[File] [PATCH] Support ARM64 Linux vmlinux files

John Villalovos john at sodarock.com
Thu Oct 17 19:19:19 UTC 2019


Ah, I think I see what you mean about the <0x40 comment.

To resolve it, it will likely make the patch bigger but I'm thinking
to put the PE block before the: >0x18 leshort >0x3f  test.

It would make the patch bigger though, but not sure any other way. Let
me investigate it more and see what I can do.

Thanks,
John

On Thu, Oct 17, 2019 at 11:00 AM John Villalovos <john at sodarock.com> wrote:
>
> An example can be found here:
> http://ftp.nl.debian.org/debian/dists/buster/main/installer-arm64/current/images/netboot/netboot.tar.gz
>
> Extract the tarball and look at the file: debian-installer/arm64/linux
>
> It is reported as an MS-DOS file, but it is a PE file for ARM64.
>
> As far as things <0x40 being treated as PE files. I'm not an expert,
> but the files have MZ at the start. Then they also are passing the
> test of having PE\0\0 at the location pointed to by 0x3x. Seems
> unlikely that something is not a PE file if it has this. I am unsure
> why the value in 0x18 is used to determine if something is a PE file.
>
> Thanks,
> John
>
>
> On Thu, Oct 17, 2019 at 10:48 AM Christos Zoulas <christos at zoulas.com> wrote:
> >
> > On Oct 17,  9:27am, john at sodarock.com (John Villalovos) wrote:
> > -- Subject: Re: [File] [PATCH] Support ARM64 Linux vmlinux files
> >
> > | Any feedback on this patch? Is there something else I should do?
> >
> > I think that this will break stuff because the lines you removed, will
> > end up making the <0x40 test below enforced for PE binaries. Do you
> > have an example file we can test with?
> >
> > thanks,
> >
> > christos
> >
> > # All non-DOS EXE extensions have the relocation table more than 0x40 bytes into
> >  the file.
> > >0x18   leshort <0x40 MS-DOS executable
> > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ This will be applied to PE binaries now
> > !:mime  application/x-dosexec
> > # Windows and later versions of DOS will allow .EXEs to be named with a .COM
> > # extension, mostly for compatibility's sake.
> > !:ext   exe/com
> > # These traditional tests usually work but not always.  When test quality suppor
> > t is
> > # implemented these can be turned on.
> > #>>0x18 leshort 0x1c    (Borland compiler)
> > #>>0x18 leshort 0x1e    (MS compiler)
> >
> > # If the relocation table is 0x40 or more bytes into the file, it's definitely
> > # not a DOS EXE.
> > >0x18  leshort >0x3f
> > ^^^^^^^^^^^^^^^^^^^^ This is what you removed.
> >
> >
> > christos
> > --
> > File mailing list
> > File at astron.com
> > https://mailman.astron.com/mailman/listinfo/file


More information about the File mailing list