deepspider 0.1.0

package/src/analyzer/CallStackAnalyzer.js

@@ -0,0 +1,379 @@
+/**
+ * DeepSpider - 调用栈分析器
+ * 入口点识别、函数调用图、数据流分析、参数追踪
+ */
+
+import { parse } from '@babel/parser';
+import traverse from '@babel/traverse';
+
+export class CallStackAnalyzer {
+  constructor() {
+    this.ast = null;
+    this.code = '';
+    this.callGraph = new Map();
+    this.funcMap = new Map();
+  }
+
+  parse(code) {
+    this.code = code;
+    this.ast = parse(code, {
+      sourceType: 'unambiguous',
+      plugins: ['jsx', 'typescript', 'decorators-legacy'],
+      errorRecovery: true,
+    });
+    return this.ast;
+  }
+
+  // 识别入口点
+  findEntryPoints(code) {
+    const ast = this.parse(code);
+    const entries = [];
+
+    traverse.default(ast, {
+      CallExpression: (path) => {
+        const node = path.node;
+        // IIFE
+        if (node.callee.type === 'FunctionExpression' ||
+            node.callee.type === 'ArrowFunctionExpression') {
+          entries.push({
+            type: 'iife',
+            start: node.start,
+            loc: node.loc,
+            code: this.code.slice(node.start, Math.min(node.start + 50, node.end)) + '...'
+          });
+        }
+        // 常见入口调用
+        if (node.callee.type === 'Identifier') {
+          const name = node.callee.name;
+          if (['main', 'init', 'start', 'run', 'bootstrap', 'setup'].includes(name)) {
+            entries.push({ type: 'call', name, start: node.start, loc: node.loc });
+          }
+        }
+        // DOMContentLoaded / onload
+        if (node.callee.type === 'MemberExpression') {
+          const memberPath = this._getMemberPath(node.callee);
+          if (memberPath.includes('addEventListener') || memberPath.includes('onload')) {
+            entries.push({ type: 'event', path: memberPath, start: node.start, loc: node.loc });
+          }
+        }
+      },
+      ExpressionStatement: (path) => {
+        const node = path.node;
+        if (node.expression.type === 'CallExpression') {
+          const callee = node.expression.callee;
+          if (callee.type === 'Identifier') {
+            entries.push({
+              type: 'toplevel-call',
+              name: callee.name,
+              start: node.start,
+              loc: node.loc
+            });
+          }
+        }
+      }
+    });
+
+    return entries;
+  }
+
+  // 构建完整调用图（带调用者追踪）
+  buildCallGraph(code) {
+    const ast = this.parse(code);
+    this.callGraph.clear();
+    this.funcMap.clear();
+    const self = this;
+
+    // 单次遍历：收集函数定义并分析内部调用
+    traverse.default(ast, {
+      FunctionDeclaration(path) {
+        const node = path.node;
+        if (node.id) {
+          const funcName = node.id.name;
+          self.funcMap.set(funcName, {
+            node,
+            type: 'declaration',
+            params: node.params.map(p => self._getParamName(p))
+          });
+
+          // 收集函数内的调用
+          const calls = [];
+          path.traverse({
+            CallExpression(innerPath) {
+              const callNode = innerPath.node;
+              const callee = self._getCalleeName(callNode.callee);
+              if (callee) {
+                calls.push({
+                  callee,
+                  args: callNode.arguments.length,
+                  argValues: callNode.arguments.map(a => self.code.slice(a.start, a.end)),
+                  start: callNode.start,
+                  loc: callNode.loc
+                });
+              }
+            }
+          });
+          self.callGraph.set(funcName, calls);
+        }
+      },
+      VariableDeclarator(path) {
+        const node = path.node;
+        if (node.id.type === 'Identifier' &&
+            (node.init?.type === 'FunctionExpression' ||
+             node.init?.type === 'ArrowFunctionExpression')) {
+          const funcName = node.id.name;
