Author Topic: updated scr.trid.xml for Windows screen saver *.scr

jenderek

updated scr.trid.xml for Windows screen saver *.scr
« on: November 21, 2020, 06:22:22 PM »
Hello trid users,

Some days ago, just out of interest, I inspected EFI executables starting
with the MZ magic. Afterwards I looked for other MZ executables. Such samples
with the SCR file name extension are Windows screen savers. Many are not
identified by scr.trid.xml as Windows screen savers. These samples are only
described by exe-win16.trid.xml as "Win16 NE executable (generic)" and by
exe-generic.trid.xml as "Generic Win/DOS Executable" (see appended
output/trid-v.txt).

So I ran tridscan on these samples and updated the trid definition file
scr.trid.xml. All my samples start with the typical Windows executable
phrase that is also found in the other trid definitions exe-win*.trid.xml.
That is expressed by XML pattern blocks like:
   <Bytes>4D5A</Bytes>
   <ASCII> M Z</ASCII>
   <Pos>0</Pos>
Now many null patterns at higher offsets vanished, like:
   <Pattern>
      <Bytes>00</Bytes>
      <Pos>291</Pos>
   </Pattern>
   <Pattern>
      <Bytes>00</Bytes>
      <Pos>302</Pos>
   </Pattern>
Also one null pattern at a lower offset vanished, like:
   <Pattern>
      <Bytes>00</Bytes>
      <Pos>3</Pos>
   </Pattern>
Characteristic for screen saver executables seems to be the keyword SAVE.
That is still expressed in the global strings section by a line like:
   <String>SAVE</String>

For comparison reasons I also ran other identifying tools on such
examples. The file command identifies the screen savers for the Windows 3
family, like sample SSFLYWIN.SCR or "Norton Commander Starry Night.Scr", as
"MS-DOS executable, NE for MS Windows 3.x (EXE)" with mime type
application/x-dosexec (see appended output/file-i-5.39.txt) and the correct
extension (see appended output/file-extension-5.39.txt). The screen savers
for 32-bit Windows, like PhotoScreensaver.scr or the Folding@home
FAHScreensaver.scr, are described as "PE32 executable (GUI) Intel 80386, for
MS Windows" with the correct file name extension but the wrong mime type.
According to the Wikipedia page about Portable Executable, the mime type for
such executables should be application/vnd.microsoft.portable-executable.
So I chose a user-defined mime type for screen saver executables. That is
expressed by a line like:
   <Mime>application/x-screensaver-exec</Mime>
The screen savers for 64-bit Windows, like ssText3d.scr or Mystify.scr, are
described by the file command as "PE32+ executable (GUI) x86-64, for MS
Windows" with the correct file name extension.

With the updated definition the unspecifically described screen savers are
now described more precisely (see appended output/trid-new-v.txt). The TrID
definition, some examples and output are stored in the archive scr.zip. I
hope that my XML file can be used in a future version of triddefs.

Unfortunately the SCR match is always not the first hit. So maybe it is
advisable to generate 3 TrID definition screen saver variants for 16-, 32-
and 64-bit Windows systems.

With best wishes
Jörg Jenderek
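
As an added illustration (not part of the post or of TrID itself), the
following Python script applies the checks described above in plain code:
the MZ magic at offset 0, the SAVE keyword from the global strings section,
and then the NE / PE32 / PE32+ split that the three proposed definition
variants would encode. The sample headers are constructed inline and are
minimal stubs, not real screen savers; build_sample and classify_scr are
hypothetical names.

```python
import struct
from typing import Optional

# Constructed minimal MZ stubs for the three families named in the post:
# NE (Win16), PE32 (32-bit) and PE32+ (64-bit). Not real screen savers.
def build_sample(kind: str) -> bytes:
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)          # 64-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew -> new header at 0x40
    if kind == "NE":
        new_hdr = b"NE" + b"\x00" * 62
    else:
        machine = 0x14C if kind == "PE32" else 0x8664  # i386 vs x86-64
        opt_magic = 0x10B if kind == "PE32" else 0x20B  # PE32 vs PE32+
        coff = b"PE\0\0" + struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0xE0, 0x102)
        new_hdr = coff + struct.pack("<H", opt_magic) + b"\x00" * 30
    # the SAVE keyword that scr.trid.xml lists as a global string
    return bytes(dos) + new_hdr + b"\x00" * 16 + b"SAVE\x00" + b"\x00" * 16

def classify_scr(data: bytes) -> Optional[str]:
    """Mimic the scr.trid.xml checks, then split by executable family."""
    if len(data) < 0x40 or data[:2] != b"MZ":        # <Bytes>4D5A</Bytes> <Pos>0</Pos>
        return None
    if b"SAVE" not in data:                           # <String>SAVE</String>
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):
        return None
    if data[e_lfanew:e_lfanew + 2] == b"NE":
        return "Windows 16-bit screen saver (NE)"
    if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
        opt_off = e_lfanew + 4 + 20                  # PE signature + 20-byte COFF header
        if opt_off + 2 > len(data):
            return None
        (opt_magic,) = struct.unpack_from("<H", data, opt_off)
        if opt_magic == 0x10B:
            return "Windows 32-bit screen saver (PE32)"
        if opt_magic == 0x20B:
            return "Windows 64-bit screen saver (PE32+)"
    return None

if __name__ == "__main__":
    for kind in ("NE", "PE32", "PE32+"):
        print(kind, "->", classify_scr(build_sample(kind)))
```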

Mark0

Re: updated scr.trid.xml for Windows screen saver *.scr
« Reply #1 on: November 21, 2020, 06:28:33 PM »
Thanks! And I agree, trying to have separate definitions seems the most promising solution.