Remove Obfuscated Code [20081221b]
Dec. 21, 2008, 12:10 PM
Post: #25
RE: Remove Obfuscated Code [20081221a]
(Dec. 21, 2008, 03:28 AM) Kye-U wrote: Thanks for the additional testbed! I'm working on having a filter general enough to match both (and the IE PoC) while having minimal false positives.

EDIT: Updated. I decided to implement lnminente's "open script/closed script" variable, and also decided to not kill the rest of the page, but remove as much obfuscated code as possible (limited to 32767 bytes) and allow the page to still load.

If you're already using your own "open script/closed script" filter, feel free to modify this filter.

Thanks, Kye-U. Your new filter seems to be working fine, although the coding is a bit over my head now. Here's what I came up with last night:
Code:
[Patterns]
Name = "<script>: Remove Obfuscated Code [20081220b dt]"
Active = TRUE
URL = "($TYPE(htm)|$TYPE(js)|$TYPE(vbs))"
Bounds = "$NEST(<script,</script*>)"
Limit = 32767
Match = "*(\\([0-7]+{1,3}&&[#000:377])"
        "|(%|\\x)([a-f0-9])+{2}"
        "|(%|\\)u([a-f0-9])+{4}"
        ")+{5,*}*"
Replace = "$ALERT(Script with obfuscated code surgically removed from:\r\n\r\n\u\r\n\r\n)"
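As an added illustration (not DarthTrader's or Kye-U's code, and not Proxomitron), here is the same heuristic re-implemented in Python so it can be run offline against a saved page: it looks for five or more back-to-back escape sequences of the three forms the filter matches (octal \ooo limited to 000-377, %xx or \xhh, %uhhhh or \uhhhh) inside each script element, skips elements longer than the filter's 32767-byte Limit, and drops flagged scripts while leaving the rest of the page intact. The sample page, the threshold constant and the case-insensitive hex matching are assumptions made here.

```python
import re

# Escape forms the filter above counts (constructed regex, not the forum's own code):
#   \ooo      1-3 octal digits whose value is 000-377 (the filter's [#000:377])
#   %xx, \xhh   two hex digits
#   %uhhhh, \uhhhh   four hex digits
ESCAPE = (
    r"\\(?:[0-3][0-7]{2}|[0-7]{1,2})"   # \ooo with value <= 0377
    r"|(?:%|\\x)[0-9a-fA-F]{2}"         # %xx or \xhh
    r"|(?:%|\\)u[0-9a-fA-F]{4}"         # %uhhhh or \uhhhh
)
ESCAPE_RE = re.compile(ESCAPE)
RUN_RE = re.compile(rf"(?:{ESCAPE})+")          # one or more escapes back to back
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script[^>]*>", re.IGNORECASE | re.DOTALL)
THRESHOLD = 5      # the filter's +{5,*}: five or more consecutive escapes
LIMIT = 32767      # the filter's Limit: longer script elements are left alone


def longest_escape_run(text):
    """Number of escape sequences in the longest back-to-back run in text (0 if none)."""
    return max((len(ESCAPE_RE.findall(m.group(0))) for m in RUN_RE.finditer(text)),
               default=0)


def is_obfuscated(script_element):
    """Mirror the filter's decision for one complete <script>...</script> element."""
    if len(script_element) > LIMIT:
        return False
    return longest_escape_run(script_element) >= THRESHOLD


def strip_obfuscated_scripts(html):
    """Remove only the flagged script elements, as the filter does, and keep the page loading."""
    def repl(m):
        if is_obfuscated(m.group(0)):
            return "<!-- script with obfuscated code removed -->"
        return m.group(0)
    return SCRIPT_RE.sub(repl, html)


# Constructed sample page: one benign script and one that unpacks a percent-encoded payload.
SAMPLE = """<html><body>
<script>var greeting = "hi\\n"; document.write(greeting);</script>
<script>document.write(unescape("%3Cdiv%3E%48%65%6C%6C%6F"));</script>
</body></html>"""

if __name__ == "__main__":
    print(strip_obfuscated_scripts(SAMPLE))
```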