On Dec 4, 10:55 am, Tadeusz Slupski <[EMAIL PROTECTED]> wrote:
> I am trying to use Rhino and Cobra for the de-obfuscation and detection
> of malicious scripts. The problem is that Rhino has no standard policy
> for detecting unknown objects (it throws RuntimeException) and
> properties (unknown properties are ignored). Cobra defines the standard
> objects and functions like Window, document.write(), but browsers also
> define many non-standard objects and methods, like ActiveXObject, and
> we can expect some new non-standard definitions in future.
>
> Therefore it would be good to make a simulation of the unknown
> object/function. The simulation should do nothing except alerting;
> moreover, it should evaluate the parameters of the unknown function,
> because the parameters very often inform us about malicious URL sources
> or about files to be read or written, and the parameters are very often
> obfuscated.
>
> Of course, if we know the object, like the ActiveXObject, it is easy to
> write a script defining its prototype and all named properties,
> including functions like PrintSnapshot. The script can be executed
> before the main set of malicious scripts, and then we can detect if the
> malicious script uses PrintSnapshot, what files it tries to open, and
> to send (because Rhino knows the prototype and automatically evaluates
> the properties CompressedPath and SnapshotPath of the ActiveXObject).
>
> But I would like to have the same functionality for really non-standard
> and unknown objects. It would be simple if Rhino informed about all
> unknown names in a standard way.
>
> But it seems to be complicated, because Rhino throws RuntimeException
> if a name of a non-standard (or not defined by a former script) OBJECT
> is found, but for an unknown PROPERTY it throws EcmaError, which is
> caught further on in the Rhino engine, and only the logger informs
> about the unknown property.
>
> I would prefer to have a choice of three modes:
>
> IGNORE_UNKNOWN_OBJECTS_AND_PROPERTIES
> when unknown objects and properties do not throw a runtime exception,
> only the logger info.
>
> IGNORE_UNKNOWN_PROPERTIES (this is the current mode of Rhino)
>
> THROW_ALL_EXCEPTIONS
> in this mode, for any unknown name of an object or any unknown
> property, Rhino should throw some kind of exception, with information
> about the property's owner.
>
> Another mode would be the simulation of the unknown objects and
> properties, which I described in the beginning. But it cannot be part
> of the Rhino standard, I am afraid.
>
> I am thinking about some changes in the Rhino engine for the option
> THROW_ALL_EXCEPTIONS. This is not a big task: simply, instead of
> catching, the EcmaError should be rethrown, with some additional
> information.
>
> Next I will try to execute the malicious code with "unknown names", to
> catch the exception, extract the info, then construct the JavaScript
> with prototypes of the detected "unknown" object or property, execute
> the new script, and execute the malicious code again in a loop. It will
> be a longer procedure because only one unknown name can be detected in
> one loop.
>
> Do you have any better advice how to do it in one run, without a bigger
> intervention in the Rhino code? Maybe some Rhino debugger methods would
> be useful, but I have no idea about the Rhino debugger.
>
> Tad Slupski
Hmm. Isn't it more complex than this even? A malicious script could attempt to detect the presence of ActiveXObject using typeof or similar, and only attempt to access it if defined. Then you wouldn't detect that the script was malicious even given the changes you propose, since there would be no errors from accessing undefined objects/properties.

--N

_______________________________________________
dev-tech-js-engine-rhino mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-js-engine-rhino
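The following is an added example, not code from this thread or from the Rhino project. It sketches the "simulation of the unknown object/function" Tadeusz describes in a way that also survives N's objection: every unresolved global name resolves to a recording stub, so `typeof ActiveXObject` sees a function and the script takes the same branch it would take in Internet Explorer, and every constructor argument, property assignment and method call on the stub is logged with its already de-obfuscated value. It assumes Node.js with ES2015 Proxy; the `with` statement stands in for the custom scope hook one would write against Rhino (not shown). The sample script, the ProgID string, the URL and the file path are constructed placeholders, not real values.

```javascript
// Added example (not from the thread or from Rhino). Assumes Node.js with
// ES2015 Proxy. Every unknown global name resolves to a stub that records
// what the analysed script does with it, so feature checks such as
// `typeof ActiveXObject` succeed and the obfuscated parameters get logged.

function makeRecorder() {
  const log = [];                           // every access the script makes
  const quote = (xs) => xs.map((s) => JSON.stringify(s)).join(', ');

  // A stub that answers for an unknown host object and every path under it.
  function makeStub(path) {
    const target = function () {};          // callable and constructible
    return new Proxy(target, {
      get(_t, prop) {
        if (prop === Symbol.toPrimitive) return () => path; // String(stub) shows its path
        if (typeof prop === 'symbol') return undefined;      // no @@unscopables etc.
        const name = `${path}.${prop}`;
        log.push({ kind: 'get', name });
        return makeStub(name);
      },
      set(_t, prop, value) {
        log.push({ kind: 'set', name: `${path}.${prop}`, value: String(value) });
        return true;
      },
      apply(_t, _self, args) {
        const a = args.map(String);
        log.push({ kind: 'call', name: path, args: a });
        return makeStub(`${path}(${quote(a)})`);
      },
      construct(_t, args) {
        const a = args.map(String);
        log.push({ kind: 'new', name: path, args: a });
        return makeStub(`new ${path}(${quote(a)})`);
      },
    });
  }

  // Stand-in for the browser's global object. Names the real runtime already
  // has (String, unescape, ...) fall through untouched; anything else resolves
  // to a recording stub instead of raising a ReferenceError.
  const vars = Object.create(null);         // the script's own globals
  const scope = new Proxy({}, {
    has(_t, name) {
      return typeof name === 'string' && !(name in globalThis);
    },
    get(_t, name) {
      if (typeof name === 'symbol') return undefined;
      if (name in vars) return vars[name];
      log.push({ kind: 'get', name });
      return makeStub(name);
    },
    set(_t, name, value) {
      vars[name] = value;
      return true;
    },
  });
  return { log, scope };
}

// Run untrusted code with every unknown global name resolving to a stub.
// `with` is only legal in sloppy mode, which Function bodies are by default.
function analyze(code) {
  const { log, scope } = makeRecorder();
  const run = new Function('__scope', 'with (__scope) {\n' + code + '\n}');
  run(scope);
  return log;
}

// Human-readable lines for everything except plain property reads.
function summarize(log) {
  return log
    .filter((e) => e.kind !== 'get')
    .map((e) => e.kind === 'set'
      ? `${e.name} = ${JSON.stringify(e.value)}`
      : `${e.kind === 'new' ? 'new ' : ''}${e.name}(${e.args.map((a) => JSON.stringify(a)).join(', ')})`);
}

// Constructed sample in the shape the thread describes: a feature check first,
// then an ActiveX object whose ProgID, URL and path are obfuscated. The values
// are placeholders, not a real control or a real site.
const SAMPLE = `
  if (typeof ActiveXObject != "undefined") {
    var o = new ActiveXObject(["Snap", "shot", "Viewer"].join(""));
    o.SnapshotPath = unescape("%68%74%74%70%3a%2f%2fexample.invalid%2fx.snp");
    o.CompressedPath = "C:\\\\tmp\\\\x.snp";
    o.PrintSnapshot();
  } else {
    document.write("nothing to do");
  }
`;

console.log(summarize(analyze(SAMPLE)).join('\n'));
```

The log shows `new ActiveXObject("SnapshotViewer")`, the decoded `SnapshotPath` URL, the `CompressedPath` value and the `PrintSnapshot()` call, i.e. exactly the parameters the thread wants to recover, in one run rather than one unknown name per loop. Two caveats apply to any such sandbox: the script's own hoisted `var` declarations are not tracked here, so a `typeof` check on one of them before assignment would see a stub, and a script can still fingerprint the environment in other ways (timing, property enumeration, error messages), so the stubs are an analysis aid, not a proof that a script is benign.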
