Skip to content

Instantly share code, notes, and snippets.

@teddymwai

teddymwai/intercepting-memory-allocations.ds

Forked from SinaKarvandi/intercepting-memory-allocations.ds
Created November 25, 2023 00:01
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save teddymwai/498ced4a85a14b5a53e92464be0127b8 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save teddymwai/498ced4a85a14b5a53e92464be0127b8 to your computer and use it in GitHub Desktop.
Download ZIP
intercepting-memory-allocations
Raw
intercepting-memory-allocations.ds
start path "C:\Windows\notepad.exe"
g
? .thread_intercept_thread = 0;
? .target_pid = $pid;
? .target_tid = 0;
? .target_allocation_address = 0;
? .target_allocation_size = 0;
? .is_commited = 0;
!sysret stage post script {
if ($pid == .target_pid && .thread_intercept_thread == 1 && $tid == .target_tid) {
spinlock_unlock(&.thread_intercept_thread);
.target_tid = 0;
printf("[SYSRET] NtAllocateVirtualMemory called from, pid: %x, name: %s | located at: %llx, actual allocated size: %llx\n", $pid, $pname, dq(.target_allocation_address), dq(.target_allocation_size));
pause();
}
}
!syscall 18 stage pre script {
if ($pid == .target_pid) {
spinlock_lock(&.thread_intercept_thread);
.target_tid = $tid;
.target_allocation_address = @rdx;
.target_allocation_size = @r9;
//
// Use bitwise AND to check if the bit is set
// MEM_COMMIT = 0x00001000
//
if (dq(@rsp+20) & 0x00001000) {
.is_commited = 1;
}
else {
.is_commited = 0;
}
if (dq(rdx) == 0) {
printf("[SYSCALL] NtAllocateVirtualMemory called from, pid: %x, name: %s | requested size: %llx | is commited: %llx\n", $pid, $pname, dq(r9), .is_commited);
}
else {
printf("[SYSCALL] NtAllocateVirtualMemory called from, pid: %x, name: %s | requested size: %llx, user-specific addr: %llx | is commited: %llx\n\n", $pid, $pname, dq(r9), dq(rdx), .is_commited);
}
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment