Sla.ckers.org
Whether this is about ha.ckers.org, sla.ckers.org or some other project you are interested in or want to talk about, throw it in here to get feedback. 
Quick BHO enumeration
Posted by: rsnake
Date: April 30, 2007 10:42AM

Anyone have any clever thoughts on how to enumerate through a lot of BHOs? In looking at this list it would be good to know how to do it, but I can't think of a super clever way to hit all of them at any significant speed: http://www.castlecops.com/clsid.php?type=5

This kinda reminds me of this thread but I don't think a browser could handle several thousand of those, and it's lacking the programmatic quick-ness that I'm thinking about.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Quick BHO enumeration
Posted by: rsnake
Date: April 30, 2007 10:47AM

I found this on the web, anyone have any experience with it:

    // Each flag starts at 1 and is cleared only when the matching <object>'s
    // javascript: codebase URI runs (intended to fire when the classid
    // cannot be instantiated).
    var detectWM = 1;
    var detectWM2 = 1;
    var detectDisabled = 1;

    function detect()
    {
        document.writeln('<div id="detect" style="display: none;">');
        detectWrite('40AC4D2D-491D-11D4-AAF2-0008C75DCD2B', 'WM');
        detectWrite('D14641FA-445B-448E-9994-209F7AF15641', 'WM2');
        // Control CLSID: if its flag is never cleared, detectCheck() ignores the results.
        detectWrite('FFFFEEEE-DDDD-CCCC-BBBB-AAAA99998888', 'Disabled');
        document.writeln("</div>");
        // Give the objects time to load before reading the flags.
        window.setTimeout(detectCheck, 250);
    }

    function detectWrite(clsid, name)
    {
        document.writeln('<object classid="clsid:' + clsid + '" codebase="javascript:detect' + name + '=0;"></object>');
    }

    function detectCheck()
    {
        if (!detectDisabled)
        {
            if (detectWM) document.location = "/detect.html";
            if (detectWM2) document.location = "/detect.html";
        }
    }

    // Only run on Win32 browsers that expose window.clientInformation.
    if (window.clientInformation)
    {
        if (window.clientInformation.platform == 'Win32')
        {
            detect();
        }
    }

- RSnake
Gotta love it. http://ha.ckers.org

Re: Quick BHO enumeration
Posted by: humble
Date: July 28, 2007 12:10PM

Well - laterally-thinking - maybe you don't have to? What are you trying to do?
Perhaps this might work - assuming it takes classIDs, or assuming you can get the ProgID for the classID you're looking at


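<script language="VBScript">

    ' CreateObject raises a runtime error for an unregistered ProgID, so
    ' suppress errors to let the Else branch run instead of aborting.
    On Error Resume Next

    Dim o, s
    s = "DRM.GetLicense"
    Set o = CreateObject(s)
    If IsObject(o) Then
        MsgBox "Yes " + s
    Else
        MsgBox "No " + s
    End If

</script>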


You could also use the <img src=c:...> trick on any related files too perhaps

Re: Quick BHO enumeration
Posted by: humble
Date: July 28, 2007 12:18PM

This might be fun to add to your list too:

Step 1,
(on as many different windows PCs as you can find)
regedit -he C:\fred.reg

Step 2, (on linux)
cat fred.reg | perl -n -e 'while ($_=~/\{([^\-]+\-[^\}]+)\}(.*)/) { print "$1\n"; $_=$2; }' | uniq | sort | uniq >allclsids

FYI - I just ran all my registries and the BHO list through the clientcaps "getComponentVersion", and it detected only the dozen it's supposed to, so you're correct that some other enumeration method is needed.

Does res:// work on class IDs maybe? Where else can these things be used I wonder...

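A defender-side counterpart to the registry-export step in the post above, as an added example (not code from the thread or its participants): it decodes a regedit export, extracts only well-formed CLSIDs, and lists the ones registered as Browser Helper Objects against an allowlist. The sample export, its CLSIDs and DLL path, the allowlist, and all function names are constructed for illustration; it assumes the export is either UTF-16 with a BOM (regedit version 5 format) or ANSI (REGEDIT4).

```python
import re

# Constructed sample export; not taken from any real machine.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]
"NoExplorer"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]

[HKEY_CLASSES_ROOT\CLSID\{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}\InprocServer32]
@="C:\\Program Files\\Example\\helper.dll"

[HKEY_CLASSES_ROOT\CLSID\{99999999-8888-7777-6666-555555555555}]
@="Not a BHO {see-docs}"
"""

G = r"\{([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}"
GUID_RE = re.compile(G)
BHO_KEY_RE = re.compile(r"^\[HKEY_.*\\Explorer\\Browser Helper Objects\\" + G + r"\]$", re.I)
SERVER_KEY_RE = re.compile(r"^\[HKEY_.*\\CLSID\\" + G + r"\\InprocServer32\]$", re.I)
DEFAULT_RE = re.compile(r'^@="(.*)"$')

def decode_export(raw):
    """Decode a .reg export: UTF-16 with BOM (version 5) or ANSI (REGEDIT4)."""
    if raw.startswith(b"\xff\xfe"):
        return raw.decode("utf-16")
    return raw.decode("cp1252", errors="replace")

def all_clsids(text):
    """Every well-formed GUID in braces, upper-cased and de-duplicated."""
    return sorted({g.upper() for g in GUID_RE.findall(text)})

def bho_inventory(text, allowlist=frozenset()):
    """Map each registered BHO CLSID to its in-process DLL and allowlist status."""
    bhos, servers, current = set(), {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            current = None
            if m := BHO_KEY_RE.match(line):
                bhos.add(m.group(1).upper())
            if m := SERVER_KEY_RE.match(line):
                current = m.group(1).upper()
        elif current and (m := DEFAULT_RE.match(line)):
            servers[current] = m.group(1).replace("\\\\", "\\")  # undo .reg escaping
    return {c: {"dll": servers.get(c), "allowed": c in allowlist} for c in sorted(bhos)}
```

Entries with `allowed` set to False, or with no DLL recorded in the export, are the ones to review by hand.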
Re: Quick BHO enumeration
Posted by: humble
Date: July 29, 2007 02:10AM

With the right MIME type, a .MHT file happens to display properly in IE6/IE7 (.MHT is like an email format - lots of MIME-Encoded base64 files concatenated into one file). This (or another technique) might be able to trick IE into changing its security restrictions to a *higher* level, thus blocking the popups that we don't want to see? Anyhow - the .MHT format would allow one file to serve hundreds or even thousands of tiny HTML fragments that each get "rendered" in separate places of the main doc, which could reduce the number of popups to just 1? Worth a try if you've got time to play with this?

Re: Quick BHO enumeration
Posted by: Anonymous User
Date: July 29, 2007 04:18AM

Sounds pretty cool!

Re: Quick BHO enumeration
Posted by: humble
Date: July 29, 2007 12:02PM

Damn - sorry to keep posting to this thread over-and-over!! The Googlepack ( http://pack.google.com/intl/en-gb/pack_installer.html?hl=en-gb&gl=au ) web page seems to detect up to 10 things, and un-checks the boxes so you don't download things you've already got. That code might give clues...

Re: Quick BHO enumeration
Posted by: rsnake
Date: July 30, 2007 02:52PM

Ew, you use JS on Google. :(

Just kidding... anyway, what I wanted to do was enumerate everything on the drive and/or uniquely fingerprint the user. Ten apps is fine - I can do that now. I think I'll have better luck using the res:// trick to be honest. But it's still lacking the quickness because I have to iterate over hundreds or thousands of requests to get a "feel" for what is on the remote computer.

- RSnake
Gotta love it. http://ha.ckers.org
