linux revision 186675 
1
2#------------------------------------------------------------------------------
3# linux:  file(1) magic for Linux files
4#
5# Values for Linux/i386 binaries, from Daniel Quinlan <quinlan@yggdrasil.com>
6# The following basic Linux magic is useful for reference, but using
7# "long" magic is a better practice in order to avoid collisions.
8#
9# 2	leshort		100		Linux/i386
10# >0	leshort		0407		impure executable (OMAGIC)
11# >0	leshort		0410		pure executable (NMAGIC)
12# >0	leshort		0413		demand-paged executable (ZMAGIC)
13# >0	leshort		0314		demand-paged executable (QMAGIC)
14#
150	lelong		0x00640107	Linux/i386 impure executable (OMAGIC)
16>16	lelong		0		\b, stripped
170	lelong		0x00640108	Linux/i386 pure executable (NMAGIC)
18>16	lelong		0		\b, stripped
190	lelong		0x0064010b	Linux/i386 demand-paged executable (ZMAGIC)
20>16	lelong		0		\b, stripped
210	lelong		0x006400cc	Linux/i386 demand-paged executable (QMAGIC)
22>16	lelong		0		\b, stripped
23#
240	string		\007\001\000	Linux/i386 object file
25>20	lelong		>0x1020		\b, DLL library
26# Linux-8086 stuff:
270	string		\01\03\020\04	Linux-8086 impure executable
28>28	long		!0		not stripped
290	string		\01\03\040\04	Linux-8086 executable
30>28	long		!0		not stripped
31#
320	string		\243\206\001\0	Linux-8086 object file
33#
340	string		\01\03\020\20	Minix-386 impure executable
35>28	long		!0		not stripped
360	string		\01\03\040\20	Minix-386 executable
37>28	long		!0		not stripped
38# core dump file, from Bill Reynolds <bill@goshawk.lanl.gov>
39216	lelong		0421		Linux/i386 core file
40>220	string		>\0		of '%s'
41>200	lelong		>0		(signal %d)
42#
43# LILO boot/chain loaders, from Daniel Quinlan <quinlan@yggdrasil.com>
44# this can be overridden by the DOS executable (COM) entry
452	string		LILO		Linux/i386 LILO boot/chain loader
46#
47# PSF fonts, from H. Peter Anvin <hpa@yggdrasil.com>
480	leshort		0x0436		Linux/i386 PC Screen Font data,
49>2	byte		0		256 characters, no directory,
50>2	byte		1		512 characters, no directory,
51>2	byte		2		256 characters, Unicode directory,
52>2	byte		3		512 characters, Unicode directory,
53>3	byte		>0		8x%d
54# Linux swap file, from Daniel Quinlan <quinlan@yggdrasil.com>
554086	string		SWAP-SPACE	Linux/i386 swap file
56# From: Jeff Bailey <jbailey@ubuntu.com>
57# Linux swap file with swsusp1 image, from Jeff Bailey <jbailey@ubuntu.com>
584076	string		SWAPSPACE2S1SUSPEND	Linux/i386 swap file (new style) with SWSUSP1 image
59# according to man page of mkswap (8) March 1999
604086	string		SWAPSPACE2	Linux/i386 swap file (new style)
61>0x400	long		x		%d (4K pages)
62>0x404	long		x		size %d pages
63>>4086	string		SWAPSPACE2	
64>>>1052	string		>\0		Label %s
65# ECOFF magic for OSF/1 and Linux (only tested under Linux though)
66#
67#	from Erik Troan (ewt@redhat.com) examining od dumps, so this
68#		could be wrong
69#      updated by David Mosberger (davidm@azstarnet.com) based on
70#      GNU BFD and MIPS info found below.
71#
720	leshort		0x0183		ECOFF alpha
73>24	leshort		0407		executable
74>24	leshort		0410		pure
75>24	leshort		0413		demand paged
76>8	long		>0		not stripped
77>8	long		0		stripped
78>23	leshort		>0		- version %ld.
