mrpapercut / wscript

MIT License

Provide a CLI version #5

Open mrpapercut opened 7 years ago

mrpapercut commented 7 years ago

Create a version of the emulator that can be run on command line.

Example usage: wscript -i inputscript.js -o outfilename which will then generate the files outfilename-tracer.js and outfilename-vfs.json

Possible options:

 - Perhaps an option that does actually download files if the script asks for it? Would have to be a very explicit flag that isn't accidentally used

CaledoniaProject commented 7 years ago

Hey there, any updates?

mrpapercut commented 7 years ago

Working on it! Hoping to have something to show soon. Quick update: I made progress with binary-handling, which is needed if we actually want to download files. Currently I'm working on running it command-line with options. My preference is that I can combine both features for the next update, but if implementing downloads takes too long I might push that back to a later date

mrpapercut commented 7 years ago

Just a quick update: I've added CLI support on the cli branch. I still need to test it against a larger set of files, so I'm not sure yet if there are unexpected issues. If you want to try it out, set it up like so:

git clone https://github.com/mrpapercut/wscript.git
cd wscript
git checkout cli
npm install

The CLI script is located at lib/index-cli.js:

$ node lib/index-cli.js -h
Usage: node lib\index-cli.js [ -i script.js ] [ -o <output file> ][options]

Run a script against the WScript emulator.

Running with a specified output filename, it will create 2 scripts:
 - filename.tracer.json
 - filename.vfs.json

If no output is specified, output filename is same as input filename.

WARNING: This software does not protect you against malware in any way.
Only run malware against the emulator in protected environments.

Options:
  -i, --input             input file
  -o, --output            output filename.
  -t, --disable-tracer    do not output tracer
  -v, --disable-vfs       do not output vfs

Once I'm confident it works as the webinterface does I will merge branch cli into master. Binary downloading/extraction will be added later

CaledoniaProject commented 6 years ago

Is there any requirements on nodejs?

%> node lib/index-cli.js -i /tmp/test.js -o abc.txt
/private/tmp/wscript/vendor/ProxyGenerator.js:1
(function (exports, require, module, __filename, __dirname) { class ProxyGenerator {
                                                              ^^^^^

SyntaxError: Block-scoped declarations (let, const, function, class) not yet supported outside strict mode
    at exports.runInThisContext (vm.js:53:16)
    at Module._compile (module.js:387:25)
    at Object.Module._extensions..js (module.js:422:10)
    at Module.load (module.js:357:32)
    at Function.Module._load (module.js:314:12)
    at Module.require (module.js:367:17)
    at require (internal/module.js:20:19)
    at Object.<anonymous> (/private/tmp/wscript/lib/WshNamed.js:50:24)
    at Module._compile (module.js:413:34)
    at Object.Module._extensions..js (module.js:422:10)

mrpapercut commented 6 years ago

Yes, you need at least Node 6.4 because it uses quite a few new features. If you're on Windows, get the latest "Current" version (8.1.x right now). If you're on Linux, you're better off building Node from source with this guide: https://github.com/nodejs/node/blob/master/BUILDING.md#building-nodejs-on-supported-platforms because most packages from package-managers are a bit out-of-date

CaledoniaProject commented 6 years ago

Thanks, I'll try a newer version. I'm on Mac, installed nodejs with homebrew

CaledoniaProject commented 6 years ago

It works, but for scripts like this,

WScript.Echo ("Hello")

Will there be actual output?

So far the output looks like what a disassembler does,

%> cat abc.txt.tracer.json
> CONSTRUCT new WshNamed({0: {}})
> CONSTRUCT new WshUnnamed({0: {}})
> CONSTRUCT new WshArguments({})
> CONSTRUCT new WScript()
> CALL WScript.CreateObject("Scripting.FileSystemObject")
> CONSTRUCT new Drives()
> CONSTRUCT new ScriptingFileSystemObject()
> CALL WScript.Echo("Hello")

mrpapercut commented 6 years ago

That is what the output for the tracer should look like. It traces all function calls, as well as getting and setting values. (Note: the first 7 lines are always the same because of initializing WScript).

It emulates its behaviour, but it is not a port of WScript. Objects and methods take the same arguments, return the expected value, throw the same errors etc as the original would. In addition to that, filesystem operations work as expected as well, but with a fake filesystem.

The intended use-case is that you have a heavily obfuscated script, and instead of de-obfuscating it to see what it does (which can take quite a while even for experienced javascript deobfuscators), you simply run it against the emulator to see what is going on inside.

In your example WScript.Echo takes arguments and returns undefined which is exactly what happens in original WScript, but it doesn't show a popup window (or log to console, if you used CScript). When analysing scripts it is not important that it actually shows a popup - it is important to see which functions are called and with what arguments. By reading the tracer you can see what would've happened if you ran the script against the original WScript.

For a more complete example, run the file called 'malwareExample.js' in the testfiles folder. This is a full de-obfuscated malware-downloader with its URLs removed, so it won't infect your machine but it shows exactly what the emulator is made to do.
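To make the tracer idea in the comment above concrete, here is an added example in Node.js. It is not mrpapercut's code and not taken from the wscript repository; it only sketches the technique the comment describes: wrap emulated host objects in a Proxy so every property get, set and method call is logged in a "> CALL ..."-style line, and back the filesystem object with an in-memory map instead of the real disk. The object names (WScript, ScriptingFileSystemObject, TextStream), the trace line format, the fake ScriptFullName value, the error for unsupported ProgIDs and the sample dropper script are all assumptions made for this example.

```javascript
// Added example, not the wscript project's code. Object names, the trace
// format, the VFS shape and the sample script are assumptions modelled on
// the tracer output quoted earlier in this thread.

function createTracer() {
  const lines = [];
  const fmt = (v) => (v === undefined ? 'undefined' : JSON.stringify(v));

  // Wrap `target` so reads, writes and method calls on it are logged under
  // `name`. Methods run against the unwrapped target with the logged args.
  function traced(name, target) {
    lines.push(`> CONSTRUCT new ${name}()`);
    return new Proxy(target, {
      get(obj, prop, receiver) {
        const value = Reflect.get(obj, prop, receiver);
        if (typeof prop === 'symbol') return value;
        if (typeof value === 'function') {
          return (...args) => {
            lines.push(`> CALL ${name}.${prop}(${args.map(fmt).join(', ')})`);
            return value.apply(obj, args);
          };
        }
        lines.push(`> GET ${name}.${prop} => ${fmt(value)}`);
        return value;
      },
      set(obj, prop, value) {
        lines.push(`> SET ${name}.${String(prop)} = ${fmt(value)}`);
        return Reflect.set(obj, prop, value);
      },
    });
  }
  return { lines, traced };
}

// Build the emulated host. Files the script writes land in `files`
// (path -> content) rather than on the analyst's disk.
function createHost() {
  const { lines, traced } = createTracer();
  const files = new Map();

  // Created lazily so the trace shows CALL CreateObject before CONSTRUCT.
  const makeFso = () =>
    traced('ScriptingFileSystemObject', {
      FileExists(path) { return files.has(path); },
      CreateTextFile(path) {
        files.set(path, '');
        return traced('TextStream', {
          Write(text) { files.set(path, files.get(path) + text); },
          Close() {},
        });
      },
    });

  const WScript = traced('WScript', {
    ScriptFullName: 'C:\\Users\\victim\\dropper.js', // assumed value
    // Echo accepts any arguments and returns undefined; nothing is shown.
    Echo() {},
    CreateObject(progId) {
      if (progId === 'Scripting.FileSystemObject') return makeFso();
      // Assumption: unsupported ProgIDs fail loudly so the analyst sees
      // what the sample asked for instead of a silently skipped branch.
      throw new Error(`ProgID not emulated: ${progId}`);
    },
  });

  return { WScript, lines, files };
}

// Run a WSH-style script against the emulated host. The script executes
// in this process: as the CLI help text warns, this is analysis tooling,
// not a sandbox, so only run untrusted samples inside an isolated VM.
function runScript(src) {
  const host = createHost();
  new Function('WScript', src)(host.WScript);
  return { trace: host.lines, files: host.files };
}

// Constructed sample (not real malware): reads its own path, drops a
// second-stage file into a temp directory and checks that it exists.
const SAMPLE_SCRIPT = [
  'var self = WScript.ScriptFullName;',
  'var fso = WScript.CreateObject("Scripting.FileSystemObject");',
  'var f = fso.CreateTextFile("C:\\\\Temp\\\\stage2.js");',
  'f.Write("WScript.Echo(\'stage2\')");',
  'f.Close();',
  'if (fso.FileExists("C:\\\\Temp\\\\stage2.js")) { WScript.Echo("Hello"); }',
].join('\n');

const demo = runScript(SAMPLE_SCRIPT);
console.log(demo.trace.join('\n'));
console.log('vfs:', Object.fromEntries(demo.files));
```

Reading the trace gives the dropped path and the file's content without anyone having to de-obfuscate the sample by hand, which is the point made above: what matters is which host functions were called and with which arguments, not whether Echo actually pops up a window.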

CaledoniaProject commented 6 years ago

Thanks, I see why you created this tool. I'll do more tests :-)