Hello,
when i run TrID on on hundreds of AUTORUN*.INF files dozens are misidentified
( "Generic INI configuration" see appended output/trid-old.txt ).
The newest file(1) command version (
http://darwinsys.com/file/) identifies most
of these examples correct as "Microsoft Windows Autorun file"
( see appended output/file-new.txt ).
After updating definition file autorun.trid.xml by tridscan i manually fine
tuned XML file.
Unfortunately Microsoft still has not registered an official mime by IANA for their
own file types. Because these files are just simple text files, "text/plain"
could be used, but this is too general. Maybe "text/x-autorun" would be sufficient.
But finally i use type find for WINE emulator on Linux by line:
<Mime>application/x-wine-extension-inf</Mime>
Furthermore i add Wikipedia page about Autorun as reference URL.
<RefURL>
https://en.wikipedia.org/wiki/AutoRun</RefURL>
Most autorun examples ( see examples in directory OK_AUTORUN) start with text lines like
[autorun]
open=notepad readme.txt
or
[autorun]
icon=\FREEDOS\FREEDOS.ICO,0
This give in old definition file for offset 15 a pattern construct:
<Pattern>
<Bytes>3D</Bytes>
<ASCII> =</ASCII>
<Pos>15</Pos>
</Pattern>
This is not always true. The section can start with another directive like
"action" found in BitLocker file autorun-bitlocker.inf for example. Equal sign
is also at other position if variable assignment is white space padded found
on Norton product DVD (see AUTORUN-norton.INF) like:
[autorun]
open = NCDStart.EXE
So above mentioned pattern vanish.
In most autorun files after the right bracket "]" a DOS line feed "CRLF ~ 0D0A"
is found. This is expressed by XML pattern like
<Pattern>
<Bytes>5B6175746F72756E5D0D0A</Bytes>
<ASCII> [ a u t o r u n ]</ASCII>
<Pos>0</Pos>
</Pattern>
Unfortunately this is not always true. Autorun files created on UNIX system sometimes
use "LF ~ 0A" as end of line ( See example autorun-kalilinux.inf ).
I also found examples (autorun-garmin.inf, Autorun-becker.inf) on some
navigation software CD-ROM where additional space is behind right bracket.
So XML construct must be reduced like:
<Pattern>
<Bytes>5B6175746F72756E5D</Bytes>
<ASCII> [ a u t o r u n ]</ASCII>
<Pos>0</Pos>
</Pattern>
Some autorun start with directive for 64 bit systems, found for example on
Windows 10 install medium. This looks like:
[autorun.Amd64]
So XML construct must be more reduced like:
<Pattern>
<Bytes>5B6175746F72756E</Bytes>
<ASCII> [ a u t o r u n</ASCII>
<Pos>0</Pos>
</Pattern>
In most cases the section name is in low case like "[autorun]", but i found
examples with mixed case name "[AutoRun]" found on Windows XP CD ( see
AUTORUN-xp.INF ) or Lenovo PC ( see AUTORUN-lenovo.INF )
So above pattern is finally replaced by 3 new sub part patterns like
<Pattern>
<Bytes>5B</Bytes>
<ASCII> [</ASCII>
<Pos>0</Pos>
</Pattern>
<Pattern>
<Bytes>75746F</Bytes>
<ASCII> u t o</ASCII>
<Pos>2</Pos>
</Pattern>
<Pattern>
<Bytes>756E</Bytes>
<ASCII> u n</ASCII>
<Pos>6</Pos>
</Pattern>
and a new string in global strings section like:
<GlobalStrings>
<String>AUTORUN</String>
</GlobalStrings>
Like other INI configuration files lines starting with semicolon are comment
lines. Unfortunately some AUTORUN files contains comments at the beginning.
Such example is found on Virtualbox VBoxGuestAdditions CD ( See file
no-bracket/AUTORUN-VBoxGuestAdditions.INF). It looks like:
;
; Copyright (C) 2006-2016 Oracle Corporation
;
[autorun]
open=VBoxWindowsAdditions.exe
So this file is still classified by TrID as "plain text/ASCII" ( See
no-bracket/output/trid-new.txt).
So i generate a variant autorun-comment.trid.xml with new pattern like:
<Pattern>
<Bytes>3B</Bytes>
<ASCII> ;</ASCII>
<Pos>0</Pos>
</Pattern>
Assuming that at least 2 directive are used to give data medium an other label
and an own icon this results in a global string section like:
<GlobalStrings>
<String>AUTORUN</String>
<String>LABEL</String>
<String>ICON</String>
</GlobalStrings>
With this second definition file such autorun examples are now recognized as
"Autorun.inf file (
". (see no-bracket/output/trid-v-newer.txt)
TrID definitions, some examples and output are stored in archive inf_autorun.zip.
I hope that my two XML files can be used in future version of triddefs.
With best wishes
J?rg Jenderek
