{"componentChunkName":"component---src-templates-post-template-js","path":"/windows-windbg-010-socket-en","result":{"data":{"markdownRemark":{"id":"b1138ecf-899a-5c29-92cc-4090434c6467","html":"<blockquote>\n<p>This page has been machine-translated from the <a href=\"/windows-windbg-010-socket\">original page</a>.</p>\n</blockquote>\n<p>I have been reverse-engineering my own modules in order to improve my reverse-engineering skills and become proficient with WinDbg.</p>\n<p>This time I will analyze a Windows socket communication program implemented in C.</p>\n<p>Note: This program was created for verification purposes and does not implement error handling, so it is not intended for production use.</p>\n<!-- omit in toc -->\n<h2 id=\"table-of-contents\" style=\"position:relative;\"><a href=\"#table-of-contents\" aria-label=\"table of contents permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Table of Contents</h2>\n<ul>\n<li>\n<p><a href=\"#the-program\">The Program</a></p>\n<ul>\n<li><a href=\"#winsock2\">winsock2</a></li>\n<li><a href=\"#pragma-comment\">pragma comment()</a></li>\n<li><a href=\"#ws2tcpiph\">ws2tcpip.h</a></li>\n</ul>\n</li>\n<li>\n<p><a href=\"#the-post-request-sending-function\">The POST Request Sending Function</a></p>\n<ul>\n<li><a href=\"#initializing-wsadata\">Initializing WSADATA</a></li>\n<li><a href=\"#specifying-the-destination\">Specifying the Destination</a></li>\n<li><a href=\"#creating-the-socket\">Creating the Socket</a></li>\n<li><a 
href=\"#establishing-the-connection\">Establishing the Connection</a></li>\n<li><a href=\"#sending-the-http-request\">Sending the HTTP Request</a></li>\n<li><a href=\"#the-udp-communication-function\">The UDP Communication Function</a></li>\n</ul>\n</li>\n<li><a href=\"#verifying-communication\">Verifying Communication</a></li>\n<li>\n<p><a href=\"#reversing\">Reversing</a></p>\n<ul>\n<li><a href=\"#decompiling-with-ghidra\">Decompiling with Ghidra</a></li>\n<li><a href=\"#capturing-a-ttd-trace-with-windbg\">Capturing a TTD Trace with WinDbg</a></li>\n<li><a href=\"#tracing-the-socket-internals\">Tracing the Socket Internals</a></li>\n<li><a href=\"#the-created-socket\">The Created Socket</a></li>\n<li><a href=\"#reading-the-sockaddr_in-structure\">Reading the sockaddr_in Structure</a></li>\n</ul>\n</li>\n<li><a href=\"#summary\">Summary</a></li>\n</ul>\n<h2 id=\"the-program\" style=\"position:relative;\"><a href=\"#the-program\" aria-label=\"the program permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>The Program</h2>\n<p>The program created for this article is available in the following repository.</p>\n<p>Reference: <a href=\"https://github.com/kash1064/Try2WinDbg/blob/master/build/c/win_tcp_udp.c\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Try2WinDbg/win<em>tcp</em>udp.c</a></p>\n<p>It implements the following two functions:</p>\n<ul>\n<li>Establish a TCP connection and send a POST request</li>\n<li>Send data over UDP</li>\n</ul>\n<p>The following header files are 
used:</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;winsock2.h></span></span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;stdio.h></span></span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;stdlib.h></span></span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;stdint.h></span></span>\n\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">pragma</span> <span class=\"token expression\"><span class=\"token function\">comment</span><span class=\"token punctuation\">(</span>lib<span class=\"token punctuation\">,</span> </span><span class=\"token string\">\"ws2_32.lib\"</span><span class=\"token expression\"><span class=\"token punctuation\">)</span></span></span>\n\n<span class=\"token comment\">// Use when handling IP addresses, etc.</span>\n<span class=\"token comment\">// #include &lt;ws2tcpip.h></span>\n<span class=\"token comment\">// #include &lt;iphlpapi.h></span>\n<span class=\"token comment\">// #pragma comment(lib, \"iphlpapi.lib\")</span>\n\n<span class=\"token comment\">// When used alongside winsock2.h, always place this include after winsock2.h</span>\n<span class=\"token comment\">// #include &lt;windows.h></span></code></pre></div>\n<h3 id=\"winsock2\" style=\"position:relative;\"><a href=\"#winsock2\" aria-label=\"winsock2 permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" 
focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>winsock2</h3>\n<p><code class=\"language-text\">winsock2.h</code> is a header file used when implementing Windows Sockets 2 and related functionality.</p>\n<p>It contains API functions and other definitions used for socket communication on Windows.</p>\n<p>Reference: <a href=\"https://docs.microsoft.com/en-us/windows/win32/api/winsock2/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Winsock2.h header - Win32 apps | Microsoft Docs</a></p>\n<p>Reference: <a href=\"https://docs.microsoft.com/en-us/windows/win32/api/_winsock/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Windows Sockets 2 - Win32 apps | Microsoft Docs</a></p>\n<p>Reference: <a href=\"https://en.wikipedia.org/wiki/Winsock\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Winsock - Wikipedia</a></p>\n<p>The first step in Windows socket programming is to initialize the <code class=\"language-text\">WSADATA</code> structure using the <code class=\"language-text\">WSAStartup</code> function defined in <code class=\"language-text\">winsock2.h</code>.</p>\n<p>Reference: <a href=\"https://docs.microsoft.com/en-us/windows/win32/api/winsock/ns-winsock-wsadata\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">WSADATA (winsock.h) - Win32 apps | Microsoft Docs</a></p>\n<p>Reference: <a href=\"https://docs.microsoft.com/en-us/windows/win32/api/winsock2/nf-winsock2-wsastartup\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">WSAStartup function (winsock2.h) - Win32 apps | Microsoft Docs</a></p>\n<p><code 
class=\"language-text\">WSAStartup</code> takes two arguments: the Windows Sockets version to use, and the <code class=\"language-text\">WSADATA</code> structure to initialize.</p>\n<p>One slightly tricky point is that the first argument to <code class=\"language-text\">WSAStartup</code> is a 16-bit unsigned integer (WORD type), where the lower 8 bits specify the major version and the upper 8 bits specify the minor version of Windows Sockets.</p>\n<p>For this reason, the <code class=\"language-text\">MAKEWORD</code> macro is used to construct the argument value.</p>\n<p>Reference: <a href=\"https://docs.microsoft.com/en-us/previous-versions/windows/desktop/legacy/ms632663(v=vs.85)\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">MAKEWORD macro (Windows) | Microsoft Docs</a></p>\n<p>On success, <code class=\"language-text\">WSAStartup</code> returns 0; on failure, it returns one of the defined error codes.</p>\n<p>Although not included in this implementation, error handling for the <code class=\"language-text\">WSAStartup</code> return value should be added in practice.</p>\n<h3 id=\"pragma-comment\" style=\"position:relative;\"><a href=\"#pragma-comment\" aria-label=\"pragma comment permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>pragma comment()</h3>\n<p>When you try to compile source files that include headers like <code class=\"language-text\">winsock2.h</code>, you may encounter errors such as <code class=\"language-text\">error LNK2019: unresolved external 
