
Understanding JavaScript Obfuscation


Understanding JavaScript Obfuscation. ASEC, Senior Researcher Kim Ji-hoon (김지훈). Just as no living thing can survive without air, can we really imagine an IT infrastructure without the web?


Transcription of Understanding JavaScript Obfuscation

1 (Javascript obfuscation ) . ASEC . , IT .. , , .. , . ! .. , , .. , .. , . Javascript Javascript . ( , obfuscation ) . , .. 2 , .. , .. SQL. Injection .. : Js iframe link(Encoding ) . Exploit Exploit . , .. [ ] . - 1) SQL Injection . : . : . - 2) SQL Injection . : (DB) / . : iframe Javascript . - 3-5) . , DB .. - 6) ( ). : 9 : .. & , . (Information Stealer) . (Bot Agent) . 9 : iframe . , , . 3 .. - . - . - . 1) (iframe ). - : SQL Injection - . iframe : . iframe : SQL Injector . iframe : html Javascript . iframe : width, height 0 1. iframe : . - Iframe . iframe . 9 . iframe .. () . 9 () , . () . 100 iframe . 9 iframe width height 0 1 .. IFRAME .. 100 .. 9 , .. 2) (Javascript ). - : , ActiveX . - . : , ActiveX . : . : . - .. 9 . , ActiveX .. ActiveX 0-day .. 9 (damage) .. , 6~7 .. [ ] iframe . iframe . width 100 .. 9 .. [ ] . 3) . - : . MS Internet Explorer(IE) .. MS , .. - : ActiveX Control ( ).

2 ActiveX Control .. 0-day . , .. - : 2008 4 realplayer .. - . Web Browsers: 9 (MS06-014) MS IE (MDAC) Remote Code Execution Exploit 9 (MS07-004) MS IE (VML) Remote Denial of Service Exploit 9 (MS07-017) GDI Remote Code Execution Exploit ActiveX Controls: 9 RealNetworks RealPlayer ActiveX Controls Vulnerability 9 Yahoo! Webcam Image Upload ActiveX Control Vulnerability 9 Baofeng Storm ActiveX Controls Vulnerability ( ). 9 HTTP PPStream PowerPlayer ActiveXControls Vulnerability ( ). Exploit .. , .. , .. ( obfuscation ) .. IDS/IPS .. - iframe width, height 0 1 . - () () . - . - iframe , HTML (iframe) . d() DOM . iframe element . - 8bit ASCII Encoding .. split . Iframe .. () .. ? Javascript . (iframe , ) . ( obfuscation ) . - split ( ). - Javascript escape () . - Javascript eval() . - XOR . - . - 8-bit ASCII . - BASE64 . - / . Javascript escape () . Javascript escape() ISO Latin-1 ASCII.

3 %xx , xx ASCII . ( & ) . %26 , escape( !# ) %21%23 . Javascript unescape() escape ASCII ISO Latin-1 .. unescape( %26 ) & .. %integer hex . Hex 0x00 0xFF . [ ] RealPlayer . [ ] Javascript unescape() . Javascript escape() .. Javascript . - (Shellcode2 EXE). - (BinText). - (OllyDBG).. Javascript C .. iDefense Malcode Analysis Software Tools . Shellcode2 EXE .. BinText Strings URL . , XOR .. , html .. , . , 2 .. , .. [ ] XOR . [ ] OllyDBG URL . %system32% .. - Shellcode2 EXE. iDefense Malcode Analysis Software Tools1. : - BinText FoundStone . 2. - OllyDBG. OllyDbg 32-bit . 3. 1. #more_malcode+analysis+pack 2. 3. Javascript eval () . Javascript eval () Javascript .. Javascript eval () print . , . eval () .. [ ] eval() ( ), ASCII . ( ). eval (jsString).. eval(): ( , ).. jsString: ( ). (argument) .. jsString , undefined .. Javascript .. 1) jsString Javascript . 2) Javascript (Parse) . 3) eval() Javascript.

