I need to figure out how to detect obfuscated JavaScript purely with static analysis.
Here is an example of a piece of obfuscated JavaScript that I need to detect with static analysis:
eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('0.1("2");',3,3,'document|write|test'.split('|'),0,{}))
I'm guessing I can check the amount of key characters, such as (, ), , | within an amount of characters. If possible, which characters are important?
You should rather count the percentage of whitespace: spaces/tabs, newlines, comments etc.
You can also analyze function and variable names to detect strange names, e.g. lrn2fl4ncew, g0034 etc., that are not dictionary based.
A third possible way is to detect the absence of typical keywords, e.g. eval, regexp etc. In rogue scripts such keywords are hidden in various ways to prevent easy detection.
Counting the percentage of key characters or short function/variable names is not enough; there would be way too many false positives from "compressed" scripts (without obfuscation).
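As an added example (not code from either poster), a small Python scorer that combines the answer's heuristics, whitespace share, non-dictionary-looking names and a runtime-built string handed to eval, with the question's bracket density; the thresholds and the vowel/digit test used in place of a real dictionary are my assumptions, and the minified sample illustrates the false positive the answer warns about, landing below the "obfuscated" line.

```python
import re

# Constructed samples: PACKED is the question's eval(function(p,a,c,k,e,d){...}) snippet,
# MINIFIED is compressed but not obfuscated code, CLEAN is ordinary hand-written code.
PACKED = r"""eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('0.1("2");',3,3,'document|write|test'.split('|'),0,{}))"""
MINIFIED = "function f(a,b,c){var d=a+b*c;return d}var g=f(1,2,3);if(g>5){document.write(g)}else{document.write(0)}"
CLEAN = 'function greetUser(name) {\n    var message = "Hello, " + name;\n    document.write(message);\n}\ngreetUser("test");\n'

KEYWORDS = {"function", "return", "var", "let", "const", "if", "else", "while", "for",
            "new", "this", "true", "false", "null", "typeof", "in", "do", "break",
            "continue", "switch", "case", "try", "catch", "throw"}
IDENT = re.compile(r"[A-Za-z_$][A-Za-z0-9_$]*")
STRING = re.compile(r"'(?:\\.|[^'\\])*'|\"(?:\\.|[^\"\\])*\"")
PUNCT = set("(){}[];,|")   # assumed set of "key characters"; tune to taste

def odd_name(name):
    """Assumed stand-in for a dictionary lookup: 1-2 char names, digits inside, or no vowels."""
    return len(name) <= 2 or any(ch.isdigit() for ch in name) or not re.search(r"[aeiouy]", name, re.I)

def metrics(src):
    code = STRING.sub("''", src)   # blank string literals so their contents don't skew counts
    idents = [w for w in IDENT.findall(code) if w not in KEYWORDS]
    return {
        "whitespace_ratio": sum(ch.isspace() for ch in src) / max(len(src), 1),
        "punct_ratio": sum(ch in PUNCT for ch in code) / max(len(code), 1),
        "odd_ident_ratio": sum(odd_name(w) for w in idents) / max(len(idents), 1),
        "eval_of_function": re.search(r"\beval\s*\(\s*function\b", code) is not None,
    }

def classify(src):
    """Return (signal count, verdict). Thresholds are assumptions, not measured cut-offs."""
    m = metrics(src)
    signals = [m["whitespace_ratio"] < 0.05,   # almost no whitespace or comments
               m["punct_ratio"] > 0.25,        # dense brackets and separators
               m["odd_ident_ratio"] > 0.5,     # mostly non-dictionary names
               m["eval_of_function"]]          # code assembled at runtime, then eval'd
    score = sum(signals)
    verdict = "obfuscated" if score >= 3 else "suspicious" if score else "clean"
    return score, verdict

if __name__ == "__main__":
    for label, src in (("packed", PACKED), ("minified", MINIFIED), ("clean", CLEAN)):
        print(label, classify(src), metrics(src))
```

The minified sample trips the whitespace and short-name signals alone, which is exactly why a single ratio is not a usable verdict; only the packed sample also carries the bracket density and the eval-of-function pattern.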