Cross Reference: /freebsd-10.2-release/contrib/file/magic/Magdir/linux

24139Sjoerg
89750Sdwmalone#------------------------------------------------------------------------------
24139Sjoerg# linux:  file(1) magic for Linux files
24139Sjoerg#
89750Sdwmalone# Values for Linux/i386 binaries, from Daniel Quinlan <quinlan@yggdrasil.com>
24139Sjoerg# The following basic Linux magic is useful for reference, but using
24139Sjoerg# "long" magic is a better practice in order to avoid collisions.
24139Sjoerg#
24139Sjoerg# 2	leshort		100		Linux/i386
24139Sjoerg# >0	leshort		0407		impure executable (OMAGIC)
24139Sjoerg# >0	leshort		0410		pure executable (NMAGIC)
24139Sjoerg# >0	leshort		0413		demand-paged executable (ZMAGIC)
24139Sjoerg# >0	leshort		0314		demand-paged executable (QMAGIC)
24139Sjoerg#
24139Sjoerg0	lelong		0x00640107	Linux/i386 impure executable (OMAGIC)
24139Sjoerg>16	lelong		0		\b, stripped
24139Sjoerg0	lelong		0x00640108	Linux/i386 pure executable (NMAGIC)
24139Sjoerg>16	lelong		0		\b, stripped
24139Sjoerg0	lelong		0x0064010b	Linux/i386 demand-paged executable (ZMAGIC)
24139Sjoerg>16	lelong		0		\b, stripped
24139Sjoerg0	lelong		0x006400cc	Linux/i386 demand-paged executable (QMAGIC)
24139Sjoerg>16	lelong		0		\b, stripped
24139Sjoerg#
24139Sjoerg0	string		\007\001\000	Linux/i386 object file
24139Sjoerg>20	lelong		>0x1020		\b, DLL library
24139Sjoerg# Linux-8086 stuff:
24139Sjoerg0	string		\01\03\020\04	Linux-8086 impure executable
24139Sjoerg>28	long		!0		not stripped
24139Sjoerg0	string		\01\03\040\04	Linux-8086 executable
24139Sjoerg>28	long		!0		not stripped
24139Sjoerg#
24139Sjoerg0	string		\243\206\001\0	Linux-8086 object file
24139Sjoerg#
24139Sjoerg0	string		\01\03\020\20	Minix-386 impure executable
24139Sjoerg>28	long		!0		not stripped
24139Sjoerg0	string		\01\03\040\20	Minix-386 executable
24139Sjoerg>28	long		!0		not stripped
24139Sjoerg# core dump file, from Bill Reynolds <bill@goshawk.lanl.gov>
24139Sjoerg216	lelong		0421		Linux/i386 core file
24139Sjoerg>220	string		>\0		of '%s'
24139Sjoerg>200	lelong		>0		(signal %d)
24139Sjoerg#
24139Sjoerg# LILO boot/chain loaders, from Daniel Quinlan <quinlan@yggdrasil.com>
24139Sjoerg# this can be overridden by the DOS executable (COM) entry
24139Sjoerg2	string		LILO		Linux/i386 LILO boot/chain loader
24139Sjoerg#
24139Sjoerg# PSF fonts, from H. Peter Anvin <hpa@yggdrasil.com>
24139Sjoerg0	leshort		0x0436		Linux/i386 PC Screen Font data,
24139Sjoerg>2	byte		0		256 characters, no directory,
24139Sjoerg>2	byte		1		512 characters, no directory,
24139Sjoerg>2	byte		2		256 characters, Unicode directory,
24139Sjoerg>2	byte		3		512 characters, Unicode directory,
24139Sjoerg>3	byte		>0		8x%d
24139Sjoerg# Linux swap file, from Daniel Quinlan <quinlan@yggdrasil.com>
24139Sjoerg4086	string		SWAP-SPACE	Linux/i386 swap file
24139Sjoerg# From: Jeff Bailey <jbailey@ubuntu.com>
24139Sjoerg# Linux swap file with swsusp1 image, from Jeff Bailey <jbailey@ubuntu.com>
24139Sjoerg4076	string		SWAPSPACE2S1SUSPEND	Linux/i386 swap file (new style) with SWSUSP1 image
24139Sjoerg# according to man page of mkswap (8) March 1999
24139Sjoerg4086	string		SWAPSPACE2	Linux/i386 swap file (new style)
24139Sjoerg>0x400	long		x		%d (4K pages)
24139Sjoerg>0x404	long		x		size %d pages
24139Sjoerg>>4086	string		SWAPSPACE2
24139Sjoerg>>>1052	string		>\0		Label %s
24139Sjoerg# ECOFF magic for OSF/1 and Linux (only tested under Linux though)
24139Sjoerg#
24139Sjoerg#	from Erik Troan (ewt@redhat.com) examining od dumps, so this
24139Sjoerg#		could be wrong
24139Sjoerg#      updated by David Mosberger (davidm@azstarnet.com) based on
24139Sjoerg#      GNU BFD and MIPS info found below.
24139Sjoerg#
24139Sjoerg0	leshort		0x0183		ECOFF alpha
24139Sjoerg>24	leshort		0407		executable
24139Sjoerg>24	leshort		0410		pure
24139Sjoerg>24	leshort		0413		demand paged
24139Sjoerg>8	long		>0		not stripped
24139Sjoerg>8	long		0		stripped
24139Sjoerg>23	leshort		>0		- version %ld.
24139Sjoerg#
24139Sjoerg# Linux kernel boot images, from Albert Cahalan <acahalan@cs.uml.edu>
24139Sjoerg# and others such as Axel Kohlmeyer <akohlmey@rincewind.chemie.uni-ulm.de>
24139Sjoerg# and Nicol�s Lichtmaier <nick@debian.org>
