Hello trid users,
Some days ago I ran TrID on hundreds of Mac OS X Mach-O universal
dynamically linked shared libraries (*.dylib). These should be described by
dylib-cafe.trid.xml as "Mac OS X Mach-O universal Dynamically linked shared
Library". Some inspected samples like libasprintf.0.dylib or
libX11-xcb.1.dylib are only described in general by exe-ub.trid.xml as "Mac
OS X Universal Binary executable" (see appended output/trid-v.txt).
The file command (see https://en.wikipedia.org/wiki/File_(command))
describes most of my inspected examples correctly as "Mach-O universal
binary" with the sub type classification "dynamically linked shared library"
(see appended output/file-5.39.txt), because the file command uses another
method to detect such library archives.
The definition file dylib-cafe.trid.xml does not contain a reference URL,
so I added the web page about the Mach-O file format on Wikipedia. That is
now expressed by a line like:
<RefURL>https://en.wikipedia.org/wiki/Mach-O</RefURL>
Instead of the generic application/octet-stream, the file command shows a
user-defined type (see appended output/file-i-5.39.txt). So I changed the
MIME type in the TrID definition file. This is now shown by an updated line
like:
<Mime>application/x-mach-binary</Mime>
When looking in dylib-cafe.trid.xml I see lines in the global string
section which are obviously generated by lucky circumstances, like:
<String>TION</String>
<String>D_INFO</String>
So with the help of the grep command I searched a Mac OS X system for dylib
libraries without such patterns. When I run tridscan on such samples, many
patterns in the updated TrID definition file vanish.
With the updated TrID definition file most Mach-O universal dynamically
linked shared library archives are described correctly (see appended
output/trid-new.txt). The TrID definition, some examples and the output are
stored in the archive dylib.zip. I hope that the updated XML file can be
used in a future version of triddefs.
Wikipedia also mentions Mach-O formats with the file name extensions bundle
and o. As far as I can see there exist no TrID definitions for such
variants. I will try to handle this in a future session.
After looking deeper into the documentation it is visible that at offset 12
the file type is stored as a long in big endian format. The value ranges
from 1 to 11. Value 6 is declared as MH_DYLIB, which is used for a
dynamically bound shared library. That method of recognition is used by the
file command. So maybe it is better to arrange the TrID definitions for
Mach-O based on this method instead of on the file name extension.
So a few examples like AMDil_r700.dylib are described by the file command
with the sub type classification "bundle", which is matched by file type
value 8, declared as MH_BUNDLE for dynamically bound bundle files.
With best wishes
Jörg Jenderek
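The header-based recognition discussed in the post (reading the filetype field at offset 12 of the Mach-O header, where 6 is MH_DYLIB and 8 is MH_BUNDLE), worked through as an added Python example; it is not part of the original post, of TrID or of file(1). It assumes the structure layouts from Apple's <mach-o/fat.h> and <mach-o/loader.h>: the universal (fat) header is always big-endian, and in a universal file offset 12 lies inside the fat_arch table, so the filetype must be read at each fat_arch.offset + 12 inside the embedded thin image, whose byte order is decided from its own magic. The two sample files at the bottom are constructed in memory (a ppc/x86_64 universal dylib and a thin x86_64 bundle), not real libraries.

```python
import struct

# Magic numbers from <mach-o/fat.h> and <mach-o/loader.h>
FAT_MAGIC = 0xCAFEBABE                              # universal container, header always big-endian
MH_MAGIC, MH_CIGAM = 0xFEEDFACE, 0xCEFAEDFE         # 32-bit thin header, native / byte-swapped
MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE   # 64-bit thin header, native / byte-swapped

# mach_header.filetype values (offset 12 of every thin header), from <mach-o/loader.h>,
# paired with the sub type wording file(1) prints for them
FILETYPES = {
    1: ("MH_OBJECT", "object"), 2: ("MH_EXECUTE", "executable"),
    3: ("MH_FVMLIB", "fixed VM shared library"), 4: ("MH_CORE", "core"),
    5: ("MH_PRELOAD", "preload executable"),
    6: ("MH_DYLIB", "dynamically linked shared library"),
    7: ("MH_DYLINKER", "dynamic linker"), 8: ("MH_BUNDLE", "bundle"),
    9: ("MH_DYLIB_STUB", "dylib stub"), 10: ("MH_DSYM", "dSYM companion file"),
    11: ("MH_KEXT_BUNDLE", "kext bundle"),
}
CPU_NAMES = {7: "i386", 0x01000007: "x86_64", 18: "ppc", 0x0100000C: "arm64"}


def parse_thin(data, base=0):
    """Parse one thin Mach-O header at data[base:]; returns (cpu_name, is64, filetype)."""
    if len(data) < base + 16:
        raise ValueError("truncated Mach-O header at offset %d" % base)
    magic = struct.unpack_from(">I", data, base)[0]   # read big-endian, then decide
    if magic in (MH_MAGIC, MH_MAGIC_64):
        endian = ">"                                   # image is big-endian (e.g. PowerPC)
    elif magic in (MH_CIGAM, MH_CIGAM_64):
        endian = "<"                                   # image is little-endian (e.g. x86)
    else:
        raise ValueError("not a Mach-O header at offset %d" % base)
    is64 = magic in (MH_MAGIC_64, MH_CIGAM_64)
    cputype = struct.unpack_from(endian + "i", data, base + 4)[0]
    filetype = struct.unpack_from(endian + "I", data, base + 12)[0]   # the field the post refers to
    return CPU_NAMES.get(cputype, "cpu%d" % cputype), is64, filetype


def describe(data):
    """Return (container, [(cpu, is64, filetype), ...]) for a thin or universal Mach-O file."""
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        nfat = struct.unpack_from(">I", data, 4)[0]
        images = []
        for i in range(nfat):
            # fat_arch: cputype, cpusubtype, offset, size, align (all big-endian)
            cputype, _sub, offset, size, _align = struct.unpack_from(">iIIII", data, 8 + 20 * i)
            if offset + size > len(data):
                raise ValueError("fat_arch %d points past end of file" % i)
            images.append(parse_thin(data, offset))
        return "universal", images
    return "thin", [parse_thin(data, 0)]


def classify(data):
    """One-line label in the style of file(1), derived from the filetype field, not the extension."""
    container, images = describe(data)
    kinds = {FILETYPES.get(ft, ("unknown", "unknown filetype %d" % ft))[1] for _, _, ft in images}
    kind = " / ".join(sorted(kinds))
    if container == "universal":
        return "Mach-O universal binary with %d architectures: %s" % (len(images), kind)
    cpu, is64, _ = images[0]
    return "Mach-O %s %s %s" % ("64-bit" if is64 else "32-bit", kind, cpu)


# --- constructed sample data (demo only, not real libraries) ---------------------------------
def build_thin(endian, is64, cputype, filetype):
    """Minimal thin mach_header / mach_header_64 with zero load commands."""
    magic = MH_MAGIC_64 if is64 else MH_MAGIC
    fmt = endian + ("IiiIIIII" if is64 else "IiiIIII")   # magic, cputype, cpusubtype, filetype, ...
    fields = [magic, cputype, 0, filetype, 0, 0, 0] + ([0] if is64 else [])
    return struct.pack(fmt, *fields)


def build_fat(thins):
    """Pack thin images into a universal container; images are 4096-byte aligned like real fat files."""
    header_len = 8 + 20 * len(thins)
    blobs, entries = b"", []
    for cputype, blob in thins:
        offset = header_len + len(blobs)
        pad = (-offset) % 4096
        blobs += b"\0" * pad
        offset += pad
        entries.append(struct.pack(">iIIII", cputype, 0, offset, len(blob), 12))
        blobs += blob
    return struct.pack(">II", FAT_MAGIC, len(thins)) + b"".join(entries) + blobs


SAMPLE_DYLIB = build_fat([(18, build_thin(">", False, 18, 6)),              # ppc, MH_DYLIB
                          (0x01000007, build_thin("<", True, 0x01000007, 6))])   # x86_64, MH_DYLIB
SAMPLE_BUNDLE = build_thin("<", True, 0x01000007, 8)                            # x86_64, MH_BUNDLE

if __name__ == "__main__":
    for name, blob in (("dylib", SAMPLE_DYLIB), ("bundle", SAMPLE_BUNDLE)):
        print(name, "->", classify(blob))
```

Because the label comes from the header field, a misnamed file (a bundle shipped with a .dylib extension, as in the AMDil_r700.dylib case from the post) is still classified by what it actually is; a check like this is what a TrID pattern anchored on the filetype value would reproduce.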