Lines Matching +full:com +full:- +full:offset
2 #------------------------------------------------------------------------------
4 # msdos: file(1) magic for MS-DOS files
7 # .BAT files (Daniel Quinlan, quinlan@yggdrasil.com)
11 !:mime text/x-msdos-batch
14 !:mime text/x-msdos-batch
17 !:mime text/x-msdos-batch
20 !:mime text/x-msdos-batch
40 # FMX64:FileMaker Pro 64-bit plug-in https://en.wikipedia.org/wiki/FileMaker
41 # FMX: FileMaker Pro 32-bit plug-in https://en.wikipedia.org/wiki/FileMaker
47 # MLL: Maya plug-in (generic) http://en.wikipedia.org/wiki/Autodesk_Maya
49 # 8*: PhotoShop plug-in (generic) http://www.adobe.com/products/photoshop/main.html
50 # PLG: Aston Shell plugin http://www.astonshell.com/
52 # SKL: WinLIFT skin http://www.zapsolution.com/winlift/index.htm
53 # TBK: Asymetrix ToolBook application http://www.toolbook.com
54 # TBP: The Bat! plugin http://www.ritlabs.com
55 # UPC: Ultimate Paint Graphics Editor plugin http://ultimatepaint.j-t-l.com
56 # XFM: Syntrillium Cool Edit Transform Effect bad http://www.cooledit.com
57 # XPL: X-Plane plugin http://www.xsquawkbox.net/xpsdk/
58 # ZAP: ZoneLabs Zone Alarm data http://www.zonelabs.com
79 # https://web.archive.org/web/20171116024937/http://www.ctyme.com/intr/rb-2939.htm#table1593
80 # https://github.com/uxmal/reko/blob/master/src/ImageLoaders/MzExe/ExeImageLoader.cs
87 # Most non-DOS MZ-executable extensions have the relocation table more than 0x40 bytes into the fil…
97 >>(0x3c.l) string !PE\0\0 MS-DOS executable
101 # ICL: Icons Library 16-bit http://fileformats.archiveteam.org/wiki/Icon_library
102 >>(0x3c.l-0x02) string IMNE \b, NE
113 >>>>(0x3c.l) use lx-executable
116 >>>>(0x3c.l) use \^lx-executable
117 # no examples found for PDP-11 endian variant
119 # PDP-11-endian is not supported by magic "use" keyword yet
126 # Reference: https://docs.microsoft.com/de-de/windows/win32/debug/pe-format
128 !:mime application/vnd.microsoft.portable-executable
129 # https://docs.microsoft.com/de-de/windows/win32/debug/pe-format#characteristics
134 # 0x2000~IMAGE_FILE_DLL The image file is a dynamic-link library (DLL)
136 # https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#windows-subsystem
167 # `pelook.exe -d WINWORD.HXS & pelook.exe -h WINWORD.HXS`
168 # `objdump -p -s WINWORD.HXS`
171 # Second section for these binaries starts at fixed offset 288 (size of PE signature + size of COFF…
175 >>>>>>(&4.l+(-4)) string ITOLITLS \b, Microsoft compiled help format 2.0
191 # - NT kernel DLLs: hal.dll, kdcom.dll, pshed.dll, bootvid.dll, ...
192 # - NT kernel images: ntoskrnl.exe, ntkrnlmp.exe, ntkrnlpa.exe, ntkrpamp.exe
193 # - NT kernel drivers: Windows/System32/drivers/*.sys
194 # - NT native userspace DLLs: ntdll.dll, ...
195 # - NT native userspace executables: smss.exe, csrss.exe, autochk.exe, ...
237 !:ext exe/com
243 # Not used in image files, constant used only in in-memory structures of OS/2 subsystem as part of …
264 # https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/tr-97-18.doc
293 # 12~IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER An EFI driver with run-time services
305 #!:ext foo-xbox
326 >>(0x3c.l+4) use display-coff-processor
331 # Check for presence of COM Runtime descriptor
343 # "(8.s*16) string 32STUB for MS-DOS, 32rtm DOS extender"
354 >>>(8.s*16) search/0x50 32rtm-stub\ for\ PE\ files \b, Borland 32rtm DOS extender (stub)
374 >>>(&0x10.l+(-4)) string PK\3\4 \b, ZIP self-extracting archive (Info-Zip)
376 >>>(&0xe.l+(-4)) string PK\3\4 \b, ZIP self-extracting archive (Info-Zip)
377 >>>(&0xe.l+(-4)) string ZZ0 \b, ZZip self-extracting archive
378 >>>(&0xe.l+(-4)) string ZZ1 \b, ZZip self-extracting archive
380 >>>(&0x0f.l+(-4)) string a\\\4\5 \b, WinHKI self-extracting archive
381 >>>(&0x0f.l+(-4)) string Rar! \b, RAR self-extracting archive
382 >>>(&0x0f.l+(-4)) search/0x3000 MSCF \b, InstallShield self-extracting archive
383 >>>(&0x0f.l+(-4)) search/32 Nullsoft \b, Nullsoft Installer self-extracting archive
385 >>>(&0x0f.l) string WEXTRACT \b, MS CAB-Installer self-extracting archive
388 >>>>(&0x104.l+(-4)) string =!sfx! \b, ACE self-extracting archive
389 >>(0x3c.l+0xf8) search/0x140 .WISE \b, WISE installer self-extracting archive
390 >>(0x3c.l+0xf8) search/0x140 .dz\0\0\0 \b, Dzip self-extracting archive
391 >>&(0x3c.l+0xf8) search/0x100 _winzip_ \b, ZIP self-extracting archive (WinZip)
392 >>&(0x3c.l+0xf8) search/0x100 SharedD \b, Microsoft Installer self-extracting archive
393 >>0x30 string Inno \b, InnoSetup self-extracting archive
406 >>(0x3c.l) string !PE\0\0 MS-DOS executable
407 #!:mime application/x-dosexec
410 #!:mime application/x-dosexec
411 !:mime application/x-ms-ne-executable
428 # >>>(0x3c.l+0x0c) ubyte &0x04 \b, Per-Process Library Initialization OR real mode only
435 # https://www.fileformat.info/format/exe/corion-ne.htm
437 # Application type (bits 0-2); 1~Full screen (not aware of Windows/P.M. API)
444 #>>>(0x3c.l+0x0D) ubyte &0x40 \b, Non-conforming OS/2 app OR private Win library above EMS line
458 # EntryPoint; segment offset value of CS:IP like: 0 10000h 18A84h 11C1Ah 307F1h
460 # InitStack; specifies the segment offset value of stack pointer SS:SP
467 # NoResNamesTabSiz; size in bytes of non-resident names table
