tobias
f3ccc09c3d
Build comprehensive malware analysis knowledge base from 3 sources: - SANS FOR610 course: 120 tools, 47 labs, 15 workflows, 27 recipes - REMnux salt-states: 340 packages parsed from GitHub - REMnux docs: 280+ tools scraped from docs.remnux.org Master inventory merges all sources into 447 tools with help tiers (rich/standard/basic). Pipeline generates: tools.db (397 entries), 397 cheatsheets with multi-tool recipes, 15 workflow guides, 224 TLDR pages, and coverage reports. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
36 lines
1.2 KiB
Plaintext
36 lines
1.2 KiB
Plaintext
# SpiderMonkey
|
|
# Mozilla JavaScript engine — execute and deobfuscate malicious JavaScript outside a browser
|
|
# FOR610 Labs: 3.6, 3.7, 4.5 | Sections: 3, 4
|
|
# Docs: https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/scripts
|
|
|
|
% javascript, deobfuscation, execution
|
|
|
|
# Basic usage
|
|
js -f malicious.js
|
|
|
|
# Process input file
|
|
js -f /usr/share/remnux/objects.js -f malicious.js > decoded.js
|
|
|
|
|
|
# --- Recipes (multi-tool chains) ---
|
|
|
|
# >> Deobfuscate JavaScript with SpiderMonkey
|
|
# Beautify compressed JavaScript
|
|
js-beautify <malicious.js> > readable.js
|
|
# Execute with objects.js to simulate browser/WScript APIs
|
|
js -f /usr/share/remnux/objects.js -f <malicious.js> > decoded.js
|
|
# If script expects location.href, edit objects.js first:
|
|
cp /usr/share/remnux/objects.js .
|
|
# Edit objects.js to set: location = { href: 'http://expected-url' }
|
|
js -f objects.js -f <malicious.js> > decoded.js
|
|
|
|
# >> Clean Null Bytes from UTF-16 JavaScript
|
|
# Check for null bytes (look for 00 in hex)
|
|
xxd <script.js> | head -2
|
|
# Remove null bytes
|
|
cat <script.js> | tr -d '\00' > clean.js
|
|
# Then deobfuscate
|
|
js -f /usr/share/remnux/objects.js -f clean.js > decoded.js
|
|
# Beautify the result
|
|
js-beautify decoded.js > final.js
|