msdos revision 69216
1 2#------------------------------------------------------------------------------ 3# msdos: file(1) magic for MS-DOS files 4# 5 6# .BAT files (Daniel Quinlan, quinlan@yggdrasil.com) 70 string @echo\ off MS-DOS batch file text 8 9# XXX - according to Microsoft's spec, at an offset of 0x3c in a 10# PE-format executable is the offset in the file of the PE header; 11# unfortunately, that's a little-endian offset, and there's no way 12# to specify an indirect offset with a specified byte order. 13# So, for now, we assume the standard MS-DOS stub, which puts the 14# PE header at 0x80 = 128. 15# 16# Required OS version and subsystem version were 4.0 on some NT 3.51 17# executables built with Visual C++ 4.0, so it's not clear that 18# they're interesting. The user version was 0.0, but there's 19# probably some linker directive to set it. The linker version was 20# 3.0, except for one ".exe" which had it as 4.20 (same damn linker!). 21# 22128 string PE\0\0 MS Windows PE 23>150 leshort&0x0100 >0 32-bit 24>132 leshort 0x0 unknown processor 25>132 leshort 0x14c Intel 80386 26>132 leshort 0x166 MIPS R4000 27>132 leshort 0x184 Alpha 28>132 leshort 0x268 Motorola 68000 29>132 leshort 0x1f0 PowerPC 30>132 leshort 0x290 PA-RISC 31>148 leshort >27 32>>220 leshort 0 unknown subsystem 33>>220 leshort 1 native 34>>220 leshort 2 GUI 35>>220 leshort 3 console 36>>220 leshort 7 POSIX 37>150 leshort&0x2000 =0 executable 38#>>136 ledate x stamp %s, 39>>150 leshort&0x0001 >0 not relocatable 40#>>150 leshort&0x0004 =0 with line numbers, 41#>>150 leshort&0x0008 =0 with local symbols, 42#>>150 leshort&0x0200 =0 with debug symbols, 43>>150 leshort&0x1000 >0 system file 44#>>148 leshort >0 45#>>>154 byte x linker %d 46#>>>155 byte x \b.%d, 47#>>148 leshort >27 48#>>>192 leshort x requires OS %d 49#>>>194 leshort x \b.%d, 50#>>>196 leshort x user version %d 51#>>>198 leshort x \b.%d, 52#>>>200 leshort x subsystem version %d 53#>>>202 leshort x \b.%d, 54>150 leshort&0x2000 >0 DLL 55#>>136 ledate x stamp %s, 56>>150 leshort&0x0001 >0 not relocatable 57#>>150 leshort&0x0004 =0 with line numbers, 58#>>150 leshort&0x0008 =0 with local symbols, 59#>>150 leshort&0x0200 =0 with debug symbols, 60>>150 leshort&0x1000 >0 system file 61#>>148 leshort >0 62#>>>154 byte x linker %d 63#>>>155 byte x \b.%d, 64#>>148 leshort >27 65#>>>192 leshort x requires OS %d 66#>>>194 leshort x \b.%d, 67#>>>196 leshort x user version %d 68#>>>198 leshort x \b.%d, 69#>>>200 leshort x subsystem version %d 70#>>>202 leshort x \b.%d, 710 leshort 0x14c MS Windows COFF Intel 80386 object file 72#>4 ledate x stamp %s 730 leshort 0x166 MS Windows COFF MIPS R4000 object file 74#>4 ledate x stamp %s 750 leshort 0x184 MS Windows COFF Alpha object file 76#>4 ledate x stamp %s 770 leshort 0x268 MS Windows COFF Motorola 68000 object file 78#>4 ledate x stamp %s 790 leshort 0x1f0 MS Windows COFF PowerPC object file 80#>4 ledate x stamp %s 810 leshort 0x290 MS Windows COFF PA-RISC object file 82#>4 ledate x stamp %s 83 84# .EXE formats (Greg