
So hello everyone, ladies and gentlemen. My name is Barnabás Tankovac, and in this presentation we are going to dive into the topic of hookers and autopsy. So, first things first: who am I? As you can see, my name is not for the weak, so I just use my initials, and you can follow me on Twitter by the handle of cyber sk. The ink is freshly dried on my BSc and I'm an MSc student of the CrySyS Lab here in Budapest. Right now I'm a technical innovation advisor at MRG Effitas. Yeah, I know it sounds like something, but it's like a part cyber security engineer and a bigger part making my colleagues'
lives much harder, but they can tell you that also. Another interesting thing: I was a blue team participant at NATO's Locked Shields last year, and I had the idea to put these beautiful Hungarian letters in passwords, and when the red team had to type these beautiful Hungarian letters in the passwords, they didn't like me that much. So basically I'm just good at delivering misery to people. But that's enough about me, let's talk about the talk. In this presentation you will be introduced to a fantastic tool for monitoring and reverse engineering; you will learn how to monitor and manipulate applications, and not only on Windows but also on other platforms.
Yeah, personally I have never tried a better hooker, as Frida was my first one, but my colleagues have told me a lot about other hookers, and that they come with a lot of problems and they raise even more problems, or they just randomly crash when you try to attach them or detach them, or things like that. So before we go into the presentation I want to make some things clear. The subtitle is hookers and autopsy, so I want to talk about this for a few minutes before anyone would misunderstand me. So what is a hooker? Hooking is a general term; it covers a wide range of
techniques, and these techniques work in a special way, as they monitor or manipulate intercepted function calls and events and messages passed between the software components. And while we are here, let's talk about the misbelief that hooking is always something bad or something evil. It's not. Hooking is utilized by many non-malicious applications like debuggers, antivirus software, benchmarking software; they all operate by utilizing hooking and they are still not malicious. So in this presentation, a hooker is the application or script which does the hooking. The other one is autopsy. So during this so-called autopsy our goal is to get as much information about the behavior or the inner state of the autopsied application as we can,
but we just can't ask the application like, hey, what are you doing inside, because it won't answer. So we will need some tools to tinker with. These tools are disassemblers, which investigate the application in its static state while it's not running, so it's like the real autopsy the doctors execute on their patients, and there are debuggers, which do the same but in runtime, so while the application is alive and running, and this is the kind of autopsy doctors don't do. So you may have figured it out, it's kind of obvious now that autopsy is basically reverse engineering in this talk, but you know, hookers and reverse engineering doesn't sound that fancy,
it's not good for marketing. So, yeah, let's start with a quick heads-up poll. Who has ever tried to somehow reverse engineer or peek into an application, by debugging, by disassembling, or even opening it in Notepad counts? Wow, we have pretty many hackers down there, it's cool. And how many of you have tried a hooker in these terms? A bit fewer now, okay, pretty cool. Let's get down to business. I present some of the tools which can be used for reverse engineering applications and evaluate them from a beginner hacker's point of view. So first on our list is WinDbg. It looks like this. It's cool and all, and it has some
really nice features, but it looks very pale and it's not so user friendly for a beginner; for inexperienced eyes it's pretty confusing and really triggers the "what the ... is this" feeling in inexperienced people. So we are going to need another tool, and I thought immediately about Immunity Debugger, it's next on our list. As you can see, it has some pretty happy bright colors and it's dark, like it has a night mode, and we all know that real hackers only use night mode, so it's like 200 percent cooler than WinDbg. The problem is that we only see weird hex dumps and addresses and
assembly code, so I think for a beginner it still really triggers the WTF factor. So we are going to need another tool for this, which is API Monitor. It hooks into an application's Windows API usage and we can see what Windows API calls the traced application has made. That's more like it, because as you can see it's informative, it has letters, it's descriptive, it doesn't cause a mental breakdown for less experienced people, so it's cool for us. Sadly it has no dark mode, but one's got to make sacrifices. So API Monitor is a pretty good choice, but let's say we not only want to monitor applications
but we also want to manipulate them. Then we can use Frida. Frida has no graphical user interface, sadly, but that's not a problem because real hackers only use terminals. Frida can trace functions in applications, it can operate as a debugger, it can discover internal functions right in runtime for tracing and intercepting and manipulating. Yeah, it's cool, but what does it mean exactly? So Frida is a dynamic instrumentation toolkit. It does its thing by injecting Google Chrome's V8 JavaScript engine into a process and then executing your own JavaScript in the application. A few things about Frida: it's free as in freedom, it's portable on multiple platforms such as Windows, macOS,
Linux, mobile devices like Android and iOS, and even QNX, which I didn't know existed until now, but actually it's an embedded platform and I think that's pretty cool, that we have this stuff for embedded platforms too. And it's extensively scriptable in many languages such as Swift and Python and .NET and JavaScript and even in C. Okay, so we know what Frida is, but how does Frida work? For this model, there we have our executable, which has the addresses of the Windows API calls it uses in a table called the import address table. This table is empty by default and when the application launches it fills up with the memory addresses of
the Windows API calls the application will be using during its run. And on the other side, there we have our Windows API with the functions implemented, the body of the functions, the real working functions, and this is called by the executable during runtime. Okay, it's pretty cool, that's the model of how a standard application works in Windows. And there comes our tool, it's Frida, which contains the node and core components in the external tool, and then it injects this little module into our executable which contains the Frida agent; it has the JavaScript engine and our own JavaScript, which we wrote to hook and manipulate the application.
And these parts, the external and the inner Frida part, communicate with JSON messages all along the run. Okay, now that we know what Frida is and how Frida works, let's look at some hooking possibilities with Frida. For instance, let's just take a look at this very basic model. So we have the user application, we have the system on the right side, and we have the Frida agent in the middle; basically it's in the executable, but it's easier to describe it this way. So the user calls the Windows API function to execute alpha.bat. Our Frida agent is trained to intercept these calls and it sees that, oh, so execute just entered
me, and I want to attach this beta.bat to the executables list. So when it leaves the Frida agent and the executable it goes to the Windows API system and has two arguments: to execute alpha.bat, what the user called, and also beta.bat, what our Frida agent wanted to do. For the operating system it's no problem, it executes it and returns with the answers of both of the bat files, and now we have a problem, because we have two outputs when the user only called one. So we have to define the onLeave function, when the function comes back from the system and goes back to the user, and we have to scrape beta.bat's
output and, like, send it to our server or do something with it. Let's suppose we wanted to gather these, so we just send it to our server and send the output of alpha.bat back to the user, so the user basically sees nothing about what just happened and we still got what we wanted. So I guess it's pretty cool, because it's just so stealthy and so hacky. Okay, we have this and we have a very huge load of API calls, but why? What can we use this for? We can do security auditing, which is basically spying on applications; we can manipulate arguments and return values, like we did in the onLeave function,
scraping an output; and we can do arbitrary execution during the user's API calls, like as we added this beta.bat to the executables list in the model before. So security auditing is, as I said, spying, but this is basically what our API Monitor does, and we wanted to do some more, we wanted more functionality, and that's why we chose Frida in the first place. So let's rather take a look at manipulating arguments and return values. We will do this by doing a small demonstration on an average malware's abilities. So I guess everyone knows what malware is, technically a malicious software, but what is malware analysis? Well, it's
essentially the reverse engineering of that malware sample, the process of learning what is inside the malware, how does it work, its behavior, its function calls, its operation, the services it connects to. So actually it's pretty much the same. And why are we doing this? We are doing this because if we learn how the malware works we can stop it, we can look for that behavior and we can build a decent protection against it. Now malware authors know this and they want to prevent the reverse engineering of the malware, and they do this by anti-analysis measures. The measure they take is basically the response to malware analysis, and it's done by somehow looking for the traces and
clues of this reverse engineering thing. Well, it can be done in really many ways, but the most basic one is checking for virtual machine existence. But why? Because malware analysts analyze malware in virtual machines, as they don't want to analyze malware on their own computer, as doctors don't bring their patient home and autopsy it on their lunch table. So VM checking is the easiest thing and it's easily done by checking in the Windows registry for VM traces. There are more sophisticated ways to check for VMs other than checking the registry, but for now this will be the one we are using. So let's take a small break from storytelling and get our hands dirty.
Can you see anything? It's cool. Now you can see it's even cooler. So I just happen to have this malware right here on my desktop, and if we launch the malware we can see that it writes hello world. Is it visible to everyone? Okay. So it writes hello world and exits on a keystroke, and if we execute it again and again and again it does the same thing. So somehow the malware just got the hunch that it's a virtual machine or some analysis environment. Work for me, please. So, how will we attach Frida? We can attach Frida on the fly to an application, but the problem
here is that the malware already ran the checks; as you can see, it instantly writes out that hello world little line, so we know that it already ran the checks by the time we attach with Frida. So we have to somehow work around this problem, and it's done by suspended starting. It's basically creating a process in a suspended state, where it's not getting a single CPU tick or execution possibility from the OS, so when the process is created it hasn't run a single line of code, and then we can attach Frida and then let the malware run while Frida is already intercepting all its API calls.
So we need to have the onEnter and onLeave functions designed. I brought this model from the slide before, so we can see the malware passing to the OS on the onEnter and getting the result back on the onLeave. For simplicity reasons we will design the onLeave function, as we can always give back the answer the malware wants to hear. So how do we reverse engineer this malware? How do we know what it wants to hear, or what is it checking for? We can use this little tool here, it's called Process Monitor. Is it visible too? Cool. And we can check what registry calls the malware makes.
We can see that the malware has called these operations for the path of this one, VirtualBox Guest Additions; it's a common tool on virtual machines, and we can check that it's right here on our computer. So okay, we could delete this registry key, but we all know how fragile Windows is, so let's just try to lie to the malware somehow. To reverse an application on Windows you have to install Linux on Windows, yeah I know, and check for the application on the path Users, name, Desktop, and we can see that the malware is here. So we can use this pretty tool, our reverse engineers love it, strings, and give it our malware. So it gives us a
load of output and we don't know what to look at, but we know from Process Monitor that we need to look for registry operations, so we just grep for RegOpen and voilà, we have these Windows API calls which we are looking for, which we are going to trace. So let's pop open our code editor and check what JavaScript we have there. So we can see that the API call will be RegOpenKeyExW, the DLL name is where this call lives in the Windows API, it's stolen from docs.microsoft.com, and basically this is just a lot of logging, and this is our masterpiece, our code which will change the world:
if the Windows API call returns zero it means that the registry key is found, so we have to say it's not found, it's not there, so we just return 2, which is the definition of "it's not there, it's not found". And if we now launch our application with this terminal, so this is our frida attach.py and this is our malware's exe, we just have to launch it first, I'm not cheating, so as you can see the malware is just writing hello world, but if we do it with frida attach we lie to the malware, it thinks that it's a real system and infects us. So I gotta clean my computer from my
malware now. So thank you for your attention, and if you have any questions, please feel free to ask.
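The RegOpenKeyExW hook from the demo, written out as an added example (my code, not the speaker's script). It goes a bit beyond the talk: instead of answering "not found" for every key, it only lies about keys that look like VirtualBox Guest Additions traces, so the rest of the program keeps working. The key paths in VM_TRACE_KEYS and the decision logic in spoofedReturn are assumptions made for this example.

```javascript
// Added example (not from the talk): Frida agent that hides VM traces from the
// demo sample by hooking RegOpenKeyExW in advapi32.dll, as the talk describes.
// Assumption: the sample looks for VirtualBox Guest Additions via the registry.

const ERROR_SUCCESS = 0;         // RegOpenKeyExW: key was found
const ERROR_FILE_NOT_FOUND = 2;  // RegOpenKeyExW: key does not exist

// Constructed list of registry sub-keys that betray a VirtualBox guest.
const VM_TRACE_KEYS = [
  'SOFTWARE\\Oracle\\VirtualBox Guest Additions',
  'SYSTEM\\CurrentControlSet\\Services\\VBoxGuest',
];

// Decide what the hooked call should report back to the caller.
// Only lie about VM-trace keys that were really found; every other
// key and every other status code passes through untouched.
function spoofedReturn(subKey, realRetval) {
  const key = (subKey || '').toLowerCase();
  const isVmTrace = VM_TRACE_KEYS.some(k => key.startsWith(k.toLowerCase()));
  if (isVmTrace && realRetval === ERROR_SUCCESS) {
    return ERROR_FILE_NOT_FOUND;
  }
  return realRetval;
}

// The actual hook. Frida's Interceptor only exists inside the injected agent,
// so this part is skipped when the file is loaded outside Frida.
if (typeof Interceptor !== 'undefined') {
  const target = Process.getModuleByName('advapi32.dll')
                        .getExportByName('RegOpenKeyExW');
  Interceptor.attach(target, {
    onEnter(args) {
      // args[1] is lpSubKey, a UTF-16 string (may be NULL).
      this.subKey = args[1].isNull() ? '' : args[1].readUtf16String();
      console.log('[onEnter] RegOpenKeyExW ' + this.subKey);
    },
    onLeave(retval) {
      const real = retval.toInt32();
      const fake = spoofedReturn(this.subKey, real);
      if (fake !== real) {
        console.log('[onLeave] lying about ' + this.subKey + ': ' + real + ' -> ' + fake);
        retval.replace(fake);
      }
    },
  });
}
```

Load it with the frida CLI as `frida -f <sample.exe> -l hook.js`, where `-f` spawns the target suspended and `-l` loads the script, which is the suspended-start trick from the talk.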