24139Sjoerg# All known start with: b8 c0 07 8e d8 b8 00 90 8e c0 b9 00 01 29 f6 29
24139Sjoerg# Linux kernel boot images (i386 arch) (Wolfram Kleff)
24139Sjoerg514	string		HdrS		Linux kernel
24139Sjoerg>510	leshort		0xAA55		x86 boot executable
24139Sjoerg>>518	leshort		>=0x200
24139Sjoerg>>529	byte		0		zImage,
24139Sjoerg>>>529	byte		1		bzImage,
24139Sjoerg>>>(526.s+0x200) string	>\0		version %s,
24139Sjoerg>>498	leshort		1		RO-rootFS,
24139Sjoerg>>498	leshort		0		RW-rootFS,
24139Sjoerg>>508	leshort		>0		root_dev 0x%X,
24139Sjoerg>>502	leshort		>0		swap_dev 0x%X,
24139Sjoerg>>504	leshort		>0		RAMdisksize %u KB,
24139Sjoerg>>506	leshort		0xFFFF		Normal VGA
24139Sjoerg>>506	leshort		0xFFFE		Extended VGA
24139Sjoerg>>506	leshort		0xFFFD		Prompt for Videomode
24139Sjoerg>>506	leshort		>0		Video mode %d
89750Sdwmalone# This also matches new kernels, which were caught above by "HdrS".
89750Sdwmalone0		belong	0xb8c0078e	Linux kernel
24139Sjoerg>0x1e3		string	Loading		version 1.3.79 or older
89750Sdwmalone>0x1e9		string	Loading		from prehistoric times
24139Sjoerg
24139Sjoerg# System.map files - Nicol�s Lichtmaier <nick@debian.org>
24139Sjoerg8	string	\ A\ _text	Linux kernel symbol map text
24139Sjoerg
24139Sjoerg# LSM entries - Nicol�s Lichtmaier <nick@debian.org>
24139Sjoerg0	string	Begin3	Linux Software Map entry text
24139Sjoerg0	string	Begin4	Linux Software Map entry text (new format)
24139Sjoerg
24139Sjoerg# From Matt Zimmerman
24139Sjoerg0       belong  0x4f4f4f4d      User-mode Linux COW file
24139Sjoerg>4      belong  x               \b, version %d
24139Sjoerg>8      string  >\0             \b, backing file %s
24139Sjoerg
24139Sjoerg############################################################################
24139Sjoerg# Linux kernel versions
24139Sjoerg
24139Sjoerg0		string		\xb8\xc0\x07\x8e\xd8\xb8\x00\x90	Linux
24139Sjoerg>497		leshort		0		x86 boot sector
24139Sjoerg>>514		belong		0x8e	of a kernel from the dawn of time!
24139Sjoerg>>514		belong		0x908ed8b4	version 0.99-1.1.42
24139Sjoerg>>514		belong		0x908ed8b8	for memtest86
24139Sjoerg
24139Sjoerg>497		leshort		!0		x86 kernel
24139Sjoerg>>504		leshort		>0		RAMdisksize=%u KB
24139Sjoerg>>502		leshort		>0		swap=0x%X
24139Sjoerg>>508		leshort		>0		root=0x%X
24139Sjoerg>>>498		leshort		1		\b-ro
24139Sjoerg>>>498		leshort		0		\b-rw
24139Sjoerg>>506		leshort		0xFFFF		vga=normal
24139Sjoerg>>506		leshort		0xFFFE		vga=extended
24139Sjoerg>>506		leshort		0xFFFD		vga=ask
24139Sjoerg>>506		leshort		>0		vga=%d
24139Sjoerg>>514		belong		0x908ed881	version 1.1.43-1.1.45
24139Sjoerg>>514		belong		0x15b281cd
24139Sjoerg>>>0xa8e	belong		0x55AA5a5a	version 1.1.46-1.2.13,1.3.0
24139Sjoerg>>>0xa99	belong		0x55AA5a5a	version 1.3.1,2
24139Sjoerg>>>0xaa3	belong		0x55AA5a5a	version 1.3.3-1.3.30
24139Sjoerg>>>0xaa6	belong		0x55AA5a5a	version 1.3.31-1.3.41
24139Sjoerg>>>0xb2b	belong		0x55AA5a5a	version 1.3.42-1.3.45
24139Sjoerg>>>0xaf7	belong		0x55AA5a5a	version 1.3.46-1.3.72
24139Sjoerg>>514		string		HdrS
24139Sjoerg>>>518		leshort		>0x1FF
24139Sjoerg>>>>529		byte		0		\b, zImage
24139Sjoerg>>>>529		byte		1		\b, bzImage
24139Sjoerg>>>>(526.s+0x200) string 	>\0		\b, version %s
24139Sjoerg
24139Sjoerg# Linux boot sector thefts.
24139Sjoerg0		belong		0xb8c0078e	Linux
24139Sjoerg>0x1e6		belong		0x454c4b53	ELKS Kernel
24139Sjoerg>0x1e6		belong		!0x454c4b53	style boot sector
24139Sjoerg
24139Sjoerg############################################################################
24139Sjoerg# Linux 8086 executable
24139Sjoerg0	lelong&0xFF0000FF 0xC30000E9	Linux-Dev86 executable, headerless
24139Sjoerg>5	string		.
24139Sjoerg>>4	string		>\0		\b, libc version %s
24139Sjoerg
24139Sjoerg0	lelong&0xFF00FFFF 0x4000301	Linux-8086 executable
24139Sjoerg>2	byte&0x01	!0		\b, unmapped zero page
24139Sjoerg>2	byte&0x20	0		\b, impure
24139Sjoerg>2	byte&0x20	!0
24139Sjoerg>>2	byte&0x10	!0		\b, A_EXEC
24139Sjoerg>2	byte&0x02	!0		\b, A_PAL
>2	byte&0x04	!0		\b, A_NSYM
>2	byte&0x08	!0		\b, A_STAND
>2	byte&0x40	!0		\b, A_PURE
>2	byte&0x80	!0		\b, A_TOVLY
>28     long            !0              \b, not stripped
>37	string		.
>>36	string		>\0		\b, libc version %s

