

  1. #------------------------------------------------------------------------------
  2. # $File: windows,v 1.26 2019/05/01 17:55:25 christos Exp $
  3. # windows: file(1) magic for Microsoft Windows
  4. #
  5. # This file is mainly reserved for files where programs
  6. # using them are run almost always on MS Windows 3.x or
  7. # above, or files only used exclusively in Windows OS,
  8. # where there is no better category to allocate for.
  9. # For example, even though WinZIP runs almost exclusively on
  10. # Windows, it is better to treat its files as "archive" instead.
  11. # For formats usable in DOS, such as the generic executable
  12. # format, please specify them in the "msdos" file.
  13. #
  14. # Summary: Outlook Express DBX file
  15. # Extension: .dbx
  16. # Created by: Christophe Monniez
  17. 0 string \xCF\xAD\x12\xFE MS Outlook Express DBX file
  18. >4 byte =0xC5 \b, message database
  19. >4 byte =0xC6 \b, folder database
  20. >4 byte =0xC7 \b, account information
  21. >4 byte =0x30 \b, offline database
  22. # Summary: Windows crash dump
  23. # Extension: .dmp
  24. # Created by: Andreas Schuster (https://computer.forensikblog.de/)
  25. # Reference (1): https://computer.forensikblog.de/en/2008/02/64bit_magic.html
  26. # Modified by (1): Abel Cheung (Avoid match with first 4 bytes only)
  27. 0 string PAGE
  28. >4 string DUMP MS Windows 32bit crash dump
  29. >>0x05c byte 0 \b, no PAE
  30. >>0x05c byte 1 \b, PAE
  31. >>0xf88 lelong 1 \b, full dump
  32. >>0xf88 lelong 2 \b, kernel dump
  33. >>0xf88 lelong 3 \b, small dump
  34. >>0x068 lelong x \b, %d pages
  35. >4 string DU64 MS Windows 64bit crash dump
  36. >>0xf98 lelong 1 \b, full dump
  37. >>0xf98 lelong 2 \b, kernel dump
  38. >>0xf98 lelong 3 \b, small dump
  39. >>0x090 lequad x \b, %lld pages
  40. # Summary: Vista Event Log
  41. # Extension: .evtx
  42. # Created by: Andreas Schuster (https://computer.forensikblog.de/)
  43. # Reference (1): https://computer.forensikblog.de/en/2007/05/some_magic.html
  44. 0 string ElfFile\0 MS Windows Vista Event Log
  45. >0x2a leshort x \b, %d chunks
  46. >>0x10 lelong x \b (no. %d in use)
  47. >0x18 lelong >1 \b, next record no. %d
  48. >0x18 lelong =1 \b, empty
  49. >0x78 lelong &1 \b, DIRTY
  50. >0x78 lelong &2 \b, FULL
  51. # Summary: Windows System Deployment Image
  52. # Created by: Joerg Jenderek
  53. # URL: http://en.wikipedia.org/wiki/System_Deployment_Image
  54. # Reference: http://skolk.livejournal.com/1320.html
  55. 0 string $SDI
  56. >4 string 0001 System Deployment Image
  57. !:mime application/x-ms-sdi
  58. #!:mime application/octet-stream
  59. # \Boot\boot.sdi
  60. !:ext sdi
  61. # MDBtype: 0~Unspecified 1~RAM 2~ROM
  62. >>8 ulequad !0 \b, MDBtype 0x%llx
  63. # BootCodeOffset
  64. >>16 ulequad !0 \b, BootCodeOffset 0x%llx
  65. # BootCodeSize
  66. >>24 ulequad !0 \b, BootCodeSize 0x%llx
  67. # VendorID
  68. >>32 ulequad !0 \b, VendorID 0x%llx
  69. # DeviceID
  70. >>40 ulequad !0 \b, DeviceID 0x%llx
  71. # DeviceModel
  72. >>48 ulequad !0 \b, DeviceModel 0x%llx
  73. >>>56 ulequad !0 \b%llx
  74. # DeviceRole
  75. >>64 ulequad !0 \b, DeviceRole 0x%llx
  76. # Reserved1; reserved fields and gaps between BLOBs are padded with \0
  77. #>>72 ulequad !0 \b, Reserved1 0x%llx
  78. # RuntimeGUID
  79. >>80 ulequad !0 \b, RuntimeGUID 0x%llx
  80. >>>88 ulequad !0 \b%llx
  81. # RuntimeOEMrev
  82. >>96 ulequad !0 \b, RuntimeOEMrev 0x%llx
  83. # Reserved2
  84. #>>104 ulequad !0 \b, Reserved2 0x%llx
  85. # BLOB alignment value in pages, as specified in sdimgr /pack: 1~4K 2~8k
  86. >>112 ulequad !0 \b, PageAlignment %llu
  87. # Reserved3[48]
  88. #>>120 ulequad !0 \b, Reserved3 0x%llx
  89. # SDI checksum 39h
  90. >>0x1f8 ulequad x \b, checksum 0x%llx
  91. # BLOBtype[8] \0-padded: PART, WIM , BOOT, LOAD, DISK
  92. >>0x400 string >\0 \b, type %-3.8s
  93. # 0~non-filesystem 7~NTFS 6~BIGFAT
  94. >>>0x420 ulequad !0 (0x%llx)
  95. # ATTRibutes
  96. >>>0x408 ulequad !0 0x%llx attributes
  97. # Offset
  98. >>>0x410 ulequad x at 0x%llx
  99. # print 1 space after the size; the NTFS boot sector is then handled by ./filesystems
  100. >>>0x418 ulequad >0 %llu bytes
  101. >>>>(0x410.l) indirect x
  102. # 2nd BLOB: WIM
  103. >>0x440 string >\0 \b, type %-3.8s
  104. >>>0x428 ulequad !0 (0x%llx)
  105. # ATTRibutes
  106. >>>0x448 ulequad !0 0x%llx attributes
  107. # Offset
  108. >>>0x450 ulequad x at 0x%llx
  109. >>>0x458 ulequad >0 %llu bytes
  110. >>>>(0x450.l) indirect x
  111. # 3rd BLOB
