xref: /freebsd/contrib/file/magic/Magdir/msdos (revision 02e9120893770924227138ba49df1edb3896112a)
1
2#------------------------------------------------------------------------------
3# $File: msdos,v 1.169 2023/04/17 16:39:19 christos Exp $
4# msdos:  file(1) magic for MS-DOS files
5#
6
7# .BAT files (Daniel Quinlan, quinlan@yggdrasil.com)
8# updated by Joerg Jenderek at Oct 2008,Apr 2011
90	string/t	@
10>1	string/cW	\ echo\ off	DOS batch file text
11!:mime	text/x-msdos-batch
12!:ext	bat
13>1	string/cW	echo\ off	DOS batch file text
14!:mime	text/x-msdos-batch
15!:ext	bat
16>1	string/cW	rem		DOS batch file text
17!:mime	text/x-msdos-batch
18!:ext	bat
19>1	string/cW	set\ 		DOS batch file text
20!:mime	text/x-msdos-batch
21!:ext	bat
22
23
24# OS/2 batch files are REXX. The second regex is a bit generic, oh well;
25# the matched commands seem to be common in REXX and uncommon elsewhere
26100	search/0xffff   rxfuncadd
27>100	regex/c =^[\ \t]{0,10}call[\ \t]{1,10}rxfunc	OS/2 REXX batch file text
28100	search/0xffff   say
29>100	regex/c =^[\ \t]{0,10}say\ ['"]			OS/2 REXX batch file text
30
31# updated by Joerg Jenderek at Oct 2015
32# https://de.wikipedia.org/wiki/Common_Object_File_Format
33# http://www.delorie.com/djgpp/doc/coff/filhdr.html
34# ./intel already labeled COFF type 0x14c=0514 as "80386 COFF executable"
35#0	leshort		0x14c	MS Windows COFF Intel 80386 object file
36#>4	ledate		x	stamp %s
370	leshort		0x166	MS Windows COFF MIPS R4000 object file
38#>4	ledate		x	stamp %s
390	leshort		0x184	MS Windows COFF Alpha object file
40#>4	ledate		x	stamp %s
410	leshort		0x268	MS Windows COFF Motorola 68000 object file
42#>4	ledate		x	stamp %s
430	leshort		0x1f0	MS Windows COFF PowerPC object file
44#>4	ledate		x	stamp %s
450	leshort		0x290	MS Windows COFF PA-RISC object file
46#>4	ledate		x	stamp %s
47
48# Tests for various EXE types.
49#
50# Many of the compressed formats were extracted from IDARC 1.23 source code.
51#
52# e_magic
530	string/b	MZ
54#	TODO
55# FLT:	Syntrillium CoolEdit Filter		https://en.wikipedia.org/wiki/Adobe_Audition
56# FMX64:FileMaker Pro 64-bit plug-in		https://en.wikipedia.org/wiki/FileMaker
57# FMX:	FileMaker Pro 32-bit plug-in		https://en.wikipedia.org/wiki/FileMaker
58# FOD:	WIFE Font Driver
59# GAU:	MS Flight Simulator Gauge
60# IFS:	OS/2 Installable File System		https://en.wikipedia.org/wiki/OS/2
61# MEXW32:MATLAB Windows 32bit compiled function	https://en.wikipedia.org/wiki/MATLAB
62# MEXW64:MATLAB Windows 64bit compiled function	https://en.wikipedia.org/wiki/MATLAB
63# MLL:	Maya plug-in (generic)	       		http://en.wikipedia.org/wiki/Autodesk_Maya
64# PFL:	PhotoFilter plugin			http://photofiltre.free.fr
65# 8*:	PhotoShop plug-in (generic)		http://www.adobe.com/products/photoshop/main.html
66# PLG:	Aston Shell plugin			http://www.astonshell.com/
67# QLB:	Microsoft Basic Quick library		https://en.wikipedia.org/wiki/QuickBASIC
68# SKL:	WinLIFT skin				http://www.zapsolution.com/winlift/index.htm
69# TBK:	Asymetrix ToolBook application		http://www.toolbook.com
70# TBP:	The Bat! plugin	   			http://www.ritlabs.com
71# UPC:	Ultimate Paint Graphics Editor plugin	http://ultimatepaint.j-t-l.com
72# XFM:	Syntrillium Cool Edit Transform Effect	bad http://www.cooledit.com
73# XPL:	X-Plane plugin	      			http://www.xsquawkbox.net/xpsdk/
74# ZAP:	ZoneLabs Zone Alarm data		http://www.zonelabs.com
75#
76# NEXT LINES FOR DEBUGGING!
77# e_cblp; bytes on last page of file
78# e_cp; pages in file
79#>4		uleshort	x	\b, e_cp 0x%x
80# e_lfanew; file address of new exe header
81#>0x3c		ulelong		x	\b, e_lfanew 0x%x
82# e_lfarlc; address of relocation table
83#>0x18		uleshort	x	\b, e_lfarlc=0x%x
84# e_ovno; overlay number. If zero, this is the main executable foo
85#>0x1a		uleshort	!0	\b, e_ovno 0x%x
86#>0x1C		ubequad		!0	\b, e_res 0x%16.16llx
87# e_oemid; often 0
88#>0x24		uleshort	!0	\b, e_oemid 0x%x
89# e_oeminfo; typically zeroes, but 13Dh (WORDSTAR.CNV WPFT5.CNV) 143h (WRITWIN.CNV)
90# 1A3h (DBASE.CNV LOTUS123.CNV RFTDCA.CNV WORDDOS.CNV WORDMAC.CNV WORDWIN1.CNVXLBIFF.CNV)
91#>0x26		uleshort	!0	\b, e_oeminfo 0x%x
92#  e_res2; typically zeroes, but 000006006F082D2Ah SCSICFG.EXE 00009A0300007C03h de.exe
93# 0000CA0000000002h country.exe dosxmgr.exe 421E0A00421EA823h QMC.EXE
94#>0x28		ubequad		!0	\b, e_res2 0x%16.16llx
95# https://web.archive.org/web/20171116024937/http://www.ctyme.com/intr/rb-2939.htm#table1593
96# https://github.com/uxmal/reko/blob/master/src/ImageLoaders/MzExe/ExeImageLoader.cs
97# new exe header magic like: PE NE LE LX W3 W4
98# no examples found for ZM DL MP P2 P3
99#>(0x3c.l)	string		x	\b, at [0x3c] %.2s
100#>(0x3c.l)	ubelong		x	\b, at [0x3c] %#8.8x
101#>(0x3c.l+4)	ubelong		x	\b, at [0x3c+4] %#8.8x
102#
103# Most non-DOS MZ-executable extensions have the relocation table more than 0x40 bytes into the file.
104# http://www.mitec.cz/Downloads/EXE.zip/EXE64.exe	e_lfarlc=0x8ead
105# OS/2 ECS\INSTALL\DETECTEI\PCISCAN.EXE			e_lfarlc=0x1c
106# some EFI apps Shell_Full.efi ext4_x64_signed.efi	e_lfarlc=0
107# Icon library WORD60.ICL				e_lfarlc=0
108# Microsoft compiled help format 2.0 WINWORD.DEV.HXS	e_lfarlc=0
109>0x18	uleshort <0x40
110# check magic of new second header
111# NE executable with low e_lfarlc like: WORD60.ICL
112# ICL:	Icons Library 16-bit			http://fileformats.archiveteam.org/wiki/Icon_library
113>>(0x3c.l)	string	NE	Windows Icons Library 16-bit
114!:mime		image/x-ms-icl
115!:ext		icl
116# handle LX executable with low e_lfarlc like: PCISCAN.EXE
117>>(0x3c.l)	string	LX
118>>>(0x3c.l)	use		lx-executable
119# skip Portable Executable (PE) with low e_lfarlc here, because handled later
120# like: ext4_x64_signed.efi Shell_Full.efi WINWORD.DEV.HXS
121>>(0x3c.l)	string	PE
122# not New Executable (NE) and not PE with low e_lfarlc like:
123# MACCNV55.EXE WORK_RTF.EXE TELE200.EXE NDD.EXE iflash.exe
124>>(0x3c.l)	default	x	MS-DOS executable, MZ for MS-DOS
125!:mime	application/x-dosexec
126# Windows and later versions of DOS will allow .EXEs to be named with a .COM
127# extension, mostly for compatibility's sake.
128# like: EDIT.COM 4DOS.COM CMD8086.COM CMD-FR.COM SYSLINUX.COM
129# URL:		https://en.wikipedia.org/wiki/Personal_NetWare#VLM
130# Reference:	https://mark0.net/download/triddefs_xml.7z/defs/e/exe-vlm-msg.trid.xml
131# also like: BGISRV.DRV
132!:ext	exe/com/vlm/drv
133# These traditional tests usually work but not always.  When test quality support is
134# implemented these can be turned on.
135#>>0x18	leshort	0x1c	(Borland compiler)
136#>>0x18	leshort	0x1e	(MS compiler)
137
138# Maybe it's a PE?
139# URL:		http://fileformats.archiveteam.org/wiki/Portable_Executable
140# Reference:	https://docs.microsoft.com/de-de/windows/win32/debug/pe-format
141>(0x3c.l)	string		PE\0\0	PE
142!:mime	application/vnd.microsoft.portable-executable
143# https://docs.microsoft.com/de-de/windows/win32/debug/pe-format#characteristics
144# DLL Characteristics
145#>>(0x3c.l+22)	uleshort	x	\b, CHARACTERISTICS %#4.4x,
146# 0x0200~IMAGE_FILE_DEBUG_STRIPPED Debugging information is removed from the image file
147# 0x1000~IMAGE_FILE_SYSTEM The image file is a system file, not a user program.
148# 0x2000~IMAGE_FILE_DLL The image file is a dynamic-link library (DLL)
149>>(0x3c.l+24)	leshort		0x010b	\b32 executable
150# https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#windows-subsystem
151#>>>(0x3c.l+92)	leshort		x	\b, SUBSYSTEM %u
152>>(0x3c.l+24)	leshort		0x020b	\b32+ executable
153#>>>(0x3c.l+92)	leshort		x	\b, SUBSYSTEM %u
154>>(0x3c.l+24)	leshort		0x0107	ROM image
155>>(0x3c.l+24)	default		x	Unknown PE signature
156>>>&0 		leshort		x	%#x
157>>(0x3c.l+22)	leshort&0x2000	>0	(DLL)
158# 0~IMAGE_SUBSYSTEM_UNKNOWN An unknown subsystem
159>>(0x3c.l+92)	leshort		0	(
160# Summary:	Microsoft compiled help *.HXS format 2.0
161# URL:		https://en.wikipedia.org/wiki/Microsoft_Help_2
162# Reference:	http://www.russotto.net/chm/itolitlsformat.html
163#		https://mark0.net/download/triddefs_xml.7z/defs/h/hxs.trid.xml
164# Note:		2 PE sections (.rsrc, .its) implies Microsoft compiled help format; the .its section contains the help content ITOLITLS
165#		verified by command like `pelook.exe -d WINWORD.HXS & pelook.exe -h WINWORD.HXS`
166>>>(0x3c.l+6)	uleshort	=2	\bMicrosoft compiled help format 2.0)
167!:ext	hxs
168# 3 PE sections (.text, .reloc, .rsrc) implies some Control Panel Item like:
169# CPL:	Control Panel item for WINE 1.7.28	https://www.winehq.org/
170>>>(0x3c.l+6)	uleshort	!2	\bControl Panel Item)
171!:ext	cpl
172# 1~IMAGE_SUBSYSTEM_NATIVE device drivers and native Windows processes
173>>(0x3c.l+92)	leshort		1
174# Native PEs include ntoskrnl.exe, hal.dll, smss.exe, autochk.exe, and all the
175# drivers in Windows/System32/drivers/*.sys.
176>>>(0x3c.l+22)	leshort&0x2000	>0	(native)
177!:ext	dll/sys
178>>>(0x3c.l+22)	leshort&0x2000	0	(native)
179!:ext	exe/sys
180# 2~IMAGE_SUBSYSTEM_WINDOWS_GUI	The Windows graphical user interface (GUI) subsystem
181>>(0x3c.l+92)	leshort		2
182>>>(0x3c.l+22)	leshort&0x2000	>0	(GUI)
183# These could probably be at least partially distinguished from one another by
184# looking for specific exported functions.
185# CPL: Control Panel item
186# TLB: Type library
187# OCX: OLE/ActiveX control
188# ACM: Audio compression manager codec
189# AX: DirectShow source filter
190# IME: Input method editor
191!:ext	dll/cpl/tlb/ocx/acm/ax/ime
192>>>(0x3c.l+22)	leshort&0x2000	0	(GUI)
193# Screen savers typically include code from the scrnsave.lib static library, but
194# that's not guaranteed.
195!:ext	exe/scr
196# 3~IMAGE_SUBSYSTEM_WINDOWS_CUI	The Windows character subsystem
197>>(0x3c.l+92)	leshort		3
198>>>(0x3c.l+22)	leshort&0x2000	>0	(console)
199!:ext	dll/cpl/tlb/ocx/acm/ax/ime
200>>>(0x3c.l+22)	leshort&0x2000	0	(console)
201!:ext	exe/com
202# NO Windows Subsystem number 4!
203>>(0x3c.l+92)	leshort		4	(Unknown subsystem 4)
204# 5~IMAGE_SUBSYSTEM_OS2_CUI The OS/2 character subsystem
205>>(0x3c.l+92)	leshort		5	(OS/2)
206# GRR: No examples found by Joerg Jenderek
207#!:ext	foo-exe-os2
208# NO Windows Subsystem number 6!
209>>(0x3c.l+92)	leshort		6	(Unknown subsystem 6)
210# 7~IMAGE_SUBSYSTEM_POSIX_CUI The Posix character subsystem
211>>(0x3c.l+92)	leshort		7	(POSIX
212>>>(0x3c.l+22)	leshort&0x2000	>0	\b)
213# like: PSXDLL.DLL
214!:ext	dll
215>>>(0x3c.l+22)	leshort&0x2000	0	\b)
216# like: PAX.EXE
217!:ext	exe
218# 8~IMAGE_SUBSYSTEM_NATIVE_WINDOWS Native Win9x driver
219>>(0x3c.l+92)	leshort		8	(Win9x)
220# GRR: No examples found by Joerg Jenderek
221#!:ext	foo-exe-win98
222# 9~IMAGE_SUBSYSTEM_WINDOWS_CE_GUI Windows CE
223>>(0x3c.l+92)	leshort		9	(Windows CE
224>>>(0x3c.l+22)	leshort&0x2000	>0	\b)
225# like: MCS9900Ce50.dll Mosiisr99x.dll TMCGPS.DLL
226!:ext	dll
227>>>(0x3c.l+22)	leshort&0x2000	0	\b)
228# like: NNGStart.exe navigator.exe
229!:ext	exe
230# 10~IMAGE_SUBSYSTEM_EFI_APPLICATION An Extensible Firmware Interface (EFI) application
231>>(0x3c.l+92)	leshort		10	(EFI application)
232# like: bootmgfw.efi grub.efi gdisk_x64.efi Shell_Full.efi shim.efi syslinux.efi
233!:ext	efi
234# 11~IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER An EFI driver with boot services
235>>(0x3c.l+92)	leshort		11	(EFI boot service driver)
236# like: ext2_x64_signed.efi Fat_x64.efi iso9660_x64_signed.efi
237!:ext	efi
238>>(0x3c.l+92)	leshort		12	(EFI runtime driver)
239# no sample found
240!:ext	efi
241# 13~IMAGE_SUBSYSTEM_EFI_ROM An EFI ROM image
242>>(0x3c.l+92)	leshort		13	(EFI ROM)
243# no sample found
244!:ext	efi
245# 14~IMAGE_SUBSYSTEM_XBOX XBOX
246>>(0x3c.l+92)	leshort		14	(XBOX)
247#!:ext	foo-xbox
248# NO Windows Subsystem number 15!
249>>(0x3c.l+92)	leshort		15	(Unknown subsystem 15)
250# 16~IMAGE_SUBSYSTEM_WINDOWS_BOOT_APPLICATION Windows boot application
251>>(0x3c.l+92)	leshort		16	(Windows boot application
252>>>(0x3c.l+22)	leshort&0x2000	>0	\b)
253# like: bootvhd.dll bootuwf.dll hvloader.dll tcbloader.dll bootspaces.dll
254!:ext	dll
255>>>(0x3c.l+22)	leshort&0x2000	0	\b)
256# like: bootmgr.efi memtest.efi shellx64.efi memtest.exe winload.exe winresume.exe bootvhd.dll hvloader.dll
257!:ext	efi/exe
258# GRR: the next 2 lines are not executed!
259#>>(0x3c.l+92)	default		x	(Unknown subsystem
260#>>>&0		leshort		x	%#x)
261>>(0x3c.l+92)	leshort		>16	(Unknown subsystem
262>>>&0		leshort		x	%#x)
263>>(0x3c.l+4)	leshort		0x14c	Intel 80386
264>>(0x3c.l+4)	leshort		0x166	MIPS R4000
265>>(0x3c.l+4)	leshort		0x168	MIPS R10000
266>>(0x3c.l+4)	leshort		0x184	Alpha
267>>(0x3c.l+4)	leshort		0x1a2	Hitachi SH3
268>>(0x3c.l+4)	leshort		0x1a3	Hitachi SH3 DSP
269>>(0x3c.l+4)	leshort		0x1a8	Hitachi SH5
270>>(0x3c.l+4)	leshort		0x169	MIPS WCE v2
271>>(0x3c.l+4)	leshort		0x1a6	Hitachi SH4
272>>(0x3c.l+4)	leshort		0x1c0	ARM
273>>(0x3c.l+4)	leshort		0x1c2	ARM Thumb
274>>(0x3c.l+4)	leshort		0x1c4	ARMv7 Thumb
275>>(0x3c.l+4)	leshort		0x1d3	Matsushita AM33
276>>(0x3c.l+4)	leshort		0x1f0	PowerPC
277>>(0x3c.l+4)	leshort		0x1f1	PowerPC with FPU
278>>(0x3c.l+4)	leshort		0x1f2	PowerPC (big-endian)
279>>(0x3c.l+4)	leshort		0x200	Intel Itanium
280>>(0x3c.l+4)	leshort		0x266	MIPS16
281>>(0x3c.l+4)	leshort		0x268	Motorola 68000
282>>(0x3c.l+4)	leshort		0x290	PA-RISC
283>>(0x3c.l+4)	leshort		0x366	MIPSIV
284>>(0x3c.l+4)	leshort		0x466	MIPS16 with FPU
285>>(0x3c.l+4)	leshort		0xebc	EFI byte code
286>>(0x3c.l+4)	leshort		0x5032	RISC-V 32-bit
287>>(0x3c.l+4)	leshort		0x5064	RISC-V 64-bit
288>>(0x3c.l+4)	leshort		0x5128	RISC-V 128-bit
289>>(0x3c.l+4)	leshort		0x6232	LoongArch 32-bit
290>>(0x3c.l+4)	leshort		0x6264	LoongArch 64-bit
291>>(0x3c.l+4)	leshort		0x9041	Mitsubishi M32R
292>>(0x3c.l+4)	leshort		0x8664	x86-64
293>>(0x3c.l+4)	leshort		0xaa64	Aarch64
294>>(0x3c.l+4)	leshort		0xc0ee	MSIL
295# GRR: the next 2 lines are not executed!
296>>(0x3c.l+4)	default		x	Unknown processor type
297>>>&0		leshort		x	%#x
298>>(0x3c.l+22)	leshort&0x0200	>0	(stripped to external PDB)
299>>(0x3c.l+22)	leshort&0x1000	>0	system file
300>>(0x3c.l+24)	leshort		0x010b
301>>>(0x3c.l+232) lelong	>0	Mono/.Net assembly
302>>(0x3c.l+24)	leshort		0x020b
303>>>(0x3c.l+248) lelong	>0	Mono/.Net assembly
304
305# hooray, there's a DOS extender using the PE format, with a valid PE
306# executable inside (which just prints a message and exits if run in win)
307>>(8.s*16)		string		32STUB	\b, 32rtm DOS extender
308>>(8.s*16)		string		!32STUB	\b, for MS Windows
309>>(0x3c.l+0xf8)		string		UPX0 \b, UPX compressed
310>>(0x3c.l+0xf8)		search/0x140	PEC2 \b, PECompact2 compressed
311>>(0x3c.l+0xf8)		search/0x140	UPX2
312>>>(&0x10.l+(-4))	string		PK\3\4 \b, ZIP self-extracting archive (Info-Zip)
313>>(0x3c.l+0xf8)		search/0x140	.idata
314>>>(&0xe.l+(-4))	string		PK\3\4 \b, ZIP self-extracting archive (Info-Zip)
315>>>(&0xe.l+(-4))	string		ZZ0 \b, ZZip self-extracting archive
316>>>(&0xe.l+(-4))	string		ZZ1 \b, ZZip self-extracting archive
317>>(0x3c.l+0xf8)		search/0x140	.rsrc
318>>>(&0x0f.l+(-4))	string		a\\\4\5 \b, WinHKI self-extracting archive
319>>>(&0x0f.l+(-4))	string		Rar! \b, RAR self-extracting archive
320>>>(&0x0f.l+(-4))	search/0x3000	MSCF \b, InstallShield self-extracting archive
321>>>(&0x0f.l+(-4))	search/32	Nullsoft \b, Nullsoft Installer self-extracting archive
322>>(0x3c.l+0xf8)		search/0x140	.data
323>>>(&0x0f.l)		string		WEXTRACT \b, MS CAB-Installer self-extracting archive
324>>(0x3c.l+0xf8)		search/0x140	.petite\0 \b, Petite compressed
325>>>(0x3c.l+0xf7)	byte		x
326>>>>(&0x104.l+(-4))	string		=!sfx! \b, ACE self-extracting archive
327>>(0x3c.l+0xf8)		search/0x140	.WISE \b, WISE installer self-extracting archive
328>>(0x3c.l+0xf8)		search/0x140	.dz\0\0\0 \b, Dzip self-extracting archive
329>>&(0x3c.l+0xf8)	search/0x100	_winzip_ \b, ZIP self-extracting archive (WinZip)
330>>&(0x3c.l+0xf8)	search/0x100	SharedD \b, Microsoft Installer self-extracting archive
331>>0x30			string		Inno \b, InnoSetup self-extracting archive
332# NumberOfSections; normal dynamic link libraries have a few sections for code, data, resources etc.
333# PEs used as containers have fewer sections
334>>(0x3c.l+6)	leshort			>1	\b, %u sections
335# do not display for 1 section to get output like in version 5.43 and to keep output columns low
336#>>(0x3c.l+6)	leshort			=1	\b, %u section
337
338# If the relocation table is 0x40 or more bytes into the file, it's definitely
339# not a DOS EXE.
340>0x18	uleshort	>0x3f
341
342# Hmm, not a PE but the relocation table is too high for a traditional DOS exe,
343# must be one of the unusual subformats.
344>>(0x3c.l) string !PE\0\0 MS-DOS executable
345#!:mime	application/x-dosexec
346
347>>(0x3c.l)		string		NE \b, NE
348#!:mime	application/x-dosexec
349!:mime	application/x-ms-ne-executable
350# FOR DEBUGGING!
351# Reference:	https://wiki.osdev.org/NE
352# ProgFlags; Program flags, bitmapped
353#>>>(0x3c.l+0x0C)	ubyte		x	\b, ProgFlags 0x%2.2x
354# >>>(0x3c.l+0x0c)	ubyte&0x03	=0	\b, none
355# >>>(0x3c.l+0x0c)	ubyte&0x03	=1	\b, single shared
356# >>>(0x3c.l+0x0c)	ubyte&0x03	=2	\b, multiple
357# >>>(0x3c.l+0x0c)	ubyte&0x03	=3	\b, (null)
358# >>>(0x3c.l+0x0c)	ubyte		&0x04	\b, Global initialization
359# >>>(0x3c.l+0x0c)	ubyte		&0x08	\b, Protected mode only
360# >>>(0x3c.l+0x0c)	ubyte		&0x10	\b, 8086 instructions
361# >>>(0x3c.l+0x0c)	ubyte		&0x20	\b, 80286 instructions
362# >>>(0x3c.l+0x0c)	ubyte		&0x40	\b, 80386 instructions
363# >>>(0x3c.l+0x0c)	ubyte		&0x80	\b, 80x87 instructions
364# ApplFlags; Application flags, bitmapped
365# https://www.fileformat.info/format/exe/corion-ne.htm
366#>>>(0x3c.l+0x0D)	ubyte		x	\b, ApplFlags 0x%2.2x
367# Application type (bits 0-2); 1~Full screen (not aware of Windows/P.M. API)
368# 2~Compatible with Windows/P.M. API 3~Uses Windows/P.M. API
369#>>>(0x3c.l+0x0D)	ubyte&0x07	=1	\b, Full screen
370#>>>(0x3c.l+0x0D)	ubyte&0x07	=2	\b, Compatible with Windows/P.M. API
371#>>>(0x3c.l+0x0D)	ubyte&0x07	=3	\b, use Windows/P.M. API
372# bit 7; DLL or driver (SS:SP info invalid, CS:IP points at FAR init routine called with AX handle)
373#>>>(0x3c.l+0x0D)	ubyte		&0x80	\b, DLL or driver
374# AutoDataSegIndex; automatic data segment index like: 0 2 3 22
375# zero if the SINGLEDATA and MULTIPLEDATA bits are cleared
376#>>>(0x3c.l+0x0e)	uleshort	x	\b, AutoDataSegIndex %u
377# InitHeapSize; initial local heap size like: 0 400h 1400h
378# zero if there is no local allocation
379#>>>(0x3c.l+0x10)	uleshort	!0	\b, InitHeapSize 0x%x
380# InitStackSize; initial stack size like: 0 10h A00h 7D0h A8Ch FA0h 1000h 1388h
381# 1400h (CBT) 1800h 2000h 2800h 2EE0h 2F3Ch 3258h 3E80h 4000h 4E20h 5000h 6000h
382# 6D60h 8000h 40000h
383# zero if the SS register value does not equal the DS register value
384#>>>(0x3c.l+0x12)	uleshort	!0	\b, InitStackSize 0x%x
385# EntryPoint; segment offset value of CS:IP like: 0 10000h 18A84h 11C1Ah 307F1h
386#>>>(0x3c.l+0x14)	ulelong		!0 	\b, EntryPoint 0x%x
387# InitStack; specifies the segment offset value of stack pointer SS:SP
388# like: 0 20000h 160000h
389#>>>(0x3c.l+0x18)	ulelong		!0	\b, InitStack 0x%x
390# SegCount; number of segments in segment table like: 0 1 2 3 16h
391#>>>(0x3c.l+0x1C)	uleshort	x	\b, SegCount 0x%x
392# ModRefs; number of module references (DLLs) like; 0 1 3
393#>>>(0x3c.l+0x1E)	uleshort	!0	\b, ModRefs %u
394# NoResNamesTabSiz; size in bytes of non-resident names table
395# like: Bh 16h B4h B9h 2Ch 18Fh 16AAh
396#>>>(0x3c.l+0x20)	uleshort	x	\b, NoResNamesTabSiz 0x%x
397# SegTableOffset; offset of Segment table like: 40h
398#>>>(0x3c.l+0x22)	uleshort	!0x40	\b, SegTableOffset 0x%x
399# ResTableOffset; offset of resources table like: 40h 50h 58h F0h
400# 40h for most fonts like dos737.fon FMFONT.FOT but 60h for L1WBASE.FON
401#>>>(0x3c.l+0x24)	uleshort	x 	\b, ResTableOffset 0x%x
402# ResidNamTable; offset of resident names table
403# like: 58h 5Ch 60h 68h 74h 98h 2E3h 2E7h 2F0h
404#>>>(0x3c.l+0x26)	uleshort		x \b, ResidNamTable 0x%x
405# ImportNameTable; offset of imported names table (array of counted strings, terminated with string of length 00h)
406# like: 77h 7Eh 80h C6h A7h ACh 2F8h 3FFh
407#>>>(0x3c.l+0x2a)	uleshort	x	\b, ImportNameTable 0x%x
408# OffStartNonResTab; offset from start of file to non-resident names table
409# like: 110h 11Dh 19Bh 1A5h 3F5h 4C8h 4EEh D93h
410#>>>(0x3c.l+0x2c)	ulelong		x	\b, OffStartNonResTab 0x%x
411# MovEntryCount; number of movable entry points like: 0 4 5 6 16 17 24 312 355 446
412#>>>(0x3c.l+0x30)	uleshort	!0	\b, MovEntryCount %u
413# FileAlnSzShftCnt; log2 of the segment sector size; 4~16 0~9~512 (default)
414#>>>(0x3c.l+0x32)	uleshort	!9 	\b, FileAlnSzShftCnt %u
415# nResTabEntries; number of resource table entries like: 0 2
416#>>>(0x3c.l+0x34)	uleshort	!0	\b, nResTabEntries %u
417# targOS; Target OS; 0~unknown~OS/2 1.0 or MS Windows 1-2
418# OS/2 1.0 like: DTM.DLL SHELL11F.EXE HELPMSG.EXE CREATEDD.EXE
419# or Windows 1.03 - 2.1 like: MSDOSD.EXE KARTEI.EXE KALENDER.EXE
420#>>>(0x3c.l+0x36)	byte		x TARGOS %x
421>>>(0x3c.l+0x36)	byte		0 for OS/2 1.0 or MS Windows 1-2
422>>>(0x3c.l+0x36)	byte		1 for OS/2 1.x
423>>>(0x3c.l+0x36)	byte		2 for MS Windows 3.x
424>>>(0x3c.l+0x36)	byte		3 for MS-DOS
425>>>(0x3c.l+0x36)	byte		4 for Windows 386
426>>>(0x3c.l+0x36)	byte		5 for Borland Operating System Services
427# http://downloads.sourceforge.net/dfendreloaded/D-Fend-Reloaded-1.4.4.zip
428# D-Fend Reloaded/VirtualHD/FREEDOS/DPMILD32.EXE
429# GRR: WHAT OS is this?
430#>>>(0x3c.l+0x36)	byte		6 for TARGET SIX
431# https://en.wikipedia.org/wiki/Phar_Lap_(company)
432>>>(0x3c.l+0x36)	byte		0x81 for MS-DOS, Phar Lap DOS extender, OS/2
433# like: CVP7.EXE
434>>>(0x3c.l+0x36)	byte		0x82 for MS-DOS, Phar Lap DOS extender, Windows
435>>>(0x3c.l+0x36)	default		x
436>>>>(0x3c.l+0x36)	ubyte		x (unknown OS %#x)
437# expctwinver; expected Windows version (minor first) like:
438# 0.0~DTM.DLL 203.4~Windows 1.03 GDI.EXE 2.1~TTY.DRV 3.0~dos737.fon FMFONT.FOT THREED.VBX 3.10~GDI.EXE 4.0~(ME) VGAFULL.3GR
439>>>(0x3c.l+0x3F)	ubyte		x	(%u
440>>>(0x3c.l+0x3E)	ubyte		x	\b.%u)
441# OS2EXEFlags; other EXE flags
442# 0~Long filename support 1~2.x protected mode 4~2.x proportional fonts 8~Executable has gangload area
443#>>>(0x3c.l+0x37)	byte		!0	\b, OS2EXEFlags 0x%x
444# retThunkOffset; offset to return thunks or start of gangload area like: 0 34h 58h 246h
445#>>>(0x3c.l+0x38)	uleshort	!0	\b, retThunkOffset 0x%x
446# segrefthunksoff; offset to segment reference thunks or size of gangload area
447# like: 0 33Eh 39Ah AEEh
448#>>>(0x3c.l+0x3A)	uleshort	!0	\b, segrefthunksoff 0x%x
449# mincodeswap; minimum code swap area size like 0 620Ch
450#>>>(0x3c.l+0x3C)	uleshort	!0 \b, mincodeswap 0x%x
451>>>(0x3c.l+0x0c)	leshort&0x8000	0x8000 (DLL or font)
452# DRV: Driver
453# 3GR: Grabber device driver
454# CPL: Control Panel Item
455# VBX: Visual Basic Extension		https://en.wikipedia.org/wiki/Visual_Basic
456# FON: Bitmap font			http://fileformats.archiveteam.org/wiki/FON
457# FOT: Font resource file
458# EXE: WINSPOOL.EXE USER.EXE krnl386.exe GDI.EXE
459# CNV: Microsoft Word text conversion	https://www.file-extensions.org/cnv-file-extension-microsoft-word-text-conversion-data
460!:ext	dll/drv/3gr/cpl/vbx/fon/fot
461>>>(0x3c.l+0x0c)	leshort&0x8000	0 (EXE)
462!:ext	exe/scr
463>>>&(&0x24.s-1)		string		ARJSFX \b, ARJ self-extracting archive
464>>>(0x3c.l+0x70)	search/0x80	WinZip(R)\ Self-Extractor \b, ZIP self-extracting archive (WinZip)
465
466>>(0x3c.l)		string		LX\0\0 \b, LX
467!:mime	application/x-dosexec
468>>>(0x3c.l+0x0a)	leshort		<1 (unknown OS)
469>>>(0x3c.l+0x0a)	leshort		1 for OS/2
470>>>(0x3c.l+0x0a)	leshort		2 for MS Windows
471>>>(0x3c.l+0x0a)	leshort		3 for DOS
472>>>(0x3c.l+0x0a)	leshort		>3 (unknown OS)
473>>>(0x3c.l+0x10)	lelong&0x28000	=0x8000 (DLL)
474>>>(0x3c.l+0x10)	lelong&0x20000	>0 (device driver)
475>>>(0x3c.l+0x10)	lelong&0x300	0x300 (GUI)
476>>>(0x3c.l+0x10)	lelong&0x28300	<0x300 (console)
477>>>(0x3c.l+0x08)	leshort		1 i80286
478>>>(0x3c.l+0x08)	leshort		2 i80386
479>>>(0x3c.l+0x08)	leshort		3 i80486
480>>>(8.s*16)		string		emx \b, emx
481>>>>&1			string		x %s
482>>>&(&0x54.l-3)		string		arjsfx \b, ARJ self-extracting archive
483
484# MS Windows system file, supposedly a collection of LE executables
485# like vmm32.vxd WIN386.EXE
486>>(0x3c.l)		string		W3 \b, W3 for MS Windows
487#!:mime	application/x-dosexec
488!:mime	application/x-ms-w3-executable
489!:ext	vxd/exe
490# W4 executable
491>>(0x3c.l)		string		W4 \b, W4 for MS Windows
492#!:mime	application/x-dosexec
493!:mime	application/x-ms-w4-executable
494# windows 98 VMM32.VXD
495!:ext	vxd
496
497>>(0x3c.l)		string		LE\0\0 \b, LE executable
498!:mime	application/x-dosexec
499>>>(0x3c.l+0x0a)	leshort		1
500# some DOS extenders use LE files with OS/2 header
501>>>>0x240		search/0x100	DOS/4G for MS-DOS, DOS4GW DOS extender
502>>>>0x240		search/0x200	WATCOM\ C/C++ for MS-DOS, DOS4GW DOS extender
503>>>>0x440		search/0x100	CauseWay\ DOS\ Extender for MS-DOS, CauseWay DOS extender
504>>>>0x40		search/0x40	PMODE/W for MS-DOS, PMODE/W DOS extender
505>>>>0x40		search/0x40	STUB/32A for MS-DOS, DOS/32A DOS extender (stub)
506>>>>0x40		search/0x80	STUB/32C for MS-DOS, DOS/32A DOS extender (configurable stub)
507>>>>0x40		search/0x80	DOS/32A for MS-DOS, DOS/32A DOS extender (embedded)
508# this is a wild guess; hopefully it is a specific signature
509>>>>&0x24		lelong		<0x50
510>>>>>(&0x4c.l)		string		\xfc\xb8WATCOM
511>>>>>>&0		search/8	3\xdbf\xb9 \b, 32Lite compressed
512# another wild guess: if real OS/2 LE executables exist, they probably have higher start EIP
513#>>>>(0x3c.l+0x1c)	lelong		>0x10000 for OS/2
514# fails with DOS-Extenders.
515>>>(0x3c.l+0x0a)	leshort		2 for MS Windows
516>>>(0x3c.l+0x0a)	leshort		3 for DOS
517>>>(0x3c.l+0x0a)	leshort		4 for MS Windows (VxD)
518# VXD: VxD for Windows 95/98/Me
519# 386: VxD for Windows 2.10, 3.0, 3.1x
520# PDR: Port driver
521# MPD: Miniport driver (?)
522!:ext	vxd/386/pdr/mpd
523>>>(&0x7c.l+0x26)	string		UPX \b, UPX compressed
524>>>&(&0x54.l-3)		string		UNACE \b, ACE self-extracting archive
525
526# looks like ASCII, probably some embedded copyright message.
527# and definitely not NE/LE/LX/PE
528>>0x3c		lelong	>0x20000000
529>>>(4.s*512)	leshort !0x014c \b, MZ for MS-DOS
530!:mime	application/x-dosexec
531!:ext	exe/com
532# header data too small for extended executable
533>2		long	!0
534>>0x18		uleshort <0x40
535>>>(4.s*512)	leshort !0x014c
536
537>>>>&(2.s-514)	string	!LE
538>>>>>&-2	string	!BW
539#>>>>>>(0x3c.l)	string		x	\b, 2ND MAGIC %.2s
540# but some LX executables also appear here, like: PCISCAN.EXE
541>>>>>>(0x3c.l)	string	!LX
542# Portable Executable (PE) is already handled above, so skip many files here like:
543# xcopy32.exe stinger64.exe WimUtil.exe
544# NO such DOS examples found and
545# DOS examples seem to be already handled by e_lfarlc <0x40 like: CMD8086.COM CMD-FR.COM
546>>>>>>>(0x3c.l)	string	!PE	\b, MZ for MS-DOS
547!:mime	application/x-dosexec
548>>>>&(2.s-514)	string	LE \b, LE
549>>>>>0x240	search/0x100	DOS/4G for MS-DOS, DOS4GW DOS extender
550# educated guess since indirection is still not capable enough for complex offset
551# calculations (next embedded executable would be at &(&2*512+&0-2)
552# I suspect there are only LE executables in these multi-exe files
553>>>>&(2.s-514)	string	BW
554>>>>>0x240	search/0x100	DOS/4G	\b, LE for MS-DOS, DOS4GW DOS extender (embedded)
555>>>>>0x240	search/0x100	!DOS/4G	\b, BW collection for MS-DOS
556
557# This sequence skips to the first COFF segment, usually .text
558>(4.s*512)	leshort		0x014c \b, COFF
559!:mime	application/x-dosexec
560>>(8.s*16)	string		go32stub for MS-DOS, DJGPP go32 DOS extender
561>>(8.s*16)	string		emx
562>>>&1		string		x for DOS, Win or OS/2, emx %s
563>>&(&0x42.l-3)	byte		x
564>>>&0x26	string		UPX \b, UPX compressed
565# and yet another guess: a small .text followed by a large .data is unusual, could be 32lite
566>>&0x2c		search/0xa0	.text
567>>>&0x0b	lelong		<0x2000
568>>>>&0		lelong		>0x6000 \b, 32lite compressed
569
570>(8.s*16) string $WdX \b, WDos/X DOS extender
571
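572# By now an executable type should have been printed out.  The executable
573# may be a self-uncompressing archive, so look for evidence of that and
574# print it out.  A match only shows that the marker string is present at that offset; the payload is not unpacked or verified.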
575#
576# Some signatures below from Greg Roelofs, newt@uchicago.edu.
577#
578>0x35	string	\x8e\xc0\xb9\x08\x00\xf3\xa5\x4a\x75\xeb\x8e\xc3\x8e\xd8\x33\xff\xbe\x30\x00\x05 \b, aPack compressed
579>0xe7	string	LH/2\ 	Self-Extract \b, %s
580>0x1c	string	UC2X	\b, UCEXE compressed
581>0x1c	string	WWP\ 	\b, WWPACK compressed
582>0x1c	string	RJSX 	\b, ARJ self-extracting archive
583>0x1c	string	diet 	\b, diet compressed
584>0x1c	string	LZ09 	\b, LZEXE v0.90 compressed
585>0x1c	string	LZ91 	\b, LZEXE v0.91 compressed
586>0x1c	string	tz 	\b, TinyProg compressed
587>0x1e	string	Copyright\ 1989-1990\ PKWARE\ Inc.	Self-extracting PKZIP archive
588!:mime	application/zip
589# Yes, this really is "Copr", not "Corp."
590>0x1e	string	PKLITE\ Copr.	Self-extracting PKZIP archive
591!:mime	application/zip
592# winarj stores a message in the stub instead of the sig in the MZ header
593>0x20	search/0xe0	aRJsfX \b, ARJ self-extracting archive
594>0x20	string AIN
595>>0x23	string 2	\b, AIN 2.x compressed
596>>0x23	string <2	\b, AIN 1.x compressed
597>>0x23	string >2	\b, AIN 1.x compressed
598>0x24	string	LHa's\ SFX \b, LHa self-extracting archive
599!:mime	application/x-lha
600>0x24	string	LHA's\ SFX \b, LHa self-extracting archive
601!:mime	application/x-lha
602>0x24	string	\ $ARX \b, ARX self-extracting archive
603>0x24	string	\ $LHarc \b, LHarc self-extracting archive
604>0x20	string	SFX\ by\ LARC \b, LARC self-extracting archive
605>0x40	string aPKG \b, aPackage self-extracting archive
606>0x64	string	W\ Collis\0\0 \b, Compack compressed
607>0x7a	string		Windows\ self-extracting\ ZIP	\b, ZIP self-extracting archive
608>>&0xf4 search/0x140 \x0\x40\x1\x0
609>>>(&0.l+(4)) string MSCF \b, WinHKI CAB self-extracting archive
610>1638	string	-lh5- \b, LHa self-extracting archive v2.13S
611>0x17888 string Rar! \b, RAR self-extracting archive
612
613# Skip to the end of the EXE.  This will usually work fine in the PE case
614# because the MZ image is hardcoded into the toolchain and almost certainly
615# won't match any of these signatures.
616>(4.s*512)	long	x
617>>&(2.s-517)	byte	x
618>>>&0	string		PK\3\4 \b, ZIP self-extracting archive
619>>>&0	string		Rar! \b, RAR self-extracting archive
620>>>&0	string		=!\x11 \b, AIN 2.x self-extracting archive
621>>>&0	string		=!\x12 \b, AIN 2.x self-extracting archive
622>>>&0	string		=!\x17 \b, AIN 1.x self-extracting archive
623>>>&0	string		=!\x18 \b, AIN 1.x self-extracting archive
624>>>&7	search/400	**ACE** \b, ACE self-extracting archive
625>>>&0	search/0x480	UC2SFX\ Header \b, UC2 self-extracting archive
626
627# a few unknown ZIP sfxes, no idea if they are needed or if they are
628# already captured by the generic patterns above
629>(8.s*16)	search/0x20	PKSFX \b, ZIP self-extracting archive (PKZIP)
630# TODO: how to add this? >FileSize-34 string Windows\ Self-Installing\ Executable \b, ZIP self-extracting archive
631#
632
633# TELVOX Teleinformatica CODEC self-extractor for OS/2:
634>49801	string	\x79\xff\x80\xff\x76\xff	\b, CODEC archive v3.21
635>>49824 leshort		=1			\b, 1 file
636>>49824 leshort		>1			\b, %u files
637
638# Summary:	OS/2 LX Library and device driver (no DOS stub)
639# From:		Joerg Jenderek
640# URL:		http://en.wikipedia.org/wiki/EXE
641# Reference:	http://www.textfiles.com/programming/FORMATS/lxexe.txt
642#		https://github.com/open-watcom/open-watcom-v2/blob/master/bld/watcom/h/exeflat.h
643# Note:		by dll-os2-no-dos-stub.trid.xml called "OS/2 Dynamic Link Library (no DOS stub)"
644# TODO:		unify with DOS stub variant (MZ magic)
6450	string/b	LX
646>2	ushort		=0
647>>0	use			lx-executable
648# no examples found for big endian variant
649>2	ushort		=0x0101
650>>0	use			\^lx-executable
6510       name    	lx-executable
652# looks similar to the variant with MS-DOS stub (MZ magic): "MS-DOS executable, LX"
653#>0x00	uleshort		x	executable,
654# signature OSF_FLAT_LX_SIGNATURE~0x584C~LX OSF_FLAT_SIGNATURE~0x454C~LE
655>0x00	uleshort		=0x584c	LX
656>0x00	uleshort		=0x454C	LE
657>0x00	uleshort		x	executable
658#!:mime	application/x-msdownload
659!:mime	application/x-lx-executable
660!:ext	exe
661# byte order: 00h~little-endian non-zero=1~big-endian
662#>0x02	ubyte			=0		(little-endian)
663>0x02	ubyte			!0		(big-endian)
664# FOR DEBUGGING!
665# word order: 00h~little-endian non-zero=1~big-endian
666#>0x03	ubyte			=0		\b, little-endian word order
667#>0x03	ubyte			!0		\b, big-endian word order
668# cpu_type; CPU type like: 1~286 2~386 3~486 4 20h~i860 21h~Intel N11 40h~MIPS R2000,R3000 41h~MIPS R6000 42h~MIPS R4000
669#>0x08	uleshort		x		\b, CPU %u
670# os_type; target operating system like: 0~unknown 1~OS/2 2~Windows 3~DOS 4.x 4~Windows 386
671#>0x0A	leshort			x		\b, OS %u
672# flags; module type flags
673#>0x10	ulelong			x		\b, FLAGS %#8.8x
674# 00000002h				~Reserved for system use
675#>0x10	ulelong			&0x00000002	\b, 2h reserved
676# OSF_INIT_INSTANCE=00000004h		~Per-Process Library Initialization; setting this bit for EXE file is invalid
677#>0x10	ulelong			&0x00000004	\b, per-process library Initialization
678# OSF_INTERNAL_FIXUPS_DONE=00000010h	~Internal fixups for the module have been applied
679#>0x10	ulelong			&0x00000010	\b, int. fixup
680# OSF_EXTERNAL_FIXUPS_DONE=00000020h	~External fixups for the module have been applied
681#>0x10	ulelong			&0x00000020	\b, ext. fixup
682# OSF_NOT_PM_COMPATIBLE=00000100h	~Incompatible with PM windowing
683#>0x10	ulelong&0x00000100	=0x00000100	\b, incompatible with PM windowing
684# OSF_PM_COMPATIBLE=00000200h		~Compatible with PM windowing
685#>0x10	ulelong&0x00000200	=0x00000200	\b, compatible with PM windowing
686# bit 17; device driver
687#>0x10	ulelong&0x00020000	>0		\b, device driver
688# Per-process Library Termination; setting this bit for EXE file is invalid
689#>0x10	ulelong&0x40000000	=0x40000000	\b, per-process library termination
690>0x0a	leshort			1		for OS/2
691# no example found
692>0x0a	leshort			3		for DOS
693# http://www.ctyme.com/intr/rb-2939.htm#Table1610
694# library by module type mask 00038000h (bits 15-17);
695# 0h ~executable Program module
696>0x10	ulelong&0x00038000	=0x00000000	(program)
697#!:ext	exe
698# OSF_IS_DLL=8000h			~Library module (DLL)
699>0x10	ulelong&0x00038000	>0x00000000
700# OSF_PHYS_DEVICE=00020000h		~device driver
701>>0x10	ulelong&0x00020000	>0		(device driver)
702!:ext	sys
703# if not device driver it is library (DLL)
704>>0x10	ulelong&0x00020000	=0		(library)
705!:ext	dll
706# bits 8-10; OSF_PM_APP=300h in flags	~Uses PM windowing API; either it is GUI or console
707>0x10  	ulelong&0x00000300	=0x00000300	(GUI)
708>0x10	ulelong&0x00000300	!0x00000300	(console)
709# CPU type
710>0x08	uleshort		1		i80286
711# all inspected examples
712>0x08	uleshort		2		i80386
713>0x08	uleshort		3		i80486
714>0x08	uleshort		4		i80586
715# 21h 	Intel "N11" or compatible
716# 40h 	MIPS Mark I ( R2000, R3000) or compatible
717# 41h 	MIPS Mark II ( R6000 ) or compatible
718# 42h 	MIPS Mark III ( R4000 ) or compatible
719
720# added by Joerg Jenderek of https://www.freedos.org/software/?prog=kc
721# and https://www.freedos.org/software/?prog=kpdos
722# for FreeDOS files like KEYBOARD.SYS, KEYBRD2.SYS, KEYBRD3.SYS, *.KBD
7230	string/b	KCF		FreeDOS KEYBoard Layout collection
724# only version=0x100 found
725>3	uleshort	x		\b, version %#x
726# length of string containing author,info and special characters
727>6	ubyte		>0
728#>>6	pstring		x		\b, name=%s
729>>7	string		>\0		\b, author=%-.14s
730>>7	search/254	\xff		\b, info=
731#>>>&0	string		x		\b%-s
732>>>&0	string		x		\b%-.15s
733# for FreeDOS *.KL files
7340	string/b	KLF		FreeDOS KEYBoard Layout file
735# only version=0x100 or 0x101 found
736>3	uleshort	x		\b, version %#x
737# stringlength
738>5	ubyte		>0
739>>8	string		x		\b, name=%-.2s
7400	string	\xffKEYB\ \ \ \0\0\0\0
741>12	string	\0\0\0\0`\004\360	MS-DOS KEYBoard Layout file
742
743# DOS device driver updated by Joerg Jenderek at May 2011,Mar 2017,Aug 2020,Mar 2023
744# URL:		http://fileformats.archiveteam.org/wiki/DOS_device_driver
745# Reference:	http://www.delorie.com/djgpp/doc/rbinter/it/46/16.html
746# http://www.o3one.org/hwdocs/bios_doc/dosref22.html
7470	ulequad&0x07a0ffffffff		0xffffffff
748# skip OS/2 INI ./os2
749>4  ubelong   !0x14000000
750#>>10  ubequad   x		MAYBE_DRIVER_NAME=%16.16llx
751# https://bugs.astron.com/view.php?id=434
752# skip OOXML document fragment 0000.dat where driver name is "empty" instead of "ASCII like"
753>>10  ubequad   !0
754>>>0	use				msdos-driver
7550       name    			msdos-driver		DOS executable (
756#!:mime	application/octet-stream
757!:mime	application/x-dosdriver
758# also found FreeDOS print driver SPOOL.DEV and disc compression driver STACLOAD.BIN
759# and IBM Token-Ring adapter IBMTOK.DOS. Why and when is the extension DOS used instead of SYS?
760# PROTMAN.DOS ELNKPL.DOS
761!:ext	sys/dev/bin/dos
762# 1 space char after "UPX compressed" to get phrase like "UPX compressed character device"
763>40	search/7			UPX!			\bUPX compressed
764# DOS device driver attributes
765>4	uleshort&0x8000			0x0000			\bblock device driver
766# character device
767>4	uleshort&0x8000			0x8000			\b
768# 1 space char after "clock" to get phrase like "clock character device driver CLOCK$"
769>>4	uleshort&0x0008			0x0008			\bclock
770# fast video output by int 29h
771# 1 space char after "fast" to get phrase like "fast standard input/output character device driver"
772>>4	uleshort&0x0010			0x0010			\bfast
773# standard input/output device
774# 1 space char after "standard" to get phrase like "standard input/output character device driver"
775>>4	uleshort&0x0003			>0			\bstandard
776>>>4	uleshort&0x0001			0x0001			\binput
777>>>4	uleshort&0x0003			0x0003			\b/
778# 1 space char after "output" to get phrase like "input/output character device driver"
779>>>4	uleshort&0x0002			0x0002			\boutput
780>>4	uleshort&0x8000			0x8000			\bcharacter device driver
781>0	ubyte				x
782# a UPX-compressed device driver has garbage instead of the real name in the name field of the header
783>>40	search/7			UPX!
784>>40	default				x
785# leading/trailing nulls, zeros or non ASCII characters in 8-byte name field at offset 10 are skipped
786# 1 space char before device driver name to get phrase like "device driver PROTMAN$" "device driver HP-150II" "device driver PC$MOUSE"
787>>>12		ubyte			>0x23			\b
788>>>>10		ubyte			>0x20
789>>>>>10		ubyte			!0x2E
790>>>>>>10	ubyte			!0x2A			\b%c
791>>>>11		ubyte			>0x20
792>>>>>11		ubyte			!0x2E			\b%c
793>>>>12		ubyte			>0x20
794>>>>>12		ubyte			!0x39
795>>>>>>12	ubyte			!0x2E			\b%c
796>>>13		ubyte			>0x20
797>>>>13		ubyte			!0x2E			\b%c
798>>>>14		ubyte			>0x20
799>>>>>14		ubyte			!0x2E			\b%c
800>>>>15		ubyte			>0x20
801>>>>>15		ubyte			!0x2E			\b%c
802>>>>16		ubyte			>0x20
803>>>>>16		ubyte			!0x2E
804>>>>>>16	ubyte			<0xCB			\b%c
805>>>>17		ubyte			>0x20
806>>>>>17		ubyte			!0x2E
807>>>>>>17	ubyte			<0x90			\b%c
808# some character device drivers like ASPICD.SYS, btcdrom.sys and Cr_atapi.sys contain only spaces or points in name field
809>>>12		ubyte			<0x2F
810# they have their real name at offset 22
811# also block device drivers like DUMBDRV.SYS
812>>>>22		string			>\056			%-.6s
813>4	uleshort&0x8000			0x0000
814# 32 bit sector addressing ( > 32 MB) for block devices
815>>4	uleshort&0x0002			0x0002			\b,32-bit sector-
816# support by driver functions 13h, 17h, 18h
817>4	uleshort&0x0040			0x0040			\b,IOCTL-
818# open, close, removable media support by driver functions 0Dh, 0Eh, 0Fh
819>4	uleshort&0x0800			0x0800			\b,close media-
820# output until busy support by int 10h for character device driver
821>4	uleshort&0x8000			0x8000
822>>4	uleshort&0x2000			0x2000			\b,until busy-
823# direct read/write support by driver functions 03h,0Ch
824>4	uleshort&0x4000			0x4000			\b,control strings-
825>4	uleshort&0x8000			0x8000
826>>4	uleshort&0x6840			>0			\bsupport
827>4	uleshort&0x8000			0x0000
828>>4	uleshort&0x4842			>0			\bsupport
829>0	ubyte				x			\b)
830>0	ulelong				!0xffffffff		with pointer %#x
831# DOS driver cmd640x.sys has 0x12 instead of 0xffffffff for pointer field to next device header
8320	ulequad				0x0513c00000000012
833>0	use				msdos-driver
834# DOS drivers DC2975.SYS, DUMBDRV.SYS, ECHO.SYS also have a value other than 0xffffffff in the pointer field
8350	ulequad				0x32f28000ffff0016
836>0	use				msdos-driver
8370	ulequad				0x007f00000000ffff
838>0	use				msdos-driver
839# https://www.uwe-sieber.de/files/cfg_echo.zip
8400	ulequad				0x001600000000ffff
841>0	use				msdos-driver
842# DOS drivers LS120.SYS, MKELS120.SYS use reserved bits of attribute field
8430	ulequad				0x0bf708c2ffffffff
844>0	use				msdos-driver
8450	ulequad				0x07bd08c2ffffffff
846>0	use				msdos-driver
847# 3Com EtherLink 3C501 CID\SERVER\IBMLS\IBM500D1\DLSNETDR.ZIP\ELNK.DOS
8480	ulequad				0x027ac0c0ffffffff
849>0	use				msdos-driver
850# IBM Streamer CID\SERVER\IBMLS\IBM500D1\DLSNETDR.ZIP\IBMMPC.DOS
8510	ulequad				0x00228880ffffffff
852>0	use				msdos-driver
853
854# updated by Joerg Jenderek
855# GRR: the line below is too general, as it also catches
856# rt.lib, DYADISKS.PIC and many more
857# start with assembler instruction MOV
8580	ubyte		0x8c
859# skip "AppleWorks word processor data" like ARTICLE.1 ./apple
860>4	string			!O====
861# skip some unknown basic binaries like RocketRnger.SHR
862>>5	string			!MAIN
863# skip "GPG symmetrically encrypted data" ./gnu
864# skip "PGP symmetric key encrypted data" ./pgp
865# openpgpdefs.h: fourth byte < 14 indicate cipher algorithm type
866>>>4	ubyte			>13
867>>>>0		use	msdos-com
868# the remaining files should be DOS *.COM executables
869# dosshell.COM	8cc0 2ea35f07 e85211 e88a11 b80058 cd
870# hmload.COM	8cc8 8ec0 bbc02b 89dc 83c30f c1eb04 b4
871# UNDELETE.COM	8cca 2e8916 6503 b430 cd21 8b 2e0200 8b
872# BOOTFIX.COM	8cca 2e8916 9603 b430 cd21 8b 2e0200 8b
873# RAWRITE3.COM	8cca 2e8916 d602 b430 cd21 8b 2e0200 8b
874# SHARE.COM	8cca 2e8916 d602 b430 cd21 8b 2e0200 8b
875# validchr.COM	8cca 2e8916 9603 b430 cd21 8b 2e028b1e
876# devload.COM	8cca 8916ad01 b430 cd21 8b2e0200 892e
877
8780       name    msdos-com
879# URL:		http://fileformats.archiveteam.org/wiki/DOS_executable_(.com)
880>0  byte        x               DOS executable (
881# DOS executable with JuMP 16-bit instruction
882>0	byte			=0xE9
883# check for what is probably nil padding up to offset 64 of the Lotus driver name
884>>56		quad		=0
885# check for "long" alphabetic Lotus driver name like:
886# Diablo "COMPAQ Text Display" "IBM Monochrome Display" "Plantronics ColorPlus"
887>>>24			regex	=^[A-Z][A-Za-z\040]{5,21}	\bLotus driver) %s
888!:mime				application/x-dosexec
889# like: CPQ0TD.DRV IBM0MONO.DRV (Lotus 123 10a) SDIAB4.DRV SPL0CPLS.DRV (Lotus Symphony 2)
890!:ext				drv
891# COM with nils like MODE.COM IBMDOS.COM (pcdos 3.31 ru Compaq) RSSTUB.COM (PC-DOS 2000 de) ACCESS.COM (Lotus Symphony 1)
892>>>24			default	x				\bCOM)
893!:mime				application/x-dosexec
894!:ext				com
895# DOS executable with JuMP 16-bit and without nil padding
896>>56		quad		!0
897# https://wiki.syslinux.org/wiki/index.php?title=Doc/comboot
898# TODO: HOWTO distinguish COMboot from pure DOS executables?
899# look for unreliable Syslinux specific api call INTerrupt 22h for 16-bit COMBOOT program
900>>>1			search/0xc088	\xcd\x22		\bCOM or COMBOOT 16-bit)
901!:mime				application/x-dosexec
902# like: sbm.cbt command.com (Windows XP) UNI2ASCI.COM (FreeDOS 1.2)
903!:ext				com/cbt
904>>>1			default		x			\bCOM)
905!:mime				application/x-dosexec
906!:ext				com
907# DOS executable without JuMP 16-bit instruction
908>0	byte			!0xE9
909# SCREATE.SYS	https://en.wikipedia.org/wiki/Stac_Electronics
910>>10		string		=?STACVOL			\bSCREATE.SYS)
911!:mime			application/x-dosexec
912!:ext			sys
913# COM executable without JuMP 16-bit instruction and not SCREATE.SYS
914>>10		string		!?STACVOL			\bCOM)
915!:mime			application/x-dosexec
916!:ext			com
917>6	string		SFX\ of\ LHarc	\b, %s
918>0x1FE leshort	0xAA55		    \b, boot code
919>85	string		UPX		        \b, UPX compressed
920>4	string		\ $ARX		    \b, ARX self-extracting archive
921>4	string		\ $LHarc	    \b, LHarc self-extracting archive
922>0x20e string	SFX\ by\ LARC	\b, LARC self-extracting archive
923# like: E30ODI.COM MADGEODI.COM UNI2ASCI.COM RECOVER.COM (DOS 2) COMMAND.COM (DOS 2)
924>1	search/0xc088	\xcd\x22	\b, maybe with interrupt 22h
925>0	ubelong		x		\b, start instruction %#8.8x
926# show more instructions but not in samples like: rem.com (DJGPP)
927>4	ubelong		x		%8.8x
928
929# JMP 8bit
9300	        byte	0xeb
931# byte 0xeb conflicts with magic leshort 0xn2eb of "SYMMETRY i386" handled by ./sequent
932# allow forward jumps only
933>1          byte    >-1
934# that offset must be accessible
935# with hexadecimal values like: 0e 2e 50 8c 8d ba bc bd be e8 fb fc
936>>(1.b+2)   byte    x
937# if it looks like a COM executable but has an x86 boot signature, then this
938# implies a FAT volume with x86 real mode code, already handled by ./filesystems
939#
940# The absence of an x86 boot signature often implies a DOS executable
941# check for unrealistic high number of FATs. Then it is an unusual disk image or often a DOS executable
942# like: FIXBIOS.COM (50 bytes)
943>>>16		ubyte		>3
944# https://www.drivedroid.io/
945# skip MBR disk image drivedroid.img version 12 July 2013 by start message
946>>>>2		string		!DriveDroid
947# ftp://old-dos.ru/OSCollect/OS/MS-DOS/Final Releases/
948# skip unusual floppy image disk1.img of MS-DOS 1.25 (Corona Data Systems OEM)
949# by check for characteristic message text near the beginning
950>>>>>15		string		!Non\040System\040disk
951# "ftp://old-dos.ru/OSCollect/OS/BeOS/BeOS 4.0.rar"
952# skip BeOS 4 bootfloppy.img done as "Linux kernel x86 boot executable" by ./linux
953# by check for characteristic message text near the beginning
954>>>>>>6		string		!read\040error\015
955# https://github.com/ventoy/Ventoy/releases/download/v1.0.78/ventoy-1.0.78-windows.zip
956# skip ventoy 1.0.78 boot_hybrid.img
957>>>>>>>24	string		!\220\220\353I$\022\017
958# "ftp://old-dos.ru/OSCollect/OS/MS-DOS/Final Releases/PC-DOS 1.0 (5.25).rar"
959# skip unusual floppy image PCDOS100.IMG of DOS 1.0
960# by check for characteristic message text near the beginning
961>>>>>>>>9	string		!7-May-81
962# "ftp://old-dos.ru/OSCollect/OS/BeOS/BeOS 5.0 Personal (BA).rar"
963# skip BeOS 5 floppy_1.44.00.ima done as "DOS/MBR boot sector" by ./filesystems
964# by check for characteristic message near the beginning
965>>>>>>>>>3	string		!\370sdfS\270
966# like: FIXBIOS.COM (50 bytes)
967>>>>>>>>>>0		use		msdos-com
968# check for unrealistic low number of FATs. Then it is an unusual FAT disk image or often a DOS executable
969# like: DEVICE.COM INSTALL.COM (GAG 4.10) WORD.COM (Word 1.15)
970>>>16		ubyte		=0
971# if low FATs with x86 boot signature it can be unusual disk image like: boot.img (Ventoy 1.0.27) geodspms.img (Syslinux)
972>>>>0x1FE	leshort		=0xAA55
973>>>>0x1FE	default		x
974# https://thestarman.pcministry.com/tool/hxd/dimtut.htm
975# skip unusual floppy image TK-DOS11.img IBMDOS11.img of IBM DOS 1.10
976# by check for characteristic bootloader names near end of boot sector
977>>>>>395	string		!ibmbio\040\040com
978>>>>>>0			use		msdos-com
979# 8-bit jump with valid number of FAT implies FAT volume already handled by ./filesystems
980# like: balder.img
981>>>16		default		x
982# skip disk images with boot signature at end of 1st sector
983# like: TDSK-64b.img
984>>>>(11.s-2)	uleshort	!0xAA55
985# skip unusual floppy image without boot signature like 360k-256.img (mtools 4.0.18)
986# by check for characteristic file system type text for FAT (12 bit or 16 bit)
987>>>>>54		string		!FAT
988# "ftp://old-dos.ru/OSCollect/OS/MS-DOS/Final Releases/Microsoft MS-DOS 3.31 (Compaq OEM) (3.5).rar"
989# skip unusual floppy image Disk4.img without boot signature and file system type text
990# by check for characteristic OEM-ID text
991>>>>>>3		string		!COMPAQ\040\040
992# no such DOS COM executables found
993>>>>>>>0		use		msdos-com
994# JMP 16bit
9950           byte    0xe9
996# 16-bit offset; for DEBUGGING!; can be negative like: USBDRIVE.COM
997#>1		leshort		x	\b, OFFSET %d
998# forward jumps
999>1		leshort	>-1
1000# that offset must be accessible
1001# with hexadecimal values like: 06 1e 0e 2e 60 8c 8d b4 ba be e8 fc
1002>>(1.s+3)   byte    x
1003# check for unrealistic high number of FATs. Then it is not a disk image and it is a DOS executable
1004# like: CALLVER.COM CPUCACHE.COM K437_EUR.COM SHSUCDX.COM UMBFILL.COM (183 bytes)
1005>>>16		ubyte		>3
1006>>>>0			use		msdos-com
1007# check for unrealistic low number of FATs. Then it is not a disk image and it is a DOS executable
1008# like: GAG.COM DRMOUSE.COM NDN.COM CPQ0TD.DRV
1009>>>16		ubyte		=0
1010>>>>0			use		msdos-com
1011# maybe disc image with valid number of FATs or DOS executable
1012# like: IPXODI.COM PERUSE.COM TASKID.COM
1013>>>16		default	x
1014# invalid low media descriptor. Then it is not a disk image and it is a DOS executable
1015>>>>21		ubyte		<0xE5
1016>>>>>0			use		msdos-com
1017# valid media descriptor. Then it is maybe disk image or DOS executable
1018>>>>21		ubyte		>0xE4
1019# invalid sectorsize not a power of 2 from 32-32768. Then it is not a disk image and it must be DOS executable
1020# like: LEARN.COM (Word 1.15)
1021>>>>>11		uleshort&0x001f	!0
1022>>>>>>0			use		msdos-com
1023# negative offset, must not lead into PSP
1024# like: BASICA.COM (PC dos 3.20) FORMAT.COM SMC8100.COM WORD.COM (word4)
1025# HIDSUPT1.COM USBDRIVE.COM USBSUPT1.COM USBUHCI.COM (FreeDOS USBDOS)
1026>1		leshort	<-259
1027# that offset must be accessible
1028# add 10000h to jump at end of 64 KiB segment, add 1 for jump instruction and 2 for 16-bit offset
1029>>(1,s+65539)   byte    x
1030# after jump next instruction for DEBUGGING!
1031#>>>&-1		ubelong	x	\b, NEXT instruction %#8.8x
1032>>>0        use msdos-com
1033
1034# updated by Joerg Jenderek at Oct 2008,2015,2022
1035# the following line is too general: it anchors on the single byte 0xb8, and the tests below only exclude known false positives
10360	ubyte		0xb8
1037# skip 2 linux kernels like memtest.bin with "\xb8\xc0\x07\x8e" in ./linux
1038>0	string		!\xb8\xc0\x07\x8e
1039# modified by Joerg Jenderek
1040# syslinux COM32 or COM32R executable
1041>>1	lelong&0xFFFFFFFe 0x21CD4CFe	COM executable (32-bit COMBOOT
1042# https://www.syslinux.org/wiki/index.php/Comboot_API
1043# Since version 5.00 c32 modules switched from the COM32 object format to ELF
1044!:mime	application/x-c32-comboot-syslinux-exec
1045!:ext c32
1046# https://syslinux.zytor.com/comboot.php
1047# older syslinux version ( <4 )
1048# (32-bit COMBOOT) programs *.C32 contain 32-bit code and run in flat-memory 32-bit protected mode
1049# start with assembler instructions mov eax,21cd4cffh
1050>>>1	lelong		0x21CD4CFf	\b)
1051# syslinux:doc/comboot.txt
1052# A COM32R program must start with the byte sequence B8 FE 4C CD 21 (mov
1053# eax,21cd4cfeh) as a magic number.
1054# syslinux version (4.x)
1055# "COM executable (COM32R)" or "Syslinux COM32 module" by TrID
1056>>>1	lelong		0x21CD4CFe	\b, relocatable)
1057>>1	default	x
1058# look for interrupt instruction like in rem.com (DJGPP) LOADER.COM (DR-DOS 7.x)
1059>>>3	search/118	\xCD
1060# FOR DEBUGGING; possible hexadecimal interrupt number like: 10~BANNER.COM 13~bcdw_cl.com 15~poweroff.com (Syslinux)
1061# 1A~BERNDPCI.COM 20~SETENHKB.COM 21~mostly 22~gfxboot.com (Syslinux) 2F~SHUTDOWN.COM (GEMSYS)
1062#>>>>&0	ubyte	x			\b, INTERUPT %#x
1063# few examples with interrupt 0x13 instruction
1064>>>>&0	ubyte	=0x13
1065# FOR DEBUGGING!
1066#>>>>>3	ubequad	x			\b, 2nd INSTRUCTION %#16.16llx
1067# skip Gpt.com Mbr.com (edk2-UDK2018 bootsector) described as "DOS/MBR boot sector" by ./filesystems
1068# by check for assembler instructions: mov  es,ax ; mov  ax,07c0h ; mov ds,ax
1069>>>>>3	ubequad	!0x8ec0b8c0078ed88d
1070# few COM executables with interrupt 0x13 instruction like: Bootable CD Wizard executables bcdw_cl.com fdemuoff.com
1071# http://bootcd.narod.ru/bcdw150z_en.zip
1072>>>>>>0		use		msdos-com
1073# few examples with interrupt 0x16 instruction like flashimg.img
1074>>>>&0	ubyte	=0x16
1075# skip Syslinux 3.71 flashimg.img done as "DOS/MBR boot sector" by ./filesystems
1076# by check for assembler instructions: cmp ax 0xE4E4 (magic); jnz
1077>>>>>8	ubelong	!0x3DE4E475
1078# no DOS executable with interrupt 0x16 found
1079>>>>>>0		use		msdos-com
1080# most examples with interrupt instruction unequal 0x13 and 0x16
1081>>>>&0	default	x
1082#>>>>>&-1 ubyte	x			\b, INTERUPT %#x
1083# like: LOADER.COM SETENHKB.COM banner.com copybs.com gif2raw.com poweroff.com rem.com
1084>>>>>0		use		msdos-com
1085# few COM executables without interrupt instruction like RESTART.COM (DOS 7.10) REBOOT.COM
1086# or some EUC-KR text files or one Ulead Imaginfo thumbnail
1087>>>3	default	x
1088# FOR DEBUGGING; 2nd instruction like 0x50 (RESTART.COM) 0x8e (REBOOT.COM)
1089# or random like: 0x0 (IMAGINFO.PE3 sky_snow) 0xb1 (euckr_.txt)
1090#>>>>3	ubyte	x			\b, 2nd INSTRUCTION %#x
1091# skip 1 Ulead Imaginfo thumbnail (IMAGINFO.PE3 sky_snow)
1092# inside SAMPLES/TEXTURES/SKY_SNOW
1093# from https://archive.org/download/PI3CANON/PI3CANON.iso
1094>>>>3	ubyte	!0x0
1095# skip some EUC-KR text files like: euckr_falsepositive.txt
1096# https://bugs.astron.com/view.php?id=186
1097>>>>>3	ubyte	!0xb1
1098# like: RESTART.COM (DOS 7.10) REBOOT.COM
1099>>>>>>0	use		msdos-com
1100
1101# URL:		https://en.wikipedia.org/wiki/UPX
1102# Reference:	https://github.com/upx/upx/archive/v3.96.zip/upx-3.96/
1103#		src/stub/src/i086-dos16.com.S
1104# Update:	Joerg Jenderek
# Summary:	UPX-compressed DOS COM executables, recognised by three instruction
#		patterns of the decompression stub followed by the literal "UPX!" marker
1105# assembler instructions: cmp sp, offset sp_limit
11060	string/b	\x81\xfc
1107#>2	uleshort	x		\b, sp_limit=%#x
1108# assembler instructions: jump above +2; int 0x20; mov cx, offset bytes_to_copy
1109>4	string	\x77\x02\xcd\x20\xb9
1110#>9	uleshort	x		\b, [bytes_to_copy]=%#x
1111# at different offsets assembler instructions: push di; jump decomp_start_n2b
1112>0x1e	search/3	\x57\xe9
1113#>>&0	uleshort	x		\b, decomp_start_n2b=%#x
1114# src/stub/src/include/header.S; UPX_MAGIC_LE32
# NOTE(review): the "UPX" label depends on the literal "UPX!" marker being present at the
# expected position; a packed file whose marker was changed or removed gets no label from
# this entry, so the absence of "UPX" in the output is not evidence that a file is unpacked
1115>>&2	string		UPX!		FREE-DOS executable (COM), UPX
1116!:mime	application/x-dosexec
1117# UPX compressed *.CPI; See ./fonts
1118>>>&21	string		=FONT		compressed DOS code page font
1119!:ext	cpx
1120>>>&21	string		!FONT		compressed
1121!:ext	com
1122# compressed size?
1123#>>>&14	uleshort+152	x		\b, %u bytes
1124# uncompressed len
1125>>>&12	uleshort	x		\b, uncompressed %u bytes
1126252	string Must\ have\ DOS\ version DR-DOS executable (COM)
1127!:mime	application/x-dosexec
1128!:ext	com
1129# GRR search is not working
1130#2	search/28	\xcd\x21	COM executable for MS-DOS
1131#WHICHFAT.cOM
# NOTE(review): the whole signature is the two bytes \xcd\x21 at a fixed offset, so unrelated
# data can match; treat the application/x-dosexec type from this and the similar
# fixed-offset entries below as a weak hint
11322	string	\xcd\x21		COM executable for DOS
1133!:mime	application/x-dosexec
1134!:ext	com
1135#DELTREE.cOM DELTREE2.cOM
11364	string	\xcd\x21		COM executable for DOS
1137!:mime	application/x-dosexec
1138!:ext	com
1139#IFMEMDSK.cOM ASSIGN.cOM COMP.cOM
11405	string	\xcd\x21		COM executable for DOS
1141!:mime	application/x-dosexec
1142!:ext	com
1143#DELTMP.COm HASFAT32.cOM
11447	string	\xcd\x21
1145>0	byte	!0xb8			COM executable for DOS
1146!:mime	application/x-dosexec
1147!:ext	com
1148#COMP.cOM MORE.COm
114910	string	\xcd\x21
1150>5	string	!\xcd\x21		COM executable for DOS
1151!:mime	application/x-dosexec
1152!:ext	com
1153#comecho.com
115413	string	\xcd\x21		COM executable for DOS
1155!:mime	application/x-dosexec
1156!:ext	com
1157#HELP.COm EDIT.coM
115818	string	\xcd\x21
1159# not printable before it?
# NOTE(review): "byte" is a signed type in magic(5), so ">32" presumably admits only 33..127,
# and the default branch is then reached only when "<126" fails, which would leave 126 and 127;
# confirm this is the intended "not printable" test
1160>17	byte	>32
1161>>17	byte	<126
1162>>17	default	x			COM executable for MS-DOS
1163!:mime	application/x-dosexec
1164!:ext	com
1165#NWRPLTRM.COm
116623	string	\xcd\x21		COM executable for MS-DOS
1167!:mime	application/x-dosexec
1168!:ext	com
1169#LOADFIX.cOm LOADFIX.cOm
117030	string	\xcd\x21		COM executable for MS-DOS
1171!:mime	application/x-dosexec
1172!:ext	com
1173#syslinux.com 3.11
117470	string	\xcd\x21		COM executable for DOS
1175!:mime	application/x-dosexec
1176!:ext	com
1177# many compressed/converted COMs start with a copy loop instead of a jump
11780x6	search/0xa	\xfc\x57\xf3\xa5\xc3	COM executable for MS-DOS
1179!:mime	application/x-dosexec
1180!:ext	com
11810x6	search/0xa	\xfc\x57\xf3\xa4\xc3	COM executable for DOS
1182!:mime	application/x-dosexec
1183!:ext	com
1184>0x18	search/0x10	\x50\xa4\xff\xd5\x73	\b, aPack compressed
11850x3c	string		W\ Collis\0\0		COM executable for MS-DOS, Compack compressed
1186!:mime	application/x-dosexec
1187!:ext	com
1188# FIXME: missing diet .com compression
1189
1190# miscellaneous formats
11910	string/b	LZ		MS-DOS executable (built-in)
1192#0	byte		0xf0		MS-DOS program library data
1193#
1194
1195# AAF files:
1196# <stuartc@rd.bbc.co.uk> Stuart Cunningham
11970	string/b	\320\317\021\340\241\261\032\341AAFB\015\000OM\006\016\053\064\001\001\001\377			AAF legacy file using MS Structured Storage
1198>30	byte	9		(512B sectors)
1199>30	byte	12		(4kB sectors)
12000	string/b	\320\317\021\340\241\261\032\341\001\002\001\015\000\002\000\000\006\016\053\064\003\002\001\001			AAF file using MS Structured Storage
1201>30	byte	9		(512B sectors)
1202>30	byte	12		(4kB sectors)
1203
1204# Popular applications
1205#
1206# Update:	Joerg Jenderek
1207# URL:		http://fileformats.archiveteam.org/wiki/DOC
1208# Reference:	https://web.archive.org/web/20170206041048/
1209#		http://www.msxnet.org/word2rtf/formats/ffh-dosword5
1210# wIdent+dty
12110	belong	0x31be0000
1212# skip droid skeleton like x-fmt-274-signature-id-488.doc
1213>128	ubyte		>0  			Microsoft
1214>>96	uleshort	=0			Word
1215!:mime	application/msword
1216!:apple	MSWDWDBN
1217# DCX is used in the Unix version.
1218!:ext	doc/dcx
1219>>>0x6E	ulequad		=0			1.0-4.0
1220>>>0x6E	ulequad		!0			5.0-6.0
1221>>>0x6E	ulequad		x			(DOS) Document
1222# https://web.archive.org/web/20130831064118/http://msxnet.org/word2rtf/formats/write.txt
1223>>96	uleshort	!0			Write 3.0 (Windows) Document
1224!:mime	application/x-mswrite
1225!:apple	MSWDWDBN
1226# sometimes also doc like in splitter.doc srchtest.doc
1227!:ext	wri/doc
1228# wTool must be 0125400 octal
1229#>>4	uleshort	!0xAB00			\b, wTool %o
1230# reserved; must be zero
1231#>>6	ulelong		!0			\b, reserved %u
1232# block pointer to the block containing optional file manager information
1233#>>0x1C	uleshort	x			\b, at %#x info block
1234# jump to File manager information block
1235>>(0x1C.s*128)	uleshort x
1236# test for valid information start; maybe also 0012h
1237>>>&-2		uleshort	=0x0014
1238# Document ASCIIZ name
1239>>>>&0x12	string		x		%s
1240# author name
1241>>>>>&1		string		x		\b, author %s
1242# reviser name
1243>>>>>>&1	string		x		\b, reviser %s
1244# keywords
1245>>>>>>>&1	string		x		\b, keywords %s
1246# comment
1247>>>>>>>>&1	string		x		\b, comment %s
1248# version number
1249>>>>>>>>>&1	string		x		\b, version %s
1250# date of last change MM/DD/YY
1251>>>>>>>>>>&1	string		x		\b, %-.8s
1252# creation date MM/DD/YY
1253>>>>>>>>>>&9	string		x		created %-.8s
1254# file name of print format like NORMAL.STY
1255>>0x1E	string		>0			\b, formatted by %-.66s
1256# count of pages in whole file for write variant; may sometimes be wrong
1257>>96	uleshort	>0			\b, %u pages
1258# name of the printer driver like HPLASMS
1259>>0x62	string		>0			\b, %-.8s printer
1260# number of blocks used in the file; seems to be 0 for Word 4.0 and Write 3.0
1261>>0x6A	uleshort	>0			\b, %u blocks
1262# bit field for corrected text areas
1263#>>0x6C	uleshort	x			\b, %#x bit field
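1264# text of document; sometimes starts with 4 non-printable characters like CR LF
# NOTE(review): the %s tests below copy document text from the file into the description, so whatever consumes file(1) output should treat it as untrusted input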
1265>>128	ubyte		x			\b,
1266>>>128		ubyte	>0x1F
1267>>>>128		string	x			%s
1268>>>128		ubyte	<0x20
1269>>>>129		ubyte	>0x1F
1270>>>>>129	string	x			%s
1271>>>>129		ubyte	<0x20
1272>>>>>130	ubyte	>0x1F
1273>>>>>>130	string	x			%s
1274>>>>>130	ubyte	<0x20
1275>>>>>>131	ubyte	>0x1F
1276>>>>>>>131	string	x			%s
1277>>>>>>131	ubyte	<0x20
1278>>>>>>>132	ubyte	>0x1F
1279>>>>>>>>132	string	x			%s
1280>>>>>>>132	ubyte	<0x20
1281>>>>>>>>133	ubyte	>0x1F
1282>>>>>>>>>133	string	x			%s
1283#
12840	string/b	PO^Q`				Microsoft Word 6.0 Document
1285!:mime	application/msword
1286#
12874   long        0
1288>0  belong      0xfe320000      Microsoft Word for Macintosh 1.0
1289!:mime	application/msword
1290!:ext   mcw
1291>0  belong      0xfe340000      Microsoft Word for Macintosh 3.0
1292!:mime	application/msword
1293!:ext   mcw
1294>0  belong      0xfe37001c      Microsoft Word for Macintosh 4.0
1295!:mime	application/msword
1296!:ext   mcw
1297>0  belong      0xfe370023      Microsoft Word for Macintosh 5.0
1298!:mime	application/msword
1299!:ext   mcw
1300
13010	string/b	\333\245-\0\0\0			Microsoft Word 2.0 Document
1302!:mime	application/msword
1303!:ext   doc
1304# Note: seems already recognized as "OLE 2 Compound Document" in ./ole2compounddocs
1305#512	string/b	\354\245\301			Microsoft Word Document
1306#!:mime	application/msword
1307
1308#
13090	string/b	\xDB\xA5\x2D\x00		Microsoft WinWord 2.0 Document
1310!:mime application/msword
1311# NOTE(review): this entry repeats the previous one exactly (same offset, pattern, description and MIME type) and looks redundant; confirm before removing
13120	string/b	\xDB\xA5\x2D\x00		Microsoft WinWord 2.0 Document
1313!:mime application/msword
1314
1315#
13160	string/b	\x09\x04\x06\x00\x00\x00\x10\x00	Microsoft Excel Worksheet
1317!:mime	application/vnd.ms-excel
1318# https://www.macdisk.com/macsigen.php
1319!:apple	XCELXLS4
1320!:ext	xls
1321#
1322# Update: Joerg Jenderek
1323# URL: https://en.wikipedia.org/wiki/Lotus_1-2-3
1324# Reference: http://www.aboutvb.de/bas/formate/pdf/wk3.pdf
1325# Note: newer Lotus versions >2 use longer BOF record
1326# record type (BeginningOfFile=0000h) + length (001Ah)
13270	belong	0x00001a00
1328# reserved should be 0h but 8c0dh for TUTMAC.WK3, 5h for SAMPADNS.WK3, 1h for a_readme.wk3, 1eh for K&G86.WK3
1329#>18	uleshort&0x73E0	0
1330# Lotus Multi Byte Character Set (LMBCS=1-31)
1331>20	ubyte		>0
1332>>20	ubyte		<32	Lotus 1-2-3
1333#!:mime	application/x-123
1334!:mime	application/vnd.lotus-1-2-3
1335!:apple	????L123
1336# (version 5.26) labeled the entry as "Lotus 1-2-3 wk3 document data"
1337>>>4	uleshort	0x1000	WorKsheet, version 3
1338!:ext	wk3
1339# (version 5.26) labeled the entry as "Lotus 1-2-3 wk4 document data"
1340>>>4	uleshort	0x1002	WorKsheet, version 4
1341# also worksheet template 4 (.wt4)
1342!:ext	wk4/wt4
1343# no example or documentation for wk5
1344#>>4	uleshort	0x????	WorKsheet, version 4
1345#!:ext	wk5
1346# only MacrotoScript.123 example
1347>>>4	uleshort	0x1003	WorKsheet, version 97
1348# also worksheet template Smartmaster (.12M)?
1349!:ext	123
1350# only Set_Y2K.123 example
1351>>>4	uleshort	0x1005	WorKsheet, version 9.8 Millennium
1352!:ext	123
1353# no example for this version
1354>>>4	uleshort	0x8001	FoRMatting data
1355!:ext	frm
1356# (version 5.26) labeled the entry as "Lotus 1-2-3 fm3 or fmb document data"
1357# TrID labels the entry as "Formatting Data for Lotus 1-2-3 worksheet"
1358>>>4	uleshort	0x8007	ForMatting data, version 3
1359!:ext	fm3
1360>>>4	default		x	unknown
1361# file revision sub code 0004h for worksheets
1362>>>>6	uleshort	=0x0004	worksheet
1363!:ext	wXX
1364>>>>6	uleshort	!0x0004	formatting data
1365!:ext	fXX
1366# main revision number
1367>>>>4	uleshort	x	\b, revision %#x
1368>>>6	uleshort	=0x0004	\b, cell range
1369# active cellcoord range (start row, page,column ; end row, page, column)
1370# start values normally 0~1st sheet A1
1371>>>>8	ulelong		!0
1372>>>>>10	ubyte		>0	\b%d*
1373>>>>>8	uleshort	x	\b%d,
1374>>>>>11	ubyte		x	\b%d-
1375# end page mostly 0
1376>>>>14	ubyte		>0	\b%d*
1377# end row, column normally not 0
1378>>>>12	uleshort	x	\b%d,
1379>>>>15	ubyte		x	\b%d
1380# Lotus Multi Byte Character Set (1~cp850,2~cp851,...,16~japan,...,31~??)
1381>>>>20	ubyte		>1	\b, character set %#x
1382# flags
1383>>>>21	ubyte		x	\b, flags %#x
1384>>>6	uleshort	!0x0004
1385# record type (FONTNAME=00AEh)
1386>>>>30	search/29	\0\xAE
1387# variable length m (2) + entries (1) + ?? (1) + LCMBS string (n)
1388>>>>>&4	string		>\0	\b, 1st font "%s"
1389#
1390# Update: Joerg Jenderek
1391# URL: http://fileformats.archiveteam.org/wiki/Lotus_1-2-3
1392# Reference: http://www.schnarff.com/file-formats/lotus-1-2-3/WSFF2.TXT
1393# Note: Used by both old Lotus 1-2-3 and Lotus Symphony (DOS) til version 2.x
1394# record type (BeginningOfFile=0000h) + length (0002h)
13950	belong	0x00000200
1396# GRR: the line above is too general, as it also catches MS Windows CURsor files
1397# to display MS Windows cursor (strength=70) before Lotus 1-2-3 (strength=70-1)
1398!:strength -1
1399# skip Windows cursors with image height <256 and keep Lotus with low opcode 0001-0083h
1400>7	ubyte		0
1401# skip Windows cursors with image width 256 and keep Lotus with positive opcode
1402>>6	ubyte		>0	Lotus
1403# !:mime	application/x-123
1404!:mime	application/vnd.lotus-1-2-3
1405!:apple	????L123
1406# revision number (0404h = 123 1A, 0405h = Lotus Symphony , 0406h = 123 2.x wk1 , 8006h = fmt , ...)
1407# undocumented; (version 5.26) labeled the configurations as "Lotus 1-2-3"
1408>>>4	uleshort	0x0007	1-2-3 CoNFiguration, version 2.x (PGRAPH.CNF)
1409!:ext	cnf
1410>>>4	uleshort	0x0C05	1-2-3 CoNFiguration, version 2.4J
1411!:ext	cnf
1412>>>4	uleshort	0x0801	1-2-3 CoNFiguration, version 1-2.1
1413!:ext	cnf
1414>>>4	uleshort	0x0802	Symphony CoNFiguration
1415!:ext	cnf
1416>>>4	uleshort	0x0804	1-2-3 CoNFiguration, version 2.2
1417!:ext	cnf
1418>>>4	uleshort	0x080A	1-2-3 CoNFiguration, version 2.3-2.4
1419!:ext	cnf
1420>>>4	uleshort	0x1402	1-2-3 CoNFiguration, version 3.x
1421!:ext	cnf
1422>>>4	uleshort	0x1450	1-2-3 CoNFiguration, version 4.x
1423!:ext	cnf
1424# (version 5.26) labeled the entry as "Lotus 123"
1425# TrID labels the entry as "Lotus 123 Worksheet (generic)"
1426>>>4	uleshort	0x0404	1-2-3 WorKSheet, version 1
1427# extension "wks" also for Microsoft Works document
1428!:ext	wks
1429# (version 5.26) labeled the entry as "Lotus 123"
1430# TrID labels the entry as "Lotus 123 Worksheet (generic)"
1431>>>4	uleshort	0x0405	Symphony WoRksheet, version 1.0
1432!:ext	wrk/wr1
1433# (version 5.26) labeled the entry as "Lotus 1-2-3 wk1 document data"
1434# TrID labels the entry as "Lotus 123 Worksheet (V2)"
1435>>>4	uleshort	0x0406	1-2-3/Symphony worksheet, version 2
1436# Symphony (.wr1)
1437!:ext	wk1/wr1
1438# no example for this japan version
1439>>>4	uleshort	0x0600	1-2-3 WorKsheet, version 1.xJ
1440!:ext	wj1
1441# no example or documentation for wk2
1442#>>>4	uleshort	0x????	1-2-3 WorKsheet, version 2
1443#!:ext	wk2
1444# undocumented japan version
1445>>>4	uleshort	0x0602	1-2-3 worksheet, version 2.4J
1446!:ext	wj3
1447# (version 5.26) labeled the entry as "Lotus 1-2-3 fmt document data"
1448>>>4	uleshort	0x8006	1-2-3 ForMaTting data, version 2.x
1449# japan version 2.4J (fj3)
1450!:ext	fmt/fj3
1451# no example for this version
1452>>>4	uleshort	0x8007	1-2-3 FoRMatting data, version 2.0
1453!:ext	frm
1454# (version 5.26) labeled the entry as "Lotus 1-2-3"
1455>>>4	default		x	unknown worksheet or configuration
1456!:ext	cnf
1457>>>>4	uleshort	x	\b, revision %#x
1458# 2nd record for most worksheets describes cells range
1459>>>6		use	lotus-cells
1460# 3rd record for most japan worksheets describes cells range
1461>>>(8.s+10)	use	lotus-cells
1462#	check and then display Lotus worksheet cells range
14630	name		lotus-cells
1464# look for type (RANGE=0006h) + length (0008h) at record begin
1465>0	ubelong	0x06000800	\b, cell range
1466# cell range (start column, row, end column, row) start values normally 0,0~A1 cell
1467>>4	ulong		!0
1468>>>4	uleshort	x	\b%d,
1469>>>6	uleshort	x	\b%d-
1470# end of cell range
1471>>8	uleshort	x	\b%d,
1472>>10	uleshort	x	\b%d
1473# EndOfLotus123
14740	string/b		WordPro\0	Lotus WordPro
1475!:mime	application/vnd.lotus-wordpro
14760	string/b		WordPro\r\373	Lotus WordPro
1477!:mime	application/vnd.lotus-wordpro
1478
1479
1480# Summary: Script used by InstallShield to uninstall applications
1481# Extension: .isu
1482# Submitted by: unknown
1483# Modified by (1): Abel Cheung <abelcheung@gmail.com> (replace useless entry)
14840		string		\x71\xa8\x00\x00\x01\x02
1485>12		string		Stirling\ Technologies,		InstallShield Uninstall Script
1486
1487# Winamp .avs
1488#0	string	Nullsoft\ AVS\ Preset\ \060\056\061\032 A plug in for Winamp ms-windows Freeware media player
14890	string/b	Nullsoft\ AVS\ Preset\ 	Winamp plug in
1490
1491# Windows Metafile .WMF
1492# URL: 		http://fileformats.archiveteam.org/wiki/Windows_Metafile
1493#		http://en.wikipedia.org/wiki/Windows_Metafile
1494# Reference:	https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-WMF/%5bMS-WMF%5d.pdf
1495#		http://mark0.net/download/triddefs_xml.7z/defs/w/wmf.trid.xml
1496# Note:		called "Windows Metafile" by TrID and
1497#		verified by ImageMagick `identify -verbose *.wmf` as WMF (Windows Meta File)
1498# META_PLACEABLE Record (Aldus Placeable Metafile signature)
14990	string/b	\327\315\306\232
1500# Note:		called "Windows Metafile Image with Placeable File Header" by DROID via PUID x-fmt/119
1501#		and verified by XnView `nconvert -info abydos.wmf SPA_FLAG.wmf hardcopy-windows-meta.wmf` as "Windows Placeable metafile"
1502# skip failed libreoffice-7.3.2.2 ofz35149-1.wmf with invalid version 2020h and exttextout-2.wmf with invalid version 3a02h
1503# and x-fmt-119-signature-id-609.wmf without version instead of 0100h=METAVERSION100 or 0300h=METAVERSION300
1504>26	uleshort&0xFDff	=0x0100			Windows metafile
1505# HWmf; resource handle to the metafile; When the metafile is on disk, this field MUST contain 0
1506# seems to be always true but in failed samples 2020h ofz35149-1.wmf 56f8h exttextout-2.wmf
1507>>4	uleshort	!0			\b, resource handle %#x
1508# BoundingBox; the rectangle in the playback context measured in logical units for displaying
1509# sometimes useful like: hardcopy-windows-meta.wmf (0,0 / 1280,1024)
1510# but garbage in x-fmt-119-signature-id-609.wmf (-21589,-21589 / -21589,-21589)
1511#>>6	ubequad		x			\b, bounding box %#16.16llx
1512# Left; x-coordinate of the upper-left corner of the rectangle
1513>>6	leshort		x			\b, bounding box (%d
1514# Top; y-coordinate upper-left corner
1515>>8	leshort		x			\b,%d
1516# Right; x-coordinate lower-right corner
1517>>10	leshort		x			/ %d
1518# Bottom; y-coordinate lower-right corner
1519>>12	leshort		x			\b,%d)
1520# Inch; number of logical units per inch like: 72 96 575 576 1000 1200 1439 1440 2540
1521>>14	uleshort	x			\b, dpi %u
1522# Reserved; field is not used and MUST be set to 0; but ababababh in x-fmt-119-signature-id-609.wmf
1523>>16	ulelong		!0			\b, reserved %#x
1524# Checksum; checksum for the previous 10 words
1525>>20	uleshort	x			\b, checksum %#x
1526# META_HEADER Record after META_PLACEABLE Record
1527>>22	use		wmf-head
1528# GRR:		no example for type 2 (DISKMETAFILE) variant found among a few thousand WMF samples
15290	string/b	\002\000\011\000	Windows metafile
1530>0	use		wmf-head
1531# Reference:	http://mark0.net/download/triddefs_xml.7z/defs/w/wmf-16.trid.xml
1532# Note:		called "Windows Metafile (old Win 3.x format)" by TrID and
1533#		"Windows Metafile Image without Placeable File Header" by DROID via PUID x-fmt/119
1534#		verified by XnView `nconvert -info *.wmf` as Windows metafile
1535# variant with type=1=MEMORYMETAFILE and valid HeaderSize 9
15360	string/b	\001\000\011\000
1537# skip DROID x-fmt-119-signature-id-1228.wmf by looking for content after header (18 bytes=2*011)
1538>18	ulelong		>0			Windows metafile
1539# GRR: in version 5.44 unequal and not endian variant not working!
1540#>18	ulelong		!0			THIS_SHOULD_NOT_HAPPEN
1541#>18	long		!0			THIS_SHOULD_NOT_HAPPEN
1542>>0	use		wmf-head
1543#	display information of Windows metafile header (type, size, objects)
15440	name		wmf-head
1545# MetafileType: 0001h=MEMORYMETAFILE~Metafile is stored in memory 0002h=DISKMETAFILE~Metafile is stored on disk
1546>0	uleshort	!0x0001			\b, type %#x
1547# HeaderSize; the number of WORDs in header record; seems to be always 9 (18 bytes)
1548>2	uleshort*2	!18			\b, header size %u
1549# MetafileVersion: 0100h=METAVERSION100~DIBs (device-independent bitmaps) not supported 0300h=METAVERSION300~DIBs are supported
1550# but in failed samples 2020h ofz35149-1.wmf 3a02h exttextout-2.wmf
1551>4	uleshort	=0x0100			\b, DIBs not supported
1552>4	uleshort	=0x0300
1553#>4	uleshort	=0x0300			\b, DIBs supported
1554# this should not happen!
1555>4	default		x			\b, version
1556>>4	uleshort	x			%#x
1557# Size; the number of WORDs in the entire metafile
1558>6	ulelong	x				\b, size %u words
1559#>6	ulelong*2	x			\b, size %u bytes
1560!:mime	image/wmf
1561!:ext	wmf
1562# NumberOfObjects: the number of graphics objects like: 0 hardcopy-windows-meta.wmf 1 2 3 4 5 6 7 8 9 12 13 14 16 17 20 27 110 PERSGRID.WMF
1563>10	uleshort	x			\b, %u objects
1564# MaxRecord: the size of the largest record in the metafile in WORDs like: 78h b0h 1f4h 310h 63fh 1e0022h 3fcc21h
1565>12	ulelong		x			\b, largest record size %#x
1566# NumberOfMembers: It SHOULD be 0x0000, but 5 TestBitBltStretchBlt.wmf 13 TestPalette.wmf and in failed samples 4254 bitcount-1.wmf 8224 ofz5942-1.wmf 56832 exttextout-2.wmf
1567>16	uleshort	!0			\b, %u members
1568
1569#tz3 files whatever that is (MS Works files)
15700	string/b	\003\001\001\004\070\001\000\000	tz3 ms-works file
15710	string/b	\003\002\001\004\070\001\000\000	tz3 ms-works file
15720	string/b	\003\003\001\004\070\001\000\000	tz3 ms-works file
1573
1574# PGP sig files .sig
1575#0 string \211\000\077\003\005\000\063\237\127 065 to  \027\266\151\064\005\045\101\233\021\002 PGP sig
15760 string \211\000\077\003\005\000\063\237\127\065\027\266\151\064\005\045\101\233\021\002 PGP sig
15770 string \211\000\077\003\005\000\063\237\127\066\027\266\151\064\005\045\101\233\021\002 PGP sig
15780 string \211\000\077\003\005\000\063\237\127\067\027\266\151\064\005\045\101\233\021\002 PGP sig
15790 string \211\000\077\003\005\000\063\237\127\070\027\266\151\064\005\045\101\233\021\002 PGP sig
15800 string \211\000\077\003\005\000\063\237\127\071\027\266\151\064\005\045\101\233\021\002 PGP sig
15810 string \211\000\225\003\005\000\062\122\207\304\100\345\042 PGP sig
1582
1583# windows zips files .dmf
15840	string/b	MDIF\032\000\010\000\000\000\372\046\100\175\001\000\001\036\001\000 MS Windows special zipped file
1585
1586# Windows icons
1587# Update: Joerg Jenderek
1588# URL: https://en.wikipedia.org/wiki/CUR_(file_format)
1589# Note: similar to Windows CURsor. container for BMP (only DIB part) or PNG
15900   belong  0x00000100
1591>9  byte    0
1592>>0 byte    x
1593>>0 use     cur-ico-dir
1594>9  ubyte   0xff
1595>>0 byte    x
1596>>0 use     cur-ico-dir
1597#	displays number of icons and information for icon or cursor
15980	name		cur-ico-dir
1599# skip some Lotus 1-2-3 worksheets, CYCLE.PIC and keep Windows cursors with
1600# 1st data offset = dir header size + n * dir entry size = 6 + n * 10h = ?6h
1601>18		ulelong		&0x00000006
1602# skip remaining worksheets, because valid only for DIB image (40) or PNG image (\x89PNG)
1603>>(18.l)	ulelong		x		MS Windows
1604>>>0		ubelong		0x00000100	icon resource
1605# https://www.iana.org/assignments/media-types/image/vnd.microsoft.icon
1606!:mime		image/vnd.microsoft.icon
1607#!:mime		image/x-icon
1608!:ext		ico
1609>>>>4 		uleshort	x		- %d icon
1610# plural s
1611>>>>4 		uleshort	>1		\bs
1612# 1st icon
1613>>>>0x06	use		ico-entry
1614# 2nd icon
1615>>>>4 		uleshort	>1
1616>>>>>0x16	use		ico-entry
1617>>>0		ubelong		0x00000200	cursor resource
1618#!:mime		image/x-cur
1619!:mime		image/x-win-bitmap
1620!:ext		cur
1621>>>>4 		uleshort	x		- %d icon
1622>>>>4 		uleshort	>1		\bs
1623# 1st cursor
1624>>>>0x06	use		cur-entry
1625#>>>>0x16	use		cur-entry
1626#	display information of one cursor entry
16270	name		cur-entry
1628>0	use		cur-ico-entry
1629>4	uleshort	x	\b, hotspot @%dx
1630>6	uleshort	x	\b%d
1631#	display information of one icon entry
16320	name		ico-entry
1633>0			use	cur-ico-entry
1634# normally 0 1 but also found 14
1635>4	uleshort	>1	\b, %d planes
1636# normally 0 1 but also found some 3, 4, some 6, 8, 24, many 32, two 256
1637>6	uleshort	>1	\b, %d bits/pixel
1638#	display shared information of cursor or icon entry
16390		name		cur-ico-entry
1640>0		byte		=0		\b, 256x
1641>0		byte		!0		\b, %dx
1642>1		byte        	=0		\b256
1643>1		byte        	!0		\b%d
1644# number of colors in palette
1645>2		ubyte		!0		\b, %d colors
1646# reserved 0 FFh
1647#>3		ubyte        	x		\b, reserved %x
1648#>8		ulelong		x		\b, image size %d
1649# offset of PNG or DIB image
1650#>12		ulelong		x		\b, offset %#x
1651# PNG header (\x89PNG)
1652>(12.l)		ubelong		=0x89504e47
1653# 1 space char after "with" to get phrase "with PNG image" by magic in ./images
1654>>&-4		indirect	x	\b with
1655# DIB image
1656>(12.l)		ubelong		!0x89504e47
1657#>>&-4		use     	dib-image
1658
1659# Windows non-animated cursors
1660# Update: Joerg Jenderek
1661# URL: https://en.wikipedia.org/wiki/CUR_(file_format)
1662# Note: similar to Windows ICOn. container for BMP ( only DIB part)
1663# GRR: line below is too general as it catches also Lotus 1-2-3 files
16640   belong  0x00000200
1665>9  byte    0
1666>>0 use     cur-ico-dir
1667>9  ubyte   0xff
1668>>0 use     cur-ico-dir
1669
1670# .chr files
16710	string/b	PK\010\010BGI	Borland font
1672>4	string	>\0	%s
1673# then there is a copyright notice
1674
1675
1676# .bgi files
16770	string/b	pk\010\010BGI	Borland device
1678>4	string	>\0	%s
1679# then there is a copyright notice
1680
1681
1682# Windows Recycle Bin record file (named INFO2)
1683# By Abel Cheung (abelcheung AT gmail dot com)
1684# Version 4 always has 280 bytes (0x118) per record, version 5 has 800 bytes
1685# Since Vista uses another structure, INFO2 structure probably won't change
1686# anymore. Detailed analysis in:
1687# http://www.cybersecurityinstitute.biz/downloads/INFO2.pdf
16880	lelong		0x00000004
1689>12	lelong		0x00000118	Windows Recycle Bin INFO2 file (Win98 or below)
1690
16910	lelong		0x00000005
1692>12	lelong		0x00000320	Windows Recycle Bin INFO2 file (Win2k - WinXP)
1693
1694# From Doug Lee via a FreeBSD pr
16959	string		GERBILDOC	First Choice document
16969	string		GERBILDB	First Choice database
16979	string		GERBILCLIP	First Choice database
16980	string		GERBIL		First Choice device file
16999	string		RABBITGRAPH	RabbitGraph file
17000	string		DCU1		Borland Delphi .DCU file
17010	string		=!<spell>	MKS Spell hash list (old format)
17020	string		=!<spell2>	MKS Spell hash list
1703# Too simple - MPi
1704#0	string		AH		Halo(TM) bitmapped font file
17050	lelong		0x08086b70	TurboC BGI file
17060	lelong		0x08084b50	TurboC Font file
1707
1708# Debian#712046: The magic below identifies "Delphi compiled form data".
1709# An additional source of information is available at:
1710# http://www.woodmann.com/fravia/dafix_t1.htm
17110	string		TPF0
1712>4	pstring		>\0		Delphi compiled form '%s'
1713
1714# tests for DBase files moved, updated and merged to database
1715
17160	string		PMCC		Windows 3.x .GRP file
17171	string		RDC-meg		MegaDots
1718>8	byte		>0x2F		version %c
1719>9	byte		>0x2F		\b.%c file
1720
1721# .PIF files added by Joerg Jenderek from https://smsoft.ru/en/pifdoc.htm
1722# only for windows versions equal or greater 3.0
17230x171	string	MICROSOFT\ PIFEX\0	Windows Program Information File
1724!:mime	application/x-dosexec
1725!:ext	pif
1726#>2	string	 	>\0		\b, Title:%.30s
1727>0x24	string		>\0		\b for %.63s
1728>0x65	string		>\0		\b, directory=%.64s
1729>0xA5	string		>\0		\b, parameters=%.64s
1730#>0x181	leshort	x	\b, offset %x
1731#>0x183	leshort	x	\b, offsetdata %x
1732#>0x185	leshort	x	\b, section length %x
1733>0x187	search/0xB55	WINDOWS\ VMM\ 4.0\0
1734>>&0x5e		ubyte	>0
1735>>>&-1		string	<PIFMGR.DLL		\b, icon=%s
1736#>>>&-1		string	PIFMGR.DLL		\b, icon=%s
1737>>>&-1		string	>PIFMGR.DLL		\b, icon=%s
1738>>&0xF0		ubyte	>0
1739>>>&-1		string	<Terminal		\b, font=%.32s
1740#>>>&-1		string	=Terminal		\b, font=%.32s
1741>>>&-1		string	>Terminal		\b, font=%.32s
1742>>&0x110	ubyte	>0
1743>>>&-1		string	<Lucida\ Console	\b, TrueTypeFont=%.32s
1744#>>>&-1		string	=Lucida\ Console	\b, TrueTypeFont=%.32s
1745>>>&-1		string	>Lucida\ Console	\b, TrueTypeFont=%.32s
1746#>0x187	search/0xB55	WINDOWS\ 286\ 3.0\0	\b, Windows 3.X standard mode-style
1747#>0x187	search/0xB55	WINDOWS\ 386\ 3.0\0	\b, Windows 3.X enhanced mode-style
1748>0x187	search/0xB55	WINDOWS\ NT\ \ 3.1\0	\b, Windows NT-style
1749#>0x187	search/0xB55	WINDOWS\ NT\ \ 4.0\0	\b, Windows NT-style
1750>0x187	search/0xB55	CONFIG\ \ SYS\ 4.0\0	\b +CONFIG.SYS
1751#>>&06		string	x			\b:%s
1752>0x187	search/0xB55	AUTOEXECBAT\ 4.0\0	\b +AUTOEXEC.BAT
1753#>>&06		string	x			\b:%s
1754
1755# Norton Guide (.NG , .HLP) files added by Joerg Jenderek from source NG2HTML.C
1756# of http://www.davep.org/norton-guides/ng2h-105.tgz
1757# https://en.wikipedia.org/wiki/Norton_Guides
17580	string		NG\0\001
1759# only value 0x100 found at offset 2
1760>2	ulelong		0x00000100	Norton Guide
1761!:mime	application/x-norton-guide
1762# often like NORTON.NG but some times like NC.HLP
1763!:ext	ng/hlp
1764# Title[40]
1765>>8	string		>\0		"%-.40s"
1766#>>6	uleshort	x		\b, MenuCount=%u
1767# szCredits[5][66]
1768>>48	string		>\0		\b, %-.66s
1769>>114	string		>\0		%-.66s
1770
1771# URL:		https://en.wikipedia.org/wiki/Norton_Commander
1772# Reference:	http://mark0.net/download/triddefs_xml.7z/defs/m/msg-nc-eng.trid.xml
1773# From:		Joerg Jenderek
1774# Note:		Message file is used by executable with same main name.
1775#		Only tested with version 5.50 (english) and 2.01 (Windows)
17760	string		Abort
1777# \0 or i
1778#>5	ubyte		x		%x
1779# skip ASCII Abort text by looking for error message like in NCVIEW.MSG
1780>6	search/7089	Non-DOS\ disk	Norton Commander module message
1781!:mime	application/x-norton-msg
1782!:ext	msg
1783
1784# URL:		http://www.antonis.de/dos/dos-tuts/mpdostip/html/nwdostip.htm
1785# Reference:	https://mark0.net/download/triddefs_xml.7z/defs/m/msg-netware-dos.trid.xml
1786# From:		Joerg Jenderek
17870	string	DOS\ Client\ Message\ File:	Novell DOS client message
1788#!:mime	application/octet-stream
1789#!:mime	application/x-novell-msg
1790!:ext	msg
1791# look for second letter instead space character
1792>26	ubyte		>0x20
1793# digit 1 or often main or program name like: IPXODI.COM TASKID pnwtrap DOSRqstr
1794>>25		ubyte	!0x20			%c
1795>>>26		ubyte	!0x20			\b%c
1796>>>>27		ubyte	!0x20			\b%c
1797>>>>>28		ubyte	!0x20			\b%c
1798>>>>>>29	ubyte	!0x20			\b%c
1799>>>>>>>30	ubyte	!0x20			\b%c
1800>>>>>>>>31	ubyte	!0x20			\b%c
1801>>>>>>>>>32	ubyte	!0x20			\b%c
1802>>>>>>>>>>33	ubyte	!0x20			\b%c
1803>>>>>>>>>>>34	ubyte	!0x20			\b%c
1804>>>>>>>>>>>>35	ubyte	!0x20			\b%c
1805>>>>>>>>>>>>>36	ubyte	!0x20			\b%c
1806# followed by string like: 0 v.10 V1.20
1807#
1808# followed by ,\040Tran
1809>28	search/14	,\040Tran
1810# probably translated version string like: 0 v1.00
1811>>&0	string	x				\b, tran version %s
1812# followed by Ctrl-J Ctrl-Z
1813>>>&0	ubyte		!0xa			\b, terminated by %#2.2x
1814>>>>&0	ubyte		x			\b%2.2x
1815# Ctrl-Z
1816>0x65	ubyte		!0x1A			\b, at 0x65 %#x
1817# one
1818>0x66	ubyte		!0x01			\b, at 0x66 %#x
1819# URL:		https://en.wikipedia.org/wiki/NetWare
1820# Reference:	http://mark0.net/download/triddefs_xml.7z/defs/d/dat-novell-msg.trid.xml
1821# ftp://ftp.iitb.ac.in/LDP/en/NLM-HOWTO/NLM-HOWTO-single.html
1822# From:		Joerg Jenderek
18230	string	Novell\ Message\ Librarian\ Data\ File	Novell message librarian data
1824#>35	string	Version\ 1.00
1825#>49	string	COPYRIGHT\ (c)\ 1985\ by\ Novell,\ Inc.
1826#>83	string	\ \ All\ Rights\ Reserved
1827#!:mime	application/octet-stream
1828#!:mime	application/x-novell-msg
1829!:ext	msg
1830#!:ext	msg/dat
1831# 4DOS help (.HLP) files added by Joerg Jenderek from source TPHELP.PAS
1832# of https://www.4dos.info/
1833# pointer,HelpID[8]=4DHnnnmm
18340	ulelong	0x48443408		4DOS help file
1835>4	string	x			\b, version %-4.4s
1836
1837# old binary Microsoft (.HLP) files added by Joerg Jenderek from http://file-extension.net/seeker/file_extension_hlp
18380	ulequad	0x3a000000024e4c	MS Advisor help file
1839
1840# HtmlHelp files (.chm)
18410	string/b	ITSF\003\000\000\000\x60\000\000\000	MS Windows HtmlHelp Data
1842!:mime	application/vnd.ms-htmlhelp
1843!:ext	chm
1844
1845# GFA-BASIC (Wolfram Kleff)
18462	string/b	GFA-BASIC3	GFA-BASIC 3 data
1847
1848#------------------------------------------------------------------------------
1849# From Stuart Caie <kyzer@4u.net> (developer of cabextract)
1850# Update: Joerg Jenderek
1851# URL: https://en.wikipedia.org/wiki/Cabinet_(file_format)
1852# Reference: https://msdn.microsoft.com/en-us/library/bb267310.aspx
1853# Note: verified by `7z l *.cab`
1854# Microsoft Cabinet files
18550	string/b	MSCF\0\0\0\0	Microsoft Cabinet archive data
1856#
1857# https://support.microsoft.com/en-us/help/973559/frequently-asked-questions-about-the-microsoft-support-diagnostic-tool
1858# CAB with *.{diagcfg,diagpkg} is used by Microsoft Support Diagnostic Tool MSDT.EXE
1859# because some archives do not have *.diag* as 1st or 2nd archive member like
1860# O15CTRRemove.diagcab or AzureStorageAnalyticsLogs_global.DiagCab
1861# brute-force search after the header for filenames with diagcfg or diagpkg extension in the CFFILE section
1862>0x2c	search/980/c	.diag		\b, Diagnostic
1863!:mime	application/vnd.ms-cab-compressed
1864!:ext	diagcab
1865# http://fileformats.archiveteam.org/wiki/PUZ
1866# Microsoft Publisher version about 2003 has a "Pack and Go" feature that
1867# bundles a Publisher document *PNG.pub with all links into a CAB
1868>0x2c	search/300/c	png.pub\0		\b, Publisher Packed and Go
1869!:mime	application/vnd.ms-cab-compressed
1870!:ext	puz
1871# ppz variant with Microsoft PowerPoint Viewer ppview32.exe to play PowerPoint presentation
1872>0x2c	search/17/c	ppview32.exe\0		\b, PowerPoint Viewer Packed and Go
1873!:mime	application/vnd.ms-powerpoint
1874#!:mime	application/mspowerpoint
1875!:ext	ppz
1876# URL:		https://en.wikipedia.org/wiki/Windows_Desktop_Gadgets
1877# Reference:	https://docs.microsoft.com/en-us/previous-versions/windows/desktop/sidebar/
1878# http://win10gadgets.com/download/273/ All_CPU_Meter1.zip/All_CPU_Meter_V4.7.3.gadget
1879>0x2c	search/968/c	gadget.xml		\b, Windows Desktop Gadget
1880#!:mime	application/vnd.ms-cab-compressed
1881# http://extension.nirsoft.net/gadget
1882!:mime	application/x-windows-gadget
1883!:ext	gadget
1884# http://www.incredimail.com/
1885# IncrediMail CAB contains an initialisation file "content.ini" like in im2.ims
1886>0x2c	search/3369/c	content.ini\0	\b, IncrediMail
1887!:mime	application/x-incredimail
1888# member Flavor.htm implies IncrediMail ecard like in tell_a_friend.imf
1889>>0x2c	search/83/c	Flavor.htm\0	ecard
1890!:ext	imf
1891# member Macromedia Flash data *.swf implies IncrediMail skin like in im2.ims
1892>>0x2c	search/211/c	.swf\0		skin
1893!:ext	ims
1894# member anim.im3 implies IncrediMail animation like in letter_fold.ima
1895>>0x2c	search/92/c	anim.im3\0	animation
1896!:ext	ima
1897# other IncrediMail cab archive
1898>>0x2c	default		x
1899>>>0x2c	search/116/c	thumb		ecard, image, notifier or skin
1900!:ext	imf/imi/imn/ims
1901# http://file-extension.net/seeker/file_extension_ime
1902>>>0x2c	default		x		emoticons or sound
1903!:ext	ime/imw
1904# no Diagnostic, Packed and Go, Windows Desktop Gadget, IncrediMail
1905>0x2c	default		x
1906# look for 1st member name
1907>>(16.l+16)	ubyte	x
1908# From:		Joerg Jenderek
1909# URL:		https://docs.microsoft.com/en-us/windows-hardware/drivers/install/building-device-metadata-packages
1910# Reference:	http://mark0.net/download/triddefs_xml.7z/defs/d/devicemetadata-ms.trid.xml
1911>>>&-1	string 		PackageInfo.xml	\b, Device Metadata Package
1912!:mime	application/vnd.ms-cab-compressed
1913!:ext	devicemetadata-ms
1914# https://en.wikipedia.org/wiki/SNP_file_format
1915>>>&-1	string/c 	_accrpt_.snp	\b, Access report snapshot
1916!:mime	application/msaccess
1917!:ext	snp
1918# https://en.wikipedia.org/wiki/Microsoft_InfoPath
1919>>>&-1	string 		manifest.xsf	\b, InfoPath Form Template
1920!:mime	application/vnd.ms-cab-compressed
1921#!:mime	application/vnd.ms-infopath
1922!:ext	xsn
1923# https://www.cabextract.org.uk/wince_cab_format/
1924# extension of DOS 8+3 name with ".000" of 1st archive member name implies Windows CE installer
1925>>>&7	string 		=.000		\b, WinCE install
1926!:mime	application/vnd.ms-cab-compressed
1927!:ext	cab
1928
1929# https://support.microsoft.com/kb/934307/en-US
1930# All inspected MSU contain a file with name WSUSSCAN.cab
1931# that is called "Windows Update meta data" by Microsoft
1932>>>&-1	string/c 	wsusscan.cab	\b, Microsoft Standalone Update
1933!:mime	application/vnd.ms-cab-compressed
1934!:ext	msu
1935>>>&-1	default		x
1936# look at point character of 1st archive member name for file name extension
1937# GRR: search range may be too large and may match a point character elsewhere, as in EN600x64.cab!
1938>>>>&-1	search/255 	.
1939# http://www.pptfaq.com/FAQ00164_What_is_a_PPZ_file-.htm
1940# PPZ were created using Pack & Go feature of PowerPoint versions 97 - 2002
1941# packs optional files, a PowerPoint presentation *.ppt with optional PLAYLIST.LST to CAB
1942>>>>>&0	string/c	ppt\0
1943>>>>>>28 uleshort	>1		\b, PowerPoint Packed and Go
1944!:mime	application/vnd.ms-powerpoint
1945#!:mime	application/mspowerpoint
1946!:ext	ppz
1947# or POWERPNT.PPT packed as POWERPNT.PP_ found on Windows 2000,XP setup CD in directory i386
1948>>>>>>28 uleshort	=1		\b, one packed PowerPoint
1949!:mime	application/vnd.ms-cab-compressed
1950!:ext	pp_
1951# https://msdn.microsoft.com/en-us/library/windows/desktop/bb773190(v=vs.85).aspx
1952# first member *.theme implies Windows 7 Theme Pack like in CommunityShowcaseAqua3.themepack
1953# or Windows 8 Desktop Theme Pack like in PanoramicGlaciers.deskthemepack
1954>>>>>&0	string/c	theme		\b, Windows
1955!:mime	application/x-windows-themepack
1956# https://www.drewkeller.com/content/using-theme-both-windows-7-and-windows-8
1957# 1st member Panoramic.theme or Panoramas.theme implies Windows 8-10 Theme Pack
1958# with MTSM=RJSPBS in [MasterThemeSelector] inside *.theme
1959>>>>>>(16.l+16)	string	=Panoram	8
1960!:ext	deskthemepack
1961>>>>>>(16.l+16)	string	!Panoram	7 or 8
1962!:ext	themepack/deskthemepack
1963>>>>>>(16.l+16)	ubyte	x		Theme Pack
1964# URL:		https://en.wikipedia.org/wiki/Microsoft_OneNote#File_format
1965#		http://fileformats.archiveteam.org/wiki/OneNote
1966# Reference:	https://mark0.net/download/triddefs_xml.7z/defs/o/onepkg.trid.xml
1967# 1st member name like: "Class Notes.one" "test-onenote.one" "Open Notebook.onetoc2" "Editor öffnen.onetoc2"
1968>>>>>&0	string/c	one		\b, OneNote Package
1969!:mime	application/msonenote
1970!:ext	onepkg
1971>>>>>&0	default		x
1972# look for null terminator of 1st member name
1973>>>>>>&0	search/255 	\0
1974# 2nd member name WSUSSCAN.cab like in Microsoft-Windows-MediaFeaturePack-OOB-Package.msu
1975>>>>>>>&16	string/c 	wsusscan.cab	\b, Microsoft Standalone Update
1976!:mime	application/vnd.ms-cab-compressed
1977!:ext	msu
1978>>>>>>>&16	default	x
1979# archives with more than one file need some output in version 5.32 to avoid error messages like
1980# Magdir/msdos, 1138: Warning: Current entry does not yet have a description for adding a MIME type
1981# Magdir/msdos, 1139: Warning: Current entry does not yet have a description for adding a EXTENSION type
1982# file: could not find any valid magic files!
1983>>>>>>>>28	uleshort	>1	\b, many
1984!:mime	application/vnd.ms-cab-compressed
1985!:ext	cab
1986# remaining archives with just one file
1987>>>>>>>>28	uleshort	=1
1988# neither extra bytes nor cab chain implies Windows 2000,XP setup files in directory i386
1989>>>>>>>>>30	uleshort	=0x0000	\b, Windows 2000/XP setup
1990# cut off the last char of the source extension and add an underscore to generate the extension
1991# TERMCAP._ ... FXSCOUNT.H_ ... L3CODECA.AC_ ... NPDRMV2.ZI_
1992!:mime	application/vnd.ms-cab-compressed
1993!:ext	_/?_/??_
1994# archives need some output like "single" in version 5.32 to avoid error messages
1995>>>>>>>>>30	uleshort	!0x0000	\b, single
1996!:mime	application/vnd.ms-cab-compressed
1997!:ext	cab
1998# first archive name without point character
1999>>>>&-1	default		x
2000>>>>>28	uleshort	=1	\b, single
2001!:mime	application/vnd.ms-cab-compressed
2002# on XP_CD\I386\ like: NETWORKS._ PROTOCOL._ QUOTES._ SERVICES._
2003!:ext	_
2004>>>>>28	uleshort	>1	\b, many
2005!:mime	application/vnd.ms-cab-compressed
2006# like: HP Envy 6000 printer driver packages Full_x86.cab Full_x64.cab
2007!:ext	cab
2008# TODO: additional extensions like
2009# .xtp	InfoPath Template Part
2010# .lvf	Logitech Video Effects Face Accessory
2011>8	ulelong		x		\b, %u bytes
2012>28	uleshort		1		\b, 1 file
2013>28	uleshort		>1		\b, %u files
2014# Reserved fields, set to zero
2015#>4	belong		!0		\b, reserved1 %x
2016#>12	belong		!0		\b, reserved2 %x
2017# offset of the first CFFILE entry coffFiles: minimal 2Ch
2018>16	ulelong		x		\b, at %#x
2019>(16.l)	use		cab-file
2020# at least also 2nd member
2021>28	uleshort		>1
2022>>(16.l+16)	ubyte	x
2023>>>&0	search/255 	\0
2024# second member info
2025>>>>&0	use		cab-file
2026#>20	belong		!0		\b, reserved %x
2027# Cabinet file format version. Currently, versionMajor = 1 and versionMinor = 3
2028>24	ubeshort	!0x0301		\b version %#x
2029# number of CFFOLDER entries
2030>26	uleshort	>1		\b, %u cffolders
2031# cabinet file option indicators 1~PREVIOUS, 2~NEXT, 4~reserved fields
2032# only found for flags 0 1 2 3 4 not 7
2033>30	uleshort	>0		\b, flags %#x
2034# Cabinet files have a 16-bit cabinet setID field that is designed for application use.
2035# default is zero, however, the -i option of cabarc can be used to set this field
2036>32	uleshort	>0		\b, ID %u
2037# iCabinet is number of this cabinet file in a set, where 0 for the first cabinet
2038#>34	uleshort	x		\b, iCabinet %u
2039# add one for display because humans start numbering by 1 and also fit to name of disk szDisk*
2040>34	uleshort+1	x		\b, number %u
2041>30	uleshort	&0x0004		\b, extra bytes
2042# cbCFHeader optional size of per-cabinet reserved area 14h 1800h
2043>>36	uleshort	>0		%u in head
2044# cbCFFolder is optional size of per-folder reserved area
2045>>38	ubyte		>0		%u in folder
2046# cbCFData is optional size of per-datablock reserved area
2047>>39	ubyte		>0		%u in data block
2048# optional per-cabinet reserved area abReserve[cbCFHeader]
2049>>36	uleshort	>0
2050# 1st CFFOLDER after reserved area in header
2051>>>(36.s+40)	use			cab-folder
2052# no reserved area in header
2053>30	uleshort	^0x0004
2054# no previous and next cab archive
2055>>30	uleshort		=0x0000
2056>>>36	use				cab-folder
2057# only previous cab archive
2058>>30	uleshort		=0x0001	\b, previous
2059>>>36	use				cab-anchor
2060# only next cab archive
2061>>30	uleshort		=0x0002	\b, next
2062>>>36	use				cab-anchor
2063# previous+next cab archive
2064# can not use sub routine cab-anchor to display previous and next cabinet together
2065#>>>36	use				cab-anchor
2066#>>>>&0	use				cab-anchor
2067>>30	uleshort		=0x0003	\b, previous
2068>>>36	string		x		%s
2069# optional name of previous disk szDisk*
2070>>>>&1	string		x		disk %s
2071>>>>>&1	string		x		\b, next %s
2072# optional name of next disk szDisk*
2073>>>>>>&1	string		x	disk %s
2074>>>>>>>&1	use			cab-folder
2075#	display filename and disk name of previous or next cabinet
20760       name    			cab-anchor
2077# optional name of previous/next cabinet file szCabinet*[255]
2078>&0	string		x		%s
2079# optional name of previous/next disk szDisk*[255]
2080>>&1	string		x		disk %s
2081#	display folder structure CFFOLDER information like compression of cabinet
20820       name    			cab-folder
2083# offset of the CFDATA block in this folder
2084#>0	ulelong		x		\b, coffCabStart %#x
2085# number of CFDATA blocks in folder
2086>4	uleshort	x		\b, %u datablock
2087# plural s
2088>4	uleshort	>1		\bs
2089# compression typeCompress: 0~None 1~MSZIP 0x1503~LZX:21 0x1003~LZX:16 0x0f03~LZX:15
2090>6	uleshort	x		\b, %#x compression
2091# optional per-folder reserved area
2092#>8	ubequad		x		\b, abReserve %#llx
2093#	display member structure CFFILE information like member name of cabinet
# All values below are read from the CFFILE record as stored in the archive;
# this routine displays them and validates none of them.
20940       name    			cab-file
2095# cbFile is uncompressed size of file in bytes
2096#>0	ulelong		x		\b, cbFile %u
2097# uoffFolderStart is uncompressed offset of file in folder
2098#>4	ulelong		>0		\b, uoffFolderStart %#x
2099# iFolder is index into the CFFOLDER area. 0 indicates first folder in cabinet
2100# define ifoldCONTINUED_FROM_PREV      (0xFFFD)
2101# define ifoldCONTINUED_TO_NEXT        (0xFFFE)
2102# define ifoldCONTINUED_PREV_AND_NEXT  (0xFFFF)
2103>8	uleshort	>0		\b, iFolder %#x
2104# date stamp for file
2105>10	lemsdosdate	x		last modified %s
2106# time stamp for file
2107>12	lemsdostime	x		%s
2108# attribs is attribute flags for file
2109# define  _A_RDONLY       (0x01)  file is read-only
2110# define  _A_HIDDEN       (0x02)  file is hidden
2111# define  _A_SYSTEM       (0x04)  file is a system file
2112# define  _A_ARCH         (0x20)  file modified since last backup
2113# example http://sebastien.kirche.free.fr/pebuilder_plugins/depends.cab
2114# define  _A_EXEC         (0x40)  run after extraction
2115# define  _A_NAME_IS_UTF  (0x80)  szName[] contains UTF
2116# define  UNKNOWN       (0x0100)  undocumented or accident
2117#>14	uleshort	x		\b, attribs %#x
# a "+" is printed when any attribute bit is set, followed by one letter per flag
2118>14	uleshort	>0		+
2119>>14	uleshort	&0x0001		\bR
2120>>14	uleshort	&0x0002		\bH
2121>>14	uleshort	&0x0004		\bS
2122>>14	uleshort	&0x0020		\bA
# X = _A_EXEC: the member is flagged to be run after extraction. Worth
# surfacing when triaging a cabinet from an untrusted source.
2123>>14	uleshort	&0x0040		\bX
2124>>14	uleshort	&0x0080		\bUtf
2125# unknown 0x0100 flag found on one XP_CD:\I386\DRIVER.CAB
2126>>14	uleshort	&0x0100		\b?
2127# szName is name of archive member
# The name is printed as stored. It is untrusted input: whatever extracts the
# archive has to validate it (path separators, "..", absolute paths); this
# rule only displays it.
2128>16	string		x		"%s"
2129# next archive member name if more files
2130#>>&17	string		>\0		\b, NEXT NAME %-.50s
2131
2132# InstallShield Cabinet files
# Review notes:
# - any high nibble other than 0x6 at offset 5 is reported as "version 4/5",
#   so that label is a fallback rather than a positive identification
# - the file count is fetched through an indirect offset (32-bit value at 12,
#   plus 40); offset and count both come from the file and are not range
#   checked here, so read the count as a hint only
21330	string/b	ISc(		InstallShield Cabinet archive data
2134>5	byte&0xf0	=0x60		version 6,
2135>5	byte&0xf0	!0x60		version 4/5,
2136>(12.l+40)	lelong	x		%u files
2137
2138# Windows CE package files
# Fields used below, as implied by the messages: 20 = target architecture code,
# 52 = number of files, 56 = number of registry entries.
# An architecture code that is not listed prints nothing, and a count of 0 is
# not reported either.
# NOTE(review): a non-zero registry entry count presumably means the package
# carries registry changes to apply on install - useful when triaging;
# confirm against the format description.
21390	string/b	MSCE\0\0\0\0	Microsoft WinCE install header
2140>20	lelong		0		\b, architecture-independent
2141>20	lelong		103		\b, Hitachi SH3
2142>20	lelong		104		\b, Hitachi SH4
2143>20	lelong		0xA11		\b, StrongARM
2144>20	lelong		4000		\b, MIPS R4000
2145>20	lelong		10003		\b, Hitachi SH3
2146>20	lelong		10004		\b, Hitachi SH3E
2147>20	lelong		10005		\b, Hitachi SH4
2148>20	lelong		70001		\b, ARM 7TDMI
2149>52	leshort		1		\b, 1 file
2150>52	leshort		>1		\b, %u files
2151>56	leshort		1		\b, 1 registry entry
2152>56	leshort		>1		\b, %u registry entries
2153
2154
2155# Windows Enhanced Metafile (EMF)
2156# See msdn.microsoft.com/archive/en-us/dnargdi/html/msdn_enhmeta.asp
2157# for further information.
# The 32-bit value 1 at offset 0 is only a pre-filter and prints nothing by
# itself; the description is emitted once " EMF" is also found at offset 40.
21580	ulelong 1
2159>40	string	\ EMF		Windows Enhanced Metafile (EMF) image data
2160>>44	ulelong x		version %#x
2161
2162
# Only three bytes (octal 224 246 056 = 0x94 0xA6 0x2E) at offset 0 are tested
# and nothing else, so unrelated binary data can match. Do not use this label
# on its own for upload filtering or allow/deny decisions.
21630	string/b	\224\246\056		Microsoft Word Document
2164!:mime	application/msword
2165
2166# From: "Nelson A. de Oliveira" <naoliv@gmail.com>
2167# Magic type for Dell's BIOS .hdr files
2168# Dell's .hdr
# The byte at offset 5 selects how the version at offset 48 is shown:
# value 2 -> three numeric bytes (48, 49, 50), value < 2 -> the first three
# characters of a string. Any other value prints no version.
# NOTE(review): 'byte' is a signed type, so "<2" presumably also accepts
# 0x80..0xFF; confirm whether 'ubyte' was intended.
21690	string/b $RBU
2170>23	string Dell			%s system BIOS
2171>5	byte   2
2172>>48	byte   x			version %d.
2173>>49	byte   x			\b%d.
2174>>50	byte   x			\b%d
2175>5	byte   <2
2176>>48	string x			version %.3s
2177
2178# Type: Microsoft Document Imaging Format (.mdi)
2179# URL:	https://en.wikipedia.org/wiki/Microsoft_Document_Imaging_Format
2180# From: Daniele Sempione <scrows@oziosi.org>
2181# Too weak (EP)
2182#0	short	0x5045			Microsoft Document Imaging Format
2183
2184# MS eBook format (.lit)
21850	string/b	ITOLITLS		Microsoft Reader eBook Data
2186>8	lelong	x			\b, version %u
2187!:mime					application/x-ms-reader
2188
2189# Windows CE Binary Image Data Format
2190# From: Dr. Jesus <j@hug.gs>
21910	string/b	B000FF\n	Windows Embedded CE binary image
2192
2193# The second byte of these signatures is a file version; I don't know what,
2194# if anything, produced files with version numbers 0-2.
2195# From: John Elliott <johne@seasip.demon.co.uk>
# Per the labels below the third byte separates plain (0x00) from protected
# (0x01) programs. Each signature is three bytes long and has no follow-up
# test, so a match is a weak indication only.
21960	string	\xfc\x03\x00	Mallard BASIC program data (v1.11)
21970	string	\xfc\x04\x00	Mallard BASIC program data (v1.29+)
21980	string	\xfc\x03\x01	Mallard BASIC protected program data (v1.11)
21990	string	\xfc\x04\x01	Mallard BASIC protected program data (v1.29+)
2200
22010	string	MIOPEN		Mallard BASIC Jetsam data
22020	string	Jetsam0		Mallard BASIC Jetsam index data
2203
2204# DOS backup 2.0 to 3.2
2205# URL:		http://fileformats.archiveteam.org/wiki/BACKUP_(MS-DOS)
2206# Reference:	http://www.ibiblio.org/pub/micro/pc-stuff/freedos/files/dos/restore/brtecdoc.htm
2207# backupid.@@@
2208
2209# plausibility check for date
# Layout implied by the tests: a 16-bit year at 3 (must be > 1979), then two
# one-byte fields at 5 and 6 accepted in the ranges 1..31 and 1..12. The
# "ubyte-1 <N" form presumably relies on 0 wrapping around so that 0 is rejected.
# NOTE(review): 'ushort' is read in host byte order, unlike the 'uleshort'
# used elsewhere in this file; on a big-endian host the year test would see
# swapped bytes - confirm whether 'uleshort' is intended.
# The match rests on these range checks plus eight NUL bytes, so it is a
# heuristic; do not treat the label as proof of the file type.
22100x3	ushort	>1979
2211>0x5	ubyte-1 <31
2212>>0x6	ubyte-1 <12
2213# actually 121 nul bytes
2214>>>0x7	string	\0\0\0\0\0\0\0\0
# NOTE(review): the sequence is printed from one byte at 0x1 here, while the
# backed-up-file rule in this file reads a 16-bit value at offset 1 - confirm
# the field width.
2215>>>>0x1 ubyte	x	DOS 2.0 backup id file, sequence %d
2216#!:mime	application/octet-stream
2217!:ext @@@
2218>>>>0x0 ubyte	0xff	\b, last disk
2219
2220# backed up file
2221
# There is no fixed signature for this format: the match is a chain of
# plausibility checks on the 128-byte header, so false positives are possible.
2222# skip some AppleWorks word like Tomahawk.Awp, WIN98SE-DE.vhd
2223# by looking for trailing nul of maximal file name string
22240x52	ubyte	0
2225# test for flag byte: FFh~complete file, 00h~split file
2226# FFh -127 =	-1 -127 =	-128
2227# 00h -127 =	 0 -127 =	-127
2228>0	byte-127	<-126
2229# plausibility check for file name length
2230>>0x53	ubyte-1	<78
2231# looking for terminating nul of file name string
2232>>>(0x53.b+4)	ubyte	0
2233# looking if last char of string is valid DOS file name
2234>>>>(0x53.b+3)	ubyte	>0x1F
2235# actually 44 nul bytes
2236# but sometimes garbage according to Ralf Quint. So can not be used as test
2237#>0x54	string	\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
2238# first char of full file name is DOS (5Ch) or UNIX (2Fh) path separator
2239# only DOS variant found. UNIX variant according to V32SLASH.TXT in archive PD0315.EXE
# the mask keeps bits 7, 3 and 2 only: 5Ch and 2Fh both give 0Ch, but so does
# every other byte with bit 7 clear and bits 3 and 2 set, so this is a
# plausibility check rather than an exact comparison
2240>>>>>5	ubyte&0x8C	0x0C
2241# ./msdos (version 5.30) labeled the entry as
2242# "DOS 2.0 backed up file %s, split file, sequence %d" or
2243# "DOS 2.0 backed up file %s, complete file"
2244>>>>>>0	ubyte	x	DOS 2.0-3.2 backed up
2245#>>>>>>0	ubyte	0xff	complete
2246>>>>>>0	ubyte	0
2247>>>>>>>1 uleshort	x	sequence %d of
2248# full file name with path but without drive letter and colon stored from 0x05 til 0x52
# the path is printed as stored in the header; it is untrusted input and is
# not validated here
2249>>>>>>0x5	string	x	file %s
2250#!:mime	application/octet-stream
2251# backup name is original filename
2252#!:ext	doc/exe/rar/zip
2253#!:ext	*
2254# magic/Magdir/msdos, 1169: Warning: EXTENSION type `     *' has bad char '*'
2255# file: line 1169: Bad magic entry '  *'
2256# after header original file content
# 'indirect' re-runs the magic database on the data at offset 128, i.e. the
# original file content behind the header, and appends that result after ';'.
# The wrapped content is as untrusted as the container: base handling
# decisions on the part after ';' too, not on the backup label alone.
# file(1) bounds the depth of indirect recursion (its -P indir parameter).
2257>>>>>>128	indirect x	\b;
2258
2259
2260# DOS backup 3.3 to 5.x
2261
2262# CONTROL.nnn files
# Matched on the 8-byte prefix at offset 0 plus NUL bytes at 0xa; the byte at
# 0x9 is printed as the sequence number and 0xff at 0x8a marks the last disk.
22630	string	\x8bBACKUP\x20
2264# actually 128 nul bytes
# only the first 8 of them are compared
2265>0xa	string	\0\0\0\0\0\0\0\0
2266>>0x9	ubyte	x	DOS 3.3 backup control file, sequence %d
2267>>0x8a	ubyte	0xff	\b, last disk
2268
2269# NB: The BACKUP.nnn files consist of the files backed up,
2270# concatenated.
2271
2272# From:		Joerg Jenderek
2273# URL:		http://fileformats.archiveteam.org/wiki/MS-DOS_date/time
2274# Reference:	https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-dosdatetimetofiletime
2275# Note:		DOS date+time format is different from formats such as Unix epoch
2276#		bit encoded; uses year values relative to 1980 and 2 second precision
22770	name		dos-date
2278# HHHHHMMMMMMSSSSS bit encoded Hour (0-23) Minute (0-59) SecondPart (*2)
2279#>0	uleshort	x	RAW TIME [%#4.4x]
2280# hour part
2281#>0	uleshort/2048	x	hour [%u]
2282# YYYYYYYMMMMDDDDD bit encoded YearPart (+1980) Month (1-12) Day (1-31)
2283#>2	uleshort	x	RAW DATE [%#4.4x]
2284# day part
2285>2	uleshort&0x001F	x	%u
2286#>2	uleshort/16	x	MONTH PART [%#x]
2287# GRR: not working
2288#>2	uleshort/16	&0x000F	MONTH [%u]
2289#>2	uleshort&0x01E0	x	MONTH PART [%#4.4x]
2290>2	uleshort&0x01E0	=0x0020	jan
2291>2	uleshort&0x01E0	=0x0040	feb
2292>2	uleshort&0x01E0	=0x0060	mar
2293>2	uleshort&0x01E0	=0x0080	apr
2294>2	uleshort&0x01E0	=0x00A0	may
2295>2	uleshort&0x01E0	=0x00C0	jun
2296>2	uleshort&0x01E0	=0x00E0	jul
2297>2	uleshort&0x01E0	=0x0100	aug
2298>2	uleshort&0x01E0	=0x0120	sep
2299>2	uleshort&0x01E0	=0x0140	oct
2300>2	uleshort&0x01E0	=0x0160	nov
2301>2	uleshort&0x01E0	=0x0180	dec
2302# year part
2303>2	uleshort/512	x	1980+%u
2304#
2305