#------------------------------------------------------------------------------
# msdos:  file(1) magic for MS-DOS files
#

# .BAT files (Daniel Quinlan, quinlan@yggdrasil.com)
# updated by Joerg Jenderek at Oct 2008
0	string	@
>1	string/cB	\ echo\ off	DOS batch file text
!:mime	text/x-msdos-batch
>1	string/cB	echo\ off	DOS batch file text
!:mime	text/x-msdos-batch
>1	string/cB	rem\ 	DOS batch file text
!:mime	text/x-msdos-batch
>1	string/cB	set\ 	DOS batch file text
!:mime	text/x-msdos-batch


# OS/2 batch files are REXX. the second regex is a bit generic, oh well
# the matched commands seem to be common in REXX and uncommon elsewhere
100	regex/c	=^[\ \t]{0,10}call[\ \t]{1,10}rxfunc	OS/2 REXX batch file text
100	regex/c	=^[\ \t]{0,10}say\ ['"]	OS/2 REXX batch file text

0	leshort	0x14c	MS Windows COFF Intel 80386 object file
#>4	ledate	x	stamp %s
0	leshort	0x166	MS Windows COFF MIPS R4000 object file
#>4	ledate	x	stamp %s
0	leshort	0x184	MS Windows COFF Alpha object file
#>4	ledate	x	stamp %s
0	leshort	0x268	MS Windows COFF Motorola 68000 object file
#>4	ledate	x	stamp %s
0	leshort	0x1f0	MS Windows COFF PowerPC object file
#>4	ledate	x	stamp %s
0	leshort	0x290	MS Windows COFF PA-RISC object file
#>4	ledate	x	stamp %s

# XXX - according to Microsoft's spec, at an offset of 0x3c in a
# PE-format executable is the offset in the file of the PE header;
# unfortunately, that's a little-endian offset, and there's no way
# to specify an indirect offset with a specified byte order.
# So, for now, we assume the standard MS-DOS stub, which puts the
# PE header at 0x80 = 128.
#
# Required OS version and subsystem version were 4.0 on some NT 3.51
# executables built with Visual C++ 4.0, so it's not clear that
# they're interesting.  The user version was 0.0, but there's
# probably some linker directive to set it.  The linker version was
# 3.0, except for one ".exe" which had it as 4.20 (same damn linker!).
#
# many of the compressed formats were extracted from IDARC 1.23 source code
#
0	string	MZ
!:mime	application/x-dosexec
>0x18	leshort	<0x40	MS-DOS executable
>0	string	MZ\0\0\0\0\0\0\0\0\0\0PE\0\0	\b, PE for MS Windows
>>&18	leshort&0x2000	>0	(DLL)
>>&88	leshort	0	(unknown subsystem)
>>&88	leshort	1	(native)
>>&88	leshort	2	(GUI)
>>&88	leshort	3	(console)
>>&88	leshort	7	(POSIX)
>>&0	leshort	0x0	unknown processor
>>&0	leshort	0x14c	Intel 80386
>>&0	leshort	0x166	MIPS R4000
>>&0	leshort	0x184	Alpha
>>&0	leshort	0x268	Motorola 68000
>>&0	leshort	0x1f0	PowerPC
>>&0	leshort	0x290	PA-RISC
>>&18	leshort&0x0100	>0	32-bit
>>&18	leshort&0x1000	>0	system file
>>&0xf4	search/0x140	\x0\x40\x1\x0
>>>(&0.l+(4))	string	MSCF	\b, WinHKI CAB self-extracting archive
>30	string	Copyright\ 1989-1990\ PKWARE\ Inc.	Self-extracting PKZIP archive
!:mime	application/zip
# Is next line correct? One might expect "Corp." not "Copr." If it is right, add a note to that effect.
>30	string	PKLITE\ Copr.	Self-extracting PKZIP archive
!:mime	application/zip