  112. >>0x480 string >\0 \b, type %-3.8s
  113. # Summary: Windows Error Report text files
  114. # URL: https://en.wikipedia.org/wiki/Windows_Error_Reporting
  115. # Reference: https://www.nirsoft.net/utils/app_crash_view.html
  116. # Created by: Joerg Jenderek
  117. # Note: in directories %ProgramData%\Microsoft\Windows\WER\{ReportArchive,ReportQueue}
  118. # %LOCALAPPDATA%\Microsoft\Windows\WER\{ReportArchive,ReportQueue}
  119. 0 lestring16 Version=
  120. >22 lestring16 EventType Windows Error Report
  121. !:mime text/plain
  122. # Report.wer
  123. !:ext wer
  124. # Summary: Windows 3.1 group files
  125. # Extension: .grp
  126. # Created by: unknown
  127. 0 string \120\115\103\103 MS Windows 3.1 group files
  128. # Summary: Old format help files
  129. # URL: https://en.wikipedia.org/wiki/WinHelp
  130. # Reference: https://www.oocities.org/mwinterhoff/helpfile.htm
  131. # Update: Joerg Jenderek
  132. # Created by: Dirk Jagdmann <doj@cubic.org>
  133. #
  134. # check for and then display the version and date inside an MS Windows HeLP file fragment
  135. 0 name help-ver-date
  136. # look for Magic of SYSTEMHEADER
  137. >0 leshort 0x036C
  138. # version Major 1 for right file fragment
  139. >>4 leshort 1 Windows
  140. # print a non-empty string above to avoid an error message
  141. # Warning: Current entry does not yet have a description for adding a MIME type
  142. !:mime application/winhelp
  143. !:ext hlp
  144. # version Minor of help file format is hint for windows version
  145. >>>2 leshort 0x0F 3.x
  146. >>>2 leshort 0x15 3.0
  147. >>>2 leshort 0x21 3.1
  148. >>>2 leshort 0x27 x.y
  149. >>>2 leshort 0x33 95
  150. >>>2 default x y.z
  151. >>>>2 leshort x 0x%x
  152. # to complete message string like "MS Windows 3.x help file"
  153. >>>2 leshort x help
  154. # GenDate often older than file creation date
  155. >>>6 ldate x \b, %s
  156. #
  157. # Magic for HeLP files
  158. 0 lelong 0x00035f3f
  159. # ./windows (version 5.25) labeled the entry as "MS Windows 3.x help file"
  160. # file header magic 0x293B at DirectoryStart+9
  161. >(4.l+9) uleshort 0x293B MS
  162. # look for @VERSION bmf.. like IBMAVW.ANN
  163. >>0xD4 string =\x62\x6D\x66\x01\x00 Windows help annotation
  164. !:mime application/x-winhelp
  165. !:ext ann
  166. >>0xD4 string !\x62\x6D\x66\x01\x00
  167. # "GID Help index" by TrID
  168. >>>(4.l+0x65) string =|Pete Windows help Global Index
  169. !:mime application/x-winhelp
  170. !:ext gid
  171. # HeLP Bookmark or
  172. # "Windows HELP File" by TrID
  173. >>>(4.l+0x65) string !|Pete
  174. # there may be a cleaner way to detect HeLP fragments
  175. # brute-force search for the magic 0x036C with a matching Major version, at most 7 iterations
  176. # discapp.hlp
  177. >>>>16 search/0x49AF/s \x6c\x03
  178. >>>>>&0 use help-ver-date
  179. >>>>>&4 leshort !1
  180. # putty.hlp
  181. >>>>>>&0 search/0x69AF/s \x6c\x03
  182. >>>>>>>&0 use help-ver-date
  183. >>>>>>>&4 leshort !1
  184. >>>>>>>>&0 search/0x49AF/s \x6c\x03
  185. >>>>>>>>>&0 use help-ver-date
  186. >>>>>>>>>&4 leshort !1
  187. >>>>>>>>>>&0 search/0x49AF/s \x6c\x03
  188. >>>>>>>>>>>&0 use help-ver-date
  189. >>>>>>>>>>>&4 leshort !1
  190. >>>>>>>>>>>>&0 search/0x49AF/s \x6c\x03
  191. >>>>>>>>>>>>>&0 use help-ver-date
  192. >>>>>>>>>>>>>&4 leshort !1
  193. >>>>>>>>>>>>>>&0 search/0x49AF/s \x6c\x03
  194. >>>>>>>>>>>>>>>&0 use help-ver-date
  195. >>>>>>>>>>>>>>>&4 leshort !1
  196. >>>>>>>>>>>>>>>>&0 search/0x49AF/s \x6c\x03
  197. # GCC.HLP is detected after 7 iterations
  198. >>>>>>>>>>>>>>>>>&0 use help-ver-date
  199. # this only happens if a bigger hlp file is detected after the search iterations are used up
  200. >>>>>>>>>>>>>>>>>&4 leshort !1 Windows y.z help
  201. !:mime application/winhelp
  202. !:ext hlp
  203. # repeat the search, otherwise the following default line does not work
  204. >>>>16 search/0x49AF/s \x6c\x03
  205. # remaining files should be HeLP Bookmark WinHlp32.BMK (XP 32-bit) or WinHlp32 (Windows 8.1 64-bit)
  206. >>>>16 default x Windows help Bookmark
  207. !:mime application/x-winhelp
  208. !:ext bmk
  209. ## FirstFreeBlock normally FFFFFFFFh 10h for *ANN
  210. ##>>8 lelong x \b, FirstFreeBlock 0x%8.8x
  211. # EntireFileSize
  212. >>12 lelong x \b, %d bytes
  213. ## ReservedSpace normally 042Fh AFh for *.ANN
  214. #>>(4.l) lelong x \b, ReservedSpace 0x%8.8x
  215. ## UsedSpace normally 0426h A6h for *.ANN
  216. #>>(4.l+4) lelong x \b, UsedSpace 0x%8.8x
  217. ## FileFlags normally 04...