+          self.funcMap.set(funcName, {
+            node: node.init,
+            type: node.init.type === 'ArrowFunctionExpression' ? 'arrow' : 'expression',
+            params: node.init.params.map(p => self._getParamName(p))
+          });
+
+          // 收集函数内的调用
+          const calls = [];
+          path.traverse({
+            CallExpression(innerPath) {
+              const callNode = innerPath.node;
+              const callee = self._getCalleeName(callNode.callee);
+              if (callee) {
+                calls.push({
+                  callee,
+                  args: callNode.arguments.length,
+                  argValues: callNode.arguments.map(a => self.code.slice(a.start, a.end)),
+                  start: callNode.start,
+                  loc: callNode.loc
+                });
+              }
+            }
+          });
+          self.callGraph.set(funcName, calls);
+        }
+      },
+      AssignmentExpression(path) {
+        const node = path.node;
+        if (node.left.type === 'Identifier' &&
+            (node.right.type === 'FunctionExpression' ||
+             node.right.type === 'ArrowFunctionExpression')) {
+          const funcName = node.left.name;
+          self.funcMap.set(funcName, {
+            node: node.right,
+            type: 'assigned',
+            params: node.right.params.map(p => self._getParamName(p))
+          });
+
+          // 收集函数内的调用
+          const calls = [];
+          path.traverse({
+            CallExpression(innerPath) {
+              const callNode = innerPath.node;
+              const callee = self._getCalleeName(callNode.callee);
+              if (callee) {
+                calls.push({
+                  callee,
+                  args: callNode.arguments.length,
+                  argValues: callNode.arguments.map(a => self.code.slice(a.start, a.end)),
+                  start: callNode.start,
+                  loc: callNode.loc
+                });
+              }
+            }
+          });
+          self.callGraph.set(funcName, calls);
+        }
+      }
+    });
+
+    // 分析全局作用域的调用
+    const globalCalls = [];
+    traverse.default(ast, {
+      CallExpression: (path) => {
+        const node = path.node;
+        // 检查是否在函数内
+        let inFunction = false;
+        for (const [, funcInfo] of this.funcMap) {
+          if (node.start >= funcInfo.node.start && node.end <= funcInfo.node.end) {
+            inFunction = true;
+            break;
+          }
+        }
+        if (!inFunction) {
+          const callee = this._getCalleeName(node.callee);
+          if (callee) {
+            globalCalls.push({
+              callee,
+              args: node.arguments.length,
+              start: node.start,
+              loc: node.loc
+            });
+          }
+        }
+      }
+    });
+
+    if (globalCalls.length > 0) {
+      this.callGraph.set('__global__', globalCalls);
+    }
+
+    return this.callGraph;
+  }
+
+  _getCalleeName(callee) {
+    if (callee.type === 'Identifier') return callee.name;
+    if (callee.type === 'MemberExpression') return this._getMemberPath(callee);
+    return null;
+  }
+
+  _getMemberPath(node) {
+    if (!node) return '';
+    if (node.type === 'Identifier') return node.name;
+    if (node.type === 'ThisExpression') return 'this';
+    if (node.type === 'MemberExpression') {
+      const obj = this._getMemberPath(node.object);
+      const prop = node.computed
+        ? `[${node.property.name || node.property.value || '?'}]`
+        : (node.property.name || node.property.value);
+      return obj ? `${obj}.${prop}` : String(prop);
+    }
+    return '';
+  }
+
+  _getParamName(param) {
+    if (param.type === 'Identifier') return param.name;
+    if (param.type === 'RestElement') return `...${param.argument?.name || 'rest'}`;