470 # SegTableOffset; offset of Segment table like: 40h
472 # ResTableOffset; offset of resources table like: 40h 50h 58h F0h
475 # ResidNamTable; offset of resident names table
478 # ImportNameTable; offset of imported names table (array of counted strings, terminated with string…
481 # OffStartNonResTab; offset from start of file to non-resident names table
492 # targOS; Target OS; 0~unspecified (OS/2 or Windows); detect it based on Windows-only flags and OS/…
509 >>>>>>>&(&0.s-0x29) search/512/C \x08DOSCALLS for OS/2 1.x
513 >>>>>>>>&(&0.s-0x29) regex/512/C KERNEL|USER|GDI for MS Windows 1.x/2.x
533 # Windows P-code application
534 # https://web.archive.org/web/20000304044656/http://msdn.microsoft.com/library/backgrnd/html/msdn_c…
535 # https://library.thedatadungeon.com/msdn-1992-09/msjv7/html/msjv0g6a.content.htm
536 # https://en.wikipedia.org/wiki/P-code_machine#Microsoft_P-code
538 # MPC.EXE (Make P-Code utility) sets bit2 in MZ e_res[2] (e_flags) field
539 # Filter out false-positive Windows 3.x applications with OS/2 WLO loader
543 >>>>>>>0x20 ubyte&0x04 !0 \b, P-code application
544 # 32-bit Watcom Win386 extender in 16-bit Windows 3.x NE binaries
545 # https://www.os2museum.com/wp/watcom-win386/
546 # https://github.com/open-watcom/open-watcom-v2/blob/master/bld/win386/
547 # https://misc.daniel-marschall.de/spiele/blown_away/disassemble.php
552 # OS 3 was reserved for Multitasking MS-DOS but it never used NE version 5+ (only NE version 4)
553 #>>>>(0x3c.l+0x36) byte 3 for Multitasking MS-DOS
556 # OS 5 is assigned to BOSS (Borland Operating System Services) but is used also by other 16-bit DOS…
557 >>>>(0x3c.l+0x36) byte 5 for MS-DOS
560 >>>>>(8.s*16) ulequad&0xffff0000ff =0x494d0000e9 \b, HX DOS extender 16-bit (embedded with DPMI ho…
563 >>>>>>(8.s*16) search/0x200 cannot\ find\ loader\ DPMILD16.EXE \b, HX DOS extender 16-bit (stub)
565 >>>>>>(8.s*16) search/0x4000 DPMILD16: \b, HX DOS extender 16-bit (embedded without DPMI host)
572 # OS 6 is not assigned but is used by 32-bit DOS application with extender (found only with HX DOS …
573 # http://downloads.sourceforge.net/dfendreloaded/D-Fend-Reloaded-1.4.4.zip
574 # D-Fend Reloaded/VirtualHD/FREEDOS/DPMILD32.EXE
576 >>>>(0x3c.l+0x36) byte 6 for MS-DOS
579 >>>>>(8.s*16) ulequad&0xffff0000ff =0x494d0000e9 \b, HX DOS extender 32-bit (embedded with DPMI ho…
582 >>>>>>(8.s*16) search/0x200 cannot\ find\ loader\ DPMILD32.EXE \b, HX DOS extender 32-bit (stub)
584 >>>>>>(8.s*16) search/0x4000 DPMILD32: \b, HX DOS extender 32-bit (embedded without DPMI host)
588 >>>>(0x3c.l+0x36) byte 0x81 for MS-DOS, Phar Lap 286 DOS extender, emulating OS/2 1.x
591 >>>>(0x3c.l+0x36) byte 0x82 for MS-DOS, Phar Lap 286 DOS extender, emulating MS Windows
601 # gangstart; offset to start of gangload area like: 0 34h 58h 246h
612 # These versions are used only by WINE, Windows 1.x/2.x and Multitasking MS-DOS
613 # WINE binaries have special signature after the dos header (at fixed offset 0x40)
614 # Multitasking MS-DOS binaries imports DOSCALLS library, so use it for distinguishing
616 # 16-bit indirect offset 0x2a relative to the beginning of NE header, and consist
623 >>>>>&(&0.s-0x29) search/512/C \x08DOSCALLS for Multitasking MS-DOS
626 # - os type if is 0 or 2
627 # - bits proportional fonts and protected mode
646 …osoft Word text conversion https://www.file-extensions.org/cnv-file-extension-microsoft-word-text-…
648 # Check segment count, if 0 then this is resource-only DLL
651 >>>>>>(&-4.l+1) string/C FONTRES (DLL, font)
653 >>>>>>(&-4.l+1) default x (DLL, resource-only)
655 >>>>>(0x3c.l+0x2c) lelong 0 (DLL, resource-only)
660 >>>>>>(&-4.l+1) string/C DDRV (DLL, driver)
662 >>>>>>(&-4.l+1) default x (DLL)
671 >>>&(&0x24.s-1) string ARJSFX \b, ARJ self-extracting archive
672 >>>(0x3c.l+0x70) search/0x80 WinZip(R)\ Self-Extractor \b, ZIP self-extracting archive (WinZip)
675 !:mime application/x-dosexec
677 >>>>(0x3c.l) use lx-executable
680 >>>>(0x3c.l) use \^lx-executable
681 # no examples found for PDP-11 endian variant
683 # PDP-11-endian is not supported by magic "use" keyword yet
689 >>>&(&0x54.l-3) string arjsfx \b, ARJ self-extracting archive
694 #!:mime application/x-dosexec
695 !:mime application/x-ms-w3-executable
706 #!:mime application/x-dosexec
707 !:mime application/x-ms-w4-executable
715 !:mime application/x-dosexec
718 >>>>0x240 search/0x100 DOS/4G for MS-DOS, DOS/4G DOS extender
719 >>>>0x240 search/0x200 WATCOM\ C/C++ for MS-DOS, DOS/4GW DOS extender
720 >>>>0x440 search/0x100 CauseWay\ DOS\ Extender for MS-DOS, CauseWay DOS extender
721 >>>>0x40 search/0x40 PMODE/W for MS-DOS, PMODE/W DOS extender
722 >>>>0x40 search/0x40 STUB/32A for MS-DOS, DOS/32A DOS extender (stub)
723 >>>>0x40 search/0x80 STUB/32C for MS-DOS, DOS/32A DOS extender (configurable stub)
724 >>>>0x40 search/0x80 DOS/32A for MS-DOS, DOS/32A DOS extender (embedded)
726 >>>>(8.s*16) string o2LEstub for MS-DOS, D3X DOS extender
729 >>>>>(0x3c.l+0x10) lelong&0x38000 =0x18000 for MS-DOS (DLL)
732 # https://www.os2museum.com/wp/os2-history/os2-16-bit-server/
734 # with no external fixups (&0x20=0x20) is .386 32-bit driver module for OS/2 1.x
744 # fails with DOS-Extenders.
745 # OS 2 was reserved for MS Windows 16-bit but it never used LE (NE format was used instead)
746 #>>>(0x3c.l+0x0a) leshort 2 for MS Windows 16-bit
747 # OS 3 was reserved for Multitasking MS-DOS but it never used LE (NE format was used instead)
748 #>>>(0x3c.l+0x0a) leshort 3 for Multitasking MS-DOS
767 >>>&(&0x54.l-3) string UNACE \b, ACE self-extracting archive
770 >>(0x3c.l) string LC\0\0 \b, LC for MS-DOS
775 # PX\0\0 signature for 32bit DOS Applications in DOS-PE Format (https://www.japheth.de/HX.html)
780 >>0 default x executable for MS-DOS
794 # If magic in the branch is not parsed then always jumps to mz-unrecognized
799 >>(0x3c.l-0x02) string !IMNE
801 >>>>0 use mz-unrecognized
804 >>>0 use mz-unrecognized
807 >>>0 use mz-unrecognized
810 >>>0 use mz-unrecognized
813 >>>0 use mz-unrecognized
819 >>>>&(2.s-514) leshort x
820 >>>>>&-2 use mz-next-overlay
821 >>>>>&-2 string BW
822 >>>>>>0 use mz-bw-collection
823 >>>>>&-2 string 3P
824 >>>>>>0 use mz-3p
826 >>>>>0 use mz-unrecognized
828 >>>>0 use mz-unrecognized
831 >>>>&-2 use mz-next-overlay
832 >>>>&-2 string BW
833 >>>>>0 use mz-bw-collection
834 >>>>&-2 string 3P
835 >>>>>0 use mz-3p
837 >>>>0 use mz-unrecognized
839 # Parse content of the COFF, executable type was already printed in mz-next-overlay
841 #!:mime application/x-dosexec
844 >>(&-6.l) string/b StubInfoMagic!!\0 for MS-DOS
846 >>(8.s*16) string go32stub for MS-DOS
849 >>&(&0x42.l-3) byte x
856 # Parse content of the a.out, executable type was already printed in mz-next-overlay
859 >>(&-6.l) string/b StubInfoMagic!!\0 for MS-DOS
862 # Note that for "redirect" binaries is offset (4.s*512) behind end-of-file, so access it via "defau…
865 >>(&-4.l) string/b StubInfoMagic!!\0
873 >>>>>&-1 string/16 x \b, autoload "%s"
877 >>>>>&-1 string/15 x \b, redirect to "%s"
898 >>>>>>>>>>&-1 string/16 x \b, autoload "%s"
903 >>>>>>>>&-7 regex/T =^CWSDPMI(\ [^\ ]+\ )? (embedded %s)
906 >>>>>>>>&-3 regex/T =^D3X(\ [^\ ]+\ )? (embedded %s)
909 >>>>&-1 string/8 x \b, redirect to "%s"
914 # may be a self-uncompressing archive, so look for evidence of that and
920 >0xe7 string LH/2\ Self-Extract \b, %s
923 >0x1c string RJSX \b, ARJ self-extracting archive
928 >0x1e string Copyright\ 1989-1990\ PKWARE\ Inc. \b, Self-extracting PKZIP archive
931 >0x1e string PKLITE\ Copr. \b, Self-extracting PKZIP archive
934 >0x20 search/0xe0 aRJsfX \b, ARJ self-extracting archive
939 >0x24 string LHa's\ SFX \b, LHa self-extracting archive
940 !:mime application/x-lha
941 >0x24 string LHA's\ SFX \b, LHa self-extracting archive
942 !:mime application/x-lha
943 >0x24 string \ $ARX \b, ARX self-extracting archive
944 >0x24 string \ $LHarc \b, LHarc self-extracting archive
945 >0x20 string SFX\ by\ LARC \b, LARC self-extracting archive
946 >0x40 string aPKG \b, aPackage self-extracting archive
948 >0x7a string Windows\ self-extracting\ ZIP \b, ZIP self-extracting archive
950 >>>(&0.l+(4)) string MSCF \b, WinHKI CAB self-extracting archive
951 >1638 string -lh5- \b, LHa self-extracting archive v2.13S
952 >0x17888 string Rar! \b, RAR self-extracting archive
958 >>&(2.s-517) byte x
959 >>>&0 string PK\3\4 \b, ZIP self-extracting archive
960 >>>&0 string Rar! \b, RAR self-extracting archive
961 >>>&0 string =!\x11 \b, AIN 2.x self-extracting archive
962 >>>&0 string =!\x12 \b, AIN 2.x self-extracting archive
963 >>>&0 string =!\x17 \b, AIN 1.x self-extracting archive
964 >>>&0 string =!\x18 \b, AIN 1.x self-extracting archive
965 >>>&7 search/400 **ACE** \b, ACE self-extracting archive
966 >>>&0 search/0x480 UC2SFX\ Header \b, UC2 self-extracting archive
970 >(8.s*16) search/0x20 PKSFX \b, ZIP self-extracting archive (PKZIP)
971 # TODO: how to add this? >FileSize-34 string Windows\ Self-Installing\ Executable \b, ZIP self-extr…
974 # TELVOX Teleinformatica CODEC self-extractor for OS/2:
980 # This named instance is called for multi overlay MZ executable with offset of the next overlay
981 0 name mz-next-overlay
982 >0 string P2 \b, EXP (P2) for MS-DOS, Phar Lap 286 DOS extender
983 >0 string P3 \b, EXP (P3) for MS-DOS, Phar Lap 386 DOS extender
984 >0 string MT \b, MT for MS-DOS, IGC XMLOD i386 DOS extender
985 >0 string 3P \b, 3P for MS-DOS
987 >>32 lelong&0x00000001 !0 \b, 16-bit
989 # CWC.EXE from cw349bin.zip is 32-bit
990 >>>32 lelong&0x00010000 0 \b, 32-bit
994 >0 string D3X1 \b, D3X1 for MS-DOS, D3X DOS extender
996 >0 string BW \b, BW collection for MS-DOS
1002 # now make offset aligned to 0x10
1003 >>0 offset%0x10 0x0
1005 >>>0x0 use mz-next-overlay-aligned
1006 >>0 offset%0x10 0x1
1007 >>>0xf use mz-next-overlay-aligned
1008 >>0 offset%0x10 0x2
1009 >>>0xe use mz-next-overlay-aligned
1010 >>0 offset%0x10 0x3
1011 >>>0xd use mz-next-overlay-aligned
1012 >>0 offset%0x10 0x4
1013 >>>0xc use mz-next-overlay-aligned
1014 >>0 offset%0x10 0x5
1015 >>>0xb use mz-next-overlay-aligned
1016 >>0 offset%0x10 0x6
1017 >>>0xa use mz-next-overlay-aligned
1018 >>0 offset%0x10 0x7
1019 >>>0x9 use mz-next-overlay-aligned
1020 >>0 offset%0x10 0x8
1021 >>>0x8 use mz-next-overlay-aligned
1022 >>0 offset%0x10 0x9
1023 >>>0x7 use mz-next-overlay-aligned
1024 >>0 offset%0x10 0xa
1025 >>>0x6 use mz-next-overlay-aligned
1026 >>0 offset%0x10 0xb
1027 >>>0x5 use mz-next-overlay-aligned
1028 >>0 offset%0x10 0xc
1029 >>>0x4 use mz-next-overlay-aligned
1030 >>0 offset%0x10 0xd
1031 >>>0x3 use mz-next-overlay-aligned
1032 >>0 offset%0x10 0xe
1033 >>>0x2 use mz-next-overlay-aligned
1034 >>0 offset%0x10 0xf
1035 >>>0x1 use mz-next-overlay-aligned
1036 0 name mz-next-overlay-aligned
1037 >0 string MP \b, EXP (MP) for MS-DOS, Phar Lap 386 DOS extender
1039 >>0 use mz-unrecognized
1042 # This named instance is called for unrecognized MZ DOS binary from any offset
