Hello TrID users,
Some days ago, just out of interest, I inspected EFI executables starting with the MZ
magic. Afterwards I looked for other MZ executables on my systems. Such
samples with the BPL file name extension are Borland Package Libraries.
Some examples are described correctly by bpl.trid.xml as "Borland Package
Library" (see appended output/trid-v-old.txt). But 12 examples like
rtl100.bpl, vcl160.bpl and AxComponents20.bpl are only described by
exe-win.trid.xml as "Win32 Executable (generic)" or by dll.trid.xml as
"Win32 Dynamic Link Library (generic)" (see appended
bpl_new/output/trid-v-old.txt).
For comparison I also ran other identifying tools on these examples.
The file command identifies them as "PE32 executable (DLL)" and
"Intel 80386, for MS Windows" (see appended bpl_new/output/file-5.39.txt).
So I ran tridscan on these undetected samples and updated the TrID definition
file bpl.trid.xml. All my samples still start with the typical Windows
executable phrase that is also found in the other TrID definitions
exe-win*.trid.xml. That is expressed by an XML pattern block like:
<Bytes>4D5A50000200000004000F00FFFF0000B80000000000000040001A
<ASCII> M Z P . . . . . . . . . . . . . . . . . . . . . @ . .
<Pos>0</Pos>
Now in the global strings section some patterns vanish, like:
<String>O'R'I'G'I'N'A'L'F'I'L'E'N'A'M'E</String>
<String>F'I'L'E'D'E'S'C'R'I'P'T'I'O'N</String>
<String>F'I'L'E'V'E'R'S'I'O'N</String>
<String>B'O'R'L'A'N'D</String>
Unfortunately the last line seems to be a hint for Borland package
libraries. But a hint for the file name extension still survives in a line like:
<String>0.BPL</String>
The inspected BPL samples are portable executable (PE) containers for the Intel
80386. According to the Portable Executable documentation, the COFF header
starts with the 4-byte signature "PE\0\0", and typically this signature is still
near the beginning. Afterwards comes the 2-byte machine type in little-endian
format. For the Intel 386 this value is 0x014c. That gives the ASCII letter L
after the 4-byte signature. That is expressed in the TrID definition by a line like:
<String>$7'''''' PE''L</String>
Because such a BPL file format is an extension of the DOS MZ executable, the file
command uses the MIME type "application/x-dosexec" (see appended
bpl_new/output/file-i-5.39.txt), but portable executables get their own MIME
type. That is now expressed by the line:
<Mime>application/vnd.microsoft.portable-executable</Mime>
Unfortunately I found no official or good file format documentation. So I
use the file name extension as a hint. That reference URL is now expressed by a line
like:
<RefURL>https://www.filesuffix.com/en/extension/bpl</RefURL>
With the updated definition my BPL samples are now described (see appended
bpl_new/output/trid-v-new.txt).
The TrID definition, some examples and the output are stored in the archive bpl.zip. I
hope that my XML file can be used in a future version of triddefs.
With best wishes
Jörg Jenderek
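The header walk described in the post (MZ stub, e_lfanew at offset 0x3c, "PE\0\0" signature, little-endian machine type 0x014c showing up as the letter L, plus the Borland and .BPL string hints) as an added Python example; this is not code from the post or from TrID. It assumes the apostrophes in the quoted TrID strings stand for the NUL bytes of UTF-16LE text, and build_sample constructs a minimal test image rather than using a real BPL file.

```python
import struct

# Machine type values from the PE/COFF specification (only a few are listed here).
MACHINE_NAMES = {0x014C: "Intel 80386", 0x8664: "x64", 0x01C0: "ARM", 0xAA64: "ARM64"}
IMAGE_FILE_DLL = 0x2000  # Characteristics flag set on DLL-style images such as BPLs

def _has_marker(data: bytes, text: str) -> bool:
    # Assumption: TrID's apostrophes are the NUL bytes of UTF-16LE text, so the
    # raw file holds e.g. b"B\x00O\x00R\x00..."; the plain ASCII form is checked too.
    upper = data.upper()
    return text.encode("utf-16-le") in upper or text.encode("ascii") in upper

def inspect_pe(data: bytes) -> dict:
    """Walk the MZ stub to the COFF header and collect the fields the post relies on."""
    info = {"mz": False, "pe": False, "machine": None, "machine_bytes": b"",
            "dll": False, "bpl_hint": False, "borland_hint": False}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return info
    info["mz"] = True
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]      # file offset of "PE\0\0"
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return info
    info["pe"] = True
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (all little-endian).
    machine, *_, characteristics = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    info["machine"] = MACHINE_NAMES.get(machine, hex(machine))
    info["machine_bytes"] = data[e_lfanew + 4:e_lfanew + 6]  # 0x014c is stored as b"L\x01"
    info["dll"] = bool(characteristics & IMAGE_FILE_DLL)
    info["bpl_hint"] = _has_marker(data, ".BPL")
    info["borland_hint"] = _has_marker(data, "BORLAND")
    return info

def build_sample(machine=0x014C, characteristics=0x2102, extra=b"") -> bytes:
    """Constructed minimal MZ+PE image for testing; it is not a loadable executable."""
    stub = bytearray(b"MZ" + b"\0" * 0x3E)
    e_lfanew = 0x80
    struct.pack_into("<I", stub, 0x3C, e_lfanew)     # point the MZ stub at the PE header
    stub += b"\0" * (e_lfanew - len(stub))
    coff = struct.pack("<HHIIIHH", machine, 3, 0, 0, 0, 224, characteristics)
    return bytes(stub) + b"PE\0\0" + coff + extra

if __name__ == "__main__":
    sample = build_sample(extra="rtl100.bpl Borland".encode("utf-16-le"))
    print(inspect_pe(sample))
```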