SinaKarvandi · November 24, 2023 09:10
diff --git a/intercepting-memory-allocations.ds b/intercepting-memory-allocations.ds
 start path "C:\Windows\notepad.exe"
 g
 ? .thread_intercept_thread = 0;
 ? .target_pid = $pid;
 ? .target_tid = 0;
 ? .target_allocation_address = 0;
 ? .target_allocation_size = 0;
 ? .is_commited = 0;

 !sysret stage post script {
 	if ($pid == .target_pid && .thread_intercept_thread == 1 && $tid == .target_tid) {
 		spinlock_unlock(&.thread_intercept_thread);
 		.target_tid = 0;
 		printf("[SYSRET] NtAllocateVirtualMemory called from, pid: %x, name: %s | located at: %llx, actual allocated size: %llx\n", $pid, $pname, dq(.target_allocation_address), dq(.target_allocation_size));
 		
 		pause();
 	}
 }

 !syscall 18 stage pre script {
 	
 	if ($pid == .target_pid) {
 		spinlock_lock(&.thread_intercept_thread);
 		.target_tid = $tid;
 		.target_allocation_address = @rdx;
 		.target_allocation_size = @r9;
 				
 		//
 		// Use bitwise AND to check if the bit is set
 		// MEM_COMMIT = 0x00001000
 		//
 		if (dq(@rsp+20) & 0x00001000) {
 			.is_commited = 1;
 		}
 		else {
 			.is_commited = 0;
 		}
 		
 		if (dq(rdx) == 0) {
 			printf("[SYSCALL] NtAllocateVirtualMemory called from, pid: %x, name: %s | requested size: %llx | is commited: %llx\n", $pid, $pname, dq(r9), .is_commited);
 		}
 		else {
 			printf("[SYSCALL] NtAllocateVirtualMemory called from, pid: %x, name: %s | requested size: %llx, user-specific addr: %llx | is commited: %llx\n\n", $pid, $pname, dq(r9), dq(rdx), .is_commited);
 		}
 	}
 }
	start path "C:\Windows\notepad.exe"
	g
	? .thread_intercept_thread = 0;
	? .target_pid = $pid;
	? .target_tid = 0;
	? .target_allocation_address = 0;
	? .target_allocation_size = 0;
	? .is_commited = 0;

	!sysret stage post script {
	if ($pid == .target_pid && .thread_intercept_thread == 1 && $tid == .target_tid) {
	spinlock_unlock(&.thread_intercept_thread);
	.target_tid = 0;
	printf("[SYSRET] NtAllocateVirtualMemory called from, pid: %x, name: %s \| located at: %llx, actual allocated size: %llx\n", $pid, $pname, dq(.target_allocation_address), dq(.target_allocation_size));

	pause();
	}
	}

	!syscall 18 stage pre script {

	if ($pid == .target_pid) {
	spinlock_lock(&.thread_intercept_thread);
	.target_tid = $tid;
	.target_allocation_address = @rdx;
	.target_allocation_size = @r9;

	//
	// Use bitwise AND to check if the bit is set
	// MEM_COMMIT = 0x00001000
	//
	if (dq(@rsp+20) & 0x00001000) {
	.is_commited = 1;
	}
	else {
	.is_commited = 0;
	}

	if (dq(rdx) == 0) {
	printf("[SYSCALL] NtAllocateVirtualMemory called from, pid: %x, name: %s \| requested size: %llx \| is commited: %llx\n", $pid, $pname, dq(r9), .is_commited);
	}
	else {
	printf("[SYSCALL] NtAllocateVirtualMemory called from, pid: %x, name: %s \| requested size: %llx, user-specific addr: %llx \| is commited: %llx\n\n", $pid, $pname, dq(r9), dq(rdx), .is_commited);
	}
	}
	}