>0x18	leshort	>0x3f
>>(0x3c.l)	string	PE\0\0	PE
>>>(0x3c.l+25)	byte	1	\b32 executable
>>>(0x3c.l+25)	byte	2	\b32+ executable
# hooray, there's a DOS extender using the PE format, with a valid PE
# executable inside (which just prints a message and exits if run in win)
>>>(0x3c.l+92)	leshort	<10
>>>>(8.s*16)	string	32STUB	for MS-DOS, 32rtm DOS extender
>>>>(8.s*16)	string	!32STUB	for MS Windows
>>>>>(0x3c.l+22)	leshort&0x2000	>0	(DLL)
>>>>>(0x3c.l+92)	leshort	0	(unknown subsystem)
>>>>>(0x3c.l+92)	leshort	1	(native)
>>>>>(0x3c.l+92)	leshort	2	(GUI)
>>>>>(0x3c.l+92)	leshort	3	(console)
>>>>>(0x3c.l+92)	leshort	7	(POSIX)
>>>(0x3c.l+92)	leshort	10	(EFI application)
>>>(0x3c.l+92)	leshort	11	(EFI boot service driver)
>>>(0x3c.l+92)	leshort	12	(EFI runtime driver)
>>>(0x3c.l+92)	leshort	13	(XBOX)
>>>(0x3c.l+4)	leshort	0x0	unknown processor
>>>(0x3c.l+4)	leshort	0x14c	Intel 80386
>>>(0x3c.l+4)	leshort	0x166	MIPS R4000
>>>(0x3c.l+4)	leshort	0x184	Alpha
>>>(0x3c.l+4)	leshort	0x268	Motorola 68000
>>>(0x3c.l+4)	leshort	0x1f0	PowerPC
>>>(0x3c.l+4)	leshort	0x290	PA-RISC
>>>(0x3c.l+4)	leshort	0x200	Intel Itanium
>>>(0x3c.l+22)	leshort&0x0100	>0	32-bit
>>>(0x3c.l+22)	leshort&0x1000	>0	system file
>>>(0x3c.l+232)	lelong	>0	Mono/.Net assembly

>>>>(0x3c.l+0xf8)	string	UPX0	\b, UPX compressed
>>>>(0x3c.l+0xf8)	search/0x140	PEC2	\b, PECompact2 compressed
>>>>(0x3c.l+0xf8)	search/0x140	UPX2
>>>>>(&0x10.l+(-4))	string	PK\3\4	\b, ZIP self-extracting archive (Info-Zip)
>>>>(0x3c.l+0xf8)	search/0x140	.idata
>>>>>(&0xe.l+(-4))	string	PK\3\4	\b, ZIP self-extracting archive (Info-Zip)
>>>>>(&0xe.l+(-4))	string	ZZ0	\b, ZZip self-extracting archive
>>>>>(&0xe.l+(-4))	string	ZZ1	\b, ZZip self-extracting archive
>>>>(0x3c.l+0xf8)	search/0x140	.rsrc
>>>>>(&0x0f.l+(-4))	string	a\\\4\5	\b, WinHKI self-extracting archive
>>>>>(&0x0f.l+(-4))	string	Rar!	\b, RAR self-extracting archive
>>>>>(&0x0f.l+(-4))	search/0x3000	MSCF	\b, InstallShield self-extracting archive
>>>>>(&0x0f.l+(-4))	search/32	Nullsoft	\b, Nullsoft Installer self-extracting archive
>>>>(0x3c.l+0xf8)	search/0x140	.data
>>>>>(&0x0f.l)	string	WEXTRACT	\b, MS CAB-Installer self-extracting archive
>>>>(0x3c.l+0xf8)	search/0x140	.petite\0	\b, Petite compressed
>>>>>(0x3c.l+0xf7)	byte	x
>>>>>>(&0x104.l+(-4))	string	=!sfx!	\b, ACE self-extracting archive
>>>>(0x3c.l+0xf8)	search/0x140	.WISE	\b, WISE installer self-extracting archive
>>>>(0x3c.l+0xf8)	search/0x140	.dz\0\0\0	\b, Dzip self-extracting archive
>>>>(0x3c.l+0xf8)	search/0x140	.reloc
>>>>>(&0xe.l+(-4))	search/0x180	PK\3\4	\b, ZIP self-extracting archive (WinZip)

>>>>&(0x3c.l+0xf8)	search/0x100	_winzip_	\b, ZIP self-extracting archive (WinZip)
>>>>&(0x3c.l+0xf8)	search/0x100	SharedD	\b, Microsoft Installer self-extracting archive
>>>>0x30	string	Inno	\b, InnoSetup self-extracting archive

>>(0x3c.l)	string	!PE\0\0	MS-DOS executable

>>(0x3c.l)	string	NE	\b, NE
>>>(0x3c.l+0x36)	byte	0	(unknown OS)
>>>(0x3c.l+0x36)	byte	1	for OS/2 1.x
>>>(0x3c.l+0x36)	byte	2	for MS Windows 3.x
>>>(0x3c.l+0x36)	byte	3	for MS-DOS
>>>(0x3c.l+0x36)	byte	>3	(unknown OS)
>>>(0x3c.l+0x36)	byte	0x81	for MS-DOS, Phar Lap DOS extender
>>>(0x3c.l+0x0c)	leshort&0x8003	0x8002	(DLL)
>>>(0x3c.l+0x0c)	leshort&0x8003	0x8001	(driver)
>>>&(&0x24.s-1)	string	ARJSFX	\b, ARJ self-extracting archive
>>>(0x3c.l+0x70)	search/0x80	WinZip(R)\ Self-Extractor	\b, ZIP self-extracting archive (WinZip)

