Deluder


Deluder is a tool for intercepting the traffic of proxy-unaware applications. It is based on Frida and uses dynamic instrumentation to hook the send/receive functions of common networking libraries on multiple platforms, so the traffic can be inspected and modified before it reaches the network (or, for TLS libraries, before it is encrypted).

Deluder was primarily designed to work with PETEP (PEnetration TEsting Proxy), but can also be used as a standalone utility for traffic interception.

Video: Youtube Deluder & PETEP

Networking Libraries

Since Deluder is based on dynamic instrumentation, each networking library (e.g. Winsock, OpenSSL, GnuTLS) needs its own hook script.

Currently, Deluder supports the following libraries out of the box (the script names referenced in the configuration examples on this page are winsock, openssl, gnutls, libc and schannel):

Scripts for each library are written in JavaScript and can be easily modified or added in deluder/scripts.

Note: The main purpose of Deluder is to support networking/encryption libraries, but you can also write scripts that hook any other library function.

Installation & Usage

Requirements: Python 3.9+

Installation

Deluder is built on Python and can be used in two ways:

  1. Install it as a CLI command using setuptools
    • Download latest Deluder release or clone the repo git clone https://github.com/Warxim/deluder.git
    • Install Deluder using setuptools
      python setup.py install
      
    • Run Deluder as a command
      deluder --help
      
  2. Install the requirements and use it in development mode (lets you add new interceptors and scripts without reinstalling)
    • Download latest Deluder release or clone the repo git clone https://github.com/Warxim/deluder.git
    • In downloaded deluder directory, run installation of requirements
      python -m pip install -r requirements.txt
      
    • Run Deluder as module
      python -m deluder --help
      

Usage

There are three main commands in deluder: run (start a process and attach to it), attach (attach to a running process by PID or name) and config (print the default configuration).

Example usages:

# Display help
deluder --help
deluder run --help
deluder attach --help

# Display default config
deluder config

# Run process and attach to it
deluder run -c config.json "C:/Application.exe"
deluder run -i petep "C:/Application.exe"
deluder run --debug --interceptors log,proxifier,log --scripts schannel,openssl "C:/Application.exe"

# Attach to existing process
deluder attach -c config.json 12501
deluder attach -i petep 12501
deluder attach -s schannel,openssl -i log 12000
deluder attach -c config.json "Application.exe"

# Run process and attach to it in a remote host (10.0.0.1 on port 27042) 
deluder run -r 10.0.0.1:27042 -c config.json "C:/Application.exe"
deluder run -r 10.0.0.1:27042 -i petep "C:/Application.exe"
deluder run --remote 10.0.0.1:27042 --debug --interceptors log,proxifier,log --scripts schannel,openssl "C:/Application.exe"

# Attach to existing process in a remote host (10.0.0.1 on port 27042) 
deluder attach -r 10.0.0.1:27042 -c config.json 12501
deluder attach -r 10.0.0.1:27042 -i petep 12501
deluder attach -r 10.0.0.1:27042 -s schannel,openssl -i log 12000
deluder attach -r 10.0.0.1:27042 -c config.json "Application.exe"

Both attach and run accept the parameters used in the examples above: -c (path to a config file), -i/--interceptors (comma-separated interceptor list), -s/--scripts (comma-separated script list), -r/--remote (host:port of a remote frida-server) and --debug.

Recommended Usage

It is recommended to first store the config template in a file:

deluder config > config.json

then edit config.json to enable the interceptors and scripts you need, and finally run Deluder with the attach or run command:

deluder run -c config.json "C:/Application.exe"
deluder attach -c config.json 12501
deluder attach -c config.json "Application.exe"

PETEP

To use Deluder with a graphical interface, you can use PETEP (PEnetration TEsting Proxy), which integrates with Deluder and lets you conveniently work with the intercepted data.


In PETEP you can simply add a Deluder proxy or use the Deluder preset, which already has a Deluder proxy configured. After that you can run Deluder using the following commands:

deluder run -i petep "C:/Application.exe"
deluder attach -i petep 12501
deluder attach -i petep "Application.exe"

Deluder uses a dedicated protocol to hand the intercepted data to PETEP. By default, PETEP listens on port 8008 for the Deluder integration, matching the petepPort value in the config below.

Example minimal config for Deluder and PETEP integration:

{
    "ignoreChildProcesses": false,
    "interceptors": [
        {
            "type": "petep",
            "config": {
                "petepHost": "127.0.0.1",
                "petepPort": 8008,
                "autoCloseConnections": true,
                "multipleConnections": true
            }
        }
    ],
    "scripts": [
        {
            "type": "winsock",
            "config": {}
        },
        {
            "type": "openssl",
            "config": {}
        },
        {
            "type": "gnutls",
            "config": {}
        },
        {
            "type": "libc",
            "config": {}
        },
        {
            "type": "schannel",
            "config": {}
        }
    ]
}

Note: Do not try to drop intercepted messages, since that is not supported and will break the interception.

Proxifier

If you do not want to use PETEP, you can use any other proxy tool and let the Proxifier interceptor tunnel the intercepted data through that proxy.

Before running Deluder, set up the proxy tool so that its proxy server is already listening. After that you can run Deluder and attach it to a process.

Note: Do not try to drop intercepted messages, since that is not supported and will break the interception.

Setting up Deluder for Proxifier

You can choose between two proxifying strategies:

Interceptor Modules

To write a custom interceptor module, add a new file with the module in deluder/interceptors and register it by adding it to INTERCEPTORS_REGISTRY in deluder/interceptors/__init__.py.

Each interceptor module implements the following methods:

The most important method for you is intercept, in which you process the traffic. The message parameter is mutable, so you can modify its data in place.
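As an added example (not code from the Deluder project), the interceptor below logs every message as a hex dump and rewrites a byte pattern in outgoing data. The page documents only the module location, the registry name and the mutable message passed to intercept; the Message class, the init/destroy hooks, the config keys and the registry dict here are assumptions standing in for Deluder's real types, and the HTTP request is constructed input.

```python
"""Custom interceptor for Deluder: an added example, not code from the Deluder project.

Assumptions: `Message` stands in for the mutable message object Deluder passes to
intercept(); init()/destroy() are assumed lifecycle hooks; INTERCEPTORS_REGISTRY
stands in for the dict in deluder/interceptors/__init__.py.
"""
from dataclasses import dataclass


@dataclass
class Message:
    """Assumed shape of the mutable message handed to intercept()."""
    direction: str        # "send" (application -> network) or "recv"
    data: bytearray       # payload; edited in place, never dropped


def hexdump(data: bytes, width: int = 16) -> str:
    """Offset / hex / ASCII dump used when logging intercepted traffic."""
    lines = []
    for offset in range(0, len(data), width):
        chunk = data[offset:offset + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{offset:08x}  {hexpart:<{width * 3}} {ascii_part}")
    return "\n".join(lines)


def _as_bytes(value) -> bytes:
    """Config values coming from JSON are strings; accept bytes too."""
    return value.encode() if isinstance(value, str) else bytes(value)


class RewriteInterceptor:
    """Logs every message and rewrites a byte pattern in outgoing data.

    Assumed config keys (from the "config" object of the JSON file):
      find    - pattern to search for in sent data
      replace - bytes to substitute for it
    """

    def __init__(self, config: dict):
        self.find = _as_bytes(config.get("find", b""))
        self.replace = _as_bytes(config.get("replace", b""))
        self.log: list[str] = []

    def init(self):           # assumed hook, called before interception starts
        self.log.clear()

    def intercept(self, message: Message) -> Message:
        """Process one intercepted message; its data is modified in place.

        The message is always passed on: dropping messages is unsupported and
        breaks the interception, as the PETEP/Proxifier notes warn.
        """
        self.log.append(f"{message.direction} {len(message.data)} bytes\n"
                        f"{hexdump(message.data)}")
        if message.direction == "send" and self.find:
            # slice assignment keeps the same bytearray object the caller holds
            message.data[:] = bytes(message.data).replace(self.find, self.replace)
        return message

    def destroy(self):        # assumed hook, called on detach
        pass


# Assumed registration; the real dict lives in deluder/interceptors/__init__.py
INTERCEPTORS_REGISTRY = {"rewrite": RewriteInterceptor}


def demo() -> bytes:
    """Run one constructed HTTP request through the interceptor."""
    interceptor = INTERCEPTORS_REGISTRY["rewrite"](
        {"find": "Host: example.com", "replace": "Host: localhost"}
    )
    interceptor.init()
    request = Message("send", bytearray(b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"))
    interceptor.intercept(request)
    interceptor.destroy()
    return bytes(request.data)


if __name__ == "__main__":
    print(demo().decode())
```

Because the real message type is not shown on this page, check the attribute names against the existing modules in deluder/interceptors before dropping a file like this into the registry; the in-place rewrite and the "never drop" rule are the parts that carry over unchanged.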

Remote Host

To intercept the network communication of applications on remote hosts on which you cannot run Deluder and PETEP themselves, run frida-server on the remote host and connect to it from Deluder.

See Frida Releases and download frida-server for your platform. Once frida-server is running, use Deluder's -r parameter to execute the attach/run commands against the remote machine. Note that frida-server does not authenticate clients: anyone who can reach its port can inject code into every process it is allowed to attach to, so bind it to a trusted interface or reach it through an SSH tunnel rather than exposing it to the network.

For example, on the remote machine run:

frida-server -l 0.0.0.0:27042

and then on your local machine run:

deluder run -r REMOTE_IP:27042 -i log "C:/Application.exe"

Script Modules

To write custom script modules for networking libraries, create new .js files in deluder/scripts and then reference them in the config file or via the -s/--scripts parameter.

It is recommended to read the existing scripts and use them as a starting point. For more information on how to write such scripts, see the official Frida guide.

Common functions

All scripts can use the common functions defined in common.js, which is loaded automatically before the custom scripts.
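The following added example (not Deluder's own code, and not one of its scripts) ties the Remote Host and Script Modules sections together: it connects to a remote frida-server exactly as the -r option does, injects a minimal Frida hook for libc-style send()/recv(), and receives the buffers on the Python side. It assumes frida-python is installed locally, frida-server is listening on HOST:PORT on the target, and the target process exports send/recv; the JavaScript is illustrative and does not use Deluder's common.js helpers or message format.

```python
"""Remote hooking through frida-server: an added example, not Deluder's own code.

Assumptions: frida-python installed locally, frida-server reachable at HOST:PORT,
target process exports libc-style send()/recv(). The hook script below is
illustrative and does not follow Deluder's common.js conventions.
"""
import sys

# Frida script injected into the target. Every buffer passed to send()/recv()
# is posted back to Python together with the socket fd and the byte count.
HOOK_SCRIPT = r"""
function hookSocketCall(name) {
    var target = Module.findExportByName(null, name);
    if (target === null) {
        return;  // the library is not loaded in this process
    }
    Interceptor.attach(target, {
        onEnter: function (args) {
            this.fd = args[0].toInt32();
            this.buf = args[1];
        },
        onLeave: function (retval) {
            // the return value is the number of bytes actually transferred
            var n = retval.toInt32();
            if (n > 0) {
                send({ call: name, fd: this.fd, length: n }, this.buf.readByteArray(n));
            }
        }
    });
}
hookSocketCall('send');
hookSocketCall('recv');
"""


def parse_remote(spec: str, default_port: int = 27042) -> tuple:
    """Split a -r style HOST[:PORT] spec; 27042 is frida-server's default port."""
    host, sep, port = spec.rpartition(":")
    if not sep:
        return spec, default_port
    return host, int(port)


def summarize(payload: dict, data: bytes) -> str:
    """One log line per intercepted buffer (first 32 bytes shown)."""
    return f"[{payload['call']}] fd={payload['fd']} {payload['length']} bytes: {data[:32]!r}"


def on_message(message: dict, data) -> None:
    """Callback for messages posted by the script's send(); data is the raw buffer."""
    if message["type"] == "send":
        print(summarize(message["payload"], data or b""))
    elif message["type"] == "error":
        print("script error:", message.get("description"), file=sys.stderr)


def attach_remote(spec: str, target):
    """Connect to frida-server at spec and hook send/recv in target (pid or name)."""
    import frida  # imported here so the pure helpers above work without frida installed

    host, port = parse_remote(spec)
    device = frida.get_device_manager().add_remote_device(f"{host}:{port}")
    session = device.attach(target)
    script = session.create_script(HOOK_SCRIPT)
    script.on("message", on_message)
    script.load()
    return session


if __name__ == "__main__":
    # usage: python remote_hook.py 10.0.0.1:27042 <pid-or-process-name>
    remote, proc = sys.argv[1], sys.argv[2]
    session = attach_remote(remote, int(proc) if proc.isdigit() else proc)
    print("hooked send/recv; press Enter to detach")
    sys.stdin.readline()
    session.detach()
```

Hooking at the plaintext boundary is what makes this useful for TLS clients: for a process that uses OpenSSL you would hook SSL_write/SSL_read instead of send/recv, which is the difference between Deluder's libc and openssl scripts. The unauthenticated frida-server caveat from the Remote Host section applies to this example too.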

Module variables

Each script module has two variables of its own:

Deluder vs EchoMirage

Deluder intercepts application traffic with an approach similar to EchoMirage's, but thanks to Frida it also supports platforms other than Windows. Deluder currently supports a few more libraries than EchoMirage, and it can be extended with further protocols across multiple platforms (Windows, Linux, macOS).

License

Deluder is licensed under GNU GPL 3.0.