Roelofs, newt@uchicago.edu) 85# 860 string MZ MS-DOS executable (EXE) 87>24 string @ \b, OS/2 or MS Windows 88>>0xe7 string LH/2\ Self-Extract \b, %s 89>>0xe9 string PKSFX2 \b, %s 90>>122 string Windows\ self-extracting\ ZIP \b, %s 91>0x1c string RJSX\xff\xff \b, ARJ SFX 92>0x1c string diet\xf9\x9c \b, diet compressed 93>0x1e string Copyright\ 1989-1990\ PKWARE\ Inc. \b, PKSFX 94# JM: 0x1e "PKLITE Copr. 1990-92 PKWARE Inc. All Rights Reserved\7\0\0\0" 95>0x1e string PKLITE\ Copr. \b, %.6s compressed 96>0x24 string LHa's\ SFX \b, %.15s 97>0x24 string LHA's\ SFX \b, %.15s 98>1638 string -lh5- \b, LHa SFX archive v2.13S 99>7195 string Rar! \b, RAR self-extracting archive 100# 101# [GRR 950118: file 3.15 has a buffer-size limitation; offsets bigger than 102# 8161 bytes are ignored. To make the following entries work, increase 103# HOWMANY in file.h to 32K at least, and maybe to 70K or more for OS/2, 104# NT/Win32 and VMS.] 105# [GRR: some company sells a self-extractor/displayer for image data(!)] 106# 107>11696 string PK\003\004 \b, PKZIP SFX archive v1.1 108>13297 string PK\003\004 \b, PKZIP SFX archive v1.93a 109>15588 string PK\003\004 \b, PKZIP2 SFX archive v1.09 110>15770 string PK\003\004 \b, PKZIP SFX archive v2.04g 111>28374 string PK\003\004 \b, PKZIP2 SFX archive v1.02 112# 113# Info-ZIP self-extractors 114# these are the DOS versions: 115>25115 string PK\003\004 \b, Info-ZIP SFX archive v5.12 116>26331 string PK\003\004 \b, Info-ZIP SFX archive v5.12 w/decryption 117# these are the OS/2 versions (OS/2 is flagged above): 118>47031 string PK\003\004 \b, Info-ZIP SFX archive v5.12 119>49845 string PK\003\004 \b, Info-ZIP SFX archive v5.12 w/decryption 120# this is the NT/Win32 version: 121>69120 string PK\003\004 \b, Info-ZIP NT SFX archive v5.12 w/decryption 122# 123# TELVOX Teleinformatica CODEC self-extractor for OS/2: 124>49801 string \x79\xff\x80\xff\x76\xff \b, CODEC archive v3.21 125>>49824 leshort =1 \b, 1 file 126>>49824 leshort >1 \b, %u files 127 128# .COM formats (Daniel Quinlan, quinlan@yggdrasil.com) 129# Uncommenting only the first two lines will cover about 2/3 of COM files, 130# but it isn't feasible to match all COM files since there must be at least 131# two dozen different one-byte "magics". 132#0 byte 0xe9 MS-DOS executable (COM) 133#>6 string SFX\ of\ LHarc (%s) 134#0 byte 0x8c MS-DOS executable (COM) 135# 0xeb conflicts with "sequent" magic 136#0 byte 0xeb MS-DOS executable (COM) 137#0 byte 0xb8 MS-DOS executable (COM) 138 139# miscellaneous formats 1400 string LZ MS-DOS executable (built-in) 141#0 byte 0xf0 MS-DOS program library data 142# 143 144# 145# Windows NT Registry files. 