Malware instrumentation with frida

Frida trace

frida-trace.exe -f malware.exe -i *CreateFile*
frida-trace.exe -f malware.exe -i KERNEL32.DLL!CreateFileA
frida-trace.exe -f malware.exe -i KERNEL32.DLL!OpenMutex*

log('File or device: ' + args[0].readAnsiString());
log('OpenMutexW: ' + args[2].readUtf16String());


--- casts----
args[0].toInt32()
args[0].toString()

VirtualAddr + VirtualProtect

import frida
import sys
import time
import argparse

parser = argparse.ArgumentParser(description='Frida demo.')
parser.add_argument("-f", "--file", help="target file to run", required=True)
args = parser.parse_args()

pid = frida.spawn(args.file)
session = frida.attach(pid)
time.sleep(1)

script = session.create_script("""
       console.log("Load Win32 calls ....");
        
       var vaExportAddress = Module.getExportByName("KERNEL32.DLL", "VirtualAlloc");
       var vpExportAddress = Module.getExportByName("KERNEL32.DLL", "VirtualProtect");
    
       
    
         Interceptor.attach(vaExportAddress,
         {
            onEnter: function (args)
            {
               var vaSize = args[1].toInt32();
               var vaProtect = args[3];
               console.log("\\nVirtualAlloc called => Size: " + vaSize + " | Protection: " + vaProtect);
            
            },
            onLeave: function (retval)
            {
               console.log("VirtualAlloc returned => Address: " + retval);
            }

         });

         Interceptor.attach(vpExportAddress,
         {

            onEnter: function (args)
            {
               var vpAddress = args[0];
               var vpSize = args[1].toInt32();
               var vpProtect = args[2];
               console.log("\\n VirtualProtect called => Address: " + vpAddress + " | Size: " + vpSize + " | New Protection: " + vpProtect);
            }
         
         });

         
         """)

script.load()
frida.resume(pid)

python script.py -f malware.exe

Create File + Mutex

import frida
import sys
import time
import argparse

parser = argparse.ArgumentParser(description='Frida demo.')
parser.add_argument("-f", "--file", help="target file to run", required=True)
args = parser.parse_args()

pid = frida.spawn(args.file)
session = frida.attach(pid)
time.sleep(1)

script = session.create_script("""
		 console.log("Load Win32 calls ....");
        
		 console.log("------------------------ CREATED FILES -------------------------------");
		 var createfileA = Module.getExportByName("KERNEL32.DLL", "CreateFileA");
         Interceptor.attach(createfileA,
         {
            onEnter: function (args)
            {
			  console.log('CreateFileA: ' + args[0].readAnsiString());
            }
         });   
		 var createfileW = Module.getExportByName("KERNEL32.DLL", "CreateFileW");
         Interceptor.attach(createfileW,
         {
            onEnter: function (args)
            {
			  console.log('CreateFileW: ' + args[0].readAnsiString());
            }
         }); 
		 

		console.log("------------------------ CREATED Mutex -------------------------------");
		var createmutexw = Module.getExportByName("KERNEL32.DLL", "CreateMutexW");
        var createmutexExA = Module.getExportByName("KERNEL32.DLL", "CreateMutexExA");
		var createmutexExW = Module.getExportByName("KERNEL32.DLL", "CreateMutexExW");
		var openmutexW = Module.getExportByName("KERNEL32.DLL", "OpenMutexW");
	
		Interceptor.attach(createmutexw,
        {
            onEnter: function (args)
            {
              console.log('CreateMutexW: ' + args[2].readAnsiString());
            }
        });   
		
		Interceptor.attach(createmutexExA,
        {
            onEnter: function (args)
            {
              console.log('CreateMutexExA: ' + args[1].readAnsiString());
            }
        }); 
		
		Interceptor.attach(createmutexExW,
        {
            onEnter: function (args)
            {
              console.log('CreateMutexExW: ' + args[1].readUtf16String());
            }
        }); 
		
		Interceptor.attach(openmutexW,
        {
            onEnter: function (args)
            {
              console.log('OpenMutexW: ' + args[2].readUtf16String());
            }
        }); 
      

         """)

script.load()
frida.resume(pid)

Malware Analysis with Dynamic Binary Instrumentation FrameworksBlackBerry

GitHub - n1ght-w0lf/HawkEye: Malware dynamic instrumentation tool based on frida frameworkGitHub

ghidra2frida - The new bridge between Ghidra and Frida - HN SecurityHN Security

PreviousBasic tips NextTools

Last updated 4 years ago

Was this helpful?