1 2#------------------------------------------------------------------------------ 3# $File: msdos,v 1.100 2014/06/03 19:17:27 christos Exp $ 4# msdos: file(1) magic for MS-DOS files 5# 6 7# .BAT files (Daniel Quinlan, quinlan@yggdrasil.com) 8# updated by Joerg Jenderek at Oct 2008,Apr 2011 90 string/t @ 10>1 string/cW \ echo\ off DOS batch file text 11!:mime text/x-msdos-batch 12>1 string/cW echo\ off DOS batch file text 13!:mime text/x-msdos-batch 14>1 string/cW rem DOS batch file text 15!:mime text/x-msdos-batch 16>1 string/cW set\ DOS batch file text 17!:mime text/x-msdos-batch 18 19 20# OS/2 batch files are REXX. the second regex is a bit generic, oh well 21# the matched commands seem to be common in REXX and uncommon elsewhere 22100 search/0xffff rxfuncadd 23>100 regex/c =^[\ \t]{0,10}call[\ \t]{1,10}rxfunc OS/2 REXX batch file text 24100 search/0xffff say 25>100 regex/c =^[\ \t]{0,10}say\ ['"] OS/2 REXX batch file text 26 270 leshort 0x14c MS Windows COFF Intel 80386 object file 28#>4 ledate x stamp %s 290 leshort 0x166 MS Windows COFF MIPS R4000 object file 30#>4 ledate x stamp %s 310 leshort 0x184 MS Windows COFF Alpha object file 32#>4 ledate x stamp %s 330 leshort 0x268 MS Windows COFF Motorola 68000 object file 34#>4 ledate x stamp %s 350 leshort 0x1f0 MS Windows COFF PowerPC object file 36#>4 ledate x stamp %s 370 leshort 0x290 MS Windows COFF PA-RISC object file 38#>4 ledate x stamp %s 39 40# Tests for various EXE types. 41# 42# Many of the compressed formats were extraced from IDARC 1.23 source code. 43# 440 string/b MZ 45# All non-DOS EXE extensions have the relocation table more than 0x40 bytes into the file. 46>0x18 leshort <0x40 MS-DOS executable 47!:mime application/x-dosexec 48# These traditional tests usually work but not always. When test quality support is 49# implemented these can be turned on. 50#>>0x18 leshort 0x1c (Borland compiler) 51#>>0x18 leshort 0x1e (MS compiler) 52 53# If the relocation table is 0x40 or more bytes into the file, it's definitely 54# not a DOS EXE. 55>0x18 leshort >0x3f 56 57# Maybe it's a PE? 58>>(0x3c.l) string PE\0\0 PE 59!:mime application/x-dosexec 60>>>(0x3c.l+24) leshort 0x010b \b32 executable 61>>>(0x3c.l+24) leshort 0x020b \b32+ executable 62>>>(0x3c.l+24) leshort 0x0107 ROM image 63>>>(0x3c.l+24) default x Unknown PE signature 64>>>>&0 leshort x 0x%x 65>>>(0x3c.l+22) leshort&0x2000 >0 (DLL) 66>>>(0x3c.l+92) leshort 1 (native) 67>>>(0x3c.l+92) leshort 2 (GUI) 68>>>(0x3c.l+92) leshort 3 (console) 69>>>(0x3c.l+92) leshort 7 (POSIX) 70>>>(0x3c.l+92) leshort 9 (Windows CE) 71>>>(0x3c.l+92) leshort 10 (EFI application) 72>>>(0x3c.l+92) leshort 11 (EFI boot service driver) 73>>>(0x3c.l+92) leshort 12 (EFI runtime driver) 74>>>(0x3c.l+92) leshort 13 (EFI ROM) 75>>>(0x3c.l+92) leshort 14 (XBOX) 76>>>(0x3c.l+92) leshort 15 (Windows boot application) 77>>>(0x3c.l+92) default x (Unknown subsystem 78>>>>&0 leshort x 0x%x) 79>>>(0x3c.l+4) leshort 0x14c Intel 80386 80>>>(0x3c.l+4) leshort 0x166 MIPS R4000 81>>>(0x3c.l+4) leshort 0x168 MIPS R10000 82>>>(0x3c.l+4) leshort 0x184 Alpha 83>>>(0x3c.l+4) leshort 0x1a2 Hitachi SH3 84>>>(0x3c.l+4) leshort 0x1a6 Hitachi SH4 85>>>(0x3c.l+4) leshort 0x1c0 ARM 86>>>(0x3c.l+4) leshort 0x1c2 ARM Thumb 87>>>(0x3c.l+4) leshort 0x1c4 ARMv7 Thumb 88>>>(0x3c.l+4) leshort 0x1f0 PowerPC 89>>>(0x3c.l+4) leshort 0x200 Intel Itanium 90>>>(0x3c.l+4) leshort 0x266 MIPS16 91>>>(0x3c.l+4) leshort 0x268 Motorola 68000 92>>>(0x3c.l+4) leshort 0x290 PA-RISC 93>>>(0x3c.l+4) leshort 0x366 MIPSIV 94>>>(0x3c.l+4) leshort 0x466 MIPS16 with FPU 95>>>(0x3c.l+4) leshort 0xebc EFI byte code 96>>>(0x3c.l+4) leshort 0x8664 x86-64 97>>>(0x3c.l+4) leshort 0xc0ee MSIL 98>>>(0x3c.l+4) default x Unknown processor type 99>>>>&0 leshort x 0x%x 100>>>(0x3c.l+22) leshort&0x0200 >0 (stripped to external PDB) 101>>>(0x3c.l+22) leshort&0x1000 >0 system file 102>>>(0x3c.l+24) leshort 0x010b 103>>>>(0x3c.l+232) lelong >0 Mono/.Net assembly 104>>>(0x3c.l+24) leshort 0x020b 105>>>>(0x3c.l+248) lelong >0 Mono/.Net assembly 106 107# hooray, there's a DOS extender using the PE format, with a valid PE 108# executable inside (which just prints a message and exits if run in win) 109>>>(8.s*16) string 32STUB \b, 32rtm DOS extender 110>>>(8.s*16) string !32STUB \b, for MS Windows 111>>>(0x3c.l+0xf8) string UPX0 \b, UPX compressed 112>>>(0x3c.l+0xf8) search/0x140 PEC2 \b, PECompact2 compressed 113>>>(0x3c.l+0xf8) search/0x140 UPX2 114>>>>(&0x10.l+(-4)) string PK\3\4 \b, ZIP