symbol</code>.</p>\n<div class=\"gatsby-highlight\" data-language=\"powershell\"><pre class=\"language-powershell\"><code class=\"language-powershell\">win_tcp_udp<span class=\"token punctuation\">.</span>obj : error LNK2019: unresolved external symbol __imp__closesocket@4 referenced in <span class=\"token keyword\">function</span> _send_http_post\nwin_tcp_udp<span class=\"token punctuation\">.</span>obj : error LNK2019: unresolved external symbol __imp__connect@12 referenced in <span class=\"token keyword\">function</span> _send_http_post\nwin_tcp_udp<span class=\"token punctuation\">.</span>obj : error LNK2019: unresolved external symbol __imp__htons@4 referenced in <span class=\"token keyword\">function</span> _send_http_post\nwin_tcp_udp<span class=\"token punctuation\">.</span>obj : error LNK2019: unresolved external symbol __imp__inet_addr@4 referenced in <span class=\"token keyword\">function</span> _send_http_post\nwin_tcp_udp<span class=\"token punctuation\">.</span>obj : error LNK2019: unresolved external symbol __imp__send@16 referenced in <span class=\"token keyword\">function</span> _send_http_post\nwin_tcp_udp<span class=\"token punctuation\">.</span>obj : error LNK2019: unresolved external symbol __imp__sendto@24 referenced in <span class=\"token keyword\">function</span> _send_udp\nwin_tcp_udp<span class=\"token punctuation\">.</span>obj : error LNK2019: unresolved external symbol __imp__socket@12 referenced in <span class=\"token keyword\">function</span> _send_http_post\nwin_tcp_udp<span class=\"token punctuation\">.</span>obj : error LNK2019: unresolved external symbol __imp__WSAStartup@8 referenced in <span class=\"token keyword\">function</span> _send_http_post\nwin_tcp_udp<span class=\"token punctuation\">.</span>obj : error LNK2019: unresolved external symbol __imp__WSACleanup@0 referenced in <span class=\"token keyword\">function</span> _send_http_post\n<span class=\"token punctuation\">.</span>\\build\\bin\\win_tcp_udp<span class=\"token 
punctuation\">.</span>exe : fatal error LNK1120: 9 unresolved externals</code></pre></div>\n<p>This occurs when the compiler cannot link the required library.</p>\n<p>To resolve this, do one of the following:</p>\n<ul>\n<li>If developing in Visual Studio, go to the project properties under [Configuration Properties] > [Linker] > [Input] and add the library causing the reference error to [Additional Dependencies].</li>\n<li>Add <code class=\"language-text\">#pragma comment(lib, \"&lt;library-name>.lib\")</code> to the source.</li>\n</ul>\n<p>Since I am compiling the C file directly with cl.exe without creating a project, I will use <code class=\"language-text\">pragma</code>.</p>\n<p><code class=\"language-text\">pragma</code> is a directive that instructs the compiler to perform a specific action at compile time.</p>\n<p>In particular, using the <code class=\"language-text\">comment</code> pragma with the <code class=\"language-text\">lib</code> argument lets you specify from the source code which library to link at compile time.</p>\n<p>Reference: <a href=\"https://docs.microsoft.com/en-us/cpp/c-language/c-pragmas?view=msvc-170\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">C Pragmas | Microsoft Docs</a></p>\n<p>Reference: <a href=\"https://docs.microsoft.com/en-us/cpp/preprocessor/comment-c-cpp?view=msvc-170\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">comment pragma | Microsoft Docs</a></p>\n<p>Therefore, adding <code class=\"language-text\">#pragma comment(lib, \"ws2_32.lib\")</code> avoids the linker error for <code class=\"language-text\">winsock2.h</code>.</p>\n<h3 id=\"ws2tcpiph\" style=\"position:relative;\"><a href=\"#ws2tcpiph\" aria-label=\"ws2tcpiph permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 
1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>ws2tcpip.h</h3>\n<p>Not needed for this implementation, but <code class=\"language-text\">ws2tcpip.h</code> is a header file required for TCP/IP communication that defines structures related to IP address retrieval.</p>\n<p>Reference: <a href=\"https://docs.microsoft.com/en-us/windows/win32/winsock/creating-a-basic-winsock-application\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Creating a Basic Winsock Application - Win32 apps | Microsoft Docs</a></p>\n<p>Reference: <a href=\"https://docs.microsoft.com/en-us/windows/win32/api/ws2tcpip/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Ws2Tcpip.h header - Win32 apps | Microsoft Docs</a></p>\n<h2 id=\"the-post-request-sending-function\" style=\"position:relative;\"><a href=\"#the-post-request-sending-function\" aria-label=\"the post request sending function permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>The POST Request Sending Function</h2>\n<p>The function that sends a POST request to an arbitrary address is as follows:</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token keyword\">int</span> <span class=\"token function\">send_http_post</span><span class=\"token punctuation\">(</span><span 
class=\"token keyword\">unsigned</span> <span class=\"token keyword\">char</span> <span class=\"token operator\">*</span>senddata<span class=\"token punctuation\">)</span><span class=\"token punctuation\">{</span>\n    <span class=\"token keyword\">char</span> destination<span class=\"token punctuation\">[</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> RSERVER<span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">unsigned</span> <span class=\"token keyword\">short</span> port <span class=\"token operator\">=</span> <span class=\"token number\">80</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">unsigned</span> <span class=\"token keyword\">char</span> httppath<span class=\"token punctuation\">[</span><span class=\"token number\">20</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> <span class=\"token string\">\"/upload\"</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">char</span> httphost<span class=\"token punctuation\">[</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> LSERVER<span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">int</span> dstSocket<span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">int</span> result<span class=\"token punctuation\">;</span>\n \n    <span class=\"token keyword\">char</span> toSendText<span class=\"token punctuation\">[</span>MAXBUF<span class=\"token punctuation\">]</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">char</span> postdata<span class=\"token punctuation\">[</span>MAXBUF<span class=\"token punctuation\">]</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">int</span> read_size<span class=\"token punctuation\">;</span>\n\n    <span class=\"token comment\">// Initialize WSADATA</span>\n    
