Didier Stevens

SpiderMonkey

My SpiderMonkey is a modified version of Mozilla’s C implementation of JavaScript, with some extra functions to help with malware analysis.

Additional functionality:

  • document.write
  • eval(arg) writes arg to a file
  • window.navigate

Details in my blog posts here, here, here, here and here.

spidermonkey3.png

Download source code and binaries (Windows, Linux and OSX):

js-1.7.0-mod-c.zip (https)
MD5: B14B522E81366D6AAF3B7EB235B62707
SHA256: 2CCB2F57DF706A8EE689C54B18A0EA7BB052EF08BA233F1319119825DB32927B

39 Comments »

  1. […] patched this new version (download on my SpiderMonkey page), and decided to add another small trick: implement the window object with the navigate […]

    Pingback by A Third SpiderMonkey Trick « Didier Stevens — Tuesday 19 August 2008 @ 22:52

  2. nice work.you would like to add support for document.location and navigator.appversion as malicious scripts uses it and we need to manaully tweak them at this moment 😦

    Comment by secgeek — Wednesday 20 August 2008 @ 10:51

  3. I’ll put it on my todo list.

    Comment by Didier Stevens — Saturday 23 August 2008 @ 12:00

  4. […] Adobe Acrobat JavaScript method with a vulnerability (fixed in Adobe Acrobat Reader 8.1.2). My Spidermonkey helps me to extract the shell […]

    Pingback by Analyzing a Malicious PDF File « Didier Stevens — Monday 20 October 2008 @ 21:44

  5. Would it be possible to publish a Changelog and a set of diffs so that your patches could be applied to, say, spidermonkey 1.9? I’d really just love to be able to patch my local tree with your changes, though without the diffs, it’s rather harder.

    Comment by Nick — Wednesday 22 October 2008 @ 19:35

  6. I don’t have diff files, but I kept a list of files I modified:

    new:
    jsdocument.c
    jsdocument.h

    change:
    makefile.ref
    jsapi.c
    jsproto.tbl
    jsobj.c

    I used this version: ftp://ftp.mozilla.org/pub/mozilla.org/js/js-1.7.0.tar.gz

    Comment by Didier Stevens — Wednesday 22 October 2008 @ 19:50

  7. Wait, sorry, I guess the last release of SpiderMonkey alone was 1.7, I think it’s now rolled into xulrunner (currently 1.9)… I wonder if they’ve changed the spidermonkey source since then.

    Comment by Nick — Wednesday 22 October 2008 @ 20:16

  8. Excellent job! I’ve added a navigator object to spidermonkey. In my blog I gave you credit for the excellent job that you’ve done, and a link back to this post. The exact post is http://blackcodeseo.com/python-spidermonkey-navigator/

    Comment by Matt — Wednesday 29 October 2008 @ 20:56

  9. Thanks. I’ll take a look at this Python-Spidermonkey module.

    Comment by Didier Stevens — Thursday 30 October 2008 @ 14:47

  10. Has anybody had any luck building this version under vista? I get the following error:

    jsobj.obj : error LNK2019: unresolved external symbol _snprintf referenced in fu
    nction _obj_eval
    WINNT6.0_DBG.OBJ/js32.dll : fatal error LNK1120: 1 unresolved externals
    make[1]: *** [WINNT6.0_DBG.OBJ/js32.dll] Error 96
    make[1]: Leaving directory `/d/Code/Personal/js-1.7.0-mod/js/src’

    I am using the make file from the python-spidermonkey source in google code (hxxp://code.google.com/p/python-spidermonkey/source/browse/trunk/js/src/config/WINNT6.0.mk).

    I’d appreciate any help.

    Chris

    Comment by Chris Blazek — Friday 16 January 2009 @ 22:16

  11. Looks like you’re not linking the library with snprintf (or it’s not included in the library). You could try to edit the code and replace snprintf with sprintf (remove the length argument).

