I'm currently working on a project which requires hooking the TCP send and recv APIs in IE to monitor the TCP data. It works fine on IE9 and IE10, but it stopped working on IE11. After some research, I found that IE11 uses WSASend and WSARecv to send and receive data, so I decided to hook WSASend and WSARecv.
WSARecv is an overlapped operation. There are 3 ways to get the result of overlapped operations: when overlapped operations are used, they either have an associated event, a completion routine, or are associated with an I/O completion port. I checked the overlapped structure when IE11 calls WSARecv and found that both the event and the completion routine are NULL, so I assume IE11 uses an I/O completion port to get the result of the overlapped operations.
The problem is that GetQueuedCompletionStatus or GetQueuedCompletionStatusEx is never called by IE11. I used API Monitor and also hooked those 2 functions directly, and I never saw them called. I don't know if IE11 uses a different set of APIs to get the result of WSARecv. I wonder if anyone has encountered a similar problem. Which API should I hook? Or is there an alternative way to achieve the same goal? Basically, what I want to do is monitor TCP data in IE11.
You can set a breakpoint in ntdll!NtDeviceIoControlFile, which all socket APIs are finally routed to, so you can find out which one is used.