self-extracting archive (Info-Zip) 115>>>(0x3c.l+0xf8) search/0x140 .idata 116>>>>(&0xe.l+(-4)) string PK\3\4 \b, ZIP self-extracting archive (Info-Zip) 117>>>>(&0xe.l+(-4)) string ZZ0 \b, ZZip self-extracting archive 118>>>>(&0xe.l+(-4)) string ZZ1 \b, ZZip self-extracting archive 119>>>(0x3c.l+0xf8) search/0x140 .rsrc 120>>>>(&0x0f.l+(-4)) string a\\\4\5 \b, WinHKI self-extracting archive 121>>>>(&0x0f.l+(-4)) string Rar! \b, RAR self-extracting archive 122>>>>(&0x0f.l+(-4)) search/0x3000 MSCF \b, InstallShield self-extracting archive 123>>>>(&0x0f.l+(-4)) search/32 Nullsoft \b, Nullsoft Installer self-extracting archive 124>>>(0x3c.l+0xf8) search/0x140 .data 125>>>>(&0x0f.l) string WEXTRACT \b, MS CAB-Installer self-extracting archive 126>>>(0x3c.l+0xf8) search/0x140 .petite\0 \b, Petite compressed 127>>>>(0x3c.l+0xf7) byte x 128>>>>>(&0x104.l+(-4)) string =!sfx! \b, ACE self-extracting archive 129>>>(0x3c.l+0xf8) search/0x140 .WISE \b, WISE installer self-extracting archive 130>>>(0x3c.l+0xf8) search/0x140 .dz\0\0\0 \b, Dzip self-extracting archive 131>>>&(0x3c.l+0xf8) search/0x100 _winzip_ \b, ZIP self-extracting archive (WinZip) 132>>>&(0x3c.l+0xf8) search/0x100 SharedD \b, Microsoft Installer self-extracting archive 133>>>0x30 string Inno \b, InnoSetup self-extracting archive 134 135# Hmm, not a PE but the relocation table is too high for a traditional DOS exe, 136# must be one of the unusual subformats. 137>>(0x3c.l) string !PE\0\0 MS-DOS executable 138!:mime application/x-dosexec 139 140>>(0x3c.l) string NE \b, NE 141!:mime application/x-dosexec 142>>>(0x3c.l+0x36) byte 1 for OS/2 1.x 143>>>(0x3c.l+0x36) byte 2 for MS Windows 3.x 144>>>(0x3c.l+0x36) byte 3 for MS-DOS 145>>>(0x3c.l+0x36) byte 4 for Windows 386 146>>>(0x3c.l+0x36) byte 5 for Borland Operating System Services 147>>>(0x3c.l+0x36) default x 148>>>>(0x3c.l+0x36) byte x (unknown OS %x) 149>>>(0x3c.l+0x36) byte 0x81 for MS-DOS, Phar Lap DOS extender 150>>>(0x3c.l+0x0c) leshort&0x8003 0x8002 (DLL) 151>>>(0x3c.l+0x0c) leshort&0x8003 0x8001 (driver) 152>>>&(&0x24.s-1) string ARJSFX \b, ARJ self-extracting archive 153>>>(0x3c.l+0x70) search/0x80 WinZip(R)\ Self-Extractor \b, ZIP self-extracting archive (WinZip) 154 155>>(0x3c.l) string LX\0\0 \b, LX 156!:mime application/x-dosexec 157>>>(0x3c.l+0x0a) leshort <1 (unknown OS) 158>>>(0x3c.l+0x0a) leshort 1 for OS/2 159>>>(0x3c.l+0x0a) leshort 2 for MS Windows 160>>>(0x3c.l+0x0a) leshort 3 for DOS 161>>>(0x3c.l+0x0a) leshort >3 (unknown OS) 162>>>(0x3c.l+0x10) lelong&0x28000 =0x8000 (DLL) 163>>>(0x3c.l+0x10) lelong&0x20000 >0 (device driver) 164>>>(0x3c.l+0x10) lelong&0x300 0x300 (GUI) 165>>>(0x3c.l+0x10) lelong&0x28300 <0x300 (console) 166>>>(0x3c.l+0x08) leshort 1 i80286 167>>>(0x3c.l+0x08) leshort 2 i80386 168>>>(0x3c.l+0x08) leshort 3 i80486 169>>>(8.s*16) string emx \b, emx 170>>>>&1 string x %s 171>>>&(&0x54.l-3) string arjsfx \b, ARJ self-extracting archive 172 173# MS Windows system file, supposedly a collection of LE executables 174>>(0x3c.l) string W3 \b, W3 for MS Windows 175!:mime application/x-dosexec 176 177>>(0x3c.l) string LE\0\0 \b, LE executable 178!:mime application/x-dosexec 179>>>(0x3c.l+0x0a) leshort 1 180# some DOS extenders use LE files with OS/2 header 181>>>>0x240 search/0x100 DOS/4G for MS-DOS, DOS4GW DOS extender 182>>>>0x240 search/0x200 WATCOM\ C/C++ for MS-DOS, DOS4GW DOS extender 183>>>>0x440 search/0x100 CauseWay\ DOS\ Extender for MS-DOS, CauseWay DOS extender 184>>>>0x40 search/0x40 PMODE/W for MS-DOS, PMODE/W DOS extender 185>>>>0x40 search/0x40 STUB/32A for MS-DOS, DOS/32A DOS extender (stub) 186>>>>0x40 search/0x80 STUB/32C for MS-DOS, DOS/32A DOS extender (configurable stub) 187>>>>0x40 search/0x80 DOS/32A for MS-DOS, DOS/32A DOS extender (embedded) 188# this is a wild guess; hopefully it is a specific signature 189>>>>&0x24 lelong <0x50 190>>>>>(&0x4c.l) string \xfc\xb8WATCOM 191>>>>>>&0 search/8 3\xdbf\xb9 \b, 32Lite compressed 192# another wild guess: if real OS/2 LE executables exist, they probably have higher start EIP 193#>>>>(0x3c.l+0x1c) lelong >0x10000 for OS/2 194# fails with DOS-Extenders. 195>>>(0x3c.l+0x0a) leshort 2 for MS Windows 196>>>(0x3c.l+0x0a) leshort 3 for DOS 197>>>(0x3c.l+0x0a) leshort 4 for MS Windows (VxD) 198>>>(&0x7c.l+0x26) string UPX \b, UPX compressed 199>>>&(&0x54.l-3) string UNACE \b, ACE self-extracting archive 200 201# looks like ASCII, probably some embedded copyright message. 