Mark0's Forum
Software => TrID File Identifier => Topic started by: jenderek on November 22, 2020, 09:18:36 PM

-
Hello trid users,
 
Some days ago, just for interest, I inspected EFI executables starting with the MZ
magic. Afterwards I looked for other MZ executables. Such samples with the IME
file name extension are Microsoft Input Method Editor files. These samples
are often described by dll.trid.xml as "Win32 Dynamic Link Library
(generic)" or by exe-generic.trid.xml as "Generic Win/DOS Executable" (see
appended output/trid-v.txt).
 
For comparison reasons I also ran other identifying tools on such
examples. The file command identifies my inspected examples as "PE32
executable (DLL)" for Microsoft Windows (see appended
output/file-5.39.txt). It also displays the correct file name extension ime for
such special DLLs (see appended output/file-extension-5.39.txt).
 
A little bit of information is found on the fileinfo.com web page. That is
expressed by a reference URL line like:
<RefURL>https://fileinfo.com/extension/ime</RefURL>
 
According to that site, I found my examples in the system32 or SysWOW64 sub
directory inside the Windows directory. On my modern Windows system I only found
1 example. That is msctfime.ime. So I mention this fact in the remark line.
On an older XP system I found more examples inside the dllcache sub directory.
 
Because such an IME file format is extended from the DOS MZ executable, the file
command uses the mime type "application/x-dosexec" (see appended
output/file-i-5.39.txt), but the Wikipedia page about Portable Executable
mentions another mime type. That is expressed by a line like:
<Mime>application/vnd.microsoft.portable-executable</Mime>
 
Such IME files seem to be part of the Windows system or the Microsoft Office suite,
but on my systems this file type is not registered. What an annoyance of
Microsoft, putting their own file types on my systems without links in the
registry or information about the IME file format.
 
So I ran tridscan on my samples and got the trid definition file
ime-ms.trid.xml. All my samples start with the typical Windows Dynamic Link
Library phrase that is also found in other trid definitions like
dll.trid.xml and exe-win*.trid.xml. That is expressed by an XML pattern block
like:
<Bytes>4D5A9000</Bytes>
<ASCII>M Z . .</ASCII>
<Pos>0</Pos>
Furthermore I get many null patterns like:
<Bytes>000000</Bytes>
<Pos>446</Pos>
I do not know if such patterns are generated by lucky circumstances or are
necessary.
 
In the global strings section I get lines like:
<String>C'O'M'P'A'N'Y'N'A'M'E'''''M'I'C'R'O'S'O'F'T' 'C'O'R'P'O'R'A'T'I'O'N</String>
<String>THIS PROGRAM CANNOT BE RUN IN DOS MODE.</String>
These are typical for Microsoft Windows executables, but are probably not
required. For me I see only 1 characteristic line that refers to the file name
extension. That is:
<String>.'I'M'E</String>
There exist many lines which seem to be garbage like:
<String>ANCE</String>
<String>IMEA</String>
<String>NTER</String>
<String>ONFI</String>
I kept these lines. First I started with 5 examples with many lines. Later I
finally got 43 examples. So when I ran tridscan on more and more examples,
many lines in the string section vanished or became shorter.
 
With the new definition the unspecifically described Input Method Editor files
are now described more precisely (see appended output/trid-new-v.txt). The TrID
definition, some examples and output are stored in the archive ime.zip. I hope
that my XML file can be used in a future version of triddefs.
 
 With best wishes
 Jörg Jenderek
 
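A small matcher for the three pattern kinds quoted in the post above (Bytes/Pos pairs, null patterns, and global strings), as an added example that is not part of the post or of TrID itself. It assumes that an apostrophe in a TrID string stands for a NUL byte (which is what turns the quoted string into UTF-16LE "COMPANYNAME ... MICROSOFT CORPORATION") and that strings match case-insensitively, and it runs on a constructed buffer rather than a real msctfime.ime.

```python
# Added example, not TrID's code: apply the rules quoted from ime-ms.trid.xml
# to a byte buffer and report whether it would be described as an IME file.

# Rules copied from the quoted definition: (hex bytes, offset) pairs and
# global strings. The "'" in a string is assumed to stand for a NUL byte.
IME_RULES = {
    "patterns": [("4D5A9000", 0), ("000000", 446)],
    "strings": [
        "C'O'M'P'A'N'Y'N'A'M'E'''''M'I'C'R'O'S'O'F'T' 'C'O'R'P'O'R'A'T'I'O'N",
        "THIS PROGRAM CANNOT BE RUN IN DOS MODE.",
        ".'I'M'E",  # UTF-16LE ".IME", the one extension-specific string
    ],
}


def trid_string_to_bytes(s):
    """Turn a TrID <String> into the raw bytes it matches (assumption: ' = NUL)."""
    return s.replace("'", "\x00").encode("latin-1")


def matches(data, rules):
    """True if every <Bytes>/<Pos> pattern and every global string is present."""
    for hexbytes, pos in rules["patterns"]:
        want = bytes.fromhex(hexbytes)
        if data[pos:pos + len(want)] != want:
            return False
    # Definitions carry upper-case strings, so compare against upper-cased data
    # (assumption: TrID's string match is case-insensitive). bytes.upper() only
    # touches ASCII letters, so the NUL bytes of UTF-16LE text are unaffected.
    hay = data.upper()
    return all(trid_string_to_bytes(s) in hay for s in rules["strings"])


def build_sample(ext=".ime"):
    """Constructed stand-in for an IME DLL: MZ header, DOS stub text, a padded
    body and UTF-16LE version-info style strings. Not a real executable."""
    buf = bytearray(b"MZ\x90\x00\x03\x00" + b"\x00" * 58)      # 64-byte DOS header
    buf += b"This program cannot be run in DOS mode.\r\n$"   # DOS stub message
    buf += b"\x00" * 400                                     # covers offset 446
    buf += "COMPANYNAME".encode("utf-16-le") + b"\x00" * 4   # E + 5 NULs, as quoted
    buf += "MICROSOFT CORPORATION".encode("utf-16-le")
    buf += b"\x00" * 16
    buf += ("msctfime" + ext).encode("utf-16-le")             # original file name
    return bytes(buf)


if __name__ == "__main__":
    print("IME sample:", matches(build_sample(), IME_RULES))        # True
    print("DLL sample:", matches(build_sample(".dll"), IME_RULES))  # False
```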
-
Thanks!