Didier Stevens

Thursday 19 April 2018

Update: Patched SpiderMonkey

Filed under: My Software,Update — Didier Stevens @ 0:00

I was showing a colleague how to use my patched SpiderMonkey to analyze obfuscated JavaScript, when I realized I had not yet released my latest version.

SpiderMonkey is an opensource JavaScript interpreter. I modified it to help with malware analysis. For example, my version will dump the argument of the eval function, and I’ve implemented document.write and window.navigate (dumping arguments too).

This latest version was developed a couple of years ago (that’s why it’s still based on SpiderMonkey 1.7) to dump arguments to stdout. Previous versions of my patched SpiderMonkey dump arguments to files, in this latest version, you can choose were to dump the arguments. A method was added to object document: document.output(arg). This output method takes one argument: a string. The following values may be used as argument:

  • ‘a’ ASCII/HEX dump
  • ‘x’ HEX dump
  • ‘d’ raw dump
  • ‘A’ pure ASCII/HEX dump
  • ‘x’ pure HEX dump
  • ‘d’ pure raw dump
  • ‘f’ file dump

The ZIP file you can download contains source code and executables for Windows, Linux and OSX. There are 2 versions: js-ascii.exe and js-file.exe. Both are identical, except for their default output behavior. js-file.exe will output arguments by default to files (and thus behave like previous versions of SpiderMonkey) and js-ascii.exe will output arguments by default as ASCII/HEX dump to the console.

I prefer to use js-ascii.exe now, and I’ve renamed it to js.exe (like previous versions).

The ASCII/HEX dump allows me to see exactly, at the byte-level, what is passed as argument to eval.

js-1.7.0-mod-c.zip (https)
MD5: B14B522E81366D6AAF3B7EB235B62707
SHA256: 2CCB2F57DF706A8EE689C54B18A0EA7BB052EF08BA233F1319119825DB32927B

3 Comments »

  1. […] also possible to provide JavaScript scripts for parsing to SpiderMonkey via STDIN. You can pass filename – to js for processing STDIN […]

    Pingback by SpiderMonkey and STDIN | Didier Stevens — Tuesday 24 April 2018 @ 0:00

  2. […] Update: Patched SpiderMonkey […]

    Pingback by Overview of Content Published In April | Didier Stevens — Tuesday 1 May 2018 @ 8:23

  3. […] I created a video to illustrate the new features of my modified SpiderMonkey version: […]

    Pingback by Video: SpiderMonkey Output Options | Didier Stevens — Monday 21 May 2018 @ 10:43


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.