My first encounter with Frida

May 29, 2020 in Malware Analysis, Reversing, Sandboxing

My first real job was a web programmer. Yes, I know. I have no idea either.

This is how I learned HTML, CSS, JavaScript, perl, and php. Today all of it is obsolete, but still brings me a lot of fruits, because at least I am able to compare how many things have changed… well… since back then. Yup, this is what old people do – the fruits are totally rotten.

Today’s JavaScript is not what it used to be, and it’s funny that it became ‘the’ language of the future unlike Java. Speaking of the latter, the Java situation is so dire that it bleeds my heart to describe an observation that I made recently. Once upon a time the wet dream of futurologists is now so obscene and obsolete that infosec found a hipster-driven pleasure in taking it over as a de facto lingua franca of their beloved software creation. There are two separate phrases of French origin in my previous sentence – I encourage you to re-visit it and take pleasure in re-reading them without understanding. Back to Java. One can’t be a red teamer if one doesn’t use at least one Java-based product e.g. Burp. So is the blue teamer that is now using Ghidra – NSA had to be super pissed of with Ilfak’s pricing model to get us here … But I digress.

Seeing JavaScript penetrating every single corner of the virtual world, starting with good ol’ web 1.0, going via JQuery, node.js, React, and tones of other libraries, and then empowering the bloatware emperor aka Elektron applications, anyone who loves machine code, purity of Windows API, direct access to registers, memory, and fundamentally loves full control over the box… shivers when they hear of JavaScript.

These long paragraphs above serve as a personal journey through a catharsis process that this post is about.

I spent many months writing my assembly-based sandbox (the adventure I described in my sandboxing series), so I couldn’t bear the idea that I would be using JavaScript to do API monitoring. This was not the first time – Pedram Amini’s PaiMei python-based framework was and still is a brilliant insult to the purity of raw assembly-based API monitoring. Took me long time to get used to it, I hated it, no… I loathed it… but used it, eventually… and now, in a hindsight I see how revolutionary concept it really was. Because JavaScript-based API monitoring frameworks borrow a lot from that concept… they use python.

Okay, but what am I actually talking about?

I recently posted about limitations of API Monitoring on Windows 10. Around 20,000 people came back to me after that post – many of whom turned out to be just a bunch of infosec Kardashians looking for a virtual selfie with me – and only a few individuals less annoying than me provided actual suggestion. One of them was Frida. I put it on my todo list.

My first time with Frida was… picturesque.

I am not kidding you. I went to the site, ran ‘pip’ to install the thing as they said…:

… and this darn thing installed w/o any issue. w…t… h… I am so used to whine about open source projects requiring a lot of troubleshooting that I am still looking for my jaws somewhere in my basement.

That was just the beginning.

I tried some sample code I bookmarked earlier and hell.. it worked the very first time (only change I had to do was a mod to the address of the function that sample code was hooking, which was different due to ASLR).

I then tried frida-trace:

c:\python\Scripts\frida-trace.exe c:\windows\notepad.exe -i *CreateFile*

Are you kidding me?

Out of the box this thing builds a repo of prototypes for all API functions that it hooked:

All you have to do is .. mod it to your needs:

Seriously… After 20 years I am finally sold on JavaScript…

Comments are closed.