

  1. #------------------------------------------------------------------------------
  2. # $File: windows,v 1.22 2018/02/16 15:44:00 christos Exp $
  3. # windows: file(1) magic for Microsoft Windows
  4. #
  5. # This file is mainly reserved for files where programs
  6. # using them are run almost always on MS Windows 3.x or
  7. # above, or files used exclusively in Windows OS,
  8. # where there is no better category to allocate them to.
  9. # For example, even though WinZIP runs almost exclusively on Windows,
  10. # it is better to treat its files as "archive" instead.
  11. # For formats usable in DOS, such as the generic executable
  12. # format, please specify them in the "msdos" file.
  13. #
  14. # Summary: Outlook Express DBX file
  15. # Extension: .dbx
  16. # Created by: Christophe Monniez
  17. 0 string \xCF\xAD\x12\xFE MS Outlook Express DBX file
  18. >4 byte =0xC5 \b, message database
  19. >4 byte =0xC6 \b, folder database
  20. >4 byte =0xC7 \b, account information
  21. >4 byte =0x30 \b, offline database
  22. # Summary: Windows crash dump
  23. # Extension: .dmp
  24. # Created by: Andreas Schuster (http://computer.forensikblog.de/)
  25. # Reference (1): http://computer.forensikblog.de/en/2008/02/64bit_magic.html
  26. # Modified by (1): Abel Cheung (Avoid match with first 4 bytes only)
  27. 0 string PAGE
  28. >4 string DUMP MS Windows 32bit crash dump
  29. >>0x05c byte 0 \b, no PAE
  30. >>0x05c byte 1 \b, PAE
  31. >>0xf88 lelong 1 \b, full dump
  32. >>0xf88 lelong 2 \b, kernel dump
  33. >>0xf88 lelong 3 \b, small dump
  34. >>0x068 lelong x \b, %d pages
  35. >4 string DU64 MS Windows 64bit crash dump
  36. >>0xf98 lelong 1 \b, full dump
  37. >>0xf98 lelong 2 \b, kernel dump
  38. >>0xf98 lelong 3 \b, small dump
  39. >>0x090 lequad x \b, %lld pages
  40. # Summary: Vista Event Log
  41. # Extension: .evtx
  42. # Created by: Andreas Schuster (http://computer.forensikblog.de/)
  43. # Reference (1): http://computer.forensikblog.de/en/2007/05/some_magic.html
  44. 0 string ElfFile\0 MS Windows Vista Event Log
  45. >0x2a leshort x \b, %d chunks
  46. >>0x10 lelong x \b (no. %d in use)
  47. >0x18 lelong >1 \b, next record no. %d
  48. >0x18 lelong =1 \b, empty
  49. >0x78 lelong &1 \b, DIRTY
  50. >0x78 lelong &2 \b, FULL
  51. # Summary: Windows 3.1 group files
  52. # Extension: .grp
  53. # Created by: unknown
  54. 0 string \120\115\103\103 MS Windows 3.1 group files
  55. # Summary: Old format help files
  56. # URL: https://en.wikipedia.org/wiki/WinHelp
  57. # Reference: http://www.oocities.org/mwinterhoff/helpfile.htm
  58. # Update: Joerg Jenderek
  59. # Created by: Dirk Jagdmann <doj@cubic.org>
  60. #
  61. # check and then display version and date inside MS Windows HeLP file fragment
  62. 0 name help-ver-date
  63. # look for Magic of SYSTEMHEADER
  64. >0 leshort 0x036C
  65. # Major version 1 identifies the right file fragment
  66. >>4 leshort 1 Windows
  67. # print non empty string above to avoid error message
  68. # Warning: Current entry does not yet have a description for adding a MIME type
  69. !:mime application/winhelp
  70. !:ext hlp
  71. # version Minor of help file format is hint for windows version
  72. >>>2 leshort 0x0F 3.x
  73. >>>2 leshort 0x15 3.0
  74. >>>2 leshort 0x21 3.1
  75. >>>2 leshort 0x27 x.y
  76. >>>2 leshort 0x33 95
  77. >>>2 default x y.z
  78. >>>>2 leshort x 0x%x
  79. # to complete message string like "MS Windows 3.x help file"
  80. >>>2 leshort x help
  81. # GenDate often older than file creation date
  82. >>>6 ldate x \b, %s
  83. #
  84. # Magic for HeLP files
  85. 0 lelong 0x00035f3f
  86. # ./windows (version 5.25) labeled the entry as "MS Windows 3.x help file"
  87. # file header magic 0x293B at DirectoryStart+9
  88. >(4.l+9) uleshort 0x293B MS
