@jshookmcp/jshook 0.1.6 → 0.1.8

package/dist/native/scripts/windows/enum-windows.ps1

@@ -1,44 +1,44 @@
-param(
-    [int]$TargetPid
-)
-
-Add-Type @"
-  using System;
-  using System.Runtime.InteropServices;
-  public class Win32 {
-    [DllImport("user32.dll")] public static extern IntPtr FindWindowEx(IntPtr parent, IntPtr childAfter, string className, string title);
-    [DllImport("user32.dll")] public static extern int GetWindowThreadProcessId(IntPtr hWnd, out int pid);
-    [DllImport("user32.dll")] public static extern int GetWindowText(IntPtr hWnd, System.Text.StringBuilder text, int count);
-    [DllImport("user32.dll")] public static extern int GetClassName(IntPtr hWnd, System.Text.StringBuilder className, int maxCount);
-    [DllImport("user32.dll")] public static extern bool GetWindowRect(IntPtr hWnd, out RECT rect);
-    [StructLayout(LayoutKind.Sequential)] public struct RECT { public int Left, Top, Right, Bottom; }
-  }
-"@
-
-$windows = @()
-$hwnd = [IntPtr]::Zero
-while ($true) {
-  $hwnd = [Win32]::FindWindowEx([IntPtr]::Zero, $hwnd, $null, $null)
-  if ($hwnd -eq [IntPtr]::Zero) { break }
-  $windowPid = 0
-  [Win32]::GetWindowThreadProcessId($hwnd, [ref]$windowPid) | Out-Null
-  if ($windowPid -eq $TargetPid) {
-    $title = New-Object System.Text.StringBuilder 256
-    $className = New-Object System.Text.StringBuilder 256
-    [Win32]::GetWindowText($hwnd, $title, 256) | Out-Null
-    [Win32]::GetClassName($hwnd, $className, 256) | Out-Null
-    $rect = New-Object Win32+RECT
-    [Win32]::GetWindowRect($hwnd, [ref]$rect) | Out-Null
-    $windows += @{
-      Handle = $hwnd.ToString()
-      Title = $title.ToString()
-      ClassName = $className.ToString()
-      ProcessId = $windowPid
-      Left = $rect.Left
-      Top = $rect.Top
-      Right = $rect.Right
-      Bottom = $rect.Bottom
-    }
-  }
-}
-$windows | ConvertTo-Json -Compress
+param(
+    [int]$TargetPid
+)
+
+Add-Type @"
+  using System;
+  using System.Runtime.InteropServices;
+  public class Win32 {
+    [DllImport("user32.dll")] public static extern IntPtr FindWindowEx(IntPtr parent, IntPtr childAfter, string className, string title);
+    [DllImport("user32.dll")] public static extern int GetWindowThreadProcessId(IntPtr hWnd, out int pid);
+    [DllImport("user32.dll")] public static extern int GetWindowText(IntPtr hWnd, System.Text.StringBuilder text, int count);
+    [DllImport("user32.dll")] public static extern int GetClassName(IntPtr hWnd, System.Text.StringBuilder className, int maxCount);
+    [DllImport("user32.dll")] public static extern bool GetWindowRect(IntPtr hWnd, out RECT rect);
+    [StructLayout(LayoutKind.Sequential)] public struct RECT { public int Left, Top, Right, Bottom; }
+  }
+"@
+
+$windows = @()
+$hwnd = [IntPtr]::Zero
+while ($true) {
+  $hwnd = [Win32]::FindWindowEx([IntPtr]::Zero, $hwnd, $null, $null)
+  if ($hwnd -eq [IntPtr]::Zero) { break }
+  $windowPid = 0
+  [Win32]::GetWindowThreadProcessId($hwnd, [ref]$windowPid) | Out-Null
+  if ($windowPid -eq $TargetPid) {
+    $title = New-Object System.Text.StringBuilder 256
+    $className = New-Object System.Text.StringBuilder 256
+    [Win32]::GetWindowText($hwnd, $title, 256) | Out-Null
+    [Win32]::GetClassName($hwnd, $className, 256) | Out-Null
+    $rect = New-Object Win32+RECT
+    [Win32]::GetWindowRect($hwnd, [ref]$rect) | Out-Null
+    $windows += @{
+      Handle = $hwnd.ToString()
+      Title = $title.ToString()
+      ClassName = $className.ToString()
+      ProcessId = $windowPid
+      Left = $rect.Left
+      Top = $rect.Top
+      Right = $rect.Right
+      Bottom = $rect.Bottom
+    }
+  }
+}
+$windows | ConvertTo-Json -Compress

