Question

I'm trying to get the PROCESS_INFORMATION from CreateProcessW from an exe.
What I'm doing is hooking the call by placing a jmp at the location and nopping the remaining bytes. It jmps to my function, then I call CreateProcessW again the same way it's done in the exe,
then I try to catch/log the data,
then I jmp back to continue the stuff in the exe.

My problem is that it's not logging the PROCESS_INFORMATION right: the ProcessId is not the same as the PID of the created process.

This is the function I'm hooking: http://i.stack.imgur.com/tFZRn.png

Then I place the hook/jmp

DWORD CreateProcessMidHookAddress = (DWORD)GetModuleHandleA("MyDll.dll") + 0x16F46;
DWORD CreateProcessMidHookRet = (DWORD)GetModuleHandleA("MyDll.dll") + 0x16F56;

placeJMP((BYTE*)CreateProcessMidHookAddress, (DWORD)CreateProcessMidHook, 16); // JMP from loader.dll + 0x16F46 to my function

And then here is my function. It gets called and the process is created, it's just that the ProcessId is not the same ProcessId as the created process.

__declspec(naked) void CreateProcessMidHook()
{
    // Naked function: no prologue is generated, so this local has no frame set up behind it
    PROCESS_INFORMATION ProcessInformation;
    __asm
    {
        // Re-issue the 9 pushes the overwritten bytes used to do (stdcall, right to left)
        PUSH EDX; // 52
        PUSH EBP; // 55
        PUSH 0; // 6A 00
        PUSH 5; // 6A 05
        PUSH 0; // 6A 00
        PUSH 0; // 6A 00
        PUSH 0; // 6A 00
        PUSH ECX; // 51
        PUSH ESI; // 56
        CALL EAX; // FF D0  CALLS CreateProcessW

        // think problem is here
        // EDX was pushed as an argument (a pointer), not the struct itself, and it is a
        // caller-saved register, so after the CALL it need not hold what was pushed
        MOV ProcessInformation, EDX;

        // Save registers and flags before calling into C code
        PUSHAD;
        PUSHFD;

    }

    // Log function is just like printf, logs to text file
    Log("ProcessId : 0x%X \n", ProcessInformation.dwProcessId);

    __asm
    {
        // Restore and resume the exe just past the overwritten bytes
        POPFD;
        POPAD;

        JMP[CreateProcessMidHookRet];
    }
}

Solution

I ended up working this out.

What I did was I found where in ESP the data was stored.

I then made a class to hold the data I needed and placed a void to jmp to the location I needed: BYTE void[0xAddress];

Then I moved the data into my class: MOV pClass, ESP;

There are other ways of doing this, but this is what I could work out and get to work.

Thanks heaps for your help.
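Added example, not code from the question or the answer above. The reason the struct was only findable on the stack: CreateProcessW takes ten parameters, and the hook re-issues nine pushes, so the tenth (lpProcessInformation, pushed first under stdcall's right-to-left order) was pushed before the hook address and is never in EDX. The struct itself lives in the exe's memory and is output-only, so a hook has to keep the caller's pointer and read through it after the call returns. One of the "other ways" the answer mentions is a prototype-level detour, where that pointer is simply a parameter. The Windows types, the CreateProcessW signature and the stand-in "real" function below are constructed so the example builds and runs without Windows; the PID/TID values and the helper names (Stub_CreateProcessW, Hooked_CreateProcessW, demo_call) are assumptions for illustration.

```c
/* Prototype-level hook for a CreateProcessW-shaped call (added example).
 * Stand-in types and stub API: no Windows headers, no process is created. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

typedef uint32_t        DWORD;
typedef int             BOOL;
typedef void           *HANDLE;
typedef void           *LPVOID;
typedef const wchar_t  *LPCWSTR;
typedef wchar_t        *LPWSTR;

typedef struct {
    HANDLE hProcess;
    HANDLE hThread;
    DWORD  dwProcessId;
    DWORD  dwThreadId;
} PROCESS_INFORMATION, *LPPROCESS_INFORMATION;

/* Same 10-parameter shape as CreateProcessW. On 32-bit Windows this would also
 * carry WINAPI (stdcall), so a detour with this signature pops exactly the
 * arguments the caller pushed. */
typedef BOOL (*CreateProcessW_t)(LPCWSTR, LPWSTR, LPVOID, LPVOID, BOOL, DWORD,
                                 LPVOID, LPCWSTR, LPVOID, LPPROCESS_INFORMATION);

/* Constructed stand-in for the real API: writes through the caller's pointer
 * on success, leaves it untouched on failure, exactly like the real one. */
static BOOL Stub_CreateProcessW(LPCWSTR app, LPWSTR cmd, LPVOID pa, LPVOID ta, BOOL inherit,
                                DWORD flags, LPVOID env, LPCWSTR cwd, LPVOID si,
                                LPPROCESS_INFORMATION pi)
{
    (void)cmd; (void)pa; (void)ta; (void)inherit; (void)flags; (void)env; (void)cwd; (void)si;
    if (app == NULL || pi == NULL)
        return 0;
    pi->hProcess    = (HANDLE)(uintptr_t)0x1A4;   /* constructed handle values */
    pi->hThread     = (HANDLE)(uintptr_t)0x1A8;
    pi->dwProcessId = 4242;                        /* constructed PID */
    pi->dwThreadId  = 4243;                        /* constructed TID */
    return 1;
}

/* Where the trampoline / original entry would be resolved after patching. */
static CreateProcessW_t Real_CreateProcessW = Stub_CreateProcessW;

/* Last record captured by the hook and a hit counter, exposed for inspection. */
static PROCESS_INFORMATION g_last_pi;
static int g_hook_hits;

/* The detour: identical signature, so lpProcessInformation is just `pi`.
 * Read it AFTER the original returns (it is output-only) and only on success. */
static BOOL Hooked_CreateProcessW(LPCWSTR app, LPWSTR cmd, LPVOID pa, LPVOID ta, BOOL inherit,
                                  DWORD flags, LPVOID env, LPCWSTR cwd, LPVOID si,
                                  LPPROCESS_INFORMATION pi)
{
    BOOL ok = Real_CreateProcessW(app, cmd, pa, ta, inherit, flags, env, cwd, si, pi);
    if (ok && pi != NULL) {
        memcpy(&g_last_pi, pi, sizeof g_last_pi);  /* copy now; the caller owns the struct */
        g_hook_hits++;
        printf("ProcessId : 0x%X  ThreadId : 0x%X  flags : 0x%X\n",
               (unsigned)g_last_pi.dwProcessId, (unsigned)g_last_pi.dwThreadId, (unsigned)flags);
    }
    return ok;
}

DWORD last_logged_pid(void) { return g_last_pi.dwProcessId; }
int   hook_hits(void)       { return g_hook_hits; }

/* Drives the hook the way the patched call site would: flags 5 is the value
 * pushed in the question (DEBUG_PROCESS | CREATE_SUSPENDED). Returns the PID
 * the caller sees in its own struct, 0 if the call failed. */
DWORD demo_call(LPCWSTR app)
{
    PROCESS_INFORMATION pi;
    memset(&pi, 0, sizeof pi);
    if (!Hooked_CreateProcessW(app, NULL, NULL, NULL, 0, 5, NULL, NULL, NULL, &pi))
        return 0;
    return pi.dwProcessId;
}

int main(void)
{
    printf("caller pid=%u hook pid=%u\n", (unsigned)demo_call(L"C:\\example\\child.exe"),
           (unsigned)last_logged_pid());
    printf("failed call pid=%u hits=%d\n", (unsigned)demo_call(NULL), hook_hits());
    return 0;
}
```

The hook copies the struct rather than keeping the pointer, because the caller is free to reuse or free its PROCESS_INFORMATION after the call; and it checks the return value first, since a failed CreateProcessW leaves the struct unfilled, which is another way to log a PID that matches no process.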

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow