4. CLSID


Excerpt from http://msdn.microsoft.com/library/psdk/com/reg_6vjt.htm

"CLSID Key
A CLSID is a globally unique identifier that identifies a COM class object. If your server or container allows linking to its embedded objects, then you need to register a CLSID for each supported class of objects.

Registry Entry
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID = 

Value Entries
 
Specifies a name that can be displayed in the user interface. 
Remarks
The CLSID key contains information used by the default COM handler to return information about a class when it is in the running state. To obtain a CLSID for your application, you can use the UUIDGEN.EXE found in the \TOOLs directory of the COM Toolkit, or use CoCreateGuid. The CLSID is a 128 bit number, spelled in hex, within a pair of braces."

Shortly after I posted my initial research material, I was contacted by Adam L. Simms about an e-mail thread concerning hidden CLSID extensions. As I was curious to know more on this topic, he forwarded me the part of the e-mail thread containing this information. As we have seen at the beginning of this chapter, a CLSID is a unique-number descriptor used to register applications in an object linking and embedding scheme. In Windows, applications and the various file extensions they use are closely related. This is why, for example, a .DOC file is associated with the Word application. Well, as it turns out, you can create a file and, instead of giving it a normal file extension as we normally do, give it the associated CLSID as the file's extension. What's more interesting is that the file will automatically assume the properties of the associated file extension, and the extension itself will be invisible.

Here are some examples of CLSID:

html application (.HTA) {3050F4D8-98B5-11CF-BB82-00AA00BDCE0B}
mhtml document {3050F3D9-98B5-11CF-BB82-00AA00BDCE0B}
xml {48123bc4-99d9-11d1-a6b3-00c04fd91555}
xsl {48123bc4-99d9-11d1-a6b3-00c04fd91555}
html {25336920-03F9-11cf-8FD0-00AA00686F13}

I ran some tests to verify the extent of this "feature", and the results surprised me very much. I created some files using the HTML application and HTML CLSIDs above. I also created similar files with their associated extensions. I also made some files using randomly chosen CLSIDs from my registry. While looking through the registry for these extensions and CLSIDs in [HKEY_CLASSES_ROOT], I also found several descriptors that looked like Access.ShortCut.Macro, Amovie.ActiveMovie Control and CDDBControl.CddbURLManager. Now knowing about the CLSID problem, I found it wise to test a few of these also, just in case ;-)

In DOS, the directory listing looked like this:

 Volume in drive D is CD         
 Volume Serial Number is 443F-FFED
 Directory of D:\work\temp

.              (DIR)        05-08-01 12:35a .
..             (DIR)        05-08-01 12:35a ..
TEST     HTA             0  05-08-01 12:36a test.hta
TESTTX~1 {25             0  05-08-01 12:37a test.txt.{25336920-03F9-11cf-8FD0-00AA00686F13}
TESTTX~1 HTM             0  05-08-01 12:38a test.txt.html
TEST     PIF             0  05-08-01 12:38a test.pif
TEST~1   PIF             0  05-08-01 12:38a test.piffile
TESTAC~1 APP             0  05-08-01 12:39a test.Access.Application
TESTAC~1 1               0  05-08-01 12:40a test.Access.ShortCut.Macro.1
TEST~1   {9E             0  05-08-01  2:49p test.{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}
TEST~1   {9C             0  05-08-01  2:53p test.{9CBBB803-D654-11D1-8818-C199198E9702}
TEST~1   {94             0  05-08-01  2:55p test.{944d4c00-dd52-11ce-bf0e-00aa0055595a}
TEST~1   {30             0  05-08-01  4:26p test.{3050F4D8-98B5-11CF-BB82-00AA00BDCE0B}
        11 file(s)              0 bytes
         2 dir(s)     580,976,640 bytes free

In Windows Explorer, the file names are displayed as test, test, test, test, test.Access.Application, test.Access.ShortCut.Macro.1, test.hta, test, test.piffile, test.txt and test.txt.html. However, the "Type" column displays the following information (in the same order): HTML Application, DirectDraw Property Page, SwiftSoft MMLEDPanelX Control, {9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}, APPLICATION File, 1 File, HTML Application, Shortcut to MS-DOS Program, PIFFILE File, Microsoft HTML Document 5.0, Microsoft HTML Document 5.0. It should also be noted that the icons associated with these files were the generic file icon, except for the following: test.{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE} displays an envelope icon, as in e-mail software; test.pif has a little arrow on its icon, just like any shortcut link; and the two files identified as Microsoft HTML Document 5.0 have the Internet Explorer icon. It should be pointed out that results may vary.

We can see that Windows Explorer readily accepts CLSID extensions, hides them from view in the file name itself, and translates them to the corresponding file type in the Type column. This makes it even easier than with Shell Scrap to make dangerous files look innocent to the blindly trusting user, who probably has Windows Explorer set to "Small Icons" instead of "Details", with the other settings left at their defaults.
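A defender-side check for the behaviour described above, added here as an example and not part of the original research: it recognises a file name whose last component is a CLSID in braces, reports what Explorer's "Name" column would show (the name with that component stripped) and resolves the CLSID against a constructed table built from the CLSIDs listed on this page. The optional `lookup_clsid_name` helper, which reads the default value of HKEY_CLASSES_ROOT\CLSID\{...} through `winreg` on a Windows host, is an assumption of this example and is skipped elsewhere.

```python
import re
from typing import Optional, Tuple

# A CLSID is a 128-bit number written as hex in the 8-4-4-4-12 layout inside braces.
# This matches it only as the trailing "extension" component of a file name.
CLSID_EXT_RE = re.compile(
    r"\.\{([0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12})\}$"
)

# Constructed lookup table: the CLSIDs named on this page and the type names
# the page reports for them (uppercase keys, matched case-insensitively).
KNOWN_CLSIDS = {
    "3050F4D8-98B5-11CF-BB82-00AA00BDCE0B": "HTML Application",
    "3050F3D9-98B5-11CF-BB82-00AA00BDCE0B": "mhtml document",
    "48123BC4-99D9-11D1-A6B3-00C04FD91555": "xml / xsl",
    "25336920-03F9-11CF-8FD0-00AA00686F13": "Microsoft HTML Document 5.0",
}


def split_clsid_extension(filename: str) -> Optional[Tuple[str, str]]:
    """Return (name as Explorer shows it, CLSID) if the extension is a CLSID, else None."""
    m = CLSID_EXT_RE.search(filename)
    if not m:
        return None
    return filename[: m.start()], m.group(1).upper()


def lookup_clsid_name(clsid: str) -> Optional[str]:
    """Assumed helper: read the display name from HKCR\\CLSID\\{clsid} (Windows only)."""
    try:
        import winreg  # only present on Windows
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, "CLSID\\{%s}" % clsid) as key:
            return winreg.QueryValue(key, None)  # default value of the key
    except OSError:
        return None


def describe(filename: str) -> dict:
    """Flag a file whose handler is chosen by a CLSID that Explorer hides from the Name column."""
    parts = split_clsid_extension(filename)
    if parts is None:
        return {"name": filename, "shown_as": filename, "hidden_clsid": None, "suspicious": False}
    shown, clsid = parts
    # Explorer shows the raw "{CLSID}" as the type when the CLSID is not registered.
    handler = KNOWN_CLSIDS.get(clsid) or lookup_clsid_name(clsid) or "{" + clsid + "}"
    return {"name": filename, "shown_as": shown, "hidden_clsid": clsid,
            "handler": handler, "suspicious": True}


if __name__ == "__main__":
    # Constructed sample names modelled on the directory listing above.
    for n in ["test.txt.{25336920-03F9-11cf-8FD0-00AA00686F13}",
              "test.{3050F4D8-98B5-11CF-BB82-00AA00BDCE0B}", "test.txt.html"]:
        print(describe(n))
```

Running it over a directory's file names (for example the output of `os.listdir`) turns the Explorer display quirk into a simple listing of files whose real type differs from what the Name column suggests.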
