xref: /freebsd/contrib/file/magic/Magdir/msdos (revision 273c26a3c3bea87a241d6879abd4f991db180bf0)
1
2#------------------------------------------------------------------------------
3# $File: msdos,v 1.106 2016/06/11 00:52:14 christos Exp $
4# msdos:  file(1) magic for MS-DOS files
5#
6
7# .BAT files (Daniel Quinlan, quinlan@yggdrasil.com)
8# updated by Joerg Jenderek at Oct 2008,Apr 2011
90	string/t	@
10>1	string/cW	\ echo\ off	DOS batch file text
11!:mime	text/x-msdos-batch
12>1	string/cW	echo\ off	DOS batch file text
13!:mime	text/x-msdos-batch
14>1	string/cW	rem		DOS batch file text
15!:mime	text/x-msdos-batch
16>1	string/cW	set\ 		DOS batch file text
17!:mime	text/x-msdos-batch
18
19
20# OS/2 batch files are REXX. the second regex is a bit generic, oh well
21# the matched commands seem to be common in REXX and uncommon elsewhere
22100	search/0xffff   rxfuncadd
23>100	regex/c =^[\ \t]{0,10}call[\ \t]{1,10}rxfunc	OS/2 REXX batch file text
24100	search/0xffff   say
25>100	regex/c =^[\ \t]{0,10}say\ ['"]			OS/2 REXX batch file text
26
27# updated by Joerg Jenderek at Oct 2015
28# https://de.wikipedia.org/wiki/Common_Object_File_Format
29# http://www.delorie.com/djgpp/doc/coff/filhdr.html
30# ./intel already labeled COFF type 0x14c=0514 as "80386 COFF executable"
31#0	leshort		0x14c	MS Windows COFF Intel 80386 object file
32#>4	ledate		x	stamp %s
330	leshort		0x166	MS Windows COFF MIPS R4000 object file
34#>4	ledate		x	stamp %s
350	leshort		0x184	MS Windows COFF Alpha object file
36#>4	ledate		x	stamp %s
370	leshort		0x268	MS Windows COFF Motorola 68000 object file
38#>4	ledate		x	stamp %s
390	leshort		0x1f0	MS Windows COFF PowerPC object file
40#>4	ledate		x	stamp %s
410	leshort		0x290	MS Windows COFF PA-RISC object file
42#>4	ledate		x	stamp %s
43
44# Tests for various EXE types.
45#
46# Many of the compressed formats were extraced from IDARC 1.23 source code.
47#
480	string/b	MZ
49# All non-DOS EXE extensions have the relocation table more than 0x40 bytes into the file.
50>0x18	leshort <0x40 MS-DOS executable
51!:mime	application/x-dosexec
52# These traditional tests usually work but not always.  When test quality support is
53# implemented these can be turned on.
54#>>0x18	leshort	0x1c	(Borland compiler)
55#>>0x18	leshort	0x1e	(MS compiler)
56
57# If the relocation table is 0x40 or more bytes into the file, it's definitely
58# not a DOS EXE.
59>0x18  leshort >0x3f
60
61# Maybe it's a PE?
62>>(0x3c.l) string PE\0\0 PE
63!:mime	application/x-dosexec
64>>>(0x3c.l+24)	leshort		0x010b	\b32 executable
65>>>(0x3c.l+24)	leshort		0x020b	\b32+ executable
66>>>(0x3c.l+24)	leshort		0x0107	ROM image
67>>>(0x3c.l+24)	default		x	Unknown PE signature
68>>>>&0 		leshort		x	0x%x
69>>>(0x3c.l+22)	leshort&0x2000	>0	(DLL)
70>>>(0x3c.l+92)	leshort		1	(native)
71>>>(0x3c.l+92)	leshort		2	(GUI)
72>>>(0x3c.l+92)	leshort		3	(console)
73>>>(0x3c.l+92)	leshort		7	(POSIX)
74>>>(0x3c.l+92)	leshort		9	(Windows CE)
75>>>(0x3c.l+92)	leshort		10	(EFI application)
76>>>(0x3c.l+92)	leshort		11	(EFI boot service driver)
77>>>(0x3c.l+92)	leshort		12	(EFI runtime driver)
78>>>(0x3c.l+92)	leshort		13	(EFI ROM)
79>>>(0x3c.l+92)	leshort		14	(XBOX)
80>>>(0x3c.l+92)	leshort		15	(Windows boot application)
81>>>(0x3c.l+92)	default		x	(Unknown subsystem
82>>>>&0		leshort		x	0x%x)
83>>>(0x3c.l+4)	leshort		0x14c	Intel 80386
84>>>(0x3c.l+4)	leshort		0x166	MIPS R4000
85>>>(0x3c.l+4)	leshort		0x168	MIPS R10000
86>>>(0x3c.l+4)	leshort		0x184	Alpha
87>>>(0x3c.l+4)	leshort		0x1a2	Hitachi SH3
88>>>(0x3c.l+4)	leshort		0x1a6	Hitachi SH4
89>>>(0x3c.l+4)	leshort		0x1c0	ARM
90>>>(0x3c.l+4)	leshort		0x1c2	ARM Thumb
91>>>(0x3c.l+4)	leshort		0x1c4	ARMv7 Thumb
92>>>(0x3c.l+4)	leshort		0x1f0	PowerPC
93>>>(0x3c.l+4)	leshort		0x200	Intel Itanium
94>>>(0x3c.l+4)	leshort		0x266	MIPS16
95>>>(0x3c.l+4)	leshort		0x268	Motorola 68000
96>>>(0x3c.l+4)	leshort		0x290	PA-RISC
97>>>(0x3c.l+4)	leshort		0x366	MIPSIV
98>>>(0x3c.l+4)	leshort		0x466	MIPS16 with FPU
99>>>(0x3c.l+4)	leshort		0xebc	EFI byte code
100>>>(0x3c.l+4)	leshort		0x8664	x86-64
101>>>(0x3c.l+4)	leshort		0xc0ee	MSIL
102>>>(0x3c.l+4)	default		x	Unknown processor type
103>>>>&0		leshort		x	0x%x
104>>>(0x3c.l+22)	leshort&0x0200	>0	(stripped to external PDB)
105>>>(0x3c.l+22)	leshort&0x1000	>0	system file
106>>>(0x3c.l+24)	leshort		0x010b
107>>>>(0x3c.l+232) lelong	>0	Mono/.Net assembly
108>>>(0x3c.l+24)	leshort		0x020b
109>>>>(0x3c.l+248) lelong	>0	Mono/.Net assembly
110
111# hooray, there's a DOS extender using the PE format, with a valid PE