  89. # look for @VERSION bmf.. like IBMAVW.ANN
  90. >>0xD4 string =\x62\x6D\x66\x01\x00 Windows help annotation
  91. !:mime application/x-winhelp
  92. !:ext ann
  93. >>0xD4 string !\x62\x6D\x66\x01\x00
  94. # "GID Help index" by TrID
  95. >>>(4.l+0x65) string =|Pete Windows help Global Index
  96. !:mime application/x-winhelp
  97. !:ext gid
  98. # HeLP Bookmark or
  99. # "Windows HELP File" by TrID
  100. >>>(4.l+0x65) string !|Pete
  101. # maybe there exists a cleaner way to detect HeLP fragments
  102. # brute-force search for Magic 0x036C with matching Major version, at most 7 iterations
  103. # discapp.hlp
  104. >>>>16 search/0x49AF/s \x6c\x03
  105. >>>>>&0 use help-ver-date
  106. >>>>>&4 leshort !1
  107. # putty.hlp
  108. >>>>>>&0 search/0x69AF/s \x6c\x03
  109. >>>>>>>&0 use help-ver-date
  110. >>>>>>>&4 leshort !1
  111. >>>>>>>>&0 search/0x49AF/s \x6c\x03
  112. >>>>>>>>>&0 use help-ver-date
  113. >>>>>>>>>&4 leshort !1
  114. >>>>>>>>>>&0 search/0x49AF/s \x6c\x03
  115. >>>>>>>>>>>&0 use help-ver-date
  116. >>>>>>>>>>>&4 leshort !1
  117. >>>>>>>>>>>>&0 search/0x49AF/s \x6c\x03
  118. >>>>>>>>>>>>>&0 use help-ver-date
  119. >>>>>>>>>>>>>&4 leshort !1
  120. >>>>>>>>>>>>>>&0 search/0x49AF/s \x6c\x03
  121. >>>>>>>>>>>>>>>&0 use help-ver-date
  122. >>>>>>>>>>>>>>>&4 leshort !1
  123. >>>>>>>>>>>>>>>>&0 search/0x49AF/s \x6c\x03
  124. # GCC.HLP is detected after 7 iterations
  125. >>>>>>>>>>>>>>>>>&0 use help-ver-date
  126. # this only happens for a bigger hlp file whose fragment is not found within the search iterations used above
  127. >>>>>>>>>>>>>>>>>&4 leshort !1 Windows y.z help
  128. !:mime application/winhelp
  129. !:ext hlp
  130. # repeat the search, otherwise the following default line does not work
  131. >>>>16 search/0x49AF/s \x6c\x03
  132. # remaining files should be HeLP Bookmark WinHlp32.BMK (XP 32-bit) or WinHlp32 (Windows 8.1 64-bit)
  133. >>>>16 default x Windows help Bookmark
  134. !:mime application/x-winhelp
  135. !:ext bmk
  136. ## FirstFreeBlock normally FFFFFFFFh 10h for *ANN
  137. ##>>8 lelong x \b, FirstFreeBlock 0x%8.8x
  138. # EntireFileSize
  139. >>12 lelong x \b, %d bytes
  140. ## ReservedSpace normally 042Fh AFh for *.ANN
  141. #>>(4.l) lelong x \b, ReservedSpace 0x%8.8x
  142. ## UsedSpace normally 0426h A6h for *.ANN
  143. #>>(4.l+4) lelong x \b, UsedSpace 0x%8.8x
  144. ## FileFlags normally 04...
  145. #>>(4.l+5) lelong x \b, FileFlags 0x%8.8x
  146. ## file header magic 0x293B
  147. #>>(4.l+9) uleshort x \b, file header magic 0x%4.4x
  148. ## file header Flags 0x0402
  149. #>>(4.l+11) uleshort x \b, file header Flags 0x%4.4x
  150. ## file header PageSize 0400h 80h for *.ANN
  151. #>>(4.l+13) uleshort x \b, PageSize 0x%4.4x
  152. ## Structure[16] z4
  153. #>>(4.l+15) string >\0 \b, Structure_"%-.16s"
  154. ## MustBeZero 0
  155. #>>(4.l+31) uleshort x \b, MustBeZero 0x%4.4x
  156. ## PageSplits
  157. #>>(4.l+33) uleshort x \b, PageSplits 0x%4.4x
  158. ## RootPage
  159. #>>(4.l+35) uleshort x \b, RootPage 0x%4.4x
  160. ## MustBeNegOne 0xffff
  161. #>>(4.l+37) uleshort x \b, MustBeNegOne 0x%4.4x
  162. ## TotalPages 1
  163. #>>(4.l+39) uleshort x \b, TotalPages 0x%4.4x
  164. ## NLevels 0x0001
  165. #>>(4.l+41) uleshort x \b, NLevels 0x%4.4x
  166. ## TotalBtreeEntries
  167. #>>(4.l+43) ulelong x \b, TotalBtreeEntries 0x%8.8x
  168. ## pages of the B+ tree
  169. #>>(4.l+47) ubequad x \b, PageStart 0x%16.16llx
  170. # start with colon or semicolon for comment line like Back2Life.cnt
  171. 0 regex \^(:|;)
  172. # look for first keyword Base
  173. >0 search/45 :Base
  174. >>&0 use cnt-name
  175. # the only solution is to search again from the beginning, because relative offsets change when use is called
  176. >0 search/45 :Base
