Context Navigation

← Previous Revision
Latest Revision
Next Revision →
Blame
Revision Log

msdos @ 298

Last change on this file since 298 was 298, checked in by bouyer, 7 years ago
Load . into vendor/netbsd/8.
File size: 44.3 KB

Line
1
2	#------------------------------------------------------------------------------
3	# $File: msdos,v 1.118 2017/05/20 19:55:27 christos Exp $
4	# msdos: file(1) magic for MS-DOS files
5	#
6
7	# .BAT files (Daniel Quinlan, quinlan@yggdrasil.com)
8	# updated by Joerg Jenderek at Oct 2008,Apr 2011
9	0 string/t @
10	>1 string/cW \ echo\ off DOS batch file text
11	!:mime text/x-msdos-batch
12	>1 string/cW echo\ off DOS batch file text
13	!:mime text/x-msdos-batch
14	>1 string/cW rem DOS batch file text
15	!:mime text/x-msdos-batch
16	>1 string/cW set\ DOS batch file text
17	!:mime text/x-msdos-batch
18
19
20	# OS/2 batch files are REXX. the second regex is a bit generic, oh well
21	# the matched commands seem to be common in REXX and uncommon elsewhere
22	100 search/0xffff rxfuncadd
23	>100 regex/c =^[\ \t]{0,10}call[\ \t]{1,10}rxfunc OS/2 REXX batch file text
24	100 search/0xffff say
25	>100 regex/c =^[\ \t]{0,10}say\ ['"] OS/2 REXX batch file text
26
27	# updated by Joerg Jenderek at Oct 2015
28	# https://de.wikipedia.org/wiki/Common_Object_File_Format
29	# http://www.delorie.com/djgpp/doc/coff/filhdr.html
30	# ./intel already labeled COFF type 0x14c=0514 as "80386 COFF executable"
31	#0 leshort 0x14c MS Windows COFF Intel 80386 object file
32	#>4 ledate x stamp %s
33	0 leshort 0x166 MS Windows COFF MIPS R4000 object file
34	#>4 ledate x stamp %s
35	0 leshort 0x184 MS Windows COFF Alpha object file
36	#>4 ledate x stamp %s
37	0 leshort 0x268 MS Windows COFF Motorola 68000 object file
38	#>4 ledate x stamp %s
39	0 leshort 0x1f0 MS Windows COFF PowerPC object file
40	#>4 ledate x stamp %s
41	0 leshort 0x290 MS Windows COFF PA-RISC object file
42	#>4 ledate x stamp %s
43
44	# Tests for various EXE types.
45	#
46	# Many of the compressed formats were extraced from IDARC 1.23 source code.
47	#
48	0 string/b MZ
49	# All non-DOS EXE extensions have the relocation table more than 0x40 bytes into the file.
50	>0x18 leshort <0x40 MS-DOS executable
51	!:mime application/x-dosexec
52	# These traditional tests usually work but not always. When test quality support is
53	# implemented these can be turned on.
54	#>>0x18 leshort 0x1c (Borland compiler)
55	#>>0x18 leshort 0x1e (MS compiler)
56
57	# If the relocation table is 0x40 or more bytes into the file, it's definitely
58	# not a DOS EXE.
59	>0x18 leshort >0x3f
60
61	# Maybe it's a PE?
62	>>(0x3c.l) string PE\0\0 PE
63	!:mime application/x-dosexec
64	>>>(0x3c.l+24) leshort 0x010b \b32 executable
65	>>>(0x3c.l+24) leshort 0x020b \b32+ executable
66	>>>(0x3c.l+24) leshort 0x0107 ROM image
67	>>>(0x3c.l+24) default x Unknown PE signature
68	>>>>&0 leshort x 0x%x
69	>>>(0x3c.l+22) leshort&0x2000 >0 (DLL)
70	>>>(0x3c.l+92) leshort 1 (native)
71	>>>(0x3c.l+92) leshort 2 (GUI)
72	>>>(0x3c.l+92) leshort 3 (console)
73	>>>(0x3c.l+92) leshort 7 (POSIX)
74	>>>(0x3c.l+92) leshort 9 (Windows CE)
75	>>>(0x3c.l+92) leshort 10 (EFI application)
76	>>>(0x3c.l+92) leshort 11 (EFI boot service driver)
77	>>>(0x3c.l+92) leshort 12 (EFI runtime driver)
78	>>>(0x3c.l+92) leshort 13 (EFI ROM)
79	>>>(0x3c.l+92) leshort 14 (XBOX)
80	>>>(0x3c.l+92) leshort 15 (Windows boot application)
81	>>>(0x3c.l+92) default x (Unknown subsystem
82	>>>>&0 leshort x 0x%x)
83	>>>(0x3c.l+4) leshort 0x14c Intel 80386
84	>>>(0x3c.l+4) leshort 0x166 MIPS R4000
85	>>>(0x3c.l+4) leshort 0x168 MIPS R10000
86	>>>(0x3c.l+4) leshort 0x184 Alpha
87	>>>(0x3c.l+4) leshort 0x1a2 Hitachi SH3
88	>>>(0x3c.l+4) leshort 0x1a6 Hitachi SH4
89	>>>(0x3c.l+4) leshort 0x1c0 ARM
90	>>>(0x3c.l+4) leshort 0x1c2 ARM Thumb
91	>>>(0x3c.l+4) leshort 0x1c4 ARMv7 Thumb
92	>>>(0x3c.l+4) leshort 0x1f0 PowerPC
93	>>>(0x3c.l+4) leshort 0x200 Intel Itanium
94	>>>(0x3c.l+4) leshort 0x266 MIPS16
95	>>>(0x3c.l+4) leshort 0x268 Motorola 68000
96	>>>(0x3c.l+4) leshort 0x290 PA-RISC
97	>>>(0x3c.l+4) leshort 0x366 MIPSIV
98	>>>(0x3c.l+4) leshort 0x466 MIPS16 with FPU
99	>>>(0x3c.l+4) leshort 0xebc EFI byte code
100	>>>(0x3c.l+4) leshort 0x8664 x86-64
101	>>>(0x3c.l+4) leshort 0xc0ee MSIL
102	>>>(0x3c.l+4) default x Unknown processor type
103	>>>>&0 leshort x 0x%x
104	>>>(0x3c.l+22) leshort&0x0200 >0 (stripped to external PDB)
105	>>>(0x3c.l+22) leshort&0x1000 >0 system file
106	>>>(0x3c.l+24) leshort 0x010b
107	>>>>(0x3c.l+232) lelong >0 Mono/.Net assembly
108	>>>(0x3c.l+24) leshort 0x020b
109	>>>>(0x3c.l+248) lelong >0 Mono/.Net assembly
110
111	# hooray, there's a DOS extender using the PE format, with a valid PE
112	# executable inside (which just prints a message and exits if run in win)
113	>>>(8.s*16) string 32STUB \b, 32rtm DOS extender
114	>>>(8.s*16) string !32STUB \b, for MS Windows
115	>>>(0x3c.l+0xf8) string UPX0 \b, UPX compressed
116	>>>(0x3c.l+0xf8) search/0x140 PEC2 \b, PECompact2 compressed
117	>>>(0x3c.l+0xf8) search/0x140 UPX2
118	>>>>(&0x10.l+(-4)) string PK\3\4 \b, ZIP self-extracting archive (Info-Zip)
119	>>>(0x3c.l+0xf8) search/0x140 .idata
120	>>>>(&0xe.l+(-4)) string PK\3\4 \b, ZIP self-extracting archive (Info-Zip)
121	>>>>(&0xe.l+(-4)) string ZZ0 \b, ZZip self-extracting archive
122	>>>>(&0xe.l+(-4)) string ZZ1 \b, ZZip self-extracting archive
123	>>>(0x3c.l+0xf8) search/0x140 .rsrc
124	>>>>(&0x0f.l+(-4)) string a\\\4\5 \b, WinHKI self-extracting archive
125	>>>>(&0x0f.l+(-4)) string Rar! \b, RAR self-extracting archive
126	>>>>(&0x0f.l+(-4)) search/0x3000 MSCF \b, InstallShield self-extracting archive
127	>>>>(&0x0f.l+(-4)) search/32 Nullsoft \b, Nullsoft Installer self-extracting archive
128	>>>(0x3c.l+0xf8) search/0x140 .data
129	>>>>(&0x0f.l) string WEXTRACT \b, MS CAB-Installer self-extracting archive
130	>>>(0x3c.l+0xf8) search/0x140 .petite\0 \b, Petite compressed
131	>>>>(0x3c.l+0xf7) byte x
132	>>>>>(&0x104.l+(-4)) string =!sfx! \b, ACE self-extracting archive
133	>>>(0x3c.l+0xf8) search/0x140 .WISE \b, WISE installer self-extracting archive
134	>>>(0x3c.l+0xf8) search/0x140 .dz\0\0\0 \b, Dzip self-extracting archive
135	>>>&(0x3c.l+0xf8) search/0x100 _winzip_ \b, ZIP self-extracting archive (WinZip)
136	>>>&(0x3c.l+0xf8) search/0x100 SharedD \b, Microsoft Installer self-extracting archive
137	>>>0x30 string Inno \b, InnoSetup self-extracting archive
138
139	# Hmm, not a PE but the relocation table is too high for a traditional DOS exe,
140	# must be one of the unusual subformats.
