Hello TrID users,
some days ago, just out of interest, I inspected EFI executables starting with the MZ
magic. Afterwards I looked for other MZ executables. Samples with the IME
file name extension are Microsoft Input Method Editor files. These samples
are often described by dll.trid.xml as "Win32 Dynamic Link Library
(generic)" or by exe-generic.trid.xml as "Generic Win/DOS Executable" (see
the appended output/trid-v.txt).
For comparison I also ran other identifying tools on such
examples. The file command identifies my inspected examples as "PE32
executable (DLL)" for Microsoft Windows (see the appended
output/file-5.39.txt). It also displays the correct file name extension ime for
such special DLLs (see the appended output/file-extension-5.39.txt).
A little bit of information is found on the fileinfo.com web page. That is
expressed by a reference URL line like:
<RefURL>https://fileinfo.com/extension/ime</RefURL>
According to that site, I found my examples in the system32 or SysWOW64 sub
directory inside the Windows directory. On my modern Windows system I only found
1 example. That is msctfime.ime. So I mention this fact in the remark line.
On an older XP system I found more examples inside the dllcache sub directory.
Because such an IME file format is extended from the DOS MZ executable, the file
command uses the mime type "application/x-dosexec" (see the appended
output/file-i-5.39.txt), but the Wikipedia page about Portable Executable
mentions another mime type. That is expressed by a line like:
<Mime>application/vnd.microsoft.portable-executable</Mime>
Such IME files seem to be part of the Windows system or the Microsoft Office suite,
but on my systems this file type is not registered. What an annoyance of
Microsoft. Putting their own file types on my systems without links in the
registry or information about the IME file format.
So I ran tridscan on my samples and I got the TrID definition file
ime-ms.trid.xml. All my samples start with the typical Windows Dynamic Link
Library phrase that is also found in other TrID definitions like
dll.trid.xml and exe-win*.trid.xml. That is expressed by an XML pattern block
like:
<Bytes>4D5A90000</Bytes>
<ASCII> M Z . .</ASCII>
<Pos>0</Pos>
Furthermore I got many null patterns like:
<Bytes>000000</Bytes>
<Pos>446</Pos>
I do not know if such patterns are generated by lucky circumstances or are
necessary.
In the global strings section I got lines like:
<String>C'O'M'P'A'N'Y'N'A'M'E'''''M'I'C'R'O'S'O'F'T' 'C'O'R'P'O'R'A'T'I'O'N</String>
<String>THIS PROGRAM CANNOT BE RUN IN DOS MODE.</String>
These are typical for Microsoft Windows executables, but are probably not
required. For me I see only 1 characteristic line that refers to the file name
extension. That is:
<String>.'I'M'E</String>
There exist many lines which seem to be garbage like:
<String>ANCE</String>
<String>IMEA</String>
<String>NTER</String>
<String>ONFI</String>
I kept these lines. First I started with 5 examples with many lines. Later I
finally got 43 examples. So when I ran tridscan on more and more examples,
many lines in the string section vanished or became shorter.
With the new definition the unspecifically described Input Method Editor files
are now described more precisely (see the appended output/trid-new-v.txt). The TrID
definition, some examples and output are stored in the archive ime.zip. I hope
that my XML file can be used in a future version of triddefs.
With best wishes
Jörg Jenderek