The Infection-Monkey team for GSoC 2018 wrote this post as a project summary of their GSoC 2018 experience.
Team:
Student: Vakaris Žilius
Mentor: Daniel Goldberg
Introduction
During GSoC 2018, Vakaris worked with me on the Infection Monkey.
The Infection Monkey is an open source security tool for testing a data center’s resiliency to perimeter breaches and internal server infection. The Monkey uses various methods to self propagate across a data center and reports success to a centralized Monkey Island server.
Our work mainly focuses on DOM simulation. I believe the following is the most important part for deobfuscation, but we also do a lot more so that our program can handle normal web pages. We will not list all of it here.
Our code can be found at:
http://code.google.com/p/phoneyc/source/browse/phoneyc#phoneyc/branches/phoneyc_wanggeng
1. DOM tree generation.
We defined a class ‘DOMObject’ in Python; it has a list ‘children’ as a member. We use SGMLParser to parse the HTML document and create a DOMObject whenever a start tag is met.
The code is like this:
class unknown_obj(object):
    # Permissive placeholder: any call, index or attribute access yields another placeholder,
    # so a script probing an unimplemented DOM member never raises
    def __call__(self, *arg): return unknown_obj()
    def __getitem__(self, key): return unknown_obj()
    def __getattr__(self, name): return unknown_obj()
The three methods are: __call__ for function calls (*arg means arg is the argument list), __getitem__ for member access using ‘[]’, such as a[3] where 3 is the key, and __getattr__, as mentioned, for any member access using ‘.’. So almost every kind of code is legal for an object like this.
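As an added example (not PhoneyC's own code), a minimal Python 3 version of the two ideas above: a DOMObject tree built by creating a node at each start tag, and the permissive placeholder as the fallback for any DOM member the emulator does not implement. It uses the standard-library html.parser in place of the Python 2 SGMLParser the post used, and the getElementById method, the VOID_TAGS set and the sample HTML below are constructed for illustration.

```python
from html.parser import HTMLParser
VOID_TAGS = {"br", "img", "input", "meta", "link", "hr"}  # elements that never get an end tag

class unknown_obj(object):
    # Permissive placeholder: any call, index or attribute access yields another placeholder
    def __call__(self, *arg): return unknown_obj()
    def __getitem__(self, key): return unknown_obj()
    def __getattr__(self, name): return unknown_obj()

class DOMObject(object):
    # One node of the emulated DOM; members the emulator lacks (style, innerHTML, ...) resolve to unknown_obj
    def __init__(self, tag, attrs, parent=None):
        self.tagName = tag.upper()
        self.attributes = dict(attrs)
        self.id = self.attributes.get("id") or ""
        self.parentNode = parent
        self.children = []
    def __getattr__(self, name):  # only reached for attributes not set in __init__
        return unknown_obj()
    def getElementById(self, wanted):
        for child in self.children:  # depth-first search of the subtree
            if child.id == wanted:
                return child
            found = child.getElementById(wanted)
            if found is not None:
                return found
        return None

class DOMBuilder(HTMLParser):
    # Creates a DOMObject at every start tag and nests it under the currently open element
    def __init__(self):
        super().__init__()
        self.document = DOMObject("#document", [])
        self.stack = [self.document]
    def handle_starttag(self, tag, attrs):
        node = DOMObject(tag, attrs, parent=self.stack[-1])
        self.stack[-1].children.append(node)
        if tag not in VOID_TAGS:
            self.stack.append(node)
    def handle_endtag(self, tag):
        for i in range(len(self.stack) - 1, 0, -1):  # pop back to the matching open element
            if self.stack[i].tagName == tag.upper():
                del self.stack[i:]
                return

def parse_document(html):
    builder = DOMBuilder()
    builder.feed(html)
    builder.close()
    return builder.document
```

With this, an access chain such as document.getElementById("msg").style.display returns a placeholder rather than raising, which is exactly the property the honeyclient needs when running unknown scripts against a partial DOM.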
There are of course more of them, but we only list those that would confuse our code. Note that the current version is based on IE, not FF, since it is more vulnerable.
I don’t know how to write HTML in this blog, so I hope I can make them clear without examples.
1. In both IE and FF, a DOM object can be accessed by its ID.
It seems that there were some problems with this blog system, and I was busy with my final exams, so I haven’t written a blog post for a long time since the project started.
But the work has been going on. I’ve spent some time studying the language features of JavaScript and comparing them with Python. Though these two are both scripting languages, Python is somehow much stronger. We’ll see this from the differences between setter/getter functions and the __setattr__/__getattr__ methods in Python.