The following is a list of tools covered in this video:
Part One: Online “Beautifier” + Firebug debugger

| Tool | Author | URL | Notes |
|---|---|---|---|
| JS Beautifier (Web) | Lielmanis & Newman | http://jsbeautifier.org/ | Available in non-Web formats; see site |
| FireFox | Mozilla | https://www.mozilla.org/en-US/firefox/all/ | Offline installers for the most current localized versions of Firefox |
| FireBug | Mozilla | https://getfirebug.com/ | FireFox add-in that adds many features, including a handy JS debugger |
- I happened to be using FireFox 31 in the video
- I was using FireBug v2.0.2, which is compatible with FF 30-32
Part Two: Windows Tools

| Tool | Author | URL | Notes |
|---|---|---|---|
| Revelo | Kahu Security | http://www.kahusecurity.com/tools/ | Kahu makes some amazing tools, check them all out! |
| Malzilla | Boban Spasic (a.k.a. bobby) | http://malzilla.sourceforge.net/ | Last release: 2008/11/02 (Nov 2008) <- reaching EOL |
| PDF Stream Dumper | David Zimmer | http://sandsprite.com/blogs/index.php?uid=7&pid=57 | Fantastic PDF stream dumping + JS/shellcode analysis tool |
Part Three: Linux Tools

| Tool | Author | URL | Notes |
|---|---|---|---|
| js-beautify | Lielmanis & Sanfilippo | https://github.com/beautify-web/js-beautify | Installed in REMnux: Simply run |
| SpiderMonkey | Mozilla | https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey | Installed in REMnux: Simply run |
| vi | Bill Joy et al. | http://en.wikipedia.org/wiki/Vi | While not technically a coreutil, vi is bundled with and/or is available for most *nix-based systems |
| REMnux | Lenny Zeltser | http://zeltser.com/remnux/ | I used REMnux 5 under VMware Fusion in the video, but Oracle VirtualBox works great too |
- I got the idea of using an array to override
- Replace document.write with print manually, or check here for alternatives: http://www.aldeid.com/wiki/SpiderMonkey#Modified_versions
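As an added illustration of the document.write override mentioned above (my own shim, not code from the video or from SpiderMonkey), here is a small DOM stub that can be loaded into the js shell ahead of a suspicious script so that every stage the script tries to write into the page is collected in an array and printed instead of rendered. The `captured`/`run` names and the `SAMPLE` string are assumptions constructed for the example; `print` is SpiderMonkey's, with console.log as a fallback under Node.

```javascript
// Use SpiderMonkey's print() when available, otherwise fall back to Node.
var out = (typeof print === "function") ? print : console.log;

// Every document.write/writeln call is appended here, so the analyst sees
// each decoded stage in order rather than only the last one.
var captured = [];

// Minimal stand-in for the browser DOM: enough for typical droppers to keep
// running without a real page. Anything "written" is captured, not executed.
var document = {
  write: function (s) { captured.push(String(s)); out(s); },
  writeln: function (s) { captured.push(String(s) + "\n"); out(s); },
  getElementById: function () { return null; },   // inert probe answers
  cookie: "",
  referrer: ""
};
var window = { document: document, location: { href: "about:blank" } };
var navigator = { userAgent: "Mozilla/5.0" };

// Run one obfuscated sample under the shim and return everything it wrote.
// Function() lets the shim objects shadow the script's globals by name.
function run(sample) {
  captured.length = 0;
  new Function("document", "window", "navigator", sample)(document, window, navigator);
  return captured.slice();
}

// Constructed, harmless sample (not real malware): rebuilds a tag from char
// codes and writes it, the way a simple obfuscator does.
var SAMPLE =
  'var c=[60,115,99,114,105,112,116,62];' +
  'var s="";for(var i=0;i<c.length;i++){s+=String.fromCharCode(c[i]);}' +
  'document.write(s);';

run(SAMPLE);
```

In the real workflow you would save the shim as a file and load it first (e.g. via `load()` in the js shell) before running the deobfuscation target, then inspect `captured` for the next stage.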
OK, now that you have the links, check out the video!
I look forward to any and all feedback, so please do not hesitate to drop a comment!
Also, stay tuned for Part II, in which I will cover analyzing the shellcode that we find in Part I! Part II will focus on understanding the intent of the deobfuscated attack script and will include a few different ways to debug the identified shellcode.