[File] [PATCH] of Magdir/windows for Windows Precompiled iNF *.pnf
Christos Zoulas
christos at zoulas.com
Sun Mar 15 16:44:55 UTC 2020
Committed, thanks!
christos
> On Mar 13, 2020, at 6:03 PM, Jörg Jenderek <joerg.jen.der.ek at gmx.net> wrote:
>
> Hello,
> Some days ago I migrated a Windows 7 system to 10 and an HP printer
> did not work afterwards. To remove the failed printer driver I looked at
> the device driver files inside the inf subdirectory of the Windows directory.
> Just out of interest I ran the file command version 5.38 on precompiled
> Windows INF files with the file name extension pnf. These PNF samples
> are now described as "data", whereas PNF samples found on older
> Windows systems like XP or 98 are identified correctly by
> Magdir/windows as "Windows Precompiled iNF".
>
> Furthermore, the reference URL mentioned in Magdir/windows
> does not exist any more, so I looked for a new one. There is no
> official file format specification, so I searched for a source
> header file with a structure like _PNF_HEADER. Unfortunately such
> information is only found on temporarily available sites referring to
> leaked, older Windows sources. In the end I used the sites expressed by
> comment lines like:
> # URL: http://fileformats.archiveteam.org/wiki/INF_(Windows)
> # Reference: http://en.verysource.com/code/10350344_1/inf.h.html
>
> Because no exact file format exists, I encapsulated the displaying part
> inside a subroutine starting with lines like
> 0 name PreCompiledInf
> >0 uleshort x Windows Precompiled iNF
> !:mime application/x-pnf
> !:ext pnf
>
> Apparently the PNF header is the same at the beginning for all
> Windows versions. It starts with a 2-byte version value, where the
> high byte stores the major version number and the low byte stores the minor
> number. Originally that value was 101h for older Windows 98 and XP,
> but it has been increased up to 303h for the current Windows 10 version. That
> information is now also shown in human-readable form by lines:
> >1 ubyte x \b, version %u
> >0 ubyte x \b.%u
> >0 uleshort =0x0101 (Windows
> >>4 ulelong&0x00000001 !0x00000001 98)
> >>4 ulelong&0x00000001 =0x00000001 XP)
> >0 uleshort =0x0301 (Windows Vista-8.1)
> >0 uleshort =0x0302 (Windows 10 older)
> >0 uleshort =0x0303 (Windows 10)
>
> Afterwards the InfStyle value is shown if it is not two. In rare
> cases I found the value one. That is shown by the line
> >2 uleshort !2 \b, InfStyle %u
>
> Afterwards comes a 32-bit flag field. In older Windows only the 6 lower
> bits are used and the upper bits are unused (that means 0). In newer
> Windows systems like Vista the upper bits are also used, but their
> meaning is not known to me. So unusual bit values and the
> known meanings are shown by lines like:
> >4 ulelong&0x03000180 >0 \b, flags
> >>4 ulelong x 0x%x
> >4 ulelong&0x00000001 0x00000001 \b, unicoded
> >4 ulelong&0x00000002 0x00000002 \b, has strings
> >4 ulelong&0x00000004 0x00000004 \b, src URL
> >4 ulelong&0x00000008 0x00000008 \b, volatile dir ids
> >4 ulelong&0x00000010 0x00000010 \b, verified
> >4 ulelong&0x00000020 0x00000020 \b, digitally signed
>
> After the FILETIME field the PNF header apparently varies for different
> Windows versions. So now first check for older Windows
> versions like 98 or XP and display the remaining fields as in the
> previous version. The WinDirPath comes directly after the PNF header
> in all the samples I inspected. For older Windows this offset value
> itself is stored at position 68. If the stored WinDirPath does not
> start with the Unicode-encoded C:\Wi (that is 0x43003a005c005700 for the standard
> path C:\Windows), the unusual WinDirPath string is displayed. This looks like:
> >>68 ulelong x
> >>>4 ulelong&0x00000001 =0x00000001
> >>>>(68.l) ubequad !0x43003a005c005700
> >>>>>(68.l) lestring16 x \b, WinDirPath "%s"
>
> Another branch must be created for newer Windows like Vista. So
> first check for a bigger version number and display the remaining fields.
> In principle things are the same, but the offset of WinDirPath is now
> stored at position 80. The value now displayed is 60h until Windows 8.1
> and 68h for Windows 10.
> So for newer Windows this becomes visible by lines starting like:
> >0 uleshort >0x0101
> >>80 ulelong x \b, at 0x%x WinDirPath
> >>>4 ulelong&0x00000001 0x00000001
> >>>>(80.l) ubequad !0x43003a005c005700
> >>>>>(80.l) lestring16 x "%s"
> In newer PNF files new fields also appear in the header. The language
> information is stored like in the older version at another position as a
> 2-byte LanguageID value, where 0x409 means English_US and 0x407
> german_DE. That information is shown by lines
> >>90 uleshort !0x409 \b, LanguageID %x
> But language information is also stored as a Unicode-encoded string like
> "de-DE" or "en-US". That is shown by lines
> >>92 ulelong >0 \b, at 0x%x
> >>>4 ulelong&0x00000001 0x00000001
> >>>>(92.l) lestring16 x language %s
>
> I also display other fields like OsLoaderPath, SourcePath and InfName
> which can be important, if available.
>
> In the previous magic the first test for the PNF version looked only for
> the 101h value by the line
> 0 leshort&0xFeFe 0x0000
> This check for a valid PNF version within the range from 101h to 303h
> now becomes
> 0 leshort&0xFcFc =0x0000
> >0 leshort&0x0303 !0x0000
> This test also matches "PDP-11 UNIX/RT ldp". So more tests are needed.
>
> The second magic line was a test for unused null bits in flags. This
> was done by the line
> >4 ulelong&0xFCffFe00 0x00000000
>
> Unfortunately in newer Windows versions the upper bits in flags are also
> used for unknown purposes. So I removed this second test line.
> Instead I check for valid InfStyles, which are one or two.
> This is now done by lines like:
> >>2 uleshort >0
> >>>2 uleshort <3
> >>>>0 use PreCompiledInf
> These tests are sufficient for me. So the subroutine PreCompiledInf is called
> to display information about Windows Precompiled iNF at that point.
>
> For Windows 98 and XP the offset of WinDirPath has the constant value
> 58h and a fixed position. This was used as the third test by the line:
> >>68 ulelong >0x57
> In newer Windows versions this offset is raised up to the value 68h. So
> the old third test line cannot be used any more. Instead look for a
> colon in WinDirPath after the PNF header by a possible test line
> >>>>0x59 search/18 :
>
> After applying the above-mentioned modifications with the patch
> file-5.38-windows-pnf.diff, the newer PNF files are now also
> recognised and I get output like:
>
> pnf_98SE\Layout2.PNF: Windows Precompiled iNF,
> version 1.1 (Windows 98),
> at 0xb520 "signature",
> WinDirPath "C:\WIN98SE.DE",
> LanguageID 407
> pnf_98SE\machine.PNF: Windows Precompiled iNF,
> version 1.1 (Windows 98),
> has strings,
> at 0x5c50 "CatalogFile",
> WinDirPath "C:\WIN98SE.DE",
> OsLoaderPath "C:\",
> LanguageID 407
> pnf_98SE\msoe50.PNF: Windows Precompiled iNF,
> version 1.1 (Windows 98),
> has strings,
> at 0x5440 "SetupClass",
> WinDirPath "C:\WIN98SE.DE",
> LanguageID 407
> pnf_XP\mdmchipv.PNF: Windows Precompiled iNF,
> version 1.1 (Windows XP),
> InfStyle 1,
> flags 0x1a1, unicoded, digitally signed,
> at 0x8e0 "\364",
> LanguageID 407
> pnf_XP\mdmomrn3.PNF: Windows Precompiled iNF,
> version 1.1 (Windows XP),
> flags 0x1a3, unicoded, has strings, digitally signed,
> at 0x11ec0 "DriverVer",
> LanguageID 407
> pnf_XP\mdmosice.PNF: Windows Precompiled iNF,
> version 1.1 (Windows XP),
> flags 0x1a3, unicoded, has strings, digitally signed,
> at 0x4fe8 "Class",
> LanguageID 407
> pnf_XP\msports.PNF: Windows Precompiled iNF,
> version 1.1 (Windows XP),
> flags 0x10001a3, unicoded, has strings, digitally signed,
> at 0x5378 "LayoutFile",
> LanguageID 407
> pnf_XP\oem2.PNF: Windows Precompiled iNF,
> version 1.1 (Windows XP),
> flags 0x10001a3, unicoded, has strings, digitally signed,
> at 0x1888 "catalogfile",
> LanguageID 407,
> at 0x1eb8 SourcePath
> "c:\programme\virtual pc integration components",
> at 0x1f18 InfName "vmadd_xp_drv.inf"
> pnf_XP\certclas.PNF: Windows Precompiled iNF,
> version 1.1 (Windows XP),
> flags 0x10001a1, unicoded, digitally signed,
> at 0x1a98 "signature",
> LanguageID 407
> pnf_XP\wab50.PNF: Windows Precompiled iNF,
> version 1.1 (Windows XP),
> flags 0x10001ab, unicoded, has strings, digitally signed,
> volatile dir ids
> at 0x3fc8 "SetupClass",
> LanguageID 407
> pnf_xp_virtual\corelist.PNF: Windows Precompiled iNF,
> version 1.1 (Windows XP),
> flags 0x1a3, unicoded, has strings, digitally signed,
> at 0x50a0 "signature",
> OsLoaderPath "C:\",
> LanguageID 407
> pnf_vista\oem0.PNF: Windows Precompiled iNF,
> version 3.1 (Windows Vista-8.1),
> flags 0x1000083, unicoded, has strings,
> at 0x11e0 "Signature",
> at 0x60 WinDirPath "D:\Windows",
> LanguageID 0
> pnf_vista\bthpan.PNF: Windows Precompiled iNF,
> version 3.1 (Windows Vista-8.1),
> flags 0x1000083, unicoded, has strings,
> at 0x1e20 "Provider",
> at 0x60 WinDirPath "D:\Windows",
> at 0x78 language en-US
> pnf_vista\nete1g32.PNF: Windows Precompiled iNF,
> version 3.1 (Windows Vista-8.1),
> flags 0x1000083, unicoded, has strings,
> at 0xcbc0 "Signature", at 0x60 WinDirPath,
> LanguageID 407, at 0x78 language de-DE
> pnf_win7\prnfx002.PNF: Windows Precompiled iNF,
> version 3.1 (Windows Vista-8.1),
> flags 0x3000083, unicoded, has strings,
> at 0x2208 "DriverIsolation",
> at 0x60 WinDirPath "D:\Windows",
> at 0x78 language en-US
> pnf_10_x\c_display.PNF: Windows Precompiled iNF,
> version 3.2 (Windows 10 older),
> flags 0x1000083, unicoded, has strings,
> at 0x1228 "Signature",
> at 0x68 WinDirPath "X:\windows",
> LanguageID 407, at 0x80 language en-US
> pnf_win10\BthLCPen.PNF: Windows Precompiled iNF,
> version 3.3 (Windows 10),
> flags 0x3000083, unicoded, has strings,
> at 0x11e8 "Signature",
> at 0x68 WinDirPath,
> LanguageID 407, at 0x80 language en-US
>
> I hope my diff file can be applied in a future version of the
> file utility.
>
> With best wishes
> Jörg Jenderek
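The header layout described in the quoted message, as an added Python example that is not part of the original post or of the file project's code. The offsets, masks and flag names come from the message; the function names, the 96-byte minimum length, the restriction to Unicode paths and the sample bytes are assumptions made for this illustration.

```python
import struct

FLAG_NAMES = {0x01: "unicoded", 0x02: "has strings", 0x04: "src URL",
              0x08: "volatile dir ids", 0x10: "verified", 0x20: "digitally signed"}
OS_BY_VERSION = {0x0301: "Windows Vista-8.1", 0x0302: "Windows 10 older",
                 0x0303: "Windows 10"}

def _utf16z(data, off):
    """NUL-terminated UTF-16LE string at off; None if off is 0 or out of range."""
    if not 0 < off < len(data) - 1:
        return None
    return data[off:].decode("utf-16-le", errors="replace").split("\x00", 1)[0]

def parse_pnf(data):
    """Apply the new magic's tests; return header fields as a dict, else None."""
    if len(data) < 96:      # assumed minimum: covers the field at offset 92
        return None
    version, inf_style, flags = struct.unpack_from("<HHI", data, 0)
    if version & 0xFCFC or not version & 0x0303 or inf_style not in (1, 2):
        return None
    unicoded = bool(flags & 0x01)
    if version == 0x0101:   # bit 0 of flags separates Windows 98 from XP
        os_name, path_field = ("Windows XP" if unicoded else "Windows 98"), 68
    else:
        os_name, path_field = OS_BY_VERSION.get(version, "unknown"), 80
    info = {"version": f"{version >> 8}.{version & 0xFF}", "os": os_name,
            "inf_style": inf_style,
            "flags": [name for bit, name in FLAG_NAMES.items() if flags & bit],
            "other_flag_bits": flags & ~0x3F}   # bits with no known meaning
    if unicoded:            # only the UTF-16 path case is handled here
        path_off = struct.unpack_from("<I", data, path_field)[0]
        info["win_dir_path"] = _utf16z(data, path_off)
    if version > 0x0101:    # fields the post describes for Vista and later
        info["language_id"] = struct.unpack_from("<H", data, 90)[0]
        if unicoded:
            info["language"] = _utf16z(data, struct.unpack_from("<I", data, 92)[0])
    return info

def build_sample():
    """Constructed version 3.3 header for the demo, not bytes from a real file."""
    buf = bytearray(0x90)
    struct.pack_into("<HHI", buf, 0, 0x0303, 2, 0x3000083)
    struct.pack_into("<I", buf, 80, 0x68)      # WinDirPath offset
    struct.pack_into("<H", buf, 90, 0x407)     # LanguageID
    struct.pack_into("<I", buf, 92, 0x80)      # language string offset
    buf[0x68:0x7C] = "C:\\Windows".encode("utf-16-le")
    buf[0x80:0x8A] = "en-US".encode("utf-16-le")
    return bytes(buf)
```

Calling `parse_pnf(build_sample())` returns the decoded fields; the path and language offsets are read from the file, so the length checks in `_utf16z` keep a malformed offset from reading outside the buffer.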