
How to use the Winstrument framework

2025-02-24 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/02 Report

This article explains how to use the Winstrument framework: what it is, which built-in modules it ships with, how to install it, and what an instrumentation session in its REPL looks like.

Winstrument

Winstrument is an assessment framework for Windows applications. It is a modular framework built on Frida that helps researchers reverse engineer Windows applications and map their attack surface.

Frida, on which Winstrument is built, is a dynamic instrumentation framework. It assists reverse engineering and debugging by injecting a JavaScript runtime into the target process; the injected runtime exposes an API for hooking and modifying functions.

Although the community has many Frida-based tools, they are mostly small single-purpose scripts, and it is hard to find one that covers a whole reversing task end to end. Frida's structure also requires a fair amount of code to handle callbacks and the data they produce, which makes scripts harder to develop.

Winstrument aims to solve these problems with a simple, modular framework that helps researchers analyze Windows applications.
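To make the "callbacks and data" problem concrete, here is the raw Frida plumbing that a framework like Winstrument wraps. This is an added example written for this article, not Winstrument's own code: a JavaScript agent injected into the target hooks kernel32!CreateFileW to map handles to paths and kernel32!ReadFile / WriteFile to report byte counts, and the Python side collects the messages and totals them per file. The message field names, the handle-to-path bookkeeping, the summary shape and the constructed sample messages are this example's own choices, not Winstrument's.

```python
"""Added example (not Winstrument's code): a Frida agent plus the Python host
code needed to turn its messages into per-file byte totals."""
import threading
from collections import defaultdict

# Frida agent, executed inside the target process. Interceptor.attach installs
# an inline hook; onEnter sees the arguments, onLeave sees the return value and
# any output parameters the real function has filled in.
AGENT_JS = r"""
var pathsByHandle = {};
var k32 = Process.getModuleByName('kernel32.dll');

// HANDLE CreateFileW(LPCWSTR lpFileName, ...): remember which path a handle refers to.
Interceptor.attach(k32.getExportByName('CreateFileW'), {
    onEnter(args) { this.path = args[0].readUtf16String(); },
    onLeave(retval) {
        if (retval.toInt32() !== -1)            // INVALID_HANDLE_VALUE
            pathsByHandle[retval.toString()] = this.path;
    }
});

// BOOL ReadFile/WriteFile(HANDLE h, LPVOID buf, DWORD n, LPDWORD lpDone, LPOVERLAPPED ov)
function hookIo(name) {
    Interceptor.attach(k32.getExportByName(name), {
        onEnter(args) { this.handle = args[0]; this.done = args[3]; },
        onLeave(retval) {
            var h = this.handle.toString();
            send({
                fn: name,
                fh: h,
                path: pathsByHandle[h] || null,      // null if opened before we hooked
                ok: retval.toInt32() !== 0,
                bytes: this.done.isNull() ? 0 : this.done.readU32()
            });
        }
    });
}
hookIo('ReadFile');
hookIo('WriteFile');
"""


def summarize(messages):
    """Fold Frida 'send' messages into {(fn, path-or-handle): total_bytes}.
    Pure Python, so it can be exercised without Frida or a Windows host."""
    totals = defaultdict(int)
    for msg in messages:
        if msg.get("type") != "send":      # 'error' messages carry agent exceptions
            continue
        p = msg["payload"]
        if p["ok"]:
            totals[(p["fn"], p["path"] or p["fh"])] += p["bytes"]
    return dict(totals)


def instrument(target, timeout=None):
    """Spawn `target` suspended, inject AGENT_JS, resume it and collect messages
    until the session detaches (process exit). Requires `pip install frida`
    and a Windows host; this is the part Winstrument's REPL does for you."""
    import frida  # imported here so summarize() stays usable without Frida
    collected, detached = [], threading.Event()
    pid = frida.spawn([target])
    session = frida.attach(pid)
    session.on("detached", lambda *_: detached.set())
    script = session.create_script(AGENT_JS)
    script.on("message", lambda msg, data: collected.append(msg))
    script.load()
    frida.resume(pid)
    detached.wait(timeout)
    return summarize(collected)


# Constructed messages in the shape Frida delivers to the 'message' callback
# (not captured from a real run), so the summary can be checked offline.
SAMPLE_MESSAGES = [
    {"type": "send", "payload": {"fn": "ReadFile", "fh": "0x4d4", "path": r"C:\Windows\Fonts\staticcache.dat", "ok": True, "bytes": 60}},
    {"type": "send", "payload": {"fn": "ReadFile", "fh": "0x4d4", "path": r"C:\Windows\Fonts\staticcache.dat", "ok": True, "bytes": 40}},
    {"type": "send", "payload": {"fn": "ReadFile", "fh": "0x75c", "path": None, "ok": True, "bytes": 174}},
    {"type": "send", "payload": {"fn": "WriteFile", "fh": "0x450", "path": r"C:\WINDOWS\Debug\WIA\wiatrace.log", "ok": False, "bytes": 0}},
    {"type": "error", "description": "Error: access violation", "stack": ""},
]

if __name__ == "__main__":
    import sys
    # With a path argument, instrument that binary; otherwise run on the sample.
    result = instrument(sys.argv[1]) if len(sys.argv) > 1 else summarize(SAMPLE_MESSAGES)
    for (fn, where), n in sorted(result.items()):
        print(f"{fn:<9} {n:>8} bytes  {where}")
```

Even this minimal hook needs state shared between two hooks (handle to path), message routing, process lifecycle handling and a failure filter; a module in Winstrument supplies only the hook logic and gets the spawning, collection and storage from the framework.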

Features

Winstrument's functionality lives in its modules. With the built-in modules, researchers can:

Watch file reads and writes, including the number of bytes read or written

Watch registry reads and writes

Watch LoadLibrary() calls and check where each DLL is loaded from, to identify potential DLL hijacking

Watch socket activity

Watch child processes spawned through CreateProcess, with their arguments

Watch system calls related to named pipes

Look up CLSID keys in the registry (the com_hijack module, for COM hijacking opportunities)

Detect impersonation (the impersonate module)

Winstrument is easy to extend: the built-in modules cover the basics, and researchers can add functionality through custom modules. Winstrument also ships a REPL for managing modules and for spawning and instrumenting target processes. Its features:

List the available modules

Load the required modules dynamically

Configure settings and store them in TOML format

Instrument the target with the selected modules and store the output in a SQLite database

View and export the data in several formats, including table, JSON and grep-able output

Installation

The project targets Python 3.7 (the sample output below was produced under Python 3.8). With Python and pip installed, install the tool with:

pip install winstrument

Then start the REPL with:

winstrument

Using the winstrument tool

Most interaction with Winstrument happens in the REPL. Here is an example session that instruments mspaint.exe with the file_rw module:

> winstrument
> list
Loaded Modules:
Available Modules:
dlls
com_hijack
file_rw
process
pipes
impersonate
registry
socket
> use file_rw
> set target "C:\Windows\System32\mspaint.exe"
> run
Spawned 7720
instrumented process with pid: 7720 and path: C:\Windows\System32\mspaint.exe
detached from 7720 for reason process-terminated

module   time                 target              function   fh      path                                                                                                          mode          bytes
-------  -------------------  ------------------  ---------  ------  ------------------------------------------------------------------------------------------------------------  ------------  ------
file_rw  2020-07-10 20:57:30  C:/.../mspaint.exe  ReadFile   0x4d4   C:\Windows\Fonts\staticcache.dat                                                                              GENERIC_READ  60
file_rw  2020-07-10 20:57:30  C:/.../mspaint.exe  ReadFile   0x60c   C:\WINDOWS\Registration\R0000000001.clb                                                                       GENERIC_READ  5941
file_rw  2020-07-10 20:57:30  C:/.../mspaint.exe  ReadFile   0x6d4   C:\Users\oster\AppData\Local\IconCache.db                                                                     GENERIC_READ  140547
file_rw  2020-07-10 20:57:30  C:/.../mspaint.exe  ReadFile   0x75c   \\.\MountPointManager                                                                                         0x0           174
file_rw  2020-07-10 20:57:30  C:/.../mspaint.exe  ReadFile   0x768   C:\Users                                                                                                      0x100081      504
file_rw  2020-07-10 20:57:30  C:/.../mspaint.exe  ReadFile   0x798   C:\Users\oster\Desktop\desktop.ini                                                                            GENERIC_READ  2070
file_rw  2020-07-10 20:57:30  C:/.../mspaint.exe  ReadFile   0x7d8   C:\Users\oster\Pictures\Camera Roll\desktop.ini                                                               GENERIC_READ  570
file_rw  2020-07-10 20:57:30  C:/.../mspaint.exe  ReadFile   0x87c   C:\Users\Public\Desktop\desktop.ini                                                                           GENERIC_READ  174
file_rw  2020-07-10 20:57:30  C:/.../mspaint.exe  ReadFile   0x8d4   C:\Users\oster\Dropbox\desktop.ini                                                                            GENERIC_READ  176
file_rw  2020-07-10 20:57:30  C:/.../mspaint.exe  ReadFile   0x908   C:\                                                                                                           0x100081      402
file_rw  2020-07-10 20:57:30  C:/.../mspaint.exe  ReadFile   0x914   C:\                                                                                                           0x100081      298
file_rw  2020-07-10 20:57:30  C:/.../mspaint.exe  ReadFile   0xd28   C:\Users\oster\AppData\Roaming\Microsoft\Windows\Recent\f01b4d95cf55d32a.automaticDestinations-ms             GENERIC_READ  294329
file_rw  2020-07-10 20:57:30  C:/.../mspaint.exe  ReadFile   0xddc   C:\Users\oster\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms  GENERIC_READ  90728
file_rw  2020-07-10 20:57:30  C:/.../mspaint.exe  ReadFile   0x5f4   C:\Users\oster\Pictures\Untitled.png                                                                          GENERIC_READ  40
file_rw  2020-07-10 20:57:30  C:/.../mspaint.exe  WriteFile  0x450   C:\WINDOWS\Debug\WIA\wiatrace.log                                                                             GENERIC_WRITE 2940
file_rw  2020-07-10 20:57:30  C:/.../mspaint.exe  WriteFile  0xebc   \\.\MountPointManager                                                                                         0x0           5941
file_rw  2020-07-10 20:57:30  C:/.../mspaint.exe  WriteFile  0x1010  C:\Users\oster

The following is sample output from instrumenting notepad.exe with the dlls module:

Spawned 31076
instrumented process with pid: 31076 and path: C:\Windows\System32\notepad.exe
Child removed: 31076
instrumented process with pid: 53004 and path: C:\Users\oster\AppData\Local\Temp\frida-69a0a581de60aa12d04f3bc2e3bde82d\frida-winjector-helper-32.exe
Child removed: 53004
instrumented process with pid: 33820 and path: C:\Users\oster\AppData\Local\Temp\frida-winjector-helper-32.exe
Child removed: 33820
instrumented process with pid: 31092 and path: C:\Users\oster\AppData\Local\Temp\frida-69a0a581de60aa12d04f3bc2e3bde82d\frida-winjector-helper-64.exe
Child removed: 31092
detached from 31076 for reason process-terminated

module  time                 target                                dll                            writeable_path
------  -------------------  ------------------------------------  -----------------------------  --------------------------------------------------------------------------------------
dlls    2020-07-10 22:54:48  C:/.../winstrument.exe                ntdll.dll                      C:\Python38\Scripts
dlls    2020-07-10 22:54:48  C:/.../python.exe                     pywintypes38.dll               c:\python38\lib\site-packages\pywin32_system32\pywintypes38.dll
dlls    2020-07-10 22:54:48  c:/.../python.exe                     pythoncom38.dll                c:\python38
dlls    2020-07-10 22:54:48  c:/.../python.exe                     frida-winjector-helper-32.exe  C:\Users\oster\AppData\Local\Temp\frida-69a0a581de60aa12d04f3bc2e3bde82d\frida-winjector-helper-32.exe
dlls    2020-07-10 22:54:48  C:/.../frida-winjector-helper-32.exe  iphlpapi.dll                   C:\Users\oster\AppData\Local\Temp\frida-69a0a581de60aa12d04f3bc2e3bde82d
dlls    2020-07-10 22:54:48  C:/.../notepad.exe                    frida-agent.dll
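
Reading the dlls table takes some care: in the notepad run above, every row with a writeable_path belongs to winstrument.exe, python.exe or Frida's winjector helpers, i.e. to the instrumentation tooling rather than to notepad, and the only notepad row is the injected frida-agent.dll. The triage below is an added example for this article, not Winstrument's code: it drops tooling rows, ignores KnownDLLs (which Windows always maps from System32, so a writable search-path entry cannot hijack them), and labels each remaining row as either a writable DLL file or a writable search-path directory. The rows are copied from the table above plus one constructed row that is clearly marked; the noise filter, the fallback KnownDLLs subset and the labels are this example's own choices.

```python
"""Added example (not Winstrument's code): triage of dlls-module rows for
DLL hijacking candidates. Row shape (target, dll, writeable_path) mirrors the
table columns in the article; everything else is this example's assumption."""
import ntpath

# Processes that belong to the instrumentation itself, not to the app under test.
TOOLING = {"winstrument.exe", "python.exe"}
TOOLING_PREFIX = "frida-winjector-helper"

# Fallback subset of KnownDLLs. On a live host the full list is in
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs.
FALLBACK_KNOWN_DLLS = {
    "ntdll.dll", "kernel32.dll", "kernelbase.dll", "user32.dll", "gdi32.dll",
    "advapi32.dll", "ole32.dll", "combase.dll", "shell32.dll",
}


def known_dlls():
    """Fallback set, extended with the registry's KnownDLLs when running on Windows."""
    names = set(FALLBACK_KNOWN_DLLS)
    try:
        import winreg
        key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                             r"SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs")
    except (ImportError, OSError):
        return names
    i = 0
    while True:
        try:
            _, value, _ = winreg.EnumValue(key, i)
        except OSError:
            break
        names.add(str(value).lower())
        i += 1
    return names


def triage(rows, known=None, drop_tooling=True):
    """Return hijack candidates from (target, dll, writeable_path) rows.

    A row is a candidate when the loader found a writable location for the DLL
    and the DLL is not a KnownDLL. `drop_tooling` hides rows produced by the
    instrumentation stack itself (winstrument.exe, python.exe, Frida helpers)."""
    known = FALLBACK_KNOWN_DLLS if known is None else known
    findings = []
    for target, dll, writeable in rows:
        exe = ntpath.basename(target).lower()   # ntpath splits on both / and \
        if drop_tooling and (exe in TOOLING or exe.startswith(TOOLING_PREFIX)):
            continue
        if not writeable:
            continue                             # only non-writable locations seen
        if dll.lower() in known:
            continue                             # KnownDLL: search order not consulted
        if ntpath.basename(writeable).lower() == dll.lower():
            kind = "writable DLL file"           # overwrite the binary actually loaded
        else:
            kind = "writable search-path directory"  # plant a DLL of this name there
        findings.append({"target": exe, "dll": dll.lower(),
                         "writeable_path": writeable, "kind": kind})
    return findings


# Rows copied from the notepad run in the article, plus one constructed row.
ROWS = [
    ("C:/.../winstrument.exe", "ntdll.dll", r"C:\Python38\Scripts"),
    ("C:/.../python.exe", "pywintypes38.dll", r"c:\python38\lib\site-packages\pywin32_system32\pywintypes38.dll"),
    ("c:/.../python.exe", "pythoncom38.dll", r"c:\python38"),
    ("c:/.../python.exe", "frida-winjector-helper-32.exe",
     r"C:\Users\oster\AppData\Local\Temp\frida-69a0a581de60aa12d04f3bc2e3bde82d\frida-winjector-helper-32.exe"),
    ("C:/.../frida-winjector-helper-32.exe", "iphlpapi.dll",
     r"C:\Users\oster\AppData\Local\Temp\frida-69a0a581de60aa12d04f3bc2e3bde82d"),
    ("C:/.../notepad.exe", "frida-agent.dll", ""),
    # Constructed row (hypothetical, not from the article): an application whose
    # install directory is user-writable and which loads version.dll from it.
    (r"C:\Program Files\ExampleApp\exampleapp.exe", "version.dll", r"C:\Program Files\ExampleApp"),
]

if __name__ == "__main__":
    for f in triage(ROWS):
        print(f"{f['target']:<16} {f['dll']:<18} {f['kind']:<32} {f['writeable_path']}")
```

With drop_tooling=True only the constructed exampleapp.exe row survives; with drop_tooling=False the Python and Frida rows show up as findings about the analysis host (a writable pywintypes38.dll, a writable c:\python38 on the search path), which is worth knowing but is not an attack surface of the target application.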

License Agreement
The project is developed and released under the GPL v3 open source license.