WSADATA data<span class=\"token punctuation\">;</span>\n    <span class=\"token function\">WSAStartup</span><span class=\"token punctuation\">(</span><span class=\"token function\">MAKEWORD</span><span class=\"token punctuation\">(</span><span class=\"token number\">2</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> <span class=\"token operator\">&amp;</span>data<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n    <span class=\"token comment\">// Set AF_INET</span>\n    <span class=\"token keyword\">struct</span> <span class=\"token class-name\">sockaddr_in</span> dstAddr<span class=\"token punctuation\">;</span>\n    <span class=\"token function\">memset</span><span class=\"token punctuation\">(</span><span class=\"token operator\">&amp;</span>dstAddr<span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">,</span> <span class=\"token keyword\">sizeof</span><span class=\"token punctuation\">(</span>dstAddr<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    dstAddr<span class=\"token punctuation\">.</span>sin_port <span class=\"token operator\">=</span> <span class=\"token function\">htons</span><span class=\"token punctuation\">(</span>port<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    dstAddr<span class=\"token punctuation\">.</span>sin_family <span class=\"token operator\">=</span> AF_INET<span class=\"token punctuation\">;</span>\n    dstAddr<span class=\"token punctuation\">.</span>sin_addr<span class=\"token punctuation\">.</span>s_addr <span class=\"token operator\">=</span> <span class=\"token function\">inet_addr</span><span class=\"token punctuation\">(</span>destination<span class=\"token punctuation\">)</span><span 
class=\"token punctuation\">;</span>\n\n    <span class=\"token comment\">// Start socket communication (specify SOCK_STREAM)</span>\n    <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"\\t==>Creating socket...\\n\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    dstSocket <span class=\"token operator\">=</span> <span class=\"token function\">socket</span><span class=\"token punctuation\">(</span>AF_INET<span class=\"token punctuation\">,</span> SOCK_STREAM<span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>dstSocket <span class=\"token operator\">&lt;</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">{</span>\n        <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"\\t==>Creating socket failed!!\\n\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n        <span class=\"token keyword\">return</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n    <span class=\"token punctuation\">}</span>\n    <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"\\t==>Creating socket succeeded!!\\n\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n \n    <span class=\"token comment\">// Establish connection</span>\n    <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"\\t==>Connecting...\\n\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n 
   result <span class=\"token operator\">=</span> <span class=\"token function\">connect</span><span class=\"token punctuation\">(</span>dstSocket<span class=\"token punctuation\">,</span> <span class=\"token punctuation\">(</span><span class=\"token keyword\">struct</span> <span class=\"token class-name\">sockaddr</span> <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">&amp;</span>dstAddr<span class=\"token punctuation\">,</span> <span class=\"token keyword\">sizeof</span><span class=\"token punctuation\">(</span>dstAddr<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>result <span class=\"token operator\">&lt;</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">{</span>\n        <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"\\t==>Binding failed!!\\n\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n        <span class=\"token keyword\">return</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n    <span class=\"token punctuation\">}</span>\n    <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"\\t==>Connecting succeeded!!\\n\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n \n    <span class=\"token comment\">// Build HTTP request</span>\n    <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"\\t==>Creating HTTP request...\\n\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token 
function\">sprintf</span><span class=\"token punctuation\">(</span>toSendText<span class=\"token punctuation\">,</span> <span class=\"token string\">\"POST %s HTTP/1.1\\r\\n\"</span><span class=\"token punctuation\">,</span> httppath<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token function\">send</span><span class=\"token punctuation\">(</span>dstSocket<span class=\"token punctuation\">,</span> toSendText<span class=\"token punctuation\">,</span> <span class=\"token function\">strlen</span><span class=\"token punctuation\">(</span>toSendText<span class=\"token punctuation\">)</span> <span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n \n    <span class=\"token function\">sprintf</span><span class=\"token punctuation\">(</span>toSendText<span class=\"token punctuation\">,</span> <span class=\"token string\">\"Host: %s:%d\\r\\n\"</span><span class=\"token punctuation\">,</span> httphost<span class=\"token punctuation\">,</span> port<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token function\">send</span><span class=\"token punctuation\">(</span>dstSocket<span class=\"token punctuation\">,</span> toSendText<span class=\"token punctuation\">,</span> <span class=\"token function\">strlen</span><span class=\"token punctuation\">(</span>toSendText<span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n    <span class=\"token function\">sprintf</span><span class=\"token punctuation\">(</span>postdata<span class=\"token punctuation\">,</span> <span class=\"token string\">\"%s\\r\\n\"</span><span class=\"token punctuation\">,</span> senddata<span class=\"token punctuation\">)</span><span 
class=\"token punctuation\">;</span>\n    <span class=\"token function\">sprintf</span><span class=\"token punctuation\">(</span>toSendText<span class=\"token punctuation\">,</span> <span class=\"token string\">\"Content-Length: %d\\r\\n\"</span><span class=\"token punctuation\">,</span> <span class=\"token function\">strlen</span><span class=\"token punctuation\">(</span>postdata<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token function\">send</span><span class=\"token punctuation\">(</span>dstSocket<span class=\"token punctuation\">,</span> toSendText<span class=\"token punctuation\">,</span> <span class=\"token function\">strlen</span><span class=\"token punctuation\">(</span>toSendText<span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n         \n    <span class=\"token function\">sprintf</span><span class=\"token punctuation\">(</span>toSendText<span class=\"token punctuation\">,</span> <span class=\"token string\">\"\\r\\n\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token function\">send</span><span class=\"token punctuation\">(</span>dstSocket<span class=\"token punctuation\">,</span> toSendText<span class=\"token punctuation\">,</span> <span class=\"token function\">strlen</span><span class=\"token punctuation\">(</span>toSendText<span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n    <span class=\"token comment\">// Send HTTP request</span>\n    <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"\\t==>Sending HTTP 
