1
2#------------------------------------------------------------------------------
3# $File: msdos,v 1.77 2011/12/07 22:05:05 christos Exp $
4# msdos:  file(1) magic for MS-DOS files
5#
6
7# .BAT files (Daniel Quinlan, quinlan@yggdrasil.com)
8# updated by Joerg Jenderek at Oct 2008,Apr 2011
90	string/t	@
10>1	string/cW	\ echo\ off	DOS batch file text
11!:mime	text/x-msdos-batch
12>1	string/cW	echo\ off	DOS batch file text
13!:mime	text/x-msdos-batch
14>1	string/cW	rem		DOS batch file text
15!:mime	text/x-msdos-batch
16>1	string/cW	set\ 		DOS batch file text
17!:mime	text/x-msdos-batch
18
19
20# OS/2 batch files are REXX. the second regex is a bit generic, oh well
21# the matched commands seem to be common in REXX and uncommon elsewhere
22100	search/0xffff   rxfuncadd
23>100	regex/c =^[\ \t]{0,10}call[\ \t]{1,10}rxfunc	OS/2 REXX batch file text
24100	search/0xffff   say
25>100	regex/c =^[\ \t]{0,10}say\ ['"]			OS/2 REXX batch file text
26
270	leshort		0x14c	MS Windows COFF Intel 80386 object file
28#>4	ledate		x	stamp %s
290	leshort		0x166	MS Windows COFF MIPS R4000 object file
30#>4	ledate		x	stamp %s
310	leshort		0x184	MS Windows COFF Alpha object file
32#>4	ledate		x	stamp %s
330	leshort		0x268	MS Windows COFF Motorola 68000 object file
34#>4	ledate		x	stamp %s
350	leshort		0x1f0	MS Windows COFF PowerPC object file
36#>4	ledate		x	stamp %s
370	leshort		0x290	MS Windows COFF PA-RISC object file
38#>4	ledate		x	stamp %s
39
40# Tests for various EXE types.
41#
42# Many of the compressed formats were extracted from IDARC 1.23 source code.
43#
440	string/b	MZ
45!:mime	application/x-dosexec
46# All non-DOS EXE extensions have the relocation table more than 0x40 bytes into the file.
47>0x18	leshort <0x40 MS-DOS executable
48# These traditional tests usually work but not always.  When test quality support is
49# implemented these can be turned on.
50#>>0x18	leshort	0x1c	(Borland compiler)
51#>>0x18	leshort	0x1e	(MS compiler)
52
53# If the relocation table is 0x40 or more bytes into the file, it's definitely
54# not a DOS EXE.
55>0x18  leshort >0x3f
56
57# Maybe it's a PE?
# (0x3c.l) is an indirect offset: the little-endian long stored at 0x3c is
# used as the position of the "PE\0\0" signature, and every test below is
# placed relative to that value. The subtree therefore reports what the
# header fields claim; none of these tests cross-checks a field against the
# rest of the file, so the description is a triage hint rather than proof of
# what the image contains.
58>>(0x3c.l) string PE\0\0 PE
# +24 = 4-byte signature + 20-byte COFF header, i.e. the first field of the
# optional header (its magic), which separates PE32, PE32+ and ROM images.
59>>>(0x3c.l+24)	leshort		0x010b	\b32 executable
60>>>(0x3c.l+24)	leshort		0x020b	\b32+ executable
61>>>(0x3c.l+24)	leshort		0x0107	ROM image
62>>>(0x3c.l+24)	default		x	Unknown PE signature
63>>>>&0 		leshort		x	0x%x
# +22 = Characteristics field of the COFF header; bit 0x2000 marks a DLL.
64>>>(0x3c.l+22)	leshort&0x2000	>0	(DLL)
# +92 = Subsystem field of the optional header (offset 68 inside it, which is
# the same position in the PE32 and PE32+ layouts).
65>>>(0x3c.l+92)	leshort		1	(native)
66>>>(0x3c.l+92)	leshort		2	(GUI)
67>>>(0x3c.l+92)	leshort		3	(console)
68>>>(0x3c.l+92)	leshort		7	(POSIX)
69>>>(0x3c.l+92)	leshort		9	(Windows CE)
70>>>(0x3c.l+92)	leshort		10	(EFI application)
71>>>(0x3c.l+92)	leshort		11	(EFI boot service driver)
72>>>(0x3c.l+92)	leshort		12	(EFI runtime driver)
73>>>(0x3c.l+92)	leshort		13	(EFI ROM)
74>>>(0x3c.l+92)	leshort		14	(XBOX)
75>>>(0x3c.l+92)	leshort		15	(Windows boot application)
76>>>(0x3c.l+92)	default		x	(Unknown subsystem
77>>>>&0		leshort		x	0x%x)
# +4 = Machine field of the COFF header (target processor).
78>>>(0x3c.l+4)	leshort		0x14c	Intel 80386
79>>>(0x3c.l+4)	leshort		0x166	MIPS R4000
80>>>(0x3c.l+4)	leshort		0x168	MIPS R10000
81>>>(0x3c.l+4)	leshort		0x184	Alpha
82>>>(0x3c.l+4)	leshort		0x1a2	Hitachi SH3
83>>>(0x3c.l+4)	leshort		0x1a6	Hitachi SH4
84>>>(0x3c.l+4)	leshort		0x1c0	ARM
85>>>(0x3c.l+4)	leshort		0x1c2	ARM Thumb
86>>>(0x3c.l+4)	leshort		0x1f0	PowerPC
87>>>(0x3c.l+4)	leshort		0x200	Intel Itanium
88>>>(0x3c.l+4)	leshort		0x266	MIPS16
89>>>(0x3c.l+4)	leshort		0x268	Motorola 68000
90>>>(0x3c.l+4)	leshort		0x290	PA-RISC
91>>>(0x3c.l+4)	leshort		0x366	MIPSIV
92>>>(0x3c.l+4)	leshort		0x466	MIPS16 with FPU
93>>>(0x3c.l+4)	leshort		0xebc	EFI byte code
94>>>(0x3c.l+4)	leshort		0x8664	x86-64
95>>>(0x3c.l+4)	leshort		0xc0ee	MSIL
96>>>(0x3c.l+4)	default		x	Unknown processor type
97>>>>&0		leshort		x	0x%x
# Further Characteristics bits: 0x0200 (debug information stripped into a
# separate file) and 0x1000 (system file).
98>>>(0x3c.l+22)	leshort&0x0200	>0	(stripped to external PDB)
99>>>(0x3c.l+22)	leshort&0x1000	>0	system file
# Managed-code check, once per optional-header layout: a non-zero long at the
# CLR runtime header data-directory entry (+232 for PE32, +248 for PE32+) is
# reported as a Mono/.Net assembly. Only the entry being non-zero is tested;
# the data it points to is not examined here.
100>>>(0x3c.l+24)	leshort		0x010b
101>>>>(0x3c.l+232) lelong	>0	Mono/.Net assembly
102>>>(0x3c.l+24)	leshort		0x020b
103>>>>(0x3c.l+248) lelong	>0	Mono/.Net assembly
104
105# hooray, there's a DOS extender using the PE format, with a valid PE
106# executable inside (which just prints a message and exits if run in win)
107>>>(8.s*16)		string		32STUB	\b, 32rtm DOS extender
108>>>(8.s*16)		string		!32STUB	\b, for MS Windows
# Packer and self-extractor labels for PE files. Each test looks for a fixed
# string at, or inside a bounded window (search/N) after, PE header + 0xf8.
# NOTE(review): 0xf8 = 4 + 20 + 224, the start of the section table when the
# optional header has the usual PE32 size. With a 240-byte PE32+ optional
# header the first section name would sit at +0x108, so the exact-offset UPX0
# test presumably only lines up for PE32 images -- confirm against samples.
# The matched strings are ordinary file content (section names and stub
# markers), not verified structure. When this output feeds malware triage or
# an upload filter, the absence of a label is not evidence that an image is
# unpacked, and a label alone does not establish which tool produced it.
109>>>(0x3c.l+0xf8)	string		UPX0 \b, UPX compressed
110>>>(0x3c.l+0xf8)	search/0x140	PEC2 \b, PECompact2 compressed
# The nested (&N.l+(-4)) tests below follow a long read N bytes after the
# matched name. N plus the length of the name is 20 in each case (UPX2, .idata,
# .rsrc, .data), which appears to select the section's raw-data file offset;
# the archive signature is then looked for relative to that value.
111>>>(0x3c.l+0xf8)	search/0x140	UPX2
112>>>>(&0x10.l+(-4))	string		PK\3\4 \b, ZIP self-extracting archive (Info-Zip)
113>>>(0x3c.l+0xf8)	search/0x140	.idata
114>>>>(&0xe.l+(-4))	string		PK\3\4 \b, ZIP self-extracting archive (Info-Zip)
115>>>>(&0xe.l+(-4))	string		ZZ0 \b, ZZip self-extracting archive
116>>>>(&0xe.l+(-4))	string		ZZ1 \b, ZZip self-extracting archive
117>>>(0x3c.l+0xf8)	search/0x140	.rsrc
118>>>>(&0x0f.l+(-4))	string		a\\\4\5 \b, WinHKI self-extracting archive
119>>>>(&0x0f.l+(-4))	string		Rar! \b, RAR self-extracting archive
120>>>>(&0x0f.l+(-4))	search/0x3000	MSCF \b, InstallShield self-extracting archive
121>>>>(&0x0f.l+(-4))	search/32	Nullsoft \b, Nullsoft Installer self-extracting archive
122>>>(0x3c.l+0xf8)	search/0x140	.data
123>>>>(&0x0f.l)		string		WEXTRACT \b, MS CAB-Installer self-extracting archive
124>>>(0x3c.l+0xf8)	search/0x140	.petite\0 \b, Petite compressed
125>>>>(0x3c.l+0xf7)	byte		x
126>>>>>(&0x104.l+(-4))	string		=!sfx! \b, ACE self-extracting archive
127>>>(0x3c.l+0xf8)	search/0x140	.WISE \b, WISE installer self-extracting archive
128>>>(0x3c.l+0xf8)	search/0x140	.dz\0\0\0 \b, Dzip self-extracting archive
129>>>&(0x3c.l+0xf8)	search/0x100	_winzip_ \b, ZIP self-extracting archive (WinZip)
130>>>&(0x3c.l+0xf8)	search/0x100	SharedD \b, Microsoft Installer self-extracting archive
# Unlike the tests above, this one uses a fixed offset inside the MZ stub
# (0x30) rather than a position derived from the PE header.
131>>>0x30			string		Inno \b, InnoSetup self-extracting archive
132
133# Hmm, not a PE but the relocation table is too high for a traditional DOS exe,
134# must be one of the unusual subformats.
135>>(0x3c.l) string !PE\0\0 MS-DOS executable
136
137>>(0x3c.l)		string		NE \b, NE
138>>>(0x3c.l+0x36)	byte		1 for OS/2 1.x
139>>>(0x3c.l+0x36)	byte		2 for MS Windows 3.x
140>>>(0x3c.l+0x36)	byte		3 for MS-DOS
141>>>(0x3c.l+0x36)	byte		4 for Windows 386
142>>>(0x3c.l+0x36)	byte		5 for Borland Operating System Services
143>>>(0x3c.l+0x36)	default		x
144>>>>(0x3c.l+0x36)	byte		x (unknown OS %x)
145>>>(0x3c.l+0x36)	byte		0x81 for MS-DOS, Phar Lap DOS extender
146>>>(0x3c.l+0x0c)	leshort&0x8003	0x8002 (DLL)
147>>>(0x3c.l+0x0c)	leshort&0x8003	0x8001 (driver)
148>>>&(&0x24.s-1)		string		ARJSFX \b, ARJ self-extracting archive
149>>>(0x3c.l+0x70)	search/0x80	WinZip(R)\ Self-Extractor \b, ZIP self-extracting archive (WinZip)
150
151>>(0x3c.l)		string		LX\0\0 \b, LX
152>>>(0x3c.l+0x0a)	leshort		<1 (unknown OS)
153>>>(0x3c.l+0x0a)	leshort		1 for OS/2
154>>>(0x3c.l+0x0a)	leshort		2 for MS Windows
155>>>(0x3c.l+0x0a)	leshort		3 for DOS
156>>>(0x3c.l+0x0a)	leshort		>3 (unknown OS)
157>>>(0x3c.l+0x10)	lelong&0x28000	=0x8000 (DLL)
158>>>(0x3c.l+0x10)	lelong&0x20000	>0 (device driver)
159>>>(0x3c.l+0x10)	lelong&0x300	0x300 (GUI)
160>>>(0x3c.l+0x10)	lelong&0x28300	<0x300 (console)
161>>>(0x3c.l+0x08)	leshort		1 i80286
162>>>(0x3c.l+0x08)	leshort		2 i80386
163>>>(0x3c.l+0x08)	leshort		3 i80486
164>>>(8.s*16)		string		emx \b, emx
165>>>>&1			string		x %s
166>>>&(&0x54.l-3)		string		arjsfx \b, ARJ self-extracting archive
167
168# MS Windows system file, supposedly a collection of LE executables
169>>(0x3c.l)		string		W3 \b, W3 for MS Windows
170
171>>(0x3c.l)		string		LE\0\0 \b, LE executable
172>>>(0x3c.l+0x0a)	leshort		1
173# some DOS extenders use LE files with OS/2 header
174>>>>0x240		search/0x100	DOS/4G for MS-DOS, DOS4GW DOS extender
175>>>>0x240		search/0x200	WATCOM\ C/C++ for MS-DOS, DOS4GW DOS extender
176>>>>0x440		search/0x100	CauseWay\ DOS\ Extender for MS-DOS, CauseWay DOS extender
177>>>>0x40		search/0x40	PMODE/W for MS-DOS, PMODE/W DOS extender
178>>>>0x40		search/0x40	STUB/32A for MS-DOS, DOS/32A DOS extender (stub)
179>>>>0x40		search/0x80	STUB/32C for MS-DOS, DOS/32A DOS extender (configurable stub)
180>>>>0x40		search/0x80	DOS/32A for MS-DOS, DOS/32A DOS extender (embedded)
181# this is a wild guess; hopefully it is a specific signature
182>>>>&0x24		lelong		<0x50
183>>>>>(&0x4c.l)		string		\xfc\xb8WATCOM
184>>>>>>&0		search/8	3\xdbf\xb9 \b, 32Lite compressed
185# another wild guess: if real OS/2 LE executables exist, they probably have higher start EIP
186#>>>>(0x3c.l+0x1c)	lelong		>0x10000 for OS/2
187# fails with DOS-Extenders.
188>>>(0x3c.l+0x0a)	leshort		2 for MS Windows
189>>>(0x3c.l+0x0a)	leshort		3 for DOS
190>>>(0x3c.l+0x0a)	leshort		4 for MS Windows (VxD)
191>>>(&0x7c.l+0x26)	string		UPX \b, UPX compressed
192>>>&(&0x54.l-3)		string		UNACE \b, ACE self-extracting archive
193
194# looks like ASCII, probably some embedded copyright message.
195# and definitely not NE/LE/LX/PE
196>>0x3c		lelong	>0x20000000
197>>>(4.s*512)	leshort !0x014c \b, MZ for MS-DOS
198# header data too small for extended executable
199>2		long	!0
200>>0x18		leshort <0x40
201>>>(4.s*512)	leshort !0x014c
202
203>>>>&(2.s-514)	string	!LE
204>>>>>&-2	string	!BW \b, MZ for MS-DOS
205>>>>&(2.s-514)	string	LE \b, LE
206>>>>>0x240	search/0x100	DOS/4G for MS-DOS, DOS4GW DOS extender
207# educated guess since indirection is still not capable enough for complex offset
208# calculations (next embedded executable would be at &(&2*512+&0-2)
209# I suspect there are only LE executables in these multi-exe files
210>>>>&(2.s-514)	string	BW
211>>>>>0x240	search/0x100	DOS/4G ,\b LE for MS-DOS, DOS4GW DOS extender (embedded)
212>>>>>0x240	search/0x100	!DOS/4G ,\b BW collection for MS-DOS
213
214# This sequence skips to the first COFF segment, usually .text
215>(4.s*512)	leshort		0x014c \b, COFF
216>>(8.s*16)	string		go32stub for MS-DOS, DJGPP go32 DOS extender
217>>(8.s*16)	string		emx
218>>>&1		string		x for DOS, Win or OS/2, emx %s
219>>&(&0x42.l-3)	byte		x
220>>>&0x26	string		UPX \b, UPX compressed
221# and yet another guess: small .text, and after large .data is unusual, could be 32lite
222>>&0x2c		search/0xa0	.text
223>>>&0x0b	lelong		<0x2000
224>>>>&0		lelong		>0x6000 \b, 32lite compressed
225
226>(8.s*16) string $WdX \b, WDos/X DOS extender
227
228# By now an executable type should have been printed out.  The executable
229# may be a self-uncompressing archive, so look for evidence of that and
230# print it out.
231#
232# Some signatures below from Greg Roelofs, newt@uchicago.edu.
233#
234>0x35	string	\x8e\xc0\xb9\x08\x00\xf3\xa5\x4a\x75\xeb\x8e\xc3\x8e\xd8\x33\xff\xbe\x30\x00\x05 \b, aPack compressed
235>0xe7	string	LH/2\ 	Self-Extract \b, %s
236>0x1c	string	UC2X	\b, UCEXE compressed
237>0x1c	string	WWP\ 	\b, WWPACK compressed
238>0x1c	string	RJSX 	\b, ARJ self-extracting archive
239>0x1c	string	diet 	\b, diet compressed
240>0x1c	string	LZ09 	\b, LZEXE v0.90 compressed
241>0x1c	string	LZ91 	\b, LZEXE v0.91 compressed
242>0x1c	string	tz 	\b, TinyProg compressed
243>0x1e	string	Copyright\ 1989-1990\ PKWARE\ Inc.	Self-extracting PKZIP archive
244!:mime	application/zip
245# Yes, this really is "Copr", not "Corp."
246>0x1e	string	PKLITE\ Copr.	Self-extracting PKZIP archive
247!:mime	application/zip
248# winarj stores a message in the stub instead of the sig in the MZ header
249>0x20	search/0xe0	aRJsfX \b, ARJ self-extracting archive
250>0x20	string AIN
251>>0x23	string 2	\b, AIN 2.x compressed
252>>0x23	string <2	\b, AIN 1.x compressed
253>>0x23	string >2	\b, AIN 1.x compressed
254>0x24	string	LHa's\ SFX \b, LHa self-extracting archive
255!:mime	application/x-lha
256>0x24	string	LHA's\ SFX \b, LHa self-extracting archive
257!:mime	application/x-lha
258>0x24	string	\ $ARX \b, ARX self-extracting archive
259>0x24	string	\ $LHarc \b, LHarc self-extracting archive
260>0x20	string	SFX\ by\ LARC \b, LARC self-extracting archive
261>0x40	string aPKG \b, aPackage self-extracting archive
262>0x64	string	W\ Collis\0\0 \b, Compack compressed
263>0x7a	string		Windows\ self-extracting\ ZIP	\b, ZIP self-extracting archive
264>>&0xf4 search/0x140 \x0\x40\x1\x0
265>>>(&0.l+(4)) string MSCF \b, WinHKI CAB self-extracting archive
266>1638	string	-lh5- \b, LHa self-extracting archive v2.13S
267>0x17888 string Rar! \b, RAR self-extracting archive
268
269# Skip to the end of the EXE.  This will usually work fine in the PE case
270# because the MZ image is hardcoded into the toolchain and almost certainly
271# won't match any of these signatures.
272>(4.s*512)	long	x
273>>&(2.s-517)	byte	x
274>>>&0	string		PK\3\4 \b, ZIP self-extracting archive
275>>>&0	string		Rar! \b, RAR self-extracting archive
276>>>&0	string		=!\x11 \b, AIN 2.x self-extracting archive
277>>>&0	string		=!\x12 \b, AIN 2.x self-extracting archive
278>>>&0	string		=!\x17 \b, AIN 1.x self-extracting archive
279>>>&0	string		=!\x18 \b, AIN 1.x self-extracting archive
280>>>&7	search/400	**ACE** \b, ACE self-extracting archive
281>>>&0	search/0x480	UC2SFX\ Header \b, UC2 self-extracting archive
282
283# a few unknown ZIP sfxes, no idea if they are needed or if they are
284# already captured by the generic patterns above
285>(8.s*16)	search/0x20	PKSFX \b, ZIP self-extracting archive (PKZIP)
286# TODO: how to add this? >FileSize-34 string Windows\ Self-Installing\ Executable \b, ZIP self-extracting archive
287#
288
289# TELVOX Teleinformatica CODEC self-extractor for OS/2:
290>49801	string	\x79\xff\x80\xff\x76\xff	\b, CODEC archive v3.21
291>>49824 leshort		=1			\b, 1 file
292>>49824 leshort		>1			\b, %u files
293
294# added by Joerg Jenderek of http://www.freedos.org/software/?prog=kc
295# and http://www.freedos.org/software/?prog=kpdos
296# for FreeDOS files like KEYBOARD.SYS, KEYBRD2.SYS, KEYBRD3.SYS, *.KBD
2970	string/b	KCF		FreeDOS KEYBoard Layout collection
298# only version=0x100 found
299>3	uleshort	x		\b, version 0x%x
300# length of string containing author,info and special characters
301>6	ubyte		>0
302#>>6	pstring		x		\b, name=%s
303>>7	string		>\0		\b, author=%-.14s
304>>7	search/254	\xff		\b, info=
305#>>>&0	string		x		\b%-s
306>>>&0	string		x		\b%-.15s
307# for FreeDOS *.KL files
3080	string/b	KLF		FreeDOS KEYBoard Layout file
309# only version=0x100 or 0x101 found
310>3	uleshort	x		\b, version 0x%x
311# stringlength
312>5	ubyte		>0
313>>8	string		x		\b, name=%-.2s
3140	string	\xffKEYB\ \ \ \0\0\0\0
315>12	string	\0\0\0\0`\360		MS-DOS KEYBoard Layout file
316
317# .COM formats (Daniel Quinlan, quinlan@yggdrasil.com)
318# Uncommenting only the first two lines will cover about 2/3 of COM files,
319# but it isn't feasible to match all COM files since there must be at least
320# two dozen different one-byte "magics".
321# test too generic ?
3220	byte		0xe9		DOS executable (COM)
323>0x1FE leshort		0xAA55		\b, boot code
324>6	string		SFX\ of\ LHarc	(%s)
325
326# DOS device driver updated by Joerg Jenderek at May 2011
327# http://maben.homeip.net/static/S100/IBM/software/DOS/DOS%20techref/CHAPTER.009
3280	ulequad&0x07a0ffffffff		0xffffffff		DOS executable (
329>40	search/7			UPX!			\bUPX compressed
330# DOS device driver attributes
331>4	uleshort&0x8000			0x0000			\bblock device driver
332# character device
333>4	uleshort&0x8000			0x8000			\b
334>>4	uleshort&0x0008			0x0008			\bclock
335# fast video output by int 29h
336>>4	uleshort&0x0010			0x0010			\bfast
337# standard input/output device
338>>4	uleshort&0x0003			>0			\bstandard
339>>>4	uleshort&0x0001			0x0001			\binput
340>>>4	uleshort&0x0003			0x0003			\b/
341>>>4	uleshort&0x0002			0x0002			\boutput
342>>4	uleshort&0x8000			0x8000			\bcharacter device driver
343>0	ubyte				x
344# upx compressed device driver has garbage instead of real in name field of header
345>>40	search/7			UPX!
346>>40	default				x
347# leading/trailing nulls, zeros or non ASCII characters in 8-byte name field at offset 10 are skipped
348>>>12		ubyte			>0x27			\b
349>>>>10		ubyte			>0x20
350>>>>>10		ubyte			!0x2E
351>>>>>>10	ubyte			!0x2A			\b%c
352>>>>11		ubyte			>0x20
353>>>>>11		ubyte			!0x2E			\b%c
354>>>>12		ubyte			>0x20
355>>>>>12		ubyte			!0x39
356>>>>>>12	ubyte			!0x2E			\b%c
357>>>13		ubyte			>0x20
358>>>>13		ubyte			!0x2E			\b%c
359>>>>14		ubyte			>0x20
360>>>>>14		ubyte			!0x2E			\b%c
361>>>>15		ubyte			>0x20
362>>>>>15		ubyte			!0x2E			\b%c
363>>>>16		ubyte			>0x20
364>>>>>16		ubyte			!0x2E
365>>>>>>16	ubyte			<0xCB			\b%c
366>>>>17		ubyte			>0x20
367>>>>>17		ubyte			!0x2E
368>>>>>>17	ubyte			<0x90			\b%c
369# some character device drivers like ASPICD.SYS, btcdrom.sys and Cr_atapi.sys contain only spaces or points in name field
370>>>4		uleshort&0x8000		0x8000
371>>>>12		ubyte			<0x2F
372# they have their real name at offset 22
373>>>>>22		string			>\0			\b%-.5s
374>4	uleshort&0x8000			0x0000
375# 32 bit sector addressing ( > 32 MB) for block devices
376>>4	uleshort&0x0002			0x0002			\b,32-bit sector-
377# support by driver functions 13h, 17h, 18h
378>4	uleshort&0x0040			0x0040			\b,IOCTL-
379# open, close, removable media support by driver functions 0Dh, 0Eh, 0Fh
380>4	uleshort&0x0800			0x0800			\b,close media-
381# output until busy support by int 10h for character device driver
382>4	uleshort&0x8000			0x8000
383>>4	uleshort&0x2000			0x2000			\b,until busy-
384# direct read/write support by driver functions 03h,0Ch
385>4	uleshort&0x4000			0x4000			\b,control strings-
386>4	uleshort&0x8000			0x8000
387>>4	uleshort&0x6840			>0			\bsupport
388>4	uleshort&0x8000			0x0000
389>>4	uleshort&0x4842			>0			\bsupport
390>0	ubyte				x			\b)
391# DOS driver cmd640x.sys has 0x12 instead of 0xffffffff for pointer field to next device header
392# Too weak, matches files that only contain 0's
393#0	ulequad&0x000007a0ffffffed	0x0000000000000000	DOS-executable (
394#>4	uleshort&0x8000			0x8000			\bcharacter device driver
395#>>10	string				x			%-.8s
396#>4	uleshort&0x4000			0x4000			\b,control strings-support)
397
398# test too generic ?
3990	byte		0x8c		DOS executable (COM)
400# updated by Joerg Jenderek at Oct 2008
4010	ulelong		0xffff10eb	DR-DOS executable (COM)
402# byte 0xeb conflicts with "sequent" magic leshort 0xn2eb
4030	ubeshort&0xeb8d	>0xeb00
404# DR-DOS STACKER.COM SCREATE.SYS missed
405>0	byte		0xeb
406>>0x1FE leshort		0xAA55		DOS executable (COM), boot code
407>>85	string		UPX		DOS executable (COM), UPX compressed
408>>4	string		\ $ARX		DOS executable (COM), ARX self-extracting archive
409>>4	string		\ $LHarc	DOS executable (COM), LHarc self-extracting archive
410>>0x20e string		SFX\ by\ LARC	DOS executable (COM), LARC self-extracting archive
411# updated by Joerg Jenderek at Oct 2008
412#0	byte		0xb8		COM executable
4130	uleshort&0x80ff	0x00b8
414# modified by Joerg Jenderek
415>1	lelong		!0x21cd4cff	COM executable for DOS
416# http://syslinux.zytor.com/comboot.php
417# (32-bit COMBOOT) programs *.C32 contain 32-bit code and run in flat-memory 32-bit protected mode
418# start with assembler instructions mov eax,21cd4cffh
4190	uleshort&0xc0ff	0xc0b8
420>1	lelong		0x21cd4cff	COM executable (32-bit COMBOOT)
421# syslinux:doc/comboot.txt
422# A COM32R program must start with the byte sequence B8 FE 4C CD 21 (mov
423# eax,21cd4cfeh) as a magic number.
4240       string/b	\xb8\xfe\x4c\xcd\x21	COM executable (COM32R)
425# start with assembler instructions mov eax,21cd4cfeh
4260	uleshort&0xc0ff	0xc0b8
427>1	lelong		0x21cd4cfe	COM executable (32-bit COMBOOT, relocatable)
4280	string/b	\x81\xfc
429>4	string	\x77\x02\xcd\x20\xb9
430>>36	string	UPX!			FREE-DOS executable (COM), UPX compressed
431252	string Must\ have\ DOS\ version DR-DOS executable (COM)
432# added by Joerg Jenderek at Oct 2008
433# GRR search is not working
434#34	search/2	UPX!		FREE-DOS executable (COM), UPX compressed
43534	string	UPX!			FREE-DOS executable (COM), UPX compressed
43635	string	UPX!			FREE-DOS executable (COM), UPX compressed
437# GRR search is not working
438#2	search/28	\xcd\x21	COM executable for MS-DOS
439#WHICHFAT.cOM
4402	string	\xcd\x21		COM executable for DOS
441#DELTREE.cOM DELTREE2.cOM
4424	string	\xcd\x21		COM executable for DOS
443#IFMEMDSK.cOM ASSIGN.cOM COMP.cOM
4445	string	\xcd\x21		COM executable for DOS
445#DELTMP.COm HASFAT32.cOM
4467	string	\xcd\x21
447>0	byte	!0xb8			COM executable for DOS
448#COMP.cOM MORE.COm
44910	string	\xcd\x21
450>5	string	!\xcd\x21		COM executable for DOS
451#comecho.com
45213	string	\xcd\x21		COM executable for DOS
453#HELP.COm EDIT.coM
45418	string	\xcd\x21		COM executable for MS-DOS
455#NWRPLTRM.COm
45623	string	\xcd\x21		COM executable for MS-DOS
457#LOADFIX.cOm LOADFIX.cOm
45830	string	\xcd\x21		COM executable for MS-DOS
459#syslinux.com 3.11
46070	string	\xcd\x21		COM executable for DOS
461# many compressed/converted COMs start with a copy loop instead of a jump
4620x6	search/0xa	\xfc\x57\xf3\xa5\xc3	COM executable for MS-DOS
4630x6	search/0xa	\xfc\x57\xf3\xa4\xc3	COM executable for DOS
464>0x18	search/0x10	\x50\xa4\xff\xd5\x73	\b, aPack compressed
4650x3c	string		W\ Collis\0\0		COM executable for MS-DOS, Compack compressed
466# FIXME: missing diet .com compression
467
468# miscellaneous formats
4690	string/b	LZ		MS-DOS executable (built-in)
470#0	byte		0xf0		MS-DOS program library data
471#
472
473# AAF files:
474# <stuartc@rd.bbc.co.uk> Stuart Cunningham
4750	string/b	\320\317\021\340\241\261\032\341AAFB\015\000OM\006\016\053\064\001\001\001\377			AAF legacy file using MS Structured Storage
476>30	byte	9		(512B sectors)
477>30	byte	12		(4kB sectors)
4780	string/b	\320\317\021\340\241\261\032\341\001\002\001\015\000\002\000\000\006\016\053\064\003\002\001\001			AAF file using MS Structured Storage
479>30	byte	9		(512B sectors)
480>30	byte	12		(4kB sectors)
481
482# Popular applications
4832080	string	Microsoft\ Word\ 6.0\ Document	%s
484!:mime	application/msword
4852080	string	Documento\ Microsoft\ Word\ 6 Spanish Microsoft Word 6 document data
486!:mime	application/msword
487# Pawel Wiecek <coven@i17linuxb.ists.pwr.wroc.pl> (for polish Word)
4882112	string	MSWordDoc			Microsoft Word document data
489!:mime	application/msword
490#
4910	belong	0x31be0000			Microsoft Word Document
492!:mime	application/msword
493#
4940	string/b	PO^Q`				Microsoft Word 6.0 Document
495!:mime	application/msword
496#
4970	string/b	\376\067\0\043			Microsoft Office Document
498!:mime	application/msword
4990	string/b	\333\245-\0\0\0			Microsoft Office Document
500!:mime	application/msword
501512	string/b		\354\245\301		Microsoft Word Document
502!:mime	application/msword
503#
5042080	string	Microsoft\ Excel\ 5.0\ Worksheet	%s
505!:mime	application/vnd.ms-excel
506
5072080	string	Foglio\ di\ lavoro\ Microsoft\ Exce	%s
508!:mime	application/vnd.ms-excel
509#
510# Pawel Wiecek <coven@i17linuxb.ists.pwr.wroc.pl> (for polish Excel)
5112114	string	Biff5		Microsoft Excel 5.0 Worksheet
512!:mime	application/vnd.ms-excel
513# Italian MS-Excel
5142121	string	Biff5		Microsoft Excel 5.0 Worksheet
515!:mime	application/vnd.ms-excel
5160	string/b	\x09\x04\x06\x00\x00\x00\x10\x00	Microsoft Excel Worksheet
517!:mime	application/vnd.ms-excel
518#
5190	belong	0x00001a00	Lotus 1-2-3
520!:mime	application/x-123
521>4	belong	0x00100400	wk3 document data
522>4	belong	0x02100400	wk4 document data
523>4	belong	0x07800100	fm3 or fmb document data
524>4	belong	0x07800000	fm3 or fmb document data
525#
5260	belong	0x00000200	Lotus 1-2-3
527!:mime	application/x-123
528>4	belong	0x06040600	wk1 document data
529>4	belong	0x06800200	fmt document data
5300	string/b		WordPro\0	Lotus WordPro
531!:mime	application/vnd.lotus-wordpro
5320	string/b		WordPro\r\373	Lotus WordPro
533!:mime	application/vnd.lotus-wordpro
534
535
536# Summary: Script used by InstallShield to uninstall applications
537# Extension: .isu
538# Submitted by: unknown
539# Modified by (1): Abel Cheung <abelcheung@gmail.com> (replace useless entry)
5400		string		\x71\xa8\x00\x00\x01\x02
541>12		string		Stirling\ Technologies,		InstallShield Uninstall Script
542
543# Winamp .avs
544#0	string	Nullsoft\ AVS\ Preset\ \060\056\061\032 A plug in for Winamp ms-windows Freeware media player
5450	string/b	Nullsoft\ AVS\ Preset\ 	Winamp plug in
546
547# Windows Metafont .WMF
5480	string/b	\327\315\306\232	ms-windows metafont .wmf
5490	string/b	\002\000\011\000	ms-windows metafont .wmf
5500	string/b	\001\000\011\000	ms-windows metafont .wmf
551
552#tz3 files whatever that is (MS Works files)
5530	string/b	\003\001\001\004\070\001\000\000	tz3 ms-works file
5540	string/b	\003\002\001\004\070\001\000\000	tz3 ms-works file
5550	string/b	\003\003\001\004\070\001\000\000	tz3 ms-works file
556
557# PGP sig files .sig
558#0 string \211\000\077\003\005\000\063\237\127 065 to  \027\266\151\064\005\045\101\233\021\002 PGP sig
5590 string \211\000\077\003\005\000\063\237\127\065\027\266\151\064\005\045\101\233\021\002 PGP sig
5600 string \211\000\077\003\005\000\063\237\127\066\027\266\151\064\005\045\101\233\021\002 PGP sig
5610 string \211\000\077\003\005\000\063\237\127\067\027\266\151\064\005\045\101\233\021\002 PGP sig
5620 string \211\000\077\003\005\000\063\237\127\070\027\266\151\064\005\045\101\233\021\002 PGP sig
5630 string \211\000\077\003\005\000\063\237\127\071\027\266\151\064\005\045\101\233\021\002 PGP sig
5640 string \211\000\225\003\005\000\062\122\207\304\100\345\042 PGP sig
565
566# windows zips files .dmf
5670	string/b	MDIF\032\000\010\000\000\000\372\046\100\175\001\000\001\036\001\000 MS Windows special zipped file
568
569
570#ico files
5710	string/b	\102\101\050\000\000\000\056\000\000\000\000\000\000\000	Icon for MS Windows
572
573# Windows icons (Ian Springer <ips@fpk.hp.com>)
5740	string/b	\000\000\001\000	MS Windows icon resource
575!:mime	image/x-icon
576>4	byte	1			- 1 icon
577>4	byte	>1			- %d icons
578>>6	byte	>0			\b, %dx
579>>>7	byte	>0			\b%d
580>>8	byte	0			\b, 256-colors
581>>8	byte	>0			\b, %d-colors
582
583
584# .chr files
5850	string/b	PK\010\010BGI	Borland font
586>4	string	>\0	%s
587# then there is a copyright notice
588
589
590# .bgi files
5910	string/b	pk\010\010BGI	Borland device
592>4	string	>\0	%s
593# then there is a copyright notice
594
595
596# Windows Recycle Bin record file (named INFO2)
597# By Abel Cheung (abelcheung AT gmail dot com)
598# Version 4 always has 280 bytes (0x118) per record, version 5 has 800 bytes
599# Since Vista uses another structure, INFO2 structure probably won't change
600# anymore. Detailed analysis in:
601# http://www.cybersecurityinstitute.biz/downloads/INFO2.pdf
6020	lelong		0x00000004
603>12	lelong		0x00000118	Windows Recycle Bin INFO2 file (Win98 or below)
604
6050	lelong		0x00000005
606>12	lelong		0x00000320	Windows Recycle Bin INFO2 file (Win2k - WinXP)
607
608
609##### put in Either Magic/font or Magic/news
610# Acroread or something	 files wrongly identified as G3	 .pfm
611# these have the form \000 \001 any? \002 \000 \000
612# or \000 \001 any? \022 \000 \000
6130	belong&0xffff00ff	0x00010012	PFM data
614>4	string			\000\000
615>6	string			>\060		- %s
616
6170	belong&0xffff00ff	0x00010002	PFM data
618>4	string			\000\000
619>6	string			>\060		- %s
620#0	string	\000\001 pfm?
621#>3	string	\022\000\000Copyright\	yes
622#>3	string	\002\000\000Copyright\	yes
623#>3	string	>\0	oops, not a font file. Cancel that.
624#it clashes with ttf files so put it lower down.
625
626# From Doug Lee via a FreeBSD pr
6279	string		GERBILDOC	First Choice document
6289	string		GERBILDB	First Choice database
6299	string		GERBILCLIP	First Choice database
6300	string		GERBIL		First Choice device file
6319	string		RABBITGRAPH	RabbitGraph file
6320	string		DCU1		Borland Delphi .DCU file
6330	string		=!<spell>	MKS Spell hash list (old format)
6340	string		=!<spell2>	MKS Spell hash list
635# Too simple - MPi
636#0	string		AH		Halo(TM) bitmapped font file
6370	lelong		0x08086b70	TurboC BGI file
6380	lelong		0x08084b50	TurboC Font file
639
640# WARNING: below line conflicts with Infocom game data Z-machine 3
6410	byte		0x03
642>0x02	byte		<0x13		DBase 3 data file
643>>0x04	lelong		0		(no records)
644>>0x04	lelong		>0		(%ld records)
6450	byte		0x83
646>0x02	byte		<0x13		DBase 3 data file with memo(s)
647>>0x04	lelong		0		(no records)
648>>0x04	lelong		>0		(%ld records)
6490	leshort		0x0006		DBase 3 index file
6500	string		PMCC		Windows 3.x .GRP file
6511	string		RDC-meg		MegaDots
652>8	byte		>0x2F		version %c
653>9	byte		>0x2F		\b.%c file
# Windows shortcut (.lnk): the first long is the header size 0x4C and the
# second is the first four bytes of the shell-link class id
# (00021401-0000-0000-C000-000000000046). Only these eight bytes are tested;
# the remainder of the class id and the link target are not examined.
# No !:mime line follows this rule, so it supplies a description but no MIME
# type of its own. Mail or upload filters that decide on MIME type rather
# than on the description should handle shortcut files explicitly.
6540	lelong		0x4C
655>4	lelong		0x00021401	Windows shortcut file
656
657# .PIF files added by Joerg Jenderek from http://smsoft.ru/en/pifdoc.htm
658# only for windows versions equal or greater 3.0
6590x171	string	MICROSOFT\ PIFEX\0	Windows Program Information File
660!:mime	application/x-dosexec
661#>2	string	 	>\0		\b, Title:%.30s
662>0x24	string		>\0		\b for %.63s
663>0x65	string		>\0		\b, directory=%.64s
664>0xA5	string		>\0		\b, parameters=%.64s
665#>0x181	leshort	x	\b, offset %x
666#>0x183	leshort	x	\b, offsetdata %x
667#>0x185	leshort	x	\b, section length %x
668>0x187	search/0xB55	WINDOWS\ VMM\ 4.0\0
669>>&0x5e		ubyte	>0
670>>>&-1		string	<PIFMGR.DLL		\b, icon=%s
671#>>>&-1		string	PIFMGR.DLL		\b, icon=%s
672>>>&-1		string	>PIFMGR.DLL		\b, icon=%s
673>>&0xF0		ubyte	>0
674>>>&-1		string	<Terminal		\b, font=%.32s
675#>>>&-1		string	=Terminal		\b, font=%.32s
676>>>&-1		string	>Terminal		\b, font=%.32s
677>>&0x110	ubyte	>0
678>>>&-1		string	<Lucida\ Console	\b, TrueTypeFont=%.32s
679#>>>&-1		string	=Lucida\ Console	\b, TrueTypeFont=%.32s
680>>>&-1		string	>Lucida\ Console	\b, TrueTypeFont=%.32s
681#>0x187	search/0xB55	WINDOWS\ 286\ 3.0\0	\b, Windows 3.X standard mode-style
682#>0x187	search/0xB55	WINDOWS\ 386\ 3.0\0	\b, Windows 3.X enhanced mode-style
683>0x187	search/0xB55	WINDOWS\ NT\ \ 3.1\0	\b, Windows NT-style
684#>0x187	search/0xB55	WINDOWS\ NT\ \ 4.0\0	\b, Windows NT-style
685>0x187	search/0xB55	CONFIG\ \ SYS\ 4.0\0	\b +CONFIG.SYS
686#>>&06		string	x			\b:%s
687>0x187	search/0xB55	AUTOEXECBAT\ 4.0\0	\b +AUTOEXEC.BAT
688#>>&06		string	x			\b:%s
689
690# DOS EPS Binary File Header
691# From: Ed Sznyter <ews@Black.Market.NET>
6920	belong		0xC5D0D3C6	DOS EPS Binary File
693>4	long		>0		Postscript starts at byte %d
694>>8	long		>0		length %d
695>>>12	long		>0		Metafile starts at byte %d
696>>>>16	long		>0		length %d
697>>>20	long		>0		TIFF starts at byte %d
698>>>>24	long		>0		length %d
699
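# TNEF magic From "Joomy" <joomy@se-ed.net>
# Microsoft Outlook's Transport Neutral Encapsulation Format (TNEF)
# The signature 0x223e9f78 is 32 bits wide, so it is tested as a little-endian
# long. A 16-bit leshort cannot hold the whole value: depending on how the
# constant is truncated, such a rule either never matches or matches on the
# first two bytes only. TNEF attachments (winmail.dat) would then be missed or
# mislabelled by anything that filters on application/vnd.ms-tnef.
0	lelong		0x223e9f78	TNEF
!:mime	application/vnd.ms-tnef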
704
705# HtmlHelp files (.chm)
7060	string/b	ITSF\003\000\000\000\x60\000\000\000\001\000\000\000	MS Windows HtmlHelp Data
707
708# GFA-BASIC (Wolfram Kleff)
7092	string/b	GFA-BASIC3	GFA-BASIC 3 data
710
711#------------------------------------------------------------------------------
712# From Stuart Caie <kyzer@4u.net> (developer of cabextract)
713# Microsoft Cabinet files
7140	string/b	MSCF\0\0\0\0	Microsoft Cabinet archive data
715!:mime application/vnd.ms-cab-compressed
716>8	lelong		x		\b, %u bytes
717>28	leshort		1		\b, 1 file
718>28	leshort		>1		\b, %u files
719
720# InstallShield Cabinet files
7210	string/b	ISc(		InstallShield Cabinet archive data
722>5	byte&0xf0	=0x60		version 6,
723>5	byte&0xf0	!0x60		version 4/5,
724>(12.l+40)	lelong	x		%u files
725
726# Windows CE package files
7270	string/b	MSCE\0\0\0\0	Microsoft WinCE install header
728>20	lelong		0		\b, architecture-independent
729>20	lelong		103		\b, Hitachi SH3
730>20	lelong		104		\b, Hitachi SH4
731>20	lelong		0xA11		\b, StrongARM
732>20	lelong		4000		\b, MIPS R4000
733>20	lelong		10003		\b, Hitachi SH3
734>20	lelong		10004		\b, Hitachi SH3E
735>20	lelong		10005		\b, Hitachi SH4
736>20	lelong		70001		\b, ARM 7TDMI
737>52	leshort		1		\b, 1 file
738>52	leshort		>1		\b, %u files
739>56	leshort		1		\b, 1 registry entry
740>56	leshort		>1		\b, %u registry entries
741
742
743# Windows Enhanced Metafile (EMF)
744# See msdn.microsoft.com/archive/en-us/dnargdi/html/msdn_enhmeta.asp
745# for further information.
7460	ulelong 1
747>40	string	\ EMF		Windows Enhanced Metafile (EMF) image data
748>>44	ulelong x		version 0x%x
749
750# From: Alex Beregszaszi <alex@fsn.hu>
7510	string/b	COWD		VMWare3
# The byte at offset 4 selects the image kind (3 or 2). Other values print
# only "VMWare3".
752>4	byte	3		disk image
# Three little-endian longs at 32/36/40 are printed as (a/b/c).
# Presumably disk geometry; TODO confirm.
753>>32	lelong	x		(%d/
754>>36	lelong	x		\b%d/
755>>40	lelong	x		\b%d)
756>4	byte	2		undoable disk image
# Prints the string stored at offset 32 when it is non-empty. The text comes
# from the image and is not validated.
757>>32	string	>\0		(%s)
758
# Two spellings of the same four-byte tag, in either byte order.
7590	string/b	VMDK		 VMware4 disk image
7600	string/b	KDMV		 VMware4 disk image
761
762#--------------------------------------------------------------------
763# Qemu Emulator Images
764# Lines written by Friedrich Schwittay (f.schwittay@yousable.de)
765# Updated by Adam Buchbinder (adam.buchbinder@gmail.com)
766# Made by reading sources, reading documentation, and doing trial and error
767# on existing QCOW files
7680	string/b	QFI\xFB	QEMU QCOW Image
769
770# Uncomment the following line to display Magic (only used for debugging
771# this magic number)
772#>0	string/b	x	, Magic: %s
773
774# There are currently 2 Versions: "1" and "2".
775# http://www.gnome.org/~markmc/qcow-image-format-version-1.html
776>4	belong	1	(v1)
777
778# Using the existence of the Backing File Offset to determine whether
779# to read Backing File Information
# Only the four bytes at offset 12 are tested here. Presumably these are the
# low half of a 64-bit offset field, as in the v2 rule below; confirm.
780>>12	belong	 >0	 \b, has backing file (
781# Note that this isn't a null-terminated string; the length is actually
782# (16.L). Assuming a null-terminated string happens to work usually, but it
783# may spew junk until it reaches a \0 in some cases.
# Both the offset and the path are data stored inside the image. This rule
# only prints the path: it does not check that the file exists or that the
# location is sensible. Treat the printed path as untrusted when the image
# comes from an unknown source.
784>>>(12.L)	 string >\0	\bpath %s
785
786# Modification time of the Backing File
787# Really useful if you want to know if your backing
788# file is still usable together with this image
# The "default" line closes the parenthesis when no mtime is stored.
789>>>>20	bedate >0	\b, mtime %s)
790>>>>20	default x	\b)
791
792# Size is stored in bytes in a big-endian u64.
# This is the size recorded in the header; it is printed as stored.
793>>24	bequad	x	 \b, %lld bytes
794
795# 1 for AES encryption, 0 for none.
796>>36	belong	1	\b, AES-encrypted
797
798# http://www.gnome.org/~markmc/qcow-image-format.html
799>4	belong	2	(v2)
800# Using the existence of the Backing File Offset to determine whether
801# to read Backing File Information
802>>8	bequad  >0	 \b, has backing file
803# Note that this isn't a null-terminated string; the length is actually
804# (16.L). Assuming a null-terminated string happens to work usually, but it
805# may spew junk until it reaches a \0 in some cases. Also, since there's no
806# .Q modifier, we just use the bottom four bytes as an offset. Note that if
807# the file is over 4G, and the backing file path is stored after the first 4G,
808# the wrong filename will be printed. (This should be (8.Q), when that syntax
809# is introduced.)
# As with v1, the path is read from the image itself and printed unverified.
810>>>(12.L)	 string >\0	(path %s)
# In v2 the size is at offset 24 and the encryption flag at offset 32
# (v1 uses 24 and 36).
811>>24	bequad	x	\b, %lld bytes
812>>32	belong	1	\b, AES-encrypted
813
# Any other version number still reports "QEMU QCOW Image", with this suffix.
814>4	default x	(unknown version)
815
# Four-byte tag at offset 0; no further fields are decoded.
8160	string/b	QEVM		QEMU suspend to disk image
817
# Text signature at offset 0. The strings at offsets 32 and 48 are printed
# as stored in the image, up to the first NUL byte.
8180	string/b	Bochs\ Virtual\ HD\ Image	Bochs disk image,
819>32	string	x				type %s,
820>48	string	x				subtype %s
821
# Identified only by a 32-bit little-endian constant at offset 0.
8220	lelong	0x02468ace			Bochs Sparse disk image
823
824# from http://filext.com by Derek M Jones <derek@knosof.co.uk>
825# False positive with PPT (also currently this string is too long)
826#0	string/b	\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x3E\x00\x03\x00\xFE\xFF\x09\x00\x06	Microsoft Installer
# These eight octal bytes are the same D0 CF 11 E0 A1 B1 1A E1 prefix as the
# disabled rule above. The prefix identifies the container, which the note
# above shows is shared by more than one format. So "Microsoft Office
# Document" means "file with this container header". It is not a statement
# about what the container holds.
8270	string/b	\320\317\021\340\241\261\032\341	Microsoft Office Document
828#>48	byte	0x1B					Excel Document
829#!:mime application/vnd.ms-excel
# A four-character marker at the fixed offset 546 upgrades the label to Word.
830>546	string	bjbj			Microsoft Word Document
831!:mime	application/msword
832>546	string	jbjb			Microsoft Word Document
833!:mime	application/msword
834
# NOTE(review): three-byte signature; short enough that unrelated data can
# match.
8350	string/b	\224\246\056		Microsoft Word Document
836!:mime	application/msword
837
# NOTE(review): "Root Entry" (16-bit characters) at offset 512 looks like the
# root directory name of the container format in general, not something
# specific to Word. This rule may label other compound files as
# application/msword; confirm before relying on that MIME type for filtering.
838512	string	R\0o\0o\0t\0\ \0E\0n\0t\0r\0y	Microsoft Word Document
839!:mime	application/msword
840
840# From: "Nelson A. de Oliveira" <naoliv@gmail.com>
841# Magic type for Dell's BIOS .hdr files
842# Dell's .hdr
8430	string/b $RBU
# Prints the whole string found at offset 23 when it begins with "Dell".
844>23	string Dell			%s system BIOS
# The byte at offset 5 selects how the version at offset 48 is decoded:
# value 2 prints three numeric bytes (48, 49, 50) as a.b.c.
845>5	byte   2
846>>48	byte   x			version %d.
847>>49	byte   x			\b%d.
848>>50	byte   x			\b%d
# Values below 2 print the first three characters at offset 48 as text.
# Values above 2 print no version.
849>5	byte   <2
850>>48	string x			version %.3s
852
852# Type: Microsoft DirectDraw Surface
853# URL:	http://msdn.microsoft.com/library/default.asp?url=/library/en-us/directx9_c/directx/graphics/reference/DDSFileReference/ddsfileformat.asp
854# From: Morten Hustveit <morten@debian.org>
# Signature is "DDS " followed by the little-endian long 0x7c (octal \174).
8550	string/b	DDS\040\174\000\000\000 Microsoft DirectDraw Surface (DDS),
# The long at offset 16 is printed before the one at offset 12, giving
# "A x B". Presumably width x height; confirm against the format reference.
# NOTE(review): both are 32-bit lelong values printed with %hd, a short
# format. Large values may not print as stored; confirm.
856>16	lelong	>0			%hd x
857>12	lelong	>0			%hd,
# At most four characters of the string at offset 84 are printed.
858>84	string	x			%.4s
860
860# Type: Microsoft Document Imaging Format (.mdi)
861# URL:	http://en.wikipedia.org/wiki/Microsoft_Document_Imaging_Format
862# From: Daniele Sempione <scrows@oziosi.org>
# NOTE(review): "short" is read in the byte order of the host running file(1),
# so this rule matches bytes 45 50 on a little-endian machine and 50 45 on a
# big-endian one. A two-byte test is also a very weak signature: any file that
# begins with those two bytes is reported as MDI. Do not use this label on its
# own as evidence of file type.
8630	short	0x5045			Microsoft Document Imaging Format
865
865# MS eBook format (.lit)
8660	string/b	ITOLITLS		Microsoft Reader eBook Data
# The little-endian long at offset 8 is printed as the version, as stored.
867>8	lelong	x			\b, version %u
868!:mime					application/x-ms-reader
869
870# Windows CE Binary Image Data Format
871# From: Dr. Jesus <j@hug.gs>
# Seven-byte text signature, including the trailing newline.
8720	string/b	B000FF\n	Windows Embedded CE binary image
873
874# Windows Imaging (WIM) Image
# "MSWIM" followed by three zero bytes at offset 0. No header fields are
# decoded.
8750	string/b	MSWIM\000\000\000	Windows imaging (WIM) image
877