This directory contains all the detection logic for identifying different types of JavaScript obfuscation. Each detector is a self-contained module that analyzes the AST (Abstract Syntax Tree) of JavaScript code for patterns characteristic of a specific obfuscation technique.
Detectors are modular and easy to extend.
| Detector Name | What It Detects | Implementation File |
|---|---|---|
| Array Replacements | Large arrays of strings used as lookup tables | arrayReplacements.js |
| Augmented Array Replacements | Array replacements with IIFE wrappers | augmentedArrayReplacements.js |
| Array Function Replacements | Functions that return values from obfuscated arrays | arrayFunctionReplacements.js |
| Augmented Array Function Replacements | Array function replacements with IIFE wrappers | augmentedArrayFunctionReplacements.js |
| Augmented Proxied Array Function Replacements | Obfuscation using proxies and function arrays | augmentedProxiedArrayFunctionReplacements.js |
| Function To Array Replacements | Variables assigned to function calls, used as objects | functionToArrayReplacements.js |
| Obfuscator.io | Patterns from the obfuscator.io tool | obfuscatorIo.js |
| Caesar Plus | Caesar cipher-like obfuscation with 3-letter IDs | caesarPlus.js |
- File: arrayReplacements.js
- Description: Detects large arrays of strings used as lookup tables for obfuscated code.
- File: augmentedArrayReplacements.js
- Description: Like array replacements, but the array is passed to an IIFE (Immediately Invoked Function Expression).
- File: arrayFunctionReplacements.js
- Description: Detects functions that return values from an obfuscated array, often used to hide string literals.
- File: augmentedArrayFunctionReplacements.js
- Description: Like array function replacements, but with IIFE wrappers for added obfuscation.
- File: augmentedProxiedArrayFunctionReplacements.js
- Description: Uses proxies and function arrays to further complicate deobfuscation.
- File: functionToArrayReplacements.js
- Description: Variables assigned to function calls, then used as objects of member expressions.
- File: obfuscatorIo.js
- Description: Detects patterns generated by the obfuscator.io tool, including debug protection and trap functions.
- Example: See the detailed explanation and code sample below.
- File: caesarPlus.js
- Description: Detects Caesar cipher-like obfuscation, typically with 3-letter function names and specific identifier usage.
- Create a new file in this directory, e.g., `myNewDetector.js`.
- Export a function named `detectMyNewDetector` that takes the AST (`flatTree`) as input and returns the obfuscation name (or `''` if not detected).
- Add your detector to `index.js` using `export * from './myNewDetector.js';`.
- Document your detector in this README (add a row to the table above and a short description).
- Add tests in the `tests/` directory to ensure your detector works as expected.
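
The steps above, as an added example that is not the project's own code: a hypothetical `detectMyNewDetector` that flags a string array used as a lookup table. It assumes `flatTree` is a flat array of ESTree-style nodes; the returned name `my_new_detector`, both thresholds and the sample trees are constructed for illustration.

```javascript
// Added example: hypothetical detector, not code from the project.
// Assumption: flatTree is a flat array of ESTree-style nodes.
const MIN_STRINGS = 4; // assumed threshold: smallest array treated as a table
const MIN_LOOKUPS = 3; // assumed threshold: indexed reads needed to flag it

// In myNewDetector.js this function would be exported so index.js can re-export it.
function detectMyNewDetector(flatTree) {
  // Candidate tables: `var x = ['a', 'b', ...]` holding only string literals.
  // `e?.type` also rejects array holes (null elements).
  const tables = flatTree.filter(n =>
    n.type === 'VariableDeclarator' &&
    n.id?.type === 'Identifier' &&
    n.init?.type === 'ArrayExpression' &&
    n.init.elements.length >= MIN_STRINGS &&
    n.init.elements.every(e => e?.type === 'Literal' && typeof e.value === 'string'));

  for (const table of tables) {
    // Count computed numeric reads of the table, e.g. x[2].
    const lookups = flatTree.filter(n =>
      n.type === 'MemberExpression' && n.computed &&
      n.object?.type === 'Identifier' && n.object.name === table.id.name &&
      n.property?.type === 'Literal' && typeof n.property.value === 'number').length;
    if (lookups >= MIN_LOOKUPS) return 'my_new_detector';
  }
  return ''; // not detected
}

// Constructed sample input: hand-built nodes standing in for a parsed script.
const lit = value => ({ type: 'Literal', value });
const ident = name => ({ type: 'Identifier', name });
const tableDecl = (name, strings) => ({
  type: 'VariableDeclarator',
  id: ident(name),
  init: { type: 'ArrayExpression', elements: strings.map(lit) },
});
const lookup = (name, index) => ({
  type: 'MemberExpression', computed: true, object: ident(name), property: lit(index),
});

const obfuscatedTree = [
  tableDecl('_0x1a', ['log', 'hello', 'length', 'push']),
  lookup('_0x1a', 0), lookup('_0x1a', 1), lookup('_0x1a', 3),
];
// Ordinary code: same array shape, but only one indexed read.
const benignTree = [tableDecl('colors', ['red', 'green', 'blue', 'grey']), lookup('colors', 0)];

console.log(JSON.stringify(detectMyNewDetector(obfuscatedTree)));
console.log(JSON.stringify(detectMyNewDetector(benignTree)));
```

The benign tree is the kind of case worth putting in `tests/`: a detector that matches on array shape alone would flag ordinary configuration arrays.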
For questions or contributions, see the main README and CONTRIBUTING.md.