13e41d09dSXin LI 23e41d09dSXin LI#------------------------------------------------------------------------------ 3*ae316d1dSXin LI# $File: coff,v 1.15 2024/11/10 18:54:33 christos Exp $ 43e41d09dSXin LI# coff: file(1) magic for Common Object Files not specific to known cpu types or manufactures 53e41d09dSXin LI# 63e41d09dSXin LI# COFF 73e41d09dSXin LI# 8*ae316d1dSXin LI# by Joerg Jenderek at Oct 2015, Feb 2021, Mar 2024 93e41d09dSXin LI# https://en.wikipedia.org/wiki/COFF 103e41d09dSXin LI# https://de.wikipedia.org/wiki/Common_Object_File_Format 113e41d09dSXin LI# http://www.delorie.com/djgpp/doc/coff/filhdr.html 12*ae316d1dSXin LI# https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#coff-file-header-object-and-image 13*ae316d1dSXin LI# https://formats.kaitai.io/uefi_te/index.html 14*ae316d1dSXin LI 15*ae316d1dSXin LI# Display COFF processor type, including MS COFF and PE/COFF 16*ae316d1dSXin LI0 name display-coff-processor 17*ae316d1dSXin LI# PE/COFF, DJGPP, i386 COFF executable, MS Windows COFF Intel i386 object file (./intel) 18*ae316d1dSXin LI>0 uleshort 0x014c Intel i386 19*ae316d1dSXin LI>0 uleshort 0x014d Intel i860 20*ae316d1dSXin LI>0 uleshort 0x0160 MIPS R3000 (big-endian) 21*ae316d1dSXin LI>0 uleshort 0x0162 MIPS R3000 22*ae316d1dSXin LI>0 uleshort 0x0166 MIPS R4000 23*ae316d1dSXin LI>0 uleshort 0x0168 MIPS R10000 24*ae316d1dSXin LI>0 uleshort 0x0169 MIPS WCE v2 25*ae316d1dSXin LI>0 uleshort 0x0184 Alpha 32-bit 26*ae316d1dSXin LI>0 uleshort 0x01a2 Hitachi SH3 27*ae316d1dSXin LI>0 uleshort 0x01a3 Hitachi SH3 DSP 28*ae316d1dSXin LI>0 uleshort 0x01a4 Hitachi SH4E 29*ae316d1dSXin LI>0 uleshort 0x01a6 Hitachi SH4 30*ae316d1dSXin LI>0 uleshort 0x01a8 Hitachi SH5 31*ae316d1dSXin LI>0 uleshort 0x01c0 ARMv4 32*ae316d1dSXin LI>0 uleshort 0x01c2 ARMv4T 33*ae316d1dSXin LI>0 uleshort 0x01c4 ARMv7 34*ae316d1dSXin LI>0 uleshort 0x01d3 Matsushita AM33 35*ae316d1dSXin LI# executable (RISC System/6000 V3.1) or obj module (./ibm6000 v 1.15), not PE/COFF 36*ae316d1dSXin LI>0 uleshort 0x01df RISC System/6000 37*ae316d1dSXin LI>0 uleshort 0x01f0 PowerPC 32-bit (little-endian) 38*ae316d1dSXin LI>0 uleshort 0x01f1 PowerPC 32-bit with FPU (little-endian) 39*ae316d1dSXin LI>0 uleshort 0x01f2 PowerPC 64-bit (big-endian) 40*ae316d1dSXin LI>0 uleshort 0x0200 Intel Itanium 41*ae316d1dSXin LI>0 uleshort 0x0266 MIPS16 42*ae316d1dSXin LI>0 uleshort 0x0268 Motorola 68000 43*ae316d1dSXin LI>0 uleshort 0x0284 Alpha 64-bit 44*ae316d1dSXin LI>0 uleshort 0x0290 PA-RISC 45*ae316d1dSXin LI>0 uleshort 0x0366 MIPS with FPU 46*ae316d1dSXin LI>0 uleshort 0x0466 MIPS16 with FPU 47*ae316d1dSXin LI# Hitachi SH big-endian COFF (./hitachi-sh), not PE/COFF 48*ae316d1dSXin LI>0 uleshort 0x0500 Hitachi SH (big-endian) 49*ae316d1dSXin LI>0 uleshort 0x0520 Tricore 50*ae316d1dSXin LI# Hitachi SH little-endian COFF (./hitachi-sh), not PE/COFF 51*ae316d1dSXin LI>0 uleshort 0x0550 Hitachi SH (little-endian) 52*ae316d1dSXin LI>0 uleshort 0x0601 PowerPC 32-bit (big-endian) 53*ae316d1dSXin LI# Windows CE 3.0 Common Executable