Proxocket: A Tool for Capturing and Modifying Winsock Traffic
Proxocket is a tool developed by Luigi Auriemma that allows you to capture and modify the network traffic of any Windows application that uses the Winsock API. Winsock is the standard Windows interface for network services such as TCP/IP and UDP/IP. Proxocket works by DLL proxying: it ships replacement ws2_32.dll and wsock32.dll files that are placed in the application's own directory, where the loader's DLL search order finds them before the genuine copies in the system directory. The proxy DLLs forward every call to the real Winsock DLLs, so the application behaves normally, while logging the data that passes through send, recv and related calls to a .cap file that can be opened with Wireshark or other packet analyzers. Proxocket can also modify the traffic on the fly through a custom DLL that implements a few callback functions. Because the technique depends entirely on the loader picking the proxy copy, the first thing to check when nothing is captured is whether the proxy DLL was actually mapped into the process (Process Explorer or Process Monitor will show which ws2_32.dll was loaded): a DLL that the loader resolves from its KnownDLLs list, or that the application loads by full path, is taken from the system directory regardless of what sits next to the .exe.
Proxocket can be useful for various purposes, such as:
Sniffing the traffic of an application without installing a network driver or using raw sockets.
Sniffing the traffic going to localhost (127.0.0.1). On Windows the loopback path is not a capture adapter, so classic WinPcap-based sniffers never see it (Npcap later added a loopback adapter for this); Proxocket sees it because it sits inside the process, above the network stack.
Sniffing the traffic before it is encrypted or obfuscated by an external proxy such as Stunnel or Tor. Proxocket sees data exactly as the application hands it to Winsock, so this only helps when the encryption is done by a separate process that the application talks to in cleartext over a local socket; an application that encrypts in-process (for example with SChannel or OpenSSL) calls send() with ciphertext, and ciphertext is what Proxocket will log.
Modifying the traffic to test the behavior or security of an application.
To use Proxocket, copy the proxy DLL files (ws2_32.dll and wsock32.dll) into the same directory as the .exe file of the application you want to monitor; the DLLs must match the bitness of the process, since a 64-bit process cannot load a 32-bit DLL. If you also want to modify the traffic, build a custom DLL that implements the callback functions and place it in that directory as well. Proxocket writes a .cap file to the same directory containing all the captured packets, which you can open with Wireshark or another packet analyzer. Remove the proxy DLLs when you are done: a ws2_32.dll left next to an application is the same DLL search-order hijacking pattern that security tooling flags, and it keeps writing the application's traffic to disk in cleartext.
For more information about Proxocket, you can visit its official website[^3^] or read this blog post[^1^] by Erik Hjelmvik from Netresec. The Microsoft article[^2^] on using RPC with Winsock Proxy concerns a different product (the Winsock Proxy client of Microsoft Proxy Server) and is unrelated to Proxocket beyond the similar name.
In this section, we will show an example of using Proxocket to capture and modify the traffic of a simple chat application that uses TCP/IP. The chat application consists of a server and a client, which communicate by sending and receiving messages over a socket. The server listens on TCP port 1234 and accepts connections from clients. The client connects to the server and sends it a message; the server echoes the message back to the client.
To use Proxocket with the chat application, we need to do the following steps:
Download Proxocket from its official website and extract the zip file.
Copy the proxy DLL files (ws2_32.dll and wsock32.dll) to the same directory as the chat server and chat client .exe files.
Create a custom DLL that implements the callback functions used to modify the traffic. For this example, we use a simple DLL that changes every "hello" message to "goodbye". The source code of the DLL is shown below.
Compile the DLL with a C compiler such as Visual Studio or MinGW, using the same bitness as the chat executables, and place it in the same directory as the chat server and chat client .exe files. Name it proxocket.dll, or whatever file name the Proxocket build you downloaded looks for: the file name and the exported callback names must match exactly (check them against the sample hook source that ships with the release), because a hook with the wrong name is simply never called and the traffic passes through unmodified.
Run the chat server and chat client applications. Proxocket will create two .cap files in the same directory, one for each application. These files will contain all the captured packets.
Open the .cap files with Wireshark or other packet analyzers to inspect the traffic. You will see that Proxocket has modified the traffic by changing every "hello" message to "goodbye".
The source code of the custom DLL for Proxocket is shown below. It defines four callback functions: proxocket_init, proxocket_connect, proxocket_send, and proxocket_recv. Proxocket calls them whenever the application calls the corresponding Winsock functions: WSAStartup, connect, send, and recv. proxocket_init runs once when the hook DLL is loaded; proxocket_connect runs whenever the application establishes a connection with a remote host; proxocket_send runs whenever the application sends data to a remote host; proxocket_recv runs whenever the application receives data from a remote host. Inside these functions the hook can inspect and modify the parameters and return values of the Winsock call. In this example we only touch the data buffer in proxocket_send and proxocket_recv, replacing every occurrence of "hello" with "goodbye". Two details matter when doing this. First, the replacement changes the byte count ("goodbye" is two bytes longer than "hello"), so the hook must report the new length back rather than the original one; on the receive side the data lives in the application's own buffer, whose size is the len argument of recv(), so a rewrite that would grow past that size must be refused instead of overflowing the buffer. Second, send() and recv() operate on a byte stream, not on messages: a "hello" split across two recv() calls will not be matched by a hook that looks at each buffer in isolation.
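The buffer rewrite that such a send/recv hook performs, as an added example that is not Proxocket's own code and not the sample DLL the page refers to. It is written as a portable C function so it can be compiled and tested on any platform; the exported hook entry point that would call it (its name, calling convention and how the new length is handed back) is left out because it has to match the Proxocket release in use. The function names rewrite_buffer and hello_to_goodbye and the sample chat message are my own constructions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Replace every non-overlapping occurrence of `from` in buf[0..len) with `to`.
 * buf is a raw byte buffer (it may contain NUL bytes), len is how many bytes
 * are valid and cap is how many bytes buf can hold. Returns the new length,
 * or -1 when the rewritten data would not fit in cap: on the recv side cap is
 * the application's own buffer size, so overflowing it is not an option. */
int rewrite_buffer(unsigned char *buf, int len, int cap,
                   const char *from, const char *to)
{
    size_t flen = strlen(from), tlen = strlen(to);
    int matches = 0, in = 0, out = 0, i;
    long newlen;
    unsigned char *tmp;

    if (len < 0 || cap < len || flen == 0)
        return -1;

    /* Pass 1: count matches so the result can be sized before touching buf. */
    for (i = 0; i + (int)flen <= len; ) {
        if (memcmp(buf + i, from, flen) == 0) {
            matches++;
            i += (int)flen;
        } else {
            i++;
        }
    }
    if (matches == 0)
        return len;                       /* nothing to rewrite */

    newlen = (long)len + (long)matches * ((long)tlen - (long)flen);
    if (newlen > cap)
        return -1;                        /* refuse rather than overflow */

    /* Pass 2: build the result in scratch space; rewriting in place would
     * overwrite not-yet-read bytes whenever `to` is longer than `from`. */
    tmp = malloc(newlen > 0 ? (size_t)newlen : 1);
    if (tmp == NULL)
        return -1;
    while (in < len) {
        if (in + (int)flen <= len && memcmp(buf + in, from, flen) == 0) {
            memcpy(tmp + out, to, tlen);
            out += (int)tlen;
            in += (int)flen;
        } else {
            tmp[out++] = buf[in++];
        }
    }
    memcpy(buf, tmp, (size_t)newlen);
    free(tmp);
    return (int)newlen;
}

/* What the example's send/recv hooks would call (hypothetical helper). When
 * the rewrite does not fit, the data is passed through unchanged and the
 * original length is returned, rather than truncating or corrupting it. */
int hello_to_goodbye(unsigned char *buf, int len, int cap)
{
    int n = rewrite_buffer(buf, len, cap, "hello", "goodbye");
    return n < 0 ? len : n;
}

int main(void)
{
    /* Constructed sample message, as the chat client might send it. */
    unsigned char msg[64] = "hello server, hello again\n";
    unsigned char tight[64] = "hello server, hello again\n";
    int len = (int)strlen((const char *)msg);
    int n;

    n = hello_to_goodbye(msg, len, (int)sizeof msg);
    printf("%d -> %d bytes: %.*s", len, n, n, (const char *)msg);

    /* Same message, but cap == len as a recv() hook would see it when the
     * application's buffer is exactly full: no room to grow, left untouched. */
    n = hello_to_goodbye(tight, len, len);
    printf("cap == len: %d bytes, unchanged\n", n);
    return 0;
}
```

Running the block prints the 26-byte message rewritten to 30 bytes, then the refused case. Using it from a real hook is a matter of passing the buffer, the byte count reported by the Winsock call and the true capacity of the buffer, and returning whatever the function reports back as the new length.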