An instrumentation script based on Frida which leverages Control Flow Guard to intercept indirect calls in CFG-enabled Windows binaries.

frida-cfg-hook

This is a sample instrumentation script based on the Frida instrumentation toolkit which leverages Control Flow Guard to intercept indirect calls in CFG-enabled Windows binaries.

This is based on an idea by @deroko_, who first implemented it in C.

This sample instrumentation script attaches to a running process and hooks the ntdll!LdrpValidateUserCallTarget function; every time that function is called, the script logs the address from which it was invoked and the function pointer that CFG is about to validate. Hopefully you should be able to customize it to meet your needs by modifying the JavaScript part of the code.

frida-cfg-hook has been tested on 32-bit Windows 8.1 Update 3.
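
The following is an added example of the approach described above, written for this page; it is not the project's own frida-cfg-hook.py. Because LdrpValidateUserCallTarget is not an exported symbol, the agent resolves it through the main module's IMAGE_LOAD_CONFIG_DIRECTORY: the GuardCFCheckFunctionPointer field holds the slot that CFG-instrumented code calls through, and on a CFG-enabled process that slot points at the ntdll check routine. The struct offsets (0x48 on PE32, 0x70 on PE32+), the use of the first enumerated module as the main executable, and the register holding the target (ecx on x86, rcx on x64) are assumptions made by this example; whether the original script resolves the function the same way is not stated on the page. The Python helpers (parse_target, format_event) are illustrative names.

```python
"""Added example (not the project's frida-cfg-hook.py): attach Frida to a
CFG-enabled Windows process, resolve the CFG check function through the PE
load-config directory and log every indirect-call target it validates."""
import sys

# Frida agent (JavaScript). Everything in this string runs inside the target process.
AGENT_SOURCE = r"""
'use strict';

// Walk the main module's PE headers to IMAGE_LOAD_CONFIG_DIRECTORY and read
// GuardCFCheckFunctionPointer: the slot that __guard_check_icall_fptr calls
// through. On a CFG-enabled process it points at ntdll!LdrpValidateUserCallTarget.
function resolveGuardCheckFunction() {
    const is64 = Process.pointerSize === 8;
    const base = Process.enumerateModules()[0].base;      // assumption: index 0 is the main exe
    const nt = base.add(base.add(0x3c).readU32());        // e_lfanew -> IMAGE_NT_HEADERS
    const opt = nt.add(0x18);                             // IMAGE_OPTIONAL_HEADER
    const magic = opt.readU16();
    if (magic !== (is64 ? 0x20b : 0x10b)) {
        throw new Error('unexpected optional header magic 0x' + magic.toString(16));
    }
    // DataDirectory[10] is IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG; entries are 8 bytes.
    const loadCfgRva = opt.add(is64 ? 0x70 : 0x60).add(10 * 8).readU32();
    if (loadCfgRva === 0) {
        return null;                                      // no load config -> no CFG
    }
    const loadCfg = base.add(loadCfgRva);
    const guardFpOff = is64 ? 0x70 : 0x48;                // GuardCFCheckFunctionPointer
    if (loadCfg.readU32() <= guardFpOff) {                // Size field: struct predates CFG
        return null;
    }
    const fpSlot = loadCfg.add(guardFpOff).readPointer();
    return fpSlot.isNull() ? null : fpSlot.readPointer();
}

const checkFn = resolveGuardCheckFunction();
if (checkFn === null) {
    send({ event: 'no-cfg' });
} else {
    const mod = Process.findModuleByAddress(checkFn);
    send({ event: 'hooked', check: checkFn.toString(), module: mod ? mod.name : '?' });
    Interceptor.attach(checkFn, {
        onEnter(args) {
            // Assumed convention: target pointer in ecx on x86, rcx on x64.
            const target = Process.pointerSize === 8 ? this.context.rcx : this.context.ecx;
            const tmod = Process.findModuleByAddress(target);
            send({
                event: 'call',
                caller: this.returnAddress.toString(),    // the instrumented indirect call site
                target: target.toString(),
                target_module: tmod ? tmod.name : '?'
            });
        }
    });
}
"""


def parse_target(arg):
    """A numeric argument is a PID, anything else a process name; frida.attach() takes either."""
    return int(arg) if arg.isdigit() else arg


def format_event(payload):
    """Turn one message from the agent into one log line."""
    kind = payload.get("event")
    if kind == "call":
        return "caller={caller} target={target} ({target_module})".format(**payload)
    if kind == "hooked":
        return "hooked CFG check function {check} in {module}".format(**payload)
    if kind == "no-cfg":
        return "target process has no CFG check function; nothing to hook"
    return "unexpected message: %r" % (payload,)


def on_message(message, data):
    if message["type"] == "send":
        print(format_event(message["payload"]))
    elif message["type"] == "error":
        print("agent error:", message.get("stack", message), file=sys.stderr)


def main(argv):
    import frida  # imported here so the helpers above are usable without Frida installed
    if len(argv) != 2:
        print("usage: %s <pid|process name>" % argv[0], file=sys.stderr)
        return 2
    session = frida.attach(parse_target(argv[1]))
    script = session.create_script(AGENT_SOURCE)
    script.on("message", on_message)
    script.load()
    print("logging CFG validations; press Ctrl-C to stop", file=sys.stderr)
    try:
        sys.stdin.read()  # keep the session alive until the user interrupts
    except KeyboardInterrupt:
        pass
    session.detach()
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Expect a lot of output: every CFG-instrumented indirect call in the process passes through the check function, so an Interceptor hook on it slows the target noticeably. A process that reports no-cfg was not compiled with /guard:cf (or its load config predates CFG), and the log line for the hooked event is the check worth reading first: if the resolved address does not sit in ntdll, the header walk was wrong for that binary and nothing useful will be logged.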

Usage

Just run the Python script, specifying the PID or the name of the running process you want to instrument. Examples:

python frida-cfg-hook.py 1234

or

python frida-cfg-hook.py calc.exe

Dependencies