Help with API Hooking

01/26/2014 18:30 elmarcia#1
Hi epvp, I tried hooking the API CreateProcessA to change the parameters of the process to be loaded. But something is wrong because the process crashes :(

Here is the code:
And here are the images of the assembly code:

Original Call to CreateProcessA (without injected dll):

My CreateProcessA:
Looks like crap, doesn't it...
Some parameters aren't parsed. Why does this happen?

Continue Execution:
Nice Crash detected :(

Can someone explain to me what's wrong with my code :handsdown:
01/29/2014 07:58 Tension#2
Maybe because it's not CreateProcess?
I've found this on another website:
Code:
DWORD WINAPI CreateProcessInternal(
  __in         DWORD unknown1,
  __in_opt     LPCTSTR lpApplicationName,
  __inout_opt  LPTSTR lpCommandLine,
  __in_opt     LPSECURITY_ATTRIBUTES lpProcessAttributes,
  __in_opt     LPSECURITY_ATTRIBUTES lpThreadAttributes,
  __in         BOOL bInheritHandles,
  __in         DWORD dwCreationFlags,
  __in_opt     LPVOID lpEnvironment,
  __in_opt     LPCTSTR lpCurrentDirectory,
  __in         LPSTARTUPINFO lpStartupInfo,
  __out        LPPROCESS_INFORMATION lpProcessInformation,
  __in         DWORD unknown2
);
But if you want to use CreateProcess, you can just hook the CreateProcessInternal function and return CreateProcess() with your given parameters; it should work.
01/29/2014 18:19 Jeoni#3
Your trampoline (called "jmp" in your detourFunc) does not have execute rights. So when you call the (logical) original function, which begins with your trampoline, it will trigger an access violation at the first instruction of the trampoline.

Correct:
Code:
...
VirtualProtect(jmp, len + 5, PAGE_EXECUTE_READWRITE, &dwback); // this will make your trampoline executable
VirtualProtect(src, len, PAGE_READWRITE, &dwback);             // make the hooked function writable so the jmp can be patched in; restore its original protection afterwards
...
With best regards
Jeoni
01/30/2014 17:33 elmarcia#4
Thanks for your replies guys, I appreciate it; I will try once again and see if it works :D. I thought the problem was AcLayers.dll, which is called when the hook returns. Testing now...