I am trying to use Rhino and Cobra for the de-obfuscation and detection of 
malicious scripts. The problem is that Rhino has no standard policy for 
detecting unknown objects. It defines the standard objects and functions 
like Window, document.write(), but browsers also define many non-standard 
objects and methods, like ActiveXObject, and we can expect some new 
non-standard definitions in the future.
Therefore it would be good to make a simulation of the unknown object/function. 
The simulation should do nothing except alerting; moreover, it should 
evaluate the parameters of the unknown function, because the parameters very 
often inform us about malicious URL sources or about files to be read or written, 
and the parameters are very often obfuscated.
Of course, if we know the object, like the ActiveXObject, it is easy to write a 
script defining its prototype and all named properties, including functions 
like PrintSnapshot. The script can be executed before the main set of malicious 
scripts, and then we can detect whether the malicious script uses PrintSnapshot, 
what files it tries to open and to send (because Rhino knows the prototype and 
automatically evaluates the properties CompressedPath and SnapshotPath of the 
ActiveXObject).
But I would like to have the same functionality for really non-standard and 
unknown objects. It would be simple if Rhino reported all unknown names 
in a standard way.
But it seems to be complicated, because Rhino throws a RuntimeException if the 
name of a non-standard (or not defined by a former script) OBJECT is found, but 
for an unknown PROPERTY it throws an EcmaError, which is caught further on in the 
Rhino engine, and only the logger reports the unknown property.
I would prefer to have a choice of three modes:
IGNORE_UNKNOWN_OBJECTS_AND_PROPERTIES: unknown objects and properties do 
not throw a runtime exception, only the logger info.
IGNORE_UNKNOWN_PROPERTIES (this is the current mode of Rhino).
THROW_ALL_EXCEPTIONS: in this mode, for any unknown name of an object or 
any unknown property, Rhino should throw some kind of exception, with 
information about the property's owner.

Another mode would be the simulation of the unknown objects and properties, 
which I described at the beginning. But it cannot be part of the Rhino 
standard, I am afraid.

I am thinking about some change in the Rhino engine for the option 
THROW_ALL_EXCEPTIONS. This is not a big task: simply, instead of catching the 
EcmaError, it should rethrow it with additional information.

Next I will try to execute the malicious code with "unknown names", 
catch the exception, extract the info, then construct the JavaScript with 
prototypes of the detected "unknown" object or property, execute the new script, 
and execute the malicious code again in a loop.
It will be a longer procedure, because only one unknown name can be detected in 
each iteration of the loop.
Do you have any better advice on how to do it in one run, without major 
intervention in the Rhino code? Maybe some Rhino debugger methods would be 
useful, but I have no idea about the Rhino debugger.
Tad
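The "simulation of unknown objects" described in the post, as an added example that is not part of the original message or of Rhino: it assumes a modern JavaScript engine with Proxy support (Node.js here; Rhino lacks Proxy, so the equivalent there would be host-side Java), and uses a constructed sample script with a placeholder ProgID rather than any real malicious code.

```javascript
// Added example (not from the post or from Rhino): Proxy-based "simulation" of unknown
// host objects that logs each access together with its already-evaluated arguments.
function makeSandbox() {
  const log = [];          // everything the script touched, in order
  const vars = new Map();  // the script's own variables, assigned through `with`
  // Recording stub: every property is another stub; calls and `new` are logged.
  function stub(path) {
    return new Proxy(function () {}, {
      get(_t, p) {
        if (typeof p === 'symbol') return undefined;
        if (p === 'toString' || p === 'valueOf') return () => `[stub ${path}]`;
        log.push({ kind: 'get', name: `${path}.${p}` }); return stub(`${path}.${p}`);
      },
      set(_t, p, v) { log.push({ kind: 'set', name: `${path}.${String(p)}`, value: String(v) }); return true; },
      apply(_t, _s, args) { log.push({ kind: 'call', name: path, args: args.map(String) }); return stub(`${path}()`); },
      construct(_t, args) { log.push({ kind: 'new', name: path, args: args.map(String) }); return stub(`new ${path}`); },
    });
  }
  // Scope object for `with`: claims every identifier so lookups and assignments go
  // through the traps instead of reaching the real global object.
  const sandbox = new Proxy({}, {
    has: () => true,
    get(_t, name) {
      if (typeof name === 'symbol') return undefined;     // Symbol.unscopables probe
      if (vars.has(name)) return vars.get(name);
      if (name in globalThis) return globalThis[name];    // String, Math, unescape, ...
      log.push({ kind: 'unknown-global', name });         // the name Rhino would throw on
      const s = stub(name); vars.set(name, s); return s;
    },
    set(_t, name, v) { vars.set(name, v); return true; },
  });
  return { sandbox, log };
}
// Runs the script in sloppy mode (`with` needs it); an exception ends the run but
// keeps what was recorded before it.
function runRecorded(code) {
  const { sandbox, log } = makeSandbox();
  try { new Function('sandbox', `with (sandbox) {\n${code}\n}`)(sandbox); }
  catch (e) { log.push({ kind: 'error', message: String(e) }); }
  return log;
}
// Constructed sample (not a real malicious script): ProgID and path are built at runtime.
const SAMPLE = [
  'var p = "C:\\\\" + String.fromCharCode(116, 109, 112) + "\\\\note.txt";',
  'var obj = new ActiveXObject("Sample" + ".Control");',
  'obj.SnapshotPath = p;',
  'obj.PrintSnapshot(p, 1);',
].join('\n');
console.log(runRecorded(SAMPLE));
```

The log lists the unknown global, the constructor arguments, the property assignment and the method call, each with the de-obfuscated string values, in one run rather than one unknown name per loop iteration.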
_______________________________________________
dev-tech-js-engine-rhino mailing list
https://lists.mozilla.org/listinfo/dev-tech-js-engine-rhino