@jshookmcp/jshook 0.1.6 → 0.1.8

package/dist/modules/deobfuscator/webcrack.js

@@ -0,0 +1,164 @@
+import { readdir, rm, stat } from 'node:fs/promises';
+import path from 'node:path';
+import { logger } from '../../utils/logger.js';
+const DEFAULT_OPTIONS = {
+    jsx: true,
+    mangle: false,
+    unminify: true,
+    unpack: true,
+};
+const MAX_BUNDLE_MODULES = 100;
+function normalizeOptions(options) {
+    return {
+        jsx: options.jsx ?? DEFAULT_OPTIONS.jsx,
+        mangle: options.mangle ?? DEFAULT_OPTIONS.mangle,
+        unminify: options.unminify ?? DEFAULT_OPTIONS.unminify,
+        unpack: options.unpack ?? DEFAULT_OPTIONS.unpack,
+    };
+}
+function isSupportedNodeVersion() {
+    const major = Number.parseInt(process.versions.node.split('.')[0] ?? '0', 10);
+    return Number.isFinite(major) && major >= 22;
+}
+function matchesRule(module, rule) {
+    const target = rule.target === 'path' ? module.path : module.code;
+    const matchType = rule.matchType ?? 'includes';
+    if (matchType === 'exact') {
+        return target === rule.pattern;
+    }
+    if (matchType === 'regex') {
+        try {
+            return new RegExp(rule.pattern, 'm').test(target);
+        }
+        catch {
+            return false;
+        }
+    }
+    return target.includes(rule.pattern);
+}
+function applyBundleMappings(bundle, mappings) {
+    const remapped = new Map();
+    if (!mappings || mappings.length === 0) {
+        return remapped;
+    }
+    for (const module of bundle.modules.values()) {
+        for (const rule of mappings) {
+            if (!rule.path || !rule.pattern) {
+                continue;
+            }
+            if (matchesRule(module, rule)) {
+                if (module.path !== rule.path) {
+                    remapped.set(module.id, { fromPath: module.path });
+                    module.path = rule.path;
+                }
+                break;
+            }
+        }
+    }
+    return remapped;
+}
+function summarizeBundle(bundle, options, remapped) {
+    const maxBundleModules = options.maxBundleModules ?? MAX_BUNDLE_MODULES;
+    const modules = Array.from(bundle.modules.values())
+        .sort((left, right) => {
+        if (left.isEntry !== right.isEntry) {
+            return left.isEntry ? -1 : 1;
+        }
+        return left.path.localeCompare(right.path);
+    })
+        .slice(0, maxBundleModules)
+        .map((module) => ({
+        id: module.id,
+        path: module.path,
+        isEntry: module.isEntry,
+        size: module.code.length,
+        code: options.includeModuleCode ? module.code : undefined,
+        mappedPathFrom: remapped.get(module.id)?.fromPath,
+    }));
+    return {
+        type: bundle.type,
+        entryId: bundle.entryId,
+        moduleCount: bundle.modules.size,
+        truncated: bundle.modules.size > maxBundleModules,
+        mappingsApplied: remapped.size,
+        modules,
+    };
+}
+async function collectSavedArtifacts(rootDir, currentDir = rootDir) {
+    const entries = await readdir(currentDir, { withFileTypes: true });
+    const artifacts = [];
+    for (const entry of entries) {
+        const fullPath = path.join(currentDir, entry.name);
+        if (entry.isDirectory()) {
+            artifacts.push(...(await collectSavedArtifacts(rootDir, fullPath)));
+            continue;
+        }
+        if (!entry.isFile()) {
+            continue;
+        }
+        const metadata = await stat(fullPath);
+        artifacts.push({
+            path: path.relative(rootDir, fullPath).replace(/\\/g, '/'),
+            size: metadata.size,
+            type: 'file',
+        });
+    }
+    return artifacts.sort((left, right) => left.path.localeCompare(right.path));
+}
+export async function runWebcrack(code, options) {
+    const optionsUsed = normalizeOptions(options);
+    if (!isSupportedNodeVersion()) {
+        const reason = `webcrack requires Node.js 22+; current runtime is ${process.versions.node}`;
+        logger.warn(reason);
+        return {
+            applied: false,
+            code,
+            optionsUsed,
+            reason,
+        };
+    }
+    try {
+        const { webcrack } = (await import('webcrack'));
+        const result = await webcrack(code, {
+            jsx: optionsUsed.jsx,
+            unpack: optionsUsed.unpack,
+            deobfuscate: true,
+            unminify: optionsUsed.unminify,
+            mangle: optionsUsed.mangle,
+        });
+        const remapped = result.bundle ? applyBundleMappings(result.bundle, options.mappings) : new Map();
+        let savedTo;
+        let savedArtifacts;
+        if (typeof options.outputDir === 'string' && options.outputDir.trim().length > 0) {
+            savedTo = path.resolve(options.outputDir);
+            if (options.forceOutput) {
+                await rm(savedTo, { recursive: true, force: true });
+            }
+            await result.save(savedTo);
+            savedArtifacts = await collectSavedArtifacts(savedTo);
+        }
+        return {
+            applied: true,
+            code: result.code,
+            bundle: result.bundle
+                ? summarizeBundle(result.bundle, {
+                    includeModuleCode: options.includeModuleCode,
+                    maxBundleModules: options.maxBundleModules,
+                }, remapped)
+                : undefined,
+            savedTo,
+            savedArtifacts,
+            optionsUsed,
+        };
+    }
+    catch (error) {
+        const reason = error instanceof Error ? error.message : String(error);
+        logger.warn('webcrack execution failed, falling back to legacy pipeline', error);
+        return {
+            applied: false,
+            code,
+            optionsUsed,
+            reason,
+        };
+    }
+}