  177. >0 default x
  178. # look for other keyword Title like in putty.cnt
  179. >>0 search/45 :Title
  180. >>>&0 use cnt-name
  181. #
  182. # display mime type and name of Windows help Content source
  183. 0 name cnt-name
  184. # skip space at beginning
  185. >0 string \040
  186. # name without extension and without a '>' character, or name with hlp extension
  187. >>1 regex/c \^([^\xd>]*|.*\.hlp) MS Windows help file Content, based "%s"
  188. !:mime text/plain
  189. !:apple ????TEXT
  190. !:ext cnt
  191. #
  192. # Windows creates a full text search index from the hlp file if the user clicks the "Find" tab and enables keyword indexing
  193. 0 string tfMR MS Windows help Full Text Search index
  194. !:mime application/x-winhelp-fts
  195. !:ext fts
  196. >16 string >\0 for "%s"
  197. # Summary: Hyper terminal
  198. # Extension: .ht
  199. # Created by: unknown
  200. 0 string HyperTerminal\040
  201. >15 string 1.0\ --\ HyperTerminal\ data\ file MS Windows HyperTerminal profile
  202. # http://ithreats.files.wordpress.com/2009/05/\040
  203. # lnk_the_windows_shortcut_file_format.pdf
  204. # Summary: Windows shortcut
  205. # Extension: .lnk
  206. # Created by: unknown
  207. # 'L' + GUID
  208. 0 string \114\0\0\0\001\024\002\0\0\0\0\0\300\0\0\0\0\0\0\106 MS Windows shortcut
  209. >20 lelong&1 1 \b, Item id list present
  210. >20 lelong&2 2 \b, Points to a file or directory
  211. >20 lelong&4 4 \b, Has Description string
  212. >20 lelong&8 8 \b, Has Relative path
  213. >20 lelong&16 16 \b, Has Working directory
  214. >20 lelong&32 32 \b, Has command line arguments
  215. >20 lelong&64 64 \b, Icon
  216. >>56 lelong x \b number=%d
  217. >24 lelong&1 1 \b, Read-Only
  218. >24 lelong&2 2 \b, Hidden
  219. >24 lelong&4 4 \b, System
  220. >24 lelong&8 8 \b, Volume Label
  221. >24 lelong&16 16 \b, Directory
  222. >24 lelong&32 32 \b, Archive
  223. >24 lelong&64 64 \b, Encrypted
  224. >24 lelong&128 128 \b, Normal
  225. >24 lelong&256 256 \b, Temporary
  226. >24 lelong&512 512 \b, Sparse
  227. >24 lelong&1024 1024 \b, Reparse point
  228. >24 lelong&2048 2048 \b, Compressed
  229. >24 lelong&4096 4096 \b, Offline
  230. >28 leqwdate x \b, ctime=%s
  231. >36 leqwdate x \b, mtime=%s
  232. >44 leqwdate x \b, atime=%s
  233. >52 lelong x \b, length=%u, window=
  234. >60 lelong&1 1 \bhide
  235. >60 lelong&2 2 \bnormal
  236. >60 lelong&4 4 \bshowminimized
  237. >60 lelong&8 8 \bshowmaximized
  238. >60 lelong&16 16 \bshownoactivate
  239. >60 lelong&32 32 \bminimize
  240. >60 lelong&64 64 \bshowminnoactive
  241. >60 lelong&128 128 \bshowna
  242. >60 lelong&256 256 \brestore
  243. >60 lelong&512 512 \bshowdefault
  244. #>20 lelong&1 0
  245. #>>20 lelong&2 2
  246. #>>>(72.l-64) pstring/h x \b [%s]
  247. #>20 lelong&1 1
  248. #>>20 lelong&2 2
  249. #>>>(72.s) leshort x
  250. #>>>&75 pstring/h x \b [%s]
  251. # Summary: Outlook Personal Folders
  252. # Created by: unknown
  253. 0 lelong 0x4E444221 Microsoft Outlook email folder
  254. >10 leshort 0x0e (<=2002)
  255. >10 leshort 0x17 (>=2003)
  256. # Summary: Windows help cache
  257. # Created by: unknown
  258. 0 string \164\146\115\122\012\000\000\000\001\000\000\000 MS Windows help cache
  259. # Summary: IE cache file
  260. # Created by: Christophe Monniez
  261. 0 string Client\ UrlCache\ MMF Internet Explorer cache file
  262. >20 string >\0 version %s
  263. # Summary: Registry files
  264. # Created by: unknown
  265. # Modified by (1): Joerg Jenderek
  266. 0 string regf MS Windows registry file, NT/2000 or above
  267. 0 string CREG MS Windows 95/98/ME registry file
  268. 0 string SHCC3 MS Windows 3.1 registry file
  269. # Summary: Windows Registry text
  270. # URL: https://en.wikipedia.org/wiki/Windows_Registry#.REG_files
