Shulou(Shulou.com)06/03 Report--

This article introduces you how JavaScript anti-debugging skills are, the content is very detailed, interested friends can refer to, hope to be helpful to you.

For JavaScript, you only need to spend a little time debugging and analyzing, and you can understand the functional logic of the JavaScript code snippet. What we are going to discuss can make it more difficult for those who want to analyze your JavaScript code. However, our technology has nothing to do with code confusion, we mainly focus on how to make it more difficult for code to actively debug.

1. Function redefinition

This is one of the most basic and most commonly used code anti-debugging techniques. In JavaScript, we can redefine the function used to collect information. For example, the console.log () function can be used to collect information such as functions and variables and display them in the console. If we redefine this function, we can modify its behavior and hide specific information or display bogus information.

We can run this function directly in DevTools to understand its function:

Console.log ("HelloWorld"); var fake = function () {}; window ['console'] [' log'] = fake;console.log ("Youcan't see me!")

After running, we will see:

VM48:1 Hello World

You will find that the second message is not displayed because we have redefined the function to "disable" its original function. But we can also make it display false information. For example:

Console.log ("Normalfunction"); / / First we save a reference to the original console.log functionvar original = window ['console'] [' log']; / / Next we create our fake function//Basicly we check the argument and if match we call original function with otherparam.// If there is no match pass the argument to the original functionvar fake = function (argument) {if (argument = "Ka0labs") {original ("Spoofed!");} else {original (argument) }} / / We redefine now console.log as our fake functionwindow ['console'] [' log'] = fake;//Then we call console.log with any argumentconsole.log ("Thisis unaltered"); / / Now we should see other text in console different to "Ka0labs" console.log ("Ka0labs"); / / Aaaand everything still OKconsole.log ("Byebye!")

If everything is all right:

Normal functionVM117:11 This is unalteredVM117:9 Spoofed!VM117:11 Bye bye!

In fact, in order to control how the code is executed, we can also modify the function of the function in a smarter way. For example, we can build a code snippet based on the above code and redefine the eval function. We can pass the JavaScript code to the eval function, and then the code will be evaluated and executed. If we redefine this function, we can run different code:

/ / Just a normal evaleval ("console.log ('1337')"); / / Now we repat the process...var original = eval;var fake = function (argument) {/ / If the code to be evaluated contains1337... If (argument.indexOf ("1337")! =-1) {/ /. We just execute a different code original ("for (I = 0; I)

< 10;i++) { console.log(i);}"); } else { original(argument); }}eval= fake;eval("console.log('Weshould see this...')");//Now we should see the execution of a for loop instead of what is expectedeval("console.log('Too1337 for you!')"); 运行结果如下： 1337VM146:1We should see this…VM147:10VM147:11VM147:12VM147:13VM147:14VM147:15VM147:16VM147:17VM147:18VM147:19 正如之前所说的那样，虽然这种方法非常巧妙，但这也是一种非常基础和常见的方法，所以比较容易被检测到。 二、断点 为了帮助我们了解代码的功能，JavaScript调试工具（例如DevTools）都可以通过设置断点的方式阻止脚本代码执行，而断点也是代码调试中最基本的了。 如果你研究过调试器或者x86架构，你可能会比较熟悉0xCC指令。在JavaScript中，我们有一个名叫debugger的类似指令。当我们在代码中声明了debugger函数后，脚本代码将会在debugger指令这里停止运行。比如说： console.log("Seeme!");debugger;console.log("Seeme!"); 很多商业产品会在代码中定义一个无限循环的debugger指令，不过某些浏览器会屏蔽这种代码，而有些则不会。这种方法的主要目的就是让那些想要调试你代码的人感到厌烦，因为无限循环意味着代码会不断地弹出窗口来询问你是否要继续运行脚本代码： setTimeout(function(){while (true) {eval("debugger")三、时间差异 这是一种从传统反逆向技术那里借鉴过来的基于时间的反调试技巧。当脚本在DevTools等工具环境下执行时，运行速度会非常慢（时间久），所以我们就可以根据运行时间来判断脚本当前是否正在被调试。比如说，我们可以通过测量代码中两个设置点之间的运行时间，然后用这个值作为参考，如果运行时间超过这个值，说明脚本当前在调试器中运行。 演示代码如下： set Interval(function(){ var startTime = performance.now(), check,diff; for (check = 0; check < 1000; check++){ console.log(check); console.clear(); } diff = performance.now() - startTime; if (diff >

