Sure, it might work on "normal" LNK files but we're dealing with malware and intentionally modified files here. He just reads all the fields one after another and expects that the length of all the fields will be equal to the size of structure ( LinkInfoSize). His implementation of LinkInfo structure looks like this: NET, MCSE/Security, MCITP Windows Server 2008, RHCT, CCNP Security, OSWP) managed to mess up his template. Stevens (proudly calling himself Microsoft MVP Consumer Security, CISSP, GSSP-C, MCSD. It's very easy to process, just look at the size, read the appropriate number of bytes, process them. Right after it there's a next size and next data. There's always size of the structure, followed by data. LNK file consists of sequence of structures of variable size. So, I got an official Shell Link (.LNK) Binary File Format specification by Microsoft and started reading. And it looks like malware authors somehow managed to put the real command-line "/c copy *.jpg.lnk." outside the defined structures, right? How's that possible? Marked in blue is the final structure of LNK file, as per 010Editor Template.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |