AV detection (issue #27)


Angelo Dell'Aera

Mar 26, 2010, 12:35:56 PM
to pho...@googlegroups.com

I was playing with AV detection code (issue #27) but I fear there's no easy
solution about it because it seems to me onerror handler is absolutely
ignored. Moreover while playing, I realized a strange thing. I tried
removing Image() declaration in PageParser.py (see below)

buffer@alnitak ~/phoneyc/DOM $ svn diff
Index: PageParser.py
=============================
--- PageParser.py (revision 1551)
+++ PageParser.py (working copy)
@@ -18,7 +18,6 @@
self.script = """
window.eval = eval;
function CollectGarbage() {};
- function Image() {};
[..]

and modified the script posted in issue #27 this way

[..]

for (i = 0; i< jc_list.length; i++) {
ischeck = 1;
alert(Image);
x = Image();

[..]

and executed it

buffer@alnitak ~/phoneyc $ python phoneyc.py -v file://AV.html
[ALERT] <class 'DOM.Window.Image'>
Traceback (most recent call last):
  File "/home/buffer/phoneyc/DOM/PageParser.py", line 184, in end_script
    self.__last_try(traceback.format_exc())
  File "/home/buffer/phoneyc/DOM/PageParser.py", line 179, in end_script
    self.__dict__['__window'].__dict__['__cx'].execute(self.script+';') # execute script here
  File "<JavaScript>", line 25, in Error: Failed to construct object.
TypeError: __init__() takes at least 3 arguments (1 given)

The alert shows the object is still there and it requires 3 arguments. I
investigated this result. Trying to add two random arguments to the Image
instance

x = new Image(1, 2);

and showing x.src and the function result it seems to work.

buffer@alnitak ~/phoneyc $ python phoneyc.py -v file://AV.html
[ALERT] <class 'DOM.Window.Image'>
[ALERT] res://C:\Program%20Files\Rising\Rav\rssafety.exe/PNG/123
[ALERT] 1

Seems the problem lies here...

 71         for clsname in dataetc.classlist:
 72             exec 'class ' + clsname + '(DOMObject):\n\t'\
 73                     + '\t' + 'def __init__(self, window,clsname,parser= None):\n\t'\
 74                     + '\t\t' + 'self.tagName ="'+dataetc.classtotag(clsname) + '"'
 75             exec 'context.add_global("' + clsname + '",' + clsname + ')'

since in our case it translates to

class Image(DOMObject):
    def __init__(self, window, clsname, parser = None):
        self.tagName = 'img'

and this breaks Javascript instantiation. Maybe it's worth avoiding code
lines 71-75 defining a class for each dataetc.classlist but I have no clear
idea about how to solve such issue.

Ideas?

--

Angelo Dell'Aera 'buffer'
Antifork Research, Inc. http://buffer.antifork.org
Metro Olografix

AV.html

Joyan

Mar 29, 2010, 4:40:15 AM
to pho...@googlegroups.com
Well done Angelo! This is exactly what I meant in my comment 2 of issue
27 (details of my experiments are appended to this mail), and now you
discovered its root cause. :)

I made a simple bugfix of this issue (revision 1555), but it's very
naive and didn't fix the bug from its root cause. Actually I think the code

 71         for clsname in dataetc.classlist:
 72             exec 'class ' + clsname + '(DOMObject):\n\t'\
 73                     + '\t' + 'def __init__(self, window,clsname,parser= None):\n\t'\
 74                     + '\t\t' + 'self.tagName ="'+dataetc.classtotag(clsname) + '"'
 75             exec 'context.add_global("' + clsname + '",' + clsname + ')'

is wrong. Most of the DOM objects in the JS context are instantiated
without any arguments, I think (and I'll confirm it by experiments).
Thus those classes should have an __init__ method with no arguments.

Following this idea, I tried to revise this code snippet by eliminating
its arguments, but this solution raises new problems: the instantiation of
DOMObject classes needs 3 arguments, but I can't find any reference to
the current window object when I'm in the Image class... Any ideas to
get the window object from within the __init__ method of Image class?

Regards,
Zhijie

PS: Details of my experiments days ago:

When I made the following modification:

Index: DOM/PageParser.py
===================================================================
--- DOM/PageParser.py (revision 1554)
+++ DOM/PageParser.py (working copy)


@@ -18,7 +18,6 @@
self.script = """
window.eval = eval;
function CollectGarbage() {};
- function Image() {};

function quit() {};
function prompt() {};
"""
Index: DOM/Window.py
===================================================================
--- DOM/Window.py (revision 1554)
+++ DOM/Window.py (working copy)
@@ -18,6 +18,11 @@
if config.verboselevel >= config.VERBOSE_ALERT:
print '[ALERT] '+x

+class Image(object):
+ def __init__(self):
+ config.VERBOSE(config.VERBOSE_DEBUG, "[DEBUG] in Window.py: New
Image() object.")
+
+
class Window(object):
def __init__(self, root, url, referrer = False):
self.__dict__['__root'] = root
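Review bot: the added Image.__init__(self) accepts no constructor arguments, so a script that calls new Image(1, 2), the form tested earlier in this thread, would fail with a different arity error. Accept optional width and height, for example def __init__(self, width=None, height=None). The class is also defined at module level with no reference to the owning Window, so it cannot be a DOMObject without further changes.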
@@ -61,6 +66,7 @@
context.add_global("setInterval" , self.setInterval)
context.add_global("SetInterval" , self.setInterval)
context.add_global("ActiveXObject", ActiveXObject)
+ context.add_global("Image", Image)
context.add_global("navigator" , Navigator())
context.add_global("screen" , unknown())
context.add_global("eval" , self.eval)
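Review bot: context.add_global("Image", Image) in this hunk is registered ahead of the "for clsname in dataetc.classlist" loop quoted earlier at lines 71-75, and that loop calls context.add_global again for each class name. If Image is still in dataetc.classlist, the generated three-argument class replaces this binding, which would match the unchanged TypeError reported below. Register Image after the loop, or drop it from the list.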


and run it on this av-detection snippet, I got the following error:


Traceback (most recent call last):
  File "/home/joyan/code/phoneyc-all/trunk/DOM/PageParser.py", line 184, in end_script
    self.__last_try(traceback.format_exc())
  File "/home/joyan/code/phoneyc-all/trunk/DOM/PageParser.py", line 179, in end_script
    self.__dict__['__window'].__dict__['__cx'].execute(self.script+';') # execute script here
  File "<JavaScript>", line 13, in Error: Failed to construct object.
TypeError: __init__() takes at least 3 arguments (1 given)

And if I made the following modification:

Index: DOM/PageParser.py
===================================================================
--- DOM/PageParser.py (revision 1554)
+++ DOM/PageParser.py (working copy)
@@ -16,11 +16,6 @@
self.current = 0
self.text = ''
self.script = """
- window.eval = eval;
- function CollectGarbage() {};
- function Image() {};
- function quit() {};
- function prompt() {};
"""
self.in_Script = False
self.endearly = False # for some cases, such as location is
changed, the parser will stop early.
Index: DOM/Window.py
===================================================================
--- DOM/Window.py (revision 1554)
+++ DOM/Window.py (working copy)
@@ -67,6 +67,11 @@

context.execute("Event = function(){}")

+ context.execute("function CollectGarbage() {};")
+ context.execute("function Image() {};")
+ context.execute("function quit() {};")
+ context.execute("function prompt() {};")
+
for clsname in dataetc.classlist:


exec 'class ' + clsname + '(DOMObject):\n\t'\

+ '\t' + 'def __init__(self, window, clsname,
parser = None):\n\t'\
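Review bot: the four context.execute("function ...") stubs are added directly above "for clsname in dataetc.classlist:", so the loop runs after them and its add_global call can rebind Image to the generated class, hiding the stub function Image() {};. Move the stubs below the loop, or exclude those names from the list, if the JavaScript definitions are meant to win.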
@@ -76,6 +81,7 @@
self.__dict__['__cx'] = context
self.__dict__['__sl'] = []
self.__dict__['__fl'] = [document]
+ context.execute("window.eval = eval;")

def __init_html(self):
scheme = self.__dict__['__scheme']


The run on av-detection code raises error like this (seems it's the same
error):

Traceback (most recent call last):
  File "/home/joyan/code/phoneyc-all/trunk/DOM/PageParser.py", line 180, in end_script
    self.__last_try(traceback.format_exc())
  File "/home/joyan/code/phoneyc-all/trunk/DOM/PageParser.py", line 175, in end_script
    self.__dict__['__window'].__dict__['__cx'].execute(self.script+';') # execute script here
  File "<JavaScript>", line 9, in Error: Failed to construct object.
TypeError: __init__() takes at least 3 arguments (1 given)

Angelo Dell'Aera

Mar 30, 2010, 2:39:11 PM
to pho...@googlegroups.com

I'm replying directly from holidays so no guarantee about what I write :))


On Mon, Mar 29, 2010 at 9:40 AM, Joyan <joy...@gmail.com> wrote:
> Well done Angelo! This is exactly what I meant in my comment 2 of issue 27
> (details of my experiments are appended to this mail), and now you discovered its root cause. :)
>
> I made a simple bugfix of this issue (revision 1555), but it's very naive and didn't fix the bug from its root cause. Actually I think the code
>
>  71         for clsname in dataetc.classlist:
>  72             exec 'class ' + clsname + '(DOMObject):\n\t'\
>  73                     + '\t' + 'def __init__(self, window,clsname,parser= None):\n\t'\
>  74                     + '\t\t' + 'self.tagName ="'+dataetc.classtotag(clsname) + '"'
>  75             exec 'context.add_global("' + clsname + '",' + clsname + ')'
>
> is wrong. Most of the DOM objects in the JS context are instantiated without any arguments, I think (and I'll confirm it by experiments). Thus those classes should have an __init__ method with no arguments.


This is the same idea I thought about the new DOM objects __init__ method but I think doing it in a "dynamic" manner the same way the code is currently doing is quite hard...

 
> Following this idea, I tried to revise this code snippet by eliminating its arguments, but this solution raises new problems: the instantiation of DOMObject classes needs 3 arguments, but I can't find any reference to the current window object when I'm in the Image class... Any ideas to get the window object from within the __init__ method of Image class?

My idea is to avoid dynamic declaration at all by simply declaring Image (and other Window objects) as a
Window object attribute. It should lead to both a clear design and the possibility to easily refer to the
Window object which it belongs to. I'm writing this email on my sister's computer which is not exactly a
perfect environment for testing so I think I will test it on the next Monday :)



This error is due to how Image object is instantiated. This code

 71         for clsname in dataetc.classlist:
 72             exec 'class ' + clsname + '(DOMObject):\n\t'\
 73                     + '\t' + 'def __init__(self, window,clsname,parser= None):\n\t'\
 74                     + '\t\t' + 'self.tagName ="'+dataetc.classtotag(clsname) + '"'
 75             exec 'context.add_global("' + clsname + '",' + clsname + ')'

turns to


class Image(DOMObject):
    def __init__(self, window, clsname, parser=None):
        self.tagName = 'img'

In order to avoid such object declaration (and the errors... take a look at how many arguments it complains to require)
you need to remove Image from dataetc.classlist.

Ciao,
Angelo
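
Added example, not PhoneyC code and not written by either poster: one way to bind Image to its Window, as discussed in this thread, using a closure instead of exec-built class strings. DOMObject, Window, CLASS_TO_TAG and make_dom_class are simplified stand-ins, and it assumes the JavaScript bridge passes only the script's own arguments to the Python constructor.

```python
# Hypothetical stand-ins for illustration; none of these are PhoneyC's real classes.
CLASS_TO_TAG = {"Image": "img", "Option": "option"}  # constructed sample class list


class DOMObject(object):
    def __init__(self, window, tag_name, parser=None):
        self.window = window
        self.tagName = tag_name
        self.parser = parser


def make_dom_class(window, clsname, tag_name):
    """Build a DOMObject subclass whose constructor takes only script-supplied args."""

    def __init__(self, *script_args):
        # window and tag_name come from the closure, so both `new Image()` and
        # `new Image(1, 2)` can be served without the script knowing about them.
        DOMObject.__init__(self, window, tag_name)
        self.script_args = script_args
        window.created.append(self)  # keep a record of what the page instantiated

    return type(clsname, (DOMObject,), {"__init__": __init__})


class Window(object):
    def __init__(self):
        self.created = []   # objects instantiated by scripts, for later analysis
        self.globals = {}   # stand-in for context.add_global(name, value)
        for clsname, tag_name in CLASS_TO_TAG.items():
            cls = make_dom_class(self, clsname, tag_name)
            setattr(self, clsname, cls)   # the class is a Window attribute
            self.globals[clsname] = cls   # and the JS-visible global


def probe():
    """Instantiate Image the two ways the thread tried and return the results."""
    win = Window()
    image_cls = win.globals["Image"]
    no_args = image_cls()        # corresponds to `new Image()`
    two_args = image_cls(1, 2)   # corresponds to `new Image(1, 2)`
    return win, no_args, two_args


if __name__ == "__main__":
    win, a, b = probe()
    print(type(a).__name__, a.tagName, b.script_args, len(win.created))
```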
 
