CKFridaProject/frida_interceptor_scripts

This is a collection of Frida Interceptor definitions for Windows APIs that are commonly abused by malware. It is a derivative of my larger Frida-based dynamic malware analysis project. All the definitions are written by me. I will update the list of APIs in my free time.

List of Win32 APIs

Generic

  • LoadLibraryA
  • LoadLibraryW
  • LoadLibraryExA
  • LoadLibraryExW
  • GetProcAddress
  • GetModuleHandleA
  • GetModuleHandleW
  • GetModuleHandleExA
  • GetModuleHandleExW
  • WinExec
  • ShellExecute

Memory

  • VirtualAlloc
  • VirtualAllocEx
  • VirtualProtect
  • VirtualProtectEx
  • ReadProcessMemory
  • WriteProcessMemory
  • memcpy
  • HeapAlloc

Crypto

  • CryptEncrypt
  • CryptDecrypt
  • CryptAcquireContext
  • CryptGenKey
  • CryptDeriveKey
  • BCryptDecrypt

Internet

  • InternetOpen
  • InternetOpenUrl
  • InternetConnect
  • HttpOpenRequest
  • InternetReadFile
  • InternetWriteFile

WinAPI Sockets

  • WSAStartup
  • bind
  • listen
  • accept
  • connect
  • recv
  • send

Process

  • OpenProcess
  • CreateProcessAsUserA
  • CreateProcessAsUserW
  • CreateProcessA
  • CreateProcessW
  • EnumProcesses
  • CreateProcessInternalA/W
  • QueueUserAPC

Thread

  • CreateRemoteThread
  • CreateRemoteThreadEx
  • OpenThread
  • GetThreadContext
  • SetThreadContext
  • SuspendThread
  • ResumeThread

Registry

  • RegCreateKeyEx
  • RegOpenKeyEx
  • RegSetValueEx
  • RegQueryValue
  • RegDeleteKeyEx
  • RegGetValue

File

  • GetTempPath
  • CopyFile
  • CreateFileA/W
  • WriteFile
  • ReadFile

Service

  • OpenSCManager
  • CreateService

Anti-Analysis/VM/Debug

  • IsDebuggerPresent
  • GetSystemInfo
  • GetVersion
  • GlobalMemoryStatusEx
  • CreateToolhelp32Snapshot
  • Process32First
  • Process32Next
  • Thread32First
  • Thread32Next

Resource section

  • FindResource
  • LoadResource
  • LockResource

Miscellaneous

  • GetAsyncKeyState --> keylogger
  • SetWindowsHookEx --> keylogger
  • GetForegroundWindow --> get running window name
  • GetDC --> screenshot related
  • BitBlt --> screenshot related

List of Nt/Zw APIs:

Memory

  • NtAllocateVirtualMemory
  • NtWriteVirtualMemory
  • NtReadVirtualMemory
  • NtProtectVirtualMemory
  • NtQueryVirtualMemory
  • NtFreeVirtualMemory
  • NtSetInformationVirtualMemory
  • NtOpenProcess
  • NtOpenProcessToken
  • NtQueryInformationToken
  • NtClose
  • NtQuerySystemInformation
  • NtQueryInformationProcess
  • NtCreateSection
  • NtOpenSection
  • NtMapViewOfSection
  • NtUnmapViewOfSection

Thread

  • NtResumeThread
  • NtCreateThreadEx
  • RtlCreateUserThread

About

Frida Interceptor scripts for Windows APIs