Here are some commands that can be used to dump the bytes being sent and received via the Winsock send and recv APIs when viewing a Time Travel Debugging trace. A similar approach can be extended to capture more of the Winsock APIs, such as creation of the socket. You can remove the !position command and use these for live debugging in WinDbg instead if desired, although if there are a lot of calls to send/recv it will significantly slow the application.
Note: on receive, this dumps the entire buffer, which may be larger than the actual number of bytes received.
For 32-bit applications
bp ws2_32!recv "!position;r $t0=poi(@esp+8);r $t1=poi(@esp+0Ch);bp /1 @$ra \".echo *** RECEIVE ***;db @$t0 L@$t1;g\";g"
bp ws2_32!send "!position;.echo *** SEND ***;db poi(@esp+8) L(poi(@esp+0Ch));g"
For 64-bit applications
bp ws2_32!recv "!position;r $t0=@rdx;r $t1=@r8;bp /1 @$ra \".echo *** RECEIVE ***;db @$t0 L@$t1;g\";g"
bp ws2_32!send "!position;.echo *** SEND ***;db @rdx L(@r8);g"
If instead you just want to dump any ASCII (-sa) / Unicode (-su) strings that are being hit, you can try:
For 32-bit applications
bp ws2_32!recv "!position;r $t0=poi(@esp+8);r $t1=poi(@esp+0Ch);bp /1 @$ra \".echo *** RECEIVE ***;s -sa @$t0 L@$t1;s -su @$t0 L@$t1;g\";g"
bp ws2_32!send "!position;.echo *** SEND ***;s -sa poi(@esp+8) L(poi(@esp+0Ch));s -su poi(@esp+8) L(poi(@esp+0Ch));g"
For 64-bit applications
bp ws2_32!recv "!position;r $t0=@rdx;r $t1=@r8;bp /1 @$ra \".echo *** RECEIVE ***;s -sa @$t0 L@$t1;s -su @$t0 L@$t1;g\";g"
bp ws2_32!send "!position;.echo *** SEND ***;s -sa @rdx L(@r8);s -su @rdx L(@r8);g"
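To turn the output of the `db` breakpoints (the first set of commands above) back into raw bytes, the following added example, which is not part of the original post, parses a saved debugger log. It assumes the output was captured to a text file (for instance with `.logopen`) and that `db` printed its usual 16-bytes-per-line address / hex / ASCII layout; `parse_dump` and `SAMPLE` are names made up for this illustration, and the sample log is constructed.

```python
import re

# Address column of a `db` line: 8 hex digits (32-bit) or 8`8 (64-bit), then two spaces.
ADDR = re.compile(r"^[0-9a-f]{8}(?:`[0-9a-f]{8})?  ", re.I)
# Markers printed by the .echo commands in the breakpoints above.
MARK = re.compile(r"^\*\*\* (SEND|RECEIVE) \*\*\*$")
CELL = re.compile(r"[0-9a-f]{2}", re.I)
HEX_WIDTH = 16 * 3 - 1  # 16 two-digit cells joined by ' ' (or '-' in the middle)


def parse_dump(log_text):
    """Return [(direction, bytes)] with one entry per SEND/RECEIVE marker."""
    events = []
    for line in log_text.splitlines():
        line = line.rstrip()
        mark = MARK.match(line)
        if mark:
            events.append((mark.group(1), bytearray()))
            continue
        addr = ADDR.match(line)
        if not addr or not events:
            continue  # !position output and anything else that is not a dump line
        # Slice the fixed-width hex area so the ASCII column is never parsed as hex.
        hex_area = line[addr.end():addr.end() + HEX_WIDTH]
        for cell in re.split(r"[ -]", hex_area.strip()):
            if not CELL.fullmatch(cell):
                break  # "??" (unreadable memory) or padding on a short last line
            events[-1][1].append(int(cell, 16))
    return [(direction, bytes(buf)) for direction, buf in events]


# Constructed sample log; it mixes 32-bit and 64-bit address columns on purpose.
SAMPLE = """\
Time Travel Position: 1A:0
*** SEND ***
0012f5a0  47 45 54 20 2f 20 48 54-54 50 2f 31 2e 31 0d 0a  GET / HTTP/1.1..
0012f5b0  0d 0a                                            ..
Time Travel Position: 2C:0
*** RECEIVE ***
00000000`0014e2c0  48 54 54 50 2f 31 2e 31-20 32 30 30 20 4f 4b 0d  HTTP/1.1 200 OK.
00000000`0014e2d0  0a 0d 0a 00 ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ....????????????
"""

if __name__ == "__main__":
    for direction, data in parse_dump(SAMPLE):
        # RECEIVE entries hold the whole buffer, not just the bytes recv returned.
        print(direction, len(data), data)
```
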