[File] [PATCH] Magdir/ole2compounddocs for newer Microsoft Sysinternals Autoruns *.ARN

Christos Zoulas christos at zoulas.com
Sun Oct 2 12:48:40 UTC 2022


Committed, thanks!

christos

> On Sep 27, 2022, at 7:47 PM, Jörg Jenderek <joerg.jen.der.ek at gmx.net> wrote:
> 
> 
> Hello,
> 
> Some days ago I ran the cleaning tool czkawka found at
> https://qarmin.github.io/czkawka/. One menu item concerns bad
> extensions. After running the tool I looked in the saved file list
> results_bad_extensions.txt for bad extension examples.
> One listed extension is ARN. These files were generated by the Autoruns
> tool from the Microsoft Sysinternals suite. On Windows these are called
> "Autoruns Log File" or "Autoruns files" by the registry via the key
> Autoruns.Logfile.1.
> 
> Some days ago I sent a patch for older ARN samples. The ARN examples
> produced by versions 14.0 and 14.09 use a completely different file format
> introduced in the middle of the year 2021.
> 
> When running file command version 5.43 with the -e cdf option on the newer
> examples I get output like:
> 
> v14.0.arn:           OLE 2 Compound Document, v3.62, SecID 0x1,
> 		     76 FAT sectors, Mini FAT start sector 0x2,
> 		     124 Mini FAT sectors : UNKNOWN with names
> 		     Header Items 0
> v14.09.arn:          OLE 2 Compound Document, v3.62, SecID 0x1,
> 		     102 FAT sectors, Mini FAT start sector 0x2,
> 		     171 Mini FAT sectors : UNKNOWN with names
> 		     Header Items 0
> win10-10Mar2022.arn: OLE 2 Compound Document, v3.62, SecID 0x1,
> 		     121 FAT sectors, Mini FAT start sector 0x2,
> 		     210 Mini FAT sectors, DIFAT start sector 0x27f9,
> 		     1 DIFAT sectors : UNKNOWN with names
> 		     Header Items 0
> win10-21Sep2021.arn: OLE 2 Compound Document, v3.62, SecID 0x1,
> 		     5 FAT sectors, Mini FAT start sector 0x2
> 		     : UNKNOWN with names
> 		     Header Items 0
> win10-Mai2022.arn:   OLE 2 Compound Document, v3.62, SecID 0x1,
> 		     122 FAT sectors, Mini FAT start sector 0x2,
> 		     222 Mini FAT sectors, DIFAT start sector 0x2880,
> 		     1 DIFAT sectors : UNKNOWN with names
> 		     Header Items 0
> win10-Sep2022.arn:   OLE 2 Compound Document, v3.62, SecID 0x1,
> 		     125 FAT sectors, Mini FAT start sector 0x2,
> 		     237 Mini FAT sectors, DIFAT start sector 0x29e5,
> 		     1 DIFAT sectors : UNKNOWN with names
> 		     Header Items 0
> 
> Furthermore, for such ARN samples only the generic MIME type
> application/x-ole-storage is shown with the -i and -e cdf options. With
> option --extension only the 3-byte sequence ??? is shown.
> 
> When running the file command with -e soft or no extra option on the
> inspected examples I get output like:
> 
> v14.0.arn:           Composite Document File V2 Document,
> 		     Cannot read section info
> v14.09.arn:          Composite Document File V2 Document,
> 		     Cannot read section info
> win10-10Mar2022.arn: Composite Document File V2 Document,
> 		     Cannot read section info
> win10-21Sep2021.arn: Composite Document File V2 Document,
> 		     Cannot read section info
> win10-Mai2022.arn:   Composite Document File V2 Document,
> 		     Cannot read section info
> win10-Sep2022.arn:   Composite Document File V2 Document,
> 		     Cannot read section info
> 
> For comparison I ran the file format identification utility
> TrID (see https://mark0.net/soft-trid-e.html). This identifies
> all fed examples with low priority as "Generic OLE2 / Multistream
> Compound" by docfile.trid.xml. The ARN examples are also
> described with a high rate as "Sysinternals Autoruns data (v14)"
> by arn-autoruns-14.trid.xml (see the appended trid-v-arn.txt.gz).
> 
> For comparison I also ran the file format identification
> utility DROID (see https://sourceforge.net/projects/droid/). This
> identifies the examples generically as "OLE2 Compound Document Format"
> by the fmt/111 signature.
> 
> Unfortunately I found not even a little hint with information about the
> file format. All sites show nearly the same information: how to use the
> tool, but nothing about the file format. So that information is expressed
> by comment lines inside Magdir/ole2compounddocs like:
> 
> # URL:		https://learn.microsoft.com/en-us/sysinternals/
> #		downloads/autoruns
> # Reference:	http://mark0.net/download/triddefs_xml.7z/
> #		defs/a/arn-autoruns-v14.trid.xml
> 
> The examples are recognized as "OLE 2 Compound Document"
> by the starting bytes (\320\317\021\340\241\261\032\341) at the beginning
> inside Magdir/ole2compounddocs. Obviously no code fragment exists
> to do sub-class identification. So the examples are
> described as "UNKNOWN". Furthermore, the examples have no registered
> Root storage object CLSID, or this value is nil. In that case the file
> command would display this information afterwards with a phrase like
> ", clsid 0xc0c7266eb98cd311a1c800c04f612452". That means that the
> code must be added in the branch handling CLSID GUID 0.
> 
> So the second entry for such ARN examples apparently always seems to
> start with the phrase Header encoded as a UTF-16 string, after the first
> directory entry, which is always "Root Entry". The third and fourth
> directory entries always seem to be Items and 0.
> 
> The last similar entry was the old Microsoft Systeminfo (*.nfo).
> So I add lines for my inspected examples afterwards. That looks like:
> >>>> 128 lestring16 Header : Microsoft sysinternals AutoRuns data,
> !:mime	application/x-ms-arn
> !:ext	arn
> Instead of the generic application/x-ole-storage I chose a user-defined
> MIME type.
> 
> Because ARN files are OLE2 Compound containers we can inspect such
> examples with suitable tools like Michal Mutl's Structured Storage Viewer,
> for example. There we see that such examples contain 4 main
> streams: two (Header, Items) mentioned by the file command and two
> others with the names LargeIcons and SmallIcons. The 0 entry was the
> first sub directory of the Items entry. There exist some hundreds more
> numbered entries (increasing by one). The Header entry consists mainly
> of the string Autoruns encoded as UTF-16.
> 
> After applying the above-mentioned modifications by the patch
> file-5.43-ole2compounddocs-arn.diff, all my newer inspected
> Sysinternals Autoruns samples are now described with more details.
> With option -e cdf this now looks like:
> 
> v14.0.arn:           OLE 2 Compound Document, v3.62, SecID 0x1,
> 		     76 FAT sectors, Mini FAT start sector 0x2,
> 		     124 Mini FAT sectors
> 		     : Microsoft sysinternals AutoRuns data
> 		     , version 14
> v14.09.arn:          OLE 2 Compound Document, v3.62, SecID 0x1,
> 		     102 FAT sectors, Mini FAT start sector 0x2,
> 		     171 Mini FAT sectors
> 		     : Microsoft sysinternals AutoRuns data
> 		     , version 14
> win10-10Mar2022.arn: OLE 2 Compound Document, v3.62, SecID 0x1,
> 		     121 FAT sectors, Mini FAT start sector 0x2,
> 		     210 Mini FAT sectors, DIFAT start sector 0x27f9,
> 		     1 DIFAT sectors
> 		     : Microsoft sysinternals AutoRuns data
> 		     , version 14
> win10-21Sep2021.arn: OLE 2 Compound Document, v3.62, SecID 0x1,
> 		     5 FAT sectors, Mini FAT start sector 0x2
> 		     : Microsoft sysinternals AutoRuns data
> 		     , version 14
> win10-Mai2022.arn:   OLE 2 Compound Document, v3.62, SecID 0x1,
> 		     122 FAT sectors, Mini FAT start sector 0x2,
> 		     222 Mini FAT sectors, DIFAT start sector 0x2880,
> 		     1 DIFAT sectors
> 		     : Microsoft sysinternals AutoRuns data
> 		     , version 14
> win10-Sep2022.arn:   OLE 2 Compound Document, v3.62, SecID 0x1,
> 		     125 FAT sectors, Mini FAT start sector 0x2,
> 		     237 Mini FAT sectors, DIFAT start sector 0x29e5,
> 		     1 DIFAT sectors
> 		     : Microsoft sysinternals AutoRuns data
> 		     , version 14
> 
> I hope my diff file can be applied in a future version of the file
> utility.
> 
> With best wishes,
> Jörg Jenderek
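The directory-entry test the quoted patch relies on, worked through in Python as an added example; this is not code from the mail, from the patch or from the file utility. It parses the MS-CFB (OLE2) header, follows the FAT chain to the directory stream and applies the same two observations the mail makes: the root storage CLSID is nil, and the second 128-byte directory entry, the one after "Root Entry", carries the UTF-16LE name "Header" (the `128 lestring16 Header` test). `build_sample` constructs a minimal v3.62 image with the four entries named in the mail (Root Entry, Header, Items, 0) and no stream data so it runs offline; the "no Root Entry" wording and the raw-bytes clsid formatting are this example's own, not file(1)'s.

```python
"""Identify Sysinternals Autoruns *.arn files by walking the OLE2 (MS-CFB) directory.
Added example mirroring the `>>>> 128 lestring16 Header` magic test from the mail;
not code from file(1). Sample bytes are constructed below."""
import struct
from collections import namedtuple

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
FREESECT, ENDOFCHAIN, FATSECT, NOSTREAM = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF
NIL_CLSID = bytes(16)
Header = namedtuple("Header", "major minor sector_size num_fat first_dir first_difat num_difat")
DirEntry = namedtuple("DirEntry", "name obj_type clsid")  # obj_type: 1 storage, 2 stream, 5 root

def sector_offset(sector, sector_size):
    return (sector + 1) * sector_size  # sector 0 follows the header, which fills one sector

def parse_header(data):
    if len(data) < 512 or data[:8] != OLE2_MAGIC:
        raise ValueError("not an OLE 2 Compound Document")
    minor, major, byte_order, shift = struct.unpack_from("<HHHH", data, 24)
    if byte_order != 0xFFFE or (major, shift) not in ((3, 9), (4, 12)):
        raise ValueError("unsupported CFB header")
    num_fat, first_dir = struct.unpack_from("<II", data, 44)
    first_difat, num_difat = struct.unpack_from("<II", data, 68)
    return Header(major, minor, 1 << shift, num_fat, first_dir, first_difat, num_difat)

def load_fat(data, hdr):
    # FAT sector numbers: 109 in the header, the rest in chained DIFAT sectors.
    per_sector = hdr.sector_size // 4
    locations = list(struct.unpack_from("<109I", data, 76))
    difat = hdr.first_difat
    for _ in range(hdr.num_difat):
        if difat in (ENDOFCHAIN, FREESECT):
            break
        chunk = struct.unpack_from(f"<{per_sector}I", data, sector_offset(difat, hdr.sector_size))
        locations.extend(chunk[:-1])  # last entry points at the next DIFAT sector
        difat = chunk[-1]
    fat = []
    for sec in [s for s in locations if s != FREESECT][:hdr.num_fat]:
        fat.extend(struct.unpack_from(f"<{per_sector}I", data, sector_offset(sec, hdr.sector_size)))
    return fat

def sector_chain(fat, start, max_len=1 << 16):
    # Refuse loops and out-of-range sectors; malformed containers hang naive parsers.
    chain, seen, sec = [], set(), start
    while sec != ENDOFCHAIN:
        if sec >= len(fat) or sec in seen or len(chain) >= max_len:
            raise ValueError("broken or looping FAT chain")
        chain.append(sec)
        seen.add(sec)
        sec = fat[sec]
    return chain

def read_directory(data):
    hdr = parse_header(data)
    fat = load_fat(data, hdr)
    entries = []
    for sec in sector_chain(fat, hdr.first_dir):
        off = sector_offset(sec, hdr.sector_size)
        raw = data[off:off + hdr.sector_size]
        for i in range(0, len(raw) - 127, 128):  # one directory entry per 128 bytes
            e = raw[i:i + 128]
            name_len, obj_type = struct.unpack_from("<HB", e, 64)
            if obj_type == 0 or name_len < 2:
                continue  # unallocated entry
            # UTF-16LE name; name_len counts bytes including the terminating NUL
            name = e[:min(name_len, 64) - 2].decode("utf-16-le", errors="replace")
            entries.append(DirEntry(name, obj_type, e[80:96]))
    return hdr, entries

def identify(data):
    # Description in the shape of file(1) -e cdf output (clsid wording is this example's own).
    hdr, entries = read_directory(data)
    desc = f"OLE 2 Compound Document, v{hdr.major}.{hdr.minor}"
    if not entries or entries[0].name != "Root Entry":
        return desc + " : no Root Entry"
    if entries[0].clsid != NIL_CLSID:
        return desc + f", clsid (raw bytes) 0x{entries[0].clsid.hex()}"
    if len(entries) > 1 and entries[1].name == "Header":  # the `128 lestring16 Header` test
        return desc + " : Microsoft sysinternals AutoRuns data"
    return desc + " : UNKNOWN with names " + " ".join(e.name for e in entries[1:4])

def _dir_entry(name, obj_type, left=NOSTREAM, right=NOSTREAM, child=NOSTREAM, clsid=NIL_CLSID):
    raw = name.encode("utf-16-le") + b"\x00\x00"
    e = bytearray(128)
    e[:len(raw)] = raw
    struct.pack_into("<HBBIII", e, 64, len(raw), obj_type, 1, left, right, child)
    e[80:96] = clsid
    struct.pack_into("<II", e, 116, ENDOFCHAIN, 0)  # no stream data in the constructed sample
    return bytes(e)

def build_sample(second_name="Header", root_clsid=NIL_CLSID):
    # Constructed minimal CFB v3.62 image: header, one FAT sector, one directory sector.
    hdr = bytearray(512)
    hdr[:8] = OLE2_MAGIC
    struct.pack_into("<HHHHH", hdr, 24, 0x3E, 3, 0xFFFE, 9, 6)  # v3.62, little endian, 512-byte sectors
    struct.pack_into("<II", hdr, 44, 1, 1)                       # one FAT sector; directory starts in sector 1
    struct.pack_into("<III", hdr, 56, 4096, ENDOFCHAIN, 0)       # mini-stream cutoff, no mini FAT
    struct.pack_into("<II", hdr, 68, ENDOFCHAIN, 0)              # no DIFAT sectors
    struct.pack_into("<109I", hdr, 76, 0, *([FREESECT] * 108))  # the FAT lives in sector 0
    fat_sector = struct.pack("<128I", FATSECT, ENDOFCHAIN, *([FREESECT] * 126))
    directory = (_dir_entry("Root Entry", 5, child=1, clsid=root_clsid) + _dir_entry(second_name, 2, right=2)
                 + _dir_entry("Items", 1, child=3) + _dir_entry("0", 1)).ljust(512, b"\x00")
    return bytes(hdr) + fat_sector + directory
```

On a real sample, `identify(open(path, "rb").read())` gives the same verdict the patched magic does; `build_sample("Other")` reproduces the pre-patch "UNKNOWN with names" case, and passing a non-nil `root_clsid` exercises the CLSID branch the mail says the new lines must not disturb.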
