# Malware instrumentation with frida

## Frida trace

```
# -f spawns the sample (suspended until the hooks are in place); -i picks the exports to trace,
# either as a glob over every loaded module or pinned to one module as MODULE!EXPORT.
# The sample really runs: do this only in an isolated, snapshotted analysis VM.
frida-trace.exe -f malware.exe -i *CreateFile*
frida-trace.exe -f malware.exe -i KERNEL32.DLL!CreateFileA
frida-trace.exe -f malware.exe -i KERNEL32.DLL!OpenMutex*

# Lines for the generated handler's onEnter(log, args, state).
# CreateFileA: lpFileName is args[0] (ANSI). OpenMutexW: lpName is args[2] (UTF-16).
# NOTE(review): match the reader to the export suffix -- readAnsiString() on a *W string
# stops at the first NUL byte and prints only the first character.
log('File or device: ' + args[0].readAnsiString());
log('OpenMutexW: ' + args[2].readUtf16String());


--- casts----
# NativePointer helpers: toInt32() for DWORD-sized arguments, toString() for the hex address.
args[0].toInt32()
args[0].toString()

```

![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWd-VcvRHVgUtkahm85%2F-Mha-yVfuPL0Z5mmzW9u%2F-Mha1JC9vV4_xMkQYsA5%2Fimage.png?alt=media\&token=7ebfbe54-d281-4a75-9c6b-d2b37e3d9eaa)

![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWd-VcvRHVgUtkahm85%2F-Mha-yVfuPL0Z5mmzW9u%2F-Mha1USrPeDpVWid6K_1%2Fimage.png?alt=media\&token=820f4f85-6584-469b-9d1a-3164614ea467)

## VirtualAlloc + VirtualProtect

```
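"""Spawn a sample under Frida and log every VirtualAlloc / VirtualProtect call.

WARNING: this *executes* the sample on the current host. Run it only inside an
isolated, snapshotted analysis VM with no network path to anything you care about.

Usage: python script.py -f malware.exe   (Ctrl-C, or EOF on stdin, stops the trace)
"""
import argparse
import sys

import frida

# JavaScript injected into the target. console.log() output is relayed to this
# process's stdout by frida-python's default log handler.
#   VirtualAlloc(lpAddress, dwSize, flAllocationType, flProtect)
#   VirtualProtect(lpAddress, dwSize, flNewProtect, lpflOldProtect)
HOOK_SCRIPT = r"""
console.log("Load Win32 calls ....");

// winnt.h constant; RWX memory is the usual tell for unpacking / staged shellcode.
var PAGE_EXECUTE_READWRITE = 0x40;

var vaExportAddress = Module.getExportByName("KERNEL32.DLL", "VirtualAlloc");
var vpExportAddress = Module.getExportByName("KERNEL32.DLL", "VirtualProtect");

Interceptor.attach(vaExportAddress, {
    onEnter: function (args) {
        // dwSize is SIZE_T: toUInt32() avoids the sign flip toInt32() gives above 2 GiB.
        var vaSize = args[1].toUInt32();
        var vaProtect = args[3];
        var rwx = vaProtect.toUInt32() === PAGE_EXECUTE_READWRITE ? " [RWX]" : "";
        console.log("\nVirtualAlloc called => Size: " + vaSize + " | Protection: " + vaProtect + rwx);
    },
    onLeave: function (retval) {
        console.log("VirtualAlloc returned => Address: " + retval);
    }
});

Interceptor.attach(vpExportAddress, {
    onEnter: function (args) {
        var vpAddress = args[0];
        var vpSize = args[1].toUInt32();
        var vpProtect = args[2];
        var rwx = vpProtect.toUInt32() === PAGE_EXECUTE_READWRITE ? " [RWX]" : "";
        console.log("\n VirtualProtect called => Address: " + vpAddress + " | Size: " + vpSize +
                    " | New Protection: " + vpProtect + rwx);
    }
});
"""


def main() -> None:
    """Parse -f/--file, spawn it under Frida, install the hooks, then block until stdin closes."""
    parser = argparse.ArgumentParser(description='Frida demo.')
    parser.add_argument("-f", "--file", help="target file to run", required=True)
    args = parser.parse_args()

    # spawn() leaves the new process suspended at its entry point, so the hooks are
    # installed before the first instruction of the sample runs; no sleep is needed.
    pid = frida.spawn(args.file)
    session = frida.attach(pid)
    script = session.create_script(HOOK_SCRIPT)
    script.load()
    frida.resume(pid)

    # Keep the session alive. When this interpreter exits Frida detaches and removes
    # the hooks, so returning right after resume() would leave the sample running
    # almost entirely un-instrumented.
    try:
        sys.stdin.read()
    except KeyboardInterrupt:
        pass
    finally:
        session.detach()


if __name__ == "__main__":
    main()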
```

**python script.py -f malware.exe** — this spawns and runs the sample, so only do it in an isolated, snapshotted analysis VM; leave the script running (it blocks on stdin) for as long as you want the hooks to stay in place.

## Create File + Mutex

```
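"""Spawn a sample under Frida and log the names passed to CreateFile* and the mutex APIs.

WARNING: this *executes* the sample on the current host. Run it only inside an
isolated, snapshotted analysis VM with no network path to anything you care about.

Usage: python script.py -f malware.exe   (Ctrl-C, or EOF on stdin, stops the trace)
"""
import argparse
import sys

import frida

# JavaScript injected into the target. Argument positions (0-based) of the string
# each export receives:
#   CreateFileA/W(lpFileName, ...)                       -> 0
#   CreateMutexA/W(lpMutexAttributes, bInitialOwner, lpName) -> 2
#   CreateMutexExA/W(lpMutexAttributes, lpName, dwFlags, dwDesiredAccess) -> 1
#   OpenMutexA/W(dwDesiredAccess, bInheritHandle, lpName) -> 2
# *A exports take ANSI strings, *W exports take UTF-16; reading a wide string with
# readAnsiString() stops at the first NUL byte and prints a single character.
HOOK_SCRIPT = r"""
console.log("Load Win32 calls ....");

// Attach to a kernel32 export and log the string pointed to by argument `idx`.
// `wide` selects UTF-16 (for *W exports) vs ANSI (for *A exports).
function hookStringArg(name, idx, wide) {
    var addr = Module.findExportByName("KERNEL32.DLL", name);
    if (addr === null) {
        // Do not abort the whole script because one export is absent on this build.
        console.log("[!] " + name + " not exported by KERNEL32.DLL, skipping");
        return;
    }
    Interceptor.attach(addr, {
        onEnter: function (args) {
            var p = args[idx];
            // lpName may legitimately be NULL (unnamed mutex); read*String() would throw on it.
            var s = p.isNull() ? "<NULL>" : (wide ? p.readUtf16String() : p.readAnsiString());
            console.log(name + ': ' + s);
        }
    });
}

console.log("------------------------ CREATED FILES -------------------------------");
hookStringArg("CreateFileA", 0, false);
hookStringArg("CreateFileW", 0, true);

console.log("------------------------ CREATED Mutex -------------------------------");
// NOTE(review): on current Windows the non-Ex variants are thin wrappers over the Ex
// ones, so a single CreateMutexW call may show up twice here -- expected, not a bug.
hookStringArg("CreateMutexA", 2, false);
hookStringArg("CreateMutexW", 2, true);
hookStringArg("CreateMutexExA", 1, false);
hookStringArg("CreateMutexExW", 1, true);
hookStringArg("OpenMutexA", 2, false);
hookStringArg("OpenMutexW", 2, true);
"""


def main() -> None:
    """Parse -f/--file, spawn it under Frida, install the hooks, then block until stdin closes."""
    parser = argparse.ArgumentParser(description='Frida demo.')
    parser.add_argument("-f", "--file", help="target file to run", required=True)
    args = parser.parse_args()

    # spawn() leaves the new process suspended at its entry point, so the hooks are
    # installed before the first instruction of the sample runs; no sleep is needed.
    pid = frida.spawn(args.file)
    session = frida.attach(pid)
    script = session.create_script(HOOK_SCRIPT)
    script.load()
    frida.resume(pid)

    # Keep the session alive. When this interpreter exits Frida detaches and removes
    # the hooks, so returning right after resume() would leave the sample running
    # almost entirely un-instrumented.
    try:
        sys.stdin.read()
    except KeyboardInterrupt:
        pass
    finally:
        session.detach()


if __name__ == "__main__":
    main()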
```

{% embed url="<https://blogs.blackberry.com/en/2021/04/malware-analysis-with-dynamic-binary-instrumentation-frameworks>" %}

{% embed url="<https://github.com/N1ght-W0lf/HawkEye>" %}

{% embed url="<https://security.humanativaspa.it/ghidra2frida-the-new-bridge-between-ghidra-and-frida/>" %}
