Here's one for your malware analysis toolkit. For some time now, I've been using Rhino, Mozilla's Java implementation of JavaScript, to help automate deobfuscation. SpiderMonkey is Mozilla's C implementation of JavaScript, including a shell much like Rhino's.
There are a couple of things Mozilla's stock shell doesn't do when it comes to deobfuscating JavaScript. Specifically, it leaves you to deal with eval and document.* calls by hand. That's where this really smart guy Didier Stevens comes in. He has a modified SpiderMonkey that solves both of these issues.
So you already know that I like Cygwin for lots of things, including malware analysis. Unfortunately, SpiderMonkey is really only intended to build on Win32 with Visual Studio. However, there are a couple of quick shortcuts you can take to get it to build with gcc in Cygwin. So here we go.
1. Install Cygwin with gcc and standard C libraries.
2. Download and untar Stevens' SpiderMonkey source tarball.
3. In js/src/config/Linux_All.mk find the line that begins with MKSHLIB and change the ld linker syntax by replacing '-shared' with '-r':
$ grep -n MKSHLIB config/Linux_All.mk
50:MKSHLIB = $(LD) -shared $(XMKSHLIBOPTS)
4. Build using make with the following syntax:
$ make -f Makefile.ref OS_ARCH='Linux'
We're essentially lying to make so that it builds as if our Cygwin environment were a Linux box. That's why the shared-library link step breaks, but since all we need is the js.exe shell, it's a non-issue.
5. The make will exit with errors, but if all went well, the JavaScript shell, js.exe, has already been built:
$ cd Linux_All_DBG.OBJ
$ ls -l js.exe
-rwxr-xr-x 1 nobody None 1493267 Dec 27 17:40 js.exe
$ cd
$ cp js/src/Linux_All_DBG.OBJ/js.exe $HOME
$ ./js.exe
js> document.write("oh word!");
js> ^C
$ cat write.log
oh word!
And that's it. Make a copy of the binary for future use and clean up.
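To tie steps 3 to 5 together, here is a small POSIX shell script. It is an added example, not part of the original post or of Stevens' tarball. It assumes it is run from js/src of the untarred source, that the makefile and object directory carry the names shown above (config/Linux_All.mk and Linux_All_DBG.OBJ), and, for the optional run_sample helper, that the patched shell accepts a script file as its argument (standard SpiderMonkey shell usage) and logs document.write output to write.log as the session above shows.

```shell
#!/bin/sh
# Added example (not from the original post): automates steps 3-5 of the
# Cygwin build. Run from js/src of Stevens' modified SpiderMonkey source.

# Step 3: switch the shared-library link in Linux_All.mk from -shared to -r.
# Takes the makefile path; fails if the expected MKSHLIB line is absent, so a
# tarball that does not match this script is caught before make runs.
patch_mkshlib() {
    mk="$1"
    grep -q '^MKSHLIB = \$(LD) -shared' "$mk" || {
        echo "patch_mkshlib: no 'MKSHLIB = \$(LD) -shared' line in $mk" >&2
        return 1
    }
    cp "$mk" "$mk.orig"                       # keep the original alongside
    sed 's/^\(MKSHLIB = \$(LD)\) -shared/\1 -r/' "$mk.orig" > "$mk"
}

# Returns the MKSHLIB line of a makefile (used to verify the patch).
mkshlib_line() {
    grep '^MKSHLIB' "$1"
}

# Steps 4 and 5: build as if on Linux. make is expected to exit non-zero
# after js.exe has been produced, so its status is ignored and the presence
# of the binary decides success. Prints the path to js.exe.
build_js_shell() {
    objdir="${1:-Linux_All_DBG.OBJ}"         # object dir name from the post
    make -f Makefile.ref OS_ARCH='Linux' || true
    [ -x "$objdir/js.exe" ] || {
        echo "build_js_shell: $objdir/js.exe was not produced" >&2
        return 1
    }
    echo "$objdir/js.exe"
}

# Optional: run a captured script through the patched shell and show what it
# tried to write into the document. Assumes file-argument invocation and the
# write.log name seen in the post's session.
run_sample() {
    shell="$1"
    sample="$2"
    rm -f write.log                           # drop any stale log first
    "$shell" "$sample"
    if [ -f write.log ]; then
        cat write.log
    fi
}

# Only build when explicitly asked: ./build-js.sh build
if [ "${1:-}" = "build" ]; then
    patch_mkshlib config/Linux_All.mk
    js="$(build_js_shell)"
    cp "$js" "$HOME/js.exe"
    echo "installed $HOME/js.exe"
fi
```

Invoke it as `sh build-js.sh build` from js/src; afterwards `run_sample "$HOME/js.exe" sample.js` prints whatever the sample handed to document.write.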
Thanks for the Cygwin HOWTO. I build SpiderMonkey on Red Hat, and I think I also compiled it with the free Borland C++ compiler.
Actually, thank you for creating the mod in the first place.
Hi!
Can you explain the difference between -r and -shared? Apparently I have a similar problem with another package.
Thanks a ton for this instructional!
Thanks. These same instructions worked with js-1.7.0 as well. :)
Thanks, very useful.
I tried the things in Windows, I got the following error:
error on line 176 : expecting target : dependencies
The same error occurs while I try to run python-spidermonkey in Python.
Are there any dependencies that should be downloaded?
Please reply soon.
Hari,
I just tried this with the latest version of Cygwin on Windows 7 32-bit with the default gcc and glibc packages installed. I used the latest version from Didier's web site, js-1.7.0-mod, and the directions above. It builds and runs without issue. I'm not able to recreate the error you're having, sorry.