request...\\n\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token function\">send</span><span class=\"token punctuation\">(</span>dstSocket<span class=\"token punctuation\">,</span> postdata<span class=\"token punctuation\">,</span> <span class=\"token function\">strlen</span><span class=\"token punctuation\">(</span>postdata<span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  \n    <span class=\"token comment\">// Close connection</span>\n    <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"\\t==>HTTP request is sent!!\\n\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token function\">closesocket</span><span class=\"token punctuation\">(</span>dstSocket<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token function\">WSACleanup</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n    <span class=\"token keyword\">return</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<h3 id=\"initializing-wsadata\" style=\"position:relative;\"><a href=\"#initializing-wsadata\" aria-label=\"initializing wsadata permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 
0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Initializing WSADATA</h3>\n<p>First, initialize the <code class=\"language-text\">WSADATA</code> structure required for socket communication using the <code class=\"language-text\">WSAStartup</code> function.</p>\n<p>Windows Sockets version 2.0 is specified.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token comment\">// Initialize WSADATA</span>\nWSADATA data<span class=\"token punctuation\">;</span>\n<span class=\"token function\">WSAStartup</span><span class=\"token punctuation\">(</span><span class=\"token function\">MAKEWORD</span><span class=\"token punctuation\">(</span><span class=\"token number\">2</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> <span class=\"token operator\">&amp;</span>data<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span></code></pre></div>\n<h3 id=\"specifying-the-destination\" style=\"position:relative;\"><a href=\"#specifying-the-destination\" aria-label=\"specifying the destination permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Specifying the Destination</h3>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token 
comment\">// Set AF_INET</span>\n<span class=\"token keyword\">struct</span> <span class=\"token class-name\">sockaddr_in</span> dstAddr<span class=\"token punctuation\">;</span>\n<span class=\"token function\">memset</span><span class=\"token punctuation\">(</span><span class=\"token operator\">&amp;</span>dstAddr<span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">,</span> <span class=\"token keyword\">sizeof</span><span class=\"token punctuation\">(</span>dstAddr<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\ndstAddr<span class=\"token punctuation\">.</span>sin_port <span class=\"token operator\">=</span> <span class=\"token function\">htons</span><span class=\"token punctuation\">(</span>port<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\ndstAddr<span class=\"token punctuation\">.</span>sin_family <span class=\"token operator\">=</span> AF_INET<span class=\"token punctuation\">;</span>\ndstAddr<span class=\"token punctuation\">.</span>sin_addr<span class=\"token punctuation\">.</span>s_addr <span class=\"token operator\">=</span> <span class=\"token function\">inet_addr</span><span class=\"token punctuation\">(</span>destination<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span></code></pre></div>\n<p>After initializing the <code class=\"language-text\">WSADATA</code> structure, create a <code class=\"language-text\">sockaddr_in</code> structure and set the address family, destination address, and port number.</p>\n<p>The official documentation shows a method using the <code class=\"language-text\">addrinfo</code> structure, but this implementation uses <code class=\"language-text\">sockaddr_in</code>.</p>\n<p>Reference: <a href=\"https://docs.microsoft.com/en-us/windows/win32/winsock/creating-a-socket-for-the-client\" target=\"_blank\" rel=\"nofollow 
noopener noreferrer\">Creating a Socket for the Client - Win32 apps | Microsoft Docs</a></p>\n<p>The <code class=\"language-text\">sockaddr_in</code> structure is only for IPv4 communication; use <code class=\"language-text\">sockaddr_in6</code> for IPv6.</p>\n<p>The <code class=\"language-text\">addrinfo</code> structure used in the official documentation works with both IPv4 and IPv6 sockets.</p>\n<p>Unless there is a specific reason, using <code class=\"language-text\">addrinfo</code> should be fine.</p>\n<p>Reference: <a href=\"https://medium.com/adamedelwiess/operating-system-9-socket-programming-experiment-2-enable-ipv4-and-ipv6-c2f034511cd4\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Operating System 9 | Socket Programming Experiment 2: Enable IPv4 and IPv6 | by Adam Edelweiss | SereneField | Medium</a></p>\n<p>Reference: <a href=\"https://stackoverflow.com/questions/23401147/what-is-the-difference-between-struct-addrinfo-and-struct-sockaddr\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">c - What is the difference between struct addrinfo and struct sockaddr - Stack Overflow</a></p>\n<p><code class=\"language-text\">AF_INET</code> is specified as the address family.</p>\n<p><code class=\"language-text\">AF_INET</code> is the address family for IPv4 communication.</p>\n<p>Reference: <a href=\"https://stackoverflow.com/questions/1593946/what-is-af-inet-and-why-do-i-need-it\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">sockets - What is AF_INET, and why do I need it? 
- Stack Overflow</a></p>\n<h3 id=\"creating-the-socket\" style=\"position:relative;\"><a href=\"#creating-the-socket\" aria-label=\"creating the socket permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Creating the Socket</h3>\n<p>Create a socket using the <code class=\"language-text\">socket</code> function.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token comment\">// Start socket communication (specify SOCK_STREAM)</span>\n<span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"\\t==>Creating socket...\\n\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\ndstSocket <span class=\"token operator\">=</span> <span class=\"token function\">socket</span><span class=\"token punctuation\">(</span>AF_INET<span class=\"token punctuation\">,</span> SOCK_STREAM<span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>dstSocket <span class=\"token operator\">&lt;</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">{</span>\n    <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"\\t==>Creating socket 
failed!!\\n\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">return</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span>\n<span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"\\t==>Creating socket succeeded!!\\n\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span></code></pre></div>\n<p>Because this is a TCP connection, <code class=\"language-text\">SOCK_STREAM</code> is specified as the second argument.</p>\n<p>Reference: <a href=\"https://docs.microsoft.com/en-us/windows/win32/api/winsock2/nf-winsock2-socket\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">socket function (winsock2.h) - Win32 apps | Microsoft Docs</a></p>\n<p>The third argument is the <em>protocol</em> parameter, which defines the protocol to use.</p>\n<p>Here TCP is not explicitly specified; 0 is passed instead.</p>\n<p>This means the caller does not specify a protocol.</p>\n<p>Reference: <a href=\"https://stackoverflow.com/questions/3735773/what-does-0-indicate-in-socket-system-call\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">c - what does 0 indicate in socket() system call? 
