# written by crackinglandia
import sys
import frida
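def on_message(message, data):
    """Print a message posted by the injected Frida script.

    Frida invokes this for every ``send()`` from the agent and for every
    uncaught JS error (``message['type'] == 'error'``), so a failure inside
    a hook is reported here instead of being lost silently.  The hooks in
    this file only use ``console.log`` (which the bindings print on their
    own), so in practice this mostly sees error envelopes.

    Parameters
    ----------
    message : dict
        JSON message envelope from the agent.
    data : bytes or None
        Optional binary payload attached to a ``send()``; None for the
        hooks in this file.
    """
    # Parenthesised single-argument print is valid on both Python 2 and 3
    # (the original print statement is a SyntaxError on Python 3).
    print("[%s] -> %s" % (message, data))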
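def main(target_process):
    """Attach to a process and trace its ntdll heap calls until Enter is pressed.

    Injects a Frida script that hooks ntdll!RtlAllocateHeap, RtlFreeHeap and
    RtlReAllocateHeap and logs one line per call with the raw arguments
    (heap handle, flags, size/pointer) and the return value, e.g.
    ``RtlAllocateHeap(0x... , 0x0 , 0x20) = 0x...``.  These are the
    lowest-level user-mode heap entry points, so *every* allocation in the
    process passes through them (CRT malloc, COM, the loader, ...): expect
    a very high volume of output and a large slowdown of the target while
    the hooks are installed.  Do not run this against a process you care
    about; it is a reversing/heap-layout aid, not a monitor.

    Parameters
    ----------
    target_process : int or str
        PID or process name, passed straight to ``frida.attach``.  Attaching
        needs sufficient privileges on the target (same user or elevated,
        depending on the platform); with a name, Frida resolves it itself
        and raises if no matching process is found.

    Raises
    ------
    Whatever ``frida.attach`` / ``script.load`` raise.  A JS-side failure at
    load time (e.g. an export that cannot be resolved) surfaces as an
    exception from ``load``; runtime errors inside a hook are delivered to
    ``on_message`` as ``'error'`` envelopes instead.
    """
    heap_trace_js = """
// Resolve an ntdll export or fail with a clear message.  A null here
// (non-Windows target, or an unusual ntdll) would otherwise surface as an
// opaque TypeError when .toString() is called on it.
function resolveNtdll(name) {
    var addr = Module.findExportByName('ntdll.dll', name);
    if (addr === null) {
        throw new Error('ntdll!' + name + ' not found - is the target a Windows process?');
    }
    console.log(name + ' address: ' + addr.toString());
    return addr;
}

// Hook one heap API and log "Name(arg0 , arg1 , ...) = ret" per call.
// The partial line is kept on `this`, which Frida gives each invocation
// separately, so concurrent calls on different threads do not clobber
// each other.  formatRet lets the caller post-process the raw return
// register (needed for RtlFreeHeap, see below).
function traceHeapCall(name, addr, argc, formatRet) {
    console.log('>> Hooking ntdll!' + name + '...');
    Interceptor.attach(addr, {
        onEnter: function (args) {
            var shown = [];
            for (var i = 0; i < argc; i++) {
                shown.push(args[i].toString());
            }
            this.log_out = name + '(' + shown.join(' , ');
        },
        onLeave: function (retval) {
            this.log_out += ') = ' + formatRet(retval);
            console.log(this.log_out);
        }
    });
}

var allocAddr   = resolveNtdll('RtlAllocateHeap');
var freeAddr    = resolveNtdll('RtlFreeHeap');
var reallocAddr = resolveNtdll('RtlReAllocateHeap');

// PVOID RtlAllocateHeap(PVOID HeapHandle, ULONG Flags, SIZE_T Size);
traceHeapCall('RtlAllocateHeap', allocAddr, 3, function (r) { return r.toString(); });

// BOOLEAN RtlFreeHeap(PVOID HeapHandle, ULONG Flags, PVOID HeapBase);
// BOOLEAN is a single byte: only the low 8 bits of the return register are
// meaningful and the upper bits may hold leftovers, so mask them off.
// Masking retval (instead of this.context.eax) works on both 32- and 64-bit
// targets; on 64-bit the context exposes rax and has no `eax`, so the
// register-based form would throw inside the hook.
traceHeapCall('RtlFreeHeap', freeAddr, 3, function (r) { return r.and(0xff).toString(); });

// PVOID RtlReAllocateHeap(HANDLE heap, ULONG flags, PVOID ptr, SIZE_T size);
traceHeapCall('RtlReAllocateHeap', reallocAddr, 4, function (r) { return r.toString(); });
"""

    # raw_input is Python 2 only; input is the Python 3 equivalent.
    try:
        prompt = raw_input
    except NameError:
        prompt = input

    session = frida.attach(target_process)
    try:
        script = session.create_script(heap_trace_js)
        script.on('message', on_message)
        script.load()
        prompt('[!] Press <Enter> at any time to detach from instrumented program.\n\n')
    finally:
        # Always detach, also on Ctrl-C or a failed load, so the hooks are
        # removed from the target right away rather than only once Frida
        # notices this controller has gone.
        session.detach()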
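if __name__ == '__main__':
    # Parenthesised print keeps this valid on both Python 2 and 3 (the
    # original print statement does not even parse on Python 3).
    if len(sys.argv) < 2:
        print('Usage: %s <process name or PID>' % __file__)
        sys.exit(1)
    # A numeric argument is taken as a PID, anything else as a process name;
    # frida.attach accepts either form.
    try:
        target_process = int(sys.argv[1])
    except ValueError:
        target_process = sys.argv[1]
    main(target_process)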