>>(0x3c.l)	string	LX\0\0	\b, LX
>>>(0x3c.l+0x0a)	leshort	<1	(unknown OS)
>>>(0x3c.l+0x0a)	leshort	1	for OS/2
>>>(0x3c.l+0x0a)	leshort	2	for MS Windows
>>>(0x3c.l+0x0a)	leshort	3	for DOS
>>>(0x3c.l+0x0a)	leshort	>3	(unknown OS)
>>>(0x3c.l+0x10)	lelong&0x28000	=0x8000	(DLL)
>>>(0x3c.l+0x10)	lelong&0x20000	>0	(device driver)
>>>(0x3c.l+0x10)	lelong&0x300	0x300	(GUI)
>>>(0x3c.l+0x10)	lelong&0x28300	<0x300	(console)
>>>(0x3c.l+0x08)	leshort	1	i80286
>>>(0x3c.l+0x08)	leshort	2	i80386
>>>(0x3c.l+0x08)	leshort	3	i80486
>>>(8.s*16)	string	emx	\b, emx
>>>>&1	string	x	%s
>>>&(&0x54.l-3)	string	arjsfx	\b, ARJ self-extracting archive

# MS Windows system file, supposedly a collection of LE executables
>>(0x3c.l)	string	W3	\b, W3 for MS Windows

>>(0x3c.l)	string	LE\0\0	\b, LE executable
>>>(0x3c.l+0x0a)	leshort	1
# some DOS extenders use LE files with OS/2 header
>>>>0x240	search/0x100	DOS/4G	for MS-DOS, DOS4GW DOS extender
>>>>0x240	search/0x200	WATCOM\ C/C++	for MS-DOS, DOS4GW DOS extender
>>>>0x440	search/0x100	CauseWay\ DOS\ Extender	for MS-DOS, CauseWay DOS extender
>>>>0x40	search/0x40	PMODE/W	for MS-DOS, PMODE/W DOS extender
>>>>0x40	search/0x40	STUB/32A	for MS-DOS, DOS/32A DOS extender (stub)
>>>>0x40	search/0x80	STUB/32C	for MS-DOS, DOS/32A DOS extender (configurable stub)
>>>>0x40	search/0x80	DOS/32A	for MS-DOS, DOS/32A DOS extender (embedded)
# this is a wild guess; hopefully it is a specific signature
>>>>&0x24	lelong	<0x50
>>>>>(&0x4c.l)	string	\xfc\xb8WATCOM
>>>>>>&0	search/8	3\xdbf\xb9	\b, 32Lite compressed
# another wild guess: if real OS/2 LE executables exist, they probably have higher start EIP
#>>>>(0x3c.l+0x1c)	lelong	>0x10000	for OS/2
# fails with DOS-Extenders.
>>>(0x3c.l+0x0a)	leshort	2	for MS Windows
>>>(0x3c.l+0x0a)	leshort	3	for DOS
>>>(0x3c.l+0x0a)	leshort	4	for MS Windows (VxD)
>>>(&0x7c.l+0x26)	string	UPX	\b, UPX compressed
>>>&(&0x54.l-3)	string	UNACE	\b, ACE self-extracting archive

# looks like ASCII, probably some embedded copyright message.
# and definitely not NE/LE/LX/PE
>>0x3c	lelong	>0x20000000
>>>(4.s*512)	leshort	!0x014c	\b, MZ for MS-DOS
# header data too small for extended executable
>2	long	!0
>>0x18	leshort	<0x40
>>>(4.s*512)	leshort	!0x014c

>>>>&(2.s-514)	string	!LE
>>>>>&-2	string	!BW	\b, MZ for MS-DOS
>>>>&(2.s-514)	string	LE	\b, LE
>>>>>0x240	search/0x100	DOS/4G	for MS-DOS, DOS4GW DOS extender
# educated guess since indirection is still not capable enough for complex offset
# calculations (next embedded executable would be at &(&2*512+&0-2)
# I suspect there are only LE executables in these multi-exe files
>>>>&(2.s-514)	string	BW
>>>>>0x240	search/0x100	DOS/4G	,\b LE for MS-DOS, DOS4GW DOS extender (embedded)
>>>>>0x240	search/0x100	!DOS/4G	,\b BW collection for MS-DOS

# This sequence skips to the first COFF segment, usually .text
>(4.s*512)	leshort	0x014c	\b, COFF
>>(8.s*16)	string	go32stub	for MS-DOS, DJGPP go32 DOS extender
>>(8.s*16)	string	emx
>>>&1	string	x	for DOS, Win or OS/2, emx %s
>>&(&0x42.l-3)	byte	x
>>>&0x26	string	UPX	\b, UPX compressed
# and yet another guess: small .text, and after large .data is unusual, could be 32lite
>>&0x2c	search/0xa0	.text
>>>&0x0b	lelong	<0x2000
>>>>&0	lelong	>0x6000	\b, 32lite compressed

