Malware instrumentation with Frida (dynamic Win32 API tracing of a sample — the sample actually executes, so do this only inside an isolated, snapshotted analysis VM)

Frida trace

frida-trace.exe -f malware.exe -i *CreateFile*
frida-trace.exe -f malware.exe -i KERNEL32.DLL!CreateFileA
frida-trace.exe -f malware.exe -i KERNEL32.DLL!OpenMutex*
log('File or device: ' + args[0].readAnsiString());
log('OpenMutexW: ' + args[2].readUtf16String());
--- NativePointer casts (each args[i] is a NativePointer; pick the reader that matches the argument's actual type) ---
args[0].toInt32()
args[0].toString()

VirtualAlloc + VirtualProtect (memory-allocation / protection-change hooks, useful for spotting unpacking into RWX memory)

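import frida
import sys
import time
import argparse

# Spawn the target suspended, hook VirtualAlloc/VirtualProtect, then resume it
# and log every call (size, protection, returned address). Typical use: watch
# an unpacker carve out RWX memory. The sample runs for real -- use this only
# inside an isolated analysis VM.
parser = argparse.ArgumentParser(description='Frida demo.')
parser.add_argument("-f", "--file", help="target file to run", required=True)
args = parser.parse_args()

# frida.spawn() starts the process suspended, so hooks are in place before the
# entry point executes.
pid = frida.spawn(args.file)
session = frida.attach(pid)
time.sleep(1)

script = session.create_script("""
console.log("Load Win32 calls ....");
var vaExportAddress = Module.getExportByName("KERNEL32.DLL", "VirtualAlloc");
var vpExportAddress = Module.getExportByName("KERNEL32.DLL", "VirtualProtect");

// VirtualAlloc(lpAddress, dwSize, flAllocationType, flProtect)
Interceptor.attach(vaExportAddress, {
    onEnter: function (args) {
        // dwSize is SIZE_T; toInt32() truncates on x64 for very large sizes.
        var vaSize = args[1].toInt32();
        var vaProtect = args[3];   // printed as hex, e.g. 0x40 == PAGE_EXECUTE_READWRITE
        console.log("\\nVirtualAlloc called => Size: " + vaSize + " | Protection: " + vaProtect);
    },
    onLeave: function (retval) {
        console.log("VirtualAlloc returned => Address: " + retval);
    }
});

// VirtualProtect(lpAddress, dwSize, flNewProtect, lpflOldProtect)
Interceptor.attach(vpExportAddress, {
    onEnter: function (args) {
        var vpAddress = args[0];
        var vpSize = args[1].toInt32();
        var vpProtect = args[2];
        console.log("\\n VirtualProtect called => Address: " + vpAddress + " | Size: " + vpSize + " | New Protection: " + vpProtect);
    }
});
""")
script.load()
frida.resume(pid)

# Without this the interpreter exits right after resume, the session is torn
# down with it, and nothing is ever logged. Block until EOF / Ctrl+C.
print("[*] Hooks installed, tracing until EOF / Ctrl+C ...")
try:
    sys.stdin.read()
except KeyboardInterrupt:
    pass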

python script.py -f malware.exe   (run inside the isolated analysis VM — the sample is executed, not just inspected)

CreateFile + Mutex hooks (file paths opened/created and mutex names, the latter often a usable host-based indicator)

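import frida
import sys
import time
import argparse

# Spawn the target suspended, hook the CreateFile* and *Mutex* exports of
# kernel32, then resume it and log every file path and mutex name passed in.
# The sample runs for real -- use this only inside an isolated analysis VM.
parser = argparse.ArgumentParser(description='Frida demo.')
parser.add_argument("-f", "--file", help="target file to run", required=True)
args = parser.parse_args()

# frida.spawn() starts the process suspended, so hooks are in place before the
# entry point executes.
pid = frida.spawn(args.file)
session = frida.attach(pid)
time.sleep(1)

script = session.create_script("""
// lpName on the mutex APIs may legitimately be NULL (anonymous mutex);
// reading a NULL pointer would throw inside the hook, so guard it.
function ansiOrNull(p) {
    return p.isNull() ? "<NULL>" : p.readAnsiString();
}
function utf16OrNull(p) {
    return p.isNull() ? "<NULL>" : p.readUtf16String();
}

console.log("Load Win32 calls ....");
console.log("------------------------ CREATED FILES -------------------------------");

// CreateFileA(lpFileName, ...)
var createfileA = Module.getExportByName("KERNEL32.DLL", "CreateFileA");
Interceptor.attach(createfileA, {
    onEnter: function (args) {
        console.log('CreateFileA: ' + ansiOrNull(args[0]));
    }
});

// CreateFileW(lpFileName, ...) -- W variant takes a UTF-16 path, so the
// ANSI reader would have printed only the first character.
var createfileW = Module.getExportByName("KERNEL32.DLL", "CreateFileW");
Interceptor.attach(createfileW, {
    onEnter: function (args) {
        console.log('CreateFileW: ' + utf16OrNull(args[0]));
    }
});

console.log("------------------------ CREATED Mutex -------------------------------");
var createmutexw = Module.getExportByName("KERNEL32.DLL", "CreateMutexW");
var createmutexExA = Module.getExportByName("KERNEL32.DLL", "CreateMutexExA");
var createmutexExW = Module.getExportByName("KERNEL32.DLL", "CreateMutexExW");
var openmutexW = Module.getExportByName("KERNEL32.DLL", "OpenMutexW");

// CreateMutexW(lpMutexAttributes, bInitialOwner, lpName) -- wide string
Interceptor.attach(createmutexw, {
    onEnter: function (args) {
        console.log('CreateMutexW: ' + utf16OrNull(args[2]));
    }
});

// CreateMutexExA(lpMutexAttributes, lpName, dwFlags, dwDesiredAccess)
Interceptor.attach(createmutexExA, {
    onEnter: function (args) {
        console.log('CreateMutexExA: ' + ansiOrNull(args[1]));
    }
});

// CreateMutexExW(lpMutexAttributes, lpName, dwFlags, dwDesiredAccess)
Interceptor.attach(createmutexExW, {
    onEnter: function (args) {
        console.log('CreateMutexExW: ' + utf16OrNull(args[1]));
    }
});

// OpenMutexW(dwDesiredAccess, bInheritHandle, lpName)
Interceptor.attach(openmutexW, {
    onEnter: function (args) {
        console.log('OpenMutexW: ' + utf16OrNull(args[2]));
    }
});
""")
script.load()
frida.resume(pid)

# Without this the interpreter exits right after resume, the session is torn
# down with it, and nothing is ever logged. Block until EOF / Ctrl+C.
print("[*] Hooks installed, tracing until EOF / Ctrl+C ...")
try:
    sys.stdin.read()
except KeyboardInterrupt:
    pass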