fdfalcon/frida-cfg-hook
frida-cfg-hook

This is a sample instrumentation script based on the Frida instrumentation toolkit which leverages Control Flow Guard to intercept indirect calls in CFG-enabled Windows binaries.

This is based on an idea by @deroko_, who first implemented it in C.

This sample instrumentation script attaches to a running process and hooks the ntdll!LdrpValidateUserCallTarget function. Every time that function is called, the script logs the address from which it was invoked and the function pointer that CFG is about to validate. Hopefully you should be able to customize it to meet your needs by modifying the JavaScript part of the code.

frida-cfg-hook has been tested on 32-bit Windows 8.1 Update 3.

Usage

Just run the Python script specifying the PID or the name of the running process you want to instrument. Examples:

python frida-cfg-hook.py 1234

or

python frida-cfg-hook.py calc.exe
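The host-script shape described above (attach by PID or process name, hook the CFG check function, log caller and target), as an added example that is not the project's own frida-cfg-hook.py. It assumes 32-bit Windows, where the CFG check receives the call target in ECX, and that Frida's DebugSymbol can resolve the non-exported ntdll!LdrpValidateUserCallTarget (symbols must be available); the helper names are made up for this example.

```python
# Host script in the style of frida-cfg-hook: attach to a process and log
# every function pointer that CFG asks ntdll to validate. Example code, not
# the project's own. Assumes 32-bit Windows (CFG passes the call target in
# ECX; on x64 it would be RCX) and that DebugSymbol can resolve the function.
import sys

HOOK_SCRIPT = r"""
var check = DebugSymbol.getFunctionByName('ntdll!LdrpValidateUserCallTarget');
Interceptor.attach(check, {
    onEnter: function (args) {
        var callSite = this.returnAddress;  // instruction after the CFG check
        var fptr = this.context.ecx;        // target about to be validated
        send({caller: callSite.toString(),
              callerSym: DebugSymbol.fromAddress(callSite).toString(),
              target: fptr.toString(),
              targetSym: DebugSymbol.fromAddress(fptr).toString()});
    }
});
"""

def parse_target(arg):
    """A purely numeric argument is a PID; anything else is a process name."""
    return int(arg) if arg.isdigit() else arg

def format_event(payload):
    """Render one hook event as a single log line."""
    return "CFG check from %s (%s) -> target %s (%s)" % (
        payload["caller"], payload["callerSym"],
        payload["target"], payload["targetSym"])

def on_message(message, data):
    if message["type"] == "send":
        print(format_event(message["payload"]))
    else:  # 'error' messages carry the JS exception, e.g. symbol not found
        print(message)

def main(argv):
    if len(argv) != 2:
        sys.exit("usage: %s <pid|process name>" % argv[0])
    import frida  # imported lazily so the helpers above run without frida
    session = frida.attach(parse_target(argv[1]))
    script = session.create_script(HOOK_SCRIPT)
    script.on("message", on_message)
    script.load()
    sys.stdin.read()  # keep the hook alive until Ctrl-C / EOF

if __name__ == "__main__":
    main(sys.argv)
```

Symbolizing both addresses on every CFG check is slow in a busy process; drop the DebugSymbol.fromAddress calls from the hook and resolve offline from the logged addresses if the overhead matters.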

Dependencies