package/dist/native/scripts/windows/inject-dll.ps1

@@ -1,21 +1,21 @@
-param(
-    [int]$TargetPid,
-    [string]$DllPath
-)
-
-Add-Type @"
-  using System;
-  using System.Runtime.InteropServices;
-  public class Injector {
-    [DllImport("kernel32.dll")] public static extern IntPtr OpenProcess(int access, bool inherit, int pid);
-    [DllImport("kernel32.dll")] public static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr addr, int size, int alloc, int protect);
-    [DllImport("kernel32.dll")] public static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr addr, byte[] buffer, int size, out int written);
-    [DllImport("kernel32.dll")] public static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr attr, int stack, IntPtr start, IntPtr param, int flags, out int threadId);
-    [DllImport("kernel32.dll")] public static extern IntPtr GetModuleHandle(string name);
-    [DllImport("kernel32.dll")] public static extern IntPtr GetProcAddress(IntPtr hModule, string name);
-    [DllImport("kernel32.dll")] public static extern bool CloseHandle(IntPtr handle);
-  }
-"@
-
-# Injection requires elevated privileges and is disabled for safety
-Write-Output "DLL injection is disabled for safety in this implementation. PID: $TargetPid, DLL: $DllPath"
+param(
+    [int]$TargetPid,
+    [string]$DllPath
+)
+
+Add-Type @"
+  using System;
+  using System.Runtime.InteropServices;
+  public class Injector {
+    [DllImport("kernel32.dll")] public static extern IntPtr OpenProcess(int access, bool inherit, int pid);
+    [DllImport("kernel32.dll")] public static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr addr, int size, int alloc, int protect);
+    [DllImport("kernel32.dll")] public static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr addr, byte[] buffer, int size, out int written);
+    [DllImport("kernel32.dll")] public static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr attr, int stack, IntPtr start, IntPtr param, int flags, out int threadId);
+    [DllImport("kernel32.dll")] public static extern IntPtr GetModuleHandle(string name);
+    [DllImport("kernel32.dll")] public static extern IntPtr GetProcAddress(IntPtr hModule, string name);
+    [DllImport("kernel32.dll")] public static extern bool CloseHandle(IntPtr handle);
+  }
+"@
+
+# Injection requires elevated privileges and is disabled for safety
+Write-Output "DLL injection is disabled for safety in this implementation. PID: $TargetPid, DLL: $DllPath"

