Created
December 1, 2019 18:27
-
-
Save fwaeytens/0391322209f19c6889df9d2e563afe5a to your computer and use it in GitHub Desktop.
Frida-trace
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| C:\Python27\Scripts>frida-trace.exe -i "CreateFile*" notepad.exe | |
| Instrumenting functions... | |
| CreateFileMappingFromApp: Loaded handler at "C:\\Python27\\Scripts\\__handlers__\\KERNELBASE.dll\\CreateFileMappingFromApp.js" | |
| CreateFile2: Loaded handler at "C:\\Python27\\Scripts\\__handlers__\\KERNELBASE.dll\\CreateFile2.js" | |
| CreateFileA: Loaded handler at "C:\\Python27\\Scripts\\__handlers__\\KERNELBASE.dll\\CreateFileA.js" | |
| CreateFileMapping2: Loaded handler at "C:\\Python27\\Scripts\\__handlers__\\KERNELBASE.dll\\CreateFileMapping2.js" | |
| CreateFileW: Loaded handler at "C:\\Python27\\Scripts\\__handlers__\\KERNELBASE.dll\\CreateFileW.js" | |
| CreateFileMappingW: Loaded handler at "C:\\Python27\\Scripts\\__handlers__\\KERNELBASE.dll\\CreateFileMappingW.js" | |
| CreateFileMappingNumaW: Loaded handler at "C:\\Python27\\Scripts\\__handlers__\\KERNELBASE.dll\\CreateFileMappingNumaW.js" | |
| CreateFileMoniker: Loaded handler at "C:\\Python27\\Scripts\\__handlers__\\ole32.dll\\CreateFileMoniker.js" | |
| CreateFile2: Loaded handler at "C:\\Python27\\Scripts\\__handlers__\\KERNEL32.DLL\\CreateFile2.js" | |
| CreateFileA: Loaded handler at "C:\\Python27\\Scripts\\__handlers__\\KERNEL32.DLL\\CreateFileA.js" | |
| CreateFileW: Loaded handler at "C:\\Python27\\Scripts\\__handlers__\\KERNEL32.DLL\\CreateFileW.js" | |
| CreateFileMappingA: Loaded handler at "C:\\Python27\\Scripts\\__handlers__\\KERNEL32.DLL\\CreateFileMappingA.js" | |
| CreateFileTransactedA: Loaded handler at "C:\\Python27\\Scripts\\__handlers__\\KERNEL32.DLL\\CreateFileTransactedA.js" | |
| CreateFileMappingNumaA: Loaded handler at "C:\\Python27\\Scripts\\__handlers__\\KERNEL32.DLL\\CreateFileMappingNumaA.js" | |
| CreateFileMappingW: Loaded handler at "C:\\Python27\\Scripts\\__handlers__\\KERNEL32.DLL\\CreateFileMappingW.js" | |
| CreateFileTransactedW: Loaded handler at "C:\\Python27\\Scripts\\__handlers__\\KERNEL32.DLL\\CreateFileTransactedW.js" | |
| CreateFileMappingNumaW: Loaded handler at "C:\\Python27\\Scripts\\__handlers__\\KERNEL32.DLL\\CreateFileMappingNumaW.js" | |
| Started tracing 17 functions. Press Ctrl+C to stop. | |
| /* TID 0xda0 */ | |
| 16795 ms CreateFileMappingW() | |
| 16795 ms CreateFileMappingW() | |
| 16795 ms | CreateFileMappingNumaW() | |
| 16795 ms | CreateFileMappingNumaW() | |
| 16853 ms CreateFileW() | |
| 16853 ms CreateFileW() | |
| 16853 ms 0x80000000 | |
| 16853 ms 0x1 | |
| 16868 ms CreateFileW() | |
| 16868 ms CreateFileW() | |
| 16868 ms 0xc0000000 | |
| 16868 ms 0x7 | |
| 16868 ms CreateFileMappingW() | |
| 16868 ms CreateFileMappingW() | |
| 16868 ms | CreateFileMappingNumaW() | |
| 16868 ms | CreateFileMappingNumaW() | |
| 16868 ms CreateFileW() | |
| 16868 ms CreateFileW() | |
| 16868 ms 0xc0000000 | |
| 16868 ms 0x7 | |
| 16869 ms CreateFileMappingW() | |
| 16869 ms CreateFileMappingW() | |
| 16869 ms | CreateFileMappingNumaW() | |
| 16869 ms | CreateFileMappingNumaW() | |
| 16869 ms CreateFileW() | |
| 16869 ms CreateFileW() | |
| 16869 ms 0x80000000 | |
| 16869 ms 0x5 | |
| 16872 ms CreateFileW() | |
| 16872 ms CreateFileW() | |
| 16872 ms 0x80000000 | |
