[dragonfly.git] / contrib / file-4 / magic / Magdir / msdos

#------------------------------------------------------------------------------
# msdos:  file(1) magic for MS-DOS files
#

# .BAT files (Daniel Quinlan, quinlan@yggdrasil.com)
0       string/c        @echo\ off      MS-DOS batch file text

# XXX - according to Microsoft's spec, at an offset of 0x3c in a
# PE-format executable is the offset in the file of the PE header;
# unfortunately, that's a little-endian offset, and there's no way
# to specify an indirect offset with a specified byte order.
# So, for now, we assume the standard MS-DOS stub, which puts the
# PE header at 0x80 = 128.
#
# Required OS version and subsystem version were 4.0 on some NT 3.51
# executables built with Visual C++ 4.0, so it's not clear that
# they're interesting.  The user version was 0.0, but there's
# probably some linker directive to set it.  The linker version was
# 3.0, except for one ".exe" which had it as 4.20 (same damn linker!).
#
128     string          PE\0\0  MS Windows PE
>150    leshort&0x0100  >0      32-bit
>132    leshort         0x0     unknown processor
>132    leshort         0x14c   Intel 80386
>132    leshort         0x166   MIPS R4000
>132    leshort         0x184   Alpha
>132    leshort         0x268   Motorola 68000
>132    leshort         0x1f0   PowerPC
>132    leshort         0x290   PA-RISC
>148    leshort         >27
>>220   leshort         0       unknown subsystem
>>220   leshort         1       native
>>220   leshort         2       GUI
>>220   leshort         3       console
>>220   leshort         7       POSIX
>150    leshort&0x2000  =0      executable
#>>136  ledate          x       stamp %s,
>>150   leshort&0x0001  >0      not relocatable
#>>150  leshort&0x0004  =0      with line numbers,
#>>150  leshort&0x0008  =0      with local symbols,
#>>150  leshort&0x0200  =0      with debug symbols,
>>150   leshort&0x1000  >0      system file
#>>148  leshort         >0
#>>>154 byte            x       linker %d
#>>>155 byte            x       \b.%d,
#>>148  leshort         >27
#>>>192 leshort         x       requires OS %d
#>>>194 leshort         x       \b.%d,
#>>>196 leshort         x       user version %d
#>>>198 leshort         x       \b.%d,
#>>>200 leshort         x       subsystem version %d
#>>>202 leshort         x       \b.%d,
>150    leshort&0x2000  >0      DLL
#>>136  ledate          x       stamp %s,
>>150   leshort&0x0001  >0      not relocatable
#>>150  leshort&0x0004  =0      with line numbers,
#>>150  leshort&0x0008  =0      with local symbols,
#>>150  leshort&0x0200  =0      with debug symbols,
>>150   leshort&0x1000  >0      system file
#>>148  leshort         >0
#>>>154 byte            x       linker %d
#>>>155 byte            x       \b.%d,
#>>148  leshort         >27
#>>>192 leshort         x       requires OS %d
#>>>194 leshort         x       \b.%d,
#>>>196 leshort         x       user version %d
#>>>198 leshort         x       \b.%d,
#>>>200 leshort         x       subsystem version %d
#>>>202 leshort         x       \b.%d,
0       leshort         0x14c   MS Windows COFF Intel 80386 object file
#>4     ledate          x       stamp %s
0       leshort         0x166   MS Windows COFF MIPS R4000 object file
#>4     ledate          x       stamp %s
0       leshort         0x184   MS Windows COFF Alpha object file
#>4     ledate          x       stamp %s
0       leshort         0x268   MS Windows COFF Motorola 68000 object file
#>4     ledate          x       stamp %s
0       leshort         0x1f0   MS Windows COFF PowerPC object file
#>4     ledate          x       stamp %s
0       leshort         0x290   MS Windows COFF PA-RISC object file
#>4     ledate          x       stamp %s

