Javascript Malware Deobfuscation

Posted on November 23, 2008 by


So it turns out that there is a useful trick when working with and deobfuscating quasi-encrypted and obfuscated Javascript (like that seen in malware). The other Stephen observed that the function “COlescript::Compile()” in JSCRIPT.DLL is basically the place in the javascript interpreter that equates to an eval().

If you break here at runtime (like so) you can grab stuff just before it hits the eval() which is generally after its been “deobfuscated” by the malware’s “loader”. (I use these terms in quotes because the whole idea of people “hiding” stuff in javascript is kinda silly in the first place.) So if you want to see for yourself you can use my Windbg script that does this. Or you can use a tool I wrote called “Mina“.

The Mina Javascript Deobfuscation Helper tool uses the Windows Debug API’s (and is actually a mini debugger) that attach to IE process space and monitors for when that function is called. When that function is hit, Mina catches it, and dumps the javascript to disk. The Mina is fully standalone, so you wont have to use your debugger, it will also automatically download symbols and such, so it should work portably across different versions of Windows (IA32 only).

Here is a screenshot of The Mina in use.

If that’s too small to read, here is high-rez flash video of The Mina in use (dont fret, it starts playing at 10%), and a wmv version also.

As soon as I can finish getting symbol (all, not just EXPORT_TABLE symbols) working in some of the framework debuggers I am very fond of (such as VDB) this will probably get ported… in the meantime you can make fun of how aweful I am at C. Admittedly, the code is an abysmal hack (MSuiche said it made him nauseous :-) but, it might make good reference code for writing debuggers and doing symbol stuff nonetheless…I’ll probably fix it up later sometime…

Source is browsable here.

Binary (.exe) and source is here.

Note: as stated in the README.TXT you will need to have “Debugging Tools For Windows” installed.

if you have problems just email stephen(at)

Posted in: debugging, tools