2

I create a ShellLink Shortcut from a 64-bit program:

program ShellLinkShortcutHashTest;

{$APPTYPE CONSOLE}

{$R *.res}

uses
  Winapi.Windows,
  JclShell,
  Winapi.ActiveX,
  IdHashMessageDigest,
  System.Classes, System.SysUtils;

const
  ShortcutFile = 'R:\myshortcut.lnk';
  ShortcutTarget = 'C:\Windows\System32\notepad.exe';

function GetHashFromFile(const AFileToHash: string): string;
var
  IdMD5: TIdHashMessageDigest5;
  FS: TFileStream;
begin
  IdMD5 := TIdHashMessageDigest5.Create;
  FS := TFileStream.Create(AFileToHash, fmOpenRead or fmShareDenyWrite);
  try
    Result := IdMD5.HashStreamAsHex(FS);
  finally
    FS.Free;
    IdMD5.Free;
  end;
end;

function SaveShortcutShellLink(const AFile: string): string;
var
  SL: JclShell.TShellLink;
  HR: Integer;
begin
  Result := 'error';

  SL.Target := ShortcutTarget;
  SL.Description := 'My description';
  HR := JclShell.ShellLinkCreate(SL, AFile);

  if HR = Winapi.Windows.S_OK then
    Result := 'OK - this is the shortcut file hash: ' + GetHashFromFile(AFile)
  else
    Result := 'Error: ' + IntToStr(HR);
end;

begin
  try
    Winapi.ActiveX.OleInitialize(nil);
    try
      Writeln(SaveShortcutShellLink(ShortcutFile));
    finally
      Winapi.ActiveX.OleUninitialize;
    end;
    Readln;
  except
    on E: Exception do
    begin
      Writeln(E.ClassName, ': ', E.Message);
      Readln;
    end;
  end;
end.

The MD5 file hash from the shortcut file is: 4113F96CD9D6D94EB1B93D03B9604FFA.

I then build a 32-bit version of the SAME program. But the hash of the shortcut file created with the 32 bit program is different: 6512AB03F39307D9F7E3FC129140117A.

I have tested the MD5 hash of the shortcut file also with other external tools not related to Delphi. They also confirm the 64/32-bit difference.

Does this mean that shortcuts are binary-different if they have been created from a 64-bit program or from a 32-bit program? What is the difference? Could this be a security problem?

Remy Lebeau
  • 555,201
  • 31
  • 458
  • 770
user1580348
  • 5,721
  • 4
  • 43
  • 105
  • "*Does this mean that shortcuts are binary-different if they have been created from a 64-bit program or from a 32-bit program?*" - yes, obviously, if you are getting different hashs. "*What is the difference?*" - use a hex editor and view the byte differences for yourself. If you want to know what the different bytes actually represent, you will have to find the Shortcut file format spec online somewhere. "*Could this be a security problem?*" - no. – Remy Lebeau Jan 08 '20 at 23:01
  • @RemyLebeau "yes, obviously, if you are getting different hashs" You have misinterpreted a general question as a specific question. Is this the reason for downvoting my question? – user1580348 Jan 09 '20 at 10:56
  • If what @J... says is true, you will get a different shortcut (hash) every time. Have you at least created two shortcuts for the same executable, to check whether they are the same? – GolezTrol Jan 09 '20 at 12:59
  • 1
    @GolezTrol I take it back - it's not that. See my answer. – J... Jan 09 '20 at 13:25
  • +1 Just for the MCVE. – J... Jan 09 '20 at 13:37
  • 1
    @user1580348 I didn't downvote – Remy Lebeau Jan 09 '20 at 16:03

1 Answers1

3

You're falling victim to the WOW64 filesystem redirector.

When your 64-bit application attempts to access :

C:\Windows\System32\notepad.exe

everything is normal you get a shortcut to the 64-bit notepad application in System32. When you attempt to access the same path from a 32-bit application, however, the redirector silently substitutes the WOW64 path in its place, to :

C:\Windows\SysWOW64\notepad.exe

and your application instead creates a shortcut to the 32-bit notepad application in SysWOW64. So these hash differently because they are shortcuts to two different programs.

The filesystem redirector is well documented and understood. While that doesn't preclude it having some security vulnerabilities, the redirector itself, and its documented behaviours, should not generally be considered a security risk.

J...
  • 30,968
  • 6
  • 66
  • 143