Windows Instrumentation With Frida
- Buy now
- Learn more
Introduction

Introduction
Binary Ninja License & Course Materials
Environment Setup
API Instrumentation

Well-Known Tools
Lab 1: Evaluating ProcMon & APIMonitor
Frida API Tracing
Lab 2: Frida Trace
Lab 2: Lab Guide
Introducing Fermion

Introducing Fermion
Lab 3: Fermion
Lab 3: Lab Guide
Hooking to -> Change Application Behaviour

Changing Application Behaviour
Lab 4: Manipulating Message Boxes
Lab 4: Lab Guide
Hooking to -> Inspect Data

Inspecting Application Data
Lab 5: Shoulder Surfing Terminal Sessions
Lab 5: Lab Guide
Hooking to -> Hide Data

Hiding Application Data
Lab 6: Hooking the API
Lab 6: Lab Guide
Traversing In-Memory Data Structures
Lab 7: Pointer Arithmetic
Lab 7: Lab Guide
Abusing Data Parsers
Lab 8: Mischief Managed
Lab 8: Lab Guide
Lab 8: Quiz
Calling Native Functions

Calling Native functions
Lab 9: Going Native
Lab 9: Lab Guide
Case Study: Defeating Symantec 2FA

UX/UI Romance Story
Lab 10: A Window to the Heart
Lab 10: Lab Guide
API Automation
Lab 11: Automation
Lab 11: Lab Guide
Case Study: Antimalware Scan Interface (AMSI)

Antimalware Scan Interface (AMSI)
Lab 12: HAMSICONTEXT
Lab 12: Lab Guide
Binary Instrumentation With Stalker

Binary Instrumentation With Stalker
Lab 13: Stalker
Lab 13: Lab Guide
Case Study: Minesweeper

Finally something that matters, Minesweeper
Lab 14: Parsing Board State
Lab 14: Lab Guide
We must go deeper
Lab 15: Automation
Lab 15: Lab Guide
Case Study: DLL Side-Loading

DLL Side-Loading
Lab 16: LoadLibraryExW
Lab 16: Lab Guide
Unit Testing
Lab 17: In-Memory Unit Testing
Lab 17: Lab Guide
PwnAdventure3 Introduction

It's only Game -> PwnAdventure3
Lab 18: Jump Mechanics
Lab 18: Lab Guide
__thiscall Calling Convention
Lab 19: Accessing __thiscall Objects
Lab 19: Lab Guide
Implementing A "Cheat Engine"

Repurposing Application Functionality
Lab 20: Talk talk talk
Lab 20: Lab Guide
Symbol Analysis
Lab 21: Porting to our "Cheat Engine"
Lab 21: Lab Guide
Leveraging Native Game Functionality

Traveling Fast, Traveling Far
Lab 22: Teleportation
Lab 22: Lab Guide
What about p0wn?
Lab 23: Bears With Guns
Lab 23: Lab Guide
Alternate p0wnage -> I Take No Damage
Alternate p0wnage -> The Birds and the Bears
Bonus p0wnage -> Loot Goblin
Advanced Data Structures

PwnAdventure3 Server Setup
C++ Map Containers
Lab 24: Leaking the ClientWorld
Lab 24: Lab Guide
Traversing Red/Black Trees In Memory
Lab 25: Reading the ClientWorld
Lab 25: Lab Guide
Hooking Network Traffic

Overtrained, Overspecialized
Lab 26: Dumping Packets
Lab 26: Lab Guide
Implementing the Network Protocol
Lab 27: Parsing Packets
Lab 27: Lab Guide
Course Review

Course Review
Course Feedback

Lab 19: Accessing __thiscall Objects

In this lab we want to overwrite a property of the __thiscall object. We will tackle this in a few simple steps.

Attach a hook to the non-exported GetWalkingSpeed function pointer
- Print the WalkingSpeed float to the output area. What is the walking speed?

float __thiscall Player::GetWalkingSpeed(class Player* this)
{
    return ((int32_t)((long double)this->m_walkingSpeed));
}

Now, capture the address of the this object by accessing the value of ECX inside your hook
- https://frida.re/docs/javascript-api/#process
You now have the pointer to the object and the offset of the property inside the object (Binary Ninja)
- Using the offset you can now read the float yourself inside the hook
- You can also overwrite the float in memory. What happens when you do that?
- https://frida.re/docs/javascript-api/#nativepointer