[File] [PATCH] Magdir/windows Explorer Command Shell *.SCF described as Generic INI

Jörg Jenderek joerg.jen.der.ek at gmx.net
Wed Nov 30 20:12:18 UTC 2022


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

Some days ago I read an interesting article in the German computer
magazine c't, number 24 from 2022. It described the efforts and
methods of Microsoft to protect their system. Unfortunately Microsoft
is non-transparent like FIFA and does not exactly explain why something
is happening. Luckily the article lists 39 file name suffixes which
are considered to be potentially dangerous. One extension is SCF.

So I looked on my systems for such files. When running the file command
version 5.43 on SCF samples and related files I get output like:

Desktop anzeigen.scf: Generic INItialization configuration [Taskbar]
EXPLORER.SCF:         Generic INItialization configuration [Taskbar]
SETUP.SCF:            Generic INItialization configuration [SERVICE]
SPELLER.SCF:          data
channels.scf:         Generic INItialization configuration [IE]
desktop.scf:          Generic INItialization configuration [Taskbar]
hadifix.scf:          data
malicious.scf:        Generic INItialization configuration [Taskbar]
shortcuts.scf:        XML 1.0 document, ASCII text,

With the option --extension only the 3-byte sequence ??? or the wrong
ini/inf is shown, and with the -i option only the generic
application/x-wine-extension-ini or text/xml is shown.

For comparison I ran the file format identification utility TrID
(see https://mark0.net/soft-trid-e.html). The XML based SCF samples
are described correctly as "Double Commander Shortcuts" by
scf-dc.trid.xml. Most other examples are also described, with a low
rate, as "Generic INI configuration" by ini.trid.xml. The SETUP.SCF
example is described with a higher rate as "VIA setup configuration
file" by scf-via.trid.xml. The remaining SCF samples are described as
"Windows Explorer Command Shell File" by scf-exp.trid.xml or as the
"(alt)" variant by scf-exp-old.trid.xml (see the appended
trid-v-scf.txt.gz).

For comparison I also ran the file format identification utility
DROID (see https://sourceforge.net/projects/droid/). The XML based
SCF is described as "Extensible Markup Language" by fmt/101 and the
other samples are not recognized.

The INI based samples should be recognized by the subroutine ini-file
inside Magdir/windows. If the samples are only described as Generic
INItialization configuration, that means a suited branch is missing
inside the subroutine. So I looked inside the TrID definition for what
the characteristic is. There I saw that it tests for a line which looks
like:
[Shell]
The samples where this is the first line are described by
scf-exp.trid.xml. In the other case this line occurs as the second
line after a first empty line. These samples are described by
scf-exp-old.trid.xml. So inside the subroutine, after the left bracket
is found, I insert a branch looking for the section name Shell after
the Windows codepage translator branch. TrID also looks for the keyword
ICONFILE. When looking in my examples and in samples considered as
"bad", these contain lines like:
IconFile=explorer.exe,3
IconFile=\\10.10.16.2\share\test.ico
In the second sample an icon or file from somewhere on the net is
loaded and handled. So this is probably why SCF files are considered
as potentially dangerous. So this information is now shown for such
SCF samples by lines like:
 >>&0	regex/c	\^Shell]\r\n	Windows Explorer Shell Command File
 !:mime	text/x-ms-scf
 !:ext	scf
 >>>1	search/128	IconFile=	\b, icon
 >>>>&0	string		x		"%s"
Instead of the generic mime type text/plain I show a user defined one
and add an information comment line like:
# Reference:	http://mark0.net/download/triddefs_xml.7z/defs/s/
#		scf-exp.trid.xml,
#		scf-exp-old.trid.xml

Luckily, with the information given by TrID for the VIA examples, that
information is expressed by comment lines inside Magdir/images like:
# URL:		http://en.wikipedia.org/wiki/VIA_Technologies
# Reference:	http://mark0.net/download/triddefs_xml.7z
#		defs/s/scf-via.trid.xml

So I looked inside the TrID definition for what the characteristic is.
There I saw that it tests for first lines which start like:
[SCF]
COMPANY=
So inside the subroutine, after the left bracket is found, I insert a
branch looking for the section name SCF after the Windows Explorer
Shell Command File branch. So this information is now shown for such
VIA SCF samples by lines like:
 >>&0	regex/c	\^SCF]\r\n	VIA setup configuration
 !:mime	text/x-via-scf
 !:ext	scf
Instead of the generic mime type text/plain I show a user defined one.

After applying the above mentioned modifications by the patch file
file-5.43-windows-scf.diff, most SCF samples are now described with
more detail and the correct name suffix.
This now looks like:

Desktop anzeigen.scf: Windows Explorer Shell Command File, icon
		      "explorer.exe,3"
EXPLORER.SCF:         Windows Explorer Shell Command File, icon
		      "explorer.exe,1"
SETUP.SCF:            Generic INItialization configuration [SERVICE]
SPELLER.SCF:          data
channels.scf:         Windows Explorer Shell Command File, icon
		      "shdocvw.dll,-118"
desktop.scf:          Windows Explorer Shell Command File, icon
		      "explorer.exe,3"
hadifix.scf:          data
malicious.scf:        Windows Explorer Shell Command File, icon
		      "\\10.10.16.2\share\test.ico"
shortcuts.scf:        ASCII text, with CRLF line terminators

I hope my diff file can be applied in a future version of the file
utility.

I would like to add magic for Double Commander Shortcuts, but in
Magdir/sgml there exist "many" fragments for XML based files. So
sometimes an XML type is missed or I must use the -k option and get
more describing text like "XML 1.0 document text" and "XML document"
for the shortcuts.scf example, which is confusing for "normal" users
and me too. So Magdir/sgml needs some updates that unify the fragments.

Then there exist samples like SPELLER.SCF and hadifix.scf with another
file format.

With best wishes,
Jörg Jenderek
- --
Jörg Jenderek
-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iF0EARECAB0WIQS5/qNWKD4ASGOJGL+v8rHJQhrU1gUCY4e5IgAKCRCv8rHJQhrU
1tseAJ93w1W86nvHLCo/3GGCdG/3p1ES3QCcDQ7OYmA/vM64LbPEuED8jY712GY=
=UrGj
-----END PGP SIGNATURE-----
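The classification the magic lines above express (first `[` section name, optional empty first line for the old variant, `IconFile=` searched within 128 bytes, user-defined MIME types), rendered in Python so it can be run over sample files offline. This is an added illustration and is not part of the message above or of the file(1) sources; the sample contents are constructed here, the `remote_icon` flag and the 192.0.2.10 UNC placeholder are my own additions, and the generic MIME fallback follows the `-i` output quoted in the message.

```python
import re

# Constructed sample contents (not the attachments from the mailing list).
# The UNC host is a placeholder from the documentation range, not a real host.
SAMPLES = {
    "desktop.scf": (b"[Shell]\r\nCommand=2\r\nIconFile=explorer.exe,3\r\n"
                    b"[Taskbar]\r\nCommand=ToggleDesktop\r\n"),
    # "old" TrID variant: an empty first line before the section name
    "old-variant.scf": b"\r\n[Shell]\r\nCommand=2\r\nIconFile=explorer.exe,1\r\n",
    "remote-icon.scf": (b"[Shell]\r\nCommand=2\r\n"
                        b"IconFile=\\\\192.0.2.10\\share\\test.ico\r\n"
                        b"[Taskbar]\r\nCommand=ToggleDesktop\r\n"),
    "SETUP.SCF": b"[SCF]\r\nCOMPANY=VIA Technologies\r\nVERSION=1\r\n",
    "other.ini": b"[Taskbar]\r\nCommand=ToggleDesktop\r\n",
}

# Same shape as the magic branch: optional CRLF, '[', section name, ']', CRLF.
SECTION_RE = re.compile(rb"\A(?:\r\n)?\[([^\]\r\n]+)\]\r\n")
# INI keys are case-insensitive on Windows, so match IconFile= in any case.
ICON_RE = re.compile(rb"IconFile=([^\r\n]*)", re.IGNORECASE)
SEARCH_WINDOW = 128  # bytes, mirroring 'search/128' from offset 1


def describe(data: bytes) -> dict:
    """Classify one INI-style file the way the patched magic branch would."""
    result = {"description": "data", "mime": None, "ext": None,
              "icon": None, "remote_icon": False}
    m = SECTION_RE.match(data)
    if not m:
        return result
    section = m.group(1)
    if section.lower() == b"shell":
        result.update(description="Windows Explorer Shell Command File",
                      mime="text/x-ms-scf", ext="scf")
        # The icon directive must start within 128 bytes of offset 1.
        im = ICON_RE.search(data, 1)
        if im and im.start() <= 1 + SEARCH_WINDOW:
            icon = im.group(1).decode("latin-1")
            result["icon"] = icon
            # A UNC path means the icon is loaded from another host over
            # the network; the message treats this as the risky case.
            result["remote_icon"] = icon.startswith("\\\\")
    elif section.lower() == b"scf":
        result.update(description="VIA setup configuration",
                      mime="text/x-via-scf", ext="scf")
    else:
        result.update(
            description="Generic INItialization configuration [%s]"
            % section.decode("latin-1"),
            mime="application/x-wine-extension-ini")
    return result


def remote_icon_files(samples: dict) -> list:
    """Names of samples whose IconFile= points to a UNC path."""
    return sorted(name for name, data in samples.items()
                  if describe(data)["remote_icon"])


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        r = describe(data)
        line = "%-18s %s" % (name + ":", r["description"])
        if r["icon"]:
            line += ', icon "%s"' % r["icon"]
        print(line)
    print("remote icon:", remote_icon_files(SAMPLES))
```

Running the block prints one line per constructed sample in the same style as the file(1) output quoted in the message, then the names whose icon is fetched over the network. To triage a directory, replace `SAMPLES` with a dict built from `open(path, "rb").read()` for each `*.scf` file.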
-------------- next part --------------
-- 
File mailing list
File at astron.com
https://mailman.astron.com/mailman/listinfo/file

-------------- next part --------------
--- file-5.43/magic/Magdir/windows.old	2022-07-06 20:56:40.000000000 +0200
+++ file-5.43/magic/Magdir/windows	2022-11-30 16:01:55.827507400 +0100
@@ -749,12 +749,33 @@
 >>&0	regex/c		\^Windows\ (Latin|Cyrillic)			Windows codepage translator
 #!:mime	text/plain
 !:mime	text/x-ms-cpx
 # like: 12510866.CPX 
 !:ext	cpx
 # From:		Joerg Jenderek
+# URL:		https://en.wikipedia.org/wiki/File_Explorer
+# Reference:	http://mark0.net/download/triddefs_xml.7z/defs/s/scf-exp.trid.xml,scf-exp-old.trid.xml
+# Note:		called "Windows Explorer Command Shell File" by TrID and "File Explorer Command" by Windows via SHCmdFile
+>>&0	regex/c		\^Shell]\r\n					Windows Explorer Shell Command File
+#!:mime	text/plain
+!:mime	text/x-ms-scf
+# like: channels.scf desktop.scf explorer.scf "Desktop anzeigen.scf"
+!:ext	scf
+# look for icon file directive maybe pointing to malicious file
+>>>1		search/128	IconFile=				\b, icon
+>>>>&0		string		x					"%s"
+# From:		Joerg Jenderek
+# URL:		http://en.wikipedia.org/wiki/VIA_Technologies
+# Reference:	http://mark0.net/download/triddefs_xml.7z/defs/s/scf-via.trid.xml
+# Note:		called "VIA setup configuration file" by TrID
+>>&0	regex/c		\^SCF]\r\n					VIA setup configuration
+#!:mime	text/plain
+!:mime	text/x-via-scf
+# like: SETUP.SCF
+!:ext	scf
+# From:		Joerg Jenderek
 # URL:		https://en.wikipedia.org/wiki/InstallShield
 # Reference:	http://mark0.net/download/triddefs_xml.7z/defs/l/lid-is.trid.xml
 # Note:		contain also 3 keywords like: count Default key0
 >>&0	regex/c		\^Languages]					InstallShield Language Identifier
 #!:mime	text/plain
 !:mime	text/x-installshield-lid
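Review bot: the `>>>1 search/128 IconFile=` line is case-sensitive, while the section name above it uses `regex/c` and the message says TrID keys on the keyword `ICONFILE`; a file written as `iconfile=` or `ICONFILE=` would still be named "Windows Explorer Shell Command File" but without the icon path, which is the part the `# look for icon file directive` comment says matters. Consider `search/128/c IconFile=` so the icon is reported regardless of case. Also, `\^Shell]\r\n` requires CRLF directly after the bracket, so a `[Shell]` line with a bare LF or trailing whitespace falls through to the generic INI description; if that is intended, a `# Note:` saying CRLF is required would help the next reader.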
-------------- next part --------------
A non-text attachment was scrubbed...
Name: file-5.43-windows-scf.diff.sig
Type: application/octet-stream
Size: 902 bytes
Desc: not available
URL: <https://mailman.astron.com/pipermail/file/attachments/20221130/5d1d987a/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: trid-v-scf.txt.gz
Type: application/x-gzip
Size: 407 bytes
Desc: not available
URL: <https://mailman.astron.com/pipermail/file/attachments/20221130/5d1d987a/attachment.bin>