>(8.s*16)	string	$WdX	\b, WDos/X DOS extender

# .EXE formats (Greg Roelofs, newt@uchicago.edu)
#
>0x35	string	\x8e\xc0\xb9\x08\x00\xf3\xa5\x4a\x75\xeb\x8e\xc3\x8e\xd8\x33\xff\xbe\x30\x00\x05	\b, aPack compressed
>0xe7	string	LH/2\ Self-Extract	\b, %s
>0x1c	string	diet	\b, diet compressed
>0x1c	string	LZ09	\b, LZEXE v0.90 compressed
>0x1c	string	LZ91	\b, LZEXE v0.91 compressed
>0x1c	string	tz	\b, TinyProg compressed
>0x1e	string	PKLITE	\b, %s compressed
>0x64	string	W\ Collis\0\0	\b, Compack compressed
>0x24	string	LHa's\ SFX	\b, LHa self-extracting archive
!:mime	application/x-lha
>0x24	string	LHA's\ SFX	\b, LHa self-extracting archive
!:mime	application/x-lha
>0x24	string	\ $ARX	\b, ARX self-extracting archive
>0x24	string	\ $LHarc	\b, LHarc self-extracting archive
>0x20	string	SFX\ by\ LARC	\b, LARC self-extracting archive
>1638	string	-lh5-	\b, LHa self-extracting archive v2.13S
>0x17888	string	Rar!	\b, RAR self-extracting archive
>0x40	string	aPKG	\b, aPackage self-extracting archive

>32	string	AIN
>>35	string	2	\b, AIN 2.x compressed
>>35	string	<2	\b, AIN 1.x compressed
>>35	string	>2	\b, AIN 1.x compressed
>28	string	UC2X	\b, UCEXE compressed
>28	string	WWP\ 	\b, WWPACK compressed

# skip to the end of the exe
>(4.s*512)	long	x
>>&(2.s-517)	byte	x
>>>&0	string	PK\3\4	\b, ZIP self-extracting archive
>>>&0	string	Rar!	\b, RAR self-extracting archive
>>>&0	string	=!\x11	\b, AIN 2.x self-extracting archive
>>>&0	string	=!\x12	\b, AIN 2.x self-extracting archive
>>>&0	string	=!\x17	\b, AIN 1.x self-extracting archive
>>>&0	string	=!\x18	\b, AIN 1.x self-extracting archive
>>>&7	search/400	**ACE**	\b, ACE self-extracting archive
>>>&0	search/0x480	UC2SFX\ Header	\b, UC2 self-extracting archive

>0x1c	string	RJSX	\b, ARJ self-extracting archive
# winarj stores a message in the stub instead of the sig in the MZ header
>0x20	search/0xe0	aRJsfX	\b, ARJ self-extracting archive

# a few unknown ZIP sfxes, no idea if they are needed or if they are
# already captured by the generic patterns above
>122	string	Windows\ self-extracting\ ZIP	\b, ZIP self-extracting archive
>(8.s*16)	search/0x20	PKSFX	\b, ZIP self-extracting archive (PKZIP)
# TODO: how to add this? >FileSize-34 string Windows\ Self-Installing\ Executable \b, ZIP self-extracting archive
#

# TELVOX Teleinformatica CODEC self-extractor for OS/2:
>49801	string	\x79\xff\x80\xff\x76\xff	\b, CODEC archive v3.21
>>49824	leshort	=1	\b, 1 file
>>49824	leshort	>1	\b, %u files