112# executable inside (which just prints a message and exits if run in win)
113>>>(8.s*16)		string		32STUB	\b, 32rtm DOS extender
114>>>(8.s*16)		string		!32STUB	\b, for MS Windows
115>>>(0x3c.l+0xf8)	string		UPX0 \b, UPX compressed
116>>>(0x3c.l+0xf8)	search/0x140	PEC2 \b, PECompact2 compressed
117>>>(0x3c.l+0xf8)	search/0x140	UPX2
118>>>>(&0x10.l+(-4))	string		PK\3\4 \b, ZIP self-extracting archive (Info-Zip)
119>>>(0x3c.l+0xf8)	search/0x140	.idata
120>>>>(&0xe.l+(-4))	string		PK\3\4 \b, ZIP self-extracting archive (Info-Zip)
121>>>>(&0xe.l+(-4))	string		ZZ0 \b, ZZip self-extracting archive
122>>>>(&0xe.l+(-4))	string		ZZ1 \b, ZZip self-extracting archive
123>>>(0x3c.l+0xf8)	search/0x140	.rsrc
124>>>>(&0x0f.l+(-4))	string		a\\\4\5 \b, WinHKI self-extracting archive
125>>>>(&0x0f.l+(-4))	string		Rar! \b, RAR self-extracting archive
126>>>>(&0x0f.l+(-4))	search/0x3000	MSCF \b, InstallShield self-extracting archive
127>>>>(&0x0f.l+(-4))	search/32	Nullsoft \b, Nullsoft Installer self-extracting archive
128>>>(0x3c.l+0xf8)	search/0x140	.data
129>>>>(&0x0f.l)		string		WEXTRACT \b, MS CAB-Installer self-extracting archive
130>>>(0x3c.l+0xf8)	search/0x140	.petite\0 \b, Petite compressed
131>>>>(0x3c.l+0xf7)	byte		x
132>>>>>(&0x104.l+(-4))	string		=!sfx! \b, ACE self-extracting archive
133>>>(0x3c.l+0xf8)	search/0x140	.WISE \b, WISE installer self-extracting archive
134>>>(0x3c.l+0xf8)	search/0x140	.dz\0\0\0 \b, Dzip self-extracting archive
135>>>&(0x3c.l+0xf8)	search/0x100	_winzip_ \b, ZIP self-extracting archive (WinZip)
136>>>&(0x3c.l+0xf8)	search/0x100	SharedD \b, Microsoft Installer self-extracting archive
137>>>0x30			string		Inno \b, InnoSetup self-extracting archive
138
139# Hmm, not a PE but the relocation table is too high for a traditional DOS exe,
140# must be one of the unusual subformats.
141>>(0x3c.l) string !PE\0\0 MS-DOS executable
142!:mime	application/x-dosexec
143
144>>(0x3c.l)		string		NE \b, NE
145!:mime	application/x-dosexec
146>>>(0x3c.l+0x36)	byte		1 for OS/2 1.x
147>>>(0x3c.l+0x36)	byte		2 for MS Windows 3.x
148>>>(0x3c.l+0x36)	byte		3 for MS-DOS
149>>>(0x3c.l+0x36)	byte		4 for Windows 386
150>>>(0x3c.l+0x36)	byte		5 for Borland Operating System Services
151>>>(0x3c.l+0x36)	default		x
152>>>>(0x3c.l+0x36)	byte		x (unknown OS %x)
153>>>(0x3c.l+0x36)	byte		0x81 for MS-DOS, Phar Lap DOS extender
154>>>(0x3c.l+0x0c)	leshort&0x8003	0x8002 (DLL)
155>>>(0x3c.l+0x0c)	leshort&0x8003	0x8001 (driver)
156>>>&(&0x24.s-1)		string		ARJSFX \b, ARJ self-extracting archive
157>>>(0x3c.l+0x70)	search/0x80	WinZip(R)\ Self-Extractor \b, ZIP self-extracting archive (WinZip)
158
159>>(0x3c.l)		string		LX\0\0 \b, LX
160!:mime	application/x-dosexec
161>>>(0x3c.l+0x0a)	leshort		<1 (unknown OS)
162>>>(0x3c.l+0x0a)	leshort		1 for OS/2
163>>>(0x3c.l+0x0a)	leshort		2 for MS Windows
164>>>(0x3c.l+0x0a)	leshort		3 for DOS
165>>>(0x3c.l+0x0a)	leshort		>3 (unknown OS)
166>>>(0x3c.l+0x10)	lelong&0x28000	=0x8000 (DLL)
167>>>(0x3c.l+0x10)	lelong&0x20000	>0 (device driver)
168>>>(0x3c.l+0x10)	lelong&0x300	0x300 (GUI)
169>>>(0x3c.l+0x10)	lelong&0x28300	<0x300 (console)
170>>>(0x3c.l+0x08)	leshort		1 i80286
171>>>(0x3c.l+0x08)	leshort		2 i80386
172>>>(0x3c.l+0x08)	leshort		3 i80486
173>>>(8.s*16)		string		emx \b, emx
174>>>>&1			string		x %s
175>>>&(&0x54.l-3)		string		arjsfx \b, ARJ self-extracting archive
176
177# MS Windows system file, supposedly a collection of LE executables
178>>(0x3c.l)		string		W3 \b, W3 for MS Windows
179!:mime	application/x-dosexec
180
181>>(0x3c.l)		string		LE\0\0 \b, LE executable
182!:mime	application/x-dosexec
183>>>(0x3c.l+0x0a)	leshort		1
184# some DOS extenders use LE files with OS/2 header
185>>>>0x240		search/0x100	DOS/4G for MS-DOS, DOS4GW DOS extender
186>>>>0x240		search/0x200	WATCOM\ C/C++ for MS-DOS, DOS4GW DOS extender
187>>>>0x440		search/0x100	CauseWay\ DOS\ Extender for MS-DOS, CauseWay DOS extender
188>>>>0x40		search/0x40	PMODE/W for MS-DOS, PMODE/W DOS extender
189>>>>0x40		search/0x40	STUB/32A for MS-DOS, DOS/32A DOS extender (stub)
190>>>>0x40		search/0x80	STUB/32C for MS-DOS, DOS/32A DOS extender (configurable stub)
191>>>>0x40		search/0x80	DOS/32A for MS-DOS, DOS/32A DOS extender (embedded)
192# this is a wild guess; hopefully it is a specific signature
193>>>>&0x24		lelong		<0x50
194>>>>>(&0x4c.l)		string		\xfc\xb8WATCOM
195>>>>>>&0		search/8	3\xdbf\xb9 \b, 32Lite compressed
196# another wild guess: if real OS/2 LE executables exist, they probably have higher start EIP
197#>>>>(0x3c.l+0x1c)	lelong		>0x10000 for OS/2
198# fails with DOS-Extenders.
