Frida-Wshook - Script Analysis Tool Based On Frida.Re


frida-wshook is an analysis and instrumentation tool which uses frida.re to hook common functions often used by malicious script files that are run using WScript/CScript.
The tool intercepts Windows API functions and does not implement function stubs or proxies inside the targeted scripting language. This allows it to support analysing a few different script types such as:
  • .js (JScript)
  • .vbs (VBScript)
  • .wsf (WSFile) (Initial support/testing. Does not support specific jobs)
By default script files are run using cscript.exe and will output:
  • COM ProgIds
  • DNS Requests
  • Shell Commands
  • Network Requests
Warning!!! Ensure that you run any malicious scripts on a dedicated analysis system. Ideally, a VM with snapshots so you can revert if a script gets away from you and you need to reset the system.
Although common methods have been hooked, Windows provides numerous APIs which allow developers to interact with the network and file system and to execute commands. So it is entirely possible to see scripts leveraging uncommon APIs for these functions.

Install & Setup
pip install frida
  • Clone (or download) the frida-wshook repository.

Supported OS
frida-wshook has been tested on Windows 10 and Windows 7 and should work on any Windows 7+ environment. On x64 systems CScript is loaded from the C:\Windows\SysWow64 directory.
It may work on Windows XP, but I suspect that CScript may use the legacy API calls and would bypass the instrumentation.

Usage
The script supports a number of optional command line arguments that let you control what APIs the scripting host can call.
  usage: frida-wshook.py [-h] [--debug] [--disable_dns] [--disable_com_init]
                         [--enable_shell] [--disable_net]
                         script

  frida-wshook.py your friendly WSH Hooker

  positional arguments:
    script              Path to target .js/.vbs file

  optional arguments:
    -h, --help          show this help message and exit
    --debug             Output debug information
    --disable_dns       Disable DNS Requests
    --disable_com_init  Disable COM Object Id Lookup
    --enable_shell      Enable Shell Commands
    --disable_net       Disable Network Requests
Analyze a script with the default parameters:
python frida-wshook.py bad.js
Enable verbose debugging:
python frida-wshook.py --debug bad.js
Enable shell (execute) commands:
python frida-wshook.py --enable_shell bad.vbs
Disable WSASend:
python frida-wshook.py --disable_net bad.vbs
Check what ProgIds the script uses:
python frida-wshook.py --disable_com_init bad.vbs
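The following is an added example, not frida-wshook's own code: a minimal Python host in the style of frida-wshook.py that shows what a flag like --disable_dns has to change in the agent, namely an observing Interceptor.attach on GetAddrInfoExW versus a blocking Interceptor.replace that answers WSAHOST_NOT_FOUND so the lookup never leaves the analysis VM (the switch the TODO list describes), and how the events the agent sends back are collected. It assumes Frida's classic JavaScript API, the 32-bit cscript.exe under C:\Windows\SysWow64 (stdcall ABI), and a constructed event format; the Report class and the run() helper are assumptions for this demo.

```python
import sys
# Added example (not frida-wshook's own code). Assumes Frida's classic JavaScript API and
# the 32-bit cscript.exe from C:\Windows\SysWow64 (stdcall ABI); event format is constructed.
AGENT_TEMPLATE = r"""
var addr = Module.findExportByName('ws2_32.dll', 'GetAddrInfoExW');
if (%(block_dns)s) {
    // --disable_dns: replace the export so the lookup never reaches the resolver.
    // Returning WSAHOST_NOT_FOUND (11001) makes the script believe the name does not exist.
    Interceptor.replace(addr, new NativeCallback(function (name) {
        send({ event: 'dns', host: name.readUtf16String(), blocked: true });
        return 11001;
    }, 'int', ['pointer', 'pointer', 'uint32'].concat(Array(7).fill('pointer')), 'stdcall'));
} else {
    // Interceptor.attach only observes: the real resolver still runs afterwards.
    Interceptor.attach(addr, { onEnter: function (args) {
        send({ event: 'dns', host: args[0].readUtf16String(), blocked: false });
    }});
}
"""

def build_agent(disable_dns=False):
    """Render the agent source; shows how the --disable_dns flag changes the hook."""
    return AGENT_TEMPLATE % {"block_dns": "true" if disable_dns else "false"}

class Report:
    """Collects the events the agent sends back, grouped by category (dns, net, shell, com)."""
    def __init__(self):
        self.events = {}
    def on_message(self, message, data=None):
        if message["type"] == "send":
            payload = message["payload"]
            self.events.setdefault(payload["event"], []).append(payload)
        elif message["type"] == "error":  # exception inside the agent, e.g. export not found
            print("agent error:", message["description"], file=sys.stderr)

def run(script_path, disable_dns=False):
    import frida  # imported lazily so the helpers above work without Frida installed
    report = Report()
    pid = frida.spawn([r"C:\Windows\SysWow64\cscript.exe", script_path])  # assumed path
    session = frida.attach(pid)
    script = session.create_script(build_agent(disable_dns))
    script.on("message", report.on_message)
    script.load()
    frida.resume(pid)  # hooks are in place before the script's first instruction runs
    sys.stdin.read()   # keep the host alive until EOF so queued events are delivered
    return report

if __name__ == "__main__":
    run(sys.argv[1], disable_dns="--disable_dns" in sys.argv)
```

Without the 'stdcall' ABI argument the replacement callback would use the cdecl convention on 32-bit cscript.exe and corrupt the caller's stack, so the ABI is part of the hook, not an optional detail.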

Hooked Functions

Known Issues
  • Network responses are not captured
  • Disabling Object Lookup can cause the script to only output the first ProgId... Malware QA can be lacking.
  • WSF files with a specific job to target currently aren't supported

TODO
  • Change GetAddrInfoExW to use .replace instead of .attach
  • Add additional tracing and hooks to cover more APIs
  • Look at bypassing common anti-analysis techniques found in scripts (sleeps etc)
  • Update and improve network request hooking (ie: currently it captures requests, but not responses)

Feedback / Help
Any questions, comments or requests: you can find us on twitter: @seanmw or @herrcore