#------------------------------------------------------------------------------ # $File: coff,v 1.15 2024/11/10 18:54:33 christos Exp $ # coff: file(1) magic for Common Object Files not specific to known cpu types or manufactures # # COFF # # by Joerg Jenderek at Oct 2015, Feb 2021, Mar 2024 # https://en.wikipedia.org/wiki/COFF # https://de.wikipedia.org/wiki/Common_Object_File_Format # http://www.delorie.com/djgpp/doc/coff/filhdr.html # https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#coff-file-header-object-and-image # https://formats.kaitai.io/uefi_te/index.html # Display COFF processor type, including MS COFF and PE/COFF 0 name display-coff-processor # PE/COFF, DJGPP, i386 COFF executable, MS Windows COFF Intel i386 object file (./intel) >0 uleshort 0x014c Intel i386 >0 uleshort 0x014d Intel i860 >0 uleshort 0x0160 MIPS R3000 (big-endian) >0 uleshort 0x0162 MIPS R3000 >0 uleshort 0x0166 MIPS R4000 >0 uleshort 0x0168 MIPS R10000 >0 uleshort 0x0169 MIPS WCE v2 >0 uleshort 0x0184 Alpha 32-bit >0 uleshort 0x01a2 Hitachi SH3 >0 uleshort 0x01a3 Hitachi SH3 DSP >0 uleshort 0x01a4 Hitachi SH4E >0 uleshort 0x01a6 Hitachi SH4 >0 uleshort 0x01a8 Hitachi SH5 >0 uleshort 0x01c0 ARMv4 >0 uleshort 0x01c2 ARMv4T >0 uleshort 0x01c4 ARMv7 >0 uleshort 0x01d3 Matsushita AM33 # executable (RISC System/6000 V3.1) or obj module (./ibm6000 v 1.15), not PE/COFF >0 uleshort 0x01df RISC System/6000 >0 uleshort 0x01f0 PowerPC 32-bit (little-endian) >0 uleshort 0x01f1 PowerPC 32-bit with FPU (little-endian) >0 uleshort 0x01f2 PowerPC 64-bit (big-endian) >0 uleshort 0x0200 Intel Itanium >0 uleshort 0x0266 MIPS16 >0 uleshort 0x0268 Motorola 68000 >0 uleshort 0x0284 Alpha 64-bit >0 uleshort 0x0290 PA-RISC >0 uleshort 0x0366 MIPS with FPU >0 uleshort 0x0466 MIPS16 with FPU # Hitachi SH big-endian COFF (./hitachi-sh), not PE/COFF >0 uleshort 0x0500 Hitachi SH (big-endian) >0 uleshort 0x0520 Tricore # Hitachi SH little-endian COFF (./hitachi-sh), not PE/COFF >0 uleshort 0x0550 Hitachi SH (little-endian) >0 uleshort 0x0601 PowerPC 32-bit (big-endian) # Windows CE 3.0 Common Executable Format, created by linkcef.exe with /MACHINE:CEF flag # https://web.archive.org/web/20000819035046/http://microsoft.com/windows/embedded/ce/downloads/cef.asp # https://web.archive.org/web/20000914080342/http://microsoft.com/windows/embedded/ce/developer/applications/appdevelopment/cef2.asp # https://web.archive.org/web/20021022055906/http://msdn.microsoft.com/library/en-us/dnce30/html/cef2.asp >0 uleshort 0x0cef Common Executable Format >0 uleshort 0x0ebc EFI byte code >0 uleshort 0x3a64 ARM64 (i386 ABI) >0 uleshort 0x5032 RISC-V 32-bit >0 uleshort 0x5064 RISC-V 64-bit >0 uleshort 0x5128 RISC-V 128-bit >0 uleshort 0x6232 LoongArch 32-bit >0 uleshort 0x6264 LoongArch 64-bit >0 uleshort 0x8664 x86-64 >0 uleshort 0x9041 Mitsubishi M32R >0 uleshort 0xa641 ARM64 (x86-64 ABI) >0 uleshort 0xa64e ARM64 (classic + x86-64 ABI) # PE/COFF ARM64 classic ABI, ARM COFF (./arm) >0 uleshort 0xaa64 ARM64 >0 uleshort 0xace1 OMNI VM (omniprox.dll) # Processor type CEE can be only in object files (created by older ilasm.exe with /OBJECT flag), not in PE executables >0 uleshort 0xc0ee COM+ Execution Engine >0 default x Unknown processor >>0 uleshort x 0x%04x # display name+variables+flags of Common Object Files Format (32bit) # Maybe used also in adi,att3b,clipper,hitachi-sh,hp,ibm6000,intel, # mips,motorola,msdos,osf1,sharc,varied.out,vax 0 name display-coff # test for unused flag bits (0x8000,x0080) in f_flags # flag bits (0x0800,0x0400,0x0200) now seems to be used in RISC System/6000 V3.1 >18 uleshort&0x8080 0 # skip DOCTOR.DAILY READER.NDA REDBOX.ROOT by looking for positive number of sections >>2 uleshort >0 # skip ega80woa.fnt svgafix.fnt HP3FNTS1.DAT HP3FNTS2.DAT INTRO.ACT LEARN.PIF by looking for low number of sections >>>2 uleshort <4207 # f_magic - magic number >>>>0 use display-coff-processor >>>>0 uleshort x COFF # F_EXEC flag bit >>>>18 leshort ^0x0002 object file !:mime application/x-coff !:ext o/obj/lib # no cof sample found #!:ext cof/o/obj/lib >>>>18 leshort &0x0002 executable #!:mime application/x-coffexec !:mime application/x-coff-executable # typically no file name suffix for executables !:ext / # F_RELFLG flag bit,static object >>>>18 leshort &0x0001 \b, no relocation info # F_LNNO flag bit >>>>18 leshort &0x0004 \b, no line number info # F_LSYMS flag bit >>>>18 leshort &0x0008 \b, stripped >>>>18 leshort ^0x0008 \b, not stripped # flags in other COFF versions #0x0010 F_FDPR_PROF #0x0020 F_FDPR_OPTI #0x0040 F_DSA # F_AR32WR flag bit #>>>>18 leshort &0x0100 \b, 32 bit little endian #0x1000 F_DYNLOAD #0x2000 F_SHROBJ #0x4000 F_LOADONLY # f_nscns - number of sections like: 1 2 3 4 5 7 8 9 11 12 15 16 19 20 21 22 26 30 36 40 42 56 80 89 96 124 >>>>2 uleshort <2 \b, %u section >>>>2 uleshort >1 \b, %u sections # f_symptr - symbol table pointer, only for not stripped # like: 0 0x7c 0xf4 0x104 0x182 0x1c2 0x1c6 0x468 0x948 0x416e 0x149a6 0x1c9d8 0x23a68 0x35120 0x7afa0 >>>>8 ulelong >0 \b, symbol offset=%#x # f_nsyms - number of symbols, only for not stripped # like: 0 2 7 9 10 11 20 35 41 63 71 80 105 146 153 158 170 208 294 572 831 1546 >>>>12 ulelong >0 \b, %d symbols # f_opthdr - optional header size. An object file should have a value of 0 # like: 72 (IBM\HH\HYPERHLP) >>>>16 uleshort >0 \b, optional header size %u # f_timdat - file time & date stamp >>>>4 ledate >0 \b, created %s # at offset 20 can be optional header, extra bytes FILHSZ-20 because # do not rely on sizeof(FILHDR) to give the correct size for header. # or first section header # additional variables for other COFF files >>>>16 uleshort =0 # most section names start with point character except samples created by "exotic" compilers # first section name s_name[8] like: .text .data .debug$S .drectve .testseg .rsrc .rsrc$01 .pad >>>>>(16.s+20) string x \b, 1st section name "%.8s" # physical address s_paddr like: 0 #>>>>>(16.s+28) lelong !0 \b, s_paddr %#8.8x # virtual address s_vaddr like: 0 #>>>>>(16.s+32) lelong !0 \b, s_vaddr %#8.8x # section size s_size #>>>>>(16.s+36) lelong x \b, s_size %#8.8x # file ptr to raw data for section s_scnpt #>>>>>(16.s+40) lelong x \b, s_scnpt %#8.8x # file ptr to relocation s_relptr like: 0 #>>>>>(16.s+44) lelong !0 \b, s_relptr %#8.8x # file ptr to gp histogram s_lnnoptr like: 0 #>>>>>(16.s+48) lelong !0 \b, s_lnnoptr %#8.8x # number of relocation entries s_nreloc like: 0 1 2 5 6 8 19h 26h 27h 38h 50h 5Fh 89h Dh 1Ch 69h A9h 1DCh 651h #>>>>>(16.s+52) uleshort x \b, s_nreloc %#4.4x # number of gp histogram entries s_nlnno like: 0 #>>>>>(16.s+54) uleshort !0 \b, s_nlnno %#4.4x # flags s_flags #>>>>>(16.s+56) lelong x \b, s_flags %#8.8x # second section name s_name[8] like: .bss .data .debug$S .rsrc$01 >>>>2 uleshort >1 >>>>>(16.s+60) string x \b, 2nd section name "%.8s" # >20 beshort 0407 (impure) # >20 beshort 0410 (pure) # >20 beshort 0413 (demand paged) # >20 beshort 0421 (standalone) # >22 leshort >0 - version %d # >168 string .lowmem Apple toolbox # PowerPC COFF object file or executable 0 leshort 0x01f0 >16 leshort 0 >>0 use display-coff # can be created by: LINK.EXE /MACHINE:powerpc /ROM >16 leshort !0 >>18 leshort &0x0002 >>>20 leshort 0x010b >>>>0 use display-coff 0 leshort 0x01f1 >16 leshort 0 >>0 use display-coff 0 leshort 0x01f2 >16 leshort 0 >>0 use display-coff 0 leshort 0x0601 >16 leshort 0 >>0 use display-coff # can be created by: LINK.EXE /MACHINE:MPPC /ROM >16 leshort !0 >>18 leshort &0x0002 >>>20 leshort 0x010b >>>>0 use display-coff 0 name display-subsystem >0 ubyte 0 unknown >0 ubyte 1 native >0 ubyte 2 windows_gui >0 ubyte 3 windows_cui >0 ubyte 7 posix_cui >0 ubyte 9 windows_ce_gui >0 ubyte 10 efi_application >0 ubyte 11 efi_boot_service_driver >0 ubyte 12 efi_runtime_driver >0 ubyte 13 efi_rom >0 ubyte 14 xbox >0 ubyte 16 windows_boot-application >0 default x Unknown subsystem >>0 ubyte x %#x # https://formats.kaitai.io/uefi_te/index.html 0 string VZ TE (Terse Executable) file >2 use display-coff-processor >4 byte x \b, sections %d >5 use display-subsystem >6 uleshort x \b, stripped-size %u >8 ulelong x \b, entry %#x >12 ulelong x \b, base_of_code %#x >16 ulequad x \b, image_base %#llx