Didier Stevens

SpiderMonkey

My SpiderMonkey is a modified version of Mozilla’s C implementation of JavaScript, with some extra functions to help with malware analysis.

Additional functionality:

  • document.write
  • eval(arg) writes arg to a file
  • window.navigate

Details in my blog posts here, here and here.
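The three hooks listed above can be approximated in plain Node.js. This is an added example, not the C patch offered for download on this page: `analyze`, `maxLayers`, `SAMPLE` and the in-memory log (instead of a file) are assumptions of the sketch, which also executes each eval argument so that nested layers are captured.

```javascript
// Added example: approximates the page's three hooks with Node's vm module.
// analyze(), maxLayers and SAMPLE are names made up for this sketch.
const vm = require('vm');

function analyze(source, { maxLayers = 20, timeout = 1000 } = {}) {
  const log = [];   // ordered record of every hooked call
  let layers = 0;
  const record = (hook) => (arg) => { log.push({ hook, arg: String(arg) }); };

  const sandbox = {
    document: { write: record('document.write') },
    window: { navigate: record('window.navigate') },
    // Replacement eval: keep the argument (the modified engine writes it to
    // a file; here it goes into the log), then run it in the same context
    // so that nested layers reach the hooks as well.
    eval: (code) => {
      if (typeof code !== 'string') return code;   // same as the real eval
      log.push({ hook: 'eval', arg: code });
      if (++layers > maxLayers) throw new Error('eval layer limit reached');
      return vm.runInContext(code, context, { timeout });
    },
  };
  const context = vm.createContext(sandbox);
  try {
    vm.runInContext(source, context, { timeout });
  } catch (err) {
    // Scripts often touch objects that are not stubbed; keep what was captured.
    log.push({ hook: 'error', arg: String(err && err.message) });
  }
  return log;
}

// Constructed, harmless sample: two eval layers hiding a write and a redirect.
const inner = 'document.write("<p>layer 2</p>");' +
              'window.navigate("http://example.invalid/next");';
const codes = Array.from(inner, (c) => c.charCodeAt(0)).join(',');
const SAMPLE = `var p = "ev" + "al(String.fromCharCode(${codes}))"; eval(p);`;

for (const { hook, arg } of analyze(SAMPLE)) console.log(`[${hook}] ${arg}`);
```

Node's `vm` module is not a security boundary, so a harness like this belongs on an isolated analysis machine, the same as any other tool that executes untrusted script.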

Download source code:

js-1.7.0-mod.tar.gz (https)

MD5: A64B079FAEFD6BA23CAC3FCC7EF41AC7

SHA-256: 74DD063F13647505ABB11FA3D1A5D44DA35A3F73F18FE973F93FBA5E349B8BA9

js-1.5-mod-0.3.tar.gz (https)

MD5: 59D7C7F67903A00AFC97C9BEDD7E1F54

SHA-256: B1B51F3FD357635AD6BE90D183416DAA7783972F9BAF15E36B0A5B9BF748A570

9 Comments »

  1. [...] patched this new version (download on my SpiderMonkey page), and decided to add another small trick: implement the window object with the navigate [...]

    Pingback by A Third SpiderMonkey Trick « Didier Stevens — Tuesday 19 August 2008 @ 22:52

  2. Nice work. You would like to add support for document.location and navigator.appversion, as malicious scripts use it and we need to manually tweak them at this moment :(

    Comment by secgeek — Wednesday 20 August 2008 @ 10:51

  3. I’ll put it on my todo list.

    Comment by Didier Stevens — Saturday 23 August 2008 @ 12:00

  4. [...] Adobe Acrobat JavaScript method with a vulnerability (fixed in Adobe Acrobat Reader 8.1.2). My Spidermonkey helps me to extract the shell [...]

    Pingback by Analyzing a Malicious PDF File « Didier Stevens — Monday 20 October 2008 @ 21:44

  5. Would it be possible to publish a Changelog and a set of diffs so that your patches could be applied to, say, spidermonkey 1.9? I’d really just love to be able to patch my local tree with your changes, though without the diffs, it’s rather harder.

    Comment by Nick — Wednesday 22 October 2008 @ 19:35

  6. I don’t have diff files, but I kept a list of files I modified:

    new:
    jsdocument.c
    jsdocument.h

    change:
    makefile.ref
    jsapi.c
    jsproto.tbl
    jsobj.c

    I used this version: ftp://ftp.mozilla.org/pub/mozilla.org/js/js-1.7.0.tar.gz

    Comment by Didier Stevens — Wednesday 22 October 2008 @ 19:50

  7. Wait, sorry, I guess the last release of SpiderMonkey alone was 1.7, I think it’s now rolled into xulrunner (currently 1.9)… I wonder if they’ve changed the spidermonkey source since then.

    Comment by Nick — Wednesday 22 October 2008 @ 20:16

  8. Excellent job! I’ve added a navigator object to spidermonkey. In my blog I gave you credit for the excellent job that you’ve done, and a link back to this post. The exact post is http://blackcodeseo.com/python-spidermonkey-navigator/

    Comment by Matt — Wednesday 29 October 2008 @ 20:56

  9. Thanks. I’ll take a look at this Python-Spidermonkey module.

    Comment by Didier Stevens — Thursday 30 October 2008 @ 14:47