package/dist/modules/detector/ObfuscationDetector.d.ts

@@ -4,12 +4,18 @@ export interface DetectionResult {
     confidence: Record<ObfuscationType, number>;
     features: string[];
     recommendations: string[];
+    toolRecommendations: Array<{
+        tool: string;
+        reason: string;
+        suggestedArgs?: Record<string, unknown>;
+    }>;
     vmFeatures?: VMFeatures;
 }
 export declare class ObfuscationDetector {
     private jsvmpDetector;
     constructor();
     detect(code: string): DetectionResult;
+    private buildToolRecommendations;
     private detectVMProtectionDetailed;
     private detectJavaScriptObfuscator;
     private detectWebpack;

package/dist/modules/detector/ObfuscationDetector.js

@@ -16,13 +16,13 @@ export class ObfuscationDetector {
             confidence['javascript-obfuscator'] = 0.9;
             features.push('String array with rotation');
             features.push('Control flow flattening');
-            recommendations.push('Use webcrack or restringer for deobfuscation');
+            recommendations.push('Use deobfuscate/advanced_deobfuscate with webcrack enabled');
         }
         if (this.detectWebpack(code)) {
             types.push('webpack');
             confidence['webpack'] = 0.85;
             features.push('__webpack_require__');
-            recommendations.push('Use webpack-bundle-analyzer');
+            recommendations.push('Use deobfuscate/advanced_deobfuscate with unpack=true to recover modules');
         }
         if (this.detectUglify(code)) {
             types.push('uglify');
@@ -140,9 +140,51 @@ export class ObfuscationDetector {
             confidence: confidence,
             features,
             recommendations,
+            toolRecommendations: this.buildToolRecommendations(types, code),
             vmFeatures,
         };
     }
+    buildToolRecommendations(types, code) {
+        const recommendations = new Map();
+        const addRecommendation = (tool, reason, suggestedArgs) => {
+            if (!recommendations.has(tool)) {
+                recommendations.set(tool, { tool, reason, suggestedArgs });
+            }
+        };
+        if (types.includes('webpack') || types.includes('packer')) {
+            addRecommendation('webcrack_unpack', 'Bundle or wrapper markers detected; unpacking modules is likely the highest-value first step.', { code, unpack: true, unminify: true });
+        }
+        if (types.some((type) => [
+            'javascript-obfuscator',
+            'string-array-rotation',
+            'hex-encoding',
+            'base64-encoding',
+            'urlencoded',
+            'unknown',
+        ].includes(type))) {
+            addRecommendation('deobfuscate', 'Static cleanup is likely sufficient; start with the standard webcrack-backed deobfuscation path.', { code, unminify: true });
+        }
+        if (types.some((type) => [
+            'vm-protection',
+            'control-flow-flattening',
+            'dead-code-injection',
+            'opaque-predicates',
+            'invisible-unicode',
+            'jscrambler',
+            'jsfuck',
+            'aaencode',
+            'jjencode',
+        ].includes(type))) {
+            addRecommendation('advanced_deobfuscate', 'Complex protections detected; use the advanced webcrack-backed flow for deeper cleanup.', { code, detectOnly: false, unminify: true });
+        }
+        if (types.includes('eval-obfuscation') || types.includes('self-modifying')) {
