# NTMonitor
# Author: Zane Gittins
# Modified version of a script by Matt Hand; all credit for the original script goes to Matt Hand.
# Blog post by Matt Hand here: https://posts.specterops.io/adventures-in-dynamic-evasion-1fe0bac57aa
# Takes the executable to monitor as an argument.
# Monitors NtAllocateVirtualMemory, NtWriteVirtualMemory and NtProtectVirtualMemory.
import argparse
import sys
import time

import frida
def on_message(message, data):
    """Print a message delivered by the Frida script's ``send``/error channel.

    Args:
        message: Dict from Frida whose ``'type'`` selects what is printed:
            ``'send'`` prints ``'payload'``, ``'error'`` prints ``'stack'``,
            anything else prints the whole dict.
        data: Binary payload attached to the message; not used here.
    """
    kind = message['type']
    if kind == 'send':
        text = message['payload']
    elif kind == 'error':
        text = message['stack']
    else:
        text = message
    print(text)
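if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    parser.add_argument("--executable", "-e", help="Executable to monitor")
    args = parser.parse_args()
    if args.executable:
        print("Monitoring: " + str(args.executable))
    else:
        # print_help() writes to stdout itself and returns None; wrapping it in
        # print() emitted a stray "None" line after the usage text.
        parser.print_help()
        sys.exit(1)

    # Frida script: hooks three ntdll.dll exports and reports each call whose
    # target handle is neither 0xffffffff nor 0xffffffffffffffff (presumably the
    # current-process pseudo-handle on 32- and 64-bit respectively), i.e. memory
    # operations directed at another process. The NtWriteVirtualMemory and
    # NtProtectVirtualMemory filters now check both values like the
    # NtAllocateVirtualMemory filter does; previously they only excluded the
    # 32-bit form.
    hook_source = """
    var pNtAllocateVirtualMemory = Module.findExportByName("ntdll.dll", 'NtAllocateVirtualMemory')
    Interceptor.attach(pNtAllocateVirtualMemory, {
        onEnter: function (args) {
            this.ProcessHandle = args[0];
            this.BaseAddress = args[1];
            this.ZeroBits = args[2];
            this.RegionSize = args[3];
            this.AllocationType = args[4];
            this.Protect = args[5];
        },
        onLeave: function (args) {
            if(!(this.ProcessHandle == 0xffffffff || this.ProcessHandle == 0xffffffffffffffff)){
                send("[-] I saw you call NtAllocateVirtualMemory");
                send("Process Handle: " + this.ProcessHandle);
                send("BaseAddress: " + this.BaseAddress);
                send("ZeroBits: " + this.ZeroBits);
                send("RegionSize: " + this.RegionSize);
                send("AllocationType: " + this.AllocationType);
                send("Protect: " + this.Protect);
            }
        }
    });
    var pNtWriteVirtualMemory = Module.findExportByName("ntdll.dll", 'NtWriteVirtualMemory')
    Interceptor.attach(pNtWriteVirtualMemory, {
        onEnter: function (args) {
            this.Handle = args[0];
            this.BaseAddress = args[1];
            this.Buffer = args[2];
            this.NumberOfBytesToWrite = args[3];
            this.NumberOfBytesWritten = args[4];
        },
        onLeave: function (args) {
            if(!(this.Handle == 0xffffffff || this.Handle == 0xffffffffffffffff)){
                send("[-] I saw you call NtWriteVirtualMemory");
                send("Handle: " + this.Handle);
                send("BaseAddress: " + this.BaseAddress);
                send("Buffer: " + this.Buffer);
                send("NumberOfBytesToWrite: " + this.NumberOfBytesToWrite);
                send("NumberOfBytesWritten: " + this.NumberOfBytesWritten);
            }
        }
    });
    var pNtProtectVirtualMemory = Module.findExportByName("ntdll.dll", 'NtProtectVirtualMemory')
    Interceptor.attach(pNtProtectVirtualMemory, {
        onEnter: function (args) {
            this.Handle = args[0];
            this.BaseAddress = args[1];
            this.RegionSize = args[2];
            this.NewProtect = args[3];
            this.OldProtect = args[4];
        },
        onLeave: function (args) {
            if(!(this.Handle == 0xffffffff || this.Handle == 0xffffffffffffffff)){
                send("[-] I saw you call NtProtectVirtualMemory");
                send("Handle: " + this.Handle);
                send("BaseAddress: " + this.BaseAddress);
                send("RegionSize: " + this.RegionSize);
                send("NewProtect: " + this.NewProtect);
                send("OldProtect: " + this.OldProtect);
            }
        }
    });
    """

    # Spawn the target suspended, install the hooks, and only then resume it.
    # Resuming before script.load() (as the original did) leaves a window in
    # which the target runs without any interception, so its earliest
    # allocate/write/protect calls would go unreported.
    pid = frida.spawn(args.executable)
    session = frida.attach(pid)
    script = session.create_script(hook_source)
    script.on('message', on_message)
    script.load()
    frida.resume(pid)
    try:
        # Block until Ctrl-C without spinning a core; messages are delivered
        # by Frida on its own thread, so this loop has nothing to do.
        while True:
            time.sleep(1)
    except KeyboardInterrupt:
        pass
    finally:
        # Detach on every exit path, not only on Ctrl-C.
        session.detach()
    sys.exit(0)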