- Stack Overflow</a></p>\n<h3 id=\"establishing-the-connection\" style=\"position:relative;\"><a href=\"#establishing-the-connection\" aria-label=\"establishing the connection permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Establishing the Connection</h3>\n<p>Next, use the <code class=\"language-text\">connect</code> function to establish the socket connection.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token comment\">// Establish connection</span>\n<span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"\\t==>Connecting...\\n\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\nresult <span class=\"token operator\">=</span> <span class=\"token function\">connect</span><span class=\"token punctuation\">(</span>dstSocket<span class=\"token punctuation\">,</span> <span class=\"token punctuation\">(</span><span class=\"token keyword\">struct</span> <span class=\"token class-name\">sockaddr</span> <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">&amp;</span>dstAddr<span class=\"token punctuation\">,</span> <span class=\"token keyword\">sizeof</span><span class=\"token punctuation\">(</span>dstAddr<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token 
keyword\">if</span> <span class=\"token punctuation\">(</span>result <span class=\"token operator\">&lt;</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">{</span>\n    <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"\\t==>Binding failed!!\\n\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">return</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span>\n<span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"\\t==>Connecting succeeded!!\\n\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span></code></pre></div>\n<p>The <code class=\"language-text\">connect</code> function performs the client-side connection in socket communication.</p>\n<p>Reference: <a href=\"https://docs.microsoft.com/en-us/windows/win32/winsock/connecting-to-a-socket\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Connecting to a Socket - Win32 apps | Microsoft Docs</a></p>\n<p>This function establishes a TCP connection with the bound socket server.</p>\n<p><img src=\"/70d7cbb162e7199a3a6b8596fc9fc683/socket_client_server.gif\" alt=\"https://www.tutorialspoint.com/unix_sockets/images/socket_client_server.gif\"></p>\n<p>Image source: <a href=\"https://www.tutorialspoint.com/unix_sockets/client_server_model.htm\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Unix Socket - Client Server Model</a></p>\n<h3 id=\"sending-the-http-request\" style=\"position:relative;\"><a href=\"#sending-the-http-request\" aria-label=\"sending the http request permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path 
fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Sending the HTTP Request</h3>\n<p>The pre-built POST request data is sent to the server using the <code class=\"language-text\">send</code> function.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token comment\">// Send HTTP request</span>\n<span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"\\t==>Sending HTTP request...\\n\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token function\">send</span><span class=\"token punctuation\">(</span>dstSocket<span class=\"token punctuation\">,</span> postdata<span class=\"token punctuation\">,</span> <span class=\"token function\">strlen</span><span class=\"token punctuation\">(</span>postdata<span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span></code></pre></div>\n<p>Although not implemented here, receiving a response would use the <code class=\"language-text\">recv</code> function.</p>\n<p>Reference: <a href=\"https://docs.microsoft.com/en-us/windows/win32/winsock/sending-and-receiving-data-on-the-client\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Sending and Receiving Data on the Client - Win32 apps | Microsoft Docs</a></p>\n<h3 id=\"the-udp-communication-function\" style=\"position:relative;\"><a href=\"#the-udp-communication-function\" aria-label=\"the udp communication function 
permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>The UDP Communication Function</h3>\n<p>The function that performs UDP communication is as follows:</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token keyword\">int</span> <span class=\"token function\">send_udp</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">unsigned</span> <span class=\"token keyword\">char</span> <span class=\"token operator\">*</span>senddata<span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">{</span>\n    <span class=\"token keyword\">char</span> destination<span class=\"token punctuation\">[</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> RSERVER<span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">unsigned</span> <span class=\"token keyword\">short</span> port <span class=\"token operator\">=</span> <span class=\"token number\">80</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">char</span> httphost<span class=\"token punctuation\">[</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> LSERVER<span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">int</span> dstSocket<span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">int</span> result<span class=\"token punctuation\">;</span>\n\n    <span class=\"token 
keyword\">char</span> toSendText<span class=\"token punctuation\">[</span>MAXBUF<span class=\"token punctuation\">]</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">int</span> read_size<span class=\"token punctuation\">;</span>\n\n    <span class=\"token comment\">// Initialize WSADATA</span>\n    WSADATA wsaData<span class=\"token punctuation\">;</span>\n    <span class=\"token function\">WSAStartup</span><span class=\"token punctuation\">(</span><span class=\"token function\">MAKEWORD</span><span class=\"token punctuation\">(</span><span class=\"token number\">2</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> <span class=\"token operator\">&amp;</span>wsaData<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n    <span class=\"token keyword\">struct</span> <span class=\"token class-name\">sockaddr_in</span> dstAddr<span class=\"token punctuation\">;</span>\n    <span class=\"token function\">memset</span><span class=\"token punctuation\">(</span><span class=\"token operator\">&amp;</span>dstAddr<span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">,</span> <span class=\"token keyword\">sizeof</span><span class=\"token punctuation\">(</span>dstAddr<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    dstAddr<span class=\"token punctuation\">.</span>sin_port <span class=\"token operator\">=</span> <span class=\"token function\">htons</span><span class=\"token punctuation\">(</span>port<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    dstAddr<span class=\"token punctuation\">.</span>sin_family <span class=\"token operator\">=</span> AF_INET<span class=\"token punctuation\">;</span>\n    dstAddr<span 
