
Different file hash of shortcut file when shortcut created from 32-bit or 64-bit program


I create a ShellLink Shortcut from a 64-bit program:

program ShellLinkShortcutHashTest;

{$APPTYPE CONSOLE}

{$R *.res}

uses
  Winapi.Windows,
  JclShell,
  Winapi.ActiveX,
  IdHashMessageDigest,
  System.Classes, System.SysUtils;

const
  ShortcutFile = 'R:\myshortcut.lnk';
  ShortcutTarget = 'C:\Windows\System32\notepad.exe';

function GetHashFromFile(const AFileToHash: string): string;
var
  IdMD5: TIdHashMessageDigest5;
  FS: TFileStream;
begin
  IdMD5 := TIdHashMessageDigest5.Create;
  FS := TFileStream.Create(AFileToHash, fmOpenRead or fmShareDenyWrite);
  try
    Result := IdMD5.HashStreamAsHex(FS);
  finally
    FS.Free;
    IdMD5.Free;
  end;
end;

function SaveShortcutShellLink(const AFile: string): string;
var
  SL: JclShell.TShellLink;
  HR: Integer;
begin
  Result := 'error';

  SL.Target := ShortcutTarget;
  SL.Description := 'My description';
  HR := JclShell.ShellLinkCreate(SL, AFile);

  if HR = Winapi.Windows.S_OK then
    Result := 'OK - this is the shortcut file hash: ' + GetHashFromFile(AFile)
  else
    Result := 'Error: ' + IntToStr(HR);
end;

begin
  try
    Winapi.ActiveX.OleInitialize(nil);
    try
      Writeln(SaveShortcutShellLink(ShortcutFile));
    finally
      Winapi.ActiveX.OleUninitialize;
    end;
    Readln;
  except
    on E: Exception do
    begin
      Writeln(E.ClassName, ': ', E.Message);
      Readln;
    end;
  end;
end.

The MD5 file hash from the shortcut file is: 4113F96CD9D6D94EB1B93D03B9604FFA.

I then build a 32-bit version of the SAME program. But the hash of the shortcut file created with the 32-bit program is different: 6512AB03F39307D9F7E3FC129140117A.

I have tested the MD5 hash of the shortcut file also with other external tools not related to Delphi. They also confirm the 64/32-bit difference.

Does this mean that shortcuts are binary-different if they have been created from a 64-bit program or from a 32-bit program? What is the difference? Could this be a security problem?


Solution

  • You're falling victim to the WOW64 filesystem redirector.

    When your 64-bit application attempts to access:

    C:\Windows\System32\notepad.exe

    everything is normal: you get a shortcut to the 64-bit notepad application in System32. When you attempt to access the same path from a 32-bit application, however, the redirector silently substitutes the WOW64 path in its place, to:

    C:\Windows\SysWOW64\notepad.exe

    and your application instead creates a shortcut to the 32-bit notepad application in SysWOW64. So these hash differently because they are shortcuts to two different programs.

    The filesystem redirector is well documented and understood. While that doesn't preclude it having some security vulnerabilities, the redirector itself, and its documented behaviours, should not generally be considered a security risk.
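To see which fields differ between two shortcuts instead of only comparing their MD5 values, the Python code below (an added example, not part of the original question or answer) reads the header and LinkInfo fields defined in the MS-SHLLINK format and reports the ones that do not match. The function names, the cp1252 decoding and the two sample links, built to mirror the two paths named in the answer, are assumptions constructed for illustration.

```python
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO = 0x1, 0x2  # LinkFlags bits from MS-SHLLINK

def parse_lnk(data: bytes) -> dict:
    """Extract the target-related fields from the bytes of a .lnk file."""
    if len(data) < 76 or data[:4] != b"\x4c\0\0\0" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags, attrs = struct.unpack_from("<II", data, 20)
    file_size, icon_index, show_cmd = struct.unpack_from("<IiI", data, 52)
    pos, target = 76, None
    if flags & HAS_ID_LIST:  # skip IDListSize plus the item ID list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        size, _hdr, li_flags, _vol, base_off = struct.unpack_from("<5I", data, pos)
        if li_flags & 0x1:  # VolumeIDAndLocalBasePath
            start = pos + base_off
            end = data.index(b"\0", start, pos + size)
            # Assumption: ANSI path decoded as cp1252 (really the system code page)
            target = data[start:end].decode("cp1252", "replace")
    return {"target": target, "file_size": file_size, "attributes": attrs,
            "icon_index": icon_index, "show_command": show_cmd}

def diff_links(a: bytes, b: bytes) -> dict:
    """Return {field: (value_in_a, value_in_b)} for each parsed field that differs."""
    pa, pb = parse_lnk(a), parse_lnk(b)
    return {k: (pa[k], pb[k]) for k in pa if pa[k] != pb[k]}

def build_sample(target: str, file_size: int) -> bytes:
    """Constructed minimal link: header plus LinkInfo only, VolumeID left out."""
    p = target.encode("ascii") + b"\0"
    header = (struct.pack("<I16sII", 0x4C, LNK_CLSID, HAS_LINK_INFO, 0x20)
              + bytes(24) + struct.pack("<IiIH", file_size, 0, 1, 0) + bytes(10))
    info = struct.pack("<7I", 28 + len(p) + 1, 28, 0x1, 0, 28, 0, 28 + len(p))
    return header + info + p + b"\0"

# Constructed samples; the file sizes are made-up values, not real notepad.exe sizes.
SAMPLE_64 = build_sample(r"C:\Windows\System32\notepad.exe", 201216)
SAMPLE_32 = build_sample(r"C:\Windows\SysWOW64\notepad.exe", 165888)

if __name__ == "__main__":
    for field, (v64, v32) in diff_links(SAMPLE_64, SAMPLE_32).items():
        print(f"{field}: {v64!r} != {v32!r}")
```

On real files, pass the bytes of each shortcut (for example `open(path, "rb").read()`) to `diff_links`; only the local base path is read, so a non-empty common path suffix or a Unicode-only path is not reflected in `target`.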