146# 1470 string regf Windows NT Registry file 148 149# Popular applications 1502080 string Microsoft\ Word\ 6.0\ Document %s 1512080 string Documento\ Microsoft\ Word\ 6 Spanish Microsoft Word 6 document data 152# Pawel Wiecek <coven@i17linuxb.ists.pwr.wroc.pl> (for polish Word) 1532112 string MSWordDoc Microsoft Word document data 154# 1550 belong 0x31be0000 Microsoft Word Document 156# 1570 string PO^Q` Microsoft Word 6.0 Document 158# 1590 string \376\067\0\043 Microsoft Office Document 1600 string \320\317\021\340\241\261 Microsoft Office Document 1610 string \333\245-\0\0\0 Microsoft Office Document 162# 1632080 string Microsoft\ Excel\ 5.0\ Worksheet %s 164# 165# Pawel Wiecek <coven@i17linuxb.ists.pwr.wroc.pl> (for polish Excel) 1662114 string Biff5 Microsoft Excel 5.0 Worksheet 167# 1680 belong 0x00001a00 Lotus 1-2-3 169>4 belong 0x00100400 wk3 document data 170>4 belong 0x02100400 wk4 document data 171>4 belong 0x07800100 fm3 or fmb document data 172>4 belong 0x07800000 fm3 or fmb document data 173# 1740 belong 0x00000200 Lotus 1-2-3 175>4 belong 0x06040600 wk1 document data 176>4 belong 0x06800200 fmt document data 177 178# Help files 1790 string ?_\3\0 MS Windows Help Data 180 181# Microsoft CAB distribution format Dale Worley <root@dworley.ny.mediaone.net> 1820 string MSCF\000\000\000\000 Microsoft CAB file 183 184# DeIsL1.isu what this is I don't know 1850 string \161\250\000\000\001\002 DeIsL1.isu whatever that is 186 187# Winamp .avs 188#0 string Nullsoft\ AVS\ Preset\ \060\056\061\032 A plug in for Winamp ms-windows Freeware media player 1890 string Nullsoft\ AVS\ Preset\ Winamp plug in 190 191# Hyper terminal: 1920 string HyperTerminal\ hyperterm 193>15 string 1.0\ --\ HyperTerminal\ data\ file MS-windows Hyperterminal 194 195# Windows Metafont .WMF 1960 string \327\315\306\232\000\000\000\000\000\000 ms-windows metafont .wmf 197 198#tz3 files whatever that is (MS Works files) 1990 string \003\001\001\004\070\001\000\000 tz3 ms-works file 2000 string \003\002\001\004\070\001\000\000 tz3 ms-works file 2010 string \003\003\001\004\070\001\000\000 tz3 ms-works file 202 203# PGP sig files .sig 204#0 string \211\000\077\003\005\000\063\237\127 065 to \027\266\151\064\005\045\101\233\021\002 PGP sig 2050 string \211\000\077\003\005\000\063\237\127\065\027\266\151\064\005\045\101\233\021\002 PGP sig 2060 string \211\000\077\003\005\000\063\237\127\066\027\266\151\064\005\045\101\233\021\002 PGP sig 2070 string \211\000\077\003\005\000\063\237\127\067\027\266\151\064\005\045\101\233\021\002 PGP sig 2080 string \211\000\077\003\005\000\063\237\127\070\027\266\151\064\005\045\101\233\021\002 PGP sig 2090 string \211\000\077\003\005\000\063\237\127\071\027\266\151\064\005\045\101\233\021\002 PGP sig 2100 string \211\000\225\003\005\000\062\122\207\304\100\345\042 PGP sig 211 212# windows zips files .dmf 2130 string MDIF\032\000\010\000\000\000\372\046\100\175\001\000\001\036\001\000 Ms-windows special zipped file 214 215 216# Windows help file FTG FTS 2170 string \164\146\115\122\012\000\000\000\001\000\000\000 ms-windows help cache 218 219# grp old windows 3.1 group files 2200 string \120\115\103\103 Ms-windows 3.1 group files 221 222 223# lnk files windows symlinks 2240 string \114\000\000\000\001\024\002\000\000\000\000\000\300\000\000\000\000\000\000\106 ms-Windows shortcut 225 226#ico files 2270 string \000\000\001\000\001\000\040\040\020\000\000\000\000\000\350\002\000\000 