We have found that many site owners insist their site isn't infected, even after ThreatSign determines that it is. However, when we ran a manual analysis, we found that their sites were in fact infected. The malicious code was in an unreadable form that made the problem hard to spot.

Obfuscated malicious JavaScript isn't easy to detect, and it's even harder to understand. The code runs the same whether a variable is called "Filename" or "x80," but the latter makes it harder to tell what it's doing. Convoluted code structures, such as excessively complicated tests and illogical factoring, likewise impede understanding. They also make the code more prone to bugs. Encoding tricks make the code virtually unreadable. They include concatenating strings from decimal character codes, using base64 encoding, and splitting strings. Some code uses custom obfuscation and de-obfuscation functions.

Obfuscation isn't the same as minification. Minifying code uses some of the same techniques, but its object is to make the code as small as possible, so it will load faster. "Beautifying" tools make minified code more readable, though it's likely to have short, meaningless function and variable names even after beautifying.

Google Chrome's built-in developer tools give you everything you need to undo some kinds of obfuscation. If you run into some JavaScript which you think may be malicious, they can help you decipher it. Here's a quick explanation of what you have to do. Be sure to follow every step in order.

WARNING: Playing with potentially harmful code is dangerous! For maximum safety, run the procedure on a quarantined computer, disconnected from the Internet, running a temporary virtual machine. This explanation assumes you have some experience working with debuggers.

If you open an infected page, it may immediately run the malicious JavaScript. Instead, extract a function definition which you're suspicious of, and paste it as a script into a test page. Include only function definitions, not any code that will run immediately on loading. The test page will include a button to run the function when you're ready. The example we're working with looks like this:

Launch Google Chrome, and open the test file. Then open the developer tools. On a Mac you do this with Command + Option + I. On Windows or Linux it's Control + Shift + I. You will see a directory of source files on the left, which in this case will consist just of the test file. Find the test file and click on it. In our example, it's called java.php, even though it's neither Java nor PHP. (Why not?)

Looking at the code, you can see it does something mysterious to define a variable called ptcf. The code that follows runs the variable that was just created as code, so that's where you want to set a breakpoint.
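Before reaching for the debugger, the encoding tricks listed above can often be undone statically. The following is an added example, not code from the original post: it rewrites decimal character codes, base64 literals and split strings back into plain literals without ever executing the script. The sample input is constructed; "ptcf" is only borrowed as a variable name, and its contents here are made up.

```javascript
// Added example, not code from the original post. It statically reverses the
// encoding tricks described above (decimal character codes, base64, split
// strings) so the hidden string can be read without ever executing it.
// The sample below is constructed for illustration; "ptcf" is the variable
// name used in the post, and its contents here are made up.
const CONSTRUCTED_SAMPLE =
  'var ptcf = String.fromCharCode(99,111,110,115,111,108,101) + "." + ' +
  '"lo" + "g" + "(" + atob("ImhlbGxvIg==") + ");";';

// atob() is a browser / Node 16+ global; fall back to Buffer on older Node.
function b64decode(s) {
  return typeof atob === 'function'
    ? atob(s)
    : Buffer.from(s, 'base64').toString('latin1');
}

// Re-emit a decoded value as a double-quoted JS literal so the result stays
// valid, readable source rather than raw text spliced into the script.
function toLiteral(s) {
  return JSON.stringify(s);
}

function decodeEncodingTricks(src) {
  let prev;
  let out = src;
  // Loop until a pass changes nothing: decoding one layer often exposes
  // another (e.g. a base64 blob that turns out to be a split string).
  do {
    prev = out;
    // 1. String.fromCharCode(104,105) -> "hi"
    out = out.replace(/String\.fromCharCode\(\s*([\d\s,]+)\)/g, (_, codes) =>
      toLiteral(String.fromCharCode(...codes.split(',').map(c => parseInt(c, 10)))));
    // 2. atob("aGk=") -> "hi"  (only a literal argument is decoded)
    out = out.replace(/atob\(\s*(["'])([A-Za-z0-9+\/=]+)\1\s*\)/g, (_, _q, b64) =>
      toLiteral(b64decode(b64)));
    // 3. "ht" + "tp" -> "http"  (only literal + literal, so real expressions
    //    such as x + "y" are left alone; escapes are read as JSON escapes)
    out = out.replace(/"((?:[^"\\]|\\.)*)"\s*\+\s*"((?:[^"\\]|\\.)*)"/g, (_, a, b) =>
      toLiteral(JSON.parse('"' + a + '"') + JSON.parse('"' + b + '"')));
  } while (out !== prev);
  return out;
}

console.log(decodeEncodingTricks(CONSTRUCTED_SAMPLE));
// → var ptcf = "console.log(\"hello\");";
```

The decoded literal is exactly the string the post's breakpoint would show you in the debugger; for custom de-obfuscation functions the page mentions, this static pass will not help and the breakpoint approach is still needed.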