If you use the WScript Emulator to analyse WScript-based malware downloaders, take all the precautions you would for any other malware analysis. The emulator does not execute any HTTP requests, registry changes or filesystem modifications, but you are still running a malicious file. Use it only if you are confident (or confidently suspect) that the file is a WScript file, and always at your own risk.
The WScript Emulator contains a full code tracer that lists every class construct, function call, getter and setter that occurs while the script runs. Even when the original script is 100% triple-obfuscated with JSFuck, the tracer records every function as if the script weren't obfuscated at all.
To track the files a script would create, modify or delete on the filesystem, the emulator contains a mock (virtual) filesystem. This makes it easy to see what the script would do to your filesystem if it were running in the normal WScript environment.
- ApplicationObject (Couldn't find documentation)
The emulator does not download any files when the original script requests one; this is done for security reasons. It does show which URL is being requested and where the file would have been saved in the VFS (but without the file's contents).
In addition, the emulator page removes `fetch` from the global `window` object. It is easily replaceable with other JS functionality, though.
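As an added illustration (not the emulator's own code) of the tracer, the mock filesystem, the download stub and the case-insensitive member lookup described on this page, here is a minimal Proxy-and-Reflect-based version in JavaScript. The function and variable names (makeTraced, runInEmulator, vfs, SAMPLE_SCRIPT) and the constructed, benign sample script are this example's own assumptions.

```javascript
// Added example, not the WScript Emulator's own code: a Proxy-based call tracer with
// case-insensitive member lookup and an in-memory mock filesystem. All names here
// (makeTraced, runInEmulator, SAMPLE_SCRIPT, vfs) are this example's own choices.
const trace = [];       // every member access and call, in order
const vfs = new Map();  // mock filesystem: path -> contents
// Case-insensitive key lookup, mimicking JScript's behaviour under WScript.
const findKey = (obj, prop) =>
  Object.keys(obj).find(k => k.toLowerCase() === String(prop).toLowerCase());
// Wrap an object so every member access and call is logged; objects returned by
// calls are wrapped too, so nested calls (fso.CreateTextFile().WriteLine) are traced.
function makeTraced(name, target) {
  return new Proxy(target, {
    get(obj, prop) {
      const key = findKey(obj, prop);
      if (key === undefined) { trace.push(`get ${name}.${String(prop)} (unsupported)`); return undefined; }
      const value = Reflect.get(obj, key);
      if (typeof value !== 'function') { trace.push(`get ${name}.${key}`); return value; }
      return (...args) => {
        trace.push(`call ${name}.${key}(${args.map(a => JSON.stringify(a)).join(', ')})`);
        const result = value.apply(obj, args);
        return result !== null && typeof result === 'object' ? makeTraced(`${name}.${key}()`, result) : result;
      };
    },
  });
}
// Mock COM objects: file writes land in the VFS; XMLHTTP records the URL but never fetches.
const mocks = {
  'scripting.filesystemobject': () => ({
    CreateTextFile(path) {
      vfs.set(path, '');
      return { WriteLine(line) { vfs.set(path, vfs.get(path) + line + '\n'); }, Close() {} };
    },
  }),
  'msxml2.xmlhttp': () => ({ open(method, url) { trace.push(`WOULD DOWNLOAD ${method} ${url}`); }, send() {} }),
};
// Run a script string with a traced, mocked WScript object in scope. This is a tracing
// aid, not a sandbox: the script still sees the host's globals.
function runInEmulator(source) {
  trace.length = 0; vfs.clear();
  const WScript = makeTraced('WScript', { CreateObject(progId) { return mocks[progId.toLowerCase()](); } });
  new Function('WScript', source)(WScript);
  return { trace: [...trace], vfs: new Map(vfs) };
}
// Constructed, benign sample script; the mixed-case createobject exercises case-insensitivity.
const SAMPLE_SCRIPT = String.raw`
  var fso = WScript.createobject("Scripting.FileSystemObject");
  var f = fso.CreateTextFile("C:\\Temp\\dropped.txt"); f.WriteLine("hello"); f.Close();
  var x = WScript.CreateObject("MSXML2.XMLHTTP");
  x.open("GET", "http://example.invalid/payload.txt"); x.send();`;
```

Running `runInEmulator(SAMPLE_SCRIPT)` returns the ordered trace (with the would-be download URL) and the VFS contents without any network access having taken place.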
Not every script returns useful results. There are commonly 4 reasons for this:
- The emulator doesn't support, or incorrectly supports, one of the objects the script calls
- The script gets stuck in an infinite loop when emulating downloads; see issue #1 for a more detailed explanation
- The file is not JScript (but VBScript or something else)
- The malware is badly written and wouldn't run in a normal WScript environment either
In any of these cases the malware will have to be reversed manually to figure out why it didn't run correctly. I don't claim that every script will run, because of the limitations of emulation, but if even 50% of the scripts run, it can save a lot of time.
If you find a bug in the emulator, please open an issue and provide sample code showing where it went wrong. If you cannot provide the sample because it is actual malware, please send an email to mischa [a] mrpapercut.com.
JScript is Microsoft's flavour of the ECMAScript standard. This means that most ECMAScript rules still apply, but JScript's implementation in WScript differs in a few ways:
JScript in WScript is case-insensitive.
Regular JScript, like all ECMAScript variants, is case-sensitive (there is a difference between
true === -1
In WScript, false === 0, but true === ~false (-1). Because we cannot redefine
true === -1, please let me know.
- For use: any recent browser that supports the ES6 syntax and the Proxy and Reflect objects (Chrome >= 49.0, Firefox >= 42, Edge >= 14, Safari >= 10)
- For development: Node.js >= 6.4
This package contains a fully emulated version of WScript with 100% test coverage. Every file is named as you would expect, and every documented method links to the official WScript documentation describing what the feature should do. If you want to contribute to this project, please keep the following in mind:
- Every method should behave as identically as possible to the original WScript code; see Microsoft's documentation for this
- Everything must be covered by tests
```sh
git clone https://github.com/mrpapercut/wscript.git
cd wscript
npm install
npm run test-coverage
npm run build
```
The HTML emulator can then be found in `/dist/`.