Thread: Themida - VirtualAllocMemory of four bytes

  1. #1
    ::[ Reverse Engineer ]:: OHPen's Avatar
    Join Date
    Nov 2002
    Location
    .text
    Posts
    399
    Blog Entries
    5

    Themida - VirtualAllocMemory of four bytes

    Lo,

    I recently finished my hooking engine for Z3NJECT, my future Oreans product unwrapper. While playing with my hooking engine I analysed the VirtualAllocMemory a bit and got a bit confused.

    Here is a part of the log of my Z3NJECT unwrapper:

    Code:
    [DRiVER STATUS] [S]   -   SCManager > Connection established!
    [DRiVER STATUS] [S]   -   z3ndrv.sys > Driver installed!
    [DRiVER STATUS] [S]   -   z3ndrv.sys > Driver started!
    [DRiVER STATUS] [S]   -   Z3N > Connected to symbolic link!
    
    [3580]  
    [3580] 
    [3580] 
    [3580] %s------------------------------------------------
    [3580]  ---        WinLicense Professional           ---
    [3580]  ---      (c)2006 Oreans Technologies         ---
    [3580]  ------------------------------------------------ 
    [3580] 
    [3580] 
     [PID:3580] ZwAllocateVirtualMemory - Hook function called... > BaseAdress[0x12FF54] > RegionSize[12FF58] > Size::4
     [PID:3580] ZwAllocateVirtualMemory - Hook function called... > BaseAdress[0x12FB10] > RegionSize[12FB24] > Size::14
     [PID:3580] ZwAllocateVirtualMemory - Hook function called... > BaseAdress[0x12FB10] > RegionSize[12FB20] > Size::10
     [PID:3580] ZwAllocateVirtualMemory - Hook function called... > BaseAdress[0x12FB10] > RegionSize[12FB24] > Size::14
     [PID:3580] ZwAllocateVirtualMemory - Hook function called... > BaseAdress[0x12FB10] > RegionSize[12FB20] > Size::10
     [PID:3580] ZwAllocateVirtualMemory - Hook function called... > BaseAdress[0x12FB10] > RegionSize[12FB24] > Size::14
     [PID:3580] ZwAllocateVirtualMemory - Hook function called... > BaseAdress[0x12FB10] > RegionSize[12FB20] > Size::10
     [PID:3580] ZwAllocateVirtualMemory - Hook function called... > BaseAdress[0x12FB10] > RegionSize[12FB24] > Size::14
     [PID:3580] ZwAllocateVirtualMemory - Hook function called... > BaseAdress[0x12FB10] > RegionSize[12FB20] > Size::10
     [PID:3580] ZwAllocateVirtualMemory - Hook function called... > BaseAdress[0x12FB10] > RegionSize[12FB24] > Size::14
     [PID:3580] ZwAllocateVirtualMemory - Hook function called... > BaseAdress[0x12FB10] > RegionSize[12FB20] > Size::10
     [PID:3580] ZwAllocateVirtualMemory - Hook function called... > BaseAdress[0x12FB10] > RegionSize[12FB24] > Size::14
     [PID:3580] ZwAllocateVirtualMemory - Hook function called... > BaseAdress[0x12FB10] > RegionSize[12FB20] > Size::10
     [PID:3580] ZwAllocateVirtualMemory - Hook function called... > BaseAdress[0x12FB10] > RegionSize[12FB24] > Size::14
     [PID:3580] ZwAllocateVirtualMemory - Hook function called... > BaseAdress[0x12FB10] > RegionSize[12FB20] > Size::10
     [PID:3580] ZwAllocateVirtualMemory - Hook function called... > BaseAdress[0x12FB10] > RegionSize[12FB24] > Size::14
     [PID:3580] ZwAllocateVirtualMemory - Hook function called... > BaseAdress[0x12FB10] > RegionSize[12FB20] > Size::10
     [PID:3580] ZwAllocateVirtualMemory - Hook function called... > BaseAdress[0x12FAF0] > RegionSize[12FB04] > Size::14
     [PID:3580] ZwAllocateVirtualMemory - Hook function called... > BaseAdress[0x12FAF0] > RegionSize[12FB00] > Size::10
     [PID:3580] ZwAllocateVirtualMemory - Hook function called... > BaseAdress[0x12FAF0] > RegionSize[12FB04] > Size::14
     [PID:3580] ZwAllocateVirtualMemory - Hook function called... > BaseAdress[0x12FAF0] > RegionSize[12FB00] > Size::10
     [PID:3580] ZwAllocateVirtualMemory - Hook function called... > BaseAdress[0x12FAF0] > RegionSize[12FB04] > Size::14
    The Size you can see at the end of each line is the delta "regionsize - baseaddress = size".
    As you can all see there are lots of VirtualAllocs during the startup of Themida and nearly none is greater than 0x14, and most of them are allocated at the same base address.
    Maybe I have the wrong point of view, but this seems very useless to me. Can someone explain the particular need for allocating 1000s of mini VirtualAllocs?

    Look forward to your replies,

    PAPiLLiON aka OHPen aka PiTcH_SiLoW
    - Reverse Engineering can be everything, but sometimes it's more than nothing. Really rare moments but then they appear to last ages... -

  2. #2
    You are reading the wrong data.
    Actually you are only printing the stack address where the argument is passed, not the argument itself.
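
To make deroko's point concrete, here is an added example (written for this thread, not OHPen's Z3NJECT hook code) that mimics the ZwAllocateVirtualMemory argument shape in portable C: the hook receives pointers to the caller's BaseAddress and RegionSize locals, and logging those pointer values instead of dereferencing them yields exactly the kind of tiny "sizes" seen in post #1. The Windows typedefs, the caller_frame struct and the sample PID and addresses are constructed stand-ins so it builds without windows.h; it installs no hook and calls no real API.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the Windows types so this builds without windows.h.
 * Assumption: the hooked routine has the documented ZwAllocateVirtualMemory
 * shape, in which BaseAddress and RegionSize are POINTERS to the caller's
 * in/out values, not the values themselves. */
typedef void         *PVOID;
typedef uintptr_t     SIZE_T;
typedef unsigned long ULONG;

/* The arguments as the hook sees them: two pointers into the caller's frame. */
struct alloc_args {
    PVOID  *base_address;    /* -> caller's requested (in) / returned (out) base */
    SIZE_T *region_size;     /* -> caller's requested (in) / page-rounded (out) size */
    ULONG   allocation_type; /* e.g. MEM_COMMIT | MEM_RESERVE */
    ULONG   protect;         /* e.g. PAGE_READWRITE */
};

/* Constructed model of the caller's locals: two adjacent stack slots. */
struct caller_frame {
    PVOID  base;
    SIZE_T size;
};

/* The bug from post #1: treating the two pointer values as the data and
 * subtracting them. Adjacent locals sit a pointer-width apart, so the
 * "size" is always a few bytes no matter what the caller asked for. */
SIZE_T region_size_wrong(const struct alloc_args *a)
{
    return (SIZE_T)((uintptr_t)a->region_size - (uintptr_t)a->base_address);
}

/* The fix from post #2: dereference to read what the caller actually passed. */
SIZE_T region_size_right(const struct alloc_args *a)
{
    return *a->region_size;
}

PVOID base_address_right(const struct alloc_args *a)
{
    return *a->base_address;
}

/* One log line in the style of the corrected log in post #4. */
int format_alloc_line(char *buf, size_t n, unsigned pid, const struct alloc_args *a)
{
    return snprintf(buf, n,
        "[PID:%u] ZwAllocateVirtualMemory > BaseAddress[0x%llX] > RegionSize[%llX]",
        pid,
        (unsigned long long)(uintptr_t)base_address_right(a),
        (unsigned long long)region_size_right(a));
}

/* Simulates one hooked call: the caller keeps base/size in locals and only
 * their addresses reach the hook, exactly as with the real API. Returns the
 * correctly read RegionSize and writes the formatted line into `line`. */
SIZE_T simulate_hooked_call(PVOID requested_base, SIZE_T requested_size,
                            unsigned pid, char *line, size_t n)
{
    struct caller_frame f = { requested_base, requested_size };
    struct alloc_args a = { &f.base, &f.size, 0x3000, 0x04 };
    format_alloc_line(line, n, pid, &a);
    return region_size_right(&a);
}

int main(void)
{
    char line[128];
    /* Constructed sample: the 1 MiB reserve seen in post #4's log. */
    struct caller_frame f = { NULL, 0x100000 };
    struct alloc_args a = { &f.base, &f.size, 0x3000, 0x04 };

    printf("wrong (pointer delta): Size::%llX\n",
           (unsigned long long)region_size_wrong(&a));
    printf("right (dereferenced):  Size::%llX\n",
           (unsigned long long)region_size_right(&a));

    simulate_hooked_call((PVOID)(uintptr_t)0x16DB000, 0x5000, 708, line, sizeof line);
    puts(line);
    return 0;
}
```

Two things worth keeping in mind when doing this for real: in a kernel-mode hook the two out-parameters point into user mode, so they must be validated (ProbeForRead/ProbeForWrite inside a __try block) before being dereferenced, which this stand-alone model omits; and on return the system rounds RegionSize up to page granularity, which is why the corrected log further down shows values like 0x5000 and 0x100000 rather than the exact byte counts requested.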

  3. #3
    ::[ Reverse Engineer ]:: OHPen
    Lo deroko, while reading your post and looking at the addresses in front of me it seems clear. Thx. So I only have to print out what the addresses found there point to.

    Cheers,

    PAPiLLiON

  4. #4
    ::[ Reverse Engineer ]:: OHPen
    Yehawwwww,

    you da man deroko.
    It works now.

    Now it looks like this, which is more readable:

    Code:
    [708]  
    [708] 
    [708] 
    [708] %s------------------------------------------------
    [708]  ---        WinLicense Professional           ---
    [708]  ---      (c)2006 Oreans Technologies         ---
    [708]  ------------------------------------------------ 
    [708] 
    [708] 
     [PID:708] ZwAllocateVirtualMemory - Hook function called... > BaseAdress[0x0] > RegionSize[2EC]
     [PID:708] ZwAllocateVirtualMemory - Hook function called... > BaseAdress[0x0] > RegionSize[100000]
     [PID:708] ZwAllocateVirtualMemory - Hook function called... > BaseAdress[0x16DB000] > RegionSize[5000]
     [PID:708] ZwAllocateVirtualMemory - Hook function called... > BaseAdress[0x0] > RegionSize[100000]
     [PID:708] ZwAllocateVirtualMemory - Hook function called... > BaseAdress[0x17DB000] > RegionSize[5000]
     [PID:708] ZwAllocateVirtualMemory - Hook function called... > BaseAdress[0x0] > RegionSize[100000]
     [PID:708] ZwAllocateVirtualMemory - Hook function called... > BaseAdress[0x18DB000] > RegionSize[5000]
     [PID:708] ZwAllocateVirtualMemory - Hook function called... > BaseAdress[0x0] > RegionSize[100000]
     [PID:708] ZwAllocateVirtualMemory - Hook function called... > BaseAdress[0x19DB000] > RegionSize[5000]
     [PID:708] ZwAllocateVirtualMemory - Hook function called... > BaseAdress[0x0] > RegionSize[100000]
     [PID:708] ZwAllocateVirtualMemory - Hook function called... > BaseAdress[0x1ADB000] > RegionSize[5000]
     [PID:708] ZwAllocateVirtualMemory - Hook function called... > BaseAdress[0x0] > RegionSize[100000]
     [PID:708] ZwAllocateVirtualMemory - Hook function called... > BaseAdress[0x1BDB000] > RegionSize[5000]
    Shit, this is embarrassing ...
    Last edited by OHPen; August 16th, 2006 at 07:49.

  5. #5
    It helps to go over the API reference entry carefully again whenever you see strange behavior.

  6. #6
    ::[ Reverse Engineer ]:: OHPen
    Yes you are right LLXX, I was just too lazy to take a deeper look at the addresses, hrhr. I'll look more precisely in future.

    Regards