| In this case we just opened notepad, attached to it, put a few characters and then saved the document. As we can see, frida-trace creates "handlers", which are basically JS files that will get executed when the functions is called. | |
| Let's narrow down the function to "CreateFileW" and print something when the function is called. We can do this by modifying the "handler" for CreatefileW which is in the kernel32 module ("C:\\Python27\\Scripts\\__handlers__\\KERNEL32.DLL\\CreateFileW.js"). | |
| The File is very descriptive and you will see that you can execute something before (onenter) or after (onleave) the actual function is called. For now, let's just print something before the functions is called: | |
| >onEnter: function (log, args, state) { | |
| log('CreateFileW()'); | |
| log('Before Function is called'); | |
| C:\Python27\Scripts>frida-trace.exe -i "CreateFileW" notepad.exe | |
| Instrumenting functions... | |
| CreateFileW: Loaded handler at "C:\\Python27\\Scripts\\__handlers__\\KERNELBASE.dll\\CreateFileW.js" | |
| CreateFileW: Loaded handler at "C:\\Python27\\Scripts\\__handlers__\\KERNEL32.DLL\\CreateFileW.js" | |
| Started tracing 2 functions. Press Ctrl+C to stop. | |
| /* TID 0x198c */ | |
| 14601 ms CreateFileW() | |
| 14601 ms CreateFileW() | |
| 14601 ms Before Function is called | |
| 14617 ms CreateFileW() | |
| 14617 ms CreateFileW() | |
| 14617 ms Before Function is called | |
| 14617 ms CreateFileW() | |
| <SNIP> | |
| If we goto MSDN: https://docs.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-createfilew | |
| Syntax | |
| C++ | |
| Copy | |
| HANDLE CreateFileW( | |
| LPCWSTR lpFileName, | |
| DWORD dwDesiredAccess, | |
| DWORD dwShareMode, | |
| LPSECURITY_ATTRIBUTES lpSecurityAttributes, | |
| DWORD dwCreationDisposition, | |
| DWORD dwFlagsAndAttributes, | |
| HANDLE hTemplateFile | |
| ); | |
| We see there are 7 arguments. In this case we are interested in the first argument, lpfilename, which is of type LPCWSTR. According to MSDN: An LPCWSTR is a 32-bit pointer to a constant string of 16-bit Unicode characters, which MAY be null-terminated. | |
| If we want to see the value of the first argument, we need to get args[0] and convert it to a 16 bit unicode string, using readUtf16String() from the API. We can see all methods from the API at: https://frida.re/docs/javascript-api/#nativepointer | |
| So we need to change our CreateFileW handler to: | |
| { | |
| onEnter: function (log, args, state) { | |
| log('Kernel32!CreateFileW()'+":"+args[0].readUtf16String()); | |
| }, | |
| onLeave: function (log, retval, state) { | |
| //log(hexdump(Memory.readByteArray(this.buf, 150))); | |
| //log(Memory.readByteArray(this.buf, 150)); | |
| } | |
| } | |
| In the OnLeave section we can spot an additional method to dump the Memory location of the pointer in case we want to read RAW memory... | |
| If we now run frida trace and hook to our notepad and save a file: | |
| C:\Python27\Scripts>frida-trace.exe -i "CreateFileW" notepad.exe | |
| Instrumenting functions... | |
| CreateFileW: Loaded handler at "C:\\Python27\\Scripts\\__handlers__\\KERNELBASE.dll\\CreateFileW.js" | |
| CreateFileW: Loaded handler at "C:\\Python27\\Scripts\\__handlers__\\KERNEL32.DLL\\CreateFileW.js" | |
| Started tracing 2 functions. Press Ctrl+C to stop. | |
| /* TID 0xe64 */ | |
| 4216 ms CreateFileW() | |
| 4216 ms Kernel32!CreateFileW():C:\Python27\Scripts\__handlers__\KERNEL32.DLL\tralala.txt |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment