House of Hackers

Not so long ago, I found one of the most bizarre bugs I have seen. There seems to be a bug in how explorer.exe parses the command line it reads from the registry for the file types it handles. This was checked on Windows XP SP3, but I guess it exists in SP2 too. The bug allows controlling the icon that appears in the "Open File - Security Warning" dialog for every executable downloaded from the internet.

Each time you download a file from the internet or an intranet onto an NTFS volume, an ADS (Alternate Data Stream) named "Zone.Identifier" is attached to it. This hidden stream holds a small ini file that records the zone the file came from, such as the internet or the local network (intranet).

You can display it from cmd with the following:

more < exe_from_internet.exe:Zone.Identifier

The ini contents are printed to the screen:
[ZoneTransfer]
ZoneId=3

When you "click" (ShellExecute) a file whose handler is explorer.exe, the Zone.Identifier stream is checked, and if the zone is 3 (internet) the following dialog appears:


It turns out that each time you open an executable that came from the internet, the icon shown in this dialog is loaded from an executable file named ".exe" or "%1" found in any directory of the "PATH" environment variable of the user running explorer.exe, for example:

c:\.exe
c:\windows\.exe


You can create such a file with "cmd /c type c:\windows\system32\calc.exe > c:\windows\.exe", or write code that uses CreateFile :)
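As an added example (not code from the original post), the following Python parses the Zone.Identifier contents shown above and audits a list of directories, such as the user's PATH, for the ".exe" and "%1" file names the post says explorer.exe loads the dialog icon from. The ADS read itself only works on Windows/NTFS; the sample stream contents, the zone-name table and all function names are this example's own assumptions.

```python
"""Added example (not from the original post): parse a Zone.Identifier
stream and audit PATH-style directories for planted ".exe" / "%1" files.
Zone numbers follow the URL security zone numbering (0 local machine,
1 intranet, 2 trusted, 3 internet, 4 restricted)."""
import configparser
import os
from typing import Dict, List, Optional

ZONE_NAMES: Dict[int, str] = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

# Constructed sample of the stream contents shown in the post.
SAMPLE_ZONE_IDENTIFIER = "[ZoneTransfer]\r\nZoneId=3\r\n"

# File names the post says explorer.exe looks up on PATH for the dialog icon.
PLANTED_NAMES = (".exe", "%1")


def parse_zone_identifier(text: str) -> Optional[int]:
    """Return the ZoneId from Zone.Identifier text, or None if absent or malformed."""
    # interpolation=None so '%' in other keys (e.g. encoded URLs) cannot break parsing
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(text)
        return parser.getint("ZoneTransfer", "ZoneId")
    except (configparser.Error, ValueError):
        return None


def zone_name(zone_id: Optional[int]) -> str:
    """Human-readable zone for a parsed ZoneId."""
    if zone_id is None:
        return "No zone marker (not a download, or stream missing)"
    return ZONE_NAMES.get(zone_id, f"Unknown zone {zone_id}")


def read_zone_identifier(path: str) -> Optional[int]:
    """Read the ADS on NTFS (Windows only: 'file:Zone.Identifier' path syntax).
    Returns None on other platforms or when the stream is absent."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None


def find_planted_icon_files(path_dirs: List[str]) -> List[str]:
    """Return full paths of '.exe' or '%1' files present in the given directories.
    Pass os.environ['PATH'].split(os.pathsep) for a live audit of the current user."""
    hits: List[str] = []
    for d in path_dirs:
        if not d:
            continue  # empty PATH entries are skipped
        for name in PLANTED_NAMES:
            candidate = os.path.join(d, name)
            if os.path.isfile(candidate):
                hits.append(candidate)
    return hits


if __name__ == "__main__":
    print(zone_name(parse_zone_identifier(SAMPLE_ZONE_IDENTIFIER)))
    for hit in find_planted_icon_files(os.environ.get("PATH", "").split(os.pathsep)):
        print("suspicious PATH entry:", hit)
```

A file named ".exe" or "%1" has no legitimate reason to exist in a PATH directory, so any hit from the audit is worth investigating; the Zone.Identifier parser is the same check the dialog itself performs before deciding whether to warn.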

The file open request is FASTIO_NETWORK_QUERY_OPEN, and the icon is cached in memory until the explorer.exe process terminates. If you want to explore this case further, here is the call stack:


Comment by Der Jäger on May 21, 2009 at 11:10pm
Great post. Thanks.
Comment by vnsec on March 2, 2009 at 2:04pm
Try this, man! http://freereverseip.com
==>The best service to find all websites on a host
And more...
Comment by Ryan on February 13, 2009 at 2:53pm
Nice read! Thanks for the post!
Comment by boyz27 on December 27, 2008 at 7:21am
Which software do you use to make a stack of system process? Plz tell me where I can download that.
Comment by root on December 26, 2008 at 4:02pm
Nice read! Thanks for the post!

About

pdp created this Ning Network.

© 2009 Created by pdp on Ning.
