msdos revision 169942
1 2#------------------------------------------------------------------------------ 3# msdos: file(1) magic for MS-DOS files 4# 5 6# .BAT files (Daniel Quinlan, quinlan@yggdrasil.com) 7# updated by Joerg Jenderek 80 string @ 9>1 string/cB \ echo\ off MS-DOS batch file text 10>1 string/cB echo\ off MS-DOS batch file text 11>1 string/cB rem\ MS-DOS batch file text 12>1 string/cB set\ MS-DOS batch file text 13 14 15# OS/2 batch files are REXX. the second regex is a bit generic, oh well 16# the matched commands seem to be common in REXX and uncommon elsewhere 17100 regex/c =^\\s*call\s+rxfuncadd.*sysloadfu OS/2 REXX batch file text 18100 regex/c =^\\s*say\ ['"] OS/2 REXX batch file text 19 200 leshort 0x14c MS Windows COFF Intel 80386 object file 21#>4 ledate x stamp %s 220 leshort 0x166 MS Windows COFF MIPS R4000 object file 23#>4 ledate x stamp %s 240 leshort 0x184 MS Windows COFF Alpha object file 25#>4 ledate x stamp %s 260 leshort 0x268 MS Windows COFF Motorola 68000 object file 27#>4 ledate x stamp %s 280 leshort 0x1f0 MS Windows COFF PowerPC object file 29#>4 ledate x stamp %s 300 leshort 0x290 MS Windows COFF PA-RISC object file 31#>4 ledate x stamp %s 32 33# XXX - according to Microsoft's spec, at an offset of 0x3c in a 34# PE-format executable is the offset in the file of the PE header; 35# unfortunately, that's a little-endian offset, and there's no way 36# to specify an indirect offset with a specified byte order. 37# So, for now, we assume the standard MS-DOS stub, which puts the 38# PE header at 0x80 = 128. 39# 40# Required OS version and subsystem version were 4.0 on some NT 3.51 41# executables built with Visual C++ 4.0, so it's not clear that 42# they're interesting. The user version was 0.0, but there's 43# probably some linker directive to set it. The linker version was 44# 3.0, except for one ".exe" which had it as 4.20 (same damn linker!). 45# 46# many of the compressed formats were extraced from IDARC 1.23 source code 47# 480 string MZ MS-DOS executable 49>0 string MZ\0\0\0\0\0\0\0\0\0\0PE\0\0 \b, PE for MS Windows 50>>&18 leshort&0x2000 >0 (DLL) 51>>&88 leshort 0 (unknown subsystem) 52>>&88 leshort 1 (native) 53>>&88 leshort 2 (GUI) 54>>&88 leshort 3 (console) 55>>&88 leshort 7 (POSIX) 56>>&0 leshort 0x0 unknown processor 57>>&0 leshort 0x14c Intel 80386 58>>&0 leshort 0x166 MIPS R4000 59>>&0 leshort 0x184 Alpha 60>>&0 leshort 0x268 Motorola 68000 61>>&0 leshort 0x1f0 PowerPC 62>>&0 leshort 0x290 PA-RISC 63>>&18 leshort&0x0100 >0 32-bit 64>>&18 leshort&0x1000 >0 system file 65>>&0xf4 search/0x140 \x0\x40\x1\x0 66>>>(&0.l+(4)) string MSCF \b, WinHKI CAB self-extracting archive 67 68>0x18 leshort >0x3f 69>>(0x3c.l) string PE\0\0 PE 70# hooray, there's a DOS extender using the PE format, with a valid PE 71# executable inside (which just prints a message and exits if run in win) 72>>>(8.s*16) string 32STUB for MS-DOS, 32rtm DOS extender 73>>>(8.s*16) string !32STUB for MS Windows 74>>>>(0x3c.l+22) leshort&0x2000 >0 (DLL) 75>>>>(0x3c.l+92) leshort 0 (unknown subsystem) 76>>>>(0x3c.l+92) leshort 1 (native) 77>>>>(0x3c.l+92) leshort 2 (GUI) 78>>>>(0x3c.l+92) leshort 3 (console) 79>>>>(0x3c.l+92) leshort 