script to read the Registry in Win32?

Discussion in 'Javascript' started by George Hester, Jul 5, 2004.

  1. This location has a parasite checker using javascript. It is in a js file called parasite.js. It is freely available.

    http://www.doxdesk.com/parasite/

    He\She is the only one I trust on the Net who has such a thing. But their js I believe cannot detect
    coolwebsearch parasites which are the most common such parasites on the Net today.

    So I'd like to incorporate a check for those parasites in the js.

    Any suggestions on how this can be done?

    There is also the Netsky parasite variants. I believe this site suggests how they may be found inspecting the
    registry:

    http://www.us-cert.gov/cas/techalerts/TA04-028A.html

    If I could read the registry value of this location:

    [HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]

    and pull out the value there for the (default) key I could determine if Netsky is likely installed on that user's machine.
    So can we read the registry using JavaScript say in this case too? Thanks.

    --
    George Hester
    __________________________________
    George Hester, Jul 5, 2004
    #1

  2. "George Hester" <> wrote:

    >This location has a parasite checker using javascript. It is in a js file called parasite.js. It is freely available.
    >
    >http://www.doxdesk.com/parasite/
    >
    >He\She is the only one I trust on the Net who has such a thing. But their js I believe cannot detect
    >coolwebsearch parasites which are the most common such parasites on the Net today.
    >
    >So I'd like to incorporate a check for those parasites in the js.
    >
    >Any suggestions on how this can be done?
    >
    >There is also the Netsky parasite variants. I believe this site suggests how they may be found inspecting the
    >registry:
    >
    >http://www.us-cert.gov/cas/techalerts/TA04-028A.html
    >
    >If I could read the registry value of this location:
    >
    >[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
    >
    >and pull out the value there for the (default) key I could determine if Netsky is likely installed on that user's machine.
    >So can we read the registry using JavaScript say in this case too? Thanks.


    Use the System Registry Provider for WMI to access the registry
    <URL: http://msdn.microsoft.com/library/en-us/wmisdk/wmi/modifying_the_system_registry.asp />

    Regards,
    Steve
    Steve van Dongen, Jul 6, 2004
    #2
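
The reply above names the WMI System Registry Provider (StdRegProv) without showing a call. As an added example, not code from any poster in this thread, this JScript reads the (default) value of the key from the question under Windows Script Host on the local machine, not from a web page. The function names, the caller-supplied baseline and the script name check.js are assumptions of the example.

```javascript
var HKEY_CLASSES_ROOT = 0x80000000;   // StdRegProv hDefKey constant for HKCR

// Connect to the WMI System Registry Provider on the local machine.
function connectStdRegProv() {
    var locator = new ActiveXObject("WbemScripting.SWbemLocator");
    return locator.ConnectServer(".", "root\\default").Get("StdRegProv");
}

// Read the (default) value of a key. JScript cannot receive WMI out-parameters
// by reference, so the call goes through ExecMethod_ with an in-parameter object.
// GetStringValue is the REG_SZ reader; GetExpandedStringValue is the
// StdRegProv method for REG_EXPAND_SZ data.
function readDefaultValue(reg, hive, subKey) {
    var method = reg.Methods_.Item("GetStringValue");
    var input = method.InParameters.SpawnInstance_();
    input.hDefKey = hive;
    input.sSubKeyName = subKey;
    input.sValueName = "";            // empty name selects the (default) value
    var out = reg.ExecMethod_(method.Name, input);
    if (out.ReturnValue !== 0 || out.sValue == null) { return null; }
    return String(out.sValue);
}

// Compare the registered in-process server with a baseline taken from a
// known-clean machine. The caller supplies it; none is hard-coded here.
function checkInprocServer(reg, clsid, baseline) {
    var key = "CLSID\\" + clsid + "\\InProcServer32";
    var value = readDefaultValue(reg, HKEY_CLASSES_ROOT, key);
    if (value === null) { return { status: "missing", value: null }; }
    var same = value.toLowerCase() === baseline.toLowerCase();
    return { status: same ? "match" : "mismatch", value: value };
}

// Runs only under Windows Script Host:
//   cscript //nologo check.js "<baseline path from a clean machine>"
if (typeof WScript !== "undefined" && WScript.Arguments.length === 1) {
    var r = checkInprocServer(connectStdRegProv(),
        "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}", WScript.Arguments.Item(0));
    WScript.Echo(r.status + ": " + r.value);
}
```

A "mismatch" result only says the value differs from the baseline; what the altered value points to still has to be inspected on the machine.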

  3. OK I will look at that. Did I misunderstand that the js file that I provided the link to at the top of the op was reading the registry? Thanks.

    --
    George Hester
    __________________________________
    "Steve van Dongen" <> wrote in message news:...
    > "George Hester" <> wrote:
    >
    > >This location has a parasite checker using javascript. It is in a js file called parasite.js. It is freely available.
    > >
    > >http://www.doxdesk.com/parasite/
    > >
    > >He\She is the only one I trust on the Net who has such a thing. But their js I believe cannot detect
    > >coolwebsearch parasites which are the most common such parasites on the Net today.
    > >
    > >So I'd like to incorporate a check for those parasites in the js.
    > >
    > >Any suggestions on how this can be done?
    > >
    > >There is also the Netsky parasite variants. I believe this site suggests how they may be found inspecting the
    > >registry:
    > >
    > >http://www.us-cert.gov/cas/techalerts/TA04-028A.html
    > >
    > >If I could read the registry value of this location:
    > >
    > >[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
    > >
    > >and pull out the value there for the (default) key I could determine if Netsky is likely installed on that user's machine.
    > >So can we read the registry using JavaScript say in this case too? Thanks.

    >
    > Use the System Registry Provider for WMI to access the registry
    > <URL:
    > http://msdn.microsoft.com/library/en-us/wmisdk/wmi/modifying_the_system_registry.asp
    > />
    >
    > Regards,
    > Steve
    George Hester, Jul 8, 2004
    #3
  4. George Hester wrote:

    > OK I will look at that. Did I misunderstand that the js
    > file that I provided the link to at the top of the op
    > was reading the registry? Thanks.


    www.doxdesk.com could not be found. Please check the name and try again
    is what it tells me.



    --
    Randy
    Chance Favors The Prepared Mind
    comp.lang.javascript FAQ - http://jibbering.com/faq/
    Randy Webb, Jul 8, 2004
    #4
  5. George Hester wrote:

    > OK I will look at that. Did I misunderstand that the js file that I provided the link to at the top of the op was reading the registry? Thanks.
    >
    > --
    > George Hester


    Javascript loaded into the user agent in the default security environment can not read the Registry. Full stop. Do not pass go. Do not collect $200.



    That site (<url: http://www.doxdesk.com/parasite/ />) "checks the Registry" by attempting to construct <object> tags using classid="" attribute
    values of known malware. It calls "new ActiveXObject()" when it does not have a CLSID for the malware control.

    It then checks the state of those generated <object> tags and constructed ActiveXObjects() to determine if they were successfully created.

    I can duplicate the "trick" and "read your Registry" to tell you if you have the Adobe Acrobat ActiveX object installed too:

    <script type="text/javascript">
    testForAdobeAcrobat();

    function testForAdobeAcrobat() {
        // Write an <object> tag whose classid is the control's CLSID.
        document.write(
            '<object id="A"' +
            ' classid="CLSID:CA8A9780-280D-11CF-A24D-444553540000">' +
            '</object>'
        );
        // document.all is IE-specific; a non-zero readyState is taken to mean
        // the control was created, i.e. it is registered on this machine.
        var a = document.all['A'];
        if (a && a.readyState != 0) {
            alert('Your Registry was read and you have the Adobe Acrobat ActiveX control installed.');
        } else {
            alert('Your Registry was read and you do not have the Adobe Acrobat ActiveX control installed.');
        }
    }
    </script>

    --
    Grant Wagner <>
    comp.lang.javascript FAQ - http://jibbering.com/faq
    Grant Wagner, Jul 8, 2004
    #5
  6. Wow works OK here:

    http://www.doxdesk.com/parasite/

    Remember it loads a js file, 2 in fact. One is called parasite.js; this is the link for that:

    http://www.doxdesk.com/file/software/js/parasite.js

    and another called report.js which is here:

    http://www.doxdesk.com/script/report.js

    If you do a whois search you ought to find it is a legitimate site.
    Maybe it was just down when you tried.

    --
    George Hester
    __________________________________
    "Randy Webb" <> wrote in message news:...
    > George Hester wrote:
    >
    > > OK I will look at that. Did I misunderstand that the js
    > > file that I provided the link to at the top of the op
    > > was reading the registry? Thanks.

    >
    > www.doxdesk.com could not be found. Please check the name and try again
    > is what it tells me.
    >
    >
    >
    > --
    > Randy
    > Chance Favors The Prepared Mind
    > comp.lang.javascript FAQ - http://jibbering.com/faq/
    George Hester, Jul 9, 2004
    #6
  7. Ah thanks Grant.

    --
    George Hester
    __________________________________
    "Grant Wagner" <> wrote in message news:...
    > George Hester wrote:
    >
    > > OK I will look at that. Did I misunderstand that the js file that I provided the link to at the top of the op was reading the registry? Thanks.
    > >
    > > --
    > > George Hester

    >
    > Javascript loaded into the user agent in the default security environment can not read the Registry. Full stop. Do not pass go. Do not collect $200.
    >
    >
    >
    > That site (<url: http://www.doxdesk.com/parasite/ />) "checks the Registry" by attempting to construct <object> tags using classid="" attribute
    > values of known malware. It calls "new ActiveXObject()" when it does not have a CLSID for the malware control.
    >
    > It then checks the state of those generated <object> tags and constructed ActiveXObjects() to determine if they were successfully created.
    >
    > I can duplicate the "trick" and "read your Registry" to tell you if you have the Adobe Acrobat ActiveX object installed too:
    >
    > <script type="text/javascript">
    > testForAdobeAcrobat();
    > function testForAdobeAcrobat() {
    > document.write(
    > '<object id="A"' +
    > ' classid="CLSID:CA8A9780-280D-11CF-A24D-444553540000">' +
    > '</object>'
    > );
    > var a = document.all['A'];
    > if (a && a.readyState != 0) {
    > alert('Your Registry was read and you have the Adobe Acrobat ActiveX control installed.');
    > } else {
    > alert('Your Registry was read and you do not have the Adobe Acrobat ActiveX control installed.');
    > }
    > }
    > </script>
    >
    > --
    > Grant Wagner <>
    > comp.lang.javascript FAQ - http://jibbering.com/faq
    >
    >
    George Hester, Jul 9, 2004
    #7