199>>>(0x3c.l+0x0a)	leshort		2 for MS Windows
200>>>(0x3c.l+0x0a)	leshort		3 for DOS
201>>>(0x3c.l+0x0a)	leshort		4 for MS Windows (VxD)
202>>>(&0x7c.l+0x26)	string		UPX \b, UPX compressed
203>>>&(&0x54.l-3)		string		UNACE \b, ACE self-extracting archive
204
205# looks like ASCII, probably some embedded copyright message.
206# and definitely not NE/LE/LX/PE
207>>0x3c		lelong	>0x20000000
208>>>(4.s*512)	leshort !0x014c \b, MZ for MS-DOS
209!:mime	application/x-dosexec
210# header data too small for extended executable
211>2		long	!0
212>>0x18		leshort <0x40
213>>>(4.s*512)	leshort !0x014c
214
215>>>>&(2.s-514)	string	!LE
216>>>>>&-2	string	!BW \b, MZ for MS-DOS
217!:mime	application/x-dosexec
218>>>>&(2.s-514)	string	LE \b, LE
219>>>>>0x240	search/0x100	DOS/4G for MS-DOS, DOS4GW DOS extender
220# educated guess since indirection is still not capable enough for complex offset
221# calculations (next embedded executable would be at &(&2*512+&0-2)
222# I suspect there are only LE executables in these multi-exe files
223>>>>&(2.s-514)	string	BW
224>>>>>0x240	search/0x100	DOS/4G	\b, LE for MS-DOS, DOS4GW DOS extender (embedded)
225>>>>>0x240	search/0x100	!DOS/4G	\b, BW collection for MS-DOS
226
227# This sequence skips to the first COFF segment, usually .text
228>(4.s*512)	leshort		0x014c \b, COFF
229!:mime	application/x-dosexec
230>>(8.s*16)	string		go32stub for MS-DOS, DJGPP go32 DOS extender
231>>(8.s*16)	string		emx
232>>>&1		string		x for DOS, Win or OS/2, emx %s
233>>&(&0x42.l-3)	byte		x
234>>>&0x26	string		UPX \b, UPX compressed
235# and yet another guess: small .text, and after large .data is unusal, could be 32lite
236>>&0x2c		search/0xa0	.text
237>>>&0x0b	lelong		<0x2000
238>>>>&0		lelong		>0x6000 \b, 32lite compressed
239
240>(8.s*16) string $WdX \b, WDos/X DOS extender
241
242# By now an executable type should have been printed out.  The executable
243# may be a self-uncompressing archive, so look for evidence of that and
244# print it out.
245#
246# Some signatures below from Greg Roelofs, newt@uchicago.edu.
247#
248>0x35	string	\x8e\xc0\xb9\x08\x00\xf3\xa5\x4a\x75\xeb\x8e\xc3\x8e\xd8\x33\xff\xbe\x30\x00\x05 \b, aPack compressed
249>0xe7	string	LH/2\ 	Self-Extract \b, %s
250>0x1c	string	UC2X	\b, UCEXE compressed
251>0x1c	string	WWP\ 	\b, WWPACK compressed
252>0x1c	string	RJSX 	\b, ARJ self-extracting archive
253>0x1c	string	diet 	\b, diet compressed
254>0x1c	string	LZ09 	\b, LZEXE v0.90 compressed
255>0x1c	string	LZ91 	\b, LZEXE v0.91 compressed
256>0x1c	string	tz 	\b, TinyProg compressed
257>0x1e	string	Copyright\ 1989-1990\ PKWARE\ Inc.	Self-extracting PKZIP archive
258!:mime	application/zip
259# Yes, this really is "Copr", not "Corp."
260>0x1e	string	PKLITE\ Copr.	Self-extracting PKZIP archive
261!:mime	application/zip
262# winarj stores a message in the stub instead of the sig in the MZ header
263>0x20	search/0xe0	aRJsfX \b, ARJ self-extracting archive
264>0x20	string AIN
265>>0x23	string 2	\b, AIN 2.x compressed
266>>0x23	string <2	\b, AIN 1.x compressed
267>>0x23	string >2	\b, AIN 1.x compressed
268>0x24	string	LHa's\ SFX \b, LHa self-extracting archive
269!:mime	application/x-lha
270>0x24	string	LHA's\ SFX \b, LHa self-extracting archive
271!:mime	application/x-lha
272>0x24	string	\ $ARX \b, ARX self-extracting archive
273>0x24	string	\ $LHarc \b, LHarc self-extracting archive
274>0x20	string	SFX\ by\ LARC \b, LARC self-extracting archive
275>0x40	string aPKG \b, aPackage self-extracting archive
276>0x64	string	W\ Collis\0\0 \b, Compack compressed
277>0x7a	string		Windows\ self-extracting\ ZIP	\b, ZIP self-extracting archive
278>>&0xf4 search/0x140 \x0\x40\x1\x0
279>>>(&0.l+(4)) string MSCF \b, WinHKI CAB self-extracting archive
280>1638	string	-lh5- \b, LHa self-extracting archive v2.13S
281>0x17888 string Rar! \b, RAR self-extracting archive
282
283# Skip to the end of the EXE.  This will usually work fine in the PE case
284# because the MZ image is hardcoded into the toolchain and almost certainly
285# won't match any of these signatures.
286>(4.s*512)	long	x
287>>&(2.s-517)	byte	x
288>>>&0	string		PK\3\4 \b, ZIP self-extracting archive
289>>>&0	string		Rar! \b, RAR self-extracting archive
290>>>&0	string		=!\x11 \b, AIN 2.x self-extracting archive
291>>>&0	string		=!\x12 \b, AIN 2.x self-extracting archive
292>>>&0	string		=!\x17 \b, AIN 1.x self-extracting archive
293>>>&0	string		=!\x18 \b, AIN 1.x self-extracting archive
294>>>&7	search/400	**ACE** \b, ACE self-extracting archive
295>>>&0	search/0x480	UC2SFX\ Header \b, UC2 self-extracting archive
296
297# a few unknown ZIP sfxes, no idea if they are needed or if they are
298# already captured by the generic patterns above
299>(8.s*16)	search/0x20	PKSFX \b, ZIP self-extracting archive (PKZIP)
300# TODO: how to add this? >FileSize-34 string Windows\ Self-Installing\ Executable \b, ZIP self-extracting archive
301#
302
303# TELVOX Teleinformatica CODEC self-extractor for OS/2:
304>49801	string	\x79\xff\x80\xff\x76\xff	\b, CODEC archive v3.21
305>>49824 leshort		=1			\b, 1 file
306>>49824 leshort		>1			\b, %u files
307
308# added by Joerg Jenderek of http://www.freedos.org/software/?prog=kc
309# and http://www.freedos.org/software/?prog=kpdos
310# for FreeDOS files like KEYBOARD.SYS, KEYBRD2.SYS, KEYBRD3.SYS, *.KBD
3110	string/b	KCF		FreeDOS KEYBoard Layout collection
312# only version=0x100 found
313>3	uleshort	x		\b, version 0x%x
314# length of string containing author,info and special characters
315>6	ubyte		>0
316#>>6	pstring		x		\b, name=%s
317>>7	string		>\0		\b, author=%-.14s
318>>7	search/254	\xff		\b, info=
319#>>>&0	string		x		\b%-s
320>>>&0	string		x		\b%-.15s
321# for FreeDOS *.KL files
3220	string/b	KLF		FreeDOS KEYBoard Layout file
323# only version=0x100 or 0x101 found
324>3	uleshort	x		\b, version 0x%x
325# stringlength
326>5	ubyte		>0
327>>8	string		x		\b, name=%-.2s
3280	string	\xffKEYB\ \ \ \0\0\0\0
329>12	string	\0\0\0\0`\004\360	MS-DOS KEYBoard Layout file
330
331# .COM formats (Daniel Quinlan, quinlan@yggdrasil.com)
332# Uncommenting only the first two lines will cover about 2/3 of COM files,
333# but it isn't feasible to match all COM files since there must be at least
334# two dozen different one-byte "magics".