141	>>(0x3c.l) string !PE\0\0 MS-DOS executable
142	!:mime application/x-dosexec
143
144	>>(0x3c.l) string NE \b, NE
145	!:mime application/x-dosexec
146	>>>(0x3c.l+0x36) byte 1 for OS/2 1.x
147	>>>(0x3c.l+0x36) byte 2 for MS Windows 3.x
148	>>>(0x3c.l+0x36) byte 3 for MS-DOS
149	>>>(0x3c.l+0x36) byte 4 for Windows 386
150	>>>(0x3c.l+0x36) byte 5 for Borland Operating System Services
151	>>>(0x3c.l+0x36) default x
152	>>>>(0x3c.l+0x36) byte x (unknown OS %x)
153	>>>(0x3c.l+0x36) byte 0x81 for MS-DOS, Phar Lap DOS extender
154	>>>(0x3c.l+0x0c) leshort&0x8003 0x8002 (DLL)
155	>>>(0x3c.l+0x0c) leshort&0x8003 0x8001 (driver)
156	>>>&(&0x24.s-1) string ARJSFX \b, ARJ self-extracting archive
157	>>>(0x3c.l+0x70) search/0x80 WinZip(R)\ Self-Extractor \b, ZIP self-extracting archive (WinZip)
158
159	>>(0x3c.l) string LX\0\0 \b, LX
160	!:mime application/x-dosexec
161	>>>(0x3c.l+0x0a) leshort <1 (unknown OS)
162	>>>(0x3c.l+0x0a) leshort 1 for OS/2
163	>>>(0x3c.l+0x0a) leshort 2 for MS Windows
164	>>>(0x3c.l+0x0a) leshort 3 for DOS
165	>>>(0x3c.l+0x0a) leshort >3 (unknown OS)
166	>>>(0x3c.l+0x10) lelong&0x28000 =0x8000 (DLL)
167	>>>(0x3c.l+0x10) lelong&0x20000 >0 (device driver)
168	>>>(0x3c.l+0x10) lelong&0x300 0x300 (GUI)
169	>>>(0x3c.l+0x10) lelong&0x28300 <0x300 (console)
170	>>>(0x3c.l+0x08) leshort 1 i80286
171	>>>(0x3c.l+0x08) leshort 2 i80386
172	>>>(0x3c.l+0x08) leshort 3 i80486
173	>>>(8.s*16) string emx \b, emx
174	>>>>&1 string x %s
175	>>>&(&0x54.l-3) string arjsfx \b, ARJ self-extracting archive
176
177	# MS Windows system file, supposedly a collection of LE executables
178	>>(0x3c.l) string W3 \b, W3 for MS Windows
179	!:mime application/x-dosexec
180
181	>>(0x3c.l) string LE\0\0 \b, LE executable
182	!:mime application/x-dosexec
183	>>>(0x3c.l+0x0a) leshort 1
184	# some DOS extenders use LE files with OS/2 header
185	>>>>0x240 search/0x100 DOS/4G for MS-DOS, DOS4GW DOS extender
186	>>>>0x240 search/0x200 WATCOM\ C/C++ for MS-DOS, DOS4GW DOS extender
187	>>>>0x440 search/0x100 CauseWay\ DOS\ Extender for MS-DOS, CauseWay DOS extender
188	>>>>0x40 search/0x40 PMODE/W for MS-DOS, PMODE/W DOS extender
189	>>>>0x40 search/0x40 STUB/32A for MS-DOS, DOS/32A DOS extender (stub)
190	>>>>0x40 search/0x80 STUB/32C for MS-DOS, DOS/32A DOS extender (configurable stub)
191	>>>>0x40 search/0x80 DOS/32A for MS-DOS, DOS/32A DOS extender (embedded)
192	# this is a wild guess; hopefully it is a specific signature
193	>>>>&0x24 lelong <0x50
194	>>>>>(&0x4c.l) string \xfc\xb8WATCOM
195	>>>>>>&0 search/8 3\xdbf\xb9 \b, 32Lite compressed
196	# another wild guess: if real OS/2 LE executables exist, they probably have higher start EIP
197	#>>>>(0x3c.l+0x1c) lelong >0x10000 for OS/2
198	# fails with DOS-Extenders.
199	>>>(0x3c.l+0x0a) leshort 2 for MS Windows
200	>>>(0x3c.l+0x0a) leshort 3 for DOS
201	>>>(0x3c.l+0x0a) leshort 4 for MS Windows (VxD)
202	>>>(&0x7c.l+0x26) string UPX \b, UPX compressed
203	>>>&(&0x54.l-3) string UNACE \b, ACE self-extracting archive
204
205	# looks like ASCII, probably some embedded copyright message.
206	# and definitely not NE/LE/LX/PE
207	>>0x3c lelong >0x20000000
208	>>>(4.s*512) leshort !0x014c \b, MZ for MS-DOS
209	!:mime application/x-dosexec
210	# header data too small for extended executable
211	>2 long !0
212	>>0x18 leshort <0x40
213	>>>(4.s*512) leshort !0x014c
214
215	>>>>&(2.s-514) string !LE
216	>>>>>&-2 string !BW \b, MZ for MS-DOS
217	!:mime application/x-dosexec
218	>>>>&(2.s-514) string LE \b, LE
219	>>>>>0x240 search/0x100 DOS/4G for MS-DOS, DOS4GW DOS extender
220	# educated guess since indirection is still not capable enough for complex offset
221	# calculations (next embedded executable would be at &(&2*512+&0-2)
222	# I suspect there are only LE executables in these multi-exe files
223	>>>>&(2.s-514) string BW
224	>>>>>0x240 search/0x100 DOS/4G \b, LE for MS-DOS, DOS4GW DOS extender (embedded)
225	>>>>>0x240 search/0x100 !DOS/4G \b, BW collection for MS-DOS
226
227	# This sequence skips to the first COFF segment, usually .text
228	>(4.s*512) leshort 0x014c \b, COFF
229	!:mime application/x-dosexec
230	>>(8.s*16) string go32stub for MS-DOS, DJGPP go32 DOS extender
231	>>(8.s*16) string emx
232	>>>&1 string x for DOS, Win or OS/2, emx %s
233	>>&(&0x42.l-3) byte x
234	>>>&0x26 string UPX \b, UPX compressed
235	# and yet another guess: small .text, and after large .data is unusal, could be 32lite
236	>>&0x2c search/0xa0 .text
237	>>>&0x0b lelong <0x2000
238	>>>>&0 lelong >0x6000 \b, 32lite compressed
239
240	>(8.s*16) string $WdX \b, WDos/X DOS extender
241
242	# By now an executable type should have been printed out. The executable
243	# may be a self-uncompressing archive, so look for evidence of that and
244	# print it out.
245	#
246	# Some signatures below from Greg Roelofs, newt@uchicago.edu.
247	#
248	>0x35 string \x8e\xc0\xb9\x08\x00\xf3\xa5\x4a\x75\xeb\x8e\xc3\x8e\xd8\x33\xff\xbe\x30\x00\x05 \b, aPack compressed
249	>0xe7 string LH/2\ Self-Extract \b, %s
250	>0x1c string UC2X \b, UCEXE compressed
251	>0x1c string WWP\ \b, WWPACK compressed
252	>0x1c string RJSX \b, ARJ self-extracting archive
253	>0x1c string diet \b, diet compressed
254	>0x1c string LZ09 \b, LZEXE v0.90 compressed
255	>0x1c string LZ91 \b, LZEXE v0.91 compressed
256	>0x1c string tz \b, TinyProg compressed
257	>0x1e string Copyright\ 1989-1990\ PKWARE\ Inc. Self-extracting PKZIP archive
258	!:mime application/zip
259	# Yes, this really is "Copr", not "Corp."
