Wednesday, October 10, 2012

WinDbg way to decrypt Obfuscated JS

Microsoft's powerful debugger WinDbg can easily be put to use when decrypting malicious Javascript. The function responsible for evaluating (eval) Javascript inside jscript.dll is "COleScript::Compile". Using WinDbg we can set a breakpoint on this specific function and extract the data passed to it. When we hit the breakpoint we can grab the decrypted form of the malicious Javascript that is being passed in for evaluation.

A simple breakpoint at the beginning would be like,

bu jscript!COleScript::Compile

This sets a simple unresolved breakpoint on the function COleScript::Compile inside the jscript module. To set things up, attach the debugger to a running "iexplore.exe" process or open "iexplore.exe" in WinDbg. The debugger stops at "ntdll!DbgBreakPoint" (first chance). At this point we can set the unresolved breakpoint discussed above. Let the debugger run and direct the browser to a site that serves Javascript. This will make the debugger halt on the breakpoint set previously. Analyzing the stack reveals that the second argument, at esp+8, is a pointer to the decrypted version of the obfuscated Javascript passed to the function. Hence, to print that decrypted data out we can use the one-liner below, which sets an unresolved breakpoint and then prints the decrypted Javascript passed to the function each time it is hit.

bu jscript!COleScript::Compile "dt wchar_t* esp+8; gc"

dt - display type, which formats the output according to the given type (in this case a wide character pointer)
gc - go from conditional breakpoint, which resumes execution after the breakpoint's commands have run
esp+8 - the stack slot holding the wide character pointer to the decrypted Javascript (which we print out to the command line using 'dt')

This is the simplest way of printing out all the data (presumably the decrypted Javascript) passed to the function for evaluation. The figure below gives an idea of how this works.
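The breakpoint above prints one decrypted layer every time COleScript::Compile is hit, so a session against a multi-stage sample quickly fills the WinDbg log with repeated and nested layers. The following Python script is an added example (not part of the original post, and not a WinDbg or Microsoft tool) that triages such a log offline: it pulls the quoted strings out of the "dt wchar_t*" output, drops repeats, flags layers that still contain a decoding step (eval, unescape, document.write, String.fromCharCode, execScript) and therefore are not the final payload, and writes each layer to a numbered .js file for further analysis. The log layout in SAMPLE_LOG is a constructed assumption about how "dt wchar_t*" renders a string; the exact output varies between WinDbg versions, so adjust the regular expression to match your own session.

```python
"""Triage a WinDbg log produced by:
    bu jscript!COleScript::Compile "dt wchar_t* esp+8; gc"
Added example; the log format below is an assumption, not a captured session."""
import re
from pathlib import Path
from typing import Dict, List

# Constructed sample log. Each hit prints the address of the stack slot
# (esp+8) followed by the pointer it holds and the wide string it points to.
SAMPLE_LOG = r'''
0:013> bu jscript!COleScript::Compile "dt wchar_t* esp+8; gc"
0:013> g
0x0269f328 
 -> 0x0271c5a0 "var s = unescape('%61%6c%65%72%74'); eval(s);"
0x0269f328 
 -> 0x0271d9b0 "document.write('<div id=x></div>');"
0x0269f328 
 -> 0x0271c5a0 "var s = unescape('%61%6c%65%72%74'); eval(s);"
0x0269f328 
 -> 0x02720000 "var i = 0; i++;"
'''

# Matches the dereferenced-pointer line: "-> <address> "<script>"".
POINTER_LINE = re.compile(r'^\s*->\s*0x[0-9a-fA-F]+\s+"(.*)"\s*$')

# Calls that indicate a layer still has to decode or inject more script,
# i.e. it is an intermediate stage rather than the final payload.
STAGING_MARKERS = ("eval(", "unescape(", "document.write(",
                   "String.fromCharCode(", "execScript(")


def extract_scripts(log: str) -> List[str]:
    """Return every compiled script string in the order it was compiled."""
    scripts = []
    for line in log.splitlines():
        match = POINTER_LINE.match(line)
        if match:
            scripts.append(match.group(1))
    return scripts


def unique_scripts(scripts: List[str]) -> List[str]:
    """Drop repeated layers (the same script compiled twice) keeping first-seen order."""
    return list(dict.fromkeys(scripts))


def staging_markers(script: str) -> List[str]:
    """List the decoding/injection calls present in a layer, in STAGING_MARKERS order."""
    return [marker for marker in STAGING_MARKERS if marker in script]


def triage(log: str) -> List[Dict[str, object]]:
    """Number each distinct layer and flag whether it is likely the final payload."""
    rows = []
    for idx, script in enumerate(unique_scripts(extract_scripts(log)), start=1):
        markers = staging_markers(script)
        rows.append({
            "layer": idx,
            "length": len(script),
            "markers": markers,
            "final_layer": not markers,  # no further decoding step inside
            "script": script,
        })
    return rows


def save_layers(log: str, outdir: str) -> List[Path]:
    """Write each distinct layer to layer_NN.js under outdir; return the paths."""
    out = Path(outdir)
    out.mkdir(parents=True, exist_ok=True)
    paths = []
    for row in triage(log):
        path = out / f"layer_{row['layer']:02d}.js"
        path.write_text(str(row["script"]), encoding="utf-8")
        paths.append(path)
    return paths


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        status = "final" if row["final_layer"] else "stage: " + ", ".join(row["markers"])
        print(f"layer {row['layer']:02d} ({row['length']} chars) [{status}]")
```

Run it against a real session by replacing SAMPLE_LOG with the contents of a WinDbg log opened with ".logopen". Note that "dt" shortens long strings in its display, so for large payloads the log will hold only the beginning of each layer; the layer numbering and the staging flags still tell you how many decoding rounds the sample goes through before the final script is compiled.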

