exe-analyzer/api_hooking.py at main · futuretonight/exe-analyzer · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
import tkinter as tk
import sys

# Check if frida is available
try:
    import frida
    FRIDA_AVAILABLE = True
except ImportError:
    FRIDA_AVAILABLE = False

# JavaScript code for API hooking
JS_CODE = """
Interceptor.attach(Module.findExportByName(null, 'CreateFileA'), {
    onEnter: function(args) {
        send("File opened: " + Memory.readUtf8String(args[0]));
    }
});

Interceptor.attach(Module.findExportByName(null, 'CreateFileW'), {
    onEnter: function(args) {
        send("File opened (W): " + Memory.readUtf16String(args[0]));
    }
});

Interceptor.attach(Module.findExportByName(null, 'InternetOpenA'), {
    onEnter: function(args) {
        send("Network request: " + Memory.readUtf8String(args[0]));
    }
});

Interceptor.attach(Module.findExportByName(null, 'socket'), {
    onEnter: function(args) {
        send("Socket created");
    }
});

Interceptor.attach(Module.findExportByName(null, 'connect'), {
    onEnter: function(args) {
        send("Connection attempt");
    }
});

Interceptor.attach(Module.findExportByName(null, 'RegOpenKeyExA'), {
    onEnter: function(args) {
        if (args[1]) {
            send("Registry access: " + Memory.readUtf8String(args[1]));
        }
    }
});

Interceptor.attach(Module.findExportByName(null, 'RegOpenKeyExW'), {
    onEnter: function(args) {
        if (args[1]) {
            send("Registry access (W): " + Memory.readUtf16String(args[1]));
        }
    }
});
"""

def on_message(message, data, result_text):
    """Handle messages from the Frida script"""
    if message['type'] == 'send':
        result_text.insert(tk.END, f"[API HOOK] {message['payload']}\n")
        result_text.see(tk.END)
    elif message['type'] == 'error':
        result_text.insert(tk.END, f"[API HOOK] Error: {message['stack']}\n")
        result_text.see(tk.END)

def hook_process(target_process, result_text):
    """Hook into a process to monitor API calls"""
    if not FRIDA_AVAILABLE:
        result_text.insert(tk.END, "[API HOOK] Error: Frida library not available. API hooking disabled.\n")
        result_text.see(tk.END)
        return

    try:
        result_text.insert(tk.END, f"[API HOOK] Attaching to process {target_process}...\n")
        session = frida.attach(target_process)

        result_text.insert(tk.END, "[API HOOK] Creating script...\n")
        script = session.create_script(JS_CODE)

        # Set up message handler
        script.on("message", lambda message, data: on_message(message, data, result_text))

        result_text.insert(tk.END, "[API HOOK] Loading script...\n")
        script.load()

        result_text.insert(tk.END, f"[API HOOK] Successfully monitoring process {target_process}\n")
        result_text.see(tk.END)

    except Exception as e:
        result_text.insert(tk.END, f"[API HOOK] Error setting up API hooking: {str(e)}\n")
        result_text.see(tk.END)