| Title: | -={ H A C K E R S }=- |
| Notice: | Write locked - see NOTED::HACKERS |
| Moderator: | DIEHRD::MORRIS |
| Created: | Thu Feb 20 1986 |
| Last Modified: | Mon Aug 03 1992 |
| Last Successful Update: | Fri Jun 06 1997 |
| Number of topics: | 680 |
| Total number of notes: | 5456 |
There has been quite a discussion about this in vmsnotes but most
of it centering around WHY and not an answer... someone suggested
posting it here, so here goes...
<<< VAXWRK::WRKD$:[NOTES$LIBRARY]VMSNOTES.NOTE;1 >>>
================================================================================
Note 936.0 is this file an image? 21 replies
USHS01::MALLORY "Cluster Killer" 20 lines 4-JUN-1986 19:43
--------------------------------------------------------------------------------
What is the correct way to find out if a file is an image?
I have a customer in a hostile environment who has users that hide
images in files like x.txt.
My approach is to:
1) see if the file has a 512 byte record if so if not next file
2) open the file
   read block 1 as if it were an IHD
   check ihd$w_imgidoff to see if it is gt 5 and lt 500
   (got these values from IMAGEINFO tool on toolshed)

don't have a fiche reader handy, someone with source code on-line
handy look at ana/image and send me a code segment maybe?
adv<thanks>ance
| T.R | Title | User | Personal Name | Date | Lines |
|---|---|---|---|---|---|
| 252.1 | Your test will get you passed round one... | TLE::BRETT | | Fri Jun 06 1986 22:07 | 16 |
If the environment is that hostile, and all he does is look for 512
byte fixed length files, he has a shock coming.
All the people have to do is modify the record attributes from FIX
to VAR and your program won't find the hidden .exe's; furthermore
a trivial "encryption" (eg: xor'ing with a fixed key) will conceal
any other attributes of a file header.
A better approach would be to raise a flag about any file whose
contents aren't obviously text.
An even better question is "why" - but if that's being addressed
in VMSNOTES...
/Bevin
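
Added example, not part of the original notes and not DEC code: a sketch of the check suggested in .1, flagging any file whose contents are not obviously text instead of trusting record format or header fields. It is written in Python rather than a VMS language; the 0.85 threshold, the sample names and contents, and the `var_records` stand-in for a VAR file read as raw blocks are constructed assumptions.

```python
import random
import struct

BLOCK = 512        # disk block size, as in the thread
THRESHOLD = 0.85   # assumed cut-off; tune it against known-good text files
TEXT_BYTES = frozenset(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0C, 0x0D}

def text_fraction(block: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace."""
    return sum(b in TEXT_BYTES for b in block) / len(block) if block else 1.0

def looks_like_text(data: bytes, blocks: int = 4) -> bool:
    """True only if each of the first few blocks is mostly text."""
    sample = data[:BLOCK * blocks]
    return all(text_fraction(sample[i:i + BLOCK]) >= THRESHOLD
               for i in range(0, len(sample), BLOCK))

def var_records(lines) -> bytes:
    """Constructed stand-in for a VAR file read as raw blocks:
    a 2-byte count before each record, padded to an even length."""
    out = bytearray()
    for line in lines:
        rec = line.encode("ascii")
        out += struct.pack("<H", len(rec)) + rec + b"\0" * (len(rec) % 2)
    return bytes(out)

def suspicious(files: dict) -> list:
    """Names of files whose contents are not obviously text."""
    return sorted(n for n, data in files.items() if not looks_like_text(data))

# Constructed samples (not real VMS files).
rng = random.Random(1986)
binary = bytes(rng.randrange(256) for _ in range(4 * BLOCK))  # stand-in for image content
lines = ['$ WRITE SYS$OUTPUT "nightly backup step %d complete"' % i for i in range(40)]
SAMPLES = {
    "LOGIN.COM": var_records(lines),            # text with binary record counts
    "NOTES.TXT": "\r\n".join(lines).encode("ascii"),
    "X.TXT": binary,                            # binary content under a text name
    "Y.TXT": bytes(b ^ 0x5A for b in binary),   # same content XORed with a fixed key
}

if __name__ == "__main__":
    for name in suspicious(SAMPLES):
        print("flag:", name)
```

The check never looks at record attributes or header fields, so changing FIX to VAR or XORing the contents does not change the result for the two binary samples.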
| 252.2 | There's a command to do it. | DELNI::CANTOR | Dave Cantor | Sat Jun 07 1986 00:48 | 4 |
How about a simple ANAL/IMAGE filename.typ and check the $STATUS
for success?
Dave C.
| 252.3 | takes too long | USHS01::MALLORY | Cluster Killer | Sat Jun 07 1986 08:55 | 5 |
RE .2 this too was discussed in vmsnotes... there are 48 ra81's
worth of data to look on (on a *regular* basis) ana/image would
take weeks!