  271. # Reference: http://fileformats.archiveteam.org/wiki/Windows_Registry
  272. # Submitted by: Abel Cheung <abelcheung@gmail.com>
  273. # Update: Joerg Jenderek
  274. # Windows 3-9X variant
  275. 0 string REGEDIT
  276. # skip ASCII text like "REGEDITor.txt" but match
  277. # L1WMAP.REG with only 1 CRNL or org.gnome.gnumeric.reg with 2 NL
  278. >7 search/3 \n Windows Registry text
  279. !:mime text/x-ms-regedit
  280. !:ext reg
  281. # Windows 9X variant
  282. >>0 string REGEDIT4 (Win95 or above)
  283. # Windows 2K ANSI variant
  284. 0 string Windows\ Registry\ Editor\
  285. >&0 string Version\ 5.00\r\n\r\n Windows Registry text (Win2K or above)
  286. !:mime text/x-ms-regedit
  287. !:ext reg
  288. # Windows 2K UTF-16 variant
  289. 2 lestring16 Windows\ Registry\ Editor\
  290. >0x32 lestring16 Version\ 5.00\r\n\r\n Windows Registry little-endian text (Win2K or above)
  291. # relative offset not working
  292. #>&0 lestring16 Version\ 5.00\r\n\r\n Windows Registry little-endian text (Win2K or above)
  293. !:mime text/x-ms-regedit
  294. !:ext reg
  295. # WINE variant
  296. # URL: https://en.wikipedia.org/wiki/Wine_(software)
  297. # Reference: https://www.winehq.org/pipermail/wine-cvs/2005-October/018763.html
  298. # Note: WINE uses a text based registry (system.reg, user.reg, userdef.reg)
  299. # instead of the binary hive structure used by Windows
  300. 0 string WINE\ REGISTRY\ Version\ WINE registry text
  301. # version 2
  302. >&0 string x \b, version %s
  303. !:mime text/x-wine-extension-reg
  304. !:ext reg
  305. # Windows *.INF *.INI files updated by Joerg Jenderek at Apr 2013, Feb 2018
  306. # empty line, comment line, or section line
  307. # PR/383: remove unicode BOM because it is not portable across regex impls
  308. #0 regex/s \\`(\\r\\n|;|[[])
  309. # empty line CRLF
  310. 0 ubeshort 0x0D0A
  311. >0 use ini-file
  312. # comment line
  313. 0 string ;
  314. >0 use ini-file
  315. # section line
  316. 0 string [
  317. >0 use ini-file
  318. # check and then display Windows INItialization configuration
  319. 0 name ini-file
  320. # look for left bracket in section line
  321. >0 search/8192 [
  322. # http://en.wikipedia.org/wiki/Autorun.inf
  323. # http://msdn.microsoft.com/en-us/library/windows/desktop/cc144200.aspx
  324. # space after right bracket
  325. # or AutoRun.Amd64 for 64 bit systems
  326. # or only NL separator
  327. >>&0 regex/c \^(autorun)
  328. # but sometimes total commander directory tree file "treeinfo.wc" with lines like
  329. # [AUTORUN]
  330. # [boot]
  331. >>>&0 string =]\r\n[ Total commander directory treeinfo.wc
  332. !:mime text/plain
  333. !:ext wc
  334. # From: Pal Tamas <folti@balabit.hu>
  335. # Autorun File
  336. >>>&0 string !]\r\n[ Microsoft Windows Autorun file
  337. !:mime application/x-setupscript
  338. !:ext inf
  339. # http://msdn.microsoft.com/en-us/library/windows/hardware/ff549520(v=vs.85).aspx
  340. # version strings ASCII coded case-independent for Windows setup information script file
  341. >>&0 regex/c \^(version|strings)] Windows setup INFormation
  342. !:mime application/x-setupscript
  343. #!:mime application/x-wine-extension-inf
  344. !:ext inf
  345. # NETCRC.INF OEMCPL.INF
  346. >>&0 regex/c \^(WinsockCRCList|OEMCPL)] Windows setup INFormation
  347. !:mime application/x-setupscript
  348. !:ext inf
  349. # http://www.winfaq.de/faq_html/Content/tip2500/onlinefaq.php?h=tip2653.htm
  350. # http://msdn.microsoft.com/en-us/library/windows/desktop/cc144102.aspx
  351. # .ShellClassInfo DeleteOnCopy LocalizedFileNames ASCII coded case-independent
  352. >>&0 regex/c \^(\.ShellClassInfo|DeleteOnCopy|LocalizedFileNames)] Windows desktop.ini
  353. !:mime application/x-wine-extension-ini
  354. #!:mime text/plain
  355. # http://support.microsoft.com/kb/84709/