335# test too generic ?
3360	byte		0xe9		DOS executable (COM)
337>0x1FE leshort		0xAA55		\b, boot code
338>6	string		SFX\ of\ LHarc	(%s)
339
340# DOS device driver updated by Joerg Jenderek at May 2011
341# http://maben.homeip.net/static/S100/IBM/software/DOS/DOS%20techref/CHAPTER.009
3420	ulequad&0x07a0ffffffff		0xffffffff		DOS executable (
343>40	search/7			UPX!			\bUPX compressed
344# DOS device driver attributes
345>4	uleshort&0x8000			0x0000			\bblock device driver
346# character device
347>4	uleshort&0x8000			0x8000			\b
348>>4	uleshort&0x0008			0x0008			\bclock
349# fast video output by int 29h
350>>4	uleshort&0x0010			0x0010			\bfast
351# standard input/output device
352>>4	uleshort&0x0003			>0			\bstandard
353>>>4	uleshort&0x0001			0x0001			\binput
354>>>4	uleshort&0x0003			0x0003			\b/
355>>>4	uleshort&0x0002			0x0002			\boutput
356>>4	uleshort&0x8000			0x8000			\bcharacter device driver
357>0	ubyte				x
358# upx compressed device driver has garbage instead of real in name field of header
359>>40	search/7			UPX!
360>>40	default				x
361# leading/trailing nulls, zeros or non ASCII characters in 8-byte name field at offset 10 are skipped
362>>>12		ubyte			>0x27			\b
363>>>>10		ubyte			>0x20
364>>>>>10		ubyte			!0x2E
365>>>>>>10	ubyte			!0x2A			\b%c
366>>>>11		ubyte			>0x20
367>>>>>11		ubyte			!0x2E			\b%c
368>>>>12		ubyte			>0x20
369>>>>>12		ubyte			!0x39
370>>>>>>12	ubyte			!0x2E			\b%c
371>>>13		ubyte			>0x20
372>>>>13		ubyte			!0x2E			\b%c
373>>>>14		ubyte			>0x20
374>>>>>14		ubyte			!0x2E			\b%c
375>>>>15		ubyte			>0x20
376>>>>>15		ubyte			!0x2E			\b%c
377>>>>16		ubyte			>0x20
378>>>>>16		ubyte			!0x2E
379>>>>>>16	ubyte			<0xCB			\b%c
380>>>>17		ubyte			>0x20
381>>>>>17		ubyte			!0x2E
382>>>>>>17	ubyte			<0x90			\b%c
383# some character device drivers like ASPICD.SYS, btcdrom.sys and Cr_atapi.sys contain only spaces or points in name field
384>>>4		uleshort&0x8000		0x8000
385>>>>12		ubyte			<0x2F
386# they have their real name at offset 22
387>>>>>22		string			>\0			\b%-.5s
388>4	uleshort&0x8000			0x0000
389# 32 bit sector addressing ( > 32 MB) for block devices
390>>4	uleshort&0x0002			0x0002			\b,32-bit sector-
391# support by driver functions 13h, 17h, 18h
392>4	uleshort&0x0040			0x0040			\b,IOCTL-
393# open, close, removable media support by driver functions 0Dh, 0Eh, 0Fh
394>4	uleshort&0x0800			0x0800			\b,close media-
395# output until busy support by int 10h for character device driver
396>4	uleshort&0x8000			0x8000
397>>4	uleshort&0x2000			0x2000			\b,until busy-
398# direct read/write support by driver functions 03h,0Ch
399>4	uleshort&0x4000			0x4000			\b,control strings-
400>4	uleshort&0x8000			0x8000
401>>4	uleshort&0x6840			>0			\bsupport
402>4	uleshort&0x8000			0x0000
403>>4	uleshort&0x4842			>0			\bsupport
404>0	ubyte				x			\b)
405# DOS driver cmd640x.sys has 0x12 instead of 0xffffffff for pointer field to next device header
406# Too weak, matches files that only contain 0's
407#0	ulequad&0x000007a0ffffffed	0x0000000000000000	DOS-executable (
408#>4	uleshort&0x8000			0x8000			\bcharacter device driver
409#>>10	string				x			%-.8s
410#>4	uleshort&0x4000			0x4000			\b,control strings-support)
411
412# updated by Joerg Jenderek
413# GRR: line below too general as it catches also
414# rt.lib DYADISKS.PIC and many more
415# start with assembler instruction MOV
4160	ubyte		0x8c
417# skip "AppleWorks word processor data" like ARTICLE.1 ./apple
418>4	string			!O====
419# skip some unknown basic binaries like RocketRnger.SHR
420>>5	string			!MAIN
421# skip "GPG symmetrically encrypted data" ./gnu
422# skip "PGP symmetric key encrypted data" ./pgp
423# openpgpdefs.h: fourth byte < 14 indicate cipher algorithm type
424>>>4	ubyte			>13	DOS executable (COM, 0x8C-variant)
425# the remaining files should be DOS *.COM executables
426# dosshell.COM	8cc0 2ea35f07 e85211 e88a11 b80058 cd
427# hmload.COM	8cc8 8ec0 bbc02b 89dc 83c30f c1eb04 b4
428# UNDELETE.COM	8cca 2e8916 6503 b430 cd21 8b 2e0200 8b
429# BOOTFIX.COM	8cca 2e8916 9603 b430 cd21 8b 2e0200 8b
430# RAWRITE3.COM	8cca 2e8916 d602 b430 cd21 8b 2e0200 8b
431# SHARE.COM	8cca 2e8916 d602 b430 cd21 8b 2e0200 8b
432# validchr.COM	8cca 2e8916 9603 b430 cd21 8b 2e028b1e
433# devload.COM	8cca 8916ad01 b430 cd21 8b2e0200 892e
434!:mime	application/x-dosexec
435!:ext com
436
437# updated by Joerg Jenderek at Oct 2008
4380	ulelong		0xffff10eb	DR-DOS executable (COM)
439# byte 0xeb conflicts with "sequent" magic leshort 0xn2eb
4400	ubeshort&0xeb8d	>0xeb00
441# DR-DOS STACKER.COM SCREATE.SYS missed
442>0	byte		0xeb
443>>0x1FE leshort		0xAA55		DOS executable (COM), boot code
444>>85	string		UPX		DOS executable (COM), UPX compressed
445>>4	string		\ $ARX		DOS executable (COM), ARX self-extracting archive
446>>4	string		\ $LHarc	DOS executable (COM), LHarc self-extracting archive
447>>0x20e string		SFX\ by\ LARC	DOS executable (COM), LARC self-extracting archive
448# updated by Joerg Jenderek at Oct 2008,2015
449# following line is too general
4500	ubyte		0xb8
