irt/docker_file_analysis
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Add markdown wiki with 473 pages and zk browser

Browse Source 
Generate interlinked wiki from master inventory: 397 tool pages,
15 workflow pages, 27 recipe pages, 33 category pages, plus index.
All pages use [[wiki-links]] for cross-navigation between tools,
workflows, recipes, and categories (1782 links total).

Install zk for interactive browsing with fzf search, tag filtering,
and backlink discovery. Add 'fhelp wiki' command and Makefile target.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
tobias
2026-03-28 19:50:36 +01:00
parent b13db23a5e
commit e62a14dafc
478 changed files with 7683 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files
data/generated/wiki/workflows/javascript-deobfuscation-workflow.md
+57
View File
@@ -0,0 +1,57 @@
# JavaScript Deobfuscation
> Deobfuscate and analyze malicious JavaScript from web pages, email attachments, or document macros.
**FOR610 Labs:** 3.6, 3.7
## Steps
### Step 1: Beautification
**Tools:** [[tools/js-beautify|js-beautify]]
Format minified/compressed JavaScript for readability. Look for: eval() calls, document.write(), String.fromCharCode(), unescape(), atob().
```bash
js-beautify malicious.js > beautified.js
```
### Step 2: Static Review
**Tools:** [[tools/visual-studio-code|visual-studio-code]]
Identify obfuscation layers. Search for: eval/Function constructor (code execution), long encoded strings, variable name patterns (single chars = likely obfuscated).
```bash
code filename.js
```
### Step 3: Safe Execution (SpiderMonkey)
**Tools:** [[tools/spidermonkey|spidermonkey]]
Execute outside browser with objects.js to simulate browser/WScript APIs. Command: js -f /usr/share/remnux/objects.js -f <script.js>. Captures eval'd code without running it.
```bash
js -f malicious.js
```
### Step 4: Environment Tuning
**Tools:** [[tools/visual-studio-code|visual-studio-code]]
If script expects specific environment (location.href, navigator.userAgent): edit objects.js to provide expected values. Re-run SpiderMonkey.
```bash
code filename.js
```
### Step 5: Alternative Analysis
**Tools:** [[tools/box-js|box-js]], [[tools/jstillery|jstillery]]
box-js: Node.js sandbox with WScript emulation. JStillery: AST-based deobfuscation. Use when SpiderMonkey can't handle the obfuscation.
```bash
box-js --output-dir=/tmp suspicious.js
```
### Step 6: Payload Identification
What does the deobfuscated JS do? Common patterns: download & execute (dropper), redirect to exploit kit, credential harvesting. Extract all URLs, IPs, file paths.
#javascript #deobfuscation #spidermonkey #box-js #web #workflow