260	>0x1e string PKLITE\ Copr. Self-extracting PKZIP archive
261	!:mime application/zip
262	# winarj stores a message in the stub instead of the sig in the MZ header
263	>0x20 search/0xe0 aRJsfX \b, ARJ self-extracting archive
264	>0x20 string AIN
265	>>0x23 string 2 \b, AIN 2.x compressed
266	>>0x23 string <2 \b, AIN 1.x compressed
267	>>0x23 string >2 \b, AIN 1.x compressed
268	>0x24 string LHa's\ SFX \b, LHa self-extracting archive
269	!:mime application/x-lha
270	>0x24 string LHA's\ SFX \b, LHa self-extracting archive
271	!:mime application/x-lha
272	>0x24 string \ $ARX \b, ARX self-extracting archive
273	>0x24 string \ $LHarc \b, LHarc self-extracting archive
274	>0x20 string SFX\ by\ LARC \b, LARC self-extracting archive
275	>0x40 string aPKG \b, aPackage self-extracting archive
276	>0x64 string W\ Collis\0\0 \b, Compack compressed
277	>0x7a string Windows\ self-extracting\ ZIP \b, ZIP self-extracting archive
278	>>&0xf4 search/0x140 \x0\x40\x1\x0
279	>>>(&0.l+(4)) string MSCF \b, WinHKI CAB self-extracting archive
280	>1638 string -lh5- \b, LHa self-extracting archive v2.13S
281	>0x17888 string Rar! \b, RAR self-extracting archive
282
283	# Skip to the end of the EXE. This will usually work fine in the PE case
284	# because the MZ image is hardcoded into the toolchain and almost certainly
285	# won't match any of these signatures.
286	>(4.s*512) long x
287	>>&(2.s-517) byte x
288	>>>&0 string PK\3\4 \b, ZIP self-extracting archive
289	>>>&0 string Rar! \b, RAR self-extracting archive
290	>>>&0 string =!\x11 \b, AIN 2.x self-extracting archive
291	>>>&0 string =!\x12 \b, AIN 2.x self-extracting archive
292	>>>&0 string =!\x17 \b, AIN 1.x self-extracting archive
293	>>>&0 string =!\x18 \b, AIN 1.x self-extracting archive
294	>>>&7 search/400 ACE \b, ACE self-extracting archive
295	>>>&0 search/0x480 UC2SFX\ Header \b, UC2 self-extracting archive
296
297	# a few unknown ZIP sfxes, no idea if they are needed or if they are
298	# already captured by the generic patterns above
299	>(8.s*16) search/0x20 PKSFX \b, ZIP self-extracting archive (PKZIP)
300	# TODO: how to add this? >FileSize-34 string Windows\ Self-Installing\ Executable \b, ZIP self-extracting archive
301	#
302
303	# TELVOX Teleinformatica CODEC self-extractor for OS/2:
304	>49801 string \x79\xff\x80\xff\x76\xff \b, CODEC archive v3.21
305	>>49824 leshort =1 \b, 1 file
306	>>49824 leshort >1 \b, %u files
307
308	# added by Joerg Jenderek of http://www.freedos.org/software/?prog=kc
309	# and http://www.freedos.org/software/?prog=kpdos
310	# for FreeDOS files like KEYBOARD.SYS, KEYBRD2.SYS, KEYBRD3.SYS, *.KBD
311	0 string/b KCF FreeDOS KEYBoard Layout collection
312	# only version=0x100 found
313	>3 uleshort x \b, version 0x%x
314	# length of string containing author,info and special characters
315	>6 ubyte >0
316	#>>6 pstring x \b, name=%s
317	>>7 string >\0 \b, author=%-.14s
318	>>7 search/254 \xff \b, info=
319	#>>>&0 string x \b%-s
320	>>>&0 string x \b%-.15s
321	# for FreeDOS *.KL files
322	0 string/b KLF FreeDOS KEYBoard Layout file
323	# only version=0x100 or 0x101 found
324	>3 uleshort x \b, version 0x%x
325	# stringlength
326	>5 ubyte >0
327	>>8 string x \b, name=%-.2s
328	0 string \xffKEYB\ \ \ \0\0\0\0
329	>12 string \0\0\0\0`\004\360 MS-DOS KEYBoard Layout file
330
331	# DOS device driver updated by Joerg Jenderek at May 2011,Mar 2017
332	# https://amaus.net/static/S100/IBM/software/DOS/DOS%20techref/CHAPTER.009
333	0 ulequad&0x07a0ffffffff 0xffffffff
334	>0 use msdos-driver
335	0 name msdos-driver DOS executable (
336	#!:mime application/octet-stream
337	!:mime application/x-dosdriver
338	# also found FreeDOS print driver SPOOL.DEV and disc compression driver STACLOAD.BIN
339	!:ext sys/dev/bin
340	>40 search/7 UPX! \bUPX compressed
341	# DOS device driver attributes
342	>4 uleshort&0x8000 0x0000 \bblock device driver
343	# character device
344	>4 uleshort&0x8000 0x8000 \b
345	>>4 uleshort&0x0008 0x0008 \bclock
346	# fast video output by int 29h
347	>>4 uleshort&0x0010 0x0010 \bfast
348	# standard input/output device
349	>>4 uleshort&0x0003 >0 \bstandard
350	>>>4 uleshort&0x0001 0x0001 \binput
351	>>>4 uleshort&0x0003 0x0003 \b/
352	>>>4 uleshort&0x0002 0x0002 \boutput
353	>>4 uleshort&0x8000 0x8000 \bcharacter device driver
354	>0 ubyte x
355	# upx compressed device driver has garbage instead of real in name field of header
356	>>40 search/7 UPX!
