Creating HTML listeners with JSReg and Hackvertor

JSReg has grown up a bit since I released the first version. You can now use it to monitor malicious JavaScript. I have a very basic example of this in Hackvertor. At the moment Hackvertor doesn't support callbacks, so it's a bit of a hack, but you will get the idea.

I use __defineSetter__ to monitor the fake document object. In JSReg the document object doesn't exist; it becomes $document$, but you can supply your own object in order to create a listener. At the moment the code only works on Firefox. See below for the example:

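// "code" holds the javascript to analyse; it is defined outside this snippet.
var parser = JSReg();
var result;
// Capture whatever the sandboxed code reports through the "result" debug object.
parser.setDebugObjects({result: function(code) {
	result = code;
}});
var html = '';
if (window.__defineSetter__) {
	// Collects every piece of HTML the sandboxed code tries to write.
	var htmlLog = function(str) {
		html += str;
	};
	// Fake document object: JSReg rewrites document.write to $document$.$write$.
	var obj = {
		$write$: htmlLog,
		$body$: htmlLog
	};
	// Log assignments to body.innerHTML and document.innerHTML.
	obj.$body$.__defineSetter__('$innerHTML$', htmlLog);
	obj.__defineSetter__('$innerHTML$', htmlLog);
	parser.setDocument(obj);
}
try {
	parser.runCheck();
	parser.eval(code);
}
catch (e) {
	alert(e.description || e);
}
alert('Decoding javascript...');
if (html != '') {
	result += '\nHTML:' + html;
}
return result;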

So "obj" is our fake document object; I just add the properties write and body. Then I use __defineSetter__ to monitor any assignments to innerHTML. You could monitor more of course, and even extend the window object to monitor eval. So how does this work in practice? Take a look below at some fake encoded malicious javascript:

[Image: Encoded fake javascript malware]

As you can see, JSReg executes the javascript safely and then uses the fake document to monitor document.write, which presents you with the HTML output. This is only a basic example of how it could be used; in future I plan to allow Hackvertor to provide more detailed examination of malicious javascript.
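
The fake-document listener described above, as an added example that is not part of the original post and is not JSReg code. It uses the standard Object.defineProperty and Proxy instead of __defineSetter__, so it is not tied to Firefox, and it goes a little further by logging properties the fake document does not model. It assumes the $name$ convention from the post; makeDocumentListener, analyse, sampleRewritten and $cookie$ are hypothetical names, and the sample is a constructed plain function standing in for JSReg's rewritten output.

```javascript
// Added example, not JSReg code. $write$, $body$ and $innerHTML$ are the
// names from the post; every other name here is hypothetical.
function makeDocumentListener() {
  const events = []; // ordered log of every HTML sink the code touched
  const record = (sink) => (value) => {
    events.push({ sink, html: String(value) });
  };
  // Standard replacement for __defineSetter__: log $innerHTML$ assignments.
  const makeElement = (name) =>
    Object.defineProperty({}, '$innerHTML$', {
      set: record(name + '.innerHTML'),
      get: () => '', // reads return an inert value
    });
  const doc = makeElement('document');
  doc.$write$ = record('document.write');
  doc.$body$ = makeElement('document.body');
  // The Proxy reports properties the fake document does not model and
  // stops the analysed code from replacing the recorders.
  const proxy = new Proxy(doc, {
    get(target, prop) {
      if (prop in target) return target[prop];
      events.push({ sink: 'get ' + String(prop), html: '' });
      return undefined;
    },
    set(target, prop, value) {
      if (prop === '$innerHTML$') target[prop] = value;
      else events.push({ sink: 'set ' + String(prop), html: String(value) });
      return true;
    },
  });
  return { document: proxy, events };
}

// Constructed sample: stands in for script text after identifier rewriting.
function sampleRewritten($document$) {
  $document$.$write$('<iframe src="http://example.invalid/" width="0"></iframe>');
  $document$.$body$.$innerHTML$ = '<b>injected</b>';
  $document$.$cookie$ = 'a=1'; // not modelled, so it shows up as "set $cookie$"
}

// Run one rewritten function against a fresh listener and return its log.
function analyse(rewritten) {
  const listener = makeDocumentListener();
  try {
    rewritten(listener.document);
  } catch (e) {
    listener.events.push({ sink: 'exception', html: String(e) });
  }
  return listener.events;
}
```

analyse(sampleRewritten) returns the three recorded events in the order the sample produced them. The listener only observes; isolating the analysed code is still the sandbox's job.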
