;88888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888
;88888888888888888888888888888888888888                                     88888888888888888888888888888888888888
;88888888888888888888888888888888                                                  8888888888888888888888888888888
;88888888888888888888888888                                                            88888888888888888888888888
;8888888888888888888                    VirtualProtect Hooking Script                         88888888888888888888
;8888888888888888888                                                                          88888888888888888888
;8888888888888888888       Author: Kyriakos Economou (@kyREcon/www.anti-reversing.com)        88888888888888888888
;8888888888888888888                                                                          88888888888888888888
;88888888888888888888888888      Features: Logs Calls to VirtualProtect + Return Addresses   8888888888888888888888888
;888888888888888888888888888888888                                                     888888888888888888888888888888
;888888888888888888888888888888888888888          ODbgScript plugin v1.82.6          88888888888888888888888888888888888888
;88888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888
;
; How it works (derived from the commands below, not from external docs):
;   1. AllocateMemory / PrepareAllocatedMemory: allocate a small block inside
;      the debuggee and write VirtualProtect's 5-byte hot-patch prologue
;      (mov edi,edi / push ebp / mov ebp,esp) there. HookVirtualProtect then
;      appends a JMP back to VirtualProtect+5, so the block is a trampoline.
;   2. HookVirtualProtect overwrites the first 5 bytes of kernel32!VirtualProtect
;      with JMP <trampoline> (an inline detour) and puts an INT3 breakpoint
;      on the trampoline's own JMP instruction.
;   3. Main loop: run the debuggee; each time it pauses, single-step once and
;      check whether EIP is now VirtualProtect+5 (i.e. we arrived via the
;      trampoline). If so, read the caller's return address from the stack and
;      log it to the script window and to the log file. Any other pause is
;      simply resumed.
;
; Notes for the operator (nothing below enforces these):
;   - Numeric literals are hexadecimal, as the bare FFFFFFFF / E9 constants
;     show; "alloc 10" is therefore 0x10 bytes.
;   - The detour is never removed: no command in this script restores the
;     original 5 bytes, so VirtualProtect stays patched until the debuggee
;     exits. Any code that checksums kernel32's text section would presumably
;     notice the E9 byte.
;   - The log file name is taken verbatim from the user and appended to "C:\";
;     it is not sanitised (a name containing "..\" would escape C:\).
;   - Despite its name, EvalVirtualProtectParams captures only the return
;     address, not lpAddress/dwSize/flNewProtect, and the "Called from" value
;     assumes a 5-byte direct CALL (see the note in that function).
;
;________Variables Declarations ________
var virtualProtect ; export name at first; after HookVirtualProtect holds the VA of kernel32!VirtualProtect
var mymemory ; address of the trampoline block allocated inside the debuggee
var param ; declared but not used anywhere in this script
var tmp1 ; scratch, used to save/restore variables across the patching steps
var tmp2 ; scratch, holds the rel32 being emitted byte by byte
var counter ; loop counter for the 4-byte rel32 writes
var kernel32 ; module name passed to gpa
var logfile ; full path of the log file ("C:\" + user input + ".txt")
var retAddress ; return address read from the stack on each hooked call
var calledFrom ; retAddress - 5, i.e. the presumed address of the CALL instruction
var hookedonce ; 0 until the first hooked call has been logged; gates the "Start" banner
var startlogging ; banner text written at the top of the log
;_________Script Start *Main* ___________
LCLR ; clear script log window
mov startlogging, " ------------------------------ Start ------------------------------ "
mov kernel32, "Kernel32.dll"
mov virtualProtect, "VirtualProtect"
call AllocateMemory
call PrepareAllocatedMemory
Call HookVirtualProtect
mov hookedonce,0
mov logfile, "C:\"
; $RESULT holds the string the user typed; it is joined to "C:\" without any validation.
ask "Enter name for logfile. Will be saved in C:\ directory. (example: log)"
add logfile, $RESULT
add logfile, ".txt"
_run:
; Run the debuggee until it pauses. The expected pause is the INT3 placed on the
; trampoline's JMP by HookVirtualProtect, but any other breakpoint or exception
; returns here as well and is filtered out by the EIP check below.
; (erun/cob: run with exceptions passed to the debuggee / continue on breakpoint,
; presumably -- confirm against the ODbgScript command reference.)
erun
cob
cmp hookedonce,0
jne _proceed
; Write the banner on every pause until the first hooked call has been logged.
; wrt presumably creates/truncates the file while wrta (used below) appends -- confirm.
wrt logfile, startlogging
log startlogging
_proceed:
; One step. When paused on the trampoline's JMP (mymemory+5) this lands on
; VirtualProtect+5, so EIP-5 == VirtualProtect identifies a hooked call.
sto
mov tmp1, eip
sub tmp1, 5
cmp tmp1, virtualProtect
jne _continue
call EvalVirtualProtectParams
inc hookedonce
_continue:
jmp _run
;_______Functions Section _________
; AllocateMemory: allocate 0x10 bytes in the debuggee for the trampoline and
; store the address in mymemory. The trampoline actually uses 0x0A of them
; (5 bytes of prologue + 5 bytes of JMP).
