Frida-Wshook – Script Analysis Tool Based On

Frida-Wshook - Script Analysis Tool Based On

frida-wshook is an analysis and instrumentation device which makes use of to hook frequent capabilities usually utilized by malicious script information that are run utilizing WScript/CScript.
The device intercepts Windows API capabilities and would not implement perform stubs or proxies inside the focused scripting language. This permits it to assist analyzing a couple of totally different script varieties comparable to:

By default script information are run utilizing cscript.exe and can output:

  • COM ProjIds
  • DNS Requests
  • Shell Commands
  • Network Requests
Warning!!! Ensure that you just run any malicious scripts on a devoted evaluation system. Ideally, a VM with snapshots so you possibly can revert if a script will get away from you and you’ll want to reset the system.

Although frequent strategies have been hooked, Windows gives quite a few APIs which permit builders to work together with a community, file system and execute instructions. So it’s completely potential to come across scripts leveraging unusual APIs for these capabilities.

Install & Setup

pip set up frida
  • Clone (or obtain) the frida-wshook repository.

Supported OS
frida-wshook has been examined on Windows 10 and Windows 7 and ought to work on any Windows 7 + surroundings. On x64 programs CScript is loaded from the C:WindowsSysWow64 listing.
It might work on WindowsXP, however I think that CScript might use the legacy API calls and would bypass the instrumentation.

The script helps a lot of non-obligatory commandline arguments that let you management what APIs the scripting host can name.

utilization: [-h] [--debug] [--disable_dns] [--disable_com_init]
                       [--enable_shell] [--disable_net]
                       script your pleasant WSH Hooker

positional arguments:
  script              Path to focus on .js/.vbs file

non-obligatory arguments:
  -h, --help          present this assist message and exit
  --debug             Output debug information
  --disable_dns       Disable DNS Requests
  --disable_com_init  Disable COM Object Id Lookup
  --enable_shell      Enable Shell Commands
  --disable_net       Disable Network Requests

Analyze a script with the default parameters:

python dangerous.js

Enable verbose debugging:

python --debug dangerous.js

Enable shell (execute) instructions:

python --enable_shell dangerous.vbs

Disable WSASend:

python --disable_net dangerous.vbs

Check what ProgIds the script makes use of:

python --disable_com_init dangerous.vbs

Hooked Functions

  • ole32.dll
  • Shell32.dll
  • Ws2_32.dll

Known Issues

  • Network responses usually are not captured
  • Disabling Object Lookup may cause the script to solely output the primary ProgId…Malware QA could be missing.
  • WSF information with a particular job to focus on at present is not supported


  • Change GetAddrInfoExW to make use of .exchange as an alternative of .connect
  • Add extra tracing and hooks to cowl extra APIs
  • Look at bypassing frequent anti-evaluation methods present in scripts (sleeps and so on)
  • Update and enhance community request hooking (ie: at present it captures requests, however not responses)

Feedback / Help
Any questions, feedback or requests yow will discover us on twitter: @seanmw or @herrcore


Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.