    Paul Melson has compiled it: http://pmelson.blogspot.com/2007/12/building-didier-stevens-spidermonkey-in.html

    Comment by Didier Stevens — Saturday 17 January 2009 @ 15:28

  12. Have you been able to patch spidermonkey 1.9?

    Comment by Sebastian — Tuesday 26 May 2009 @ 8:34

  13. Not yet, it’s on my todo list.

    Comment by Didier Stevens — Tuesday 26 May 2009 @ 9:49

  14. I know this is an old thread, but a co-worker asked me to build a copy for him today and I discovered something.

    The unresolved _snprintf is due to a couple of calls to snprintf in jsobj.c that should be replaced with JS_snprintf like all of the others. This fixed the unresolved external for me and I was able to compile for Windows the “normal” way.

    Comment by bgh — Wednesday 16 December 2009 @ 21:49

  15. Thanks for the info. What compiler did you use?

    Comment by Didier Stevens — Saturday 19 December 2009 @ 10:31

  16. Hi! I’ve never used JavaScript before. But now i’ve to start learning and using it. I’ve been given a project related to malicious JavaScript and my senior here asked me to begin reading about SpiderMonkey, Libemu, Malzilla, Jsunpack etc. Here i’d like to ask help from you, are there any links on tutorials that are possibly very good for a total beginner like me, that you would suggest?

    Thanks in advance for any help from you.

    Comment by Js.Newbie — Thursday 24 December 2009 @ 8:26

  17. Do you have any programming experience in another language?

    Comment by Didier Stevens — Thursday 24 December 2009 @ 11:18

  18. Yes i do. I use C, C++ and Java. Ah yeah. I now too have to study Ruby. I’ve just understood what my task actually is about. I need to code a program in Ruby of which it can analyze any malicious JavaScript. (Here i still need to learn JavaScript,needn’t i?)

    Comment by Js.Newbie — Thursday 24 December 2009 @ 14:48

  19. @Js.Newbie Yes, but this shouldn’t be a problem as you now several imperative programming languages. And you’ll need to read the JavaScript specification of the engine you want to emulate.

    Comment by Didier Stevens — Friday 1 January 2010 @ 14:13

  20. I may be old, but I’m slow. 😉

    > 15. Thanks for the info. What compiler did you use?

    I used Visual Studio 2008, and used the instructions provided by Mozilla for building in that environment.

    There is a Windows build “package” that includes cygwin and various utilities and configuration batch files. Google “mozillabuild” to find the Windows build instructions and a download link for that package.

    Comment by bgh — Thursday 1 April 2010 @ 17:24

  21. Bootcamp XX: Strona, która coś robi III…

    Z zadaniem dotyczącym analizy obfuskowanego skryptu poradziło sobie już kilka osób. Udało mi się zainspirować tym zadaniem powstanie ciekawego wpisu: Beating JavaScript obfuscators with Firebug. Ja ze swojej strony przygotowałem drobną modyfikację zada…

    Trackback by Wampiryczny blog — Thursday 15 April 2010 @ 15:01

  22. […] what it was doing. To do the deobfuscation, I used Didier Stevens modified version of spidermonkey (https://blog.didierstevens.com/programs/spidermonkey/). Spidermonkey is Mozilla’s C implementation of javascript, and the modified version has some […]

    Pingback by c26labs » Simple javascript deobfuscation — Sunday 18 July 2010 @ 13:08

  23. I’m having problem understanding how to install this. Could anyone help? I’m using Ubuntu 10.04. All the install instructions I can find wants me to run make -f Makefile.ref and then just copy header files. There’s no binary?

    Comment by William — Saturday 20 November 2010 @ 13:37

  24. @William Correct, there’s no binary, you’ve to build with make. After that, you’ll find file js somewhere in the subdirectories, can’t remember which exactly.

    Comment by Didier Stevens — Saturday 20 November 2010 @ 19:36

  25. Hey There,

    I built the conventional release of 1.8 spidermonkey .. do I need to rebuild your own version or can I just patch the current build of my spidermonkey ??