7 (POSIX) 80>>>>(0x3c.l+4) leshort 0x0 unknown processor 81>>>>(0x3c.l+4) leshort 0x14c Intel 80386 82>>>>(0x3c.l+4) leshort 0x166 MIPS R4000 83>>>>(0x3c.l+4) leshort 0x184 Alpha 84>>>>(0x3c.l+4) leshort 0x268 Motorola 68000 85>>>>(0x3c.l+4) leshort 0x1f0 PowerPC 86>>>>(0x3c.l+4) leshort 0x290 PA-RISC 87>>>>(0x3c.l+22) leshort&0x0100 >0 32-bit 88>>>>(0x3c.l+22) leshort&0x1000 >0 system file 89>>>>(0x3c.l+232) lelong >0 Mono/.Net assembly 90 91>>>>(0x3c.l+0xf8) string UPX0 \b, UPX compressed 92>>>>(0x3c.l+0xf8) search/0x140 PEC2 \b, PECompact2 compressed 93>>>>(0x3c.l+0xf8) search/0x140 UPX2 94>>>>>(&0x10.l+(-4)) string PK\3\4 \b, ZIP self-extracting archive (Info-Zip) 95>>>>(0x3c.l+0xf8) search/0x140 .idata 96>>>>>(&0xe.l+(-4)) string PK\3\4 \b, ZIP self-extracting archive (Info-Zip) 97>>>>>(&0xe.l+(-4)) string ZZ0 \b, ZZip self-extracting archive 98>>>>>(&0xe.l+(-4)) string ZZ1 \b, ZZip self-extracting archive 99>>>>(0x3c.l+0xf8) search/0x140 .rsrc 100>>>>>(&0x0f.l+(-4)) string a\\\4\5 \b, WinHKI self-extracting archive 101>>>>>(&0x0f.l+(-4)) string Rar! \b, RAR self-extracting archive 102>>>>>(&0x0f.l+(-4)) search/0x3000 MSCF \b, InstallShield self-extracting archive 103>>>>>(&0x0f.l+(-4)) search/32 Nullsoft \b, Nullsoft Installer self-extracting archive 104>>>>(0x3c.l+0xf8) search/0x140 .data 105>>>>>(&0x0f.l) string WEXTRACT \b, MS CAB-Installer self-extracting archive 106>>>>(0x3c.l+0xf8) search/0x140 .petite\0 \b, Petite compressed 107>>>>>(0x3c.l+0xf7) byte x 108>>>>>>(&0x104.l+(-4)) string =!sfx! \b, ACE self-extracting archive 109>>>>(0x3c.l+0xf8) search/0x140 .WISE \b, WISE installer self-extracting archive 110>>>>(0x3c.l+0xf8) search/0x140 .dz\0\0\0 \b, Dzip self-extracting archive 111>>>>(0x3c.l+0xf8) search/0x140 .reloc 112>>>>>(&0xe.l+(-4)) search/0x180 PK\3\4 \b, ZIP self-extracting archive (WinZip) 113 114>>>>&(0x3c.l+0xf8) search/0x100 _winzip_ \b, ZIP self-extracting archive (WinZip) 115>>>>&(0x3c.l+0xf8) search/0x100 SharedD \b, Microsoft Installer self-extracting archive 116>>>>0x30 string Inno \b, InnoSetup self-extracting archive 117 118>>(0x3c.l) string NE \b, NE 119>>>(0x3c.l+0x36) byte 0 (unknown OS) 120>>>(0x3c.l+0x36) byte 1 for OS/2 1.x 121>>>(0x3c.l+0x36) byte 2 for MS Windows 3.x 122>>>(0x3c.l+0x36) byte 3 for MS-DOS 123>>>(0x3c.l+0x36) byte >3 (unknown OS) 124>>>(0x3c.l+0x36) byte 0x81 for MS-DOS, Phar Lap DOS extender 125>>>(0x3c.l+0x0c) leshort&0x8003 0x8002 (DLL) 126>>>(0x3c.l+0x0c) leshort&0x8003 0x8001 (driver) 127>>>&(&0x24.s-1) string ARJSFX \b, ARJ self-extracting archive 128>>>(0x3c.l+0x70) search/0x80 WinZip(R)\ Self-Extractor \b, ZIP self-extracting archive (WinZip) 129 130>>(0x3c.l) string LX\0\0 \b, LX 131>>>(0x3c.l+0x0a) leshort <1 (unknown OS) 132>>>(0x3c.l+0x0a) leshort 1 for OS/2 133>>>(0x3c.l+0x0a) leshort 2 for MS Windows 134>>>(0x3c.l+0x0a) leshort 3 for DOS 135>>>(0x3c.l+0x0a) leshort >3 (unknown OS) 136>>>(0x3c.l+0x10) lelong&0x28000 =0x8000 (DLL) 137>>>(0x3c.l+0x10) lelong&0x20000 >0 (device driver) 138>>>(0x3c.l+0x10) lelong&0x300 0x300 (GUI) 139>>>(0x3c.l+0x10) lelong&0x28300 <0x300 (console) 140>>>(0x3c.l+0x08) leshort 1 i80286 141>>>(0x3c.l+0x08) leshort 2 i80386 