# .EXE formats (Greg Roelofs, newt@uchicago.edu)
#
0       string  MZ              MS-DOS executable (EXE)
>24     string  @               \b, OS/2 or MS Windows
>>0xe7  string  LH/2\ Self-Extract      \b, %s
>>0xe9  string  PKSFX2          \b, %s
>>122   string  Windows\ self-extracting\ ZIP   \b, %s
>0x1c   string  RJSX\xff\xff    \b, ARJ SFX
>0x1c   string  diet\xf9\x9c    \b, diet compressed
>0x1c   string  LZ09            \b, LZEXE v0.90 compressed
>0x1c   string  LZ91            \b, LZEXE v0.91 compressed
>0x1e   string  Copyright\ 1989-1990\ PKWARE\ Inc.      \b, PKSFX
# JM: 0x1e "PKLITE Copr. 1990-92 PKWARE Inc. All Rights Reserved\7\0\0\0"
>0x1e   string  PKLITE\ Copr.   \b, %.6s compressed
>0x24   string  LHa's\ SFX      \b, %.15s
>0x24   string  LHA's\ SFX      \b, %.15s
>1638   string  -lh5-           \b, LHa SFX archive v2.13S
>7195   string  Rar!            \b, RAR self-extracting archive
#
# [GRR 950118:  file 3.15 has a buffer-size limitation; offsets bigger than
#   8161 bytes are ignored.  To make the following entries work, increase
#   HOWMANY in file.h to 32K at least, and maybe to 70K or more for OS/2,
#   NT/Win32 and VMS.]
# [GRR:  some company sells a self-extractor/displayer for image data(!)]
#
>11696  string  PK\003\004      \b, PKZIP SFX archive v1.1
>13297  string  PK\003\004      \b, PKZIP SFX archive v1.93a
>15588  string  PK\003\004      \b, PKZIP2 SFX archive v1.09
>15770  string  PK\003\004      \b, PKZIP SFX archive v2.04g
>28374  string  PK\003\004      \b, PKZIP2 SFX archive v1.02
#
# Info-ZIP self-extractors
#    these are the DOS versions:
>25115  string  PK\003\004      \b, Info-ZIP SFX archive v5.12
>26331  string  PK\003\004      \b, Info-ZIP SFX archive v5.12 w/decryption
#    these are the OS/2 versions (OS/2 is flagged above):
>47031  string  PK\003\004      \b, Info-ZIP SFX archive v5.12
>49845  string  PK\003\004      \b, Info-ZIP SFX archive v5.12 w/decryption
#    this is the NT/Win32 version:
>69120  string  PK\003\004      \b, Info-ZIP NT SFX archive v5.12 w/decryption
#
# TELVOX Teleinformatica CODEC self-extractor for OS/2:
>49801  string  \x79\xff\x80\xff\x76\xff        \b, CODEC archive v3.21
>>49824 leshort         =1                      \b, 1 file
>>49824 leshort         >1                      \b, %u files

# .COM formats (Daniel Quinlan, quinlan@yggdrasil.com)
# Uncommenting only the first two lines will cover about 2/3 of COM files,
# but it isn't feasible to match all COM files since there must be at least
# two dozen different one-byte "magics".
#0      byte            0xe9            MS-DOS executable (COM)
#>6     string  SFX\ of\ LHarc  (%s)
#0      byte            0x8c            MS-DOS executable (COM)
# 0xeb conflicts with "sequent" magic
#0      byte            0xeb            MS-DOS executable (COM)
#0      byte            0xb8            MS-DOS executable (COM)

# miscellaneous formats
0       string          LZ              MS-DOS executable (built-in)
#0      byte            0xf0            MS-DOS program library data
#

#
# Windows Registry files.
#
0       string          regf            Windows NT registry file
0       string          CREG            Windows 95 registry file


