Skip to content

tinysec/jsrt

master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
1 branch 0 tags
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
bin
 
 
example/batch_update_symbols
 
 
img
 
 
src/jsrt_modules
 
 
test
 
 
LICENSE
 
 
README.md
 
 
clean.bat
 
 
the javascript runtime ( JSRT ) project DOCUMENTS host type notice that , all other dll files under i386/amd64 is just optional just compatible to my first version. native support feature todolist usage xp ~ win10 rs2 support real multi thread support visual studio debug support( need windows 10 ) example history the pre-version is used for kernel fuzz ( self use , not-published)

README.md

the javascript runtime ( JSRT ) project

  • javascript runtime for windows , based on chakra
  • author: TinySec( @TinySecEx )
  • JSRT is friend for binary hacker , special for windows.
  • this version is a public new version , feel free to open issue.
  • always download the latest version.

DOCUMENTS

https://github.com/tinysec/jsrt/wiki

host type

filename host arch usage
js.exe console i386 js.exe [options] [--eval script or script.js] [arguments]
js64.exe console amd64 js64.exe [options] [--eval script or script.js] [arguments]
jsw.exe window i386 jsw.exe [options] [--eval script or script.js] [arguments]
jsw64.exe window amd64 jsw64.exe [options] [--eval script or script.js] [arguments]
jsida.plw IDA i386 [options] [--eval script or script.js] [arguments]
jsida.p64 IDA amd64 [options] [--eval script or script.js] [arguments]
jswd.dll windbg i386 !js [options] [--eval script or script.js] [arguments]
jswd64.dll windbg amd64 !js [options] [--eval script or script.js] [arguments]
jsk.sys kernel i386 TODO , support kernel access
jsk64.sys kernel amd64 TODO , support kernel access

notice that , all other dll files under i386/amd64 is just optional

just compatible to my first version.

native support feature

  • real native multi-thread support
  • 64-bit number
  • Buffer
  • host full memory access , and support both GC and manual memory manager.
  • c-like printf and sprintf
  • ffi , support some windows type , full windows api access
  • serialize and unserialize
  • re-entry support for windbg and ida mode
  • portable from windows xp ~ windows 10 rs2
  • small dist.
  • anything you want for binary hack.

todolist

  • firefox style ctypes
  • c-style struct and union handle
  • kernel support
  • more documents.

usage

Usage: js [options] [--eval script or script.js] [arguments]

Options: 
 --version	show version
 --verbose	verbose mode
 --help		show help
 --eval		eval mode


Environment: 
JSRT_SYSTEM_MODULE_PATH		system jsrt module search path
JSRT_MODULE_PATH		common jsrt module search path
JSRT_IDA_MODULE_PATH		jsrt-ida module search path
JSRT_WINDBG_MODULE_PATH		jsrt-windbg module search path


more info is at https://github.com/tinysec/jsrt

jsrt

xp ~ win10 rs2 support

xp_support

real multi thread support

thread_support

visual studio debug support( need windows 10 )

visual_stduio_support

example

enum windows

const ffi = require("ffi");

const printf = require("cprintf").printf;
const sprintf = require("cprintf").sprintf;
const KdPrint = require("cprintf").KdPrint;

var hUser32 = ffi.loadLibrary( "user32.dll" );
var fnEnumWindows = ffi.bindModule( hUser32 ,  "BOOL WINAPI EnumWindows(_In_ void* lpEnumFunc,_In_ LPARAM      lParam); "  );
var fnGetClassNameA = ffi.bindModule( hUser32 ,  "int WINAPI GetClassNameA(_In_  HWND   hWnd,_Out_ LPTSTR lpClassName,_In_  int    nMaxCount);"  );

// BOOL CALLBACK EnumWindowsProc(_In_ HWND   hwnd,_In_ LPARAM lParam);
function enumRoutine( hWnd , lParam )
{
	var lpClassNameA = Buffer.alloc( 250 ).fill( 0 );

	var nRet = 0;
	
	nRet = fnGetClassNameA( hWnd , lpClassNameA , 250 );
	
	printf("0x%p -> %s|\n" , hWnd  , lpClassNameA.toString() );
	
	lpClassNameA.free();

	return true;
}

function main(  )
{
	var lpEnumFunc = ffi.thunk( enumRoutine , "BOOL CALLBACK EnumWindowsProc(_In_ HWND   hwnd,_In_ LPARAM lParam);"   );

	fnEnumWindows( lpEnumFunc  , 0 );

	lpEnumFunc.free();
	
	return 0;
}

if ( !module.parent )
{
	main();
}

and you will got

0x0001014A -> ForegroundStaging|
0x00010176 -> ForegroundStaging|
0x000100FC -> tooltips_class32|
0x00010100 -> tooltips_class32|
0x002F0A7E -> Net UI Tool Window|
0x01840922 -> Net UI Tool Window|
0x02A50EF4 -> tooltips_class32|
0x016D0E1A -> UIRibbonStdCompMgr|
0x02A00DCC -> tooltips_class32|
0x010C0DA4 -> tooltips_class32|
0x00890D2E -> tooltips_class32|
0x0001041A -> Chrome_SystemMessageWindow|
0x00010414 -> Base_PowerMessageWindow|
0x00010180 -> IME|
0x00010148 -> IME|
0x0001011C -> IME|
0x02630B5A -> IME|
0x015A074C -> IME|
..........

history

JSRT project had two version ,

  • the pre-version is self use , not-published , it was written between 2015-07 ~ 2016-09
  • the current version is going to public release , support some compatible to other bindings.

the pre-version is used for kernel fuzz ( self use , not-published)

javascript kernel fuzz

About

javascript runtime ( JSRT ) project for windows , based on chakra

github.com/tinysec/jsrt

Topics

javascript windows js runtime chakra jsrt javascript-runtime kernel-fuzz

Resources

Readme

License

BSD-3-Clause license

Stars

62 stars

Watchers

10 watching

Forks

22 forks

Releases

No releases published

Packages

No packages published

Languages