1043 0 name mz-unrecognized
1044 >0 default x \b, MZ for MS-DOS
1045 !:mime application/x-dosexec
1046 # Windows and later versions of DOS will allow .EXEs to be named with a .COM
1048 # like: EDIT.COM 4DOS.COM CMD8086.COM CMD-FR.COM SYSLINUX.COM
1050 # Reference: https://mark0.net/download/triddefs_xml.7z/defs/e/exe-vlm-msg.trid.xml
1052 !:ext exe/com/vlm/drv
1055 # This named instance is called for BW collection with offset from the beginning of the file
1056 0 name mz-bw-collection
1060 >>>&-8 string DOS/16M \b, DOS/16M DOS extender (embedded)
1061 >>>&-8 string DOS/4G \b, DOS/4G DOS extender (embedded)
1066 # This named instance is called for CauseWay MZ 3P binary with offset from the beginning of the file
1067 0 name mz-3p
1077 # Reference: http://www.textfiles.com/programming/FORMATS/lxexe.txt
1078 # https://github.com/open-watcom/open-watcom-v2/blob/master/bld/watcom/h/exeflat.h
1079 # https://github.com/bitwiseworks/os2tk45/blob/master/h/exe386.h
1081 # Note: by dll-os2-no-dos-stub.trid.xml called "OS/2 Dynamic Link Library (no DOS stub)"
1082 # similar looking like variant with MS-DOS stub (MZ magic): "MS-DOS executable, LX"
1084 #!:mime application/x-msdownload
1085 !:mime application/x-lx-executable
1087 >>0 use lx-executable
1090 >>0 use \^lx-executable
1091 # no examples found for PDP-11 endian variant
1093 # PDP-11-endian is not supported by magic "use" keyword yet
1098 0 name lx-executable
1100 # byte order: 00h~little-endian 01h~big-endian
1101 #>0x02 ubyte =0 \b, little-endian byte order
1102 #>0x02 ubyte =1 \b, big-endian word order
1103 # word order: 00h~little-endian 01h~big-endian
1104 #>0x03 ubyte =0 \b, little-endian word order
1105 #>0x03 ubyte =1 \b, big-endian word order
1106 # cpu_type; CPU type like: 1~i286 2~i386 3~i486 4~i586 20h~i860-N10 21h~i860-N11 40h~MIPS R2000,R30…
1108 # os_type; target operating system like: 0~unknown 1~OS/2 2~Windows 16-bit 3~Multitasking MS-DOS 4.…
1114 # OSF_INIT_INSTANCE=00000004h ~Per-Process Library Initialization; setting this bit for EXE file i…
1115 #>0x10 ulelong &0x00000004 \b, per-process library Initialization
1130 #>0x10 ulelong &0x00080000 \b, multiple-processor unsafe
1131 # Per-process Library Termination; setting this bit for EXE file is invalid
1132 #>0x10 ulelong &0x40000000 \b, per-process library termination
1136 # OS 2 was reserved for MS Windows 16-bit but it never used LX (NE format was used instead)
1137 #>0x0a leshort 2 for MS Windows 16-bit
1138 # OS 3 was reserved for Multitasking MS-DOS but it never used LX (NE format was used instead)
1139 #>0x0a leshort 3 for Multitasking MS-DOS
1146 # http://www.ctyme.com/intr/rb-2939.htm#Table1610
1147 # library by module type mask 00038000h (bits 15-17);
1151 # bits 8-10; OSF_PM_APP=700h in flags ~Uses PM windowing API; either it is GUI or console
1179 # Endianity for debugging, there are no samples for non-little-endian
1181 #>0x02 uleshort =0x0000 (little-endian)
1182 #>0x02 uleshort =0x0101 (big-endian)
1183 #>0x02 uleshort =0x0100 (PDP-11-endian)
1184 #>0x02 default x (unknown-endian)
1195 >>7 string >\0 \b, author=%-.14s
1197 #>>>&0 string x \b%-s
1198 >>>&0 string x \b%-.15s
1205 >>8 string x \b, name=%-.2s
1207 >12 string \0\0\0\0`\004\360 MS-DOS KEYBoard Layout file
1211 # Reference: http://www.delorie.com/djgpp/doc/rbinter/it/46/16.html
1217 # https://bugs.astron.com/view.php?id=434
1220 >>>0 use msdos-driver
1221 0 name msdos-driver DOS executable (
1222 #!:mime application/octet-stream
1223 !:mime application/x-dosdriver
1225 # and IBM Token-Ring adapter IBMTOK.DOS. Why and when DOS instead SYS is used?
1251 # leading/trailing nulls, zeros or non ASCII characters in 8-byte name field at offset 10 are skipp…
1252 …ce driver name to get phrase like "device driver PROTMAN$" "device driver HP-150II" "device driver…
1276 # they have their real name at offset 22
1278 >>>>22 string >\056 %-.6s
1281 >>4 uleshort&0x0002 0x0002 \b,32-bit sector-
1283 >4 uleshort&0x0040 0x0040 \b,IOCTL-
1285 >4 uleshort&0x0800 0x0800 \b,close media-
1288 >>4 uleshort&0x2000 0x2000 \b,until busy-
1290 >4 uleshort&0x4000 0x4000 \b,control strings-
1299 >0 use msdos-driver
1302 >0 use msdos-driver
1304 >0 use msdos-driver
1305 # https://www.uwe-sieber.de/files/cfg_echo.zip
1307 >0 use msdos-driver
1310 >0 use msdos-driver
1312 >0 use msdos-driver
1313 # 3Com EtherLink 3C501 CID\SERVER\IBMLS\IBM500D1\DLSNETDR.ZIP\ELNK.DOS
1315 >0 use msdos-driver
1318 >0 use msdos-driver
1333 >>>>0 use msdos-com
1334 # the remaining files should be DOS *.COM executables
1335 # dosshell.COM 8cc0 2ea35f07 e85211 e88a11 b80058 cd
1336 # hmload.COM 8cc8 8ec0 bbc02b 89dc 83c30f c1eb04 b4
1337 # UNDELETE.COM 8cca 2e8916 6503 b430 cd21 8b 2e0200 8b
1338 # BOOTFIX.COM 8cca 2e8916 9603 b430 cd21 8b 2e0200 8b
1339 # RAWRITE3.COM 8cca 2e8916 d602 b430 cd21 8b 2e0200 8b
1340 # SHARE.COM 8cca 2e8916 d602 b430 cd21 8b 2e0200 8b
1341 # validchr.COM 8cca 2e8916 9603 b430 cd21 8b 2e028b1e
1342 # devload.COM 8cca 8916ad01 b430 cd21 8b2e0200 892e
1344 0 name msdos-com
1345 # URL: http://fileformats.archiveteam.org/wiki/DOS_executable_(.com)
1347 # DOS executable with JuMP 16-bit instruction
1349 # check for probably nil padding til offset 64 of Lotus driver name
1353 >>>24 regex =^[A-Z][A-Za-z\040]{5,21} \bLotus driver) %s
1354 !:mime application/x-dosexec
1357 # COM with nils like MODE.COM IBMDOS.COM (pcdos 3.31 ru Compaq) RSSTUB.COM (PC-DOS 2000 de) ACCESS.…
1359 !:mime application/x-dosexec
1360 !:ext com
1361 # DOS executable with JuMP 16-bit and without nil padding
1365 # look for unreliable Syslinux specific api call INTerrupt 22h for 16-bit COMBOOT program
1366 >>>1 search/0xc088 \xcd\x22 \bCOM or COMBOOT 16-bit)
1367 !:mime application/x-dosexec
