Program Information File

Apr 18, 2024

Security professionals do not trust Windows Explorer when it comes to what is actually stored on the drive. And for good reason.

Since Windows 95, Explorer has been designed as a graphical shell, not as a faithful tool for browsing files and folders. There are many reasons why the folder content shown in Explorer may differ from the result of 'dir /a', 'Get-ChildItem -Force' or the FindFirstFileW()/FindNextFileW() API calls.

By default, Explorer hides files with the Hidden and System attributes. Sometimes the listing is altered by desktop.ini entries (a folder can be displayed under a different name than the one on disk), not to mention simple 'on the fly' name changes that make the Desktop folder's name follow the current language settings. One of the things Explorer hides by default is, obviously, the file extension for known file types. It may fool some end users, but most professionals simply enable 'real' extensions in the Explorer options. Document.pdf.exe is a much more honest name than Document.pdf for the very same file on the drive.

To make it even more interesting, enabling file extensions does not enable all of them. During one of my research projects, I have identified 16 extensions Explorer ignores regardless of the settings (the file type's registry entry, e.g. HKEY_CLASSES_ROOT\piffile, carries a NeverShowExt value that overrides the user's choice). Some of these extensions are relatively harmless, but one of them seems to be a real gem: pif. The PIF (Program Information File) was designed in the Windows 3.x era as a launching shortcut for DOS programs, giving not only the path but also metadata such as an icon, parameters, memory settings, etc.

It was later replaced with .lnk files, which are well known for their malicious potential, but Microsoft rarely removes old stuff, which means .pif files still work very well: a PE executable renamed to .pif is launched like any other program. If we connect the dots, we can see a nice picture: an executable file hiding its real extension even when the user has asked to see extensions. What could possibly go wrong...?

If you want to try it yourself, it’s really simple: copy an executable file, rename it changing .exe to .docx.pif, and observe what happens. Explorer shows it as a .docx, and a double-click runs it as a program. I know the icon may not be very pretty, but trust me, users click everything sooner or later.
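The following PowerShell script is an added example, not code from the original post. It does the two things the text argues for: it reads the list of extensions Explorer never shows straight from the registry (assuming, as is the case for HKCR\piffile and HKCR\lnkfile, that the flag is the NeverShowExt value under the file type's ProgID key), then it lists a folder the way Explorer will not, including Hidden and System files, reporting every file whose real extension is on that list and whose content starts with the MZ header of a Windows executable. The demo at the bottom builds the decoy described above (calc.exe renamed to invoice.docx.pif in a temporary folder) and scans it; the folder name and the decoy name are the example's own choices.

```powershell
# Added example (not part of the original post). Requires Windows PowerShell 5.1
# or PowerShell 7 on Windows, because it reads HKEY_CLASSES_ROOT.

function Get-NeverShowExtExtensions {
    # Assumption: Explorer hides an extension when the ProgID key that the
    # extension maps to (e.g. HKCR\.pif -> HKCR\piffile) carries a NeverShowExt
    # value. The list is read live instead of being hard-coded.
    $hidden = @()
    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like '.*' } |
        ForEach-Object {
            $ext    = $_.PSChildName
            $progId = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'(default)'
            if ($progId) {
                $progKey = "Registry::HKEY_CLASSES_ROOT\$progId"
                if (Test-Path -Path $progKey) {
                    $props = Get-ItemProperty -Path $progKey -ErrorAction SilentlyContinue
                    if ($null -ne $props -and $props.PSObject.Properties.Name -contains 'NeverShowExt') {
                        $hidden += $ext.ToLowerInvariant()
                    }
                }
            }
        }
    return ($hidden | Sort-Object -Unique)
}

function Test-MzHeader {
    param([Parameter(Mandatory)] [string] $FilePath)
    # A PE executable (EXE, DLL, SCR, ...) starts with the two bytes 'MZ'.
    # A genuine Windows 3.x PIF does not, so this separates real PIFs from
    # executables that merely borrowed the extension.
    try {
        $fs = [System.IO.File]::OpenRead($FilePath)
        try {
            $buf = New-Object byte[] 2
            $n   = $fs.Read($buf, 0, 2)
            return ($n -eq 2 -and $buf[0] -eq 0x4D -and $buf[1] -eq 0x5A)
        } finally { $fs.Dispose() }
    } catch {
        return $false
    }
}

function Find-DisguisedExecutables {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [string[]] $HiddenExtensions = (Get-NeverShowExtExtensions)
    )
    # -Force lists the Hidden and System files that Explorer skips by default;
    # $_.Extension is the real last extension (for 'invoice.docx.pif' it is '.pif').
    Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $HiddenExtensions -contains $_.Extension.ToLowerInvariant() } |
        ForEach-Object {
            [PSCustomObject]@{
                ShownByExplorer = $_.BaseName      # what the user sees: 'invoice.docx'
                RealName        = $_.Name          # what is on disk:   'invoice.docx.pif'
                IsPE            = Test-MzHeader -FilePath $_.FullName
                FullPath        = $_.FullName
            }
        }
}

# Demo (constructed test case): build the decoy from the post and scan for it.
$demoDir = Join-Path $env:TEMP 'pif-demo'
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null
Copy-Item -Path (Join-Path $env:SystemRoot 'System32\calc.exe') `
          -Destination (Join-Path $demoDir 'invoice.docx.pif') -Force

Write-Host "Extensions Explorer never shows: $((Get-NeverShowExtExtensions) -join ', ')"
Find-DisguisedExecutables -Path $demoDir | Format-Table -AutoSize
```

Two caveats for anyone turning this into a detection. Enumerating every key under HKCR takes a few seconds, so cache the extension list rather than recomputing it per folder. And the MZ check is deliberately narrow: it flags PE files hiding behind a NeverShowExt extension, which is the case discussed here, but a .lnk or a genuine PIF that points at something nasty will not start with MZ and needs its own parser.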

¯\_(ツ)_/¯

[©] Copyright 2024

GT