DEVHIDE
Login Or Sign up

Python Ctypes Windows Access Violation - reading memory location

497 Views Asked by At

I am writing an application using the Deviare usermode hooking engine over COM in python. One of the functions I am hooking is CreateProcessA, but I seem to be having trouble passing the appropriate pointers from a hooked function to the ctypes kernel32.CreateProcess call. My goal is to stop a legitimate call to CreateProcess and re-create it in a suspended state.

If needed the Deviare documentation for the function arguments is here: Deviare - Parameters

Also, MSDN for Create Process: kernel32.CreateProcessA

Below is my ctypes call, I don't instantiate anything before this or setup a function definition using 'args', is that necessary in this case?

'parameters' is an object in Deviare containing the function arguments passed to the hooked function (CreateProcessA)

retval = ctypes.windll.kernel32.CreateProcessA(
ctypes.wintypes.LPCWSTR(parameters.GetAt(0).Value),
ctypes.wintypes.LPCWSTR(parameters.GetAt(1).Value),
ctypes.c_ulong(parameters.GetAt(2).PointerVal),
ctypes.c_ulong(parameters.GetAt(3).PointerVal),
ctypes.wintypes.BOOL(parameters.GetAt(4).Value),
ctypes.wintypes.DWORD(0x4),
ctypes.wintypes.LPVOID(parameters.GetAt(6).PointerVal),
ctypes.wintypes.LPCWSTR(parameters.GetAt(7).Value),
ctypes.cast(parameters.GetAt(8).PointerVal, ctypes.POINTER(ctypes.c_ulong)),
ctypes.cast(parameters.GetAt(9).PointerVal, ctypes.POINTER(ctypes.c_ulong)))

My error and some helpful/typed parameters getting passed to the new CreateProcess call:

lpApplicationName | LPCSTR | "" 
lpCommandLine | LPSTR | "python C:\Users\user\PycharmProjects\testing\API_tests_2.py" 
lpProcessAttributes | LPSECURITY_ATTRIBUTES | N/A 
lpThreadAttributes | LPSECURITY_ATTRIBUTES | N/A 
bInheritHandles | BOOL | 1 
dwCreationFlags | DWORD | 0 
lpEnvironment | LPVOID | N/A
lpCurrentDirectory | LPCSTR | "" 
lpStartupInfo | LPSTARTUPINFOA | 0x33eb90 
lpProcessInformation | LPPROCESS_INFORMATION | 0x33eb60 

File "C:\Users\user\PycharmProjects\testing\EventHandlers.py", line 299, in OnFunctionCalled
    ctypes.POINTER(ctypes.c_ulong)))
WindowsError: exception: access violation reading 0x000000000033EBF0

Sometimes the location of the access violation is at the beginning of lpstartupinfo, other times in the middle of it. I'm not sure why, unless something else is wrong in my environment.

I have confirmed the locations of LPSTARTUPINFO & LPPROCESS_INFORMATION to be correct in a debugger.

python windows hook ctypes usermode
Original Q&A
0

There are 0 best solutions below

Related Questions in PYTHON

Related Questions in WINDOWS

Related Questions in HOOK

Related Questions in CTYPES

Related Questions in USERMODE

Trending Questions

Popular # Hahtags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Popular Questions

Copyright © 2021 Jogjafile Inc.