# 0	lelong&0xFF00FFFF 0x10000301	ld86 I80386 executable
# 0	lelong&0xFF00FFFF 0xB000301	ld86 M68K executable
# 0	lelong&0xFF00FFFF 0xC000301	ld86 NS16K executable
# 0	lelong&0xFF00FFFF 0x17000301	ld86 SPARC executable

# SYSLINUX boot logo files (from 'ppmtolss16' sources)
# http://syslinux.zytor.com/
#
0	lelong	=0x1413f33d		SYSLINUX' LSS16 image data
>4	leshort	x			\b, width %d
>6	leshort	x			\b, height %d

0	string	OOOM			User-Mode-Linux's Copy-On-Write disk image
>4	belong	x			version %d

# SE Linux policy database
# From: Mike Frysinger <vapier@gentoo.org>
0	lelong	0xf97cff8c		SE Linux policy
>16	lelong	x			v%d
>20	lelong	1			MLS
>24	lelong	x			%d symbols
>28	lelong	x			%d ocons

# Linux Logical Volume Manager (LVM)
# Emmanuel VARAGNAT <emmanuel.varagnat@guzu.net>
#
# System ID, UUID and volume group name are 128 bytes long
# but they should never be full and initialized with zeros...
#
# LVM1
#
0x0	string	HM\001		LVM1 (Linux Logical Volume Manager), version 1
>0x12c	string	>\0		, System ID: %s

0x0	string	HM\002		LVM1 (Linux Logical Volume Manager), version 2
>0x12c	string	>\0		, System ID: %s

#  LVM2
#
# It seems that the label header can be in one the four first sector
# of the disk... (from _find_labeller in lib/label/label.c of LVM2)
#
# 0x200 seems to be the common case

0x218		 string	LVM2\ 001	LVM2 (Linux Logical Volume Manager)
# read the offset to add to the start of the header, and the header
# start in 0x200
>(0x214.l+0x200) string	>\0		, UUID: %s

0x018		 string	LVM2\ 001	LVM2 (Linux Logical Volume Manager)
>(0x014.l)	 string	>\0		, UUID: %s

0x418		 string	LVM2\ 001	LVM2 (Linux Logical Volume Manager)
>(0x414.l+0x400) string	>\0		, UUID: %s

0x618		 string	LVM2\ 001	LVM2 (Linux Logical Volume Manager)
>(0x614.l+0x600) string	>\0		, UUID: %s