Thursday, December 27, 2007

Building Didier Stevens' SpiderMonkey in Cygwin

Here's one for your malware analysis toolkit. For some time now, I've been using Rhino, Mozilla's Java implementation of JavaScript, to help automate deobfuscation. SpiderMonkey is Mozilla's C implementation of JavaScript, including a shell much like Rhino's.

There are a couple of things that Mozilla's engine doesn't do when it comes to deobfuscating JavaScript. Specifically, you're left to manually convert eval and document.* calls yourself. That's where this really smart guy Didier Stevens comes in. He has a modified SpiderMonkey that solves both of these issues.

So you already know that I like Cygwin for lots of things, including malware analysis. Unfortunately, SpiderMonkey is really only intended to build on Win32 with Visual Studio. However, there are a couple of quick shortcuts you can take to get it to build with gcc in Cygwin. So here we go.

1. Install Cygwin with gcc and standard C libraries.
2. Download and untar Stevens' SpiderMonkey source tarball.
3. In js/src/config/Linux_All.mk find the line that begins with MKSHLIB and change the ld linker syntax by replacing '-shared' with '-r':

$ grep -n MKSHLIB config/Linux_All.mk
50:MKSHLIB = $(LD) -shared $(XMKSHLIBOPTS)

4. Build using make with the following syntax:

$ make -f Makefile.ref OS_ARCH='Linux'

We're essentially lying to make to get it to build as if our Cygwin environment is a Linux box. This is why shared linking breaks. But it should be a non-issue.

5. The make will exit with errors, but if all went well, the JavaScript shell, js.exe, has already been built:

$ cd Linux_All_DBG.OBJ
$ ls -l js.exe
-rwxr-xr-x 1 nobody None 1493267 Dec 27 17:40 js.exe
$ cd
$ cp js/src/Linux_All_DBG.OBJ/js.exe $HOME

$ ./js.exe
js> document.write("oh word!");
js> ^C
$ cat write.log
oh word!

And that's it. Make a copy of the binary for future use and clean up.

8 comments:

Didier Stevens said...

Thanks for the Cygwin HOWTO. I build SpiderMonkey on Red Hat, and I think I also compiled it with the free Borland C++ compiler.

PaulM said...

Acutally, thank you for creating the mod in the first place.

Tarmik said...

Hi !

Can you explain the difference between -r and -shared - apparently I have similar problem with another package.

chris blazek said...

Thanks a ton for this instructional!

R said...

Thanks. These same instructions worked with js-1.7.0 as well. :)

stan said...

Thanks, very useful.

Hari Gaire said...

I tried the things in windows, i got following error:
error on line 176 : expecting target : dependencies

The same error occurs while i try to run python-spidermonkey in python.

Are there any dependencies that should be downloaded?
Plz reply soon

PaulM said...

Hari,

I just tried this with the latest version of Cygwin on Windows 7 32-bit with the default gcc and glibc packages installed. I used the latest version from Didier's web site, js-1.7.0-mod, and the directions above. It builds and runs without issue. I'm not able to recreate the error you're having, sorry.