[File] [PATCH] Magdir/windows Windows Precompiled iNF (PNF) misidentifies ACO+TGA images
Christos Zoulas
christos at zoulas.com
Fri Sep 23 13:23:44 UTC 2022
Committed, thanks!
christos
> On Sep 17, 2022, at 10:16 AM, Jörg Jenderek <joerg.jen.der.ek at gmx.net> wrote:
>
> Hello,
>
> Some days ago I handled Adobe Photoshop Color swatch files (*.ACO).
> Some such examples and also some Targa images (*.TGA) are also
> wrongly described as "Windows Precompiled iNF" with file name extension PNF.
> Normally such PNF examples are found in directory C:\Windows\INF.
>
> When running file command version 5.43 on good PNF examples and
> related negative samples I get with the -k option an output like:
>
> 1394.PNF: Windows Precompiled iNF, version 3.1
> (Windows Vista-8.1), flags 0x3000083, unicoded
> , has strings,
> at 0x3c88 "Signature",
> at 0x60 WinDirPath, LanguageID 407,
> at 0x78 language de-DE
> CWBAUD98.PNF: Windows Precompiled iNF, version 1.1
> (Windows 98), has strings,
> at 0x52f0 "CatalogFile", LanguageID 407
> Mac OS.aco: Windows Precompiled iNF, version 1.0,
> InfStyle 1, flags 0xffff0000,
> at 0xcccc, LanguageID cccc,
> at 0xcccc, at 0xffff0000
> NVENETXP.PNF: Windows Precompiled iNF, version 1.1
> (Windows XP), flags 0x183, unicoded, has strings,
> at 0x44c0 "Class", WinDirPath "X:\minint"
> , LanguageID 407
> XING_T_UCM8.tga: Targa image data - Map (256) 240 x 164 x 8
> - 8-bit alpha
> Windows Precompiled iNF, version 1.0,
> InfStyle 1,
> at 0x282828ff,, LanguageID 6d56,
> at 0x6d2c15af, at 0x146e4e36
> bmpsuite-15col.tga: Targa image data - Map (240) 1024 x 768 x 8
> Windows Precompiled iNF, version 1.0,
> InfStyle 1,
> at 0xa800a800,, LanguageID 54fc,
> at 0xfca8fcfc, at 0xa8fcfc00
> heci.PNF: Windows Precompiled iNF, version 3.2
> (Windows 10 older), flags 0x1000083, unicoded
> , has strings,
> at 0x4a20 "Signature",
> at 0x68 WinDirPath, LanguageID 407
> oem0.PNF: Windows Precompiled iNF, version 3.1
> (Windows Vista-8.1), flags 0x3000083, unicoded
> , has strings,
> at 0x11e0 "Signature",
> at 0x60 WinDirPath "D:\Windows", LanguageID 0
> tpm.PNF: Windows Precompiled iNF, version 3.3
> (Windows 10), flags 0x1000083, unicoded
> , has strings,
> at 0x2310 "Signature",
> at 0x68 WinDirPath, LanguageID 407,
> at 0x80 language de-DE
>
>
> For comparison I ran the file format identification utility
> TrID (see https://mark0.net/soft-trid-e.html). This also
> recognises the PNF samples. The other samples are not misidentified as
> PNF, because trid explicitly checks for version (see appended
> trid-v-pnf.txt.gz).
>
> For comparison I also ran the file format identification
> utility DROID (see https://sourceforge.net/projects/droid/). This
> only recognizes the TGA examples as "Truevision TGA Bitmap" by PUID
> fmt/402.
>
> Unfortunately the most used documentation URL does not exist any more.
> I find no similar documents or archived versions.
>
> The PNF samples have no real strong magic. Luckily the displaying
> part is done by subroutine PreCompiledInf inside Magdir/windows.
> Then only suitable test lines must be added before calling this
> subroutine. This starts with lines like:
> 0 name PreCompiledInf
>> 0 uleshort x Windows Precompiled iNF
> !:mime application/x-pnf
> !:ext pnf
>> 1 ubyte x \b, version %u
>> 0 ubyte x \b.%u
>> 0 uleshort =0x0101 (Windows
>>> 4 ulelong&0x00000001 !0x00000001 98)
>>> 4 ulelong&0x00000001 =0x00000001 XP)
>> 0 uleshort =0x0301 (Windows Vista-8.1)
>> 0 uleshort =0x0302 (Windows 10 older)
>> 0 uleshort =0x0303 (Windows 10)
>
> In ACO and TGA samples these bytes are misinterpreted as version
> 1.0. That is lower than the oldest Windows 98 examples with version
> 1.1. So I also checked older Windows 95 examples. There I get
> the same version 1.1 found for Windows 98. For completeness I also
> checked samples of newer Windows 11 (like tpm.PNF). There I get the
> same version 3.3 I got for newer Windows 10 samples. Unfortunately
> in the unofficial documentation nothing is said about the version
> numbers. So I can not use this item reliably as a test criterion. But
> I updated these lines. So these now become like:
>> 1 ubyte x \b, version %u
>> 0 ubyte x \b.%u
>> 0 uleshort =0x0101 (Windows
>>> 4 ulelong&0x00000001 !0x00000001 95-98)
>>> 4 ulelong&0x00000001 =0x00000001 XP)
>> 0 uleshort =0x0301 (Windows Vista-8.1)
>> 0 uleshort =0x0302 (Windows 10 older)
>> 0 uleshort =0x0303 (Windows 10-11)
>
> The next possible test criterion would be WinDirPath with a value like
> "C:\Windows". Unfortunately the offset varies depending on version.
> So I do not choose it as a test.
>
> When looking at the output we see that after the first "at 0x" phrase
> the first section name of the sourced INF is displayed for real PNF
> samples. This string is something like:
> CatalogFile Class DriverVer layoutfile LayoutFile SetupClass
> signature Signature
> This string is encoded as ASCII or as UTF-16 little endian
> depending on flags. This is done by lines like:
>> 20 ulelong x \b, at %#x
>> 4 ulelong&0x00000001 =0x00000001
>>> (20.l) lestring16 x "%s"
>> 4 ulelong&0x00000001 !0x00000001
>>> (20.l) string x "%s"
> For the misidentified samples I get invalid low values (0x0) here.
> Assuming that the lowest section name starts with AA then the lowest
> value is 0x41004100 for the worst UTF case. So skip a few Adobe Photoshop
> Color swatch ("Mac OS.aco" TRUMATCH-Farben.aco Windows.aco) and some
> Targa images (money-256.tga XING_B_UCM8.tga
> x-fmt-367-signature-id-604.tga) with "invalid low section name" by
> an additional test line. This part now becomes like:
>>>> 2 uleshort <3
>>>>> (20.l) ubelong >0x40004000
>>>>>> 0 use PreCompiledInf
>
> Furthermore, the 8-byte time-stamp is now shown by an additional line:
>> 24 qwdate x \b, InfVersionLastWriteTime %s
> I am not sure about this. For example, for oem0.PNF it is correct until
> seconds.
>
> After applying the above mentioned modifications by patch
> file-5.43-windows-pnf.diff and using Magdir/images, all my
> inspected PNF samples are still described correctly, but the negative
> samples are not misidentified any more. With the -k option this now
> looks like:
>
> 1394.PNF: Windows Precompiled iNF, version 3.1
> (Windows Vista-8.1), flags 0x3000083, unicoded
> , has strings,
> at 0x3c88 "Signature",
> InfVersionLastWriteTime Thu Aug 22 14:32:40 2013,
> at 0x60 WinDirPath, LanguageID 407,
> at 0x78 language de-DE
> CWBAUD98.PNF: Windows Precompiled iNF, version 1.1
> (Windows 95-98), has strings,
> at 0x52f0 "CatalogFile",
> InfVersionLastWriteTime Wed May 5 19:22:00 1999,
> LanguageID 407
> Mac OS.aco: data
> NVENETXP.PNF: Windows Precompiled iNF, version 1.1
> (Windows XP), flags 0x183, unicoded, has strings,
> at 0x44c0 "Class",
> InfVersionLastWriteTime Mon Feb 9 01:35:36 2004,
> WinDirPath "X:\minint", LanguageID 407
> XING_T_UCM8.tga: Targa image data - Map (256) 240 x 164 x 8
> - 8-bit alpha
> bmpsuite-15col.tga: Targa image data - Map (240) 1024 x 768 x 8
> heci.PNF: Windows Precompiled iNF, version 3.2
> (Windows 10 older), flags 0x1000083, unicoded
> , has strings,
> at 0x4a20 "Signature",
> InfVersionLastWriteTime Fri Sep 4 10:20:04 2015,
> at 0x68 WinDirPath, LanguageID 407
> oem0.PNF: Windows Precompiled iNF, version 3.1
> (Windows Vista-8.1), flags 0x3000083, unicoded
> , has strings,
> at 0x11e0 "Signature",
> InfVersionLastWriteTime Thu Nov 2 11:54:05 2006,
> at 0x60 WinDirPath "D:\Windows", LanguageID 0
> tpm.PNF: Windows Precompiled iNF, version 3.3
> (Windows 10-11), flags 0x1000083, unicoded
> , has strings,
> at 0x2310 "Signature",
> InfVersionLastWriteTime Sat Dec 7 08:07:56 2019,
> at 0x68 WinDirPath, LanguageID 407,
> at 0x80 language de-DE
>
> I hope my diff file can be applied in a future version of the file
> utility.
>
> With best wishes,
> Jörg Jenderek
> - --
> Jörg Jenderek
> File mailing list
> File at astron.com
> https://mailman.astron.com/mailman/listinfo/file
> <sanitizer.log>
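
The two test lines quoted in the message above (`2 uleshort <3`, then `(20.l) ubelong >0x40004000`), re-implemented as an added Python example; this is not the attached patch and not code from the file project. The buffers are constructed, `build` and the sample names are hypothetical, and only the header fields named in the post are modelled.

```python
import struct

MIN_NAME_PREFIX = 0x40004000  # threshold from "(20.l) ubelong >0x40004000"

def name_prefix(data):
    """Big-endian u32 at the offset stored little-endian at byte 20, or None."""
    if len(data) < 24:
        return None
    (off,) = struct.unpack_from("<I", data, 20)
    if off + 4 > len(data):          # indirect offset past end of file: test fails
        return None
    return struct.unpack_from(">I", data, off)[0]

def passes_pnf_tests(data):
    """Apply '2 uleshort <3', then the section-name check added by the patch."""
    prefix = name_prefix(data)       # None for short files or bad offsets
    if prefix is None or struct.unpack_from("<H", data, 2)[0] >= 3:
        return False
    return prefix > MIN_NAME_PREFIX

def section_name(data):
    """Decode the first section name: UTF-16LE if flags bit 0 is set, else ASCII."""
    (flags,) = struct.unpack_from("<I", data, 4)
    (off,) = struct.unpack_from("<I", data, 20)
    raw = bytes(data[off:])
    if flags & 1:
        end = 0
        while end + 1 < len(raw) and raw[end:end + 2] != b"\0\0":
            end += 2
        return raw[:end].decode("utf-16-le", "replace")
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def build(minor, major, style, flags, name_off, name=b"", size=0x100):
    buf = bytearray(size)            # hypothetical helper; all other bytes stay zero
    struct.pack_into("<BBHI", buf, 0, minor, major, style, flags)
    struct.pack_into("<I", buf, 20, name_off)
    buf[name_off:name_off + len(name)] = name
    return bytes(buf)

# Constructed samples (not real files); values loosely follow the quoted output.
SAMPLES = {
    "unicode.pnf": build(1, 3, 1, 0x3000083, 0x60, "Signature".encode("utf-16-le")),
    "ascii.pnf": build(1, 1, 1, 0, 0x60, b"CatalogFile"),
    "zero-name.aco": build(0, 1, 1, 0xFFFF0000, 0x80),
    "far-offset.aco": build(0, 1, 1, 0xFFFF0000, 0xCCCC),
}

if __name__ == "__main__":
    print({n: passes_pnf_tests(d) for n, d in SAMPLES.items()})
```

Both ACO-like buffers pass the offset-2 comparison on its own and are rejected only by the section-name threshold, either because the four bytes at the indirect offset are zero or because the offset lies outside the file.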