Topic: efi-driver-x86_64.trid.xml for Extensible Firmware Interface x86_64 driver *.efi

jenderek

Hello TrID users,

Some days ago, just for interest, I inspected files on my EFI partition by
running the TrID utility. After finding EFI applications for Intel x86-64 and
80386 architectures, I also found driver variant examples for Intel x86-64
CPUs.

Such files are described by exe-win64.trid.xml as "Win64 Executable (generic)"
or by exe-generic.trid.xml as "Generic Win/DOS Executable" (see the appended
output/trid-v.txt). This is in principle OK, but the extension for such samples
is EFI instead of EXE.

So I searched for more such EFI samples. Samples like Fat.efi,
ext4_x64_signed.efi or ntfs_x64_signed.efi are part of Seagate SeaTools or
the VirtualBox sources.

For comparison, I also ran other identification tools on such
examples. The file command identifies most of the inspected examples as "PE32+
executable (EFI boot service driver) x86-64, for MS Windows" (see the appended
output/file-5.39.txt).

Much information is found on the Wikipedia page about Portable
Executable. That is expressed by a reference URL line like:
   <RefURL>
   https://en.wikipedia.org/wiki/Portable_Executable
   </RefURL>

So I ran tridscan on these samples and got a TrID definition file
efi-driver-x86_64.trid.xml. All my samples start with the typical Windows
executable phrase that is also found in the other TrID definitions
exe-win*.trid.xml. That is expressed by XML pattern blocks like:
   <Bytes>4D5A0000</Bytes>
   <ASCII> M Z</ASCII>
   <Pos>0</Pos>
Furthermore, I got many more null patterns like:
   <Bytes>00000000000000000000000000</Bytes>
   <Pos>135</Pos>
I do not know whether such patterns are generated by lucky circumstances or
are necessary.

In the global strings section I got obviously non-relevant strings like:
   <String>D$PH+</String>
   <String>D$ H</String>
   <String>D$(H</String>
   <String>L$ H</String>
   <String>L$ I</String>
So I deleted such lines and kept lines which look reasonable, like:
   <String>F'I'L'E' 'S'Y'S'T'E'M' 'D'R'I'V'E'R</String>
   <String>.RELOC</String>
   <String>.TEXT</String>
   <String>PE''D</String>
   <String>DATA</String>
Comparing with the application variant efi-app-x86_64.trid.xml, only 1 UTF-16
phrase is unique. That is "FILE SYSTEM DRIVER". Because the definition is only
based on 9 examples, more refinement is probably needed.

Because such an EFI file format is extended from the DOS MZ executable, the file
command uses the MIME type "application/x-dosexec" (see the appended
output/file-i-5.39.txt), but the Wikipedia page about Portable Executable
mentions another MIME type. That is expressed by a line like:
   <Mime>application/vnd.microsoft.portable-executable</Mime>

With the new definition, the previously unspecifically described EFI drivers are
now described more precisely (see the appended output/trid-new-v.txt). The TrID
definition, some examples and output are stored in the archive
EFI_boot64.zip. I hope that my XML file can be used in a future
version of triddefs.

According to the file command, there still exist other variants of EFI
files.
Then there exist variants for other non-Intel CPU types. After installing the
Assessment and Deployment Kit for Windows 10, I also found examples like
bootarm.efi for "ARM Thumb" CPUs. Unfortunately, I found only a few such
examples, so I cannot generate TrID definitions for them.

On my EFI partition, inside the boot subdirectory in the Microsoft directory,
I found files like bootmgr.efi or memtest.efi. Such samples are described
by the file command as "PE32+ executable x86-64, for MS Windows". So for such
samples another treatment is probably needed.

With best wishes
Jörg Jenderek
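As an added example (not part of the original post, of TrID or of triddefs), the following Python parser reads the PE header fields that the file command's descriptions quoted above are derived from: the optional header magic (PE32 vs. PE32+), the COFF machine type (x86-64, 80386, ARM Thumb) and the subsystem, which is what separates an EFI boot service driver from an EFI application or from a Windows image such as bootmgr.efi. The machine and subsystem codes are taken from the PE/COFF specification; the sample image is constructed by build_sample and is not a real .efi file.

```python
import struct

# Machine types and subsystem values from the PE/COFF specification.
MACHINES = {0x014C: "Intel 80386", 0x8664: "x86-64",
            0x01C2: "ARM Thumb", 0x01C4: "ARM Thumb-2", 0xAA64: "ARM64"}
SUBSYSTEMS = {2: "Windows GUI", 3: "Windows console", 10: "EFI application",
              11: "EFI boot service driver", 12: "EFI runtime driver", 13: "EFI ROM"}

def parse_pe(data: bytes) -> dict:
    """Parse the MZ/PE headers; return format name, machine and subsystem codes."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    # e_lfanew at 0x3C gives the offset of the "PE\0\0" signature.
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    (machine,) = struct.unpack_from("<H", data, pe_off + 4)  # first COFF field
    # Optional header follows the 20-byte COFF header; its magic tells PE32 from PE32+.
    opt = pe_off + 24
    (magic,) = struct.unpack_from("<H", data, opt)
    fmt = {0x10B: "PE32", 0x20B: "PE32+"}.get(magic)
    if fmt is None:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # Subsystem is at offset 68 of the optional header in both PE32 and PE32+.
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    return {"format": fmt, "machine": machine, "subsystem": subsystem}

def describe(data: bytes) -> str:
    """file(1)-style one-line description built from the parsed header fields."""
    h = parse_pe(data)
    sub = SUBSYSTEMS.get(h["subsystem"], f"subsystem {h['subsystem']}")
    mach = MACHINES.get(h["machine"], f"machine {h['machine']:#x}")
    return f"{h['format']} executable ({sub}) {mach}"

def is_efi_image(data: bytes) -> bool:
    """True for the EFI subsystems (10-13), False for Windows images like bootmgr.efi."""
    return 10 <= parse_pe(data)["subsystem"] <= 13

def build_sample(machine: int, subsystem: int, magic: int = 0x20B) -> bytes:
    """Constructed minimal image (not a real .efi): MZ stub, PE signature, headers."""
    pe_off = 0x80
    dos = bytearray(pe_off)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, pe_off)
    # COFF header: Machine, #Sections, TimeDateStamp, SymTabPtr, #Symbols, OptHdrSize, Characteristics.
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 68, subsystem)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)
```

Run describe() over a real .efi file read in binary mode to see which subsystem it carries; a TrID definition built from byte patterns alone cannot express this distinction, which is why the Windows-subsystem samples in the Microsoft directory need separate treatment.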

Mark0

Thanks!