[File] [PATCH] Magdir/windows for Remote Desktop Protocol connection *.rdp

Christos Zoulas christos at zoulas.com
Mon Feb 20 15:28:26 UTC 2023

Committed, thanks!


> On Feb 18, 2023, at 5:30 PM, Jörg Jenderek <joerg.jen.der.ek at gmx.net> wrote:
> Hash: SHA1
> Hello,
> some days ago i read an interesting article in German computer
> magazine c't in number 24 from 2022. There was described the
> efforts and methods of Microsoft to protect their system.
> Unfortunately Microsoft is non-transparent like FIFA and do not
> exactly explain why something is happing. Luckily in the article 39
> file name suffix are listed which considered to be potential
> dangerous. One extension is RDP.
> So i look on my Systems for such files. When running file command
> version 5.44 on such samples i get an output like:
> Default-1.rdp: ASCII text, with CRLF line terminators
> Default.rdp:   ASCII text, with CRLF line terminators
> With option --extension only 3 byte sequence ??? is shown and with -i
> option only generic text/plain is shown.
> For comparison reason i run the file format identification utility
> TrID ( See https://mark0.net/soft-trid-e.html). My ASCII like
> examples are described correctly as "Remote Desktop Connection
> Settings" by rdp.trid.xml (See appended trid-v-rdp.txt.gz).
> For comparison reason i also run the file format identification
> utility DROID ( See https://sourceforge.net/projects/droid/).
> This does not recognize the samples.
> With the help of output of TrID i find a page about Supported RDP
> properties with Remote Desktop Services on Microsoft server. So that
> informations are expressed inside Magdir/windows by comment lines lik
> e:
> # URL:		https://learn.microsoft.com/en-us/windows-server/
> #		remote/remote-desktop-services/clients/rdp-files
> # Reference:	http://mark0.net/download/triddefs_xml.7z
> #		defs/r/rdp.trid.xml
> Apparently the RDP files contain instructions for Remote Desktop
> connection in text form, where every line contains a variable value
> relation. According to TrID the screen mode instruction comes always
> first. According to documentation 2 values occur. The value 1 means
> session appear in a window mode and 2 means session appear full
> screen mode. So this is used as recognition inside Magdir/windows by
> new lines like:
> 0 string screen\040mode\040id:i: Remote Desktop Protocol connection
> !:mime	text/x-ms-rdp
> !:ext	rdp
>> 17	string	1			\b, window mode
>> 17	string	2			\b, full screen mode
> Instead of generic text/plain i choose an user defined one, because
> on Windows the standard to handle "such" text file is the Microsoft
> Terminal Services Client mstsc.exe. I believe that this is the reason
> why this is considered by Microsoft itself as dangerous.
> After applying the above mentioned modifications by patch
> file-5.44-windows-rdp.diff then my RDP samples are
> now described. This now then looks like:
> Default-1.rdp: Remote Desktop Protocol connection, full screen mode
> Default.rdp:   Remote Desktop Protocol connection, full screen mode
> I hope my diff file can be applied in future version of file
> utility.
> According to TrID there exist also a variant using UTF-16, but i
> found no such samples on my systems.
> With best wishes,
> Jörg Jenderek
> - --
> Jörg Jenderek
> Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
> 1ns0AKDVKBGqfAcV5ucKioNQgf+1jvCOzgCeOX86VDiCqNThbo1/y5x4B5spt40=
> =I/0h
> <trid-v-rdp.txt.gz><file-5_44-windows-rdp_diff.DEFANGED-144196><file-5_44-windows-rdp_diff_sig.DEFANGED-144197>--
> File mailing list
> File at astron.com
> https://mailman.astron.com/mailman/listinfo/file
> <sanitizer.log>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 235 bytes
Desc: Message signed with OpenPGP
URL: <https://mailman.astron.com/pipermail/file/attachments/20230220/155c9b60/attachment.asc>

More information about the File mailing list