Add support for augmented proxied array function replacements (#3)

* Add detector for augmented proxied array function replacements

* Add sample for testing

* Refactor imports do be dynamic with less repetition;
Add new augmentedProxiedArrayFunctionReplacements detector;

* Update dependencies

* 1.1.0

Author: BenBaryoPX

package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "obfuscation-detector",
-  "version": "1.0.3",
+  "version": "1.1.0",
   "description": "Javascript obfuscation detector",
   "main": "src/index.js",
   "directories": {

package.json

@@ -0,0 +1,31 @@
+const obfuscationName = 'augmented_proxied_array_function_replacements';
+
+/**
+ * Augmented Proxied Array-Function Replacements obfuscation type has the following characteristics:
+ * - Has at least 3 root nodes - the last one containing the actual obfuscated code and the rest are obfuscation code.
+ * - Has a function that assigns an array full of strings to itself, and then returns itself.
+ * - Has an anonymous IIFE that is called with the array function as one of its arguments.
+ * @param {ASTNode[]} flatTree
+ * @return {string} The obfuscation name if detected; empty string otherwise.
+ */
+function detectAugmentedProxiedArrayFunctionReplacements(flatTree) {
+	const roots = flatTree.filter(n => n.parentNode?.type === 'Program');
+	if (roots.length > 3) {
+		const arrFunc = roots.find(n => n.type === 'FunctionDeclaration' &&
+			n.body?.body?.length &&
+			n.body.body.slice(-1)[0]?.argument?.callee?.name === n?.id?.name);
+		if (arrFunc) {
+			const augFunc = roots.find(n => n.type === 'ExpressionStatement' &&
+				n.expression.type === 'CallExpression' &&
+				n.expression.arguments.find(a => a?.name === arrFunc.id.name));
+			if (augFunc) {
+				return obfuscationName;
+			}
+		}
+	}
+	return '';
+}
+
+try {
+	module.exports = detectAugmentedProxiedArrayFunctionReplacements;
+} catch {}

src/detectors/augmentedProxiedArrayFunctionReplacements.js

@@ -1,11 +1,17 @@
 const {generateFlatAST} = require('flast');
-const detectCaesarPlus = require(__dirname + '/detectors/caesarp');
-const detectObfuscatorIo = require(__dirname + '/detectors/obfuscator-io');
-const detectArrayReplacements = require(__dirname + '/detectors/arrayReplacements');
-const detectArrayFunctionReplacements = require(__dirname + '/detectors/arrayFunctionReplacements');
-const detectAugmentedArrayReplacements = require(__dirname + '/detectors/augmentedArrayReplacements');
-const detectFunctionToArrayReplacemets = require(__dirname + '/detectors/functionToArrayReplacements');
-const detectAugmentedArrayFunctionReplacements = require(__dirname + '/detectors/augmentedArrayFunctionReplacements');
+
+const availableDetectors = [];
+// Dynamically import available detectors
+[
+	'arrayReplacements',
+	'functionToArrayReplacements',
+	'augmentedArrayReplacements',
+	'arrayFunctionReplacements',
+	'augmentedArrayFunctionReplacements',
+	'obfuscator-io',
+	'caesarp',
+	'augmentedProxiedArrayFunctionReplacements',
+].forEach(detName => availableDetectors.push(require(__dirname + `/detectors/${detName}`)));
 
 /**
  * @param {string} code
@@ -15,18 +21,9 @@ const detectAugmentedArrayFunctionReplacements = require(__dirname + '/detectors
  */
 function detectObfuscation(code, stopAfterFirst = true) {
 	const detectedObfuscations = [];
-	const detectors = [
-		detectArrayReplacements,
-		detectFunctionToArrayReplacemets,
-		detectAugmentedArrayReplacements,
-		detectArrayFunctionReplacements,
-		detectAugmentedArrayFunctionReplacements,
-		detectObfuscatorIo,
-		detectCaesarPlus,
-	];
 	try {
 		const tree = generateFlatAST(code);
-		for (const detection of detectors) {
+		for (const detection of availableDetectors) {
 			try {
 				const detectionType = detection(tree, detectedObfuscations);
 				if (detectionType) detectedObfuscations.push(detectionType);