  356. >>&0 regex/c \^(don't\ load)] Windows CONTROL.INI
  357. !:mime application/x-wine-extension-ini
  358. !:ext ini
  359. >>&0 regex/c \^(ndishlp\\$|protman\\$|NETBEUI\\$)] Windows PROTOCOL.INI
  360. !:mime application/x-wine-extension-ini
  361. !:ext ini
  362. # http://technet.microsoft.com/en-us/library/cc722567.aspx
  363. # http://www.winfaq.de/faq_html/Content/tip0000/onlinefaq.php?h=tip0137.htm
  364. >>&0 regex/c \^(windows|Compatibility|embedding)] Windows WIN.INI
  365. !:mime application/x-wine-extension-ini
  366. !:ext ini
  367. # http://en.wikipedia.org/wiki/SYSTEM.INI
  368. >>&0 regex/c \^(boot|386enh|drivers)] Windows SYSTEM.INI
  369. !:mime application/x-wine-extension-ini
  370. !:ext ini
  371. # http://www.mdgx.com/newtip6.htm
  372. >>&0 regex/c \^(SafeList)] Windows IOS.INI
  373. !:mime application/x-wine-extension-ini
  374. !:ext ini
  375. # http://en.wikipedia.org/wiki/NTLDR Windows Boot Loader information
  376. >>&0 regex/c \^(boot\x20loader)] Windows boot.ini
  377. !:mime application/x-wine-extension-ini
  378. !:ext ini
  379. # http://en.wikipedia.org/wiki/CONFIG.SYS
  380. >>&0 regex/c \^(menu)] MS-DOS CONFIG.SYS
  381. # @CONFIG.UI configuration file of previous DOS version saved by Caldera OPENDOS INSTALL.EXE
  382. # CONFIG.PSS saved version of file CONFIG.SYS created by %WINDIR%\SYSTEM\MSCONFIG.EXE
  383. # CONFIG.TSH renamed file CONFIG.SYS.BAT by %WINDIR%\SYSTEM\MSCONFIG.EXE
  384. # dos and w40 extensions are used in dual booting setups
  385. !:ext sys/dos/w40
  386. # http://support.microsoft.com/kb/118579/
  387. >>&0 regex/c \^(Paths)]\r\n MS-DOS MSDOS.SYS
  388. !:ext sys/dos
  389. # http://chmspec.nongnu.org/latest/INI.html#HHP
  390. >>&0 regex/c \^(options)]\r\n Microsoft HTML Help Project
  391. !:mime text/plain
  392. !:ext hhp
  393. # unknown keyword after opening bracket
  394. >>&0 default x
  395. #>>>&0 string/c x UNKNOWN [%s
  396. # look for left bracket of second section
  397. >>>&0 search/8192 [
  398. # version Strings FileIdentification
  399. >>>>&0 string/c version Windows setup INFormation
  400. !:mime application/x-setupscript
  401. !:ext inf
  402. # http://en.wikipedia.org/wiki/Initialization_file Windows Initialization File or other
  403. >>>>&0 default x
  404. >>>>>&0 ubyte x
  406. # letters, digits, underscore and white space followed by right bracket
  407. # terminated by CR implies a section line; this skips BOOTLOG.TXT DETLOG.TXT
  407. >>>>>>&-1 regex \^([A-Za-z0-9_\(\)\ ]+)\]\r Generic INItialization configuration [%-.40s
  408. # NETDEF.INF multiarc.ini
  409. #!:mime application/x-setupscript
  410. !:mime application/x-wine-extension-ini
  411. #!:mime text/plain
  412. !:ext ini/inf
  413. # UTF-16 BOM followed by CR~0D00 , comment~semicolon~3B00 , section~bracket~5B00
  414. 0 ubelong&0xFFff89FF =0xFFFE0900
  415. # look for left bracket in section line
  416. >2 search/8192 [
  417. # keyword without its 1st letter, which may be upper- or lower-case
  418. >>&3 lestring16 ersion] Windows setup INFormation
  419. !:mime application/x-setupscript
  420. !:ext inf
  421. >>&3 lestring16 trings] Windows setup INFormation
  422. !:mime application/x-setupscript
  423. !:ext inf
  424. >>&3 lestring16 ourceDisksNames] Windows setup INFormation
  425. !:mime application/x-setupscript
  426. !:ext inf
  427. # netnwcli.inf start with ;---[ NetNWCli.INX ]
  428. >>&3 default x
  429. # look for NL followed by left bracket
  430. >>>&0 search/8192 \x0A\x00\x5b
  431. >>>>&3 lestring16 ersion] Windows setup INFormation
  432. !:mime application/x-setupscript
  433. !:ext inf
  434. # Windows Precompiled INF files *.PNF added by Joerg Jenderek in Mar 2013, based on _PNF_HEADER in inf.h
