Frida-Extract – Based RunPE (And MapViewOfSection) Extraction Tool

FridaExtract is a based RunPE extraction tool. RunPE type injection is a common technique used by malware to hide code within another process. It also happens to be the final stage in a lot of packers : )NOTE: Frida now also supports extraction of injected PE files using the “MapViewOfSection" technique best described here.Using FridaExtract you can automatically extract and reconstruct a PE file that has been injected using the RunPE method… and bypass these packers!Why Frida?There are tons of great tools that already extract RunPE injected code, FridaExtract is not better than these. But it is easier to install, easier to build (lol), easier to run, and easier to hack. No compilers, no build environments, just a simple "pip install" and you’re up and running.The code is specifically commented and organized to act as a template for you to build your own Frida projects. This is more of a proof of concept that demonstrates how to setup hooks in a Windows environment. Please copy-paste-hack this any way you like!Getting StartedWarning: FridaExtract only works under Windows 32bit. There are currently some mystery bugs with wow64 so we recommend sticking to Windows7 32bit or Windows Server 2008 32bit.First start a VM (see warning above) if you are going to be unpacking malware.Install Python 2.7Remember to set your python and pip paths ; )Install Frida by typing pip install frida in cmdClone this repository and you are ready to extract!Extracting PE FilesFridaExtract is only able to extract RunPE injected PE files so it is fairly limited. If you are using a VM that is easy to snapshot-run-revert then you can just try FridaExtract blindly on every malware sample and see what comes out but we don’t recommend it. Instead, FridaExtract is good compliment to a sandbox (we <3 malwr). First run the sample in a sandbox and note the API calls.For RunPE technique if you see the following API calls then FridaExtract may be the tool for you:CreateProcessWriteVirtualMemory (to remote process)ResumeThread (in remote process)For the MapViewOfSection technique if you see the following API calls then FridaExtract may be the tool for you:CreateProcessNtCreateSectionNtUnmapViewOfSection (remote process)NtMapViewOfSection (remote process)ExamplesBy default FridaExtract will attempt to automatically extract the injected PE file, reconstruct it, and dump it to a file called dump.bin.python bad.exeDump To FileA dump file can be specified using the --out_file command.python bad.exe --out_file extracted.exePass ArgumentsIf the packed PE file you are attempting to extract requires arguments you can pass them using the --args command. Multiple arguments can be passed as comma separated.python bad.exe --args passwordDump RawFridaExtract will automatically attempt to reconstruct the dumped memory into a PE file. If this isn't working and you just want a raw dump of all memory written to the subprocess you can use the --raw command. Instead of writing the reconstructed PE to the dump file the raw memory segments will be written in order of address.python bad.exe --rawVerboseFridaExtract uses hooks on the following APIs to extract the injected PE file:ExitProcessNtWriteVirtualMemoryNtCreateThreadNtResumeThreadNtDelayExecutionCreateProcessInternalWNtMapViewOfSectionNtUnmapViewOfSectionNtCreateSectionTo trace these APIs and print the results use the -v or --verbose command.python bad.exe --verboseCaveatsFrida uses userland hooks that can easily be bypassed. If you need a more robust DBI tool try PIN! A great example of using PIN to extract RunPE is provided by here.Frida injects a javascript runtime into the process you are analyzing, it is not stealthy. For a decent overview of how Frida may be detected by malware check this out.AcknowledgmentsHuge thanks to @oleavr for helping me with my endless questions about FridaHat tip to @skier_t for his awesome PE rebuilding script and so much more!Feedback / HelpAny questions, comments, requests hit us up on twitter: @herrcore or @seanmwAnything Frida specific find us lurking on IRC: #frida at irc.freenode.netPull requests welcome!Download Frida-Extract