package/dist/server/domains/analysis/definitions.js

@@ -138,7 +138,7 @@ export const coreTools = [
     },
     {
         name: 'deobfuscate',
-        description: 'Run LLM-assisted JavaScript deobfuscation.',
+        description: 'Run webcrack-powered JavaScript deobfuscation with bundle unpacking support.',
         inputSchema: {
             type: 'object',
             properties: {
@@ -157,6 +157,75 @@ export const coreTools = [
                     description: 'Enable aggressive deobfuscation strategy',
                     default: false,
                 },
+                unpack: {
+                    type: 'boolean',
+                    description: 'Use webcrack to unpack webpack/browserify bundles when possible',
+                    default: true,
+                },
+                unminify: {
+                    type: 'boolean',
+                    description: 'Use webcrack to reformat and unminify code before post-processing',
+                    default: true,
+                },
+                jsx: {
+                    type: 'boolean',
+                    description: 'Ask webcrack to decompile React.createElement trees back to JSX when supported',
+                    default: true,
+                },
+                mangle: {
+                    type: 'boolean',
+                    description: 'Rename obfuscated identifiers using webcrack mangle pass',
+                    default: false,
+                },
+                outputDir: {
+                    type: 'string',
+                    description: 'Optional directory where webcrack should save the deobfuscated code and extracted bundle',
+                },
+                forceOutput: {
+                    type: 'boolean',
+                    description: 'Remove outputDir before saving webcrack artifacts',
+                    default: false,
+                },
+                includeModuleCode: {
+                    type: 'boolean',
+                    description: 'Include unpacked module source in bundle output when returning bundle details',
+                    default: false,
+                },
+                maxBundleModules: {
+                    type: 'number',
+                    description: 'Maximum number of bundle modules to return in the response',
+                    default: 100,
+                },
+                mappings: {
+                    type: 'array',
+                    description: 'Optional remapping rules applied to unpacked bundle module paths. Each rule can match against module code or current path.',
+                    items: {
+                        type: 'object',
+                        properties: {
+                            path: {
+                                type: 'string',
+                                description: 'New module path to assign when the rule matches',
+                            },
+                            pattern: {
+                                type: 'string',
+                                description: 'Text or regex used to match module code/path',
+                            },
+                            matchType: {
+                                type: 'string',
+                                enum: ['includes', 'regex', 'exact'],
+                                description: 'How to interpret pattern',
+                                default: 'includes',
+                            },
+                            target: {
+                                type: 'string',
+                                enum: ['code', 'path'],
+                                description: 'Whether to match against module source code or the current module path',
+                                default: 'code',
+                            },
+                        },
+                        required: ['path', 'pattern'],
+                    },
+                },
             },
             required: ['code'],
         },
@@ -258,7 +327,7 @@ export const coreTools = [
     },
     {
         name: 'advanced_deobfuscate',
-        description: 'Run advanced deobfuscation with VM-oriented strategies.',
+        description: 'Run advanced deobfuscation with webcrack backend (deprecated legacy flags ignored).',
         inputSchema: {
             type: 'object',
             properties: {
@@ -286,6 +355,158 @@ export const coreTools = [
                     description: 'Operation timeout in milliseconds',
                     default: 60000,
                 },
+                unpack: {
+                    type: 'boolean',
+                    description: 'Use webcrack to unpack webpack/browserify bundles before advanced cleanup',
+                    default: true,
+                },
+                unminify: {
+                    type: 'boolean',
+                    description: 'Use webcrack unminify pass before VM and AST-oriented cleanup',
+                    default: true,
+                },
+                jsx: {
+                    type: 'boolean',
+                    description: 'Allow webcrack to decompile React.createElement back to JSX when supported',
+                    default: true,
+                },
+                mangle: {
+                    type: 'boolean',
+                    description: 'Rename obfuscated identifiers during the webcrack phase',
+                    default: false,
+                },
+                outputDir: {
+                    type: 'string',
+                    description: 'Optional directory where webcrack should save the deobfuscated code and extracted bundle',
+                },
+                forceOutput: {
+                    type: 'boolean',
+                    description: 'Remove outputDir before saving webcrack artifacts',
+                    default: false,
+                },
+                includeModuleCode: {
+                    type: 'boolean',
+                    description: 'Include unpacked module source in bundle output when returning bundle details',
+                    default: false,
+                },
+                maxBundleModules: {
+                    type: 'number',
+                    description: 'Maximum number of bundle modules to return in the response',
+                    default: 100,
+                },
+                mappings: {
+                    type: 'array',
+                    description: 'Optional remapping rules applied to unpacked bundle module paths. Each rule can match against module code or current path.',
+                    items: {
+                        type: 'object',
+                        properties: {
+                            path: {
+                                type: 'string',
+                                description: 'New module path to assign when the rule matches',
+                            },
+                            pattern: {
+                                type: 'string',
+                                description: 'Text or regex used to match module code/path',
+                            },
+                            matchType: {
+                                type: 'string',
+                                enum: ['includes', 'regex', 'exact'],
+                                description: 'How to interpret pattern',
+                                default: 'includes',
+                            },
+                            target: {
+                                type: 'string',
+                                enum: ['code', 'path'],
+                                description: 'Whether to match against module source code or the current module path',
+                                default: 'code',
+                            },
+                        },
+                        required: ['path', 'pattern'],
+                    },
+                },
+            },
+            required: ['code'],
+        },
+    },
+    {
+        name: 'webcrack_unpack',
+        description: 'Run webcrack bundle unpacking directly and return extracted module graph details.',
+        inputSchema: {
+            type: 'object',
+            properties: {
+                code: {
+                    type: 'string',
+                    description: 'Bundled or obfuscated JavaScript source',
+                },
+                unpack: {
+                    type: 'boolean',
+                    description: 'Extract modules from the bundle when supported',
+                    default: true,
+                },
+                unminify: {
+                    type: 'boolean',
+                    description: 'Unminify the code before extracting bundle modules',
+                    default: true,
+                },
+                jsx: {
+                    type: 'boolean',
+                    description: 'Decompile React.createElement trees back to JSX when supported',
+                    default: true,
+                },
+                mangle: {
+                    type: 'boolean',
+                    description: 'Rename obfuscated identifiers during the webcrack pass',
+                    default: false,
+                },
+                outputDir: {
+                    type: 'string',
+                    description: 'Optional directory where webcrack should save the extracted bundle files',
+                },
+                forceOutput: {
+                    type: 'boolean',
+                    description: 'Remove outputDir before saving webcrack artifacts',
+                    default: false,
+                },
+                includeModuleCode: {
+                    type: 'boolean',
+                    description: 'Include unpacked module source in bundle output',
+                    default: false,
+                },
+                maxBundleModules: {
+                    type: 'number',
+                    description: 'Maximum number of bundle modules to return in the response',
+                    default: 100,
+                },
+                mappings: {
+                    type: 'array',
+                    description: 'Optional remapping rules applied to unpacked bundle module paths. Each rule can match against module code or current path.',
+                    items: {
+                        type: 'object',
+                        properties: {
+                            path: {
+                                type: 'string',
+                                description: 'New module path to assign when the rule matches',
+                            },
+                            pattern: {
+                                type: 'string',
+                                description: 'Text or regex used to match module code/path',
+                            },
+                            matchType: {
+                                type: 'string',
+                                enum: ['includes', 'regex', 'exact'],
+                                description: 'How to interpret pattern',
+                                default: 'includes',
+                            },
+                            target: {
+                                type: 'string',
+                                enum: ['code', 'path'],
+                                description: 'Whether to match against module source code or the current module path',
+                                default: 'code',
+                            },
+                        },
+                        required: ['path', 'pattern'],
+                    },
+                },
             },
             required: ['code'],
         },

