• Stars
    star
    127
  • Rank 282,790 (Top 6 %)
  • Language
    JavaScript
  • Created over 7 years ago
  • Updated over 7 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Script analysis tool based on Frida.re

frida-wshook

frida-wshook is an analysis and instrumentation tool which uses frida.re to hook common functions often used by malicious script files which are run using WScript/CScript.

The tool intercepts Windows API functions and doesn't implement function stubs or proxies within the targeted scripting language. This allows it to support analyzing a few different script types such as:

  • .js (JScript)
  • .vbs (VBScript)
  • .wsf (WSFile) (Initial support/testing. - Does not support specific jobs)

By default script files are run using cscript.exe and will output:

  • COM ProjIds
  • DNS Requests
  • Shell Commands
  • Network Requests

Warning!!! Ensure that you run any malicious scripts on a dedicated analysis system. Ideally, a VM with snapshots so you can revert if a script gets away from you and you need to reset the system.

Although common methods have been hooked, Windows provides numerous APIs which allow developers to interact with a network, file system and execute commands. So it is entirely possible to encounter scripts leveraging uncommon APIs for these functions.

Install & Setup

pip install frida
  • Clone (or download) the frida-wshook repository.

Supported OS

frida-wshook has been tested on Windows 10 and Windows 7 and should work on any Windows 7 + environment. On x64 systems CScript is loaded from the C:\Windows\SysWow64 directory.

It may work on WindowsXP, but I suspect that CScript may use the legacy API calls and would bypass the instrumentation.

Usage

The script supports a number of optional commandline arguments that allow you to control what APIs the scripting host can call.

usage: frida-wshook.py [-h] [--debug] [--disable_dns] [--disable_com_init]
                       [--enable_shell] [--disable_net]
                       script

frida-wshook.py your friendly WSH Hooker

positional arguments:
  script              Path to target .js/.vbs file

optional arguments:
  -h, --help          show this help message and exit
  --debug             Output debug info
  --disable_dns       Disable DNS Requests
  --disable_com_init  Disable COM Object Id Lookup
  --enable_shell      Enable Shell Commands
  --disable_net       Disable Network Requests

Analyze a script with the default parameters:

python wshook.py bad.js

Enable verbose debugging:

python wshook.py --debug bad.js

Enable shell (execute) commands:

python frida-wshook.py --enable_shell bad.vbs

Disable WSASend:

python frida-wshook.py --disable_net bad.vbs

Check what ProgIds the script uses:

python frida-wshook.py --disable_com_init bad.vbs

Hooked Functions

Known Issues

  • Network responses are not captured
  • Disabling Object Lookup can cause the script to only output the first ProgId...Malware QA can be lacking.
  • WSF files with a specific job to target currently isn't supported

TODO

  • Change GetAddrInfoExW to use .replace instead of .attach
  • Add additional tracing and hooks to cover more APIs
  • Look at bypassing common anti-analysis techniques found in scripts (sleeps etc)
  • Update and improve network request hooking (ie: currently it captures requests, but not responses)

Feedback / Help

Any questions, comments or requests you can find us on twitter: @seanmw or @herrcore