# AAF files:
# <stuartc@rd.bbc.co.uk> Stuart Cunningham
0       string  \320\317\021\340\241\261\032\341AAFB\015\000OM\006\016\053\064\001\001\001\377                  AAF legacy file using MS Structured Storage
>30     byte    9               (512B sectors)
>30     byte    12              (4kB sectors)
0       string  \320\317\021\340\241\261\032\341\001\002\001\015\000\002\000\000\006\016\053\064\003\002\001\001                        AAF file using MS Structured Storage
>30     byte    9               (512B sectors)
>30     byte    12              (4kB sectors)

# Popular applications
2080    string  Microsoft\ Word\ 6.0\ Document  %s
2080    string  Documento\ Microsoft\ Word\ 6 Spanish Microsoft Word 6 document data
# Pawel Wiecek <coven@i17linuxb.ists.pwr.wroc.pl> (for polish Word)
2112    string  MSWordDoc                       Microsoft Word document data
#
0       belong  0x31be0000                      Microsoft Word Document
#
0       string  PO^Q`                           Microsoft Word 6.0 Document
#
0       string  \376\067\0\043                  Microsoft Office Document
0       string  \320\317\021\340\241\261\032\341        Microsoft Office Document
0       string  \333\245-\0\0\0                 Microsoft Office Document
#
2080    string  Microsoft\ Excel\ 5.0\ Worksheet        %s
2080    string  Foglio\ di\ lavoro\ Microsoft\ Exce     %s
#
# Pawel Wiecek <coven@i17linuxb.ists.pwr.wroc.pl> (for polish Excel)
2114    string  Biff5           Microsoft Excel 5.0 Worksheet
# Italian MS-Excel
2121    string  Biff5           Microsoft Excel 5.0 Worksheet
0       string  \x09\x04\x06\x00\x00\x00\x10\x00        Microsoft Excel Worksheet
#
0       belong  0x00001a00      Lotus 1-2-3
>4      belong  0x00100400      wk3 document data
>4      belong  0x02100400      wk4 document data
>4      belong  0x07800100      fm3 or fmb document data
>4      belong  0x07800000      fm3 or fmb document data
#
0       belong  0x00000200      Lotus 1-2-3
>4      belong  0x06040600      wk1 document data
>4      belong  0x06800200      fmt document data

# Help files
0       string  ?_\3\0          MS Windows Help Data

#  DeIsL1.isu what this is I don't know
0       string  \161\250\000\000\001\002        DeIsL1.isu whatever that is

# Winamp .avs
#0      string  Nullsoft\ AVS\ Preset\ \060\056\061\032 A plug in for Winamp ms-windows Freeware media player
0       string  Nullsoft\ AVS\ Preset\  Winamp plug in

# Hyper terminal:
0       string  HyperTerminal\  hyperterm
>15     string  1.0\ --\ HyperTerminal\ data\ file      MS-windows Hyperterminal

# Windows Metafont .WMF
0       string  \327\315\306\232\000\000\000\000\000\000        ms-windows metafont .wmf

#tz3 files whatever that is (MS Works files)
0       string  \003\001\001\004\070\001\000\000        tz3 ms-works file
0       string  \003\002\001\004\070\001\000\000        tz3 ms-works file
0       string  \003\003\001\004\070\001\000\000        tz3 ms-works file

# PGP sig files .sig
#0 string \211\000\077\003\005\000\063\237\127 065 to  \027\266\151\064\005\045\101\233\021\002 PGP sig
0 string \211\000\077\003\005\000\063\237\127\065\027\266\151\064\005\045\101\233\021\002 PGP sig
0 string \211\000\077\003\005\000\063\237\127\066\027\266\151\064\005\045\101\233\021\002 PGP sig
0 string \211\000\077\003\005\000\063\237\127\067\027\266\151\064\005\045\101\233\021\002 PGP sig
0 string \211\000\077\003\005\000\063\237\127\070\027\266\151\064\005\045\101\233\021\002 PGP sig
0 string \211\000\077\003\005\000\063\237\127\071\027\266\151\064\005\045\101\233\021\002 PGP sig
0 string \211\000\225\003\005\000\062\122\207\304\100\345\042 PGP sig