  218. #>>(4.l+5) lelong x \b, FileFlags 0x%8.8x
  219. ## file header magic 0x293B
  220. #>>(4.l+9) uleshort x \b, file header magic 0x%4.4x
  221. ## file header Flags 0x0402
  222. #>>(4.l+11) uleshort x \b, file header Flags 0x%4.4x
  223. ## file header PageSize 0400h 80h for *.ANN
  224. #>>(4.l+13) uleshort x \b, PageSize 0x%4.4x
  225. ## Structure[16] z4
  226. #>>(4.l+15) string >\0 \b, Structure_"%-.16s"
  227. ## MustBeZero 0
  228. #>>(4.l+31) uleshort x \b, MustBeZero 0x%4.4x
  229. ## PageSplits
  230. #>>(4.l+33) uleshort x \b, PageSplits 0x%4.4x
  231. ## RootPage
  232. #>>(4.l+35) uleshort x \b, RootPage 0x%4.4x
  233. ## MustBeNegOne 0xffff
  234. #>>(4.l+37) uleshort x \b, MustBeNegOne 0x%4.4x
  235. ## TotalPages 1
  236. #>>(4.l+39) uleshort x \b, TotalPages 0x%4.4x
  237. ## NLevels 0x0001
  238. #>>(4.l+41) uleshort x \b, NLevels 0x%4.4x
  239. ## TotalBtreeEntries
  240. #>>(4.l+43) ulelong x \b, TotalBtreeEntries 0x%8.8x
  241. ## pages of the B+ tree
  242. #>>(4.l+47) ubequad x \b, PageStart 0x%16.16llx
  243. # starts with a colon or semicolon for a comment line, like Back2Life.cnt
  244. 0 regex \^(:|;)
  245. # look for first keyword Base
  246. >0 search/45 :Base
  247. >>&0 use cnt-name
  248. # the only solution is to search again from the beginning, because relative offsets change when "use" is called
  249. >0 search/45 :Base
  250. >0 default x
  251. # look for other keyword Title like in putty.cnt
  252. >>0 search/45 :Title
  253. >>>&0 use cnt-name
  254. #
  255. # display mime type and name of Windows help Content source
  256. 0 name cnt-name
  257. # skip space at beginning
  258. >0 string \040
  259. # name without an extension and without a '>' character, or name with an hlp extension
  260. >>1 regex/c \^([^\xd>]*|.*\.hlp) MS Windows help file Content, based "%s"
  261. !:mime text/plain
  262. !:apple ????TEXT
  263. !:ext cnt
  264. #
  265. # Windows creates a full text search index from the hlp file if the user clicks the "Find" tab and enables keyword indexing
  266. 0 string tfMR MS Windows help Full Text Search index
  267. !:mime application/x-winhelp-fts
  268. !:ext fts
  269. >16 string >\0 for "%s"
  270. # Summary: Hyper terminal
  271. # Extension: .ht
  272. # Created by: unknown
  273. 0 string HyperTerminal\040
  274. >15 string 1.0\ --\ HyperTerminal\ data\ file MS Windows HyperTerminal profile
  275. # https://ithreats.files.wordpress.com/2009/05/\040
  276. # lnk_the_windows_shortcut_file_format.pdf
  277. # Summary: Windows shortcut
  278. # Extension: .lnk
  279. # Created by: unknown
  280. # 'L' + GUID
  281. 0 string \114\0\0\0\001\024\002\0\0\0\0\0\300\0\0\0\0\0\0\106 MS Windows shortcut
  282. >20 lelong&1 1 \b, Item id list present
  283. >20 lelong&2 2 \b, Points to a file or directory
  284. >20 lelong&4 4 \b, Has Description string
  285. >20 lelong&8 8 \b, Has Relative path
  286. >20 lelong&16 16 \b, Has Working directory
  287. >20 lelong&32 32 \b, Has command line arguments
  288. >20 lelong&64 64 \b, Icon
  289. >>56 lelong x \b number=%d
  290. >24 lelong&1 1 \b, Read-Only
  291. >24 lelong&2 2 \b, Hidden
  292. >24 lelong&4 4 \b, System
  293. >24 lelong&8 8 \b, Volume Label
  294. >24 lelong&16 16 \b, Directory
  295. >24 lelong&32 32 \b, Archive
  296. >24 lelong&64 64 \b, Encrypted
  297. >24 lelong&128 128 \b, Normal
  298. >24 lelong&256 256 \b, Temporary
  299. >24 lelong&512 512 \b, Sparse
  300. >24 lelong&1024 1024 \b, Reparse point
  301. >24 lelong&2048 2048 \b, Compressed
  302. >24 lelong&4096 4096 \b, Offline
  303. >28 leqwdate x \b, ctime=%s
  304. >36 leqwdate x \b, mtime=%s
  305. >44 leqwdate x \b, atime=%s
  306. >52 lelong x \b, length=%u, window=
  307. >60 lelong&1 1 \bhide
  308. >60 lelong&2 2 \bnormal
  309. >60 lelong&4 4 \bshowminimized
  310. >60 lelong&8 8 \bshowmaximized
  311. >60 lelong&16 16 \bshownoactivate
  312. >60 lelong&32 32 \bminimize
  313. >60 lelong&64 64 \bshowminnoactive
  314. >60 lelong&128 128 \bshowna
  315. >60 lelong&256 256 \brestore
  316. >60 lelong&512 512 \bshowdefault
  317. #>20 lelong&1 0
  318. #>>20 lelong&2 2
  319. #>>>(72.l-64) pstring/h x \b [%s]
  320. #>20 lelong&1 1
  321. #>>20 lelong&2 2
  322. #>>>(72.s) leshort x
  323. #>>>&75 pstring/h x \b [%s]
  324. # Summary: Outlook Personal Folders
  325. # Created by: unknown
  326. 0 lelong 0x4E444221 Microsoft Outlook email folder
  327. >10 leshort 0x0e (<=2002)
  328. >10 leshort 0x17 (>=2003)
  329. # Summary: Windows help cache
  330. # Created by: unknown
