OHPen
August 16th, 2006, 05:46
Lo,
i recently finished my hooking engine for Z3NJECT my future oreans product unwrapper. While playing with my hooking engine i analysed the VirtualAllocMemory a bit and got a bit confused.
Here is a part out of the log of my Z3NJECT unwrapper:
The Size you can see at the and of each line is the delta of "regionsize - baseadress = size"
As you all see there are lots of VirtualAllocs during the startup of themida and nearly no one is greater than 0x14 and most of them are alloced at the same baseaddress.
Maybe i have to wrong point of view but this seems very useless to me. Can someone explain the particular need for allocating 1000s of MINI-VirtualAllocs ?
Look forward to your replys,
PAPiLLiON aka OHPen aka PiTcH_SiLoW
i recently finished my hooking engine for Z3NJECT my future oreans product unwrapper. While playing with my hooking engine i analysed the VirtualAllocMemory a bit and got a bit confused.
Here is a part out of the log of my Z3NJECT unwrapper:
Code:
[DRiVER STATUS] [S] - SCManager > Connection established!
[DRiVER STATUS] [S] - z3ndrv.sys > Driver installed!
[DRiVER STATUS] [S] - z3ndrv.sys > Driver started!
[DRiVER STATUS] [S] - Z3N > Connected to symbolic link!
[3580]
[3580]
[3580]
[3580] %s------------------------------------------------
[3580] --- WinLicense Professional ---
[3580] --- (c)2006 Oreans Technologies ---
[3580] ------------------------------------------------
[3580]
[3580]
[PID:3580] ZwAllocateVirtualMemory - Hook function called... > BaseAdress[0x12FF54] > RegionSize[12FF58] > Size::4
[PID:3580] ZwAllocateVirtualMemory - Hook function called... > BaseAdress[0x12FB10] > RegionSize[12FB24] > Size::14
[PID:3580] ZwAllocateVirtualMemory - Hook function called... > BaseAdress[0x12FB10] > RegionSize[12FB20] > Size::10
[PID:3580] ZwAllocateVirtualMemory - Hook function called... > BaseAdress[0x12FB10] > RegionSize[12FB24] > Size::14
[PID:3580] ZwAllocateVirtualMemory - Hook function called... > BaseAdress[0x12FB10] > RegionSize[12FB20] > Size::10
[PID:3580] ZwAllocateVirtualMemory - Hook function called... > BaseAdress[0x12FB10] > RegionSize[12FB24] > Size::14
[PID:3580] ZwAllocateVirtualMemory - Hook function called... > BaseAdress[0x12FB10] > RegionSize[12FB20] > Size::10
[PID:3580] ZwAllocateVirtualMemory - Hook function called... > BaseAdress[0x12FB10] > RegionSize[12FB24] > Size::14
[PID:3580] ZwAllocateVirtualMemory - Hook function called... > BaseAdress[0x12FB10] > RegionSize[12FB20] > Size::10
[PID:3580] ZwAllocateVirtualMemory - Hook function called... > BaseAdress[0x12FB10] > RegionSize[12FB24] > Size::14
[PID:3580] ZwAllocateVirtualMemory - Hook function called... > BaseAdress[0x12FB10] > RegionSize[12FB20] > Size::10
[PID:3580] ZwAllocateVirtualMemory - Hook function called... > BaseAdress[0x12FB10] > RegionSize[12FB24] > Size::14
[PID:3580] ZwAllocateVirtualMemory - Hook function called... > BaseAdress[0x12FB10] > RegionSize[12FB20] > Size::10
[PID:3580] ZwAllocateVirtualMemory - Hook function called... > BaseAdress[0x12FB10] > RegionSize[12FB24] > Size::14
[PID:3580] ZwAllocateVirtualMemory - Hook function called... > BaseAdress[0x12FB10] > RegionSize[12FB20] > Size::10
[PID:3580] ZwAllocateVirtualMemory - Hook function called... > BaseAdress[0x12FB10] > RegionSize[12FB24] > Size::14
[PID:3580] ZwAllocateVirtualMemory - Hook function called... > BaseAdress[0x12FB10] > RegionSize[12FB20] > Size::10
[PID:3580] ZwAllocateVirtualMemory - Hook function called... > BaseAdress[0x12FAF0] > RegionSize[12FB04] > Size::14
[PID:3580] ZwAllocateVirtualMemory - Hook function called... > BaseAdress[0x12FAF0] > RegionSize[12FB00] > Size::10
[PID:3580] ZwAllocateVirtualMemory - Hook function called... > BaseAdress[0x12FAF0] > RegionSize[12FB04] > Size::14
[PID:3580] ZwAllocateVirtualMemory - Hook function called... > BaseAdress[0x12FAF0] > RegionSize[12FB00] > Size::10
[PID:3580] ZwAllocateVirtualMemory - Hook function called... > BaseAdress[0x12FAF0] > RegionSize[12FB04] > Size::14
The Size you can see at the and of each line is the delta of "regionsize - baseadress = size"
As you all see there are lots of VirtualAllocs during the startup of themida and nearly no one is greater than 0x14 and most of them are alloced at the same baseaddress.
Maybe i have to wrong point of view but this seems very useless to me. Can someone explain the particular need for allocating 1000s of MINI-VirtualAllocs ?
Look forward to your replys,
PAPiLLiON aka OHPen aka PiTcH_SiLoW
Thx. So i only have to print out the point the the addresses found there 