Hello trid users,
Some days ago, just out of interest, I inspected files on my EFI partition by
running the TrID utility. After finding EFI samples for Intel x86-64 and 80386
architectures, I also found variant examples for Intel 80386 CPUs.
Such files are described by exe-win.trid.xml as "Win32 Executable (generic)"
or by exe-generic.trid.xml as "Generic Win/DOS Executable" (see appended
output/trid-v.txt). This is in principle OK, but the extension of such
executables is EFI instead of EXE.
So I searched for more such executables. Unfortunately I found only a few
samples. These are different variants of the GRUB boot loader like
grub-tpm.efi or the SYSLINUX loader like syslinux-6.04.efi.
For comparison I also ran other identification tools on such
examples. The file command identifies my inspected examples as "PE32
executable (EFI application) Intel 80386 (stripped to external PDB), for MS
Windows" (see appended output/file-5.39.txt).
Much information is found on the Wikipedia page about Portable
Executable. That is expressed by a reference URL line like:
<RefURL>https://en.wikipedia.org/wiki/Portable_Executable</RefURL>
So I ran tridscan on these samples and got a TrID definition file
efi-app-386-stripped.trid.xml. All my samples start with the typical Windows
executable phrase that is also found in other TrID definitions
exe-win*.trid.xml. That is expressed by XML pattern blocks like:
<Bytes>4D5A</Bytes>
<ASCII> M Z</ASCII>
<Pos>0</Pos>
Furthermore I get many null patterns like:
<Bytes>0000</Bytes>
<Pos>14</Pos>
I do not know if such patterns are generated by lucky circumstances or are
necessary.
In the global strings section I get obviously non-relevant strings like:
<String>E'''L</String>
<String>BLE'F</String>
<String>F SYM</String>
<String>8J'J</String>
So I deleted such lines and kept lines which look reasonable, like:
<String>READ FAILED</String>
<String>INVALID</String>
<String>FIRMWARE</String>
<String>_CMDLINE</String>
<String>REALLOC</String>
<String>(NULL)</String>
<String>DEVICE</String>
<String>MEMCPY</String>
<String>.TEXT</String>
Compared with the non-stripped variant efi-app-386.trid.xml, now all UTF-16
strings like LOADER, FUNCTION, VERSION and PORT have vanished. Because the
definition is only based on 9 examples, probably more refinement is needed.
Because such an EFI file format is extended from the DOS MZ executable, the file
command uses mime type "application/x-dosexec" (see appended
output/file-i-5.39.txt), but the Wikipedia page about Portable Executable
mentions another mime type. That is expressed by a line like:
<Mime>application/vnd.microsoft.portable-executable</Mime>
With the new definition the unspecifically described EFI applications are now
described more precisely (see appended output/trid-new-v.txt). The TrID
definition, some examples and output are stored in the archive
EFI_app386-stripped.zip. I hope that my XML file can be used in a future
version of triddefs.
According to the file command there still exist other variants of EFI
files.
Then there exist variants for other CPU types. After installing the
Assessment and Deployment Kit for Windows 10 I also found examples like
bootarm.efi for "ARM Thumb" CPUs. Furthermore I also found EFI samples
which are not applications, but are described as "EFI boot service driver" by
the file command. Such samples like ext4_x64_signed.efi and ntfs_x64_signed.efi
are part of Seagate SeaTools or VirtualBox sources.
I will try to handle these other variants in a future session.
With best wishes
Jörg Jenderek
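As an added illustration of what the file command and the TrID patterns above are keying on (this is example code written for this page, not part of Jörg's post, of TrID or of the file utility): the "MZ" bytes at position 0 and the zero bytes at position 14 are both in the 64-byte DOS header (offset 14 is the e_ss field, which the usual stub leaves at zero), while "EFI application" versus "EFI boot service driver", the CPU name and "(stripped to external PDB)" come from the Subsystem, Machine and Characteristics fields of the PE header that e_lfanew points to. The script below parses those fields and builds constructed minimal PE images (no sections, no data directories) to run against; the machine, subsystem and flag constants are taken from the PE/COFF specification, and the one-line output format only loosely mimics file's wording.

```python
import struct
from typing import Dict, List, Optional, Tuple

# IMAGE_FILE_MACHINE_* values from the PE/COFF specification.
MACHINES = {
    0x014C: "Intel 80386",
    0x8664: "x86-64",
    0x01C2: "ARM Thumb",
    0xAA64: "Aarch64",
}
# IMAGE_SUBSYSTEM_EFI_* values from the PE/COFF specification.
SUBSYSTEMS = {
    10: "EFI application",
    11: "EFI boot service driver",
    12: "EFI runtime driver",
    13: "EFI ROM",
}
IMAGE_FILE_DEBUG_STRIPPED = 0x0200  # file(1) reports this as "stripped to external PDB"


def parse_pe(data: bytes) -> Optional[Dict[str, int]]:
    """Return the fields that distinguish EFI images, or None if not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # offset of "PE\0\0"
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _nsect, _ts, _psym, _nsym, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    # Subsystem sits at offset 68 of the optional header in both PE32 and PE32+.
    if opt_size < 70 or opt + opt_size > len(data):
        return None
    magic = struct.unpack_from("<H", data, opt)[0]
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    return {"machine": machine, "characteristics": chars,
            "magic": magic, "subsystem": subsystem}


def describe(data: bytes) -> Optional[str]:
    """Produce a file(1)-style one-line description of a PE image."""
    pe = parse_pe(data)
    if pe is None:
        return None
    fmt = {0x10B: "PE32", 0x20B: "PE32+"}.get(pe["magic"], "PE (unknown magic)")
    subsys = SUBSYSTEMS.get(pe["subsystem"], "subsystem %d" % pe["subsystem"])
    machine = MACHINES.get(pe["machine"], "machine 0x%x" % pe["machine"])
    text = "%s executable (%s) %s" % (fmt, subsys, machine)
    if pe["characteristics"] & IMAGE_FILE_DEBUG_STRIPPED:
        text += " (stripped to external PDB)"
    return text


def matches_patterns(data: bytes, patterns: List[Tuple[int, bytes]]) -> bool:
    """Check a TrID-style list of (Pos, Bytes) patterns against a file."""
    return all(data[pos:pos + len(b)] == b for pos, b in patterns)


def build_sample(machine: int, subsystem: int, characteristics: int,
                 pe32plus: bool = False) -> bytes:
    """Constructed minimal PE image (no sections, no data directories) for testing."""
    dos = bytearray(64)                      # DOS header; e_ss at offset 14 stays 0
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after DOS header
    opt_size = 112 if pe32plus else 96       # optional header without data directories
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 68, subsystem)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Constructed samples: a stripped 80386 EFI application and an x86-64 boot service driver.
    app = build_sample(0x014C, 10, 0x0102 | IMAGE_FILE_DEBUG_STRIPPED)
    drv = build_sample(0x8664, 11, 0x0022, pe32plus=True)
    for img in (app, drv):
        print(describe(img), matches_patterns(img, [(0, b"MZ"), (14, b"\0\0")]))
```

Run it against a real .efi file by replacing the constructed samples with `open(path, "rb").read()`; the same two pattern checks are what the <Bytes>4D5A</Bytes>/<Pos>0</Pos> and <Bytes>0000</Bytes>/<Pos>14</Pos> blocks in the generated definition express, which is why the null pattern at 14 is not luck but a property of the standard DOS stub.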