[File] [PATCH] Magdir/windows for Micosoft Sysinternals Autoruns *.ARN
Jörg Jenderek
joerg.jen.der.ek at gmx.net
Mon Sep 19 00:41:50 UTC 2022
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hello,
Some days ago i run the cleaning tool czkawka found on
https://qarmin.github.io/czkawka/. One menu item concerns bad
extensions. After running tool i looked in saved file list
results_bad_extensions.txt for bad extension examples.
One listed extension is ARN. These file were generated by autorun
tools from Microsoft Sysinternals suite. On windows these are called
"Autoruns Log File" or "Autoruns files" by registry via key
Autoruns.Logfile.1.
When running file command version 5.43 on ARN examples and related
samples i get an output like:
WIN10-17Jul2021.arn: data
WIN10-19Okt2017.arn: data
WIN8-14Jan2016.arn: data
WIN8-14Jan2016.bmp: PC bitmap, Windows 3.x format, 16 x 16 x 1,
image size 64, cbSize 126, bits offset 62
WIN8-17Apr2016.arn: data
WIN8-27Mai2021-2nd.bmp: PC bitmap, Windows 3.x format, 24 x 24 x 32,
image size 2304, cbSize 2358, bits offset 54
WIN8-27Mai2021.arn: data
WIN8-27Mai2021.bmp: PC bitmap, Windows 3.x format, 24 x 24 x 1,
image size 96, cbSize 158, bits offset 62
WIN8-4Dez2019.arn: data
v13.100.arn: data
Furthermore for ARN samples only generic application/octet-stream
mime type is shown with -i option. With option --extension 3 byte
sequence ??? is shown.
For comparison reason i run the file format identification utility
TrID ( See https://mark0.net/soft-trid-e.html). This recognise most
especially older ARN samples. The samples are described as
"Sysinternals Autoruns data" with ARN suffix by
arn-autoruns.trid.xml (See appended trid-v-arn.txt.gz).
For comparison reason i also run the file format identification
utility DROID ( See https://sourceforge.net/projects/droid/). This
does not recognize the ARN examples.
Unfortunately i find not something like a file format
specification. But a least there exist an official usage page for
autoruns tools.
So that informations are expressed by comment lines inside
Magdir/windows at the end like:
# URL: https://learn.microsoft.com/en-us/sysinternals/
# downloads/autoruns
# Reference: http://mark0.net/download/triddefs_xml.7z
# defs/a/arn-autoruns.trid.xml
According to TrID ARN samples start with 4-byte magic string ARN_
and at offset 28 2 byte string BM is found. So this becomes in
magic lines something like:
0 string ARN_
>28 string BM Microsoft sysinternals AutoRuns data
!:mime application/x-ms-arn
!:ext arn
Instead of generic application/octet-stream i choose an user
defined mime type.
When extracting parts with starting BM string ( for example by dd
command) we get BMP PC bitmaps. So show that information by
indirect directive and show first embedded bitmap information by
help of Magdir/images. So with the help of the image size (cbSize)
i was able to calculate the offset of the possible second image.
Then i also show the information for second embedded image. So this
is done by lines like:
>>28 indirect x \b; at 0x1c
>>30 ulelong+28 x \b; at %#x
#>>(30.l+28) string x 2ND_BITMAP_MAGIC=%-.2s
>>(30.l+28) indirect x
After applying the above mentioned modifications by patch
file-5.43-windows-arn and using Magdir/images then many of
inspected ARN examples are now described correctly. This now looks
like:
WIN10-17Jul2021.arn: Microsoft sysinternals AutoRuns data; at 0x1c
PC bitmap, Windows 3.x format, 16 x 16 x 1,
image size 64, cbSize 126, bits offset 62
; at 0x9a
PC bitmap, Windows 3.x format, 16 x 16 x 32,
image size 1024, cbSize 1078, bits offset 54
WIN10-19Okt2017.arn: Microsoft sysinternals AutoRuns data; at 0x1c
PC bitmap, Windows 3.x format, 16 x 16 x 1,
image size 64, cbSize 126, bits offset 62
; at 0x9a
PC bitmap, Windows 3.x format, 16 x 16 x 32,
image size 1024, cbSize 1078, bits offset 54
WIN8-14Jan2016.arn: Microsoft sysinternals AutoRuns data; at 0x1c
PC bitmap, Windows 3.x format, 16 x 16 x 1,
image size 64, cbSize 126, bits offset 62
; at 0x9a
PC bitmap, Windows 3.x format, 16 x 16 x 32
image size 1024, cbSize 1078, bits offset 54
WIN8-14Jan2016.bmp: PC bitmap, Windows 3.x format, 16 x 16 x 1,
image size 64, cbSize 126, bits offset 62
WIN8-17Apr2016.arn: Microsoft sysinternals AutoRuns data
; at 0x1c
PC bitmap, Windows 3.x format, 16 x 16 x 1,
image size 64, cbSize 126, bits offset 62
; at 0x9a
PC bitmap, Windows 3.x format, 16 x 16 x 32,
image size 1024, cbSize 1078, bits offset 54
WIN8-27Mai2021-2nd.bmp: PC bitmap, Windows 3.x format, 24 x 24 x 32,
image size 2304, cbSize 2358, bits offset 54
WIN8-27Mai2021.arn: Microsoft sysinternals AutoRuns data; at 0x1c
PC bitmap, Windows 3.x format, 24 x 24 x 1,
image size 96, cbSize 158, bits offset 62
; at 0xba
PC bitmap, Windows 3.x format, 24 x 24 x 32,
image size 2304, cbSize 2358, bits offset 54
WIN8-27Mai2021.bmp: PC bitmap, Windows 3.x format, 24 x 24 x 1,
image size 96, cbSize 158, bits offset 62
WIN8-4Dez2019.arn: Microsoft sysinternals AutoRuns data; at 0x1c
PC bitmap, Windows 3.x format, 24 x 24 x 1,
image size 96, cbSize 158, bits offset 62
; at 0xba
PC bitmap, Windows 3.x format, 24 x 24 x 32,
image size 2304, cbSize 2358, bits offset 54
v13.100.arn: Microsoft sysinternals AutoRuns data; at 0x1c
PC bitmap, Windows 3.x format, 24 x 24 x 1,
image size 96, cbSize 158, bits offset 62
; at 0xba
PC bitmap, Windows 3.x format, 24 x 24 x 32,
image size 2304, cbSize 2358, bits offset 54
I hope my diff file can be applied in future version of file
utility.
Unfortunately newer ARN examples (about middle of year 2021) use
another file format. I will try to do this in a future session.
With best wishes,
Jörg Jenderek
- --
Jörg Jenderek
-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
iF0EARECAB0WIQS5/qNWKD4ASGOJGL+v8rHJQhrU1gUCYye6zgAKCRCv8rHJQhrU
1rFpAJsFlUw7R02nzdOC+mZvCLVgDDbvgwCfWTdlPIUA/gDGFSHXQk8SbzqsgVw=
=I7ou
-----END PGP SIGNATURE-----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: trid-v-arn.txt.gz
Type: application/x-gzip
Size: 810 bytes
Desc: not available
URL: <https://mailman.astron.com/pipermail/file/attachments/20220919/7a62b8db/attachment.bin>
-------------- next part --------------
--- file-5.43/magic/Magdir/windows.old 2022-07-06 20:56:40.000000000 +0200
+++ file-5.43/magic/Magdir/windows 2022-09-19 02:03:15.795713700 +0200
@@ -1370,3 +1370,35 @@
# ... LOGHANDLE
>0 ubelong x ...
#
+
+# From: Joerg Jenderek
+# URL: https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
+# Reference: http://mark0.net/download/triddefs_xml.7z/defs/a/arn-autoruns.trid.xml
+# Note: older variant til about 2021 called "Sysinternals Autoruns data" by TrID and
+# "Autoruns Log File" by Windows registry via key Autoruns.Logfile.1
+0 string ARN_
+>28 string BM Microsoft sysinternals AutoRuns data
+#!:mime application/octet-stream
+!:mime application/x-ms-arn
+# like: MyHOSTNAME.arn
+!:ext arn
+# # unknown4 like: 0600000014000000
+# >>4 ubequad !0x0600000014000000 \b, at 4 %#16.16llx
+# # unknown12 like: 1b 1c 1d 20 26 27 28 29 2a 2b 2d 4f
+# >>12 ubyte x \b, at 12 %#2.2x
+# # unknown16 like: 010000000
+# >>16 ubelong !0x01000000 \b, at 16 %#8.8x
+# # unknown20 like: 08000000 0c00000
+# #>>20 ubelong x \b, at 20 %#8.8x
+# >>20 ubyte x \b, at 20 %#2.2x
+# # unknown24 like: 08000000 0c000000
+# #>>24 ubelong !0x08000000 \b, at 24 %#8.8x
+# >>24 ubyte x \b, at 24 %#2.2x
+# embedded PC bitmaps handled by ./images
+>>28 indirect x \b; at 0x1c
+# cbSize of 1st PC bitmap determines offset of 2nd PC bitmap
+#>>30 ulelong x \b, CBSIZE=%u
+>>30 ulelong+28 x \b; at %#x
+#>>(30.l+28) string x 2ND_BITMAP_MAGIC=%-.2s
+# second PC bitmap handled by ./images
+>>(30.l+28) indirect x
-------------- next part --------------
A non-text attachment was scrubbed...
Name: file-5.43-windows-arn.diff.sig
Type: application/octet-stream
Size: 963 bytes
Desc: not available
URL: <https://mailman.astron.com/pipermail/file/attachments/20220919/7a62b8db/attachment.obj>
More information about the File
mailing list