# .COM formats (Daniel Quinlan, quinlan@yggdrasil.com)
# Uncommenting only the first two lines will cover about 2/3 of COM files,
# but it isn't feasible to match all COM files since there must be at least
# two dozen different one-byte "magics".
# test too generic ?
0	byte	0xe9	DOS executable (COM)
>0x1FE	leshort	0xAA55	\b, boot code
>6	string	SFX\ of\ LHarc	(%s)
0	belong	0xffffffff	DOS executable (device driver)
#CMD640X2.SYS
>10	string	>\x23
>>10	string	!\x2e
>>>17	string	<\x5B
>>>>10	string	x	\b, name: %.8s
#UDMA.SYS KEYB.SYS CMD640X2.SYS
>10	string	<\x41
>>12	string	>\x40
>>>10	string	!$
>>>>12	string	x	\b, name: %.8s
#BTCDROM.SYS ASPICD.SYS
>22	string	>\x40
>>22	string	<\x5B
>>>23	string	<\x5B
>>>>22	string	x	\b, name: %.8s
#ATAPICD.SYS
>76	string	\0
>>77	string	>\x40
>>>77	string	<\x5B
>>>>77	string	x	\b, name: %.8s
# test too generic ?
0	byte	0x8c	DOS executable (COM)
# updated by Joerg Jenderek at Oct 2008
0	ulelong	0xffff10eb	DR-DOS executable (COM)
# byte 0xeb conflicts with "sequent" magic leshort 0xn2eb
0	ubeshort&0xeb8d	>0xeb00
# DR-DOS STACKER.COM SCREATE.SYS missed
>0	byte	0xeb	DOS executable (COM)
>>0x1FE	leshort	0xAA55	\b, boot code
>>85	string	UPX	\b, UPX compressed
>>4	string	\ $ARX	\b, ARX self-extracting archive
>>4	string	\ $LHarc	\b, LHarc self-extracting archive
>>0x20e	string	SFX\ by\ LARC	\b, LARC self-extracting archive
# updated by Joerg Jenderek at Oct 2008
#0	byte	0xb8	COM executable
0	uleshort&0x80ff	0x00b8
# modified by Joerg Jenderek
>1	lelong	!0x21cd4cff	COM executable for DOS
# http://syslinux.zytor.com/comboot.php
# (32-bit COMBOOT) programs *.C32 contain 32-bit code and run in flat-memory 32-bit protected mode
# start with assembler instructions mov eax,21cd4cffh
0	uleshort&0xc0ff	0xc0b8
>1	lelong	0x21cd4cff	COM executable (32-bit COMBOOT)
0	string	\x81\xfc
>4	string	\x77\x02\xcd\x20\xb9
>>36	string	UPX!	FREE-DOS executable (COM), UPX compressed
252	string	Must\ have\ DOS\ version	DR-DOS executable (COM)
# added by Joerg Jenderek at Oct 2008
# GRR search is not working
#34	search/2	UPX!	FREE-DOS executable (COM), UPX compressed
34	string	UPX!	FREE-DOS executable (COM), UPX compressed
35	string	UPX!	FREE-DOS executable (COM), UPX compressed
# GRR search is not working
#2	search/28	\xcd\x21	COM executable for MS-DOS
#WHICHFAT.cOM
2	string	\xcd\x21	COM executable for DOS
#DELTREE.cOM DELTREE2.cOM
4	string	\xcd\x21	COM executable for DOS
#IFMEMDSK.cOM ASSIGN.cOM COMP.cOM
5	string	\xcd\x21	COM executable for DOS
#DELTMP.COm HASFAT32.cOM
7	string	\xcd\x21
>0	byte	!0xb8	COM executable for DOS
#COMP.cOM MORE.COm
10	string	\xcd\x21
>5	string	!\xcd\x21	COM executable for DOS
#comecho.com
13	string	\xcd\x21	COM executable for DOS
#HELP.COm EDIT.coM
18	string	\xcd\x21	COM executable for MS-DOS
#NWRPLTRM.COm
23	string	\xcd\x21	COM executable for MS-DOS
#LOADFIX.cOm LOADFIX.cOm
30	string	\xcd\x21	COM executable for MS-DOS
#syslinux.com 3.11
70	string	\xcd\x21	COM executable for DOS
# many compressed/converted COMs start with a copy loop instead of a jump
0x6	search/0xa	\xfc\x57\xf3\xa5\xc3	COM executable for MS-DOS
0x6	search/0xa	\xfc\x57\xf3\xa4\xc3	COM executable for DOS
>0x18	search/0x10	\x50\xa4\xff\xd5\x73	\b, aPack compressed
0x3c	string	W\ Collis\0\0	COM executable for MS-DOS, Compack compressed
# FIXME: missing diet .com compression

# miscellaneous formats
0	string	LZ	MS-DOS executable (built-in)
#0	byte	0xf0	MS-DOS program library data
#

# AAF files:
# <stuartc@rd.bbc.co.uk> Stuart Cunningham
0	string	\320\317\021\340\241\261\032\341AAFB\015\000OM\006\016\053\064\001\001\001\377	AAF legacy file using MS Structured Storage
>30	byte	9	(512B sectors)
>30	byte	12	(4kB sectors)
0	string	\320\317\021\340\241\261\032\341\001\002\001\015\000\002\000\000\006\016\053\064\003\002\001\001	AAF file using MS Structured Storage
>30	byte	9	(512B sectors)
>30	byte	12	(4kB sectors)

