Merge pull request #79 from kirk-sayre-work/master

8/24/2022 changes from the kirk-sayre-work dev fork of box-js.

Author: kirk-sayre-work

README.md

@@ -46,6 +46,10 @@ Box.js will emulate a Windows JScript environment, print a summary of the emulat
 
  >If you wish to automate the analysis, you can use the return codes - documented in `integrations/README.md` - to distinguish between different types of errors.
 
+## Analysis Fails Due to Missing 'document' Object
+
+The box-js repository from git includes a `boilerplate.js` file. This file defines some stubbed versions of common browser objects such as document. Try rerunning your analysis with the `--prepended-code=DIR/boilerplate.js` option, where `DIR` is the directory of the cloned box-js repository. The `--prepended-code` option tells box-js to prepend the JavaScript in the given file to the sample being analyzed.
+
 ## Batch usage
 
 While box.js is typically used on single files, it can also run batch analyses. You can simply pass a list of files or folders to analyse:
@@ -83,6 +87,7 @@ cat ./*.results/active_urls.json | sort | uniq
                            current directory)                                                              
     --preprocess           Preprocess the original source code (makes reverse engineering easier, but takes
                            a few seconds)                                                                  
+    --prepended-code       Prepend the JavaScript in the given file to the sample prior to sandboxing
     --unsafe-preprocess    More aggressive preprocessing. Often results in better code, but can break on   
                            some edge cases (eg. redefining prototypes)                                     
     --no-kill              Do not kill the application when runtime errors occur                           

analyze.js

@@ -60,6 +60,18 @@ function lacksBinary(name) {
 }
 
 function rewrite(code) {
+
+    // box-js is assuming that the JS will be run on Windows with cscript or wscript.
+    // Neither of these engines supports strict JS mode, so remove those calls from
+    // the code.
+    code = code.replace(/"use strict"/g, '"STRICT MODE NOT SUPPORTED"');
+
+    // Some samples (for example that use JQuery libraries as a basis to which to
+    // add malicious code) won't emulate properly for some reason if there is not
+    // an assignment line at the start of the code. Add one here (this should not
+    // change the behavior of the code).
+    code = "__bogus_var_name__ = 12;\n\n" + code;
+    
     if (code.match("@cc_on")) {
         lib.debug("Code uses conditional compilation");
         if (!argv["no-cc_on-rewrite"]) {
@@ -444,6 +456,7 @@ const sandbox = {
     //Blob : Blob,
     logJS: lib.logJS,
     logIOC: lib.logIOC,
+    logUrl: lib.logUrl,
     ActiveXObject,
     dom,
     alert: (x) => {},