package/dist/server/domains/analysis/handlers.impl.d.ts

@@ -3,7 +3,6 @@ import { CodeCollector } from '../../domains/shared/modules.js';
 import { ScriptManager } from '../../domains/shared/modules.js';
 import { Deobfuscator } from '../../domains/shared/modules.js';
 import { AdvancedDeobfuscator } from '../../domains/shared/modules.js';
-import { ASTOptimizer } from '../../domains/shared/modules.js';
 import { ObfuscationDetector } from '../../domains/shared/modules.js';
 import { CodeAnalyzer } from '../../domains/shared/modules.js';
 import { CryptoDetector } from '../../domains/shared/modules.js';
@@ -13,7 +12,6 @@ interface CoreAnalysisHandlerDeps {
     scriptManager: ScriptManager;
     deobfuscator: Deobfuscator;
     advancedDeobfuscator: AdvancedDeobfuscator;
-    astOptimizer: ASTOptimizer;
     obfuscationDetector: ObfuscationDetector;
     analyzer: CodeAnalyzer;
     cryptoDetector: CryptoDetector;
@@ -24,13 +22,13 @@ export declare class CoreAnalysisHandlers {
     private readonly scriptManager;
     private readonly deobfuscator;
     private readonly advancedDeobfuscator;
-    private readonly astOptimizer;
     private readonly obfuscationDetector;
     private readonly analyzer;
     private readonly cryptoDetector;
     private readonly hookManager;
     constructor(deps: CoreAnalysisHandlerDeps);
     private requireCodeArg;
+    private extractWebcrackArgs;
     handleCollectCode(args: ToolArgs): Promise<ToolResponse>;
     handleSearchInScripts(args: ToolArgs): Promise<ToolResponse>;
     handleExtractFunctionTree(args: ToolArgs): Promise<ToolResponse>;
@@ -40,6 +38,7 @@ export declare class CoreAnalysisHandlers {
     handleManageHooks(args: ToolArgs): Promise<ToolResponse>;
     handleDetectObfuscation(args: ToolArgs): Promise<ToolResponse>;
     handleAdvancedDeobfuscate(args: ToolArgs): Promise<ToolResponse>;
+    handleWebcrackUnpack(args: ToolArgs): Promise<ToolResponse>;
     handleWebpackEnumerate(args: ToolArgs): Promise<ToolResponse>;
     handleSourceMapExtract(args: ToolArgs): Promise<ToolResponse>;
     handleClearCollectedData(): Promise<ToolResponse>;