357	>>40 default x
358	# leading/trailing nulls, zeros or non ASCII characters in 8-byte name field at offset 10 are skipped
359	>>>12 ubyte >0x2E \b
360	>>>>10 ubyte >0x20
361	>>>>>10 ubyte !0x2E
362	>>>>>>10 ubyte !0x2A \b%c
363	>>>>11 ubyte >0x20
364	>>>>>11 ubyte !0x2E \b%c
365	>>>>12 ubyte >0x20
366	>>>>>12 ubyte !0x39
367	>>>>>>12 ubyte !0x2E \b%c
368	>>>13 ubyte >0x20
369	>>>>13 ubyte !0x2E \b%c
370	>>>>14 ubyte >0x20
371	>>>>>14 ubyte !0x2E \b%c
372	>>>>15 ubyte >0x20
373	>>>>>15 ubyte !0x2E \b%c
374	>>>>16 ubyte >0x20
375	>>>>>16 ubyte !0x2E
376	>>>>>>16 ubyte <0xCB \b%c
377	>>>>17 ubyte >0x20
378	>>>>>17 ubyte !0x2E
379	>>>>>>17 ubyte <0x90 \b%c
380	# some character device drivers like ASPICD.SYS, btcdrom.sys and Cr_atapi.sys contain only spaces or points in name field
381	>>>12 ubyte <0x2F
382	# they have their real name at offset 22
383	# also block device drivers like DUMBDRV.SYS
384	>>>>22 string >\056 %-.6s
385	>4 uleshort&0x8000 0x0000
386	# 32 bit sector addressing ( > 32 MB) for block devices
387	>>4 uleshort&0x0002 0x0002 \b,32-bit sector-
388	# support by driver functions 13h, 17h, 18h
389	>4 uleshort&0x0040 0x0040 \b,IOCTL-
390	# open, close, removable media support by driver functions 0Dh, 0Eh, 0Fh
391	>4 uleshort&0x0800 0x0800 \b,close media-
392	# output until busy support by int 10h for character device driver
393	>4 uleshort&0x8000 0x8000
394	>>4 uleshort&0x2000 0x2000 \b,until busy-
395	# direct read/write support by driver functions 03h,0Ch
396	>4 uleshort&0x4000 0x4000 \b,control strings-
397	>4 uleshort&0x8000 0x8000
398	>>4 uleshort&0x6840 >0 \bsupport
399	>4 uleshort&0x8000 0x0000
400	>>4 uleshort&0x4842 >0 \bsupport
401	>0 ubyte x \b)
402	# DOS driver cmd640x.sys has 0x12 instead of 0xffffffff for pointer field to next device header
403	0 ulequad 0x0513c00000000012
404	>0 use msdos-driver
405	# DOS drivers DC2975.SYS, DUMBDRV.SYS, ECHO.SYS has also none 0xffffffff for pointer field
406	0 ulequad 0x32f28000ffff0016
407	>0 use msdos-driver
408	0 ulequad 0x007f00000000ffff
409	>0 use msdos-driver
410	0 ulequad 0x001600000000ffff
411	>0 use msdos-driver
412	# DOS drivers LS120.SYS, MKELS120.SYS use reserved bits of attribute field
413	0 ulequad 0x0bf708c2ffffffff
414	>0 use msdos-driver
415	0 ulequad 0x07bd08c2ffffffff
416	>0 use msdos-driver
417
418	# updated by Joerg Jenderek
419	# GRR: line below too general as it catches also
420	# rt.lib DYADISKS.PIC and many more
421	# start with assembler instruction MOV
422	0 ubyte 0x8c
423	# skip "AppleWorks word processor data" like ARTICLE.1 ./apple
424	>4 string !O====
425	# skip some unknown basic binaries like RocketRnger.SHR
426	>>5 string !MAIN
427	# skip "GPG symmetrically encrypted data" ./gnu
428	# skip "PGP symmetric key encrypted data" ./pgp
429	# openpgpdefs.h: fourth byte < 14 indicate cipher algorithm type
430	>>>4 ubyte >13 DOS executable (COM, 0x8C-variant)
431	# the remaining files should be DOS *.COM executables
432	# dosshell.COM 8cc0 2ea35f07 e85211 e88a11 b80058 cd
433	# hmload.COM 8cc8 8ec0 bbc02b 89dc 83c30f c1eb04 b4
434	# UNDELETE.COM 8cca 2e8916 6503 b430 cd21 8b 2e0200 8b
435	# BOOTFIX.COM 8cca 2e8916 9603 b430 cd21 8b 2e0200 8b
436	# RAWRITE3.COM 8cca 2e8916 d602 b430 cd21 8b 2e0200 8b
437	# SHARE.COM 8cca 2e8916 d602 b430 cd21 8b 2e0200 8b
438	# validchr.COM 8cca 2e8916 9603 b430 cd21 8b 2e028b1e
439	# devload.COM 8cca 8916ad01 b430 cd21 8b2e0200 892e
440	!:mime application/x-dosexec
441	!:ext com
442
443	# updated by Joerg Jenderek at Oct 2008
444	0 ulelong 0xffff10eb DR-DOS executable (COM)
445	# byte 0xeb conflicts with "sequent" magic leshort 0xn2eb
446	0 ubeshort&0xeb8d >0xeb00
447	# DR-DOS STACKER.COM SCREATE.SYS missed
448
449	0 name msdos-com
450	>0 byte x DOS executable (COM)
451	>6 string SFX\ of\ LHarc \b, %s
452	>0x1FE leshort 0xAA55 \b, boot code
453	>85 string UPX \b, UPX compressed
454	>4 string \ $ARX \b, ARX self-extracting archive
455	>4 string \ $LHarc \b, LHarc self-extracting archive
456	>0x20e string SFX\ by\ LARC \b, LARC self-extracting archive
457
458	# JMP 8bit
459	0 byte 0xeb
460	# allow forward jumps only
461	>1 byte >-1
462	# that offset must be accessible
463	>>(1.b+2) byte x
464	>>>0 use msdos-com
465
466	# JMP 16bit
467	0 byte 0xe9
468	# forward jumps
469	>1 short >-1
470	# that offset must be accessible
471	>>(1.s+3) byte x
472	>>>0 use msdos-com
473	# negative offset, must not lead into PSP
474	>1 short <-259
475	# that offset must be accessible
476	>>(1,s+65539) byte x
477	>>>0 use msdos-com
478
479	# updated by Joerg Jenderek at Oct 2008,2015
480	# following line is too general
481	0 ubyte 0xb8
482	# skip 2 linux kernels like memtest.bin with "\xb8\xc0\x07\x8e" in ./linux
483	>0 string !\xb8\xc0\x07\x8e
484	# modified by Joerg Jenderek
485	# syslinux COM32 or COM32R executable
486	>>1 lelong&0xFFFFFFFe 0x21CD4CFe COM executable (32-bit COMBOOT
487	# http://www.syslinux.org/wiki/index.php/Comboot_API
488	# Since version 5.00 c32 modules switched from the COM32 object format to ELF
489	!:mime application/x-c32-comboot-syslinux-exec
490	!:ext c32
491	# http://syslinux.zytor.com/comboot.php
492	# older syslinux version ( <4 )
493	# (32-bit COMBOOT) programs *.C32 contain 32-bit code and run in flat-memory 32-bit protected mode
494	# start with assembler instructions mov eax,21cd4cffh
495	>>>1 lelong 0x21CD4CFf \b)
496	# syslinux:doc/comboot.txt
497	# A COM32R program must start with the byte sequence B8 FE 4C CD 21 (mov
498	# eax,21cd4cfeh) as a magic number.
499	# syslinux version (4.x)
500	# "COM executable (COM32R)" or "Syslinux COM32 module" by TrID
501	>>>1 lelong 0x21CD4CFe \b, relocatable)
502	# remaining are DOS COM executables starting with assembler instruction MOV
503	# like FreeDOS BANNER*.COM FINDDISK.COM GIF2RAW.COM WINCHK.COM
504	# MS-DOS SYS.COM RESTART.COM
505	# SYSLINUX.COM (version 1.40 - 2.13)
506	# GFXBOOT.COM (version 3.75)
507	# COPYBS.COM POWEROFF.COM INT18.COM
508	>>1 default x COM executable for DOS
509	!:mime application/x-dosexec
510	#!:mime application/x-ms-dos-executable
511	#!:mime application/x-msdos-program
512	!:ext com
513
514	0 string/b \x81\xfc
515	>4 string \x77\x02\xcd\x20\xb9
516	>>36 string UPX! FREE-DOS executable (COM), UPX compressed
517	252 string Must\ have\ DOS\ version DR-DOS executable (COM)
518	# added by Joerg Jenderek at Oct 2008
519	# GRR search is not working
520	#34 search/2 UPX! FREE-DOS executable (COM), UPX compressed
521	34 string UPX! FREE-DOS executable (COM), UPX compressed
522	35 string UPX! FREE-DOS executable (COM), UPX compressed
523	# GRR search is not working
524	#2 search/28 \xcd\x21 COM executable for MS-DOS
525	#WHICHFAT.cOM
526	2 string \xcd\x21 COM executable for DOS
527	#DELTREE.cOM DELTREE2.cOM
528	4 string \xcd\x21 COM executable for DOS
529	#IFMEMDSK.cOM ASSIGN.cOM COMP.cOM
530	5 string \xcd\x21 COM executable for DOS
531	#DELTMP.COm HASFAT32.cOM
532	7 string \xcd\x21
533	>0 byte !0xb8 COM executable for DOS