boilerplate.js

@@ -0,0 +1,236 @@
+const parse = require("node-html-parser").parse;
+
+function extractJSFromHTA(s) {
+    const root = parse("" + s);
+    items = root.querySelectorAll('script');
+    r = "";
+    var chunkNum = 0;
+    for (let i1 = 0; i1 < items.length; ++i1) {
+        item = items[i1];
+        for (let i2 = 0; i2 < item.childNodes.length; ++i2) {
+            chunkNum += 1;
+            child = item.childNodes[i2]
+            attrs = ("" + child.parentNode.rawAttrs).toLowerCase();
+            if (!attrs.includes("vbscript")) {
+                r += "// Chunk #" + chunkNum + "\n" + child._rawText + "\n\n";
+            }
+        }
+    }
+    return r;
+}
+
+var location = {
+    
+    /*
+      Location.ancestorOrigins
+      Is a static DOMStringList containing, in reverse order, the origins
+      of all ancestor browsing contexts of the document associated with
+      the given Location object.
+    */
+    ancestorOrigins: '',
+    
+    /* 
+       Location.href
+       Is a stringifier that returns a USVString containing the entire
+       URL. If changed, the associated document navigates to the new
+       page. It can be set from a different origin than the associated
+       document.
+    */
+    href: 'http://mylegitdomain.com:2112/and/i/have/a/path.php',
+
+    /* 
+       Location.protocol
+       Is a USVString containing the protocol scheme of the URL, including
+       the final ':'.
+    */
+    protocol: 'http:',
+
+    /* 
+       Location.host
+       Is a USVString containing the host, that is the hostname, a ':', and
+       the port of the URL.
+    */
+    host: 'mylegitdomain.com:2112',
+
+    /* 
+       Location.hostname
+       Is a USVString containing the domain of the URL.
+    */
+    hostname: 'mylegitdomain.com',
+
+    /* 
+       Location.port
+       Is a USVString containing the port number of the URL.
+    */
+    port: '2112',
+
+    /* 
+       Location.pathname
+       Is a USVString containing an initial '/' followed by the path of the URL.
+    */
+    pathname: '/and/i/have/a/path.php',
+
+    /* 
+       Location.search
+       Is a USVString containing a '?' followed by the parameters or
+       "querystring" of the URL. Modern browsers provide URLSearchParams
+       and URL.searchParams to make it easy to parse out the parameters
+       from the querystring.
+    */
+    search: '',
+
+    /* 
+       Location.hash
+       Is a USVString containing a '#' followed by the fragment identifier
+       of the URL.
+    */
+    hash: '',
+
+    /* 
+       Location.origin Read only
+       Returns a USVString containing the canonical form of the origin of
+       the specific location.
+    */
+    origin: 'http://mylegitdomain.com:2112',
+
+    replace: function (url) {
+        logIOC('Window Location', {url}, "The script changed the window location URL.");
+	logUrl('Window Location', {url});
+    },
+
+    // The location.reload() method reloads the current URL, like the Refresh button.
+    reload: function() {},
+};
+
+var window = {
+    eval: function(cmd) { eval(cmd); },
+    resizeTo: function(a,b){},
+    moveTo: function(a,b){},
+    close: function(){},
+    atob: function(s){
+        return new Buffer(s, 'base64').toString('ascii');
+    },
+    setTimeout: function(f, i) {},
+    location: location,
+    localStorage: {
+        // Users and session to distinguish and generate statistics about website traffic. 
+        "___utma" : undefined,
+        // Users and session to distinguish and generate statistics about website traffic. 
+        "__utma" : undefined,
+        // Determine new sessions and visits and generate statistics about website traffic. 
+        "__utmb" : undefined,
+        // Determine new sessions and visits and generate statistics about website traffic. 
+        "__utmc" : undefined,
+        // Process user requests and generate statistics about the website traffic. 
+        "__utmt" : undefined,
+        // Store customized variable data at visitor level and generate statistics about the website traffic. 
+        "__utmv" : undefined,
+        // To record the traffic source or campaign how users ended up on the website. 
+        "__utmz" : undefined,
+    },
+};
+
+var document = {
+    documentMode: 8, // Fake running in IE8
+    referrer: 'https://bing.com/',
+    location: location,
+    //parentNode: window.document.parentNode,
+    getElementById : function(id) {
+
+        var char_codes_to_string = function (str) {
+            var codes = ""
+            for (var i = 0; i < str.length; i++) {
+                codes += String.fromCharCode(str[i])
+            }
+            return codes
+        }
+
+        /* IDS_AND_DATA */
+
+        for (var i = 0; i < ids.length; i++) {
+            if (char_codes_to_string(ids[i]) == id) {
+                return {
+                    innerHTML: char_codes_to_string(data[i])
+                }
+            }
+        }
+
+        // got nothing to return
+        return {
+            innerHTML: ""
+        }
+    },
+    write: function (content) {
+        logIOC('DOM Write', {content}, 'The script wrote to the DOM')
+        eval.apply(null, [extractJSFromHTA(content)]);
+    },
+    appendChild: function(node) {
+        logIOC('DOM Append', {node}, "The script appended an HTML node to the DOM")
+        eval(extractJSFromHTA(node));
+    },
+    insertBefore: function(node) {
+	logIOC('DOM Insert', {node}, "The script inserted an HTML node on the DOM")
+        eval(extractJSFromHTA(node));
+    },
+    getElementsByTagName: function(tag) {
+        var func = function(item) {
+            logIOC('DOM Append', {item}, "The script added a HTML node to the DOM");
+            return "";
+        };
+
+        // Return a dict that maps every tag name to the same fake element.
+        fake_dict = {};
+        fake_dict = new Proxy(fake_dict, {
+            get(target, phrase) { // intercept reading a property from dictionary
+                return {
+                    "appendChild" : func,
+                    "insertBefore" : func,
+                    "parentNode" : {
+                        "appendChild" : func,
+                        "insertBefore" : func,
+                    },
+                };
+            }
+        });
+        return fake_dict;
+    },
+    createElement: function(tag) {
+        var fake_elem = {
+            set src(url) {
+                logIOC('Remote Script', {url}, "The script set a remote script source.");
+                logUrl('Remote Script', {url});
+            },
+            log: []
+        };
+        return fake_elem;
+    },
+    createTextNode: function(text) {
+	    //return window.document.createTextNode(text)
+    },
+    addEventListener: function(tag, func) {}
+};
+
+function atob(s) {
+    var b = new Buffer(s, 'base64');
+    return b.toString();
+};
+
+class _WidgetInfo {
+    constructor(a1, a2, a3, a4, a5) {}
+}
+
+var _WidgetManager = {
+    _Init: function(a1, a2, a3) {},
+    _SetDataContext: function(a1) {},
+    _RegisterWidget: function(a1, a2) {}
+}
+
+var navigator = {
+    userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/6.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729; Tablet PC 2.0; InfoPath.3)'
+}
+
+// We are acting like cscript when emulating. JS in cscript does not
+// implement Array.reduce().
+Array.prototype.reduce = function(a, b) {
+    throw "CScript JScript has no Array.reduce() method."
+};

