From: Todd Vargo on 6 Aug 2010 18:09

Al Dunbar wrote:
> "Todd Vargo" <tlvargo(a)sbcglobal.netz> wrote in message
> news:u7zjL3ONLHA.1624(a)TK2MSFTNGP06.phx.gbl...
>> Tom Tyson wrote:
>>> "Todd Vargo" <tlvargo(a)sbcglobal.netz> wrote in message
>>> news:uwqz0BDNLHA.5396(a)TK2MSFTNGP05.phx.gbl...
>>>> Tom Tyson wrote:
>>>>> Hi again,
>>>>>
>>>>> I'm looking for a way to hide the HTA / vbscript code I've written
>>>>> from users. I basically want to compile my HTA to an executable,
>>>>> pulling in all the resources (vbs files, graphics etc.) and distribute
>>>>> the .exe file.
>>>>>
>>>>> The best thing I found was ExeScript - but it would still create and
>>>>> leave a plain text file with my script code in the user's temp folder.
>>>>> Is there any on-the-fly compiler that doesn't leave any source code
>>>>> behind?
>>>>
>>>> So the following statement is a lie?
>>>>
>>>> "Executing the script in computer memory without writing to the disk.
>>>> Therefore, the security of the script is enhanced since it is
>>>> impossible to see the contents."
>>>
>>> In my scenario, when I run the executable created from the HTA with
>>> ExeScript, it acts just like a self-extracting archive, i.e. extracting
>>> all resources, including the HTA source, to its working directory. Once
>>> the app is closed, it deletes all the resources it created.
>>
>> That is how I figured it should work. However, your previous post said
>> the source code was left behind. I was thinking perhaps the unregistered
>> version does not perform cleanup. The best place to get support is by
>> asking the source.
>>
>> OTOH, what if you include code in the HTA code to delete itself once
>> loaded into the browser? Would that even work?
>
> If a file is ever committed to a disk somewhere, it will be retrievable,
> whether by looking for the files while the app is still running, or using
> an undelete utility.

A file can be overwritten with garbage to prevent undelete snooping. However, this did not answer my question though. Besides, OP has not stated the purpose was for high security so let's just keep my part of the discussion to just preventing a casual user from reading the extracted plain text files. Obviously, a copy of the HTA will be created in the browser cache when opened. And since some browsers cache files with random names, it will be difficult to locate itself in the cache, so this must be considered a low security issue. Preventing right clicks to view the source is a simple HTML hack.

Getting back to my question: When the HTA is loaded in the browser, is it possible to delete itself once it gets loaded? In essence, would the HTA code loaded in the browser continue to function if the source file was deleted? My limited testing says, yes. The code continues to work with the HTA file deleted. However, there is still the copy created in the browser cache that the OP needs to consider.

--
Todd Vargo

(Post questions to group only. Remove "z" to email personal messages)

