[File] [PATCH] Support ARM64 Linux vmlinux files
John Villalovos
john at sodarock.com
Fri Oct 4 20:45:30 UTC 2019
Support ARM64 Linux vmlinux files

Currently 'file' says that the ARM64 Linux vmlinux files are MS-DOS
executables. They are in fact PE files that are used to boot via
UEFI.

Here is a before and after showing the difference with and without the patch.

$ file vmlinux
linux: MS-DOS executable

$ file -m msdos vmlinux
linux: MS-DOS executable PE PE32+ executable (EFI application) ARM64
(stripped to external PDB), for MS Windows

Info of the vmlinux file:

$ head -c 256 vmlinux | xxd
00000000: 4d5a 0091 ffbf 2d14 0000 0800 0000 0000 MZ....-.........
00000010: 0020 2601 0000 0000 0a00 0000 0000 0000 . &.............
00000020: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000030: 0000 0000 0000 0000 4152 4d64 4000 0000 ........ARMd@...
00000040: 5045 0000 64aa 0200 0000 0000 0000 0000 PE..d...........
00000050: 0000 0000 a000 0602 0b02 0214 0010 c300 ................
00000060: 0000 6300 0000 0000 e85a b700 0010 0000 ..c......Z......
00000070: 0000 0000 0000 0000 0010 0000 0002 0000 ................
00000080: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000090: 0020 2601 0010 0000 23a2 1d01 0a00 0000 . &.....#.......
000000a0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
000000b0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
000000c0: 0000 0000 0600 0000 0000 0000 0000 0000 ................
000000d0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
000000e0: 0000 0000 0000 0000 0032 1d01 7005 0000 .........2..p...
000000f0: 0000 0000 0000 0000 2e74 6578 7400 0000 .........text...

In the patch I duplicated the check for PE\0\0 twice as removing the
old check and then having to de-dent everything by one '<' seemed very
intrusive of a patch.

Also added the code to identify ARM64 CPU code.

$ git diff
diff --git a/magic/Magdir/msdos b/magic/Magdir/msdos
index 5ed6d633..70f835a4 100644
--- a/magic/Magdir/msdos
+++ b/magic/Magdir/msdos
@@ -61,11 +61,8 @@
#>>0x18 leshort 0x1c (Borland compiler)
#>>0x18 leshort 0x1e (MS compiler)
-# If the relocation table is 0x40 or more bytes into the file, it's definitely
-# not a DOS EXE.
->0x18 leshort >0x3f
-
# Maybe it's a PE?
+>(0x3c.l) string PE\0\0 PE
>>(0x3c.l) string PE\0\0 PE
!:mime application/x-dosexec
>>>(0x3c.l+24) leshort 0x010b \b32 executable
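Review bot: the added level-1 test '>(0x3c.l) string PE\0\0 PE' prints "PE", and the unchanged '>>(0x3c.l) string PE\0\0 PE' line nested under it prints it a second time, which is why the patched output above reads "PE PE32+". Give the new level-1 line an empty description, or drop the nested duplicate and de-dent its children, so the string appears once. The removed '>0x18 leshort >0x3f' test also took its explanatory comment with it; a replacement comment stating that the PE signature is now tried for every MZ file regardless of the relocation table offset (0x0a in the dump above) would record why the guard was dropped.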
@@ -129,6 +126,7 @@
>>>(0x3c.l+4) leshort 0x466 MIPS16 with FPU
>>>(0x3c.l+4) leshort 0xebc EFI byte code
>>>(0x3c.l+4) leshort 0x8664 x86-64
+>>>(0x3c.l+4) leshort 0xaa64 ARM64
>>>(0x3c.l+4) leshort 0xc0ee MSIL
>>>(0x3c.l+4) default x Unknown processor type
>>>>&0 leshort x 0x%x
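Review bot: the 0xaa64 line does not depend on the relocation-check change in the first hunk and would be better sent as its own patch, so it can be merged even if the other change is reworked. The value agrees with the dump above (bytes 64 aa at 0x44, which is 0x3c.l + 4), and the line keeps the list's numeric order between 0x8664 and 0xc0ee.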
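Added example, not part of the original post and not libmagic code: a simplified Python model of the rule chain, showing why the header in the dump stops at "MS-DOS executable" while the PE tests sit under the 0x18 check and is identified once they do not. The function names, the reloc_gate parameter and the output wording are assumptions made for illustration; the sample header is constructed from the field values visible in the dump.

```python
import struct

MACHINES = {0x8664: "x86-64", 0xAA64: "ARM64"}   # two entries from the patched table
OPT_MAGIC = {0x010B: "PE32", 0x020B: "PE32+"}
EFI_APPLICATION = 10                              # PE subsystem value


def build_sample_header(reloc_offset: int = 0x000A) -> bytes:
    """Constructed sample: only the fields the rules read, values from the dump."""
    buf = bytearray(256)
    buf[0:2] = b"MZ"
    struct.pack_into("<H", buf, 0x18, reloc_offset)     # DOS relocation table offset
    struct.pack_into("<I", buf, 0x3C, 0x40)             # offset of the PE signature
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x44, 0xAA64)           # COFF machine field
    struct.pack_into("<H", buf, 0x58, 0x020B)           # optional header magic
    struct.pack_into("<H", buf, 0x9C, EFI_APPLICATION)  # subsystem
    return bytes(buf)


def describe(data: bytes, reloc_gate: bool) -> str:
    """Hypothetical model of the rule chain, not libmagic's implementation."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "data"
    out = "MS-DOS executable"
    (reloc,) = struct.unpack_from("<H", data, 0x18)
    if reloc_gate and reloc <= 0x3F:
        return out            # old rules: PE tests sit under `>0x18 leshort >0x3f`
    (pe,) = struct.unpack_from("<I", data, 0x3C)
    if pe + 94 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        return out            # indirect offset out of range or no signature
    (machine,) = struct.unpack_from("<H", data, pe + 4)
    (magic,) = struct.unpack_from("<H", data, pe + 24)
    (subsystem,) = struct.unpack_from("<H", data, pe + 92)
    parts = [out, OPT_MAGIC.get(magic, "PE"), "executable"]
    if subsystem == EFI_APPLICATION:
        parts.append("(EFI application)")
    parts.append(MACHINES.get(machine, f"Unknown processor type 0x{machine:x}"))
    return " ".join(parts)


if __name__ == "__main__":
    header = build_sample_header()
    print("with 0x18 gate:   ", describe(header, reloc_gate=True))
    print("without 0x18 gate:", describe(header, reloc_gate=False))
```

The bounds test before the signature comparison matters because the offset at 0x3c is attacker-controlled in an untrusted file, so the model treats an out-of-range value as "no PE header" instead of reading past the buffer.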