1#	$OpenBSD: msdos,v 1.7 2018/10/04 16:51:38 ccardenas Exp $
2
3#------------------------------------------------------------------------------
4# msdos:  file(1) magic for MS-DOS files
5#
6
7# .BAT files (Daniel Quinlan, quinlan@yggdrasil.com)
8# updated by Joerg Jenderek
90	string	@
10>1	string/cB	\ echo\ off	MS-DOS batch file text
11>1	string/cB	echo\ off	MS-DOS batch file text
12>1	string/cB	rem\ 		MS-DOS batch file text
13>1	string/cB	set\ 		MS-DOS batch file text
14
15
16# OS/2 batch files are REXX. the second regex is a bit generic, oh well
17# the matched commands seem to be common in REXX and uncommon elsewhere
18100	regex/c =^[\ \t]{0,10}call[\ \t]{1,10}rxfunc OS/2 REXX batch file text
19100	regex/c =^[\ \t]{0,10}say\ ['"]	     OS/2 REXX batch file text
20
210	leshort		0x14c	MS Windows COFF Intel 80386 object file
22#>4	ledate		x	stamp %s
230	leshort		0x166	MS Windows COFF MIPS R4000 object file
24#>4	ledate		x	stamp %s
250	leshort		0x184	MS Windows COFF Alpha object file
26#>4	ledate		x	stamp %s
270	leshort		0x268	MS Windows COFF Motorola 68000 object file
28#>4	ledate		x	stamp %s
290	leshort		0x1f0	MS Windows COFF PowerPC object file
30#>4	ledate		x	stamp %s
310	leshort		0x290	MS Windows COFF PA-RISC object file
32#>4	ledate		x	stamp %s
33
34# XXX - according to Microsoft's spec, at an offset of 0x3c in a
35# PE-format executable is the offset in the file of the PE header;
36# unfortunately, that's a little-endian offset, and there's no way
37# to specify an indirect offset with a specified byte order.
38# So, for now, we assume the standard MS-DOS stub, which puts the
39# PE header at 0x80 = 128.
40#
41# Required OS version and subsystem version were 4.0 on some NT 3.51
42# executables built with Visual C++ 4.0, so it's not clear that
43# they're interesting.  The user version was 0.0, but there's
44# probably some linker directive to set it.  The linker version was
45# 3.0, except for one ".exe" which had it as 4.20 (same damn linker!).
46#
47# many of the compressed formats were extracted from IDARC 1.23 source code
48#
490	string	MZ		MS-DOS executable
50!:mime	application/x-dosexec
51>0 string MZ\0\0\0\0\0\0\0\0\0\0PE\0\0 \b, PE for MS Windows
52>>&18	leshort&0x2000	>0	(DLL)
53>>&88	leshort		0	(unknown subsystem)
54>>&88	leshort		1	(native)
55>>&88	leshort		2	(GUI)
56>>&88	leshort		3	(console)
57>>&88	leshort		7	(POSIX)
58>>&0	leshort		0x0	unknown processor
59>>&0	leshort		0x14c	Intel 80386
60>>&0	leshort		0x166	MIPS R4000
61>>&0	leshort		0x184	Alpha
62>>&0	leshort		0x268	Motorola 68000
63>>&0	leshort		0x1f0	PowerPC
64>>&0	leshort		0x290	PA-RISC
65>>&18	leshort&0x0100	>0	32-bit
66>>&18	leshort&0x1000	>0	system file
67>>&0xf4 search/0x140 \x0\x40\x1\x0
68>>>(&0.l+(4)) string MSCF \b, WinHKI CAB self-extracting archive
69>30		string	Copyright\ 1989-1990\ PKWARE\ Inc.	Self-extracting PKZIP archive
70!:mime	application/zip
71# Is next line correct? One might expect "Corp." not "Copr." If it is right, add a note to that effect.
72>30		string	PKLITE\ Copr.	Self-extracting PKZIP archive
73!:mime	application/zip
74
75>0x18  leshort >0x3f
76>>(0x3c.l) string PE\0\0 PE
77# hooray, there's a DOS extender using the PE format, with a valid PE
78# executable inside (which just prints a message and exits if run in win)
79>>>(8.s*16) string 32STUB for MS-DOS, 32rtm DOS extender
80>>>(8.s*16) string !32STUB for MS Windows
81>>>>(0x3c.l+22)	leshort&0x2000	>0	(DLL)
82>>>>(0x3c.l+92)	leshort		0	(unknown subsystem)
83>>>>(0x3c.l+92)	leshort		1	(native)
84>>>>(0x3c.l+92)	leshort		2	(GUI)
85>>>>(0x3c.l+92)	leshort		3	(console)
86>>>>(0x3c.l+92)	leshort		7	(POSIX)
87>>>>(0x3c.l+4)	leshort		0x0	unknown processor
88>>>>(0x3c.l+4)	leshort		0x14c	Intel 80386
89>>>>(0x3c.l+4)	leshort		0x166	MIPS R4000
90>>>>(0x3c.l+4)	leshort		0x184	Alpha
91>>>>(0x3c.l+4)	leshort		0x268	Motorola 68000
92>>>>(0x3c.l+4)	leshort		0x1f0	PowerPC
93>>>>(0x3c.l+4)	leshort		0x290	PA-RISC
94>>>>(0x3c.l+22)	leshort&0x0100	>0	32-bit
95>>>>(0x3c.l+22)	leshort&0x1000	>0	system file
96>>>>(0x3c.l+232)	lelong	>0	Mono/.Net assembly
97
98>>>>(0x3c.l+0xf8)	string		UPX0 \b, UPX compressed
99>>>>(0x3c.l+0xf8)	search/0x140	PEC2 \b, PECompact2 compressed
100>>>>(0x3c.l+0xf8)	search/0x140	UPX2
101>>>>>(&0x10.l+(-4))	string		PK\3\4 \b, ZIP self-extracting archive (Info-Zip)
102>>>>(0x3c.l+0xf8)	search/0x140	.idata
103>>>>>(&0xe.l+(-4))	string		PK\3\4 \b, ZIP self-extracting archive (Info-Zip)
104>>>>>(&0xe.l+(-4))	string		ZZ0 \b, ZZip self-extracting archive
105>>>>>(&0xe.l+(-4))	string		ZZ1 \b, ZZip self-extracting archive
106>>>>(0x3c.l+0xf8)	search/0x140	.rsrc
107>>>>>(&0x0f.l+(-4))	string		a\\\4\5 \b, WinHKI self-extracting archive
108>>>>>(&0x0f.l+(-4))	string		Rar! \b, RAR self-extracting archive
109>>>>>(&0x0f.l+(-4))	search/0x3000	MSCF \b, InstallShield self-extracting archive
110>>>>>(&0x0f.l+(-4))	search/32	Nullsoft \b, Nullsoft Installer self-extracting archive
111>>>>(0x3c.l+0xf8)	search/0x140	.data
112>>>>>(&0x0f.l)		string		WEXTRACT \b, MS CAB-Installer self-extracting archive
113>>>>(0x3c.l+0xf8)	search/0x140	.petite\0 \b, Petite compressed
114>>>>>(0x3c.l+0xf7)	byte		x
115>>>>>>(&0x104.l+(-4))	string		=!sfx! \b, ACE self-extracting archive
116>>>>(0x3c.l+0xf8)	search/0x140	.WISE \b, WISE installer self-extracting archive
117>>>>(0x3c.l+0xf8)	search/0x140	.dz\0\0\0 \b, Dzip self-extracting archive
118>>>>(0x3c.l+0xf8)	search/0x140	.reloc
119>>>>>(&0xe.l+(-4))	search/0x180	PK\3\4 \b, ZIP self-extracting archive (WinZip)
120
121>>>>&(0x3c.l+0xf8)	search/0x100	_winzip_ \b, ZIP self-extracting archive (WinZip)
122>>>>&(0x3c.l+0xf8)	search/0x100	SharedD \b, Microsoft Installer self-extracting archive
123>>>>0x30		string		Inno \b, InnoSetup self-extracting archive
124
125>>(0x3c.l)		string		NE \b, NE
126>>>(0x3c.l+0x36)	byte		0 (unknown OS)
127>>>(0x3c.l+0x36)	byte		1 for OS/2 1.x
128>>>(0x3c.l+0x36)	byte		2 for MS Windows 3.x
129>>>(0x3c.l+0x36)	byte		3 for MS-DOS
130>>>(0x3c.l+0x36)	byte		>3 (unknown OS)
131>>>(0x3c.l+0x36)	byte		0x81 for MS-DOS, Phar Lap DOS extender
132>>>(0x3c.l+0x0c)	leshort&0x8003	0x8002 (DLL)
133>>>(0x3c.l+0x0c)	leshort&0x8003	0x8001 (driver)
134>>>&(&0x24.s-1)		string		ARJSFX \b, ARJ self-extracting archive
135>>>(0x3c.l+0x70)	search/0x80	WinZip(R)\ Self-Extractor \b, ZIP self-extracting archive (WinZip)
136
137>>(0x3c.l)		string		LX\0\0 \b, LX
138>>>(0x3c.l+0x0a)	leshort		<1 (unknown OS)
139>>>(0x3c.l+0x0a)	leshort		1 for OS/2
140>>>(0x3c.l+0x0a)	leshort		2 for MS Windows
141>>>(0x3c.l+0x0a)	leshort		3 for DOS
142>>>(0x3c.l+0x0a)	leshort		>3 (unknown OS)
143>>>(0x3c.l+0x10)	lelong&0x28000	=0x8000 (DLL)
144>>>(0x3c.l+0x10)	lelong&0x20000	>0 (device driver)
145>>>(0x3c.l+0x10)	lelong&0x300	0x300 (GUI)
146>>>(0x3c.l+0x10)	lelong&0x28300	<0x300 (console)
147>>>(0x3c.l+0x08)	leshort		1 i80286
148>>>(0x3c.l+0x08)	leshort		2 i80386
149>>>(0x3c.l+0x08)	leshort		3 i80486
150>>>(8.s*16)		string		emx \b, emx
151>>>>&1			string		x %s
152>>>&(&0x54.l-3)		string		arjsfx \b, ARJ self-extracting archive
153
154# MS Windows system file, supposedly a collection of LE executables
155>>(0x3c.l)		string		W3 \b, W3 for MS Windows
156
157>>(0x3c.l)		string		LE\0\0 \b, LE executable
158>>>(0x3c.l+0x0a)	leshort		1
159# some DOS extenders use LE files with OS/2 header
160>>>>0x240		search/0x100	DOS/4G for MS-DOS, DOS4GW DOS extender
161>>>>0x240		search/0x200	WATCOM\ C/C++ for MS-DOS, DOS4GW DOS extender
162>>>>0x440		search/0x100	CauseWay\ DOS\ Extender for MS-DOS, CauseWay DOS extender
163>>>>0x40		search/0x40	PMODE/W for MS-DOS, PMODE/W DOS extender
164>>>>0x40		search/0x40	STUB/32A for MS-DOS, DOS/32A DOS extender (stub)
165>>>>0x40		search/0x80	STUB/32C for MS-DOS, DOS/32A DOS extender (configurable stub)
166>>>>0x40		search/0x80	DOS/32A for MS-DOS, DOS/32A DOS extender (embedded)
167# this is a wild guess; hopefully it is a specific signature
168>>>>&0x24		lelong		<0x50
169>>>>>(&0x4c.l)		string		\xfc\xb8WATCOM
170>>>>>>&0		search/8	3\xdbf\xb9 \b, 32Lite compressed
171# another wild guess: if real OS/2 LE executables exist, they probably have higher start EIP
172#>>>>(0x3c.l+0x1c)	lelong		>0x10000 for OS/2
173# fails with DOS-Extenders.
174>>>(0x3c.l+0x0a)	leshort		2 for MS Windows
175>>>(0x3c.l+0x0a)	leshort		3 for DOS
176>>>(0x3c.l+0x0a)	leshort		4 for MS Windows (VxD)
177>>>(&0x7c.l+0x26)	string		UPX \b, UPX compressed
178>>>&(&0x54.l-3)		string		UNACE \b, ACE self-extracting archive
179
180# looks like ASCII, probably some embedded copyright message.
181# and definitely not NE/LE/LX/PE
182>>0x3c		lelong	>0x20000000
183>>>(4.s*512)	leshort !0x014c \b, MZ for MS-DOS
184# header data too small for extended executable
185>2		long	!0
186>>0x18		leshort	<0x40
187>>>(4.s*512)	leshort !0x014c
188
189>>>>&(2.s-514)	string	!LE
190>>>>>&-2	string	!BW \b, MZ for MS-DOS
191>>>>&(2.s-514)	string	LE \b, LE
192>>>>>0x240	search/0x100	DOS/4G for MS-DOS, DOS4GW DOS extender
193# educated guess since indirection is still not capable enough for complex offset
194# calculations (next embedded executable would be at &(&2*512+&0-2))
195# I suspect there are only LE executables in these multi-exe files
196>>>>&(2.s-514)	string	BW
197>>>>>0x240	search/0x100	DOS/4G ,\b LE for MS-DOS, DOS4GW DOS extender (embedded)
198>>>>>0x240	search/0x100	!DOS/4G ,\b BW collection for MS-DOS
199
200# This sequence skips to the first COFF segment, usually .text
201>(4.s*512)	leshort		0x014c \b, COFF
202>>(8.s*16)	string		go32stub for MS-DOS, DJGPP go32 DOS extender
203>>(8.s*16)	string		emx
204>>>&1		string		x for DOS, Win or OS/2, emx %s
205>>&(&0x42.l-3)	byte		x
206>>>&0x26	string		UPX \b, UPX compressed
207# and yet another guess: a small .text followed by a large .data is unusual, could be 32lite
208>>&0x2c		search/0xa0	.text
209>>>&0x0b	lelong		<0x2000
210>>>>&0		lelong		>0x6000 \b, 32lite compressed
211
212>(8.s*16) string $WdX \b, WDos/X DOS extender
213
214# .EXE formats (Greg Roelofs, newt@uchicago.edu)
215#
216>0x35   string  \x8e\xc0\xb9\x08\x00\xf3\xa5\x4a\x75\xeb\x8e\xc3\x8e\xd8\x33\xff\xbe\x30\x00\x05 \b, aPack compressed
217>0xe7	string	LH/2\ Self-Extract \b, %s
218>0x1c	string	diet \b, diet compressed
219>0x1c	string	LZ09 \b, LZEXE v0.90 compressed
220>0x1c	string	LZ91 \b, LZEXE v0.91 compressed
221>0x1c   string  tz \b, TinyProg compressed
222>0x1e	string	PKLITE \b, %s compressed
223>0x64   string  W\ Collis\0\0 \b, Compack compressed
224>0x24	string	LHa's\ SFX \b, LHa self-extracting archive
225!:mime	application/x-lha
226>0x24	string	LHA's\ SFX \b, LHa self-extracting archive
227!:mime	application/x-lha
228>0x24   string  \ $ARX \b, ARX self-extracting archive
229>0x24   string  \ $LHarc \b, LHarc self-extracting archive
230>0x20   string  SFX\ by\ LARC \b, LARC self-extracting archive
231>1638	string	-lh5- \b, LHa self-extracting archive v2.13S
232>0x17888 string	Rar! \b, RAR self-extracting archive
233>0x40   string aPKG \b, aPackage self-extracting archive
234
235>32      string AIN
236>>35     string 2              \b, AIN 2.x compressed
237>>35     string <2             \b, AIN 1.x compressed
238>>35     string >2             \b, AIN 1.x compressed
239>28      string UC2X           \b, UCEXE compressed
240>28      string WWP\           \b, WWPACK compressed
241
242# skip to the end of the exe
243>(4.s*512)	long	x
244>>&(2.s-517)	byte	x
245>>>&0	string		PK\3\4 \b, ZIP self-extracting archive
246>>>&0	string		Rar! \b, RAR self-extracting archive
247>>>&0	string		=!\x11 \b, AIN 2.x self-extracting archive
248>>>&0	string		=!\x12 \b, AIN 2.x self-extracting archive
249>>>&0	string		=!\x17 \b, AIN 1.x self-extracting archive
250>>>&0	string		=!\x18 \b, AIN 1.x self-extracting archive
251>>>&7	search/400	**ACE** \b, ACE self-extracting archive
252>>>&0	search/0x480	UC2SFX\ Header \b, UC2 self-extracting archive
253
254>0x1c	string		RJSX \b, ARJ self-extracting archive
255# winarj stores a message in the stub instead of the sig in the MZ header
256>0x20	search/0xe0	aRJsfX \b, ARJ self-extracting archive
257
258# a few unknown ZIP sfxes, no idea if they are needed or if they are
259# already captured by the generic patterns above
260>122		string		Windows\ self-extracting\ ZIP	\b, ZIP self-extracting archive
261>(8.s*16)	search/0x20	PKSFX \b, ZIP self-extracting archive (PKZIP)
262# TODO: how to add this? >FileSize-34 string Windows\ Self-Installing\ Executable \b, ZIP self-extracting archive
263#
264
265# TELVOX Teleinformatica CODEC self-extractor for OS/2:
266>49801	string	\x79\xff\x80\xff\x76\xff	\b, CODEC archive v3.21
267>>49824	leshort		=1			\b, 1 file
268>>49824	leshort		>1			\b, %u files
269
270# .COM formats (Daniel Quinlan, quinlan@yggdrasil.com)
271# Uncommenting only the first two lines will cover about 2/3 of COM files,
272# but it isn't feasible to match all COM files since there must be at least
273# two dozen different one-byte "magics".
274#0	byte		0xe9		DOS executable (COM)
275#>0x1FE	leshort		0xAA55		\b, boot code
276>6	string		SFX\ of\ LHarc	(%s)
2770	belong	0xffffffff		DOS executable (device driver)
278#CMD640X2.SYS
279>10	string	>\x23
280>>10	string	!\x2e
281>>>17	string	<\x5B
282>>>>10	string	x			\b, name: %.8s
283#UDMA.SYS KEYB.SYS CMD640X2.SYS
284>10	string	<\x41
285>>12	string	>\x40
286>>>10	string	!$
287>>>>12	string	x			\b, name: %.8s
288#BTCDROM.SYS ASPICD.SYS
289>22	string	>\x40
290>>22	string	<\x5B
291>>>23	string	<\x5B
292>>>>22	string	x			\b, name: %.8s
293#ATAPICD.SYS
294>76	string	\0
295>>77	string	>\x40
296>>>77	string	<\x5B
297>>>>77	string	x			\b, name: %.8s
298#0	byte		0x8c		DOS executable (COM)
299# 0xeb conflicts with "sequent" magic
300#0	byte		0xeb		DOS executable (COM)
301#>0x1FE	leshort		0xAA55		\b, boot code
302#>85	string		UPX		\b, UPX compressed
303#>4	string		\ $ARX		\b, ARX self-extracting archive
304#>4	string		\ $LHarc	\b, LHarc self-extracting archive
305#>0x20e	string		SFX\ by\ LARC	\b, LARC self-extracting archive
306#0	byte		0xb8		COM executable
307# modified by Joerg Jenderek
308>1	lelong          !0x21cd4cff	for DOS
309# http://syslinux.zytor.com/comboot.php
310# (32-bit COMBOOT) programs *.C32 contain 32-bit code and run in flat-memory 32-bit protected mode
311# start with assembler instructions mov eax,21cd4cffh
312>1	lelong          0x21cd4cff	(32-bit COMBOOT)
3130	string	\x81\xfc
314>4	string	\x77\x02\xcd\x20\xb9
315>>36	string	UPX! 			FREE-DOS executable (COM), UPX compressed
316252	string Must\ have\ DOS\ version	DR-DOS executable (COM)
317# GRR search is not working
318#2	search/28	\xcd\x21	COM executable for MS-DOS
319#WHICHFAT.cOM
3202	string	\xcd\x21		COM executable for DOS
321#DELTREE.cOM DELTREE2.cOM
3224	string	\xcd\x21		COM executable for DOS
323#IFMEMDSK.cOM ASSIGN.cOM COMP.cOM
3245	string	\xcd\x21		COM executable for DOS
325#DELTMP.COm HASFAT32.cOM
3267	string	\xcd\x21
327>0	byte	!0xb8			COM executable for DOS
328#COMP.cOM MORE.COm
32910	string	\xcd\x21
330>5	string	!\xcd\x21		COM executable for DOS
331#comecho.com
33213	string	\xcd\x21		COM executable for DOS
333#HELP.COm EDIT.coM
33418	string	\xcd\x21		COM executable for MS-DOS
335#NWRPLTRM.COm
33623	string	\xcd\x21		COM executable for MS-DOS
337#LOADFIX.cOm LOADFIX.cOm
33830	string	\xcd\x21		COM executable for MS-DOS
339#syslinux.com 3.11
34070	string	\xcd\x21		COM executable for DOS
341# many compressed/converted COMs start with a copy loop instead of a jump
3420x6	search/0xa	\xfc\x57\xf3\xa5\xc3	COM executable for MS-DOS
3430x6	search/0xa	\xfc\x57\xf3\xa4\xc3	COM executable for DOS
344>0x18	search/0x10	\x50\xa4\xff\xd5\x73	\b, aPack compressed
3450x3c	string		W\ Collis\0\0		COM executable for MS-DOS, Compack compressed
346# FIXME: missing diet .com compression
347
348# miscellaneous formats
3490	string		LZ		MS-DOS executable (built-in)
350#0	byte		0xf0		MS-DOS program library data
351#
352
353#
354# Windows Registry files.
355# updated by Joerg Jenderek
3560	string		regf		Windows NT/XP registry file
3570	string		CREG		Windows 95/98/ME registry file
3580	string		SHCC3		Windows 3.1 registry file
359
360
361# AAF files:
362# <stuartc@rd.bbc.co.uk> Stuart Cunningham
3630	string	\320\317\021\340\241\261\032\341AAFB\015\000OM\006\016\053\064\001\001\001\377			AAF legacy file using MS Structured Storage
364>30	byte	9		(512B sectors)
365>30	byte	12		(4kB sectors)
3660	string	\320\317\021\340\241\261\032\341\001\002\001\015\000\002\000\000\006\016\053\064\003\002\001\001			AAF file using MS Structured Storage
367>30	byte	9		(512B sectors)
368>30	byte	12		(4kB sectors)
369
370# Popular applications
3712080	string	Microsoft\ Word\ 6.0\ Document	%s
372!:mime	application/msword
3732080	string	Documento\ Microsoft\ Word\ 6 Spanish Microsoft Word 6 document data
374!:mime	application/msword
375# Pawel Wiecek <coven@i17linuxb.ists.pwr.wroc.pl> (for polish Word)
3762112	string	MSWordDoc			Microsoft Word document data
377!:mime	application/msword
378#
3790	belong	0x31be0000			Microsoft Word Document
380!:mime	application/msword
381#
3820       string  PO^Q`				Microsoft Word 6.0 Document
383!:mime	application/msword
384#
3850	string	\376\067\0\043			Microsoft Office Document
386!:mime	application/msword
3870	string	\333\245-\0\0\0			Microsoft Office Document
388!:mime	application/msword
389512	string		\354\245\301		Microsoft Word Document
390!:mime	application/msword
391#
3922080	string	Microsoft\ Excel\ 5.0\ Worksheet	%s
393!:mime	application/vnd.ms-excel
394
3952080	string	Foglio\ di\ lavoro\ Microsoft\ Exce	%s
396!:mime	application/vnd.ms-excel
397#
398# Pawel Wiecek <coven@i17linuxb.ists.pwr.wroc.pl> (for polish Excel)
3992114	string	Biff5		Microsoft Excel 5.0 Worksheet
400!:mime	application/vnd.ms-excel
401# Italian MS-Excel
4022121	string	Biff5		Microsoft Excel 5.0 Worksheet
403!:mime	application/vnd.ms-excel
4040	string	\x09\x04\x06\x00\x00\x00\x10\x00	Microsoft Excel Worksheet
405!:mime	application/vnd.ms-excel
406#
4070	belong	0x00001a00	Lotus 1-2-3
408!:mime	application/x-123
409>4	belong	0x00100400	wk3 document data
410>4	belong	0x02100400	wk4 document data
411>4	belong	0x07800100	fm3 or fmb document data
412>4	belong	0x07800000	fm3 or fmb document data
413#
4140	belong	0x00000200 	Lotus 1-2-3
415!:mime	application/x-123
416>4	belong	0x06040600	wk1 document data
417>4	belong	0x06800200	fmt document data
4180	string		WordPro\0	Lotus WordPro
419!:mime	application/vnd.lotus-wordpro
4200	string		WordPro\r\373	Lotus WordPro
421!:mime	application/vnd.lotus-wordpro
422
423
424# Help files
4250	string	?_\3\0		MS Windows Help Data
426
427#  DeIsL1.isu what this is I don't know
4280	string	\161\250\000\000\001\002	DeIsL1.isu whatever that is
429
430# Winamp .avs
431#0	string	Nullsoft\ AVS\ Preset\ \060\056\061\032	A plug in for Winamp ms-windows Freeware media player
4320	string	Nullsoft\ AVS\ Preset\ 	Winamp plug in
433
434# Hyper terminal:
4350	string	HyperTerminal\ 	hyperterm
436>15	string	1.0\ --\ HyperTerminal\ data\ file	MS-windows Hyperterminal
437
438# Windows Metafont .WMF
4390       string  \327\315\306\232        ms-windows metafont .wmf
4400       string  \002\000\011\000        ms-windows metafont .wmf
4410       string  \001\000\011\000        ms-windows metafont .wmf
442
443#tz3 files whatever that is (MS Works files)
4440	string	\003\001\001\004\070\001\000\000	tz3 ms-works file
4450	string	\003\002\001\004\070\001\000\000	tz3 ms-works file
4460	string	\003\003\001\004\070\001\000\000	tz3 ms-works file
447
448# PGP sig files .sig
449#0 string \211\000\077\003\005\000\063\237\127 065 to  \027\266\151\064\005\045\101\233\021\002 PGP sig
4500 string \211\000\077\003\005\000\063\237\127\065\027\266\151\064\005\045\101\233\021\002 PGP sig
4510 string \211\000\077\003\005\000\063\237\127\066\027\266\151\064\005\045\101\233\021\002 PGP sig
4520 string \211\000\077\003\005\000\063\237\127\067\027\266\151\064\005\045\101\233\021\002 PGP sig
4530 string \211\000\077\003\005\000\063\237\127\070\027\266\151\064\005\045\101\233\021\002 PGP sig
4540 string \211\000\077\003\005\000\063\237\127\071\027\266\151\064\005\045\101\233\021\002 PGP sig
4550 string \211\000\225\003\005\000\062\122\207\304\100\345\042 PGP sig
456
457# windows zips files .dmf
4580	string	MDIF\032\000\010\000\000\000\372\046\100\175\001\000\001\036\001\000 MS Windows special zipped file
459
460
461# Windows help file FTG FTS
4620	string	\164\146\115\122\012\000\000\000\001\000\000\000	MS Windows help cache
463
464# grp old windows 3.1 group files
4650 string  \120\115\103\103	MS Windows 3.1 group files
466
467
468# lnk files windows symlinks
4690	string	\114\000\000\000\001\024\002\000\000\000\000\000\300\000\000\000\000\000\000\106	MS Windows shortcut
470
471#ico files
4720	string	\102\101\050\000\000\000\056\000\000\000\000\000\000\000	Icon for MS Windows
473
474# Windows icons (Ian Springer <ips@fpk.hp.com>)
4750	string	\000\000\001\000	MS Windows icon resource
476!:mime	image/x-ico
477>4	byte	1			- 1 icon
478>4	byte	>1			- %d icons
479>>6	byte	>0			\b, %dx
480>>>7	byte	>0			\b%d
481>>8	byte	0			\b, 256-colors
482>>8	byte	>0			\b, %d-colors
483
484
485# .chr files
4860	string	PK\010\010BGI	Borland font
487>4	string	>\0	%s
488# then there is a copyright notice
489
490
491# .bgi files
4920	string	pk\010\010BGI	Borland device
493>4	string	>\0	%s
494# then there is a copyright notice
495
496
497# recycled/info the windows trash bin index
4989	string	\000\000\000\030\001\000\000\000 MS Windows recycled bin info
499
500
501##### put in Either Magic/font or Magic/news
502# Acroread or something  files wrongly identified as G3  .pfm
503# these have the form \000 \001 any? \002 \000 \000
504# or \000 \001 any? \022 \000 \000
505#0	string  \000\001 pfm?
506#>3	string  \022\000\000Copyright\  yes
507#>3	string  \002\000\000Copyright\  yes
508#>3	string  >\0     oops, not a font file. Cancel that.
509#it clashes with ttf files so put it lower down.
510
511# From Doug Lee via a FreeBSD pr
5129	string		GERBILDOC	First Choice document
5139	string		GERBILDB	First Choice database
5149	string		GERBILCLIP	First Choice database
5150	string		GERBIL		First Choice device file
5169	string		RABBITGRAPH	RabbitGraph file
5170	string		DCU1		Borland Delphi .DCU file
5180	string		=!<spell>	MKS Spell hash list (old format)
5190	string		=!<spell2>	MKS Spell hash list
520# Too simple - MPi
521#0	string		AH		Halo(TM) bitmapped font file
5220	lelong		0x08086b70	TurboC BGI file
5230	lelong		0x08084b50	TurboC Font file
524
525# WARNING: below line conflicts with Infocom game data Z-machine 3
5260	byte		0x03		DBase 3 data file
527>0x04	lelong		0		(no records)
528>0x04	lelong		>0		(%ld records)
5290	byte		0x83		DBase 3 data file with memo(s)
530>0x04	lelong		0		(no records)
531>0x04	lelong		>0		(%ld records)
5320	leshort		0x0006		DBase 3 index file
5330	string		PMCC		Windows 3.x .GRP file
5341	string		RDC-meg		MegaDots
535>8	byte		>0x2F		version %c
536>9	byte		>0x2F		\b.%c file
5370	lelong		0x4C
538>4	lelong		0x00021401	Windows shortcut file
539
540# DOS EPS Binary File Header
541# From: Ed Sznyter <ews@Black.Market.NET>
5420	belong		0xC5D0D3C6	DOS EPS Binary File
543>4	long		>0		Postscript starts at byte %d
544>>8	long		>0		length %d
545>>>12	long		>0		Metafile starts at byte %d
546>>>>16	long		>0		length %d
547>>>20	long		>0		TIFF starts at byte %d
548>>>>24	long		>0		length %d
549
550# TNEF magic From "Joomy" <joomy@se-ed.net>
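551# Microsoft Outlook's Transport Neutral Encapsulation Format (TNEF)
# NOTE(review): the test below is typed leshort (a two-byte read) but its
# constant 0x223e9f78 is four bytes wide, so the full signature is presumably
# not what gets compared; lelong looks like the intended type -- confirm
# before relying on this match to classify mail attachments.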
5520	leshort		0x223e9f78	TNEF
553!:mime	application/vnd.ms-tnef
554
555# HtmlHelp files (.chm)
5560	string  ITSF\003\000\000\000\x60\000\000\000\001\000\000\000	MS Windows HtmlHelp Data
557
558# GFA-BASIC (Wolfram Kleff)
5592	string		GFA-BASIC3	GFA-BASIC 3 data
560
561#------------------------------------------------------------------------------
562# From Stuart Caie <kyzer@4u.net> (developer of cabextract)
563# Microsoft Cabinet files
5640	string		MSCF\0\0\0\0	Microsoft Cabinet archive data
565>8	lelong		x		\b, %u bytes
566>28	leshort		1		\b, 1 file
567>28	leshort		>1		\b, %u files
568
569# InstallShield Cabinet files
5700	string		ISc(		InstallShield Cabinet archive data
571>5	byte&0xf0	=0x60 		version 6,
572>5	byte&0xf0	!0x60 		version 4/5,
573>(12.l+40)	lelong	x		%u files
574
575# Windows CE package files
5760	string		MSCE\0\0\0\0	Microsoft WinCE install header
577>20	lelong		0		\b, architecture-independent
578>20	lelong		103		\b, Hitachi SH3
579>20	lelong		104		\b, Hitachi SH4
580>20	lelong		0xA11		\b, StrongARM
581>20	lelong		4000		\b, MIPS R4000
582>20	lelong		10003		\b, Hitachi SH3
583>20	lelong		10004		\b, Hitachi SH3E
584>20	lelong		10005		\b, Hitachi SH4
585>20	lelong		70001		\b, ARM 7TDMI
586>52	leshort		1 		\b, 1 file
587>52	leshort		>1 		\b, %u files
588>56	leshort		1 		\b, 1 registry entry
589>56	leshort		>1 		\b, %u registry entries
590
591# Outlook Personal Folders
5920	lelong	0x4E444221	Microsoft Outlook binary email folder
593>10	leshort 0x0e		(Outlook <=2002)
594>10	leshort 0x17		(Outlook >=2003)
595
596
597# From: Dirk Jagdmann <doj@cubic.org>
5980	lelong	0x00035f3f	Windows 3.x help file
599
600# Christophe Monniez
6010	string	Client\ UrlCache\ MMF 	Microsoft Internet Explorer Cache File
602>20	string	>\0			Version %s
6030	string	\xCF\xAD\x12\xFE	Microsoft Outlook Express DBX File
604>4	byte	=0xC5			Message database
605>4	byte	=0xC6			Folder database
606>4	byte	=0xC7			Accounts informations
607>4	byte	=0x30			Offline database
608
609
610# Windows Enhanced Metafile (EMF)
611# See msdn.microsoft.com/archive/en-us/dnargdi/html/msdn_enhmeta.asp
612# for further information. Note that "0 lelong 1" should be true i.e.
613# the first double word in the file should be 1. With the extended
614# syntax available by some file commands you could write:
615# 0 lelong 1
616# &40 ulelong 0x464D4520 Windows Enhanced Metafile (EMF) image data
617#40	ulelong 0x464D4520	Windows Enhanced Metafile (EMF) image data
618#>44	ulelong x		version 0x%x.
619# If the description has a length greater than zero, it exists and is
620# found at offset (*64).
621#>64	ulelong >0		Description available at offset 0x%x
622#>>60	ulelong	>0		(length 0x%x)
623# Note it would be better to print out the description, which is found
624# as below. Unfortunately the following only prints out the first couple
625# of characters instead of all the "description length"
626# number of characters -- indicated by the ulelong at offset 60.
627#>>(64.l)  lestring16 >0 Description: %15.15s
628
629# From: Alex Beregszaszi <alex@fsn.hu>
6300	string	COWD		VMWare3
631>4	byte	3	 	disk image
632>>32	lelong	x		(%d/
633>>36	lelong	x		\b%d/
634>>40	lelong	x		\b%d)
635>4	byte	2	 	undoable disk image
636>>32	string  >\0		(%s)
637
6380	string	VMDK		 VMware4 disk image
6390	string	KDMV		 VMware4 disk image
640
641#--------------------------------------------------------------------
642# Qemu Emulator Images
643# Lines written by Friedrich Schwittay (f.schwittay@yousable.de)
644# Updated by Adam Buchbinder (adam.buchbinder@gmail.com)
645# Made by reading sources, reading documentation, and doing trial and error
646# on existing QCOW files
6470	string/b	QFI\xFB	QEMU QCOW Image
648
649# Uncomment the following line to display Magic (only used for debugging
650# this magic number)
651#>0	string/b	x	, Magic: %s
652
653# There are currently 2 Versions: "1" and "2".
654# http://www.gnome.org/~markmc/qcow-image-format-version-1.html
655>4	belong	1	(v1)
656
657# Using the existence of the Backing File Offset to determine whether
658# to read Backing File Information
659>>12	belong	 >0	 \b, has backing file (
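660# Note that this isn't a null-terminated string; the length is actually
661# (16.L). Assuming a null-terminated string happens to work usually, but it
662# may spew junk until it reaches a \0 in some cases. Both the offset and the
# bytes printed are read from the image itself, so treat the reported path
# as untrusted input wherever this output is logged or parsed.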
663>>>(12.L)	 string >\0	\bpath %s
664
665# Modification time of the Backing File
666# Really useful if you want to know if your backing
667# file is still usable together with this image
668>>>>20	bedate >0	\b, mtime %s)
669>>>>20	default x	\b)
670
671# Size is stored in bytes in a big-endian u64.
672>>24	bequad	x	 \b, %lld bytes
673
674# 1 for AES encryption, 0 for none.
675>>36	belong	1	\b, AES-encrypted
676
677# http://www.gnome.org/~markmc/qcow-image-format.html
678>4	belong	2	(v2)
679# Using the existence of the Backing File Offset to determine whether
680# to read Backing File Information
681>>8	bequad  >0	 \b, has backing file
682# Note that this isn't a null-terminated string; the length is actually
683# (16.L). Assuming a null-terminated string happens to work usually, but it
684# may spew junk until it reaches a \0 in some cases. Also, since there's no
685# .Q modifier, we just use the bottom four bytes as an offset. Note that if
686# the file is over 4G, and the backing file path is stored after the first 4G,
687# the wrong filename will be printed. (This should be (8.Q), when that syntax
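688# is introduced.) The offset and the bytes printed both come from the image
# itself, so treat the reported path as untrusted input.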
689>>>(12.L)	 string >\0	(path %s)
690>>24	bequad	x	\b, %lld bytes
691>>32	belong	1	\b, AES-encrypted
692
693>4	belong	3	(v3)
694# Using the existence of the Backing File Offset to determine whether
695# to read Backing File Information
696>>8	bequad  >0	 \b, has backing file
697# Note that this isn't a null-terminated string; the length is actually
698# (16.L). Assuming a null-terminated string happens to work usually, but it
699# may spew junk until it reaches a \0 in some cases. Also, since there's no
700# .Q modifier, we just use the bottom four bytes as an offset. Note that if
701# the file is over 4G, and the backing file path is stored after the first 4G,
702# the wrong filename will be printed. (This should be (8.Q), when that syntax
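703# is introduced.) The offset and the bytes printed both come from the image
# itself, so treat the reported path as untrusted input.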
704>>>(12.L)	 string >\0	(path %s)
705>>24	bequad	x	\b, %lld bytes
706>>32	belong	1	\b, AES-encrypted
707
708>4	default x	(unknown version)
709
7100	string/b	QEVM		QEMU suspend to disk image
711
712# QEMU QED Image
713# http://wiki.qemu.org/Features/QED/Specification
7140	string/b	QED\0		QEMU QED Image
715
7160	string	Bochs\ Virtual\ HD\ Image	Bochs disk image,
717>32	string	x				type %s,
718>48	string	x				subtype %s
719
7200	lelong	0x02468ace			Bochs Sparse disk image
721
722# from http://filext.com by Derek M Jones <derek@knosof.co.uk>
723# False positive with PPT (also currently this string is too long)
724#0	string	\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x3E\x00\x03\x00\xFE\xFF\x09\x00\x06	Microsoft Installer
7250	string	\320\317\021\340\241\261\032\341	Microsoft Office Document
726#>48	byte	0x1B	                                Excel Document
727#!:mime	application/vnd.ms-excel
728>546	string	bjbj			Microsoft Word Document
729!:mime	application/msword
730>546	string	jbjb			Microsoft Word Document
731!:mime	application/msword
732
7330       string	\224\246\056		Microsoft Word Document
734!:mime	application/msword
735
736512	string	R\0o\0o\0t\0\ \0E\0n\0t\0r\0y	Microsoft Word Document
737!:mime	application/msword
738
739# From: "Nelson A. de Oliveira" <naoliv@gmail.com>
740# Magic type for Dell's BIOS .hdr files
741# Dell's .hdr
7420	string $RBU
743>23	string Dell			%s system BIOS
744>48	string x			version %.3s
745
746# Type: Microsoft DirectDraw Surface
747# URL:  http://msdn.microsoft.com/library/default.asp?url=/library/en-us/directx9_c/directx/graphics/reference/DDSFileReference/ddsfileformat.asp
748# From: Morten Hustveit <morten@debian.org>
7490	string	DDS\040\174\000\000\000	Microsoft DirectDraw Surface (DDS),
750>16	lelong	>0			%hd x
751>12	lelong	>0			%hd,
752>84	string	x			%.4s
753
754# Type: Microsoft Document Imaging Format (.mdi)
755# URL:  http://en.wikipedia.org/wiki/Microsoft_Document_Imaging_Format
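756# From: Daniele Sempione <scrows@oziosi.org>
# NOTE(review): the test below uses short, which is compared in host byte
# order, so the on-disk bytes that match differ between little- and
# big-endian machines; a two-byte test at offset 0 is also a weak signature
# -- confirm the intended byte order.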
7570	short	0x5045			Microsoft Document Imaging Format
758
759# MS eBook format (.lit)
7600	string  ITOLITLS		Microsoft Reader eBook Data
761>8	lelong	x			\b, version %u
762!:mime					application/x-ms-reader
763