;88888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888
;88888888888888888888888888888888888888 88888888888888888888888888888888888888
;88888888888888888888888888888888 8888888888888888888888888888888
;88888888888888888888888888 88888888888888888888888888
;8888888888888888888 VirtualAlloc Hooking Script 88888888888888888888
;8888888888888888888 88888888888888888888
;8888888888888888888 Author: Kyriakos Economou (@kyREcon/www.anti-reversing.com) 88888888888888888888
;8888888888888888888 88888888888888888888
;88888888888888888888888888 Features: Logs Calls to VirtualAlloc + Return Addresses 8888888888888888888888888
;888888888888888888888888888888888 888888888888888888888888888888
;888888888888888888888888888888888888888 ODbgScript plugin v1.82.6 88888888888888888888888888888888888888
;88888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888
;
; Overview (from the code below): the script allocates a small trampoline in the debuggee,
; assembles the 5-byte prologue of kernel32!VirtualAlloc into it, overwrites the start of
; VirtualAlloc with "jmp trampoline", appends "jmp VirtualAlloc+5" to the trampoline, sets a
; breakpoint on the trampoline and then loops: on every stop it logs the return address of the
; call to the script window and to a logfile under C:\.
; Numeric constants in ODbgScript are hexadecimal (alloc 10 -> 0x10 bytes, sub tmp1, 5 -> 5).

;________Variables Declarations ________
var virtualAlloc ; holds the string "VirtualAlloc", then its VA (gpa), and is used as scratch in HookVirtualAlloc
var mymemory ; trampoline buffer returned by alloc: copied prologue + jmp back
var param ; declared but never used in this script
var tmp1 ; scratch (save/restore of virtualAlloc / mymemory / eip)
var tmp2 ; scratch (rel32 value, saved VA)
var counter ; byte loop counter for writing rel32 values
var kernel32 ; module name passed to gpa
var logfile ; "C:\" + user-entered name + ".txt"
var retAddress ; return address read from the stack at a hook stop
var calledFrom ; retAddress - 5 (see EvalVirtualAllocParams)
var hookedonce ; 0 until the first handled stop; gates the one-time log header
var startlogging ; header line written to the log once

;_________Script Start *Main* ___________
LCLR ; clear script log window
mov startlogging, " ------------------------------ Start ------------------------------ "
mov kernel32, "Kernel32.dll"
mov virtualAlloc, "VirtualAlloc"
call AllocateMemory ; mymemory = trampoline buffer
call PrepareAllocatedMemory ; write the 5-byte prologue copy into it
Call HookVirtualAlloc ; patch VirtualAlloc, finish the trampoline, set the breakpoint
mov hookedonce,0
mov logfile, "C:\"
ask "Enter name for logfile. Will be saved in C:\ directory. (example: log)"
add logfile, $RESULT ; e.g. "log" -> "C:\log"
add logfile, ".txt" ; -> "C:\log.txt"
; NOTE(review): $RESULT is appended without validation, so a name containing path separators
; or "..\" resolves outside C:\ and the wrt below overwrites whatever file that is.

; Main loop: run until the trampoline breakpoint is hit, then decide whether to log the stop.
_run:
erun ; run the debuggee (erun: run, presumably passing exceptions to the debuggee)
cob ; continue-on-breakpoint: keep the script running when the breakpoint is hit
cmp hookedonce,0
jne _proceed
wrt logfile, startlogging ; first stop only: wrt (re)creates the logfile and writes the header
log startlogging
_proceed:
sto ; execute one instruction
mov tmp1, eip
sub tmp1, 5
cmp tmp1, virtualAlloc ; only treat the stop as a hook hit when eip-5 == kernel32!VirtualAlloc
jne _continue
; NOTE(review): the breakpoint set in HookVirtualAlloc is on the trampoline (mymemory), so after
; one sto eip should be mymemory+2 and eip-5 would not equal virtualAlloc; confirm on a live
; target that this branch is ever taken (if it is not, nothing is ever logged).
call EvalVirtualAllocParams
inc hookedonce
_continue:
jmp _run

