs of a given process; You can do that quite easily in the PE Header of the target. Basically you use OpenProcess(), ReadProcessMemory() and WriteProcessMemory() to substitute the addresses in the PE Header that point to the winsock library functions with pointers to your own functions. You can add their code using VirtualAllocEx() and WriteProcessMemory() into the monitored process's address space.