1368 # like: sbm.cbt command.com (Windows XP) UNI2ASCI.COM (FreeDOS 1.2)
1369 !:ext com/cbt
1371 !:mime application/x-dosexec
1372 !:ext com
1373 # DOS executable without JuMP 16-bit instruction
1377 !:mime application/x-dosexec
1379 # COM executable without JuMP 16-bit instruction and not SCREATE.SYS
1381 !:mime application/x-dosexec
1382 !:ext com
1386 >4 string \ $ARX \b, ARX self-extracting archive
1387 >4 string \ $LHarc \b, LHarc self-extracting archive
1388 >0x20e string SFX\ by\ LARC \b, LARC self-extracting archive
1389 # like: E30ODI.COM MADGEODI.COM UNI2ASCI.COM RECOVER.COM (DOS 2) COMMAND.COM (DOS 2)
1392 # show more instructions but not in samples like: rem.com (DJGPP)
1399 >1 byte >-1
1400 # that offset must be accessible
1403 # if look like COM executable with x86 boot signature then this
1408 # like: FIXBIOS.COM (50 bytes)
1413 # ftp://old-dos.ru/OSCollect/OS/MS-DOS/Final Releases/
1414 # skip unusual floppy image disk1.img of MS-DOS 1.25 (Corona Data Systems OEM)
1417 # "ftp://old-dos.ru/OSCollect/OS/BeOS/BeOS 4.0.rar"
1421 # https://github.com/ventoy/Ventoy/releases/download/v1.0.78/ventoy-1.0.78-windows.zip
1424 # "ftp://old-dos.ru/OSCollect/OS/MS-DOS/Final Releases/PC-DOS 1.0 (5.25).rar"
1427 >>>>>>>>9 string !7-May-81
1428 # "ftp://old-dos.ru/OSCollect/OS/BeOS/BeOS 5.0 Personal (BA).rar"
1432 # like: FIXBIOS.COM (50 bytes)
1433 >>>>>>>>>>0 use msdos-com
1435 # like: DEVICE.COM INSTALL.COM (GAG 4.10) WORD.COM (Word 1.15)
1440 # https://thestarman.pcministry.com/tool/hxd/dimtut.htm
1441 # skip unusual floppy image TK-DOS11.img IBMDOS11.img of IBM DOS 1.10
1443 >>>>>395 string !ibmbio\040\040com
1444 >>>>>>0 use msdos-com
1445 # 8-bit jump with valid number of FAT implies FAT volume already handled by ./filesystems
1449 # like: TDSK-64b.img
1450 >>>>(11.s-2) uleshort !0xAA55
1451 # skip unusual floppy image without boot signature like 360k-256.img (mtools 4.0.18)
1454 # "ftp://old-dos.ru/OSCollect/OS/MS-DOS/Final Releases/Microsoft MS-DOS 3.31 (Compaq OEM) (3.5).rar…
1456 # by check for characteristic OEM-ID text
1458 # no such DOS COM executables found
1459 >>>>>>>0 use msdos-com
1462 # display DOS executable (COM or COMBOOT 16-bit strength=40=40-0) after ESP-IDF application image (…
1463 #!:strength -0
1464 # 16-bit offset; for DEBUGGING!; can be negative like: USBDRIVE.COM
1465 # 2h (CPQ0TD.DRV) 4FEh (NDN.COM) 581h (DRMOUSE.COM) 1FDh (GAG.COM) BE07h (USBDRIVE.COM)
1466 #>1 uleshort x \b, OFFSET=%#4.4x
1467 #>1 leshort x \b, OFFSET %d
1469 >1 leshort >-1
1470 # that offset must be accessible
1474 # like: CALLVER.COM CPUCACHE.COM K437_EUR.COM SHSUCDX.COM UMBFILL.COM (183 bytes)
1476 >>>>0 use msdos-com
1478 # like: GAG.COM DRMOUSE.COM NDN.COM CPQ0TD.DRV
1479 # or ESP-IDF application image like: WLED_0.14.0_ESP32-C3.bin opendtu-generic_esp32.bin
1481 # skip ESP-IDF application image handled by ./firmware with ESP_APP_DESC_MAGIC_WORD
1483 >>>>>0 use msdos-com
1485 # like: IPXODI.COM PERUSE.COM TASKID.COM
1489 >>>>>0 use msdos-com
1492 # invalid sectorsize not a power of 2 from 32-32768. Then it is not a disk image and it must be DOS…
1493 # like: LEARN.COM (Word 1.15)
1495 >>>>>>0 use msdos-com
1496 # negative offset, must not lead into PSP
1497 # like: BASICA.COM (PC dos 3.20) FORMAT.COM SMC8100.COM WORD.COM (word4)
1498 # HIDSUPT1.COM USBDRIVE.COM USBSUPT1.COM USBUHCI.COM (FreeDOS USBDOS)
1499 >1 leshort <-259
1500 # that offset must be accessible
1501 # add 10000h to jump at end of 64 KiB segment, add 1 for jump instruction and 2 for 16-bit offset
1504 #>>>&-1 ubelong x \b, NEXT instruction %#8.8x
1505 >>>0 use msdos-com
1514 >>1 lelong&0xFFFFFFFe 0x21CD4CFe COM executable (32-bit COMBOOT
1517 !:mime application/x-c32-comboot-syslinux-exec
1519 # https://syslinux.zytor.com/comboot.php
1521 # (32-bit COMBOOT) programs *.C32 contain 32-bit code and run in flat-memory 32-bit protected mode
1528 # "COM executable (COM32R)" or "Syslinux COM32 module" by TrID
1531 # look for interrupt instruction like in rem.com (DJGPP) LOADER.COM (DR-DOS 7.x)
1533 …ING; possible hexadecimal interrupt number like: 10~BANNER.COM 13~bcdw_cl.com 15~poweroff.com (Sys…
1534 # 1A~BERNDPCI.COM 20~SETENHKB.COM 21~mostly 22~gfxboot.com (Syslinux) 2F~SHUTDOWN.COM (GEMSYS)
1540 # skip Gpt.com Mbr.com (edk2-UDK2018 bootsector) described as "DOS/MBR boot sector" by ./filesystems
1543 # few COM executables with interrupt 0x13 instruction like: Bootable CD Wizard executables bcdw_cl.…
1545 >>>>>>0 use msdos-com
1552 >>>>>>0 use msdos-com
1555 #>>>>>&-1 ubyte x \b, INTERUPT %#x
1556 # like: LOADER.COM SETENHKB.COM banner.com copybs.com gif2raw.com poweroff.com rem.com
1557 >>>>>0 use msdos-com
1558 # few COM executables without interrupt instruction like RESTART.COM (DOS 7.10) REBOOT.COM
1559 # or some EUC-KR text files or one Ulead Imaginfo thumbnail
1561 # FOR DEBUGGING; 2nd instruction like 0x50 (RESTART.COM) 0x8e (REBOOT.COM)
1568 # skip some EUC-KR text files like: euckr_falsepositive.txt
1569 # https://bugs.astron.com/view.php?id=186
1571 # like: RESTART.COM (DOS 7.10) REBOOT.COM
1572 >>>>>>0 use msdos-com
1575 # Reference: https://github.com/upx/upx/archive/v3.96.zip/upx-3.96/
1576 # src/stub/src/i086-dos16.com.S
1578 # assembler instructions: cmp sp, offset sp_limit
1581 # assembler instructions: jump above +2; int 0x20; mov cx, offset bytes_to_copy
1588 >>&2 string UPX! FREE-DOS executable (COM), UPX
1589 !:mime application/x-dosexec
1594 !:ext com
1599 252 string Must\ have\ DOS\ version DR-DOS executable (COM)
1600 !:mime application/x-dosexec
1601 !:ext com
1603 #2 search/28 \xcd\x21 COM executable for MS-DOS
1604 #WHICHFAT.cOM
1605 2 string \xcd\x21 COM executable for DOS
1606 !:mime application/x-dosexec
