the javascript runtime ( JSRT ) project

• javascript runtime for windows , based on chakra
• author: TinySec( @TinySecEx )
• JSRT is friend for binary hacker , special for windows.
• this version is a public new version , feel free to open issue.
• always download the latest version.

DOCUMENTS

https://github.com/tinysec/jsrt/wiki

host type

notice that , all other dll files under i386/amd64 is just optional

just compatible to my first version.

native support feature

• real native multi-thread support
• 64-bit number
• Buffer
• host full memory access , and support both GC and manual memory manager.
• c-like printf and sprintf
• ffi , support some windows type , full windows api access
• serialize and unserialize
• re-entry support for windbg and ida mode
• portable from windows xp ~ windows 10 rs2
• small dist.
• anything you want for binary hack.

todolist

• firefox style ctypes
• c-style struct and union handle
• kernel support
• more documents.

usage

Usage: js [options] [--eval script or script.js] [arguments]

Options: 
 --version	show version
 --verbose	verbose mode
 --help		show help
 --eval		eval mode


Environment: 
JSRT_SYSTEM_MODULE_PATH		system jsrt module search path
JSRT_MODULE_PATH		common jsrt module search path
JSRT_IDA_MODULE_PATH		jsrt-ida module search path
JSRT_WINDBG_MODULE_PATH		jsrt-windbg module search path


more info is at https://github.com/tinysec/jsrt

xp ~ win10 rs2 support

real multi thread support

visual studio debug support( need windows 10 )

example

enum windows

const ffi = require("ffi");

const printf = require("cprintf").printf;
const sprintf = require("cprintf").sprintf;
const KdPrint = require("cprintf").KdPrint;

var hUser32 = ffi.loadLibrary( "user32.dll" );
var fnEnumWindows = ffi.bindModule( hUser32 ,  "BOOL WINAPI EnumWindows(_In_ void* lpEnumFunc,_In_ LPARAM      lParam); "  );
var fnGetClassNameA = ffi.bindModule( hUser32 ,  "int WINAPI GetClassNameA(_In_  HWND   hWnd,_Out_ LPTSTR lpClassName,_In_  int    nMaxCount);"  );

// BOOL CALLBACK EnumWindowsProc(_In_ HWND   hwnd,_In_ LPARAM lParam);
function enumRoutine( hWnd , lParam )
{
	var lpClassNameA = Buffer.alloc( 250 ).fill( 0 );

	var nRet = 0;
	
	nRet = fnGetClassNameA( hWnd , lpClassNameA , 250 );
	
	printf("0x%p -> %s|\n" , hWnd  , lpClassNameA.toString() );
	
	lpClassNameA.free();

	return true;
}

function main(  )
{
	var lpEnumFunc = ffi.thunk( enumRoutine , "BOOL CALLBACK EnumWindowsProc(_In_ HWND   hwnd,_In_ LPARAM lParam);"   );

	fnEnumWindows( lpEnumFunc  , 0 );

	lpEnumFunc.free();
	
	return 0;
}

if ( !module.parent )
{
	main();
}

and you will got

0x0001014A -> ForegroundStaging|
0x00010176 -> ForegroundStaging|
0x000100FC -> tooltips_class32|
0x00010100 -> tooltips_class32|
0x002F0A7E -> Net UI Tool Window|
0x01840922 -> Net UI Tool Window|
0x02A50EF4 -> tooltips_class32|
0x016D0E1A -> UIRibbonStdCompMgr|
0x02A00DCC -> tooltips_class32|
0x010C0DA4 -> tooltips_class32|
0x00890D2E -> tooltips_class32|
0x0001041A -> Chrome_SystemMessageWindow|
0x00010414 -> Base_PowerMessageWindow|
0x00010180 -> IME|
0x00010148 -> IME|
0x0001011C -> IME|
0x02630B5A -> IME|
0x015A074C -> IME|
..........

history

JSRT project had two version ,

• the pre-version is self use , not-published , it was written between 2015-07 ~ 2016-09
• the current version is going to public release , support some compatible to other bindings.

the pre-version is used for kernel fuzz ( self use , not-published)

javascript kernel fuzz