FridaTrace++ – quick & dirty API monitor, Part 2

June 7, 2020 in Batch Analysis, Frida, Malware Analysis, Sandboxing

In my previous post I described my first encounter with Frida. Since then I have slowly been incorporating new ideas into the monitor, including:

  • object-to-object-name resolution for APIs that rely on handles
  • data dumps of buffers for common APIs, e.g. ReadFile, WriteFile
  • generating a list of all objects in a separate file (kinda like a list of possible IOCs)

Adding this functionality is trivial and I am still perplexed that it can be so quick.
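To show what the three items above amount to in a Frida script, here is an added example of my own (not the FridaTrace++ code, which is not published in this post): a handle-to-name table filled from CreateFileW, buffer dumps for WriteFile/ReadFile resolved through that table, and the collected object list. It assumes Frida's Interceptor/Module API with kernel32 exports; those calls are only made inside a Frida session, so the helpers also run under plain Node.

```javascript
'use strict';
// Added example, not the post's FridaTrace++ code: a minimal Frida script
// sketching the three features above. Frida's Interceptor/Module API is only
// touched inside a Frida session, so the helpers also run under plain Node.
const handleNames = new Map();   // handle (as string) -> object name
const objects = new Set();       // every name seen, for the IOC-style list

function registerHandle(handle, name) {
  handleNames.set(String(handle), name);
  objects.add(name);
}
function resolveHandle(handle) {
  return handleNames.get(String(handle)) || '<unknown ' + handle + '>';
}
// Hex + ASCII rendering of a buffer, capped so logs stay readable.
function hexDump(bytes, max = 16) {
  const s = Array.from(bytes.slice(0, max));
  const hex = s.map(b => b.toString(16).padStart(2, '0')).join(' ');
  const asc = s.map(b => (b >= 0x20 && b < 0x7f) ? String.fromCharCode(b) : '.').join('');
  return hex + '  |' + asc + '|' + (bytes.length > max ? ' ...' : '');
}
function objectList() { return Array.from(objects).sort(); }

if (typeof Interceptor !== 'undefined') {     // only inside Frida
  const k32 = name => Module.findExportByName('kernel32.dll', name);
  Interceptor.attach(k32('CreateFileW'), {
    onEnter(args) { this.name = args[0].readUtf16String(); },
    onLeave(ret) {
      if (ret.toInt32() !== -1) registerHandle(ret, this.name); // skip INVALID_HANDLE_VALUE
      console.log('CreateFileW(' + this.name + ') -> ' + ret);
    }
  });
  Interceptor.attach(k32('WriteFile'), {
    onEnter(args) {            // lpBuffer holds the data on entry for WriteFile
      const n = args[2].toInt32();
      if (n === 0) return;
      const data = new Uint8Array(args[1].readByteArray(n));
      console.log('WriteFile(' + resolveHandle(args[0]) + ') ' + hexDump(data));
    }
  });
  Interceptor.attach(k32('ReadFile'), {
    onEnter(args) { this.h = args[0]; this.buf = args[1]; this.pRead = args[3]; },
    onLeave(ret) {             // for ReadFile the data only exists after return
      if (ret.toInt32() === 0 || this.pRead.isNull()) return; // failed or overlapped I/O
      const n = this.pRead.readU32();
      if (n === 0) return;
      const data = new Uint8Array(this.buf.readByteArray(n));
      console.log('ReadFile(' + resolveHandle(this.h) + ') ' + hexDump(data));
    }
  });
}
```

Dumping objectList() to a file at detach time gives the separate IOC-style list; the lookup falls back to an `<unknown>` marker for handles the script never saw created (inherited or opened via another API).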

Here’s a little demo of how this looks – a list of all files accessed via CreateFile when I launch Notepad:

and the buffers intercepted when I opened the Python NEWS file, typed ‘a’ and saved it in Notepad:

More to come… stay tuned 🙂