  331. 0 string \164\146\115\122\012\000\000\000\001\000\000\000 MS Windows help cache
  332. # Summary: IE cache file
  333. # Created by: Christophe Monniez
  334. 0 string Client\ UrlCache\ MMF Internet Explorer cache file
  335. >20 string >\0 version %s
  336. # Summary: Registry files
  337. # Created by: unknown
  338. # Modified by (1): Joerg Jenderek
  339. 0 string regf MS Windows registry file, NT/2000 or above
  340. 0 string CREG MS Windows 95/98/ME registry file
  341. 0 string SHCC3 MS Windows 3.1 registry file
  342. # Summary: Windows Registry text
  343. # URL: https://en.wikipedia.org/wiki/Windows_Registry#.REG_files
  344. # Reference: http://fileformats.archiveteam.org/wiki/Windows_Registry
  345. # Submitted by: Abel Cheung <abelcheung@gmail.com>
  346. # Update: Joerg Jenderek
  347. # Windows 3-9X variant
  348. 0 string REGEDIT
  349. # skip ASCII text like "REGEDITor.txt" but match
  350. # L1WMAP.REG with only 1 CRNL or org.gnome.gnumeric.reg with 2 NL
  351. >7 search/3 \n Windows Registry text
  352. !:mime text/x-ms-regedit
  353. !:ext reg
  354. # Windows 9X variant
  355. >>0 string REGEDIT4 (Win95 or above)
  356. # Windows 2K ANSI variant
  357. 0 string Windows\ Registry\ Editor\
  358. >&0 string Version\ 5.00\r\n\r\n Windows Registry text (Win2K or above)
  359. !:mime text/x-ms-regedit
  360. !:ext reg
  361. # Windows 2K UTF-16 variant
  362. 2 lestring16 Windows\ Registry\ Editor\
  363. >0x32 lestring16 Version\ 5.00\r\n\r\n Windows Registry little-endian text (Win2K or above)
  364. # relative offset not working
  365. #>&0 lestring16 Version\ 5.00\r\n\r\n Windows Registry little-endian text (Win2K or above)
  366. !:mime text/x-ms-regedit
  367. !:ext reg
  368. # WINE variant
  369. # URL: https://en.wikipedia.org/wiki/Wine_(software)
  370. # Reference: https://www.winehq.org/pipermail/wine-cvs/2005-October/018763.html
  371. # Note: WINE uses a text-based registry (system.reg, user.reg, userdef.reg)
  372. # instead of the binary hive structure used by Windows
  373. 0 string WINE\ REGISTRY\ Version\ WINE registry text
  374. # version 2
  375. >&0 string x \b, version %s
  376. !:mime text/x-wine-extension-reg
  377. !:ext reg
  378. # Windows *.INF *.INI files updated by Joerg Jenderek at Apr 2013, Feb 2018
  379. # empty line, comment line, or section line
  380. # PR/383: remove unicode BOM because it is not portable across regex impls
  381. #0 regex/s \\`(\\r\\n|;|[[])
  382. # empty line CRLF
  383. 0 ubeshort 0x0D0A
  384. >0 use ini-file
  385. # comment line
  386. 0 string ;
  387. >0 use ini-file
  388. # section line
  389. 0 string [
  390. >0 use ini-file
  391. # check and then display Windows INItialization configuration
  392. 0 name ini-file
  393. # look for left bracket in section line
  394. >0 search/8192 [
  395. # https://en.wikipedia.org/wiki/Autorun.inf
  396. # https://msdn.microsoft.com/en-us/library/windows/desktop/cc144200.aspx
  397. # space after right bracket
  398. # or AutoRun.Amd64 for 64 bit systems
  399. # or only NL separator
  400. >>&0 regex/c \^(autorun)
  401. # but sometimes the Total Commander directory tree file "treeinfo.wc" has lines like
  402. # [AUTORUN]
  403. # [boot]
  404. >>>&0 string =]\r\n[ Total commander directory treeinfo.wc
  405. !:mime text/plain
  406. !:ext wc
  407. # From: Pal Tamas <folti@balabit.hu>
  408. # Autorun File
  409. >>>&0 string !]\r\n[ Microsoft Windows Autorun file
  410. !:mime application/x-setupscript
  411. !:ext inf
  412. # https://msdn.microsoft.com/en-us/library/windows/hardware/ff549520(v=vs.85).aspx
  413. # version strings ASCII coded case-independent for Windows setup information script file
  414. >>&0 regex/c \^(version|strings)] Windows setup INFormation
  415. !:mime application/x-setupscript
  416. #!:mime application/x-wine-extension-inf
  417. !:ext inf
  418. # NETCRC.INF OEMCPL.INF
  419. >>&0 regex/c \^(WinsockCRCList|OEMCPL)] Windows setup INFormation
  420. !:mime application/x-setupscript
  421. !:ext inf
  422. # http://www.winfaq.de/faq_html/Content/tip2500/onlinefaq.php?h=tip2653.htm
  423. # https://msdn.microsoft.com/en-us/library/windows/desktop/cc144102.aspx
  424. # .ShellClassInfo DeleteOnCopy LocalizedFileNames ASCII coded case-independent
  425. >>&0 regex/c \^(\.ShellClassInfo|DeleteOnCopy|LocalizedFileNames)] Windows desktop.ini
  426. !:mime application/x-wine-extension-ini
  427. #!:mime text/plain
  428. # https://support.microsoft.com/kb/84709/
  429. >>&0 regex/c \^(don't\ load)] Windows CONTROL.INI
  430. !:mime application/x-wine-extension-ini
  431. !:ext ini
