
Microsoft Security -- Installment One
9/7/99

Krale

[Editor's Note:  OSAll has received comments from several individuals claiming that parts of this article are plagiarized.  One even asked if we "hired JP as editor."  We're looking into these accusations and will have a verdict -- and possibly an apology -- shortly.]

First let's talk about Windows 95 (specifically Win 95, not Win 98). It seems kind of stable (other than the many general protection faults and blue screens of death). But something is fishy. You feel it somewhere.  I felt it too, and researched until I found many concealed files and behaviors. The first ones I found are mm256.dat and mm2048.dat:

mm256.DAT and mm2048.DAT

I was snooping on my computer with some programs called filemon.exe, regmon.exe, and vxdmon.exe. Filemon reports every file access and tells you what accessed it and where. Regmon does the same for the registry. Vxdmon does the same for VxD calls. I kept filemon running for about three hours and saw nothing out of the ordinary... then came an access to a file (mm256.dat) by wininet.dll. At that time I was doing absolutely nothing. I just left my computer on and logged all the file reads and writes. All the other logged accesses were from the Explorer shell. After finding this file (in very hidden directories) I did the normal double-click, and it wouldn't even let me open it. This is how it all started...

Let's first start with a quote from MS headquarters themselves:

"The mm256.dat and mm2048.dat files are cache files used by Internet Explorer. When you visit a Web page, Internet Explorer assigns the Web address a unique identification number and searches the mm256.dat and mm2048.dat files for that identification number. If the Web page's identification number is found, the contents of the Web page are stored locally on your computer's hard disk and Internet Explorer uses the locally stored content instead of downloading the information from the Internet. If the Web page's identification number is not found, the contents of the Web page must be downloaded from the Internet. This occurs if you have not visited the Web page before, the Web page has changed, or the Web page's identification number has expired. When the Web page's content has been downloaded to the hard disk, the mm256.dat or mm2048.dat file is updated with the Web page's identification number.

The mm256.dat file is used to store the identification numbers of Web pages whose Web addresses are equal to or less than 256 characters. The mm2048.dat is used to store the identification numbers of Web pages whose Web addresses are between 257 and 2048 characters."

First, assuming you know nothing about this, let's gather the information we DO know about these files. Now let's go with what MS said and take off Internet Explorer. They say they're just cache files, so if we remove IE, they'll just go away. If you go to the trouble of removing it, you'll notice they are still there. Hmmm... Just try running your non-IE browser and opening one of them as an ASCII file. It won't let you. Try other tests of calling these files from other programs. Try copying and pasting one. It still won't work. Since we can't open them, let's see where the files are kept and how big they are. I used a non-Microsoft file finder: since MS cannot be trusted (or at least not until they prove they can be), we can't use their programs to snoop their OS.

FF-File Find, ZauberEdition 0.50

C:\WINDOWS\TEMPOR~1\CACHE1  mm256.dat     32.768 bytes  16:16  Fri27Aug99 -medium
C:\WINDOWS\TEMPOR~1\CACHE2  mm256.dat     40.960 bytes  16:16  Fri27Aug99 -medium
C:\WINDOWS\TEMPOR~1\CACHE3  mm256.dat     32.768 bytes  16:16  Fri27Aug99 -medium
C:\WINDOWS\TEMPOR~1\CACHE4  mm256.dat     32.768 bytes  16:16  Fri27Aug99 -medium
C:\WINDOWS\HISTORY          mm256.dat    180.224 bytes  16:16  Fri27Aug99 -big
C:\WINDOWS\COOKIES          mm256.dat      8.192 bytes  16:17  Fri27Aug99 -small
6 files found oh great master!

FF-File Find, ZauberEdition 0.50
C:\WINDOWS\TEMPOR~1\CACHE1  mm2048.dat 1.310.720 bytes  16:17  Fri27Aug99 -huge
C:\WINDOWS\TEMPOR~1\CACHE2  mm2048.dat 1.253.376 bytes  16:17  Fri27Aug99 -huge
C:\WINDOWS\TEMPOR~1\CACHE3  mm2048.dat 1.269.760 bytes  16:17  Fri27Aug99 -huge
C:\WINDOWS\TEMPOR~1\CACHE4  mm2048.dat 1.187.840 bytes  16:17  Fri27Aug99 -huge
C:\WINDOWS\HISTORY          mm2048.dat   532.480 bytes  16:17  Fri27Aug99 -medium
C:\WINDOWS\COOKIES          mm2048.dat     8.192 bytes  16:17  Fri27Aug99 -small
6 files found oh great master!

As I found out, the files come in 3 distinct sizes. Now search for the directories from the "My Computer" icon. Evidently you can't see the directories, so go turn off "hide system files and folders". WHAT?!? You still can't see them? Now go to DOS and list them with dir (use the /a switch, which also shows hidden and system entries; /w and /p only change how the listing is displayed)... this assumes you know how to use DOS. It will show you the hidden directories. Evidently MS didn't want you to even know of these directories. Now try to think of a way to see the contents of these files. Windows won't let you get near them. What about DOS? We can't go through the normal Windows start-up and then F8 to DOS, because we don't know what happens before that.

So go ahead and make a DOS boot disk: format a floppy and select "copy system files". Now restart your computer and boot from that disk. Go to the locations of the files you're trying to see, copy them to a different directory and rename the copies. If you don't, Windows could take over those files and your work getting them would be in vain. Go back to Windows and view the copies with a text viewer.  It has ALL my URLs in it. Yep, it has all the sites with cookie information in it. The big mm2048.dat even holds your whole directory structure. Now go back to DOS and delete all of the mm2048.dat and mm256.dat files. Then go back to Windows and search for them. They're still there! So they are also regenerative. Let's sum up all of the info on these files:
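What the text viewer step does by hand, a small carver can do mechanically on the copies made from DOS (the live files are held open by wininet.dll, as the filemon trace showed, so the copies are what you work on). The script below is an added example written for this article, not Krale's code and not a parser of Microsoft's real record format: it simply pulls printable ASCII and UTF-16 strings out of an opaque file and sorts out URLs, DOS paths and "user@target" style history/cookie entries. The SAMPLE bytes are constructed here to stand in for a copied mm2048.dat; the "Visited:" / "Cookie:" prefixes in them are an assumed layout for the sample, not something the article documents.

```python
"""Carve URLs, history/cookie entries and DOS paths out of an opaque
cache index (a copy of mm256.dat / mm2048.dat taken from DOS).

Added example for this article.  It does not parse the real record
format; it does mechanically what viewing the file in a text viewer does."""
import re
from typing import Dict, List

MIN_LEN = 6
# Runs of printable ASCII bytes.
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# Windows also stores strings as UTF-16LE: printable byte, then 0x00.
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)
URL_RE = re.compile(r"\b(?:https?|ftp|file)://[^\s\"'<>]+", re.I)
PATH_RE = re.compile(r"\b[A-Za-z]:\\[^\"'<>|]+")
# "Visited: user@url" / "Cookie:user@host/" prefixes: an ASSUMED record
# layout used only for the constructed sample below.
ENTRY_RE = re.compile(r"^(Visited|Cookie):\s*(\S+@\S+)", re.I)

# CONSTRUCTED sample bytes standing in for a copied mm2048.dat: binary
# padding, ASCII records, one UTF-16LE URL and a DOS path.
SAMPLE = (
    b"\x00" * 16
    + b"Visited: krale@http://www.aviary-mag.com/methods/index.html\x00"
    + b"\xff\x01\x02"
    + b"http://www.microsoft.com/ie/\x00\x00"
    + b"Cookie:krale@altavista.net/\x00\x00\x00\x00"
    + "ftp://ftp.example.net/pub/".encode("utf-16-le")
    + b"\x00" * 8
    + b"C:\\WINDOWS\\TEMPOR~1\\CACHE1\\\x00"
    + b"ab\x00"  # too short to count as a string
)


def _dedupe(items: List[str]) -> List[str]:
    """Drop repeats while keeping first-seen order."""
    return list(dict.fromkeys(items))


def carve_strings(data: bytes) -> List[str]:
    """Printable ASCII runs first, then UTF-16LE runs, each in file order."""
    out = [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]
    out += [m.group().decode("utf-16-le") for m in UTF16_RE.finditer(data)]
    return out


def carve_artifacts(data: bytes) -> Dict[str, List[str]]:
    """Classify carved strings into URLs, DOS paths and user@target entries."""
    urls: List[str] = []
    paths: List[str] = []
    entries: List[str] = []
    for s in carve_strings(data):
        urls += URL_RE.findall(s)
        paths += PATH_RE.findall(s)
        m = ENTRY_RE.match(s)
        if m:
            entries.append(m.group(2))
    return {
        "urls": _dedupe(urls),
        "paths": _dedupe(paths),
        "entries": _dedupe(entries),
    }


def carve_file(path: str) -> Dict[str, List[str]]:
    """Run the carver over a copied index file, e.g. the renamed mm2048.dat."""
    with open(path, "rb") as f:
        return carve_artifacts(f.read())


if __name__ == "__main__":
    # Run on the constructed sample; point carve_file() at a real copy instead.
    for kind, items in carve_artifacts(SAMPLE).items():
        print(kind)
        for item in items:
            print("   ", item)
```

Run it on each copy (the CACHE1..CACHE4, HISTORY and COOKIES ones separately) and diff the URL lists; that shows which of the copies hold the same browsing record and which hold cookie hosts only.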

1) They have multiple copies of themselves

2) They are called by WININET.DLL for some reason

3) They are IMPOSSIBLE to get into from inside Windows

4) They hold all URLs and your file structure inside

5) Each comes in 3 distinct sizes

6) They are regenerated if erased

7) They are hidden in nearly impossible-to-find parts of your drive

8) They don't go away if IE is uninstalled (totally contradicting what MS said)


Why is there so much secrecy surrounding these files, and why did MS lie? Possibly MS calls them up when you go to their websites (judging by the name of the calling file, wininet.dll) or when you register MS products. I have not confirmed these possibilities, but they might be true. Another file like these is index.dat. It holds most (but not all) URLs that you've gone to. It seems to be regenerative too, but is not as jealously guarded by Windows: you can actually copy and paste this file to another directory and then view the contents. I would like all facts and opinions sent to me at raistlin_majere@altavista.net. Keep on cracking the secrets of Windows!!!

Krale

Note:  OSAll staff has independently reproduced the results of Krale's work using similar methods.  We contacted Microsoft for comment but they didn't return our calls on this issue.

All content copyright 1998 - 99 unless book covers or otherwise noted.  Book covers copyright 1998 - 99 Amazon.com.  All OSAll-owned content may be reprinted with the following header added: "Copyright 1998 - 99 Owl Services.  Visit aviary-mag.com for computer security news and information."  Article authors retain a non-exclusive right to republish their work.