# Popular applications
2080	string	Microsoft\ Word\ 6.0\ Document	%s
!:mime	application/msword
2080	string	Documento\ Microsoft\ Word\ 6	Spanish Microsoft Word 6 document data
!:mime	application/msword
# Pawel Wiecek <coven@i17linuxb.ists.pwr.wroc.pl> (for polish Word)
2112	string	MSWordDoc	Microsoft Word document data
!:mime	application/msword
#
0	belong	0x31be0000	Microsoft Word Document
!:mime	application/msword
#
0	string	PO^Q`	Microsoft Word 6.0 Document
!:mime	application/msword
#
0	string	\376\067\0\043	Microsoft Office Document
!:mime	application/msword
0	string	\333\245-\0\0\0	Microsoft Office Document
!:mime	application/msword
512	string	\354\245\301	Microsoft Word Document
!:mime	application/msword
#
2080	string	Microsoft\ Excel\ 5.0\ Worksheet	%s
!:mime	application/vnd.ms-excel

2080	string	Foglio\ di\ lavoro\ Microsoft\ Exce	%s
!:mime	application/vnd.ms-excel
#
# Pawel Wiecek <coven@i17linuxb.ists.pwr.wroc.pl> (for polish Excel)
2114	string	Biff5	Microsoft Excel 5.0 Worksheet
!:mime	application/vnd.ms-excel
# Italian MS-Excel
2121	string	Biff5	Microsoft Excel 5.0 Worksheet
!:mime	application/vnd.ms-excel
0	string	\x09\x04\x06\x00\x00\x00\x10\x00	Microsoft Excel Worksheet
!:mime	application/vnd.ms-excel
#
0	belong	0x00001a00	Lotus 1-2-3
!:mime	application/x-123
>4	belong	0x00100400	wk3 document data
>4	belong	0x02100400	wk4 document data
>4	belong	0x07800100	fm3 or fmb document data
>4	belong	0x07800000	fm3 or fmb document data
#
0	belong	0x00000200	Lotus 1-2-3
!:mime	application/x-123
>4	belong	0x06040600	wk1 document data
>4	belong	0x06800200	fmt document data
0	string	WordPro\0	Lotus WordPro
!:mime	application/vnd.lotus-wordpro
0	string	WordPro\r\373	Lotus WordPro
!:mime	application/vnd.lotus-wordpro


# Summary: Script used by InstallShield to uninstall applications
# Extension: .isu
# Submitted by: unknown
# Modified by (1): Abel Cheung <abelcheung@gmail.com> (replace useless entry)
0	string	\x71\xa8\x00\x00\x01\x02
>12	string	Stirling\ Technologies,	InstallShield Uninstall Script

# Winamp .avs
#0	string	Nullsoft\ AVS\ Preset\ \060\056\061\032	A plug in for Winamp ms-windows Freeware media player
0	string	Nullsoft\ AVS\ Preset\ 	Winamp plug in

# Windows Metafont .WMF
0	string	\327\315\306\232	ms-windows metafont .wmf
0	string	\002\000\011\000	ms-windows metafont .wmf
0	string	\001\000\011\000	ms-windows metafont .wmf

#tz3 files whatever that is (MS Works files)
0	string	\003\001\001\004\070\001\000\000	tz3 ms-works file
0	string	\003\002\001\004\070\001\000\000	tz3 ms-works file
0	string	\003\003\001\004\070\001\000\000	tz3 ms-works file

# PGP sig files .sig
#0 string \211\000\077\003\005\000\063\237\127 065 to \027\266\151\064\005\045\101\233\021\002 PGP sig
0	string	\211\000\077\003\005\000\063\237\127\065\027\266\151\064\005\045\101\233\021\002	PGP sig
0	string	\211\000\077\003\005\000\063\237\127\066\027\266\151\064\005\045\101\233\021\002	PGP sig
0	string	\211\000\077\003\005\000\063\237\127\067\027\266\151\064\005\045\101\233\021\002	PGP sig
0	string	\211\000\077\003\005\000\063\237\127\070\027\266\151\064\005\045\101\233\021\002	PGP sig
0	string	\211\000\077\003\005\000\063\237\127\071\027\266\151\064\005\045\101\233\021\002	PGP sig
0	string	\211\000\225\003\005\000\062\122\207\304\100\345\042	PGP sig

# windows zips files .dmf
0	string	MDIF\032\000\010\000\000\000\372\046\100\175\001\000\001\036\001\000	MS Windows special zipped file


#ico files
0	string	\102\101\050\000\000\000\056\000\000\000\000\000\000\000	Icon for MS Windows

# Windows icons (Ian Springer <ips@fpk.hp.com>)
0	string	\000\000\001\000	MS Windows icon resource
!:mime	image/x-ico
>4	byte	1	- 1 icon
>4	byte	>1	- %d icons
>>6	byte	>0	\b, %dx
>>>7	byte	>0	\b%d
>>8	byte	0	\b, 256-colors
>>8	byte	>0	\b, %d-colors


# .chr files
0	string	PK\010\010BGI	Borland font
>4	string	>\0	%s
# then there is a copyright notice


# .bgi files
0	string	pk\010\010BGI	Borland device
>4	string	>\0	%s
# then there is a copyright notice


# Windows Recycle Bin record file (named INFO2)
# By Abel Cheung (abelcheung AT gmail dot com)
# Version 4 always has 280 bytes (0x118) per record, version 5 has 800 bytes
# Since Vista uses another structure, INFO2 structure probably won't change
# anymore. Detailed analysis in:
# http://www.cybersecurityinstitute.biz/downloads/INFO2.pdf
0	lelong	0x00000004
>12	lelong	0x00000118	Windows Recycle Bin INFO2 file (Win98 or below)

0	lelong	0x00000005
>12	lelong	0x00000320	Windows Recycle Bin INFO2 file (Win2k - WinXP)


##### put in Either Magic/font or Magic/news
# Acroread or something files wrongly identified as G3 .pfm
# these have the form \000 \001 any? \002 \000 \000
# or \000 \001 any? \022 \000 \000
#0	string	\000\001	pfm?
#>3	string	\022\000\000Copyright\ 	yes
#>3	string	\002\000\000Copyright\ 	yes
#>3	string	>\0	oops, not a font file. Cancel that.
#it clashes with ttf files so put it lower down.

# From Doug Lee via a FreeBSD pr
9	string	GERBILDOC	First Choice document
9	string	GERBILDB	First Choice database
9	string	GERBILCLIP	First Choice database
0	string	GERBIL	First Choice device file
9	string	RABBITGRAPH	RabbitGraph file
0	string	DCU1	Borland Delphi .DCU file
0	string	=!<spell>	MKS Spell hash list (old format)
0	string	=!<spell2>	MKS Spell hash list
# Too simple - MPi
#0	string	AH	Halo(TM) bitmapped font file
0	lelong	0x08086b70	TurboC BGI file
0	lelong	0x08084b50	TurboC Font file

# WARNING: below line conflicts with Infocom game data Z-machine 3
0	byte	0x03	DBase 3 data file
>0x04	lelong	0	(no records)
>0x04	lelong	>0	(%ld records)
0	byte	0x83	DBase 3 data file with memo(s)
>0x04	lelong	0	(no records)
>0x04	lelong	>0	(%ld records)
0	leshort	0x0006	DBase 3 index file
0	string	PMCC	Windows 3.x .GRP file
1	string	RDC-meg	MegaDots
>8	byte	>0x2F	version %c
>9	byte	>0x2F	\b.%c file
0	lelong	0x4C
>4	lelong	0x00021401	Windows shortcut file

# DOS EPS Binary File Header
# From: Ed Sznyter <ews@Black.Market.NET>
0	belong	0xC5D0D3C6	DOS EPS Binary File
>4	long	>0	Postscript starts at byte %d
>>8	long	>0	length %d
>>>12	long	>0	Metafile starts at byte %d
>>>>16	long	>0	length %d
>>>20	long	>0	TIFF starts at byte %d
>>>>24	long	>0	length %d

# TNEF magic From "Joomy" <joomy@se-ed.net>
# Microsoft Outlook's Transport Neutral Encapsulation Format (TNEF)
0	lelong	0x223e9f78	TNEF
!:mime	application/vnd.ms-tnef

# HtmlHelp files (.chm)
0	string	ITSF\003\000\000\000\x60\000\000\000\001\000\000\000	MS Windows HtmlHelp Data

# GFA-BASIC (Wolfram Kleff)
2	string	GFA-BASIC3	GFA-BASIC 3 data

#------------------------------------------------------------------------------
# From Stuart Caie <kyzer@4u.net> (developer of cabextract)
# Microsoft Cabinet files
0	string	MSCF\0\0\0\0	Microsoft Cabinet archive data
!:mime	application/vnd.ms-cab-compressed
>8	lelong	x	\b, %u bytes
>28	leshort	1	\b, 1 file
>28	leshort	>1	\b, %u files

# InstallShield Cabinet files
0	string	ISc(	InstallShield Cabinet archive data
>5	byte&0xf0	=0x60	version 6,
>5	byte&0xf0	!0x60	version 4/5,
>(12.l+40)	lelong	x	%u files

# Windows CE package files
0	string	MSCE\0\0\0\0	Microsoft WinCE install header
>20	lelong	0	\b, architecture-independent
>20	lelong	103	\b, Hitachi SH3
>20	lelong	104	\b, Hitachi SH4
>20	lelong	0xA11	\b, StrongARM
>20	lelong	4000	\b, MIPS R4000
>20	lelong	10003	\b, Hitachi SH3
>20	lelong	10004	\b, Hitachi SH3E
>20	lelong	10005	\b, Hitachi SH4
>20	lelong	70001	\b, ARM 7TDMI
>52	leshort	1	\b, 1 file
>52	leshort	>1	\b, %u files
>56	leshort	1	\b, 1 registry entry
>56	leshort	>1	\b, %u registry entries


# Windows Enhanced Metafile (EMF)
# See msdn.microsoft.com/archive/en-us/dnargdi/html/msdn_enhmeta.asp
# for further information.
0	ulelong	1
>40	string	\ EMF	Windows Enhanced Metafile (EMF) image data
>>44	ulelong	x	version 0x%x

# From: Alex Beregszaszi <alex@fsn.hu>
0	string	COWD	VMWare3
>4	byte	3	disk image
>>32	lelong	x	(%d/
>>36	lelong	x	\b%d/
>>40	lelong	x	\b%d)
>4	byte	2	undoable disk image
>>32	string	>\0	(%s)

0	string	VMDK	VMware4 disk image
0	string	KDMV	VMware4 disk image

#--------------------------------------------------------------------
# Qemu Emulator Images
# Lines written by Friedrich Schwittay (f.schwittay@yousable.de)
# Made by reading sources and doing trial and error on existing
# qcow files
0	string	QFI	Qemu Image, Format: Qcow

# Uncomment the following line to display Magic (only used for debugging
# this magic number)
#>0	string	x	, Magic: %s

# There are currently 2 Versions: "1" and "2"
# I do not use Version 2 and therefore branch here
# but can assure: it works (tested on both versions)
# Also my Qemu 0.9.0 which uses this Version 2 refuses
# to start in its bios
>0x04	belong	2	, Version: 2
>0x04	belong	1	, Version: 1

# Using the existence of the Backing File Offset to Branch or not
# to read Backing File Information
>>0xc	belong	>0	, Backing File( Offset: %lu
>>>(0xc.L)	string	>\0	, Path: %s

# Didn't get the trick here how qemu stores the "Size" at this Position
# There is actually something stored but nothing makes sense
# The header in the sources talks about it
#>>>16	lelong	x	, Size: %lu

# Modification time of the Backing File
# Really useful if you want to know if your backing
# file is still usable together with this image
>>>20	bedate	x	, Mtime: %s )

# Don't know how to calculate in Magicfiles
# Also: this Information is not reliably
# stored in image-files
>>24	lelong	x	, Disk Size could be: %d * 256 bytes

0	string	QEVM	QEMU's suspend to disk image

0	string	Bochs\ Virtual\ HD\ Image	Bochs disk image,
>32	string	x	type %s,
>48	string	x	subtype %s

0	lelong	0x02468ace	Bochs Sparse disk image

# from http://filext.com by Derek M Jones <derek@knosof.co.uk>
# False positive with PPT (also currently this string is too long)
#0	string	\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x3E\x00\x03\x00\xFE\xFF\x09\x00\x06	Microsoft Installer
0	string	\320\317\021\340\241\261\032\341	Microsoft Office Document
#>48	byte	0x1B	Excel Document
#!:mime	application/vnd.ms-excel
>546	string	bjbj	Microsoft Word Document
!:mime	application/msword
>546	string	jbjb	Microsoft Word Document
!:mime	application/msword

0	string	\224\246\056	Microsoft Word Document
!:mime	application/msword

512	string	R\0o\0o\0t\0\ \0E\0n\0t\0r\0y	Microsoft Word Document
!:mime	application/msword

# From: "Nelson A. de Oliveira" <naoliv@gmail.com>
# Magic type for Dell's BIOS .hdr files
# Dell's .hdr
0	string	$RBU
>23	string	Dell	%s system BIOS
>48	string	x	version %.3s

# Type: Microsoft DirectDraw Surface
# URL: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/directx9_c/directx/graphics/reference/DDSFileReference/ddsfileformat.asp
# From: Morten Hustveit <morten@debian.org>
0	string	DDS\040\174\000\000\000	Microsoft DirectDraw Surface (DDS),
>16	lelong	>0	%hd x
>12	lelong	>0	%hd,
>84	string	x	%.4s

# Type: Microsoft Document Imaging Format (.mdi)
# URL: http://en.wikipedia.org/wiki/Microsoft_Document_Imaging_Format
# From: Daniele Sempione <scrows@oziosi.org>
0	short	0x5045	Microsoft Document Imaging Format

# MS eBook format (.lit)
0	string	ITOLITLS	Microsoft Reader eBook Data
>8	lelong	x	\b, version %u
!:mime	application/x-ms-reader