  432. >>&0 regex/c \^(ndishlp\\$|protman\\$|NETBEUI\\$)] Windows PROTOCOL.INI
  433. !:mime application/x-wine-extension-ini
  434. !:ext ini
  435. # https://technet.microsoft.com/en-us/library/cc722567.aspx
  436. # http://www.winfaq.de/faq_html/Content/tip0000/onlinefaq.php?h=tip0137.htm
  437. >>&0 regex/c \^(windows|Compatibility|embedding)] Windows WIN.INI
  438. !:mime application/x-wine-extension-ini
  439. !:ext ini
  440. # https://en.wikipedia.org/wiki/SYSTEM.INI
  441. >>&0 regex/c \^(boot|386enh|drivers)] Windows SYSTEM.INI
  442. !:mime application/x-wine-extension-ini
  443. !:ext ini
  444. # http://www.mdgx.com/newtip6.htm
  445. >>&0 regex/c \^(SafeList)] Windows IOS.INI
  446. !:mime application/x-wine-extension-ini
  447. !:ext ini
  448. # https://en.wikipedia.org/wiki/NTLDR Windows Boot Loader information
  449. >>&0 regex/c \^(boot\x20loader)] Windows boot.ini
  450. !:mime application/x-wine-extension-ini
  451. !:ext ini
  452. # https://en.wikipedia.org/wiki/CONFIG.SYS
  453. >>&0 regex/c \^(menu)] MS-DOS CONFIG.SYS
  454. # @CONFIG.UI configuration file of previous DOS version saved by Caldera OPENDOS INSTALL.EXE
  455. # CONFIG.PSS saved version of file CONFIG.SYS created by %WINDIR%\SYSTEM\MSCONFIG.EXE
  456. # CONFIG.TSH renamed file CONFIG.SYS.BAT by %WINDIR%\SYSTEM\MSCONFIG.EXE
  457. # dos and w40 used in dual booting scene
  458. !:ext sys/dos/w40
  459. # https://support.microsoft.com/kb/118579/
  460. >>&0 regex/c \^(Paths)]\r\n MS-DOS MSDOS.SYS
  461. !:ext sys/dos
  462. # http://chmspec.nongnu.org/latest/INI.html#HHP
  463. >>&0 regex/c \^(options)]\r\n Microsoft HTML Help Project
  464. !:mime text/plain
  465. !:ext hhp
  466. # unknown keyword after opening bracket
  467. >>&0 default x
  468. #>>>&0 string/c x UNKNOWN [%s
  469. # look for left bracket of second section
  470. >>>&0 search/8192 [
  471. # version Strings FileIdentification
  472. >>>>&0 string/c version Windows setup INFormation
  473. !:mime application/x-setupscript
  474. !:ext inf
  475. # https://en.wikipedia.org/wiki/Initialization_file Windows Initialization File or other
  476. >>>>&0 default x
  477. >>>>>&0 ubyte x
  478. # letters, digits, underscore, parentheses and white space followed by a right bracket
  479. # and terminated by CR imply a section line; this skips BOOTLOG.TXT DETLOG.TXT
  480. >>>>>>&-1 regex \^([A-Za-z0-9_\(\)\ ]+)\]\r Generic INItialization configuration [%-.40s
  481. # NETDEF.INF multiarc.ini
  482. #!:mime application/x-setupscript
  483. !:mime application/x-wine-extension-ini
  484. #!:mime text/plain
  485. !:ext ini/inf
  486. # UTF-16 BOM followed by CR~0D00 , comment~semicolon~3B00 , section~bracket~5B00
  487. 0 ubelong&0xFFff89FF =0xFFFE0900
  488. # look for left bracket in section line
  489. >2 search/8192 [
  490. # keyword without its 1st letter, which may be upper- or lower-case
  491. >>&3 lestring16 ersion] Windows setup INFormation
  492. !:mime application/x-setupscript
  493. !:ext inf
  494. >>&3 lestring16 trings] Windows setup INFormation
  495. !:mime application/x-setupscript
  496. !:ext inf
  497. >>&3 lestring16 ourceDisksNames] Windows setup INFormation
  498. !:mime application/x-setupscript
  499. !:ext inf
  500. # netnwcli.inf starts with ;---[ NetNWCli.INX ]
  501. >>&3 default x
  502. # look for NL followed by left bracket
  503. >>>&0 search/8192 \x0A\x00\x5b
  504. >>>>&3 lestring16 ersion] Windows setup INFormation
  505. !:mime application/x-setupscript
  506. !:ext inf
  507. # Windows Precompiled INF files *.PNF added by Joerg Jenderek at Mar 2013 of _PNF_HEADER inf.h
  508. # http://read.pudn.com/downloads3/sourcecode/windows/248345/win2k/private/windows/setup/setupapi/inf.h__.htm
  509. # GRR: the line below is too general as it also catches PDP-11 UNIX/RT ldp
  510. 0 leshort&0xFeFe 0x0000
  511. !:strength -5
  512. # test for unused null bits in PNF_FLAGs
  513. >4 ulelong&0xFCffFe00 0x00000000
  514. # only found 58h for the offset of WinDirPath, immediately after the _PNF_HEADER structure
  515. >>68 ulelong >0x57
  516. # test for zero high byte of InfValueBlockSize, followed by WinDirPath like
  517. # C:\WINDOWS (ASCII 0x433a5c.. , unicode 0x43003a005c..) or X:\MININT
  518. >>>(68.l-1) ubelong&0xffE0C519 =0x00400018 Windows Precompiled iNF
  519. !:mime application/x-pnf
  520. # currently only found Major Version=1 and Minor Version=1
  521. #>>>>0 uleshort =0x0101
  522. #>>>>>1 ubyte x \b, version %u
  523. #>>>>>0 ubyte x \b.%u
  524. >>>>0 uleshort !0x0101
  525. >>>>>1 ubyte x \b, version %u
  526. >>>>>0 ubyte x \b.%u