451# skip 2 linux kernels like memtest.bin with "\xb8\xc0\x07\x8e" in ./linux
452>0	string		!\xb8\xc0\x07\x8e
453# modified by Joerg Jenderek
454# syslinux COM32 or COM32R executable
455>>1	lelong&0xFFFFFFFe 0x21CD4CFe	COM executable (32-bit COMBOOT
456# http://www.syslinux.org/wiki/index.php/Comboot_API
457# Since version 5.00 c32 modules switched from the COM32 object format to ELF
458!:mime	application/x-c32-comboot-syslinux-exec
459!:ext c32
460# http://syslinux.zytor.com/comboot.php
461# older syslinux version ( <4 )
462# (32-bit COMBOOT) programs *.C32 contain 32-bit code and run in flat-memory 32-bit protected mode
463# start with assembler instructions mov eax,21cd4cffh
464>>>1	lelong		0x21CD4CFf	\b)
465# syslinux:doc/comboot.txt
466# A COM32R program must start with the byte sequence B8 FE 4C CD 21 (mov
467# eax,21cd4cfeh) as a magic number.
468# syslinux version (4.x)
469# "COM executable (COM32R)" or "Syslinux COM32 module" by TrID
470>>>1	lelong		0x21CD4CFe	\b, relocatable)
471# remaining are DOS COM executables starting with assembler instruction MOV
472# like FreeDOS BANNER*.COM FINDDISK.COM GIF2RAW.COM WINCHK.COM
473# MS-DOS SYS.COM RESTART.COM
474# SYSLINUX.COM (version 1.40 - 2.13)
475# GFXBOOT.COM (version 3.75)
476# COPYBS.COM POWEROFF.COM INT18.COM
477>>1	default	x			COM executable for DOS
478!:mime	application/x-dosexec
479#!:mime	application/x-ms-dos-executable
480#!:mime	application/x-msdos-program
481!:ext com
482
4830	string/b	\x81\xfc
484>4	string	\x77\x02\xcd\x20\xb9
485>>36	string	UPX!			FREE-DOS executable (COM), UPX compressed
486252	string Must\ have\ DOS\ version DR-DOS executable (COM)
487# added by Joerg Jenderek at Oct 2008
488# GRR search is not working
489#34	search/2	UPX!		FREE-DOS executable (COM), UPX compressed
49034	string	UPX!			FREE-DOS executable (COM), UPX compressed
49135	string	UPX!			FREE-DOS executable (COM), UPX compressed
492# GRR search is not working
493#2	search/28	\xcd\x21	COM executable for MS-DOS
494#WHICHFAT.cOM
4952	string	\xcd\x21		COM executable for DOS
496#DELTREE.cOM DELTREE2.cOM
4974	string	\xcd\x21		COM executable for DOS
498#IFMEMDSK.cOM ASSIGN.cOM COMP.cOM
4995	string	\xcd\x21		COM executable for DOS
500#DELTMP.COm HASFAT32.cOM
5017	string	\xcd\x21
502>0	byte	!0xb8			COM executable for DOS
503#COMP.cOM MORE.COm
50410	string	\xcd\x21
505>5	string	!\xcd\x21		COM executable for DOS
506#comecho.com
50713	string	\xcd\x21		COM executable for DOS
508#HELP.COm EDIT.coM
50918	string	\xcd\x21		COM executable for MS-DOS
510#NWRPLTRM.COm
51123	string	\xcd\x21		COM executable for MS-DOS
512#LOADFIX.cOm LOADFIX.cOm
51330	string	\xcd\x21		COM executable for MS-DOS
514#syslinux.com 3.11
51570	string	\xcd\x21		COM executable for DOS
516# many compressed/converted COMs start with a copy loop instead of a jump
5170x6	search/0xa	\xfc\x57\xf3\xa5\xc3	COM executable for MS-DOS
5180x6	search/0xa	\xfc\x57\xf3\xa4\xc3	COM executable for DOS
519>0x18	search/0x10	\x50\xa4\xff\xd5\x73	\b, aPack compressed
5200x3c	string		W\ Collis\0\0		COM executable for MS-DOS, Compack compressed
521# FIXME: missing diet .com compression
522
523# miscellaneous formats
5240	string/b	LZ		MS-DOS executable (built-in)
525#0	byte		0xf0		MS-DOS program library data
526#
527
528# AAF files:
529# <stuartc@rd.bbc.co.uk> Stuart Cunningham
5300	string/b	\320\317\021\340\241\261\032\341AAFB\015\000OM\006\016\053\064\001\001\001\377			AAF legacy file using MS Structured Storage
531>30	byte	9		(512B sectors)
532>30	byte	12		(4kB sectors)
5330	string/b	\320\317\021\340\241\261\032\341\001\002\001\015\000\002\000\000\006\016\053\064\003\002\001\001			AAF file using MS Structured Storage
534>30	byte	9		(512B sectors)
535>30	byte	12		(4kB sectors)
536
537# Popular applications
5382080	string	Microsoft\ Word\ 6.0\ Document	%s
539!:mime	application/msword
5402080	string	Documento\ Microsoft\ Word\ 6 Spanish Microsoft Word 6 document data
541!:mime	application/msword
542# Pawel Wiecek <coven@i17linuxb.ists.pwr.wroc.pl> (for polish Word)
5432112	string	MSWordDoc			Microsoft Word document data
544!:mime	application/msword
545#
5460	belong	0x31be0000			Microsoft Word Document
547!:mime	application/msword
548#
5490	string/b	PO^Q`				Microsoft Word 6.0 Document
550!:mime	application/msword
551#
5520	string/b	\376\067\0\043			Microsoft Office Document
553!:mime	application/msword
5540	string/b	\333\245-\0\0\0			Microsoft Office Document
555!:mime	application/msword
556512	string/b	\354\245\301			Microsoft Word Document
557!:mime	application/msword
558
559#
5600	string/b	\xDB\xA5\x2D\x00		Microsoft WinWord 2.0 Document
561!:mime application/msword
562#
5632080	string	Microsoft\ Excel\ 5.0\ Worksheet	%s
564!:mime	application/vnd.ms-excel
565#
5660	string/b	\xDB\xA5\x2D\x00		Microsoft WinWord 2.0 Document
567!:mime application/msword
568
5692080	string	Foglio\ di\ lavoro\ Microsoft\ Exce	%s
570!:mime	application/vnd.ms-excel
571#
572# Pawel Wiecek <coven@i17linuxb.ists.pwr.wroc.pl> (for polish Excel)
5732114	string	Biff5		Microsoft Excel 5.0 Worksheet
574!:mime	application/vnd.ms-excel