534	#COMP.cOM MORE.COm
535	10 string \xcd\x21
536	>5 string !\xcd\x21 COM executable for DOS
537	#comecho.com
538	13 string \xcd\x21 COM executable for DOS
539	#HELP.COm EDIT.coM
540	18 string \xcd\x21 COM executable for MS-DOS
541	#NWRPLTRM.COm
542	23 string \xcd\x21 COM executable for MS-DOS
543	#LOADFIX.cOm LOADFIX.cOm
544	30 string \xcd\x21 COM executable for MS-DOS
545	#syslinux.com 3.11
546	70 string \xcd\x21 COM executable for DOS
547	# many compressed/converted COMs start with a copy loop instead of a jump
548	0x6 search/0xa \xfc\x57\xf3\xa5\xc3 COM executable for MS-DOS
549	0x6 search/0xa \xfc\x57\xf3\xa4\xc3 COM executable for DOS
550	>0x18 search/0x10 \x50\xa4\xff\xd5\x73 \b, aPack compressed
551	0x3c string W\ Collis\0\0 COM executable for MS-DOS, Compack compressed
552	# FIXME: missing diet .com compression
553
554	# miscellaneous formats
555	0 string/b LZ MS-DOS executable (built-in)
556	#0 byte 0xf0 MS-DOS program library data
557	#
558
559	# AAF files:
560	# <stuartc@rd.bbc.co.uk> Stuart Cunningham
561	0 string/b \320\317\021\340\241\261\032\341AAFB\015\000OM\006\016\053\064\001\001\001\377 AAF legacy file using MS Structured Storage
562	>30 byte 9 (512B sectors)
563	>30 byte 12 (4kB sectors)
564	0 string/b \320\317\021\340\241\261\032\341\001\002\001\015\000\002\000\000\006\016\053\064\003\002\001\001 AAF file using MS Structured Storage
565	>30 byte 9 (512B sectors)
566	>30 byte 12 (4kB sectors)
567
568	# Popular applications
569	2080 string Microsoft\ Word\ 6.0\ Document %s
570	!:mime application/msword
571	2080 string Documento\ Microsoft\ Word\ 6 Spanish Microsoft Word 6 document data
572	!:mime application/msword
573	# Pawel Wiecek <coven@i17linuxb.ists.pwr.wroc.pl> (for polish Word)
574	2112 string MSWordDoc Microsoft Word document data
575	!:mime application/msword
576	#
577	0 belong 0x31be0000 Microsoft Word Document
578	!:mime application/msword
579	#
580	0 string/b PO^Q` Microsoft Word 6.0 Document
581	!:mime application/msword
582	#
583	4 long 0
584	>0 belong 0xfe320000 Microsoft Word for Macintosh 1.0
585	!:mime application/msword
586	!:ext mcw
587	>0 belong 0xfe340000 Microsoft Word for Macintosh 3.0
588	!:mime application/msword
589	!:ext mcw
590	>0 belong 0xfe37001c Microsoft Word for Macintosh 4.0
591	!:mime application/msword
592	!:ext mcw
593	>0 belong 0xfe370023 Microsoft Word for Macintosh 5.0
594	!:mime application/msword
595	!:ext mcw
596
597	0 string/b \333\245-\0\0\0 Microsoft Word 2.0 Document
598	!:mime application/msword
599	!:ext doc
600	512 string/b \354\245\301 Microsoft Word Document
601	!:mime application/msword
602
603	#
604	0 string/b \xDB\xA5\x2D\x00 Microsoft WinWord 2.0 Document
605	!:mime application/msword
606	#
607	2080 string Microsoft\ Excel\ 5.0\ Worksheet %s
608	!:mime application/vnd.ms-excel
609	#
610	0 string/b \xDB\xA5\x2D\x00 Microsoft WinWord 2.0 Document
611	!:mime application/msword
612
613	2080 string Foglio\ di\ lavoro\ Microsoft\ Exce %s
614	!:mime application/vnd.ms-excel
615	#
616	# Pawel Wiecek <coven@i17linuxb.ists.pwr.wroc.pl> (for polish Excel)
617	2114 string Biff5 Microsoft Excel 5.0 Worksheet
618	!:mime application/vnd.ms-excel
619	# Italian MS-Excel
620	2121 string Biff5 Microsoft Excel 5.0 Worksheet
621	!:mime application/vnd.ms-excel
622	0 string/b \x09\x04\x06\x00\x00\x00\x10\x00 Microsoft Excel Worksheet
623	!:mime application/vnd.ms-excel
624	#
625	# Update: Joerg Jenderek
626	# URL: https://en.wikipedia.org/wiki/Lotus_1-2-3
627	# Reference: http://www.aboutvb.de/bas/formate/pdf/wk3.pdf
628	# Note: newer Lotus versions >2 use longer BOF record
629	# record type (BeginningOfFile=0000h) + length (001Ah)
630	0 belong 0x00001a00
631	# reserved should be 0h but 8c0dh for TUTMAC.WK3, 5h for SAMPADNS.WK3, 1h for a_readme.wk3, 1eh for K&G86.WK3
632	#>18 uleshort&0x73E0 0
633	# Lotus Multi Byte Character Set (LMBCS=1-31)
634	>20 ubyte >0
635	>>20 ubyte <32 Lotus 1-2-3
636	#!:mime application/x-123
637	!:mime application/vnd.lotus-1-2-3
638	!:apple ????L123
639	# (version 5.26) labeled the entry as "Lotus 1-2-3 wk3 document data"
640	>>>4 uleshort 0x1000 WorKsheet, version 3
641	!:ext wk3
642	# (version 5.26) labeled the entry as "Lotus 1-2-3 wk4 document data"
643	>>>4 uleshort 0x1002 WorKsheet, version 4
644	# also worksheet template 4 (.wt4)
645	!:ext wk4/wt4
646	# no example or documentation for wk5
647	#>>4 uleshort 0x???? WorKsheet, version 4
648	#!:ext wk5
649	# only MacrotoScript.123 example
650	>>>4 uleshort 0x1003 WorKsheet, version 97
651	# also worksheet template Smartmaster (.12M)?
652	!:ext 123
653	# only Set_Y2K.123 example
654	>>>4 uleshort 0x1005 WorKsheet, version 9.8 Millennium
655	!:ext 123
656	# no example for this version
657	>>>4 uleshort 0x8001 FoRMatting data
658	!:ext frm
659	# (version 5.26) labeled the entry as "Lotus 1-2-3 fm3 or fmb document data"
660	# TrID labeles the entry as "Formatting Data for Lotus 1-2-3 worksheet"
661	>>>4 uleshort 0x8007 ForMatting data, version 3
662	!:ext fm3
663	>>>4 default x unknown
664	# file revision sub code 0004h for worksheets
665	>>>>6 uleshort =0x0004 worksheet
666	!:ext wXX
667	>>>>6 uleshort !0x0004 formatting data
668	!:ext fXX
669	# main revision number
670	>>>>4 uleshort x \b, revision 0x%x
671	>>>6 uleshort =0x0004 \b, cell range
672	# active cellcoord range (start row, page,column ; end row, page, column)
673	# start values normally 0~1st sheet A1
674	>>>>8 ulelong !0
675	>>>>>10 ubyte >0 \b%d*
676	>>>>>8 uleshort x \b%d,
677	>>>>>11 ubyte x \b%d-
678	# end page mostly 0
679	>>>>14 ubyte >0 \b%d*
680	# end raw, column normally not 0
681	>>>>12 uleshort x \b%d,
682	>>>>15 ubyte x \b%d
683	# Lotus Multi Byte Character Set (1~cp850,2~cp851,...,16~japan,...,31~??)
684	>>>>20 ubyte >1 \b, character set 0x%x
685	# flags
686	>>>>21 ubyte x \b, flags 0x%x
687	>>>6 uleshort !0x0004
688	# record type (FONTNAME=00AEh)
689	>>>>30 search/29 \0\xAE
690	# variable length m (2) + entries (1) + ?? (1) + LCMBS string (n)
691	>>>>>&4 string >\0 \b, 1st font "%s"
692	#
693	# Update: Joerg Jenderek
694	# URL: http://fileformats.archiveteam.org/wiki/Lotus_1-2-3
695	# Reference: http://www.schnarff.com/file-formats/lotus-1-2-3/WSFF2.TXT
696	# Note: Used by both old Lotus 1-2-3 and Lotus Symphony (DOS) til version 2.x
697	# record type (BeginningOfFile=0000h) + length (0002h)
698	0 belong 0x00000200
699	# GRR: line above is too general as it catches also MS Windows CURsor
700	# to display MS Windows cursor (strength=70) before Lotus 1-2-3 (strength=70-1)
701	!:strength -1
702	# skip Windows cursors with image height <256 and keep Lotus with low opcode 0001-0083h
703	>7 ubyte 0
704	# skip Windows cursors with image width 256 and keep Lotus with positiv opcode
705	>>6 ubyte >0 Lotus
706	# !:mime application/x-123
707	!:mime application/vnd.lotus-1-2-3
708	!:apple ????L123
709	# revision number (0404h = 123 1A, 0405h = Lotus Symphony , 0406h = 123 2.x wk1 , 8006h = fmt , ...)