142>>>(0x3c.l+0x08) leshort 3 i80486 143>>>(8.s*16) string emx \b, emx 144>>>>&1 string x %s 145>>>&(&0x54.l-3) string arjsfx \b, ARJ self-extracting archive 146 147# MS Windows system file, supposedly a collection of LE executables 148>>(0x3c.l) string W3 \b, W3 for MS Windows 149 150>>(0x3c.l) string LE\0\0 \b, LE executable 151>>>(0x3c.l+0x0a) leshort 1 152# some DOS extenders use LE files with OS/2 header 153>>>>0x240 search/0x100 DOS/4G for MS-DOS, DOS4GW DOS extender 154>>>>0x240 search/0x200 WATCOM\ C/C++ for MS-DOS, DOS4GW DOS extender 155>>>>0x440 search/0x100 CauseWay\ DOS\ Extender for MS-DOS, CauseWay DOS extender 156>>>>0x40 search/0x40 PMODE/W for MS-DOS, PMODE/W DOS extender 157>>>>0x40 search/0x40 STUB/32A for MS-DOS, DOS/32A DOS extender (stub) 158>>>>0x40 search/0x80 STUB/32C for MS-DOS, DOS/32A DOS extender (configurable stub) 159>>>>0x40 search/0x80 DOS/32A for MS-DOS, DOS/32A DOS extender (embedded) 160# this is a wild guess; hopefully it is a specific signature 161>>>>&0x24 lelong <0x50 162>>>>>(&0x4c.l) string \xfc\xb8WATCOM 163>>>>>>&0 search/8 3\xdbf\xb9 \b, 32Lite compressed 164# another wild guess: if real OS/2 LE executables exist, they probably have higher start EIP 165#>>>>(0x3c.l+0x1c) lelong >0x10000 for OS/2 166# fails with DOS-Extenders. 167>>>(0x3c.l+0x0a) leshort 2 for MS Windows 168>>>(0x3c.l+0x0a) leshort 3 for DOS 169>>>(0x3c.l+0x0a) leshort 4 for MS Windows (VxD) 170>>>(&0x7c.l+0x26) string UPX \b, UPX compressed 171>>>&(&0x54.l-3) string UNACE \b, ACE self-extracting archive 172 173# looks like ASCII, probably some embedded copyright message. 174# and definitely not NE/LE/LX/PE 175>>0x3c lelong >0x20000000 176>>>(4.s*512) leshort !0x014c \b, MZ for MS-DOS 177# header data too small for extended executable 178>2 long !0 179>>0x18 leshort <0x40 180>>>(4.s*512) leshort !0x014c 181 182>>>>&(2.s-514) string !LE 183>>>>>&-2 string !BW \b, MZ for MS-DOS 184>>>>&(2.s-514) string LE \b, LE 185>>>>>0x240 search/0x100 DOS/4G for MS-DOS, DOS4GW DOS extender 186# educated guess since indirection is still not capable enough for complex offset 187# calculations (next embedded executable would be at &(&2*512+&0-2) 188# I suspect there are only LE executables in these multi-exe files 189>>>>&(2.s-514) string BW 190>>>>>0x240 search/0x100 DOS/4G ,\b LE for MS-DOS, DOS4GW DOS extender (embedded) 191>>>>>0x240 search/0x100 !DOS/4G ,\b BW collection for MS-DOS 192 193# This sequence skips to the first COFF segment, usually .text 194>(4.s*512) leshort 0x014c \b, COFF 195>>(8.s*16) string go32stub for MS-DOS, DJGPP go32 DOS extender 196>>(8.s*16) string emx 197>>>&1 string x for DOS, Win or OS/2, emx %s 198>>&(&0x42.l-3) byte x 199>>>&0x26 string UPX \b, UPX compressed 200# and yet another guess: small .text, and after large .data is unusal, could be 32lite 201>>&0x2c search/0xa0 .text 202>>>&0x0b lelong <0x2000 203>>>>&0 lelong >0x6000 \b, 32lite compressed 204 205>(8.s*16) string $WdX \b, WDos/X DOS extender 206 207# .EXE formats (Greg Roelofs, newt@uchicago.edu) 208# 209>0x35 string \x8e\xc0\xb9\x08\x00\xf3\xa5\x4a\x75\xeb\x8e\xc3\x8e\xd8\x33\xff\xbe\x30\x00\x05 \b, aPack compressed 210>0xe7 string LH/2\ Self-Extract \b, %s 211>0x1c string diet \b, diet compressed 212>0x1c string LZ09 \b, LZEXE v0.90 compressed 213>0x1c string LZ91 \b, LZEXE v0.91 compressed 214>0x1c string tz \b, TinyProg compressed 215>0x1e string PKLITE \b, %s compressed 216>0x64 string W\ Collis\0\0 \b, Compack compressed 217>0x24 string LHa's\ SFX \b, LHa self-extracting archive 218>0x24 string LHA's\ SFX \b, LHa self-extracting archive 219>0x24 string \ $ARX \b, ARX self-extracting archive 220>0x24 string \ $LHarc \b, LHarc self-extracting archive 221>0x20 string SFX\ by\ LARC \b, LARC self-extracting archive 222>1638 string -lh5- \b, LHa self-extracting archive v2.13S 223>0x17888 string Rar! \b, RAR self-extracting archive 224>0x40 string aPKG \b, aPackage self-extracting archive 225 226>32 string AIN 227>>35 string 2 \b, AIN 2.x compressed 228>>35 string <2 \b, AIN 1.x compressed 229>>35 string >2 \b, AIN 1.x compressed 230>28 string UC2X \b, UCEXE compressed 231>28 string WWP\ \b, WWPACK compressed 232 233# skip to the end of the exe 234>(4.s*512) long x 235>>&(2.s-517) byte x 236>>>&0 string PK\3\4 \b, ZIP self-extracting archive 237>>>&0 string Rar! \b, RAR self-extracting archive 238>>>&0 string =!\x11 \b, AIN 2.x self-extracting archive 239>>>&0 string =!\x12 \b, AIN 2.x self-extracting archive 240>>>&0 string =!\x17 \b, AIN 1.x self-extracting archive 241>>>&0 string =!\x18 \b, AIN 1.x self-extracting archive 242>>>&7 search/400 **ACE** \b, ACE self-extracting archive 243>>>&0 search/0x480 UC2SFX\ Header \b, UC2 self-extracting archive 244 245>0x1c string RJSX \b, ARJ self-extracting archive 246# winarj stores a message in the stub instead of the sig in the MZ header 247>0x20 search/0xe0 aRJsfX \b, ARJ self-extracting archive 248 249# a few unknown ZIP sfxes, no idea if they are needed or if they are 250# already captured by the generic patterns above 251>122 string Windows\ self-extracting\ ZIP \b, ZIP self-extracting archive 252>(8.s*16) search/0x20 PKSFX \b, ZIP self-extracting archive (PKZIP) 253# TODO: how to add this? >FileSize-34 string Windows\ Self-Installing\ Executable \b, ZIP self-extracting archive 254# 255 256# TELVOX Teleinformatica CODEC self-extractor for OS/2: 257>49801 string \x79\xff\x80\xff\x76\xff \b, CODEC archive v3.21 258>>49824 leshort =1 \b, 1 file 259>>49824 leshort >1 \b, %u files 260 261# .COM formats (Daniel Quinlan, quinlan@yggdrasil.com) 262# Uncommenting only the first two lines will cover about 2/3 of COM files, 263# but it isn't feasible to match all COM files since there must be at least 264# two dozen different one-byte "magics". 2650 byte 0xe9 DOS executable (COM) 266>0x1FE leshort 0xAA55 \b, boot code 267>6 string SFX\ of\ LHarc (%s) 2680 belong 0xffffffff DOS executable (device driver) 269#CMD640X2.SYS 270>10 string >\x23 271>>10 string !\x2e 272>>>17 string <\x5B 273>>>>10 string x \b, name: %.8s 274#UDMA.SYS KEYB.SYS CMD640X2.SYS 275>10 string <\x41 276>>12 string >\x40 277>>>10 string !