575# Italian MS-Excel
5762121	string	Biff5		Microsoft Excel 5.0 Worksheet
577!:mime	application/vnd.ms-excel
5780	string/b	\x09\x04\x06\x00\x00\x00\x10\x00	Microsoft Excel Worksheet
579!:mime	application/vnd.ms-excel
580#
5810	belong	0x00001a00	Lotus 1-2-3
582!:mime	application/x-123
583>4	belong	0x00100400	wk3 document data
584>4	belong	0x02100400	wk4 document data
585>4	belong	0x07800100	fm3 or fmb document data
586>4	belong	0x07800000	fm3 or fmb document data
587#
5880	belong	0x00000200	Lotus 1-2-3
589!:mime	application/x-123
590>4	belong	0x06040600	wk1 document data
591>4	belong	0x06800200	fmt document data
5920	string/b		WordPro\0	Lotus WordPro
593!:mime	application/vnd.lotus-wordpro
5940	string/b		WordPro\r\373	Lotus WordPro
595!:mime	application/vnd.lotus-wordpro
596
597
598# Summary: Script used by InstallScield to uninstall applications
599# Extension: .isu
600# Submitted by: unknown
601# Modified by (1): Abel Cheung <abelcheung@gmail.com> (replace useless entry)
6020		string		\x71\xa8\x00\x00\x01\x02
603>12		string		Stirling\ Technologies,		InstallShield Uninstall Script
604
605# Winamp .avs
606#0	string	Nullsoft\ AVS\ Preset\ \060\056\061\032 A plug in for Winamp ms-windows Freeware media player
6070	string/b	Nullsoft\ AVS\ Preset\ 	Winamp plug in
608
609# Windows Metafont .WMF
6100	string/b	\327\315\306\232	ms-windows metafont .wmf
6110	string/b	\002\000\011\000	ms-windows metafont .wmf
6120	string/b	\001\000\011\000	ms-windows metafont .wmf
613
614#tz3 files whatever that is (MS Works files)
6150	string/b	\003\001\001\004\070\001\000\000	tz3 ms-works file
6160	string/b	\003\002\001\004\070\001\000\000	tz3 ms-works file
6170	string/b	\003\003\001\004\070\001\000\000	tz3 ms-works file
618
619# PGP sig files .sig
620#0 string \211\000\077\003\005\000\063\237\127 065 to  \027\266\151\064\005\045\101\233\021\002 PGP sig
6210 string \211\000\077\003\005\000\063\237\127\065\027\266\151\064\005\045\101\233\021\002 PGP sig
6220 string \211\000\077\003\005\000\063\237\127\066\027\266\151\064\005\045\101\233\021\002 PGP sig
6230 string \211\000\077\003\005\000\063\237\127\067\027\266\151\064\005\045\101\233\021\002 PGP sig
6240 string \211\000\077\003\005\000\063\237\127\070\027\266\151\064\005\045\101\233\021\002 PGP sig
6250 string \211\000\077\003\005\000\063\237\127\071\027\266\151\064\005\045\101\233\021\002 PGP sig
6260 string \211\000\225\003\005\000\062\122\207\304\100\345\042 PGP sig
627
628# windows zips files .dmf
6290	string/b	MDIF\032\000\010\000\000\000\372\046\100\175\001\000\001\036\001\000 MS Windows special zipped file
630
631
632#ico files
6330	string/b	\102\101\050\000\000\000\056\000\000\000\000\000\000\000	Icon for MS Windows
634
635# Windows icons
636# Update: Joerg Jenderek
637# URL: https://en.wikipedia.org/wiki/CUR_(file_format)
638# Note: similiar to Windows CURsor. container for BMP (only DIB part) or PNG
6390   belong  0x00000100
640>9  byte    0
641>>0 byte    x
642>>0 use     cur-ico-dir
643>9  ubyte   0xff
644>>0 byte    x
645>>0 use     cur-ico-dir
646#	displays number of icons and information for icon or cursor
6470	name		cur-ico-dir
648# skip some Lotus 1-2-3 worksheets, CYCLE.PIC and keep Windows cursors with
649# 1st data offset = dir header size + n * dir entry size = 6 + n * 10h = ?6h
650>18		ulelong		&0x00000006
651# skip remaining worksheets, because valid only for DIB image (40) or PNG image (\x89PNG)
652>>(18.l)	ulelong		x		MS Windows
653>>>0		ubelong		0x00000100	icon resource
654#!:mime		image/vnd.microsoft.icon
655!:mime		image/x-icon
656!:ext		ico
657>>>>4 		uleshort	x		- %d icon
658# plural s
659>>>>4 		uleshort	>1		\bs
660# 1st icon
661>>>>0x06	use		ico-entry
662# 2nd icon
663>>>>4 		uleshort	>1
664>>>>>0x16	use		ico-entry
665>>>0		ubelong		0x00000200	cursor resource
666#!:mime		image/x-cur
667!:mime		image/x-win-bitmap
668!:ext		cur
669>>>>4 		uleshort	x		- %d icon
670>>>>4 		uleshort	>1		\bs
671# 1st cursor
672>>>>0x06	use		cur-entry
673#>>>>0x16	use		cur-entry
674#	display information of one cursor entry
6750	name		cur-entry
676>0	use		cur-ico-entry
677>4	uleshort	x	\b, hotspot @%dx
678>6	uleshort	x	\b%d
679#	display information of one icon entry
6800	name		ico-entry
681>0			use	cur-ico-entry
682# normally 0 1 but also found 14
683>4	uleshort	>1	\b, %d planes
684# normally 0 1 but also found some 3, 4, some 6, 8, 24, many 32, two 256
685>6	uleshort	>1	\b, %d bits/pixel
686#	display shared information of cursor or icon entry
6870		name		cur-ico-entry
688>0		byte		=0		\b, 256x
689>0		byte		!0		\b, %dx
690>1		byte        	=0		\b256
691>1		byte        	!0		\b%d
692# number of colors in palette
693>2		ubyte		!0		\b, %d colors
694# reserved 0 FFh
695#>3		ubyte        	x		\b, reserved %x
696#>8		ulelong		x		\b, image size %d
697# offset of PNG or DIB image
698#>12		ulelong		x		\b, offset 0x%x
699# PNG header (\x89PNG)
700>(12.l)		ubelong		=0x89504e47
701>>&-4		indirect	x	\b with
702# DIB image
703>(12.l)		ubelong		!0x89504e47
704#>>&-4		use     	dib-image
705
706# Windows non-animated cursors
