Deluder is a tool for intercepting traffic of proxy unaware applications. It is based on Frida and uses dynamic instrumentation to intercept communication in common networking libraries on multiple platforms.
Deluder was primarily designed to work with PETEP (PEnetration TEsting Proxy), but can also be used as a standalone utility for traffic interception.
Video: Youtube Deluder & PETEP
Since Deluder is based on dynamic instrumentation, there is a need for custom scripts for each networking library (e.g. Winsock, OpenSSL, GnuTLS).
Currently, Deluder support the following libraries out of the box:
- WinSock (ws2_32.dll, wsock32.dll)
- send
- sendto
- recv
- recvfrom
- WSA_Send
- WSA_SendTo
- WSA_Recv
- WSA_RecvFrom
- Linux sockets (libc.so)
- send
- sendto
- recv
- recvfrom
- OpenSSL (libssl.dll, ssleay.dll, libssl.dylib)
- SSL_write
- SSL_write_ex
- SSL_read
- SSL_read_ex
- GnuTLS (libgnutls.so, libgnutls.dll, libgnutls.dylib)
- gnutls_record_send
- gnutls_record_recv
- SChannel (Secur32.dll)
- EncryptMessage
- DecryptMessage
Scripts for each library are written in JavaScript and can be easily modified or added in deluder/scripts.
Note: Main purpose of Deluder is to support networking/encryption libraries, but you can eventually write scripts to intercept any library functions.
Requirements: Python 3.9+
Deluder is a built on Python and gives you two options, how to use it:
- Install it as CLI command using setuptools
- Download latest Deluder release
or clone the repo
git clone https://github.com/Warxim/deluder.git
- Install Deluder using setuptools
python setup.py install
- Run Deluder as a command
deluder --help
- Download latest Deluder release
or clone the repo
- Install requirements and use it in development mode (supports adding new interceptors and scripts without the need for reinstalling)
- Download latest Deluder release
or clone the repo
git clone https://github.com/Warxim/deluder.git
- In downloaded deluder directory, run installation of requirements
python -m pip install -r requirements.txt
- Run Deluder as module
python -m deluder --help
- Download latest Deluder release
or clone the repo
There are three main commands in deluder:
- config - displays default configuration file structure in JSON
- run [app] - runs new process and attaches Deluder to it
- attach [pid/process name] - attaches to process by PID or process name
Example usages:
# Display help
deluder --help
deluder run --help
deluder attach --help
# Display default config
deluder config
# Run process and attach to it
deluder run -c config.json "C:/Application.exe"
deluder run -i petep "C:/Application.exe"
deluder run --debug --interceptors log,proxifier,log --scripts schannel,openssl "C:/Application.exe"
# Attach to existing process
deluder attach -c config.json 12501
deluder attach -i petep 12501
deluder attach -s schannel,openssl -i log 12000
deluder attach -c config.json "Application.exe"
# Run process and attach to it in a remote host (10.0.0.1 on port 27042)
deluder run -r 10.0.0.1:27042 -c config.json "C:/Application.exe"
deluder run -r 10.0.0.1:27042 -i petep "C:/Application.exe"
deluder run --remote 10.0.0.1:27042 --debug --interceptors log,proxifier,log --scripts schannel,openssl "C:/Application.exe"
# Attach to existing process in a remote host (10.0.0.1 on port 27042)
deluder attach -r 10.0.0.1:27042 -c config.json 12501
deluder attach -r 10.0.0.1:27042 -i petep 12501
deluder attach -r 10.0.0.1:27042 -s schannel,openssl -i log 12000
deluder attach -r 10.0.0.1:27042 -c config.json "Application.exe"
Both attach and run have the following parameters:
- -c/--config [path-to-config.json] - Uses given config (recommended)
- -d/--debug - Enables debug with verbose output
- -i/--interceptors [proxifier,log,log] - Enables given interceptors
- -s/--scripts [winsock,openssl] - Enables given scripts (networking libraries)
- -r/--remote [ip:port] - Uses remote frida-server host
- --ignore-child-processes - Disables automatic child process hooking
It is recommended to first store config template to a file:
deluder config > config.json
and then configure the deluder through the config.json:
- setup interceptors
- depending on your needs, you can add/remove interceptors
- if you use Deluder with PETEP, simply remove all interceptors except for "petep" from the config file
- setup scripts
- If you are testing an application, you should only enable scripts for used libraries.
