Dynamic Instruction Allocation - Browser Hacking.

[xxOR]

Hey guys,

I'm having a bit of a problem in figuring out how i can find the address of an instruction which is placed at an dynamic address. The range is quite large so signature scans are a bit unrealistic. The instruction is allocated outside any named modules of the program and appears to be written to an allocated memory region.

The target process is a plugin for a browser, so the memory is obviously allocated when the plugin loads. The plugin is contained within an executable, to which all the modules are loaded. But again the target address is written outside any named modules.
I've tried finding pointers to instruction addresses but no luck.

Any ideas?

Thank you.

[Fovea]

Conditional breakpoint on VirtualAlloc coming from the plugin's module or periphery modules. Find out when and where the allocated memory is stored and that should be your pointer. This is probably going to be a mess if the plugin is Flash, or any other highly used plugin because memory references will most likely have multiple levels of indirection because of multiple flash/other files.

Signature scanning shouldn't really be a problem anyways... just look through every page that is not associated with a module (and other relevant information in the MEMORY_BASIC_INFORMATION structure) and scan it with a non-trivial algorithm (Knuth-Morris-Pratt or Boyer-Moore are two algorithms that come to mind).

[xxOR]

Thanks for such a useful reply!