    Do you have only 1.7 .. or 1.8 is available ?..
    thanks in advance
    [patc0m]

    Comment by Patc0m — Thursday 23 December 2010 @ 11:41

  26. ho.. ops .. sorry I forgot to mention .. I build in UBUNTU .. 10.0.4 (64bits)

    😉
    thanks again

    Comment by Patc0m — Thursday 23 December 2010 @ 11:42

  27. @Patc0m You need to build my version. And I’ve not updated to 1.8 yet, but I list the changed source files, so you can diff and apply your own on 1.8.

    Comment by Didier Stevens — Saturday 25 December 2010 @ 11:38

  28. okidok .. this is what I thought .. 🙂

    thanks Didier .. as a researcher I must tell you that, your work is always appreciated and super-useful !!!!

    Comment by Patc0m — Monday 27 December 2010 @ 9:29

  29. […] SpiderMonkey […]

    Pingback by Malicious PDF Analysis Workshop Screencasts « Didier Stevens — Wednesday 25 May 2011 @ 15:59

  30. I tried to build using make -f Makefile.ref and I get the following error:
    config.mk:150: config/WINNT6.1-WOW64.mk: No such file or directory
    cat: ../../dist/WINNT6.1-WOW64_DBG.OBJ/nspr/Version: No such file or directory
    make: *** No rule to make target `config/WINNT6.1-WOW64.mk’. Stop.

    I don’t know what to do next.

    Comment by cashcashjonny — Friday 20 April 2012 @ 10:50

  31. @cachcashjonny What environment?

    Comment by Didier Stevens — Saturday 21 April 2012 @ 10:19

  32. @ Comment 31. by Didier Stevens — Saturday 21 April 2012 @ 10:19

    I am using windows 7 home premium with cygwin, I also tried: mingw32-make -f Makefile.ref (on another machine with windows 7 home premium with codeblocks & MingW) which failed.

    I also put Visual C++ 2010 in the path and ran nmake -f Makefile.ref resulting in the following error:

    config.mk(40) : fatal error U1034: syntax error : separator missing
    Stop.

    Thank you.

    Comment by cashcashjonny — Sunday 22 April 2012 @ 0:46

  33. @cashcashjonny I’ve done that myself. Have you tried to compile the unpatched SM following their instructions for Windows?

    Comment by Didier Stevens — Monday 23 April 2012 @ 19:22

  34. Hi, can you help me to implement your spidermonkey engine in Links 2.9 browser?
    I’m A VERY BEGINNER IN USE OF DJGPP (Gcc for DOS).

    Thanks

    Roberto iw2evk

    Comment by Roberto Perotti — Saturday 3 January 2015 @ 12:33

  35. Sorry, I don’t know DJGPP

    Comment by Didier Stevens — Saturday 3 January 2015 @ 13:26

  36. […] SpiderMonkey […]

    Pingback by Deobfuskacja JavaScript – część trzecia — Wednesday 9 September 2015 @ 7:54

  37. Additional functionality:

    document.write
    eval(arg) writes arg to a file
    window.navigate

    Could you also add and make them to output the contents to a file?
    window.location
    window.location.*
    document.location
    self.location

    Comment by ico — Tuesday 14 March 2017 @ 14:52

  38. […] then on use SpiderMonkey and Didier Stevens’ extension, jsunpack-n (not an engine) or whatever JavaScript engines you can find. For SWF files use a tool […]

    Pingback by (Not) All She Wrote: Rigged PDFs | Security Over Simplicity — Thursday 28 September 2017 @ 17:18

  39. […] was showing a colleague how to use my patched SpiderMonkey to analyze obfuscated JavaScript, when I realized I had not yet released my latest […]

    Pingback by Update: Patched SpiderMonkey | Didier Stevens — Thursday 19 April 2018 @ 0:00


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.