Icon for ms-windows 2280 string \000\000\001\000\004\000\040\040\020\000\000\000\000\000\350\002 Icon for ms-windows 2290 string \102\101\050\000\000\000\056\000\000\000\000\000\000\000 Icon for ms-windows 2300 string \000\000\001\000\002\000\040\040\010\000\000\000\000\000\350\002 Icon for ms-windows 2310 string \000\000\001\000\006\000\020\020\020\000\000\000\000\000\050\001 Icon for ms-windows 2320 string \000\000\001\000\002\000\020\020\020\000\000\000\000\000\050\001 Icon for ms-windows 233 234 235# True Type fonts currently misidentified as raw G3 data 236 2370 string \000\001\000\000\000 MS-Windows true type font .ttf 238 239 240# .chr files 2410 string PK\010\010BGI Borland font 242>4 string >\0 %s 243# then there is a copyright notice 244 245 246# .bgi files 2470 string pk\010\010BGI Borland device 248>4 string >\0 %s 249# then there is a copyright notice 250 251 252# recycled/info the windows trash bin index 2539 string \000\000\000\030\001\000\000\000 ms-windows recycled bin info 254 255 256##### put in Either Magic/font or Magic/news 257# Acroread or something files wrongly identified as G3 .pfm 258# these have the form \000 \001 any? \002 \000 \000 259# or \000 \001 any? \022 \000 \000 2600 string \000\001 pfm? 261>3 string \022\000\000Copyright\ yes 262>3 string \002\000\000Copyright\ yes 263#>3 string >\0 oops, not a font file. Cancel that. 264#it clashes with ttf files so put it lower down. 265 266# From Doug Lee via a FreeBSD pr 2679 string GERBILDOC First Choice document 2689 string GERBILDB First Choice database 2699 string GERBILCLIP First Choice database 2700 string GERBIL First Choice device file 2719 string RABBITGRAPH RabbitGraph file 2720 string DCU1 Borland Delphi .DCU file 2730 string !<spell> MKS Spell hash list (old format) 2740 string !<spell2> MKS Spell hash list 2750 string AH Halo(TM) bitmapped font file 2760 leshort 0x601A Atari ST contiguous executable 277>14 lelong >0 - not stripped 2780 leshort 0x601B Atari ST non-contig executable 279>14 lelong >0 - not stripped 2800 lelong 0x08086b70 TurboC BGI file 2810 lelong 0x08084b50 TurboC Font file 282 283# WARNING: below line conflicts with Infocom game data Z-machine 3 2840 byte 0x03 DBase 3 data file 285>0x04 lelong 0 (no records) 286>0x04 lelong >0 (%ld records) 2870 byte 0x83 DBase 3 data file with memo(s) 288>0x04 lelong 0 (no records) 289>0x04 lelong >0 (%ld records) 2900 leshort 0x0006 DBase 3 index file 2910 string PMCC Windows 3.x .GRP file 2921 string RDC-meg MegaDots 293>8 byte >0x2F version %c 294>9 byte >0x2F \b.%c file 2950 lelong 0x4C 296>4 lelong 0x00021401 Windows shortcut file 297 298# DOS EPS Binary File Header 299# From: Ed Sznyter <ews@Black.Market.NET> 3000 belong 0xC5D0D3C6 DOS EPS Binary File 301>4 long >0 Postscript starts at byte %d 302>>8 long >0 length %d 303>>>12 long >0 Metafile starts at byte %d 304>>>>16 long >0 length %d 305>>>20 long >0 TIFF starts at byte %d 306>>>>24 long >0 length %d 307 308# TNEF magic From "Joomy" <joomy@se-ed.net> 3090 leshort 0x223e9f78 TNEF 310