emulator/ADODBConnection.js

@@ -0,0 +1,41 @@
+const lib = require("../lib");
+const iconv = require("iconv-lite");
+
+function ADODBConnection() {
+
+    this.open = function(query, conn) {
+        console.log("adodb.connection open()");
+        console.log(query);
+        console.log(conn);
+    };
+    
+    this.cursorlocation1 = function(arg) {
+        console.log("adodb.connection cursorlocation()");
+        console.log(arg);
+    };
+
+    this.close = () => {};
+}
+
+module.exports = function() {
+    return new Proxy(new ADODBConnection(), {
+	get: function(target, name) {
+	    name = name.toLowerCase();
+	    switch (name) {
+	    case "size":
+	    case "length":
+		return target.buffer.length;
+	    case "readtext":
+		return target.buffer;
+	    default:
+		if (name in target) return target[name];
+		lib.kill(`ADODBConnection.${name} not implemented!`);
+	    }
+	},
+	set: function(a, b, c) {
+	    b = b.toLowerCase();
+	    a[b] = c;
+	    return true;
+	},
+    });
+};

emulator/ADODBStream.js

@@ -42,9 +42,9 @@ function ADODBStream() {
         return this.buffer;
     };
     this.write = this.writetext = function(text) {
-        if (this.charset)
+        if (this.charset) {
             this.buffer = iconv.encode(text, this.charset);
-        else
+        } else
             this.buffer = text;
     };
     this.loadfromfile = function(filename) {
@@ -56,7 +56,8 @@ function ADODBStream() {
     this.tojson = function(data) {
         console.log(data);
         return "[1]";
-    }
+    };
+    this.flush = function() {};
     this.copyto = (target) => target.write(this.buffer);
 }
 
@@ -69,6 +70,7 @@ module.exports = function() {
             case "length":
                 return target.buffer.length;
             default:
+                lib.info(`Script called ADODBStream.${name}`);
                 if (name in target) return target[name];
                 lib.kill(`ADODBStream.${name} not implemented!`);
             }

emulator/WMI.js

@@ -360,11 +360,16 @@ module.exports.GetObject = function(name) {
 		lib.kill(`Not implemented: WMI.Get(${className})`);
 	    return _class;
 	},
+        Run: command => {
+            lib.logIOC("WMI.GetObject.Run", command, "The script executed a command.");
+	    lib.logSnippet(lib.getUUID(), {as: "command"}, command);
+	    return "";
+	},
     }, {
 	get(target, name) {
-            console.log("^^^^^^^^^^^");
-            console.log(target);
-            console.log(name);
+            //console.log("^^^^^^^^^^^");
+            //console.log(target);
+            //console.log(name);
 	    if (name in target) return target[name];
 	    lib.kill(`WMI.GetObject.${name} not implemented!`);
 	},

emulator/WScriptShell.js

@@ -82,10 +82,10 @@ function WScriptShell() {
 	    StdOut: new TextStream(`<output of ${cmd}>`),
 	};
     };
-    
+
     if (!this._reg_entries) {
 	this._reg_entries = require("system-registry");
-
+        
 	// lacks the HKEY_CURRENT_USER reg key by default (y tho?)
 	this._reg_entries["HKEY_CURRENT_USER"] = {}
     }
@@ -139,7 +139,8 @@ function WScriptShell() {
 	}
 	else {
 	    lib.warning(`Unknown registry key ${key}!`);
-	    return "";
+	    //return "";
+            throw("Registry key not found.");
 	}
     };