202# and definitely not NE/LE/LX/PE 203>>0x3c lelong >0x20000000 204>>>(4.s*512) leshort !0x014c \b, MZ for MS-DOS 205!:mime application/x-dosexec 206# header data too small for extended executable 207>2 long !0 208>>0x18 leshort <0x40 209>>>(4.s*512) leshort !0x014c 210 211>>>>&(2.s-514) string !LE 212>>>>>&-2 string !BW \b, MZ for MS-DOS 213!:mime application/x-dosexec 214>>>>&(2.s-514) string LE \b, LE 215>>>>>0x240 search/0x100 DOS/4G for MS-DOS, DOS4GW DOS extender 216# educated guess since indirection is still not capable enough for complex offset 217# calculations (next embedded executable would be at &(&2*512+&0-2) 218# I suspect there are only LE executables in these multi-exe files 219>>>>&(2.s-514) string BW 220>>>>>0x240 search/0x100 DOS/4G \b, LE for MS-DOS, DOS4GW DOS extender (embedded) 221>>>>>0x240 search/0x100 !DOS/4G \b, BW collection for MS-DOS 222 223# This sequence skips to the first COFF segment, usually .text 224>(4.s*512) leshort 0x014c \b, COFF 225!:mime application/x-dosexec 226>>(8.s*16) string go32stub for MS-DOS, DJGPP go32 DOS extender 227>>(8.s*16) string emx 228>>>&1 string x for DOS, Win or OS/2, emx %s 229>>&(&0x42.l-3) byte x 230>>>&0x26 string UPX \b, UPX compressed 231# and yet another guess: small .text, and after large .data is unusal, could be 32lite 232>>&0x2c search/0xa0 .text 233>>>&0x0b lelong <0x2000 234>>>>&0 lelong >0x6000 \b, 32lite compressed 235 236>(8.s*16) string $WdX \b, WDos/X DOS extender 237 238# By now an executable type should have been printed out. The executable 239# may be a self-uncompressing archive, so look for evidence of that and 240# print it out. 241# 242# Some signatures below from Greg Roelofs, newt@uchicago.edu. 243# 244>0x35 string \x8e\xc0\xb9\x08\x00\xf3\xa5\x4a\x75\xeb\x8e\xc3\x8e\xd8\x33\xff\xbe\x30\x00\x05 \b, aPack compressed 245>0xe7 string LH/2\ Self-Extract \b, %s 246>0x1c string UC2X \b, UCEXE compressed 247>0x1c string WWP\ \b, WWPACK compressed 248>0x1c string RJSX \b, ARJ self-extracting archive 249>0x1c string diet \b, diet compressed 250>0x1c string LZ09 \b, LZEXE v0.90 compressed 251>0x1c string LZ91 \b, LZEXE v0.91 compressed 252>0x1c string tz \b, TinyProg compressed 253>0x1e string Copyright\ 1989-1990\ PKWARE\ Inc. Self-extracting PKZIP archive 254!:mime application/zip 255# Yes, this really is "Copr", not "Corp." 256>0x1e string PKLITE\ Copr. Self-extracting PKZIP archive 257!:mime application/zip 258# winarj stores a message in the stub instead of the sig in the MZ header 259>0x20 search/0xe0 aRJsfX \b, ARJ self-extracting archive 260>0x20 string AIN 261>>0x23 string 2 \b, AIN 2.x compressed 262>>0x23 string <2 \b, AIN 1.x compressed 263>>0x23 string >2 \b, AIN 1.x compressed 264>0x24 string LHa's\ SFX \b, LHa self-extracting archive 265!:mime application/x-lha 266>0x24 string LHA's\ SFX \b, LHa self-extracting archive 267!:mime application/x-lha 268>0x24 string \ $ARX \b, ARX self-extracting archive 269>0x24 string \ $LHarc \b, LHarc self-extracting archive 270>0x20 string SFX\ by\ LARC \b, LARC self-extracting archive 271>0x40 string aPKG \b, aPackage self-extracting archive 272>0x64 string W\ Collis\0\0 \b, Compack compressed 273>0x7a string Windows\ self-extracting\ ZIP \b, ZIP self-extracting archive 274>>&0xf4 search/0x140 \x0\x40\x1\x0 275>>>(&0.l+(4)) string MSCF \b, WinHKI CAB self-extracting archive 276>1638 string -lh5- \b, LHa self-extracting archive v2.13S 277>0x17888 string Rar! \b, RAR self-extracting archive 278 279# Skip to the end of the EXE. This will usually work fine in the PE case 280# because the MZ image is hardcoded into the toolchain and almost certainly 281# won't match any of these signatures. 282>(4.s*512) long x 283>>&(2.s-517) byte x 284>>>&0 string PK\3\4 \b, ZIP self-extracting archive 285>>>&0 string Rar! \b, RAR self-extracting archive 286>>>&0 string =!\x11 \b, AIN 2.x self-extracting archive 287>>>&0 string =!\x12 \b, AIN 2.x self-extracting archive 288>>>&0 string =!\x17 \b, AIN 1.x self-extracting archive 289>>>&0 string =!