$ 278>>>>12 string x \b, name: %.8s 279#BTCDROM.SYS ASPICD.SYS 280>22 string >\x40 281>>22 string <\x5B 282>>>23 string <\x5B 283>>>>22 string x \b, name: %.8s 284#ATAPICD.SYS 285>76 string \0 286>>77 string >\x40 287>>>77 string <\x5B 288>>>>77 string x \b, name: %.8s 2890 byte 0x8c DOS executable (COM) 290# 0xeb conflicts with "sequent" magic 2910 byte 0xeb DOS executable (COM) 292>0x1FE leshort 0xAA55 \b, boot code 293>85 string UPX \b, UPX compressed 294>4 string \ $ARX \b, ARX self-extracting archive 295>4 string \ $LHarc \b, LHarc self-extracting archive 296>0x20e string SFX\ by\ LARC \b, LARC self-extracting archive 2970 byte 0xb8 COM executable 298# modified by Joerg Jenderek 299>1 lelong !0x21cd4cff for DOS 300# http://syslinux.zytor.com/comboot.php 301# (32-bit COMBOOT) programs *.C32 contain 32-bit code and run in flat-memory 32-bit protected mode 302# start with assembler instructions mov eax,21cd4cffh 303>1 lelong 0x21cd4cff (32-bit COMBOOT) 3040 string \x81\xfc 305>4 string \x77\x02\xcd\x20\xb9 306>>36 string UPX! FREE-DOS executable (COM), UPX compressed 307252 string Must\ have\ DOS\ version DR-DOS executable (COM) 308# GRR search is not working 309#2 search/28 \xcd\x21 COM executable for MS-DOS 310#WHICHFAT.cOM 3112 string \xcd\x21 COM executable for DOS 312#DELTREE.cOM DELTREE2.cOM 3134 string \xcd\x21 COM executable for DOS 314#IFMEMDSK.cOM ASSIGN.cOM COMP.cOM 3155 string \xcd\x21 COM executable for DOS 316#DELTMP.COm HASFAT32.cOM 3177 string \xcd\x21 318>0 byte !0xb8 COM executable for DOS 319#COMP.cOM MORE.COm 32010 string \xcd\x21 321>5 string !\xcd\x21 COM executable for DOS 322#comecho.com 32313 string \xcd\x21 COM executable for DOS 324#HELP.COm EDIT.coM 32518 string \xcd\x21 COM executable for MS-DOS 326#NWRPLTRM.COm 32723 string \xcd\x21 COM executable for MS-DOS 328#LOADFIX.cOm LOADFIX.cOm 32930 string \xcd\x21 COM executable for MS-DOS 330#syslinux.com 3.11 33170 string \xcd\x21 COM executable for DOS 332# many compressed/converted COMs start with a copy loop instead of a jump 3330x6 search/0xa \xfc\x57\xf3\xa5\xc3 COM executable for MS-DOS 3340x6 search/0xa \xfc\x57\xf3\xa4\xc3 COM executable for DOS 335>0x18 search/0x10 \x50\xa4\xff\xd5\x73 \b, aPack compressed 3360x3c string W\ Collis\0\0 COM executable for MS-DOS, Compack compressed 337# FIXME: missing diet .com compression 338 339# miscellaneous formats 3400 string LZ MS-DOS executable (built-in) 341#0 byte 0xf0 MS-DOS program library data 342# 343 344# 345# Windows Registry files. 346# updated by Joerg Jenderek 3470 string regf Windows NT/XP registry file 3480 string CREG Windows 95/98/ME registry file 3490 string SHCC3 Windows 3.1 registry file 350 351 352# AAF files: 353# <stuartc@rd.bbc.co.uk> Stuart Cunningham 3540 string \320\317\021\340\241\261\032\341AAFB\015\000OM\006\016\053\064\001\001\001\377 AAF legacy file using MS Structured Storage 355>30 byte 9 (512B sectors) 356>30 byte 12 (4kB sectors) 3570 string \320\317\021\340\241\261\032\341\001\002\001\015\000\002\000\000\006\016\053\064\003\002\001\001 AAF file using MS Structured Storage 358>30 byte 9 (512B sectors) 359>30 byte 12 (4kB sectors) 360 361# Popular applications 362# False positive with PPT 363#0 string \xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x3E\x00\x03\x00\xFE\xFF Microsoft Installer 3642080 string Microsoft\ Word\ 6.0\ Document %s 3652080 string Documento\ Microsoft\ Word\ 6 Spanish