Frida-Wshook – Script Analysis Tool Based On

frida-wshook is an analysis and instrumentation tool which uses Frida to hook common functions often used by malicious script files which are run using WScript/CScript. The tool intercepts Windows API functions and doesn't implement function stubs or proxies within the targeted scripting language. This allows it to support analyzing a few different script types such as:

- .js (JScript)
- .vbs (VBScript)
- .wsf (WSFile) (initial support/testing; does not support specific jobs)

By default script files are run using cscript.exe and will output:

- COM ProgIds
- DNS Requests
- Shell Commands
- Network Requests

Warning!!! Ensure that you run any malicious scripts on a dedicated analysis system. Ideally, a VM with snapshots so you can revert if a script gets away from you and you need to reset the system.

Although common methods have been hooked, Windows provides numerous APIs which allow developers to interact with a network, file system and execute commands. So it is entirely possible to encounter scripts leveraging uncommon APIs for these functions.

Install & Setup

- Install Python 2.7
- Install the Frida python bindings using pip: pip install frida
- Clone (or download) the frida-wshook repository.

Supported OS

frida-wshook has been tested on Windows 10 and Windows 7 and should work on any Windows 7+ environment. On x64 systems CScript is loaded from the C:\Windows\SysWow64 directory. It may work on Windows XP, but I suspect that CScript may use the legacy API calls and would bypass the instrumentation.

Usage

The script supports a number of optional command-line arguments that allow you to control what APIs the scripting host can call.

usage: [-h] [--debug] [--disable_dns] [--disable_com_init] [--enable_shell] [--disable_net]

your friendly WSH Hooker

positional arguments:
  script              Path to target .js/.vbs file

optional arguments:
  -h, --help          show this help message and exit
  --debug             Output debug info
  --disable_dns       Disable DNS Requests
  --disable_com_init  Disable COM Object Id Lookup
  --enable_shell      Enable Shell Commands
  --disable_net       Disable Network Requests

Analyze a script with the default parameters:
python bad.js

Enable verbose debugging:
python --debug bad.js

Enable shell (execute) commands:
python --enable_shell bad.vbs

Disable WSASend:
python --disable_net bad.vbs

Check what ProgIds the script uses:
python --disable_com_init bad.vbs

Hooked Functions

ole32.dll
- CLSIDFromProgIDEx

Shell32.dll
- ShellExecuteEx

Ws2_32.dll
- WSASocketW
- GetAddrInfoExW
- WSASend
- WSAStartup

Known Issues

- Network responses are not captured
- Disabling Object Lookup can cause the script to only output the first ProgId…
- Malware QA can be lacking.
- WSF files with a specific job to target currently aren't supported

TODO

- Change GetAddrInfoExW to use .replace instead of .attach
- Add additional tracing and hooks to cover more APIs
- Look at bypassing common anti-analysis techniques found in scripts (sleeps etc)
- Update and improve network request hooking (ie: currently it captures requests, but not responses)

Feedback / Help

Any questions, comments or requests you can find us on twitter: @seanmw or @herrcore

Download Frida-Wshook
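As an added illustration, not the project's own agent code, a Frida JavaScript agent that hooks four of the APIs listed above with the same policy the command-line flags describe: everything is logged, and a category that has been disabled is refused with Interceptor.replace rather than Interceptor.attach (attach lets the real call run and only fakes the result, which is the TODO item above). The option names, the event shape passed to send() and the way options reach the agent are assumptions; the error codes are the documented Win32 values.

```javascript
// Added example modelled on frida-wshook, not the project's own agent; option names mirror the CLI flags (assumed).
const DEFAULTS = { disable_dns: false, disable_com_init: false, enable_shell: false, disable_net: false };
const SOCKET_ERROR = -1, WSAHOST_NOT_FOUND = 11001, CO_E_CLASSSTRING = 0x800401F3 | 0; // HRESULT as int32
// [dll, argument count]; parameters are declared pointer-sized so one decoder serves attach and replace
const TARGETS = { CLSIDFromProgIDEx: ['ole32.dll', 2], ShellExecuteExW: ['shell32.dll', 1],
                  GetAddrInfoExW: ['ws2_32.dll', 10], WSASend: ['ws2_32.dll', 7] };
// Per hooked API: observe only, or refuse the call with a plausible error code.
function policyFor(api, opts) {
  return {
    CLSIDFromProgIDEx: { block: opts.disable_com_init, retval: CO_E_CLASSSTRING },
    GetAddrInfoExW:    { block: opts.disable_dns,      retval: WSAHOST_NOT_FOUND },
    ShellExecuteExW:   { block: !opts.enable_shell,    retval: 0 },   // BOOL FALSE: launch refused
    WSASend:           { block: opts.disable_net,      retval: SOCKET_ERROR },
  }[api];
}
const toHex = (ab) => Array.from(new Uint8Array(ab), (b) => b.toString(16).padStart(2, '0')).join('');
const wstr = (p) => (p.isNull() ? null : p.readUtf16String());
// Argument decoders: what is worth logging per call (a is a NativePointer array in both hook modes)
const DECODERS = {
  CLSIDFromProgIDEx: (a) => ({ progid: wstr(a[0]) }),
  GetAddrInfoExW: (a) => ({ host: wstr(a[0]) }),
  ShellExecuteExW: (a) => {   // SHELLEXECUTEINFOW: cbSize, fMask, hwnd, then lpVerb, lpFile, lpParameters
    const ps = Process.pointerSize, f = (off) => wstr(a[0].add(off).readPointer());
    return { verb: f(8 + ps), file: f(8 + 2 * ps), params: f(8 + 3 * ps) };
  },
  WSASend: (a) => {           // WSABUF array: { ULONG len; CHAR *buf; }, dwBufferCount entries
    const ps = Process.pointerSize, out = [];
    for (let i = 0; i < a[2].toInt32(); i++) {
      const wsabuf = a[1].add(i * 2 * ps);
      out.push(toHex(wsabuf.add(ps).readPointer().readByteArray(wsabuf.readU32())));
    }
    return { socket: a[0].toInt32(), buffers_hex: out };
  },
};
function installHooks(opts) {
  const abi = Process.arch === 'ia32' ? 'stdcall' : 'default';   // WINAPI/WSAAPI on 32-bit cscript
  for (const [api, [dll, argc]] of Object.entries(TARGETS)) {
    const target = Process.getModuleByName(dll).getExportByName(api);
    const policy = policyFor(api, opts), decode = DECODERS[api];
    if (!policy.block) {   // observe only: the real API still runs afterwards
      Interceptor.attach(target, { onEnter(args) { send(Object.assign({ api }, decode(args))); } });
    } else {               // replace: the original is never reached, so the action does not happen
      Interceptor.replace(target, new NativeCallback(function () {
        send(Object.assign({ api, blocked: true }, decode(arguments)));
        return policy.retval;
      }, 'int', new Array(argc).fill('pointer'), abi));
    }
  }
}
if (typeof Interceptor !== 'undefined') installHooks(DEFAULTS);   // only inside the Frida runtime
```

Each send() event arrives on the Python side as one JSON message, so the logged ProgIds, hostnames, shell commands and hex-encoded WSASend buffers can be printed as the script runs.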