package/dist/server/domains/analysis/handlers.impl.js

@@ -1,12 +1,12 @@
 import { logger } from '../../../utils/logger.js';
 import { asJsonResponse, asTextResponse, serializeError } from '../../domains/shared/response.js';
 import { runSourceMapExtract, runWebpackEnumerate } from '../../domains/analysis/handlers.web-tools.js';
+import { runWebcrack } from '../../../modules/deobfuscator/webcrack.js';
 export class CoreAnalysisHandlers {
     collector;
     scriptManager;
     deobfuscator;
     advancedDeobfuscator;
-    astOptimizer;
     obfuscationDetector;
     analyzer;
     cryptoDetector;
@@ -16,7 +16,6 @@ export class CoreAnalysisHandlers {
         this.scriptManager = deps.scriptManager;
         this.deobfuscator = deps.deobfuscator;
         this.advancedDeobfuscator = deps.advancedDeobfuscator;
-        this.astOptimizer = deps.astOptimizer;
         this.obfuscationDetector = deps.obfuscationDetector;
         this.analyzer = deps.analyzer;
         this.cryptoDetector = deps.cryptoDetector;
@@ -30,6 +29,33 @@ export class CoreAnalysisHandlers {
         }
         return code;
     }
+    extractWebcrackArgs(args) {
+        const extracted = {};
+        if (typeof args.unpack === 'boolean')
+            extracted.unpack = args.unpack;
+        if (typeof args.unminify === 'boolean')
+            extracted.unminify = args.unminify;
+        if (typeof args.jsx === 'boolean')
+            extracted.jsx = args.jsx;
+        if (typeof args.mangle === 'boolean')
+            extracted.mangle = args.mangle;
+        if (typeof args.outputDir === 'string' && args.outputDir.trim().length > 0) {
+            extracted.outputDir = args.outputDir;
+        }
+        if (typeof args.forceOutput === 'boolean')
+            extracted.forceOutput = args.forceOutput;
+        if (typeof args.includeModuleCode === 'boolean')
+            extracted.includeModuleCode = args.includeModuleCode;
+        if (typeof args.maxBundleModules === 'number')
+            extracted.maxBundleModules = args.maxBundleModules;
+        if (Array.isArray(args.mappings)) {
+            extracted.mappings = args.mappings.filter((item) => typeof item === 'object' &&
+                item !== null &&
+                typeof item.path === 'string' &&
+                typeof item.pattern === 'string');
+        }
+        return extracted;
+    }
     async handleCollectCode(args) {
         const returnSummaryOnly = args.returnSummaryOnly ?? false;
         let smartMode = args.smartMode;
@@ -200,6 +226,7 @@ export class CoreAnalysisHandlers {
             code,
             llm: args.llm,
             aggressive: args.aggressive,
+            ...this.extractWebcrackArgs(args),
         });
         return asJsonResponse(result);
     }
@@ -280,24 +307,42 @@ export class CoreAnalysisHandlers {
                 error: 'code is required and must be a non-empty string',
             });
         }
-        const detectOnly = args.detectOnly ?? false;
-        const aggressiveVM = args.aggressiveVM ?? false;
-        const useASTOptimization = args.useASTOptimization ?? true;
-        const timeout = args.timeout ?? 60000;
         const result = await this.advancedDeobfuscator.deobfuscate({
             code,
-            detectOnly,
-            aggressiveVM,
-            timeout,
+            ...this.extractWebcrackArgs(args),
+            ...(typeof args.detectOnly === 'boolean' ? { detectOnly: args.detectOnly } : {}),
+            ...(typeof args.aggressiveVM === 'boolean' ? { aggressiveVM: args.aggressiveVM } : {}),
+            ...(typeof args.useASTOptimization === 'boolean'
+                ? { useASTOptimization: args.useASTOptimization }
+                : {}),
+            ...(typeof args.timeout === 'number' ? { timeout: args.timeout } : {}),
         });
-        let finalCode = result.code;
-        if (useASTOptimization && !detectOnly) {
-            finalCode = this.astOptimizer.optimize(finalCode);
+        return asJsonResponse(result);
+    }
+    async handleWebcrackUnpack(args) {
+        const code = this.requireCodeArg(args, 'webcrack_unpack');
+        if (!code) {
+            return asJsonResponse({
+                success: false,
+                error: 'code is required and must be a non-empty string',
+            });
         }
+        const result = await runWebcrack(code, {
+            unpack: args.unpack ?? true,
+            unminify: args.unminify ?? true,
+            jsx: args.jsx ?? true,
+            mangle: args.mangle ?? false,
+            ...this.extractWebcrackArgs(args),
+        });
         return asJsonResponse({
-            ...result,
-            code: finalCode,
-            astOptimized: useASTOptimization && !detectOnly,
+            success: result.applied,
+            code: result.code,
+            bundle: result.bundle,
+            savedTo: result.savedTo,
+            savedArtifacts: result.savedArtifacts,
+            optionsUsed: result.optionsUsed,
+            warning: result.reason,
+            engine: 'webcrack',
         });
     }
     async handleWebpackEnumerate(args) {

