In an effort to learn vtrace I've been trying to attach to a process, hook the import address table and then resume the main thread of the process. When I don't attach to the process the ResumeThread() call works fine. But when I do, it spins up a thread, the call to ResumeThread() doesn't work and the main thread never runs. Below is the code...
import sys
import ctypes
from ctypes import byref, sizeof
from ctypes import wintypes
import vdb
import vtrace
from iathook import hookIat  # the poster's own IAT hooking helper (not shown)

CREATE_SUSPENDED = 0x00000004  # main thread is created suspended

class STARTUPINFOA(ctypes.Structure):
    _fields_ = [
        ("cb", wintypes.DWORD),
        ("lpReserved", wintypes.LPSTR),
        ("lpDesktop", wintypes.LPSTR),
        ("lpTitle", wintypes.LPSTR),
        ("dwX", wintypes.DWORD),
        ("dwY", wintypes.DWORD),
        ("dwXSize", wintypes.DWORD),
        ("dwYSize", wintypes.DWORD),
        ("dwXCountChars", wintypes.DWORD),
        ("dwYCountChars", wintypes.DWORD),
        ("dwFillAttribute", wintypes.DWORD),
        ("dwFlags", wintypes.DWORD),
        ("wShowWindow", wintypes.WORD),
        ("cbReserved2", wintypes.WORD),
        ("lpReserved2", ctypes.POINTER(ctypes.c_ubyte)),
        ("hStdInput", wintypes.HANDLE),
        ("hStdOutput", wintypes.HANDLE),
        ("hStdError", wintypes.HANDLE),
    ]

class PROCESS_INFORMATION(ctypes.Structure):
    _fields_ = [
        ("hProcess", wintypes.HANDLE),
        ("hThread", wintypes.HANDLE),
        ("dwProcessId", wintypes.DWORD),
        ("dwThreadId", wintypes.DWORD),
    ]

kernel32 = ctypes.WinDLL('kernel32.dll', use_last_error=True)

path_to_binary = b"C:\\path\\to\\target.exe"  # placeholder: path of the target executable
creation_flags = CREATE_SUSPENDED
startupinfo = STARTUPINFOA()
startupinfo.cb = sizeof(startupinfo)  # CreateProcess requires cb to be set
process_info = PROCESS_INFORMATION()

# launch the process in a suspended state (and patch it using DLL injection,
# but that code doesn't affect the following code)
bCreateProcessW = kernel32.CreateProcessA(
    path_to_binary,
    None,
    None,
    None,
    True,
    creation_flags,
    None,
    None,
    byref(startupinfo),
    byref(process_info))
if not bCreateProcessW:
    sys.exit("CreateProcessA failed, error %d" % ctypes.get_last_error())

apptrace = vtrace.getTrace()
apptrace.attach(process_info.dwProcessId)       # 1
hookSomeStuff = hookIat(apptrace, 'MSVCR110')    # 2
# apptrace.resumeThread(process_info.hThread)    # 3
dwPrevSuspendCount = kernel32.ResumeThread(process_info.hThread)
As I mentioned above, when I remove the vtrace attach and hookIat stuff (lines #1 & #2), the ResumeThread() call works fine and the main thread runs. I also tried resuming the thread using the vtrace method (line #3) but it tells me that the thread is not suspended. The main thread doesn't actually run, so I wonder how it could not be suspended or what happened to it. I also checked the events of the binary using procmon and when it attaches it spins up another thread, and that seems to throw things off. This may seem awkward and I understand there are many other ways to do this, but I'm using it as a learning exercise and now I'm interested in why it's not working. Any help is appreciated and thanks in advance.