  435. # http://read.pudn.com/downloads3/sourcecode/windows/248345/win2k/private/windows/setup/setupapi/inf.h__.htm
  436. # GRR: line below too general as it catches also PDP-11 UNIX/RT ldp
  437. 0 leshort&0xFeFe 0x0000
  438. !:strength -5
  439. # test that the unused bits in PNF_FLAGs are zero
  440. >4 ulelong&0xFCffFe00 0x00000000
  441. # only found 58h for Offset of WinDirPath immediately after _PNF_HEADER structure
  442. >>68 ulelong >0x57
  443. # test for zero high byte of InfValueBlockSize, followed by WinDirPath like
  444. # C:\WINDOWS (ASCII 0x433a5c.. , unicode 0x43003a005c..) or X:\MININT
  445. >>>(68.l-1) ubelong&0xffE0C519 =0x00400018 Windows Precompiled iNF
  446. !:mime application/x-pnf
  447. # currently only found Major Version=1 and Minor Version=1
  448. #>>>>0 uleshort =0x0101
  449. #>>>>>1 ubyte x \b, version %u
  450. #>>>>>0 ubyte x \b.%u
  451. >>>>0 uleshort !0x0101
  452. >>>>>1 ubyte x \b, version %u
  453. >>>>>0 ubyte x \b.%u
  454. # 1 ,2 (windows 98 SE)
  455. #>>>>2 uleshort =2 \b, InfStyle %u
  456. >>>>2 uleshort !2 \b, InfStyle %u
  457. # PNF_FLAG_IS_UNICODE 0x00000001
  458. # PNF_FLAG_HAS_STRINGS 0x00000002
  459. # PNF_FLAG_SRCPATH_IS_URL 0x00000004
  460. # PNF_FLAG_HAS_VOLATILE_DIRIDS 0x00000008
  461. # PNF_FLAG_INF_VERIFIED 0x00000010
  462. # PNF_FLAG_INF_DIGITALLY_SIGNED 0x00000020 (the rule below only reports this stored flag bit; no signature is verified)
  463. # ?? 0x00000100
  464. # ?? 0x01000000
  465. # ?? 0x02000000
  466. >>>>4 ulelong&0x00000001 0x00000001 \b, unicoded
  467. >>>>4 ulelong&0x00000020 0x00000020 \b, digitally signed
  468. #>>>>8 ulelong x \b, InfSubstValueListOffset 0x%x
  469. # many 0, 1 lmouusb.PNF, 2 linkfx10.PNF , f webfdr16.PNF
  470. #>>>>12 uleshort x \b, InfSubstValueCount 0x%x
  471. # only < 9 found
  472. #>>>>14 uleshort x \b, InfVersionDatumCount 0x%x
  473. # only found values lower 0x0000ffff
  474. #>>>>16 ulelong x \b, InfVersionDataSize 0x%x
  475. # only found positive values lower 0x00ffFFff for InfVersionDataOffset
  476. >>>>20 ulelong x \b, at 0x%x
  477. >>>>4 ulelong&0x00000001 =0x00000001
  478. # case independent: CatalogFile Class DriverVer layoutfile LayoutFile SetupClass signature Signature
  479. >>>>>(20.l) lestring16 x "%s"
  480. >>>>4 ulelong&0x00000001 !0x00000001
  481. >>>>>(20.l) string x "%s"
  482. # FILETIME is number of 100-nanosecond intervals since 1 January 1601
  483. #>>>>24 ulequad x \b, InfVersionLastWriteTime %16.16llx
  484. # only found values lower 0x00ffFFff
  485. #>>>>32 ulelong x \b, StringTableBlockOffset 0x%x
  486. #>>>>36 ulelong x \b, StringTableBlockSize 0x%x
  487. #>>>>40 ulelong x \b, InfSectionCount 0x%x
  488. #>>>>44 ulelong x \b, InfSectionBlockOffset 0x%x
  489. #>>>>48 ulelong x \b, InfSectionBlockSize 0x%x
  490. #>>>>52 ulelong x \b, InfLineBlockOffset 0x%x
  491. #>>>>56 ulelong x \b, InfLineBlockSize 0x%x
  492. #>>>>60 ulelong x \b, InfValueBlockOffset 0x%x
  493. #>>>>64 ulelong x \b, InfValueBlockSize 0x%x
  494. # WinDirPathOffset
  495. #>>>>68 ulelong x \b, at 0x%x
  496. >>>>68 ulelong >0x57
  497. >>>>>4 ulelong&0x00000001 =0x00000001
  498. >>>>>>(68.l) ubequad =0x43003a005c005700
  499. # normally unicoded C:\Windows
  500. #>>>>>>>(68.l) lestring16 x \b, WinDirPath "%s"
  501. >>>>>>(68.l) ubequad !0x43003a005c005700
  502. >>>>>>>(68.l) lestring16 x \b, WinDirPath "%s"
  503. >>>>>4 ulelong&0x00000001 !0x00000001
  504. # normally ASCII C:\WINDOWS
  505. #>>>>>>(68.l) string =C:\\WINDOWS \b, WinDirPath "%s"
  506. >>>>>>(68.l) string !C:\\WINDOWS \b, WinDirPath "%s"
  507. # found OsLoaderPathOffset values often 0 , once 70h corelist.PNF, once 68h ASCII machine.PNF
  508. #>>>>72 ulelong >0 \b, at 0x%x
  509. >>>>72 ulelong >0 \b,
  510. >>>>>4 ulelong&0x00000001 =0x00000001
  511. >>>>>>(72.l) lestring16 x OsLoaderPath "%s"
  512. >>>>>4 ulelong&0x00000001 !0x00000001
  513. # seldom C:\ instead of empty
  514. >>>>>>(72.l) string x OsLoaderPath "%s"
  515. # 1fdh
  516. #>>>>76 uleshort x \b, StringTableHashBucketCount 0x%x
  517. >>>>78 uleshort !0x407 \b, LanguageId %x
  518. # only 407h found
  519. #>>>>78 uleshort =0x407 \b, LanguageId %x
  520. # InfSourcePathOffset often 0
  521. #>>>>80 ulelong >0 \b, at 0x%x
  522. >>>>80 ulelong >0 \b,
  523. >>>>>4 ulelong&0x00000001 =0x00000001
  524. >>>>>>(80.l) lestring16 x SourcePath "%s"
  525. >>>>>4 ulelong&0x00000001 !0x00000001
  526. >>>>>>(80.l) string >\0 SourcePath "%s"
  527. # OriginalInfNameOffset often 0
  528. #>>>>84 ulelong >0 \b, at 0x%x
  529. >>>>84 ulelong >0 \b,
  530. >>>>>4 ulelong&0x00000001 =0x00000001
  531. >>>>>>(84.l) lestring16 x InfName "%s"
  532. >>>>>4 ulelong&0x00000001 !0x00000001
  533. >>>>>>(84.l) string >\0 InfName "%s"
  534. # Summary: backup file created with utility like NTBACKUP.EXE shipped with Windows NT/2K/XP/2003
  535. # Extension: .bkf
  536. # Created by: Joerg Jenderek
  537. # URL: http://en.wikipedia.org/wiki/NTBackup
  538. # Reference: http://laytongraphics.com/mtf/MTF_100a.PDF
  539. # Descriptor BloCK name of Microsoft Tape Format
  540. 0 string TAPE
  541. # Format Logical Address is zero
  542. >20 ulequad 0
  543. # Reserved for MBC is zero
  544. >>28 uleshort 0
  545. # Control Block ID is zero
  546. >>>36 ulelong 0
  547. # BIT4-BIT15, BIT18-BIT31 of block attributes are unused
  548. >>>>4 ulelong&0xFFfcFFe0 0 Windows NTbackup archive
  549. #!:mime application/x-ntbackup
  550. !:ext bkf
  551. # OS ID
  552. >>>>>10 ubyte 1 \b NetWare
  553. >>>>>10 ubyte 13 \b NetWare SMS
  554. >>>>>10 ubyte 14 \b NT
  555. >>>>>10 ubyte 24 \b 3
  556. >>>>>10 ubyte 25 \b OS/2
  557. >>>>>10 ubyte 26 \b 95
  558. >>>>>10 ubyte 27 \b Macintosh
  559. >>>>>10 ubyte 28 \b UNIX
  560. # OS Version (2)
  561. #>>>>>11 ubyte x OS V=%x
  562. # MTF_CONTINUATION Media Sequence Number > 1
  563. #>>>>>4 ulelong&0x00000001 !0 \b, continued
  564. # MTF_COMPRESSION
  565. >>>>>4 ulelong&0x00000004 !0 \b, compressed
  566. # MTF_EOS_AT_EOM End Of Medium was hit during end of set processing
  567. >>>>>4 ulelong&0x00000008 !0 \b, End Of Medium hit
  568. >>>>>4 ulelong&0x00020000 0
  569. # MTF_SET_MAP_EXISTS A Media Based Catalog Set Map may exist on tape
  570. >>>>>>4 ulelong&0x00010000 !0 \b, with catalog
  571. # MTF_FDD_ALLOWED However File/Directory Detail can only exist if a Set Map is also present
  572. >>>>>4 ulelong&0x00020000 !0 \b, with file catalog
  573. # Offset To First Event 238h,240h,28Ch
  574. #>>>>>8 uleshort x \b, event offset %4.4x
  575. # Displayable Size (20e0230h 20e024ch 20e0224h)
  576. #>>>>>8 ulequad x dis. size %16.16llx
  577. # Media Family ID (455288C4h 4570BD1Ah 45708F2Fh 4570BBF5h)
  578. #>>>>>52 ulelong x family ID %8.8x
  579. # TAPE Attributes (3)
  580. #>>>>>56 ulelong x TAPE %8.8x
  581. # Media Sequence Number
  582. >>>>>60 uleshort >1 \b, sequence %u
  583. # Password Encryption Algorithm (3)
  584. >>>>>62 uleshort >0 \b, 0x%x encrypted
  585. # Soft Filemark Block Size * 512 (2)
  586. #>>>>>64 uleshort =2 \b, soft size %u*512
  587. >>>>>64 uleshort !2 \b, soft size %u*512
  588. # Media Based Catalog Type (1,2)
  589. #>>>>>66 uleshort x \b, catalog type %4.4x
  590. # size of Media Name (66,68,6Eh)
  591. >>>>>68 uleshort >0
  592. # offset of Media Name (5Eh)
  593. >>>>>>70 uleshort >0
  594. # 0~, 1~ANSI, 2~UNICODE
  595. >>>>>>>48 ubyte 1
  596. # size terminated ansi coded string normally followed by "MTF Media Label"
  597. >>>>>>>>(70.s) string >\0 \b, name: %s
  598. >>>>>>>48 ubyte 2
  599. # not null terminated but size terminated unicode string
  600. >>>>>>>>(70.s) lestring16 x \b, name: %s