  527. # 1 ,2 (windows 98 SE)
  528. #>>>>2 uleshort =2 \b, InfStyle %u
  529. >>>>2 uleshort !2 \b, InfStyle %u
  530. # PNF_FLAG_IS_UNICODE 0x00000001
  531. # PNF_FLAG_HAS_STRINGS 0x00000002
  532. # PNF_FLAG_SRCPATH_IS_URL 0x00000004
  533. # PNF_FLAG_HAS_VOLATILE_DIRIDS 0x00000008
  534. # PNF_FLAG_INF_VERIFIED 0x00000010
  535. # PNF_FLAG_INF_DIGITALLY_SIGNED 0x00000020
  536. # ?? 0x00000100
  537. # ?? 0x01000000
  538. # ?? 0x02000000
  539. >>>>4 ulelong&0x00000001 0x00000001 \b, unicoded
  540. >>>>4 ulelong&0x00000020 0x00000020 \b, digitally signed
  541. #>>>>8 ulelong x \b, InfSubstValueListOffset 0x%x
  542. # many 0, 1 lmouusb.PNF, 2 linkfx10.PNF , f webfdr16.PNF
  543. #>>>>12 uleshort x \b, InfSubstValueCount 0x%x
  544. # only < 9 found
  545. #>>>>14 uleshort x \b, InfVersionDatumCount 0x%x
  546. # only found values lower 0x0000ffff
  547. #>>>>16 ulelong x \b, InfVersionDataSize 0x%x
  548. # only found positive values lower 0x00ffFFff for InfVersionDataOffset
  549. >>>>20 ulelong x \b, at 0x%x
  550. >>>>4 ulelong&0x00000001 =0x00000001
  551. # case independent: CatalogFile Class DriverVer layoutfile LayoutFile SetupClass signature Signature
  552. >>>>>(20.l) lestring16 x "%s"
  553. >>>>4 ulelong&0x00000001 !0x00000001
  554. >>>>>(20.l) string x "%s"
  555. # FILETIME is the number of 100-nanosecond intervals since 1 January 1601
  556. #>>>>24 ulequad x \b, InfVersionLastWriteTime %16.16llx
  557. # only found values lower 0x00ffFFff
  558. #>>>>32 ulelong x \b, StringTableBlockOffset 0x%x
  559. #>>>>36 ulelong x \b, StringTableBlockSize 0x%x
  560. #>>>>40 ulelong x \b, InfSectionCount 0x%x
  561. #>>>>44 ulelong x \b, InfSectionBlockOffset 0x%x
  562. #>>>>48 ulelong x \b, InfSectionBlockSize 0x%x
  563. #>>>>52 ulelong x \b, InfLineBlockOffset 0x%x
  564. #>>>>56 ulelong x \b, InfLineBlockSize 0x%x
  565. #>>>>60 ulelong x \b, InfValueBlockOffset 0x%x
  566. #>>>>64 ulelong x \b, InfValueBlockSize 0x%x
  567. # WinDirPathOffset
  568. #>>>>68 ulelong x \b, at 0x%x
  569. >>>>68 ulelong >0x57
  570. >>>>>4 ulelong&0x00000001 =0x00000001
  571. >>>>>>(68.l) ubequad =0x43003a005c005700
  572. # normally unicoded C:\Windows
  573. #>>>>>>>(68.l) lestring16 x \b, WinDirPath "%s"
  574. >>>>>>(68.l) ubequad !0x43003a005c005700
  575. >>>>>>>(68.l) lestring16 x \b, WinDirPath "%s"
  576. >>>>>4 ulelong&0x00000001 !0x00000001
  577. # normally ASCII C:\WINDOWS
  578. #>>>>>>(68.l) string =C:\\WINDOWS \b, WinDirPath "%s"
  579. >>>>>>(68.l) string !C:\\WINDOWS \b, WinDirPath "%s"
  580. # found OsLoaderPathOffset values often 0 , once 70h corelist.PNF, once 68h ASCII machine.PNF
  581. #>>>>72 ulelong >0 \b, at 0x%x
  582. >>>>72 ulelong >0 \b,
  583. >>>>>4 ulelong&0x00000001 =0x00000001
  584. >>>>>>(72.l) lestring16 x OsLoaderPath "%s"
  585. >>>>>4 ulelong&0x00000001 !0x00000001
  586. # seldom C:\ instead of empty
  587. >>>>>>(72.l) string x OsLoaderPath "%s"
  588. # 1fdh
  589. #>>>>76 uleshort x \b, StringTableHashBucketCount 0x%x
  590. >>>>78 uleshort !0x407 \b, LanguageId %x
  591. # only 407h found
  592. #>>>>78 uleshort =0x407 \b, LanguageId %x
  593. # InfSourcePathOffset often 0
  594. #>>>>80 ulelong >0 \b, at 0x%x
  595. >>>>80 ulelong >0 \b,
  596. >>>>>4 ulelong&0x00000001 =0x00000001
  597. >>>>>>(80.l) lestring16 x SourcePath "%s"
  598. >>>>>4 ulelong&0x00000001 !0x00000001
  599. >>>>>>(80.l) string >\0 SourcePath "%s"
  600. # OriginalInfNameOffset often 0
  601. #>>>>84 ulelong >0 \b, at 0x%x
  602. >>>>84 ulelong >0 \b,
  603. >>>>>4 ulelong&0x00000001 =0x00000001
  604. >>>>>>(84.l) lestring16 x InfName "%s"
  605. >>>>>4 ulelong&0x00000001 !0x00000001
  606. >>>>>>(84.l) string >\0 InfName "%s"
  607. # Summary: backup file created with a utility like NTBACKUP.EXE, shipped with Windows NT/2K/XP/2003
  608. # Extension: .bkf
  609. # Created by: Joerg Jenderek
  610. # URL: https://en.wikipedia.org/wiki/NTBackup
  611. # Reference: http://laytongraphics.com/mtf/MTF_100a.PDF
  612. # Descriptor BloCK name of Microsoft Tape Format
  613. 0 string TAPE
  614. # Format Logical Address is zero
  615. >20 ulequad 0
  616. # Reserved for MBC is zero
  617. >>28 uleshort 0
  618. # Control Block ID is zero
  619. >>>36 ulelong 0
  620. # BIT4-BIT15, BIT18-BIT31 of block attributes are unused
  621. >>>>4 ulelong&0xFFfcFFe0 0 Windows NTbackup archive
  622. #!:mime application/x-ntbackup
  623. !:ext bkf
  624. # OS ID
  625. >>>>>10 ubyte 1 \b NetWare
  626. >>>>>10 ubyte 13 \b NetWare SMS
  627. >>>>>10 ubyte 14 \b NT
  628. >>>>>10 ubyte 24 \b 3
