FridaTrace++ – quick & dirty API monitor, Part 2

In my previous post I described my first encounter with Frida. Since then I have slowly been incorporating new ideas into the monitor, including:

  • handle-to-object-name resolution for APIs that take a HANDLE rather than a name (ReadFile and WriteFile only ever see the handle returned by CreateFile, so the monitor has to remember which name each handle stands for)
  • data dumps of the buffers passed to common APIs, e.g. ReadFile and WriteFile
  • generating a list of all objects the process touched in a separate file (kind of like a list of possible IOCs)

Adding this functionality is trivial and I am still perplexed that it can be done so quickly.
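To show what the three bullets above amount to in practice, here is an added example of a minimal Frida agent that does all of them: it is my illustration, not the FridaTrace++ code from this post. It assumes a Windows target, the kernel32.dll exports CreateFileW, CloseHandle, ReadFile and WriteFile, and Frida's Interceptor/Process API; the names (registerHandle, resolveHandle, hexDump, objectList, MAX_DUMP) and the 4096-byte dump cap are my choices. The bookkeeping is kept separate from the hooks so the file also loads under plain Node for testing, where the Frida globals are absent.

```javascript
'use strict';

// Bookkeeping shared by all hooks. Deliberately free of Frida globals so the
// same functions can be loaded and unit-tested outside the agent.
const handleNames = new Map();   // handle value (as hex string) -> object name
const seenObjects = new Set();   // every name ever opened: the IOC list

function registerHandle(handle, name) {
  handleNames.set(handle, name);
  seenObjects.add(name);
}

function resolveHandle(handle) {
  return handleNames.has(handle) ? handleNames.get(handle) : `<unknown ${handle}>`;
}

// Handle values are recycled after CloseHandle, so forgetting a handle here is
// what keeps a later ReadFile from being attributed to the wrong file.
function releaseHandle(handle) {
  handleNames.delete(handle);
}

function objectList() {
  return Array.from(seenObjects).sort();
}

// 16-bytes-per-row hex dump, capped so one large write does not flood the log.
function hexDump(bytes, max = 64) {
  const shown = bytes.subarray(0, Math.min(bytes.length, max));
  const rows = [];
  for (let off = 0; off < shown.length; off += 16) {
    const row = shown.subarray(off, off + 16);
    const hex = Array.from(row, b => b.toString(16).padStart(2, '0')).join(' ');
    const ascii = Array.from(row, b => (b >= 0x20 && b < 0x7f) ? String.fromCharCode(b) : '.').join('');
    rows.push(off.toString(16).padStart(8, '0') + '  ' + hex.padEnd(47) + '  ' + ascii);
  }
  if (bytes.length > max) rows.push(`... ${bytes.length - max} more byte(s)`);
  return rows.join('\n');
}

function describeIo(api, handle, bytes) {
  return `${api}(${resolveHandle(handle)}, ${bytes.length} byte(s))\n${hexDump(bytes)}`;
}

// Hooks: only installed when running inside Frida (Interceptor is a Frida global).
if (typeof Interceptor !== 'undefined') {
  const k32 = Process.getModuleByName('kernel32.dll');
  const MAX_DUMP = 4096;   // assumed cap on bytes dumped per call

  // CreateFileW: remember which name the returned handle stands for.
  Interceptor.attach(k32.getExportByName('CreateFileW'), {
    onEnter(args) { this.path = args[0].readUtf16String(); },
    onLeave(retval) {
      if (retval.toInt32() === -1) return;   // INVALID_HANDLE_VALUE: nothing to track
      registerHandle(retval.toString(), this.path);
      console.log(`CreateFileW -> ${retval} ${this.path}`);
    }
  });

  Interceptor.attach(k32.getExportByName('CloseHandle'), {
    onEnter(args) { releaseHandle(args[0].toString()); }
  });

  // WriteFile(hFile, lpBuffer, nNumberOfBytesToWrite, ...): the buffer is complete on entry.
  Interceptor.attach(k32.getExportByName('WriteFile'), {
    onEnter(args) {
      const len = Math.min(args[2].toInt32() >>> 0, MAX_DUMP);
      if (len === 0) return;
      const bytes = new Uint8Array(args[1].readByteArray(len));
      console.log(describeIo('WriteFile', args[0].toString(), bytes));
    }
  });

  // ReadFile(hFile, lpBuffer, nNumberOfBytesToRead, lpNumberOfBytesRead, lpOverlapped):
  // the buffer is only filled on return, and lpNumberOfBytesRead may be NULL (overlapped I/O).
  Interceptor.attach(k32.getExportByName('ReadFile'), {
    onEnter(args) {
      this.handle = args[0].toString();
      this.buf = args[1];
      this.outLen = args[3];
    },
    onLeave(retval) {
      if (retval.toInt32() === 0 || this.outLen.isNull()) return;
      const len = Math.min(this.outLen.readU32(), MAX_DUMP);
      if (len === 0) return;
      const bytes = new Uint8Array(this.buf.readByteArray(len));
      console.log(describeIo('ReadFile', this.handle, bytes));
    }
  });

  // Expose the IOC list to a host script over Frida RPC as well.
  rpc.exports = { objects: objectList };
}
```

Load it with `frida -l agent.js notepad.exe`; in the REPL, `objectList()` prints every name opened so far (the "separate file" of objects is just that array written out). Two things to keep in mind: CreateFileA needs the same hook with `readAnsiString()`, and anything opened below kernel32 (direct NtCreateFile calls) will show up as `<unknown 0x...>` in the I/O dumps, which is the cue to move the name hook down to ntdll.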

Here’s a little demo of what this looks like: a list of all files accessed via CreateFile when I launch Notepad:

and the buffers intercepted when I opened Python’s NEWS file, typed ‘a’ and saved it in Notepad:

More to come… stay tuned 🙂