any script to find renamed wmf files?

 
 
~greg, 01-02-2006

A whole lot of people right now, running Windows,
need a script to check all the image files already on their
hard drives to see if any of them are actually renamed .wmf files.

It should be trivial to write this,
-if you know what to look for in the files.

Unfortunately, I don't.

~

(I ask this here because Perl is my preferred language,
and because I think Perl users in general may be
more familiar with looking inside files
to determine the actual file type (?))

~greg, 01-02-2006

Found a description of the Microsoft Windows Metafile format here:

http://www.whisqu.se/per/docs/wmf.htm


However I don't know exactly what shimgvw.dll
(or gdi32.dll, or whatever else is involved)
is looking for that makes it decide
that a .jpg or .gif is really a .wmf,
and then "run" it.


------------------------------------------


"~greg" <(E-Mail Removed)> wrote in message news:(E-Mail Removed)...
>
> A whole lot of people right now, running Windows,
> need a script to check all the image files already on their
> hard drives to see if any of them are actually renamed .wmf files.
>
> It should be trivial to write this,
> -if you know what to look for in the files.
>
> Unfortunately, I don't.
>
> ~
>
> (I ask this here because Perl is my preferred language,
> and because I think Perl users in general may be
> more familiar with looking inside files
> to determine the actual file type (?))

MSG, 01-02-2006

~greg wrote:
> Found a description of the Microsoft Windows Metafile format here:
>
> http://www.whisqu.se/per/docs/wmf.htm
>
>
> However I don't know exactly what shimgvw.dll
> (or gdi32.dll, or whatever else is involved)
> is looking for that makes it decide
> that a .jpg or .gif is really a .wmf,
> and then "run" it.
>
>
> ------------------------------------------
>
>
> "~greg" <(E-Mail Removed)> wrote in message news:(E-Mail Removed)...
> >
> > A whole lot of people right now, running Windows,
> > need a script to check all the image files already on their
> > hard drives to see if any of them are actually renamed .wmf files.
> >
> > It should be trivial to write this,
> > -if you know what to look for in the files.
> >
> > Unfortunately, I don't.
> >
> > ~
> >
> > (I ask this here because Perl is my preferred language,
> > and because I think Perl users in general may be
> > more familiar with looking inside files
> > to determine the actual file type (?))

I am afraid that you have completely missed the point of this whole wmf
issue:
Your existing wmf files are ok if your Windows has not already been
infected. The bad ones come from outside. So the work-around never
calls for renaming files. Instead you unregister the dll file.
Perl won't help you for that matter.

l v, 01-02-2006
~greg wrote:
> A whole lot of people right now, running Windows,
> need a script to check all the image files already on their
> hard drives to see if any of them are actually renamed .wmf files.
>
> It should be trivial to write this,
> -if you know what to look for in the files.
>
> Unfortunately, I don't.
>
> ~
>
> (I ask this here because Perl is my preferred language,
> and because I think Perl users in general may be
> more familiar with looking inside files
> to determine the actual file type (?))


ImageMagick's identify command will list a file's format regardless of
its name.

Len

Shane, 01-02-2006
On Mon, 02 Jan 2006 12:04:00 -0800, MSG wrote:

>
> ~greg wrote:
>> Found a description of the Microsoft Windows Metafile format here:
>>
>> http://www.whisqu.se/per/docs/wmf.htm
>>
>>
>> However I don't know exactly what shimgvw.dll (or gdi32.dll, or whatever
>> else is involved) is looking for that makes it decide
>> that a .jpg or .gif is really a .wmf, and then "run" it.
>>
>>
>> ------------------------------------------
>>
>>
>> "~greg" <(E-Mail Removed)> wrote in message
>> news:(E-Mail Removed)...
>> >
>> > A whole lot of people right now, running Windows, need a script to
>> > check all the image files already on their hard drives to see if any
>> > of them are actually renamed .wmf files.
>> >
>> > It should be trivial to write this,
>> > -if you know what to look for in the files.
>> >
>> > Unfortunately, I don't.
>> >
>> > ~
>> >
>> > (I ask this here because Perl is my preferred language, and because I
>> > think Perl users in general may be more familiar with looking inside
>> > files to determine the actual file type (?))

> I am afraid that you have completely missed the point of this whole wmf
> issue:
> Your existing wmf files are ok if your Windows has not already been
> infected. The bad ones come from outside. So the work-around never calls
> for renaming files. Instead you unregister the dll file. Perl won't help
> you for that matter.


I've read today that unregistering what was thought to be the guilty dll
won't save you, and another is under suspicion (gotta love closed source,
feeling round in the dark trying to figure out which file is making you
vulnerable)

http://www.viruslist.com/en/weblog?d...92530&return=1
Going back to the wmf vulnerability itself, we see a number of sites mention that
shimgvw.dll is the vulnerable file.
This doesn't seem correct as it's possible to exploit a system on which shimgvw.dll
has been unregistered and deleted. The vulnerability seems to be in
gdi32.dll.

So while unregistering shimgvw.dll may make you less vulnerable, several attack
scenarios come to mind where the system can still be compromised.
It has to be noted that in this case the attack vector of web browsers
seems significantly smaller than that of explorer+third party programs.



--
<Overfiend> penis jokes are okay in mixed company. VMS is NOT!!!

Dr.Ruud, 01-03-2006
http://www.hexblog.com/2005/12/wmf_vuln.html

--
Anyway, Ruud

"Ordinary is a tiger."
Gerhard Sprenger, 01-03-2006

~greg wrote:

> Found a description of the Microsoft Windows Metafile format here:
>
> http://www.whisqu.se/per/docs/wmf.htm
>
>
> However I don't know exactly what shimgvw.dll
> (or gdi32.dll, or whatever else is involved)
> is looking for that makes it decide
> that a .jpg or .gif is really a .wmf,
> and then "run" it.
>
>
> ------------------------------------------
>


Hello Greg, you may have a look at

http://www.hexblog.com/2006/01/wmf_v...y_checker.html
*** and ***
http://www.hexblog.com/2005/12/wmf_vuln.html

The first one describes a check utility
(http://www.hexblog.com/security/file...er_hexblog.exe)
the second one a hotfix
(http://www.hexblog.com/security/file..._hexblog14.exe).

Highly recommended.
Ilfak Guilfanov is the author of these tools; he is a renowned Windows
expert.

Kind regards - Gerhard Sprenger.

~greg, 01-05-2006

"l v" <(E-Mail Removed)> wrote in message news:(E-Mail Removed) oups.com...
> ~greg wrote:
>> A whole lot of people right now, running Windows,
>> need a script to check all the image files already on their
>> hard drives to see if any of them are actually renamed .wmf files.
>>
>> It should be trivial to write this,
>> -if you know what to look for in the files.
>>
>> Unfortunately, I don't.
>>
>> ~
>>
>> (I ask this here because Perl is my preferred language,
>> and because I think Perl users in general may be
>> more familiar with looking inside files
>> to determine the actual file type (?))

>
> ImageMagick's identify command will list a file's format regardless of
> it's name.
>
> Len


----------------------------------------

Thank you all for your responses.

( Normally I only respond to responses
on the 2nd Tuesday of each month,
but this calls for an exception.)


I see that ImageMagick would do what I asked for. Thank you.
(--I may get around to installing it some day, --even though
there must be some good reason why ActiveState doesn't provide it.
(--maybe something to do with gif-laws?))


I found however that there is (-of course) a module
targeted at the specific task, --namely File::MMagic:

use strict;
use warnings;
use File::MMagic;

# File::MMagic ships its own magic database, so no extra data file is needed.
my $MM = File::MMagic->new;
print $MM->checktype_filename("Untitled.jpg"), "\n";

__END__

That printed
"image/gif"
for me, since I'd renamed an "Untitled.gif" to "Untitled.jpg" before running it.

(for Windows Meta Files it responds with:
application/octet-stream

which is good enough for me, although it should probably respond with:
application/x-msmetafile
or
image/x-wmf
or something like that.)


(I changed those file-extensions just to check if MMagic actually looks at the
"magic" header-bytes to determine file-type (as its name - "MMagic" -suggests)
or only looks at file-extensions to determine file type.

This was because something I'd read by someone who'd read the doc
said he was left unsure about that. I think that was because MMagic
*can* consider file-extensions, and because he was using perl on Windows
and "knew" that Windows only ever goes by file-extension.
(Someone more used to shebang (sharp-bang: #!) type environments might
have made the opposite assumption.)


That's the heart of the problem though.

MSG said he was afraid that I
"have completely missed the point of this whole wmf issue:"

And, normally, that'd be a safe assumption about me.
(I know about malware only in principle, not in detail.
My interest has never gone in that direction.

But this case is quite different.
This case is easy to understand.
(Much easier even than buffer-overruns etc)

As everyone should know by now the problem is not in shimgvw.dll.

But neither is it in the archaic 16-bit function in gdi32.dll,
(the heart of windows) that lets arbitrary code run.

And it's not in the Paint program, or any other program that
renders wmf files with the gdi32.dll, and so might render evil.

Because if that was all there was to it, then you'd just treat
wmfs exactly like exes, - with filters and permissions.
Or disabling them altogether.


The real problem is of course that
a wmf --- can be a jpg.
Etc.

The real problem is this:
"MIME Type Detection in Internet Explorer"

http://msdn.microsoft.com/workshop/n...appendix_a.asp

it's Windows going by:
quote:

1) The server-supplied MIME type, if available
2) An examination of the actual contents associated with a downloaded URL
3) The file name associated with the downloaded content (assumed to be derived from the associated URL)
4) Registry settings (file extension/MIME type associations or registered applications) in effect during the download
...
quote:
FindMimeFromData
contains hard-coded tests for (currently 26) separate MIME types
(see Known MIME Types). This means that if a given buffer contains data
in the format of one of these MIME types, a test exists in FindMimeFromData
that is designed (by scanning through the buffer contents) to recognize
the corresponding MIME type.

Etc.

~greg

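Nobody in the thread actually posts the script ~greg asked for in the opening message, and File::MMagic only gets as far as "application/octet-stream" for a metafile. The following is an added example (not code from any poster): it reads the leading bytes of a file, recognises both header forms of a WMF described at the whisqu.se link (the placeable header with its 0x9AC6CDD7 key, and the standard header with FileType 1 or 2, HeaderSize 9 and Version 0x0100 or 0x0300), compares that with what the extension claims, and reports files whose content is a metafile hiding behind another image extension. The file names and header bytes in %samples are constructed for the demonstration; the script name wmfcheck.pl is assumed.

```perl
#!/usr/bin/perl
# Added example for this thread (not code from any poster): decide what an
# image file really is from its first bytes, then flag files whose content is
# a Windows Metafile but whose extension says otherwise.
use strict;
use warnings;
use File::Find;

# Return a type label for the start of a file. Only the signatures used here
# are checked; anything else is reported as 'unknown'.
sub sniff_type {
    my ($buf) = @_;
    return 'unknown' if !defined $buf || length($buf) < 8;

    # Placeable (Aldus) WMF: 32-bit key 0x9AC6CDD7 stored little-endian,
    # i.e. the bytes D7 CD C6 9A on disk.
    return 'wmf' if unpack('V', $buf) == 0x9AC6CDD7;

    # Standard WMF header: FileType 1 (memory) or 2 (disk), HeaderSize 9
    # (in 16-bit words), Version 0x0100 or 0x0300, all little-endian shorts.
    my ($ftype, $hsize, $ver) = unpack('v3', $buf);
    return 'wmf' if ($ftype == 1 || $ftype == 2) && $hsize == 9
                 && ($ver == 0x0100 || $ver == 0x0300);

    # Enhanced metafile: record type 1 at offset 0 and ' EMF' at offset 40.
    return 'emf' if length($buf) >= 44 && unpack('V', $buf) == 1
                 && substr($buf, 40, 4) eq ' EMF';

    return 'jpeg' if substr($buf, 0, 3) eq "\xFF\xD8\xFF";
    return 'gif'  if substr($buf, 0, 6) =~ /\AGIF8[79]a\z/;
    return 'png'  if substr($buf, 0, 8) eq "\x89PNG\r\n\x1A\n";
    return 'bmp'  if substr($buf, 0, 2) eq 'BM';
    return 'unknown';
}

# What an extension claims the file is.
my %claimed_by_ext = (
    jpg => 'jpeg', jpeg => 'jpeg', gif => 'gif', png => 'png',
    bmp => 'bmp',  wmf  => 'wmf',  emf => 'emf',
);

sub claimed_type {
    my ($name) = @_;
    my ($ext) = $name =~ /\.([A-Za-z0-9]+)\z/;
    return defined $ext ? ($claimed_by_ext{lc $ext} || 'unknown') : 'unknown';
}

# True when the content is a metafile that the name does not admit to.
sub is_disguised_metafile {
    my ($name, $buf) = @_;
    my $actual = sniff_type($buf);
    return 0 unless $actual eq 'wmf' || $actual eq 'emf';
    return claimed_type($name) ne $actual ? 1 : 0;
}

# Read just the header of a file on disk and apply the same check.
sub check_file {
    my ($path) = @_;
    open my $fh, '<:raw', $path or return;
    my $buf = '';
    read $fh, $buf, 64;
    close $fh;
    return is_disguised_metafile($path, $buf);
}

# Constructed sample headers, so the logic can be exercised without any real
# files; the WMF entries are bare headers, not complete metafiles.
my %samples = (
    'photo.jpg'   => "\xFF\xD8\xFF\xE0" . ("\0" x 12),
    'holiday.gif' => 'GIF89a' . ("\0" x 10),
    'drawing.wmf' => pack('V', 0x9AC6CDD7) . ("\0" x 18),
    'renamed.jpg' => pack('V', 0x9AC6CDD7) . ("\0" x 18),     # placeable WMF as .jpg
    'renamed.gif' => pack('v3', 2, 9, 0x0300) . ("\0" x 10),  # standard WMF as .gif
);

sub disguised_samples {
    return sort { $a cmp $b } grep { is_disguised_metafile($_, $samples{$_}) } keys %samples;
}

unless (caller) {
    print "disguised samples: ", join(', ', disguised_samples()), "\n";
    # With directories on the command line, walk them and report real files.
    find({ no_chdir => 1, wanted => sub {
        return unless -f $File::Find::name;
        print "$File::Find::name: metafile content behind a different extension\n"
            if check_file($File::Find::name);
    } }, @ARGV) if @ARGV;
}

1;
```

Run it as `perl wmfcheck.pl C:\Pictures` (any number of directories); with no arguments it only reports on the constructed samples, where the two `renamed.*` entries are the ones flagged. A renamed GIF like ~greg's "Untitled.jpg" is deliberately not reported, since only metafile content matters for this check, and as MSG and Shane point out the files already on disk are not where the exposure is, so the scan is a tidy-up rather than a substitute for the fix.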