By default, scripts are run using cscript.exe and the tool can output:
- COM ProgIds
- DNS Requests
- Shell Commands
- Network Requests
Although the common methods have been hooked, Windows provides numerous APIs that let developers interact with the network and file system and execute commands, so it is entirely possible to encounter scripts that use uncommon APIs for these capabilities and slip past the hooks.
Install & Setup
- Install Frida: pip install frida
- Clone (or download) the frida-wshook repository.
frida-wshook has been tested on Windows 10 and Windows 7 and should work on any Windows 7+ environment. On x64 systems CScript is loaded from the C:\Windows\SysWow64 directory (the 32-bit host).
It may work on Windows XP, but I suspect that CScript there might use the legacy API calls and would bypass the instrumentation.
The script supports a number of optional command-line arguments that let you control which APIs the scripting host can call.

usage: frida-wshook.py [-h] [--debug] [--disable_dns] [--disable_com_init] [--enable_shell] [--disable_net] script

frida-wshook.py your friendly WSH Hooker

positional arguments:
  script              Path to target .js/.vbs file

optional arguments:
  -h, --help          show this help message and exit
  --debug             Output debug information
  --disable_dns       Disable DNS Requests
  --disable_com_init  Disable COM Object Id Lookup
  --enable_shell      Enable Shell Commands
  --disable_net       Disable Network Requests
Analyze a script with the default parameters:
python wshook.py dangerous.js
Enable verbose debugging:
python wshook.py --debug dangerous.js
Enable shell (execute) commands:
python frida-wshook.py --enable_shell dangerous.vbs
Disable network requests:
python frida-wshook.py --disable_net dangerous.vbs
Check which ProgIds the script uses:
python frida-wshook.py --disable_com_init dangerous.vbs
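To make concrete how a hooker like this works (spawn the 32-bit cscript.exe suspended, inject a Frida agent, collect what the script tries to do, and optionally refuse an API so a --disable_dns style option can be honoured), here is an added, self-contained example; it is not frida-wshook's own code. It assumes the documented Frida Python and JavaScript APIs (frida.spawn/attach/resume, Interceptor.attach/replace, NativeCallback) and the documented Win32 exports GetAddrInfoExW and CreateProcessW; the event summary helper runs without Frida installed.

```python
import threading

# Frida agent injected into cscript.exe (assumed names are the documented Win32
# exports; 11001 is WSAHOST_NOT_FOUND, returned when DNS is disabled).
AGENT_JS = r"""
function report(kind, value) { send({kind: kind, value: value}); }
function wstr(p) { return p.isNull() ? '' : p.readUtf16String(); }
var gai = Module.getExportByName('ws2_32.dll', 'GetAddrInfoExW');
if (DISABLE_DNS) {
  // replace (not attach): the lookup never happens, the script just sees an error
  Interceptor.replace(gai, new NativeCallback(function (pName) {
    report('dns', wstr(pName));
    return 11001;
  }, 'int', ['pointer', 'pointer', 'uint', 'pointer', 'pointer',
             'pointer', 'pointer', 'pointer', 'pointer', 'pointer'], 'stdcall'));
} else {
  Interceptor.attach(gai, { onEnter: function (args) { report('dns', wstr(args[0])); } });
}
// WScript.Shell Run/Exec end up in CreateProcessW; args[1] is lpCommandLine
Interceptor.attach(Module.getExportByName('kernel32.dll', 'CreateProcessW'), {
  onEnter: function (args) { report('shell', wstr(args[1])); }
});
"""

def build_agent(disable_dns):
    """Prepend the option flag so the same agent source serves both modes."""
    return "var DISABLE_DNS = %s;\n%s" % ("true" if disable_dns else "false", AGENT_JS)

def summarize(events):
    """Fold agent messages into {'dns': [...], 'shell': [...]}, ordered and de-duplicated."""
    report = {"dns": [], "shell": []}
    for ev in events:
        kind, value = ev.get("kind"), ev.get("value")
        if kind in report and value not in report[kind]:
            report[kind].append(value)
    return report

def run(script_path, disable_dns=False):
    """Spawn 32-bit cscript.exe suspended, hook it, resume, and collect until it exits."""
    import frida  # imported here so the pure helpers above work without Frida installed
    events, done = [], threading.Event()
    pid = frida.spawn([r"C:\Windows\SysWOW64\cscript.exe", script_path])
    session = frida.attach(pid)
    session.on("detached", lambda *_: done.set())
    agent = session.create_script(build_agent(disable_dns))
    agent.on("message", lambda msg, _: events.append(msg["payload"]) if msg["type"] == "send" else None)
    agent.load()
    frida.resume(pid)  # hooks are in place before the script's first line executes
    done.wait()
    return summarize(events)
```

Call it as run(r"C:\samples\sample.js", disable_dns=True) on an analysis VM; the 'stdcall' ABI on the NativeCallback matters because the hooked host is the 32-bit cscript.exe.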
Known Issues
- Network responses are not captured
- Disabling Object Lookup can cause the script to only output the first ProgId, so malware QA may be lacking.
- WSF files with a specific job to target are currently not supported
TODO
- Change the GetAddrInfoExW hook to use Frida's .replace instead of .attach
- Add more tracing and hooks to cover more APIs
- Look at bypassing common anti-analysis techniques found in scripts (sleeps etc.)
- Update and improve network request hooking (i.e. currently it captures requests, but not responses)