script to read the Registry in Win32?

George Hester

This location has a parasite checker using javascript. It is in a js file called parasite.js. It is freely available.

http://www.doxdesk.com/parasite/

He/She is the only one I trust on the Net who has such a thing. But their js I believe cannot detect
coolwebsearch parasites which are the most common such parasites on the Net today.

So I'd like to incorporate a check for those parasites in the js.

Any suggestions on how this can be done?

There are also the Netsky parasite variants. I believe this site suggests how they may be found inspecting the
registry:

http://www.us-cert.gov/cas/techalerts/TA04-028A.html

If I could read the registry value of this location:

[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]

and pull out the value there for the (default) key I could determine if Netsky is likely installed on that user's machine.
So can we read the registry using JavaScript say in this case too? Thanks.
 
Steve van Dongen

Use the System Registry Provider for WMI to access the registry
<URL: http://msdn.microsoft.com/library/en-us/wmisdk/wmi/modifying_the_system_registry.asp />

Regards,
Steve
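
Added example, not part of the post above or of the linked documentation: a local PowerShell script that reads the (default) value of the InProcServer32 key from the question through the WMI StdRegProv class and compares it with a path the caller supplies. The function names and the `-ExpectedPath` parameter are hypothetical, and the expected path is a placeholder to be taken from the advisory or from a known-clean machine.

```powershell
# Added example: read a COM InProcServer32 (default) value via WMI StdRegProv.
function Get-InprocServerDefault {
    param([Parameter(Mandatory)] [string] $Clsid)   # e.g. '{xxxxxxxx-....}'

    $cimArgs = @{
        hDefKey     = [uint32]2147483648            # 0x80000000 = HKEY_CLASSES_ROOT
        sSubKeyName = "CLSID\$Clsid\InProcServer32"
        sValueName  = ''                            # empty name selects (default)
    }
    # The value may be REG_SZ or REG_EXPAND_SZ, so try both string getters.
    foreach ($method in 'GetStringValue', 'GetExpandedStringValue') {
        $r = Invoke-CimMethod -Namespace 'root/default' -ClassName 'StdRegProv' `
                              -MethodName $method -Arguments $cimArgs
        if ($r.ReturnValue -eq 0 -and $r.sValue) { return $r.sValue }
    }
    return $null                                    # key/value missing or not readable
}

function Test-InprocServerDefault {
    param(
        [Parameter(Mandatory)] [string] $Clsid,
        [Parameter(Mandatory)] [string] $ExpectedPath   # hypothetical parameter
    )
    $value = Get-InprocServerDefault -Clsid $Clsid
    if (-not $value) {
        return [pscustomobject]@{ Clsid = $Clsid; Value = $null; Status = 'Missing' }
    }
    # Expand %SystemRoot% and similar so both sides compare as full paths.
    $actual   = [Environment]::ExpandEnvironmentVariables($value)
    $expected = [Environment]::ExpandEnvironmentVariables($ExpectedPath)
    $status   = if ($actual -ieq $expected) { 'Expected' } else { 'Unexpected' }
    [pscustomobject]@{ Clsid = $Clsid; Value = $actual; Status = $status }
}

# CLSID from the question above; the expected path is a placeholder.
Test-InprocServerDefault -Clsid '{E6FB5E20-DE35-11CF-9C87-00AA005127ED}' `
                         -ExpectedPath '<expected-path-from-advisory>'
```

A `Status` of `Unexpected` or `Missing` is a reason to inspect the machine further, not proof of infection on its own.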
 
George Hester

OK I will look at that. Did I misunderstand that the js file that I provided the link to at the top of the op was reading the registry? Thanks.

--
George Hester
 
Randy Webb

George said:
OK I will look at that. Did I misunderstand that the js
file that I provided the link to at the top of the op
was reading the registry? Thanks.

www.doxdesk.com could not be found. Please check the name and try again
is what it tells me.
 
Grant Wagner

George said:
OK I will look at that. Did I misunderstand that the js file that I provided the link to at the top of the op was reading the registry? Thanks.

Javascript loaded into the user agent in the default security environment cannot read the Registry. Full stop. Do not pass go. Do not collect $200.

That site (<url: http://www.doxdesk.com/parasite/ />) "checks the Registry" by attempting to construct <object> tags using classid="" attribute
values of known malware. It calls "new ActiveXObject()" when it does not have a CLSID for the malware control.

It then checks the state of those generated <object> tags and constructed ActiveXObjects() to determine if they were successfully created.

I can duplicate the "trick" and "read your Registry" to tell you if you have the Adobe Acrobat ActiveX object installed too:

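<script type="text/javascript">
testForAdobeAcrobat();

function testForAdobeAcrobat() {
  // Write an <object> element for the control's CLSID; Internet Explorer
  // resolves the classid and tries to create the control.
  document.write(
    '<object id="A"' +
    ' classid="CLSID:CA8A9780-280D-11CF-A24D-444553540000">' +
    '</object>'
  );
  // document.all is Internet Explorer's collection of page elements.
  var a = document.all['A'];
  // A readyState other than 0 is taken to mean the object was created.
  if (a && a.readyState != 0) {
    alert('Your Registry was read and you have the Adobe Acrobat ActiveX control installed.');
  } else {
    alert('Your Registry was read and you do not have the Adobe Acrobat ActiveX control installed.');
  }
}
</script>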
 
George Hester

Ah thanks Grant.

--
George Hester