JavaScript Analysis

The upcoming 0.9.5 version of the Profiler introduces tools to interactively analyze JavaScript code. In a few words it adds the capability to execute snippets of code or to debug them. The JavaScript engine used is the one in WebKit.

Let’s take a look at the newly introduced actions:

JavaScript actions

The ‘Execute JavaScript‘ action executes a script and lets the user decided whether to process ‘eval‘ calls or not.

Execute JavaScript

Even when ‘eval‘ calls are not being processed, the argument is still printed out for the user to inspect. And in case ‘eval‘s are performed, then the result (if any) is printed out as well.

Let’s take a look at the same code under the JavaScript debugger. Given the JavaScript debug capabilities already in Qt, it was easy to integrate a full fledged debugger:

JavaScript Debugger

The debugger can be executed as a stand-alone utility (jsdbg.exe) as well.

It shouldn’t take long before the new version is ready and then we’ll see these features in action against some real world samples. Stay tuned!

Entropy

The upcoming version 0.8.0 version of the Profiler features computation of entropy and the representation of it through a graphical plot. The algorithm used for the calculation is the one described by Ero Carrera on his blog.

When foreign data is present in a file, its entropy is automatically calculated. This is very important, because foreign data can be completely harmless and entropic analysis hugely helps evaluating the risk factor of it.

Normal PDF foreign entropy

In this case the analyzed PDF contains 0x0A separators between objects and since it contains many objects, there’s also a lot of foreign data. However, since the entropy is extremely low, it is possible to assume that the foreign data doesn’t have a purpose.

Let’s take a look at a malicious PDF with foreign data. As one can see, the entropy is very high in this case.

Malicious PDF foreign entropy

Of course, it’s also possible to calculate the entropy in any hex view of a custom range of bytes and block size through the action Data->Entropy. This is the entropy for an entire malicious PDF with a block size of 256 bytes.

Malicious PDF entropy

The encrypted malware begins at the position where the entropy raises and remains steady.

In the future the plot control will be exposed to the Python SDK so that plugin writers can use it too.

Enjoy!

XML Indenter

With the release of the 0.7.7 we’ve bundled a new Python action particularly useful when dealing with unformatted XML.

The following is an excerpt of an embedded XML file taken from a malicious PDF document.

XML Indenter

Focusing on security, this beautifier does not try to validate the content of the document, having also the advantage of being faster than other tree-based indenters.
As a side note, this plugin is compatible with any SMGL-based such as HTML and XHTML.

Pastebin plugin

Coming with the new 0.7.4 release, the Pastebin action is a handy tool for easy sharing of text-based content with colleagues and friends.

Pastebin plugin (result)

Thanks to the new property editor, the full feature set has been implemented; amongst the usual options like syntax highlight, title and content, the user will also be able to change the visibility preference and decide for how long the content should be available online.

Pastebin plugin (settings)

A security confirmation check has also been added to avoid unintentional disclosure of information. 🙂