- If you do not know, which scripts to use, usually it is good to start first with the SSL/TLS libraries (openssl, schannel, gnutls) and if these are not capturing anything, try to use socket libraries (winsock, libc).
and then run the deluder through attach or run commands:
deluder run -c config.json "C:/Application.exe"
deluder attach -c config.json 12501
deluder attach -c config.json "Application.exe"
In order to use Deluder with graphical interface, you can use PETEP (PEnetration TEsting Proxy), which supports integration with Deluder and allows you to conveniently work with the intercepted data.
In PETEP you can simply add Deluder proxy or use Deluder preset, which already has Deluder proxy configured. After that you can run Deluder using the following commands:
deluder run -i petep "C:/Application.exe"
deluder attach -i petep 12501
deluder attach -i petep "Application.exe"
Deluder will use a special protocol in order to intercept the data in PETEP. (By default, port 8008 will be used as PETEP server port for Deluder integration.)
Example minimal config for Deluder and PETEP integration:
{
"ignoreChildProcesses": false,
"interceptors": [
{
"type": "petep",
"config": {
"petepHost": "127.0.0.1",
"petepPort": 8008,
"autoCloseConnections": true,
"multipleConnections": true
}
}
],
"scripts": [
{
"type": "winsock",
"config": {}
},
{
"type": "openssl",
"config": {}
},
{
"type": "gnutls",
"config": {}
},
{
"type": "libc",
"config": {}
},
{
"type": "schannel",
"config": {}
}
]
}
Note: Do not try to drop intercepted messages, since that is not supported and will break the interception.
If you do not want to use PETEP, you can use any other proxy tool and use Proxifier interceptor to tunnel the intercepted data through the proxy.
Before running Deluder, setup the proxy tool, so that the proxy server is running. After that you can run Deluder and attach it to some process.
Note: Do not try to drop intercepted messages, since that is not supported and will break the interception.
You can choose two types of proxifying strategies:
- length (default) - relies on 4B length sent before the intercepted data (
[4B data length][data]
) - suffix - relies on appending contant suffix to intercepted data
- buffer - relies on buffer size and requires you to setup big enough buffer in both proxy tool and Deluder
In order to write custom interceptor modules, you can add new file with the module
in deluder/interceptors and register the module by adding it to
INTERCEPTORS_REGISTRY
in deluder/interceptors/__init__.py.
Each interceptor module has important methods:
default_config()
- provides default config, which can be overriden through command arguments
init()
- when interceptor gets initialized
intercept(message)
- intercept message
destroy()
- called when Deluder finishes
The most important method for you will be the intercept
method, in which you
can process the traffic. The message parameter is mutable and you can modify the data inside.
In order to intercept network communication of applications on remote hosts, on which you cannot run the deluder and PETEP itself, you can use Frida server, to which you can connect from Deluder.
See Frida Releases and download frida-server for your platform. Once you run the frida-server, you can use Deluder's -r
parameter to execute the attach/run commands on the remote machine.
For example, on remote machine, you can run:
frida-server -l 0.0.0.0:27042
and then run the following on your local machine:
deluder run -r REMOTE_IP:27042 -i log "C:/Application.exe"
In order to write custom script modules for networking libraries, you can simply
create a new js files in deluder/scripts and then add them
to the config file or -s/--scripts
parameter.
It is recommended to check existing scripts and use them as inspiration. For more information on how to write these scripts, you can check official Frida guide.
All scripts can use common functions, which are available in the common.js
file,
which is automatically loaded before the custom scripts.
Each module has two own variables:
module.type
- module code (file name without extension)module.config
- module config provided in Deluder config file
Deluder uses similar approach known from EchoMirage to intercept the traffic of applications, but thanks to Frida library, it also supports other platforms than Windows. Currently Deluder supports a few extra libraries in comparison to EchoMirage and it is possible to extend Deluder with more protocols for multiple platforms (like Windows, Linux, Mac).
Deluder is licensed under GNU GPL 3.0.