Hello,
First of all, thanks for sharing this tool!
I would like to ask if there is any way to execute "GootLoaderAutoJsDecode.py" so that, instead of passing a particular file like "evil.js" as a parameter, I give it a directory with multiple files like "/path/to/evilsamples" to try bulk deobfuscation?
Something like that:
Thanks in advance.
Regards.
That might be something I can add later on. For now you can replace lines 485-end with this and it will print them all to console.

```python
import os

# Treat args.jsFilePath as a directory and decode every file in it.
directory = os.fsencode(args.jsFilePath)
for fileName in os.listdir(directory):
    filePath = os.path.join(directory, fileName)
    # Reset the GootLoader 3 flag before each sample.
    goot3detected = False
    gootDecode(filePath)
    if goot3detected:
        # Second pass over the stage-2 file written by the first pass.
        gootDecode('GootLoader3Stage2.js_')
```

Might not be perfect since DecodedJsPayload.js_, FileAndTaskData.txt, and GootLoader3Stage2.js_ will get constantly overwritten, but you'll at least get the C2.
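A batch wrapper that avoids the overwriting mentioned above, as an added example (not code from the project or its maintainer): it runs the unmodified decoder once per sample in a fresh working directory and files the outputs and console text under the sample's name. It assumes the decoder takes the sample path as its only positional argument and writes its output files to the current working directory; `decode_directory` and the `console.txt` name are hypothetical.

```python
import shutil
import subprocess
import sys
from pathlib import Path

# Output names from the comment above; the decoder rewrites them on every run.
OUTPUTS = ("DecodedJsPayload.js_", "FileAndTaskData.txt", "GootLoader3Stage2.js_")


def decode_directory(samples_dir, results_dir, decoder="GootLoaderAutoJsDecode.py"):
    """Decode every file in samples_dir, keeping each sample's outputs separate.

    Assumption: the decoder takes the sample path as its only positional
    argument and writes its outputs into the current working directory.
    Returns {sample name: list of output files saved for that sample}.
    """
    decoder = Path(decoder).resolve()
    results_dir = Path(results_dir).resolve()
    saved = {}
    for sample in sorted(Path(samples_dir).resolve().iterdir()):
        if not sample.is_file():
            continue  # skip sub-directories
        out_dir = results_dir / sample.name
        scratch = out_dir / "_work"
        scratch.mkdir(parents=True, exist_ok=True)
        # A fresh working directory per sample means a failed decode cannot
        # leave an earlier sample's output behind to be misattributed.
        proc = subprocess.run(
            [sys.executable, str(decoder), str(sample)],
            cwd=scratch, capture_output=True, text=True,
        )
        # Keep the console text too: that is where the C2 list is printed.
        (out_dir / "console.txt").write_text(proc.stdout + proc.stderr)
        saved[sample.name] = []
        for name in OUTPUTS:
            if (scratch / name).exists():
                shutil.move(str(scratch / name), str(out_dir / name))
                saved[sample.name].append(name)
        shutil.rmtree(scratch)
    return saved


if __name__ == "__main__":
    # Usage: python batch_decode.py /path/to/evilsamples /path/to/results
    for sample_name, files in decode_directory(sys.argv[1], sys.argv[2]).items():
        print(sample_name, files)
```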
Thanks for the feedback! I will be testing that :)