707# Update: Joerg Jenderek
708# URL: https://en.wikipedia.org/wiki/CUR_(file_format)
709# Note: similiar to Windows ICOn. container for BMP ( only DIB part)
710# GRR: line below is too general as it catches also Lotus 1-2-3 files
7110   belong  0x00000200
712>9  byte    0
713>>0 use     cur-ico-dir
714>9  ubyte   0xff
715>>0 use     cur-ico-dir
716
717# .chr files
7180	string/b	PK\010\010BGI	Borland font
719>4	string	>\0	%s
720# then there is a copyright notice
721
722
723# .bgi files
7240	string/b	pk\010\010BGI	Borland device
725>4	string	>\0	%s
726# then there is a copyright notice
727
728
729# Windows Recycle Bin record file (named INFO2)
730# By Abel Cheung (abelcheung AT gmail dot com)
731# Version 4 always has 280 bytes (0x118) per record, version 5 has 800 bytes
732# Since Vista uses another structure, INFO2 structure probably won't change
733# anymore. Detailed analysis in:
734# http://www.cybersecurityinstitute.biz/downloads/INFO2.pdf
7350	lelong		0x00000004
736>12	lelong		0x00000118	Windows Recycle Bin INFO2 file (Win98 or below)
737
7380	lelong		0x00000005
739>12	lelong		0x00000320	Windows Recycle Bin INFO2 file (Win2k - WinXP)
740
741
742##### put in Either Magic/font or Magic/news
743# Acroread or something	 files wrongly identified as G3	 .pfm
744# these have the form \000 \001 any? \002 \000 \000
745# or \000 \001 any? \022 \000 \000
7460	belong&0xffff00ff	0x00010012	PFM data
747>4	string			\000\000
748>6	string			>\060		- %s
749
7500	belong&0xffff00ff	0x00010002	PFM data
751>4	string			\000\000
752>6	string			>\060		- %s
753#0	string	\000\001 pfm?
754#>3	string	\022\000\000Copyright\	yes
755#>3	string	\002\000\000Copyright\	yes
756#>3	string	>\0	oops, not a font file. Cancel that.
757#it clashes with ttf files so put it lower down.
758
759# From Doug Lee via a FreeBSD pr
7609	string		GERBILDOC	First Choice document
7619	string		GERBILDB	First Choice database
7629	string		GERBILCLIP	First Choice database
7630	string		GERBIL		First Choice device file
7649	string		RABBITGRAPH	RabbitGraph file
7650	string		DCU1		Borland Delphi .DCU file
7660	string		=!<spell>	MKS Spell hash list (old format)
7670	string		=!<spell2>	MKS Spell hash list
768# Too simple - MPi
769#0	string		AH		Halo(TM) bitmapped font file
7700	lelong		0x08086b70	TurboC BGI file
7710	lelong		0x08084b50	TurboC Font file
772
773# Debian#712046: The magic below identifies "Delphi compiled form data".
774# An additional source of information is available at:
775# http://www.woodmann.com/fravia/dafix_t1.htm
7760	string		TPF0
777>4	pstring		>\0		Delphi compiled form '%s'
778
779# tests for DBase files moved, updated and merged to database
780
7810	string		PMCC		Windows 3.x .GRP file
7821	string		RDC-meg		MegaDots
783>8	byte		>0x2F		version %c
784>9	byte		>0x2F		\b.%c file
7850	lelong		0x4C
786>4	lelong		0x00021401	Windows shortcut file
787
788# .PIF files added by Joerg Jenderek from http://smsoft.ru/en/pifdoc.htm
789# only for windows versions equal or greater 3.0
7900x171	string	MICROSOFT\ PIFEX\0	Windows Program Information File
791!:mime	application/x-dosexec
792#>2	string	 	>\0		\b, Title:%.30s
793>0x24	string		>\0		\b for %.63s
794>0x65	string		>\0		\b, directory=%.64s
795>0xA5	string		>\0		\b, parameters=%.64s
796#>0x181	leshort	x	\b, offset %x
797#>0x183	leshort	x	\b, offsetdata %x
798#>0x185	leshort	x	\b, section length %x
799>0x187	search/0xB55	WINDOWS\ VMM\ 4.0\0
800>>&0x5e		ubyte	>0
801>>>&-1		string	<PIFMGR.DLL		\b, icon=%s
802#>>>&-1		string	PIFMGR.DLL		\b, icon=%s
803>>>&-1		string	>PIFMGR.DLL		\b, icon=%s
804>>&0xF0		ubyte	>0
805>>>&-1		string	<Terminal		\b, font=%.32s
806#>>>&-1		string	=Terminal		\b, font=%.32s
807>>>&-1		string	>Terminal		\b, font=%.32s
808>>&0x110	ubyte	>0
809>>>&-1		string	<Lucida\ Console	\b, TrueTypeFont=%.32s
810#>>>&-1		string	=Lucida\ Console	\b, TrueTypeFont=%.32s
811>>>&-1		string	>Lucida\ Console	\b, TrueTypeFont=%.32s
812#>0x187	search/0xB55	WINDOWS\ 286\ 3.0\0	\b, Windows 3.X standard mode-style
813#>0x187	search/0xB55	WINDOWS\ 386\ 3.0\0	\b, Windows 3.X enhanced mode-style
814>0x187	search/0xB55	WINDOWS\ NT\ \ 3.1\0	\b, Windows NT-style
815#>0x187	search/0xB55	WINDOWS\ NT\ \ 4.0\0	\b, Windows NT-style
816>0x187	search/0xB55	CONFIG\ \ SYS\ 4.0\0	\b +CONFIG.SYS
817#>>&06		string	x			\b:%s
818>0x187	search/0xB55	AUTOEXECBAT\ 4.0\0	\b +AUTOEXEC.BAT
819#>>&06		string	x			\b:%s
820
821# DOS EPS Binary File Header
822# From: Ed Sznyter <ews@Black.Market.NET>
8230	belong		0xC5D0D3C6	DOS EPS Binary File
824>4	long		>0		Postscript starts at byte %d
825>>8	long		>0		length %d
826>>>12	long		>0		Metafile starts at byte %d
827>>>>16	long		>0		length %d
828>>>20	long		>0		TIFF starts at byte %d
829>>>>24	long		>0		length %d
830
831# TNEF magic From "Joomy" <joomy@se-ed.net>
832# Microsoft Outlook's Transport Neutral Encapsulation Format (TNEF)
8330	leshort		0x223e9f78	TNEF
834!:mime	application/vnd.ms-tnef
835
836# Norton Guide (.NG , .HLP) files added by Joerg Jenderek from source NG2HTML.C
837# of http://www.davep.org/norton-guides/ng2h-105.tgz
