[File] [PATCH] Magdir/windows Windows Precompiled iNF (PNF) misidentifies ACO+TGA images

Jörg Jenderek joerg.jen.der.ek at gmx.net
Sat Sep 17 14:16:37 UTC 2022


Hello,

Some days ago I handled Adobe Photoshop Color swatch files (*.ACO).
Some such examples and also some Targa images (*.TGA) are also
wrongly described as "Windows Precompiled iNF" with file name extension PNF.
Normally such PNF examples are found in directory C:\Windows\INF.

When running file command version 5.43 on good PNF examples and
related negative samples I get with the -k option an output like:

1394.PNF:           Windows Precompiled iNF, version 3.1
		    (Windows Vista-8.1), flags 0x3000083, unicoded
		    , has strings,
		    at 0x3c88 "Signature",
		    at 0x60 WinDirPath, LanguageID 407,
		    at 0x78 language de-DE
CWBAUD98.PNF:       Windows Precompiled iNF, version 1.1
		    (Windows 98), has strings,
		    at 0x52f0 "CatalogFile", LanguageID 407
Mac OS.aco:         Windows Precompiled iNF, version 1.0,
    		    InfStyle 1, flags 0xffff0000,
		    at 0xcccc, LanguageID cccc,
		    at 0xcccc, at 0xffff0000
NVENETXP.PNF:       Windows Precompiled iNF, version 1.1
		    (Windows XP), flags 0x183, unicoded, has strings,
		    at 0x44c0 "Class", WinDirPath "X:\minint"
		    , LanguageID 407
XING_T_UCM8.tga:    Targa image data - Map (256) 240 x 164 x 8
		    - 8-bit alpha
		    Windows Precompiled iNF, version 1.0,
		    InfStyle 1,
		    at 0x282828ff,, LanguageID 6d56,
		    at 0x6d2c15af, at 0x146e4e36
bmpsuite-15col.tga: Targa image data - Map (240) 1024 x 768 x 8
		    Windows Precompiled iNF, version 1.0,
		    InfStyle 1,
		    at 0xa800a800,, LanguageID 54fc,
		    at 0xfca8fcfc, at 0xa8fcfc00
heci.PNF:           Windows Precompiled iNF, version 3.2
		    (Windows 10 older), flags 0x1000083, unicoded
		    , has strings,
		    at 0x4a20 "Signature",
		    at 0x68 WinDirPath, LanguageID 407
oem0.PNF:           Windows Precompiled iNF, version 3.1
		    (Windows Vista-8.1), flags 0x3000083, unicoded
		    , has strings,
		    at 0x11e0 "Signature",
		    at 0x60 WinDirPath "D:\Windows", LanguageID 0
tpm.PNF:            Windows Precompiled iNF, version 3.3
		    (Windows 10), flags 0x1000083, unicoded
		    , has strings,
		    at 0x2310 "Signature",
		    at 0x68 WinDirPath, LanguageID 407,
		    at 0x80 language de-DE


For comparison reasons I ran the file format identification utility
TrID (see https://mark0.net/soft-trid-e.html). This also does
recognise the PNF samples. The other samples are not misidentified as
PNF, because TrID explicitly checks for version. (See appended
trid-v-pnf.txt.gz).

For comparison reasons I also ran the file format identification
utility DROID (see https://sourceforge.net/projects/droid/). This
only recognizes the TGA examples as "Truevision TGA Bitmap" by PUID
fmt/402.

Unfortunately the most used documentation URL does not exist any more.
I find no similar documents or archived versions.

The PNF samples have no real strong magic. Luckily the displaying
part is done by subroutine PreCompiledInf inside Magdir/windows.
Then only suitable test lines must be added before calling this
subroutine. This starts with lines like:
 0	name	PreCompiledInf
 >0		uleshort	x	Windows Precompiled iNF
 !:mime	application/x-pnf
 !:ext	pnf
 >1		ubyte		x		\b, version %u
 >0		ubyte		x		\b.%u
 >0		uleshort	=0x0101		(Windows
 >>4	ulelong&0x00000001	!0x00000001	98)
 >>4	ulelong&0x00000001	=0x00000001	XP)
 >0		uleshort	=0x0301		(Windows Vista-8.1)
 >0		uleshort	=0x0302		(Windows 10 older)
 >0		uleshort	=0x0303		(Windows 10)

In ACO and TGA samples these bytes are misinterpreted as version
1.0. That is lower than the oldest Windows 98 examples with version
1.1. So I also checked some older Windows 95 examples. There I get
the same version 1.1 found for Windows 98. For completeness I also
checked samples of newer Windows 11 (like tpm.PNF). There I get the
same version 3.3 I got for newer Windows 10 samples. Unfortunately
in the unofficial documentation nothing is said about the version
numbers. So I can not use this item reliably as test criterion. But
I update these lines. So these now become like:
 >1		ubyte		x		\b, version %u
 >0		ubyte		x		\b.%u
 >0		uleshort	=0x0101		(Windows
 >>4	ulelong&0x00000001	!0x00000001	95-98)
 >>4	ulelong&0x00000001	=0x00000001	XP)
 >0		uleshort	=0x0301		(Windows Vista-8.1)
 >0		uleshort	=0x0302		(Windows 10 older)
 >0		uleshort	=0x0303		(Windows 10-11)

The next possible test criterion would be WinDirPath with a value like
"C:\Windows". Unfortunately the offset varies depending on version.
So I do not choose it as test.

When looking at the output we see that after the first "at 0x" phrase the
first section name of the sourced INF is displayed for real PNF
samples. This string is something like:
CatalogFile Class DriverVer layoutfile LayoutFile SetupClass
signature Signature
This string is encoded as ASCII or as UTF-16 little endian
depending on flags. This is done by lines like:
 >20		ulelong		x		\b, at %#x
 >4	ulelong&0x00000001	=0x00000001
 >>(20.l)	lestring16	x		"%s"
 >4	ulelong&0x00000001	!0x00000001
 >>(20.l)	string		x		"%s"
For the misidentified samples I get invalid low values (0x0) here.
Assuming that lowest section name starts with AA then lowest value is
0x41004100 for worst UTF case. So skip a few Adobe Photoshop Color
swatch ("Mac OS.aco" TRUMATCH-Farben.aco Windows.aco) and some
Targa images (money-256.tga XING_B_UCM8.tga
x-fmt-367-signature-id-604.tga) with "invalid low section name" by
an additional test line. This part now becomes like:
 >>>2		uleshort	<3
 >>>>(20.l)	ubelong		>0x40004000
 >>>>>0	use	PreCompiledInf

Furthermore, now show the 8-byte timestamp by an additional line:
 >24		qwdate	x	\b, InfVersionLastWriteTime %s
I am not sure about this. For example, for oem0.PNF it is correct
down to the seconds.

After applying the above mentioned modifications by patch
file-5.43-windows-pnf.diff and using Magdir/images then all my
inspected PNF samples are still described correctly, but the negative
samples are not misidentified any more. This with the -k option now
looks like:

1394.PNF:           Windows Precompiled iNF, version 3.1
		    (Windows Vista-8.1), flags 0x3000083, unicoded
		    , has strings,
		    at 0x3c88 "Signature",
		    InfVersionLastWriteTime Thu Aug 22 14:32:40 2013,
		    at 0x60 WinDirPath, LanguageID 407,
		    at 0x78 language de-DE
CWBAUD98.PNF:       Windows Precompiled iNF, version 1.1
		    (Windows 95-98), has strings,
		    at 0x52f0 "CatalogFile",
		    InfVersionLastWriteTime Wed May  5 19:22:00 1999,
		    LanguageID 407
Mac OS.aco:         data
NVENETXP.PNF:       Windows Precompiled iNF, version 1.1
		    (Windows XP), flags 0x183, unicoded, has strings,
		    at 0x44c0 "Class",
		    InfVersionLastWriteTime Mon Feb  9 01:35:36 2004,
		    WinDirPath "X:\minint", LanguageID 407
XING_T_UCM8.tga:    Targa image data - Map (256) 240 x 164 x 8
		    - 8-bit alpha
bmpsuite-15col.tga: Targa image data - Map (240) 1024 x 768 x 8
heci.PNF:           Windows Precompiled iNF, version 3.2
		    (Windows 10 older), flags 0x1000083, unicoded
		    , has strings,
		    at 0x4a20 "Signature",
		    InfVersionLastWriteTime Fri Sep  4 10:20:04 2015,
		    at 0x68 WinDirPath, LanguageID 407
oem0.PNF:           Windows Precompiled iNF, version 3.1
		    (Windows Vista-8.1), flags 0x3000083, unicoded
		    , has strings,
		    at 0x11e0 "Signature",
		    InfVersionLastWriteTime Thu Nov  2 11:54:05 2006,
		    at 0x60 WinDirPath "D:\Windows", LanguageID 0
tpm.PNF:            Windows Precompiled iNF, version 3.3
		    (Windows 10-11), flags 0x1000083, unicoded
		    , has strings,
		    at 0x2310 "Signature",
		    InfVersionLastWriteTime Sat Dec  7 08:07:56 2019,
		    at 0x68 WinDirPath, LanguageID 407,
		    at 0x80 language de-DE

I hope my diff file can be applied in a future version of the file
utility.

With best wishes,
Jörg Jenderek
-------------- next part --------------
A non-text attachment was scrubbed...
Name: trid-v-pnf.txt.gz
Type: application/x-gzip
Size: 908 bytes
Desc: not available
URL: <https://mailman.astron.com/pipermail/file/attachments/20220917/5ee2534c/attachment.bin>
-------------- next part --------------
--- file-5.43/magic/Magdir/windows.old	2022-07-06 20:56:40.000000000 +0200
+++ file-5.43/magic/Magdir/windows	2022-09-17 16:07:29.624393900 +0200
@@ -871,21 +871,24 @@
 >>>2		uleshort	<3
 # look for colon in WinDirPath after PNF header
 #>>>>0x59	search/18	:
->>>>0	use	PreCompiledInf
+# skip few Adobe Photoshop Color swatch ("Mac OS.aco" TRUMATCH-Farben.aco Windows.aco) and some
+# Targa image (money-256.tga XING_B_UCM8.tga x-fmt-367-signature-id-604.tga) with "invalid low section name" \0
+>>>>(20.l)	ubelong		>0x40004000
+>>>>>0	use	PreCompiledInf
 0	name	PreCompiledInf
 >0		uleshort	x	Windows Precompiled iNF
 !:mime	application/x-pnf
 !:ext	pnf
 # major version 1 for older Windows like XP and 3 since about Windows Vista
-# 101h~98-XP; 301h~Windows Vista-7 ; 302h~Windows 10 14393; 303h~Windows 10 18362
+# 101h~95-XP; 301h~Windows Vista-7 ; 302h~Windows 10 14393; 303h~Windows 10 18362-Windows11
 >1		ubyte		x		\b, version %u
 >0		ubyte		x		\b.%u
 >0		uleshort	=0x0101		(Windows
->>4	ulelong&0x00000001	!0x00000001	98)
+>>4	ulelong&0x00000001	!0x00000001	95-98)
 >>4	ulelong&0x00000001	=0x00000001	XP)
 >0		uleshort	=0x0301		(Windows Vista-8.1)
 >0		uleshort	=0x0302		(Windows 10 older)
->0		uleshort	=0x0303		(Windows 10)
+>0		uleshort	=0x0303		(Windows 10-11)
 # 1 ,2 (windows 98 SE)
 >2		uleshort	!2		\b, InfStyle %u
 #	PNF_FLAG_IS_UNICODE		0x00000001
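Review bot: the new guard `>>>>(20.l) ubelong >0x40004000` gives no reason for the constant; the comment above it only lists the files it skips and ends in a stray `\0`. Please state in the comment that the value is the first four bytes of the section name read big-endian, so any name whose first character is below '@' (one starting with a digit, for example) is skipped as well, and say whether such names can occur in real PNF files. The two added comment lines are also far longer than the neighbouring ones and could be wrapped.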
@@ -927,7 +930,7 @@
 >>(20.l)	string		x		"%s"
 # FILETIME is number of 100-nanosecond intervals since 1 January 1601
 #>24		ulequad		x		\b, InfVersionLastWriteTime %16.16llx
-#>24		foodate-0xbar	x		\b, InfVersionLastWriteTime %s
+>24		qwdate		x		\b, InfVersionLastWriteTime %s
 # for Windows 98, XP
 >0		uleshort	<0x0102
 # only found values lower 0x00ffFFff
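Review bot: `>24 qwdate` decodes the FILETIME in host byte order, while the other fields visible in this entry use explicit little-endian types (`uleshort`, `ulelong`, and `ulequad` in the commented-out line just above). Use `leqwdate` so the timestamp is read the same way on big-endian hosts, and either drop the superseded `#>24 ulequad` line or mark it as a debugging alternative.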
@@ -965,6 +968,7 @@
 >>>>>(72.l)	string		x		OsLoaderPath "%s"
 # 1fdh
 #>>>76		uleshort	x		\b, StringTableHashBucketCount %#x
+# https://docs.microsoft.com/en-us/openspecs/office_standards/ms-oe376/6c085406-a698-4e12-9d4d-c3b0ee3dbc4a
 # only 407h found
 >>>78		uleshort	!0x409		\b, LanguageID %x
 #>>>78		uleshort	=0x409		\b, LanguageID %x
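Review bot: the added URL comment does not say what it documents, and it sits between the commented-out StringTableHashBucketCount line and the `# only 407h found` remark, so the field it belongs to is unclear. Add a short label (for instance that it is the reference for the LanguageID values tested at offset 78, if that is the intent) and keep it directly above that test; giving the document title as well would help if the link moves.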
-------------- next part --------------
A non-text attachment was scrubbed...
Name: file-5.43-windows-pnf.diff.sig
Type: application/octet-stream
Size: 1229 bytes
Desc: not available
URL: <https://mailman.astron.com/pipermail/file/attachments/20220917/5ee2534c/attachment.obj>
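
The header tests described in the message above (InfStyle below 3, then the first four bytes of the section name read big-endian and compared with 0x40004000), as an added Python example that is not part of the original post or of the file project. The field offsets come from the magic lines quoted on the page; `describe_pnf`, `build_sample` and both sample byte strings are constructed for illustration, and the earlier tests in Magdir/windows that the page does not show are left out.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME counts 100 ns ticks from here

def describe_pnf(data: bytes):
    """Return header fields if the page's tests accept the data as PNF, else None."""
    if len(data) < 32:
        return None
    minor, major, inf_style, flags = struct.unpack_from("<BBHI", data, 0)
    name_off, filetime = struct.unpack_from("<IQ", data, 20)
    if inf_style >= 3:                                   # >>>2 uleshort <3
        return None
    if name_off + 4 > len(data):                         # indirect offset beyond the file
        return None
    # >>>>(20.l) ubelong >0x40004000 : reject a "low" section name such as NUL bytes
    if struct.unpack_from(">I", data, name_off)[0] <= 0x40004000:
        return None
    raw = data[name_off:]
    if flags & 0x00000001:                               # PNF_FLAG_IS_UNICODE
        end = next((i for i in range(0, len(raw) - 1, 2) if raw[i:i + 2] == b"\0\0"), len(raw))
        section = raw[:end].decode("utf-16-le", "replace")
    else:
        section = raw.split(b"\0", 1)[0].decode("ascii", "replace")
    try:
        written = FILETIME_EPOCH + timedelta(microseconds=filetime // 10)
    except OverflowError:                                # garbage timestamp
        written = None
    return {"version": f"{major}.{minor}", "section": section, "written": written}

def build_sample(major, minor, flags, section_bytes, filetime):
    """Constructed 32-byte header followed by the section name (layout assumed from the page)."""
    head = struct.pack("<BBHI", minor, major, 2, flags) + bytes(12)
    return head + struct.pack("<IQ", 32, filetime) + section_bytes

# Constructed inputs, not real files: a Unicode 3.3 header and an ACO-like blob
# whose bytes read as version 1.0 with NUL bytes where the section name should be.
WHEN = datetime(2019, 12, 7, 8, 7, 56, tzinfo=timezone.utc)
TICKS = int((WHEN - FILETIME_EPOCH).total_seconds()) * 10_000_000
GOOD = build_sample(3, 3, 0x1000083, "Signature".encode("utf-16-le") + b"\0\0", TICKS)
BAD = build_sample(1, 0, 0xFFFF0000, bytes(8), 0)

if __name__ == "__main__":
    print(describe_pnf(GOOD))
    print(describe_pnf(BAD))
```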