From: Tom Tyson on 10 Aug 2010 14:13

"Todd Vargo" <tlvargo(a)sbcglobal.netz> wrote in message
news:enWmMQbNLHA.1868(a)TK2MSFTNGP05.phx.gbl...
> Al Dunbar wrote:
>> "Todd Vargo" <tlvargo(a)sbcglobal.netz> wrote in message
>> news:u7zjL3ONLHA.1624(a)TK2MSFTNGP06.phx.gbl...
>>> Tom Tyson wrote:
>>>> "Todd Vargo" <tlvargo(a)sbcglobal.netz> wrote in message
>>>> news:uwqz0BDNLHA.5396(a)TK2MSFTNGP05.phx.gbl...
>>>>> Tom Tyson wrote:
>>>>>> Hi again,
>>>>>>
>>>>>> I'm looking for a way to hide the HTA / vbscript code I've written
>>>>>> from users. I basically want to compile my HTA to an executable,
>>>>>> pulling in all the resources (vbs files, graphics etc.) and distribute
>>>>>> the .exe file.
>>>>>>
>>>>>> The best thing I found was ExeScript - but it would still create and
>>>>>> leave a plain text file with my script code in the user's temp folder.
>>>>>> Is there any on-the-fly compiler that doesn't leave any source code
>>>>>> behind?
>>>>>
>>>>> So the following statement is a lie?
>>>>>
>>>>> "Executing the script in computer memory without writing to the disk.
>>>>> Therefore, the security of the script is enhanced since it is
>>>>> impossible to see the contents."
>>>>
>>>> In my scenario, when I run the executable created from the HTA with
>>>> ExeScript, it acts just like a self-extracting archive, i.e. extracting
>>>> all resources, including the HTA source, to its working directory. Once
>>>> the app is closed, it deletes all the resources it created.
>>>
>>> That is how I figured it should work. However, your previous post said
>>> the source code was left behind. I was thinking perhaps the unregistered
>>> version does not perform cleanup. The best place to get support is by
>>> asking the source.
>>>
>>> OTOH, what if you include code in the HTA code to delete itself once
>>> loaded into the browser? Would that even work?
>>
>> If a file is ever committed to a disk somewhere, it will be retrievable,
>> whether by looking for the files while the app is still running, or using
>> an undelete utility.
>
> A file can be overwritten with garbage to prevent undelete snooping.
> However, this did not answer my question though. Besides, OP has not
> stated the purpose was for high security so let's just keep my part of the
> discussion to just preventing a casual user from reading the extracted
> plain text files. Obviously, a copy of the HTA will be created in the
> browser cache when opened. And since some browsers cache files with random
> names, it will be difficult to locate itself in the cache, so this must be
> considered a low security issue. Preventing right clicks to view the
> source is a simple HTML hack.
>
> Getting back to my question: When the HTA is loaded in the browser, is it
> possible to delete itself once it gets loaded? In essence, would the HTA
> code loaded in the browser continue to function if the source file was
> deleted? My limited testing says, yes. The code continues to work with the
> HTA file deleted. However, there is still the copy created in the browser
> cache that the OP needs to consider.
>
> --
> Todd Vargo
>
> (Post questions to group only. Remove "z" to email personal messages)

Todd,

the purpose is indeed not for high security. I'm giving this solution to company internal users with limited technical skill to automate some everyday tasks. Right now I'm packaging the ExeScript executable containing the HTA and all resources with Inno Setup so desktop and start menu shortcuts are created for the user. So in normal life, they should not even explore the application program files folder and run the exe from there. If they do, however, I wouldn't want them to see the source files.

Besides, the HTA application object has a contextmenu property that prevents the right-click -> view source action, so this is not a problem either.

The new Exescript feature I mentioned to extract runtime files to the user's %temp% folder works fine. I guess that does the job for me, so I haven't tested your idea to delete the hta file itself at runtime. I'm also not sure how this would affect other resource files I put into the .exe, such as icons, external executables and possibly properties files with UI strings if I need to provide this tool in multiple languages.

Thanks again.
Tom

besides: sorry if my English sucks here and there, it's not my 1st language.

From: Tom Tyson on 10 Aug 2010 14:35

"Al Dunbar" <alandrub(a)hotmail.com> wrote in message
news:OIP7%23TSNLHA.5284(a)TK2MSFTNGP05.phx.gbl...
>
> "Tom Tyson" <no(a)spam.org> wrote in message
> news:i3ec4v$4f1$1(a)newsreader5.netcologne.de...
>>
>> "Mayayana" <mayayana(a)invalid.nospam> wrote in message
>> news:i3eafb$a42$1(a)news.eternal-september.org...
>>> |
>>> | In my scenario, when I run the executable created from the HTA with
>>> | ExeScript, it acts just like a self-extracting archive, i.e. extracting
>>> | all resources, including the HTA source, to its working directory. Once
>>> | the app is closed, it deletes all the resources it created.
>>> |
>>>
>>> That's all it can do. Look up "compile". Look up
>>> "interpreted code". Anyone who claims to "compile"
>>> script is either lying or doesn't know what they're
>>> talking about. That kind of software has to be doing
>>> something like an SFX. That's all the more true with
>>> a HTA. Mshta.exe has to be given a webpage, which
>>> it then loads into an IE window. You can't pass an
>>> EXE to mshta!! You might be able to zlib-encode the
>>> page. IE should recognize that. But you're really
>>> just using the wrong tool for the job you want to do.
>>>
>>
>> I understand the concepts you mention and I'm aware that mshta needs
>> a text input file rather than a binary file. I was just hoping for
>> someone having used a tool that does the trick a little less obvious than
>> temp extracting the files right where the exe is located. My users
>> wouldn't notice nor investigate if there are any temp files created in
>> some directory.
>
> If that is actually true, then screnc might provide sufficient security.
> But what is the risk and what will it cost you if your code becomes known
> by others?
>

Thanks, I'll give it a try. I have outlined my scenario in the latest response to Todd's post.

