[File] [PATCH] Magdir/windows for Remote Desktop Protocol connection *.rdp
christos at zoulas.com
Mon Feb 20 15:28:26 UTC 2023
> On Feb 18, 2023, at 5:30 PM, Jörg Jenderek <joerg.jen.der.ek at gmx.net> wrote:
> Some days ago I read an interesting article in the German computer
> magazine c't, number 24 from 2022. It described the efforts and
> methods of Microsoft to protect their system.
> Unfortunately Microsoft is non-transparent like FIFA and does not
> exactly explain why something is happening. Luckily, in the article 39
> file name suffixes are listed which are considered to be potentially
> dangerous. One extension is RDP.
> So I looked on my systems for such files. When running the file command
> version 5.44 on such samples I get an output like:
> Default-1.rdp: ASCII text, with CRLF line terminators
> Default.rdp: ASCII text, with CRLF line terminators
> With option --extension only the 3 byte sequence ??? is shown, and with the -i
> option only generic text/plain is shown.
> For comparison reasons I ran the file format identification utility
> TrID (see https://mark0.net/soft-trid-e.html). My ASCII-like
> examples are described correctly as "Remote Desktop Connection
> Settings" by rdp.trid.xml (see appended trid-v-rdp.txt.gz).
> For comparison reasons I also ran the file format identification
> utility DROID (see https://sourceforge.net/projects/droid/).
> This does not recognize the samples.
> With the help of the output of TrID I found a page about supported RDP
> properties with Remote Desktop Services on a Microsoft server. So this
> information is expressed inside Magdir/windows by comment lines like:
> # URL: https://learn.microsoft.com/en-us/windows-server/
> # remote/remote-desktop-services/clients/rdp-files
> # Reference: http://mark0.net/download/triddefs_xml.7z
> # defs/r/rdp.trid.xml
> Apparently the RDP files contain instructions for a Remote Desktop
> connection in text form, where every line contains a variable-value
> relation. According to TrID the screen mode instruction always comes
> first. According to the documentation 2 values occur. The value 1 means
> the session appears in window mode and 2 means the session appears in full
> screen mode. So this is used for recognition inside Magdir/windows by
> new lines like:
> 0 string screen\040mode\040id:i: Remote Desktop Protocol connection
> !:mime text/x-ms-rdp
> !:ext rdp
>> 17 string 1 \b, window mode
>> 17 string 2 \b, full screen mode
> Instead of generic text/plain I chose a user-defined one, because
> on Windows the standard way to handle "such" text files is the Microsoft
> Terminal Services Client mstsc.exe. I believe that this is the reason
> why this is considered by Microsoft itself as dangerous.
> After applying the above mentioned modifications by the patch
> file file-5.44-windows-rdp.diff, my RDP samples are
> now described. This then looks like:
> Default-1.rdp: Remote Desktop Protocol connection, full screen mode
> Default.rdp: Remote Desktop Protocol connection, full screen mode
> I hope my diff file can be applied in a future version of file.
> According to TrID there also exists a variant using UTF-16, but I
> found no such samples on my systems.
> With best wishes,
> Jörg Jenderek
> - --
> Jörg Jenderek
> File mailing list
> File at astron.com
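The recognition rule in the quoted patch (literal "screen mode id:i:" at offset 0, mode digit at offset 17), as an added example that is not part of this thread or of the file(1) project: a small Python checker that applies the same test to raw bytes and additionally parses the name:type:value lines, so a mail gateway or forensic script can identify RDP content by its bytes rather than its extension and see which host and user name a file would connect with. The sample file is constructed, and the UTF-16 handling (a BOM-prefixed UTF-16LE variant transcoded before the offset test) is an assumption; the thread only says such a variant exists.

```python
from typing import Dict, Optional, Union

# Constructed sample in the mstsc.exe text format (CRLF, "name:type:value" lines).
SAMPLE_RDP = (
    b"screen mode id:i:2\r\n"
    b"desktopwidth:i:1920\r\n"
    b"desktopheight:i:1080\r\n"
    b"full address:s:rdp.example.invalid\r\n"
    b"username:s:alice\r\n"
)

# The string the proposed magic entry tests at offset 0; the mode digit
# follows at offset 17 (len(MAGIC) == 17), exactly as in the ">17 string" lines.
MAGIC = b"screen mode id:i:"
MODE_NAMES = {b"1": "window mode", b"2": "full screen mode"}


def _as_ascii(data: bytes) -> bytes:
    """Return the content as ASCII bytes.

    Assumption (not from the thread): the UTF-16 variant is UTF-16LE with a
    BOM; it is transcoded so the same offset-based test applies to it.
    """
    if data.startswith(b"\xff\xfe"):
        try:
            return data[2:].decode("utf-16-le").encode("ascii", "replace")
        except UnicodeDecodeError:
            return data
    return data


def identify_rdp(data: bytes) -> Optional[str]:
    """Mirror the proposed Magdir/windows rules; None when they do not match."""
    body = _as_ascii(data)
    if not body.startswith(MAGIC):
        return None
    desc = "Remote Desktop Protocol connection"
    mode = MODE_NAMES.get(body[17:18])
    # An unknown mode digit still matches the top-level entry, as in file(1).
    return f"{desc}, {mode}" if mode else desc


def parse_rdp(data: bytes) -> Dict[str, Union[int, str]]:
    """Parse name:type:value lines; 'i' values become int, others stay str."""
    settings: Dict[str, Union[int, str]] = {}
    for raw in _as_ascii(data).splitlines():
        line = raw.decode("ascii", "replace").strip()
        if not line:
            continue
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue  # not a setting line; skip rather than fail on odd input
        name, kind, value = parts
        if kind == "i" and value.lstrip("-").isdigit():
            settings[name] = int(value)
        else:
            settings[name] = value
    return settings


if __name__ == "__main__":
    print(identify_rdp(SAMPLE_RDP))
    for key, val in parse_rdp(SAMPLE_RDP).items():
        print(f"  {key} = {val!r}")
```

Because the check keys on content and not on the .rdp suffix, it also catches such files delivered under another extension; the parsed "full address" and "username" values are what an analyst would want to log when triaging one.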