[File] [PATCH] of Magdir/windows for Windows Precompiled iNF *.pnf

Christos Zoulas christos at zoulas.com
Sun Mar 15 16:44:55 UTC 2020


Committed, thanks!

christos

> On Mar 13, 2020, at 6:03 PM, Jörg Jenderek <joerg.jen.der.ek at gmx.net> wrote:
> 
> Hello,
> some days ago I migrated a Windows 7 system to 10 and an HP printer
> did not work afterwards. To remove the failed printer driver I looked at
> the device driver files inside the inf subdirectory of the Windows directory.
> Just out of interest I ran the file command version 5.38 on precompiled
> Windows INF files with the file name extension pnf. These PNF samples
> are now described as "data", whereas PNF samples found on older
> Windows systems like XP or 98 are identified correctly by
> Magdir/windows as "Windows Precompiled iNF".
> 
> Furthermore, the reference URL mentioned in Magdir/windows
> does not exist any more. So I looked for a new one. There is no
> official file format specification. So I searched for a source
> header file with a structure like _PNF_HEADER. Unfortunately such
> information is only found on temporarily available sites referring to
> leaked, older Windows sources. In the end I used the sites expressed by
> comment lines like:
> # URL: http://fileformats.archiveteam.org/wiki/INF_(Windows)
> # Reference: http://en.verysource.com/code/10350344_1/inf.h.html
> 
> Because no exact file format exists, I encapsulated the displaying part
> inside a subroutine starting with lines like
> 0	name	PreCompiledInf
> >0		uleshort	x	Windows Precompiled iNF
> !:mime	application/x-pnf
> !:ext	pnf
> 
> Apparently the PNF header is the same at the beginning for all
> Windows versions. It starts with a 2 byte version value, where the
> high byte stores the major version number and the low byte stores the minor
> number. Originally that value was 101h for older Windows 98 and XP,
> but it has increased up to 303h for the current Windows 10 version. That
> information is now also shown in human readable form by lines:
> >1		ubyte		x		\b, version %u
> >0		ubyte		x		\b.%u
> >0		uleshort	=0x0101		(Windows
> >>4	ulelong&0x00000001	!0x00000001	98)
> >>4	ulelong&0x00000001	=0x00000001	XP)
> >0		uleshort	=0x0301		(Windows Vista-8.1)
> >0		uleshort	=0x0302		(Windows 10 older)
> >0		uleshort	=0x0303		(Windows 10)
> 
> Afterwards the InfStyle value is shown if it is not two. In rare
> cases I found the value one. That is shown by the line
> >2		uleshort	!2		\b, InfStyle %u
> 
> Afterwards comes a 32 bit flag field. In older Windows only the 6 lower
> bits are used and the upper bits are unused (that means 0). In newer
> Windows systems like Vista upper bits are also used, but their
> meaning is not known to me. So show unusual bit values and the
> known meanings by lines like:
> >4	ulelong&0x03000180	>0		\b, flags
> >>4	ulelong			x		0x%x
> >4	ulelong&0x00000001	0x00000001	\b, unicoded
> >4	ulelong&0x00000002	0x00000002	\b, has strings
> >4	ulelong&0x00000004	0x00000004	\b, src URL
> >4	ulelong&0x00000008	0x00000008	\b, volatile dir ids
> >4	ulelong&0x00000010	0x00000010	\b, verified
> >4	ulelong&0x00000020	0x00000020	\b, digitally signed
> 
> After the FILETIME field the PNF header apparently varies for different
> Windows versions. So now first check for older Windows
> versions like 98 or XP and display the remaining fields like in the
> previous version. The WinDirPath comes directly after the PNF header
> for all my inspected samples. For older Windows this offset value
> itself is stored at position 68. If the stored WinDirPath does not
> start with Unicode-encoded C:\Wi (that is 0x43003a005c005700 for the standard
> path C:\Windows), display the unusual WinDirPath string. This looks like:
> >>68		ulelong		x
> >>>4	ulelong&0x00000001	=0x00000001
> >>>>(68.l)	ubequad		!0x43003a005c005700
> >>>>>(68.l)	lestring16	x		\b, WinDirPath "%s"
> 
> Another branch must be created for newer Windows like Vista. So
> check first for a bigger version number and display the remaining fields.
> In principle things are the same, but the offset of WinDirPath is now
> stored at position 80. The value now displayed is 60h up to Windows 8.1
> and 68h for Windows 10.
> So for newer Windows this becomes visible by lines starting like:
> >0		uleshort	>0x0101
> >>80	ulelong			x	\b, at 0x%x WinDirPath
> >>>4	ulelong&0x00000001	0x00000001
> >>>>(80.l)	ubequad		!0x43003a005c005700
> >>>>>(80.l)	lestring16	x		"%s"
> In newer PNF files new fields also appear in the header. The language
> information is stored like in the older version, at another position, as a 2
> byte LanguageID value, where 0x409 means English_US and 0x407
> german_DE. That information is shown by lines
> >>90		uleshort	!0x409		\b, LanguageID %x
> But language information is also stored as a Unicode-encoded string like
> "de-DE" or "en-US". That is shown by lines
> >>92	ulelong			>0		\b, at 0x%x
> >>>4	ulelong&0x00000001	0x00000001
> >>>>(92.l)	lestring16	x		language %s
> 
> I also display other fields like OsLoaderPath, SourcePath and InfName
> which can be important, if available.
> 
> In the previous magic the first test for the PNF version looked only for the 101h
> value by the line
> 0		leshort&0xFeFe	0x0000
> This check for a valid PNF version within the range from 101h till 303h
> now becomes
> 0		leshort&0xFcFc	=0x0000
> >0		leshort&0x0303	!0x0000
> This test also matches "PDP-11 UNIX/RT ldp". So more tests are needed.
> 
> The second magic line was a test for unused null bits in flags. This
> was done by the line
> >4	ulelong&0xFCffFe00	0x00000000
> 
> Unfortunately in newer Windows versions upper bits in flags are also
> used for unknown purposes. So I removed this second test line.
> Instead I check for valid InfStyles, which is one or two.
> This is now done by lines like:
> >>2		uleshort	>0
> >>>2		uleshort	<3
> >>>>0	use	PreCompiledInf
> These tests are sufficient for me. So call subroutine PreCompiledInf
> to display information about Windows Precompiled iNF at that point.
> 
> For Windows 98 and XP the offset of WinDirPath has the constant value
> 58h and a fixed position. This was used as the third test by the line:
> >>68		ulelong		>0x57
> In newer Windows versions this offset is raised to the value 68h. So
> the old third test line cannot be used any more. Instead look for a
> colon in WinDirPath after the PNF header by a possible test line
> >>>>0x59	search/18	:
> 
> After applying the above mentioned modifications by patch
> file-5.38-windows-pnf.diff the newer PNF files are now also
> recognised and I get output like:
> 
> pnf_98SE\Layout2.PNF:        Windows Precompiled iNF,
> 	version 1.1 (Windows 98),
> 	at 0xb520 "signature",
> 	WinDirPath "C:\WIN98SE.DE",
> 	LanguageID 407
> pnf_98SE\machine.PNF:        Windows Precompiled iNF,
> 	version 1.1 (Windows 98),
> 	has strings,
> 	at 0x5c50 "CatalogFile",
> 	WinDirPath "C:\WIN98SE.DE",
> 	OsLoaderPath "C:\",
> 	LanguageID 407
> pnf_98SE\msoe50.PNF:         Windows Precompiled iNF,
> 	version 1.1 (Windows 98),
> 	has strings,
> 	at 0x5440 "SetupClass",
> 	WinDirPath "C:\WIN98SE.DE",
> 	LanguageID 407
> pnf_XP\mdmchipv.PNF:         Windows Precompiled iNF,
> 	version 1.1 (Windows XP),
> 	InfStyle 1,
> 	flags 0x1a1, unicoded, digitally signed,
> 	at 0x8e0 "\364",
> 	LanguageID 407
> pnf_XP\mdmomrn3.PNF:         Windows Precompiled iNF,
> 	version 1.1 (Windows XP),
> 	flags 0x1a3, unicoded, has strings, digitally signed,
> 	at 0x11ec0 "DriverVer",
> 	LanguageID 407
> pnf_XP\mdmosice.PNF:         Windows Precompiled iNF,
> 	version 1.1 (Windows XP),
> 	flags 0x1a3, unicoded, has strings, digitally signed,
> 	at 0x4fe8 "Class",
> 	LanguageID 407
> pnf_XP\msports.PNF:          Windows Precompiled iNF,
> 	version 1.1 (Windows XP),
> 	flags 0x10001a3, unicoded, has strings, digitally signed,
> 	at 0x5378 "LayoutFile",
> 	LanguageID 407
> pnf_XP\oem2.PNF:             Windows Precompiled iNF,
> 	version 1.1 (Windows XP),
> 	flags 0x10001a3, unicoded, has strings, digitally signed,
> 	at 0x1888 "catalogfile",
> 	LanguageID 407,
> 	at 0x1eb8 SourcePath
> 	"c:\programme\virtual pc integration components",
> 	at 0x1f18 InfName "vmadd_xp_drv.inf"
> pnf_XP\certclas.PNF:         Windows Precompiled iNF,
> 	version 1.1 (Windows XP),
> 	flags 0x10001a1, unicoded, digitally signed,
> 	at 0x1a98 "signature",
> 	LanguageID 407
> pnf_XP\wab50.PNF:            Windows Precompiled iNF,
> 	version 1.1 (Windows XP),
> 	flags 0x10001ab, unicoded, has strings, digitally signed,
> 	volatile dir ids
> 	at 0x3fc8 "SetupClass",
> 	LanguageID 407
> pnf_xp_virtual\corelist.PNF: Windows Precompiled iNF,
> 	version 1.1 (Windows XP),
> 	flags 0x1a3, unicoded, has strings, digitally signed,
> 	at 0x50a0 "signature",
> 	OsLoaderPath "C:\",
> 	LanguageID 407
> pnf_vista\oem0.PNF:          Windows Precompiled iNF,
> 	version 3.1 (Windows Vista-8.1),
> 	flags 0x1000083, unicoded, has strings,
> 	at 0x11e0 "Signature",
> 	at 0x60 WinDirPath "D:\Windows",
> 	LanguageID 0
> pnf_vista\bthpan.PNF:        Windows Precompiled iNF,
> 	version 3.1 (Windows Vista-8.1),
> 	flags 0x1000083, unicoded, has strings,
> 	at 0x1e20 "Provider",
> 	at 0x60 WinDirPath "D:\Windows",
> 	at 0x78 language en-US
> pnf_vista\nete1g32.PNF:      Windows Precompiled iNF,
> 	version 3.1 (Windows Vista-8.1),
> 	flags 0x1000083, unicoded, has strings,
> 	at 0xcbc0 "Signature", at 0x60 WinDirPath,
> 	LanguageID 407, at 0x78 language de-DE
> pnf_win7\prnfx002.PNF:       Windows Precompiled iNF,
> 	version 3.1 (Windows Vista-8.1),
> 	flags 0x3000083, unicoded, has strings,
> 	at 0x2208 "DriverIsolation",
> 	at 0x60 WinDirPath "D:\Windows",
> 	at 0x78	language en-US
> pnf_10_x\c_display.PNF:      Windows Precompiled iNF,
> 	version 3.2 (Windows 10 older),
> 	flags 0x1000083, unicoded, has strings,
> 	at 0x1228 "Signature",
> 	at 0x68 WinDirPath "X:\windows",
> 	LanguageID 407, at 0x80 language en-US
> pnf_win10\BthLCPen.PNF:      Windows Precompiled iNF,
> 	version 3.3 (Windows 10),
> 	flags 0x3000083, unicoded, has strings,
> 	at 0x11e8 "Signature",
> 	at 0x68 WinDirPath,
> 	LanguageID 407, at 0x80 language en-US
> 
> I hope my diff file can be applied in a future version of the
> file utility.
> 
> With best wishes
> Jörg Jenderek

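The header layout and detection tests described in the quoted message, as an added Python example (not part of the patch or of file(1)): it reads the version, InfStyle, flags, WinDirPath and language fields at the offsets the mail gives. The names parse_pnf, utf16_at and make_sample are hypothetical, the sample headers are constructed, and only Unicode paths (flag bit 0 set) are decoded.

```python
import struct

# Flag bits and header offsets as described in the quoted message.
FLAGS = {0x01: "unicoded", 0x02: "has strings", 0x04: "src URL",
         0x08: "volatile dir ids", 0x10: "verified", 0x20: "digitally signed"}
OS_NAME = {0x0301: "Windows Vista-8.1", 0x0302: "Windows 10 older",
           0x0303: "Windows 10"}

def utf16_at(buf, off):
    """NUL-terminated UTF-16LE string at off, or None if off is out of range."""
    if not 0 < off < len(buf) - 1:
        return None
    end = off
    while end + 2 <= len(buf) and buf[end:end + 2] != b"\0\0":
        end += 2
    return buf[off:end].decode("utf-16-le", errors="replace")

def parse_pnf(buf):
    """Return a dict of header fields, or None if the tests in the mail fail."""
    if len(buf) < 96:
        return None
    version, style, flags = struct.unpack_from("<HHI", buf, 0)
    # Version test: both bytes in 0..3 and not both zero; InfStyle 1 or 2.
    if version & 0xFCFC or not version & 0x0303 or style not in (1, 2):
        return None
    info = {"version": f"{version >> 8}.{version & 0xFF}", "inf_style": style,
            "flags": [name for bit, name in FLAGS.items() if flags & bit]}
    if version == 0x0101:                       # Windows 98 / XP layout
        info["os"] = "Windows XP" if flags & 1 else "Windows 98"
        (windir_off,) = struct.unpack_from("<I", buf, 68)
    else:                                       # Vista and later layout
        info["os"] = OS_NAME.get(version, "unknown")
        (windir_off,) = struct.unpack_from("<I", buf, 80)
        info["language_id"], lang_off = struct.unpack_from("<HI", buf, 90)
        info["language"] = utf16_at(buf, lang_off) if flags & 1 else None
    info["windir"] = utf16_at(buf, windir_off) if flags & 1 else None
    return info

def make_sample(version, flags, windir, lang=None):
    """Constructed test header (not a real PNF): only the fields above are set."""
    buf = bytearray(0x100)
    struct.pack_into("<HHI", buf, 0, version, 2, flags)
    pos, w_off = (80, 0x68) if version > 0x0101 else (68, 0x58)
    struct.pack_into("<I", buf, pos, w_off)
    buf[w_off:w_off + 2 * len(windir)] = windir.encode("utf-16-le")
    if pos == 80:
        struct.pack_into("<HI", buf, 90, 0x407, 0x80)
        buf[0x80:0x80 + 2 * len(lang)] = lang.encode("utf-16-le")
    return bytes(buf)
```
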