1607 !:ext com
1608 #DELTREE.cOM DELTREE2.cOM
1609 4 string \xcd\x21 COM executable for DOS
1610 !:mime application/x-dosexec
1611 !:ext com
1612 #IFMEMDSK.cOM ASSIGN.cOM COMP.cOM
1613 5 string \xcd\x21 COM executable for DOS
1614 !:mime application/x-dosexec
1615 !:ext com
1616 #DELTMP.COm HASFAT32.cOM
1618 >0 byte !0xb8 COM executable for DOS
1619 !:mime application/x-dosexec
1620 !:ext com
1621 #COMP.cOM MORE.COm
1623 >5 string !\xcd\x21 COM executable for DOS
1624 !:mime application/x-dosexec
1625 !:ext com
1626 #comecho.com
1627 13 string \xcd\x21 COM executable for DOS
1628 !:mime application/x-dosexec
1629 !:ext com
1630 #HELP.COm EDIT.coM
1635 >>17 default x COM executable for MS-DOS
1636 !:mime application/x-dosexec
1637 !:ext com
1638 #NWRPLTRM.COm
1639 23 string \xcd\x21 COM executable for MS-DOS
1640 !:mime application/x-dosexec
1641 !:ext com
1642 #LOADFIX.cOm LOADFIX.cOm
1643 30 string \xcd\x21 COM executable for MS-DOS
1644 !:mime application/x-dosexec
1645 !:ext com
1646 #syslinux.com 3.11
1647 70 string \xcd\x21 COM executable for DOS
1648 !:mime application/x-dosexec
1649 !:ext com
1651 0x6 search/0xa \xfc\x57\xf3\xa5\xc3 COM executable for MS-DOS
1652 !:mime application/x-dosexec
1653 !:ext com
1654 0x6 search/0xa \xfc\x57\xf3\xa4\xc3 COM executable for DOS
1655 !:mime application/x-dosexec
1656 !:ext com
1658 0x3c string W\ Collis\0\0 COM executable for MS-DOS, Compack compressed
1659 !:mime application/x-dosexec
1660 !:ext com
1661 # FIXME: missing diet .com compression
1664 0 string/b LZ MS-DOS executable (built-in)
1665 #0 byte 0xf0 MS-DOS program library data
1682 # http://www.msxnet.org/word2rtf/formats/ffh-dosword5
1685 # skip droid skeleton like x-fmt-274-signature-id-488.doc
1692 >>>0x6E ulequad =0 1.0-4.0
1693 >>>0x6E ulequad !0 5.0-6.0
1697 !:mime application/x-mswrite
1710 >>>&-2 uleshort =0x0014
1724 >>>>>>>>>>&1 string x \b, %-.8s
1726 >>>>>>>>>>&9 string x created %-.8s
1728 >>0x1E string >0 \b, formatted by %-.66s
1732 >>0x62 string >0 \b, %-.8s printer
1774 0 string/b \333\245-\0\0\0 Microsoft Word 2.0 Document
1787 !:mime application/vnd.ms-excel
1788 # https://www.macdisk.com/macsigen.php
1793 # URL: https://en.wikipedia.org/wiki/Lotus_1-2-3
1800 # Lotus Multi Byte Character Set (LMBCS=1-31)
1802 >>20 ubyte <32 Lotus 1-2-3
1803 #!:mime application/x-123
1804 !:mime application/vnd.lotus-1-2-3
1806 # (version 5.26) labeled the entry as "Lotus 1-2-3 wk3 document data"
1809 # (version 5.26) labeled the entry as "Lotus 1-2-3 wk4 document data"
1826 # (version 5.26) labeled the entry as "Lotus 1-2-3 fm3 or fmb document data"
1827 # TrID labeles the entry as "Formatting Data for Lotus 1-2-3 worksheet"
1844 >>>>>11 ubyte x \b%d-
1861 # URL: http://fileformats.archiveteam.org/wiki/Lotus_1-2-3
1862 # Reference: http://www.schnarff.com/file-formats/lotus-1-2-3/WSFF2.TXT
1863 # Note: Used by both old Lotus 1-2-3 and Lotus Symphony (DOS) til version 2.x
1867 # to display MS Windows cursor (strength=70) before Lotus 1-2-3 (strength=70-1)
1868 !:strength -1
1869 # skip Windows cursors with image height <256 and keep Lotus with low opcode 0001-0083h
1873 # !:mime application/x-123
1874 !:mime application/vnd.lotus-1-2-3
1877 # undocumented; (version 5.26) labeled the configurations as "Lotus 1-2-3"
1878 >>>4 uleshort 0x0007 1-2-3 CoNFiguration, version 2.x (PGRAPH.CNF)
1880 >>>4 uleshort 0x0C05 1-2-3 CoNFiguration, version 2.4J
1882 >>>4 uleshort 0x0801 1-2-3 CoNFiguration, version 1-2.1
1886 >>>4 uleshort 0x0804 1-2-3 CoNFiguration, version 2.2
1888 >>>4 uleshort 0x080A 1-2-3 CoNFiguration, version 2.3-2.4
1890 >>>4 uleshort 0x1402 1-2-3 CoNFiguration, version 3.x
1892 >>>4 uleshort 0x1450 1-2-3 CoNFiguration, version 4.x
1896 >>>4 uleshort 0x0404 1-2-3 WorKSheet, version 1
1903 # (version 5.26) labeled the entry as "Lotus 1-2-3 wk1 document data"
1905 >>>4 uleshort 0x0406 1-2-3/Symphony worksheet, version 2
1909 >>>4 uleshort 0x0600 1-2-3 WorKsheet, version 1.xJ
1912 #>>>4 uleshort 0x???? 1-2-3 WorKsheet, version 2
1915 >>>4 uleshort 0x0602 1-2-3 worksheet, version 2.4J
1917 # (version 5.26) labeled the entry as "Lotus 1-2-3 fmt document data"
1918 >>>4 uleshort 0x8006 1-2-3 ForMaTting data, version 2.x
1922 >>>4 uleshort 0x8007 1-2-3 FoRMatting data, version 2.0
1924 # (version 5.26) labeled the entry as "Lotus 1-2-3"
1929 >>>6 use lotus-cells
1931 >>>(8.s+10) use lotus-cells
1933 0 name lotus-cells
1939 >>>6 uleshort x \b%d-
1945 !:mime application/vnd.lotus-wordpro
1947 !:mime application/vnd.lotus-wordpro
1953 # Modified by (1): Abel Cheung <abelcheung@gmail.com> (replace useless entry)
1958 #0 string Nullsoft\ AVS\ Preset\ \060\056\061\032 A plug in for Winamp ms-windows Freeware media pl…
1964 # Reference: https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-WMF/%5bMS-WM…
1967 # verified by ImageMagick `identify -verbose *.wmf` as WMF (Windows Meta File)
1970 # Note: called "Windows Metafile Image with Placeable File Header" by DROID via PUID x-fmt/119
1971 # and verified by XnView `nconvert -info abydos.wmf SPA_FLAG.wmf hardcopy-windows-meta.wmf` as "Wi…
1972 # skip failed libreoffice-7.3.2.2 ofz35149-1.wmf with invalid version 2020h and exttextout-2.wmf wi…
1973 # and x-fmt-119-signature-id-609.wmf without version instead of 0100h=METAVERSION100 or 0300h=METAV…
1976 # seems to be always true but in failed samples 2020h ofz35149-1.wmf 56f8h exttextout-2.wmf
1979 # sometimes useful like: hardcopy-windows-meta.wmf (0,0 / 1280,1024)
1980 # but garbage in x-fmt-119-signature-id-609.wmf (-21589,-21589 / -21589,-21589)
1982 # Left; x-coordinate of the upper-left corner of the rectangle
1984 # Top; y-coordinate upper-left corner
1986 # Right; x-coordinate lower-right corner
