#------------------------------------------------------------------------------
# $File: msdos,v 1.65 2009/09/19 16:28:11 christos Exp $
# msdos:  file(1) magic for MS-DOS files
#

# .BAT files (Daniel Quinlan, quinlan@yggdrasil.com)
# updated by Joerg Jenderek at Oct 2008
0	string	@
>1	string/cW	\ echo\ off	DOS batch file text
!:mime	text/x-msdos-batch
>1	string/cW	echo\ off	DOS batch file text
!:mime	text/x-msdos-batch
>1	string/cW	rem\ 	DOS batch file text
!:mime	text/x-msdos-batch
>1	string/cW	set\ 	DOS batch file text
!:mime	text/x-msdos-batch


# OS/2 batch files are REXX. the second regex is a bit generic, oh well
# the matched commands seem to be common in REXX and uncommon elsewhere
100	regex/c	=^[\ \t]{0,10}call[\ \t]{1,10}rxfunc	OS/2 REXX batch file text
100	regex/c	=^[\ \t]{0,10}say\ ['"]	OS/2 REXX batch file text

0	leshort	0x14c	MS Windows COFF Intel 80386 object file
#>4	ledate	x	stamp %s
0	leshort	0x166	MS Windows COFF MIPS R4000 object file
#>4	ledate	x	stamp %s
0	leshort	0x184	MS Windows COFF Alpha object file
#>4	ledate	x	stamp %s
0	leshort	0x268	MS Windows COFF Motorola 68000 object file
#>4	ledate	x	stamp %s
0	leshort	0x1f0	MS Windows COFF PowerPC object file
#>4	ledate	x	stamp %s
0	leshort	0x290	MS Windows COFF PA-RISC object file
#>4	ledate	x	stamp %s

# XXX - according to Microsoft's spec, at an offset of 0x3c in a
# PE-format executable is the offset in the file of the PE header;
# unfortunately, that's a little-endian offset, and there's no way
# to specify an indirect offset with a specified byte order.
# So, for now, we assume the standard MS-DOS stub, which puts the
# PE header at 0x80 = 128.
#
# Required OS version and subsystem version were 4.0 on some NT 3.51
# executables built with Visual C++ 4.0, so it's not clear that
# they're interesting.  The user version was 0.0, but there's
# probably some linker directive to set it.  The linker version was
# 3.0, except for one ".exe" which had it as 4.20 (same damn linker!).
#
# many of the compressed formats were extracted from IDARC 1.23 source code
#
0	string	MZ
!:mime	application/x-dosexec
>0x18	leshort	<0x40	MS-DOS executable
>0	string	MZ\0\0\0\0\0\0\0\0\0\0PE\0\0	\b, PE for MS Windows
>>&18	leshort&0x2000	>0	(DLL)
>>&88	leshort	0	(unknown subsystem)
>>&88	leshort	1	(native)
>>&88	leshort	2	(GUI)
>>&88	leshort	3	(console)
>>&88	leshort	7	(POSIX)
>>&0	leshort	0x0	unknown processor
>>&0	leshort	0x14c	Intel 80386
>>&0	leshort	0x166	MIPS R4000
>>&0	leshort	0x184	Alpha
>>&0	leshort	0x268	Motorola 68000
>>&0	leshort	0x1f0	PowerPC
>>&0	leshort	0x290	PA-RISC
>>&18	leshort&0x0100	>0	32-bit
>>&18	leshort&0x1000	>0	system file
>>&0xf4	search/0x140	\x0\x40\x1\x0
>>>(&0.l+(4))	string	MSCF	\b, WinHKI CAB self-extracting archive
>30	string	Copyright\ 1989-1990\ PKWARE\ Inc.	Self-extracting PKZIP archive
!:mime	application/zip
# Is next line correct? One might expect "Corp." not "Copr." If it is right, add a note to that effect.
>30	string	PKLITE\ Copr.	Self-extracting PKZIP archive
!:mime	application/zip

>0x18	leshort	>0x3f
>>(0x3c.l)	string	PE\0\0	PE
>>>(0x3c.l+25)	byte	1	\b32 executable
>>>(0x3c.l+25)	byte	2	\b32+ executable
# hooray, there's a DOS extender using the PE format, with a valid PE
# executable inside (which just prints a message and exits if run in win)
>>>(0x3c.l+92)	leshort	<10
>>>>(8.s*16)	string	32STUB	for MS-DOS, 32rtm DOS extender
>>>>(8.s*16)	string	!32STUB	for MS Windows
>>>>>(0x3c.l+22)	leshort&0x2000	>0	(DLL)
>>>>>(0x3c.l+92)	leshort	0	(unknown subsystem)
>>>>>(0x3c.l+92)	leshort	1	(native)
>>>>>(0x3c.l+92)	leshort	2	(GUI)
>>>>>(0x3c.l+92)	leshort	3	(console)
>>>>>(0x3c.l+92)	leshort	7	(POSIX)
>>>(0x3c.l+92)	leshort	10	(EFI application)
>>>(0x3c.l+92)	leshort	11	(EFI boot service driver)
>>>(0x3c.l+92)	leshort	12	(EFI runtime driver)
>>>(0x3c.l+92)	leshort	13	(XBOX)
>>>(0x3c.l+4)	leshort	0x0	unknown processor
>>>(0x3c.l+4)	leshort	0x14c	Intel 80386
>>>(0x3c.l+4)	leshort	0x166	MIPS R4000
>>>(0x3c.l+4)	leshort	0x184	Alpha
>>>(0x3c.l+4)	leshort	0x268	Motorola 68000
>>>(0x3c.l+4)	leshort	0x1f0	PowerPC
>>>(0x3c.l+4)	leshort	0x290	PA-RISC
>>>(0x3c.l+4)	leshort	0x200	Intel Itanium
>>>(0x3c.l+22)	leshort&0x0100	>0	32-bit
>>>(0x3c.l+22)	leshort&0x1000	>0	system file
>>>(0x3c.l+232)	lelong	>0	Mono/.Net assembly

>>>>(0x3c.l+0xf8)	string	UPX0	\b, UPX compressed
>>>>(0x3c.l+0xf8)	search/0x140	PEC2	\b, PECompact2 compressed
>>>>(0x3c.l+0xf8)	search/0x140	UPX2
>>>>>(&0x10.l+(-4))	string	PK\3\4	\b, ZIP self-extracting archive (Info-Zip)
>>>>(0x3c.l+0xf8)	search/0x140	.idata
>>>>>(&0xe.l+(-4))	string	PK\3\4	\b, ZIP self-extracting archive (Info-Zip)
>>>>>(&0xe.l+(-4))	string	ZZ0	\b, ZZip self-extracting archive
>>>>>(&0xe.l+(-4))	string	ZZ1	\b, ZZip self-extracting archive
>>>>(0x3c.l+0xf8)	search/0x140	.rsrc
>>>>>(&0x0f.l+(-4))	string	a\\\4\5	\b, WinHKI self-extracting archive
>>>>>(&0x0f.l+(-4))	string	Rar!	\b, RAR self-extracting archive
>>>>>(&0x0f.l+(-4))	search/0x3000	MSCF	\b, InstallShield self-extracting archive
>>>>>(&0x0f.l+(-4))	search/32	Nullsoft	\b, Nullsoft Installer self-extracting archive
>>>>(0x3c.l+0xf8)	search/0x140	.data
>>>>>(&0x0f.l)	string	WEXTRACT	\b, MS CAB-Installer self-extracting archive
>>>>(0x3c.l+0xf8)	search/0x140	.petite\0	\b, Petite compressed
>>>>>(0x3c.l+0xf7)	byte	x
>>>>>>(&0x104.l+(-4))	string	=!sfx!	\b, ACE self-extracting archive
>>>>(0x3c.l+0xf8)	search/0x140	.WISE	\b, WISE installer self-extracting archive
>>>>(0x3c.l+0xf8)	search/0x140	.dz\0\0\0	\b, Dzip self-extracting archive
>>>>(0x3c.l+0xf8)	search/0x140	.reloc
>>>>>(&0xe.l+(-4))	search/0x180	PK\3\4	\b, ZIP self-extracting archive (WinZip)

>>>>&(0x3c.l+0xf8)	search/0x100	_winzip_	\b, ZIP self-extracting archive (WinZip)
>>>>&(0x3c.l+0xf8)	search/0x100	SharedD	\b, Microsoft Installer self-extracting archive
>>>>0x30	string	Inno	\b, InnoSetup self-extracting archive

>>(0x3c.l)	string	!PE\0\0	MS-DOS executable

>>(0x3c.l)	string	NE	\b, NE
>>>(0x3c.l+0x36)	byte	0	(unknown OS)
>>>(0x3c.l+0x36)	byte	1	for OS/2 1.x
>>>(0x3c.l+0x36)	byte	2	for MS Windows 3.x
>>>(0x3c.l+0x36)	byte	3	for MS-DOS
>>>(0x3c.l+0x36)	byte	>3	(unknown OS)
>>>(0x3c.l+0x36)	byte	0x81	for MS-DOS, Phar Lap DOS extender
>>>(0x3c.l+0x0c)	leshort&0x8003	0x8002	(DLL)
>>>(0x3c.l+0x0c)	leshort&0x8003	0x8001	(driver)
>>>&(&0x24.s-1)	string	ARJSFX	\b, ARJ self-extracting archive
>>>(0x3c.l+0x70)	search/0x80	WinZip(R)\ Self-Extractor	\b, ZIP self-extracting archive (WinZip)

>>(0x3c.l)	string	LX\0\0	\b, LX
>>>(0x3c.l+0x0a)	leshort	<1	(unknown OS)
>>>(0x3c.l+0x0a)	leshort	1	for OS/2
>>>(0x3c.l+0x0a)	leshort	2	for MS Windows
>>>(0x3c.l+0x0a)	leshort	3	for DOS
>>>(0x3c.l+0x0a)	leshort	>3	(unknown OS)
>>>(0x3c.l+0x10)	lelong&0x28000	=0x8000	(DLL)
>>>(0x3c.l+0x10)	lelong&0x20000	>0	(device driver)
>>>(0x3c.l+0x10)	lelong&0x300	0x300	(GUI)
>>>(0x3c.l+0x10)	lelong&0x28300	<0x300	(console)
>>>(0x3c.l+0x08)	leshort	1	i80286
>>>(0x3c.l+0x08)	leshort	2	i80386
>>>(0x3c.l+0x08)	leshort	3	i80486
>>>(8.s*16)	string	emx	\b, emx
>>>>&1	string	x	%s
>>>&(&0x54.l-3)	string	arjsfx	\b, ARJ self-extracting archive

# MS Windows system file, supposedly a collection of LE executables
>>(0x3c.l)	string	W3	\b, W3 for MS Windows

>>(0x3c.l)	string	LE\0\0	\b, LE executable
>>>(0x3c.l+0x0a)	leshort	1
# some DOS extenders use LE files with OS/2 header
>>>>0x240	search/0x100	DOS/4G	for MS-DOS, DOS4GW DOS extender
>>>>0x240	search/0x200	WATCOM\ C/C++	for MS-DOS, DOS4GW DOS extender
>>>>0x440	search/0x100	CauseWay\ DOS\ Extender	for MS-DOS, CauseWay DOS extender
>>>>0x40	search/0x40	PMODE/W	for MS-DOS, PMODE/W DOS extender
>>>>0x40	search/0x40	STUB/32A	for MS-DOS, DOS/32A DOS extender (stub)
>>>>0x40	search/0x80	STUB/32C	for MS-DOS, DOS/32A DOS extender (configurable stub)
>>>>0x40	search/0x80	DOS/32A	for MS-DOS, DOS/32A DOS extender (embedded)
# this is a wild guess; hopefully it is a specific signature
>>>>&0x24	lelong	<0x50
>>>>>(&0x4c.l)	string	\xfc\xb8WATCOM
>>>>>>&0	search/8	3\xdbf\xb9	\b, 32Lite compressed
# another wild guess: if real OS/2 LE executables exist, they probably have higher start EIP
#>>>>(0x3c.l+0x1c)	lelong	>0x10000	for OS/2
# fails with DOS-Extenders.
>>>(0x3c.l+0x0a)	leshort	2	for MS Windows
>>>(0x3c.l+0x0a)	leshort	3	for DOS
>>>(0x3c.l+0x0a)	leshort	4	for MS Windows (VxD)
>>>(&0x7c.l+0x26)	string	UPX	\b, UPX compressed
>>>&(&0x54.l-3)	string	UNACE	\b, ACE self-extracting archive

# looks like ASCII, probably some embedded copyright message.
# and definitely not NE/LE/LX/PE
>>0x3c	lelong	>0x20000000
>>>(4.s*512)	leshort	!0x014c	\b, MZ for MS-DOS
# header data too small for extended executable
>2	long	!0
>>0x18	leshort	<0x40
>>>(4.s*512)	leshort	!0x014c

>>>>&(2.s-514)	string	!LE
>>>>>&-2	string	!BW	\b, MZ for MS-DOS
>>>>&(2.s-514)	string	LE	\b, LE
>>>>>0x240	search/0x100	DOS/4G	for MS-DOS, DOS4GW DOS extender
# educated guess since indirection is still not capable enough for complex offset
# calculations (next embedded executable would be at &(&2*512+&0-2)
# I suspect there are only LE executables in these multi-exe files
>>>>&(2.s-514)	string	BW
>>>>>0x240	search/0x100	DOS/4G	,\b LE for MS-DOS, DOS4GW DOS extender (embedded)
>>>>>0x240	search/0x100	!DOS/4G	,\b BW collection for MS-DOS

# This sequence skips to the first COFF segment, usually .text
>(4.s*512)	leshort	0x014c	\b, COFF
>>(8.s*16)	string	go32stub	for MS-DOS, DJGPP go32 DOS extender
>>(8.s*16)	string	emx
>>>&1	string	x	for DOS, Win or OS/2, emx %s
>>&(&0x42.l-3)	byte	x
>>>&0x26	string	UPX	\b, UPX compressed
# and yet another guess: small .text, and after large .data is unusual, could be 32lite
>>&0x2c	search/0xa0	.text
>>>&0x0b	lelong	<0x2000
>>>>&0	lelong	>0x6000	\b, 32lite compressed

>(8.s*16)	string	$WdX	\b, WDos/X DOS extender

# .EXE formats (Greg Roelofs, newt@uchicago.edu)
#
>0x35	string	\x8e\xc0\xb9\x08\x00\xf3\xa5\x4a\x75\xeb\x8e\xc3\x8e\xd8\x33\xff\xbe\x30\x00\x05	\b, aPack compressed
>0xe7	string	LH/2\ Self-Extract	\b, %s
>0x1c	string	diet	\b, diet compressed
>0x1c	string	LZ09	\b, LZEXE v0.90 compressed
>0x1c	string	LZ91	\b, LZEXE v0.91 compressed
>0x1c	string	tz	\b, TinyProg compressed
>0x1e	string	PKLITE	\b, %s compressed
>0x64	string	W\ Collis\0\0	\b, Compack compressed
>0x24	string	LHa's\ SFX	\b, LHa self-extracting archive
!:mime	application/x-lha
>0x24	string	LHA's\ SFX	\b, LHa self-extracting archive
!:mime	application/x-lha
>0x24	string	\ $ARX	\b, ARX self-extracting archive
>0x24	string	\ $LHarc	\b, LHarc self-extracting archive
>0x20	string	SFX\ by\ LARC	\b, LARC self-extracting archive
>1638	string	-lh5-	\b, LHa self-extracting archive v2.13S
>0x17888	string	Rar!	\b, RAR self-extracting archive
>0x40	string	aPKG	\b, aPackage self-extracting archive

>32	string	AIN
>>35	string	2	\b, AIN 2.x compressed
>>35	string	<2	\b, AIN 1.x compressed
>>35	string	>2	\b, AIN 1.x compressed
>28	string	UC2X	\b, UCEXE compressed
>28	string	WWP\ 	\b, WWPACK compressed

# skip to the end of the exe
>(4.s*512)	long	x
>>&(2.s-517)	byte	x
>>>&0	string	PK\3\4	\b, ZIP self-extracting archive
>>>&0	string	Rar!	\b, RAR self-extracting archive
>>>&0	string	=!\x11	\b, AIN 2.x self-extracting archive
>>>&0	string	=!\x12	\b, AIN 2.x self-extracting archive
>>>&0	string	=!\x17	\b, AIN 1.x self-extracting archive
>>>&0	string	=!\x18	\b, AIN 1.x self-extracting archive
>>>&7	search/400	**ACE**	\b, ACE self-extracting archive
>>>&0	search/0x480	UC2SFX\ Header	\b, UC2 self-extracting archive

>0x1c	string	RJSX	\b, ARJ self-extracting archive
# winarj stores a message in the stub instead of the sig in the MZ header
>0x20	search/0xe0	aRJsfX	\b, ARJ self-extracting archive

# a few unknown ZIP sfxes, no idea if they are needed or if they are
# already captured by the generic patterns above
>122	string	Windows\ self-extracting\ ZIP	\b, ZIP self-extracting archive
>(8.s*16)	search/0x20	PKSFX	\b, ZIP self-extracting archive (PKZIP)
# TODO: how to add this? >FileSize-34 string Windows\ Self-Installing\ Executable \b, ZIP self-extracting archive
#

# TELVOX Teleinformatica CODEC self-extractor for OS/2:
>49801	string	\x79\xff\x80\xff\x76\xff	\b, CODEC archive v3.21
>>49824	leshort	=1	\b, 1 file
>>49824	leshort	>1	\b, %u files

# .COM formats (Daniel Quinlan, quinlan@yggdrasil.com)
# Uncommenting only the first two lines will cover about 2/3 of COM files,
# but it isn't feasible to match all COM files since there must be at least
# two dozen different one-byte "magics".
# test too generic ?
0	byte	0xe9	DOS executable (COM)
>0x1FE	leshort	0xAA55	\b, boot code
>6	string	SFX\ of\ LHarc	(%s)
0	belong	0xffffffff	DOS executable (device driver)
#CMD640X2.SYS
>10	string	>\x23
>>10	string	!\x2e
>>>17	string	<\x5B
>>>>10	string	x	\b, name: %.8s
#UDMA.SYS KEYB.SYS CMD640X2.SYS
>10	string	<\x41
>>12	string	>\x40
>>>10	string	!$
>>>>12	string	x	\b, name: %.8s
#BTCDROM.SYS ASPICD.SYS
>22	string	>\x40
>>22	string	<\x5B
>>>23	string	<\x5B
>>>>22	string	x	\b, name: %.8s
#ATAPICD.SYS
>76	string	\0
>>77	string	>\x40
>>>77	string	<\x5B
>>>>77	string	x	\b, name: %.8s
# test too generic ?
0	byte	0x8c	DOS executable (COM)
# updated by Joerg Jenderek at Oct 2008
0	ulelong	0xffff10eb	DR-DOS executable (COM)
# byte 0xeb conflicts with "sequent" magic leshort 0xn2eb
0	ubeshort&0xeb8d	>0xeb00
# DR-DOS STACKER.COM SCREATE.SYS missed
>0	byte	0xeb	DOS executable (COM)
>>0x1FE	leshort	0xAA55	\b, boot code
>>85	string	UPX	\b, UPX compressed
>>4	string	\ $ARX	\b, ARX self-extracting archive
>>4	string	\ $LHarc	\b, LHarc self-extracting archive
>>0x20e	string	SFX\ by\ LARC	\b, LARC self-extracting archive
# updated by Joerg Jenderek at Oct 2008
#0	byte	0xb8	COM executable
0	uleshort&0x80ff	0x00b8
# modified by Joerg Jenderek
>1	lelong	!0x21cd4cff	COM executable for DOS
# http://syslinux.zytor.com/comboot.php
# (32-bit COMBOOT) programs *.C32 contain 32-bit code and run in flat-memory 32-bit protected mode
# start with assembler instructions mov eax,21cd4cffh
0	uleshort&0xc0ff	0xc0b8
>1	lelong	0x21cd4cff	COM executable (32-bit COMBOOT)
0	string	\x81\xfc
>4	string	\x77\x02\xcd\x20\xb9
>>36	string	UPX!	FREE-DOS executable (COM), UPX compressed
252	string	Must\ have\ DOS\ version	DR-DOS executable (COM)
# added by Joerg Jenderek at Oct 2008
# GRR search is not working
#34	search/2	UPX!	FREE-DOS executable (COM), UPX compressed
34	string	UPX!	FREE-DOS executable (COM), UPX compressed
35	string	UPX!	FREE-DOS executable (COM), UPX compressed
# GRR search is not working
#2	search/28	\xcd\x21	COM executable for MS-DOS
#WHICHFAT.cOM
2	string	\xcd\x21	COM executable for DOS
#DELTREE.cOM DELTREE2.cOM
4	string	\xcd\x21	COM executable for DOS
#IFMEMDSK.cOM ASSIGN.cOM COMP.cOM
5	string	\xcd\x21	COM executable for DOS
#DELTMP.COm HASFAT32.cOM
7	string	\xcd\x21
>0	byte	!0xb8	COM executable for DOS
#COMP.cOM MORE.COm
10	string	\xcd\x21
>5	string	!\xcd\x21	COM executable for DOS
#comecho.com
13	string	\xcd\x21	COM executable for DOS
#HELP.COm EDIT.coM
18	string	\xcd\x21	COM executable for MS-DOS
#NWRPLTRM.COm
23	string	\xcd\x21	COM executable for MS-DOS
#LOADFIX.cOm LOADFIX.cOm
30	string	\xcd\x21	COM executable for MS-DOS
#syslinux.com 3.11
70	string	\xcd\x21	COM executable for DOS
# many compressed/converted COMs start with a copy loop instead of a jump
0x6	search/0xa	\xfc\x57\xf3\xa5\xc3	COM executable for MS-DOS
0x6	search/0xa	\xfc\x57\xf3\xa4\xc3	COM executable for DOS
>0x18	search/0x10	\x50\xa4\xff\xd5\x73	\b, aPack compressed
0x3c	string	W\ Collis\0\0	COM executable for MS-DOS, Compack compressed
# FIXME: missing diet .com compression

# miscellaneous formats
0	string	LZ	MS-DOS executable (built-in)
#0	byte	0xf0	MS-DOS program library data
#

# AAF files:
# <stuartc@rd.bbc.co.uk> Stuart Cunningham
0	string	\320\317\021\340\241\261\032\341AAFB\015\000OM\006\016\053\064\001\001\001\377	AAF legacy file using MS Structured Storage
>30	byte	9	(512B sectors)
>30	byte	12	(4kB sectors)
0	string	\320\317\021\340\241\261\032\341\001\002\001\015\000\002\000\000\006\016\053\064\003\002\001\001	AAF file using MS Structured Storage
>30	byte	9	(512B sectors)
>30	byte	12	(4kB sectors)

# Popular applications
2080	string	Microsoft\ Word\ 6.0\ Document	%s
!:mime	application/msword
2080	string	Documento\ Microsoft\ Word\ 6	Spanish Microsoft Word 6 document data
!:mime	application/msword
# Pawel Wiecek <coven@i17linuxb.ists.pwr.wroc.pl> (for polish Word)
2112	string	MSWordDoc	Microsoft Word document data
!:mime	application/msword
#
0	belong	0x31be0000	Microsoft Word Document
!:mime	application/msword
#
0	string	PO^Q`	Microsoft Word 6.0 Document
!:mime	application/msword
#
0	string	\376\067\0\043	Microsoft Office Document
!:mime	application/msword
0	string	\333\245-\0\0\0	Microsoft Office Document
!:mime	application/msword
512	string	\354\245\301	Microsoft Word Document
!:mime	application/msword
#
2080	string	Microsoft\ Excel\ 5.0\ Worksheet	%s
!:mime	application/vnd.ms-excel

2080	string	Foglio\ di\ lavoro\ Microsoft\ Exce	%s
!:mime	application/vnd.ms-excel
#
# Pawel Wiecek <coven@i17linuxb.ists.pwr.wroc.pl> (for polish Excel)
2114	string	Biff5	Microsoft Excel 5.0 Worksheet
!:mime	application/vnd.ms-excel
# Italian MS-Excel
2121	string	Biff5	Microsoft Excel 5.0 Worksheet
!:mime	application/vnd.ms-excel
0	string	\x09\x04\x06\x00\x00\x00\x10\x00	Microsoft Excel Worksheet
!:mime	application/vnd.ms-excel
#
0	belong	0x00001a00	Lotus 1-2-3
!:mime	application/x-123
>4	belong	0x00100400	wk3 document data
>4	belong	0x02100400	wk4 document data
>4	belong	0x07800100	fm3 or fmb document data
>4	belong	0x07800000	fm3 or fmb document data
#
0	belong	0x00000200	Lotus 1-2-3
!:mime	application/x-123
>4	belong	0x06040600	wk1 document data
>4	belong	0x06800200	fmt document data
0	string	WordPro\0	Lotus WordPro
!:mime	application/vnd.lotus-wordpro
0	string	WordPro\r\373	Lotus WordPro
!:mime	application/vnd.lotus-wordpro


# Summary: Script used by InstallShield to uninstall applications
# Extension: .isu
# Submitted by: unknown
# Modified by (1): Abel Cheung <abelcheung@gmail.com> (replace useless entry)
0	string	\x71\xa8\x00\x00\x01\x02
>12	string	Stirling\ Technologies,	InstallShield Uninstall Script

# Winamp .avs
#0	string	Nullsoft\ AVS\ Preset\ \060\056\061\032	A plug in for Winamp ms-windows Freeware media player
0	string	Nullsoft\ AVS\ Preset\ 	Winamp plug in

# Windows Metafont .WMF
0	string	\327\315\306\232	ms-windows metafont .wmf
0	string	\002\000\011\000	ms-windows metafont .wmf
0	string	\001\000\011\000	ms-windows metafont .wmf

#tz3 files whatever that is (MS Works files)
0	string	\003\001\001\004\070\001\000\000	tz3 ms-works file
0	string	\003\002\001\004\070\001\000\000	tz3 ms-works file
0	string	\003\003\001\004\070\001\000\000	tz3 ms-works file

# PGP sig files .sig
#0	string	\211\000\077\003\005\000\063\237\127 065 to \027\266\151\064\005\045\101\233\021\002	PGP sig
0	string	\211\000\077\003\005\000\063\237\127\065\027\266\151\064\005\045\101\233\021\002	PGP sig
0	string	\211\000\077\003\005\000\063\237\127\066\027\266\151\064\005\045\101\233\021\002	PGP sig
0	string	\211\000\077\003\005\000\063\237\127\067\027\266\151\064\005\045\101\233\021\002	PGP sig
0	string	\211\000\077\003\005\000\063\237\127\070\027\266\151\064\005\045\101\233\021\002	PGP sig
0	string	\211\000\077\003\005\000\063\237\127\071\027\266\151\064\005\045\101\233\021\002	PGP sig
0	string	\211\000\225\003\005\000\062\122\207\304\100\345\042	PGP sig

# windows zips files .dmf
0	string	MDIF\032\000\010\000\000\000\372\046\100\175\001\000\001\036\001\000	MS Windows special zipped file


#ico files
0	string	\102\101\050\000\000\000\056\000\000\000\000\000\000\000	Icon for MS Windows

# Windows icons (Ian Springer <ips@fpk.hp.com>)
0	string	\000\000\001\000	MS Windows icon resource
!:mime	image/x-ico
>4	byte	1	- 1 icon
>4	byte	>1	- %d icons
>>6	byte	>0	\b, %dx
>>>7	byte	>0	\b%d
>>8	byte	0	\b, 256-colors
>>8	byte	>0	\b, %d-colors


# .chr files
0	string	PK\010\010BGI	Borland font
>4	string	>\0	%s
# then there is a copyright notice


# .bgi files
0	string	pk\010\010BGI	Borland device
>4	string	>\0	%s
# then there is a copyright notice


# Windows Recycle Bin record file (named INFO2)
# By Abel Cheung (abelcheung AT gmail dot com)
# Version 4 always has 280 bytes (0x118) per record, version 5 has 800 bytes
# Since Vista uses another structure, INFO2 structure probably won't change
# anymore. Detailed analysis in:
# http://www.cybersecurityinstitute.biz/downloads/INFO2.pdf
0	lelong	0x00000004
>12	lelong	0x00000118	Windows Recycle Bin INFO2 file (Win98 or below)

0	lelong	0x00000005
>12	lelong	0x00000320	Windows Recycle Bin INFO2 file (Win2k - WinXP)


##### put in Either Magic/font or Magic/news
# Acroread or something files wrongly identified as G3 .pfm
# these have the form \000 \001 any? \002 \000 \000
# or \000 \001 any? \022 \000 \000
#0	string	\000\001	pfm?
#>3	string	\022\000\000Copyright\ 	yes
#>3	string	\002\000\000Copyright\ 	yes
#>3	string	>\0	oops, not a font file. Cancel that.
#it clashes with ttf files so put it lower down.

# From Doug Lee via a FreeBSD pr
9	string	GERBILDOC	First Choice document
9	string	GERBILDB	First Choice database
9	string	GERBILCLIP	First Choice database
0	string	GERBIL	First Choice device file
9	string	RABBITGRAPH	RabbitGraph file
0	string	DCU1	Borland Delphi .DCU file
0	string	=!<spell>	MKS Spell hash list (old format)
0	string	=!<spell2>	MKS Spell hash list
# Too simple - MPi
#0	string	AH	Halo(TM) bitmapped font file
0	lelong	0x08086b70	TurboC BGI file
0	lelong	0x08084b50	TurboC Font file

# WARNING: below line conflicts with Infocom game data Z-machine 3
0	byte	0x03	DBase 3 data file
>0x04	lelong	0	(no records)
>0x04	lelong	>0	(%ld records)
0	byte	0x83	DBase 3 data file with memo(s)
>0x04	lelong	0	(no records)
>0x04	lelong	>0	(%ld records)
0	leshort	0x0006	DBase 3 index file
0	string	PMCC	Windows 3.x .GRP file
1	string	RDC-meg	MegaDots
>8	byte	>0x2F	version %c
>9	byte	>0x2F	\b.%c file
0	lelong	0x4C
>4	lelong	0x00021401	Windows shortcut file

# DOS EPS Binary File Header
# From: Ed Sznyter <ews@Black.Market.NET>
0	belong	0xC5D0D3C6	DOS EPS Binary File
>4	long	>0	Postscript starts at byte %d
>>8	long	>0	length %d
>>>12	long	>0	Metafile starts at byte %d
>>>>16	long	>0	length %d
>>>20	long	>0	TIFF starts at byte %d
>>>>24	long	>0	length %d

# TNEF magic From "Joomy" <joomy@se-ed.net>
# Microsoft Outlook's Transport Neutral Encapsulation Format (TNEF)
0	lelong	0x223e9f78	TNEF
!:mime	application/vnd.ms-tnef

# HtmlHelp files (.chm)
0	string	ITSF\003\000\000\000\x60\000\000\000\001\000\000\000	MS Windows HtmlHelp Data

# GFA-BASIC (Wolfram Kleff)
2	string	GFA-BASIC3	GFA-BASIC 3 data

#------------------------------------------------------------------------------
# From Stuart Caie <kyzer@4u.net> (developer of cabextract)
# Microsoft Cabinet files
0	string	MSCF\0\0\0\0	Microsoft Cabinet archive data
!:mime	application/vnd.ms-cab-compressed
>8	lelong	x	\b, %u bytes
>28	leshort	1	\b, 1 file
>28	leshort	>1	\b, %u files

# InstallShield Cabinet files
0	string	ISc(	InstallShield Cabinet archive data
>5	byte&0xf0	=0x60	version 6,
>5	byte&0xf0	!0x60	version 4/5,
>(12.l+40)	lelong	x	%u files

# Windows CE package files
0	string	MSCE\0\0\0\0	Microsoft WinCE install header
>20	lelong	0	\b, architecture-independent
>20	lelong	103	\b, Hitachi SH3
>20	lelong	104	\b, Hitachi SH4
>20	lelong	0xA11	\b, StrongARM
>20	lelong	4000	\b, MIPS R4000
>20	lelong	10003	\b, Hitachi SH3
>20	lelong	10004	\b, Hitachi SH3E
>20	lelong	10005	\b, Hitachi SH4
>20	lelong	70001	\b, ARM 7TDMI
>52	leshort	1	\b, 1 file
>52	leshort	>1	\b, %u files
>56	leshort	1	\b, 1 registry entry
>56	leshort	>1	\b, %u registry entries


# Windows Enhanced Metafile (EMF)
# See msdn.microsoft.com/archive/en-us/dnargdi/html/msdn_enhmeta.asp
# for further information.
0	ulelong	1
>40	string	\ EMF	Windows Enhanced Metafile (EMF) image data
>>44	ulelong	x	version 0x%x

# From: Alex Beregszaszi <alex@fsn.hu>
0	string	COWD	VMWare3
>4	byte	3	disk image
>>32	lelong	x	(%d/
>>36	lelong	x	\b%d/
>>40	lelong	x	\b%d)
>4	byte	2	undoable disk image
>>32	string	>\0	(%s)

0	string	VMDK	VMware4 disk image
0	string	KDMV	VMware4 disk image

#--------------------------------------------------------------------
# Qemu Emulator Images
# Lines written by Friedrich Schwittay (f.schwittay@yousable.de)
# Made by reading sources and doing trial and error on existing
# qcow files
0	string	QFI	Qemu Image, Format: Qcow

# Uncomment the following line to display Magic (only used for debugging
# this magic number)
#>0	string	x	, Magic: %s

# There are currently 2 Versions: "1" and "2"
# I do not use Version 2 and therefore branch here
# but can assure: it works (tested on both versions)
# Also my Qemu 0.9.0 which uses this Version 2 refuses
# to start in its bios
>0x04	belong	2	, Version: 2
>0x04	belong	1	, Version: 1

# Using the existence of the Backing File Offset to Branch or not
# to read Backing File Information
>>0xc	belong	>0	, Backing File( Offset: %lu
>>>(0xc.L)	string	>\0	, Path: %s

# Didn't get the trick here how qemu stores the "Size" at this Position
# There is actually something stored but nothing makes sense
# The header in the sources talks about it
#>>>16	lelong	x	, Size: %lu

# Modification time of the Backing File
# Really useful if you want to know if your backing
# file is still usable together with this image
>>>20	bedate	x	, Mtime: %s )

# Don't know how to calculate in Magicfiles
# Also: this Information is not reliably
# stored in image-files
>>24	lelong	x	, Disk Size could be: %d * 256 bytes

0	string	QEVM	QEMU's suspend to disk image

0	string	Bochs\ Virtual\ HD\ Image	Bochs disk image,
>32	string	x	type %s,
>48	string	x	subtype %s

0	lelong	0x02468ace	Bochs Sparse disk image

# from http://filext.com by Derek M Jones <derek@knosof.co.uk>
# False positive with PPT (also currently this string is too long)
#0	string	\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x3E\x00\x03\x00\xFE\xFF\x09\x00\x06	Microsoft Installer
0	string	\320\317\021\340\241\261\032\341	Microsoft Office Document
#>48	byte	0x1B	Excel Document
#!:mime	application/vnd.ms-excel
>546	string	bjbj	Microsoft Word Document
!:mime	application/msword
>546	string	jbjb	Microsoft Word Document
!:mime	application/msword

0	string	\224\246\056	Microsoft Word Document
!:mime	application/msword

512	string	R\0o\0o\0t\0\ \0E\0n\0t\0r\0y	Microsoft Word Document
!:mime	application/msword

# From: "Nelson A. de Oliveira" <naoliv@gmail.com>
# Magic type for Dell's BIOS .hdr files
# Dell's .hdr
0	string	$RBU
>23	string	Dell	%s system BIOS
>48	string	x	version %.3s

# Type: Microsoft DirectDraw Surface
# URL: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/directx9_c/directx/graphics/reference/DDSFileReference/ddsfileformat.asp
# From: Morten Hustveit <morten@debian.org>
0	string	DDS\040\174\000\000\000	Microsoft DirectDraw Surface (DDS),
>16	lelong	>0	%hd x
>12	lelong	>0	%hd,
>84	string	x	%.4s

# Type: Microsoft Document Imaging Format (.mdi)
# URL: http://en.wikipedia.org/wiki/Microsoft_Document_Imaging_Format
# From: Daniele Sempione <scrows@oziosi.org>
0	short	0x5045	Microsoft Document Imaging Format

# MS eBook format (.lit)
0	string	ITOLITLS	Microsoft Reader eBook Data
>8	lelong	x	\b, version %u
!:mime	application/x-ms-reader
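
Added example (not part of the magic file or of the file(1) project): the MZ comment above notes that the PE header offset is stored little-endian at 0x3c and that an older rule simply assumed 0x80. This Python version of the `(0x3c.l)` PE rules follows the stored offset with bounds checks, so a truncated file or a bogus offset degrades to a safe answer. The function names and the sample builder are hypothetical; offsets and value tables are the ones used by the rules on this page.

```python
import struct

# Value tables taken from the (0x3c.l+4) and (0x3c.l+92) rules above.
MACHINES = {0x14C: "Intel 80386", 0x166: "MIPS R4000", 0x184: "Alpha",
            0x268: "Motorola 68000", 0x1F0: "PowerPC", 0x290: "PA-RISC",
            0x200: "Intel Itanium"}
SUBSYSTEMS = {1: "native", 2: "GUI", 3: "console", 7: "POSIX",
              10: "EFI application", 11: "EFI boot service driver",
              12: "EFI runtime driver", 13: "XBOX"}


def _read(data, fmt, off):
    """Unpack fmt at off, or return None if the field runs past the buffer."""
    if off < 0 or off + struct.calcsize(fmt) > len(data):
        return None
    return struct.unpack_from(fmt, data, off)[0]


def pe_at_fixed_0x80(data):
    """The shortcut described in the comment: assume the standard DOS stub."""
    return data[:2] == b"MZ" and data[0x80:0x84] == b"PE\0\0"


def classify_mz(data):
    """Classify an MZ file the way the indirect-offset rules do."""
    if data[:2] != b"MZ":
        return "not an MZ file"
    e_lfarlc = _read(data, "<H", 0x18)       # rule: >0x18 leshort <0x40
    if e_lfarlc is None or e_lfarlc < 0x40:
        return "MS-DOS executable"
    e_lfanew = _read(data, "<I", 0x3C)       # rule: (0x3c.l)
    if e_lfanew is None:
        return "MS-DOS executable"
    sig = data[e_lfanew:e_lfanew + 4]        # empty if the offset is past EOF
    if sig[:2] == b"NE":
        return "MS-DOS executable, NE"
    if sig in (b"LX\0\0", b"LE\0\0"):
        return "MS-DOS executable, " + sig[:2].decode("ascii")
    if sig != b"PE\0\0":
        return "MS-DOS executable"
    machine = _read(data, "<H", e_lfanew + 4)
    chars = _read(data, "<H", e_lfanew + 22)
    opt_hi = _read(data, "<B", e_lfanew + 25)    # 1 = PE32, 2 = PE32+
    subsystem = _read(data, "<H", e_lfanew + 92)
    if None in (machine, chars, opt_hi, subsystem):
        return "PE (truncated header)"
    parts = [{1: "PE32", 2: "PE32+"}.get(opt_hi, "PE") + " executable for MS Windows"]
    if chars & 0x2000:
        parts.append("(DLL)")
    parts.append("(%s)" % SUBSYSTEMS.get(subsystem, "unknown subsystem"))
    parts.append(MACHINES.get(machine, "unknown processor"))
    return " ".join(parts)


def make_sample(pe_off, machine=0x14C, chars=0x0102, opt_magic=0x10B, subsystem=3):
    """Build a constructed, minimal MZ+PE header (not a runnable executable)."""
    buf = bytearray(pe_off + 96)
    buf[0:2] = b"MZ"
    struct.pack_into("<H", buf, 0x18, 0x40)      # relocation table offset
    struct.pack_into("<I", buf, 0x3C, pe_off)    # e_lfanew
    buf[pe_off:pe_off + 4] = b"PE\0\0"
    struct.pack_into("<H", buf, pe_off + 4, machine)
    struct.pack_into("<H", buf, pe_off + 22, chars)
    struct.pack_into("<H", buf, pe_off + 24, opt_magic)
    struct.pack_into("<H", buf, pe_off + 92, subsystem)
    return bytes(buf)


if __name__ == "__main__":
    for off in (0x80, 0xE8):
        sample = make_sample(off)
        print(hex(off), pe_at_fixed_0x80(sample), classify_mz(sample))
```
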