710	# undocumented; (version 5.26) labeled the configurations as "Lotus 1-2-3"
711	>>>4 uleshort 0x0007 1-2-3 CoNFiguration, version 2.x (PGRAPH.CNF)
712	!:ext cnf
713	>>>4 uleshort 0x0C05 1-2-3 CoNFiguration, version 2.4J
714	!:ext cnf
715	>>>4 uleshort 0x0801 1-2-3 CoNFiguration, version 1-2.1
716	!:ext cnf
717	>>>4 uleshort 0x0802 Symphony CoNFiguration
718	!:ext cnf
719	>>>4 uleshort 0x0804 1-2-3 CoNFiguration, version 2.2
720	!:ext cnf
721	>>>4 uleshort 0x080A 1-2-3 CoNFiguration, version 2.3-2.4
722	!:ext cnf
723	>>>4 uleshort 0x1402 1-2-3 CoNFiguration, version 3.x
724	!:ext cnf
725	>>>4 uleshort 0x1450 1-2-3 CoNFiguration, version 4.x
726	!:ext cnf
727	# (version 5.26) labeled the entry as "Lotus 123"
728	# TrID labeles the entry as "Lotus 123 Worksheet (generic)"
729	>>>4 uleshort 0x0404 1-2-3 WorKSheet, version 1
730	# extension "wks" also for Microsoft Works document
731	!:ext wks
732	# (version 5.26) labeled the entry as "Lotus 123"
733	# TrID labeles the entry as "Lotus 123 Worksheet (generic)"
734	>>>4 uleshort 0x0405 Symphony WoRksheet, version 1.0
735	!:ext wrk/wr1
736	# (version 5.26) labeled the entry as "Lotus 1-2-3 wk1 document data"
737	# TrID labeles the entry as "Lotus 123 Worksheet (V2)"
738	>>>4 uleshort 0x0406 1-2-3/Symphony worksheet, version 2
739	# Symphony (.wr1)
740	!:ext wk1/wr1
741	# no example for this japan version
742	>>>4 uleshort 0x0600 1-2-3 WorKsheet, version 1.xJ
743	!:ext wj1
744	# no example or documentation for wk2
745	#>>>4 uleshort 0x???? 1-2-3 WorKsheet, version 2
746	#!:ext wk2
747	# undocumented japan version
748	>>>4 uleshort 0x0602 1-2-3 worksheet, version 2.4J
749	!:ext wj3
750	# (version 5.26) labeled the entry as "Lotus 1-2-3 fmt document data"
751	>>>4 uleshort 0x8006 1-2-3 ForMaTting data, version 2.x
752	# japan version 2.4J (fj3)
753	!:ext fmt/fj3
754	# no example for this version
755	>>>4 uleshort 0x8007 1-2-3 FoRMatting data, version 2.0
756	!:ext frm
757	# (version 5.26) labeled the entry as "Lotus 1-2-3"
758	>>>4 default x unknown worksheet or configuration
759	!:ext cnf
760	>>>>4 uleshort x \b, revision 0x%x
761	# 2nd record for most worksheets describes cells range
762	>>>6 use lotus-cells
763	# 3nd record for most japan worksheets describes cells range
764	>>>(8.s+10) use lotus-cells
765	# check and then display Lotus worksheet cells range
766	0 name lotus-cells
767	# look for type (RANGE=0006h) + length (0008h) at record begin
768	>0 ubelong 0x06000800 \b, cell range
769	# cell range (start column, row, end column, row) start values normally 0,0~A1 cell
770	>>4 ulong !0
771	>>>4 uleshort x \b%d,
772	>>>6 uleshort x \b%d-
773	# end of cell range
774	>>8 uleshort x \b%d,
775	>>10 uleshort x \b%d
776	# EndOfLotus123
777	0 string/b WordPro\0 Lotus WordPro
778	!:mime application/vnd.lotus-wordpro
779	0 string/b WordPro\r\373 Lotus WordPro
780	!:mime application/vnd.lotus-wordpro
781
782
783	# Summary: Script used by InstallScield to uninstall applications
784	# Extension: .isu
785	# Submitted by: unknown
786	# Modified by (1): Abel Cheung <abelcheung@gmail.com> (replace useless entry)
787	0 string \x71\xa8\x00\x00\x01\x02
788	>12 string Stirling\ Technologies, InstallShield Uninstall Script
789
790	# Winamp .avs
791	#0 string Nullsoft\ AVS\ Preset\ \060\056\061\032 A plug in for Winamp ms-windows Freeware media player
792	0 string/b Nullsoft\ AVS\ Preset\ Winamp plug in
793
794	# Windows Metafont .WMF
795	0 string/b \327\315\306\232 ms-windows metafont .wmf
796	0 string/b \002\000\011\000 ms-windows metafont .wmf
797	0 string/b \001\000\011\000 ms-windows metafont .wmf
798
799	#tz3 files whatever that is (MS Works files)
800	0 string/b \003\001\001\004\070\001\000\000 tz3 ms-works file
801	0 string/b \003\002\001\004\070\001\000\000 tz3 ms-works file
802	0 string/b \003\003\001\004\070\001\000\000 tz3 ms-works file
803
804	# PGP sig files .sig
805	#0 string \211\000\077\003\005\000\063\237\127 065 to \027\266\151\064\005\045\101\233\021\002 PGP sig
806	0 string \211\000\077\003\005\000\063\237\127\065\027\266\151\064\005\045\101\233\021\002 PGP sig
807	0 string \211\000\077\003\005\000\063\237\127\066\027\266\151\064\005\045\101\233\021\002 PGP sig
808	0 string \211\000\077\003\005\000\063\237\127\067\027\266\151\064\005\045\101\233\021\002 PGP sig
809	0 string \211\000\077\003\005\000\063\237\127\070\027\266\151\064\005\045\101\233\021\002 PGP sig
810	0 string \211\000\077\003\005\000\063\237\127\071\027\266\151\064\005\045\101\233\021\002 PGP sig
811	0 string \211\000\225\003\005\000\062\122\207\304\100\345\042 PGP sig
812
813	# windows zips files .dmf
814	0 string/b MDIF\032\000\010\000\000\000\372\046\100\175\001\000\001\036\001\000 MS Windows special zipped file
815
816
817	#ico files
818	0 string/b \102\101\050\000\000\000\056\000\000\000\000\000\000\000 Icon for MS Windows
819
820	# Windows icons
821	# Update: Joerg Jenderek
822	# URL: https://en.wikipedia.org/wiki/CUR_(file_format)
823	# Note: similiar to Windows CURsor. container for BMP (only DIB part) or PNG
824	0 belong 0x00000100
825	>9 byte 0
826	>>0 byte x
827	>>0 use cur-ico-dir
828	>9 ubyte 0xff
829	>>0 byte x
830	>>0 use cur-ico-dir
831	# displays number of icons and information for icon or cursor
832	0 name cur-ico-dir
833	# skip some Lotus 1-2-3 worksheets, CYCLE.PIC and keep Windows cursors with
834	# 1st data offset = dir header size + n * dir entry size = 6 + n * 10h = ?6h
835	>18 ulelong &0x00000006
836	# skip remaining worksheets, because valid only for DIB image (40) or PNG image (\x89PNG)
837	>>(18.l) ulelong x MS Windows
838	>>>0 ubelong 0x00000100 icon resource
839	#!:mime image/vnd.microsoft.icon
840	!:mime image/x-icon
841	!:ext ico
842	>>>>4 uleshort x - %d icon
843	# plural s
844	>>>>4 uleshort >1 \bs
845	# 1st icon
846	>>>>0x06 use ico-entry
847	# 2nd icon
848	>>>>4 uleshort >1
849	>>>>>0x16 use ico-entry
850	>>>0 ubelong 0x00000200 cursor resource
851	#!:mime image/x-cur
852	!:mime image/x-win-bitmap
853	!:ext cur
854	>>>>4 uleshort x - %d icon
855	>>>>4 uleshort >1 \bs
856	# 1st cursor
857	>>>>0x06 use cur-entry
858	#>>>>0x16 use cur-entry
859	# display information of one cursor entry
860	0 name cur-entry
861	>0 use cur-ico-entry
862	>4 uleshort x \b, hotspot @%dx
863	>6 uleshort x \b%d
864	# display information of one icon entry
865	0 name ico-entry
866	>0 use cur-ico-entry
867	# normally 0 1 but also found 14
868	>4 uleshort >1 \b, %d planes
869	# normally 0 1 but also found some 3, 4, some 6, 8, 24, many 32, two 256
870	>6 uleshort >1 \b, %d bits/pixel
871	# display shared information of cursor or icon entry
872	0 name cur-ico-entry
873	>0 byte =0 \b, 256x
874	>0 byte !0 \b, %dx
875	>1 byte =0 \b256
876	>1 byte !0 \b%d
877	# number of colors in palette
878	>2 ubyte !0 \b, %d colors
879	# reserved 0 FFh
880	#>3 ubyte x \b, reserved %x
881	#>8 ulelong x \b, image size %d
882	# offset of PNG or DIB image
883	#>12 ulelong x \b, offset 0x%x
