Anyone ever use AssocIsDangerous?

Started by Gunner, November 29, 2009, 07:06:25 PM

Gunner

Doesn't seem to work...

Quote: AssocIsDangerous Function

Determines whether a file type is considered a potential security risk.

Syntax

BOOL AssocIsDangerous(
    LPCWSTR pszAssoc
);

Parameters

pszAssoc
[in] Pointer to a string that contains the type of file in question. This may be either an extension such as ".exe" or a progid such as "exefile".
Return Value

Returns TRUE if the file type is considered dangerous, FALSE otherwise.

Remarks

Files that are determined to be potentially dangerous, such as .exe files, should be handled with more care than other files. For instance, Microsoft Internet Explorer version 6.01 or later uses AssocIsDangerous to determine whether it should issue stronger warning language in its download dialog box. ShellExecuteEx uses AssocIsDangerous to trigger zone checking using the methods of the IInternetSecurityManager interface in conjunction with the URLACTION_SHELL_SHELLEXECUTE flag.

The determination of a file's potential risk is made by checking its type against several sources, including a list of known dangerous types and the presence of the FTA_AlwaysUnsafe flag in the registry. On systems running Microsoft Windows XP Service Pack 1 (SP1) or later or Windows Server 2003, it also uses the SaferiIsExecutableFileType function to determine whether a file type is executable.

Applications that can take advantage of AssocIsDangerous include e-mail programs, browsers, chat clients capable of downloading files, and any application that moves files or data from one zone of trust to another.

OK, so to test it, to see if I could use it in a program and how well it works, I created two test vars in the data section:

; data section: both test strings are single-byte (ANSI) strings
GoodExt             BYTE    '.txt',0
BadExt              BYTE    '.exe',0

; code section: pass each extension and print the BOOL returned in EAX
; (PrintDec is the MASM32 debug macro from debug.inc)
    push    offset GoodExt
    call    AssocIsDangerous
    PrintDec eax

    push    offset BadExt
    call    AssocIsDangerous
    PrintDec eax


I would assume that an exe file would be dangerous... I even tried it with every extension in my registry and they all return false!

Am I missing something?
~Rob (Gunner)
- IE Zone Editor
- Gunners File Type Editor
http://www.gunnerinc.com

dedndave

well - kinda obvious it doesn't work too well - lol
IE is not the most secure browser around - always susceptible to viruses, etc
but, i don't think you are hitting it with enough stuff to make it do anything
read the notes carefully - it merely says exe files should be handled more carefully
not that all exe files will raise a flag
i would think you need to give it a file to work on - not just an extension

Gunner

eh tried a valid exe file and nothing... Yeah, ms probably forgot to finish this function  :toothy
~Rob (Gunner)
- IE Zone Editor
- Gunners File Type Editor
http://www.gunnerinc.com

dedndave

after reading further, it appears you do have the right info
i have never tried to use anything from the shlwapi.lib/dll
i assume you got those listed in the includes
it does say XP sp1 or better is required...
perhaps your internet zone settings are affecting the return values
or - the current zone setting is considered safe

drizz

AssocIsDangerous haha funny function, they better make GetUserStupidity function
which would return a value between 0.0 and 1.0

some heuristics like:
- user has tons of files in root C:\
- user has tons of files in \Desktop folder
- user has only one partition
- user has millions of apps on startup

hey... i might write that one... ::)



The truth cannot be learned ... it can only be recognized.

dedndave

Quote: which would return a value between 0.0 and 1.0
don't forget good ole' -1 - user is a complete moron and meets all of the above - lol

we could combine the two functions - UserIsDangerous - lol

drizz

LOL  :bdg

yeah UserIsDangerous sounds more professional :)
The truth cannot be learned ... it can only be recognized.

sinsi

It does work but you need to use unicode strings (LPCWSTR).
Light travels faster than sound, that's why some people seem bright until you hear them.
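The point sinsi makes is worth seeing in code, because it is a classic fail-open: when an ANSI string is handed to a function declared with an LPCWSTR parameter, the function does not fail, it quietly reads the bytes as UTF-16, matches nothing in its list, and returns FALSE, so every type looks "safe". The following is an added example, not code posted in this thread, that redoes Gunner's test with wide strings and also tries a progid ("exefile") as the documentation allows. It assumes a standard MASM32 SDK layout under \masm32, that shlwapi.inc declares AssocIsDangerous (it lives in shlwapi.dll, XP SP1 or later), and that the `print`, `inkey` and `exit` macros from macros.asm are available; `ShowVerdict` is a hypothetical helper written for this example, not an API.

```asm
; Added example (not from the original thread): calling AssocIsDangerous
; with the UTF-16 strings its LPCWSTR parameter requires.
; Assumes the MASM32 SDK is installed under \masm32.
.386
.model flat, stdcall
option casemap:none

include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\shlwapi.inc
include \masm32\include\masm32.inc
include \masm32\macros\macros.asm
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\shlwapi.lib
includelib \masm32\lib\masm32.lib

.data
    ; Wide strings: one WORD per character, terminated by a 16-bit zero.
    ; A BYTE string here would be consumed as garbage UTF-16 and the
    ; check would return FALSE for everything, exactly as in the thread.
    GoodExtW    dw '.','t','x','t',0
    BadExtW     dw '.','e','x','e',0
    ProgIdW     dw 'e','x','e','f','i','l','e',0

    ; ANSI labels for the console output (print/StdOut are ANSI)
    lblGood     db ".txt     -> ",0
    lblBad      db ".exe     -> ",0
    lblProgId   db "exefile  -> ",0
    strSafe     db "not flagged (FALSE)",13,10,0
    strDanger   db "DANGEROUS (TRUE)",13,10,0

.code
; Hypothetical helper: ESI = wide extension/progid, EDI = ANSI label.
; Prints the label, then the verdict AssocIsDangerous returned in EAX.
ShowVerdict PROC
    print edi
    push  esi
    call  AssocIsDangerous      ; BOOL AssocIsDangerous(LPCWSTR pszAssoc)
    .if eax
        print ADDR strDanger
    .else
        ; FALSE means "not on the known-dangerous list", not "harmless":
        ; treat it as the absence of a flag, not as a clean bill of health.
        print ADDR strSafe
    .endif
    ret
ShowVerdict ENDP

start:
    mov  esi, OFFSET GoodExtW
    mov  edi, OFFSET lblGood
    call ShowVerdict

    mov  esi, OFFSET BadExtW
    mov  edi, OFFSET lblBad
    call ShowVerdict

    mov  esi, OFFSET ProgIdW
    mov  edi, OFFSET lblProgId
    call ShowVerdict

    inkey
    exit
end start
```

Build it the usual MASM32 way (`ml /c /coff` then `link /SUBSYSTEM:CONSOLE`). On an XP SP1 or later box the `.exe` and `exefile` lines should report TRUE and `.txt` FALSE; if all three still come back FALSE, check that the strings really are WORD-sized and null-terminated with a 16-bit zero, since the mismatch produces no error of any kind.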

Gunner

Quote from: sinsi on November 29, 2009, 09:16:11 PM
It does work but you need to use unicode strings (LPCWSTR).


Ya know, I totally missed that!  Thanks.
~Rob (Gunner)
- IE Zone Editor
- Gunners File Type Editor
http://www.gunnerinc.com