linux revision 103373
#------------------------------------------------------------------------------
# linux:  file(1) magic for Linux files
#
# Values for Linux/i386 binaries, from Daniel Quinlan <quinlan@yggdrasil.com>
# The following basic Linux magic is useful for reference, but using
# "long" magic is a better practice in order to avoid collisions.
#
# 2	leshort	100	Linux/i386
# >0	leshort	0407	impure executable (OMAGIC)
# >0	leshort	0410	pure executable (NMAGIC)
# >0	leshort	0413	demand-paged executable (ZMAGIC)
# >0	leshort	0314	demand-paged executable (QMAGIC)
#
0	lelong	0x00640107	Linux/i386 impure executable (OMAGIC)
>16	lelong	0	\b, stripped
0	lelong	0x00640108	Linux/i386 pure executable (NMAGIC)
>16	lelong	0	\b, stripped
0	lelong	0x0064010b	Linux/i386 demand-paged executable (ZMAGIC)
>16	lelong	0	\b, stripped
0	lelong	0x006400cc	Linux/i386 demand-paged executable (QMAGIC)
>16	lelong	0	\b, stripped
#
0	string	\007\001\000	Linux/i386 object file
>20	lelong	>0x1020	\b, DLL library
# Linux-8086 stuff:
0	string	\01\03\020\04	Linux-8086 impure executable
>28	long	!0	not stripped
0	string	\01\03\040\04	Linux-8086 executable
>28	long	!0	not stripped
#
0	string	\243\206\001\0	Linux-8086 object file
#
0	string	\01\03\020\20	Minix-386 impure executable
>28	long	!0	not stripped
0	string	\01\03\040\20	Minix-386 executable
>28	long	!0	not stripped
# core dump file, from Bill Reynolds <bill@goshawk.lanl.gov>
216	lelong	0421	Linux/i386 core file
>220	string	>\0	of '%s'
>200	lelong	>0	(signal %d)
#
# LILO boot/chain loaders, from Daniel Quinlan <quinlan@yggdrasil.com>
# this can be overridden by the DOS executable (COM) entry
2	string	LILO	Linux/i386 LILO boot/chain loader
#
# Debian Packages, from Peter Tobias <tobias@server.et-inf.fho-emden.de>
0	string	0.9
>8	byte	0x0a	old Debian Binary Package
>>3	byte	>0	\b, created by dpkg 0.9%c
>>4	byte	>0	pl%c
# PSF fonts, from H. Peter Anvin <hpa@yggdrasil.com>
0	leshort	0x0436	Linux/i386 PC Screen Font data,
>2	byte	0	256 characters, no directory,
>2	byte	1	512 characters, no directory,
>2	byte	2	256 characters, Unicode directory,
>2	byte	3	512 characters, Unicode directory,
>3	byte	>0	8x%d
# Linux swap file, from Daniel Quinlan <quinlan@yggdrasil.com>
4086	string	SWAP-SPACE	Linux/i386 swap file
# according to man page of mkswap (8) March 1999
4086	string	SWAPSPACE2	Linux/i386 swap file (new style)
# ECOFF magic for OSF/1 and Linux (only tested under Linux though)
#
#	from Erik Troan (ewt@redhat.com) examining od dumps, so this
#		could be wrong
#	updated by David Mosberger (davidm@azstarnet.com) based on
#	GNU BFD and MIPS info found below.
#
0	leshort	0x0183	ECOFF alpha
>24	leshort	0407	executable
>24	leshort	0410	pure
>24	leshort	0413	demand paged
>8	long	>0	not stripped
>8	long	0	stripped
>23	leshort	>0	- version %ld.
#
# Linux kernel boot images, from Albert Cahalan <acahalan@cs.uml.edu>
# and others such as Axel Kohlmeyer <akohlmey@rincewind.chemie.uni-ulm.de>
# and Nicolás Lichtmaier <nick@debian.org>
# All known start with: b8 c0 07 8e d8 b8 00 90 8e c0 b9 00 01 29 f6 29
514	string	HdrS	Linux kernel
>518	leshort	>0
>>529	byte	0	zImage data,
>>529	byte	1	bzImage data,
>0x048c	byte	0x31
>>0x048c	string	x	version %s
>0x0493	byte	0x31
>>0x0493	string	x	version %s
>0x048c	byte	0x32
>>0x048c	string	x	version %s
>0x0493	byte	0x32
>>0x0493	string	x	version %s
>0x04df	byte	0x32
>>0x04df	string	x	version %s
>0x04fb	byte	0x32
>>0x04fb	string	x	version %s
# This also matches new kernels, which were caught above by "HdrS".
0	belong	0xb8c0078e	Linux kernel
>0x1e3	string	Loading	version 1.3.79 or older
>0x1e9	string	Loading	from prehistoric times
# LSM entries - Nicolás Lichtmaier <nick@feedback.net.ar>
0	string	Begin3	Linux Software Map entry text

############################################################################
# Linux kernel versions

0	string	\xb8\xc0\x07\x8e\xd8\xb8\x00\x90	Linux
>497	leshort	0	x86 boot sector
>>514	belong	0x8e	of a kernel from the dawn of time!
>>514	belong	0x908ed8b4	version 0.99-1.1.42
>>514	belong	0x908ed8b8	for memtest86

>497	leshort	!0	x86 kernel
>>504	leshort	>0	RAMdisksize=%u KB
>>502	leshort	>0	swap=0x%X
>>508	leshort	>0	root=0x%X
>>>498	leshort	1	\b-ro
>>>498	leshort	0	\b-rw
>>506	leshort	0xFFFF	vga=normal
>>506	leshort	0xFFFE	vga=extended
>>506	leshort	0xFFFD	vga=ask
>>506	leshort	>0	vga=%d
>>514	belong	0x908ed881	version 1.1.43-1.1.45
>>514	belong	0x15b281cd
>>>0xa8e	belong	0x55AA5a5a	version 1.1.46-1.2.13,1.3.0
>>>0xa99	belong	0x55AA5a5a	version 1.3.1,2
>>>0xaa3	belong	0x55AA5a5a	version 1.3.3-1.3.30
>>>0xaa6	belong	0x55AA5a5a	version 1.3.31-1.3.41
>>>0xb2b	belong	0x55AA5a5a	version 1.3.42-1.3.45
>>>0xaf7	belong	0x55AA5a5a	version 1.3.46-1.3.72
>>514	string	HdrS
>>>518	leshort	>0x1FF
>>>>529	byte	0	\b, zImage
>>>>529	byte	1	\b, bzImage
>>>>(526.s+0x200)	string	>\0	\b, version %s

# Linux boot sector thefts.
0	belong	0xb8c0078e	Linux
>0x1e6	belong	0x454c4b53	ELKS Kernel
>0x1e6	belong	!0x454c4b53	style boot sector

############################################################################
# Linux 8086 executable
0	lelong&0xFF0000FF	0xC30000E9	Linux-Dev86 executable, headerless
>5	string	.
>>4	string	>\0	\b, libc version %s

0	lelong&0xFF00FFFF	0x4000301	Linux-8086 executable
>2	byte&0x01	!0	\b, unmapped zero page
>2	byte&0x20	0	\b, impure
>2	byte&0x20	!0
>>2	byte&0x10	!0	\b, A_EXEC
>2	byte&0x02	!0	\b, A_PAL
>2	byte&0x04	!0	\b, A_NSYM
>2	byte&0x08	!0	\b, A_STAND
>2	byte&0x40	!0	\b, A_PURE
>2	byte&0x80	!0	\b, A_TOVLY
>28	long	!0	\b, not stripped
>37	string	.
>>36	string	>\0	\b, libc version %s

# 0	lelong&0xFF00FFFF	0x10000301	ld86 I80386 executable
# 0	lelong&0xFF00FFFF	0xB000301	ld86 M68K executable
# 0	lelong&0xFF00FFFF	0xC000301	ld86 NS16K executable
# 0	lelong&0xFF00FFFF	0x17000301	ld86 SPARC executable
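
The HdrS branch of the "Linux kernel versions" rules, including the indirect offset (526.s+0x200), evaluated by hand in Python. This is an added example, not part of the magic file or of file(1); the function names, the sample header and the unsigned read of the indirect pointer are assumptions of the sketch.

```python
import struct

BOOT_PREFIX = b"\xb8\xc0\x07\x8e\xd8\xb8\x00\x90"   # level-0 rule: 0 string ...

def describe_x86_kernel(buf):
    """Evaluate the HdrS branch of the 'Linux kernel versions' rules.

    Returns the text the matching rules assemble, or None if the buffer is
    too short or the level-0 / '>497' test fails. Sibling rules (RAMdisksize,
    swap, root, vga and the pre-HdrS version probes) are left out.
    """
    if len(buf) < 530 or not buf.startswith(BOOT_PREFIX):
        return None
    if struct.unpack_from("<h", buf, 497)[0] == 0:        # >497 leshort !0
        return None
    out = "Linux x86 kernel"
    if buf[514:518] != b"HdrS":                           # >>514 string HdrS
        return out
    if struct.unpack_from("<h", buf, 518)[0] <= 0x1FF:    # >>>518 leshort >0x1FF
        return out
    if buf[529] == 0:                                     # >>>>529 byte 0
        out += ", zImage"
    elif buf[529] == 1:                                   # >>>>529 byte 1
        out += ", bzImage"
    # >>>>(526.s+0x200): read a little-endian short AT 526, add 0x200, and
    # test the string at the result. The pointer comes from the file, so it
    # is bounds-checked. Reading it unsigned is an assumption of this sketch.
    off = struct.unpack_from("<H", buf, 526)[0] + 0x200
    if off < len(buf) and buf[off] != 0:                  # string >\0
        end = buf.find(b"\0", off)
        end = len(buf) if end == -1 else end
        out += ", version " + buf[off:end].decode("ascii", "replace")
    return out

def build_sample(version=b"2.4.18-constructed", ptr=0x0400, flag=1):
    """Constructed 2 KiB header for the demo; not a real kernel image."""
    img = bytearray(0x800)
    img[0:8] = BOOT_PREFIX
    struct.pack_into("<H", img, 497, 4)        # any non-zero value
    img[514:518] = b"HdrS"
    struct.pack_into("<H", img, 518, 0x0204)   # passes the >0x1FF test
    struct.pack_into("<H", img, 526, ptr)      # pointer used by (526.s+0x200)
    img[529] = flag
    off = ptr + 0x200
    if off + len(version) < len(img):
        img[off:off + len(version)] = version
    return bytes(img)

if __name__ == "__main__":
    print(describe_x86_kernel(build_sample()))
    print(describe_x86_kernel(build_sample(ptr=0xFFFF)))
```

The second call shows a pointer that lands past the end of the buffer: the version rule does not match and the rest of the description is still returned.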