hooking.js

The hooking.js script will find the address of the Windows API WriteFile (which lives in kernel32.dll/kernelbase.dll) and hexdump the contents of the 1st argument passed to it:

We then spawn notepad.exe through Frida and supply it with the above hooking.js code, so that we can start instrumenting the WriteFile API and inspect the contents of the buffer that is being written to disk:

We can modify the hooking.js code and the instrumentation happens instantly - it does not require us to re-spawn notepad or re-attach Frida to it. In the above GIF, this can be seen at the end when we ask the console to print process.id (the process Frida is attached to) and the notepad process ID gets printed to the screen instantly.
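As an added example (not the post's own hooking.js), the following Frida script hooks WriteFile and dumps the buffer it is about to write. The hexdump formatter is plain JavaScript so it also runs outside Frida; the 256-byte cap and resolving the export from kernelbase.dll via Module.findExportByName are my assumptions.

```javascript
// Added example: instrument WriteFile with Frida and hexdump the outgoing buffer.
// WriteFile(hFile, lpBuffer, nNumberOfBytesToWrite, lpNumberOfBytesWritten, lpOverlapped)
// The buffer is the 2nd parameter (args[1]); its length is the 3rd (args[2]).

const DUMP_LIMIT = 256; // assumed cap so a large write does not flood the console

// Format a byte array as hexdump lines: 8-digit offset, 16 hex bytes, printable ASCII.
function hexdumpBytes(bytes, bytesPerLine) {
  const width = bytesPerLine || 16;
  const lines = [];
  for (let off = 0; off < bytes.length; off += width) {
    const chunk = bytes.slice(off, off + width);
    const hex = Array.from(chunk, (b) => b.toString(16).padStart(2, '0')).join(' ');
    const ascii = Array.from(chunk, (b) =>
      b >= 0x20 && b < 0x7f ? String.fromCharCode(b) : '.').join('');
    lines.push(off.toString(16).padStart(8, '0') + '  ' +
      hex.padEnd(width * 3 - 1) + '  ' + ascii);
  }
  return lines;
}

// Summarise one WriteFile call: handle, requested length, capped hexdump of the data.
function describeWriteFile(handle, bytes, requested) {
  const shown = bytes.slice(0, Math.min(requested, DUMP_LIMIT));
  return { handle: handle, length: requested, dump: hexdumpBytes(shown) };
}

// Only install the hook when running inside Frida (Interceptor is a Frida global).
if (typeof Interceptor !== 'undefined') {
  // kernel32!WriteFile forwards to kernelbase on modern Windows, so hooking the
  // kernelbase.dll export catches callers of either.
  const writeFile = Module.findExportByName('kernelbase.dll', 'WriteFile');
  Interceptor.attach(writeFile, {
    onEnter(args) {
      const len = args[2].toInt32();                          // nNumberOfBytesToWrite
      const raw = args[1].readByteArray(Math.min(len, DUMP_LIMIT)); // lpBuffer
      const info = describeWriteFile(args[0].toString(), new Uint8Array(raw), len);
      console.log('[+] WriteFile hFile=' + info.handle + ' len=' + info.length +
        ' pid=' + Process.id);
      console.log(info.dump.join('\n'));
    },
  });
}
```

Load it with the same frida command used for the post's hooking.js; editing the script while attached takes effect without respawning notepad, as described above.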
To trace WriteFile, we can use the frida-trace tool like so:

We can also use frida-trace to see if explorer.exe ever calls any functions named *Cred* when we invoke the credentials popup:

A call to CredUIPromptForWindowsCredentialsW is made when the prompt is first invoked:

More Cred* API calls are made (in red):

The CredUnPackAuthenticationBuffer function converts an authentication buffer returned by a call to the CredUIPromptForWindowsCredentials function into a string user name and password.

We can hook CredUnPackAuthenticationBufferW in a Frida JavaScript like so:

With CredUnPackAuthenticationBufferW instrumented, entering credentials in the prompt launched by explorer.exe gives us the expected result - the credentials are seen in plaintext: