[File] [PATCH] Magdir/ole2compounddocs for newer Microsoft Sysinternals Autoruns *.ARN

Jörg Jenderek joerg.jen.der.ek at gmx.net
Tue Sep 27 23:47:00 UTC 2022



Hello,

Some days ago I ran the cleaning tool czkawka found at
https://qarmin.github.io/czkawka/. One menu item concerns bad
extensions. After running the tool I looked in the saved file list
results_bad_extensions.txt for examples of bad extensions.
One listed extension is ARN. These files were generated by the Autoruns
tool from the Microsoft Sysinternals suite. On Windows these are called
"Autoruns Log File" or "Autoruns files" by the registry via the key
Autoruns.Logfile.1.

Some days ago I sent a patch for older ARN samples. The ARN examples
produced by versions 14.0 and 14.09 use a completely different file format
introduced in the middle of 2021.

When running file command version 5.43 with the -e cdf option on the newer
examples I get output like:

v14.0.arn:           OLE 2 Compound Document, v3.62, SecID 0x1,
		     76 FAT sectors, Mini FAT start sector 0x2,
		     124 Mini FAT sectors : UNKNOWN with names
		     Header Items 0
v14.09.arn:          OLE 2 Compound Document, v3.62, SecID 0x1,
		     102 FAT sectors, Mini FAT start sector 0x2,
		     171 Mini FAT sectors : UNKNOWN with names
		     Header Items 0
win10-10Mar2022.arn: OLE 2 Compound Document, v3.62, SecID 0x1,
		     121 FAT sectors, Mini FAT start sector 0x2,
		     210 Mini FAT sectors, DIFAT start sector 0x27f9,
		     1 DIFAT sectors : UNKNOWN with names
		     Header Items 0
win10-21Sep2021.arn: OLE 2 Compound Document, v3.62, SecID 0x1,
		     5 FAT sectors, Mini FAT start sector 0x2
		     : UNKNOWN with names
		     Header Items 0
win10-Mai2022.arn:   OLE 2 Compound Document, v3.62, SecID 0x1,
		     122 FAT sectors, Mini FAT start sector 0x2,
		     222 Mini FAT sectors, DIFAT start sector 0x2880,
		     1 DIFAT sectors : UNKNOWN with names
		     Header Items 0
win10-Sep2022.arn:   OLE 2 Compound Document, v3.62, SecID 0x1,
		     125 FAT sectors, Mini FAT start sector 0x2,
		     237 Mini FAT sectors, DIFAT start sector 0x29e5,
		     1 DIFAT sectors : UNKNOWN with names
		     Header Items 0

Furthermore, for such ARN samples only the generic MIME type
application/x-ole-storage is shown with the -i and -e cdf options. With
the option --extension only the 3-byte sequence ??? is shown.

When running the file command with -e soft or with no extra option on the
inspected examples I get output like:

v14.0.arn:           Composite Document File V2 Document,
		     Cannot read section info
v14.09.arn:          Composite Document File V2 Document,
		     Cannot read section info
win10-10Mar2022.arn: Composite Document File V2 Document,
		     Cannot read section info
win10-21Sep2021.arn: Composite Document File V2 Document,
		     Cannot read section info
win10-Mai2022.arn:   Composite Document File V2 Document,
		     Cannot read section info
win10-Sep2022.arn:   Composite Document File V2 Document,
		     Cannot read section info

For comparison I ran the file format identification utility
TrID (see https://mark0.net/soft-trid-e.html). This identifies
all fed examples with low priority as "Generic OLE2 / Multistream
Compound" by docfile.trid.xml. The ARN examples are also
described with a high rate as "Sysinternals Autoruns data (v14)"
by arn-autoruns-14.trid.xml (see the appended trid-v-arn.txt.gz).

For comparison I also ran the file format identification
utility DROID (see https://sourceforge.net/projects/droid/). This
identifies the examples generically as "OLE2 Compound Document Format"
by the signature fmt/111.

Unfortunately I found not even a little hint with information about the
file format. All sites show nearly the same information: how to use the
tool, but nothing about the file format. So that information is expressed
by comment lines inside Magdir/ole2compounddocs like:

# URL:		https://learn.microsoft.com/en-us/sysinternals/
#		downloads/autoruns
# Reference:	http://mark0.net/download/triddefs_xml.7z/
#		defs/a/arn-autoruns-v14.trid.xml

The examples are recognized as "OLE 2 Compound Document"
by the starting bytes (\320\317\021\340\241\261\032\341) at the beginning
inside Magdir/ole2compounddocs. Obviously there exists no code
fragment to do sub-class identification. So the examples are
described as "UNKNOWN". Furthermore the examples have no registered
Root storage object CLSID, or this value is nil. In that case the file
command would afterwards display this information by a phrase like
", clsid 0xc0c7266eb98cd311a1c800c04f612452". That means that code
must be added in the branch handling CLSID GUID 0.

So the second entry for such ARN examples apparently seems to
always start with the phrase Header encoded as a UTF-16 string after the
first directory entry, which is always "Root Entry". The third and fourth
directory entries seem to always be Items and 0.

The last similar entry was Microsoft old Systeminfo (*.nfo).
So I add afterwards lines for my inspected examples. That looks like:
 >>>>128 lestring16 Header : Microsoft sysinternals AutoRuns data,
 !:mime	application/x-ms-arn
 !:ext	arn
Instead of the generic application/x-ole-storage I chose a user-defined
MIME type.

Because ARN files are OLE2 Compound containers we can inspect such
examples with suitable tools like Michal Mutl's Structured Storage Viewer,
for example. There we see that such examples contain 4 main
streams. Two (Header, Items) are mentioned by the file command and two
others are named LargeIcons and SmallIcons. The 0 entry is the
first sub-directory of the Items entry. There exist several hundred more
numbered entries (increasing by one). The Header entry consists mainly
of the string Autoruns encoded as UTF-16.

After applying the above-mentioned modifications by the patch file
file-5.43-ole2compounddocs-arn.diff, all my newer inspected
Sysinternals Autoruns samples are now described with more details.
With the option -e cdf this now looks like:

v14.0.arn:           OLE 2 Compound Document, v3.62, SecID 0x1,
		     76 FAT sectors, Mini FAT start sector 0x2,
		     124 Mini FAT sectors
		     : Microsoft sysinternals AutoRuns data
		     , version 14
v14.09.arn:          OLE 2 Compound Document, v3.62, SecID 0x1,
		     102 FAT sectors, Mini FAT start sector 0x2,
		     171 Mini FAT sectors
		     : Microsoft sysinternals AutoRuns data
		     , version 14
win10-10Mar2022.arn: OLE 2 Compound Document, v3.62, SecID 0x1,
		     121 FAT sectors, Mini FAT start sector 0x2,
		     210 Mini FAT sectors, DIFAT start sector 0x27f9,
		     1 DIFAT sectors
		     : Microsoft sysinternals AutoRuns data
		     , version 14
win10-21Sep2021.arn: OLE 2 Compound Document, v3.62, SecID 0x1,
		     5 FAT sectors, Mini FAT start sector 0x2
		     : Microsoft sysinternals AutoRuns data
		     , version 14
win10-Mai2022.arn:   OLE 2 Compound Document, v3.62, SecID 0x1,
		     122 FAT sectors, Mini FAT start sector 0x2,
		     222 Mini FAT sectors, DIFAT start sector 0x2880,
		     1 DIFAT sectors
		     : Microsoft sysinternals AutoRuns data
		     , version 14
win10-Sep2022.arn:   OLE 2 Compound Document, v3.62, SecID 0x1,
		     125 FAT sectors, Mini FAT start sector 0x2,
		     237 Mini FAT sectors, DIFAT start sector 0x29e5,
		     1 DIFAT sectors
		     : Microsoft sysinternals AutoRuns data
		     , version 14

I hope my diff file can be applied in a future version of the file
utility.

With best wishes,
Jörg Jenderek
--
Jörg Jenderek
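The directory-entry check behind the proposed magic, written out as a small
stand-alone parser. This is an added example and is not code from the
mail, from the file utility or from Sysinternals: it reads the OLE2 header,
follows the FAT chain of the directory (with a loop guard, because a
hostile file can point the chain at itself), decodes the 128-byte entries
in physical order as the `>>>>128` / `>>>>384` offsets in the magic do, and
then applies the three sub-class rules quoted in this thread. One
deliberate difference is labelled in the code: the Autoruns rule here
requires all three names Header, Items and 0, not only Header as the
posted magic line does. The sample compound file is constructed in the
example (`build_cfb`), so nothing here is a real Autoruns capture.

```python
import struct

# Constants from the compound file binary format ([MS-CFB]).
CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ENDOFCHAIN = 0xFFFFFFFE
FREESECT = 0xFFFFFFFF
FATSECT = 0xFFFFFFFD
NOSTREAM = 0xFFFFFFFF
HEADER_SIZE = 512
DIR_ENTRY_SIZE = 128

# Sub-class rules mirrored from the Magdir/ole2compounddocs lines quoted in
# this thread. Keys are directory entry indices (offset 128 = entry 1,
# offset 384 = entry 3). The Autoruns rule is deliberately stricter than the
# posted `>>>>128 lestring16 Header` test: it also requires Items and 0,
# which the mail describes but the patch does not test (my tightening).
RULES = [
    ({1: "Control000"}, "Microsoft old Systeminfo"),
    ({1: "Header", 2: "Items", 3: "0"},
     "Microsoft sysinternals AutoRuns data, version 14"),
    ({3: "TemplateID"}, "Microsoft Access wizard template"),
]


def _u16(b, off):
    return struct.unpack_from("<H", b, off)[0]


def _u32(b, off):
    return struct.unpack_from("<I", b, off)[0]


def read_fat(data, sector_size):
    """Collect FAT entries from the FAT sectors listed in the header DIFAT."""
    fat = []
    for sid in struct.unpack_from("<109I", data, 76):
        if sid in (FREESECT, ENDOFCHAIN):
            break
        off = HEADER_SIZE + sid * sector_size
        fat.extend(struct.unpack_from("<%dI" % (sector_size // 4), data, off))
    return fat


def sector_chain(fat, start, limit=4096):
    """Follow a FAT chain; stop on loops or absurd length (corrupt/hostile file)."""
    chain, seen, sid = [], set(), start
    while sid < len(fat) and sid not in seen and len(chain) < limit:
        chain.append(sid)
        seen.add(sid)
        sid = fat[sid]
    return chain


def directory_entries(data):
    """Directory entry names in physical order; None marks an unused/bad entry."""
    if data[:8] != CFB_MAGIC:
        raise ValueError("not an OLE2 compound document")
    sector_size = 1 << _u16(data, 30)
    fat = read_fat(data, sector_size)
    names = []
    for sid in sector_chain(fat, _u32(data, 48)):
        off = HEADER_SIZE + sid * sector_size
        for e in range(off, off + sector_size, DIR_ENTRY_SIZE):
            entry = data[e:e + DIR_ENTRY_SIZE]
            nlen = _u16(entry, 64)  # byte length of the name including NUL
            if nlen < 2 or nlen > 64 or nlen % 2:
                names.append(None)
            else:
                names.append(entry[:nlen - 2].decode("utf-16-le"))
    return names


def classify(data):
    """Return the description the quoted magic rules would give this file."""
    names = directory_entries(data)
    for wanted, description in RULES:
        if all(i < len(names) and names[i] == n for i, n in wanted.items()):
            return description
    return "UNKNOWN with names " + " ".join(n for n in names[1:4] if n)


def build_cfb(entry_names):
    """Constructed v3 compound file: one FAT sector, one directory sector (4
    entries). Test data for this example only, not a real Autoruns file."""
    header = bytearray(HEADER_SIZE)
    header[0:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", header, 24, 0x3E, 3, 0xFFFE, 9, 6)  # v3.62
    struct.pack_into("<IIIIIIII", header, 40, 0, 1, 1, 0, 0x1000,
                     ENDOFCHAIN, 0, ENDOFCHAIN)
    struct.pack_into("<109I", header, 76, 0, *([FREESECT] * 108))
    fat = [FATSECT, ENDOFCHAIN] + [FREESECT] * 126
    directory = bytearray(512)
    for i, name in enumerate(entry_names[:4]):
        raw = name.encode("utf-16-le") + b"\x00\x00"
        entry = bytearray(DIR_ENTRY_SIZE)
        entry[:len(raw)] = raw
        struct.pack_into("<HBB", entry, 64, len(raw), 5 if i == 0 else 1, 1)
        right = i + 1 if 0 < i < len(entry_names) - 1 else NOSTREAM
        child = 1 if i == 0 and len(entry_names) > 1 else NOSTREAM
        struct.pack_into("<III", entry, 68, NOSTREAM, right, child)
        directory[i * DIR_ENTRY_SIZE:(i + 1) * DIR_ENTRY_SIZE] = entry
    return bytes(header) + struct.pack("<128I", *fat) + bytes(directory)


if __name__ == "__main__":
    print(classify(build_cfb(["Root Entry", "Header", "Items", "0"])))
```

Running it on the constructed sample prints the Autoruns description; a
file whose second entry is merely named Header but whose next entries are
something else falls through to the generic "UNKNOWN with names ..." form,
which is the false positive the single-name magic test would not catch.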
-------------- next part --------------
A non-text attachment was scrubbed...
Name: trid-v-arn.txt.gz
Type: application/x-gzip
Size: 654 bytes
Desc: not available
URL: <https://mailman.astron.com/pipermail/file/attachments/20220928/5120d558/attachment.bin>
-------------- next part --------------
--- file-5.43/magic/Magdir/ole2compounddocs.old	2022-09-13 20:05:40.000000000 +0200
+++ file-5.43/magic/Magdir/ole2compounddocs	2022-09-27 21:38:55.398018400 +0200
@@ -198,12 +198,24 @@
 >>>>128 	lestring16	Control000		: Microsoft old Systeminfo
 #!:mime	application/x-ole-storage
 !:mime	application/x-ms-info
 !:ext	nfo
 #
 # From:		Joerg Jenderek
+# URL:		https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
+# Reference:	http://mark0.net/download/triddefs_xml.7z/defs/a/arn-autoruns-v14.trid.xml
+# Note:		older versions til 13 about middle 2021 handled by ./windows
+#		called "Sysinternals Autoruns data (v14)" by TrID
+# second, third and fourth directory entry name like Header Items 0
+>>>>128 	lestring16	Header		: Microsoft sysinternals AutoRuns data, version 14
+#!:mime	application/x-ole-storage
+!:mime		application/x-ms-arn
+# like: MyHOSTNAME.arn
+!:ext		arn
+#
+# From:		Joerg Jenderek
 # URL:		https://en.wikipedia.org/wiki/Microsoft_Access
 # Reference:	http://mark0.net/download/triddefs_xml.7z/defs/m/mdz.trid.xml
 #		http://fileformats.archiveteam.org/wiki/Microsoft_Compound_File
 # Note:		only version foo tested and called "Microsoft Access Wizard template" by TrID
 # Fourth directory entry name TemplateID
 >>>>384 	lestring16	TemplateID		: Microsoft Access wizard template
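Review bot: the new test `>>>>128 lestring16 Header` checks only the second directory entry, although the comment right above it says the second, third and fourth entries are Header, Items and 0; a lone entry named "Header" is generic enough that other OLE2 containers could be reported as Autoruns data. Consider nesting tests for the other two names, for example `>>>>>256 lestring16 Items` and `>>>>>>384 lestring16 0`, and hanging the description, `!:mime` and `!:ext` off the innermost test. Two smaller points in the same hunk: the comment "older versions til 13 about middle 2021" should read "until 13", and since application/x-ms-arn is a user-defined type (as the mail says), the commented-out `#!:mime application/x-ole-storage` line could carry a short note saying so, as the nfo entry above does not.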
-------------- next part --------------
A non-text attachment was scrubbed...
Name: file-5.43-ole2compounddocs-arn.diff.sig
Type: application/octet-stream
Size: 821 bytes
Desc: not available
URL: <https://mailman.astron.com/pipermail/file/attachments/20220928/5120d558/attachment.obj>