{"id":8007,"date":"2022-02-20T19:14:44","date_gmt":"2022-02-20T19:14:44","guid":{"rendered":"https:\/\/www.hexacorn.com\/blog\/?p=8007"},"modified":"2022-02-20T19:17:18","modified_gmt":"2022-02-20T19:17:18","slug":"delphi-api-monitoring-with-frida-part-3","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2022\/02\/20\/delphi-api-monitoring-with-frida-part-3\/","title":{"rendered":"Delphi API monitoring with Frida, Part 3"},"content":{"rendered":"\n

In part 1<\/a> and part 2<\/a> we looked at individual APIs and I hinted we can automate generation of handlers. Today we will do exactly that.<\/p>\n\n\n\n

The attached python code (delphi.py<\/a>) reads PE file and then searches for code patterns that represent a couple of popular Delphi API functions responsible for string operations. <\/p>\n\n\n\n

For every occurrence found, we generate a handler & print out the offsets (first offset is file position, and the second number is RVA that we need to pass to frida-trace):<\/p>\n\n\n\n

\"\"<\/a><\/figure><\/div>\n\n\n\n

Once handlers are generated, we can run frida-trace:<\/p>\n\n\n\n

frida-trace c:\\test\\foo.exe foo.exe -a foo.exe!4c04 -a foo.exe!4e70 -a foo.exe!4fac -a foo.exe!4c48<\/pre>\n\n\n\n
\"\"<\/a><\/figure><\/div>\n\n\n\n
This is a full log<\/a>. Lots of string goodness, right? Note the IOCs, and the fact processes seem to be enumerated in order to find if possibly targeted processes are present.<\/p>\n\n\n\n
And in case you are wondering the sample in question (foo.exe) is 00008EB74EEAEFFC64E85F8B0978D4EB056FCF390264A0D4C7D4A15ED5356DD3.<\/p>\n","protected":false},"excerpt":{"rendered":"
In part 1 and part 2 we looked at individual APIs and I hinted we can automate generation of handlers. Today we will do exactly that. The attached python code (delphi.py) reads PE file and then searches for code patterns … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[92,9],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/8007"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=8007"}],"version-history":[{"count":3,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/8007\/revisions"}],"predecessor-version":[{"id":8012,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/8007\/revisions\/8012"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=8007"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=8007"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=8007"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}