4 , 4) , (return).. jsString Javascript , (object) . (property) . Javascript .. Javascript eval () .. eval () . ( ). [ ] ( ). \ddd: 8 (ddd) Latin-1 . \xdd: 16 (dd) Latin-1 . \udddd: 16 (dddd) .. eval () , 8 .. iframe .. iframe 8 , i \151, f \146, r \162, a \141, m . \155, e \145 . eval () , iframe (8 , \146\162\141\155\145) .. escape () eval () 2 .. XOR . XOR / .. XOR (Symmetric Key) . ( . / KEY ). XOR ( , ^ ) . - : A ^ B = B ^ A. - : (A ^ B) ^ C = A ^ (B ^ C). - : A ^ 0 = A. - : A ^ A = 0. XOR , XORKEY, .. - ^ XORKEY = . - ^ XORKEY = ( ^ XORKEY) ^ XORKEY. = ^ (XORKEY ^ XORKEY) ; , . = ^ (0) ; . = . ( , : [1 ^ 0 = 1, 1 ^ 0 = 1], [0 ^ 0 = 0, 1 ^ 1 = 0]). Example : : < s c r i p t (dec) 60 115 99 114 105 112 116. XORKEY: (dec) 112 112 112 112 112 112 112. : (dec) 76 .. (dec) 60 (bin) 0 0 1 1 1 1 0 0. XOR (dec) 112 (bin) 0 1 1 1 0 0 0 0. ---------------------------------------- ----------- (dec) 76 (bin) 01001100.

5 / XORKEY XOR .. [ ] XOR Encrypt ( = ^ XORKEY 112). [ ] XOR Decrypt ( = ^ XORKEY 112).. , .. , .. psw() .. [ ] psw() .. rechange() .. ! - ($) array . - array ASCII . - ASCII . [ ] recharge() .. , / .. , / , /. , . A ------------- / A. B ------------- / B.. 8-bit ASCII . 8-bit ASCII .. , ( ). ASCII 8 , 1 7 .. , 1 ASCII .. ASCII 8-bit ASCII . 8-bit 1 . 1 . 0 1 . 8-bit HTML charset US- ASCII HTML 1 .. , . html . (0x68746d6c) , . 0x68746d6c 0xE8F4 EdEc , .. [ ] 7-bit ASCII 8bit . 1 0 1 . 8-to-7 ASCII . - ASCII exploit / . , - PERL . : $cat | perl -pe 's/(.)/chr(ord($1)&127)/ge'. : SANS, Decoding Diyer's Ascii bypass 9 [ ] 8-bit ( ), 8-bit ( ). [ ] Ascii . ASCII 7 (0x00-0x7F) .. BASE64 . BASE64 / .. BASE64 .. - BASE64 .. [ ] BASE64 ( ), BASE64 ( ). MS06-014, RealPlayer BASE64 . [ ] BASE64 Javascript (.js) .. BASE64 4. BASE64 64 (2^6, 6 ) .. , 8 . , 6 8 . 24 . 24 BASE64 . 6 4 , . 8 3 . , BASE64 3-to-4.

6 , KIM BASE64 . KIM 2 .. KIM HEX 4B(K) 49(I) 4D(M) , 2 0100. 1011 (K) 0100 1001 (I) 0100 1101 (D) . - KIM(16) 4B 49 4D. - KIM (2) 0100 1011 0100 1001 0100 1101. KIM 2 6 , BASE64 .. KIM BASE64 S0lN . - KIM (6) 010010 110100 100101 001101. - KIM (6) 18 52 37 13. - KIM (BASE64) S 0 l N. [ ] BASE64 . 4. (=) . , BASE64 / 24 . (6 . * 4 , 8 * 3 ). 3 .. (=) .. / . , / . , . (Packer) . , . - Dean Edwards's JavascriptObfuscator & Compressor - Windows JavascriptEncoder Dean Edwards's JavascriptCompressor .. , .. function(p,a,c,k,e,d) iframe .. Dean Edwards's JavascriptObfuscator & Compressor .. Dean Edwards / .. , / .. Dean Edwards's codes: - Using function(p,a,c,k,e,d), - Using Function(p,a,c,k,e,r), [ ] . [ ] Iframe . Windows JavascriptEncoder 2007 .. - - MS . / .. - Windows Script Encoder: -c447-4873-b1b0-21f0626a6329&displaylang =ko - Windows Script Decoder: - GreyMagic Online Script Decoder ( ): (Encode).

7 - : #@~^ (4 ). - : 32 , Base64 . - . - : 32 , Base64 . - : ^#~@ (4 ). Example: ( ) . - : - : vAMAAA==. - : ( ). - : vfsAAA===. - : [ ] ( ), ( ).. , (JavascriptObfuscation) .. , / .. - : alert () msgbox() : 9 () eval() javascript:alert() . vbscript:msgbox() .. [ ] () alert () . [ ] alert . <xmp> : 9 <xmp> </xmp> . ( . ). [ ] <xmp> . [ ] <xmp> . <textarea> : 9 <textarea> . [ ] <textarea> . [ ] <textarea> . - . : 9 NJS JavascriptInterpreter, 9 Spider Monkey, 9 Rhino, - . Reverse Engineering Malicious Javascript 9 . IDS/IPS . (JavascriptObfuscation) .. vs.. / .. , .. , .. [ ] ASEC ( ).

