GootLoaderAutoJsDecode passing directory as parameter?
Hello,
First of all, thanks for sharing this tool!
I would like to ask if there is any way to execute "GootLoaderAutoJsDecode.py" but, instead of passing a particular file like "evil.js" as the parameter, giving it a directory with multiple files like "/path/to/evilsamples" to try bulk deobfuscation?
Something like that:
Thanks in advance.
Regards.
That might be something I can add later on. For now you can replace line 485-end with this and it will print them all to console.
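```python
import os

# Treat the argument as a directory and decode every file inside it
directory = os.fsencode(args.jsFilePath)
for fileName in os.listdir(directory):
    filePath = os.path.join(directory, fileName)
    # Reset the GootLoader 3 flag before each sample
    goot3detected = False
    gootDecode(filePath)
    if goot3detected:
        # Decode the second stage written by the first pass
        gootDecode('GootLoader3Stage2.js_')
```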
Might not be perfect since DecodedJsPayload.js_, FileAndTaskData.txt, and GootLoader3Stage2.js_ will get constantly overwritten, but you'll at least get the C2.
Thanks for the feedback! I will be testing that :)
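An added example, not part of the thread or of the project's code: a wrapper that runs the decoder once per sample, each in its own working directory, so the three output files named in the reply above are kept per sample instead of being overwritten. It assumes the decoder takes the sample path as its last argument and writes its output files relative to the current working directory; `decode_directory`, `decoder_cmd` and `console.txt` are hypothetical names.

```python
import subprocess
import sys
from pathlib import Path

# Output files the reply above says are overwritten on every run.
OUTPUT_NAMES = ("DecodedJsPayload.js_", "FileAndTaskData.txt", "GootLoader3Stage2.js_")


def decode_directory(sample_dir, out_root, decoder_cmd, timeout=120):
    """Run decoder_cmd once per file in sample_dir, each in its own output folder.

    decoder_cmd is the command prefix, for example
    [sys.executable, "/abs/path/GootLoaderAutoJsDecode.py"]; the sample path is
    appended as the last argument (assumption: same as the single-file usage).
    Returns {sample name: {"returncode": int, "outputs": [file names written]}}.
    """
    sample_dir, out_root = Path(sample_dir).resolve(), Path(out_root).resolve()
    results = {}
    for sample in sorted(p for p in sample_dir.iterdir() if p.is_file()):
        work = out_root / sample.name
        work.mkdir(parents=True, exist_ok=True)
        try:
            # cwd=work: relative output files land in the per-sample folder
            # (assumption: the decoder writes them to the working directory).
            proc = subprocess.run([*decoder_cmd, str(sample)], cwd=work,
                                  capture_output=True, encoding="utf-8",
                                  errors="replace", timeout=timeout)
            code, log = proc.returncode, proc.stdout + proc.stderr
        except subprocess.TimeoutExpired:
            code, log = -1, "timed out"
        # Keep the console output (where the C2 is printed) next to the files.
        (work / "console.txt").write_text(log, encoding="utf-8")
        results[sample.name] = {
            "returncode": code,
            "outputs": [n for n in OUTPUT_NAMES if (work / n).exists()],
        }
    return results


if __name__ == "__main__":
    # usage: python batch_decode.py /path/GootLoaderAutoJsDecode.py samples/ out/
    script, samples, out = sys.argv[1:4]
    cmd = [sys.executable, str(Path(script).resolve())]
    for name, info in decode_directory(samples, out, cmd).items():
        print(name, info)
```

A sample that makes the decoder crash or hang is recorded with a non-zero `returncode` and does not stop the rest of the batch.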