[File] [PATCH] Support ARM64 Linux vmlinux files
John Villalovos
john at sodarock.com
Thu Oct 17 16:27:44 UTC 2019
Any feedback on this patch? Is there something else I should do?
Thanks,
John
On Fri, Oct 4, 2019 at 1:45 PM John Villalovos <john at sodarock.com> wrote:
>
> Support ARM64 Linux vmlinux files
>
> Currently 'file' says that the ARM64 Linux vmlinux files are MS-DOS
> executables. They are in fact PE files that are used to boot via
> UEFI.
>
> Here is a before and after showing the difference with and without the patch.
> $ file vmlinux
> linux: MS-DOS executable
> $ file -m msdos vmlinux
> linux: MS-DOS executable PE PE32+ executable (EFI application) ARM64
> (stripped to external PDB), for MS Windows
>
> Info of the vmlinux file:
> $ head -c 256 vmlinux | xxd
> 00000000: 4d5a 0091 ffbf 2d14 0000 0800 0000 0000 MZ....-.........
> 00000010: 0020 2601 0000 0000 0a00 0000 0000 0000 . &.............
> 00000020: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 00000030: 0000 0000 0000 0000 4152 4d64 4000 0000 ........ARMd at ...
> 00000040: 5045 0000 64aa 0200 0000 0000 0000 0000 PE..d...........
> 00000050: 0000 0000 a000 0602 0b02 0214 0010 c300 ................
> 00000060: 0000 6300 0000 0000 e85a b700 0010 0000 ..c......Z......
> 00000070: 0000 0000 0000 0000 0010 0000 0002 0000 ................
> 00000080: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 00000090: 0020 2601 0010 0000 23a2 1d01 0a00 0000 . &.....#.......
> 000000a0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 000000b0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 000000c0: 0000 0000 0600 0000 0000 0000 0000 0000 ................
> 000000d0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 000000e0: 0000 0000 0000 0000 0032 1d01 7005 0000 .........2..p...
> 000000f0: 0000 0000 0000 0000 2e74 6578 7400 0000 .........text...
>
> In the patch I duplicated the check for PE\0\0 twice as removing the
> old check and then having to de-dent everything by one '<' seemed very
> intrusive of a patch.
>
> Also added the code to identify ARM64 CPU code.
>
> $ git diff
> diff --git a/magic/Magdir/msdos b/magic/Magdir/msdos
> index 5ed6d633..70f835a4 100644
> --- a/magic/Magdir/msdos
> +++ b/magic/Magdir/msdos
> @@ -61,11 +61,8 @@
> #>>0x18 leshort 0x1c (Borland compiler)
> #>>0x18 leshort 0x1e (MS compiler)
>
> -# If the relocation table is 0x40 or more bytes into the file, it's definitely
> -# not a DOS EXE.
> ->0x18 leshort >0x3f
> -
> # Maybe it's a PE?
> +>(0x3c.l) string PE\0\0 PE
> >>(0x3c.l) string PE\0\0 PE
> !:mime application/x-dosexec
> >>>(0x3c.l+24) leshort 0x010b \b32 executable
> @@ -129,6 +126,7 @@
> >>>(0x3c.l+4) leshort 0x466 MIPS16 with FPU
> >>>(0x3c.l+4) leshort 0xebc EFI byte code
> >>>(0x3c.l+4) leshort 0x8664 x86-64
> +>>>(0x3c.l+4) leshort 0xaa64 ARM64
> >>>(0x3c.l+4) leshort 0xc0ee MSIL
> >>>(0x3c.l+4) default x Unknown processor type
> >>>>&0 leshort x 0x%x
More information about the File
mailing list