
JavaScript Analysis Tools

Before diving into some JavaScript, I wanted to post some of my favorite tools in my toolbox. These tools are the same ones that I'll be using throughout my JavaScript series (if you can call 3 blog posts a series?).

I highly recommend setting up a VM with REMnux. REMnux® is a free Linux toolkit for assisting malware analysts with reverse-engineering malicious software. It comes preconfigured with a huge amount of tools which saves a ton of time.

Please note: Information and some examples used in this blog are either based off of or in some cases taken directly from each individual tool's respective GitHub page/site. I've included links to each tool mentioned. All credit goes to the authors of each respective tool. For more information on any of the tools, please refer to the links included.

JSBeautifier

JSBeautifier reformats ugly JavaScript, unpacks scripts packed by Dean Edwards' popular packer, and deobfuscates scripts processed by javascriptobfuscator.com.

This tool can be run from the CLI; however, if I have internet access, I'll typically just open jsbeautifier.org in my browser and paste the code in there.

Figure 1: Code pre JSBeautifier

Figure 2: Code post JSBeautifier

JSDetox

JSDetox is a JavaScript malware analysis tool that uses static analysis/deobfuscation techniques and an execution engine featuring HTML DOM emulation.

Features

Static Analysis/Deobfuscation

JSDetox can reformat/beautify code much like JSBeautifier, and it can also analyze and precompute static expressions. For example:

Original Code
var x = 10 * 3 + 100 - 70 / 10;

Analyzed Code
var x = 123;

For me, this feature is a bit hit or miss. Sometimes JSDetox does an excellent job of deobfuscating/beautifying and other times it completely whiffs.

HTML DOM Emulation

Malicious JavaScript often uses objects and functions that are only available in browsers and that manipulate the "document" object.

JSDetox emulates parts of a browser, especially the document object. You can also import an HTML document that will be used for the emulation. Because of this, code such as:
document.write('<span>Hello World</span>');

This is a pretty handy feature as a lot of malicious JavaScript will manipulate the DOM. Because JSDetox will emulate the DOM object, we are able to analyze this code easily.

Figure 3: JSDetox

Figure 4: JSDetox document.write() call emulated

Figure 5: JSDetox resulting code executed

Data Analysis
JSDetox can also be used to analyze shellcode embedded in JavaScript malware. Most shellcode is stored in Unicode escape sequences such as this:

%uc92b%u1fb1%u0cbd%uc536%udb9b%ud9c5%u2474%u5af4...

The data analysis part of JSDetox can parse strings such as these and extract the shellcode to be viewed as a classic hexdump or as disassembled code.

Many instances of shellcode contain data (in most cases a URL to download the real malware) that is "encrypted" with a small XOR loop - the analysis function scans for these and shows possible matches.

This is another feature of JSDetox that is pretty useful. It can save a good chunk of time when used under certain circumstances.

Overall, JSDetox is a fairly useful tool, especially for beginners. However, it has failed a few too many times for me, and as such I've dropped it and never picked it back up again.

Rhino Debugger

The Rhino JavaScript debugger is a GUI that allows debugging of interpreted JavaScript scripts run in Rhino. The debugger allows you to control execution of the script, view/watch variables throughout execution, etc.

This is a great tool and I recommend giving it a shot. I've used it before, but I'm partial to Chrome and the Chrome Debugger. It's my favorite!

Google Chrome DevTools/V8

Last but not least, we have Google Chrome DevTools (my favorite!). Chrome's DevTools are my go-to for anything JavaScript, JScript, WScript, etc. It's convenient, it's quick, it works. DevTools include a full-featured console backed by the V8 engine, as well as a debugger with features just like Rhino's. It also includes snippets, a format option (essentially JSBeautifier), and more.

Chrome DevTools include a ton of features and I strongly encourage you to get familiar with the tools by both taking a look at the documentation at the link above, as well as messing around with it yourself!

These are just a handful of my favorite tools. Below are some additional tools available for you to try. If you're looking for some additional tools, a simple Google search will return a bunch more than I have listed. I recommend giving them all a shot and figuring out which are your favorites!

  • jsunpack-n - A JavaScript unpacker that emulates browser functionality.
  • SpiderMonkey - JavaScript engine from Mozilla
  • Node.js - Node.js is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Muzi

Jared is a Senior Consultant at Booz Allen Hamilton. His current interests are network security, keyboards, tequila, and Korean culture. These interests are bound to change in the next hour.