+    if (param.type === 'AssignmentPattern') return param.left?.name || 'default';
+    return 'param';
+  }
+
+  // 追踪参数传递（向上追溯）
+  traceParameter(code, funcName, paramIndex) {
+    this.buildCallGraph(code);
+    const traces = [];
+
+    // 找到所有调用该函数的地方
+    for (const [caller, calls] of this.callGraph) {
+      for (const call of calls) {
+        if (call.callee === funcName && call.argValues[paramIndex]) {
+          traces.push({
+            caller,
+            argValue: call.argValues[paramIndex],
+            start: call.start,
+            loc: call.loc
+          });
+        }
+      }
+    }
+
+    return traces;
+  }
+
+  // 反向追踪：找到谁调用了指定函数
+  findCallers(code, targetFunc) {
+    this.buildCallGraph(code);
+    const callers = [];
+
+    for (const [caller, calls] of this.callGraph) {
+      for (const call of calls) {
+        if (call.callee === targetFunc) {
+          callers.push({
+            caller,
+            args: call.argValues,
+            start: call.start,
+            loc: call.loc
+          });
+        }
+      }
+    }
+
+    return callers;
+  }
+
+  // 正向追踪：找到指定函数调用了谁
+  findCallees(code, sourceFunc) {
+    this.buildCallGraph(code);
+    return this.callGraph.get(sourceFunc) || [];
+  }
+
+  // 构建完整调用链（从入口到目标）
+  buildCallChain(code, targetFunc) {
+    this.buildCallGraph(code);
+    const chains = [];
+
+    const dfs = (current, path, visited) => {
+      if (visited.has(current)) return;
+      visited.add(current);
+
+      const calls = this.callGraph.get(current) || [];
+      for (const call of calls) {
+        const newPath = [...path, { from: current, to: call.callee, args: call.argValues }];
+
+        if (call.callee === targetFunc) {
+          chains.push(newPath);
+        } else if (this.funcMap.has(call.callee)) {
+          dfs(call.callee, newPath, new Set(visited));
+        }
+      }
+    };
+
+    // 从全局和所有入口开始
+    dfs('__global__', [], new Set());
+    for (const [funcName] of this.funcMap) {
+      dfs(funcName, [], new Set());
+    }
+
+    return chains;
+  }
+
+  // 数据流分析：追踪变量在函数间的传递
+  traceDataFlow(code, varName) {
+    const ast = this.parse(code);
+    const flow = [];
+
+    traverse.default(ast, {
+      VariableDeclarator: (path) => {
+        const node = path.node;
+        if (node.id.type === 'Identifier' && node.id.name === varName && node.init) {
+          flow.push({
+            type: 'declaration',
+            value: this.code.slice(node.init.start, node.init.end),
+            start: node.start,
+            loc: node.loc
+          });
+        }
+      },
+      AssignmentExpression: (path) => {
+        const node = path.node;
+        const left = node.left.type === 'Identifier'
+          ? node.left.name
+          : this._getMemberPath(node.left);
+
+        if (left === varName || left.startsWith(varName + '.')) {
+          flow.push({
+            type: 'assignment',
+            target: left,
+            value: this.code.slice(node.right.start, node.right.end),
+            start: node.start,
+            loc: node.loc
+          });
+        }
+      },
+      CallExpression: (path) => {
+        const node = path.node;
+        // 检查变量是否作为参数传递
+        node.arguments.forEach((arg, idx) => {
+          if (arg.type === 'Identifier' && arg.name === varName) {
+            const callee = this._getCalleeName(node.callee);
+            flow.push({
+              type: 'passed-to',
+              callee,
+              argIndex: idx,
+              start: node.start,
+              loc: node.loc
+            });
+          }
+        });
+      }
+    });
+
+    return flow;
+  }
+}
+
+export default CallStackAnalyzer;

package/src/analyzer/Deobfuscator.js

@@ -0,0 +1,289 @@
+/**
+ * DeepSpider - 反混淆器
+ * 支持：obfuscator.io、sojson、JShaman 等常见混淆器
