PaiMei Heap Trace Demo

This is a cool short hack on top of PaiMei that demonstrates how easy function hooking is with the new utils.hook_container utility class (yet to be included in the "official" release).

The script attaches to the target and sets function return hooks on RtlAllocateHeap, RtlFreeHeap and RtlReAllocateHeap. You can also specify a callback for function entry, which is useful if you want to modify the arguments, for example. The script ties into uDraw to make the flashy demo; alternatively, you can generate flat files such as heap_trace.gml (view with oreas) and heap_trace.png.

The graph below shows orange blocks with the allocating call address, blue blocks with the allocated block size and yellow blocks (not seen in this graph) with the re-allocated buffer size.
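
To make the node scheme concrete, here is an added example (not the PaiMei script itself, and not using pydbg or utils.hook_container) that turns a list of recorded heap events into a GML graph with the colouring described above. The event tuple layout, the sample addresses, the hex colour values and the handling of frees (the block is simply dropped from the live set) are all assumptions made for illustration.

```python
# Added example: event layout, addresses and colour values are constructed/assumed.
ORANGE, BLUE, YELLOW = "#FFA500", "#6699FF", "#FFFF00"

SAMPLE_EVENTS = [  # constructed trace: (kind, caller, ...)
    ("alloc",   0x00401A2C, 0x40,  0x00150000),              # size, returned ptr
    ("alloc",   0x00401A2C, 0x100, 0x00150048),
    ("realloc", 0x00401B10, 0x00150000, 0x80, 0x00150200),   # old ptr, size, new ptr
    ("free",    0x00401C44, 0x00150048),                     # freed ptr
]

def build_graph(events):
    """Return (nodes, edges, live): nodes {key: (id, label, colour)}, edges, live {ptr: id}."""
    nodes, edges, live = {}, [], {}

    def node(key, label, colour):
        if key not in nodes:                    # one node per caller / per block
            nodes[key] = (len(nodes) + 1, label, colour)
        return nodes[key][0]

    for n, ev in enumerate(events):
        kind, caller = ev[0], ev[1]
        if kind == "alloc":
            src = node(("caller", caller), "%08x" % caller, ORANGE)
            dst = node(("block", n), "%d bytes" % ev[2], BLUE)
            edges.append((src, dst))
            live[ev[3]] = dst
        elif kind == "realloc":
            src = live.pop(ev[2], None)         # link from the block being resized
            if src is None:                     # block allocated before tracing began
                src = node(("caller", caller), "%08x" % caller, ORANGE)
            dst = node(("block", n), "resized to %d" % ev[3], YELLOW)
            edges.append((src, dst))
            live[ev[4]] = dst
        elif kind == "free":
            live.pop(ev[2], None)               # node stays in the graph, block is dead
    return nodes, edges, live

def to_gml(nodes, edges):
    """Serialise to GML; the graphics/fill attribute carries the node colour."""
    out = ["graph [", "  directed 1"]
    for nid, label, colour in sorted(nodes.values()):
        out.append('  node [ id %d label "%s" graphics [ fill "%s" ] ]' % (nid, label, colour))
    for src, dst in edges:
        out.append("  edge [ source %d target %d ]" % (src, dst))
    out.append("]")
    return "\n".join(out)

if __name__ == "__main__":
    print(to_gml(*build_graph(SAMPLE_EVENTS)[:2]))
```

Blocks still present in the returned live map when the trace ends were never freed, which is a quick way to spot candidates for leaks in the traced run.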