884	# PNG header (\x89PNG)
885	>(12.l) ubelong =0x89504e47
886	>>&-4 indirect x \b with
887	# DIB image
888	>(12.l) ubelong !0x89504e47
889	#>>&-4 use dib-image
890
891	# Windows non-animated cursors
892	# Update: Joerg Jenderek
893	# URL: https://en.wikipedia.org/wiki/CUR_(file_format)
894	# Note: similiar to Windows ICOn. container for BMP ( only DIB part)
895	# GRR: line below is too general as it catches also Lotus 1-2-3 files
896	0 belong 0x00000200
897	>9 byte 0
898	>>0 use cur-ico-dir
899	>9 ubyte 0xff
900	>>0 use cur-ico-dir
901
902	# .chr files
903	0 string/b PK\010\010BGI Borland font
904	>4 string >\0 %s
905	# then there is a copyright notice
906
907
908	# .bgi files
909	0 string/b pk\010\010BGI Borland device
910	>4 string >\0 %s
911	# then there is a copyright notice
912
913
914	# Windows Recycle Bin record file (named INFO2)
915	# By Abel Cheung (abelcheung AT gmail dot com)
916	# Version 4 always has 280 bytes (0x118) per record, version 5 has 800 bytes
917	# Since Vista uses another structure, INFO2 structure probably won't change
918	# anymore. Detailed analysis in:
919	# http://www.cybersecurityinstitute.biz/downloads/INFO2.pdf
920	0 lelong 0x00000004
921	>12 lelong 0x00000118 Windows Recycle Bin INFO2 file (Win98 or below)
922
923	0 lelong 0x00000005
924	>12 lelong 0x00000320 Windows Recycle Bin INFO2 file (Win2k - WinXP)
925
926	# From Doug Lee via a FreeBSD pr
927	9 string GERBILDOC First Choice document
928	9 string GERBILDB First Choice database
929	9 string GERBILCLIP First Choice database
930	0 string GERBIL First Choice device file
931	9 string RABBITGRAPH RabbitGraph file
932	0 string DCU1 Borland Delphi .DCU file
933	0 string =!<spell> MKS Spell hash list (old format)
934	0 string =!<spell2> MKS Spell hash list
935	# Too simple - MPi
936	#0 string AH Halo(TM) bitmapped font file
937	0 lelong 0x08086b70 TurboC BGI file
938	0 lelong 0x08084b50 TurboC Font file
939
940	# Debian#712046: The magic below identifies "Delphi compiled form data".
941	# An additional source of information is available at:
942	# http://www.woodmann.com/fravia/dafix_t1.htm
943	0 string TPF0
944	>4 pstring >\0 Delphi compiled form '%s'
945
946	# tests for DBase files moved, updated and merged to database
947
948	0 string PMCC Windows 3.x .GRP file
949	1 string RDC-meg MegaDots
950	>8 byte >0x2F version %c
951	>9 byte >0x2F \b.%c file
952	0 lelong 0x4C
953	>4 lelong 0x00021401 Windows shortcut file
954
955	# .PIF files added by Joerg Jenderek from http://smsoft.ru/en/pifdoc.htm
956	# only for windows versions equal or greater 3.0
957	0x171 string MICROSOFT\ PIFEX\0 Windows Program Information File
958	!:mime application/x-dosexec
959	#>2 string >\0 \b, Title:%.30s
960	>0x24 string >\0 \b for %.63s
961	>0x65 string >\0 \b, directory=%.64s
962	>0xA5 string >\0 \b, parameters=%.64s
963	#>0x181 leshort x \b, offset %x
964	#>0x183 leshort x \b, offsetdata %x
965	#>0x185 leshort x \b, section length %x
966	>0x187 search/0xB55 WINDOWS\ VMM\ 4.0\0
967	>>&0x5e ubyte >0
968	>>>&-1 string <PIFMGR.DLL \b, icon=%s
969	#>>>&-1 string PIFMGR.DLL \b, icon=%s
970	>>>&-1 string >PIFMGR.DLL \b, icon=%s
971	>>&0xF0 ubyte >0
972	>>>&-1 string <Terminal \b, font=%.32s
973	#>>>&-1 string =Terminal \b, font=%.32s
974	>>>&-1 string >Terminal \b, font=%.32s
975	>>&0x110 ubyte >0
976	>>>&-1 string <Lucida\ Console \b, TrueTypeFont=%.32s
977	#>>>&-1 string =Lucida\ Console \b, TrueTypeFont=%.32s
978	>>>&-1 string >Lucida\ Console \b, TrueTypeFont=%.32s
979	#>0x187 search/0xB55 WINDOWS\ 286\ 3.0\0 \b, Windows 3.X standard mode-style
980	#>0x187 search/0xB55 WINDOWS\ 386\ 3.0\0 \b, Windows 3.X enhanced mode-style
981	>0x187 search/0xB55 WINDOWS\ NT\ \ 3.1\0 \b, Windows NT-style
982	#>0x187 search/0xB55 WINDOWS\ NT\ \ 4.0\0 \b, Windows NT-style
983	>0x187 search/0xB55 CONFIG\ \ SYS\ 4.0\0 \b +CONFIG.SYS
984	#>>&06 string x \b:%s
985	>0x187 search/0xB55 AUTOEXECBAT\ 4.0\0 \b +AUTOEXEC.BAT
986	#>>&06 string x \b:%s
987
988	# DOS EPS Binary File Header
989	# From: Ed Sznyter <ews@Black.Market.NET>
990	0 belong 0xC5D0D3C6 DOS EPS Binary File
991	!:mime image/x-eps
992	>4 long >0 Postscript starts at byte %d
993	>>8 long >0 length %d
994	>>>12 long >0 Metafile starts at byte %d
995	>>>>16 long >0 length %d
996	>>>20 long >0 TIFF starts at byte %d
997	>>>>24 long >0 length %d
998
999	# TNEF magic From "Joomy" <joomy@se-ed.net>
1000	# Microsoft Outlook's Transport Neutral Encapsulation Format (TNEF)
1001	0 leshort 0x223e9f78 TNEF
1002	!:mime application/vnd.ms-tnef
1003
1004	# Norton Guide (.NG , .HLP) files added by Joerg Jenderek from source NG2HTML.C
1005	# of http://www.davep.org/norton-guides/ng2h-105.tgz
1006	# http://en.wikipedia.org/wiki/Norton_Guides
1007	0 string NG\0\001
1008	# only value 0x100 found at offset 2
1009	>2 ulelong 0x00000100 Norton Guide
1010	# Title[40]
1011	>>8 string >\0 "%-.40s"
1012	#>>6 uleshort x \b, MenuCount=%u
1013	# szCredits[5][66]
1014	>>48 string >\0 \b, %-.66s
1015	>>114 string >\0 %-.66s
1016
1017	# 4DOS help (.HLP) files added by Joerg Jenderek from source TPHELP.PAS
1018	# of http://www.4dos.info/
1019	# pointer,HelpID[8]=4DHnnnmm
1020	0 ulelong 0x48443408 4DOS help file
1021	>4 string x \b, version %-4.4s
1022
1023	# old binary Microsoft (.HLP) files added by Joerg Jenderek from http://file-extension.net/seeker/file_extension_hlp
1024	0 ulequad 0x3a000000024e4c MS Advisor help file
1025
1026	# HtmlHelp files (.chm)
1027	0 string/b ITSF\003\000\000\000\x60\000\000\000 MS Windows HtmlHelp Data
1028
1029	# GFA-BASIC (Wolfram Kleff)
1030	2 string/b GFA-BASIC3 GFA-BASIC 3 data
1031
1032	#------------------------------------------------------------------------------
1033	# From Stuart Caie <kyzer@4u.net> (developer of cabextract)
1034	# Microsoft Cabinet files
1035	0 string/b MSCF\0\0\0\0 Microsoft Cabinet archive data
1036	!:mime application/vnd.ms-cab-compressed
1037	>8 lelong x \b, %u bytes
1038	>28 leshort 1 \b, 1 file
1039	>28 leshort >1 \b, %u files
1040
1041	# InstallShield Cabinet files
1042	0 string/b ISc( InstallShield Cabinet archive data
1043	>5 byte&0xf0 =0x60 version 6,
1044	>5 byte&0xf0 !0x60 version 4/5,
1045	>(12.l+40) lelong x %u files
1046
1047	# Windows CE package files
1048	0 string/b MSCE\0\0\0\0 Microsoft WinCE install header
1049	>20 lelong 0 \b, architecture-independent
1050	>20 lelong 103 \b, Hitachi SH3
1051	>20 lelong 104 \b, Hitachi SH4
1052	>20 lelong 0xA11 \b, StrongARM
1053	>20 lelong 4000 \b, MIPS R4000
1054	>20 lelong 10003 \b, Hitachi SH3
1055	>20 lelong 10004 \b, Hitachi SH3E
1056	>20 lelong 10005 \b, Hitachi SH4
1057	>20 lelong 70001 \b, ARM 7TDMI
1058	>52 leshort 1 \b, 1 file
1059	>52 leshort >1 \b, %u files
1060	>56 leshort 1 \b, 1 registry entry
1061	>56 leshort >1 \b, %u registry entries
1062
1063
1064	# Windows Enhanced Metafile (EMF)
1065	# See msdn.microsoft.com/archive/en-us/dnargdi/html/msdn_enhmeta.asp
1066	# for further information.
