Hello trid users,
some days ago just for interest i inspect files on my efi partition by
running TrID utility. After finding EFI samples for Intel x86-64
architecture i also find examples for Intel 80386 cpus.
Such files are described by exe-win.trid.xml as "Win32 Executable (generic)"
or by exe-generic.trid.xml as "Generic Win/DOS Executable" (see appended
output/trid-v.txt). This is in principal OK, but extension for such
executable is EFI instead of EXE.
So i search for more such executables. Comparing with EFI variants for Intel
x86-64 architecture instead phrase like x64 or 64 in file name often a
phrase like x32 or 32 is used.
From Acronis the boot wizard executable is found as bootwiz32.efi or
tnd.x32.efi. The UEFI shell executable is found as Shell.efi or
Shell_Full.efi. The commands of the shell are also available as separate
modules like eficompress.efi, SmbiosView.efi, timezone.efi, Ping.efi as part
of tianocore environment development KIT (EDK). A flash utility for AMI
BIOS is named AfuEfi.efi.
For comparison reasons i also run other identifying tools in such
examples. The file command identifies my inspected examples as "PE32
executable (DLL) (EFI application) Intel 80386, for MS Windows" (see
appended output/file-5.39.txt).
Much information is found on the Wikipedia page about Portable
Executable. That is expressed by reference URL line like:
<RefURL>
https://en.wikipedia.org/wiki/Portable_Executable </RefURL>
So i run tridscan on these samples and i get a trid definition file
efi-app-386.trid.xml. All my samples start with typical Windows executable
phrase that is also found in other trid definitions exe-win*.trid.xml. That
is expressed by XML pattern blocks like:
<Bytes>4D5A</Bytes>
<ASCII> M Z</ASCII>
<Pos>0</Pos>
Furthermore i get many null patterns like:
<Bytes>00000000000000</Bytes>
<Pos>17</Pos>
I do not know if such pattern are generated by luck circumstances or
necessary.
In global strings section i get obviously non relevant strings like:
<String>)'''F</String>
<String>D' 'I</String>
<String>D'''I</String>
<String>A'R'A</String>
So i delete such lines and keep lines which look like reasonably like:
<String>V'E'R'S'I'O'N</String>
<String>E'R'R'O'R</String>
<String>.RELOC</String>
<String>.TEXT</String>
<String>M'E'M</String>
<String>N'U'L</String>
<String>O'U'T</String>
Because such efi file format is extended from DOS MZ executable, the file
command use mime type "application/x-dosexec" (see appended
output/file-i-5.39.txt), but the Wikipedia page about Portable Executable
mention another mime type. That is expressed by line like:
<Mime>application/vnd.microsoft.portable-executable</Mime>
With the new definition the unspecific described EFI applications are now
described more precisely (see appended output/trid-new-v.txt). TrID
definition, some examples and output are stored in archive EFI_app386.zip.
I hope that my XML file can be used in future version of triddefs.
Some samples like bootia32.efi and Shell_Full.efi are also described as
x86-64 variant. So i seems to be not clear how to distinguish between 386
and x86-64 CPU variants. So maybe the TrID definitions need some
refinements.
When starting to generate trid definition file with just few examples i get
negative percentage values like -24.2% (see appended output/trid-new.tmp).
This should not happen, but i do not know what was going on there.
According to file command there stille exist other variants of EFI
files. One variant is described by additional phrase "(stripped to external
PDB)". In this category i found other boot loaders like syslinux.efi,
grub.efi.
Then there exist variants for other CPU types. After installing the
Assessment and Deployment Kit for Windows 10 i also found examples like
bootarm.efi for "ARM Thumb" cpus. Furthermore i also found EFI samples,
which are not application, but are described as "EFI boot service driver" by
file command. Such samples like ext4_x64_signed.efi and ntfs_x64_signed.efi
are part of Seagate SeaTools or VirtualBox sources.
I will try to handle these other variants in a future session.
With best wishes
Jörg Jenderek