class=\"token punctuation\">.</span>sin_addr<span class=\"token punctuation\">.</span>s_addr <span class=\"token operator\">=</span> <span class=\"token function\">inet_addr</span><span class=\"token punctuation\">(</span>destination<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n    <span class=\"token comment\">// Start socket communication (specify SOCK_DGRAM)</span>\n    <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"\\t==>Creating socket...\\n\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    dstSocket <span class=\"token operator\">=</span> <span class=\"token function\">socket</span><span class=\"token punctuation\">(</span>AF_INET<span class=\"token punctuation\">,</span> SOCK_DGRAM<span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>dstSocket <span class=\"token operator\">&lt;</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span>\n    <span class=\"token punctuation\">{</span>\n        <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"\\t==>Creating socket failed!!\\n\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n        <span class=\"token keyword\">return</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n    <span class=\"token punctuation\">}</span>\n    <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"\\t==>Creating socket succeeded!!\\n\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n    <span 
class=\"token comment\">// Send UDP packet</span>\n    <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"\\t==>Sending UDP...\\n\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token function\">sendto</span><span class=\"token punctuation\">(</span>dstSocket<span class=\"token punctuation\">,</span> senddata<span class=\"token punctuation\">,</span> <span class=\"token function\">strlen</span><span class=\"token punctuation\">(</span>senddata<span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">,</span> <span class=\"token punctuation\">(</span>SOCKADDR <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token operator\">&amp;</span>dstAddr<span class=\"token punctuation\">,</span> <span class=\"token keyword\">sizeof</span><span class=\"token punctuation\">(</span>dstAddr<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n    <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"\\t==>UDP is sent!!\\n\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token function\">closesocket</span><span class=\"token punctuation\">(</span>dstSocket<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token function\">WSACleanup</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n    <span class=\"token keyword\">return</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>The 
implementation is essentially the same as the TCP version, so details are omitted.</p>\n<p>The differences are: the socket is created with <code class=\"language-text\">SOCK_DGRAM</code> for UDP, and since there is no three-way handshake, <code class=\"language-text\">connect</code> is not used; data is transferred with <code class=\"language-text\">sendto</code> instead.</p>\n<h2 id=\"verifying-communication\" style=\"position:relative;\"><a href=\"#verifying-communication\" aria-label=\"verifying communication permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Verifying Communication</h2>\n<p>I ran this program and used Wireshark to verify that communication was actually taking place.</p>\n<p>First, I confirmed that the POST request was sent:</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 540px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/64768d2f9690187105b1c5461918aaac/07484/image-70.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 64.16666666666666%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              
srcset=\"/static/64768d2f9690187105b1c5461918aaac/8ac56/image-70.webp 240w,\n/static/64768d2f9690187105b1c5461918aaac/d3be9/image-70.webp 480w,\n/static/64768d2f9690187105b1c5461918aaac/9e625/image-70.webp 540w\"\n              sizes=\"(max-width: 540px) 100vw, 540px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/64768d2f9690187105b1c5461918aaac/8ff5a/image-70.png 240w,\n/static/64768d2f9690187105b1c5461918aaac/e85cb/image-70.png 480w,\n/static/64768d2f9690187105b1c5461918aaac/07484/image-70.png 540w\"\n            sizes=\"(max-width: 540px) 100vw, 540px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/64768d2f9690187105b1c5461918aaac/07484/image-70.png\"\n            alt=\"image-70.png\"\n            title=\"image-70.png\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>I also confirmed that the UDP packet was received:</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 714px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/816c1ea998498b98edaeb6ba60edab0f/d67ca/image-71.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 33.33333333333333%; position: relative; bottom: 0; left: 0; background-image: 
url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAHCAYAAAAIy204AAAACXBIWXMAAAsTAAALEwEAmpwYAAABG0lEQVQoz52NTUsCYRSF5/8ELSK0WkQQQaswnD50wjbt+xnRKgqinCmbnNEkLSKIMgjaqCV9QYsoBRdtxqWrhHdmnt6JkmgR6IGHe+65cK5iXlawrx9IXlQxziuYxTLH5WdO7+vkSi+kr6ro8pYq3lAoPcm8xtljnZO7Goe3rx3y1bcvlI38EWu5PKv7BZZX1hlPLDEUjdE/qdI3oTIaS0g/RyiiMaYtMjKzwHA0LqdGWM7ByDyh6ThhNc7A1CwKv/TeaGDu7JLc3MLQDVLSZzNZMpaNnbYktvSZDgd29ju3MFN76NtJFOG6CCFwPR/HaSJaLfA8epXi+z4BgRzH4aPdJtiCJ8EztwuEcP8UNpu0ZWGgn7xb/i3sRZ9q5+QYMReR+QAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/816c1ea998498b98edaeb6ba60edab0f/8ac56/image-71.webp 240w,\n/static/816c1ea998498b98edaeb6ba60edab0f/d3be9/image-71.webp 480w,\n/static/816c1ea998498b98edaeb6ba60edab0f/80c40/image-71.webp 714w\"\n              sizes=\"(max-width: 714px) 100vw, 714px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/816c1ea998498b98edaeb6ba60edab0f/8ff5a/image-71.png 240w,\n/static/816c1ea998498b98edaeb6ba60edab0f/e85cb/image-71.png 480w,\n/static/816c1ea998498b98edaeb6ba60edab0f/d67ca/image-71.png 714w\"\n            sizes=\"(max-width: 714px) 100vw, 714px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/816c1ea998498b98edaeb6ba60edab0f/d67ca/image-71.png\"\n            alt=\"image-71.png\"\n            title=\"image-71.png\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Now that I’ve confirmed the program works correctly, let’s reverse-engineer it.</p>\n<h2 id=\"reversing\" style=\"position:relative;\"><a href=\"#reversing\" aria-label=\"reversing permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" 
viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Reversing</h2>\n<h3 id=\"decompiling-with-ghidra\" style=\"position:relative;\"><a href=\"#decompiling-with-ghidra\" aria-label=\"decompiling with ghidra permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Decompiling with Ghidra</h3>\n<p>I started by locating the <code class=\"language-text\">main</code> function from the <code class=\"language-text\">entry</code> function.</p>\n<p>I then identified the <code class=\"language-text\">send_http_post</code> and <code class=\"language-text\">send_udp</code> functions, and set the image base to the value loaded when <code class=\"language-text\">win_tcp_udp.exe</code> was executed.</p>\n<h3 id=\"capturing-a-ttd-trace-with-windbg\" style=\"position:relative;\"><a href=\"#capturing-a-ttd-trace-with-windbg\" aria-label=\"capturing a ttd trace with windbg permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 
