Cscript-wscript
Jump to navigation
Jump to search
Description
- cscript and wscript are command line (CLI) utilities from Microsoft to analyze JavaScript and VBScript.
- The only difference is that wscript will output windows whereas cscript is exlusively CLI-based
- They use Internet Explorer scripting engine
- The files to analyze must have the proper extension (*.vbs for VBScript and *.js for JavaScript)
- HTML tags have to be removed from the code prior to analyzing it
- Specific methods should be used to output variables: use WScript.echo
Usage
Syntax
Usage: CScript scriptname.extension [option...] [arguments...] Usage: WScript scriptname.extension [option...] [arguments...]
Options
- /B
- Specifies batch mode, which does not display alerts, scripting errors, or input prompts.
- /D
- Starts the debugger.
- /E:<Engine>
- Specifies the engine that is used to run the script.
- /H:CScript
- Registers Cscript.exe as the default script host for running scripts
- /H:WScript
- Registers Wscript.exe as the default script host for running scripts. This is the default.
- /I
- Specifies interactive mode, which displays alerts, scripting errors, and input prompts. This is the default and the opposite of /B.
- /Job:<Identifier>
- Runs the job identified by Identifier in a .wsf script file.
- /Logo
- Specifies that the Windows Script Host banner is displayed in the console before the script runs. This is the default and the opposite of /Nologo.
- /Nologo
- Specifies that the Windows Script Host banner is not displayed before the script runs.
- /S
- Saves the current command-prompt options for the current user.
- /T:<Seconds>
- Specifies the maximum time the script can run (in seconds). You can specify up to 32,767 seconds. The default is no time limit.
- /U
- Specifies Unicode for input and output that is redirected from the console.
- /X
- Starts the script in the debugger.
- /?
- Displays available command parameters and provides help for using them. This is the same as typing Cscript.exe with no parameters and no script.
Example
Obfuscated code
Let's analyze the following code:
var enkripsi="'1Aqapkrv'1G'2Cfmawoglv,upkvg'0:'00jgnnm'0A'02umpnf'00'0;'1@'2C'1A-qapkrv'1G";
teks="";
teksasli="";
var panjang;
panjang=enkripsi.length;
for (i=0;i<panjang;i++) {
teks+=String.fromCharCode(enkripsi.charCodeAt(i)^2)
}
teksasli=unescape(teks);
document.write(teksasli);
Code modification
Notice that we have to replace the document.write method with WScript.echo on the last line:
WScript.echo(teksasli);
If you prefer, you can also use custom functions at the very beginning of the code, as follows:
document = {
write: function(input_string){
WScript.echo(input_string);
}
}
var enkripsi="'1Aqapkrv'1G'2Cfmawoglv,upkvg'0:'00jgnnm'0A'02umpnf'00'0;'1@'2C'1A-qapkrv'1G";
teks="";
teksasli="";
var panjang;
panjang=enkripsi.length;
for (i=0;i<panjang;i++) {
teks+=String.fromCharCode(enkripsi.charCodeAt(i)^2)
}
teksasli=unescape(teks);
document.write(teksasli);
cscript
Now, let's use cscript to output the value of the teksasli variable:
C:\Documents and Settings\malware\Bureau>cscript example.js <script> document.write("hello, world"); </script>
wscript
The same example will be rendered as follows with wscript: