
I am writing an application using the Deviare usermode hooking engine over COM in python. One of the functions I am hooking is CreateProcessA, but I seem to be having trouble passing the appropriate pointers from a hooked function to the ctypes kernel32.CreateProcess call. My goal is to stop a legitimate call to CreateProcess and re-create it in a suspended state.

If needed the Deviare documentation for the function arguments is here: Deviare - Parameters

Also, MSDN for Create Process: kernel32.CreateProcessA

Below is my ctypes call. I don't instantiate anything before this or set up a function definition using 'args'; is that necessary in this case?

'parameters' is an object in Deviare containing the function arguments passed to the hooked function (CreateProcessA)

import ctypes
import ctypes.wintypes

retval = ctypes.windll.kernel32.CreateProcessA(
    ctypes.wintypes.LPCWSTR(parameters.GetAt(0).Value),      # lpApplicationName
    ctypes.wintypes.LPCWSTR(parameters.GetAt(1).Value),      # lpCommandLine
    ctypes.c_ulong(parameters.GetAt(2).PointerVal),          # lpProcessAttributes
    ctypes.c_ulong(parameters.GetAt(3).PointerVal),          # lpThreadAttributes
    ctypes.wintypes.BOOL(parameters.GetAt(4).Value),         # bInheritHandles
    ctypes.wintypes.DWORD(0x4),                              # dwCreationFlags (0x4 = CREATE_SUSPENDED)
    ctypes.wintypes.LPVOID(parameters.GetAt(6).PointerVal),  # lpEnvironment
    ctypes.wintypes.LPCWSTR(parameters.GetAt(7).Value),      # lpCurrentDirectory
    ctypes.cast(parameters.GetAt(8).PointerVal, ctypes.POINTER(ctypes.c_ulong)),  # lpStartupInfo
    ctypes.cast(parameters.GetAt(9).PointerVal, ctypes.POINTER(ctypes.c_ulong)))  # lpProcessInformation

My error and some helpful/typed parameters getting passed to the new CreateProcess call:

Parameter            | Type                  | Value
lpApplicationName    | LPCSTR                | ""
lpCommandLine        | LPSTR                 | "python C:\Users\user\PycharmProjects\testing\API_tests_2.py"
lpProcessAttributes  | LPSECURITY_ATTRIBUTES | N/A
lpThreadAttributes   | LPSECURITY_ATTRIBUTES | N/A
bInheritHandles      | BOOL                  | 1
dwCreationFlags      | DWORD                 | 0
lpEnvironment        | LPVOID                | N/A
lpCurrentDirectory   | LPCSTR                | ""
lpStartupInfo        | LPSTARTUPINFOA        | 0x33eb90
lpProcessInformation | LPPROCESS_INFORMATION | 0x33eb60

File "C:\Users\user\PycharmProjects\testing\EventHandlers.py", line 299, in OnFunctionCalled
    ctypes.POINTER(ctypes.c_ulong)))
WindowsError: exception: access violation reading 0x000000000033EBF0

Sometimes the location of the access violation is at the beginning of lpStartupInfo, other times in the middle of it. I'm not sure why, unless something else is wrong in my environment.

I have confirmed the locations of LPSTARTUPINFO & LPPROCESS_INFORMATION to be correct in a debugger.

Blackdragon1400
  • I don't know anything about Deviare, but if it's hooking a call in another process, it should provide a way to read/modify the parameters and then resume the call. Certainly, if a pointed at buffer is in another process, it's meaningless to directly use the pointer in your current process, in which it will point at arbitrary memory. But again, I doubt that's how this hooking API is meant to be used. – Eryk Sun Jan 17 '17 at 14:13
  • Take care you are hooking the ansi version and inspecting wide strings. – Mauro H. Leggieri Feb 25 '17 at 16:55

0 Answers
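The question has no answer, so here is an added example of the ctypes side of the re-creation, written the way the two comments point: narrow (bytes) strings for the A-suffixed API instead of LPCWSTR, STARTUPINFOA and PROCESS_INFORMATION allocated in the calling process instead of casting the hooked call's addresses to POINTER(c_ulong), and CREATE_SUSPENDED OR-ed into the original flags rather than replacing them. This is not code from the question, from its author or from Deviare. It assumes the hook handler has already pulled plain Python values (strings and integers) out of Deviare's parameters object; how the handler does that, and how the original call is blocked, are left to the hook engine and are not shown. It also assumes, following Eryk Sun's comment, that the handler may run in a different process than the hooked one, so no pointer from the hooked call is reused and lpEnvironment is passed as NULL (inherit the caller's environment). CapturedCall, layout_check, suspended_flags and bind_create_process_a are hypothetical names introduced here.

```python
"""Re-issue a captured CreateProcessA call with CREATE_SUSPENDED via ctypes.
Added example, not from the question or from Deviare."""
import ctypes
import sys

# Win32 types spelled out so the module also imports on non-Windows hosts
# (the actual call is still Windows-only, see bind_create_process_a).
DWORD, WORD, HANDLE, LPSTR = ctypes.c_uint32, ctypes.c_uint16, ctypes.c_void_p, ctypes.c_char_p
LPBYTE = ctypes.POINTER(ctypes.c_ubyte)
CREATE_SUSPENDED = 0x00000004


class STARTUPINFOA(ctypes.Structure):
    _fields_ = [("cb", DWORD), ("lpReserved", LPSTR), ("lpDesktop", LPSTR),
                ("lpTitle", LPSTR), ("dwX", DWORD), ("dwY", DWORD),
                ("dwXSize", DWORD), ("dwYSize", DWORD), ("dwXCountChars", DWORD),
                ("dwYCountChars", DWORD), ("dwFillAttribute", DWORD),
                ("dwFlags", DWORD), ("wShowWindow", WORD), ("cbReserved2", WORD),
                ("lpReserved2", LPBYTE), ("hStdInput", HANDLE),
                ("hStdOutput", HANDLE), ("hStdError", HANDLE)]


class PROCESS_INFORMATION(ctypes.Structure):
    _fields_ = [("hProcess", HANDLE), ("hThread", HANDLE),
                ("dwProcessId", DWORD), ("dwThreadId", DWORD)]


def layout_check():
    """True if the structures match the SDK sizes: 68/16 on x86, 104/24 on x64."""
    want = (104, 24) if ctypes.sizeof(ctypes.c_void_p) == 8 else (68, 16)
    return (ctypes.sizeof(STARTUPINFOA), ctypes.sizeof(PROCESS_INFORMATION)) == want


def suspended_flags(original_flags):
    """OR in CREATE_SUSPENDED instead of replacing the caller's flags with 0x4,
    which would silently drop flags such as CREATE_NEW_CONSOLE."""
    return original_flags | CREATE_SUSPENDED


def _ansi(value):
    """str/bytes/empty -> bytes or None (NULL). The A-suffixed API takes
    narrow strings, so no LPCWSTR anywhere."""
    if not value:
        return None
    if isinstance(value, str):
        return value.encode("mbcs" if sys.platform == "win32" else "utf-8")
    return value


class CapturedCall:
    """Arguments rebuilt in *this* process from values the hook captured
    (hypothetical helper). Raw addresses from the hooked call are not reused."""

    def __init__(self, application_name, command_line, inherit_handles,
                 creation_flags, current_directory):
        self.application_name = _ansi(application_name)
        # lpCommandLine is LPSTR (writable); hand the API a buffer we own.
        self.command_line = ctypes.create_string_buffer(_ansi(command_line) or b"")
        self.inherit_handles = 1 if inherit_handles else 0
        self.creation_flags = suspended_flags(creation_flags)
        self.current_directory = _ansi(current_directory)
        # Fresh out-structures with cb set, instead of casting foreign
        # addresses (the 0x33eb90 / 0x33eb60 of the trace) to POINTER(c_ulong).
        self.startup_info = STARTUPINFOA(cb=ctypes.sizeof(STARTUPINFOA))
        self.process_information = PROCESS_INFORMATION()


def bind_create_process_a():
    """kernel32.CreateProcessA with argtypes declared, so ctypes marshals
    c_char_p / None / byref() correctly on both 32- and 64-bit Python."""
    if sys.platform != "win32":
        raise OSError("CreateProcessA is only available on Windows")
    fn = ctypes.WinDLL("kernel32", use_last_error=True).CreateProcessA
    fn.argtypes = [LPSTR, LPSTR, ctypes.c_void_p, ctypes.c_void_p, ctypes.c_int,
                   DWORD, ctypes.c_void_p, LPSTR,
                   ctypes.POINTER(STARTUPINFOA), ctypes.POINTER(PROCESS_INFORMATION)]
    fn.restype = ctypes.c_int
    return fn


def create_suspended(call):
    """Create the process suspended and return its PROCESS_INFORMATION.
    Resume later with ResumeThread(pi.hThread); close both handles when done."""
    ok = bind_create_process_a()(
        call.application_name, call.command_line,
        None, None,                       # lpProcessAttributes, lpThreadAttributes
        call.inherit_handles, call.creation_flags,
        None,                             # lpEnvironment: inherit ours (assumption)
        call.current_directory,
        ctypes.byref(call.startup_info), ctypes.byref(call.process_information))
    if not ok:
        raise ctypes.WinError(ctypes.get_last_error())
    return call.process_information


if __name__ == "__main__":
    # Constructed sample mirroring the values in the question's trace.
    call = CapturedCall("", r"python C:\Users\user\PycharmProjects\testing\API_tests_2.py", 1, 0, "")
    pi = create_suspended(call)
    print("suspended pid", pi.dwProcessId, "tid", pi.dwThreadId)
```

Declaring argtypes is what makes the "do I need to set up 'args'" part of the question moot: with them in place, passing None yields a NULL pointer, bytes yield an LPSTR, and byref() of a locally owned structure yields a valid pointer in the calling process, so ctypes cannot hand the API a truncated c_ulong or an address that only means something inside the hooked process.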