Merge pull request #36 from bojand/msi_dll_coff

add support for obj, dll, and coff object file formats
bojand · Mar 13, 2021 · 86a08ae · 86a08ae
2 parents e46b47d + ff0851a
commit 86a08ae
Show file tree

Hide file tree

Showing 4 changed files with 62 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -170,6 +170,7 @@ assert_eq!(kind.extension(), "foo");
 - **rpm** - `application/x-rpm`
 - **dcm** - `application/dicom`
 - **zst** - `application/zstd`
+- **msi** - `application/x-ole-storage`
 
 #### Book
 
@@ -196,17 +197,20 @@ assert_eq!(kind.extension(), "foo");
 
 - **wasm** - `application/wasm`
 - **exe** - `application/vnd.microsoft.portable-executable`
+- **dll** - `application/vnd.microsoft.portable-executable`
 - **elf** - `application/x-executable`
 - **bc** - `application/llvm`
 - **mach** - `application/x-mach-binary`
 - **class** - `application/java`
 - **dex** - `application/vnd.android.dex`
 - **dey** - `application/vnd.android.dey`
 - **der** - `application/x-x509-ca-cert`
+- **obj** - `application/x-executable`
 
 ## Known Issues
 
-- `doc`, `ppt`, `xls` all have the same magic number so it's not possible to tell which one just based on the binary data. `doc` is returned for all.
+- `doc`, `ppt`, `xls`, `msi` all have the same magic number so it's not possible to tell which one just based on the binary data. `doc` is returned for all.
+- `exe` and `dll` have the same magic number so it's not possible to tell which one just based on the binary data. `exe` is returned for all.
 
 ## License
 

diff --git a/src/map.rs b/src/map.rs
@@ -51,6 +51,12 @@ matcher_map!(
         "exe",
         matchers::app::is_exe
     ),
+    (
+        MatcherType::APP,
+        "application/vnd.microsoft.portable-executable",
+        "dll",
+        matchers::app::is_dll
+    ),
     (
         MatcherType::APP,
         "application/java",
@@ -87,6 +93,12 @@ matcher_map!(
         "der",
         matchers::app::is_der
     ),
+    (
+        MatcherType::APP,
+        "application/x-executable",
+        "obj",
+        matchers::app::is_coff
+    ),
     // Book
     (
         MatcherType::BOOK,
@@ -490,6 +502,12 @@ matcher_map!(
         "zst",
         matchers::archive::is_zst
     ),
+    (
+        MatcherType::ARCHIVE,
+        "application/x-ole-storage",
+        "msi",
+        matchers::archive::is_msi
+    ),
     // Text
     (
         MatcherType::TEXT,

diff --git a/src/matchers/app.rs b/src/matchers/app.rs
@@ -20,7 +20,7 @@ pub fn is_wasm(buf: &[u8]) -> bool {
         && buf[7] == 0x00
 }
 
-/// Returns whether a buffer is an EXE.
+/// Returns whether a buffer is an EXE. DLL and EXE have the same magic number, so returns true also for a DLL.
 ///
 /// # Example
 ///
@@ -32,6 +32,11 @@ pub fn is_exe(buf: &[u8]) -> bool {
     buf.len() > 1 && buf[0] == 0x4D && buf[1] == 0x5A
 }
 
+/// Returns whether a buffer is a DLL. DLL and EXE have the same magic number, so returns true also for an EXE.
+pub fn is_dll(buf: &[u8]) -> bool {
+    is_exe(buf)
+}
+
 /// Returns whether a buffer is an ELF.
 pub fn is_elf(buf: &[u8]) -> bool {
     buf.len() > 52 && buf[0] == 0x7F && buf[1] == 0x45 && buf[2] == 0x4C && buf[3] == 0x46
@@ -100,3 +105,23 @@ pub fn is_der(buf: &[u8]) -> bool {
 
     buf.len() > 2 && buf[0] == 0x30 && buf[1] == 0x82
 }
+
+/// Returns whether a buffer is a Common Object File Format for i386 architecture.
+pub fn is_coff_i386(buf: &[u8]) -> bool {
+    buf.len() > 2 && buf[0] == 0x4C && buf[1] == 0x01
+}
+
+/// Returns whether a buffer is a Common Object File Format for x64 architecture.
+pub fn is_coff_x64(buf: &[u8]) -> bool {
+    buf.len() > 2 && buf[0] == 0x64 && buf[1] == 0x86
+}
+
+/// Returns whether a buffer is a Common Object File Format for Itanium architecture.
+pub fn is_coff_ia64(buf: &[u8]) -> bool {
+    buf.len() > 2 && buf[0] == 0x00 && buf[1] == 0x02
+}
+
+/// Returns whether a buffer is a Common Object File Format.
+pub fn is_coff(buf: &[u8]) -> bool {
+    is_coff_x64(buf) || is_coff_i386(buf) || is_coff_ia64(buf)
+}
diff --git a/src/matchers/archive.rs b/src/matchers/archive.rs
@@ -192,3 +192,16 @@ pub fn is_dcm(buf: &[u8]) -> bool {
 pub fn is_zst(buf: &[u8]) -> bool {
     buf.len() > 3 && buf[0] == 0x28 && buf[1] == 0xB5 && buf[2] == 0x2F && buf[3] == 0xFD
 }
+
+/// Returns whether a buffer is a MSI Windows Installer archive.
+pub fn is_msi(buf: &[u8]) -> bool {
+    buf.len() > 7
+        && buf[0] == 0xD0
+        && buf[1] == 0xCF
+        && buf[2] == 0x11
+        && buf[3] == 0xE0
+        && buf[4] == 0xA1
+        && buf[5] == 0xB1
+        && buf[6] == 0x1A
+        && buf[7] == 0xE1
+}