;_______Functions Section _________
AllocateMemory:
; Reserve 0x10 bytes in the debuggee for the trampoline (5 prologue bytes + 5-byte jmp).
alloc 10
mov mymemory, $RESULT ; save address of new allocated memory
Ret
;//-----------------------------------
PrepareAllocatedMemory:
; Assemble, at the start of the trampoline, the 5 bytes that HookVirtualAlloc will overwrite at
; VirtualAlloc: mov edi,edi (2) / push ebp (1) / mov ebp,esp (2).
; NOTE(review): these bytes are hard-coded rather than copied from the live function; if the
; loaded kernel32 build does not begin with exactly this 5-byte prologue, the trampoline executes
; the wrong instructions -- verify against the target's VirtualAlloc before use.
mov tmp1, mymemory ; save trampoline base
asm mymemory, "mov edi,edi"
add mymemory, 2 ; 2-byte instruction
asm mymemory, "push ebp"
inc mymemory ; 1-byte instruction
asm mymemory, "mov ebp,esp"
mov mymemory, tmp1 ; restore trampoline base
Ret
;//-----------------------------------
HookVirtualAlloc:
; Overwrite the first 5 bytes of kernel32!VirtualAlloc with "jmp mymemory", append
; "jmp VirtualAlloc+5" after the copied prologue in the trampoline, and put a breakpoint on
; the trampoline so every call into the hooked function stops the debuggee.
gpa virtualAlloc, kernel32
mov virtualAlloc, $RESULT
mov tmp1, virtualAlloc ; save VirtualAlloc VA
sub virtualAlloc, mymemory ; VA - mymemory
mov tmp2, FFFFFFFF
sub tmp2, virtualAlloc
sub tmp2,4 ; tmp2 = mymemory - VA - 5 (mod 2^32), i.e. the rel32 of a jmp from VA to mymemory
mov virtualAlloc, tmp1
fill virtualAlloc, 1, E9 ; jmp rel32 opcode over VirtualAlloc's first byte
inc virtualAlloc
mov counter,4
_loop1:
fill virtualAlloc, 1, tmp2 ; presumably only the low byte of tmp2 is written -- verify fill semantics
shr tmp2, 8 ; next byte (little-endian)
inc virtualAlloc
dec counter
cmp counter,0
jne _loop1
mov virtualAlloc, tmp1 ;restore VA
mov tmp1, mymemory ;save trampoline base
mov tmp2, virtualAlloc ;save VA
add mymemory, 5 ; skip the copied prologue
sub virtualAlloc, mymemory ;calc distance: VA - (base+5) == (VA+5) - (base+5+5), the rel32 of the jmp back
fill mymemory, 1, E9 ; jmp rel32 opcode
inc mymemory
mov counter,4
_loop:
fill mymemory, 1, virtualAlloc ; same byte-at-a-time write as _loop1
shr virtualAlloc, 8
inc mymemory
dec counter
cmp counter,0
jne _loop
sub mymemory,5 ; back to trampoline base
bp mymemory ; breakpoint on the trampoline: fires on every call into the hooked VirtualAlloc
mov mymemory, tmp1 ;restore
mov virtualAlloc,tmp2 ;restore
Ret
;//-------------------------------------------------
EvalVirtualAllocParams:
; Log the return address of the hooked call (and retAddress-5 as the presumed call site) to the
; script window and to logfile.
mov retAddress, [esp+4], 4 ; [esp+4] is the caller's return address only once push ebp has executed (at entry it is the lpAddress argument) -- confirm where execution actually stops
log "VirtualAlloc hooked!"
wrta logfile,"VirtualAlloc hooked!"
mov calledFrom, retAddress, 4
sub calledFrom, 5 ; assumes a direct 5-byte call; an indirect call through the IAT (FF 15 disp32) is 6 bytes, so this is then off by one
eval "Called from: {calledFrom}"
log $RESULT
wrta logfile, $RESULT
eval "Return Address: {retAddress}"
log $RESULT
wrta logfile, $RESULT
log " "
wrta logfile, " "
log " " ;just to separate completed logs
log " "
log " ------------------------------------------------------"
log " " ;just to separate completed logs
log " "
wrta logfile," "
wrta logfile," "
wrta logfile, " ------------------------------------------------------"
wrta logfile," "
wrta logfile," "
Ret

;________ Exit _________
; NOTE(review): no path leads here (the _run loop jumps back unconditionally), and nothing in the
; script restores VirtualAlloc's original bytes or removes the breakpoint, so the patched function
; and the trampoline remain in the debuggee after the script ends.
_exit: