matterpreter revised this gist
Dec 7, 2020 . 1 changed file with 2 additions and 3 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -9,8 +9,7 @@ def on_message(message, data): else: print(message) pid = frida.spawn("C:\Temp\stage0.exe") session = frida.attach(pid) script = """ @@ -26,7 +25,7 @@ def on_message(message, data): this.Protect = args[5]; }, onLeave: function (args) { if(!(this.ProcessHandle == 0xffffffff || this.ProcessHandle == 0xffffffffffffffff)){ send("[-] I saw you call NtAllocateVirtualMemory"); send("Process Handle: " + this.ProcessHandle); send("BaseAddress: " + this.BaseAddress); -
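Review bot: The current-process filter in onLeave, `if(!(this.ProcessHandle == 0xffffffff || this.ProcessHandle == 0xffffffffffffffff))`, compares a Frida NativePointer to JavaScript number literals with loose equality; this appears to work only through coercion of the pointer's hex string to a number, and `0xffffffffffffffff` is not exactly representable as a JS double, so the match depends on both sides rounding the same way. The same loose comparison is used in the NtWriteVirtualMemory hook of the Nov 25 revision and in the original check of the Nov 24 revision. A pointer-native check covers both the 32-bit and the 64-bit pseudo-handle in one expression: `if (this.ProcessHandle.toInt32() !== -1) {`. The `script = """` string and the on_message definition named in the hunk header begin outside the hunk.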
matterpreter revised this gist
Nov 25, 2020 . 1 changed file with 23 additions and 0 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -10,6 +10,7 @@ def on_message(message, data): print(message) pid = frida.spawn("C:\Temp\SimpleCRT.exe") #pid = frida.spawn("C:\Temp\HookDetector.exe") session = frida.attach(pid) script = """ @@ -36,6 +37,28 @@ def on_message(message, data): } } }); var pNtWriteVirtualMemory = Module.findExportByName("ntdll.dll", 'NtWriteVirtualMemory') Interceptor.attach(pNtWriteVirtualMemory, { onEnter: function (args) { this.Handle = args[0]; this.BaseAddress = args[1]; this.Buffer = args[2]; this.NumberOfBytesToWrite = args[3]; this.NumberOfBytesWritten = args[4]; }, onLeave: function (args) { if(!(this.Handle == 0xffffffff)){ send("[-] I saw you call NtWriteVirtualMemory"); send("Handle: " + this.Handle); send("BaseAddress: " + this.BaseAddress); send("Buffer: " + this.Buffer); send("NumberOfBytesToWrite: " + this.NumberOfBytesToWrite); send("NumberOfBytesWritten: " + this.NumberOfBytesWritten); } } }); """ script = session.create_script(script) -
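Review bot: The NtWriteVirtualMemory hook excludes only the 32-bit pseudo-handle, `if(!(this.Handle == 0xffffffff))`, whereas the NtAllocateVirtualMemory filter in the later Dec 7 revision also excludes `0xffffffffffffffff`; on a 64-bit target, a write to the current process through the all-ones handle would still be reported by this hook, so the two hooks disagree on what counts as a remote operation. `if (this.Handle.toInt32() !== -1) {` keeps the filter consistent across both hooks and both pointer sizes. The commented-out `#pid = frida.spawn("C:\Temp\HookDetector.exe")` line is dead code; a command-line argument for the target path would avoid editing the script per target. The enclosing `script = """` string starts outside the hunk.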
matterpreter revised this gist
Nov 24, 2020 . 1 changed file with 10 additions and 8 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -9,7 +9,7 @@ def on_message(message, data): else: print(message) pid = frida.spawn("C:\Temp\SimpleCRT.exe") session = frida.attach(pid) script = """ @@ -25,13 +25,15 @@ def on_message(message, data): this.Protect = args[5]; }, onLeave: function (args) { if(!(this.ProcessHandle == 0xffffffff)){ send("[-] I saw you call NtAllocateVirtualMemory"); send("Process Handle: " + this.ProcessHandle); send("BaseAddress: " + this.BaseAddress); send("ZeroBits: " + this.ZeroBits); send("RegionSize: " + this.RegionSize); send("AllocationType: " + this.AllocationType); send("Protect: " + this.Protect); } } }); """ -
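Review bot: The new spawn line `pid = frida.spawn("C:\Temp\SimpleCRT.exe")` is a normal string literal containing backslashes; `\T` and `\S` happen not to be recognised escape sequences, but Python warns on invalid escapes (SyntaxWarning since 3.12) and a path whose component starts with `n`, `t` or `r` would silently change. Use a raw string: `pid = frida.spawn(r"C:\Temp\SimpleCRT.exe")`. The same applies to the spawn lines in the other revisions on this page. The `script = """` string holding the hook runs past the end of the hunk.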
matterpreter created this gist
Oct 13, 2020 .There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,49 @@ import frida import sys def on_message(message, data): if message['type'] == 'send': print(message['payload']) elif message['type'] == 'error': print(message['stack']) else: print(message) pid = frida.spawn("C:\Temp\foo.exe") session = frida.attach(pid) script = """ var pNtAllocateVirtualMemory = Module.findExportByName("ntdll.dll", 'NtAllocateVirtualMemory') Interceptor.attach(pNtAllocateVirtualMemory, { onEnter: function (args) { this.ProcessHandle = args[0]; this.BaseAddress = args[1]; this.ZeroBits = args[2]; this.RegionSize = args[3]; this.AllocationType = args[4]; this.Protect = args[5]; }, onLeave: function (args) { send("[-] I saw you call NtAllocateVirtualMemory"); send("Process Handle: " + this.ProcessHandle); send("BaseAddress: " + this.BaseAddress); send("ZeroBits: " + this.ZeroBits); send("RegionSize: " + this.RegionSize); send("AllocationType: " + this.AllocationType); send("Protect: " + this.Protect); } }); """ script = session.create_script(script) frida.resume(pid) script.on('message', on_message) script.load() try: while True: pass except KeyboardInterrupt: session.detach() sys.exit(0)
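Review bot: `frida.resume(pid)` is called before `script.load()`, so the spawned process starts running before the NtAllocateVirtualMemory interceptor is attached and any allocations made in that window are never reported; ordering the tail as `script.on('message', on_message)`, `script.load()`, `frida.resume(pid)` installs the hook first. The keep-alive loop `while True: pass` busy-spins a CPU core until Ctrl-C; `sys.stdin.read()` (sys is already imported) blocks without burning CPU and still lands in the existing KeyboardInterrupt handler. The hook's `Module.findExportByName("ntdll.dll", 'NtAllocateVirtualMemory')` statement also lacks a terminating semicolon and would read more clearly as `const` rather than `var`.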