Evasion techniques allow malicious code to never be observed. This significantly impacts the detection capabilities of tools that rely on either dynamic or static analysis, since they never get to process the malicious code. The dynamic nature of JavaScript, where code is often injected dynamically, makes evasions particularly effective. Yet we lack tools that can detect evasive techniques in a challenging environment such as JavaScript. In this paper, we present FV8, a modified V8 JavaScript engine designed to identify evasion techniques in JavaScript code. FV8 selectively enforces code execution on APIs that conditionally inject dynamic code, thus enhancing code coverage and consequently improving visibility into malicious code. We integrate our tool in both the Node.js engine and the Chromium browser, compelling code execution in npm packages and Chrome browser extensions. Our tool increases code coverage by 11% compared to default V8 and detects 28 unique evasion categories, including five previously unreported techniques. In data confirmed as malicious from both ecosystems, our tool identifies 1,443 (14.6%) npm packages and 164 (82%) extensions containing at least one type of evasion. In previously unexamined extensions (39,592), our tool discovered 16,471 injected third-party scripts and a total of 8,732,120 lines of code executed due to our forced execution instrumentation. Furthermore, it tagged a total of 423 extensions as both evasive and malicious, and we manually verify 110 of these extensions (26%) to actually be malicious, impacting two million users. Our tool is open-source and serves both as an in-browser and standalone dynamic analysis tool, capable of detecting evasive code, bypassing obfuscation in certain cases, offering improved access to malicious code, and supporting recursive analysis of dynamic code injections.