79#
80# Linux kernel boot images, from Albert Cahalan <acahalan@cs.uml.edu>
81# and others such as Axel Kohlmeyer <akohlmey@rincewind.chemie.uni-ulm.de>
82# and Nicol�s Lichtmaier <nick@debian.org>
83# All known start with: b8 c0 07 8e d8 b8 00 90 8e c0 b9 00 01 29 f6 29
84# Linux kernel boot images (i386 arch) (Wolfram Kleff)
85514	string		HdrS		Linux kernel
86>510	leshort		0xAA55		x86 boot executable
87>>518	leshort		>=0x200
88>>529	byte		0		zImage,
89>>>529	byte		1		bzImage,
90>>>(526.s+0x200) string	>\0		version %s,
91>>498	leshort		1		RO-rootFS,
92>>498	leshort		0		RW-rootFS,
93>>508	leshort		>0		root_dev 0x%X,
94>>502	leshort		>0		swap_dev 0x%X,
95>>504	leshort		>0		RAMdisksize %u KB,
96>>506	leshort		0xFFFF		Normal VGA
97>>506	leshort		0xFFFE		Extended VGA
98>>506	leshort		0xFFFD		Prompt for Videomode
99>>506	leshort		>0		Video mode %d
100# This also matches new kernels, which were caught above by "HdrS".
1010		belong	0xb8c0078e	Linux kernel
102>0x1e3		string	Loading		version 1.3.79 or older
103>0x1e9		string	Loading		from prehistoric times
104
105# System.map files - Nicol�s Lichtmaier <nick@debian.org>
1068	string	\ A\ _text	Linux kernel symbol map text
107
108# LSM entries - Nicol�s Lichtmaier <nick@debian.org>
1090	string	Begin3	Linux Software Map entry text
1100	string	Begin4	Linux Software Map entry text (new format)
111
112# From Matt Zimmerman
1130       belong  0x4f4f4f4d      User-mode Linux COW file
114>4      belong  x               \b, version %d
115>8      string  >\0             \b, backing file %s
116
117############################################################################
118# Linux kernel versions
119
1200		string		\xb8\xc0\x07\x8e\xd8\xb8\x00\x90	Linux
121>497		leshort		0		x86 boot sector
122>>514		belong		0x8e	of a kernel from the dawn of time!
123>>514		belong		0x908ed8b4	version 0.99-1.1.42
124>>514		belong		0x908ed8b8	for memtest86
125
126>497		leshort		!0		x86 kernel
127>>504		leshort		>0		RAMdisksize=%u KB
128>>502		leshort		>0		swap=0x%X
129>>508		leshort		>0		root=0x%X
130>>>498		leshort		1		\b-ro
131>>>498		leshort		0		\b-rw
132>>506		leshort		0xFFFF		vga=normal
133>>506		leshort		0xFFFE		vga=extended
134>>506		leshort		0xFFFD		vga=ask
135>>506		leshort		>0		vga=%d
136>>514		belong		0x908ed881	version 1.1.43-1.1.45
137>>514		belong		0x15b281cd
138>>>0xa8e	belong		0x55AA5a5a	version 1.1.46-1.2.13,1.3.0
139>>>0xa99	belong		0x55AA5a5a	version 1.3.1,2
140>>>0xaa3	belong		0x55AA5a5a	version 1.3.3-1.3.30
141>>>0xaa6	belong		0x55AA5a5a	version 1.3.31-1.3.41
142>>>0xb2b	belong		0x55AA5a5a	version 1.3.42-1.3.45
143>>>0xaf7	belong		0x55AA5a5a	version 1.3.46-1.3.72
144>>514		string		HdrS
145>>>518		leshort		>0x1FF
146>>>>529		byte		0		\b, zImage
147>>>>529		byte		1		\b, bzImage
148>>>>(526.s+0x200) string 	>\0		\b, version %s
149
150# Linux boot sector thefts.
1510		belong		0xb8c0078e	Linux
152>0x1e6		belong		0x454c4b53	ELKS Kernel
153>0x1e6		belong		!0x454c4b53	style boot sector
154
155############################################################################
156# Linux 8086 executable
1570	lelong&0xFF0000FF 0xC30000E9	Linux-Dev86 executable, headerless
158>5	string		.		
