Hello trid users,
Some days ago, just out of interest, I inspected EFI executables starting with
the MZ magic. Afterwards I looked for other MZ executables on my systems. Such
samples with the WLX file name extension are Total Commander Lister plugins.
Many are described correctly by wlx.trid.xml as "Total Commander Lister
extension (plugin)". But 2 examples, xBaseView.wlx and jpegthumbs.wlx, are
only described by dll.trid.xml as "Win32 Dynamic Link Library (generic)" (see
appended output/trid-v-old.txt).
For comparison I also ran other identifying tools on these examples. The file
command identifies them as "PE32 executable (DLL)" and "Intel 80386, for MS
Windows" (see appended output/file-5.39.txt).
So I ran tridscan on these 2 undetected samples and updated the TrID
definition file wlx.trid.xml. All my samples still start with the typical
Windows executable phrase that is also found in the other TrID definitions
exe-win*.trid.xml. That is expressed by XML pattern blocks like:
<Bytes>4D5A</Bytes>
<ASCII> M Z</ASCII>
<Pos>0</Pos>
Afterwards, in the global string section, one long line gets shorter. That
line was:
<String>LISTSENDCOMMAND</String>
Now I get one line with only part of the keyword, like:
<String>COMMAND</String>
When looking again for my WLX samples I found 4 examples (arcview.wlx,
factory.wlx, HPG_ed.wlx, SynUs.wlx) that are obviously compressed by UPX. So
these examples are also described by upx-win32.trid.xml as "UPX compressed
Win32 Executable" (see appended UPX/output/trid-v-old.txt). And the file
command describes these examples with an additional "UPX compressed" phrase
(see appended UPX/output/file-5.39.txt). One example, factory.wlx (part of
the Multimedia Factory Plugin archive wlx_mmfactory.zip), is not described by
wlx.trid.xml. So I updated the TrID definition again with this example. Now
the above mentioned line gets even shorter:
<String>COMM</String>
Because the WLX file format is extended from the DOS MZ executable, the file
command uses the mime type "application/x-dosexec" (see appended
output/file-i-5.39.txt), but the Wikipedia page about Portable Executable
mentions another mime type. That is now expressed by a line like:
<Mime>application/vnd.microsoft.portable-executable</Mime>
With the updated definition the 3 unspecifically described WLX files are
now described more precisely (see appended output/trid-v-new.txt
and UPX/output/trid-v-new.txt).
When looking in the TrID definition, I see that only 32-bit variants are
described. According to the Portable Executable documentation the COFF header
starts with the 4 byte signature "PE\0\0", and typically this signature is
still near the beginning. Afterwards come 2 bytes of machine type in little
endian format. For Intel 386 this value is 0x014c. That gives in ASCII the
letter L after the 4 byte signature. That is recognized by a line like:
<String>PE''L</String>
So the 64-bit Lister plugins for Total Commander are not recognized by this
TrID definition. The file command identifies 9 such examples as "PE32+
executable (DLL)" and "x86-64, for MS Windows" (see appended
x64/output/file-5.39.txt).
So I ran tridscan on the undetected samples and generated the TrID definition
file wlx-64.trid.xml. All my samples start with the typical Windows executable
phrase that is also found in the other TrID definitions exe-win*.trid.xml.
That is expressed by XML pattern blocks like:
<Bytes>4D5A</Bytes>
<ASCII> M Z</ASCII>
<Pos>0</Pos>
For the Intel/AMD x64 CPU type the machine type value is 0x8664. Then we get
the letter d after the 4 byte signature. So this is expressed by the line:
<String>PE''D</String>
For 64-bit plugins I found no Double Commander Lister extension. So only one
file name extension is used here. That file name extension is shown by a line
like:
<Ext>WLX64</Ext>
Afterwards I deleted short null patterns that were probably triggered by lucky
circumstances, like:
<Pattern>
<Bytes>0000</Bytes>
<Pos>62</Pos>
</Pattern>
<Pattern>
<Bytes>00</Bytes>
<Pos>263</Pos>
</Pattern>
<Pattern>
<Bytes>00</Bytes>
<Pos>291</Pos>
</Pattern>
And in the global string section I deleted obviously short garbage patterns like:
<String>CTIONEN</String>
<String>ECTIONA</String>
<String>TURECON</String>
<String>Y'''''M</String>
<String>$8H3</String>
<String>$H'T</String>
<String>$P'T</String>
<String>$X'T</String>
<String>+''H</String>
<String>7''H</String>
With the additional definition for 64-bit, the Total Commander Lister plugins
are now described more precisely (see appended x64/output/trid-v-new.txt).
The Lister extensions for the Linux variant of Double Commander still use the
same file name extensions as the Windows variant. But instead of the Portable
Executable (PE) file format, the ELF file format seems to be used there. So
for the Linux plugins additional TrID definitions are needed.
The TrID definitions, some examples and output are stored in the archive
wlx.zip. I hope that my 2 XML files can be used in a future version of
triddefs.
With best wishes
Jörg Jenderek
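As an added illustration of the machine-type check described in the message above (this is example code, not part of the post or of TrID), the following Python follows the MZ header's e_lfanew field to the "PE\0\0" signature and reads the COFF machine type, the DLL flag and the optional-header magic that separate "PE32" from "PE32+". The sample headers are constructed inline and are not real plugins; the TrID patterns in the post match the same machine byte ("L" or "d") as a literal string after the signature.

```python
import struct

# COFF machine types and optional-header magics from the PE/COFF specification
MACHINES = {0x014C: "Intel 80386", 0x8664: "x86-64"}
OPT_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}
IMAGE_FILE_DLL = 0x2000  # Characteristics bit set for DLLs such as Lister plugins


def identify_pe(data: bytes) -> dict:
    """Walk MZ -> e_lfanew -> 'PE\\0\\0' -> COFF header and report the fields that
    the file command and the TrID patterns key on. Anything that is not a PE
    image (ELF, a bare MZ stub, truncated data) yields {"ok": False, ...}."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return {"ok": False, "reason": "no MZ signature at offset 0"}
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # need signature (4) + COFF header (20) + optional-header magic (2)
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return {"ok": False, "reason": "no PE signature at e_lfanew"}
    # COFF header: Machine at +0, Characteristics at +18 (16 bytes skipped)
    machine, characteristics = struct.unpack_from("<H16xH", data, e_lfanew + 4)
    opt_magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    return {
        "ok": True,
        "machine": MACHINES.get(machine, "unknown 0x%04x" % machine),
        "format": OPT_MAGIC.get(opt_magic, "unknown 0x%04x" % opt_magic),
        "dll": bool(characteristics & IMAGE_FILE_DLL),
        # low byte of the little-endian machine type: the 'L' / 'd' after PE\0\0
        "machine_byte": chr(data[e_lfanew + 4]),
    }


def make_sample(machine: int, opt_magic: int, e_lfanew: int = 0x80) -> bytes:
    """Constructed minimal header blob for testing (not a runnable binary)."""
    hdr = bytearray(e_lfanew + 26)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (DLL)
    struct.pack_into("<HHIIIHH", hdr, e_lfanew + 4, machine, 1, 0, 0, 0, 0, IMAGE_FILE_DLL)
    struct.pack_into("<H", hdr, e_lfanew + 24, opt_magic)
    return bytes(hdr)


if __name__ == "__main__":
    for name, blob in (("wlx (32-bit)", make_sample(0x014C, 0x10B)),
                       ("wlx64", make_sample(0x8664, 0x20B))):
        print(name, identify_pe(blob))
```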