1988 # Bottom; y-coordinate lower-right corner
1992 # Reserved; field is not used and MUST be set to 0; but ababababh in x-fmt-119-signature-id-609.wmf
1997 >>22 use wmf-head
2000 >0 use wmf-head
2001 # Reference: http://mark0.net/download/triddefs_xml.7z/defs/w/wmf-16.trid.xml
2003 # "Windows Metafile Image without Placeable File Header" by DROID via PUID x-fmt/119
2004 # verified by XnView `nconvert -info *.wmf` as Windows metafile
2007 # skip DROID x-fmt-119-signature-id-1228.wmf by looking for content after header (18 bytes=2*011)
2012 >>0 use wmf-head
2014 0 name wmf-head
2019 # MetafileVersion: 0100h=METAVERSION100~DIBs (device-independent bitmaps) not supported 0300h=METAV…
2020 # but in failed samples 2020h ofz35149-1.wmf 3a02h exttextout-2.wmf
2032 # NumberOfObjects: the number of graphics objects like: 0 hardcopy-windows-meta.wmf 1 2 3 4 5 6 7 8…
2036 … 13 TestPalette.wmf and in failed samples 4254 bitcount-1.wmf 8224 ofz5942-1.wmf 56832 exttextout-…
2040 0 string/b \003\001\001\004\070\001\000\000 tz3 ms-works file
2041 0 string/b \003\002\001\004\070\001\000\000 tz3 ms-works file
2042 0 string/b \003\003\001\004\070\001\000\000 tz3 ms-works file
2063 >>0 use cur-ico-dir
2066 >>0 use cur-ico-dir
2068 0 name cur-ico-dir
2069 # skip some Lotus 1-2-3 worksheets, CYCLE.PIC and keep Windows cursors with
2070 # 1st data offset = dir header size + n * dir entry size = 6 + n * 10h = ?6h
2075 # https://www.iana.org/assignments/media-types/image/vnd.microsoft.icon
2077 #!:mime image/x-icon
2079 >>>>4 uleshort x - %d icon
2083 >>>>0x06 use ico-entry
2086 >>>>>0x16 use ico-entry
2088 #!:mime image/x-cur
2089 !:mime image/x-win-bitmap
2091 >>>>4 uleshort x - %d icon
2094 >>>>0x06 use cur-entry
2095 #>>>>0x16 use cur-entry
2097 0 name cur-entry
2098 >0 use cur-ico-entry
2102 0 name ico-entry
2103 >0 use cur-ico-entry
2109 0 name cur-ico-entry
2119 # offset of PNG or DIB image
2120 #>12 ulelong x \b, offset %#x
2124 >>&-4 indirect x \b with
2127 #>>&-4 use dib-image
2129 # Windows non-animated cursors
2133 # GRR: line below is too general as it catches also Lotus 1-2-3 files
2136 >>0 use cur-ico-dir
2138 >>0 use cur-ico-dir
2153 # By Abel Cheung (abelcheung AT gmail dot com)
2162 >12 lelong 0x00000320 Windows Recycle Bin INFO2 file (Win2k - WinXP)
2173 # Too simple - MPi
2180 # http://www.woodmann.com/fravia/dafix_t1.htm
2187 1 string RDC-meg MegaDots
2194 !:mime application/x-dosexec
2200 #>0x181 leshort x \b, offset %x
2205 >>>&-1 string <PIFMGR.DLL \b, icon=%s
2206 #>>>&-1 string PIFMGR.DLL \b, icon=%s
2207 >>>&-1 string >PIFMGR.DLL \b, icon=%s
2209 >>>&-1 string <Terminal \b, font=%.32s
2210 #>>>&-1 string =Terminal \b, font=%.32s
2211 >>>&-1 string >Terminal \b, font=%.32s
2213 >>>&-1 string <Lucida\ Console \b, TrueTypeFont=%.32s
2214 #>>>&-1 string =Lucida\ Console \b, TrueTypeFont=%.32s
2215 >>>&-1 string >Lucida\ Console \b, TrueTypeFont=%.32s
2216 #>0x187 search/0xB55 WINDOWS\ 286\ 3.0\0 \b, Windows 3.X standard mode-style
2217 #>0x187 search/0xB55 WINDOWS\ 386\ 3.0\0 \b, Windows 3.X enhanced mode-style
2218 >0x187 search/0xB55 WINDOWS\ NT\ \ 3.1\0 \b, Windows NT-style
2219 #>0x187 search/0xB55 WINDOWS\ NT\ \ 4.0\0 \b, Windows NT-style
2226 # of http://www.davep.org/norton-guides/ng2h-105.tgz
2229 # only value 0x100 found at offset 2
2231 !:mime application/x-norton-guide
2235 >>8 string >\0 "%-.40s"
2238 >>48 string >\0 \b, %-.66s
2239 >>114 string >\0 %-.66s
2242 # Reference: http://mark0.net/download/triddefs_xml.7z/defs/m/msg-nc-eng.trid.xml
2250 >6 search/7089 Non-DOS\ disk Norton Commander module message
2251 !:mime application/x-norton-msg
2254 # URL: http://www.antonis.de/dos/dos-tuts/mpdostip/html/nwdostip.htm
2255 # Reference: https://mark0.net/download/triddefs_xml.7z/defs/m/msg-netware-dos.trid.xml
2258 #!:mime application/octet-stream
2259 #!:mime application/x-novell-msg
2263 # digit 1 or often main or program name like: IPXODI.COM TASKID pnwtrap DOSRqstr
2282 # followed by Ctrl-J Ctrl-Z
2285 # Ctrl-Z
2290 # Reference: http://mark0.net/download/triddefs_xml.7z/defs/d/dat-novell-msg.trid.xml
2291 # ftp://ftp.iitb.ac.in/LDP/en/NLM-HOWTO/NLM-HOWTO-single.html
2297 #!:mime application/octet-stream
2298 #!:mime application/x-novell-msg
2305 # Reference: http://mark0.net/download/triddefs_xml.7z/defs/h/hlp-tp-2.trid.xml
2308 #!:mime application/octet-stream
2309 !:mime application/x-pascal-hlp
2313 # Reference: http://mark0.net/download/triddefs_xml.7z/defs/h/hlp-4dos-v2.trid.xml
2318 !:mime application/x-4dos-hlp
2321 # Reference: http://mark0.net/download/triddefs_xml.7z/defs/h/hlp-4dos-v4.trid.xml
2324 #!:mime application/octet-stream
2325 !:mime application/x-4dos-hlp
2329 # Reference: http://mark0.net/download/triddefs_xml.7z/defs/h/hlp-4dos.trid.xml
2334 #!:mime application/octet-stream
2335 !:mime application/x-4dos-hlp
2340 # one-digit major version number of version string
2341 >4 string x \b, version %-1.1s
2342 # two-digit minor version number depending on pascal string length at the beginning
2344 >>>5 string x \b%-2.2s
2345 # Byte at offset 7 (A=41h) and 8 (A=41h) is not Revison like C (=43h) as reported by VER /R for 4DO…
2347 >>>7 string x %-.2s
2350 >>>5 string x \b%-2.2s
2353 #>>>5 string x %-2.2s
2374 # ExtHelpName; string[13]; name for external help program like: HELP.COM DOSBOOK.EXE
2380 # SharewareData : SharewareDataRec; shareware info for 4DOS.COM
2383 # old binary Microsoft (.HLP) files added by Joerg Jenderek from http://file-extension.net/seeker/f…
2385 # Reference: http://mark0.net/download/triddefs_xml.7z/defs/h/hlp-ms-adv.trid.xml
2388 #!:mime application/octet-stream
2389 !:mime application/x-ms-hlp
2394 !:mime application/vnd.ms-htmlhelp
2397 # GFA-BASIC (Wolfram Kleff)
