Cscript-wscript

From aldeid
Jump to: navigation, search

Description

  • cscript and wscript are command line (CLI) utilities from Microsoft to analyze JavaScript and VBScript.
  • The only difference is that wscript will output windows whereas cscript is exlusively CLI-based
  • They use Internet Explorer scripting engine
  • The files to analyze must have the proper extension (*.vbs for VBScript and *.js for JavaScript)
  • HTML tags have to be removed from the code prior to analyzing it
  • Specific methods should be used to output variables: use WScript.echo

Usage

Syntax

Usage: CScript scriptname.extension [option...] [arguments...]
Usage: WScript scriptname.extension [option...] [arguments...]

Options

/B
Specifies batch mode, which does not display alerts, scripting errors, or input prompts.
/D
Starts the debugger.
/E:<Engine>
Specifies the engine that is used to run the script.
/H:CScript
Registers Cscript.exe as the default script host for running scripts
/H:WScript
Registers Wscript.exe as the default script host for running scripts. This is the default.
/I
Specifies interactive mode, which displays alerts, scripting errors, and input prompts. This is the default and the opposite of /B.
/Job:<Identifier>
Runs the job identified by Identifier in a .wsf script file.
/Logo
Specifies that the Windows Script Host banner is displayed in the console before the script runs. This is the default and the opposite of /Nologo.
/Nologo
Specifies that the Windows Script Host banner is not displayed before the script runs.
/S
Saves the current command-prompt options for the current user.
/T:<Seconds>
Specifies the maximum time the script can run (in seconds). You can specify up to 32,767 seconds. The default is no time limit.
/U
Specifies Unicode for input and output that is redirected from the console.
/X
Starts the script in the debugger.
/?
Displays available command parameters and provides help for using them. This is the same as typing Cscript.exe with no parameters and no script.

Example

Obfuscated code

Let's analyze the following code:

var enkripsi="'1Aqapkrv'1G'2Cfmawoglv,upkvg'0:'00jgnnm'0A'02umpnf'00'0;'[email protected]'2C'1A-qapkrv'1G";
teks="";
teksasli="";
var panjang;
panjang=enkripsi.length;
for (i=0;i<panjang;i++) {
  teks+=String.fromCharCode(enkripsi.charCodeAt(i)^2)
}
teksasli=unescape(teks);
document.write(teksasli);

Code modification

Notice that we have to replace the document.write method with WScript.echo on the last line:

WScript.echo(teksasli);

If you prefer, you can also use custom functions at the very beginning of the code, as follows:

document = {
  write: function(input_string){
    WScript.echo(input_string);
  }
}

var enkripsi="'1Aqapkrv'1G'2Cfmawoglv,upkvg'0:'00jgnnm'0A'02umpnf'00'0;'[email protected]'2C'1A-qapkrv'1G";
teks="";
teksasli="";
var panjang;
panjang=enkripsi.length;
for (i=0;i<panjang;i++) {
  teks+=String.fromCharCode(enkripsi.charCodeAt(i)^2)
}
teksasli=unescape(teks);
document.write(teksasli);

cscript

Now, let's use cscript to output the value of the teksasli variable:

C:\Documents and Settings\malware\Bureau>cscript example.js

<script>
document.write("hello, world");
</script>

wscript

The same example will be rendered as follows with wscript:

Wscript-example.png

Comments

blog comments powered by Disqus