Author Topic: TrID update of autorun.trid.xml + variant for Autorun.inf file  (Read 3888 times)

jenderek

Hello,

When I run TrID on hundreds of AUTORUN*.INF files, dozens are misidentified
( "Generic INI configuration", see appended output/trid-old.txt ).

The newest file(1) command version (http://darwinsys.com/file/) identifies most
of these examples correctly as "Microsoft Windows Autorun file"
( see appended output/file-new.txt ).

After updating the definition file autorun.trid.xml with tridscan, I manually
fine-tuned the XML file.

Unfortunately Microsoft still has not registered an official MIME type with IANA for their
own file types. Because these files are just simple text files, "text/plain"
could be used, but this is too general. Maybe "text/x-autorun" would be sufficient.
But in the end I use the type found for the WINE emulator on Linux, with the line:
      <Mime>application/x-wine-extension-inf</Mime>

Furthermore, I add the Wikipedia page about Autorun as the reference URL.
      <RefURL>https://en.wikipedia.org/wiki/AutoRun</RefURL>

Most autorun examples ( see examples in directory OK_AUTORUN) start with text lines like
[autorun]
open=notepad readme.txt
        or
[autorun]
icon=\FREEDOS\FREEDOS.ICO,0

This gives, in the old definition file, a pattern construct for offset 15:
      <Pattern>
         <Bytes>3D</Bytes>
         <ASCII> =</ASCII>
         <Pos>15</Pos>
      </Pattern>

This is not always true. The section can start with another directive like
"action", found in the BitLocker file autorun-bitlocker.inf for example. The equal sign
is also at another position if the variable assignment is white-space padded, as found
on a Norton product DVD (see AUTORUN-norton.INF), like:
[autorun]
open = NCDStart.EXE
So the above-mentioned pattern vanishes.

In most autorun files, after the right bracket "]" a DOS line feed "CRLF ~ 0D0A"
is found. This is expressed by an XML pattern like
      <Pattern>
         <Bytes>5B6175746F72756E5D0D0A</Bytes>
         <ASCII> [ a u t o r u n ]</ASCII>
         <Pos>0</Pos>
      </Pattern>
Unfortunately this is not always true. Autorun files created on UNIX systems sometimes
use "LF ~ 0A" as end of line ( see example autorun-kalilinux.inf ).
I also found examples (autorun-garmin.inf, Autorun-becker.inf) on some
navigation software CD-ROMs where an additional space follows the right bracket.
So the XML construct must be reduced like:
      <Pattern>
         <Bytes>5B6175746F72756E5D</Bytes>
         <ASCII> [ a u t o r u n ]</ASCII>
         <Pos>0</Pos>
      </Pattern>

Some autorun files start with a directive for 64-bit systems, found for example on
the Windows 10 install medium. This looks like:
[autorun.Amd64]
So the XML construct must be reduced further, like:
      <Pattern>
         <Bytes>5B6175746F72756E</Bytes>
         <ASCII> [ a u t o r u n</ASCII>
         <Pos>0</Pos>
      </Pattern>

In most cases the section name is in lower case like "[autorun]", but I found
examples with the mixed-case name "[AutoRun]" on a Windows XP CD ( see
AUTORUN-xp.INF ) or a Lenovo PC ( see AUTORUN-lenovo.INF ).
So the above pattern is finally replaced by 3 new sub-part patterns like
      <Pattern>
         <Bytes>5B</Bytes>
         <ASCII> [</ASCII>
         <Pos>0</Pos>
      </Pattern>
      <Pattern>
         <Bytes>75746F</Bytes>
         <ASCII> u t o</ASCII>
         <Pos>2</Pos>
      </Pattern>
      <Pattern>
         <Bytes>756E</Bytes>
         <ASCII> u n</ASCII>
         <Pos>6</Pos>
      </Pattern>
and a new string in the global strings section like:
   <GlobalStrings>
      <String>AUTORUN</String>
   </GlobalStrings>

As in other INI configuration files, lines starting with a semicolon are comment
lines. Unfortunately some AUTORUN files contain comments at the beginning.
Such an example is found on the VirtualBox VBoxGuestAdditions CD ( see file
no-bracket/AUTORUN-VBoxGuestAdditions.INF ). It looks like:
;
; Copyright (C) 2006-2016 Oracle Corporation
;
[autorun]
open=VBoxWindowsAdditions.exe
So this file is still classified by TrID as "plain text/ASCII" ( see
no-bracket/output/trid-new.txt ).
So I generated a variant autorun-comment.trid.xml with a new pattern like:
      <Pattern>
         <Bytes>3B</Bytes>
         <ASCII> ;</ASCII>
         <Pos>0</Pos>
      </Pattern>
Assuming that at least 2 directives are used, to give the data medium another label
and its own icon, this results in a global strings section like:
   <GlobalStrings>
      <String>AUTORUN</String>
      <String>LABEL</String>
      <String>ICON</String>
   </GlobalStrings>

With this second definition file such autorun examples are now recognized as
"Autorun.inf file (;)". (see no-bracket/output/trid-v-newer.txt)

TrID definitions, some examples and output are stored in the archive inf_autorun.zip.
I hope that my two XML files can be used in a future version of triddefs.

With best wishes
Jörg Jenderek
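
Added example (not part of the original post and not TrID's own code): a simplified Python model of the byte patterns and global strings discussed above, run against constructed samples to show which layouts the strict and the relaxed definitions accept. It assumes global strings match case-insensitively anywhere in the file and that the two strict patterns belong to one definition; all function names and sample contents are made up for illustration.

```python
# Added example: simplified model of TrID byte patterns and global strings.
# Assumption: global strings are matched case-insensitively anywhere in the file.

# Strict patterns from the post: "[autorun]" + CRLF at 0 and "=" at offset 15.
STRICT_PATTERNS = [(0, bytes.fromhex("5B6175746F72756E5D0D0A")), (15, b"=")]
# Relaxed patterns: "[" at 0, "uto" at 2, "un" at 6 (case of A and R left open).
RELAXED_PATTERNS = [(0, b"["), (2, b"uto"), (6, b"un")]
# Variant for files that begin with a ";" comment line.
COMMENT_PATTERNS = [(0, b";")]

def matches(data, patterns, global_strings=()):
    """True if each byte pattern sits at its offset and each global string occurs."""
    if any(data[pos:pos + len(raw)] != raw for pos, raw in patterns):
        return False
    upper = data.upper()
    return all(s in upper for s in global_strings)

def classify(data):
    """Apply the updated definition first, then the comment variant."""
    if matches(data, RELAXED_PATTERNS, [b"AUTORUN"]):
        return "Autorun.inf file"
    if matches(data, COMMENT_PATTERNS, [b"AUTORUN", b"LABEL", b"ICON"]):
        return "Autorun.inf file (;)"
    return "unidentified"

# Constructed samples modelled on the cases in the post (not the real files).
SAMPLES = {
    "crlf":     b"[autorun]\r\nopen=notepad readme.txt\r\n",
    "lf":       b"[autorun]\nopen=setup.exe\n",
    "trailing": b"[autorun] \r\nopen=setup.exe\r\n",
    "padded":   b"[autorun]\r\nopen = NCDStart.EXE\r\n",
    "amd64":    b"[autorun.Amd64]\r\nopen=setup.exe\r\n",
    "mixed":    b"[AutoRun]\r\nopen=setup.exe\r\n",
    "comment":  b";\r\n; constructed header\r\n;\r\n[autorun]\r\n"
                b"open=setup.exe\r\nicon=setup.exe,0\r\nlabel=Additions\r\n",
    "ini":      b"[settings]\r\nkey=value\r\n",
}

def compare():
    """Return {name: (strict patterns matched?, classification with new definitions)}."""
    return {name: (matches(data, STRICT_PATTERNS), classify(data))
            for name, data in SAMPLES.items()}

if __name__ == "__main__":
    for name, (strict, label) in compare().items():
        print(f"{name:9} strict={strict!s:5} new={label}")
```

Only the plain CRLF sample satisfies the strict patterns; a comment-prefixed file that lacks `label` or `icon` directives would still fall through as unidentified under the variant's global strings.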

Mark0

Re: TrID update of autorun.trid.xml + variant for Autorun.inf file
« Reply #1 on: July 19, 2017, 01:27:53 AM »
Hi Joerg!

Thanks for the new/updated defs.
I think I'll go with "text/inf" for the mime type.