intercepting-memory-allocations
//
// Intercept NtAllocateVirtualMemory calls made by a freshly started
// notepad.exe: launch the target, let it run, then seed the globals that
// the !syscall (pre-stage) and !sysret (post-stage) handlers below share.
//
start path "C:\Windows\notepad.exe"
g
//
// .thread_intercept_thread is the spinlock word taken in the !syscall
// handler and released in the matching !sysret handler.
// .target_pid is the process the handlers filter on (presumably the
// process just started -- confirm $pid resolves to it here).
// The remaining .target_* / .is_commited globals are scratch state handed
// from the pre-stage to the post-stage handler.
//
? .thread_intercept_thread = 0;
? .target_pid = $pid;
? .target_tid = 0;
? .target_allocation_address = 0;
? .target_allocation_size = 0;
? .is_commited = 0;
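!sysret stage post script {
    //
    // Post-stage: fires on every SYSRET. Act only on the thread that was
    // tagged by the NtAllocateVirtualMemory pre-stage handler (same pid,
    // same tid, lock word set), i.e. the return path of that very call.
    //
    if ($pid == .target_pid && .thread_intercept_thread == 1 && $tid == .target_tid) {
        //
        // Read the out-parameters (*BaseAddress, *RegionSize, now filled in
        // by the kernel) while the lock is still held. Releasing the lock
        // first would let another thread of the same process re-enter the
        // pre-stage handler and overwrite .target_allocation_* before they
        // are printed.
        //
        printf("[SYSRET] NtAllocateVirtualMemory called from, pid: %x, name: %s | located at: %llx, actual allocated size: %llx\n", $pid, $pname, dq(.target_allocation_address), dq(.target_allocation_size));
        .target_tid = 0;
        spinlock_unlock(&.thread_intercept_thread);
        pause();
    }
}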
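!syscall 18 stage pre script {
    //
    // Pre-stage for syscall 0x18, which on the Windows builds this targets is
    // NtAllocateVirtualMemory(ProcessHandle, *BaseAddress, ZeroBits,
    // *RegionSize, AllocationType, Protect). Syscall numbers are
    // build-specific -- confirm the mapping on the target before trusting it.
    //
    if ($pid == .target_pid) {
        //
        // Serialize threads of the target process. The lock is released by
        // the !sysret handler of this same thread, so any other thread of
        // the process entering this syscall meanwhile spins until then
        // (and spins forever if this thread never returns from the call).
        //
        spinlock_lock(&.thread_intercept_thread);
        .target_tid = $tid;
        //
        // x64 syscall ABI: rdx = PVOID *BaseAddress, r9 = PSIZE_T *RegionSize.
        // Both are pointers into the caller's memory; keep the pointers so
        // the post-stage can read the values the kernel writes back.
        //
        .target_allocation_address = @rdx;
        .target_allocation_size = @r9;
        //
        // AllocationType is the 5th argument and lives on the stack. At the
        // syscall instruction the caller's frame is: [rsp] return address,
        // [rsp+8..0x27] the four home slots, [rsp+0x28] the 5th argument.
        // NOTE(review): this assumes the pre-stage fires with the user-mode
        // rsp intact (the original read [rsp+20]) -- confirm on the target.
        // MEM_COMMIT = 0x00001000
        //
        if (dq(@rsp+0x28) & 0x00001000) {
            .is_commited = 1;
        }
        else {
            .is_commited = 0;
        }
        //
        // A zero *BaseAddress lets the kernel choose the region; otherwise
        // the caller asked for a specific address. Registers are read with
        // the @ prefix, consistent with the assignments above.
        //
        if (dq(@rdx) == 0) {
            printf("[SYSCALL] NtAllocateVirtualMemory called from, pid: %x, name: %s | requested size: %llx | is commited: %llx\n", $pid, $pname, dq(@r9), .is_commited);
        }
        else {
            printf("[SYSCALL] NtAllocateVirtualMemory called from, pid: %x, name: %s | requested size: %llx, user-specific addr: %llx | is commited: %llx\n\n", $pid, $pname, dq(@r9), dq(@rdx), .is_commited);
        }
    }
}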