Add cursed VBS

content/cfb.md

@@ -11,9 +11,36 @@ Compound File Binary (CFB) is a file format designed by Microsoft as part of the
 * [Python package][olefile] to read and write those files, as well as some Office-specific metadata
 * [7-Zip][7zip], a file archiver that can extract CFB files
 
+## Detector script
+
+I wrote a VBScript script to look for any file starting with the CFB file signature in a Windows 98SE virtual machine:
+
+```vbs
+On Error Resume Next
+
+header = Chr(&HD0) & Chr(&HCF) & Chr(&H11) & Chr(&HE0) & Chr(&HA1) & Chr(&HB1) & Chr(&H1A) & Chr(&HE1)
+
+Sub CFBFinder(folder)
+    For Each subfolder In folder.SubFolders
+        CFBFinder folder
+    Next
+    For Each file In folder.Files
+        If file.Size > 19 Then
+            Set stream = file.OpenAsTextStream(1, 0) 'open for reading in ASCII
+            'handle possible permission errors
+            If Err.Number = 0 Then
+                If stream.Read(Len(header)) = header Then
+                    WScript.Echo file.Path
+                End If
+            End If
+        End If
+    Next
+End Sub
+```
+
 ## Extractor script
 
-I wrote a smol Python script to extract a CFB file into a directory structure, to make inspection easier.
+I wrote a smol Python script to extract a CFB file into a directory structure, to make inspection easier on Linux.
 
 ```python
 #!/usr/bin/env python