Frida-Wshook - Script Analysis Tool Based On Frida.Re
Wednesday, September 25, 2019
Edit
Frida-Wshook - Script Analysis Tool Based On Frida.Re - Hi friends mederc, In the article that you read this time with the title Frida-Wshook - Script Analysis Tool Based On Frida.Re, We have prepared this article well for you to read and retrieve information from it. hopefully fill the posts
Article Analysis Tool,
Article Frida-Wshook,
Article Linux,
Article Python,
Article Scripts,
Article Tool,
Article Windows, we write this you can understand. Alright, happy reading.
Title : Frida-Wshook - Script Analysis Tool Based On Frida.Re
link : Frida-Wshook - Script Analysis Tool Based On Frida.Re
Install & Setup
Supported OS
frida-wshook has been tested on Windows 10 as well as Windows seven as well as should piece of work on whatever Windows seven + environment. On x64 systems CScript is loaded from the C:\Windows\SysWow64 directory.
It may piece of work on WindowsXP, but I suspect that CScript may exercise the legacy API calls as well as would bypass the instrumentation.
Usage
The script supports a discover of optional commandline arguments that let yous to command what APIs the scripting host tin call.
Hooked Functions
Known Issues
TODO
Feedback / Help
Any questions, comments or requests yous tin discovery us on twitter: @seanmw or @herrcore
You are now reading the article Frida-Wshook - Script Analysis Tool Based On Frida.Re with the link address https://mederc.blogspot.com/2019/09/frida-wshook-script-analysis-tool-based.html
Title : Frida-Wshook - Script Analysis Tool Based On Frida.Re
link : Frida-Wshook - Script Analysis Tool Based On Frida.Re
Frida-Wshook - Script Analysis Tool Based On Frida.Re
frida-wshook is an analysis as well as instrumentation tool which uses frida.re to hook mutual functions oftentimes used past times malicious script files which are run using WScript/CScript.
The tool intercepts Windows API functions as well as doesn't implement role stubs or proxies inside the targeted scripting language. This allows it to back upwards analyzing a few dissimilar script types such as:
- .js (JScript)
- .vbs (VBScript)
- .wsf (WSFile) (Initial support/testing. - Does non back upwards specific jobs)
By default script files are run using cscript.exe as well as volition output:
- COM ProjIds
- DNS Requests
- Shell Commands
- Network Requests
Warning!!! Ensure that yous run whatever malicious scripts on a dedicated analysis system. Ideally, a VM alongside snapshots then yous tin revert if a script gets away from yous as well as yous demand to reset the system.
Although mutual methods convey been hooked, Windows provides numerous APIs which let developers to interact alongside a network, file organization as well as execute commands. So it is exclusively possible to meet scripts leveraging uncommon APIs for these functions.
Install & Setup
- Install Python 2.7
- Install the Frida python bindings using pip
pip install frida
- Clone (or download) the frida-wshook repository.
Supported OS
frida-wshook has been tested on Windows 10 as well as Windows seven as well as should piece of work on whatever Windows seven + environment. On x64 systems CScript is loaded from the C:\Windows\SysWow64 directory.
It may piece of work on WindowsXP, but I suspect that CScript may exercise the legacy API calls as well as would bypass the instrumentation.
Usage
The script supports a discover of optional commandline arguments that let yous to command what APIs the scripting host tin call.
usage: frida-wshook.py [-h] [--debug] [--disable_dns] [--disable_com_init] [--enable_shell] [--disable_net] script frida-wshook.py your friendly WSH Hooker positional arguments: script Path to target .js/.vbs file optional arguments: -h, --help exhibit this assistance message as well as move --debug Output debug information --disable_dns Disable DNS Requests --disable_com_init Disable COM Object Id Lookup --enable_shell Enable Shell Commands --disable_net Disable Network Requests
Analyze a script alongside the default parameters:python wshook.py bad.js
Enable verbose debugging:python wshook.py --debug bad.js
Enable musical rhythm out (execute) commands:python frida-wshook.py --enable_shell bad.vbs
Disable WSASend:python frida-wshook.py --disable_net bad.vbs
Check what ProgIds the script uses:python frida-wshook.py --disable_com_init bad.vbs
Hooked Functions
- ole32.dll
- Shell32.dll
- Ws2_32.dll
Known Issues
- Network responses are non captured
- Disabling Object Lookup tin drive the script to only output the commencement ProgId...Malware QA tin last lacking.
- WSF files alongside a specific project to target currently isn't supported
TODO
- Change GetAddrInfoExW to exercise .replace instead of .attach
- Add additional tracing as well as hooks to encompass to a greater extent than APIs
- Look at bypassing mutual anti-analysis techniques constitute inward scripts (sleeps etc)
- Update as well as ameliorate network asking hooking (ie: currently it captures requests, but non responses)
Feedback / Help
Any questions, comments or requests yous tin discovery us on twitter: @seanmw or @herrcore
Thus the article Frida-Wshook - Script Analysis Tool Based On Frida.Re
That's all the article Frida-Wshook - Script Analysis Tool Based On Frida.Re this time, hopefully can benefit you all. okay, see you in another article posting.
You are now reading the article Frida-Wshook - Script Analysis Tool Based On Frida.Re with the link address https://mederc.blogspot.com/2019/09/frida-wshook-script-analysis-tool-based.html