I have searched it from here, here, here but none of them included the avif signature.
I want to determine whether a file is avif or not from bitstream. But document is too complex or cannot be accessed freely. How can I achieve this?
It will be better if answer includes the reason why it can be applied without false positive or false negative.
The file signature for avif file is ftypavif.
You can see a list of sample avif files here:
https://github.com/link-u/avif-sample-images
To check file signatures yourself, download/find a file you want to check, then you can check via any hex viewer.
In Powershell on Windows, you can run this:
format-hex c:\yourfile.someextension
Related
Are there any rules for file extensions? For example, I wrote some code which reads and writes a byte pattern that is only understood by that specific programm. I'm assuming my anti virus programm won't be too happy if I give it the name "pleasetrustme.exe"... Is it gerally allowed to use those extensions? And what about the lesser known ones, like ".arw"?
You can use any file extension you want (or none at all). Using standard extensions that reflect the actual type of the file just makes things more convenient. On Windows, file extensions control stuff like how the files are displayed in Windows Explorer and what happens when you double click on it.
I wrote some code which reads and writes a byte pattern that is only
understood by that specific programm.
A file extension is only an indication of what type of data will be inside, never a guarantee that certain data formatted in a specific way will be inside the file.
For your own specific data structure it is of course always best to choose an extension that is not already in use for other file formats (or use a general extension like .dat or .bin maybe). This also has the advantage of being able to use an own icon without it being overwritten by other software using the same extension - or the other way around.
But maybe even more important when creating a custom (binary?) file format, is to provide a magic number as the first bytes of that file, maybe followed by a file header structure containing a version number etc. That way your own software can first check the header data to make sure it's the right type and version (for example: anyone could rename any file type to your extension, so your program needs to have a way to do some checks inside the file before reading the remaining data).
I have the following two challanges:
I'd like to assert that the filename of an xml file is always equal to a certain string in the file itself
I'd like to assert that in every folder called 'Foo' is a file called 'bar.xml'
How can I do this with sonar? Is there already a plugin for this available?
There's no plugin for that, you will have to write your own.
To do the first point, you can write a sensor that parses the XML files to find if the name of the files exists in the file itself, this should not be complicated.
For the second point, you would have to write a sensor that is executed only on folders.
You can check the "Extension Guide" documentation to find code samples on how to do that.
please consider the microsoft "AVI mux" directshow filter, it have CLSID: {E2510970-F137-11CE-8B67-00AA00A3F1A6}
suppose that, just for an experiment, I want to change this code. I opened the file qcap.dll with WinHex qcap.dll but I can not find this string inside it, then I wonder where is written, if it's written in qcap.dll. Thanks
It is there but it is not a string, it is hardcoded as a binary value. Then you are to consider registration of the DLL, which stands alone from file contents. Whatever you are trying to achieve patching a stock DLL, it is wrong and a no-go for a real task. Not to mention that the file is proceted by System Restore and reversing is likely to be an EULA violation.
Is the ReplaceFile Windows API a convenience function only, or does it achieve anything beyond what could be coded using multiple calls to MoveFileEx?
I'm currently in the situation where I need to
write a temporary file and then
rename this temporary file to the original filename, possibly replacing the original file.
I thought about using MoveFileEx with MOVEFILE_REPLACE_EXISTING (since I don't need a backup or anything) but there is also the ReplaceFile API and since it is mentioned under Alternatives to TxF.
This got me thinking: Does ReplaceFile actually do anything special, or is it just a convenience wrapper for MoveFile(Ex)?
I think the key to this can be found in this line from the documentation (my emphasis):
The replacement file assumes the name of the replaced file and its identity.
When you use MoveFileEx, the replacement file has a different identity. Its creation date is not preserved, the creator is not preserved, any ACLs are not preserved and so on. Using ReplaceFile allows you to make it look as though you opened the file, and modified its contents.
The documentation says it like this:
Another advantage is that ReplaceFile not only copies the new file data, but also preserves the following attributes of the original file:
Creation time
Short file name
Object identifier
DACLs
Security resource attributes
Encryption
Compression
Named streams not already in the replacement file
For example, if the replacement file is encrypted, but the
replaced file is not encrypted, the resulting file is not
encrypted.
Any app that wants to update a file by writing to a temp and doing the rename/rename/delete dance (handling all the various failure scenarios correctly), would have to change each time a new non-data attribute was added to the system. Rather than forcing all apps to change, they put in an API that is supposed to do this for you.
So you could "just do it yourself", but why? Do you correctly cover all the failure scenarios? Yes, MS may have a bug, but why try to invent the wheel?
NB, I have a number of issues with the programming model (better to do a "CreateUsingTemplate") but it's better than nothing.
It looks like all EXE files begin with MZ when they are opened in ASCII mode, is there an ASCII identified for vbs, com and bat files as well? i can't seem to find a pattern...
Or maybe there's another way to identify them? aside from just the extension...
No, not really (Windows executables can have PE or PK at the beginning instead of MZ - see this for other possible formats).
For other types of files, there are certain heuristics you can use (e.g. GIF files start with "GIF89", Bash shell scripts usually start with #!/bin/bash, BAT files often execute #echo off at the beginning, VBS scripts use apostrophe at the start of line as a comment marker), but they aren't always 100% reliable (a file can be both a BAT script and a Bash shell script; or a file that's both a valid ZIP archive and a valid GIF image (like that stegosaurus image), for example).
See e.g. this article for further reading.
TrID seems to have a "standalone" application you could probably use and pass the file in and read the contents out and see what file it is. It prides itself on the ability to pass it a generic file (extension or without) and it uses the headers of the file to discover what file type it actually is.
See if this tutorial is helpful (How to detect the types of executable files 3 part series). He has even presented a step by step algorithm on how to do this.
Also see this post: How to determine if a file is executable?