{"id":7991,"date":"2022-02-19T23:05:02","date_gmt":"2022-02-19T23:05:02","guid":{"rendered":"https:\/\/www.hexacorn.com\/blog\/?p=7991"},"modified":"2022-02-20T10:38:44","modified_gmt":"2022-02-20T10:38:44","slug":"delphi-api-monitoring-with-frida-part-2","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2022\/02\/19\/delphi-api-monitoring-with-frida-part-2\/","title":{"rendered":"Delphi API monitoring with Frida, Part 2"},"content":{"rendered":"\n<p>In my previous <a href=\"https:\/\/www.hexacorn.com\/blog\/2022\/01\/28\/delphi-api-monitoring-with-frida\/\" data-type=\"post\" data-id=\"7953\">post<\/a> I demoed a simple example of a Frida-based Delphi API monitor. Let&#8217;s look at one more example &#8212; this time the strings are stored in a different way: each one is a Delphi long string, with a 32-bit length stored immediately before the actual text, and a pointer to that text is passed via eax\/edx to run-time library helpers such as LStrAsg and LStrLAsg. These two functions are very interesting, because the compiler calls them to assign long strings, so they are often where a program&#8217;s strings get initialized. By simply monitoring their input we can sometimes guess what the program&#8217;s functionality is.<\/p>\n\n\n\n<p>Let&#8217;s take the sample 0000E1A0B0CAEFD82B9E71098E92EE08FA3C47B889108B450712B4D9C3AE4D6E as an example: a small Delphi downloader that is not really worth any attention on its own, but it&#8217;s perfect to demo Frida&#8217;s capabilities.<\/p>\n\n\n\n<p>Applying Delphi FLIRT signatures to the sample tells us that <em>LStrAsg<\/em> is located at 0x00403B3C and <em>LStrLAsg<\/em> at 0x00403B80. With the image base of 0x00400000 those are module-relative offsets 0x3B3C and 0x3B80, which is the form frida-trace expects for its -a module!offset option (and it keeps working if the image is relocated, since Frida resolves the module base at run time). 
We can create a quick&amp;dirty handler for both of these functions (frida-trace generates one handler file per traced function, so the same body goes into both) &#8211; it can look like this:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">onEnter(log, args, state) {\n  \/\/ edx holds the source string (second argument); an empty Delphi string is a nil pointer\n  const edx = this.context.edx;\n  if (edx.isNull()) return;\n  \/\/ the 32-bit length sits 4 bytes before the first character\n  const edx_len = edx.sub(4).readS32();\n  if (edx_len &gt; 0 &amp;&amp; edx_len &lt; 256)\n  {\n    const edx_str = edx.readUtf8String(edx_len);\n    console.log(JSON.stringify(edx_str));\n  }\n},<\/pre>\n\n\n\n<p>We take the value of edx (the second argument to both functions), read the length of the string, which is stored as a 32-bit integer at (edx-4), and then read that many bytes from the edx location as a string. The 0 &lt; length &lt; 256 check is a cheap sanity filter: it skips empty strings and anything that looks like a bogus length before we try to read it. The data of a Delphi long string is single-byte ANSI text, so for non-ASCII content readAnsiString would be the more faithful reader; for the ASCII strings we care about here readUtf8String gives the same result.<\/p>\n\n\n\n<p>If we now run frida-trace (sample renamed to 1.exe) we get the following output:<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large is-resized\"><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2022\/02\/frida_delphi2-1.png\"><img decoding=\"async\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2022\/02\/frida_delphi2-1.png\" alt=\"\" class=\"wp-image-7993\" width=\"500\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2022\/02\/frida_delphi2-1.png 598w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2022\/02\/frida_delphi2-1-207x300.png 207w\" sizes=\"(max-width: 598px) 100vw, 598px\" \/><\/a><\/figure><\/div>\n\n\n\n<p>Not bad. 
We can almost immediately tell that there is network connectivity (a User-Agent string) and a likely destination path for the downloaded payload.<\/p>\n\n\n\n<p>Combine it with <em>InternetOpenUrlA<\/em> API monitoring (which should be done by default for any Windows binary, since it is where a WinINet-based downloader hands over its URL) and we get a really simple and clean answer to the &#8216;what is this program doing?&#8217; question &#8212; that&#8217;s what sandboxes are for, right? The two -a entries hook our RTL helpers by module-relative offset and -i adds the imported API by name:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">frida-trace c:\\test\\1.exe 1.exe -a 1.exe!3B80 -a 1.exe!3B3C -i wininet.dll!InternetOpenUrlA<\/pre>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2022\/02\/frida_delphi3.png\"><img decoding=\"async\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2022\/02\/frida_delphi3.png\" alt=\"\" class=\"wp-image-7995\" width=\"500\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2022\/02\/frida_delphi3.png 801w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2022\/02\/frida_delphi3-238x300.png 238w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2022\/02\/frida_delphi3-768x967.png 768w\" sizes=\"(max-width: 801px) 100vw, 801px\" \/><\/a><\/figure>\n\n\n\n<p>Yes, it is THAT simple. <\/p>\n\n\n\n<p>Kudos to <a href=\"https:\/\/twitter.com\/fridadotre\">Frida<\/a> developers, you have created something truly wonderful!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In my previous post I demoed a simple example of a Frida-based Delphi API monitor. 
Let&#8217;s look at one more example &#8212; this time the strings are stored in a different way, with a 32-bit length preceding the actual text &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2022\/02\/19\/delphi-api-monitoring-with-frida-part-2\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[9,41],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/7991"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=7991"}],"version-history":[{"count":6,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/7991\/revisions"}],"predecessor-version":[{"id":8006,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/7991\/revisions\/8006"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=7991"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=7991"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=7991"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
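Added example, not code from the original post or from Frida's own handler templates: the Delphi long-string read that the post's onEnter handler performs, written over a constructed byte buffer so the length and nil-pointer checks can be exercised outside Frida, plus a Frida attach routine that applies the same logic to both helpers by module-relative offset, the way the frida-trace -a 1.exe!3B3C -a 1.exe!3B80 invocation does. The module name 1.exe and the offsets 0x3B3C/0x3B80 come from the post; the header layout (reference count at -8, length at -4, #0 terminator after the data) is the classic Delphi AnsiString layout; the sample strings are constructed here, and the 256-byte cap mirrors the handler's sanity check.

```javascript
// Added example (not from the original post). Delphi (pre-2009) long string
// layout, relative to the pointer Delphi passes in edx:
//   ptr-8 : int32 reference count
//   ptr-4 : int32 length in characters (one byte each for AnsiString)
//   ptr   : characters, followed by a #0 terminator
// An empty string is not a pointer to a zero-length header: it is a nil pointer.
const HDR_SIZE = 8;        // refcount + length
const OFF_REFCOUNT = -8;
const OFF_LENGTH = -4;
const MAX_LEN = 256;       // same sanity cap as the handler in the post

// Constructed helper: build a fake memory region holding one Delphi string.
// Returns { mem, ptr } where ptr is what edx would hold at call time.
function makeDelphiString(text, refcount = 1) {
  const bytes = Array.from(text, ch => ch.charCodeAt(0) & 0xff);
  const mem = new Uint8Array(HDR_SIZE + bytes.length + 1);   // +1 for the #0
  const view = new DataView(mem.buffer);
  view.setInt32(HDR_SIZE + OFF_REFCOUNT, refcount, true);    // little-endian (x86)
  view.setInt32(HDR_SIZE + OFF_LENGTH, bytes.length, true);
  mem.set(bytes, HDR_SIZE);
  return { mem, ptr: HDR_SIZE };
}

// Read the Delphi string at `ptr` inside `mem`, with the checks a hook needs:
// nil pointer -> null, length outside (0, MAX_LEN) -> null, and a length that
// would run past the buffer -> null (a corrupted or mis-identified header).
function readDelphiString(mem, ptr) {
  if (ptr === 0) return null;                 // empty string is a nil pointer
  if (ptr + OFF_LENGTH < 0) return null;      // no room for the header
  const view = new DataView(mem.buffer, mem.byteOffset, mem.byteLength);
  const len = view.getInt32(ptr + OFF_LENGTH, true);
  if (len <= 0 || len >= MAX_LEN) return null;
  if (ptr + len > mem.length) return null;    // would read past the buffer
  let s = '';
  for (let i = 0; i < len; i++) s += String.fromCharCode(mem[ptr + i]);
  return s;
}

// Frida side: attach to LStrAsg / LStrLAsg by module-relative offset (same
// offsets frida-trace -a takes) and log the source string held in edx.
// Interceptor and Module are Frida globals, so this is only called under Frida.
function hookDelphiStringAssign(moduleName, offsets) {
  const base = Module.findBaseAddress(moduleName);
  if (base === null) throw new Error('module not loaded: ' + moduleName);
  for (const off of offsets) {
    Interceptor.attach(base.add(off), {
      onEnter(args) {
        const edx = this.context.edx;         // second argument: source string
        if (edx.isNull()) return;             // empty string, nothing to read
        const len = edx.sub(4).readS32();
        if (len <= 0 || len >= MAX_LEN) return;
        // AnsiString data is single-byte, so read it as ANSI rather than UTF-8
        console.log(moduleName + '+0x' + off.toString(16) + ' ' +
                    JSON.stringify(edx.readAnsiString(len)));
      }
    });
  }
}

// Offsets from the post (LStrAsg at 0x3B3C, LStrLAsg at 0x3B80 in 1.exe).
if (typeof Interceptor !== 'undefined') {
  hookDelphiStringAssign('1.exe', [0x3B3C, 0x3B80]);
}
```

Loaded into the spawned sample with the frida CLI's -l option, the guarded last statement installs the hooks; run under Node, the same file only defines the functions, which is how the parsing logic of a handler can be checked against constructed headers before it is pointed at a live process.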