Didier Stevens

Saturday 3 November 2007

Quickpost: Scanning Scripts

Filed under: Quickpost — Didier Stevens @ 10:32

After reading my zero byte padding post, someone asked me how McAfee intercepted scripts.

The Microsoft VB script and JS script engines are COM objects. Looking at the CLSID registry data for these COM objects, you’ll find this info (Windows XP SP2):

VB Script Language
HKEY_CLASSES_ROOT\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}
InprocServer32 -> C:\WINDOWS\system32\VBScript.dll

JScript Language
HKEY_CLASSES_ROOT\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}
InprocServer32 -> C:\WINDOWS\system32\JScript.dll

When McAfee VirusScan with ScriptScan is installed, the InprocServer32 reference for both COM objects is modified: C:\Program Files\Network Associates\VirusScan\scriptproxy.dll

This is how VirusScan intercepts script execution. They install a “proxy” (scriptproxy.dll) that will scan the scripts before they are passed on to the appropriate scripting engine (VBScript.dll or JScript.dll).

One important implication of this mechanism is that ScriptScan only protects script execution when the scripts run through the Microsoft COM scripting engines, as IE does. Firefox doesn’t use COM; it has its own JS engine (SpiderMonkey), so ScriptScan does not scan scripts executed by Firefox.

There are documented cases where ScriptScan causes problems on servers; the proposed solution is to remove the proxy: regsvr32 /u scriptproxy.dll

I wonder if there is malware out there using this trick? And one can also write his own proxy DLL to intercept scripts.

Of course, McAfee VirusScan is not the only AV providing protection against malicious scripts, most modern AV provide this. For example, Kaspersky’s Anti-Virus uses the same technique, but their proxy DLL is scrchpg.dll.
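As an added example (my own check, not code from the post or from any AV vendor), here is a PowerShell script that reads the InprocServer32 value of the two engine CLSIDs quoted above and reports whether the stock engine or some other DLL is registered, identifying a proxy by its Authenticode signer. It assumes the stock file names VBScript.dll and JScript.dll and that the 32-bit view lives under Wow6432Node on 64-bit Windows.

```powershell
# Added example, not part of the original post: report which DLL COM will load
# for the VBScript and JScript engines, so a script-scanning proxy (or anything
# else hooked in this way) becomes visible. Assumptions: the CLSIDs are those
# quoted in the post; the "expected" names are the stock Windows engine DLLs.
$engines = @(
    @{ Name = 'VBScript'; Clsid = '{B54F3741-5B07-11cf-A4B0-00AA004A55E8}'; Expected = 'VBScript.dll' },
    @{ Name = 'JScript';  Clsid = '{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}'; Expected = 'JScript.dll' }
)

# Native CLSID hive plus the 32-bit view on 64-bit Windows; each can be hooked independently.
$hives = @('Registry::HKEY_CLASSES_ROOT\CLSID', 'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID')

foreach ($e in $engines) {
    foreach ($hive in $hives) {
        $key = "$hive\$($e.Clsid)\InprocServer32"
        if (-not (Test-Path $key)) { continue }

        # The (default) value of InprocServer32 is the DLL that COM instantiates.
        $server = (Get-ItemProperty -Path $key).'(default)'
        if (-not $server) {
            $status = 'no InprocServer32 default value'
        } elseif ([System.IO.Path]::GetFileName($server) -ieq $e.Expected) {
            $status = "stock engine ($server)"
        } else {
            # Something other than the stock engine is registered: identify it by its signer
            # (an AV proxy such as scriptproxy.dll or scrchpg.dll should carry the vendor's signature).
            $sig = Get-AuthenticodeSignature -FilePath $server -ErrorAction SilentlyContinue
            $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'unsigned/unknown' }
            $status = "PROXY: $server (signer: $signer; signature status: $($sig.Status))"
        }

        [PSCustomObject]@{ Engine = $e.Name; Hive = $hive; Status = $status }
    }
}
```

Run it from an elevated prompt after installing or removing an AV product to confirm which DLL is actually in the path; an unexpected, unsigned DLL here deserves the same scrutiny as any other persistence entry.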