838# http://en.wikipedia.org/wiki/Norton_Guides
8390	string		NG\0\001
840# only value 0x100 found at offset 2
841>2	ulelong		0x00000100	Norton Guide
842# Title[40]
843>>8	string		>\0		"%-.40s"
844#>>6	uleshort	x		\b, MenuCount=%u
845# szCredits[5][66]
846>>48	string		>\0		\b, %-.66s
847>>114	string		>\0		%-.66s
848
849# 4DOS help (.HLP) files added by Joerg Jenderek from source TPHELP.PAS
850# of http://www.4dos.info/
851# pointer,HelpID[8]=4DHnnnmm
8520	ulelong	0x48443408		4DOS help file
853>4	string	x			\b, version %-4.4s
854
855# old binary Microsoft (.HLP) files added by Joerg Jenderek from http://file-extension.net/seeker/file_extension_hlp
8560	ulequad	0x3a000000024e4c	MS Advisor help file
857
858# HtmlHelp files (.chm)
8590	string/b	ITSF\003\000\000\000\x60\000\000\000	MS Windows HtmlHelp Data
860
861# GFA-BASIC (Wolfram Kleff)
8622	string/b	GFA-BASIC3	GFA-BASIC 3 data
863
864#------------------------------------------------------------------------------
865# From Stuart Caie <kyzer@4u.net> (developer of cabextract)
866# Microsoft Cabinet files
8670	string/b	MSCF\0\0\0\0	Microsoft Cabinet archive data
868!:mime application/vnd.ms-cab-compressed
869>8	lelong		x		\b, %u bytes
870>28	leshort		1		\b, 1 file
871>28	leshort		>1		\b, %u files
872
873# InstallShield Cabinet files
8740	string/b	ISc(		InstallShield Cabinet archive data
875>5	byte&0xf0	=0x60		version 6,
876>5	byte&0xf0	!0x60		version 4/5,
877>(12.l+40)	lelong	x		%u files
878
879# Windows CE package files
8800	string/b	MSCE\0\0\0\0	Microsoft WinCE install header
881>20	lelong		0		\b, architecture-independent
882>20	lelong		103		\b, Hitachi SH3
883>20	lelong		104		\b, Hitachi SH4
884>20	lelong		0xA11		\b, StrongARM
885>20	lelong		4000		\b, MIPS R4000
886>20	lelong		10003		\b, Hitachi SH3
887>20	lelong		10004		\b, Hitachi SH3E
888>20	lelong		10005		\b, Hitachi SH4
889>20	lelong		70001		\b, ARM 7TDMI
890>52	leshort		1		\b, 1 file
891>52	leshort		>1		\b, %u files
892>56	leshort		1		\b, 1 registry entry
893>56	leshort		>1		\b, %u registry entries
894
895
896# Windows Enhanced Metafile (EMF)
897# See msdn.microsoft.com/archive/en-us/dnargdi/html/msdn_enhmeta.asp
898# for further information.
8990	ulelong 1
900>40	string	\ EMF		Windows Enhanced Metafile (EMF) image data
901>>44	ulelong x		version 0x%x
902
903# from http://filext.com by Derek M Jones <derek@knosof.co.uk>
904# False positive with PPT (also currently this string is too long)
905#0	string/b	\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x3E\x00\x03\x00\xFE\xFF\x09\x00\x06	Microsoft Installer
9060	string/b	\320\317\021\340\241\261\032\341	Microsoft Office Document
907#>48	byte	0x1B					Excel Document
908#!:mime application/vnd.ms-excel
909>546	string	bjbj			Microsoft Word Document
910!:mime	application/msword
911>546	string	jbjb			Microsoft Word Document
912!:mime	application/msword
913
9140	string/b	\224\246\056		Microsoft Word Document
915!:mime	application/msword
916
917512	string	R\0o\0o\0t\0\ \0E\0n\0t\0r\0y	Microsoft Word Document
918!:mime	application/msword
919
920# From: "Nelson A. de Oliveira" <naoliv@gmail.com>
921# Magic type for Dell's BIOS .hdr files
922# Dell's .hdr
9230	string/b $RBU
924>23	string Dell			%s system BIOS
925>5	byte   2
926>>48	byte   x			version %d.
927>>49	byte   x			\b%d.
928>>50	byte   x			\b%d
929>5	byte   <2
930>>48	string x			version %.3s
931
932# Type: Microsoft DirectDraw Surface
933# URL:	http://msdn.microsoft.com/library/default.asp?url=/library/en-us/directx9_c/directx/graphics/reference/DDSFileReference/ddsfileformat.asp
934# From: Morten Hustveit <morten@debian.org>
9350	string/b	DDS\040\174\000\000\000 Microsoft DirectDraw Surface (DDS),
936>16	lelong	>0			%d x
937>12	lelong	>0			%d,
938>84	string	x			%.4s
939
940# Type: Microsoft Document Imaging Format (.mdi)
941# URL:	http://en.wikipedia.org/wiki/Microsoft_Document_Imaging_Format
942# From: Daniele Sempione <scrows@oziosi.org>
9430	short	0x5045			Microsoft Document Imaging Format
944
945# MS eBook format (.lit)
9460	string/b	ITOLITLS		Microsoft Reader eBook Data
947>8	lelong	x			\b, version %u
948!:mime					application/x-ms-reader
949
950# Windows CE Binary Image Data Format
951# From: Dr. Jesus <j@hug.gs>
9520	string/b	B000FF\n	Windows Embedded CE binary image
953
954# Windows Imaging (WIM) Image
9550	string/b	MSWIM\000\000\000	Windows imaging (WIM) image
9560	string/b	WLPWM\000\000\000	Windows imaging (WIM) image, wimlib pipable format
957
958# The second byte of these signatures is a file version; I don't know what,
959# if anything, produced files with version numbers 0-2.
960# From: John Elliott <johne@seasip.demon.co.uk>
9610	string	\xfc\x03\x00	Mallard BASIC program data (v1.11)
9620	string	\xfc\x04\x00	Mallard BASIC program data (v1.29+)
9630	string	\xfc\x03\x01	Mallard BASIC protected program data (v1.11)
9640	string	\xfc\x04\x01	Mallard BASIC protected program data (v1.29+)
965
9660	string	MIOPEN		Mallard BASIC Jetsam data
9670	string	Jetsam0		Mallard BASIC Jetsam index data
968
969