Malware instrumentation with Frida

frida-trace

# Spawn the sample (-f) and trace every export whose name matches the glob (-i);
# "*CreateFile*" matches both the A and the W variants in every loaded module.
frida-trace.exe -f malware.exe -i *CreateFile*
# MODULE!FUNCTION form: trace exactly one export instead of a glob across all modules.
frida-trace.exe -f malware.exe -i KERNEL32.DLL!CreateFileA
# Glob on the function part only: OpenMutexA and OpenMutexW, restricted to kernel32.
frida-trace.exe -f malware.exe -i KERNEL32.DLL!OpenMutex*
// Handler snippets for the traces above. frida-trace generates one JavaScript
// handler file per traced export and invokes its onEnter(log, args, state);
// `log` and `args` are that handler's parameters, not globals.

// CreateFileA(lpFileName, ...): argument 0 is an ANSI path. A *W export takes
// UTF-16 strings, so use readUtf16String() there (as for OpenMutexW below).
log(`File or device: ${args[0].readAnsiString()}`);

// OpenMutexW(dwDesiredAccess, bInheritHandle, lpName): argument 2 is the UTF-16 name.
log(`OpenMutexW: ${args[2].readUtf16String()}`);

// --- casts ----
// NativePointer -> signed 32-bit number, and -> its "0x..." hexadecimal form.
args[0].toInt32();
args[0].toString();

VirtualAlloc + VirtualProtect

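"""Trace VirtualAlloc/VirtualProtect in a spawned sample with Frida.

Usage: python script.py -f <sample.exe>   (inside the isolated analysis VM)

The sample is spawned suspended, the JavaScript agent below is injected, and only
then is the process resumed, so even the earliest allocations are logged. The
controller stays alive until stdin closes or Ctrl-C, because the hooks only live
as long as this session does.
"""
import frida
import sys
import time
import argparse

# JavaScript agent injected into the target. Raw string so that "\n" reaches
# JavaScript as an escape sequence rather than as a literal newline.
AGENT_SOURCE = r"""
console.log("Load Win32 calls ....");

var vaExportAddress = Module.getExportByName("KERNEL32.DLL", "VirtualAlloc");
var vpExportAddress = Module.getExportByName("KERNEL32.DLL", "VirtualProtect");

// Base memory-protection constants (winnt.h). Modifier bits such as PAGE_GUARD
// (0x100) live above the low byte and are masked off before the lookup.
var PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY"
};

// Render a flProtect/flNewProtect value as e.g. "0x40 (PAGE_EXECUTE_READWRITE)".
// Writable+executable regions are the classic signal of unpacking or code injection,
// so naming the constant makes the log greppable.
function describeProtection(p) {
    var name = PAGE_PROTECTION[p.toInt32() & 0xff] || "unknown";
    return p + " (" + name + ")";
}

// VirtualAlloc(lpAddress, dwSize, flAllocationType, flProtect)
Interceptor.attach(vaExportAddress, {
    onEnter: function (args) {
        // dwSize is SIZE_T; toInt32() truncates sizes >= 2 GiB, acceptable for logging.
        var vaSize = args[1].toInt32();
        var vaProtect = args[3];
        console.log("\nVirtualAlloc called => Size: " + vaSize + " | Protection: " + describeProtection(vaProtect));
    },
    onLeave: function (retval) {
        console.log("VirtualAlloc returned => Address: " + retval);
    }
});

// VirtualProtect(lpAddress, dwSize, flNewProtect, lpflOldProtect)
Interceptor.attach(vpExportAddress, {
    onEnter: function (args) {
        var vpAddress = args[0];
        var vpSize = args[1].toInt32();
        var vpProtect = args[2];
        console.log("\n VirtualProtect called => Address: " + vpAddress + " | Size: " + vpSize + " | New Protection: " + describeProtection(vpProtect));
    }
});
"""


def build_parser() -> argparse.ArgumentParser:
    """Return the CLI parser; -f/--file (required) is the executable to spawn."""
    parser = argparse.ArgumentParser(description='Frida demo.')
    parser.add_argument("-f", "--file", help="target file to run", required=True)
    return parser


def main() -> None:
    """Spawn the target, install the hooks, resume it and keep the session open."""
    args = build_parser().parse_args()

    # spawn() creates the process suspended, so the hooks are in place before any
    # of its code runs.
    pid = frida.spawn(args.file)
    session = frida.attach(pid)
    time.sleep(1)  # the target is still suspended; this is only a short settle

    script = session.create_script(AGENT_SOURCE)
    script.load()
    frida.resume(pid)

    # Keep the controller alive: exiting this process tears down the session and
    # with it the hooks, so the sample would run untraced. Block until stdin
    # closes or Ctrl-C, then detach cleanly.
    try:
        sys.stdin.read()
    except KeyboardInterrupt:
        pass
    finally:
        session.detach()


if __name__ == "__main__":
    main()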
# Spawns the sample suspended, installs the hooks, then resumes it; run inside the analysis VM.
python script.py -f malware.exe

CreateFile + Mutex

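"""Log file and mutex names used by a spawned sample, via Frida hooks on kernel32.

Usage: python script.py -f <sample.exe>   (inside the isolated analysis VM)

The sample is spawned suspended, the JavaScript agent below is injected, and only
then is the process resumed. Mutex names are a cheap host-based indicator (many
families use a fixed name to avoid running twice), so every A/W variant of the
create/open calls is hooked and NULL names are tolerated.
"""
import frida
import sys
import time
import argparse

# JavaScript agent injected into the target.
AGENT_SOURCE = r"""
console.log("Load Win32 calls ....");

// Read an LPCSTR / LPCWSTR argument. NULL is legal for several of these calls
// (an unnamed mutex, for instance) and dereferencing it would fault inside the hook.
function ansi(p) { return p.isNull() ? "<null>" : p.readAnsiString(); }
function wide(p) { return p.isNull() ? "<null>" : p.readUtf16String(); }

// Attach an onEnter callback to a KERNEL32 export. getExportByName() throws if
// the export does not exist, which beats silently tracing nothing.
function hook(name, onEnter) {
    Interceptor.attach(Module.getExportByName("KERNEL32.DLL", name), { onEnter: onEnter });
}

console.log("------------------------ CREATED FILES -------------------------------");
// CreateFileA/W(lpFileName, dwDesiredAccess, ...): the W variant carries a UTF-16 path.
hook("CreateFileA", function (args) { console.log('CreateFileA: ' + ansi(args[0])); });
hook("CreateFileW", function (args) { console.log('CreateFileW: ' + wide(args[0])); });

console.log("------------------------ CREATED Mutex -------------------------------");
// CreateMutexA/W(lpMutexAttributes, bInitialOwner, lpName)
hook("CreateMutexA", function (args) { console.log('CreateMutexA: ' + ansi(args[2])); });
hook("CreateMutexW", function (args) { console.log('CreateMutexW: ' + wide(args[2])); });
// CreateMutexExA/W(lpMutexAttributes, lpName, dwFlags, dwDesiredAccess)
hook("CreateMutexExA", function (args) { console.log('CreateMutexExA: ' + ansi(args[1])); });
hook("CreateMutexExW", function (args) { console.log('CreateMutexExW: ' + wide(args[1])); });
// OpenMutexA/W(dwDesiredAccess, bInheritHandle, lpName)
hook("OpenMutexA", function (args) { console.log('OpenMutexA: ' + ansi(args[2])); });
hook("OpenMutexW", function (args) { console.log('OpenMutexW: ' + wide(args[2])); });
"""


def build_parser() -> argparse.ArgumentParser:
    """Return the CLI parser; -f/--file (required) is the executable to spawn."""
    parser = argparse.ArgumentParser(description='Frida demo.')
    parser.add_argument("-f", "--file", help="target file to run", required=True)
    return parser


def main() -> None:
    """Spawn the target, install the hooks, resume it and keep the session open."""
    args = build_parser().parse_args()

    # spawn() creates the process suspended, so the hooks are in place before any
    # of its code runs.
    pid = frida.spawn(args.file)
    session = frida.attach(pid)
    time.sleep(1)  # the target is still suspended; this is only a short settle

    script = session.create_script(AGENT_SOURCE)
    script.load()
    frida.resume(pid)

    # Keep the controller alive: exiting this process tears down the session and
    # with it the hooks, so the sample would run untraced. Block until stdin
    # closes or Ctrl-C, then detach cleanly.
    try:
        sys.stdin.read()
    except KeyboardInterrupt:
        pass
    finally:
        session.detach()


if __name__ == "__main__":
    main()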
Malware Analysis with Dynamic Binary Instrumentation Frameworks
BlackBerry
GitHub - N1ght-W0lf/HawkEye: Malware dynamic instrumentation tool based on frida framework
GitHub
ghidra2frida - The new bridge between Ghidra and Frida - hn security
hn security