Didier Stevens

SpiderMonkey

My SpiderMonkey is a modified version of Mozilla’s C implementation of JavaScript, with some extra functions to help with malware analysis.

Additional functionality:

  • document.write
  • eval(arg) writes arg to a file
  • window.navigate

Details in my blog posts here, here and here.

spidermonkey3.png

Download source code:

js-1.7.0-mod.tar.gz (https)

MD5: A64B079FAEFD6BA23CAC3FCC7EF41AC7

SHA-256: 74DD063F13647505ABB11FA3D1A5D44DA35A3F73F18FE973F93FBA5E349B8BA9
js-1.5-mod-0.3.tar.gz (https)

MD5: 59D7C7F67903A00AFC97C9BEDD7E1F54

SHA256: B1B51F3FD357635AD6BE90D183416DAA7783972F9BAF15E36B0A5B9BF748A570

19 Comments »

  1. [...] patched this new version (download on my SpiderMonkey page), and decided to add another small trick: implement the window object with the navigate [...]

    Pingback by A Third SpiderMonkey Trick « Didier Stevens — Tuesday 19 August 2008 @ 22:52

  2. nice work.you would like to add support for document.location and navigator.appversion as malicious scripts uses it and we need to manaully tweak them at this moment :(

    Comment by secgeek — Wednesday 20 August 2008 @ 10:51

  3. I’ll put it on my todo list.

    Comment by Didier Stevens — Saturday 23 August 2008 @ 12:00

  4. [...] Adobe Acrobat JavaScript method with a vulnerability (fixed in Adobe Acrobat Reader 8.1.2). My Spidermonkey helps me to extract the shell [...]

    Pingback by Analyzing a Malicious PDF File « Didier Stevens — Monday 20 October 2008 @ 21:44

  5. Would it be possible to publish a Changelog and a set of diffs so that your patches could be applied to, say, spidermonkey 1.9? I’d really just love to be able to patch my local tree with your changes, though without the diffs, it’s rather harder.

    Comment by Nick — Wednesday 22 October 2008 @ 19:35

  6. I don’t have diff files, but I kept a list of files I modified:

    new:
    jsdocument.c
    jsdocument.h

    change:
    makefile.ref
    jsapi.c
    jsproto.tbl
    jsobj.c

    I used this version: ftp://ftp.mozilla.org/pub/mozilla.org/js/js-1.7.0.tar.gz

    Comment by Didier Stevens — Wednesday 22 October 2008 @ 19:50

  7. Wait, sorry, I guess the last release of SpiderMonkey alone was 1.7, I think it’s now rolled into xulrunner (currently 1.9)… I wonder if they’ve changed the spidermonkey source since then.

    Comment by Nick — Wednesday 22 October 2008 @ 20:16

  8. Excellent job! I’ve added a navigator object to spidermonkey. In my blog I gave you credit for the excellent job that you’ve done, and a link back to this post. The exact post is http://blackcodeseo.com/python-spidermonkey-navigator/

    Comment by Matt — Wednesday 29 October 2008 @ 20:56

  9. Thanks. I’ll take a look at this Python-Spidermonkey module.

    Comment by Didier Stevens — Thursday 30 October 2008 @ 14:47

  10. Has anybody had any luck building this version under vista? I get the following error:

    jsobj.obj : error LNK2019: unresolved external symbol _snprintf referenced in fu
    nction _obj_eval
    WINNT6.0_DBG.OBJ/js32.dll : fatal error LNK1120: 1 unresolved externals
    make[1]: *** [WINNT6.0_DBG.OBJ/js32.dll] Error 96
    make[1]: Leaving directory `/d/Code/Personal/js-1.7.0-mod/js/src’

    I am using the make file from the python-spidermonkey source in google code (hxxp://code.google.com/p/python-spidermonkey/source/browse/trunk/js/src/config/WINNT6.0.mk).

    I’d appreciate any help.

    Chris

    Comment by Chris Blazek — Friday 16 January 2009 @ 22:16

  11. Looks like you’re not linking the library with snprintf (or it’s not included in the library). You could try to edit the code and replace snprintf with sprintf (remove the length argument).

    Paul Melson has compiled it: http://pmelson.blogspot.com/2007/12/building-didier-stevens-spidermonkey-in.html

    Comment by Didier Stevens — Saturday 17 January 2009 @ 15:28

  12. Have you been able to patch spidermonkey 1.9?

    Comment by Sebastian — Tuesday 26 May 2009 @ 8:34

  13. Not yet, it’s on my todo list.

    Comment by Didier Stevens — Tuesday 26 May 2009 @ 9:49

  14. I know this is an old thread, but a co-worker asked me to build a copy for him today and I discovered something.

    The unresolved _snprintf is due to a couple of calls to snprintf in jsobj.c that should be replaced with JS_snprintf like all of the others. This fixed the unresolved external for me and I was able to compile for Windows the “normal” way.

    Comment by bgh — Wednesday 16 December 2009 @ 21:49

  15. Thanks for the info. What compiler did you use?

    Comment by Didier Stevens — Saturday 19 December 2009 @ 10:31

  16. Hi! I’ve never used JavaScript before. But now i’ve to start learning and using it. I’ve been given a project related to malicious JavaScript and my senior here asked me to begin reading about SpiderMonkey, Libemu, Malzilla, Jsunpack etc. Here i’d like to ask help from you, are there any links on tutorials that are possibly very good for a total beginner like me, that you would suggest?

    Thanks in advance for any help from you.

    Comment by Js.Newbie — Thursday 24 December 2009 @ 8:26

  17. Do you have any programming experience in another language?

    Comment by Didier Stevens — Thursday 24 December 2009 @ 11:18

  18. Yes i do. I use C, C++ and Java. Ah yeah. I now too have to study Ruby. I’ve just understood what my task actually is about. I need to code a program in Ruby of which it can analyze any malicious JavaScript. (Here i still need to learn JavaScript,needn’t i?)

    Comment by Js.Newbie — Thursday 24 December 2009 @ 14:48

  19. @Js.Newbie Yes, but this shouldn’t be a problem as you now several imperative programming languages. And you’ll need to read the JavaScript specification of the engine you want to emulate.

    Comment by Didier Stevens — Friday 1 January 2010 @ 14:13


RSS feed for comments on this post. TrackBack URI

Leave a comment

Blog at WordPress.com.