FALSE JPG,TXT,LOG or Microsoft sucks.
Hi I found something curious in windows (XP,W7,W2003) I don't know if already exist or if somebody more already has tries with this but I'm going to try to explain it.
If we change the extension of the some executable of windows, for example :
C:\windows\notepad.exe to C:\Windows\notepad.pmp
And we tried to execute it from the explorer doesn't happen nothing, but if we open a prompt (cmd) and type
C:\Windows\notepad.pmp and press enter
EUREKA the executable is open so may be you could think well is a executable in windows folder… but if you try with any other executable out of windows folder going to have the same behavior.
I tried too changes the same with AcrobatReader.exe I have changed for : troyano.jpg, troyano.mdd, troyano.txt, troyano.log and it has the same behavior.
Additionally I though in something more and I put the path in the RUN key of REGISTRY to try but doesn't work, but if we create a bat file that call the executable doesn't have problems.
Example : copy con troyano.bat C:\Windows\notepad.pmp
I think that is a good idea if you have imagination and I would like to help with something.
Interesting. I'd bet it has something to do with environment variables in CMD and explorer being different. Running from explorer shell and running from prompt are two distinctly different things. Here's the list of CMD vars:
and this CMD tutorial seems to describe it best:
The key text here being "Cmd.exe recognizes files with .com, .exe, .bat, .cmd, .vbs, .js, and .ws extensions, and any other extensions that are defined by the PATHEXT environment variable as executable files, but it can also run files without these known extensions if the file's binary image contains an executable header."
It seems CMD views extensions as arbitrary as long as the necessary header info is contained inside the file.
That being said, I'm no Windows expert and these are only suggestions. Hit up the DOS team members or the IRC for more info.
Thanks and I already knew that.. but seemed to me interesting because we can change too the extension of the jpg or other files and we can have a similar behavior for example :
c:\windows\Azteca.bmp c:\windows\Azteca.log
If we give double click from explorer it tries to open as log file but if we open with mspaint from prompt, it works.
c:\mspaint c:\windows\Azteca.log
I just tried to explain something that could help someone to hide or to explore options in MSwindows.
Thanks…
CMD reads the header of a file before executing. If it finds the file is an executable binary, it will execute it. Also, CMD knows how to open different file extensions based on settings provided in explorer. If you right-click a file and tell explorer to always open files of that extension with a specific program, CMD will open it with the specified program.
If you type "set" into CMD, you will see that environment variables don't define which programs handle specific file extensions. If you check the registry, HKEY_LOCAL_MACHINE\SOFTWARE\Classes tells explorer which programs handle which extensions. CMD reads this so it can know how to open the file. CMD reads the header of an unknown file and if it matches a definition in the HKEY_LOCAL_MACHINE\SOFTWARE\Classes, it will try to open it with that program.
EDIT: Fixed a grammatical error.
Because the metadata/file date is still the same and visible in plain text, you're not really too secure. It's still going to hash out the same, so you're not protected against signature based detection or forensic analysis.
It's still a neat idea tho. I've also heard about shrinking an image to 1pixel by 1pixel, and store it as a period in a word document. You can even go to the trouble of making a semicolon with a comma/pic so that it doesn't set off the spell check. You could also make a file a shortcut to control panel - so when you run it control panel actually opens.
But they are still plain text…