Didier Stevens

SpiderMonkey

My SpiderMonkey is a modified version of Mozilla’s C implementation of JavaScript, with some extra functions to help with malware analysis.

Additional functionality:

  • document.write
  • eval(arg) writes arg to a file
  • window.navigate

Details in my blog posts here, here and here.
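How hooks of this kind expose the layers of an obfuscated script, as an added example (not code from the modified SpiderMonkey; `analyze`, its log structure and the sample script are constructed here). The script's `eval`, `document` and `window` are replaced with logging stand-ins:

```javascript
// Added illustration; analyze() and the sample are constructed, not from the tool.
// Real samples belong in an isolated analysis VM: new Function is not a sandbox.
function analyze(source) {
  const log = { eval: [], write: [], navigate: [] };

  // Hooked eval: record the argument (one deobfuscation layer), then run it
  // with the same hooks in place so nested layers are recorded too.
  const hookedEval = (arg) => {
    if (typeof arg !== 'string') return arg; // eval(nonString) returns it as-is
    log.eval.push(arg);
    return run(arg);
  };
  // Stub browser objects that a standalone JavaScript engine does not provide.
  const document = { write: (...parts) => { log.write.push(parts.join('')); } };
  const window = { navigate: (url) => { log.navigate.push(String(url)); } };

  function run(code) {
    // Parameters named eval/document/window shadow the globals inside the
    // script. Function-constructor bodies are sloppy mode, so `eval` is a
    // legal parameter name. Each layer gets its own function scope.
    const fn = new Function('eval', 'document', 'window', code);
    return fn(hookedEval, document, window);
  }

  try {
    run(source);
  } catch (err) {
    log.error = String(err); // keep the layers captured before the failure
  }
  return log;
}

// Constructed, harmless sample with two layers of obfuscation.
const inner = 'document.write("<p>decoded</p>"); window.navigate("http://example.invalid/next");';
const layer2 = 'eval(' + JSON.stringify(inner) + ');';
const codes = Array.from(layer2, (c) => c.charCodeAt(0)).join(',');
const SAMPLE = 'var s = String.fromCharCode(' + codes + '); eval(s);';

const report = analyze(SAMPLE);
console.log(JSON.stringify(report, null, 2));
```
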

Download source code:

js-1.7.0-mod.tar.gz (https)

MD5: A64B079FAEFD6BA23CAC3FCC7EF41AC7

SHA-256: 74DD063F13647505ABB11FA3D1A5D44DA35A3F73F18FE973F93FBA5E349B8BA9

js-1.5-mod-0.3.tar.gz (https)

MD5: 59D7C7F67903A00AFC97C9BEDD7E1F54

SHA-256: B1B51F3FD357635AD6BE90D183416DAA7783972F9BAF15E36B0A5B9BF748A570

33 Comments »

  1. [...] patched this new version (download on my SpiderMonkey page), and decided to add another small trick: implement the window object with the navigate [...]

    Pingback by A Third SpiderMonkey Trick « Didier Stevens — Tuesday 19 August 2008 @ 22:52

  2. Nice work. You would like to add support for document.location and navigator.appversion as malicious scripts use it and we need to manually tweak them at this moment :(

    Comment by secgeek — Wednesday 20 August 2008 @ 10:51

  3. I’ll put it on my todo list.

    Comment by Didier Stevens — Saturday 23 August 2008 @ 12:00

  4. [...] Adobe Acrobat JavaScript method with a vulnerability (fixed in Adobe Acrobat Reader 8.1.2). My Spidermonkey helps me to extract the shell [...]

    Pingback by Analyzing a Malicious PDF File « Didier Stevens — Monday 20 October 2008 @ 21:44

  5. Would it be possible to publish a Changelog and a set of diffs so that your patches could be applied to, say, spidermonkey 1.9? I’d really just love to be able to patch my local tree with your changes, though without the diffs, it’s rather harder.

    Comment by Nick — Wednesday 22 October 2008 @ 19:35

  6. I don’t have diff files, but I kept a list of files I modified:

    new:
    jsdocument.c
    jsdocument.h

    change:
    makefile.ref
    jsapi.c
    jsproto.tbl
    jsobj.c

    I used this version: ftp://ftp.mozilla.org/pub/mozilla.org/js/js-1.7.0.tar.gz

    Comment by Didier Stevens — Wednesday 22 October 2008 @ 19:50

  7. Wait, sorry, I guess the last release of SpiderMonkey alone was 1.7, I think it’s now rolled into xulrunner (currently 1.9)… I wonder if they’ve changed the spidermonkey source since then.

    Comment by Nick — Wednesday 22 October 2008 @ 20:16

  8. Excellent job! I’ve added a navigator object to spidermonkey. In my blog I gave you credit for the excellent job that you’ve done, and a link back to this post. The exact post is http://blackcodeseo.com/python-spidermonkey-navigator/

    Comment by Matt — Wednesday 29 October 2008 @ 20:56

  9. Thanks. I’ll take a look at this Python-Spidermonkey module.

    Comment by Didier Stevens — Thursday 30 October 2008 @ 14:47

  10. Has anybody had any luck building this version under vista? I get the following error:

    jsobj.obj : error LNK2019: unresolved external symbol _snprintf referenced in function _obj_eval
    WINNT6.0_DBG.OBJ/js32.dll : fatal error LNK1120: 1 unresolved externals
    make[1]: *** [WINNT6.0_DBG.OBJ/js32.dll] Error 96
    make[1]: Leaving directory `/d/Code/Personal/js-1.7.0-mod/js/src'

    I am using the make file from the python-spidermonkey source in google code (hxxp://code.google.com/p/python-spidermonkey/source/browse/trunk/js/src/config/WINNT6.0.mk).

    I’d appreciate any help.

    Chris

    Comment by Chris Blazek — Friday 16 January 2009 @ 22:16

  11. Looks like you’re not linking the library with snprintf (or it’s not included in the library). You could try to edit the code and replace snprintf with sprintf (remove the length argument).

    Paul Melson has compiled it: http://pmelson.blogspot.com/2007/12/building-didier-stevens-spidermonkey-in.html

    Comment by Didier Stevens — Saturday 17 January 2009 @ 15:28

  12. Have you been able to patch spidermonkey 1.9?

    Comment by Sebastian — Tuesday 26 May 2009 @ 8:34

  13. Not yet, it’s on my todo list.

    Comment by Didier Stevens — Tuesday 26 May 2009 @ 9:49

  14. I know this is an old thread, but a co-worker asked me to build a copy for him today and I discovered something.

    The unresolved _snprintf is due to a couple of calls to snprintf in jsobj.c that should be replaced with JS_snprintf like all of the others. This fixed the unresolved external for me and I was able to compile for Windows the “normal” way.

    Comment by bgh — Wednesday 16 December 2009 @ 21:49

  15. Thanks for the info. What compiler did you use?

    Comment by Didier Stevens — Saturday 19 December 2009 @ 10:31

  16. Hi! I’ve never used JavaScript before. But now I’ve to start learning and using it. I’ve been given a project related to malicious JavaScript and my senior here asked me to begin reading about SpiderMonkey, Libemu, Malzilla, Jsunpack etc. Here I’d like to ask help from you, are there any links on tutorials that are possibly very good for a total beginner like me, that you would suggest?

    Thanks in advance for any help from you.

    Comment by Js.Newbie — Thursday 24 December 2009 @ 8:26

  17. Do you have any programming experience in another language?

    Comment by Didier Stevens — Thursday 24 December 2009 @ 11:18

  18. Yes I do. I use C, C++ and Java. Ah yeah. I now too have to study Ruby. I’ve just understood what my task actually is about. I need to code a program in Ruby of which it can analyze any malicious JavaScript. (Here I still need to learn JavaScript, needn’t I?)

    Comment by Js.Newbie — Thursday 24 December 2009 @ 14:48

  19. @Js.Newbie Yes, but this shouldn’t be a problem as you know several imperative programming languages. And you’ll need to read the JavaScript specification of the engine you want to emulate.

    Comment by Didier Stevens — Friday 1 January 2010 @ 14:13

  20. I may be old, but I’m slow. ;-)

    > 15. Thanks for the info. What compiler did you use?

    I used Visual Studio 2008, and used the instructions provided by Mozilla for building in that environment.

    There is a Windows build “package” that includes cygwin and various utilities and configuration batch files. Google “mozillabuild” to find the Windows build instructions and a download link for that package.

    Comment by bgh — Thursday 1 April 2010 @ 17:24

  21. Bootcamp XX: A page that does something III…

    Several people have already managed the task concerning the analysis of an obfuscated script. With this task I managed to inspire an interesting post: Beating JavaScript obfuscators with Firebug. For my part, I have prepared a small modification of the task…

    Trackback by Wampiryczny blog — Thursday 15 April 2010 @ 15:01

  22. [...] what it was doing. To do the deobfuscation, I used Didier Stevens modified version of spidermonkey (http://blog.didierstevens.com/programs/spidermonkey/). Spidermonkey is Mozilla’s C implementation of javascript, and the modified version has some [...]

    Pingback by c26labs » Simple javascript deobfuscation — Sunday 18 July 2010 @ 13:08

  23. I’m having problem understanding how to install this. Could anyone help? I’m using Ubuntu 10.04. All the install instructions I can find wants me to run make -f Makefile.ref and then just copy header files. There’s no binary?

    Comment by William — Saturday 20 November 2010 @ 13:37

  24. @William Correct, there’s no binary, you’ve to build with make. After that, you’ll find file js somewhere in the subdirectories, can’t remember which exactly.

    Comment by Didier Stevens — Saturday 20 November 2010 @ 19:36

  25. Hey There,

    I built the conventional release of 1.8 spidermonkey .. do I need to rebuild your own version or can I just patch the current build of my spidermonkey ??

    Do you have only 1.7 .. or 1.8 is available ?..
    thanks in advance
    [patc0m]

    Comment by Patc0m — Thursday 23 December 2010 @ 11:41

  26. ho.. ops .. sorry I forgot to mention .. I build in UBUNTU .. 10.0.4 (64bits)
    ;-)
    thanks again

    Comment by Patc0m — Thursday 23 December 2010 @ 11:42

  27. @Patc0m You need to build my version. And I’ve not updated to 1.8 yet, but I list the changed source files, so you can diff and apply your own on 1.8.

    Comment by Didier Stevens — Saturday 25 December 2010 @ 11:38

  28. okidok .. this is what I thought .. :-)

    thanks Didier .. as a researcher I must tell you that, your work is always appreciated and super-useful !!!!

    Comment by Patc0m — Monday 27 December 2010 @ 9:29

  29. [...] SpiderMonkey [...]

    Pingback by Malicious PDF Analysis Workshop Screencasts « Didier Stevens — Wednesday 25 May 2011 @ 15:59

  30. I tried to build using make -f Makefile.ref and I get the following error:
    config.mk:150: config/WINNT6.1-WOW64.mk: No such file or directory
    cat: ../../dist/WINNT6.1-WOW64_DBG.OBJ/nspr/Version: No such file or directory
    make: *** No rule to make target `config/WINNT6.1-WOW64.mk'. Stop.

    I don’t know what to do next.

    Comment by cashcashjonny — Friday 20 April 2012 @ 10:50

  31. @cashcashjonny What environment?

    Comment by Didier Stevens — Saturday 21 April 2012 @ 10:19

  32. @ Comment 31. by Didier Stevens — Saturday 21 April 2012 @ 10:19

    I am using windows 7 home premium with cygwin, I also tried: mingw32-make -f Makefile.ref (on another machine with windows 7 home premium with codeblocks & MingW) which failed.

    I also put Visual C++ 2010 in the path and ran nmake -f Makefile.ref resulting in the following error:

    config.mk(40) : fatal error U1034: syntax error : separator missing
    Stop.

    Thank you.

    Comment by cashcashjonny — Sunday 22 April 2012 @ 0:46

  33. @cashcashjonny I’ve done that myself. Have you tried to compile the unpatched SM following their instructions for Windows?

    Comment by Didier Stevens — Monday 23 April 2012 @ 19:22