+            addRecommendation('manage_hooks', 'Runtime-generated code is present; capture or hook execution points before static cleanup if analysis stalls.', { action: 'create', target: 'eval', type: 'function' });
+        }
+        if (recommendations.size === 0) {
+            addRecommendation('deobfuscate', 'No strong signature matched; start with the standard webcrack-backed path.', { code });
+        }
+        return Array.from(recommendations.values());
+    }
     detectVMProtectionDetailed(code) {
         try {
             const detector = this.jsvmpDetector;
@@ -273,6 +315,15 @@ export class ObfuscationDetector {
         result.recommendations.forEach((rec) => {
             report += `  - ${rec}\n`;
         });
+        if (result.toolRecommendations.length > 0) {
+            report += `\nSuggested Tools:\n`;
+            result.toolRecommendations.forEach((item) => {
+                report += `  - ${item.tool}: ${item.reason}\n`;
+                if (item.suggestedArgs) {
+                    report += `    args: ${JSON.stringify(item.suggestedArgs)}\n`;
+                }
+            });
+        }
         return report;
     }
 }

package/dist/modules/hook/AIHookGenerator.js

@@ -61,7 +61,7 @@ export class AIHookGenerator {
     generateFunctionHook(request, hookId) {
         const { target, behavior, condition, customCode } = request;
         const functionName = target.name || target.pattern || 'unknownFunction';
-        let code = `
+        const code = `
 (function() {
   const originalFunction = window.${functionName};
   

package/dist/modules/process/MacProcessManager.js

@@ -103,31 +103,31 @@ export class MacProcessManager {
             if (!process) {
                 return [];
             }
-            const appleScript = `
-        tell application "System Events"
-          set processList to {}
-          try
-            set targetProcess to first process whose unix id is ${pid}
-            set procName to name of targetProcess
-            set windowList to {}
-
-            tell targetProcess
-              repeat with win in windows
-                set winInfo to {|
-                  title:name of win,
-                  className:procName,
-                  processId:${pid},
-                  handle:"applescript-window"
-                |}
-                set end of windowList to winInfo
-              end repeat
-            end tell
-
-            return windowList
-          on error
-            return {}
-          end try
-        end tell
+            const appleScript = `
+        tell application "System Events"
+          set processList to {}
+          try
+            set targetProcess to first process whose unix id is ${pid}
+            set procName to name of targetProcess
+            set windowList to {}
+
+            tell targetProcess
+              repeat with win in windows
+                set winInfo to {|
+                  title:name of win,
+                  className:procName,
+                  processId:${pid},
+                  handle:"applescript-window"
+                |}
+                set end of windowList to winInfo
+              end repeat
+            end tell
+
+            return windowList
+          on error
+            return {}
+          end try
+        end tell
       `;
             const { stdout } = await execAsync(`osascript -e '${appleScript.replace(/'/g, "'\"'\"'")}' 2>/dev/null || echo "[]"`, { timeout: 5000 });
             const windows = [];

