SANS ISC InfoSec Handlers Diary Blog


Deobfuscating javascript

Published: 2007-10-09
Last Updated: 2007-10-10 00:08:43 UTC
by Swa Frantzen (Version: 1)

Obfuscated javascript is something you run into as soon as you start to look at suspicious websites.

Marco wrote in to suggest an approach, with code, that uses javascript itself to change what eval() and document.write() do, replacing them with a less action-minded alert(). The reason for hooking rather than editing the statements by hand is that obfuscated scripts often contain self-referencing code that makes the de-obfuscation fail if you touch the code itself.

For eval(), add the following before the obfuscated script:

/*override eval*/
function eval(st){
  alert(st);
}
/*original code goes below*/

Similarly for document.write(), add the following before the obfuscated script:

/*override document.write*/
document.write=function(st){
  alert(st);
}
/*original code goes below*/

Do take care when playing with potentially malicious javascript that the attacker didn't change alert() to do something else ... so always walk through it all and do this on an expendable machine.
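
The same hooking idea as a stand-alone Node.js harness, added here as an example (it is not part of the original diary or Marco's code): it records what reaches eval() and document.write() instead of calling alert(), and flags a script that replaces a hook. The names capture, SAMPLE, EDITED and demo, and the sample script itself, are constructed for illustration.

```javascript
const vm = require('vm');

// Run `source` with eval() and document.write() swapped for recorders, so the
// decoded strings are collected instead of being executed or rendered.
function capture(source) {
  const seen = { evals: [], writes: [], tampered: false };
  const evalHook = (st) => { seen.evals.push(String(st)); };
  const doc = { write: (st) => { seen.writes.push(String(st)); } };
  const writeHook = doc.write;
  const sandbox = { eval: evalHook, document: doc };
  // vm is not a security boundary: still use an expendable machine.
  vm.runInNewContext(source, sandbox, { timeout: 1000 });
  // If the script replaced a hook, the capture cannot be trusted.
  seen.tampered = sandbox.eval !== evalHook || sandbox.document !== doc ||
    doc.write !== writeHook;
  return seen;
}

// Constructed, harmless sample: the decoder derives its key from its own
// source text, so an edit inside it silently changes what it decodes.
const DECODER = 'function d(a){var k=arguments.callee.toString().length%64,s="";' +
  'for(var i=0;i<a.length;i++)s+=String.fromCharCode(a[i]^k);return s;}';
const PAYLOAD = 'document.write("<b>decoded layer</b>")';
const KEY = DECODER.length % 64;
const DATA = Array.from(PAYLOAD, (c) => c.charCodeAt(0) ^ KEY);
const CALL = 'eval(d([' + DATA.join(',') + ']));';
const SAMPLE = DECODER + CALL;
// Same sample after an analyst adds a comment inside the decoder.
const EDITED = DECODER.replace('{', '{/*note*/') + CALL;

function demo() {
  const layer1 = capture(SAMPLE);           // untouched script, hooks only
  const layer2 = capture(layer1.evals[0]);  // feed the captured layer back in
  const broken = capture(EDITED);           // edited decoder yields garbage
  return { layer1, layer2, broken };
}

console.log(JSON.stringify(demo(), null, 2));
```

Each captured layer is fed back through capture() rather than executed, so a multi-layer script is peeled one eval() at a time.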

--
Swa Frantzen -- NET2S