{alert ("Debugger detected!");}}, 500); IV. DevTools testing (Chrome)

This technique takes advantage of the id attribute in the div element, and when the div element is sent to the console (such as console.log (div)), the browser automatically attempts to get the element id. If the code calls the getter method after calling console.log, the console is currently running.

The simple proof-of-concept code is as follows:

Let div = document.createElement ('div'); let loop = setInterval (() = > {console.log (div); console.clear ();}); Object.defineProperty (div, "id", {get: () = > {clearInterval (loop); alert ("Dev Tools detected!");}}); 5. Implicit flow integrity control

When we try to anti-obfuscate the code, we first try to rename some functions or variables, but in JavaScript we can detect whether the function name has been modified, or we can get its original name or call order directly through the stack trace.

Arguments.callee.caller can help us create a stack trace to store previously executed functions, as shown in the following code:

Function getCallStack () {var stack = "#", total = 0, fn = arguments.callee; while ((fn = fn.caller)) {stack = stack + "" + fn.name; total++} return stack} function test1 () {console.log (getCallStack ();} function test2 () {test1 ();} function test3 () {test2 ();} function test4 () {test3 ();} test4 ()

Note: the more confusing the source code, the better the effect of this technique.

VI. Agent object

Proxy object is one of the most useful tools in JavaScript, which can help us understand other objects in the code, including modifying their behavior and triggering object activity in a specific environment. For example, we can create a cute object and track every document.createElemen call, and then record the relevant information:

Const handler = {/ / Our hook to keep the track apply: function (target, thisArg, args) {console.log ("Intercepted a call tocreateElement with args:" + args); return target.apply (thisArg, args)}} document.createElement= new Proxy (document.createElement, handler) / / Create our proxy object withour hook ready to interceptdocument.createElement ('div')

Next, we can record the relevant parameters and information in the console:

VM64:3 Intercepted a call to createElement with args: div

We can use this information to debug code by intercepting specific functions, but the main purpose of this article is to introduce anti-debugging techniques, so how do we detect whether the "other party" uses a proxy object? In fact, this is a cat-and-mouse game. For example, we can use the same code snippet and then try to call the toString method and catch the exception:

/ / Call a "virgin" createElement:try {document.createElement.toString ();} catch (e) {console.log ("I saw your proxy!");}

The information is as follows:

"function createElement () {[native code]}"

But when we use the proxy:

/ / Then apply the hookconsthandler = {apply: function (target, thisArg, args) {console.log ("Intercepted a call tocreateElement with args:" + args); return target.apply (thisArg, args)}} document.createElement= new Proxy (document.createElement, handler); / / Callour not-so-virgin-after-that-party createElementtry {document.createElement.toString ();} catch (e) {console.log ("I saw your proxy!");}

Yes, we can detect proxies:

VM391:13 I saw your proxy!

We can also add the toString method:

Const handler = {apply: function (target, thisArg, args) {console.log ("Intercepted a call tocreateElement with args:" + args); return target.apply (thisArg, args)}} document.createElement= new Proxy (document.createElement, handler); document.createElement= Function.prototype.toString.bind (document.createElement); / / Add toString//Callour not-so-virgin-after-that-party createElementtry {document.createElement.toString () } catch (e) {console.log ("I saw your proxy!");}

Now we can't detect it:

"function createElement () {[native code]}"

Like I said, this is a cat-and-mouse game.

About how JavaScript anti-debugging skills are shared here, I hope the above content can be of some help to you, can learn more knowledge. If you think the article is good, you can share it for more people to see.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.