  629. >>>>>10 ubyte 25 \b OS/2
  630. >>>>>10 ubyte 26 \b 95
  631. >>>>>10 ubyte 27 \b Macintosh
  632. >>>>>10 ubyte 28 \b UNIX
  633. # OS Version (2)
  634. #>>>>>11 ubyte x OS V=%x
  635. # MTF_CONTINUATION Media Sequence Number > 1
  636. #>>>>>4 ulelong&0x00000001 !0 \b, continued
  637. # MTF_COMPRESSION
  638. >>>>>4 ulelong&0x00000004 !0 \b, compressed
  639. # MTF_EOS_AT_EOM End Of Medium was hit during end of set processing
  640. >>>>>4 ulelong&0x00000008 !0 \b, End Of Medium hit
  641. >>>>>4 ulelong&0x00020000 0
  642. # MTF_SET_MAP_EXISTS A Media Based Catalog Set Map may exist on tape
  643. >>>>>>4 ulelong&0x00010000 !0 \b, with catalog
  644. # MTF_FDD_ALLOWED However File/Directory Detail can only exist if a Set Map is also present
  645. >>>>>4 ulelong&0x00020000 !0 \b, with file catalog
  646. # Offset To First Event 238h,240h,28Ch
  647. #>>>>>8 uleshort x \b, event offset %4.4x
  648. # Displayable Size (20e0230h 20e024ch 20e0224h)
  649. #>>>>>8 ulequad x dis. size %16.16llx
  650. # Media Family ID (455288C4h 4570BD1Ah 45708F2Fh 4570BBF5h)
  651. #>>>>>52 ulelong x family ID %8.8x
  652. # TAPE Attributes (3)
  653. #>>>>>56 ulelong x TAPE %8.8x
  654. # Media Sequence Number
  655. >>>>>60 uleshort >1 \b, sequence %u
  656. # Password Encryption Algorithm (3)
  657. >>>>>62 uleshort >0 \b, 0x%x encrypted
  658. # Soft Filemark Block Size * 512 (2)
  659. #>>>>>64 uleshort =2 \b, soft size %u*512
  660. >>>>>64 uleshort !2 \b, soft size %u*512
  661. # Media Based Catalog Type (1,2)
  662. #>>>>>66 uleshort x \b, catalog type %4.4x
  663. # size of Media Name (66,68,6Eh)
  664. >>>>>68 uleshort >0
  665. # offset of Media Name (5Eh)
  666. >>>>>>70 uleshort >0
  667. # 0~, 1~ANSI, 2~UNICODE
  668. >>>>>>>48 ubyte 1
  669. # size terminated ansi coded string normally followed by "MTF Media Label"
  670. >>>>>>>>(70.s) string >\0 \b, name: %s
  671. >>>>>>>48 ubyte 2
  672. # Not null-terminated, but a size-terminated unicode string
  673. >>>>>>>>(70.s) lestring16 x \b, name: %s
  674. # size of Media Label (104h)
  675. >>>>>72 uleshort >0
  676. # offset of Media Label (C4h,C6h,CCh)
  677. >>>>>74 uleshort >0
  678. >>>>>>48 ubyte 1
  679. #Tag|Version|Vendor|Vendor ID|Creation Time Stamp|Cartridge Label|Side|Media ID|Media Domain ID|Vendor Specific fields
  680. >>>>>>>(74.s) string >\0 \b, label: %s
  681. >>>>>>48 ubyte 2
  682. >>>>>>>(74.s) lestring16 x \b, label: %s
  683. # size of password name (0,1Ch)
  684. #>>>>>76 uleshort >0 \b, password size %4.4x
  685. # Software Vendor ID (CBEh)
  686. >>>>>86 uleshort x \b, software (0x%x)
  687. # size of Software Name (6Eh)
  688. >>>>>80 uleshort >0
  689. # offset of Software Name (1C8h,1CAh,1D0h)
  690. >>>>>>82 uleshort >0
  691. # 1~ANSI, 2~UNICODE
  692. >>>>>>>48 ubyte 1
  693. >>>>>>>>(82.s) string >\0 \b: %s
  694. >>>>>>>48 ubyte 2
  695. # size-terminated unicode string normally followed by "SPAD"
  696. >>>>>>>>(82.s) lestring16 x \b: %s
  697. # Format Logical Block Size (512,1024)
  698. #>>>>>84 uleshort =1024 \b, block size %u
  699. >>>>>84 uleshort !1024 \b, block size %u
  700. # Media Date of MTF_DATE_TIME type with 5 bytes
  701. #>>>>>>88 ubequad x DATE %16.16llx
  702. # MTF Major Version (1)
  703. #>>>>>>93 ubyte x \b, MFT version %x
  704. #
  705. # URL: https://en.wikipedia.org/wiki/PaintShop_Pro
  706. # Reference: https://www.cryer.co.uk/file-types/p/pal.htm
  707. # Created by: Joerg Jenderek
  708. # Note: there exist other color palette formats that also use the .pal extension
  709. 0 string JASC-PAL\r\n PaintShop Pro color palette
  710. #!:mime text/plain
  711. # PspPalette extension is used by newer (probably 8) PaintShopPro versions
  712. !:ext pal/PspPalette
  713. # 2nd line contains palette file version. For example "0100"
  714. >10 string !0100 \b, version %.4s
  715. # third line contains the number of colours: 16 256 ...
  716. >16 string x \b, %.3s colors
  717. # URL: https://en.wikipedia.org/wiki/Innosetup
  718. # Reference: https://github.com/jrsoftware/issrc/blob/master/Projects/Undo.pas
  719. # Created by: Joerg Jenderek
  720. # Note: created by e.g. "InnoSetup self-extracting archive" (see ./msdos)
  721. # TrID labels the entry as "Inno Setup Uninstall Log"
  722. # TUninstallLogID
  723. 0 string Inno\ Setup\ Uninstall\ Log\ (b) InnoSetup Log
  724. !:mime application/x-innosetup
  725. # unins000.dat, unins001.dat, ...
  726. !:ext dat
  727. # " 64-bit" variant
  728. >0x1c string >\0 \b%.7s
  729. # AppName[0x80] like "Minimal SYStem", ClamWin Free Antivirus , ...
