Abstract |
PURPOSE: Methods for automatically decrypting obfuscated JavaScript based on a hooking scheme and for detecting malicious web sites are provided, to increase the detection rate and reduce the occurrence of errors. CONSTITUTION: Hypertext Markup Language (HTML) documents containing obfuscated JavaScript code are input (S100). An inline hooking scheme is applied to the evaluation function of jscript.dll and the element.appendChild function of mshtml.dll (S110). The presence of hidden iframe code is checked in the hooking result (S120). A web server hosting the HTML documents is detected as a malicious code waypoint (S130). The source address of the hidden iframe code is executed in a browser under a CoCreateInstance function hooking scheme (S140). The creation of ActiveX objects is confirmed (S150). |
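
A script-level analogue of steps S100 to S120, as an added example that is not code from the patent: the patent hooks the native jscript.dll and mshtml.dll functions inline, whereas this sketch replaces `eval` and `appendChild` inside a Node.js `vm` context with a stub DOM. The function names, the definition of "hidden" and the sample script with its `.example` addresses are assumptions constructed for illustration.

```javascript
const vm = require('vm');

// Run `script` against a stub DOM; record what reaches eval and appendChild.
// Node's vm is not a security boundary: analyse real samples in a disposable VM.
function captureHooks(script) {
  const captured = [];
  const makeEl = (tag) => ({
    tagName: String(tag).toUpperCase(), style: {}, attrs: {},
    setAttribute(k, v) { this.attrs[String(k).toLowerCase()] = String(v); },
    appendChild(child) { captured.push({ hook: 'appendChild', el: child }); return child; },
  });
  const sandbox = {
    document: { createElement: makeEl, body: makeEl('body') },
    // Hooked eval: log the decoded source, then run it in the same context.
    eval: (src) => {
      captured.push({ hook: 'eval', src: String(src) });
      return vm.runInContext(String(src), ctx);
    },
  };
  const ctx = vm.createContext(sandbox);
  vm.runInContext(script, ctx, { timeout: 1000 });
  return captured;
}

// Assumed definition of "hidden": zero width or height, display:none or visibility:hidden.
function isHiddenIframe(el) {
  if (!el || el.tagName !== 'IFRAME') return false;
  const attr = (k) => (el[k] !== undefined ? el[k] : el.attrs[k]);
  const zero = (v) => v !== undefined && parseInt(v, 10) === 0;
  return zero(attr('width')) || zero(attr('height')) ||
    el.style.display === 'none' || el.style.visibility === 'hidden';
}

// Source addresses of hidden iframes appended while the script ran.
function hiddenIframeSources(script) {
  return captureHooks(script)
    .filter((c) => c.hook === 'appendChild' && isHiddenIframe(c.el))
    .map((c) => (c.el.src !== undefined ? c.el.src : c.el.attrs.src));
}

// Constructed sample: the payload is stored reversed and only decoded at eval time.
const PAYLOAD = "var f=document.createElement('iframe');f.src='http://waypoint.example/';" +
  "f.width=0;f.height=0;document.body.appendChild(f);";
const SAMPLE = 'eval(' + JSON.stringify([...PAYLOAD].reverse().join('')) +
  ".split('').reverse().join(''));";
const VISIBLE = "var g=document.createElement('iframe');g.src='http://ok.example/';" +
  "g.width=300;g.height=200;document.body.appendChild(g);";

console.log(hiddenIframeSources(SAMPLE), hiddenIframeSources(VISIBLE));
```

The `eval` hook sees the decoded payload even though the page source never contains the word `iframe` in readable form, which is why the check runs on the hooking result and not on the raw HTML.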