package/dist/modules/process/memory/availability.js

@@ -103,55 +103,55 @@ export async function checkDebugPort(platform, pid) {
         return { success: false, error: 'Debug port check currently only implemented for Windows' };
     }
     try {
-        const psScript = `
-Add-Type @"
-using System;
-using System.Runtime.InteropServices;
-using System.ComponentModel;
-
-public class DebugChecker {
-    [DllImport("ntdll.dll")]
-    public static extern int NtQueryInformationProcess(IntPtr processHandle, int processInformationClass, out IntPtr processInformation, int processInformationLength, out int returnLength);
-
-    [DllImport("kernel32.dll", SetLastError = true)]
-    public static extern IntPtr OpenProcess(int access, bool inherit, int pid);
-
-    [DllImport("kernel32.dll", SetLastError = true)]
-    public static extern bool CloseHandle(IntPtr handle);
-
-    const int PROCESS_QUERY_INFORMATION = 0x0400;
-    const int ProcessDebugPort = 7;
-
-    public static object Check(int pid) {
-        IntPtr hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, false, pid);
-        if (hProcess == IntPtr.Zero) {
-            int error = Marshal.GetLastWin32Error();
-            throw new Win32Exception(error, "Failed to open process");
-        }
-
-        try {
-            IntPtr debugPort;
-            int returnLength;
-            int status = NtQueryInformationProcess(hProcess, ProcessDebugPort, out debugPort, IntPtr.Size, out returnLength);
-
-            if (status != 0) {
-                return new { success = false, error = "NtQueryInformationProcess failed with status: 0x" + status.ToString("X") };
-            }
-
-            return new { success = true, isDebugged = debugPort != IntPtr.Zero };
-        } finally {
-            CloseHandle(hProcess);
-        }
-    }
-}
-"@
-
-try {
-    $result = [DebugChecker]::Check(${pid})
-    $result | ConvertTo-Json -Compress
-} catch {
-    @{ success = $false; error = $_.Exception.Message } | ConvertTo-Json -Compress
-}
+        const psScript = `
+Add-Type @"
+using System;
+using System.Runtime.InteropServices;
+using System.ComponentModel;
+
+public class DebugChecker {
+    [DllImport("ntdll.dll")]
+    public static extern int NtQueryInformationProcess(IntPtr processHandle, int processInformationClass, out IntPtr processInformation, int processInformationLength, out int returnLength);
+
+    [DllImport("kernel32.dll", SetLastError = true)]
+    public static extern IntPtr OpenProcess(int access, bool inherit, int pid);
+
+    [DllImport("kernel32.dll", SetLastError = true)]
+    public static extern bool CloseHandle(IntPtr handle);
+
+    const int PROCESS_QUERY_INFORMATION = 0x0400;
+    const int ProcessDebugPort = 7;
+
+    public static object Check(int pid) {
+        IntPtr hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, false, pid);
+        if (hProcess == IntPtr.Zero) {
+            int error = Marshal.GetLastWin32Error();
+            throw new Win32Exception(error, "Failed to open process");
+        }
+
+        try {
+            IntPtr debugPort;
+            int returnLength;
+            int status = NtQueryInformationProcess(hProcess, ProcessDebugPort, out debugPort, IntPtr.Size, out returnLength);
+
+            if (status != 0) {
+                return new { success = false, error = "NtQueryInformationProcess failed with status: 0x" + status.ToString("X") };
+            }
+
+            return new { success = true, isDebugged = debugPort != IntPtr.Zero };
+        } finally {
+            CloseHandle(hProcess);
+        }
+    }
+}
+"@
+
+try {
+    $result = [DebugChecker]::Check(${pid})
+    $result | ConvertTo-Json -Compress
+} catch {
+    @{ success = $false; error = $_.Exception.Message } | ConvertTo-Json -Compress
+}
     `;
         const { stdout } = await executePowerShellScript(psScript, { maxBuffer: 1024 * 1024, timeout: 10000 });
         const _trimmed = stdout.trim();