+ * 流程：字符串解码 → 控制流还原 → 死代码删除 → 变量重命名
+ */
+
+export class Deobfuscator {
+  constructor() {
+    this.pipeline = [
+      'unicode',
+      'hex-string',
+      'base64',
+      'string-array',
+      'control-flow',
+      'deadcode',
+      'simplify',
+      'rename'
+    ];
+
+    // 常见混淆器特征
+    this.obfuscatorSignatures = {
+      'obfuscator.io': [
+        /var _0x[a-f0-9]+\s*=\s*\[/,
+        /function _0x[a-f0-9]+\(_0x[a-f0-9]+,\s*_0x[a-f0-9]+\)/
+      ],
+      'sojson': [
+        /sojson\.v\d/i,
+        /jsjiami\.com/i
+      ],
+      'jshaman': [
+        /_\$_[a-zA-Z0-9]+/,
+        /\['\\x/
+      ],
+      'jsfuck': [
+        /^\s*\[\]\[/,
+        /\(!?\[\]\+\[\]\)/
+      ]
+    };
+  }
+
+  // 标准化流程执行
+  runPipeline(code, steps = this.pipeline) {
+    let result = code;
+    const applied = [];
+
+    for (const step of steps) {
+      const before = result;
+      result = this._applyStep(result, step);
+      if (result !== before) {
+        applied.push(step);
+      }
+    }
+
+    return { code: result, applied };
+  }
+
+  _applyStep(code, step) {
+    switch (step) {
+      case 'unicode':
+        return this._deobfuscateUnicode(code).code;
+      case 'hex-string':
+        return this._deobfuscateHexStrings(code).code;
+      case 'base64':
+        return this._deobfuscateBase64(code).code;
+      case 'string-array':
+        return this._deobfuscateStringArray(code).code;
+      case 'control-flow':
+        return this._deobfuscateControlFlow(code).code;
+      case 'deadcode':
+        return this._removeDeadCode(code);
+      case 'simplify':
+        return this._simplifyCode(code);
+      case 'rename':
+        return this._renameVariables(code).code;
+      default:
+        return code;
+    }
+  }
+
+  // 识别混淆器类型
+  detectObfuscator(code) {
+    for (const [name, patterns] of Object.entries(this.obfuscatorSignatures)) {
+      if (patterns.some(p => p.test(code))) {
+        return name;
+      }
+    }
+    return 'unknown';
+  }
+
+  deobfuscate(code, type = 'auto') {
+    if (type === 'auto') {
+      type = this._detectType(code);
+    }
+
+    switch (type) {
+      case 'eval':
+        return this._deobfuscateEval(code);
+      case 'string-array':
+        return this._deobfuscateStringArray(code);
+      case 'hex-string':
+        return this._deobfuscateHexStrings(code);
+      case 'unicode':
+        return this._deobfuscateUnicode(code);
+      default:
+        return { code, type: 'unknown' };
+    }
+  }
+
+  _detectType(code) {
+    if (/eval\s*\(/.test(code)) return 'eval';
+    if (/\\x[0-9a-f]{2}/i.test(code)) return 'hex-string';
+    if (/\\u[0-9a-f]{4}/i.test(code)) return 'unicode';
+    if (/\[['"][^'"]+['"]\]/.test(code) && /0x[0-9a-f]+/i.test(code)) {
+      return 'string-array';
+    }
+    return 'unknown';
+  }
+
+  _deobfuscateEval(code) {
+    // 替换 eval 为返回内容
+    const replaced = code.replace(
+      /eval\s*\(([^)]+)\)/g,
+      '(function(){return $1})()'
+    );
+    return { code: replaced, type: 'eval' };
+  }
+
+  // Base64 解码
+  _deobfuscateBase64(code) {
+    let result = code;
+    // atob('xxx') 形式
+    result = result.replace(/atob\s*\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)/g, (m, b64) => {
+      try {
+        return `"${Buffer.from(b64, 'base64').toString()}"`;
+      } catch { return m; }
+    });
+    return { code: result, type: 'base64' };
+  }
+
+  // 字符串数组还原（obfuscator.io 风格）
+  _deobfuscateStringArray(code) {
+    // 提取字符串数组
+    const arrayMatch = code.match(/var\s+(_0x[a-f0-9]+)\s*=\s*\[([\s\S]*?)\];/);
+    if (!arrayMatch) {
+      return { code, type: 'string-array', note: '未找到字符串数组' };
+    }
+
+    const arrayName = arrayMatch[1];
+    const arrayContent = arrayMatch[2];
+
+    // 解析数组内容
+    const strings = [];
+    const strRegex = /['"]([^'"]*)['"]/g;
