Hello trid users,
Some days ago, just for interest, I inspected EFI executables starting
with the MZ magic. Afterwards I looked for other MZ executables on my
systems. Such samples with the WCX file name extension are Total Commander
packer plugins.
Many, like bzip2dll.wcx, are described by wcx-far.trid.xml as "FAR
TC.Packer PlugIn". So these samples are recognized as packer plugins,
but for the FAR file manager. A few, like 7zip.wcx, are only described as
"Win32 Dynamic Link Library (generic)" by dll.trid.xml (see appended
output/trid-v-old.txt). A few, like TotalISO.wcx, are described
correctly by wcx.trid.xml as "Total Commander Packer extension
(plugin)".
For comparison I also ran other identifying tools on such
examples. The file command identifies these examples as "PE32
executable (DLL)" and "Intel 80386, for MS Windows" (see appended
output/file-5.39.txt).
So I ran tridscan on 9 undetected samples and updated the trid definition
file wcx.trid.xml. All my samples still start with the typical Windows
executable phrase that is also found in other trid definitions
exe-win*.trid.xml. That is expressed by XML pattern blocks like:
<Bytes>4D5A</Bytes>
<ASCII> M Z</ASCII>
<Pos>0</Pos>
Afterwards, in the global string section, one long line gets split. That
line was:
<String>PROCESSFILE'READHEADER'SETCHANGEVOLPROC'SETPROCESSDATAPROC</String>
Now I get 4 lines with the four keyword parts like:
<String>PROCESSFILE</String>
<String>READHEADER</String>
<String>SETCHANGEVOLPROC</String>
<String>SETPROCESSDATAPROC</String>
And I also get 2 additional lines with text fragments like:
<String>PROF'S</String>
<String>ER'S</String>
I do not know if these 2 lines are necessary, so I keep these
lines. Or maybe the string handling in the program is not
perfect. The old trid definition was generated by "TrIDScan32 v1.56",
whereas the updated definition is generated by "TrIDScan/Py v2.02".
Because the WCX file format is an extension of the DOS MZ executable, the
file command uses the MIME type "application/x-dosexec" (see appended
output/file-i-5.39.txt), but the Wikipedia page about Portable
Executable mentions another MIME type. That is expressed by a line like:
<Mime>application/vnd.microsoft.portable-executable</Mime>
With the updated definitions the 9 unspecifically described WCX files are
now described more precisely (see appended output/trid-v-new.txt).
The 64-bit packer extensions for Total Commander are not recognized by
this trid definition. The file command identifies these examples as
"PE32+ executable (DLL)" and "x86-64, for MS Windows" (see appended
x64/output/file-5.39.txt).
So I ran tridscan on 9 undetected samples and generated the trid
definition file wcx-64.trid.xml. All my samples start with the typical
Windows executable phrase that is also found in other trid definitions
exe-win*.trid.xml. That is expressed by XML pattern blocks like:
<Bytes>4D5A90000300000004000000FFFF
<ASCII> M Z . . . . . . . . . . . .
<Pos>0</Pos>
Instead of the WCX file name extension, the 64-bit plugins for Total
Commander use WCX64. Later I found 2 more plugins (7zip.wcx64 and
TotalISO.wcx64, see appended x64/more/output/file-5.39.txt). So I
updated wcx-64.trid.xml. Some short null patterns now vanish, like:
<Pattern>
<Bytes>0000</Bytes>
<Pos>224</Pos>
</Pattern>
<Pattern>
<Bytes>00000000</Bytes>
<Pos>228</Pos>
</Pattern>
Furthermore, in the global string section some lines vanish or become
shorter, like:
<String>TEFILEA</String>
<String>W''H</String>
Double Commander can also use the plugins of Total
Commander. But there the 64-bit plugins also have the WCX extension.
So I mention this fact in a remark line like:
<Rem>
Extension WCX64 is used by Total Commander,
whereas the Double Commander use WCX
</Rem>
So the file name extension is shown by a line like:
<Ext>WCX64/WCX</Ext>
So I updated wcx-64.trid.xml with 4 Double Commander 64-bit plugins
(rpm.wcx, sevenzip.wcx, unrar.wcx, zip.wcx; see
x64/DoubleCommander/output/file-5.39.txt). Afterwards I deleted the short
null patterns. And in the global string section I deleted obviously short
garbage patterns like:
<String>D$ A</String>
<String>D$ H</String>
<String>D$ L</String>
<String>D$(D</String>
<String>D$(H</String>
With the additional definition for 64-bit, the Total Commander plugins
are now described more precisely (see appended
x64/output/trid-v-new.txt and x64/more/output/trid-v-new.txt). Also
the 64-bit plugins for Double Commander are now described more
precisely (see appended x64/DoubleCommander/output/trid-v-new.txt).
Besides plugins for packed files, there also exist other Total/Double
Commander plugins for other purposes with other file name
extensions. I will try to handle these things in a future session.
The TrID definitions, some examples and output are stored in the archive
wcx.zip. I hope that my 2 XML files can be used in a future version of
triddefs.
With best wishes
Jörg Jenderek
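As an added example (not part of the post above and not TrID's own code), the following Python script shows what the quoted <Bytes>/<Pos> and <String> elements express by applying a 32-bit and a 64-bit WCX definition to file content. The definition table, the name given to the 64-bit definition, the PE optional-header magic check (added here to tell PE32 from PE32+ the way the file command does; TrID's XML does not check it) and the constructed sample files are assumptions of this example.

```python
"""Added example, not TrID's own code and not from the post: a minimal
TrID-style matcher for the WCX packer plugin definitions discussed above.
The definition table is a hand-written assumption modelled on the quoted
<Bytes>/<Pos>/<String> fragments; the sample files are constructed."""
import struct

# Assumed definitions modelled on the post's XML fragments.  Each entry has
# positional byte patterns (like <Bytes>/<Pos>) and global strings (like
# <String>).  The pe_magic field is an addition of this example: it mirrors
# the PE32 / PE32+ distinction that the file command reports, which the
# TrID XML itself does not check.
DEFINITIONS = {
    "Total Commander Packer extension (plugin)": {
        "patterns": [(0, bytes.fromhex("4D5A"))],
        "strings": [b"PROCESSFILE", b"READHEADER",
                    b"SETCHANGEVOLPROC", b"SETPROCESSDATAPROC"],
        "pe_magic": 0x10B,  # PE32 optional-header magic (32-bit)
    },
    # Name assumed; the post does not quote the 64-bit definition's <Name>.
    "Total Commander 64-bit Packer extension (plugin)": {
        "patterns": [(0, bytes.fromhex("4D5A90000300000004000000FFFF"))],
        "strings": [b"PROCESSFILE", b"READHEADER",
                    b"SETCHANGEVOLPROC", b"SETPROCESSDATAPROC"],
        "pe_magic": 0x20B,  # PE32+ optional-header magic (64-bit)
    },
}


def pe_optional_magic(data):
    """Return the PE optional-header magic (0x10B or 0x20B), or None when
    the MZ/PE layout is not present or the file is too short."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # PE signature (4 bytes) + COFF header (20 bytes) precede the magic.
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return struct.unpack_from("<H", data, e_lfanew + 24)[0]


def matches(data, definition):
    """True when all positional patterns, all global strings (compared
    case-insensitively, as the uppercase <String> values suggest) and the
    assumed PE magic are satisfied."""
    for pos, pattern in definition["patterns"]:
        if data[pos:pos + len(pattern)] != pattern:
            return False
    upper = data.upper()
    if any(s not in upper for s in definition["strings"]):
        return False
    return pe_optional_magic(data) == definition["pe_magic"]


def identify(data):
    """Names of all definitions that match the given file content."""
    return [name for name, d in DEFINITIONS.items() if matches(data, d)]


def build_sample(pe32plus):
    """Constructed stand-in for a WCX plugin: a valid MZ stub and PE header
    followed by the packer-plugin export names, with no real code."""
    stub = bytes.fromhex("4D5A90000300000004000000FFFF")
    hdr = bytearray(stub + b"\0" * (0x40 - len(stub)))
    struct.pack_into("<I", hdr, 0x3C, 0x80)          # e_lfanew -> PE header
    hdr += b"\0" * (0x80 - len(hdr))
    machine = 0x8664 if pe32plus else 0x014C         # x86-64 / i386
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0, 0x2000)  # DLL flag
    magic = struct.pack("<H", 0x20B if pe32plus else 0x10B)
    names = b"\0".join([b"OpenArchive", b"ReadHeader", b"ProcessFile",
                        b"CloseArchive", b"SetChangeVolProc",
                        b"SetProcessDataProc"])
    return bytes(hdr) + b"PE\0\0" + coff + magic + b"\0" * 6 + names + b"\0"


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, identify(fh.read()) or ["no WCX definition matched"])
```

Run with real plugin paths as arguments to see which assumed definition each file satisfies; the two constructed samples from build_sample() each match exactly one definition because the PE magic check keeps the short "MZ" pattern from claiming the 64-bit files as well.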