Help with API Hooking

[elmarcia]

Hi epvp i tried hooking the api CreateProcessA to change the parameters of the process to be loaded. But something is wrong cause the process Crashes

Here is the code:

 Spoiler

Code:

#include <windows.h>

void* detourFunc(BYTE *src, const BYTE *dst, const int len)
{
	BYTE *jmp = (BYTE*)malloc(len+5);
	DWORD dwback;

	VirtualProtect(src, len, PAGE_READWRITE, &dwback);

	memcpy(jmp, src, len);	jmp += len;

	jmp[0] = 0xE9;
	*(DWORD*)(jmp+1) = (DWORD)(src+len - jmp) - 5;

	src[0] = 0xE9;
	*(DWORD*)(src+1) = (DWORD)(dst - src) - 5;

	VirtualProtect(src, len, dwback, &dwback);

	return (jmp-len);
}

   typedef BOOL   (__stdcall * CreateProcessA_t)(LPCSTR lpApplicationName,LPSTR lpCommandLine,LPSECURITY_ATTRIBUTES lpProcessAttributes,
   LPSECURITY_ATTRIBUTES lpThreadAttributes,BOOL bInheritHandles,DWORD dwCreationFlags,LPVOID lpEnvironment,LPCSTR lpCurrentDirectory,
   LPSTARTUPINFOA lpStartupInfo,LPPROCESS_INFORMATION lpProcessInformation);
    CreateProcessA_t oCreateProcessA = NULL;


  BOOL __stdcall hkCreateProcessA (LPCSTR lpApplicationName,LPSTR lpCommandLine,LPSECURITY_ATTRIBUTES lpProcessAttributes,
   LPSECURITY_ATTRIBUTES lpThreadAttributes,BOOL bInheritHandles,DWORD dwCreationFlags,LPVOID lpEnvironment,LPCSTR lpCurrentDirectory,
   LPSTARTUPINFOA lpStartupInfo,LPPROCESS_INFORMATION lpProcessInformation)
 {

	

	 return oCreateProcessA(lpApplicationName,lpCommandLine,lpProcessAttributes,lpThreadAttributes,bInheritHandles,
		 dwCreationFlags,lpEnvironment,lpCurrentDirectory,lpStartupInfo,lpProcessInformation);
 }



 void Hook()
 {
	 //CreateProcessA hook
	 DWORD dwCreateProcess = (DWORD)GetProcAddress(GetModuleHandleA("kernel32.dll"), "CreateProcessA");
	 oCreateProcessA = (CreateProcessA_t)detourFunc((BYTE*)dwCreateProcess, (BYTE*)&hkCreateProcessA, 5);

 }


 DWORD WINAPI dwMainThread( LPVOID )
{	

	Hook();

	return TRUE;
}

BOOL WINAPI DllMain( HINSTANCE hInstDLL,DWORD dwReason,LPVOID lpReserved )
{
	if( dwReason==DLL_PROCESS_ATTACH )
		CreateThread(0,0,dwMainThread,0,0,0);

return TRUE;
}

And here the images of the assembly code:

Original Call to CreateProcessA (without injected dll):


Mine CreateProcessA:

Looks like crap isn't it...
Some parameters aren't parsed. Why this happen?

Continue Execution:

Nice Crash detected

Can someone explain me whats wrong with my code

[​Tension]

Maybe because it's not CreateProcess?
I've found this on another website:

Code:

DWORD WINAPI CreateProcessInternal(
  __in         DWORD unknown1,                   
  __in_opt     LPCTSTR lpApplicationName,
  __inout_opt  LPTSTR lpCommandLine,
  __in_opt     LPSECURITY_ATTRIBUTES lpProcessAttributes,
  __in_opt     LPSECURITY_ATTRIBUTES lpThreadAttributes,
  __in         BOOL bInheritHandles,
  __in         DWORD dwCreationFlags,
  __in_opt     LPVOID lpEnvironment,
  __in_opt     LPCTSTR lpCurrentDirectory,
  __in         LPSTARTUPINFO lpStartupInfo,
  __out        LPPROCESS_INFORMATION lpProcessInformation,
  __in         DWORD unknown2                            
);

but if you want to use CreateProcess you can just hook the CreateProcessInternal Function and return CreateProcess() with your given parameters, it should work.

[Jeoni]

Your trampolin (called "jmp" in your detourFunc) does not have execute rights. So when you call the (logical) original function, which begins with your trampolin, it will trigger an access violation at the first instruction of the trampolin.

Correct:

Code:

...
VirtualProtect(jmp, len + 5, PAGE_EXECUTE_READWRITE, &dwback); // this will make your trampolin executable
VirtualProtect(src, len, PAGE_READWRITE, &dwback);
...

With best regards
Jeoni

[elmarcia]

Thanks for your replys guys i appreciate it, will try once again if it works . Thought the problem was Aclayers.dll that is called when the hook returns. Testing now...