Frida-Wshook - Script Analysis Tool Based On Frida.Re
frida-wshook is an analysis and instrumentation tool which uses frida.re to hook common functions often used by malicious script files that are run using WScript/CScript.
The tool intercepts Windows API functions and doesn't implement function stubs or proxies within the targeted scripting language. Because the hooks sit below the script engine, it can analyze several different script types such as:
- .js (JScript)
- .vbs (VBScript)
- .wsf (WSFile) (Initial support/testing. - Does not support targeting specific jobs)
By default script files are run using cscript.exe and the tool will output:
- COM ProgIds
- DNS Requests
- Shell Commands
- Network Requests
Warning!!! Ensure that you run any malicious scripts on a dedicated analysis system. Ideally, a VM with snapshots so you can revert if a script gets away from you and you need to reset the system.
Although the common methods have been hooked, Windows provides numerous APIs which allow developers to interact with the network and file system and to execute commands. So it is entirely possible to see scripts leveraging uncommon APIs for these functions, and those calls will not be intercepted.
Install & Setup
- Install Python 2.7
- Install the Frida python bindings using pip
pip install frida
- Clone (or download) the frida-wshook repository.
Supported OS
frida-wshook has been tested on Windows 10 and Windows 7 and should work on any Windows 7+ environment. On x64 systems CScript is loaded from the C:\Windows\SysWow64 directory (the 32-bit cscript.exe).
It may work on Windows XP, but I suspect that CScript may use the legacy API calls there and would bypass the instrumentation.
Usage
The script supports a number of optional command line arguments that allow you to control which APIs the scripting host can call.

    usage: frida-wshook.py [-h] [--debug] [--disable_dns] [--disable_com_init]
                           [--enable_shell] [--disable_net]
                           script

    frida-wshook.py your friendly WSH Hooker

    positional arguments:
      script              Path to target .js/.vbs file

    optional arguments:
      -h, --help          show this help message and exit
      --debug             Output debug information
      --disable_dns       Disable DNS Requests
      --disable_com_init  Disable COM Object Id Lookup
      --enable_shell      Enable Shell Commands
      --disable_net       Disable Network Requests
Analyze a script with the default parameters:

    python frida-wshook.py bad.js

Enable verbose debugging:

    python frida-wshook.py --debug bad.js

Enable shell (execute) commands:

    python frida-wshook.py --enable_shell bad.vbs

Disable WSASend (network requests):

    python frida-wshook.py --disable_net bad.vbs

Check which ProgIds the script uses:

    python frida-wshook.py --disable_com_init bad.vbs
Hooked Functions
- ole32.dll
- Shell32.dll
- Ws2_32.dll
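To make the hooking approach concrete, here is an added example of how a frida.re agent for cscript.exe can be built. It is not frida-wshook's own source and makes its own assumptions: it picks CLSIDFromProgID as the ole32.dll export to watch for ProgIds (the README names only the DLL), hooks GetAddrInfoExW and WSASend in ws2_32.dll, uses the SysWOW64 cscript.exe path from the README, and shows both Interceptor.attach (observe only) and Interceptor.replace (refuse DNS lookups). Only run() needs Windows and the frida package; the helpers are pure Python.

```python
"""Minimal WSH-hooking harness in the spirit of frida-wshook (added example,
not the project's code). Spawns cscript.exe on a script, injects a Frida agent
that hooks ole32!CLSIDFromProgID, ws2_32!GetAddrInfoExW and ws2_32!WSASend,
and reduces the hook events to a short ProgId / DNS / network report."""
import threading

try:
    import frida  # only needed by run(); absent on non-Windows analysis boxes
except ImportError:
    frida = None

# Matches the README: on x64 hosts cscript comes from SysWOW64 (32-bit build).
CSCRIPT = r"C:\Windows\SysWOW64\cscript.exe"

# Frida agent (JavaScript) injected into cscript.exe. The exports are real
# Win32 functions; choosing these three is this example's own assumption.
AGENT_JS = r"""
function exportOf(dll, name) {
  // ws2_32/ole32 may not be mapped yet in a freshly spawned process;
  // Module.load() makes the target LoadLibrary() it so we can hook early.
  var m = Process.findModuleByName(dll) || Module.load(dll);
  return m.getExportByName(name);
}
// HRESULT CLSIDFromProgID(LPCOLESTR lpszProgID, LPCLSID lpclsid)
Interceptor.attach(exportOf('ole32.dll', 'CLSIDFromProgID'), {
  onEnter: function (args) {
    send({ kind: 'progid', value: args[0].readUtf16String() });
  }
});
// INT GetAddrInfoExW(PCWSTR pName, PCWSTR pServiceName, DWORD dwNameSpace, ...) - 10 args
var getAddrInfoExW = exportOf('ws2_32.dll', 'GetAddrInfoExW');
if (__BLOCK_DNS__) {
  // Interceptor.replace refuses the lookup; attach alone can only observe it.
  var abi = Process.arch === 'ia32' ? 'stdcall' : 'default';
  var argTypes = ['pointer', 'pointer', 'int', 'pointer', 'pointer',
                  'pointer', 'pointer', 'pointer', 'pointer', 'pointer'];
  Interceptor.replace(getAddrInfoExW, new NativeCallback(function (pName) {
    send({ kind: 'dns', value: pName.isNull() ? '' : pName.readUtf16String(), blocked: true });
    return 11001;  // WSAHOST_NOT_FOUND: the script sees a failed lookup
  }, 'int', argTypes, abi));
} else {
  Interceptor.attach(getAddrInfoExW, {
    onEnter: function (args) {
      send({ kind: 'dns', value: args[0].isNull() ? '' : args[0].readUtf16String(), blocked: false });
    }
  });
}
// int WSASend(SOCKET s, LPWSABUF lpBuffers, DWORD dwBufferCount, ...)
// WSABUF is { ULONG len; CHAR *buf; }: buf sits one pointer-size in and the
// struct is two pointer-sizes wide on both x86 (SysWOW64) and x64.
Interceptor.attach(exportOf('ws2_32.dll', 'WSASend'), {
  onEnter: function (args) {
    var ps = Process.pointerSize, count = args[2].toInt32();
    for (var i = 0; i < count; i++) {
      var wsabuf = args[1].add(i * 2 * ps);
      var len = wsabuf.readU32();
      var buf = wsabuf.add(ps).readPointer();
      send({ kind: 'net', socket: args[0].toInt32(), len: len },
           len > 0 ? buf.readByteArray(Math.min(len, 512)) : null);
    }
  }
});
"""


def build_agent(block_dns):
    """Return the agent source with the DNS policy baked in."""
    return AGENT_JS.replace('__BLOCK_DNS__', 'true' if block_dns else 'false')


def record_event(events, message, data):
    """Frida on_message callback: keep 'send' payloads, attach WSASend bytes."""
    if message.get('type') != 'send':
        return  # agent 'error' / 'log' messages are ignored here
    payload = dict(message['payload'])
    if data is not None:
        payload['data'] = bytes(data)
    events.append(payload)


def summarize(events):
    """Reduce raw hook events to the ProgId / DNS / network report."""
    report = {'progids': [], 'dns': [], 'net': []}
    for ev in events:
        if ev['kind'] == 'progid' and ev['value'] not in report['progids']:
            report['progids'].append(ev['value'])
        elif ev['kind'] == 'dns':
            report['dns'].append((ev['value'], ev['blocked']))
        elif ev['kind'] == 'net':
            head = ev.get('data', b'')[:64].decode('latin-1')
            report['net'].append((ev['socket'], ev['len'], head))
    return report


def run(script_path, block_dns=False, timeout=60, cscript=CSCRIPT):
    """Spawn cscript.exe suspended, hook it, resume, and report when it exits."""
    events, done = [], threading.Event()
    pid = frida.spawn([cscript, '//nologo', script_path])
    session = frida.attach(pid)
    session.on('detached', lambda *_: done.set())
    agent = session.create_script(build_agent(block_dns))
    agent.on('message', lambda msg, data: record_event(events, msg, data))
    agent.load()
    frida.resume(pid)
    if not done.wait(timeout):  # runaway or sleeping script: kill it
        frida.kill(pid)
    return summarize(events)


if __name__ == '__main__':
    import sys
    print(run(sys.argv[1], block_dns='--disable_dns' in sys.argv))
```

Run it as `python example.py bad.js` (add `--disable_dns` to have lookups fail instead of merely being logged). The WSABUF walk is the part worth studying: because the 32-bit cscript.exe runs under WOW64, hooks must not hard-code 64-bit struct layouts, and Process.pointerSize keeps the offsets right in both cases. The replace-based DNS hook is the one that actually stops traffic; an attach-only hook sees the lookup but cannot prevent it.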
Known Issues
- Network responses are not captured
- Disabling Object Lookup can cause the script to only output the first ProgId... Malware QA can be lacking.
- WSF files with a specific job to target are currently not supported
TODO
- Change the GetAddrInfoExW hook to use .replace instead of .attach
- Add additional tracing and hooks to cover more APIs
- Look at bypassing common anti-analysis techniques found in scripts (sleeps etc)
- Update and improve network request hooking (ie: currently it captures requests, but not responses)
Feedback / Help
For any questions, comments or requests you can find us on Twitter: @seanmw or @herrcore