# VBS-JS Polyglot

While messing around with some JavaScript and VBS samples, I stumbled across cscript's help page. Looking at the output, one of the arguments looked very interesting to me: the "//E" option.

<figure><img src="/files/goZI229F9w6UIeZ3eYZx" alt=""><figcaption></figcaption></figure>

When cscript or wscript is run, it normally parses the file name to determine which engine to run the file with, for example .js for JavaScript or .vbs for Visual Basic. With the "//E" option, however, this step can be skipped and the scripting engine can be passed as an argument.

<div><figure><img src="/files/Gb5Rze1orCMbzMAF21w0" alt=""><figcaption></figcaption></figure> <figure><img src="/files/A9wCgIsahmSmyHLBWFzO" alt=""><figcaption></figcaption></figure></div>

This in itself could be very useful for bypassing command line detections looking for a specific extension, but another layer can be added to the script to further extend this technique. By abusing the way JavaScript and VBS handle comments, we can create a sort of polyglot, allowing the file to be executed with the JavaScript engine or the VBS engine.

<figure><img src="/files/8p2ALCRQCJcUDovLpmh8" alt=""><figcaption></figcaption></figure>

As you can see, the sample's behavior differs between being run with the JavaScript engine and with the VBS engine. Some ideas that I've had that could use this technique are: a sample that changes what payload is executed based on what engine it is run with, or a sample that can modify itself at execution and change languages at runtime. I created a sample that starts by running in VBS, searches for the JavaScript comment strings, XORs all the bytes in the string with 0x1, replaces them, then executes the next stage, which executes calc.exe while deleting itself and its parent.

<div><figure><img src="/files/zLVz8JvipRlmunLueTUl" alt=""><figcaption></figcaption></figure> <figure><img src="/files/IC2xA3ftTVFTCZdkzQrD" alt=""><figcaption></figcaption></figure></div>

While it's not the most elegant sample, it's sufficient for a proof of concept.
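
Since "//E" defeats detections keyed on the script's extension, the defender-side check is to look at the engine named on the command line instead. The following is an added example, not code from the original post: it parses process command lines and flags cscript/wscript runs where the forced engine disagrees with the file extension. The sample command lines, paths and function names are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

HOSTS = {"cscript", "cscript.exe", "wscript", "wscript.exe"}
# Extension each engine is normally chosen for when no //E: override is given.
DEFAULT_EXT = {"jscript": ".js", "vbscript": ".vbs"}

# Constructed sample process command lines (not taken from the post).
SAMPLES = [
    r'cscript.exe //nologo C:\Users\demo\report.js',
    r'"C:\Windows\System32\cscript.exe" //E:JScript "C:\Users\demo\notes.txt"',
    r'wscript.exe //e:vbscript C:\Users\demo\update.js',
    r'cscript //E:VBScript C:\Scripts\inventory.vbs',
    r'powershell.exe -File C:\Scripts\a.ps1',
]

def analyze(cmdline):
    """Return engine-override details for a cscript/wscript command line, else None."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    if not tokens or PureWindowsPath(tokens[0]).name.lower() not in HOSTS:
        return None
    engine = script = None
    for tok in tokens[1:]:
        if tok.startswith("//"):              # host options use a double slash
            m = re.fullmatch(r"//e:(.+)", tok, re.IGNORECASE)
            if m:
                engine = m.group(1).lower()
        elif script is None:                  # first non-option token is the script
            script = tok
    if engine is None:
        return None                           # engine chosen from the file name as usual
    ext = PureWindowsPath(script).suffix.lower() if script else ""
    return {"engine": engine, "script": script, "ext": ext,
            "mismatch": DEFAULT_EXT.get(engine) != ext}

def triage(lines):
    """Keep only command lines where the forced engine disagrees with the extension."""
    return [(line, hit) for line in lines if (hit := analyze(line)) and hit["mismatch"]]

if __name__ == "__main__":
    for line, hit in triage(SAMPLES):
        print(f'{hit["engine"]:9} {hit["ext"]:5} {line}')
```

An engine name that is not in `DEFAULT_EXT` is treated as a mismatch, so unfamiliar overrides surface for review rather than passing silently.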

