-
Notifications
You must be signed in to change notification settings - Fork 86
/
Copy pathflags.json
321 lines (320 loc) · 12.2 KB
/
flags.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
{
"run": [
{
"name": "help",
"alias": "h",
"type": "Boolean",
"description": "Show the help text and quit"
},
{
"name": "version",
"alias": "v",
"type": "Boolean",
"description": "Show the package version and quit"
},
{
"name": "license",
"type": "Boolean",
"description": "Show the license and quit"
},
{
"name": "debug",
"type": "Boolean",
"description": "Die when an emulation error occurs, even in \"batch mode\", and pass on the exit code."
},
{
"name": "loglevel",
"type": "String",
"description": "Logging level (debug, verbose, info, warning, error - default \"info\")"
},
{
"name": "threads",
"type": "Number",
"description": "When running in batch mode, how many analyses to run at the same time (0 = unlimited, default: as many as the number of CPU cores)"
},
{
"name": "download",
"type": "Boolean",
"description": "Actually download the payloads"
},
{
"name": "encoding",
"type": "String",
"description": "Encoding of the input sample (will be automatically detected by default)"
},
{
"name": "timeout",
"type": "Number",
"description": "The script will timeout after this many seconds (default 10)"
},
{
"name": "output-dir",
"type": "String",
"description": "The location on disk to write the results files and folders to (defaults to the current directory)"
},
{
"name": "preprocess",
"type": "Boolean",
"description": "Preprocess the original source code (makes reverse engineering easier, but takes a few seconds)"
},
{
"name": "unsafe-preprocess",
"type": "Boolean",
"description": "More aggressive preprocessing. Often results in better code, but can break on some edge cases (eg. redefining prototypes)"
},
{
"name": "prepended-code",
"type": "String",
"description": "Input file or directory containing code that should be prepended to the JS file(s) we're analyzing. If directory is given, prepends contents of all files in the directory. If 'default' is given use the default boilerplate.js that comes with box-js. if 'show-default' is given just print path of boilerplate.js and exit (useful if you want to copy and modify default boilerplate code)."
},
{
"name": "fake-script-engine",
"type": "String",
"description": "The script engine to report in WScript.FullName and WScript.Name (ex. 'cscript.exe', 'wscript.exe', or 'node'). Default is wscript.exe."
},
{
"name": "fake-cl-args",
"type": "String",
"description": "Fake script command line arguments. In the string these should be comma separated."
},
{
"name": "fake-sample-name",
"type": "String",
"description": "Fake file name to use for the sample being analyzed. Can be a full path or just the file name to use. If you have '\\' in the path escape them as '\\\\' in this command line argument value (ex. --fake-sample-name=C:\\\\foo\\\\bar.js)."
},
{
"name": "fake-language",
"type": "String",
"description": "Specify the language code to return for Win32_OperatingSystem.OSLanguage. Supported values are 'spanish', 'english', and 'portuguese'."
},
{
"name": "fake-domain",
"type": "String",
"description": "Specify the user domain to return for WScript.Network.UserDomain."
},
{
"name": "fake-download",
"type": "Boolean",
"description": "Fake that HTTP requests work and have them return a fake payload"
},
{
"name": "no-kill",
"type": "Boolean",
"description": "Do not kill the application when runtime errors occur"
},
{
"name": "no-echo",
"type": "Boolean",
"description": "When the script prints data, do not print it to the console"
},
{
"name": "no-rewrite",
"type": "Boolean",
"description": "Do not rewrite the source code at all, other than for `@cc_on` support"
},
{
"name": "no-catch-rewrite",
"type": "Boolean",
"description": "Do not rewrite try..catch clauses to make the exception global-scoped"
},
{
"name": "no-cc_on-rewrite",
"type": "Boolean",
"description": "Do not rewrite `/*@cc_on <...>@*/` to `<...>`"
},
{
"name": "no-eval-rewrite",
"type": "Boolean",
"description": "Do not rewrite `eval` so that its argument is rewritten"
},
{
"name": "no-file-exists",
"type": "Boolean",
"description": "Return `false` for Scripting.FileSystemObject.FileExists(x)"
},
{
"name": "limit-file-checks",
"type": "Boolean",
"description": "Switch default value for folder/file exists checks if many checks are performed (try to break infinite file check loops)."
