User Guide

Deluder

Deluder is a multiplatform tool, written in Python on top of the Frida library, for intercepting the traffic of proxy-unaware applications. It works in a similar fashion to EchoMirage: it hooks into the target process in order to intercept exported functions of encryption and networking libraries.

In PETEP, you can either add the Deluder proxy yourself or use the Deluder preset, which already has the Deluder proxy configured. After that, you can run Deluder using the following commands:

deluder run -i petep "C:/Application.exe"
deluder attach -i petep 12501
deluder attach -i petep "Application.exe"

Deluder uses a special protocol so that the data can be intercepted in PETEP. (By default, port 8008 is used as the PETEP server port for Deluder integration.)

Deluder Features

Deluder supports the following libraries:

  • OpenSSL (libssl.dll, ssleay.dll, libssl.dylib)
  • GnuTLS (libc.so)
  • SChannel (Secur32.dll)
  • WinSock (ws2_32.dll, wsock32.dll)
  • Linux Sockets (libc.so)

You can also use Frida Server to hook processes on a remote machine.

PETEP Configuration

In PETEP, add the Deluder Proxy module and set up the host and port that Deluder will use.

Deluder Configuration

Example minimal config for Deluder:

{
  "ignoreChildProcesses": false,
  "interceptors": [
      {
          "type": "petep",
          "config": {
              "petepHost": "127.0.0.1",
              "petepPort": 8008,
              "autoCloseConnections": true,
              "multipleConnections": true
          }
      }
  ],
  "scripts": [
      {
          "type": "winsock",
          "config": {}
      },
      {
          "type": "openssl",
          "config": {}
      },
      {
          "type": "gnutls",
          "config": {}
      },
      {
          "type": "libc",
          "config": {}
      },
      {
          "type": "schannel",
          "config": {}
      }
  ]
}
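
A pre-flight check for this configuration, added here as an example and not part of Deluder or PETEP: it validates the petep interceptor and the script types against the values shown on this page, then tests whether anything is listening on petepHost:petepPort. The file name config.json, the function names and the rule that petepHost should be a loopback address are assumptions of this example.

```python
import ipaddress
import json
import socket

# Script types taken from the example config on this page.
KNOWN_SCRIPTS = {"winsock", "openssl", "gnutls", "libc", "schannel"}


def check_config(cfg):
    """Return a list of problems found in a parsed Deluder config dict."""
    problems = []
    petep = [i for i in cfg.get("interceptors", []) if i.get("type") == "petep"]
    if not petep:
        problems.append("no interceptor of type 'petep'")
    for entry in petep:
        conf = entry.get("config", {})
        host, port = conf.get("petepHost"), conf.get("petepPort")
        if type(port) is not int or not 1 <= port <= 65535:
            problems.append(f"petepPort {port!r} is not a valid TCP port")
        try:
            if not ipaddress.ip_address(host).is_loopback:
                # Assumption of this example: intercepted data should stay on this host.
                problems.append(f"petepHost {host} is not a loopback address")
        except ValueError:
            problems.append(f"petepHost {host!r} is not an IP literal")
    scripts = cfg.get("scripts", [])
    problems += [] if scripts else ["no hook scripts enabled"]
    for s in scripts:
        if s.get("type") not in KNOWN_SCRIPTS:
            problems.append(f"unknown script type {s.get('type')!r}")
    return problems


def petep_listening(host, port, timeout=2.0):
    """True if something accepts TCP connections on host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    with open("config.json") as fh:  # hypothetical file name
        cfg = json.load(fh)
    problems = check_config(cfg)
    print("\n".join(problems) or "config OK")
    for c in (i["config"] for i in cfg.get("interceptors", []) if not problems and i.get("type") == "petep"):
        print("PETEP listening:", petep_listening(c["petepHost"], c["petepPort"]))
```

A result of False from petep_listening usually means PETEP is not started yet or its Deluder proxy is bound to a different host or port than the one in the config.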