Format, created by linkcef.exe with /MACHINE:CEF flag 54*ae316d1dSXin LI# https://web.archive.org/web/20000819035046/http://microsoft.com/windows/embedded/ce/downloads/cef.asp 55*ae316d1dSXin LI# https://web.archive.org/web/20000914080342/http://microsoft.com/windows/embedded/ce/developer/applications/appdevelopment/cef2.asp 56*ae316d1dSXin LI# https://web.archive.org/web/20021022055906/http://msdn.microsoft.com/library/en-us/dnce30/html/cef2.asp 57*ae316d1dSXin LI>0 uleshort 0x0cef Common Executable Format 58*ae316d1dSXin LI>0 uleshort 0x0ebc EFI byte code 59*ae316d1dSXin LI>0 uleshort 0x3a64 ARM64 (i386 ABI) 60*ae316d1dSXin LI>0 uleshort 0x5032 RISC-V 32-bit 61*ae316d1dSXin LI>0 uleshort 0x5064 RISC-V 64-bit 62*ae316d1dSXin LI>0 uleshort 0x5128 RISC-V 128-bit 63*ae316d1dSXin LI>0 uleshort 0x6232 LoongArch 32-bit 64*ae316d1dSXin LI>0 uleshort 0x6264 LoongArch 64-bit 65*ae316d1dSXin LI>0 uleshort 0x8664 x86-64 66*ae316d1dSXin LI>0 uleshort 0x9041 Mitsubishi M32R 67*ae316d1dSXin LI>0 uleshort 0xa641 ARM64 (x86-64 ABI) 68*ae316d1dSXin LI>0 uleshort 0xa64e ARM64 (classic + x86-64 ABI) 69*ae316d1dSXin LI# PE/COFF ARM64 classic ABI, ARM COFF (./arm) 70*ae316d1dSXin LI>0 uleshort 0xaa64 ARM64 71*ae316d1dSXin LI>0 uleshort 0xace1 OMNI VM (omniprox.dll) 72*ae316d1dSXin LI# Processor type CEE can be only in object files (created by older ilasm.exe with /OBJECT flag), not in PE executables 73*ae316d1dSXin LI>0 uleshort 0xc0ee COM+ Execution Engine 74*ae316d1dSXin LI>0 default x Unknown processor 75*ae316d1dSXin LI>>0 uleshort x 0x%04x 763e41d09dSXin LI 773e41d09dSXin LI# display name+variables+flags of Common Object Files Format (32bit) 783e41d09dSXin LI# Maybe used also in adi,att3b,clipper,hitachi-sh,hp,ibm6000,intel, 793e41d09dSXin LI# mips,motorola,msdos,osf1,sharc,varied.out,vax 803e41d09dSXin LI0 name display-coff 81*ae316d1dSXin LI# test for unused flag bits (0x8000,x0080) in f_flags 82*ae316d1dSXin LI# flag bits (0x0800,0x0400,0x0200) now seems to be used in RISC System/6000 V3.1 83*ae316d1dSXin LI>18 uleshort&0x8080 0 8443a5ec4eSXin LI# skip DOCTOR.DAILY READER.NDA REDBOX.ROOT by looking for positive number of sections 8543a5ec4eSXin LI>>2 uleshort >0 8643a5ec4eSXin LI# skip ega80woa.fnt svgafix.fnt HP3FNTS1.DAT HP3FNTS2.DAT INTRO.ACT LEARN.PIF by looking for low number of sections 8743a5ec4eSXin LI>>>2 uleshort <4207 883e41d09dSXin LI# f_magic - magic number 89*ae316d1dSXin LI>>>>0 use display-coff-processor 9043a5ec4eSXin LI>>>>0 uleshort x COFF 913e41d09dSXin LI# F_EXEC flag bit 9243a5ec4eSXin LI>>>>18 leshort ^0x0002 object file 9343a5ec4eSXin LI!:mime application/x-coff 9443a5ec4eSXin LI!:ext o/obj/lib 9543a5ec4eSXin LI# no cof sample found 963e41d09dSXin LI#!:ext cof/o/obj/lib 9743a5ec4eSXin LI>>>>18 leshort &0x0002 executable 983e41d09dSXin LI#!:mime application/x-coffexec 99*ae316d1dSXin LI!:mime application/x-coff-executable 100*ae316d1dSXin LI# typically no file name suffix for executables 101*ae316d1dSXin LI!:ext / 1023e41d09dSXin LI# F_RELFLG flag bit,static object 10343a5ec4eSXin