},
{
"name": "no-folder-exists",
"type": "Boolean",
"description": "Return `false` for Scripting.FileSystemObject.FileExists(x)"
},
{
"name": "function-rewrite",
"type": "Boolean",
"description": "Rewrite function calls in order to catch eval calls"
},
{
"name": "no-rewrite-prototype",
"type": "Boolean",
"description": "Do not rewrite expressions like `function A.prototype.B()` as `A.prototype.B = function()`"
},
{
"name": "no-hoist-prototype",
"type": "Boolean",
"description": "Do not hoist expressions like `function A.prototype.B()` (implied by no-rewrite-prototype)"
},
{
"name": "no-shell-error",
"type": "Boolean",
"description": "Do not throw a fake error when executing `WScriptShell.Run` (it throws a fake error by default to pretend that the distribution sites are down, so that the script will attempt to poll every site)"
},
{
"name": "no-typeof-rewrite",
"type": "Boolean",
"description": "Do not rewrite `typeof` (e.g. `typeof ActiveXObject`, which must return 'unknown' in the JScript standard and not 'object')"
},
{
"name": "proxy",
"type": "String",
"description": "[experimental] Use the specified proxy for downloads. This is not relevant if the --download flag is not present."
},
{
"name": "windows-xp",
"type": "Boolean",
"description": "Emulate Windows XP (influences the value of environment variables)"
},
{
"name": "dangerous-vm",
"type": "Boolean",
"description": "Use the `vm` module, rather than `vm2`. This sandbox can be broken, so **don't use this** unless you're 100% sure of what you're doing. Helps with debugging by giving correct stack traces."
},
{
"name": "rewrite-loops",
"type": "Boolean",
"description": "Rewrite some types of loops to make analysis faster"
},
{
"name": "throttle-writes",
"type": "Boolean",
"description": "Throttle reporting and data tracking of file writes that write a LOT of data"
},
{
"name": "throttle-commands",
"type": "Boolean",
"description": "Stop the analysis if a LOT of the same commands have been run"
},
{
"name": "extract-conditional-code",
"type": "Boolean",
"description": "Pull the actual code to analyze from JScript conditional comments (/*@if(...)."
},
{
"name": "loose-script-name",
"type": "Boolean",
"description": "Rewrite == checks so that comparisons of the current script name to a hard coded script name always return true."
},
{
"name": "real-script-name",
"type": "Boolean",
"description": "Return the real file name of the currently analyzed script rather than a fake name."
},
{
"name": "activex-as-ioc",
"type": "Boolean",
"description": "Logs All ActiveX calls as IOC's and tries to determine if the call is obfuscated in the JS source."
},
{
"name": "ignore-wscript-quit",
"type": "Boolean",
"description": "Ignore calls to WSCript.Quit() and continue execution."
},
{
"name": "ignore-rewrite-errors",
"type": "Boolean",
"description": "Analyze original sample if any sample rewrites fail."
}
],
"export": [
{
"name": "help",
"alias": "h",
"type": "Boolean",
"description": "Show the help text and quit"
},
{
"name": "version",
"alias": "v",
"type": "Boolean",
"description": "Show the package version and quit"
},
{
"name": "license",
"type": "Boolean",
"description": "Show the license and quit"
},
{
"name": "loglevel",
"type": "String",
"description": "Logging level (debug, verbose, info, warning, error - default \"info\")"
},
{
"name": "cuckoo-address",
"type": "String",
"description": "Address of the Cuckoo API (format: host:port, eg. localhost:8000)"
},
{
"name": "cuckoo-all-files",
"type": "Boolean",
"description": "Submit all files written to disk to a Cuckoo sandbox"
},
{
"name": "cuckoo-executables",
"type": "Boolean",
"description": "Submit all executables written to disk to a Cuckoo sandbox. Has no effect when used with --cuckoo-all-files."
},
{
"name": "cuckoo-urls",
"type": "Boolean",
"description": "Submit URLs to a Cuckoo sandbox"
},
{
"name": "malwr-key",
"type": "String",
"description": "Malwr API key"
},
{
"name": "malwr-all-files",
"type": "Boolean",
"description": "Submit all files written to disk to Malwr"
},
{
"name": "malwr-executables",
"type": "Boolean",
"description": "Submit all executables written to disk to Malwr. Has no effect when used with --malwr-all-files."
},
{
"name": "malwr-private",
"type": "Boolean",
"description": "Mark Malwr samples as private (not to be shared with the community)"
},
{
"name": "vt-key",
"type": "String",
"description": "VirusTotal API key"
},
{
"name": "vt-all-files",
"type": "Boolean",
"description": "Submit all files written to disk to VirusTotal"
},
{
"name": "vt-executables",
"type": "Boolean",
"description": "Submit all executables written to disk to VirusTotal. Has no effect when used with --vt-all-files."
},
{
"name": "vt-rate-limit",
"type": "Number",
"description": "Rate limit (in requests per minute) against the VirusTotal API (default 4)"
},
{
"name": "vt-urls",
"type": "Boolean",
"description": "Submit URLs to VirusTotal"
}
]
}