MarioVilas/winappdbg

anomaly api_hook signature

gand3lf opened this issue · 2 comments

I'm using the following code to print the argument passed to the Sleep function.

#!/bin/env python
# -*- coding: utf-8 -*-

from winappdbg import Debug, EventHandler
from winappdbg.win32 import PVOID, DWORD, HANDLE

class MyEventHandler( EventHandler ):

    # Hook kernel32!Sleep; its only parameter is a DWORD (dwMilliseconds).
    apiHooks = {

        "kernel32.dll": [
            ("Sleep", (DWORD, )),
        ],
    }

    # Called just before Sleep runs. "ra" is the return address read from
    # the stack, followed by the hooked function's parameters.
    def pre_Sleep(self, event, ra, dwMilliseconds):
        proc = event.get_process()
        proc.suspend()
        print "%d" % (ra>>32)  # This prints the value passed to the Sleep function!
        print dwMilliseconds
        proc.resume()


def simple_debugger( argv ):
    # The original line was cut off after "bKillOnExit"; the usual winappdbg
    # form "bKillOnExit = True ) as debug:" is assumed to complete it.
    with Debug( MyEventHandler(), bKillOnExit = True ) as debug:

        # Attach to the PID given on the command line and run the event loop.
        debug.attach( int(argv[0]) )
        debug.loop()

if __name__ == "__main__":
    import sys
    simple_debugger( sys.argv[1:] )

I would ask why the "ra" parameter contains the value passed to the Sleep function? The dwMilliseconds parameter contains a strange garbage value...

I see that this problem is solved if I compile the target program as 64-bit. But I think that this behaviour can be patched in some way.

The Python VM must match the target program - either they're both 64 bit or both 32 bit.
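The following is an added example, not code from the original thread or from winappdbg, that reproduces on a constructed stack image why gand3lf saw the Sleep argument in the high half of "ra" and garbage in dwMilliseconds. At the first instruction of a 32-bit Sleep the stack holds 4-byte slots: the return address at esp, dwMilliseconds at esp+4. A 64-bit debugger that walks the frame in pointer-sized (8-byte) slots reads the return address and the first argument as one little-endian 64-bit value, so the argument lands in bits 32..63, and the "first argument" it reports is whatever sits two 32-bit slots further up. The frame contents, the helper names and the slot-walking routine are all assumptions for illustration; winappdbg's real hook prologue is not reproduced here.

```python
import struct

# Constructed 32-bit stack image at entry to kernel32!Sleep(1000), lowest
# address first (little-endian, 4-byte slots). Values are made up.
RET_ADDR = 0x00401234        # [esp+0]  return address pushed by "call Sleep"
DW_MILLISECONDS = 1000       # [esp+4]  first and only argument
LEFTOVER = 0xDEADBEEF        # [esp+8]  stale caller data above the frame


def build_stack32(ret_addr, dw_ms, leftover):
    """Pack the three 32-bit slots exactly as a 32-bit process lays them out."""
    return struct.pack("<III", ret_addr, dw_ms, leftover)


def read_hook_args(stack, ptr_size, nargs):
    """Walk a call frame the way a pre-call hook does: one slot for the return
    address, then nargs slots, each ptr_size bytes wide.

    ptr_size is the *debugger's* pointer size. Passing 8 against a 32-bit
    frame reproduces the mismatch from the thread. Bytes past the end of the
    constructed image are zero-padded (assumption; a real read would return
    whatever happens to be on the stack there).
    """
    if ptr_size not in (4, 8):
        raise ValueError("pointer size must be 4 or 8 bytes")
    fmt = "<" + ("I" if ptr_size == 4 else "Q") * (1 + nargs)
    need = struct.calcsize(fmt)
    data = stack.ljust(need, b"\0")[:need]
    values = struct.unpack(fmt, data)
    return values[0], list(values[1:])


def split_mismatched_ra(ra):
    """Undo the packing seen when 8-byte slots are read from a 32-bit frame:
    low 32 bits are the real return address, high 32 bits are the first arg."""
    return ra & 0xFFFFFFFF, ra >> 32


def slot_size_for(debugger_bits, target_bits):
    """Practitioner check: refuse to hook across a bitness mismatch instead of
    silently reading wrong-width slots (the thread's fix is to run a Python
    build whose bitness matches the target)."""
    if debugger_bits != target_bits:
        raise RuntimeError(
            "debugger is %d-bit but target is %d-bit; use a matching Python"
            % (debugger_bits, target_bits))
    return debugger_bits // 8


if __name__ == "__main__":
    frame = build_stack32(RET_ADDR, DW_MILLISECONDS, LEFTOVER)

    # Correct case: 32-bit Python hooking a 32-bit target.
    ra, args = read_hook_args(frame, slot_size_for(32, 32), 1)
    print("32-bit reader: ra=0x%08x dwMilliseconds=%d" % (ra, args[0]))

    # Mismatch: 64-bit Python reading the same 32-bit frame in 8-byte slots.
    ra, args = read_hook_args(frame, 8, 1)
    real_ra, first_arg = split_mismatched_ra(ra)
    print("64-bit reader: ra=0x%016x (ra>>32=%d, ra&0xffffffff=0x%08x), "
          "dwMilliseconds=0x%x" % (ra, first_arg, real_ra, args[0]))
```

With 4-byte slots the hook sees ra=0x00401234 and dwMilliseconds=1000. With 8-byte slots it sees ra=0x000003e800401234, so ra>>32 is 1000 (the value gand3lf printed) and the reported dwMilliseconds is 0xdeadbeef, the stale slot above the real argument. slot_size_for() is the check to run before installing hooks; it turns the silent corruption into an error.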