\x18 \b, AIN 1.x self-extracting archive 290>>>&7 search/400 **ACE** \b, ACE self-extracting archive 291>>>&0 search/0x480 UC2SFX\ Header \b, UC2 self-extracting archive 292 293# a few unknown ZIP sfxes, no idea if they are needed or if they are 294# already captured by the generic patterns above 295>(8.s*16) search/0x20 PKSFX \b, ZIP self-extracting archive (PKZIP) 296# TODO: how to add this? >FileSize-34 string Windows\ Self-Installing\ Executable \b, ZIP self-extracting archive 297# 298 299# TELVOX Teleinformatica CODEC self-extractor for OS/2: 300>49801 string \x79\xff\x80\xff\x76\xff \b, CODEC archive v3.21 301>>49824 leshort =1 \b, 1 file 302>>49824 leshort >1 \b, %u files 303 304# added by Joerg Jenderek of http://www.freedos.org/software/?prog=kc 305# and http://www.freedos.org/software/?prog=kpdos 306# for FreeDOS files like KEYBOARD.SYS, KEYBRD2.SYS, KEYBRD3.SYS, *.KBD 3070 string/b KCF FreeDOS KEYBoard Layout collection 308# only version=0x100 found 309>3 uleshort x \b, version 0x%x 310# length of string containing author,info and special characters 311>6 ubyte >0 312#>>6 pstring x \b, name=%s 313>>7 string >\0 \b, author=%-.14s 314>>7 search/254 \xff \b, info= 315#>>>&0 string x \b%-s 316>>>&0 string x \b%-.15s 317# for FreeDOS *.KL files 3180 string/b KLF FreeDOS KEYBoard Layout file 319# only version=0x100 or 0x101 found 320>3 uleshort x \b, version 0x%x 321# stringlength 322>5 ubyte >0 323>>8 string x \b, name=%-.2s 3240 string \xffKEYB\ \ \ \0\0\0\0 325>12 string \0\0\0\0`\004\360 MS-DOS KEYBoard Layout file 326 327# .COM formats (Daniel Quinlan, quinlan@yggdrasil.com) 328# Uncommenting only the first two lines will cover about 2/3 of COM files, 329# but it isn't feasible to match all COM files since there must be at least 330# two dozen different one-byte "magics". 331# test too generic ? 3320 byte 0xe9 DOS executable (COM) 333>0x1FE leshort 0xAA55 \b, boot code 334>6 string SFX\ of\ LHarc (%s) 335 336# DOS device driver updated by Joerg Jenderek at May 2011 337# http://maben.homeip.net/static/S100/IBM/software/DOS/DOS%20techref/CHAPTER.009 3380 ulequad&0x07a0ffffffff 0xffffffff DOS executable ( 339>40 search/7 UPX! \bUPX compressed 340# DOS device driver attributes 341>4 uleshort&0x8000 0x0000 \bblock device driver 342# character device 343>4 uleshort&0x8000 0x8000 \b 344>>4 uleshort&0x0008 0x0008 \bclock 345# fast video output by int 29h 346>>4 uleshort&0x0010 0x0010 \bfast 347# standard input/output device 348>>4 uleshort&0x0003 >0 \bstandard 349>>>4 uleshort&0x0001 0x0001 \binput 350>>>4 uleshort&0x0003 0x0003 \b/ 351>>>4 uleshort&0x0002 0x0002 \boutput 352>>4 uleshort&0x8000 0x8000 \bcharacter device driver 353>0 ubyte x 354# upx compressed device driver has garbage instead of real in name field of header 355>>40 search/7 UPX! 356>>40 default x 357# leading/trailing nulls, zeros or non ASCII characters in 8-byte name field at offset 10 are skipped 358>>>12 ubyte >0x27 \b 359>>>>10 ubyte >0x20 360>>>>>10 ubyte !0x2E 361>>>>>>10 ubyte !0x2A \b%c 362>>>>11 ubyte >0x20 363>>>>>11 ubyte !0x2E \b%c 364>>>>12 ubyte >0x20 365>>>>>12 ubyte !0x39 366>>>>>>12 ubyte !0x2E \b%c 367>>>13 ubyte >0x20 368>>>>13 ubyte !0x2E \b%c 369>>>>14 ubyte >0x20 370>>>>>14 ubyte !0x2E \b%c 371>>>>15 ubyte >0x20 372>>>>>15 ubyte !0x2E \b%c 373>>>>16 ubyte >0x20 374>>>>>16 ubyte !0x2E 375>>>>>>16 ubyte <0xCB \b%c 376>>>>17 ubyte >0x20 377>>>>>17 ubyte !0x2E 378>>>>>>17 ubyte <0x90 \b%c 379# some character device drivers like ASPICD.SYS, btcdrom.sys and Cr_atapi.sys contain only spaces or points in name field 380>>>4 uleshort&0x8000 0x8000 381>>>>12 ubyte <0x2F 382# they have their real name at offset 22 383>>>>>22 string >\0 \b%-.5s 384>4 uleshort&0x8000 0x0000 385# 32 bit sector addressing ( > 32 MB) for block devices 386>>4 uleshort&0x0002 0x0002 \b,32-bit sector- 387# support by driver functions 13h, 17h, 18h 388>4 uleshort&0x0040 0x0040 \b,IOCTL- 389# open, close, removable media support by driver functions 0Dh, 0Eh, 0Fh 390>4 uleshort&0x0800 0x0800 \b,close media- 391# output until busy support by int 10h for character device driver 392>4 uleshort&0x8000 0x8000 393>>4 uleshort&0x2000 0x2000 \b,until busy- 394# direct read/write support by driver functions 03h,0Ch 395>4 uleshort&0x4000 0x4000 \b,control strings- 396>4 uleshort&0x8000 0x8000 397>>4 uleshort&0x6840 >0 \bsupport 398>4 uleshort&0x8000 0x0000 399>>4 uleshort&0x4842 >0 \bsupport 400>0 ubyte x \b) 401# DOS driver cmd640x.sys has 0x12 instead of 0xffffffff for pointer field to next device header 402# Too weak, matches files that only contain 0's 403#0 ulequad&0x000007a0ffffffed 0x0000000000000000 DOS-executable ( 404#>4 uleshort&0x8000 0x8000 \bcharacter device driver 405#>>10 string x %-.8s 406#>4 uleshort&0x4000 0x4000 \b,control strings-support) 407 408# test too generic ? 