O slideshow foi denunciado.
Utilizamos seu perfil e dados de atividades no LinkedIn para personalizar e exibir anúncios mais relevantes. Altere suas preferências de anúncios quando desejar.
Advanced JS
DeObfuscation via AST
Stefano Di Paola CTO + Chief Scientist @MindedSecurity
JS And Obfuscation
❖ JS is super flexible!
❖ 1k+N ways the do the same thing - +N is the JS way
❖ OK from a Dev POV - perf...
Goals of Obfuscation
❖Block-Limit RE
– Intellectual Property preservation
– AV Bypass of Exploits
– WAF Bypass of Cross Si...
JS Obfuscators
❖Several Public Obfuscation techniques:
– Eval Packer: http://dean.edwards.name/packer/
– Metasploit JSObfu...
JSObfu JSF#*k
Output Example
AAEncode
JJEncode
Output Example
Why Do We Want to Deobfuscate?
❖Defense!
❖Mainly to revert the Scope of Obfuscation:
– AV detection of known Exploits
– Pr...
Deobfuscation from P to P1
❖Semantics preservation:
– Semantics preservation is required.
❖Automation:
– P1 is obtained fr...
Deobfuscation Techniques
❖ Easy way:
– Runtime. Sandboxed Environment to execute payload. (PhantomJS, Thug,
JSCli..)
– Pro...
Deobfuscation Via Partial Evaluation
❖ Partial evaluator task is to split a program in two parts
– Static part: precompute...
AST > SubTree Reduction > Deobfuscated code
1.Use JS for JS : Node + Esprima
2.ESPrima Parser > AST > http://esprima.org/d...
Start from Scratch, oh wait ^_^’!
❖ @M1el already wrote some AST Based deobf for JSObfu:
– https://github.com/m1el/esdeobf...
What we want
❖Improve Global Variables management
– "console","window","document","String","Object","Array","eval"...
❖Ope...
Function Evaluation
❖Check for literal returned value
– function xx(){
return String.fromCharCode( 0x61)+"X"
}
– if (retur...
Dealing W/ Complex Data
❖ Hardest task so far
❖ Similar to Variable Substitution but harder
❖ Deal w/ Arrays and Objects
❖...
JStillery
DEMO
Conclusions
 This research aims to prove that although AST based deobfuscation
is not an easy task, it could lead to quit...
Contacts + Q&A
Mail: stefano.dipaola@mindedsecurity.com
Twitter: @wisecwisec
Global Corporate Site: http://www.mindedsecur...
Próximos SlideShares
Carregando em…5
×

