[File] [PATCH] of Magdir/msdos PE32 executable *.ICL *.MUI *.RLL ...

Jörg Jenderek joerg.jen.der.ek at gmx.net
Sat Jun 24 02:06:47 UTC 2023


Hello,

Some time ago I sent a patch for Magdir/msdos to improve the PE32 executable
details. Unfortunately some aspects are not unique enough. In this
session I will handle PE32 executables made for the Windows graphical
user interface (2=IMAGE_SUBSYSTEM_WINDOWS_GUI). That is indicated by
the phrase (GUI) in the file command output.

When running file command version 5.44 on such examples and other
related files, I get at first glance not bad looking output like:

PCL5URES.DLL:           PE32+ executable (DLL)
			(GUI)
			x86-64, for MS Windows
PENetwork_OldIcons.icl: PE32 executable
			(GUI)
			Intel 80386
			, for MS Windows
TWEAKUI.CPL:            PE32 executable (DLL)
			(GUI)
			Intel 80386 (stripped to external PDB)
			, for MS Windows, 5 sections
iconlib-empty.icl:      PE32 executable (DLL)
			(GUI)
			Intel 80386
			, for MS Windows
iscsicpl.dll.mui:       PE32+ executable (DLL)
			(GUI)
			x86-64
			, for MS Windows
preview.wlx:            PE32+ executable (DLL)
			(GUI)
			x86-64 (stripped to external PDB)
			, for MS Windows, 9 sections
sqloledb.rll:           PE32 executable (DLL)
			(GUI)
			Intel 80386, for MS Windows
sqlsrv32.rll:           PE32+ executable (DLL)
			(GUI)
			x86-64
			, for MS Windows, 2 sections
ssText3d.scr:           PE32+ executable
			(GUI)
			x86-64
			, for MS Windows, 6 sections
wab32res.dll.mui:       PE32 executable (DLL)
			(GUI)
			Intel 80386
			, for MS Windows, 2 sections
win.com:                PE32 executable
			(GUI)
			Intel 80386
			, for MS Windows, 3 sections


But with the --extension option the correct file name extensions are
often missing. This looks like:

PCL5URES.DLL:           dll/cpl/tlb/ocx/acm/ax/ime
PENetwork_OldIcons.icl: exe/scr
TWEAKUI.CPL:            dll/cpl/tlb/ocx/acm/ax/ime
iconlib-empty.icl:      dll/cpl/tlb/ocx/acm/ax/ime
iscsicpl.dll.mui:       dll/cpl/tlb/ocx/acm/ax/ime
preview.wlx:            dll/cpl/tlb/ocx/acm/ax/ime
sqloledb.rll:           dll/cpl/tlb/ocx/acm/ax/ime
sqlsrv32.rll:           dll/cpl/tlb/ocx/acm/ax/ime
ssText3d.scr:           exe/scr
wab32res.dll.mui:       dll/cpl/tlb/ocx/acm/ax/ime
win.com:                exe/scr

For comparison I ran the file format identification utility
TrID (see https://mark0.net/soft-trid-e.html). This lists the used
file name extension and, with the -v option, often the related URL
pointing to the used file format information (see the appended
trid-v-pe32.txt.gz).

Inside Magdir/msdos the first test looks for e_magic at the beginning
by a line like
   0	string/b	MZ

The displaying part for portable executables (PE) starts with a line like:
  >(0x3c.l)	string		PE\0\0	PE

For debugging purposes the DLL Characteristics value and the Windows
subsystem can be shown by lines like
#>>(0x3c.l+22)	uleshort	x	\b, CHARACTERISTICS %#4.4x,
 >>(0x3c.l+24)	leshort		0x010b	\b32 executable
#>>>(0x3c.l+92)	leshort		x	\b, SUBSYSTEM %u
 >>(0x3c.l+24)	leshort		0x020b	\b32+ executable
#>>>(0x3c.l+92)	leshort		x	\b, SUBSYSTEM %u

Here, for the inspected samples, I get subsystem value 2.

At the end of the PE displaying part the number of sections is shown if
there is more than one. This looks like:
 >>(0x3c.l+6)	leshort			>1	\b, %u sections
#>>(0x3c.l+6)	leshort			=1	\b, %u section

Normal Windows DLL libraries and executables have a few sections, for
example for code, data and resources (with values like 3, 5, 9).
Sometimes the PE format is only used as a container, like for Windows Icons
Library (*.icl), Multilingual User Interface resource (*.mui) and Microsoft
Resource Library (*.rll). Such PE containers have fewer sections (the typical
value is 1). So I use this additional information to distinguish PE
samples in more detail. This is done by the patch file-5.44-msdos-PE32-gui.diff.

Subsystem 2 (IMAGE_SUBSYSTEM_WINDOWS_GUI) is shown by lines like:
   >>(0x3c.l+92)	leshort		2
   >>>(0x3c.l+22)	leshort&0x2000	>0	(GUI)
   !:ext	dll/cpl/tlb/ocx/acm/ax/ime
   >>>(0x3c.l+22)	leshort&0x2000	0	(GUI)
   !:ext	exe/scr

The last branch was for GUI PE without the DLL characteristic. This gets 2
sub-branches. One with "more" sections (code, data, ...) implies an
executable or screensaver. This is expressed by lines like:
  >>>>(0x3c.l+6)	uleshort	>1	(GUI)
!:ext	exe/scr/com
Here I also found executables with the suffix COM instead of EXE, like WIN.COM
(XP). The other branch (GUI PE with only 1 resource section) implies an
icon library (like PENetwork_OldIcons.icl) or Resource Library (like
sqloledb.rll sqlxmlx.rll). So this becomes:
  >>>>(0x3c.l+6)	uleshort	=1	(Icons or Resource Library)
#!:mime	image/x-ms-icl
!:ext	icl/rll
Instead of the application/vnd.microsoft.portable-executable MIME type,
another MIME type should be used for icl samples, because some graphical
applications like XnView have just enough knowledge to handle graphics
embedded inside PE32 executables. This can be verified by an XnView
command like:
	nconvert -info *.icl

The first branch was for GUI PE with the DLL characteristic. This gets 2 sub-
branches. One with 1 section (.rsrc) is a hint for an icon library (*.icl),
Resource Library (like 0409.rll sqlsrv32.rll sqloledb.rll), Microsoft
Multilingual User Interface resource library (like iscsicpl.dll.mui) or a
few DLLs (like cscompui.dll dmdskres.dll oledb32r.dll PCL5URES.DLL
STSLISTI.DLL tapiui.dll wab32res.dll). So this is now handled by lines like:
 >>>(0x3c.l+22)	leshort&0x2000	>0
 >>>>(0x3c.l+6)	uleshort=1 \
	(Icons, Resource, Multilingual User Interface library or GUI)
!:ext	dll/icl/mui/rll

The other branch (GUI PE DLL with more sections: code, data, ...) implies a
library, plug-in or similar. So this is now handled by lines like:
   >>>(0x3c.l+22)	leshort&0x2000	>0
   >>>>(0x3c.l+6)	uleshort	>1	(GUI)
   !:ext	dll/cpl/tlb/ocx/acm/ax/ime/\
	8bf/bpl/drv/exe/mui/pyd/rll/\
	vdf/vdm/vst3/wcx/wcx64/wdx/wdx64/wfx/wfx64/wlx/wlx64

Many program add-ons/plug-ins are realised as Windows dynamic link
libraries. Typically these have the file name extension dll, but many programs
use their own extensions. So afterwards I added more extensions to the line
starting with "!:ext	dll/cpl". Now this gets too large (111
characters). I then get error messages like:
Warning: using regular magic file `msdos
msdos, 232: Warning: EXTENSION type `
dll/cpl/tlb/ocx/acm/ax/ime/
8bf/bpl/drv/exe/icl/mui/pyd/rll/
vdf/vdm/vst3/wcx/wcx64/wdx/wdx64/wfx/wfx64/wlx/wlx64' truncated 64

So I changed some definitions in src/file.h. In the structure magic I changed
the last element for file name extensions from the line
	char ext[64];		/* Popular extensions */
to
	char ext[MAXEXT];	/* Popular extensions like dll... */
and defined the maximal length of text extensions by a line like
#define MAXEXT	120		/* from old 64 raised by 56 */
Then I get an error message like:
# file: magic element size 432 != 376
So I changed the line from
#define FILE_MAGICSIZE	376
to
#define FILE_MAGICSIZE	432	/* from old 376 raised by 56 */
After applying these modifications by the patch file.h-5.44-extensions.diff
the long extension line works for me, but I am no C expert. So I do
not know if I get some side effects.

After applying the above mentioned modifications by the patches
file.h-5.44-extensions.diff and file-5.44-msdos-pe32-gui.diff
I get more detailed output like:

iconlib-empty.icl:      PE32 executable (DLL)
			(Icons, Resource, MUI library or GUI)
			Intel 80386, for MS Windows
			, created Sun Dec  6 13:08:39 2020
iscsicpl.dll.mui:       PE32+ executable (DLL)
			(Icons, Resource, MUI library or GUI)
			x86-64, for MS Windows
			, created Tue Jul 14 00:01:21 2009
PCL5URES.DLL:           PE32+ executable (DLL)
			(Icons, Resource, MUI library or GUI)
			x86-64, for MS Windows
			, created Mon Aug  7 01:32:51 2006
PENetwork_OldIcons.icl: PE32 executable
			(Icons or Resource Library)
			Intel 80386, for MS Windows
			, created Thu Apr 26 22:37:00 2001
preview.wlx:            PE32+ executable (DLL)
			(GUI)
			x86-64 (stripped to external PDB)
			, for MS Windows, 9 sections
sqloledb.rll:           PE32 executable (DLL)
			(Icons, Resource, MUI library or GUI)
			Intel 80386, for MS Windows
			, created Thu Nov  2 08:11:43 2006
sqlsrv32.rll:           PE32+ executable (DLL)
			(GUI)
			x86-64, for MS Windows, 2 sections
			, created Fri Oct 30 02:41:57 2015
ssText3d.scr:           PE32+ executable
			(GUI)
			x86-64, for MS Windows, 6 sections
			, created Wed Dec 26 11:08:06 2012
TWEAKUI.CPL:            PE32 executable (DLL)
			(GUI)
			Intel 80386 (stripped to external PDB)
			, for MS Windows, 5 sections
			, created Sun Jun 18 21:02:46 2000
wab32res.dll.mui:       PE32 executable (DLL)
			(GUI)
			Intel 80386
			, for MS Windows, 2 sections
win.com:                PE32 executable
			(GUI)
			Intel 80386
			, for MS Windows, 3 sections
			, created Fri Aug 17 20:58:33 2001


Now with the --extension option the correct file name extensions are
shown for the inspected samples, like:

iconlib-empty.icl:      dll/icl/mui/rll
iscsicpl.dll.mui:       dll/icl/mui/rll
PCL5URES.DLL:           dll/icl/mui/rll
PENetwork_OldIcons.icl: icl/rll
preview.wlx:            dll/cpl/tlb/ocx/acm/ax/ime
			/8bf/bpl/drv/exe/icl/mui/pyd/rll/vdf/vdm
			/vst3/wcx/wcx64/wdx/wdx64/wfx/wfx64/wlx/wlx64
sqloledb.rll:           dll/icl/mui/rll
sqlsrv32.rll:           dll/cpl/tlb/ocx/acm/ax/ime
			/8bf/bpl/drv/exe/icl/mui/pyd/rll/vdf/vdm
			/vst3/wcx/wcx64/wdx/wdx64/wfx/wfx64/wlx/wlx64
ssText3d.scr:           exe/scr/com
TWEAKUI.CPL:            dll/cpl/tlb/ocx/acm/ax/ime
			/8bf/bpl/drv/exe/icl/mui/pyd/rll/vdf/vdm
			/vst3/wcx/wcx64/wdx/wdx64/wfx/wfx64/wlx/wlx64
wab32res.dll.mui:       dll/cpl/tlb/ocx/acm/ax/ime
			/8bf/bpl/drv/exe/icl/mui/pyd/rll/vdf/vdm
			/vst3/wcx/wcx64/wdx/wdx64/wfx/wfx64/wlx/wlx64
win.com:                exe/scr/com


I hope my diff files can be applied in a future version of the
file utility.

With best wishes
Jörg Jenderek
--
Jörg Jenderek
-------------- next part --------------
--- /home/tmp/file-5.44/src/file.h.orig	2022-12-26 19:00:48.000000000 +0100
+++ /home/tmp/file-5.44/src/file.h	2023-06-24 02:43:56.657234366 +0200
@@ -158,11 +158,12 @@
 #define FILE_BADSIZE CAST(size_t, ~0ul)
 #define MAXDESC	64		/* max len of text description/MIME type */
 #define MAXMIME	80		/* max len of text MIME type */
+#define MAXEXT	120		/* max len of text extensions; from old 64 raised by 56 */
 #define MAXstring 128		/* max len of "string" types */
 
 #define MAGICNO		0xF11E041C
 #define VERSIONNO	18
-#define FILE_MAGICSIZE	376
+#define FILE_MAGICSIZE	432	/* from old 376 raised by 56 for dll/cpl/tlb... */
 
 #define FILE_GUID_SIZE	sizeof("XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX")
 
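Review bot: FILE_MAGICSIZE is raised from 376 to 432 but VERSIONNO two lines above it stays at 18, so a .mgc compiled by an unpatched 5.44 has a different struct magic layout under the same version number and is caught only by the element-size check quoted in the mail ("magic element size 432 != 376"). Bump VERSIONNO whenever the size of struct magic changes so stale compiled magic fails with a clear version mismatch and is rebuilt. Also verify that the code which printed "EXTENSION type ... truncated 64" derives its limit from sizeof(ext) or the new MAXEXT rather than a literal 64, otherwise the larger buffer is never filled.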
@@ -364,7 +365,7 @@
 	/* Words 61-62 */
 	char apple[8];		/* APPLE CREATOR/TYPE */
 	/* Words 63-78 */
-	char ext[64];		/* Popular extensions */
+	char ext[MAXEXT];	/* Popular extensions from old 64 raised by 56 for dll/cpl/tlb... */
 };
 
 #define BIT(A)   (1 << (A))
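Review bot: the "/* Words 63-78 */" comment directly above ext[] is now stale: 64 bytes span 16 32-bit words (63-78), 120 bytes span 30, so after this change the range should read 63-92. The history in the new trailing comment ("from old 64 raised by 56 for dll/cpl/tlb...") belongs in the commit message, not in the header; keep the original "/* Popular extensions */" so the struct definition stays readable.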
-------------- next part --------------
A non-text attachment was scrubbed...
Name: file.h-5.44-extensions.diff.sig
Type: application/octet-stream
Size: 661 bytes
Desc: not available
URL: <https://mailman.astron.com/pipermail/file/attachments/20230624/09c3510a/attachment.obj>
-------------- next part --------------
--- file-5.44/magic/Magdir/msdos.old	2022-12-26 19:00:48.000000000 +0100
+++ file-5.44/magic/Magdir/msdos	2023-06-24 03:27:18.798340739 +0200
@@ -139,10 +139,16 @@
 # URL:		http://fileformats.archiveteam.org/wiki/Portable_Executable
-# Reference:	https://docs.microsoft.com/de-de/windows/win32/debug/pe-format
+# Reference:	https://learn.microsoft.com/en-us/windows/win32/debug/pe-format
 >(0x3c.l)	string		PE\0\0	PE
 !:mime	application/vnd.microsoft.portable-executable
-# https://docs.microsoft.com/de-de/windows/win32/debug/pe-format#characteristics
+#  https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#characteristics
 # DLL Characteristics
 #>>(0x3c.l+22)	uleshort	x	\b, CHARACTERISTICS %#4.4x,
-# 0x0200~IMAGE_FILE_DEBUG_STRIPPED Debugging information is removed from the image file
-# 0x1000~IMAGE_FILE_SYSTEM The image file is a system file, not a user program. 
+# 0x0001~IMAGE_FILE_RELOCS_STRIPPED file does not contain base relocations
+# 0x0002~IMAGE_FILE_EXECUTABLE_IMAGE file is valid and can be run
+# 0x0004~IMAGE_FILE_LINE_NUMS_STRIPPED COFF line numbers have been removed
+# 0x0008~IMAGE_FILE_LOCAL_SYMS_STRIPPED COFF symbol table entries for local symbols have been removed
+# 0x0020~IMAGE_FILE_LARGE_ADDRESS_AWARE	application can handle > 2-GB addresses
+# 0x0100~IMAGE_FILE_32BIT_MACHINE machine is based on a 32-bit-word architecture
+# 0x0200~IMAGE_FILE_DEBUG_STRIPPED debugging information is removed from the image file
+# 0x1000~IMAGE_FILE_SYSTEM image file is a system file, not a user program
 # 0x2000~IMAGE_FILE_DLL The image file is a dynamic-link library (DLL)
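Review bot: the heading "# DLL Characteristics" kept above this list describes the COFF file header Characteristics field at (0x3c.l+22), which is what every listed IMAGE_FILE_* flag belongs to; the optional header's DllCharacteristics is a different field, so rename the heading to "# Characteristics" to avoid the mix-up. Minor: the 0x0020 entry separates name and description with a tab while the other entries use a space.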
@@ -181,3 +187,5 @@
 >>(0x3c.l+92)	leshort		2
->>>(0x3c.l+22)	leshort&0x2000	>0	(GUI)
+>>>(0x3c.l+22)	leshort&0x2000	>0
+# GUI PE DLL with more sections (code, data,...) implies library, plugin or ...
+>>>>(0x3c.l+6)	uleshort	>1	(GUI)
 # These could probably be at least partially distinguished from one another by
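Review bot: replacing the unconditional "(GUI)" on the ">0" line with ">1" and "=1" sub-branches on NumberOfSections leaves a hole at 0: a GUI DLL header whose section count is 0 now prints neither "(GUI)" nor any !:ext, a regression against the 5.44 line being removed. The section count is a header field written by whoever produced the file, so add a fallback such as ">>>>(0x3c.l+6)	uleshort	=0	(GUI)" carrying the original extension list, and treat the 1-section test as a naming hint rather than as proof that the image is an icon or resource library.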
@@ -190,7 +198,52 @@
 # IME: Input method editor
-!:ext	dll/cpl/tlb/ocx/acm/ax/ime
->>>(0x3c.l+22)	leshort&0x2000	0	(GUI)
+# 8BF:	Adobe Photoshop filter plug-in		http://en.wikipedia.org/wiki/Adobe_Photoshop
+# BPL:	Borland Package Library			https://fileinfo.com/extension/bpl
+# DRV:	Driver 32-bit/64-bit (winspool.drv...)	http://fileformats.archiveteam.org/wiki/Dynamic-link_library_(Windows)
+# EXE:	(dpnsvr.exe dplaysvr.exe)
+# ICL:	Icons Library 32-bit			http://fileformats.archiveteam.org/wiki/Icon_library
+# MUI:	Multilingual User Interface resource	http://www.cryer.co.uk/file-types/m/mui.htm
+# PYD:	Python Dynamic module			http://en.wikipedia.org/wiki/Python_(programming_language)
+# RLL:	Microsoft Resource Library		https://fileinfo.com/extension/rll
+# VDF:	VirtualDub Filter Plug-in		http://www.virtualdub.org
+# VDM:	Microsoft Virus Definition Module	https://en.wikipedia.org/wiki/Microsoft_Defender
+# VST3:	Cubase audio plugin	   		https://www.file-extensions.org/vst3-file-extension
+# WCX:	Total Commander Packer extension	http://www.ghisler.com/plugins.htm
+# WCX64:Total Commander Packer extension	http://www.ghisler.com/plugins.htm
+# WDX:	Total Commander Content plugin		http://www.ghisler.com/plugins.htm#content
+# WDX64:Total Commander Content plugin		http://www.ghisler.com/plugins.htm#content
+# WFX:	Total Commander File system extension	http://www.ghisler.com/plugins.htm#filesys
+# WFX64:Total Commander File system extension	http://www.ghisler.com/plugins.htm#filesys
+# WLX:	Total Commander Lister extension	http://www.ghisler.com/plugins.htm#lister
+# WLX64:Total Commander Lister extension	http://www.ghisler.com/plugins.htm#lister
+#!:ext	dll/cpl/tlb/ocx/acm/ax/ime
+!:ext	dll/cpl/tlb/ocx/acm/ax/ime/8bf/bpl/drv/exe/icl/mui/pyd/rll/vdf/vdm/vst3/wcx/wcx64/wdx/wdx64/wfx/wfx64/wlx/wlx64
+# the line above only works if in ../../src/file.h FILE_MAGICSIZE ext[] are raised or you get
+# Warning: using regular magic file `msdos
+# msdos, 232: Warning: EXTENSION type `      dll/cpl/tlb/ocx/acm/ax/ime/8bf/bpl/drv/exe/icl/mui/pyd/rll/vdf/vdm/vst3/wcx/wcx64/wdx/wdx64/wfx/wfx64/wlx/wlx64' truncated 64
+# file: magic element size 432 != 376
+# GUI PE DLL with only 1 section (.rsrc) is hint for icon library
+# created by RealWorld Icon Editor RWIconEditor.exe like: iconlib-empty.icl
+# or many Microsoft Resource Library like: sqloledb.rll
+# or many Microsoft Multilingual User Interface resource like: iscsicpl.dll.mui
+# or few DLL like: cscompui.dl dmdskres.dll oledb32r.dll PCL5URES.DLL STSLISTI.DLL tapiui.dll wab32res.dll
+>>>>(0x3c.l+6)	uleshort	=1	(Icons, Resource, Multilingual User Interface library or GUI)
+# ICL:	Icons Library 32-bit			http://fileformats.archiveteam.org/wiki/Icon_library
+# MUI:	Multilingual User Interface resource	http://www.cryer.co.uk/file-types/m/mui.htm
+!:ext	dll/icl/mui/rll
+# GUI PE without DLL characteristics
+>>>(0x3c.l+22)	leshort&0x2000	0
+# GUI PE with more sections (code, data,...) implies executable or screensaver
+>>>>(0x3c.l+6)	uleshort	>1	(GUI)
 # Screen savers typically include code from the scrnsave.lib static library, but
 # that's not guaranteed.
-!:ext	exe/scr
+# also like: win.com (XP)
+!:ext	exe/scr/com
+# GUI PE with only 1 section (resource) implies icon library like: PENetwork_OldIcons.icl
+# or Microsoft Resource Library like: sqloledb.rll sqlxmlx.rll
+>>>>(0x3c.l+6)	uleshort	=1	(Icons or Resource Library)
+# ICL:	Icons Library 32-bit		http://fileformats.archiveteam.org/wiki/Icon_library
+# Note:		called "Windows Icons Library (generic) by TrID and
+#		verified by XnView `nconvert -info *.icl` as "Icon Library"
+#!:mime	image/x-ms-icl
+!:ext	icl/rll
 # 3~IMAGE_SUBSYSTEM_WINDOWS_CUI	The Windows character subsystem 
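Review bot: the 111-character !:ext line near the top of this hunk cannot be merged on its own, as its own comment admits (it depends on the FILE_MAGICSIZE and ext[] changes in src/file.h); either trim the list back under 64 characters (the wcx64/wdx64/wfx64/wlx64 variants are the obvious candidates, and icl/mui/rll already get their own 1-section branch below) or submit the file.h change first and reference it. The three comment lines quoting the "truncated 64" warning and "file: magic element size 432 != 376" document a build problem, not the format, and belong in the commit message. Small fixes: "cscompui.dl" in the DLL example list is missing its final l, and the commented-out "#!:mime	image/x-ms-icl" should either be enabled with the justification given in the Note lines or dropped.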
@@ -334,2 +387,7 @@
 #>>(0x3c.l+6)	leshort			=1	\b, %u section
+# TimeDateStamp; 32 bits of the number of seconds since 00:00 January 1, 1970 when the file was created
+# if stamp value 0 or 0xFFFFFFFF then not real date/time stamp
+#>>(0x3c.l+8)	belong			x	TIME=%#8.8x
+>>(0x3c.l+8)	ubelong			>0
+>>>(0x3c.l+8)	date			x	\b, created %s
 
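Review bot: the guard ">>(0x3c.l+8)	ubelong	>0" filters only a stamp of 0, although the comment two lines above also declares 0xFFFFFFFF as not a real date/time stamp; it also reads the little-endian TimeDateStamp as a big-endian value (the commented debug line uses belong too), while the "date" type then displays it in the host's byte order. Read the field consistently as little-endian and exclude both sentinels, e.g.
>>(0x3c.l+8)	ulelong	>0
>>>(0x3c.l+8)	ulelong	!0xffffffff
>>>>(0x3c.l+8)	ledate	x	\b, created %s
so the result does not depend on host endianness.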
-------------- next part --------------
A non-text attachment was scrubbed...
Name: file-5.44-msdos-pe32-gui.diff.sig
Type: application/octet-stream
Size: 2515 bytes
Desc: not available
URL: <https://mailman.astron.com/pipermail/file/attachments/20230624/09c3510a/attachment-0001.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: trid-v-pe32.txt.gz
Type: application/x-gzip
Size: 1478 bytes
Desc: not available
URL: <https://mailman.astron.com/pipermail/file/attachments/20230624/09c3510a/attachment.bin>
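Added here as a worked example (it is not code from file(1), from the patches or from their author): the following Python reads exactly the header fields the magic lines in this thread test on, reproduces the four proposed GUI sub-branches and the TimeDateStamp display, and constructs its own minimal PE headers in place of the real samples named in the mail. The offsets are the ones the magic uses (e_lfanew at 0x3c, then +6, +8, +22, +24 and +92 from the PE signature); the constructed images, the helper names and the stamp value are this example's own assumptions. Pointing parse_pe_header at the bytes of a real file lets you compare with the output of file --extension.

```python
"""PE header classifier mirroring the proposed Magdir/msdos GUI branches.

Added example for this thread, not code from file(1) or from the patch author.
Offsets relative to the PE signature are the ones the magic lines use:
+6 NumberOfSections, +8 TimeDateStamp, +22 Characteristics, +24 optional
header Magic, +92 Subsystem. All sample images are constructed below.
"""
import struct
from datetime import datetime, timezone

IMAGE_FILE_DLL = 0x2000
IMAGE_SUBSYSTEM_WINDOWS_GUI = 2
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B

# Extension lists exactly as in the four proposed !:ext lines.
EXT_GUI_DLL_MULTI = ("dll/cpl/tlb/ocx/acm/ax/ime/8bf/bpl/drv/exe/icl/mui/pyd/"
                     "rll/vdf/vdm/vst3/wcx/wcx64/wdx/wdx64/wfx/wfx64/wlx/wlx64")
EXT_GUI_DLL_SINGLE = "dll/icl/mui/rll"
EXT_GUI_EXE_MULTI = "exe/scr/com"
EXT_GUI_EXE_SINGLE = "icl/rll"


def parse_pe_header(data: bytes) -> dict:
    """Return the header fields the magic branches test on, or raise ValueError."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # e_lfanew is read from the file itself, so bound it before dereferencing.
    if e_lfanew + 94 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    sections, stamp = struct.unpack_from("<HI", data, e_lfanew + 6)
    characteristics, magic = struct.unpack_from("<HH", data, e_lfanew + 22)
    subsystem = struct.unpack_from("<H", data, e_lfanew + 92)[0]
    return {"sections": sections, "stamp": stamp, "magic": magic,
            "characteristics": characteristics, "subsystem": subsystem}


def classify_gui(hdr: dict):
    """Mirror the four proposed sub-branches for subsystem 2 as (text, ext).

    NumberOfSections == 0 matches neither '>1' nor '=1', so it falls through
    with no '(GUI)' text and no extensions, as the proposed magic would.
    """
    if hdr["subsystem"] != IMAGE_SUBSYSTEM_WINDOWS_GUI:
        return None, None
    is_dll = bool(hdr["characteristics"] & IMAGE_FILE_DLL)
    n = hdr["sections"]
    if is_dll and n > 1:
        return "(GUI)", EXT_GUI_DLL_MULTI
    if is_dll and n == 1:
        return ("(Icons, Resource, Multilingual User Interface library or GUI)",
                EXT_GUI_DLL_SINGLE)
    if not is_dll and n > 1:
        return "(GUI)", EXT_GUI_EXE_MULTI
    if not is_dll and n == 1:
        return "(Icons or Resource Library)", EXT_GUI_EXE_SINGLE
    return None, None  # zero sections: no branch in the proposed magic


def link_time(hdr: dict):
    """TimeDateStamp as UTC ISO 8601, or None for the 0 / 0xFFFFFFFF sentinels."""
    stamp = hdr["stamp"]
    if stamp in (0, 0xFFFFFFFF):
        return None
    return datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat()


def describe(data: bytes) -> str:
    """file(1)-style one-liner built from the same fields the magic tests."""
    hdr = parse_pe_header(data)
    out = "PE32+ executable" if hdr["magic"] == PE32PLUS_MAGIC else "PE32 executable"
    if hdr["characteristics"] & IMAGE_FILE_DLL:
        out += " (DLL)"
    text, _ = classify_gui(hdr)
    if text:
        out += " " + text
    if hdr["sections"] > 1:
        out += f", {hdr['sections']} sections"
    when = link_time(hdr)
    return out + (f", created {when}" if when else "")


def build_pe(*, pe32plus: bool, sections: int, dll: bool,
             subsystem: int = IMAGE_SUBSYSTEM_WINDOWS_GUI, stamp: int = 0) -> bytes:
    """Construct a minimal, header-only PE image (hypothetical sample data)."""
    e_lfanew = 0x80
    mz = bytearray(e_lfanew)
    mz[:2] = b"MZ"
    struct.pack_into("<I", mz, 0x3C, e_lfanew)
    opt_size = 240 if pe32plus else 224
    characteristics = 0x0002 | (IMAGE_FILE_DLL if dll else 0)  # EXECUTABLE_IMAGE
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x8664 if pe32plus else 0x14C,
                       sections, stamp, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 68, subsystem)  # Subsystem is at +68 in both forms
    return bytes(mz) + coff + bytes(opt)
```

Two things the code makes visible that the magic text alone does not: a GUI image whose NumberOfSections is 0 satisfies neither the `>1` nor the `=1` test, so classify_gui returns nothing for it, and every field involved (section count, Characteristics, Subsystem, TimeDateStamp) is written by the producer of the file, so the result is a naming hint for --extension, not evidence about what the image contains. A constructed 1-section PE32 DLL with stamp 1607260119 describes as the mail's iconlib-empty.icl does, with the creation time 2020-12-06 13:08:39 UTC.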