4090 byte 0x8c DOS executable (COM) 410# updated by Joerg Jenderek at Oct 2008 4110 ulelong 0xffff10eb DR-DOS executable (COM) 412# byte 0xeb conflicts with "sequent" magic leshort 0xn2eb 4130 ubeshort&0xeb8d >0xeb00 414# DR-DOS STACKER.COM SCREATE.SYS missed 415>0 byte 0xeb 416>>0x1FE leshort 0xAA55 DOS executable (COM), boot code 417>>85 string UPX DOS executable (COM), UPX compressed 418>>4 string \ $ARX DOS executable (COM), ARX self-extracting archive 419>>4 string \ $LHarc DOS executable (COM), LHarc self-extracting archive 420>>0x20e string SFX\ by\ LARC DOS executable (COM), LARC self-extracting archive 421# updated by Joerg Jenderek at Oct 2008 422#0 byte 0xb8 COM executable 4230 uleshort&0x80ff 0x00b8 424# modified by Joerg Jenderek 425>1 lelong !0x21cd4cff COM executable for DOS 426# http://syslinux.zytor.com/comboot.php 427# (32-bit COMBOOT) programs *.C32 contain 32-bit code and run in flat-memory 32-bit protected mode 428# start with assembler instructions mov eax,21cd4cffh 4290 uleshort&0xc0ff 0xc0b8 430>1 lelong 0x21cd4cff COM executable (32-bit COMBOOT) 431# syslinux:doc/comboot.txt 432# A COM32R program must start with the byte sequence B8 FE 4C CD 21 (mov 433# eax,21cd4cfeh) as a magic number. 4340 string/b \xb8\xfe\x4c\xcd\x21 COM executable (COM32R) 435# start with assembler instructions mov eax,21cd4cfeh 4360 uleshort&0xc0ff 0xc0b8 437>1 lelong 0x21cd4cfe COM executable (32-bit COMBOOT, relocatable) 4380 string/b \x81\xfc 439>4 string \x77\x02\xcd\x20\xb9 440>>36 string UPX! FREE-DOS executable (COM), UPX compressed 441252 string Must\ have\ DOS\ version DR-DOS executable (COM) 442# added by Joerg Jenderek at Oct 2008 443# GRR search is not working 444#34 search/2 UPX! FREE-DOS executable (COM), UPX compressed 44534 string UPX! FREE-DOS executable (COM), UPX compressed 44635 string UPX! FREE-DOS executable (COM), UPX compressed 447# GRR search is not working 448#2 search/28 \xcd\x21 COM executable for MS-DOS 449#WHICHFAT.cOM 4502 string \xcd\x21 COM executable for DOS 451#DELTREE.cOM DELTREE2.cOM 4524 string \xcd\x21 COM executable for DOS 453#IFMEMDSK.cOM ASSIGN.cOM COMP.cOM 4545 string \xcd\x21 COM executable for DOS 455#DELTMP.COm HASFAT32.cOM 4567 string \xcd\x21 457>0 byte !0xb8 COM executable for DOS 458#COMP.cOM MORE.COm 45910 string \xcd\x21 460>5 string !\xcd\x21 COM executable for DOS 461#comecho.com 46213 string \xcd\x21 COM executable for DOS 463#HELP.COm EDIT.coM 46418 string \xcd\x21 COM executable for MS-DOS 465#NWRPLTRM.COm 46623 string \xcd\x21 COM executable for MS-DOS 467#LOADFIX.cOm LOADFIX.cOm 46830 string \xcd\x21 COM executable for MS-DOS 469#syslinux.com 3.11 47070 string \xcd\x21 COM executable for DOS 471# many compressed/converted COMs start with a copy loop instead of a jump 4720x6 search/0xa \xfc\x57\xf3\xa5\xc3 COM executable for MS-DOS 4730x6 search/0xa \xfc\x57\xf3\xa4\xc3 COM executable for DOS 474>0x18 search/0x10 \x50\xa4\xff\xd5\x73 \b, aPack compressed 4750x3c string W\ Collis\0\0 COM executable for MS-DOS, Compack compressed 476# FIXME: missing diet .com compression 477 478# miscellaneous formats 4790 string/b LZ MS-DOS executable (built-in) 480#0 byte 0xf0 MS-DOS program library data 481# 482 483# AAF files: 484# <stuartc@rd.bbc.co.uk> Stuart Cunningham 4850 string/b \320\317\021\340\241\261\032\341AAFB\015\000OM\006\016\053\064\001\001\001\377 AAF legacy file using MS Structured Storage 486>30 byte 9 (512B sectors) 487>30 byte 12 (4kB sectors) 4880 string/b \320\317\021\340\241\261\032\341\001\002\001\015\000\002\000\000\006\016\053\064\003\002\001\001 AAF file using MS Structured Storage 489>30 byte 9 (512B sectors) 490>30 byte 12 (4kB sectors) 491 492# Popular applications 4932080 string Microsoft\ Word\ 6.0\ Document %s 494!:mime application/msword 4952080 string Documento\ Microsoft\ Word\ 6 Spanish Microsoft Word 6 document data 496!:mime application/msword 497# Pawel Wiecek <coven@i17linuxb.ists.pwr.wroc.pl> (for polish Word) 4982112 string MSWordDoc Microsoft Word document data 499!:mime application/msword 500# 5010 belong 0x31be0000 Microsoft Word Document 502!:mime application/msword 503# 5040 string/b PO^Q` Microsoft Word 6.0 Document 505!:mime application/msword 506# 5070 string/b \376\067\0\043 Microsoft Office Document 508!:mime application/msword 5090 string/b \333\245-\0\0\0 Microsoft Office Document 510!:mime application/msword 511512 string/b \354\245\301 Microsoft Word Document 512!:mime application/msword 513 514# 5150 string/b \xDB\xA5\x2D\x00 Microsoft WinWord 2.0 Document 516!:mime application/msword 517# 5182080 string Microsoft\ Excel\ 5.0\ Worksheet %s 519!:mime application/vnd.ms-excel 520# 5210 string/b \xDB\xA5\x2D\x00 Microsoft WinWord 2.0 Document 522!:mime application/msword 523 5242080 string Foglio\ di\ lavoro\ Microsoft\ Exce %s 525!:mime application/vnd.ms-excel 526# 527# Pawel Wiecek <coven@i17linuxb.ists.pwr.wroc.pl> (for polish Excel) 5282114 string Biff5 Microsoft Excel 5.0 Worksheet 529!:mime application/vnd.ms-excel 530# Italian MS-Excel 5312121 string Biff5 Microsoft Excel 5.0 Worksheet 532!:mime application/vnd.ms-excel 5330 string/b \x09\x04\x06\x00\x00\x00\x10\x00 Microsoft Excel Worksheet 534!:mime application/vnd.ms-excel 535# 5360 belong 0x00001a00 Lotus 1-2-3 537!:mime application/x-123 538>4 belong 0x00100400 wk3 document data 539>4 belong 0x02100400 wk4 document data 540>4 belong 0x07800100 fm3 or fmb document data 541>4 belong 0x07800000 fm3 or fmb document data 542# 5430 belong 0x00000200 Lotus 1-2-3 544!:mime application/x-123 545>4 belong 0x06040600 wk1 document data 546>4 belong 0x06800200 fmt document data 5470 string/b WordPro\0 Lotus WordPro 548!:mime application/vnd.lotus-wordpro 5490 string/b WordPro\r\373 Lotus WordPro 550!:mime application/vnd.lotus-wordpro 551 552 553# Summary: Script used by InstallScield to uninstall applications 554# Extension: .isu 555# Submitted by: unknown 556# Modified by (1): Abel Cheung <abelcheung@gmail.com> (replace useless entry) 5570 string \x71\xa8\x00\x00\x01\x02 558>12 string Stirling\ Technologies, InstallShield Uninstall Script 559 560# Winamp .avs 561#0 string Nullsoft\ AVS\ Preset\ \060\056\061\032 A plug in for Winamp ms-windows Freeware media player 5620 string/b Nullsoft\ AVS\ Preset\ Winamp plug in 563 564# Windows Metafont .WMF 5650 string/b \327\315\306\232 ms-windows metafont .wmf 5660 string/b \002\000\011\000 ms-windows metafont .wmf 5670 string/b \001\000\011\000 ms-windows metafont .wmf 568 569#tz3 files whatever that is (MS Works files) 5700 string/b \003\001\001\004\070\001\000\000 tz3 ms-works file 5710 string/b \003\002\001\004\070\001\000\000 tz3 ms-works file 5720 string/b \003\003\001\004\070\001\000\000 tz3 ms-works file 573 574# PGP sig files .sig 575#0 string \211\000\077\003\005\000\063\237\127 065 to \027\266\151\064\005\045\101\233\021\002 PGP sig 5760 string \211\000\077\003\005\000\063\237\127\065\027\266\151\064\005\045\101\233\021\002 PGP sig 5770 string \211\000\077\003\005\000\063\237\127\066\027\266\151\064\005\045\101\233\021\002 PGP sig 5780 string \211\000\077\003\005\000\063\237\127\067\027\266\151\064\005\045\101\233\021\002 PGP sig 5790 string \211\000\077\003\005\000\063\237\127\070\027\266\151\064\005\045\101\233\021\002 PGP sig 5800 string \211\000\077\003\005\000\063\237\127\071\027\266\151\064\005\045\101\233\021\002 PGP sig 5810 string \211\000\225\003\005\000\062\122\207\304\100\345\042 PGP sig 582 583# windows zips files .dmf 5840 string/b MDIF\032\000\010\000\000\000\372\046\100\175\001\000\001\036\001\000 MS Windows special zipped file 585 586 587#ico files 5880 string/b \102\101\050\000\000\000\056\000\000\000\000\000\000\000 Icon for MS Windows 589 590# Windows icons 5910 name ico-dir 592# not entirely accurate, the number of icons is part of the header 593>0 byte 1 - 1 icon 594>0 ubyte >1 - %d icons 595>2 byte 0 \b, 256x 596>2 byte !0 \b, %dx 597>3 byte 0 \b256 598>3 byte !0 \b%d 599>4 ubyte !0 \b, %d colors 600 6010 belong 0x00000100 602>9 byte 0 603>>0 byte x MS Windows icon resource 604!:mime image/x-icon 605>>4 use ico-dir 606>9 ubyte 0xff 607>>0 byte x MS Windows icon resource 608!:mime image/x-icon 609>>4 use ico-dir 610 611# Windows non-animated cursors 6120 name cur-dir 613# not entirely accurate, the number of icons is part of the header 614>0 byte 1 - 1 icon 615>0 ubyte >1 - %d icons 616>2 byte 0 \b, 256x 617>2 byte !0 \b, %dx 618>3 byte 0 \b256 619>3 byte !0 \b%d 620>6 uleshort x \b, hotspot @%dx 621>8 uleshort x \b%d 622 6230 belong 0x00000200 624>9 byte 0 625>>0 byte x MS Windows cursor resource 626!:mime image/x-cur 627>>4 use cur-dir 628>9 ubyte 0xff 629>>0 byte x MS Windows cursor resource 630!:mime image/x-cur 631>>4 use cur-dir 632 633# .chr files 6340 string/b PK\010\010BGI Borland font 635>4 string >\0 %s 636# then there is a copyright notice 637 638 639# .bgi files 6400 string/b pk\010\010BGI Borland device 641>4 string >\0 %s 642# then there is a copyright notice 643 644 645# Windows Recycle Bin record file (named INFO2) 646# By Abel Cheung (abelcheung AT gmail dot com) 647# Version 4 always has 280 bytes (0x118) per record, version 5 has 800 bytes 648# Since Vista uses