JSDetox | Relentless Coding

submitted by Style Pass, 2023-05-26 19:30:05

While it uses the browser as its user interface, the whole analysis/execution of the JavaScript code is done in the backend. As with any tool that handles malicious, unknown code, you should consider installing JSDetox in an isolated environment. It is quite easy to install on most Linux distributions, so setting up JSDetox inside a virtual machine should be straightforward.

A simple example:

Original code:

    var x = 10 * 3 + 100 - 70 / 10;

Analysis result:

    var x = 123;

Besides "normal" obfuscation techniques, the latest JavaScript malware makes use of objects/functions that are only available in browsers, e.g. the "document" object.

JSDetox emulates parts of a browser, especially the document object (you can even import an HTML document that will be used for the emulation). See the "HTML DOM emulation" or the "Analyzing the Blackhole exploit kit" screencasts for an example.

This feature makes it possible to handle code like this:

    document.write('<div id="AU4Ae">212</div>');
    var OoF2wUnZ = parseInt(document.getElementById("AU4Ae").innerHTML);
    if(OoF2wUnZ == 212) { ...
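To make the point concrete, here is an added example (not JSDetox's own code) of the bare-minimum `document` stand-in this snippet depends on: the sample is run first with no DOM at all, then against the emulated one. The names `makeFakeDocument`, `runWithoutDom` and `runWithFakeDom` are invented here, and the sample script is constructed from the snippet above with the elided payload replaced by a marker.

```javascript
// Added example, not JSDetox's code: a deliberately minimal emulation of the
// two DOM entry points the sample above uses. JSDetox's real emulation covers
// far more; this only shows why an emulated `document` is needed at all.

// Captures document.write() output and exposes written elements by id.
function makeFakeDocument() {
  const elements = new Map();
  const written = [];
  return {
    written,
    write(html) {
      written.push(html);
      // Constructed regex for the simple <tag id="...">text</tag> shape in the sample.
      const re = /<(\w+)\s+id="([^"]+)"[^>]*>([\s\S]*?)<\/\1>/g;
      let m;
      while ((m = re.exec(html)) !== null) {
        elements.set(m[2], { tagName: m[1].toUpperCase(), id: m[2], innerHTML: m[3] });
      }
    },
    getElementById(id) {
      return elements.get(id) || null;
    },
  };
}

// Without any DOM the script cannot even be executed: the first reference to
// `document` throws, so a plain JS engine learns nothing about the branch.
function runWithoutDom(source) {
  try {
    new Function(source)();
    return "ran";
  } catch (e) {
    return e.constructor.name + ": " + e.message;
  }
}

// With the stand-in, `document` is the only name the script is handed, and the
// value it reads back lets the guard be evaluated.
function runWithFakeDom(source) {
  const doc = makeFakeDocument();
  const result = new Function("document", source)(doc);
  return { result, written: doc.written };
}

// Constructed sample modelled on the snippet quoted above.
const SAMPLE = `
  document.write('<div id="AU4Ae">212</div>');
  var OoF2wUnZ = parseInt(document.getElementById("AU4Ae").innerHTML);
  if (OoF2wUnZ == 212) { return "guard passed: value read back from emulated DOM"; }
  return "guard failed";
`;

console.log(runWithoutDom(SAMPLE));
console.log(runWithFakeDom(SAMPLE).result);
```

The captured `written` array is what an analyst inspects afterwards: anything the script writes into the page (hidden elements, further script tags) ends up there instead of in a real browser.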
