Hello trid users,
Some days ago, just out of interest, I inspected EFI executables starting with
the MZ magic. Afterwards I looked for other MZ executables on my systems. Such
samples with the WDX file name extension are Total Commander content plugins.
Many are described correctly by wdx.trid.xml as "Total Commander Content
plugin". But 3 examples like ExeFormat.wdx, audioinfo.wdx and deb_wdx.wdx
are only described by dll.trid.xml as "Win32 Dynamic Link Library
(generic)" (see appended output/trid-v-old.txt).
For comparison I also ran other identifying tools on these examples.
The file command identifies these examples as "PE32 executable (DLL)" and
"Intel 80386, for MS Windows" (see appended output/file-5.39.txt).
So I ran tridscan on the 3 undetected samples and updated the TrID definition
file wdx.trid.xml. All my samples still start with the typical Windows
executable phrase that is also found in other TrID definitions
exe-win*.trid.xml. That is expressed by XML pattern blocks like:
<Bytes>4D5A</Bytes>
<ASCII> M Z</ASCII>
<Pos>0</Pos>
Afterwards, in the global string section one line vanished. That line was:
<String>OPEN</String>
Also in the global string section one long line got split. That line
was:
<String>LOADLIBRARYA</String>
Now I get 3 lines with keyword parts like:
<String>LOAD</String>
<String>LIBRARY</String>
<String>ADLI</String>
The last line is triggered by the keyword TThreadList in audioinfo.wdx.
Furthermore, the example ExeFormat.wdx does not depend on the library USER32.DLL,
but it does contain the keyword GetUserObjectInformation. So the following
line becomes shorter:
<String>USER32.DLL</String>
This now becomes:
<String>USER</String>
Because the WDX file format is an extension of the DOS MZ executable format, the
file command uses the MIME type "application/x-dosexec" (see appended
output/file-i-5.39.txt), but the Wikipedia page about Portable
Executable mentions another MIME type. That is expressed by a line like:
<Mime>application/vnd.microsoft.portable-executable</Mime>
With the updated definition the 3 unspecifically described WDX files are
now described more precisely (see appended output/trid-v-new.txt).
When looking into the TrID definition, I see that only 32-bit variants are
described. According to the Portable Executable documentation the COFF header
starts with the 4-byte signature "PE\0\0", and typically this signature is still
near the beginning. After it come 2 bytes of machine type in little-endian
format. For Intel 386 this value is 0x014c. That gives in ASCII the letter L
after the 4-byte signature. That is recognized by a line like:
<String>PE''L</String>
So the 64-bit content plugin extensions for Total Commander are not
recognized by this TrID definition. The file command identifies 10 examples
as "PE32+ executable (DLL)" and "x86-64, for MS Windows" (see appended
x64/output/file-5.39.txt).
So I ran tridscan on 17 undetected samples and generated the TrID definition
file wdx-64.trid.xml. All my samples start with the typical Windows executable
phrase that is also found in other TrID definitions exe-win*.trid.xml. That
is expressed by XML pattern blocks like:
<Bytes>4D5A</Bytes>
<ASCII> M Z</ASCII>
<Pos>0</Pos>
For the Intel/AMD x64 CPU type the machine type value is 0x8664. Then we get the
letter d after the 4-byte signature. So this is expressed by a line like:
<String>PE''D</String>
Instead of the WDX file name extension the 64-bit plugins for Total Commander
use WDX64. Later I found 5 more plugins with the WDX file name extension (see
appended x64/output/file-5.39.txt).
These plugins are used by the 64-bit variant of Double Commander. There
the 64-bit plugins also have the WDX extension, like in the 32-bit variant.
So I mention this fact in a remark line like:
<Rem>
Extension WDX64 is used by Total Commander,
whereas Double Commander uses WDX
</Rem>
So the file name extension is shown by a line like:
<Ext>WDX64/WDX</Ext>
Afterwards I delete short null patterns probably triggered by lucky
circumstances like:
<Bytes>0000</Bytes>
<Pos>62</Pos>
And in the global string section I delete obviously short garbage patterns like:
<String>D$ H</String>
<String>D$(H</String>
<String>D$0H</String>
<String>D$HH</String>
<String>ETEN</String>
<String>ETTI</String>
<String>GETT</String>
<String>INGS</String>
With the additional definition for 64-bit, the Total Commander content
plugins are now described more precisely. Also the 64-bit plugins for Double
Commander are now described more precisely (see appended
x64/output/trid-v-new.txt).
Besides plugins for packed files, there also exist other Total/Double
Commander plugins for other purposes with other file name
extensions. I will try to handle these things in a future session.
The TrID definition, some examples and output are stored in the archive wdx.zip. I
hope that my 2 XML files can be used in a future version of triddefs.
With best wishes
Jörg Jenderek
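As an added worked example (not part of the post above, and not code from TrID or from the plugin authors), the following Python script does by hand what the post describes: it follows e_lfanew from the MZ header to the "PE\0\0" signature, reads the little-endian machine type, and shows why the byte right after the signature is the letter L for 0x014c (Intel 386) and d for 0x8664 (x64), which is what the `<String>PE''L</String>` and `<String>PE''D</String>` patterns pick up. It also reads the optional header magic (0x10b for PE32, 0x20b for PE32+) and the IMAGE_FILE_DLL characteristics flag, which is how the PE specification distinguishes 32-bit from 64-bit images and DLLs from ordinary executables; those two checks are additions beyond what the post discusses. The PE images it parses are constructed inside the script as minimal headers, not real WDX/WDX64 plugin files, and every offset is bounds-checked so truncated or malformed input yields None rather than an exception.

```python
import struct

# Well-known constants from the PE/COFF specification.
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_DLL = 0x2000          # Characteristics flag: image is a DLL
PE32_MAGIC = 0x10B               # optional header magic for 32-bit images
PE32PLUS_MAGIC = 0x20B           # optional header magic for 64-bit images

# COFF file header: Machine, NumberOfSections, TimeDateStamp,
# PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
COFF_FMT = "<HHIIIHH"
COFF_SIZE = struct.calcsize(COFF_FMT)   # 20 bytes


def build_sample(machine, characteristics, opt_magic, e_lfanew=0x80):
    """Build a constructed minimal PE image for testing (assumption: test data
    only, not a loadable file). Only the fields classify_pe() reads are set."""
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"                                  # e_magic at offset 0
    dos[0x3C:0x40] = struct.pack("<I", e_lfanew)      # e_lfanew -> "PE\0\0"
    coff = struct.pack(COFF_FMT, machine, 0, 0, 0, 0, 2, characteristics)
    return bytes(dos) + b"PE\0\0" + coff + struct.pack("<H", opt_magic) + b"\0" * 16


def classify_pe(data):
    """Parse the MZ and PE headers; return a dict, or None if not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # Signature + COFF header + optional header magic must fit in the buffer.
    if e_lfanew + 4 + COFF_SIZE + 2 > len(data):
        return None
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, _, _, _, _, _, characteristics = struct.unpack_from(
        COFF_FMT, data, e_lfanew + 4)
    (opt_magic,) = struct.unpack_from("<H", data, e_lfanew + 4 + COFF_SIZE)
    return {
        "machine": machine,
        "arch": {IMAGE_FILE_MACHINE_I386: "Intel 80386",
                 IMAGE_FILE_MACHINE_AMD64: "x86-64"}.get(machine, hex(machine)),
        # The optional header magic, not the machine type, defines PE32 vs PE32+.
        "bits": {PE32_MAGIC: 32, PE32PLUS_MAGIC: 64}.get(opt_magic),
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        # Low byte of the little-endian machine field: 0x4C is 'L', 0x64 is 'd'.
        "machine_marker": chr(machine & 0xFF),
        # The five bytes a signature scanner sees: "PE", two NULs, the marker.
        "sig_bytes": bytes(data[e_lfanew:e_lfanew + 5]),
    }


def describe(info):
    """Render a short description in the style of the file command's output."""
    if info is None:
        return "not a PE file"
    kind = {32: "PE32", 64: "PE32+"}.get(info["bits"], "PE (unknown magic)")
    dll = " (DLL)" if info["is_dll"] else ""
    return f"{kind} executable{dll}, {info['arch']}"


if __name__ == "__main__":
    # Constructed stand-ins for a 32-bit WDX plugin and a 64-bit WDX64 plugin.
    samples = {
        "example32.wdx": build_sample(IMAGE_FILE_MACHINE_I386, IMAGE_FILE_DLL, PE32_MAGIC),
        "example64.wdx64": build_sample(IMAGE_FILE_MACHINE_AMD64, IMAGE_FILE_DLL, PE32PLUS_MAGIC),
    }
    for name, blob in samples.items():
        info = classify_pe(blob)
        print(f"{name}: {describe(info)}; bytes at e_lfanew = {info['sig_bytes']!r}")
```

Because the script walks e_lfanew instead of assuming the signature sits at a fixed offset, it also handles files whose DOS stub is longer than usual, which a fixed-position `<Pos>` pattern would miss; the bounds check before each read is what keeps a crafted e_lfanew from turning a file-type probe into a crash.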