1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Capturing a TTD Trace with WinDbg</h3>\n<p>To facilitate analysis, I captured a TTD trace of the compiled program.</p>\n<p>The TTD trace capture procedure is described in the following article:</p>\n<p>Reference: <a href=\"/windows-windbg-008-time-travel-debugging-en\">Introduction to a New Debugging Method with WinDbg Preview Time Travel Debugging</a></p>\n<p>The captured trace file is also available in the following repository:</p>\n<p>Reference: <a href=\"https://github.com/kash1064/Try2WinDbg/blob/master/traces/win_tcp_udp.zip\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">kash1064/Try2WinDbg</a></p>\n<h3 id=\"tracing-the-socket-internals\" style=\"position:relative;\"><a href=\"#tracing-the-socket-internals\" aria-label=\"tracing the socket internals permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Tracing the Socket Internals</h3>\n<p>As the first analysis target, I decided to trace the behavior of the <code class=\"language-text\">socket</code> function.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 550px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    
href=\"/static/31cf08774dc03bba6fb203b469fa0aae/dd45a/image-73.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 46.666666666666664%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/31cf08774dc03bba6fb203b469fa0aae/8ac56/image-73.webp 240w,\n/static/31cf08774dc03bba6fb203b469fa0aae/d3be9/image-73.webp 480w,\n/static/31cf08774dc03bba6fb203b469fa0aae/12b65/image-73.webp 550w\"\n              sizes=\"(max-width: 550px) 100vw, 550px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/31cf08774dc03bba6fb203b469fa0aae/8ff5a/image-73.png 240w,\n/static/31cf08774dc03bba6fb203b469fa0aae/e85cb/image-73.png 480w,\n/static/31cf08774dc03bba6fb203b469fa0aae/dd45a/image-73.png 550w\"\n            sizes=\"(max-width: 550px) 100vw, 550px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/31cf08774dc03bba6fb203b469fa0aae/dd45a/image-73.png\"\n            alt=\"image-73.png\"\n            title=\"image-73.png\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>From Ghidra’s disassembly output, I set a breakpoint at <code class=\"language-text\">0xdf726e</code> and advanced execution with the <code class=\"language-text\">g</code> command.</p>\n<div class=\"gatsby-highlight\" data-language=\"powershell\"><pre class=\"language-powershell\"><code class=\"language-powershell\">> bu 0x00df726e\n> g</code></pre></div>\n<p>Stepping into the <code 
class=\"language-text\">socket</code> function, I could see that it handles an object with <code class=\"language-text\">Prolog</code> in its name.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/5aa795fee13d8d07c18442c435645cfe/f058b/image-74.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 46.666666666666664%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/5aa795fee13d8d07c18442c435645cfe/8ac56/image-74.webp 240w,\n/static/5aa795fee13d8d07c18442c435645cfe/d3be9/image-74.webp 480w,\n/static/5aa795fee13d8d07c18442c435645cfe/8aab1/image-74.webp 630w\"\n              sizes=\"(max-width: 630px) 100vw, 630px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/5aa795fee13d8d07c18442c435645cfe/8ff5a/image-74.png 240w,\n/static/5aa795fee13d8d07c18442c435645cfe/e85cb/image-74.png 480w,\n/static/5aa795fee13d8d07c18442c435645cfe/f058b/image-74.png 630w\"\n            sizes=\"(max-width: 630px) 100vw, 630px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/5aa795fee13d8d07c18442c435645cfe/f058b/image-74.png\"\n            alt=\"image-74.png\"\n            title=\"image-74.png\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>I searched for information about <code 
class=\"language-text\">Prolog</code> for a while but couldn’t find anything relevant, so I skipped it for now.</p>\n<p>If anyone has more insight, please let me know.</p>\n<h3 id=\"the-created-socket\">The Created Socket</h3>\n<p>Next, let’s look at the line immediately after the <code class=\"language-text\">socket</code> function call.</p>\n<p><a href=\"/static/2e2565f594cff149c4bdd1c3b1b05539/68e9c/image-75.png\" target=\"_blank\" rel=\"noopener\"><img src=\"/static/2e2565f594cff149c4bdd1c3b1b05539/68e9c/image-75.png\" alt=\"image-75.png\" title=\"image-75.png\" /></a></p>\n<p>The <code class=\"language-text\">socket</code> function returns a file descriptor pointing 
to the created socket.</p>\n<p>Looking at the EAX register, the following value was stored:</p>\n<div class=\"gatsby-highlight\" data-language=\"powershell\"><pre class=\"language-powershell\"><code class=\"language-powershell\">> r eax\neax=00000150</code></pre></div>\n<p>Reference: <a href=\"https://docs.microsoft.com/en-us/windows/win32/api/winsock2/nf-winsock2-socket\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">socket function (winsock2.h) - Win32 apps | Microsoft Docs</a></p>\n<p>This file descriptor handle cannot be retrieved in TTD, but with live debugging it can be examined using the <code class=\"language-text\">!handle</code> command:</p>\n<div class=\"gatsby-highlight\" data-language=\"powershell\"><pre class=\"language-powershell\"><code class=\"language-powershell\">> r eax\neax=00000108\n\n> <span class=\"token operator\">!</span>handle 108 f\nHandle 108\n  <span class=\"token function\">Type</span>         \tFile\n  Attributes   \t0\n  GrantedAccess\t0x16019f:\n         ReadControl<span class=\"token punctuation\">,</span>WriteDac<span class=\"token punctuation\">,</span>Synch\n         Read/List<span class=\"token punctuation\">,</span><span class=\"token function\">Write</span><span class=\"token operator\">/</span>Add<span class=\"token punctuation\">,</span>Append/SubDir/CreatePipe<span class=\"token punctuation\">,</span>ReadEA<span class=\"token punctuation\">,</span>WriteEA<span class=\"token punctuation\">,</span>ReadAttr<span class=\"token punctuation\">,</span>WriteAttr\n  HandleCount  \t2\n  PointerCount \t65534\n  No Object Specific Information available</code></pre></div>\n<p>To inspect the file object contents, kernel debugging would probably be required (I think).</p>\n<h3 id=\"reading-the-sockaddr_in-structure\" style=\"position:relative;\"><a href=\"#reading-the-sockaddr_in-structure\" aria-label=\"reading the sockaddr_in structure permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" 
