Script Tool (Universal Simple String Detection)

 

The Script Tool comprises two parts: a simple string-searching application, SCRIPT.EXE, and the INI file containing the search strings. It must be emphasized that SCRIPT.EXE knows nothing of VBScript or JavaScript commands, ActiveX controls or anything else for that matter, other than the structure of the INI file and how to search for strings. We must build the ‘intelligence’ into the contents of the INI file; the tool can then be applied to a very broad range of string-searching tasks.

 

A few example applications include detection of:

 

- Hyperlinks in HTML (Text Analysis detects the viewable text)
- Embedded objects in RTF
- Attempts to write to the file system or the registry
- Calls to MAPI or the Outlook Address Book
- Use of COM to interact with Microsoft Office applications
- Exploitable ActiveX controls
- Malformed HTML tags and attempts at obfuscation
- Detection of known constant values in ContentIDs of mail headers

 

to name just a few of the possibilities. Where the unexpected crops up, for example RFC non-compliance, as with Sircam, or maliciously malformed mail constructs, the tool may prove a godsend, because of its simplicity and versatility, as a means of tackling new problems in innovative and generic ways.

 

How does it work?

 

SCRIPT.EXE can be called from an Executable Scenario. The search strings are stored in SCRIPT.INI, which has a two-tier structure. At the top level is the MAIN section, containing any number of values for the first string to be searched for. Any number of second-level sections may contain values for a second string to be matched. If any one string from the MAIN section is found AND any string from any of the second-level sections is also found, SCRIPT.EXE returns a True (1) value. That is to say, it has detected the combination of those two strings and therefore found whatever condition that combination is intended to represent.
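The two-tier match described above, sketched in Python as an added example (this is not the SCRIPT.EXE source or a real SCRIPT.INI). The key names, the second-level section names, the sample strings and the case-insensitive comparison are assumptions; the page specifies only a MAIN section plus any number of second-level sections.

```python
import configparser

# Constructed sample INI. Only the [MAIN] section name comes from the page;
# key names, the other section names and all strings are assumptions.
SAMPLE_INI = """
[MAIN]
1 = <script
2 = <object

[FILESYSTEM]
1 = Scripting.FileSystemObject
2 = OpenTextFile

[MAIL]
1 = Outlook.Application
2 = MAPI.Session
"""


def load_rules(ini_text):
    """Return (main_strings, {section_name: strings}) from the INI text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep keys exactly as written
    cp.read_string(ini_text)
    main = [v for v in cp["MAIN"].values() if v]
    second = {name: [v for v in cp[name].values() if v]
              for name in cp.sections() if name != "MAIN"}
    return main, second


def scan(text, main, second):
    """Return (result, main_hit, section, second_hit).

    result is 1 only when a MAIN string AND a string from any second-level
    section both occur in the text; a hit on one tier alone returns 0.
    """
    haystack = text.lower()  # case-insensitive matching is an assumption
    main_hit = next((s for s in main if s.lower() in haystack), None)
    if main_hit is None:
        return 0, None, None, None
    for section, strings in second.items():
        for s in strings:
            if s.lower() in haystack:
                return 1, main_hit, section, s
    return 0, main_hit, None, None
```

Returning the matched pair alongside the 1/0 result makes it easier to see which MAIN string is too broad or which second-level string is missing when tuning the INI file.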

 