LI>>>>18 leshort &0x0001 \b, no relocation info 1043e41d09dSXin LI# F_LNNO flag bit 10543a5ec4eSXin LI>>>>18 leshort &0x0004 \b, no line number info 1063e41d09dSXin LI# F_LSYMS flag bit 10743a5ec4eSXin LI>>>>18 leshort &0x0008 \b, stripped 10843a5ec4eSXin LI>>>>18 leshort ^0x0008 \b, not stripped 1093e41d09dSXin LI# flags in other COFF versions 1103e41d09dSXin LI#0x0010 F_FDPR_PROF 1113e41d09dSXin LI#0x0020 F_FDPR_OPTI 1123e41d09dSXin LI#0x0040 F_DSA 1133e41d09dSXin LI# F_AR32WR flag bit 11443a5ec4eSXin LI#>>>>18 leshort &0x0100 \b, 32 bit little endian 1153e41d09dSXin LI#0x1000 F_DYNLOAD 1163e41d09dSXin LI#0x2000 F_SHROBJ 1173e41d09dSXin LI#0x4000 F_LOADONLY 11843a5ec4eSXin LI# f_nscns - number of sections like: 1 2 3 4 5 7 8 9 11 12 15 16 19 20 21 22 26 30 36 40 42 56 80 89 96 124 11943a5ec4eSXin LI>>>>2 uleshort <2 \b, %u section 12043a5ec4eSXin LI>>>>2 uleshort >1 \b, %u sections 1213e41d09dSXin LI# f_symptr - symbol table pointer, only for not stripped 12243a5ec4eSXin LI# like: 0 0x7c 0xf4 0x104 0x182 0x1c2 0x1c6 0x468 0x948 0x416e 0x149a6 0x1c9d8 0x23a68 0x35120 0x7afa0 12343a5ec4eSXin LI>>>>8 ulelong >0 \b, symbol offset=%#x 1243e41d09dSXin LI# f_nsyms - number of symbols, only for not stripped 12543a5ec4eSXin LI# like: 0 2 7 9 10 11 20 35 41 63 71 80 105 146 153 158 170 208 294 572 831 1546 12643a5ec4eSXin LI>>>>12 ulelong >0 \b, %d symbols 12743a5ec4eSXin LI# f_opthdr - optional header size. An object file should have a value of 0 128*ae316d1dSXin LI# like: 72 (IBM\HH\HYPERHLP) 12943a5ec4eSXin LI>>>>16 uleshort >0 \b, optional header size %u 130*ae316d1dSXin LI# f_timdat - file time & date stamp 13143a5ec4eSXin LI>>>>4 ledate >0 \b, created %s 1323e41d09dSXin LI# at offset 20 can be optional header, extra bytes FILHSZ-20 because 1333e41d09dSXin LI# do not rely on sizeof(FILHDR) to give the correct size for header. 1343e41d09dSXin LI# or first section header 1353e41d09dSXin LI# additional variables for other COFF files 13643a5ec4eSXin LI>>>>16 uleshort =0 137*ae316d1dSXin LI# most section names start with point character except samples created by "exotic" compilers 138*ae316d1dSXin LI# first section name s_name[8] like: .text .data .debug$S .drectve .testseg .rsrc .rsrc$01 .pad 139*ae316d1dSXin LI>>>>>(16.s+20) string x \b, 1st section name "%.8s" 140*ae316d1dSXin LI# physical address s_paddr like: 0 141*ae316d1dSXin LI#>>>>>(16.s+28) lelong !0 \b, s_paddr %#8.8x 142*ae316d1dSXin LI# virtual address s_vaddr like: 0 143*ae316d1dSXin LI#>>>>>(16.s+32) lelong !0 \b, s_vaddr %#8.8x 144*ae316d1dSXin LI# section size s_size 145*ae316d1dSXin LI#>>>>>(16.s+36) lelong x \b, s_size %#8.8x 146*ae316d1dSXin LI# file ptr to raw data for section s_scnpt 147*ae316d1dSXin LI#>>>>>(16.s+40) lelong x \b, s_scnpt %#8.8x 148*ae316d1dSXin LI# file ptr to relocation s_relptr like: 0 149*ae316d1dSXin LI#>>>>>(16.s+44) lelong !0 \b, s_relptr %#8.8x 150*ae316d1dSXin LI# file ptr to gp histogram s_lnnoptr like: 0 151*ae316d1dSXin LI#>>>>>(16.s+48) lelong !0 \b, s_lnnoptr %#8.8x 152*ae316d1dSXin LI# number