[File] [PATCH] Magdir/windows for Remote Desktop Protocol connection *.rdp

Jörg Jenderek joerg.jen.der.ek at gmx.net
Sat Feb 18 22:30:09 UTC 2023



Hello,

Some days ago I read an interesting article in the German computer
magazine c't, number 24 from 2022. It described the efforts and
methods of Microsoft to protect their system. Unfortunately
Microsoft is non-transparent like FIFA and does not exactly explain
why something is happening. Luckily, the article lists 39 file name
suffixes which are considered to be potentially dangerous. One
extension is RDP.

So I looked on my systems for such files. When running the file
command version 5.44 on such samples I get an output like:

Default-1.rdp: ASCII text, with CRLF line terminators
Default.rdp:   ASCII text, with CRLF line terminators

With option --extension only the 3 byte sequence ??? is shown, and
with the -i option only the generic text/plain is shown.

For comparison I ran the file format identification utility TrID
(see https://mark0.net/soft-trid-e.html). My ASCII-like examples are
described correctly as "Remote Desktop Connection Settings" by
rdp.trid.xml (see the appended trid-v-rdp.txt.gz).

For comparison I also ran the file format identification utility
DROID (see https://sourceforge.net/projects/droid/). This does not
recognize the samples.

With the help of the output of TrID I found a page about supported
RDP properties with Remote Desktop Services on Microsoft's server.
So this information is expressed inside Magdir/windows by comment
lines like:
# URL:		https://learn.microsoft.com/en-us/windows-server/
#		remote/remote-desktop-services/clients/rdp-files
# Reference:	http://mark0.net/download/triddefs_xml.7z
#		defs/r/rdp.trid.xml

Apparently the RDP files contain instructions for a Remote Desktop
connection in text form, where every line contains a variable-value
relation. According to TrID the screen mode instruction always comes
first. According to the documentation 2 values occur. The value 1
means the session appears in window mode and 2 means the session
appears in full screen mode. So this is used for recognition inside
Magdir/windows by new lines like:
 0 string screen\040mode\040id:i: Remote Desktop Protocol connection
 !:mime	text/x-ms-rdp
 !:ext	rdp
 >17	string	1			\b, window mode
 >17	string	2			\b, full screen mode

Instead of the generic text/plain I chose a user defined one,
because on Windows the standard handler for "such" text files is the
Microsoft Terminal Services Client mstsc.exe. I believe that this is
the reason why this is considered by Microsoft itself as dangerous.

After applying the above mentioned modifications by the patch file
file-5.44-windows-rdp.diff, my RDP samples are now described. This
now looks like:

Default-1.rdp: Remote Desktop Protocol connection, full screen mode
Default.rdp:   Remote Desktop Protocol connection, full screen mode

I hope my diff file can be applied in a future version of the file
utility.

According to TrID there also exists a variant using UTF-16, but I
found no such samples on my systems.

With best wishes,
Jörg Jenderek
--
Jörg Jenderek
-------------- next part --------------
A non-text attachment was scrubbed...
Name: trid-v-rdp.txt.gz
Type: application/x-gzip
Size: 453 bytes
Desc: not available
URL: <https://mailman.astron.com/pipermail/file/attachments/20230218/221416c0/attachment.bin>
-------------- next part --------------
--- file-5.44/magic/Magdir/windows.old	2022-12-02 17:18:19.000000000 +0100
+++ file-5.44/magic/Magdir/windows	2023-02-18 23:17:24.117989200 +0100
@@ -1434,3 +1434,17 @@
 # ... LOGHANDLE
 >0		ubelong		x	...
 #
+
+# Summary:	Microsoft Remote Desktop Protocol connection
+# From:		Joerg Jenderek
+# URL:		https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/rdp-files
+# Reference:	http://mark0.net/download/triddefs_xml.7z/defs/r/rdp.trid.xml
+# Note:		called "Remote Desktop Connection Settings" by TrID
+0	string		screen\040mode\040id:i:	Remote Desktop Protocol connection
+#!:mime	text/plain
+!:mime	text/x-ms-rdp
+!:ext	rdp
+# Screen mode: 1~session appear in a window 2~session appear full screen
+>17	string		1			\b, window mode
+>17	string		2			\b, full screen mode
+
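Review bot: the rule only matches when `screen mode id:i:` is the very first line and the file is 8-bit text, so the UTF-16 variant you mention from TrID, and any hand-edited .rdp whose screen mode line is not first, will still fall through to "ASCII text"; consider either a second rule for the UTF-16 form or a comment in the hunk stating that only the 8-bit, screen-mode-first layout is covered. Two smaller points in the same hunk: the commented-out `#!:mime	text/plain` line is a leftover and should be dropped (the reasoning for `text/x-ms-rdp` belongs in a `# Note:` comment instead), and `>17 string 1` matches any value starting with the byte "1", which is fine given the documented values 1 and 2 but worth a comment. Also "1~session appear in a window" reads better as "appears".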
-------------- next part --------------
A non-text attachment was scrubbed...
Name: file-5.44-windows-rdp.diff.sig
Type: application/octet-stream
Size: 637 bytes
Desc: not available
URL: <https://mailman.astron.com/pipermail/file/attachments/20230218/221416c0/attachment.obj>
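The rule above, re-implemented as an added example so the recognition logic can be checked outside file(1): this is not code from the patch or from the file project. It mirrors the offset-0 test and the byte-at-17 test exactly, and adds a small parser for the `name:type:value` lines such files are made of (the sample input, the `full address:s:` line in it, and the assumption that only the `i` and `s` types occur are mine, not from the message).

```python
"""Added example: Python re-implementation of the proposed Magdir/windows
rule for .rdp files, plus a parser for the key:type:value lines.
Not part of file(1) or of the patch in this message."""
import re
from typing import Optional

# Exact bytes the magic rule tests at offset 0 ("\040" is a space in magic syntax).
RDP_MAGIC = b"screen mode id:i:"          # 17 bytes, so the value starts at offset 17


def describe_rdp(data: bytes) -> Optional[str]:
    """Return the description file(1) would print with the patch, or None."""
    if not data.startswith(RDP_MAGIC):
        return None                        # not first line => rule does not fire
    desc = "Remote Desktop Protocol connection"
    mode = data[17:18]                     # the rule compares one byte against "1"/"2"
    if mode == b"1":
        desc += ", window mode"
    elif mode == b"2":
        desc += ", full screen mode"
    return desc                            # any other value: bare description only


# One .rdp line is "<name>:<type>:<value>".  Assumption: the type letter is
# i (integer) or s (string) and names never contain ':'.
_LINE = re.compile(rb"^([^:]+):([is]):(.*)$")


def parse_rdp(data: bytes) -> dict:
    """Return {name: value}; 'i' values become int.  Odd lines are skipped."""
    settings = {}
    for raw in data.splitlines():
        m = _LINE.match(raw.rstrip(b"\r"))  # tolerate CRLF as in the samples
        if not m:
            continue
        name, typ, value = (x.decode("ascii", "replace") for x in m.groups())
        if typ == "i" and value.lstrip("-").isdigit():
            settings[name] = int(value)
        else:
            settings[name] = value
    return settings


# Constructed sample in the style of a Default.rdp, CRLF terminated.
SAMPLE = b"screen mode id:i:2\r\nfull address:s:host.example.invalid\r\n"

if __name__ == "__main__":
    print(describe_rdp(SAMPLE))   # Remote Desktop Protocol connection, full screen mode
    print(parse_rdp(SAMPLE))
```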

