#------------------------------------------------------------------------------ # msdos: file(1) magic for MS-DOS files # # .BAT files (Daniel Quinlan, quinlan@yggdrasil.com) 0 string @echo\ off MS-DOS batch file text # XXX - according to Microsoft's spec, at an offset of 0x3c in a # PE-format executable is the offset in the file of the PE header; # unfortunately, that's a little-endian offset, and there's no way # to specify an indirect offset with a specified byte order. # So, for now, we assume the standard MS-DOS stub, which puts the # PE header at 0x80 = 128. # # Required OS version and subsystem version were 4.0 on some NT 3.51 # executables built with Visual C++ 4.0, so it's not clear that # they're interesting. The user version was 0.0, but there's # probably some linker directive to set it. The linker version was # 3.0, except for one ".exe" which had it as 4.20 (same damn linker!). # 128 string PE\0\0 MS Windows PE >150 leshort&0x0100 >0 32-bit >132 leshort 0x0 unknown processor >132 leshort 0x14c Intel 80386 >132 leshort 0x166 MIPS R4000 >132 leshort 0x184 Alpha >132 leshort 0x268 Motorola 68000 >132 leshort 0x1f0 PowerPC >132 leshort 0x290 PA-RISC >148 leshort >27 >>220 leshort 0 unknown subsystem >>220 leshort 1 native >>220 leshort 2 GUI >>220 leshort 3 console >>220 leshort 7 POSIX >150 leshort&0x2000 =0 executable #>>136 ledate x stamp %s, >>150 leshort&0x0001 >0 not relocatable #>>150 leshort&0x0004 =0 with line numbers, #>>150 leshort&0x0008 =0 with local symbols, #>>150 leshort&0x0200 =0 with debug symbols, >>150 leshort&0x1000 >0 system file #>>148 leshort >0 #>>>154 byte x linker %d #>>>155 byte x \b.%d, #>>148 leshort >27 #>>>192 leshort x requires OS %d #>>>194 leshort x \b.%d, #>>>196 leshort x user version %d #>>>198 leshort x \b.%d, #>>>200 leshort x subsystem version %d #>>>202 leshort x \b.%d, >150 leshort&0x2000 >0 DLL #>>136 ledate x stamp %s, >>150 leshort&0x0001 >0 not relocatable #>>150 leshort&0x0004 =0 with line numbers, #>>150 leshort&0x0008 =0 with local symbols, #>>150 leshort&0x0200 =0 with debug symbols, >>150 leshort&0x1000 >0 system file #>>148 leshort >0 #>>>154 byte x linker %d #>>>155 byte x \b.%d, #>>148 leshort >27 #>>>192 leshort x requires OS %d #>>>194 leshort x \b.%d, #>>>196 leshort x user version %d #>>>198 leshort x \b.%d, #>>>200 leshort x subsystem version %d #>>>202 leshort x \b.%d, 0 leshort 0x14c MS Windows COFF Intel 80386 object file #>4 ledate x stamp %s 0 leshort 0x166 MS Windows COFF MIPS R4000 object file #>4 ledate x stamp %s 0 leshort 0x184 MS Windows COFF Alpha object file #>4 ledate x stamp %s 0 leshort 0x268 MS Windows COFF Motorola 68000 object file #>4 ledate x stamp %s 0 leshort 0x1f0 MS Windows COFF PowerPC object file #>4 ledate x stamp %s 0 leshort 0x290 MS Windows COFF PA-RISC object file #>4 ledate x stamp %s # .EXE formats (Greg Roelofs, newt@uchicago.edu) # 0 string MZ MS-DOS executable (EXE) >24 string @ \b, OS/2 or MS Windows >1638 string -lh5- \b, LHa SFX archive v2.13S >7195 string Rar! \b, RAR self-extracting archive # # [GRR 950118: file 3.15 has a buffer-size limitation; offsets bigger than # 8161 bytes are ignored. To make the following entries work, increase # HOWMANY in file.h to 32K at least, and maybe to 70K or more for OS/2, # NT/Win32 and VMS.] # [GRR: some company sells a self-extractor/displayer for image data(!)] # >11696 string PK\003\004 \b, PKZIP SFX archive v1.1 >13297 string PK\003\004 \b, PKZIP SFX archive v1.93a >15588 string PK\003\004 \b, PKZIP2 SFX archive v1.09 >15770 string PK\003\004 \b, PKZIP SFX archive v2.04g >28374 string PK\003\004 \b, PKZIP2 SFX archive v1.02 # # Info-ZIP self-extractors # these are the DOS versions: >25115 string PK\003\004 \b, Info-ZIP SFX archive v5.12 >26331 string PK\003\004 \b, Info-ZIP SFX archive v5.12 w/decryption # these are the OS/2 versions (OS/2 is flagged above): >47031 string PK\003\004 \b, Info-ZIP SFX archive v5.12 >49845 string PK\003\004 \b, Info-ZIP SFX archive v5.12 w/decryption # this is the NT/Win32 version: >69120 string PK\003\004 \b, Info-ZIP NT SFX archive v5.12 w/decryption # # TELVOX Teleinformatica CODEC self-extractor for OS/2: >49801 string \x79\xff\x80\xff\x76\xff \b, CODEC archive v3.21 >>49824 leshort =1 \b, 1 file >>49824 leshort >1 \b, %u files # .COM formats (Daniel Quinlan, quinlan@yggdrasil.com) # Uncommenting only the first two lines will cover about 2/3 of COM files, # but it isn't feasible to match all COM files since there must be at least # two dozen different one-byte "magics". #0 byte 0xe9 MS-DOS executable (COM) #0 byte 0x8c MS-DOS executable (COM) # 0xeb conflicts with "sequent" magic #0 byte 0xeb MS-DOS executable (COM) #0 byte 0xb8 MS-DOS executable (COM) # miscellaneous formats 0 string LZ MS-DOS executable (built-in) #0 byte 0xf0 MS-DOS program library data # # # Windows NT Registry files. # 0 string regf Windows NT Registry file # Popular applications 2080 string Microsoft\ Word\ 6.0\ Document %s 2080 string Documento\ Microsoft\ Word\ 6 Spanish Microsoft Word 6 document data # Pawel Wiecek (for polish Word) 2112 string MSWordDoc Microsoft Word document data # 0 belong 0x31be0000 Microsoft Word Document # 0 string PO^Q` Microsoft Word 6.0 Document # 2080 string Microsoft\ Excel\ 5.0\ Worksheet %s # # Pawel Wiecek (for polish Excel) 2114 string Biff5 Microsoft Excel 5.0 Worksheet # 0 belong 0x00001a00 Lotus 1-2-3 >4 belong 0x00100400 wk3 document data >4 belong 0x02100400 wk4 document data >4 belong 0x07800100 fm3 or fmb document data >4 belong 0x07800000 fm3 or fmb document data # 0 belong 0x00000200 Lotus 1-2-3 >4 belong 0x06040600 wk1 document data >4 belong 0x06800200 fmt document data # WordPerfect documents - Trevor Johnson # 1 string WPC WordPerfect document