another structure, INFO2 structure probably won't change 649# anymore. Detailed analysis in: 650# http://www.cybersecurityinstitute.biz/downloads/INFO2.pdf 6510 lelong 0x00000004 652>12 lelong 0x00000118 Windows Recycle Bin INFO2 file (Win98 or below) 653 6540 lelong 0x00000005 655>12 lelong 0x00000320 Windows Recycle Bin INFO2 file (Win2k - WinXP) 656 657 658##### put in Either Magic/font or Magic/news 659# Acroread or something files wrongly identified as G3 .pfm 660# these have the form \000 \001 any? \002 \000 \000 661# or \000 \001 any? \022 \000 \000 6620 belong&0xffff00ff 0x00010012 PFM data 663>4 string \000\000 664>6 string >\060 - %s 665 6660 belong&0xffff00ff 0x00010002 PFM data 667>4 string \000\000 668>6 string >\060 - %s 669#0 string \000\001 pfm? 670#>3 string \022\000\000Copyright\ yes 671#>3 string \002\000\000Copyright\ yes 672#>3 string >\0 oops, not a font file. Cancel that. 673#it clashes with ttf files so put it lower down. 674 675# From Doug Lee via a FreeBSD pr 6769 string GERBILDOC First Choice document 6779 string GERBILDB First Choice database 6789 string GERBILCLIP First Choice database 6790 string GERBIL First Choice device file 6809 string RABBITGRAPH RabbitGraph file 6810 string DCU1 Borland Delphi .DCU file 6820 string =!<spell> MKS Spell hash list (old format) 6830 string =!<spell2> MKS Spell hash list 684# Too simple - MPi 685#0 string AH Halo(TM) bitmapped font file 6860 lelong 0x08086b70 TurboC BGI file 6870 lelong 0x08084b50 TurboC Font file 688 689# Debian#712046: The magic below identifies "Delphi compiled form data". 690# An additional source of information is available at: 691# http://www.woodmann.com/fravia/dafix_t1.htm 6920 string TPF0 693>4 pstring >\0 Delphi compiled form '%s' 694 695# tests for DBase files moved, updated and merged to database 696 6970 string PMCC Windows 3.x .GRP file 6981 string RDC-meg MegaDots 699>8 byte >0x2F version %c 700>9 byte >0x2F \b.%c file 7010 lelong 0x4C 702>4 lelong 0x00021401 Windows shortcut file 703 704# .PIF files added by Joerg Jenderek from http://smsoft.ru/en/pifdoc.htm 705# only for windows versions equal or greater 3.0 7060x171 string MICROSOFT\ PIFEX\0 Windows Program Information File 707!:mime application/x-dosexec 708#>2 string >\0 \b, Title:%.30s 709>0x24 string >\0 \b for %.63s 710>0x65 string >\0 \b, directory=%.64s 711>0xA5 string >\0 \b, parameters=%.64s 712#>0x181 leshort x \b, offset %x 713#>0x183 leshort x \b, offsetdata %x 714#>0x185 leshort x \b, section length %x 715>0x187 search/0xB55 WINDOWS\ VMM\ 4.0\0 716>>&0x5e ubyte >0 717>>>&-1 string <PIFMGR.DLL \b, icon=%s 718#>>>&-1 string PIFMGR.DLL \b, icon=%s 719>>>&-1 string >PIFMGR.DLL \b, icon=%s 720>>&0xF0 ubyte >0 721>>>&-1 string <Terminal \b, font=%.32s 722#>>>&-1 string =Terminal \b, font=%.32s 723>>>&-1 string >Terminal \b, font=%.32s 724>>&0x110 ubyte >0 725>>>&-1 string <Lucida\ Console \b, TrueTypeFont=%.32s 726#>>>&-1 string =Lucida\ Console \b, TrueTypeFont=%.32s 727>>>&-1 string >Lucida\ Console \b, TrueTypeFont=%.32s 728#>0x187 search/0xB55 WINDOWS\ 286\ 3.0\0 \b, Windows 3.X standard mode-style 729#>0x187 search/0xB55 WINDOWS\ 386\ 3.0\0 \b, Windows 3.X enhanced mode-style 730>0x187 search/0xB55 WINDOWS\ NT\ \ 3.1\0 \b, Windows NT-style 731#>0x187 search/0xB55 WINDOWS\ NT\ \ 4.0\0 \b, Windows NT-style 732>0x187 search/0xB55 CONFIG\ \ SYS\ 4.0\0 \b +CONFIG.SYS 733#>>&06 string x \b:%s 734>0x187 search/0xB55 AUTOEXECBAT\ 4.0\0 \b +AUTOEXEC.BAT 735#>>&06 string x \b:%s 736 737# DOS EPS Binary File Header 738# From: Ed Sznyter <ews@Black.Market.NET> 7390 belong 0xC5D0D3C6 DOS EPS Binary File 740>4 long >0 Postscript starts at byte %d 741>>8 long >0 length %d 742>>>12 long >0 Metafile starts at byte %d 743>>>>16 long >0 length %d 744>>>20 long >0 TIFF starts at byte %d 745>>>>24 long >0 length %d 746 747# TNEF magic From "Joomy" <joomy@se-ed.net> 748# Microsoft Outlook's Transport Neutral Encapsulation Format (TNEF) 7490 leshort 0x223e9f78 TNEF 750!:mime application/vnd.ms-tnef 751 752# Norton Guide (.NG , .HLP) files added by Joerg Jenderek from source NG2HTML.C 753# of http://www.davep.org/norton-guides/ng2h-105.tgz 754# http://en.wikipedia.org/wiki/Norton_Guides 7550 string NG\0\001 756# only value 0x100 found at offset 2 757>2 ulelong 0x00000100 Norton Guide 758# Title[40] 759>>8 string >\0 "%-.40s" 760#>>6 uleshort x \b, MenuCount=%u 761# szCredits[5][66] 762>>48 string >\0 \b, %-.66s 763>>114 string >\0 %-.66s 764 765# 4DOS help (.HLP) files added