Deobfuscating JavaScript at the Browser

The Websense Security Labs Blog has an interesting post up about one method of deobfuscating JavaScript. As I've alluded to in previous posts, any code that's pushed to the client's browser must eventually be understandable by that browser. This is why the malicious scripts have to contain code to deobfuscate themselves. The trouble, of course, is getting the script to run without actually running the malicious content.

My method has primarily been to replicate the script's functionality and evaluation of code with a Perl script on a *nix command line. If everything is getting printed to STDOUT instead of into the source of an HTML file inside a browser, there is no chance that the code could execute. This has worked well but can often be tedious.

The method discussed in the post above involves hooking the document.write function of JavaScript inside mshtml.dll. With this in place an analyst can extract the deobfuscated code before it is fully processed by the browser. That's clever!
