Author Topic: 2 definitions sys-dosdriver.trid.xml, sys-upx.trid.xml for DOS device drivers  (Read 1852 times)

jenderek

  • Sr. Member
  • ****
  • Posts: 375
Hello trid users,

Some days ago, after handling some OS/2 files, I looked for comparison reasons
at DOS device drivers. Many are found as part of the FreeDOS system (see
https://www.freedos.org/).
None of my 100 inspected driver samples is recognized. Most are misidentified
as "Atari XE Executable" by exe-xex.trid.xml and "MP3 audio" by
audio-mp3.trid.xml (see appended output/trid-v.txt).

For comparison reasons I ran the file command. This describes the samples
correctly as DOS executable device driver (see appended
output/file-5.39.txt).

Eight samples like lbacache.sys are described as UPX compressed. When I
tried to run tridscan on these samples, I got no trid definition file.
So I ran tridscan first on 2 examples and refined the definition file manually.
In the end I created sys-upx.trid.xml and tried to do it in the same manner as in
sys-syspack.trid.xml for SYSPACK compressed DOS SYS drivers.

Characteristic for such compressed files is the 4 byte magic string UPX!. That
is expressed in the global string section by a line like:
   <String>UPX!</String>
This was not detected by tridscan. Maybe this pattern was too short.

Information about that compression method can be found on Wikipedia. This is
shown by a reference line like:
   <RefURL>https://en.wikipedia.org/wiki/UPX</RefURL>

At the beginning a 4 byte pointer to the next driver is stored. For most (about
94% of my inspected samples) DOS device drivers this value is
0xffffffff. This is expressed by the XML construct:
   <Bytes>FFFFFFFF</Bytes>
   <Pos>0</Pos>
Unfortunately this is not a strict condition. Some examples like Uwe Sieber's
echo.sys, CMD640X.SYS or DC2975.SYS use other values. So the 2 latter samples
have such a different pointer value, like 0x12, that they are not even misidentified
as "Atari XE Executable" or "MP3 audio".

To also recognize most of the non-compressed DOS drivers I created a trid
definition file sys-dosdriver.trid.xml which contains only that one pattern.

Instead of the generic application/octet-stream MIME type, the file command
displays another one (see appended output/file-i-5.39.txt). This is now expressed
by the line:
      <Mime>application/x-dosdriver</Mime>

Some information about the DOS driver file format can now be found on the
Archive Team file formats web site. This is now expressed by a
reference URL line like:
   <RefURL>
   http://fileformats.archiveteam.org/wiki/DOS_device_driver
   </RefURL>

The mostly used filename extension is SYS. The filename extension DEV is
used by the FreeDOS printer driver tool SPOOL. For the block device driver
of the compression software Stacker the filename extension BIN is used.
According to the reference, DOS is also used as a file name extension. So I found
on OS/2 discs samples like the IBM Token-Ring adapter driver IBMTOK.DOS. I found
no explanation why and when the DOS file name extension is used instead of SYS.
Maybe to explicitly distinguish such drivers from drivers or executables for
the OS/2 system like IBMTOK.OS2. The EBD extension like in the samples
display.ebd and HIMEM.EBD is used for driver variants for an emergency boot
disc. So the file name extensions are shown by a line like:
   <Ext>SYS/BIN/DEV/DOS/EBD</Ext>
I listed all 5 possible file name extensions, even when I found only 1
example, because for me it is irritating if trid lists only the SYS extension for
samples with other extensions. Then my first thought is that the identification is
wrong. I myself did not know until some days ago that the DOS extension is also
used. When searching for some file types I normally do this by searching
for the expected name extension. So I nearly missed the IBM Token-Ring
adapter driver IBMTOK.DOS. Only by lucky circumstances did I catch this unusual
extension when looking at some OS/2 discs.

With the 2 new definitions nearly all unrecognized DOS device drivers are
now described (see appended output/trid-new-v.txt). TrID definitions, some
examples and output are stored in the archive dosdriver.zip. I hope that my 2
XML files can be used in a future version of triddefs.

With best wishes
Jörg Jenderek
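Added example, not part of the post above and not TrID's or tridscan's own code: the checks the post relies on, written out so they can be run over sample files. It uses the signals the post names (the 4-byte next-driver pointer at offset 0, usually 0xFFFFFFFF but 0x12 in samples like CMD640X.SYS; the UPX! magic; the SYS/BIN/DEV/DOS/EBD extensions) and, as an assumption taken from the classic DOS device driver header layout rather than from the post, the attribute word at offset 4 (bit 15 = character device), the strategy and interrupt entry offsets at 6 and 8, and the 8-byte name or unit count at offset 10. The sample images it classifies are constructed in the script and are not real drivers.

```python
"""Added example (not from the post or from TrID): the DOS device driver
header checks the post describes, plus an entry-offset plausibility check.

From the post: next-driver pointer at +0 (0xFFFFFFFF in most samples, other
values such as 0x12 in CMD640X.SYS / DC2975.SYS), the "UPX!" magic string,
and the SYS/BIN/DEV/DOS/EBD extensions.
Assumed from the classic DOS driver header layout, not from the post:
attribute word at +4 (bit 15 = character device), strategy/interrupt entry
offsets at +6/+8, 8-byte name (character) or unit count (block) at +10.
"""
import struct
from typing import Optional

DRIVER_EXTS = {"SYS", "BIN", "DEV", "DOS", "EBD"}   # the post's <Ext> line
UPX_MAGIC = b"UPX!"                                 # the post's <String> line
NO_NEXT_DRIVER = 0xFFFFFFFF                         # <Bytes>FFFFFFFF</Bytes> at <Pos>0</Pos>
HEADER_LEN = 18


def parse_header(data: bytes) -> Optional[dict]:
    """Decode the 18-byte driver header; None if the file is shorter."""
    if len(data) < HEADER_LEN:
        return None
    next_ptr, attr, strategy, interrupt = struct.unpack_from("<IHHH", data, 0)
    is_char = bool(attr & 0x8000)          # assumed layout: bit 15 = character device
    tail = data[10:HEADER_LEN]
    return {
        "next_pointer": next_ptr,
        "attribute": attr,
        "strategy": strategy,
        "interrupt": interrupt,
        "char_device": is_char,
        "name": tail.decode("ascii", "replace").rstrip() if is_char else None,
        "units": None if is_char else tail[0],
    }


def classify(data: bytes, filename: str = "") -> dict:
    """Return the evidence a TrID-style definition could key on.

    signature: "strict" = pointer 0xFFFFFFFF with sane entry offsets (what the
    post's sys-dosdriver.trid.xml pattern matches), "weak" = header parses but
    the pointer is something else (the CMD640X.SYS case), "none" = no header.
    """
    verdict = {"signature": "none", "upx": UPX_MAGIC in data,
               "ext_ok": None, "header": None, "reason": []}
    if filename:
        ext = filename.rsplit(".", 1)[1].upper() if "." in filename else ""
        verdict["ext_ok"] = ext in DRIVER_EXTS
    if verdict["upx"]:
        verdict["reason"].append("contains UPX! magic")
    hdr = parse_header(data)
    if hdr is None:
        verdict["reason"].append("shorter than a driver header")
        return verdict
    verdict["header"] = hdr
    # Entry offsets must land inside the image: this discards files that
    # merely happen to begin with FF FF FF FF (or with any other dword).
    entries_ok = all(0 < hdr[k] < len(data) for k in ("strategy", "interrupt"))
    if not entries_ok:
        verdict["reason"].append("strategy/interrupt offsets point outside the file")
        return verdict
    if hdr["next_pointer"] == NO_NEXT_DRIVER:
        verdict["signature"] = "strict"
        verdict["reason"].append("next-driver pointer is 0xFFFFFFFF")
    else:
        verdict["signature"] = "weak"
        verdict["reason"].append(
            f"next-driver pointer is {hdr['next_pointer']:#x}, not 0xFFFFFFFF")
    return verdict


def build_sample(next_ptr: int, name: bytes = b"ECHO$   ", upx: bool = False) -> bytes:
    """Constructed test image, not a real driver: a character-device header
    followed by a stub body of RETF opcodes and, optionally, the UPX! magic."""
    body = b"\xcb" * 32 + (UPX_MAGIC if upx else b"")
    return struct.pack("<IHHH8s", next_ptr, 0x8000, HEADER_LEN, HEADER_LEN + 1, name) + body


if __name__ == "__main__":
    samples = {                                # all constructed, names only echo the post
        "echo.sys": build_sample(NO_NEXT_DRIVER),
        "lbacache.sys": build_sample(NO_NEXT_DRIVER, b"LBACACHE", upx=True),
        "CMD640X.SYS": build_sample(0x12, b"CMD640X "),
        "IBMTOK.DOS": build_sample(NO_NEXT_DRIVER, b"IBMTOK$ "),
        "song.mp3": b"ID3" + b"\x00" * 64,
        "allff.bin": b"\xff\xff\xff\xff" + b"\x00" * 64,
    }
    for fname, blob in samples.items():
        v = classify(blob, fname)
        print(f"{fname:13} signature={v['signature']:6} upx={v['upx']!s:5} "
              f"ext_ok={v['ext_ok']} ; {'; '.join(v['reason'])}")
```

The "allff.bin" sample shows why the pointer alone is a thin signature: it starts with FF FF FF FF but its entry offsets are zero, so it is rejected, whereas the 0x12-pointer sample is reported as a weak match instead of being dropped outright.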

Mark0

  • Administrator
  • Hero Member
  • *****
  • Posts: 2743
    • Mark0's Home Page
Yes, the "UPX!" is too short for TrIDScan to detect, because the "!" is treated as a separator and so only 3 chars are left (the minimum is 4).
As for the driver definitions, some time ago I tried too to create a def, but I found too many SYS files that didn't start with 0xFFFFFFFF. Will check again.

Thanks!