1067	0 ulelong 1
1068	>40 string \ EMF Windows Enhanced Metafile (EMF) image data
1069	>>44 ulelong x version 0x%x
1070
1071	# from http://filext.com by Derek M Jones <derek@knosof.co.uk>
1072	# False positive with PPT (also currently this string is too long)
1073	#0 string/b \xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x3E\x00\x03\x00\xFE\xFF\x09\x00\x06 Microsoft Installer
1074	0 string/b \320\317\021\340\241\261\032\341 Microsoft Office Document
1075	#>48 byte 0x1B Excel Document
1076	#!:mime application/vnd.ms-excel
1077	>546 string bjbj Microsoft Word Document
1078	!:mime application/msword
1079	>546 string jbjb Microsoft Word Document
1080	!:mime application/msword
1081
1082	0 string/b \224\246\056 Microsoft Word Document
1083	!:mime application/msword
1084
1085	512 string R\0o\0o\0t\0\ \0E\0n\0t\0r\0y Microsoft Word Document
1086	!:mime application/msword
1087
1088	# From: "Nelson A. de Oliveira" <naoliv@gmail.com>
1089	# Magic type for Dell's BIOS .hdr files
1090	# Dell's .hdr
1091	0 string/b $RBU
1092	>23 string Dell %s system BIOS
1093	>5 byte 2
1094	>>48 byte x version %d.
1095	>>49 byte x \b%d.
1096	>>50 byte x \b%d
1097	>5 byte <2
1098	>>48 string x version %.3s
1099
1100	# Type: Microsoft DirectDraw Surface
1101	# URL: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/directx9_c/directx/graphics/reference/DDSFileReference/ddsfileformat.asp
1102	# From: Morten Hustveit <morten@debian.org>
1103	0 string/b DDS\040\174\000\000\000 Microsoft DirectDraw Surface (DDS),
1104	>16 lelong >0 %d x
1105	>12 lelong >0 %d,
1106	>84 string x %.4s
1107
1108	# Type: Microsoft Document Imaging Format (.mdi)
1109	# URL: http://en.wikipedia.org/wiki/Microsoft_Document_Imaging_Format
1110	# From: Daniele Sempione <scrows@oziosi.org>
1111	# Too weak (EP)
1112	#0 short 0x5045 Microsoft Document Imaging Format
1113
1114	# MS eBook format (.lit)
1115	0 string/b ITOLITLS Microsoft Reader eBook Data
1116	>8 lelong x \b, version %u
1117	!:mime application/x-ms-reader
1118
1119	# Windows CE Binary Image Data Format
1120	# From: Dr. Jesus <j@hug.gs>
1121	0 string/b B000FF\n Windows Embedded CE binary image
1122
1123	# Windows Imaging (WIM) Image
1124	0 string/b MSWIM\000\000\000 Windows imaging (WIM) image
1125	0 string/b WLPWM\000\000\000 Windows imaging (WIM) image, wimlib pipable format
1126
1127	# The second byte of these signatures is a file version; I don't know what,
1128	# if anything, produced files with version numbers 0-2.
1129	# From: John Elliott <johne@seasip.demon.co.uk>
1130	0 string \xfc\x03\x00 Mallard BASIC program data (v1.11)
1131	0 string \xfc\x04\x00 Mallard BASIC program data (v1.29+)
1132	0 string \xfc\x03\x01 Mallard BASIC protected program data (v1.11)
1133	0 string \xfc\x04\x01 Mallard BASIC protected program data (v1.29+)
1134
1135	0 string MIOPEN Mallard BASIC Jetsam data
1136	0 string Jetsam0 Mallard BASIC Jetsam index data
1137
1138	# DOS backup 2.0 to 3.2
1139
1140	# backupid.@@@
1141
1142	# plausibility check for date
1143	0x3 ushort >1979
1144	>0x5 ubyte-1 <31
1145	>>0x6 ubyte-1 <12
1146	# actually 121 nul bytes
1147	>>>0x7 string \0\0\0\0\0\0\0\0
1148	>>>>0x1 ubyte x DOS 2.0 backup id file, sequence %d
1149	!:ext @@@
1150	>>>>0x0 ubyte 0xff \b, last disk
1151
1152	# backed up file
1153
1154	# skip some AppleWorks word like Tomahawk.Awp, WIN98SE-DE.vhd
1155	# by looking for trailing nul of maximal file name string
1156	0x52 ubyte 0
1157	# test for flag byte: FFh~complete file, 00h~split file
1158	# FFh -127 = -1 -127 = -128
1159	# 00h -127 = 0 -127 = -127
1160	>0 byte-127 <-126
1161	# plausibility check for file name length
1162	>>0x53 ubyte-1 <78
1163	# looking for terminating nul of file name string
1164	>>>(0x53.b+4) ubyte 0
1165	# looking if last char of string is valid DOS file name
1166	>>>>(0x53.b+3) ubyte >0x1F
1167	# actually 44 nul bytes
1168	# but sometimes garbage according to Ralf Quint. So can not be used as test
1169	#>0x54 string \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
1170	# first char of full file name is DOS (5Ch) or UNIX (2Fh) path separator
1171	# only DOS variant found. UNIX variant according to V32SLASH.TXT in archive PD0315.EXE
1172	>>>>>5 ubyte&0x8C 0x0C
1173	# ./msdos (version 5.30) labeled the entry as
1174	# "DOS 2.0 backed up file %s, split file, sequence %d" or
1175	# "DOS 2.0 backed up file %s, complete file"
1176	>>>>>>0 ubyte x DOS 2.0-3.2 backed up
1177	#>>>>>>0 ubyte 0xff complete
1178	>>>>>>0 ubyte 0
1179	>>>>>>>1 uleshort x sequence %d of
1180	# full file name with path but without drive letter and colon stored from 0x05 til 0x52
1181	>>>>>>0x5 string x file %s
1182	# backup name is original filename
1183	#!:ext *
1184	# magic/Magdir/msdos, 1169: Warning: EXTENSION type ` ' has bad char ''
1185	# file: line 1169: Bad magic entry ' *'
1186	# after header original file content
1187	>>>>>>128 indirect x \b;
1188
1189
1190	# DOS backup 3.3 to 5.x
1191
1192	# CONTROL.nnn files
1193	0 string \x8bBACKUP\x20
1194	# actually 128 nul bytes
1195	>0xa string \0\0\0\0\0\0\0\0
1196	>>0x9 ubyte x DOS 3.3 backup control file, sequence %d
1197	>>0x8a ubyte 0xff \b, last disk
1198
1199	# NB: The BACKUP.nnn files consist of the files backed up,
1200	# concatenated.

Note: See TracBrowser for help on using the repository browser.

Download in other formats:

Original Format