of relocation entries s_nreloc like: 0 1 2 5 6 8 19h 26h 27h 38h 50h 5Fh 89h Dh 1Ch 69h A9h 1DCh 651h 153*ae316d1dSXin LI#>>>>>(16.s+52) uleshort x \b, s_nreloc %#4.4x 154*ae316d1dSXin LI# number of gp histogram entries s_nlnno like: 0 155*ae316d1dSXin LI#>>>>>(16.s+54) uleshort !0 \b, s_nlnno %#4.4x 156*ae316d1dSXin LI# flags s_flags 157*ae316d1dSXin LI#>>>>>(16.s+56) lelong x \b, s_flags %#8.8x 158*ae316d1dSXin LI# second section name s_name[8] like: .bss .data .debug$S .rsrc$01 159*ae316d1dSXin LI>>>>2 uleshort >1 160*ae316d1dSXin LI>>>>>(16.s+60) string x \b, 2nd section name "%.8s" 1613e41d09dSXin LI# >20 beshort 0407 (impure) 1623e41d09dSXin LI# >20 beshort 0410 (pure) 1633e41d09dSXin LI# >20 beshort 0413 (demand paged) 1643e41d09dSXin LI# >20 beshort 0421 (standalone) 1653e41d09dSXin LI# >22 leshort >0 - version %d 1663e41d09dSXin LI# >168 string .lowmem Apple toolbox 1673e41d09dSXin LI 168*ae316d1dSXin LI# PowerPC COFF object file or executable 169*ae316d1dSXin LI0 leshort 0x01f0 170*ae316d1dSXin LI>16 leshort 0 171*ae316d1dSXin LI>>0 use display-coff 172*ae316d1dSXin LI# can be created by: LINK.EXE /MACHINE:powerpc /ROM 173*ae316d1dSXin LI>16 leshort !0 174*ae316d1dSXin LI>>18 leshort &0x0002 175*ae316d1dSXin LI>>>20 leshort 0x010b 176*ae316d1dSXin LI>>>>0 use display-coff 177*ae316d1dSXin LI0 leshort 0x01f1 178*ae316d1dSXin LI>16 leshort 0 179*ae316d1dSXin LI>>0 use display-coff 180*ae316d1dSXin LI0 leshort 0x01f2 181*ae316d1dSXin LI>16 leshort 0 182*ae316d1dSXin LI>>0 use display-coff 183*ae316d1dSXin LI0 leshort 0x0601 184*ae316d1dSXin LI>16 leshort 0 185*ae316d1dSXin LI>>0 use display-coff 186*ae316d1dSXin LI# can be created by: LINK.EXE /MACHINE:MPPC /ROM 187*ae316d1dSXin LI>16 leshort !0 188*ae316d1dSXin LI>>18 leshort &0x0002 189*ae316d1dSXin LI>>>20 leshort 0x010b 190*ae316d1dSXin LI>>>>0 use display-coff 191*ae316d1dSXin LI 192*ae316d1dSXin LI0 name display-subsystem 193*ae316d1dSXin LI>0 ubyte 0 unknown 194*ae316d1dSXin LI>0 ubyte 1 native 195*ae316d1dSXin LI>0 ubyte 2 windows_gui 196*ae316d1dSXin LI>0 ubyte 3 windows_cui 197*ae316d1dSXin LI>0 ubyte 7 posix_cui 198*ae316d1dSXin LI>0 ubyte 9 windows_ce_gui 199*ae316d1dSXin LI>0 ubyte 10 efi_application 200*ae316d1dSXin LI>0 ubyte 11 efi_boot_service_driver 201*ae316d1dSXin LI>0 ubyte 12 efi_runtime_driver 202*ae316d1dSXin LI>0 ubyte 13 efi_rom 203*ae316d1dSXin LI>0 ubyte 14 xbox 204*ae316d1dSXin LI>0 ubyte 16 windows_boot-application 205*ae316d1dSXin LI>0 default x Unknown subsystem 206*ae316d1dSXin LI>>0 ubyte x %#x 207*ae316d1dSXin LI 208*ae316d1dSXin LI 209*ae316d1dSXin LI# https://formats.kaitai.io/uefi_te/index.html 210*ae316d1dSXin LI0 string VZ TE (Terse Executable) file 211*ae316d1dSXin LI>2 use display-coff-processor 212*ae316d1dSXin LI>4 byte x \b, sections %d 213*ae316d1dSXin LI>5 use display-subsystem 214*ae316d1dSXin LI>6 uleshort x \b, stripped-size %u 215*ae316d1dSXin LI>8 ulelong x \b, entry %#x 216*ae316d1dSXin LI>12 ulelong x \b, base_of_code %#x 217*ae316d1dSXin LI>16 ulequad x \b, image_base %#llx 218