Hello trid users,
some days ago, just for interest, I inspected EFI executables starting with
the MZ magic. Afterwards I looked for other MZ executables on my systems.
Such samples with the WFX file name extension are Total Commander file
system plugins.
Many are described correctly by wfx.trid.xml as "Total Commander File system
extension (plugin)".
But 1 example, CPMWFX.wfx, is only described by dll.trid.xml as "Win32
Dynamic Link Library (generic)" (see appended output/trid-v-old.txt). cpmimg,
made by Volker Pohlers, is a plugin to read and write CP/M formatted floppy
disks and disk images like DSK, Teledisk and others. For information look
at:
https://totalcmd.net/plugring/cpmimg.html
For comparison reasons I also ran other identifying tools on such examples.
The file command identifies these examples as "PE32 executable (DLL)" and
"Intel 80386, for MS Windows" (see appended output/file-5.39.txt).
So I ran tridscan on the undetected sample and I updated the trid definition
file wcx.trid.xml.xml. All my samples still start with the typical Windows
executable phrase that is also found in other trid definitions
exe-win*.trid.xml. That is expressed by XML pattern blocks like:
<Bytes>4D5A</Bytes>
<ASCII> M Z</ASCII>
<Pos>0</Pos>
Afterwards, in the global string section, one long line got split. That
line was:
<String>FSGETDEFROOTNAME</String>
Now I get 3 lines with keyword parts like:
<String>FSGET</String>
<String>ETDEF</String>
<String>GETDE</String>
<String>TNAME</String>
<String>DEFR</String>
<String>EFRO</String>
The second line is triggered by the keyword FsSetDefaultParams. The third
line is triggered by the keywords GetDeviceCaps and GetDesktopWindow. The
last line is triggered by VarDateFromStr.
Because such a WFX file format is extended from the DOS MZ executable, the
file command uses the mime type "application/x-dosexec" (see appended
output/file-i-5.39.txt), but the Wikipedia page about Portable Executable
mentions another mime type. That is expressed by a line like:
<Mime>application/vnd.microsoft.portable-executable</Mime>
With the updated definition the unspecifically described WFX file is now
described more precisely (see appended output/trid-v-new.txt).
When looking in the trid definition, I see that only 32-bit variants are
described. According to the Portable Executable documentation, the COFF
header starts with the 4-byte signature "PE\0\0", and typically this
signature is still near the beginning. Afterwards comes the 2-byte machine
type in little endian format. For Intel 386 this value is 0x014c. That gives
in ASCII the letter L after the 4-byte signature. That is recognized by a
line like:
<String>PE''L</String>
So the 64-bit file system plugins for Total Commander are not recognized by
this trid definition. The file command identifies 12 examples as "PE32+
executable (DLL)" and "x86-64, for MS Windows" (see appended
x64/output/file-5.39.txt).
So I ran tridscan on the undetected samples and I generated the trid
definition file wdx-64.trid.xml. All my samples start with the typical
Windows executable phrase that is also found in other trid definitions
exe-win*.trid.xml. That is expressed by XML pattern blocks like:
<Bytes>4D5A</Bytes>
<ASCII> M Z</ASCII>
<Pos>0</Pos>
For the Intel/AMD x64 CPU type the machine type value is 0x8664. Then we get
the letter d after the 4-byte signature. So this is expressed by a line like:
<String>PE''D</String>
Instead of the WFX file name extension the 64-bit plugins for Total
Commander use WFX64. Later I found one plugin ftp.wfx with the WFX file name
extension (see appended x64/output/file-5.39.txt). This plugin is used by
the 64-bit variant of Double Commander. There the 64-bit plugins also have
the WFX extension like in the 32-bit variant. So I mention this fact in a
remark line like:
<Rem>
Extension WFX64 is used by Total Commander,
whereas the Double Commander use WFX
</Rem>
So the file name extension is shown by a line like:
<Ext>WFX64/WFX</Ext>
Afterwards I deleted short null patterns probably triggered by lucky
circumstances like:
<Bytes>0000</Bytes>
<Pos>62</Pos>
And in the global string section I deleted obviously short garbage patterns
like:
<String>JKLMNO</String>
<String>RFORMA</String>
<String>DESTR</String>
<String>TIONF</String>
<String>)''H</String>
<String>AGEB</String>
<String>ANCE</String>
<String>ATEP</String>
<String>WXYZ</String>
<String>YPER</String>
With the additional definition for 64-bit the Total Commander content
plugins are now described more precisely. Also the 64-bit plugins for
Double Commander are now described more precisely (see appended
x64/output/trid-v-new.txt).
Besides plugins for file systems there also exist other Total/Double
Commander plugins for other purposes with other file name extensions. I
will try to handle these things in a future session.
The TrID definition, some examples and output are stored in the archive
wfx.zip. I hope that my 2 XML files can be used in a future version of
triddefs.
With best wishes
Jörg Jenderek
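As an added illustration of the header walk the mail describes (not code from the post, TrID or Total Commander), this Python script follows e_lfanew at offset 0x3C to the "PE\0\0" signature, reads the little-endian machine field, and shows why the byte right after the signature is 'L' for 0x014c and 'd' for 0x8664, which is what the TrID strings PE''L and PE''D key on. The two sample headers are constructed in memory and are not real plugins.

```python
import struct

# Machine types from the PE/COFF specification, as discussed in the post.
IMAGE_FILE_MACHINE_I386 = 0x014C   # low byte 0x4C = 'L'  -> TrID string PE''L
IMAGE_FILE_MACHINE_AMD64 = 0x8664  # low byte 0x64 = 'd'  -> TrID string PE''D


def classify_pe(data: bytes):
    """Return a dict describing an MZ+PE blob, or None if it is not one.

    Reads e_lfanew from the DOS header (offset 0x3C), checks the 4-byte
    "PE\\0\\0" signature there and the 2-byte little-endian machine type
    that directly follows it.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    # The byte right after the signature is the low byte of the machine
    # field; a position-independent TrID string "PE''x" matches exactly that.
    letter = chr(data[e_lfanew + 4])
    bits = {IMAGE_FILE_MACHINE_I386: 32, IMAGE_FILE_MACHINE_AMD64: 64}.get(machine)
    return {
        "e_lfanew": e_lfanew,
        "machine": machine,
        "letter_after_signature": letter,
        "bits": bits,                      # None for other machine types
        "trid_string": ("PE''" + letter.upper()) if letter.isalpha() else None,
    }


def make_minimal_pe(machine: int, e_lfanew: int = 0x80) -> bytes:
    """Construct a minimal MZ stub plus COFF header (test fixture only, not
    a loadable executable): "MZ", e_lfanew at 0x3C, then "PE\\0\\0" + machine."""
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = b"PE\0\0" + struct.pack("<H", machine) + bytes(18)  # rest of COFF header zeroed
    return bytes(dos) + coff


if __name__ == "__main__":
    for name, machine in (("32-bit wfx", IMAGE_FILE_MACHINE_I386),
                          ("64-bit wfx64", IMAGE_FILE_MACHINE_AMD64)):
        print(name, classify_pe(make_minimal_pe(machine)))
```

Run it against a real plugin by passing the file's bytes to classify_pe; the result distinguishes what file reports as "PE32" from "PE32+" using only the header fields the post names.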