by Joerg Jenderek from source TPHELP.PAS 766# of http://www.4dos.info/ 767# pointer,HelpID[8]=4DHnnnmm 7680 ulelong 0x48443408 4DOS help file 769>4 string x \b, version %-4.4s 770 771# old binary Microsoft (.HLP) files added by Joerg Jenderek from http://file-extension.net/seeker/file_extension_hlp 7720 ulequad 0x3a000000024e4c MS Advisor help file 773 774# HtmlHelp files (.chm) 7750 string/b ITSF\003\000\000\000\x60\000\000\000\001\000\000\000 MS Windows HtmlHelp Data 776 777# GFA-BASIC (Wolfram Kleff) 7782 string/b GFA-BASIC3 GFA-BASIC 3 data 779 780#------------------------------------------------------------------------------ 781# From Stuart Caie <kyzer@4u.net> (developer of cabextract) 782# Microsoft Cabinet files 7830 string/b MSCF\0\0\0\0 Microsoft Cabinet archive data 784!:mime application/vnd.ms-cab-compressed 785>8 lelong x \b, %u bytes 786>28 leshort 1 \b, 1 file 787>28 leshort >1 \b, %u files 788 789# InstallShield Cabinet files 7900 string/b ISc( InstallShield Cabinet archive data 791>5 byte&0xf0 =0x60 version 6, 792>5 byte&0xf0 !0x60 version 4/5, 793>(12.l+40) lelong x %u files 794 795# Windows CE package files 7960 string/b MSCE\0\0\0\0 Microsoft WinCE install header 797>20 lelong 0 \b, architecture-independent 798>20 lelong 103 \b, Hitachi SH3 799>20 lelong 104 \b, Hitachi SH4 800>20 lelong 0xA11 \b, StrongARM 801>20 lelong 4000 \b, MIPS R4000 802>20 lelong 10003 \b, Hitachi SH3 803>20 lelong 10004 \b, Hitachi SH3E 804>20 lelong 10005 \b, Hitachi SH4 805>20 lelong 70001 \b, ARM 7TDMI 806>52 leshort 1 \b, 1 file 807>52 leshort >1 \b, %u files 808>56 leshort 1 \b, 1 registry entry 809>56 leshort >1 \b, %u registry entries 810 811 812# Windows Enhanced Metafile (EMF) 813# See msdn.microsoft.com/archive/en-us/dnargdi/html/msdn_enhmeta.asp 814# for further information. 8150 ulelong 1 816>40 string \ EMF Windows Enhanced Metafile (EMF) image data 817>>44 ulelong x version 0x%x 818 819# from http://filext.com by Derek M Jones <derek@knosof.co.uk> 820# False positive with PPT (also currently this string is too long) 821#0 string/b \xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x3E\x00\x03\x00\xFE\xFF\x09\x00\x06 Microsoft Installer 8220 string/b \320\317\021\340\241\261\032\341 Microsoft Office Document 823#>48 byte 0x1B Excel Document 824#!:mime application/vnd.ms-excel 825>546 string bjbj Microsoft Word Document 826!:mime application/msword 827>546 string jbjb Microsoft Word Document 828!:mime application/msword 829 8300 string/b \224\246\056 Microsoft Word Document 831!:mime application/msword 832 833512 string R\0o\0o\0t\0\ \0E\0n\0t\0r\0y Microsoft Word Document 834!:mime application/msword 835 836# From: "Nelson A. de Oliveira" <naoliv@gmail.com> 837# Magic type for Dell's BIOS .hdr files 838# Dell's .hdr 8390 string/b $RBU 840>23 string Dell %s system BIOS 841>5 byte 2 842>>48 byte x version %d. 843>>49 byte x \b%d. 844>>50 byte x \b%d 845>5 byte <2 846>>48 string x version %.3s 847 848# Type: Microsoft DirectDraw Surface 849# URL: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/directx9_c/directx/graphics/reference/DDSFileReference/ddsfileformat.asp 850# From: Morten Hustveit <morten@debian.org> 8510 string/b DDS\040\174\000\000\000 Microsoft DirectDraw Surface (DDS), 852>16 lelong >0 %d x 853>12 lelong >0 %d, 854>84 string x %.4s 855 856# Type: Microsoft Document Imaging Format (.mdi) 857# URL: http://en.wikipedia.org/wiki/Microsoft_Document_Imaging_Format 858# From: Daniele Sempione <scrows@oziosi.org> 8590 short 0x5045 Microsoft Document Imaging Format 860 861# MS eBook format (.lit) 8620 string/b ITOLITLS Microsoft Reader eBook Data 863>8 lelong x \b, version %u 864!:mime application/x-ms-reader 865 866# Windows CE Binary Image Data Format 867# From: Dr. Jesus <j@hug.gs> 8680 string/b B000FF\n Windows Embedded CE binary image 869 870# Windows Imaging (WIM) Image 8710 string/b MSWIM\000\000\000 Windows imaging (WIM) image 872 873# The second byte of these signatures is a file version; I don't know what, 874# if anything, produced files with version numbers 0-2. 875# From: John Elliott <johne@seasip.demon.co.uk> 8760 string \xfc\x03\x00 Mallard BASIC program data (v1.11) 8770 string \xfc\x04\x00 Mallard BASIC program data (v1.29+) 8780 string \xfc\x03\x01 Mallard BASIC protected program data (v1.11) 8790 string \xfc\x04\x01 Mallard BASIC protected program data (v1.29+) 880 8810 string MIOPEN Mallard BASIC Jetsam data 8820 string Jetsam0 Mallard BASIC Jetsam index data 883 884