Microsoft Word 6 document data 366# Pawel Wiecek <coven@i17linuxb.ists.pwr.wroc.pl> (for polish Word) 3672112 string MSWordDoc Microsoft Word document data 368# 3690 belong 0x31be0000 Microsoft Word Document 370# 3710 string PO^Q` Microsoft Word 6.0 Document 372# 3730 string \376\067\0\043 Microsoft Office Document 3740 string \333\245-\0\0\0 Microsoft Office Document 375# 3762080 string Microsoft\ Excel\ 5.0\ Worksheet %s 3772080 string Foglio\ di\ lavoro\ Microsoft\ Exce %s 378# 379# Pawel Wiecek <coven@i17linuxb.ists.pwr.wroc.pl> (for polish Excel) 3802114 string Biff5 Microsoft Excel 5.0 Worksheet 381# Italian MS-Excel 3822121 string Biff5 Microsoft Excel 5.0 Worksheet 3830 string \x09\x04\x06\x00\x00\x00\x10\x00 Microsoft Excel Worksheet 384# 3850 belong 0x00001a00 Lotus 1-2-3 386>4 belong 0x00100400 wk3 document data 387>4 belong 0x02100400 wk4 document data 388>4 belong 0x07800100 fm3 or fmb document data 389>4 belong 0x07800000 fm3 or fmb document data 390# 3910 belong 0x00000200 Lotus 1-2-3 392>4 belong 0x06040600 wk1 document data 393>4 belong 0x06800200 fmt document data 394 395# Help files 3960 string ?_\3\0 MS Windows Help Data 397 398# DeIsL1.isu what this is I don't know 3990 string \161\250\000\000\001\002 DeIsL1.isu whatever that is 400 401# Winamp .avs 402#0 string Nullsoft\ AVS\ Preset\ \060\056\061\032 A plug in for Winamp ms-windows Freeware media player 4030 string Nullsoft\ AVS\ Preset\ Winamp plug in 404 405# Hyper terminal: 4060 string HyperTerminal\ hyperterm 407>15 string 1.0\ --\ HyperTerminal\ data\ file MS-windows Hyperterminal 408 409# Windows Metafont .WMF 4100 string \327\315\306\232 ms-windows metafont .wmf 4110 string \002\000\011\000 ms-windows metafont .wmf 4120 string \001\000\011\000 ms-windows metafont .wmf 413 414#tz3 files whatever that is (MS Works files) 4150 string \003\001\001\004\070\001\000\000 tz3 ms-works file 4160 string \003\002\001\004\070\001\000\000 tz3 ms-works file 4170 string \003\003\001\004\070\001\000\000 tz3 ms-works file 418 419# PGP sig files .sig 420#0 string \211\000\077\003\005\000\063\237\127 065 to \027\266\151\064\005\045\101\233\021\002 PGP sig 4210 string \211\000\077\003\005\000\063\237\127\065\027\266\151\064\005\045\101\233\021\002 PGP sig 4220 string \211\000\077\003\005\000\063\237\127\066\027\266\151\064\005\045\101\233\021\002 PGP sig 4230 string \211\000\077\003\005\000\063\237\127\067\027\266\151\064\005\045\101\233\021\002 PGP sig 4240 string \211\000\077\003\005\000\063\237\127\070\027\266\151\064\005\045\101\233\021\002 PGP sig 4250 string \211\000\077\003\005\000\063\237\127\071\027\266\151\064\005\045\101\233\021\002 PGP sig 4260 string \211\000\225\003\005\000\062\122\207\304\100\345\042 PGP sig 427 428# windows zips files .dmf 4290 string MDIF\032\000\010\000\000\000\372\046\100\175\001\000\001\036\001\000 MS Windows special zipped file 430 431 432# Windows help file FTG FTS 4330 string \164\146\115\122\012\000\000\000\001\000\000\000 MS Windows help cache 434 435# grp old windows 3.1 group files 4360 string \120\115\103\103 MS Windows 3.1 group files 437 438 439# lnk files windows symlinks 4400 string \114\000\000\000\001\024\002\000\000\000\000\000\300\000\000\000\000\000\000\106 