FTP IDList format addition

[dragokas]

Hi Joachim !

Many thanks for documentation.

I made some research during development of my project Check Browsers' LNK, as a result I have addition to your docs: https://github.com/libyal/libfwsi/blob/master/documentation/Windows%20Shell%20Item%20format.asciidoc

    '-------------
    '3.7. FTP IDList format (must follow after IDList[0] ):
    '
    'Great thanks to Joachim Metz.
    'This specification was appended by Dragokas.
    '
    '2 bytes - size of this ID List
    '1 bytes - type = 0x61 (URI)
    '1 bytes - Flag (0x01, 0x02, 0x80 set if URI in Unicode)
    '2 bytes - *size of URI data (not including this 2 bytes itself)
    '4 bytes - unknown
    '4 bytes - unknown
    '8 bytes - timestamp (FILETIME) - first access time to the server (access != successfull authentification)
    '4 bytes - unknown (seen 0x00000000 and 0xFFFFFFFF)
    '12 bytes - unknown
    '4 bytes - unknown
    '4 bytes - size of actual URL string1 (4-bytes aligned)
    '... bytes - String1 (FTP server)
    '4 bytes - size of string2
    '... bytes - String2 (Login)**
    '4 bytes - size of string3
    '... bytes - String3 (Password)**
    '... bytes - unknown data (possible, string which represents URI protocol).

    '* if size of URI is 0, all next bytes of this ID List represents URL string
    '** result format is: ftp://Login:Password@Server/SubItem

    '3.7.1. FTP IDList sub item
    '
    'offset | bytes count | description
    '
    '00 | 2 bytes - size of sub item (include 2 bytes itself)
    '02 | 1 bytes - class type indicator ? (seen 0x00)
    '03 | 1 bytes - unknown (seen 0x00, 0x06, 0x09)
    '04 | 2 bytes - unknown
    '06 | 2 bytes - unknown (seen 0x05, 0x09)
    '08 | 2 bytes - unknown (seen 0x00, 0x03)
    '0A | 4 bytes - unknown (seen 0xC80, 0xC90, 0x10)
    '0E | 4 bytes - unknown (seen 0x200)
    '12 | 4 bytes - unknown
    '16 | 8 bytes - timestamp (FILETIME) - last modified time of folder on server
    '1E | 4 bytes - unknown (seen 0x0755)
    '22 | 4 bytes - unknown
    '26 | ... bytes - ANSI String (Sub Item value). Ends with 4-bytes NUL terminator
    'xx | ... bytes - Unicode String (Sub Item value). Ends with 4-bytes NUL terminator
    'xx | 2 bytes - TerminalID of IDList (0x00)

Here is a live example: target_-_copy.lnk

WBR, Alex.

[dragokas]

Here is another example: WhiteList.lnk

[joachimmetz]

Thx for sharing I'll have a look as soon as time permits.

[dragokas]

Hi, here is a little update to the end of 3.7.1. about TerminalID:

        '3.7.1. FTP IDList sub item
        '
        'offset | bytes count | description
        '
        '00 | 2 bytes - size of sub item (include 2 bytes itself)
        '02 | 1 bytes - class type indicator ? (seen 0x00)
        '03 | 1 bytes - unknown (seen 0x00, 0x06, 0x09)
        '04 | 2 bytes - unknown
        '06 | 2 bytes - unknown (seen 0x05, 0x09)
        '08 | 2 bytes - unknown (seen 0x00, 0x03)
        '0A | 4 bytes - unknown (seen 0xC80, 0xC90, 0x10)
        '0E | 4 bytes - unknown (seen 0x200)
        '12 | 4 bytes - unknown
        '16 | 8 bytes - timestamp (FILETIME) - last modified time of folder on server
        '1E | 4 bytes - unknown (seen 0x0755)
        '22 | 4 bytes - unknown
        '26 | ... bytes - ANSI String (Sub Item value). Ends with 1-byte NUL terminator
        'xx | 3 bytes - unknown (seen 0x000000, 0xFFFFFF)
        'xx | ... bytes - Unicode String (Sub Item value). Ends with 2-bytes NUL terminator
        'xx | 2 bytes - unknown (seen 0x0000)
        'xx | 2 bytes - TerminalID of IDList (0x00)

Sample: SZ.lnk

[joachimmetz]

@dragokas sorry for the slow reply could you share the samples again.

[dragokas]

Hi, joachimmetz. Sorry for removing. Please, see updated posts above.

[joachimmetz]

thx for re-adding, much appreciated. I was doing work on libfwsi today, so I'll look at them shortly.

[dragokas]

That's interesting. Thanks for letting me know. Maybe will use it later as a database for my lnk parser.

[joachimmetz]

I've integrated your findings into the documentation. Thanks again for sharing.