height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Reading the sockaddr_in Structure</h3>\n<p>The next target for analysis corresponds to the following section of the source code:</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token keyword\">struct</span> <span class=\"token class-name\">sockaddr_in</span> dstAddr<span class=\"token punctuation\">;</span>\n\n<span class=\"token function\">memset</span><span class=\"token punctuation\">(</span><span class=\"token operator\">&amp;</span>dstAddr<span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">,</span> <span class=\"token keyword\">sizeof</span><span class=\"token punctuation\">(</span>dstAddr<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\ndstAddr<span class=\"token punctuation\">.</span>sin_port <span class=\"token operator\">=</span> <span class=\"token function\">htons</span><span class=\"token punctuation\">(</span>port<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\ndstAddr<span class=\"token punctuation\">.</span>sin_family <span class=\"token operator\">=</span> AF_INET<span class=\"token punctuation\">;</span>\ndstAddr<span class=\"token punctuation\">.</span>sin_addr<span class=\"token punctuation\">.</span>s_addr <span class=\"token operator\">=</span> <span class=\"token function\">inet_addr</span><span class=\"token punctuation\">(</span>destination<span 
class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span></code></pre></div>\n<p>This allocates a <code class=\"language-text\">sockaddr_in</code> memory region and sets the port number, address family, and IP address.</p>\n<p>The <code class=\"language-text\">sockaddr_in</code> structure has the following layout.</p>\n<p>The <code class=\"language-text\">in_addr</code> structure stores an IPv4 address in 4 bytes.</p>\n<p><code class=\"language-text\">sin_zero</code> is a system-reserved field and is zero-padded.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token keyword\">typedef</span> <span class=\"token keyword\">struct</span> <span class=\"token class-name\">sockaddr_in</span> <span class=\"token punctuation\">{</span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">if</span> <span class=\"token expression\"><span class=\"token punctuation\">.</span><span class=\"token punctuation\">.</span><span class=\"token punctuation\">.</span></span></span>\n  <span class=\"token keyword\">short</span>          sin_family<span class=\"token punctuation\">;</span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">else</span></span>\n  ADDRESS_FAMILY sin_family<span class=\"token punctuation\">;</span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">endif</span></span>\n  USHORT         sin_port<span class=\"token punctuation\">;</span>\n  IN_ADDR        sin_addr<span class=\"token punctuation\">;</span>\n  CHAR           sin_zero<span class=\"token punctuation\">[</span><span class=\"token number\">8</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span> SOCKADDR_IN<span 
class=\"token punctuation\">,</span> <span class=\"token operator\">*</span>PSOCKADDR_IN<span class=\"token punctuation\">;</span></code></pre></div>\n<p>Reference: <a href=\"https://docs.microsoft.com/en-us/windows/win32/api/ws2def/ns-ws2def-sockaddr_in\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">SOCKADDR_IN (ws2def.h) - Win32 apps | Microsoft Docs</a></p>\n<p>Reference: <a href=\"https://docs.microsoft.com/en-us/windows/win32/api/winsock2/ns-winsock2-in_addr\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">in_addr (winsock2.h) - Win32 apps | Microsoft Docs</a></p>\n<p>Note that <code class=\"language-text\">sin_port</code> and <code class=\"language-text\">sin_addr</code> require values in network byte order, which is why the source code uses the <code class=\"language-text\">htons</code> and <code class=\"language-text\">inet_addr</code> functions.</p>\n<p>Reference: <a href=\"https://docs.microsoft.com/en-us/windows/win32/api/winsock/nf-winsock-htons\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">htons function (winsock.h) - Win32 apps | Microsoft Docs</a></p>\n<p>Reference: <a href=\"https://docs.microsoft.com/en-us/windows/win32/api/winsock2/nf-winsock2-inet_addr\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">inet_addr function (winsock2.h) - Win32 apps | Microsoft Docs</a></p>\n<p>With the structure layout understood, I set a breakpoint at <code class=\"language-text\">0xdf7227</code>, the address after the <code class=\"language-text\">memset</code> call.</p>\n<p><a href=\"/static/573d26875a221e470c21f73fe4403d2f/29579/image.png\" target=\"_blank\" rel=\"noopener\"><img src=\"/static/573d26875a221e470c21f73fe4403d2f/29579/image.png\" alt=\"image.png\" title=\"image.png\" /></a></p>\n<p>Checking the <code class=\"language-text\">memset</code> return value, I found that the allocated memory starts at <code class=\"language-text\">0x55d810</code>.</p>\n<div class=\"gatsby-highlight\" data-language=\"powershell\"><pre class=\"language-powershell\"><code class=\"language-powershell\">> r eax\neax=0055d810</code></pre></div>\n<p>Looking at the memory, it appears that a 16-byte region has values set.</p>\n<p>The <code class=\"language-text\">sockaddr_in</code> structure uses 2 bytes each for the port and address family, 4 bytes for the IP address, and 8 bytes for the system-reserved field.</p>\n<p><a href=\"/static/96374987ee5c17149aca7c34d5cbca5d/fa2f5/image-1.png\" target=\"_blank\" rel=\"noopener\"><img src=\"/static/96374987ee5c17149aca7c34d5cbca5d/fa2f5/image-1.png\" alt=\"image-1.png\" title=\"image-1.png\" /></a></p>\n<p>Advancing execution, the port number, address family, and IP address were written into the previously empty memory region.</p>\n<p><a href=\"/static/28807a629a0e13d12b351cd801596f5c/bb630/image-2.png\" target=\"_blank\" rel=\"noopener\"><img src=\"/static/28807a629a0e13d12b351cd801596f5c/bb630/image-2.png\" alt=\"image-2.png\" title=\"image-2.png\" /></a></p>\n<p>This was a bit hard to read, so I changed the display format:</p>\n<div class=\"gatsby-highlight\" data-language=\"powershell\"><pre class=\"language-powershell\"><code class=\"language-powershell\">> dyb 0055d810\n          76543210 76543210 76543210 76543210\n          -------- -------- -------- --------\n0055d810  00000010 00000000 00000000 01010000  02 00 00 50\n0055d814  10101001 11111110 01100100 00011110  a9 fe 64 1e\n0055d818  00000000 00000000 00000000 00000000  00 00 00 00\n0055d81c  00000000 00000000 00000000 00000000  00 00 00 00</code></pre></div>\n<p>The first two bytes, <code class=\"language-text\">02 00</code>, are <code class=\"language-text\">sin_family</code> (AF_INET = 2, kept in host byte order); the next two hold port 80, stored as <code class=\"language-text\">0x0050</code> in network byte order (big-endian).</p>\n<p>The 4 bytes starting at <code class=\"language-text\">0x55d814</code> contain the IP address, also in network byte order.</p>\n<h2 id=\"summary\">Summary</h2>\n<p>I spent the end of the year doing socket programming and reverse-engineering.</p>\n<p>Hope the new year brings good things.</p>","fields":{"slug":"/windows-windbg-010-socket-en","tagSlugs":["/tag/win-dbg-en/","/tag/kernel-en/","/tag/reversing-en/","/tag/c-c-en/","/tag/english/"]},"frontmatter":{"date":"2022-01-01","description":"","tags":["WinDbg (en)","Kernel (en)","Reversing (en)","C/C++ (en)","English"],"title":"Reversing a Windows Sockets TCP/UDP Communication Program","socialImage":{"publicURL":"/static/5c0b851ce6b11ba9ab8d74d12a5a4a1b/windows-windbg-010-socket.png"}}}},"pageContext":{"slug":"/windows-windbg-010-socket-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}