Windows Instrumentation With Frida

This training will focus on Windows introspection through function hooking. Attendees will learn how they can enumerate, change and subvert application functionality using Frida. These skills are widely applicable for defense, offense and research.

Are you a defender trying to prototype a new detection? Are you a Red Team operator looking to augment your post-exploitation capabilities? Are you a researcher who needs to understand what an application does and how it can be influenced? Function hooking on Windows is a very powerful capability to have in your toolkit no matter what your primary interest is. This training will deliver concrete, real-world knowledge which attendees can take away and directly apply in the field. While Frida has traditionally been used for Android/IOS pentesting and vulnerability research, this training will show that it can be one of the best tools in your arsenal when it comes to Windows!


  • During the course many labs will require students to prototype hooking logic in JavaScript. As such JavaScript experience will be very helpful but not strictly required.
  • A detailed knowledge of Windows internals is not required but basic familiarity with the Windows API will be beneficial.
  • Attendees need to verify they are able to run PwnAdventure3 on a Windows VM. It can be set on the lowest setting and does not have to run fast. This is important as a substantial portion of the training will consist of hacking PwnAdventure3.


  • A laptop with VMWare Workstation / Player / Fusion. VirtualBox is not supported.
  • Enough system resources to run x2 virtual machines simultaneously.
  • 30GB free hard disk space.
  • Attendees need not bring their own VM, those will be handed out, fully configured, during the training.


Day 1

  • Introduction to function hooking
  • A closer look at familiar tools: Procmon / API Monitor
  • Rapid instrumentation with Frida
  • Tracing API calls
  • Fermion, an electron UI for Frida
  • Hooking to => Change application behaviour
  • Hooking to => Inspect data
  • Hooking to => Subvert application controls
  • Calling native functions from Frida
  • Bug-hunting HackSysExtremeVulnerableDriver
  • Hooking ShowSnaps

Day 2

  • Setting up PwnAdventure3
  • Abusing the implicit trust of the game server
  • Finding a trigger mechanism
  • Unintended use of game functionality
  • Solving “Unbearable Revenge”
  • Finding game objects in memory
  • In-line network proxy
  • Prototyping a parser
  • Crafting packets
  • Applicability of function hooking & porting knowledge to other frameworks

About the Speaker