  601. # size of Media Label (104h)
  602. >>>>>72 uleshort >0
  603. # offset of Media Label (C4h,C6h,CCh)
  604. >>>>>74 uleshort >0
  605. >>>>>>48 ubyte 1
  606. #Tag|Version|Vendor|Vendor ID|Creation Time Stamp|Cartridge Label|Side|Media ID|Media Domain ID|Vendor Specific fields
  607. >>>>>>>(74.s) string >\0 \b, label: %s
  608. >>>>>>48 ubyte 2
  609. >>>>>>>(74.s) lestring16 x \b, label: %s
  610. # size of password name (0,1Ch)
  611. #>>>>>76 uleshort >0 \b, password size %4.4x
  612. # Software Vendor ID (CBEh)
  613. >>>>>86 uleshort x \b, software (0x%x)
  614. # size of Software Name (6Eh)
  615. >>>>>80 uleshort >0
  616. # offset of Software Name (1C8h,1CAh,1D0h)
  617. >>>>>>82 uleshort >0
  618. # 1~ANSI, 2~UNICODE
  619. >>>>>>>48 ubyte 1
  620. >>>>>>>>(82.s) string >\0 \b: %s
  621. >>>>>>>48 ubyte 2
  622. # size terminated unicoded coded string normally followed by "SPAD"
  623. >>>>>>>>(82.s) lestring16 x \b: %s
  624. # Format Logical Block Size (512,1024)
  625. #>>>>>84 uleshort =1024 \b, block size %u
  626. >>>>>84 uleshort !1024 \b, block size %u
  627. # Media Date of MTF_DATE_TIME type with 5 bytes
  628. #>>>>>>88 ubequad x DATE %16.16llx
  629. # MTF Major Version (1)
  630. #>>>>>>93 ubyte x \b, MFT version %x
  631. #
  632. # URL: https://en.wikipedia.org/wiki/PaintShop_Pro
  633. # Reference: http://www.cryer.co.uk/file-types/p/pal.htm
  634. # Created by: Joerg Jenderek
  635. # Note: there exist other color palette formats also with .pal extension
  636. 0 string JASC-PAL\r\n PaintShop Pro color palette
  637. #!:mime text/plain
  638. # PspPalette extension is used by newer (probably 8) PaintShopPro versions
  639. !:ext pal/PspPalette
  640. # 2nd line contains palette file version. For example "0100"
  641. >10 string !0100 \b, version %.4s
  642. # third line contains the number of colours: 16 256 ...
  643. >16 string x \b, %.3s colors
  644. # URL: http://en.wikipedia.org/wiki/Innosetup
  645. # Reference: https://github.com/jrsoftware/issrc/blob/master/Projects/Undo.pas
  646. # Created by: Joerg Jenderek
  647. # Note: created by like "InnoSetup self-extracting archive" inside ./msdos
  648. # TrID labels the entry as "Inno Setup Uninstall Log"
  649. # TUninstallLogID
  650. 0 string Inno\ Setup\ Uninstall\ Log\ (b) InnoSetup Log
  651. !:mime application/x-innosetup
  652. # unins000.dat, unins001.dat, ...
  653. !:ext dat
  654. # " 64-bit" variant
  655. >0x1c string >\0 \b%.7s
  656. # AppName[0x80] like "Minimal SYStem", ClamWin Free Antivirus , ...
  657. >0xc0 string x %s
  658. # AppId[0x80] is similar to AppName or
  659. # GUID like {4BB0DCDC-BC24-49EC-8937-72956C33A470} start with left brace
  660. >0x40 ubyte 0x7b
  661. >>0x40 string x %-.38s
  662. # it is not known how this log version correlates to the program version
  663. >0x140 ulelong x \b, version 0x%x
  664. # NumRecs
  665. #>0x144 ulelong x \b, 0x%4.4x records
  666. # EndOffset means file size
  667. >0x148 ulelong x \b, %u bytes
  668. # Flags 5 25h 35h
  669. #>0x14c ulelong x \b, flags %8.8x
  670. # Reserved: array[0..26] of Longint
  671. # the non Unicode HighestSupportedVersion may never become greater than or equal to 1000
  672. >0x140 ulelong <1000
  673. # hostname
  674. >>0x1d6 pstring x \b, %s
  675. # user name
  676. >>>&0 pstring x \b\%s
  677. # directory like C:\Program Files (x86)\GnuWin32
  678. >>>>&0 pstring x \b, "%s"
  679. # version 1000 or higher implies unicode
  680. >0x140 ulelong >999
  681. # hostname
  682. >>0x1db lestring16 x \b, %-.9s
  683. # utf string variant with preceding fe??ffFFff
  684. >>0x1db search/43 \xFF\xFF\xFF
  685. # user name
  686. >>>&0 lestring16 x \b\%-.9s
  687. >>>&0 search/43 \xFF\xFF\xFF
  688. # directory like C:\Program Files\GIMP 2
  689. >>>>&0 lestring16 x \b, %-.42s