Hello trid users,
some days ago just for interest i inspect files on my efi partition by
running TrID utility. Inside boot sub directory in Microsoft directory
i found a file named bootmgfw.efi. That file is described by
exe-win64.trid.xml as "Win64 Executable (generic)" or by
exe-generic.trid.xml as "Generic Win/DOS Executable" (see appended
output/trid-v.txt). This is in principal OK, but extension for such
executable is EFI instead of EXE.
So i search for more such executables. From Acronis the boot wizard
executable is found as bootwiz.efi, bootwiz64.efi or tnd.x64.efi.
From memtest86 the memory diagnostics executable is found as
memtest.efi. The UEFI shell executable is found as shellx64.efi or
shell.v2.1-X64.efi. The commands of the shell are are also available
as separate modules like eficompress.efi, timezone.efi, Ping.efi as
part of tianocore environment development KIT (EDK).
For comparison reasons i also run other identifying tools in such
examples. The file command identifies my inspected examples as "PE32+
executable (DLL) (EFI application) x86-64, for MS Windows" (see
appended output/file-5.39.txt).
Much information is found on the Wikipedia page about Portable
Executable. That is expressed by reference URL line like:
<RefURL>
https://en.wikipedia.org/wiki/Portable_Executable </RefURL>
So i run tridscan on these samples and i get a trid definition file
efi-app-x86_64.trid.xml All my samples start with typical Windows
executable phrase that is also found in other trid definitions
exe-win*.trid.xml. That is expressed by XML pattern blocks like:
<Bytes>4D5A</Bytes>
<ASCII> M Z</ASCII>
<Pos>0</Pos>
Furthermore i get many null patterns like:
<Bytes>00000000000000</Bytes>
<Pos>17</Pos>
I do not know if such pattern are generated by luck circumstances or
necessary.
In global strings section i get obviously non relevant strings like:
<String>%'0'4</String>
<String>('%'D</String>
<String>D' 'B</String>
So i delete such lines and keep lines which look like reasonably like:
<String>P'A'R'A'M'E'T'E'R</String>
<String>F'U'N'C'T'I'O'N</String>
<String>I'N'T'E'R'N'A'L</String>
<String>V'E'R'S'I'O'N</String>
<String>L'O'A'D'E'R</String>
<String>D'E'B'U'G</String>
<String>D'R'I'V'E</String>
<String>P'O'R'T</String>
<String>.RELOC</String>
<String>.TEXT</String>
Because such efi file format is extended from DOS MZ executable, the
file command use mime type "application/x-dosexec" (see appended
output/file-i-5.39.txt), but the Wikipedia page about Portable
Executable mention another mime type. That is expressed by line like:
<Mime>application/vnd.microsoft.portable-executable</Mime>
With the new definition the unspecific described EFI applications are
now described more precisely (see appended
output/trid-new-v.txt). TrID definition, some examples and output are
stored in archive EFI_app.zip. I hope that my XML file can be used in
future version of triddefs.
According to file command there also exist other variants of EFI
files. One variant is described by additional phrase "(stripped to
external PDB)". In this category i found other boot loaders like
syslinux.efi, grubx64.efi, shim.efi or partitioning tool like
gdisk_x64.efi.
Then there exist variants for other CPU types. Some are described by
file command by phrase "Intel 80386" instead of "x86-64". Typical
samples i found are bootwiz32.efi and tnd.x32.efi
After installing the Assessment and Deployment Kit for Windows 10 i
also found examples like bootarm.efi for "ARM Thumb" cpus.
Furthermore i also found EFI samples, which are not application, but
are described as "EFI boot service driver" by file command. Such
samples like ext4_x64_signed.efi and ntfs_x64_signed.efi are part of
Seagate SeaTools or VirtualBox sources.
I will try to handle these other variants in a future session.
With best wishes
Jörg Jenderek