package/dist/server/domains/analysis/manifest.js

@@ -3,7 +3,6 @@ import { coreTools } from '../../domains/analysis/definitions.js';
 import { CoreAnalysisHandlers } from '../../domains/analysis/index.js';
 import { Deobfuscator } from '../../domains/shared/modules.js';
 import { AdvancedDeobfuscator } from '../../domains/shared/modules.js';
-import { ASTOptimizer } from '../../domains/shared/modules.js';
 import { ObfuscationDetector } from '../../domains/shared/modules.js';
 import { CodeAnalyzer } from '../../domains/shared/modules.js';
 import { CryptoDetector } from '../../domains/shared/modules.js';
@@ -17,9 +16,7 @@ function ensure(ctx) {
     if (!ctx.deobfuscator)
         ctx.deobfuscator = new Deobfuscator(ctx.llm);
     if (!ctx.advancedDeobfuscator)
-        ctx.advancedDeobfuscator = new AdvancedDeobfuscator(ctx.llm);
-    if (!ctx.astOptimizer)
-        ctx.astOptimizer = new ASTOptimizer();
+        ctx.advancedDeobfuscator = new AdvancedDeobfuscator();
     if (!ctx.obfuscationDetector)
         ctx.obfuscationDetector = new ObfuscationDetector();
     if (!ctx.analyzer)
@@ -34,7 +31,6 @@ function ensure(ctx) {
             scriptManager: ctx.scriptManager,
             deobfuscator: ctx.deobfuscator,
             advancedDeobfuscator: ctx.advancedDeobfuscator,
-            astOptimizer: ctx.astOptimizer,
             obfuscationDetector: ctx.obfuscationDetector,
             analyzer: ctx.analyzer,
             cryptoDetector: ctx.cryptoDetector,
@@ -60,6 +56,7 @@ const manifest = {
         { tool: t('manage_hooks'), domain: DOMAIN, bind: b((h, a) => h.handleManageHooks(a)) },
         { tool: t('detect_obfuscation'), domain: DOMAIN, bind: b((h, a) => h.handleDetectObfuscation(a)) },
         { tool: t('advanced_deobfuscate'), domain: DOMAIN, bind: b((h, a) => h.handleAdvancedDeobfuscate(a)) },
+        { tool: t('webcrack_unpack'), domain: DOMAIN, bind: b((h, a) => h.handleWebcrackUnpack(a)) },
         { tool: t('clear_collected_data'), domain: DOMAIN, bind: b((h) => h.handleClearCollectedData()) },
         { tool: t('get_collection_stats'), domain: DOMAIN, bind: b((h) => h.handleGetCollectionStats()) },
         { tool: t('webpack_enumerate'), domain: DOMAIN, bind: b((h, a) => h.handleWebpackEnumerate(a)) },