  730. >0xc0 string x %s
  731. # AppId[0x80] is similar to AppName or
  732. # GUID like {4BB0DCDC-BC24-49EC-8937-72956C33A470} start with left brace
  733. >0x40 ubyte 0x7b
  734. >>0x40 string x %-.38s
  735. # do not know how this log version correlates to program version
  736. >0x140 ulelong x \b, version 0x%x
  737. # NumRecs
  738. #>0x144 ulelong x \b, 0x%4.4x records
  739. # EndOffset is the file size
  740. >0x148 ulelong x \b, %u bytes
  741. # Flags 5 25h 35h
  742. #>0x14c ulelong x \b, flags %8.8x
  743. # Reserved: array[0..26] of Longint
  744. # the non-Unicode HighestSupportedVersion may never become greater than or equal to 1000
  745. >0x140 ulelong <1000
  746. # hostname
  747. >>0x1d6 pstring x \b, %s
  748. # user name
  749. >>>&0 pstring x \b\%s
  750. # directory like C:\Program Files (x86)\GnuWin32
  751. >>>>&0 pstring x \b, "%s"
  752. # version 1000 or higher implies unicode
  753. >0x140 ulelong >999
  754. # hostname
  755. >>0x1db lestring16 x \b, %-.9s
  756. # UTF string variant prefixed with fe??ffFFff
  757. >>0x1db search/43 \xFF\xFF\xFF
  758. # user name
  759. >>>&0 lestring16 x \b\%-.9s
  760. >>>&0 search/43 \xFF\xFF\xFF
  761. # directory like C:\Program Files\GIMP 2
  762. >>>>&0 lestring16 x \b, %-.42s
  763. # Windows Imaging (WIM) Image
  764. # Update: Joerg Jenderek at Mar 2019
  765. # URL: https://en.wikipedia.org/wiki/Windows_Imaging_Format
  766. # Reference: https://download.microsoft.com/download/f/e/f/
  767. # fefdc36e-392d-4678-9e4e-771ffa2692ab/Windows%20Imaging%20File%20Format.rtf
  768. # Note: verified with tools like `7z t boot.wim` `wiminfo install.esd --header`
  769. 0 string MSWIM\000\000\000
  770. >0 use wim-archive
  771. # https://wimlib.net/man1/wimoptimize.html
  772. 0 string WLPWM\000\000\000
  773. >0 use wim-archive
  774. 0 name wim-archive
  775. # _WIMHEADER_V1_PACKED ImageTag[8]
  776. >0 string x Windows imaging
  777. !:mime application/x-ms-wim
  778. # To avoid, in file version 5.36, errors like
  779. # Magdir/windows, 760: Warning: Current entry does not yet have a description
  780. # file: could not find any valid magic files! (No error)
  781. # split WIM
  782. >16 ulelong &0x00000008 (SWM
  783. !:ext swm
  784. # usPartNumber; 1, unless the file was split into multiple parts
  785. >>40 uleshort x \b %u
  786. # usTotalParts; The total number of WIM file parts in a spanned set
  787. >>42 uleshort x \b of %u) image
  788. # non-split WIM
  789. >16 ulelong ^0x00000008
  790. # https://wimlib.net/man1/wimmount.html
  791. # solid WIMs; version 3584; usually contain LZMS-compressed data and use the .esd extension
  792. >>12 ulelong 3584 (ESD) image
  793. !:ext esd
  794. >>12 ulelong !3584 (WIM) image
  795. !:ext wim
  796. >0 string/b WLPWM\000\000\000 \b, wimlib pipable format
  797. # cbSize; size of the WIM header in bytes, e.g. 208
  798. #>8 ulelong x \b, headersize %u
  799. # dwVersion version of the WIM file 00010d00h~1.13 00000e00h~0.14
  800. >14 uleshort x v%u
  801. >13 ubyte x \b.%u
  802. # dwImageCount; The number of images contained in the WIM file
  803. >44 ulelong >1 \b, %u images
  804. # dwBootIndex
  805. # 1-based index of the bootable image of the WIM, or 0 if no image is bootable
  806. >0x78 ulelong >0 \b, bootable no. %u
  807. # dwFlags
  808. #>16 ulelong x \b, flags 0x%8.8x
  809. #define FLAG_HEADER_COMPRESSION 0x00000002
  810. #define FLAG_HEADER_READONLY 0x00000004
  811. #define FLAG_HEADER_SPANNED 0x00000008
  812. #define FLAG_HEADER_RESOURCE_ONLY 0x00000010
  813. #define FLAG_HEADER_METADATA_ONLY 0x00000020
  814. #define FLAG_HEADER_WRITE_IN_PROGRESS 0x00000040
  815. #define FLAG_HEADER_RP_FIX 0x00000080 reparse point fixup
  816. #define FLAG_HEADER_COMPRESS_RESERVED 0x00010000
  817. #define FLAG_HEADER_COMPRESS_XPRESS 0x00020000
  818. #define FLAG_HEADER_COMPRESS_LZX 0x00040000
  819. #define FLAG_HEADER_COMPRESS_LZMS 0x00080000
  820. #define FLAG_HEADER_COMPRESS_XPRESS2 0x00100000 wimlib-1.13.0\include\wimlib\header.h
  821. # XPRESS, with small chunk size
  822. >16 ulelong &0x00100000 \b, XPRESS2
  823. >16 ulelong &0x00080000 \b, LZMS
  824. >16 ulelong &0x00040000 \b, LZX
  825. >16 ulelong &0x00020000 \b, XPRESS
  826. >16 ulelong &0x00000002 compressed
  827. >16 ulelong &0x00000004 \b, read only
  828. >16 ulelong &0x00000010 \b, resource only
  829. >16 ulelong &0x00000020 \b, metadata only
  830. >16 ulelong &0x00000080 \b, reparse point fixup
  831. #>16 ulelong &0x00010000 \b, RESERVED
  832. # dwCompressionSize; Uncompressed chunk size for resources or 0 if uncompressed
  833. #>20 ulelong >0 \b, chunk size %u bytes
  834. # gWIMGuid
  835. #>24 ubequad x \b, GUID 0x%16.16llx
  836. #>>32 ubequad x \b%16.16llx
  837. # rhOffsetTable; the location of the resource lookup table
  838. # wim_reshdr_disk[24]= u8 size_in_wim[7] + u8 flags + le64 offset_in_wim + le64 uncompressed_size
  839. #>48 ubequad x \b, rhOffsetTable 0x%16.16llx
  840. # rhXmlData; the location of the XML data
  841. #>0x50 ulelong x \b, at 0x%8.8x
  842. # NOT WORKING \xff\xfe<\0W\0I\0M\0
  843. #>(0x50.l) ubequad x \b, xml=%16.16llx
  844. # rhBootMetadata; the location of the metadata resource
  845. #>0x60 ubequad x \b, rhBootMetadata 0x%16.16llx
  846. # rhIntegrity; the location of the integrity table used to verify files
  847. #>0x7c ubequad x \b, rhIntegrity 0x%16.16llx
  848. # Unused[60]
  849. #>148 ubequad !0 \b,unused 0x%16.16llx
  850. #