MS Windows shortcut 441 442#ico files 4430 string \102\101\050\000\000\000\056\000\000\000\000\000\000\000 Icon for MS Windows 444 445# Windows icons (Ian Springer <ips@fpk.hp.com>) 4460 string \000\000\001\000 MS Windows icon resource 447>4 byte 1 - 1 icon 448>4 byte >1 - %d icons 449>>6 byte >0 \b, %dx 450>>>7 byte >0 \b%d 451>>8 byte 0 \b, 256-colors 452>>8 byte >0 \b, %d-colors 453 454 455# .chr files 4560 string PK\010\010BGI Borland font 457>4 string >\0 %s 458# then there is a copyright notice 459 460 461# .bgi files 4620 string pk\010\010BGI Borland device 463>4 string >\0 %s 464# then there is a copyright notice 465 466 467# recycled/info the windows trash bin index 4689 string \000\000\000\030\001\000\000\000 MS Windows recycled bin info 469 470 471##### put in Either Magic/font or Magic/news 472# Acroread or something files wrongly identified as G3 .pfm 473# these have the form \000 \001 any? \002 \000 \000 474# or \000 \001 any? \022 \000 \000 475#0 string \000\001 pfm? 476#>3 string \022\000\000Copyright\ yes 477#>3 string \002\000\000Copyright\ yes 478#>3 string >\0 oops, not a font file. Cancel that. 479#it clashes with ttf files so put it lower down. 480 481# From Doug Lee via a FreeBSD pr 4829 string GERBILDOC First Choice document 4839 string GERBILDB First Choice database 4849 string GERBILCLIP First Choice database 4850 string GERBIL First Choice device file 4869 string RABBITGRAPH RabbitGraph file 4870 string DCU1 Borland Delphi .DCU file 4880 string =!<spell> MKS Spell hash list (old format) 4890 string =!<spell2> MKS Spell hash list 490# Too simple - MPi 491#0 string AH Halo(TM) bitmapped font file 4920 lelong 0x08086b70 TurboC BGI file 4930 lelong 0x08084b50 TurboC Font file 494 495# WARNING: below line conflicts with Infocom game data Z-machine 3 4960 byte 0x03 DBase 3 data file 497>0x04 lelong 0 (no records) 498>0x04 lelong >0 (%ld records) 4990 byte 0x83 DBase 3 data file with memo(s) 500>0x04 lelong 0 (no records) 501>0x04 lelong >0 (%ld records) 5020 leshort 0x0006 DBase 3 index file 5030 string PMCC Windows 3.x .GRP file 5041 string RDC-meg MegaDots 505>8 byte >0x2F version %c 506>9 byte >0x2F \b.%c file 5070 lelong 0x4C 508>4 lelong 0x00021401 Windows shortcut file 509 510# DOS EPS Binary File Header 511# From: Ed Sznyter <ews@Black.Market.NET> 5120 belong 0xC5D0D3C6 DOS EPS Binary File 513>4 long >0 Postscript starts at byte %d 514>>8 long >0 length %d 515>>>12 long >0 Metafile starts at byte %d 516>>>>16 long >0 length %d 517>>>20 long >0 TIFF starts at byte %d 518>>>>24 long >0 length %d 519 520# TNEF magic From "Joomy" <joomy@se-ed.net> 5210 leshort 0x223e9f78 TNEF 522 523# HtmlHelp files (.chm) 5240 string ITSF\003\000\000\000\x60\000\000\000\001\000\000\000 MS Windows HtmlHelp Data 525 526# GFA-BASIC (Wolfram Kleff) 5272 string GFA-BASIC3 GFA-BASIC 3 data 528 529#------------------------------------------------------------------------------ 530# From Stuart Caie <kyzer@4u.net> (developer of cabextract) 531# Microsoft Cabinet files 5320 string MSCF\0\0\0\0 Microsoft Cabinet archive data 533>8 lelong x \b, %u bytes 534>28 leshort 1 \b, 1 file 535>28 leshort >1 \b, %u files 536 537# InstallShield Cabinet files 5380 string ISc( InstallShield Cabinet archive data 539>5 byte&0xf0 =0x60 version 6, 540>5 byte&0xf0 !0x60 version 4/5, 541>(12.l+40) lelong x %u files 542 543# Windows CE package files 5440 string MSCE\0\0\0\0 Microsoft WinCE install header 545>20 lelong 0 \b, architecture-independent 546>20 lelong 103 \b, Hitachi SH3 547>20 lelong 104 \b, Hitachi SH4 548>20 lelong 0xA11 \b, StrongARM 549>20 lelong 4000 \b, MIPS R4000 550>20 lelong 10003 \b, Hitachi SH3 551>20 lelong 10004 \b, Hitachi SH3E 552>20 lelong 10005 \b, Hitachi SH4 553>20 lelong 70001 \b, ARM 7TDMI 554>52 leshort 1 \b, 1 file 555>52 leshort >1 \b, %u files 556>56 leshort 1 \b, 1 registry entry 557>56 leshort >1 \b, %u registry entries 558 559# Outlook Personal Folders 5600 lelong 0x4E444221 Microsoft Outlook binary email folder 561 562# From: Dirk Jagdmann <doj@cubic.org> 5630 lelong 0x00035f3f Windows 3.x help file 564 565# Christophe Monniez 5660 string Client\ UrlCache\ MMF Microsoft Internet Explorer Cache File 567>20 string >\0 Version %s 5680 string \xCF\xAD\x12\xFE Microsoft Outlook Express DBX File 569>4 byte =0xC5 Message database 570>4 byte =0xC6 Folder database 571>4 byte =0xC7 Accounts informations 572>4 byte =0x30 Offline database 573 574 575# Windows Enhanced Metafile (EMF) 576# See msdn.microsoft.com/archive/en-us/dnargdi/html/msdn_enhmeta.asp 577# for further information. Note that "0 lelong 1" should be true i.e. 578# the first double word in the file should be 1. With the extended 579# syntax available by some file commands you could write: 580# 0 lelong 1 581# &40 ulelong 0x464D4520 Windows Enhanced Metafile (EMF) image data 58240 ulelong 0x464D4520 Windows Enhanced Metafile (EMF) image data 583>44 ulelong x version 0x%x. 584# If the description has a length greater than zero, it exists and is 585# found at offset (*64). 586>64 ulelong >0 Description available at offset 0x%x 587>>60 ulelong >0 (length 0x%x) 588# Note it would be better to print out the description, which is found 589# as below. Unfortunately the following only prints out the first couple 590# of characters instead of all the "description length" 591# number of characters -- indicated by the ulelong at offset 60. 592>>(64.l) lestring16 >0 Description: %15.15s 593 594# From: Alex Beregszaszi <alex@fsn.hu> 5950 string COWD VMWare3 596>4 byte 3 disk image 597>>32 lelong x (%d/ 598>>36 lelong x \b%d/ 599>>40 lelong x \b%d) 600>4 byte 2 undoable disk image 601>>32 string >\0 (%s) 602 6030 string VMDK VMware4 disk image 6040 string KDMV VMware4 disk image 605 6060 belong 0x514649fb QEMU Copy-On-Write disk image 607>4 belong x version %d, 608>24 belong x size %d + 609>28 belong x %d 610 6110 string QEVM QEMU's suspend to disk image 612 6130 string Bochs\ Virtual\ HD\ Image Bochs disk image, 614>32 string x type %s, 615>48 string x subtype %s 616 6170 lelong 0x02468ace Bochs Sparse disk image 618 619# from http://filext.com by Derek M Jones <derek@knosof.co.uk> 6200 string \xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x3E\x00\x03\x00\xFE\xFF Microsoft Installer 6210 string \320\317\021\340\241\261\032\341 Microsoft Office Document 622