AllocateMemory:
alloc 10
mov mymemory, $RESULT ; save address of new allocated memory
Ret
;//-----------------------------------
; PrepareAllocatedMemory: assemble VirtualProtect's hot-patch prologue at the
; start of the trampoline. The cursor is advanced by each instruction's encoded
; length (mov edi,edi = 2, push ebp = 1, mov ebp,esp = 2), then mymemory is
; restored to the block's base. These are the 5 bytes that HookVirtualProtect
; overwrites in VirtualProtect itself, so they must be executed here instead.
PrepareAllocatedMemory:
mov tmp1, mymemory ; save base address
asm mymemory, "mov edi,edi"
add mymemory, 2
asm mymemory, "push ebp"
inc mymemory
asm mymemory, "mov ebp,esp"
mov mymemory, tmp1 ; restore base address
Ret
;//-----------------------------------
; HookVirtualProtect: install the detour and the trampoline's JMP back.
;   Part 1: write "JMP mymemory" (E9 rel32) over VirtualProtect+0.
;           rel32 = mymemory - (VirtualProtect + 5); it is built as
;           (FFFFFFFF - (VirtualProtect - mymemory)) - 4, which is the same
;           value in 32-bit two's complement.
;   Part 2: write "JMP VirtualProtect+5" at mymemory+5 (right after the
;           prologue). rel32 = VirtualProtect - (mymemory + 5); since the JMP
;           itself occupies mymemory+5..+9, the target resolves to
;           VirtualProtect+5, i.e. just past the bytes overwritten in part 1.
;   Finally an INT3 breakpoint is set on that JMP (mymemory+5); the main loop
;   relies on this exact location for its EIP-5 test.
; Each rel32 is emitted one byte at a time with fill, shifting right by 8 per
; pass to produce little-endian order (fill presumably stores only the low
; byte of the value -- confirm). Every variable is saved to tmp1/tmp2 before
; being used as a cursor and restored before Ret.
; NOTE(review): if gpa fails (presumably $RESULT = 0) nothing here detects it
; and the patch would be attempted at address 0.
HookVirtualProtect:
gpa virtualProtect, kernel32
mov virtualProtect, $RESULT
mov tmp1, virtualProtect ; save VirtualProtect VA
sub virtualProtect, mymemory ; d = VirtualProtect - mymemory
mov tmp2, FFFFFFFF
sub tmp2, virtualProtect ; ~d == -d - 1
sub tmp2,4 ; -> mymemory - VirtualProtect - 5 (rel32 for the JMP at VirtualProtect+0)
mov virtualProtect, tmp1
fill virtualProtect, 1, E9 ; JMP rel32 opcode over VirtualProtect's first byte
inc virtualProtect
mov counter,4
_loop1:
fill virtualProtect, 1, tmp2 ; low byte of the remaining rel32
shr tmp2, 8
inc virtualProtect
dec counter
cmp counter,0
jne _loop1
mov virtualProtect, tmp1 ;restore
mov tmp1, mymemory ;save
mov tmp2, virtualProtect ;save
add mymemory, 5 ; cursor now just after the prologue
sub virtualProtect, mymemory ;calc distance: VirtualProtect - (mymemory+5)
fill mymemory, 1, E9 ; JMP rel32 opcode at mymemory+5
inc mymemory
mov counter,4
_loop:
fill mymemory, 1, virtualProtect ; low byte of the remaining rel32
shr virtualProtect, 8
inc mymemory
dec counter
cmp counter,0
jne _loop
sub mymemory,5 ; back to mymemory+5, the JMP we just wrote
bp mymemory ; breakpoint on the trampoline's JMP -- the main loop stops here
mov mymemory, tmp1 ;restore
mov virtualProtect,tmp2 ;restore
Ret
;//-------------------------------------------------
; EvalVirtualProtectParams: called with EIP == VirtualProtect+5, after the
; trampoline has executed mov edi,edi / push ebp / mov ebp,esp. At that point
; [esp] is the saved EBP and [esp+4] is the caller's return address, which is
; the only value captured. The real VirtualProtect arguments would start at
; [esp+8] given this stack layout, but are not read.
; NOTE(review): "Called from" is retAddress - 5, which is only the CALL's
; address for a 5-byte direct CALL (E8 rel32). Compiled code usually reaches
; kernel32 exports through a 6-byte indirect CALL (FF 15 [imp]), in which case
; the logged address is one byte past the start of the CALL instruction.
; Output goes both to the script log window (log) and to the file (wrta);
; the blank and dashed lines are separators between entries.
EvalVirtualProtectParams:
mov retAddress, [esp+4], 4 ; read 4 bytes: caller's return address
log "VirtualProtect hooked!"
wrta logfile,"VirtualProtect hooked!"
mov calledFrom, retAddress, 4
sub calledFrom, 5 ; assumes a 5-byte direct CALL; see note above
eval "Called from: {calledFrom}"
log $RESULT
wrta logfile, $RESULT
eval "Return Address: {retAddress}"
log $RESULT
wrta logfile, $RESULT
log " "
wrta logfile, " "
log " " ;just to separate completed logs
log " "
log " ------------------------------------------------------"
log " " ;just to separate completed logs
log " "
wrta logfile," "
wrta logfile," "
wrta logfile, " ------------------------------------------------------"
wrta logfile," "
wrta logfile," "
Ret
;________ Exit _________
; Not referenced by any jump in this script; the main loop only ends when the
; debuggee terminates or the script is stopped manually.
_exit: