
#------------------------------------------------------------------------------
# $File: msdos,v 1.77 2011/12/07 22:05:05 christos Exp $
# msdos:  file(1) magic for MS-DOS files
#

# .BAT files (Daniel Quinlan, quinlan@yggdrasil.com)
# updated by Joerg Jenderek at Oct 2008,Apr 2011
0	string/t	@
>1	string/cW	\ echo\ off	DOS batch file text
!:mime	text/x-msdos-batch
>1	string/cW	echo\ off	DOS batch file text
!:mime	text/x-msdos-batch
>1	string/cW	rem	DOS batch file text
!:mime	text/x-msdos-batch
>1	string/cW	set\ 	DOS batch file text
!:mime	text/x-msdos-batch


# OS/2 batch files are REXX. the second regex is a bit generic, oh well
# the matched commands seem to be common in REXX and uncommon elsewhere
100	search/0xffff	rxfuncadd
>100	regex/c	=^[\ \t]{0,10}call[\ \t]{1,10}rxfunc	OS/2 REXX batch file text
100	search/0xffff	say
>100	regex/c	=^[\ \t]{0,10}say\ ['"]	OS/2 REXX batch file text

0	leshort	0x14c	MS Windows COFF Intel 80386 object file
#>4	ledate	x	stamp %s
0	leshort	0x166	MS Windows COFF MIPS R4000 object file
#>4	ledate	x	stamp %s
0	leshort	0x184	MS Windows COFF Alpha object file
#>4	ledate	x	stamp %s
0	leshort	0x268	MS Windows COFF Motorola 68000 object file
#>4	ledate	x	stamp %s
0	leshort	0x1f0	MS Windows COFF PowerPC object file
#>4	ledate	x	stamp %s
0	leshort	0x290	MS Windows COFF PA-RISC object file
#>4	ledate	x	stamp %s

# Tests for various EXE types.
#
# Many of the compressed formats were extracted from IDARC 1.23 source code.
#
0	string/b	MZ
!:mime	application/x-dosexec
# All non-DOS EXE extensions have the relocation table more than 0x40 bytes into the file.
>0x18	leshort	<0x40	MS-DOS executable
# These traditional tests usually work but not always.  When test quality support is
# implemented these can be turned on.
#>>0x18	leshort	0x1c	(Borland compiler)
#>>0x18	leshort	0x1e	(MS compiler)

# If the relocation table is 0x40 or more bytes into the file, it's definitely
# not a DOS EXE.
>0x18	leshort	>0x3f

# Maybe it's a PE?
>>(0x3c.l)	string	PE\0\0	PE
>>>(0x3c.l+24)	leshort	0x010b	\b32 executable
>>>(0x3c.l+24)	leshort	0x020b	\b32+ executable
>>>(0x3c.l+24)	leshort	0x0107	ROM image
>>>(0x3c.l+24)	default	x	Unknown PE signature
>>>>&0	leshort	x	0x%x
>>>(0x3c.l+22)	leshort&0x2000	>0	(DLL)
>>>(0x3c.l+92)	leshort	1	(native)
>>>(0x3c.l+92)	leshort	2	(GUI)
>>>(0x3c.l+92)	leshort	3	(console)
>>>(0x3c.l+92)	leshort	7	(POSIX)
>>>(0x3c.l+92)	leshort	9	(Windows CE)
>>>(0x3c.l+92)	leshort	10	(EFI application)
>>>(0x3c.l+92)	leshort	11	(EFI boot service driver)
>>>(0x3c.l+92)	leshort	12	(EFI runtime driver)
>>>(0x3c.l+92)	leshort	13	(EFI ROM)
>>>(0x3c.l+92)	leshort	14	(XBOX)
>>>(0x3c.l+92)	leshort	15	(Windows boot application)
>>>(0x3c.l+92)	default	x	(Unknown subsystem
>>>>&0	leshort	x	0x%x)
>>>(0x3c.l+4)	leshort	0x14c	Intel 80386
>>>(0x3c.l+4)	leshort	0x166	MIPS R4000
>>>(0x3c.l+4)	leshort	0x168	MIPS R10000
>>>(0x3c.l+4)	leshort	0x184	Alpha
>>>(0x3c.l+4)	leshort	0x1a2	Hitachi SH3
>>>(0x3c.l+4)	leshort	0x1a6	Hitachi SH4
>>>(0x3c.l+4)	leshort	0x1c0	ARM
>>>(0x3c.l+4)	leshort	0x1c2	ARM Thumb
>>>(0x3c.l+4)	leshort	0x1f0	PowerPC
>>>(0x3c.l+4)	leshort	0x200	Intel Itanium
>>>(0x3c.l+4)	leshort	0x266	MIPS16
>>>(0x3c.l+4)	leshort	0x268	Motorola 68000
>>>(0x3c.l+4)	leshort	0x290	PA-RISC
>>>(0x3c.l+4)	leshort	0x366	MIPSIV
>>>(0x3c.l+4)	leshort	0x466	MIPS16 with FPU
>>>(0x3c.l+4)	leshort	0xebc	EFI byte code
>>>(0x3c.l+4)	leshort	0x8664	x86-64
>>>(0x3c.l+4)	leshort	0xc0ee	MSIL
>>>(0x3c.l+4)	default	x	Unknown processor type
>>>>&0	leshort	x	0x%x
>>>(0x3c.l+22)	leshort&0x0200	>0	(stripped to external PDB)
>>>(0x3c.l+22)	leshort&0x1000	>0	system file
>>>(0x3c.l+24)	leshort	0x010b
>>>>(0x3c.l+232)	lelong	>0	Mono/.Net assembly
>>>(0x3c.l+24)	leshort	0x020b
>>>>(0x3c.l+248)	lelong	>0	Mono/.Net assembly

# hooray, there's a DOS extender using the PE format, with a valid PE
# executable inside (which just prints a message and exits if run in win)
>>>(8.s*16)	string	32STUB	\b, 32rtm DOS extender
>>>(8.s*16)	string	!32STUB	\b, for MS Windows
>>>(0x3c.l+0xf8)	string	UPX0	\b, UPX compressed
>>>(0x3c.l+0xf8)	search/0x140	PEC2	\b, PECompact2 compressed
>>>(0x3c.l+0xf8)	search/0x140	UPX2
>>>>(&0x10.l+(-4))	string	PK\3\4	\b, ZIP self-extracting archive (Info-Zip)
>>>(0x3c.l+0xf8)	search/0x140	.idata
>>>>(&0xe.l+(-4))	string	PK\3\4	\b, ZIP self-extracting archive (Info-Zip)
>>>>(&0xe.l+(-4))	string	ZZ0	\b, ZZip self-extracting archive
>>>>(&0xe.l+(-4))	string	ZZ1	\b, ZZip self-extracting archive
>>>(0x3c.l+0xf8)	search/0x140	.rsrc
>>>>(&0x0f.l+(-4))	string	a\\\4\5	\b, WinHKI self-extracting archive
>>>>(&0x0f.l+(-4))	string	Rar!	\b, RAR self-extracting archive
>>>>(&0x0f.l+(-4))	search/0x3000	MSCF	\b, InstallShield self-extracting archive
>>>>(&0x0f.l+(-4))	search/32	Nullsoft	\b, Nullsoft Installer self-extracting archive
>>>(0x3c.l+0xf8)	search/0x140	.data
>>>>(&0x0f.l)	string	WEXTRACT	\b, MS CAB-Installer self-extracting archive
>>>(0x3c.l+0xf8)	search/0x140	.petite\0	\b, Petite compressed
>>>>(0x3c.l+0xf7)	byte	x
>>>>>(&0x104.l+(-4))	string	=!sfx!	\b, ACE self-extracting archive
>>>(0x3c.l+0xf8)	search/0x140	.WISE	\b, WISE installer self-extracting archive
>>>(0x3c.l+0xf8)	search/0x140	.dz\0\0\0	\b, Dzip self-extracting archive
>>>&(0x3c.l+0xf8)	search/0x100	_winzip_	\b, ZIP self-extracting archive (WinZip)
>>>&(0x3c.l+0xf8)	search/0x100	SharedD	\b, Microsoft Installer self-extracting archive
>>>0x30	string	Inno	\b, InnoSetup self-extracting archive

# Hmm, not a PE but the relocation table is too high for a traditional DOS exe,
# must be one of the unusual subformats.
>>(0x3c.l)	string	!PE\0\0	MS-DOS executable

>>(0x3c.l)	string	NE	\b, NE
>>>(0x3c.l+0x36)	byte	1	for OS/2 1.x
>>>(0x3c.l+0x36)	byte	2	for MS Windows 3.x
>>>(0x3c.l+0x36)	byte	3	for MS-DOS
>>>(0x3c.l+0x36)	byte	4	for Windows 386
>>>(0x3c.l+0x36)	byte	5	for Borland Operating System Services
>>>(0x3c.l+0x36)	default	x
>>>>(0x3c.l+0x36)	byte	x	(unknown OS %x)
>>>(0x3c.l+0x36)	byte	0x81	for MS-DOS, Phar Lap DOS extender
>>>(0x3c.l+0x0c)	leshort&0x8003	0x8002	(DLL)
>>>(0x3c.l+0x0c)	leshort&0x8003	0x8001	(driver)
>>>&(&0x24.s-1)	string	ARJSFX	\b, ARJ self-extracting archive
>>>(0x3c.l+0x70)	search/0x80	WinZip(R)\ Self-Extractor	\b, ZIP self-extracting archive (WinZip)

>>(0x3c.l)	string	LX\0\0	\b, LX
>>>(0x3c.l+0x0a)	leshort	<1	(unknown OS)
>>>(0x3c.l+0x0a)	leshort	1	for OS/2
>>>(0x3c.l+0x0a)	leshort	2	for MS Windows
>>>(0x3c.l+0x0a)	leshort	3	for DOS
>>>(0x3c.l+0x0a)	leshort	>3	(unknown OS)
>>>(0x3c.l+0x10)	lelong&0x28000	=0x8000	(DLL)
>>>(0x3c.l+0x10)	lelong&0x20000	>0	(device driver)
>>>(0x3c.l+0x10)	lelong&0x300	0x300	(GUI)
>>>(0x3c.l+0x10)	lelong&0x28300	<0x300	(console)
>>>(0x3c.l+0x08)	leshort	1	i80286
>>>(0x3c.l+0x08)	leshort	2	i80386
>>>(0x3c.l+0x08)	leshort	3	i80486
>>>(8.s*16)	string	emx	\b, emx
>>>>&1	string	x	%s
>>>&(&0x54.l-3)	string	arjsfx	\b, ARJ self-extracting archive

# MS Windows system file, supposedly a collection of LE executables
>>(0x3c.l)	string	W3	\b, W3 for MS Windows

>>(0x3c.l)	string	LE\0\0	\b, LE executable
>>>(0x3c.l+0x0a)	leshort	1
# some DOS extenders use LE files with OS/2 header
>>>>0x240	search/0x100	DOS/4G	for MS-DOS, DOS4GW DOS extender
>>>>0x240	search/0x200	WATCOM\ C/C++	for MS-DOS, DOS4GW DOS extender
>>>>0x440	search/0x100	CauseWay\ DOS\ Extender	for MS-DOS, CauseWay DOS extender
>>>>0x40	search/0x40	PMODE/W	for MS-DOS, PMODE/W DOS extender
>>>>0x40	search/0x40	STUB/32A	for MS-DOS, DOS/32A DOS extender (stub)
>>>>0x40	search/0x80	STUB/32C	for MS-DOS, DOS/32A DOS extender (configurable stub)
>>>>0x40	search/0x80	DOS/32A	for MS-DOS, DOS/32A DOS extender (embedded)
# this is a wild guess; hopefully it is a specific signature
>>>>&0x24	lelong	<0x50
>>>>>(&0x4c.l)	string	\xfc\xb8WATCOM
>>>>>>&0	search/8	3\xdbf\xb9	\b, 32Lite compressed
# another wild guess: if real OS/2 LE executables exist, they probably have higher start EIP
#>>>>(0x3c.l+0x1c)	lelong	>0x10000	for OS/2
# fails with DOS-Extenders.
>>>(0x3c.l+0x0a)	leshort	2	for MS Windows
>>>(0x3c.l+0x0a)	leshort	3	for DOS
>>>(0x3c.l+0x0a)	leshort	4	for MS Windows (VxD)
>>>(&0x7c.l+0x26)	string	UPX	\b, UPX compressed
>>>&(&0x54.l-3)	string	UNACE	\b, ACE self-extracting archive

# looks like ASCII, probably some embedded copyright message.
# and definitely not NE/LE/LX/PE
>>0x3c	lelong	>0x20000000
>>>(4.s*512)	leshort	!0x014c	\b, MZ for MS-DOS
# header data too small for extended executable
>2	long	!0
>>0x18	leshort	<0x40
>>>(4.s*512)	leshort	!0x014c

>>>>&(2.s-514)	string	!LE
>>>>>&-2	string	!BW	\b, MZ for MS-DOS
>>>>&(2.s-514)	string	LE	\b, LE
>>>>>0x240	search/0x100	DOS/4G	for MS-DOS, DOS4GW DOS extender
# educated guess since indirection is still not capable enough for complex offset
# calculations (next embedded executable would be at &(&2*512+&0-2)
# I suspect there are only LE executables in these multi-exe files
>>>>&(2.s-514)	string	BW
>>>>>0x240	search/0x100	DOS/4G	,\b LE for MS-DOS, DOS4GW DOS extender (embedded)
>>>>>0x240	search/0x100	!DOS/4G	,\b BW collection for MS-DOS

# This sequence skips to the first COFF segment, usually .text
>(4.s*512)	leshort	0x014c	\b, COFF
>>(8.s*16)	string	go32stub	for MS-DOS, DJGPP go32 DOS extender
>>(8.s*16)	string	emx
>>>&1	string	x	for DOS, Win or OS/2, emx %s
>>&(&0x42.l-3)	byte	x
>>>&0x26	string	UPX	\b, UPX compressed
# and yet another guess: small .text, and after large .data is unusual, could be 32lite
>>&0x2c	search/0xa0	.text
>>>&0x0b	lelong	<0x2000
>>>>&0	lelong	>0x6000	\b, 32lite compressed

>(8.s*16)	string	$WdX	\b, WDos/X DOS extender

# By now an executable type should have been printed out.  The executable
# may be a self-uncompressing archive, so look for evidence of that and
# print it out.
#
# Some signatures below from Greg Roelofs, newt@uchicago.edu.
#
>0x35	string	\x8e\xc0\xb9\x08\x00\xf3\xa5\x4a\x75\xeb\x8e\xc3\x8e\xd8\x33\xff\xbe\x30\x00\x05	\b, aPack compressed
>0xe7	string	LH/2\ Self-Extract	\b, %s
>0x1c	string	UC2X	\b, UCEXE compressed
>0x1c	string	WWP\ 	\b, WWPACK compressed
>0x1c	string	RJSX	\b, ARJ self-extracting archive
>0x1c	string	diet	\b, diet compressed
>0x1c	string	LZ09	\b, LZEXE v0.90 compressed
>0x1c	string	LZ91	\b, LZEXE v0.91 compressed
>0x1c	string	tz	\b, TinyProg compressed
>0x1e	string	Copyright\ 1989-1990\ PKWARE\ Inc.	Self-extracting PKZIP archive
!:mime	application/zip
# Yes, this really is "Copr", not "Corp."
>0x1e	string	PKLITE\ Copr.	Self-extracting PKZIP archive
!:mime	application/zip
# winarj stores a message in the stub instead of the sig in the MZ header
>0x20	search/0xe0	aRJsfX	\b, ARJ self-extracting archive
>0x20	string	AIN
>>0x23	string	2	\b, AIN 2.x compressed
>>0x23	string	<2	\b, AIN 1.x compressed
>>0x23	string	>2	\b, AIN 1.x compressed
>0x24	string	LHa's\ SFX	\b, LHa self-extracting archive
!:mime	application/x-lha
>0x24	string	LHA's\ SFX	\b, LHa self-extracting archive
!:mime	application/x-lha
>0x24	string	\ $ARX	\b, ARX self-extracting archive
>0x24	string	\ $LHarc	\b, LHarc self-extracting archive
>0x20	string	SFX\ by\ LARC	\b, LARC self-extracting archive
>0x40	string	aPKG	\b, aPackage self-extracting archive
>0x64	string	W\ Collis\0\0	\b, Compack compressed
>0x7a	string	Windows\ self-extracting\ ZIP	\b, ZIP self-extracting archive
>>&0xf4	search/0x140	\x0\x40\x1\x0
>>>(&0.l+(4))	string	MSCF	\b, WinHKI CAB self-extracting archive
>1638	string	-lh5-	\b, LHa self-extracting archive v2.13S
>0x17888	string	Rar!	\b, RAR self-extracting archive

# Skip to the end of the EXE.  This will usually work fine in the PE case
# because the MZ image is hardcoded into the toolchain and almost certainly
# won't match any of these signatures.
>(4.s*512)	long	x
>>&(2.s-517)	byte	x
>>>&0	string	PK\3\4	\b, ZIP self-extracting archive
>>>&0	string	Rar!	\b, RAR self-extracting archive
>>>&0	string	=!\x11	\b, AIN 2.x self-extracting archive
>>>&0	string	=!\x12	\b, AIN 2.x self-extracting archive
>>>&0	string	=!\x17	\b, AIN 1.x self-extracting archive
>>>&0	string	=!\x18	\b, AIN 1.x self-extracting archive
>>>&7	search/400	**ACE**	\b, ACE self-extracting archive
>>>&0	search/0x480	UC2SFX\ Header	\b, UC2 self-extracting archive

# a few unknown ZIP sfxes, no idea if they are needed or if they are
# already captured by the generic patterns above
>(8.s*16)	search/0x20	PKSFX	\b, ZIP self-extracting archive (PKZIP)
# TODO: how to add this?	>FileSize-34	string	Windows\ Self-Installing\ Executable	\b, ZIP self-extracting archive
#

# TELVOX Teleinformatica CODEC self-extractor for OS/2:
>49801	string	\x79\xff\x80\xff\x76\xff	\b, CODEC archive v3.21
>>49824	leshort	=1	\b, 1 file
>>49824	leshort	>1	\b, %u files

# added by Joerg Jenderek of http://www.freedos.org/software/?prog=kc
# and http://www.freedos.org/software/?prog=kpdos
# for FreeDOS files like KEYBOARD.SYS, KEYBRD2.SYS, KEYBRD3.SYS, *.KBD
0	string/b	KCF	FreeDOS KEYBoard Layout collection
# only version=0x100 found
>3	uleshort	x	\b, version 0x%x
# length of string containing author,info and special characters
>6	ubyte	>0
#>>6	pstring	x	\b, name=%s
>>7	string	>\0	\b, author=%-.14s
>>7	search/254	\xff	\b, info=
#>>>&0	string	x	\b%-s
>>>&0	string	x	\b%-.15s
# for FreeDOS *.KL files
0	string/b	KLF	FreeDOS KEYBoard Layout file
# only version=0x100 or 0x101 found
>3	uleshort	x	\b, version 0x%x
# stringlength
>5	ubyte	>0
>>8	string	x	\b, name=%-.2s
0	string	\xffKEYB\ \ \ \0\0\0\0
>12	string	\0\0\0\0`\360	MS-DOS KEYBoard Layout file

# .COM formats (Daniel Quinlan, quinlan@yggdrasil.com)
# Uncommenting only the first two lines will cover about 2/3 of COM files,
# but it isn't feasible to match all COM files since there must be at least
# two dozen different one-byte "magics".
# test too generic ?
0	byte	0xe9	DOS executable (COM)
>0x1FE	leshort	0xAA55	\b, boot code
>6	string	SFX\ of\ LHarc	(%s)

# DOS device driver updated by Joerg Jenderek at May 2011
# http://maben.homeip.net/static/S100/IBM/software/DOS/DOS%20techref/CHAPTER.009
0	ulequad&0x07a0ffffffff	0xffffffff	DOS executable (
>40	search/7	UPX!	\bUPX compressed
# DOS device driver attributes
>4	uleshort&0x8000	0x0000	\bblock device driver
# character device
>4	uleshort&0x8000	0x8000	\b
>>4	uleshort&0x0008	0x0008	\bclock
# fast video output by int 29h
>>4	uleshort&0x0010	0x0010	\bfast
# standard input/output device
>>4	uleshort&0x0003	>0	\bstandard
>>>4	uleshort&0x0001	0x0001	\binput
>>>4	uleshort&0x0003	0x0003	\b/
>>>4	uleshort&0x0002	0x0002	\boutput
>>4	uleshort&0x8000	0x8000	\bcharacter device driver
>0	ubyte	x
# upx compressed device driver has garbage instead of real in name field of header
>>40	search/7	UPX!
>>40	default	x
# leading/trailing nulls, zeros or non ASCII characters in 8-byte name field at offset 10 are skipped
>>>12	ubyte	>0x27	\b
>>>>10	ubyte	>0x20
>>>>>10	ubyte	!0x2E
>>>>>>10	ubyte	!0x2A	\b%c
>>>>11	ubyte	>0x20
>>>>>11	ubyte	!0x2E	\b%c
>>>>12	ubyte	>0x20
>>>>>12	ubyte	!0x39
>>>>>>12	ubyte	!0x2E	\b%c
>>>13	ubyte	>0x20
>>>>13	ubyte	!0x2E	\b%c
>>>>14	ubyte	>0x20
>>>>>14	ubyte	!0x2E	\b%c
>>>>15	ubyte	>0x20
>>>>>15	ubyte	!0x2E	\b%c
>>>>16	ubyte	>0x20
>>>>>16	ubyte	!0x2E
>>>>>>16	ubyte	<0xCB	\b%c
>>>>17	ubyte	>0x20
>>>>>17	ubyte	!0x2E
>>>>>>17	ubyte	<0x90	\b%c
# some character device drivers like ASPICD.SYS, btcdrom.sys and Cr_atapi.sys contain only spaces or points in name field
>>>4	uleshort&0x8000	0x8000
>>>>12	ubyte	<0x2F
# they have their real name at offset 22
>>>>>22	string	>\0	\b%-.5s
>4	uleshort&0x8000	0x0000
# 32 bit sector addressing ( > 32 MB) for block devices
>>4	uleshort&0x0002	0x0002	\b,32-bit sector-
# support by driver functions 13h, 17h, 18h
>4	uleshort&0x0040	0x0040	\b,IOCTL-
# open, close, removable media support by driver functions 0Dh, 0Eh, 0Fh
>4	uleshort&0x0800	0x0800	\b,close media-
# output until busy support by int 10h for character device driver
>4	uleshort&0x8000	0x8000
>>4	uleshort&0x2000	0x2000	\b,until busy-
# direct read/write support by driver functions 03h,0Ch
>4	uleshort&0x4000	0x4000	\b,control strings-
>4	uleshort&0x8000	0x8000
>>4	uleshort&0x6840	>0	\bsupport
>4	uleshort&0x8000	0x0000
>>4	uleshort&0x4842	>0	\bsupport
>0	ubyte	x	\b)
# DOS driver cmd640x.sys has 0x12 instead of 0xffffffff for pointer field to next device header
# Too weak, matches files that only contain 0's
#0	ulequad&0x000007a0ffffffed	0x0000000000000000	DOS-executable (
#>4	uleshort&0x8000	0x8000	\bcharacter device driver
#>>10	string	x	%-.8s
#>4	uleshort&0x4000	0x4000	\b,control strings-support)

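The MZ decision tree in the entries above (relocation pointer at 0x18, e_lfanew at 0x3c, then the PE optional-header magic, characteristics, subsystem and machine words, or the NE/LX/LE target-OS fields) can be followed in ordinary code. The Python below is an added example, not part of this magic file or of file(1): it re-implements those tests with the same offsets and code tables, reduces the NE/LX/LE branches to their OS and flag fields, omits the DOS-extender and self-extractor searches, and builds constructed zero-filled headers (not real programs) to run against. Function and sample names are this example's own.

```python
"""Added example: the MZ/PE/NE/LX/LE decision tree of the msdos magic entries.
Offsets and code tables are the ones those entries test; names are ours."""
import struct

PE_SUBSYSTEMS = {1: "native", 2: "GUI", 3: "console", 7: "POSIX",
                 9: "Windows CE", 10: "EFI application",
                 11: "EFI boot service driver", 12: "EFI runtime driver",
                 13: "EFI ROM", 14: "XBOX", 15: "Windows boot application"}
PE_MACHINES = {0x14c: "Intel 80386", 0x166: "MIPS R4000", 0x168: "MIPS R10000",
               0x184: "Alpha", 0x1a2: "Hitachi SH3", 0x1a6: "Hitachi SH4",
               0x1c0: "ARM", 0x1c2: "ARM Thumb", 0x1f0: "PowerPC",
               0x200: "Intel Itanium", 0x266: "MIPS16", 0x268: "Motorola 68000",
               0x290: "PA-RISC", 0x366: "MIPSIV", 0x466: "MIPS16 with FPU",
               0xebc: "EFI byte code", 0x8664: "x86-64", 0xc0ee: "MSIL"}
NE_TARGET_OS = {1: "OS/2 1.x", 2: "MS Windows 3.x", 3: "MS-DOS", 4: "Windows 386",
                5: "Borland Operating System Services",
                0x81: "MS-DOS, Phar Lap DOS extender"}
LX_OS = {1: "OS/2", 2: "MS Windows", 3: "DOS"}
LE_OS = {2: "MS Windows", 3: "DOS", 4: "MS Windows (VxD)"}


def _u16(data, off):
    return struct.unpack_from("<H", data, off)[0]


def _u32(data, off):
    return struct.unpack_from("<I", data, off)[0]


def _describe_pe(data, hdr):
    """The '>>>(0x3c.l+N)' tests of the PE branch, in the magic file's order."""
    magic = _u16(data, hdr + 24)                      # optional header magic
    kinds = {0x010b: "PE32 executable", 0x020b: "PE32+ executable",
             0x0107: "PE ROM image"}
    desc = kinds.get(magic, "PE Unknown PE signature 0x%x" % magic)
    chars = _u16(data, hdr + 22)                      # COFF characteristics
    if chars & 0x2000:
        desc += " (DLL)"
    sub = _u16(data, hdr + 92)                        # subsystem
    desc += " (%s)" % PE_SUBSYSTEMS.get(sub, "Unknown subsystem 0x%x" % sub)
    mach = _u16(data, hdr + 4)                        # machine
    desc += " " + PE_MACHINES.get(mach, "Unknown processor type 0x%x" % mach)
    if chars & 0x0200:
        desc += " (stripped to external PDB)"
    if chars & 0x1000:
        desc += " system file"
    clr = hdr + (232 if magic == 0x010b else 248)     # CLR directory: PE32 / PE32+
    if magic in (0x010b, 0x020b) and len(data) >= clr + 4 and _u32(data, clr) > 0:
        desc += " Mono/.Net assembly"
    stub = _u16(data, 8) * 16                         # "(8.s*16)": DOS stub code
    desc += ", 32rtm DOS extender" if data[stub:stub + 6] == b"32STUB" else ", for MS Windows"
    return desc


def classify_mz(data: bytes) -> str:
    """Description file(1) would print for an MZ-headed file (NE/LX/LE/W3
    branches reduced to OS and flag fields; extender searches omitted)."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        return "data"
    if _u16(data, 0x18) < 0x40:          # relocation table inside the DOS header
        return "MS-DOS executable"
    hdr = _u32(data, 0x3c)               # e_lfanew, the "(0x3c.l)" indirect offset
    sig = data[hdr:hdr + 4]
    if sig == b"PE\0\0" and len(data) >= hdr + 94:
        return _describe_pe(data, hdr)
    desc = "MS-DOS executable"
    if sig[:2] == b"NE" and len(data) >= hdr + 0x37:
        os_byte = data[hdr + 0x36]
        name = NE_TARGET_OS.get(os_byte)
        desc += ", NE " + ("for " + name if name else "(unknown OS %x)" % os_byte)
        flags = _u16(data, hdr + 0x0c) & 0x8003
        desc += {0x8002: " (DLL)", 0x8001: " (driver)"}.get(flags, "")
    elif sig in (b"LX\0\0", b"LE\0\0") and len(data) >= hdr + 0x0c:
        is_lx = sig[:2] == b"LX"
        name = (LX_OS if is_lx else LE_OS).get(_u16(data, hdr + 0x0a))
        desc += ", LX" if is_lx else ", LE executable"
        if name:
            desc += " for " + name
        elif is_lx:
            desc += " (unknown OS)"
    elif sig[:2] == b"W3":
        desc += ", W3 for MS Windows"
    return desc


def build_sample(ext_sig, ext_fields, e_lfarlc=0x40):
    """Constructed input (not a real program): 64-byte MZ header with e_cparhdr=4,
    relocation pointer e_lfarlc, e_lfanew=0x80, then a zero-filled extended
    header holding ext_sig and {offset: (struct_fmt, value)} fields."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<H", dos, 8, 4)
    struct.pack_into("<H", dos, 0x18, e_lfarlc)
    struct.pack_into("<I", dos, 0x3c, 0x80)
    ext = bytearray(4 + 20 + 240)        # room for a PE32+ optional header
    ext[:len(ext_sig)] = ext_sig
    for off, (fmt, val) in ext_fields.items():
        struct.pack_into(fmt, ext, off, val)
    return bytes(dos + ext)


PE_EXE = build_sample(b"PE\0\0", {4: ("<H", 0x8664), 22: ("<H", 0x0022),
                                  24: ("<H", 0x020b), 92: ("<H", 2)})
PE_DLL = build_sample(b"PE\0\0", {4: ("<H", 0x14c), 22: ("<H", 0x2022), 24: ("<H", 0x010b),
                                  92: ("<H", 3), 232: ("<I", 0x2008)})
NE_DLL = build_sample(b"NE", {0x0c: ("<H", 0x8002), 0x36: ("<B", 2)})
DOS_EXE = build_sample(b"", {}, e_lfarlc=0x1c)

if __name__ == "__main__":
    for name, blob in [("PE_EXE", PE_EXE), ("PE_DLL", PE_DLL), ("NE_DLL", NE_DLL), ("DOS_EXE", DOS_EXE)]:
        print(name, "->", classify_mz(blob))
```

Running it prints one description per constructed header, e.g. `PE32+ executable (GUI) x86-64, for MS Windows`; running `file` on a real binary beside it shows which entry fired and why.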
# test too generic ?
0	byte	0x8c	DOS executable (COM)
# updated by Joerg Jenderek at Oct 2008
0	ulelong	0xffff10eb	DR-DOS executable (COM)
# byte 0xeb conflicts with "sequent" magic leshort 0xn2eb
0	ubeshort&0xeb8d	>0xeb00
# DR-DOS STACKER.COM SCREATE.SYS missed
>0	byte	0xeb
>>0x1FE	leshort	0xAA55	DOS executable (COM), boot code
>>85	string	UPX	DOS executable (COM), UPX compressed
>>4	string	\ $ARX	DOS executable (COM), ARX self-extracting archive
>>4	string	\ $LHarc	DOS executable (COM), LHarc self-extracting archive
>>0x20e	string	SFX\ by\ LARC	DOS executable (COM), LARC self-extracting archive
# updated by Joerg Jenderek at Oct 2008
#0	byte	0xb8	COM executable
0	uleshort&0x80ff	0x00b8
# modified by Joerg Jenderek
>1	lelong	!0x21cd4cff	COM executable for DOS
# http://syslinux.zytor.com/comboot.php
# (32-bit COMBOOT) programs *.C32 contain 32-bit code and run in flat-memory 32-bit protected mode
# start with assembler instructions mov eax,21cd4cffh
0	uleshort&0xc0ff	0xc0b8
>1	lelong	0x21cd4cff	COM executable (32-bit COMBOOT)
# syslinux:doc/comboot.txt
# A COM32R program must start with the byte sequence B8 FE 4C CD 21 (mov
# eax,21cd4cfeh) as a magic number.
0	string/b	\xb8\xfe\x4c\xcd\x21	COM executable (COM32R)
# start with assembler instructions mov eax,21cd4cfeh
0	uleshort&0xc0ff	0xc0b8
>1	lelong	0x21cd4cfe	COM executable (32-bit COMBOOT, relocatable)
0	string/b	\x81\xfc
>4	string	\x77\x02\xcd\x20\xb9
>>36	string	UPX!	FREE-DOS executable (COM), UPX compressed
252	string	Must\ have\ DOS\ version	DR-DOS executable (COM)
# added by Joerg Jenderek at Oct 2008
# GRR search is not working
#34	search/2	UPX!	FREE-DOS executable (COM), UPX compressed
34	string	UPX!	FREE-DOS executable (COM), UPX compressed
35	string	UPX!	FREE-DOS executable (COM), UPX compressed
# GRR search is not working
#2	search/28	\xcd\x21	COM executable for MS-DOS
#WHICHFAT.cOM
2	string	\xcd\x21	COM executable for DOS
#DELTREE.cOM DELTREE2.cOM
4	string	\xcd\x21	COM executable for DOS
#IFMEMDSK.cOM ASSIGN.cOM COMP.cOM
5	string	\xcd\x21	COM executable for DOS
#DELTMP.COm HASFAT32.cOM
7	string	\xcd\x21
>0	byte	!0xb8	COM executable for DOS
#COMP.cOM MORE.COm
10	string	\xcd\x21
>5	string	!\xcd\x21	COM executable for DOS
#comecho.com
13	string	\xcd\x21	COM executable for DOS
#HELP.COm EDIT.coM
18	string	\xcd\x21	COM executable for MS-DOS
#NWRPLTRM.COm
23	string	\xcd\x21	COM executable for MS-DOS
#LOADFIX.cOm LOADFIX.cOm
30	string	\xcd\x21	COM executable for MS-DOS
#syslinux.com 3.11
70	string	\xcd\x21	COM executable for DOS
# many compressed/converted COMs start with a copy loop instead of a jump
0x6	search/0xa	\xfc\x57\xf3\xa5\xc3	COM executable for MS-DOS
0x6	search/0xa	\xfc\x57\xf3\xa4\xc3	COM executable for DOS
>0x18	search/0x10	\x50\xa4\xff\xd5\x73	\b, aPack compressed
0x3c	string	W\ Collis\0\0	COM executable for MS-DOS, Compack compressed
# FIXME: missing diet .com compression

# miscellaneous formats
0	string/b	LZ	MS-DOS executable (built-in)
#0	byte	0xf0	MS-DOS program library data
#

# AAF files:
# <stuartc@rd.bbc.co.uk> Stuart Cunningham
0	string/b	\320\317\021\340\241\261\032\341AAFB\015\000OM\006\016\053\064\001\001\001\377	AAF legacy file using MS Structured Storage
>30	byte	9	(512B sectors)
>30	byte	12	(4kB sectors)
0	string/b	\320\317\021\340\241\261\032\341\001\002\001\015\000\002\000\000\006\016\053\064\003\002\001\001	AAF file using MS Structured Storage
>30	byte	9	(512B sectors)
>30	byte	12	(4kB sectors)

# Popular applications
2080	string	Microsoft\ Word\ 6.0\ Document	%s
!:mime	application/msword
2080	string	Documento\ Microsoft\ Word\ 6	Spanish Microsoft Word 6 document data
!:mime	application/msword
# Pawel Wiecek <coven@i17linuxb.ists.pwr.wroc.pl> (for Polish Word)
2112	string	MSWordDoc	Microsoft Word document data
!:mime	application/msword
#
0	belong	0x31be0000	Microsoft Word Document
!:mime	application/msword
#
0	string/b	PO^Q`	Microsoft Word 6.0 Document
!:mime	application/msword
#
0	string/b	\376\067\0\043	Microsoft Office Document
!:mime	application/msword
0	string/b	\333\245-\0\0\0	Microsoft Office Document
!:mime	application/msword
512	string/b	\354\245\301	Microsoft Word Document
!:mime	application/msword
#
2080	string	Microsoft\ Excel\ 5.0\ Worksheet	%s
!:mime	application/vnd.ms-excel

2080	string	Foglio\ di\ lavoro\ Microsoft\ Exce	%s
!:mime	application/vnd.ms-excel
#
# Pawel Wiecek <coven@i17linuxb.ists.pwr.wroc.pl> (for Polish Excel)
2114	string	Biff5	Microsoft Excel 5.0 Worksheet
!:mime	application/vnd.ms-excel
# Italian MS-Excel
2121	string	Biff5	Microsoft Excel 5.0 Worksheet
!:mime	application/vnd.ms-excel
0	string/b	\x09\x04\x06\x00\x00\x00\x10\x00	Microsoft Excel Worksheet
!:mime	application/vnd.ms-excel
#
0	belong	0x00001a00	Lotus 1-2-3
!:mime	application/x-123
>4	belong	0x00100400	wk3 document data
>4	belong	0x02100400	wk4 document data
>4	belong	0x07800100	fm3 or fmb document data
>4	belong	0x07800000	fm3 or fmb document data
#
0	belong	0x00000200	Lotus 1-2-3
!:mime	application/x-123
>4	belong	0x06040600	wk1 document data
>4	belong	0x06800200	fmt document data
0	string/b	WordPro\0	Lotus WordPro
!:mime	application/vnd.lotus-wordpro
0	string/b	WordPro\r\373	Lotus WordPro
!:mime	application/vnd.lotus-wordpro


# Summary: Script used by InstallShield to uninstall applications
# Extension: .isu
# Submitted by: unknown
# Modified by (1): Abel Cheung <abelcheung@gmail.com> (replace useless entry)
0	string	\x71\xa8\x00\x00\x01\x02
>12	string	Stirling\ Technologies,	InstallShield Uninstall Script

# Winamp .avs
#0	string	Nullsoft\ AVS\ Preset\ \060\056\061\032	A plug in for Winamp ms-windows Freeware media player
0	string/b	Nullsoft\ AVS\ Preset\ 	Winamp plug in

# Windows Metafont .WMF
0	string/b	\327\315\306\232	ms-windows metafont .wmf
0	string/b	\002\000\011\000	ms-windows metafont .wmf
0	string/b	\001\000\011\000	ms-windows metafont .wmf

#tz3 files whatever that is (MS Works files)
0	string/b	\003\001\001\004\070\001\000\000	tz3 ms-works file
0	string/b	\003\002\001\004\070\001\000\000	tz3 ms-works file
0	string/b	\003\003\001\004\070\001\000\000	tz3 ms-works file

# PGP sig files .sig
#0 string \211\000\077\003\005\000\063\237\127 065 to \027\266\151\064\005\045\101\233\021\002 PGP sig
0	string	\211\000\077\003\005\000\063\237\127\065\027\266\151\064\005\045\101\233\021\002	PGP sig
0	string	\211\000\077\003\005\000\063\237\127\066\027\266\151\064\005\045\101\233\021\002	PGP sig
0	string	\211\000\077\003\005\000\063\237\127\067\027\266\151\064\005\045\101\233\021\002	PGP sig
0	string	\211\000\077\003\005\000\063\237\127\070\027\266\151\064\005\045\101\233\021\002	PGP sig
0	string	\211\000\077\003\005\000\063\237\127\071\027\266\151\064\005\045\101\233\021\002	PGP sig
0	string	\211\000\225\003\005\000\062\122\207\304\100\345\042	PGP sig

# windows zips files .dmf
0	string/b	MDIF\032\000\010\000\000\000\372\046\100\175\001\000\001\036\001\000	MS Windows special zipped file


#ico files
0	string/b	\102\101\050\000\000\000\056\000\000\000\000\000\000\000	Icon for MS Windows

# Windows icons (Ian Springer <ips@fpk.hp.com>)
0	string/b	\000\000\001\000	MS Windows icon resource
!:mime	image/x-icon
>4	byte	1	- 1 icon
>4	byte	>1	- %d icons
>>6	byte	>0	\b, %dx
>>>7	byte	>0	\b%d
>>8	byte	0	\b, 256-colors
>>8	byte	>0	\b, %d-colors


# .chr files
0	string/b	PK\010\010BGI	Borland font
>4	string	>\0	%s
# then there is a copyright notice


# .bgi files
0	string/b	pk\010\010BGI	Borland device
>4	string	>\0	%s
# then there is a copyright notice


# Windows Recycle Bin record file (named INFO2)
# By Abel Cheung (abelcheung AT gmail dot com)
# Version 4 always has 280 bytes (0x118) per record, version 5 has 800 bytes
# Since Vista uses another structure, INFO2 structure probably won't change
# anymore. Detailed analysis in:
# http://www.cybersecurityinstitute.biz/downloads/INFO2.pdf
0	lelong	0x00000004
>12	lelong	0x00000118	Windows Recycle Bin INFO2 file (Win98 or below)

0	lelong	0x00000005
>12	lelong	0x00000320	Windows Recycle Bin INFO2 file (Win2k - WinXP)


##### put in Either Magic/font or Magic/news
# Acroread or something files wrongly identified as G3 .pfm
# these have the form \000 \001 any? \002 \000 \000
# or \000 \001 any? \022 \000 \000
0	belong&0xffff00ff	0x00010012	PFM data
>4	string	\000\000
>6	string	>\060	- %s

0	belong&0xffff00ff	0x00010002	PFM data
>4	string	\000\000
>6	string	>\060	- %s
#0	string	\000\001	pfm?
#>3	string	\022\000\000Copyright\ 	yes
#>3	string	\002\000\000Copyright\ 	yes
#>3	string	>\0	oops, not a font file.  Cancel that.
#it clashes with ttf files so put it lower down.

# From Doug Lee via a FreeBSD pr
9	string	GERBILDOC	First Choice document
9	string	GERBILDB	First Choice database
9	string	GERBILCLIP	First Choice database
0	string	GERBIL	First Choice device file
9	string	RABBITGRAPH	RabbitGraph file
0	string	DCU1	Borland Delphi .DCU file
0	string	=!<spell>	MKS Spell hash list (old format)
0	string	=!<spell2>	MKS Spell hash list
# Too simple - MPi
#0	string	AH	Halo(TM) bitmapped font file
0	lelong	0x08086b70	TurboC BGI file
0	lelong	0x08084b50	TurboC Font file

# WARNING: below line conflicts with Infocom game data Z-machine 3
0	byte	0x03
>0x02	byte	<0x13	DBase 3 data file
>>0x04	lelong	0	(no records)
>>0x04	lelong	>0	(%ld records)
0	byte	0x83
>0x02	byte	<0x13	DBase 3 data file with memo(s)
>>0x04	lelong	0	(no records)
>>0x04	lelong	>0	(%ld records)
0	leshort	0x0006	DBase 3 index file
0	string	PMCC	Windows 3.x .GRP file
1	string	RDC-meg	MegaDots
>8	byte	>0x2F	version %c
>9	byte	>0x2F	\b.%c file
0	lelong	0x4C
>4	lelong	0x00021401	Windows shortcut file

# .PIF files added by Joerg Jenderek from http://smsoft.ru/en/pifdoc.htm
# only for windows versions equal or greater 3.0
0x171	string	MICROSOFT\ PIFEX\0	Windows Program Information File
!:mime	application/x-dosexec
#>2	string	>\0	\b, Title:%.30s
>0x24	string	>\0	\b for %.63s
>0x65	string	>\0	\b, directory=%.64s
>0xA5	string	>\0	\b, parameters=%.64s
#>0x181	leshort	x	\b, offset %x
#>0x183	leshort	x	\b, offsetdata %x
#>0x185	leshort	x	\b, section length %x
>0x187	search/0xB55	WINDOWS\ VMM\ 4.0\0
>>&0x5e	ubyte	>0
>>>&-1	string	<PIFMGR.DLL	\b, icon=%s
#>>>&-1	string	PIFMGR.DLL	\b, icon=%s
>>>&-1	string	>PIFMGR.DLL	\b, icon=%s
>>&0xF0	ubyte	>0
>>>&-1	string	<Terminal	\b, font=%.32s
#>>>&-1	string	=Terminal	\b, font=%.32s
>>>&-1	string	>Terminal	\b, font=%.32s
>>&0x110	ubyte	>0
>>>&-1	string	<Lucida\ Console	\b, TrueTypeFont=%.32s
#>>>&-1	string	=Lucida\ Console	\b, TrueTypeFont=%.32s
>>>&-1	string	>Lucida\ Console	\b, TrueTypeFont=%.32s
#>0x187	search/0xB55	WINDOWS\ 286\ 3.0\0	\b, Windows 3.X standard mode-style
#>0x187	search/0xB55	WINDOWS\ 386\ 3.0\0	\b, Windows 3.X enhanced mode-style
>0x187	search/0xB55	WINDOWS\ NT\ \ 3.1\0	\b, Windows NT-style
#>0x187	search/0xB55	WINDOWS\ NT\ \ 4.0\0	\b, Windows NT-style
>0x187	search/0xB55	CONFIG\ \ SYS\ 4.0\0	\b +CONFIG.SYS
#>>&06	string	x	\b:%s
>0x187	search/0xB55	AUTOEXECBAT\ 4.0\0	\b +AUTOEXEC.BAT
#>>&06	string	x	\b:%s

# DOS EPS Binary File Header
# From: Ed Sznyter <ews@Black.Market.NET>
0	belong	0xC5D0D3C6	DOS EPS Binary File
>4	long	>0	Postscript starts at byte %d
>>8	long	>0	length %d
>>>12	long	>0	Metafile starts at byte %d
>>>>16	long	>0	length %d
>>>20	long	>0	TIFF starts at byte %d
>>>>24	long	>0	length %d

# TNEF magic From "Joomy" <joomy@se-ed.net>
# Microsoft Outlook's Transport Neutral Encapsulation Format (TNEF)
0	leshort	0x223e9f78	TNEF
!:mime	application/vnd.ms-tnef

# HtmlHelp files (.chm)
0	string/b	ITSF\003\000\000\000\x60\000\000\000\001\000\000\000	MS Windows HtmlHelp Data

# GFA-BASIC (Wolfram Kleff)
2	string/b	GFA-BASIC3	GFA-BASIC 3 data

#------------------------------------------------------------------------------
# From Stuart Caie <kyzer@4u.net> (developer of cabextract)
# Microsoft Cabinet files
0	string/b	MSCF\0\0\0\0	Microsoft Cabinet archive data
!:mime	application/vnd.ms-cab-compressed
>8	lelong	x	\b, %u bytes
>28	leshort	1	\b, 1 file
>28	leshort	>1	\b, %u files

# InstallShield Cabinet files
0	string/b	ISc(	InstallShield Cabinet archive data
>5	byte&0xf0	=0x60	version 6,
>5	byte&0xf0	!0x60	version 4/5,
>(12.l+40)	lelong	x	%u files

# Windows CE package files
0	string/b	MSCE\0\0\0\0	Microsoft WinCE install header
>20	lelong	0	\b, architecture-independent
>20	lelong	103	\b, Hitachi SH3
>20	lelong	104	\b, Hitachi SH4
>20	lelong	0xA11	\b, StrongARM
>20	lelong	4000	\b, MIPS R4000
>20	lelong	10003	\b, Hitachi SH3
>20	lelong	10004	\b, Hitachi SH3E
>20	lelong	10005	\b, Hitachi SH4
>20	lelong	70001	\b, ARM 7TDMI
>52	leshort	1	\b, 1 file
>52	leshort	>1	\b, %u files
>56	leshort	1	\b, 1 registry entry
>56	leshort	>1	\b, %u registry entries


# Windows Enhanced Metafile (EMF)
# See msdn.microsoft.com/archive/en-us/dnargdi/html/msdn_enhmeta.asp
# for further information.
0	ulelong	1
>40	string	\ EMF	Windows Enhanced Metafile (EMF) image data
>>44	ulelong	x	version 0x%x

# From: Alex Beregszaszi <alex@fsn.hu>
0	string/b	COWD	VMWare3
>4	byte	3	disk image
>>32	lelong	x	(%d/
>>36	lelong	x	\b%d/
>>40	lelong	x	\b%d)
>4	byte	2	undoable disk image
>>32	string	>\0	(%s)

0	string/b	VMDK	VMware4 disk image
0	string/b	KDMV	VMware4 disk image

#--------------------------------------------------------------------
# Qemu Emulator Images
# Lines written by Friedrich Schwittay (f.schwittay@yousable.de)
# Updated by Adam Buchbinder (adam.buchbinder@gmail.com)
# Made by reading sources, reading documentation, and doing trial and error
# on existing QCOW files
0	string/b	QFI\xFB	QEMU QCOW Image

# Uncomment the following line to display Magic (only used for debugging
# this magic number)
#>0	string/b	x	, Magic: %s

# There are currently 2 Versions: "1" and "2".
# http://www.gnome.org/~markmc/qcow-image-format-version-1.html
>4	belong	1	(v1)

# Using the existence of the Backing File Offset to determine whether
# to read Backing File Information
>>12	belong	>0	\b, has backing file (
# Note that this isn't a null-terminated string; the length is actually
# (16.L). Assuming a null-terminated string happens to work usually, but it
# may spew junk until it reaches a \0 in some cases.
>>>(12.L)	string	>\0	\bpath %s

# Modification time of the Backing File
# Really useful if you want to know if your backing
# file is still usable together with this image
>>>>20	bedate	>0	\b, mtime %s)
>>>>20	default	x	\b)

# Size is stored in bytes in a big-endian u64.
>>24	bequad	x	\b, %lld bytes

# 1 for AES encryption, 0 for none.
>>36	belong	1	\b, AES-encrypted

# http://www.gnome.org/~markmc/qcow-image-format.html
>4	belong	2	(v2)
# Using the existence of the Backing File Offset to determine whether
# to read Backing File Information
>>8	bequad	>0	\b, has backing file
# Note that this isn't a null-terminated string; the length is actually
# (16.L). Assuming a null-terminated string happens to work usually, but it
# may spew junk until it reaches a \0 in some cases. Also, since there's no
# .Q modifier, we just use the bottom four bytes as an offset. Note that if
# the file is over 4G, and the backing file path is stored after the first 4G,
# the wrong filename will be printed. (This should be (8.Q), when that syntax
# is introduced.)
810>>>(12.L) string >\0 (path %s) 811>>24 bequad x \b, %lld bytes 812>>32 belong 1 \b, AES-encrypted 813 814>4 default x (unknown version) 815 8160 string/b QEVM QEMU suspend to disk image 817 8180 string/b Bochs\ Virtual\ HD\ Image Bochs disk image, 819>32 string x type %s, 820>48 string x subtype %s 821 8220 lelong 0x02468ace Bochs Sparse disk image 823 824# from http://filext.com by Derek M Jones <derek@knosof.co.uk> 825# False positive with PPT (also currently this string is too long) 826#0 string/b \xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x3E\x00\x03\x00\xFE\xFF\x09\x00\x06 Microsoft Installer 8270 string/b \320\317\021\340\241\261\032\341 Microsoft Office Document 828#>48 byte 0x1B Excel Document 829#!:mime application/vnd.ms-excel 830>546 string bjbj Microsoft Word Document 831!:mime application/msword 832>546 string jbjb Microsoft Word Document 833!:mime application/msword 834 8350 string/b \224\246\056 Microsoft Word Document 836!:mime application/msword 837 838512 string R\0o\0o\0t\0\ \0E\0n\0t\0r\0y Microsoft Word Document 839!:mime application/msword 840 841# From: "Nelson A. de Oliveira" <naoliv@gmail.com> 842# Magic type for Dell's BIOS .hdr files 843# Dell's .hdr 8440 string/b $RBU 845>23 string Dell %s system BIOS 846>5 byte 2 847>>48 byte x version %d. 848>>49 byte x \b%d. 
849>>50 byte x \b%d 850>5 byte <2 851>>48 string x version %.3s 852 853# Type: Microsoft DirectDraw Surface 854# URL: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/directx9_c/directx/graphics/reference/DDSFileReference/ddsfileformat.asp 855# From: Morten Hustveit <morten@debian.org> 8560 string/b DDS\040\174\000\000\000 Microsoft DirectDraw Surface (DDS), 857>16 lelong >0 %hd x 858>12 lelong >0 %hd, 859>84 string x %.4s 860 861# Type: Microsoft Document Imaging Format (.mdi) 862# URL: http://en.wikipedia.org/wiki/Microsoft_Document_Imaging_Format 863# From: Daniele Sempione <scrows@oziosi.org> 8640 short 0x5045 Microsoft Document Imaging Format 865 866# MS eBook format (.lit) 8670 string/b ITOLITLS Microsoft Reader eBook Data 868>8 lelong x \b, version %u 869!:mime application/x-ms-reader 870 871# Windows CE Binary Image Data Format 872# From: Dr. Jesus <j@hug.gs> 8730 string/b B000FF\n Windows Embedded CE binary image 874 875# Windows Imaging (WIM) Image 8760 string/b MSWIM\000\000\000 Windows imaging (WIM) image 877
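The QCOW comments above describe two limits of the magic entries: the backing-file path is not NUL-terminated (its length is the u32 at byte 16), and the u64 offset at byte 8 is read as its low four bytes only. The following is an added example, not part of the magic file or of file(1), that reads the v1/v2 header fields the entries print while honouring the declared length and the full 64-bit offset; the 1024-byte sanity bound on the path length and the two sample images are constructed here.

```python
import io
import struct

QCOW_MAGIC = b"QFI\xfb"
MAX_BACKING_PATH = 1024  # assumed sanity bound on the declared path length


def parse_qcow_header(f):
    """Return the fields the magic entries print; offsets match the magic file's comments."""
    f.seek(0)
    hdr = f.read(40)
    if len(hdr) < 40 or hdr[:4] != QCOW_MAGIC:
        raise ValueError("not a QCOW image")
    version = struct.unpack(">I", hdr[4:8])[0]
    if version == 1:
        # v1: offset u64 @8, length u32 @16, mtime u32 @20, size u64 @24, crypt u32 @36
        bf_off, bf_len, mtime, size, crypt = struct.unpack(">QIIQ4xI", hdr[8:40])
    elif version == 2:
        # v2: offset u64 @8, length u32 @16, cluster_bits u32 @20, size u64 @24, crypt u32 @32
        bf_off, bf_len, _cluster_bits, size, crypt = struct.unpack(">QIIQI", hdr[8:36])
        mtime = None
    else:
        raise ValueError("unknown QCOW version %d" % version)
    backing = None
    if bf_off > 0:
        if bf_len > MAX_BACKING_PATH:
            raise ValueError("implausible backing-file length %d" % bf_len)
        f.seek(bf_off)  # full 64-bit offset, so a path stored beyond 4 GiB is still found
        raw = f.read(bf_len)  # exactly the declared length: no NUL scan, no trailing junk
        if len(raw) != bf_len:
            raise ValueError("backing-file path runs past end of file")
        backing = raw.decode("utf-8", "replace")
    return {"version": version, "size": size, "aes_encrypted": crypt == 1,
            "mtime": mtime, "backing_file": backing}


def sample_v2_image():
    """Constructed v2 header whose backing path is followed by junk, not a NUL."""
    path = b"base.qcow2"
    hdr = QCOW_MAGIC + struct.pack(">IQIIQI", 2, 72, len(path), 16, 1 << 30, 0)
    return io.BytesIO(hdr.ljust(72, b"\0") + path + b"JUNKJUNK")


def sample_v1_image():
    """Constructed v1 header with mtime and the AES flag set, path at offset 64."""
    path = b"old.qcow"
    hdr = QCOW_MAGIC + struct.pack(">IQIIQBBHI", 1, 64, len(path), 1234567890, 1 << 20, 9, 4, 0, 1)
    return io.BytesIO(hdr.ljust(64, b"\0") + path + b"\xff\xff")
```

On the v2 sample a NUL-terminated read would report "base.qcow2JUNKJUNK"; reading the declared length returns the correct path.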