msdos revision 110949
#------------------------------------------------------------------------------
# msdos:  file(1) magic for MS-DOS files
#

# .BAT files (Daniel Quinlan, quinlan@yggdrasil.com)
0	string	@echo\ off	MS-DOS batch file text

# XXX - according to Microsoft's spec, at an offset of 0x3c in a
# PE-format executable is the offset in the file of the PE header;
# unfortunately, that's a little-endian offset, and there's no way
# to specify an indirect offset with a specified byte order.
# So, for now, we assume the standard MS-DOS stub, which puts the
# PE header at 0x80 = 128.
#
# Required OS version and subsystem version were 4.0 on some NT 3.51
# executables built with Visual C++ 4.0, so it's not clear that
# they're interesting.  The user version was 0.0, but there's
# probably some linker directive to set it.  The linker version was
# 3.0, except for one ".exe" which had it as 4.20 (same damn linker!).
#
128	string	PE\0\0	MS Windows PE
>150	leshort&0x0100	>0	32-bit
>132	leshort	0x0	unknown processor
>132	leshort	0x14c	Intel 80386
>132	leshort	0x166	MIPS R4000
>132	leshort	0x184	Alpha
>132	leshort	0x268	Motorola 68000
>132	leshort	0x1f0	PowerPC
>132	leshort	0x290	PA-RISC
>148	leshort	>27
>>220	leshort	0	unknown subsystem
>>220	leshort	1	native
>>220	leshort	2	GUI
>>220	leshort	3	console
>>220	leshort	7	POSIX
>150	leshort&0x2000	=0	executable
#>>136	ledate	x	stamp %s,
>>150	leshort&0x0001	>0	not relocatable
#>>150	leshort&0x0004	=0	with line numbers,
#>>150	leshort&0x0008	=0	with local symbols,
#>>150	leshort&0x0200	=0	with debug symbols,
>>150	leshort&0x1000	>0	system file
#>>148	leshort	>0
#>>>154	byte	x	linker %d
#>>>155	byte	x	\b.%d,
#>>148	leshort	>27
#>>>192	leshort	x	requires OS %d
#>>>194	leshort	x	\b.%d,
#>>>196	leshort	x	user version %d
#>>>198	leshort	x	\b.%d,
#>>>200	leshort	x	subsystem version %d
#>>>202	leshort	x	\b.%d,
>150	leshort&0x2000	>0	DLL
#>>136	ledate	x	stamp %s,
>>150	leshort&0x0001	>0	not relocatable
#>>150	leshort&0x0004	=0	with line numbers,
#>>150	leshort&0x0008	=0	with local symbols,
#>>150	leshort&0x0200	=0	with debug symbols,
>>150	leshort&0x1000	>0	system file
#>>148	leshort	>0
#>>>154	byte	x	linker %d
#>>>155	byte	x	\b.%d,
#>>148	leshort	>27
#>>>192	leshort	x	requires OS %d
#>>>194	leshort	x	\b.%d,
#>>>196	leshort	x	user version %d
#>>>198	leshort	x	\b.%d,
#>>>200	leshort	x	subsystem version %d
#>>>202	leshort	x	\b.%d,
0	leshort	0x14c	MS Windows COFF Intel 80386 object file
#>4	ledate	x	stamp %s
0	leshort	0x166	MS Windows COFF MIPS R4000 object file
#>4	ledate	x	stamp %s
0	leshort	0x184	MS Windows COFF Alpha object file
#>4	ledate	x	stamp %s
0	leshort	0x268	MS Windows COFF Motorola 68000 object file
#>4	ledate	x	stamp %s
0	leshort	0x1f0	MS Windows COFF PowerPC object file
#>4	ledate	x	stamp %s
0	leshort	0x290	MS Windows COFF PA-RISC object file
#>4	ledate	x	stamp %s

# .EXE formats (Greg Roelofs, newt@uchicago.edu)
#
0	string	MZ	MS-DOS executable (EXE)
>24	string	@	\b, OS/2 or MS Windows
>>0xe7	string	LH/2\ Self-Extract	\b, %s
>>0xe9	string	PKSFX2	\b, %s
>>122	string	Windows\ self-extracting\ ZIP	\b, %s
>0x1c	string	RJSX\xff\xff	\b, ARJ SFX
>0x1c	string	diet\xf9\x9c	\b, diet compressed
>0x1c	string	LZ09	\b, LZEXE v0.90 compressed
>0x1c	string	LZ91	\b, LZEXE v0.91 compressed
>0x1e	string	Copyright\ 1989-1990\ PKWARE\ Inc.	\b, PKSFX
# JM: 0x1e "PKLITE Copr. 1990-92 PKWARE Inc. All Rights Reserved\7\0\0\0"
>0x1e	string	PKLITE\ Copr.	\b, %.6s compressed
>0x24	string	LHa's\ SFX	\b, %.15s
>0x24	string	LHA's\ SFX	\b, %.15s
>1638	string	-lh5-	\b, LHa SFX archive v2.13S
>7195	string	Rar!	\b, RAR self-extracting archive
#
# [GRR 950118:  file 3.15 has a buffer-size limitation; offsets bigger than
#   8161 bytes are ignored.  To make the following entries work, increase
#   HOWMANY in file.h to 32K at least, and maybe to 70K or more for OS/2,
#   NT/Win32 and VMS.]
# [GRR:  some company sells a self-extractor/displayer for image data(!)]
#
>11696	string	PK\003\004	\b, PKZIP SFX archive v1.1
>13297	string	PK\003\004	\b, PKZIP SFX archive v1.93a
>15588	string	PK\003\004	\b, PKZIP2 SFX archive v1.09
>15770	string	PK\003\004	\b, PKZIP SFX archive v2.04g
>28374	string	PK\003\004	\b, PKZIP2 SFX archive v1.02
#
# Info-ZIP self-extractors
#    these are the DOS versions:
>25115	string	PK\003\004	\b, Info-ZIP SFX archive v5.12
>26331	string	PK\003\004	\b, Info-ZIP SFX archive v5.12 w/decryption
#    these are the OS/2 versions (OS/2 is flagged above):
>47031	string	PK\003\004	\b, Info-ZIP SFX archive v5.12
>49845	string	PK\003\004	\b, Info-ZIP SFX archive v5.12 w/decryption
#    this is the NT/Win32 version:
>69120	string	PK\003\004	\b, Info-ZIP NT SFX archive v5.12 w/decryption
#
# TELVOX Teleinformatica CODEC self-extractor for OS/2:
>49801	string	\x79\xff\x80\xff\x76\xff	\b, CODEC archive v3.21
>>49824	leshort	=1	\b, 1 file
>>49824	leshort	>1	\b, %u files

# .COM formats (Daniel Quinlan, quinlan@yggdrasil.com)
# Uncommenting only the first two lines will cover about 2/3 of COM files,
# but it isn't feasible to match all COM files since there must be at least
# two dozen different one-byte "magics".
#0	byte	0xe9	MS-DOS executable (COM)
#>6	string	SFX\ of\ LHarc	(%s)
#0	byte	0x8c	MS-DOS executable (COM)
# 0xeb conflicts with "sequent" magic
#0	byte	0xeb	MS-DOS executable (COM)
#0	byte	0xb8	MS-DOS executable (COM)

# miscellaneous formats
0	string	LZ	MS-DOS executable (built-in)
#0	byte	0xf0	MS-DOS program library data
#

#
# Windows NT Registry files.
#
0	string	regf	Windows NT Registry file

# Popular applications
2080	string	Microsoft\ Word\ 6.0\ Document	%s
2080	string	Documento\ Microsoft\ Word\ 6	Spanish Microsoft Word 6 document data
# Pawel Wiecek <coven@i17linuxb.ists.pwr.wroc.pl> (for polish Word)
2112	string	MSWordDoc	Microsoft Word document data
#
0	belong	0x31be0000	Microsoft Word Document
#
0	string	PO^Q`	Microsoft Word 6.0 Document
#
0	string	\376\067\0\043	Microsoft Office Document
0	string	\320\317\021\340\241\261	Microsoft Office Document
0	string	\333\245-\0\0\0	Microsoft Office Document
#
2080	string	Microsoft\ Excel\ 5.0\ Worksheet	%s
#
# Pawel Wiecek <coven@i17linuxb.ists.pwr.wroc.pl> (for polish Excel)
2114	string	Biff5	Microsoft Excel 5.0 Worksheet
#
0	belong	0x00001a00	Lotus 1-2-3
>4	belong	0x00100400	wk3 document data
>4	belong	0x02100400	wk4 document data
>4	belong	0x07800100	fm3 or fmb document data
>4	belong	0x07800000	fm3 or fmb document data
#
0	belong	0x00000200	Lotus 1-2-3
>4	belong	0x06040600	wk1 document data
>4	belong	0x06800200	fmt document data

# Help files
0	string	?_\3\0	MS Windows Help Data

# Microsoft CAB distribution format  Dale Worley <root@dworley.ny.mediaone.net>
0	string	MSCF\000\000\000\000	Microsoft CAB file

# DeIsL1.isu what this is I don't know
0	string	\161\250\000\000\001\002	DeIsL1.isu whatever that is

# Winamp .avs
#0	string	Nullsoft\ AVS\ Preset\ \060\056\061\032	A plug in for Winamp ms-windows Freeware media player
0	string	Nullsoft\ AVS\ Preset\ 	Winamp plug in

# Hyper terminal:
0	string	HyperTerminal\ 	hyperterm
>15	string	1.0\ --\ HyperTerminal\ data\ file	MS-windows Hyperterminal

# Windows Metafont .WMF
0	string	\327\315\306\232\000\000\000\000\000\000	ms-windows metafont .wmf

#tz3 files whatever that is (MS Works files)
0	string	\003\001\001\004\070\001\000\000	tz3 ms-works file
0	string	\003\002\001\004\070\001\000\000	tz3 ms-works file
0	string	\003\003\001\004\070\001\000\000	tz3 ms-works file

# PGP sig files .sig
#0	string	\211\000\077\003\005\000\063\237\127 065 to \027\266\151\064\005\045\101\233\021\002	PGP sig
0	string	\211\000\077\003\005\000\063\237\127\065\027\266\151\064\005\045\101\233\021\002	PGP sig
0	string	\211\000\077\003\005\000\063\237\127\066\027\266\151\064\005\045\101\233\021\002	PGP sig
0	string	\211\000\077\003\005\000\063\237\127\067\027\266\151\064\005\045\101\233\021\002	PGP sig
0	string	\211\000\077\003\005\000\063\237\127\070\027\266\151\064\005\045\101\233\021\002	PGP sig
0	string	\211\000\077\003\005\000\063\237\127\071\027\266\151\064\005\045\101\233\021\002	PGP sig
0	string	\211\000\225\003\005\000\062\122\207\304\100\345\042	PGP sig

# windows zips files .dmf
0	string	MDIF\032\000\010\000\000\000\372\046\100\175\001\000\001\036\001\000	Ms-windows special zipped file


# Windows help file FTG FTS
0	string	\164\146\115\122\012\000\000\000\001\000\000\000	ms-windows help cache

# grp old windows 3.1 group files
0	string	\120\115\103\103	Ms-windows 3.1 group files


# lnk files windows symlinks
0	string	\114\000\000\000\001\024\002\000\000\000\000\000\300\000\000\000\000\000\000\106	ms-Windows shortcut

#ico files
0	string	\102\101\050\000\000\000\056\000\000\000\000\000\000\000	Icon for ms-windows

# Windows icons (Ian Springer <ips@fpk.hp.com>)
0	string	\000\000\001\000	ms-windows icon resource
>4	byte	1	- 1 icon
>4	byte	>1	- %d icons
>>6	byte	>0	\b, %dx
>>>7	byte	>0	\b%d
>>8	byte	0	\b, 256-colors
>>8	byte	>0	\b, %d-colors


# True Type fonts currently misidentified as raw G3 data

0	string	\000\001\000\000\000	MS-Windows true type font .ttf


# .chr files
0	string	PK\010\010BGI	Borland font
>4	string	>\0	%s
# then there is a copyright notice


# .bgi files
0	string	pk\010\010BGI	Borland device
>4	string	>\0	%s
# then there is a copyright notice


# recycled/info the windows trash bin index
9	string	\000\000\000\030\001\000\000\000	ms-windows recycled bin info


##### put in Either Magic/font or Magic/news
# Acroread or something files wrongly identified as G3 .pfm
# these have the form \000 \001 any? \002 \000 \000
# or \000 \001 any? \022 \000 \000
0	string	\000\001	pfm?
>3	string	\022\000\000Copyright\ 	yes
>3	string	\002\000\000Copyright\ 	yes
#>3	string	>\0	oops, not a font file. Cancel that.
#it clashes with ttf files so put it lower down.

# From Doug Lee via a FreeBSD pr
9	string	GERBILDOC	First Choice document
9	string	GERBILDB	First Choice database
9	string	GERBILCLIP	First Choice database
0	string	GERBIL	First Choice device file
9	string	RABBITGRAPH	RabbitGraph file
0	string	DCU1	Borland Delphi .DCU file
0	string	!<spell>	MKS Spell hash list (old format)
0	string	!<spell2>	MKS Spell hash list
0	string	AH	Halo(TM) bitmapped font file
0	lelong	0x08086b70	TurboC BGI file
0	lelong	0x08084b50	TurboC Font file

# WARNING: below line conflicts with Infocom game data Z-machine 3
0	byte	0x03	DBase 3 data file
>0x04	lelong	0	(no records)
>0x04	lelong	>0	(%ld records)
0	byte	0x83	DBase 3 data file with memo(s)
>0x04	lelong	0	(no records)
>0x04	lelong	>0	(%ld records)
0	leshort	0x0006	DBase 3 index file
0	string	PMCC	Windows 3.x .GRP file
1	string	RDC-meg	MegaDots
>8	byte	>0x2F	version %c
>9	byte	>0x2F	\b.%c file
0	lelong	0x4C
>4	lelong	0x00021401	Windows shortcut file

# DOS EPS Binary File Header
# From: Ed Sznyter <ews@Black.Market.NET>
0	belong	0xC5D0D3C6	DOS EPS Binary File
>4	long	>0	Postscript starts at byte %d
>>8	long	>0	length %d
>>>12	long	>0	Metafile starts at byte %d
>>>>16	long	>0	length %d
>>>20	long	>0	TIFF starts at byte %d
>>>>24	long	>0	length %d

# TNEF magic From "Joomy" <joomy@se-ed.net>
# The signature is 32 bits wide, so it is compared as lelong; a leshort
# test against this value could never match.
0	lelong	0x223e9f78	TNEF
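
The comment above the PE entry says the real header offset is stored little-endian at 0x3c and that the entry assumes 128 instead. The following Python is an added example, not part of this magic file or of file(1): it follows that pointer with a bounds check and shows a header that the fixed-offset test misses. The function names are hypothetical and both samples are constructed, header-only byte strings.

```python
import struct

# Machine and subsystem values copied from the PE entries in the magic file.
MACHINES = {0x14c: "Intel 80386", 0x166: "MIPS R4000", 0x184: "Alpha",
            0x268: "Motorola 68000", 0x1f0: "PowerPC", 0x290: "PA-RISC"}
SUBSYSTEMS = {1: "native", 2: "GUI", 3: "console", 7: "POSIX"}

def fixed_offset_match(data: bytes) -> bool:
    """What the magic entry does: look for the signature at byte 128 only."""
    return data[128:132] == b"PE\0\0"

def describe_pe(data: bytes):
    """Follow the little-endian pointer at 0x3c; return None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (pe,) = struct.unpack_from("<I", data, 0x3c)
    # The pointer comes from the file itself, so bounds-check before use.
    if pe + 24 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        return None
    (machine,) = struct.unpack_from("<H", data, pe + 4)
    opt_size, flags = struct.unpack_from("<HH", data, pe + 20)
    info = {"pe_offset": pe,
            "machine": MACHINES.get(machine, "unknown processor"),
            "kind": "DLL" if flags & 0x2000 else "executable",
            "subsystem": None}
    # Same guard as ">148 leshort >27": the optional header must be present.
    if opt_size > 27 and pe + 94 <= len(data):
        (sub,) = struct.unpack_from("<H", data, pe + 92)
        info["subsystem"] = SUBSYSTEMS.get(sub, "unknown subsystem")
    return info

def make_sample(pe_offset: int, flags: int, subsystem: int) -> bytes:
    """Constructed header-only sample (not a loadable program)."""
    buf = bytearray(pe_offset + 96)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3c, pe_offset)
    buf[pe_offset:pe_offset + 4] = b"PE\0\0"
    struct.pack_into("<H", buf, pe_offset + 4, 0x14c)
    struct.pack_into("<HH", buf, pe_offset + 20, 224, flags)
    struct.pack_into("<H", buf, pe_offset + 92, subsystem)
    return bytes(buf)

STANDARD_STUB = make_sample(0x80, 0x0102, 3)  # header where the magic expects it
LONGER_STUB = make_sample(0xC8, 0x2102, 2)    # DLL behind a larger DOS stub

if __name__ == "__main__":
    for name, blob in (("standard", STANDARD_STUB), ("longer", LONGER_STUB)):
        print(name, fixed_offset_match(blob), describe_pe(blob))
```

With the fixed offset, the second sample falls through to the generic "MZ" entry and loses its PE, machine and DLL labels, which matters wherever file(1) output feeds triage or upload filtering.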