>> But if they run the exe and see all these files being created, they'd
>> probably start looking at them..
>
> Perhaps, so it appears you may not know the level of trust you can place
> in your users.
>

This is not a real issue for the moment. If we decide to offer this tool externally, I'll have to rewrite it. I'm aware of that. It's only 2K lines of code so no big deal.

>> I just downloaded a trial of the latest exescript version and it seems to
>> be able to use the windows temp directory as working directory. I'll see
>> what that setting does as it's not yet documented in the help files.
>
> Regardless, if there is someone there with sufficient reason to put some
> effort into reverse engineering your script, you are basically hooped if
> you leave your security up to SFX tools or screnc.
>
> /Al

See above. Thanks Al.

From: Tom Tyson on 10 Aug 2010 14:52

"Dave "Crash" Dummy" <invalid(a)invalid.invalid> wrote in message
news:%23y2IzpKNLHA.5776(a)TK2MSFTNGP06.phx.gbl...
> Tom Tyson wrote:
>> Hi again,
>>
>> I'm looking for a way to hide the HTA / vbscript code I've written from
>> users. I basically want to compile my HTA to an executable, pulling in all
>> the resources (vbs files, graphics etc.) and distribute
>> the .exe file.
>>
>> The best thing I found was ExeScript - but it would still create and
>> leave a plain text file with my script code in the user's temp folder.
>> Is there any on-the-fly compiler that doesn't leave any source code
>> behind?
>
> Why? What do you want to hide? Anything you can put in script is hardly
> proprietary code. Anyway, you ask the impossible. As Mayayana
> points out, as soon as the program is rendered in a window, the code is
> just two clicks away.
>
> --
> Crash
>
> Atheism is a matter of faith, too.

Thanks, please also see my other responses.

From: Todd Vargo on 10 Aug 2010 18:55

Tom Tyson wrote:
> Todd Vargo wrote:
....
>> A file can be overwritten with garbage to prevent undelete snooping.
>> However, this did not answer my question though. Besides, OP has not
>> stated the purpose was for high security so let's just keep my part of the
>> discussion to just preventing a casual user from reading the extracted
>> plain text files. Obviously, a copy of the HTA will be created in the
>> browser cache when opened. And since some browsers cache files with
>> random names, it will be difficult to locate itself in the cache, so this
>> must be considered a low security issue. Preventing right clicks to view
>> the source is a simple HTML hack.
>>
>> Getting back to my question: When the HTA is loaded in the browser, is it
>> possible to delete itself once it gets loaded? In essence, would the HTA
>> code loaded in the browser continue to function if the source file was
>> deleted? My limited testing says, yes. The code continues to work with
>> the HTA file deleted. However, there is still the copy created in the
>> browser cache that the OP needs to consider.
>>
>
> Todd,
>
> the purpose is indeed not for high security. I'm giving this solution to
> company internal users with limited technical skill to automate some
> everyday tasks. Right now I'm packaging the ExeScript executable containing
> the HTA and all resources with Inno Setup so desktop and start menu
> shortcuts are created for the user. So in normal life, they should not even
> explore the application program files folder and run the exe from there. If
> they do, however, I wouldn't want them to see the source files.
>
> Besides, the HTA application object has a contextmenu property that
> prevents the right-click -> view source action, so this is not a problem
> either.
>
> The new Exescript feature I mentioned to extract runtime files to the
> user's %temp% folder works fine. I guess that does the job for me, so I
> haven't tested your idea to delete the hta file itself at runtime. I'm
> also not sure how this would affect other resource files I put into the
> .exe, such as icons, external executables and possibly properties files
> with UI strings if I need to provide this tool in multiple languages.
>
> Thanks again.
> Tom
>
> besides: sorry if my English sucks here and there, it's not my 1st
> language.

Thanks for posting back Tom. Your English is fine by me. Good luck with your testing.

--
Todd Vargo

(Post questions to group only. Remove "z" to email personal messages)