Add support for augmented proxied array function replacements (#3)
* Add detector for augmented proxied array function replacements

* Add sample for testing

* Refactor imports to be dynamic with less repetition;
Add new augmentedProxiedArrayFunctionReplacements detector;

* Update dependencies

* 1.1.0
BenBaryoPX authored Oct 5, 2022
1 parent 86f8401 commit addaf18
Showing 5 changed files with 12,034 additions and 40 deletions.
44 changes: 22 additions & 22 deletions package-lock.json


2 changes: 1 addition & 1 deletion package.json
@@ -1,6 +1,6 @@
{
"name": "obfuscation-detector",
"version": "1.0.3",
"version": "1.1.0",
"description": "Javascript obfuscation detector",
"main": "src/index.js",
"directories": {
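--- a/src/detectors/augmentedProxiedArrayFunctionReplacements.js
+++ b/src/detectors/augmentedProxiedArrayFunctionReplacements.js
@@ -0,0 +1,31 @@
+const obfuscationName = 'augmented_proxied_array_function_replacements';
+
+/**
+* Augmented Proxied Array-Function Replacements obfuscation type has the following characteristics:
+* - Has at least 3 root nodes - the last one containing the actual obfuscated code and the rest are obfuscation code.
+* - Has a function that assigns an array full of strings to itself, and then returns itself.
+* - Has an anonymous IIFE that is called with the array function as one of its arguments.
+* @param {ASTNode[]} flatTree
+* @return {string} The obfuscation name if detected; empty string otherwise.
+*/
+function detectAugmentedProxiedArrayFunctionReplacements(flatTree) {
+const roots = flatTree.filter(n => n.parentNode?.type === 'Program');
+if (roots.length > 3) {
+const arrFunc = roots.find(n => n.type === 'FunctionDeclaration' &&
+n.body?.body?.length &&
+n.body.body.slice(-1)[0]?.argument?.callee?.name === n?.id?.name);
+if (arrFunc) {
+const augFunc = roots.find(n => n.type === 'ExpressionStatement' &&
+n.expression.type === 'CallExpression' &&
+n.expression.arguments.find(a => a?.name === arrFunc.id.name));
+if (augFunc) {
+return obfuscationName;
+}
+}
+}
+return '';
+}
+
+try {
+module.exports = detectAugmentedProxiedArrayFunctionReplacements;
+} catch {}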
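Review bot: The guard `if (roots.length > 3) {` requires four or more root nodes, while the doc comment directly above the function says "at least 3"; one of the two is wrong, and if the comment is the intended rule the check should read `if (roots.length >= 3) {`, otherwise a sample with exactly three roots is silently reported as not obfuscated. The `augFunc` search also matches any top-level call that takes the array function as an argument, so the documented "anonymous IIFE" characteristic is never verified; adding `n.expression.callee.type === 'FunctionExpression' &&` (possibly also allowing arrow functions, to be confirmed against the sample) would reduce false positives on ordinary code. Since only a boolean is needed there, `arguments.some(...)` reads more clearly than `arguments.find(...)`. The empty `catch {}` around `module.exports` deserves a one-line comment saying why the assignment is allowed to fail, for example `// module is undefined when loaded outside CommonJS`, if that is the reason.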
31 changes: 14 additions & 17 deletions src/index.js
@@ -1,11 +1,17 @@
const {generateFlatAST} = require('flast');
const detectCaesarPlus = require(__dirname + '/detectors/caesarp');
const detectObfuscatorIo = require(__dirname + '/detectors/obfuscator-io');
const detectArrayReplacements = require(__dirname + '/detectors/arrayReplacements');
const detectArrayFunctionReplacements = require(__dirname + '/detectors/arrayFunctionReplacements');
const detectAugmentedArrayReplacements = require(__dirname + '/detectors/augmentedArrayReplacements');
const detectFunctionToArrayReplacemets = require(__dirname + '/detectors/functionToArrayReplacements');
const detectAugmentedArrayFunctionReplacements = require(__dirname + '/detectors/augmentedArrayFunctionReplacements');

const availableDetectors = [];
// Dynamically import available detectors
[
'arrayReplacements',
'functionToArrayReplacements',
'augmentedArrayReplacements',
'arrayFunctionReplacements',
'augmentedArrayFunctionReplacements',
'obfuscator-io',
'caesarp',
'augmentedProxiedArrayFunctionReplacements',
].forEach(detName => availableDetectors.push(require(__dirname + `/detectors/${detName}`)));

/**
* @param {string} code
Expand All @@ -15,18 +21,9 @@ const detectAugmentedArrayFunctionReplacements = require(__dirname + '/detectors
*/
function detectObfuscation(code, stopAfterFirst = true) {
const detectedObfuscations = [];
const detectors = [
detectArrayReplacements,
detectFunctionToArrayReplacemets,
detectAugmentedArrayReplacements,
detectArrayFunctionReplacements,
detectAugmentedArrayFunctionReplacements,
detectObfuscatorIo,
detectCaesarPlus,
];
try {
const tree = generateFlatAST(code);
for (const detection of detectors) {
for (const detection of availableDetectors) {
try {
const detectionType = detection(tree, detectedObfuscations);
if (detectionType) detectedObfuscations.push(detectionType);
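Review bot: The new detector-name array at the top of src/index.js is now the only place that fixes detector priority, and nothing documents that its order is significant. `detectObfuscation` defaults to `stopAfterFirst = true`, and `'augmentedProxiedArrayFunctionReplacements'` is appended after every existing entry, so if one of the more general array-function detectors also matches such a sample (their code is not visible here, so this should be checked against the added sample) the new name would presumably never be reported by default. A comment on the array such as `// Order matters: with stopAfterFirst, the first matching detector wins` would record the constraint. As a style point, the `forEach` plus `push` can be a single expression, `const availableDetectors = [ ... ].map(detName => require(__dirname + '/detectors/' + detName));`. The body of `detectObfuscation` continues past the end of the shown hunk.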