2398 2 string/b GFA-BASIC3 GFA-BASIC 3 data
2400 #------------------------------------------------------------------------------
2404 # Reference: https://msdn.microsoft.com/en-us/library/bb267310.aspx
2409 # https://support.microsoft.com/en-us/help/973559/frequently-asked-questions-about-the-microsoft-su…
2415 !:mime application/vnd.ms-cab-compressed
2421 !:mime application/vnd.ms-cab-compressed
2425 !:mime application/vnd.ms-powerpoint
2429 # Reference: https://docs.microsoft.com/en-us/previous-versions/windows/desktop/sidebar/
2430 # http://win10gadgets.com/download/273/ All_CPU_Meter1.zip/All_CPU_Meter_V4.7.3.gadget
2432 #!:mime application/vnd.ms-cab-compressed
2434 !:mime application/x-windows-gadget
2436 # http://www.incredimail.com/
2439 !:mime application/x-incredimail
2453 # http://file-extension.net/seeker/file_extension_ime
2461 # URL: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/building-device-metadata-…
2462 # Reference: http://mark0.net/download/triddefs_xml.7z/defs/d/devicemetadata-ms.trid.xml
2463 >>>&-1 string PackageInfo.xml \b, Device Metadata Package
2464 !:mime application/vnd.ms-cab-compressed
2465 !:ext devicemetadata-ms
2467 >>>&-1 string/c _accrpt_.snp \b, Access report snapshot
2471 >>>&-1 string manifest.xsf \b, InfoPath Form Template
2472 !:mime application/vnd.ms-cab-compressed
2473 #!:mime application/vnd.ms-infopath
2478 !:mime application/vnd.ms-cab-compressed
2481 # https://support.microsoft.com/kb/934307/en-US
2484 >>>&-1 string/c wsusscan.cab \b, Microsoft Standalone Update
2485 !:mime application/vnd.ms-cab-compressed
2487 >>>&-1 default x
2490 >>>>&-1 search/255 .
2491 # http://www.pptfaq.com/FAQ00164_What_is_a_PPZ_file-.htm
2492 # PPZ were created using Pack & Go feature of PowerPoint versions 97 - 2002
2496 !:mime application/vnd.ms-powerpoint
2501 !:mime application/vnd.ms-cab-compressed
2503 # https://msdn.microsoft.com/en-us/library/windows/desktop/bb773190(v=vs.85).aspx
2507 !:mime application/x-windows-themepack
2508 # https://www.drewkeller.com/content/using-theme-both-windows-7-and-windows-8
2509 # 1st member Panoramic.theme or Panoramas.theme implies Windows 8-10 Theme Pack
2519 # 1st member name like: "Class Notes.one" "test-onenote.one" "Open Notebook.onetoc2" "Editor �ffnen…
2526 # 2nd member name WSUSSCAN.cab like in Microsoft-Windows-MediaFeaturePack-OOB-Package.msu
2528 !:mime application/vnd.ms-cab-compressed
2536 !:mime application/vnd.ms-cab-compressed
2544 !:mime application/vnd.ms-cab-compressed
2548 !:mime application/vnd.ms-cab-compressed
2551 >>>>&-1 default x
2553 !:mime application/vnd.ms-cab-compressed
2557 !:mime application/vnd.ms-cab-compressed
2569 # offset of the first CFFILE entry coffFiles: minimal 2Ch
2571 >(16.l) use cab-file
2577 >>>>&0 use cab-file
2586 # Cabinet files have a 16-bit cabinet setID field that is designed for application use.
2587 # default is zero, however, the -i option of cabarc can be used to set this field
2594 # cbCFHeader optional size of per-cabinet reserved area 14h 1800h
2596 # cbCFFolder is optional size of per-folder reserved area
2598 # cbCFData is optional size of per-datablock reserved area
2600 # optional per-cabinet reserved area abReserve[cbCFHeader]
2603 >>>(36.s+40) use cab-folder
2608 >>>36 use cab-folder
2611 >>>36 use cab-anchor
2614 >>>36 use cab-anchor
2616 # can not use sub routine cab-anchor to display previous and next cabinet together
2617 #>>>36 use cab-anchor
2618 #>>>>&0 use cab-anchor
2626 >>>>>>>&1 use cab-folder
2628 0 name cab-anchor
2634 0 name cab-folder
2635 # offset of the CFDATA block in this folder
2643 # optional per-folder reserved area
2646 0 name cab-file
2649 # uoffFolderStart is uncompressed offset of file in folder
2661 # define _A_RDONLY (0x01) file is read-only
2682 #>>&17 string >\0 \b, NEXT NAME %-.50s
2692 >20 lelong 0 \b, architecture-independent
2708 # See msdn.microsoft.com/archive/en-us/dnargdi/html/msdn_enhmeta.asp
2718 # From: "Nelson A. de Oliveira" <naoliv@gmail.com>
2739 !:mime application/x-ms-reader
2746 # if anything, produced files with version numbers 0-2.
2757 # URL: http://fileformats.archiveteam.org/wiki/BACKUP_(MS-DOS)
2758 # Reference: http://www.ibiblio.org/pub/micro/pc-stuff/freedos/files/dos/restore/brtecdoc.htm
2763 >0x5 ubyte-1 <31
2764 >>0x6 ubyte-1 <12
2768 #!:mime application/octet-stream
2774 # skip some AppleWorks word like Tomahawk.Awp, WIN98SE-DE.vhd
2778 # FFh -127 = -1 -127 = -128
2779 # 00h -127 = 0 -127 = -127
2780 >0 byte-127 <-126
2782 >>0x53 ubyte-1 <78
2796 >>>>>>0 ubyte x DOS 2.0-3.2 backed up
2802 #!:mime application/octet-stream
2825 # URL: http://fileformats.archiveteam.org/wiki/MS-DOS_date/time
2826 # Reference: https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-dosdatetimetofil…
2829 0 name dos-date
2830 # HHHHHMMMMMMSSSSS bit encoded Hour (0-23) Minute (0-59) SecondPart (*2)
2834 # YYYYYMMMMDDDDD bit encoded YearPart (+1980) Month (1-12) Day (1-31)
2858 # ExcelBIFF2-8BOF.magic - Excel Binary Interchange File Format versions 2-8
2860 # See https://www.gaia-gis.it/gaia-sins/freexl-1.0.6-doxy-doc/html/Format.html
2885 # Add-in (VBA) .xla Adds custom functionality; written in VBA
2895 # Add-in (DLL) .xll Adds custom functionality; written in C++/C,
2897 # dynamic-link library
2898 # Macro .xlm A macro is created by the user or pre-installed
2900 # Template .xlt A pre-formatted spreadsheet created by the user
2910 #!:mime application/vnd.ms-excel
2914 # Offset Size Contents
2931 # Offset Size Contents
2962 # Offset Size Contents
2993 # Offset Size Contents
3027 # Various external tools write non-standard BOF records with the record
3028 # identifier 0809H (determining a BIFF5-BIFF8 BOF record), but with a
3033 # Offset Size Contents