+    let match;
+    while ((match = strRegex.exec(arrayContent)) !== null) {
+      strings.push(match[1]);
+    }
+
+    if (strings.length === 0) {
+      return { code, type: 'string-array', note: '数组为空' };
+    }
+
+    // 替换数组访问
+    let result = code;
+    const accessPattern = new RegExp(`${arrayName}\\[(0x[a-f0-9]+|\\d+)\\]`, 'gi');
+    result = result.replace(accessPattern, (m, idx) => {
+      const index = parseInt(idx, idx.startsWith('0x') ? 16 : 10);
+      if (index < strings.length) {
+        return `"${strings[index]}"`;
+      }
+      return m;
+    });
+
+    return { code: result, type: 'string-array', stringsFound: strings.length };
+  }
+
+  _deobfuscateHexStrings(code) {
+    const result = code.replace(/\\x([0-9a-f]{2})/gi, (m, hex) => {
+      return String.fromCharCode(parseInt(hex, 16));
+    });
+    return { code: result, type: 'hex-string' };
+  }
+
+  _deobfuscateUnicode(code) {
+    const result = code.replace(/\\u([0-9a-f]{4})/gi, (m, uni) => {
+      return String.fromCharCode(parseInt(uni, 16));
+    });
+    return { code: result, type: 'unicode' };
+  }
+
+  decodeStrings(code) {
+    const decoded = [];
+
+    // 解码 hex 字符串
+    code.replace(/\\x([0-9a-f]{2})/gi, (m, hex) => {
+      decoded.push({ type: 'hex', value: String.fromCharCode(parseInt(hex, 16)) });
+      return m;
+    });
+
+    // 解码 unicode
+    code.replace(/\\u([0-9a-f]{4})/gi, (m, uni) => {
+      decoded.push({ type: 'unicode', value: String.fromCharCode(parseInt(uni, 16)) });
+      return m;
+    });
+
+    return decoded;
+  }
+
+  // 删除死代码（冗余的 switch-case 结构）
+  _removeDeadCode(code) {
+    // 移除空的 switch 语句
+    let result = code.replace(
+      /switch\s*\([^)]+\)\s*\{\s*\}/g,
+      ''
+    );
+    // 移除连续空行
+    result = result.replace(/\n{3,}/g, '\n\n');
+    return result;
+  }
+
+  // 简化代码
+  _simplifyCode(code) {
+    let result = code;
+    // 简化 void 0 为 undefined
+    result = result.replace(/void\s+0/g, 'undefined');
+    // 简化 !0 为 true, !1 为 false
+    result = result.replace(/!0\b/g, 'true');
+    result = result.replace(/!1\b/g, 'false');
+    // 简化 1 == 1 为 true
+    result = result.replace(/1\s*===?\s*1/g, 'true');
+    result = result.replace(/0\s*===?\s*0/g, 'true');
+    // 简化字符串拼接
+    result = result.replace(/['"]\s*\+\s*['"]/g, '');
+    return result;
+  }
+
+  // 控制流平坦化还原
+  _deobfuscateControlFlow(code) {
+    // 检测 switch-case 控制流
+    const switchMatch = code.match(
+      /while\s*\(\s*!!\[\]\s*\)\s*\{\s*switch\s*\(\s*(\w+)\[(\w+)\+\+\]\s*\)/
+    );
+    if (!switchMatch) {
+      return { code, type: 'control-flow', note: '未检测到控制流平坦化' };
+    }
+    return { code, type: 'control-flow', note: '检测到控制流平坦化，需要动态分析' };
+  }
+
+  // 变量重命名（将 _0x 开头的变量重命名为可读名称）
+  _renameVariables(code) {
+    const varMap = new Map();
+    let counter = { var: 0, func: 0, param: 0 };
+
+    // 收集所有 _0x 开头的标识符
+    const pattern = /_0x[a-f0-9]+/gi;
+    const matches = code.match(pattern) || [];
+    const unique = [...new Set(matches)];
+
+    for (const name of unique) {
+      if (!varMap.has(name)) {
+        // 根据上下文推断类型
+        if (new RegExp(`function\\s+${name}`).test(code)) {
+          varMap.set(name, `func_${counter.func++}`);
+        } else {
+          varMap.set(name, `var_${counter.var++}`);
+        }
+      }
+    }
+
+    let result = code;
+    for (const [old, newName] of varMap) {
+      result = result.replace(new RegExp(old, 'g'), newName);
+    }
+
+    return { code: result, type: 'rename', renamed: varMap.size };
+  }
+
+  // 提取函数（按名称）
+  extractFunction(code, funcName) {
+    const pattern = new RegExp(
+      `function\\s+${funcName}\\s*\\([^)]*\\)\\s*\\{[^}]*\\}`,
+      'g'
+    );
+    const matches = code.match(pattern);
+    return matches || [];
+  }
+}
+
+export default Deobfuscator;