Author Topic: efi-app-x86_64-stripped.trid.xmlw for Extensible Firmware Interface stripped app  (Read 1508 times)

jenderek

Hello TrID users,

Some days ago, just out of interest, I inspected the files on my EFI partition by
running the TrID utility. Inside the EFI sub directory
I found a file named grubx64.efi. That file is described by
exe-win64.trid.xml as "Win64 Executable (generic)" or by
exe-generic.trid.xml as "Generic Win/DOS Executable" (see the appended
output/trid-v.txt). This is in principle OK, but the extension for such
executables is EFI instead of EXE.
So I searched for more such executables. I also found other boot loaders like
syslinux.efi, shim.efi, drivedroid.efi, the Seagate SeaTools bootx64.efi,
or a partitioning tool like gdisk_x64.efi.

For comparison, I also ran other identifying tools on such
examples. The file command identifies my inspected examples as "PE32+
executable (EFI application) x86-64 (stripped to external PDB)"
(see the appended output/file-5.39.txt).

Much information is found on the Wikipedia page about Portable
Executable. That is expressed by a reference URL line like:
   <RefURL>
   https://en.wikipedia.org/wiki/Portable_Executable
   </RefURL>

So I ran tridscan on these samples and got a TrID definition file
efi-app-x86_64-stripped.trid.xml. All my samples start with the typical Windows
executable phrase that is also found in the other TrID definitions
exe-win*.trid.xml. That is expressed by XML pattern blocks like:
   <Bytes>4D5A</Bytes>
   <ASCII> M Z</ASCII>
   <Pos>0</Pos>
Furthermore, I get many null patterns like:
   <Bytes>0000000000</Bytes>
   <Pos>163</Pos>
I do not know if such patterns are generated by lucky circumstances or
are necessary.
In the global strings section I get obviously non-relevant strings like:
   <String>IN D</String>
   <String>N IN</String>
   <String>S MOD</String>
So I deleted such lines and kept the lines which look reasonable, like:
   <String>.TEXT</String>
   <String>PE''D</String>
   <String>RELOC</String>
   <String>DATA</String>
Compared with the non-stripped variant efi-app-x86_64.trid.xml, all
UTF-16 strings like LOADER, FUNCTION, VERSION and PORT have now vanished.

Because such an EFI file format is extended from the DOS MZ executable, the
file command uses the MIME type "application/x-dosexec" (see the appended
output/file-i-5.39.txt), but the Wikipedia page about Portable
Executable mentions another MIME type. That is expressed by a line like:
   <Mime>application/vnd.microsoft.portable-executable</Mime>

With the new definition, the unspecifically described EFI applications are
now described more precisely (see the appended
output/trid-v-new.txt). The TrID definition, some examples and the output are
stored in the archive EFI_stripped.zip. I hope that my XML file can be used in a
future version of triddefs.

According to the file command there still exist other variants of EFI
files.

Then there exist variants for other CPU types. Some are described by the
file command with the phrase "Intel 80386" instead of "x86-64". Typical
samples I found are bootwiz32.efi and tnd.x32.efi.
After installing the Assessment and Deployment Kit for Windows 10, I
also found examples like bootarm.efi for "ARM Thumb" CPUs.
Furthermore, I also found EFI samples which are not applications, but
are described as "EFI boot service driver" by the file command. Such
samples like ext4_x64_signed.efi and ntfs_x64_signed.efi are part of
Seagate SeaTools or the VirtualBox sources.
I will try to handle these other variants in a future session.

With best wishes
Jörg Jenderek
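The post compares two ways of deciding what an .efi file is: TrID's positional byte patterns plus global strings, and the file command's decoding of the PE header (PE32+, subsystem, machine type, debug-stripped flag). The script below is an added example, not code from the post or from the TrID project, that does both on a constructed PE32+ image so the two verdicts can be cross-checked. The `<Bytes>`, `<ASCII>`, `<Pos>`, `<String>` and `<Mime>` elements are the ones quoted above; the surrounding `<FrontBlock>`, `<Pattern>` and `<GlobalStrings>` layout, the sample image and its offsets are assumptions made for this example.

```python
"""Added example (not from the post or the TrID project): match a TrID-style
definition against a constructed PE32+ EFI image, then cross-check the verdict
by decoding the PE header fields that the file command's description is built
from (machine type, optional-header magic, subsystem, debug-stripped flag)."""
import struct
import xml.etree.ElementTree as ET

# Constructed definition fragment.  The element names <Bytes>, <ASCII>, <Pos>,
# <String> and <Mime> are those quoted in the post; the wrapping <FrontBlock>,
# <Pattern> and <GlobalStrings> elements are assumed here.
TRID_DEF = """<TrID>
  <Info>
    <FileType>EFI application (x86-64, stripped)</FileType>
    <Ext>EFI</Ext>
    <Mime>application/vnd.microsoft.portable-executable</Mime>
  </Info>
  <FrontBlock>
    <Pattern><Bytes>4D5A</Bytes><ASCII> M Z</ASCII><Pos>0</Pos></Pattern>
    <Pattern><Bytes>0000000000</Bytes><Pos>163</Pos></Pattern>
  </FrontBlock>
  <GlobalStrings>
    <String>.TEXT</String>
    <String>RELOC</String>
  </GlobalStrings>
</TrID>"""

# COFF machine types and PE subsystem values as file(1) names them.
MACHINES = {0x014C: "Intel 80386", 0x8664: "x86-64", 0x01C2: "ARM Thumb",
            0xAA64: "Aarch64"}
SUBSYSTEMS = {10: "EFI application", 11: "EFI boot service driver",
              12: "EFI runtime driver", 13: "EFI ROM"}
IMAGE_FILE_DEBUG_STRIPPED = 0x0200


def trid_matches(xml_text, data):
    """Return True when every positional byte pattern and every global string
    of the definition is present in data (the TrID-style heuristic)."""
    root = ET.fromstring(xml_text)
    for pat in root.iter("Pattern"):
        want = bytes.fromhex(pat.findtext("Bytes"))
        pos = int(pat.findtext("Pos"))
        if data[pos:pos + len(want)] != want:
            return False
    upper = data.upper()          # definition strings are upper-case
    return all(s.text.encode() in upper for s in root.iter("String"))


def describe_pe(data):
    """Decode the PE header the way file(1)'s description does, or return
    None if the buffer is not a PE image at all."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]        # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    machine = struct.unpack_from("<H", data, pe_off + 4)[0]
    characteristics = struct.unpack_from("<H", data, pe_off + 22)[0]
    opt = pe_off + 24                                      # optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    fmt = {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, "PE32?")
    desc = "%s executable (%s) %s" % (
        fmt, SUBSYSTEMS.get(subsystem, "subsystem %d" % subsystem),
        MACHINES.get(machine, "machine 0x%x" % machine))
    if characteristics & IMAGE_FILE_DEBUG_STRIPPED:
        desc += " (stripped to external PDB)"
    return desc


def build_sample(machine=0x8664, subsystem=10, stripped=True):
    """Constructed minimal PE32+ image: only the header fields the two checks
    above read are populated; everything else stays zero (so the null
    pattern at offset 163 lands inside the zeroed optional header)."""
    img = bytearray(0x200)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x84, machine, 2)          # Machine, sections
    struct.pack_into("<H", img, 0x80 + 20, 0xF0)            # SizeOfOptionalHeader
    chars = 0x0022 | (IMAGE_FILE_DEBUG_STRIPPED if stripped else 0)
    struct.pack_into("<H", img, 0x80 + 22, chars)           # Characteristics
    struct.pack_into("<H", img, 0x98, 0x20B)                # PE32+ magic
    struct.pack_into("<H", img, 0x98 + 68, subsystem)       # Subsystem
    img[0x180:0x185] = b".text"                             # section names
    img[0x1A8:0x1AE] = b".reloc"
    return bytes(img)


def classify(data):
    """Combine both views so a mismatch (pattern says EFI application, header
    says driver) is visible instead of silently trusting the heuristic."""
    return {"trid": trid_matches(TRID_DEF, data), "pe": describe_pe(data)}


if __name__ == "__main__":
    for sample in (build_sample(), build_sample(subsystem=11), b"not a PE file"):
        print(classify(sample))
```

Running it shows the point the post makes about the file command: the byte patterns are satisfied equally by an EFI application and by an EFI boot service driver, while the Subsystem field in the optional header tells them apart, so a definition built only from positional patterns needs the header decode beside it when the distinction matters.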

Mark0

Thanks!