Advanced JS Deobfuscation

20.678 visualizações

Publicada em

Advanced JS Deobfuscation via AST and Partial Evaluation

Publicada em: Software
  • Seja o primeiro a comentar

Advanced JS Deobfuscation

  1. 1. Advanced JS DeObfuscation via AST Stefano Di Paola CTO + Chief Scientist @MindedSecurity
  2. 2. JS And Obfuscation ❖ JS is super flexible! ❖ 1k+N ways the do the same thing - +N is the JS way ❖ OK from a Dev POV - performances apart ❖ Not Always OK for readability. ❖ SUPER OK for Obfuscation!
  3. 3. Goals of Obfuscation ❖Block-Limit RE – Intellectual Property preservation – AV Bypass of Exploits – WAF Bypass of Cross Site Scripting Payload 3
  4. 4. JS Obfuscators ❖Several Public Obfuscation techniques: – Eval Packer: http://dean.edwards.name/packer/ – Metasploit JSObfu: https://github.com/rapid7/jsobfu – JSFuck (From Slackers): http://www.jsfuck.com/ – JJEncode : http://utf-8.jp/public/jjencode.html – AAEncode: http://utf-8.jp/public/aaencode.html – Node-Obf: https://github.com/wearefractal/node-obf – https://github.com/search?p=2&q=obfuscator+JavaScript&type=Repositories&utf8=% E2%9C%93 – On the wild ...  Some commercial Obfuscator & Malware Obfuscator
  5. 5. JSObfu JSF#*k Output Example
  6. 6. AAEncode JJEncode Output Example
  7. 7. Why Do We Want to Deobfuscate? ❖Defense! ❖Mainly to revert the Scope of Obfuscation: – AV detection of known Exploits – Precise WAF identification of Cross Site Scripting Payload – Intellectual property (yeah that too)  The Final Goal is to create a "Normalized" version of the code that will allow easier comparison and analysis
  8. 8. Deobfuscation from P to P1 ❖Semantics preservation: – Semantics preservation is required. ❖Automation: – P1 is obtained from P without the need for hand work (Ideally). ❖Robustness: – All code valid to the interpreter should be parsable by the deobfuscator. ❖Readability: – P1 is easy to adapt and analyze. ❖Efficiency: – Program P1 should not be much slower or larger than P.
  9. 9. Deobfuscation Techniques ❖ Easy way: – Runtime. Sandboxed Environment to execute payload. (PhantomJS, Thug, JSCli..) – Pro : Easy – Cons: behavior based. Can't classify by source code. Hard to analyze what's going on. Possible Auto Pwnage. ❖ Harder Way: – By hand (!!!) – Pro: Human brain can be used. – Cons: Human brain MUST be used. Slow, High Expertise… A Lot. ❖ Hard/Easy Way: – Runtime + Static Analysis -> Hybrid approach via Partial Evaluation. – Pro: Leads to interesting results. – Cons: Hard to implement. Not trivial to cover all techniques.
  10. 10. Deobfuscation Via Partial Evaluation ❖ Partial evaluator task is to split a program in two parts – Static part: precomputed by the partial evaluator. (reduced to lowest terms) – Dynamic part: executed at runtime. (dependent on runtime environment)  Two possible approaches: – Online: all evaluations are made on-the-fly. – Offline: Multipass. Performs binding time analysis to classify expressions as static or dynamic, according to whether their values will be fully determined at specialisation time.
  11. 11. AST > SubTree Reduction > Deobfuscated code 1.Use JS for JS : Node + Esprima 2.ESPrima Parser > AST > http://esprima.org/demo/parse.html# 3.Traverse AST (Tree Walking) as the interpreter would 4.Reduce Sub trees by applying: – Constant folding – Encapsulation – Virtual dispatch – ... 5.Rewrite the Code w/ escodegen 6.Hopefully Enjoy the new code
  12. 12. Start from Scratch, oh wait ^_^’! ❖ @M1el already wrote some AST Based deobf for JSObfu: – https://github.com/m1el/esdeobfuscate https://github.com/m1el/esdeobfuscate/blob/master/esdeobfuscate.js#L109  Super Cool! Alas, is strictly related to JSObfu. We have: – Constant folding w binary ops: +,-,*,/,^ and partial unary ops ~ - .. (On simple types) – String.fromCharCode execution – function returning constants are “evaluated” and Reduced to their return value – Partial “scope wise” implementation. ❖A very good starting point!
  13. 13. What we want ❖Improve Global Variables management – "console","window","document","String","Object","Array","eval"... ❖Operations on Native Data (JSFuck … ) +[] .. ❖Global functions execution – escape, unescape, String.*,Array.*.. ❖Variable Substitution w/ constants or globals – var win=window; …. t=win > var win=window; …. t=window ❖Scoping and Function Evaluation – Function evaluation according to variable scoping.  Objects Management: – var t={a:2}; var b=t.a; Possibly Deobfuscate all known obfuscators
  14. 14. Function Evaluation ❖Check for literal returned value – function xx(){ return String.fromCharCode( 0x61)+"X" } – if (return val is constant ) substitute the value to the whole sub tree. – (JSObf DEMO) ❖Check for independent scope (Closed scope) – If function is a closure > execute function in a JS environment. – ( Fun.js DEMO)
  15. 15. Dealing W/ Complex Data ❖ Hardest task so far ❖ Similar to Variable Substitution but harder ❖ Deal w/ Arrays and Objects ❖ Deal with dynamic properties ---------------------------- ❖ Ended up creating a scope wise state machine. :O ❖ Partially implemented var h={w:2}; var t="a"; h[t]=3; var b=h.w+h[t]
  16. 16. JStillery DEMO
  17. 17. Conclusions  This research aims to prove that although AST based deobfuscation is not an easy task, it could lead to quite interesting results. ❖ Offline approach (multi pass + time analysis) could solve particular anti deobfuscation techniques. ❖ BTW Function Hoisting was not covered! In case someone wondered. ❖ Does it work? Depends on the goals, of course ;) ❖ ActionScript would be mostly covered (as ECMAScript compatible)
  18. 18. Contacts + Q&A Mail: stefano.dipaola@mindedsecurity.com Twitter: @wisecwisec Global Corporate Site: http://www.mindedsecurity.com Blog: http://blog.mindedsecurity.com Twitter: http://www.twitter.com/mindedsecurity YouTube: http://www.youtube.com/user/mindedsecurity Thanks!

×