159>>4	string		>\0		\b, libc version %s
160
1610	lelong&0xFF00FFFF 0x4000301	Linux-8086 executable
162>2	byte&0x01	!0		\b, unmapped zero page
163>2	byte&0x20	0		\b, impure
164>2	byte&0x20	!0
165>>2	byte&0x10	!0		\b, A_EXEC
166>2	byte&0x02	!0		\b, A_PAL
167>2	byte&0x04	!0		\b, A_NSYM
168>2	byte&0x08	!0		\b, A_STAND
169>2	byte&0x40	!0		\b, A_PURE
170>2	byte&0x80	!0		\b, A_TOVLY
171>28     long            !0              \b, not stripped
172>37	string		.		
173>>36	string		>\0		\b, libc version %s
174
175# 0	lelong&0xFF00FFFF 0x10000301	ld86 I80386 executable
176# 0	lelong&0xFF00FFFF 0xB000301	ld86 M68K executable
177# 0	lelong&0xFF00FFFF 0xC000301	ld86 NS16K executable
178# 0	lelong&0xFF00FFFF 0x17000301	ld86 SPARC executable
179
180# SYSLINUX boot logo files (from 'ppmtolss16' sources)
181# http://syslinux.zytor.com/
182#
1830	lelong	=0x1413f33d		SYSLINUX' LSS16 image data
184>4	leshort	x			\b, width %d
185>6	leshort	x			\b, height %d
186
1870	string	OOOM			User-Mode-Linux's Copy-On-Write disk image
188>4	belong	x			version %d
189
190# SE Linux policy database
191# From: Mike Frysinger <vapier@gentoo.org>
1920	lelong	0xf97cff8c		SE Linux policy
193>16	lelong	x			v%d
194>20	lelong	1			MLS
195>24	lelong	x			%d symbols
196>28	lelong	x			%d ocons
197
198# Linux Logical Volume Manager (LVM) 
199# Emmanuel VARAGNAT <emmanuel.varagnat@guzu.net>
200#
201# System ID, UUID and volume group name are 128 bytes long
202# but they should never be full and initialized with zeros...
203#
204# LVM1
205#
2060x0	string	HM\001		LVM1 (Linux Logical Volume Manager), version 1
207>0x12c	string	>\0		, System ID: %s
208
2090x0	string	HM\002		LVM1 (Linux Logical Volume Manager), version 2
210>0x12c	string	>\0		, System ID: %s
211
212#  LVM2
213#
214# It seems that the label header can be in one the four first sector
215# of the disk... (from _find_labeller in lib/label/label.c of LVM2)
216#
217# 0x200 seems to be the common case
218
2190x218		 string	LVM2\ 001	LVM2 (Linux Logical Volume Manager)
220# read the offset to add to the start of the header, and the header
221# start in 0x200
222>(0x214.l+0x200) string	>\0		, UUID: %s
223
2240x018		 string	LVM2\ 001	LVM2 (Linux Logical Volume Manager)
225>(0x014.l)	 string	>\0		, UUID: %s
226
2270x418		 string	LVM2\ 001	LVM2 (Linux Logical Volume Manager)
228>(0x414.l+0x400) string	>\0		, UUID: %s
229
2300x618		 string	LVM2\ 001	LVM2 (Linux Logical Volume Manager)
231>(0x614.l+0x600) string	>\0		, UUID: %s
232
233# SE Linux policy database
2340	lelong	0xf97cff8c		SE Linux policy
235>16	lelong	x			v%d
236>20	lelong	1			MLS
237>24	lelong	x			%d symbols
238>28	lelong	x			%d ocons
239
240# LUKS: Linux Unified Key Setup, On-Disk Format, http://luks.endorphin.org/spec
241# Anthon van der Neut (anthon@mnt.org)
2420	string	LUKS\xba\xbe	LUKS encrypted file,
243>6	beshort x		ver %d
244>8	string	x		[%s,
245>40	string	x		%s,
246>72	string	x		%s]
247>168	string	x		UUID: %s
248
249