# windows zips files .dmf
0       string  MDIF\032\000\010\000\000\000\372\046\100\175\001\000\001\036\001\000 Ms-windows special zipped file


# Windows help file FTG FTS
0       string  \164\146\115\122\012\000\000\000\001\000\000\000        ms-windows help cache

# grp old windows 3.1 group files
0 string  \120\115\103\103      Ms-windows 3.1 group files


# lnk files windows symlinks
0       string  \114\000\000\000\001\024\002\000\000\000\000\000\300\000\000\000\000\000\000\106        ms-Windows shortcut

#ico files
0       string  \102\101\050\000\000\000\056\000\000\000\000\000\000\000        Icon for ms-windows

# Windows icons (Ian Springer <ips@fpk.hp.com>)
0       string  \000\000\001\000        ms-windows icon resource
>4      byte    1                       - 1 icon
>4      byte    >1                      - %d icons
>>6     byte    >0                      \b, %dx
>>>7    byte    >0                      \b%d
>>8     byte    0                       \b, 256-colors
>>8     byte    >0                      \b, %d-colors


# .chr files
0       string  PK\010\010BGI   Borland font 
>4      string  >\0     %s
# then there is a copyright notice


# .bgi files
0       string  pk\010\010BGI   Borland device 
>4      string  >\0     %s
# then there is a copyright notice


# recycled/info the windows trash bin index
9       string  \000\000\000\030\001\000\000\000 ms-windows recycled bin info


##### put in Either Magic/font or Magic/news
# Acroread or something  files wrongly identified as G3  .pfm
# these have the form \000 \001 any? \002 \000 \000
# or \000 \001 any? \022 \000 \000
#0      string  \000\001 pfm?
#>3     string  \022\000\000Copyright\  yes
#>3     string  \002\000\000Copyright\  yes
#>3     string  >\0     oops, not a font file. Cancel that.
#it clashes with ttf files so put it lower down.

# From Doug Lee via a FreeBSD pr
9       string          GERBILDOC       First Choice document
9       string          GERBILDB        First Choice database
9       string          GERBILCLIP      First Choice database
0       string          GERBIL          First Choice device file
9       string          RABBITGRAPH     RabbitGraph file
0       string          DCU1            Borland Delphi .DCU file
0       string          !<spell>        MKS Spell hash list (old format)
0       string          !<spell2>       MKS Spell hash list
# Too simple - MPi
#0      string          AH              Halo(TM) bitmapped font file
0       lelong          0x08086b70      TurboC BGI file
0       lelong          0x08084b50      TurboC Font file

# WARNING: below line conflicts with Infocom game data Z-machine 3
0       byte            0x03            DBase 3 data file
>0x04   lelong          0               (no records)
>0x04   lelong          >0              (%ld records)
0       byte            0x83            DBase 3 data file with memo(s)
>0x04   lelong          0               (no records)
>0x04   lelong          >0              (%ld records)
0       leshort         0x0006          DBase 3 index file
0       string          PMCC            Windows 3.x .GRP file
1       string          RDC-meg         MegaDots 
>8      byte            >0x2F           version %c
>9      byte            >0x2F           \b.%c file
0       lelong          0x4C
>4      lelong          0x00021401      Windows shortcut file

# DOS EPS Binary File Header
# From: Ed Sznyter <ews@Black.Market.NET>
0       belong          0xC5D0D3C6      DOS EPS Binary File
>4      long            >0              Postscript starts at byte %d
>>8     long            >0              length %d
>>>12   long            >0              Metafile starts at byte %d
>>>>16  long            >0              length %d
>>>20   long            >0              TIFF starts at byte %d
>>>>24  long            >0              length %d

# TNEF magic From "Joomy" <joomy@se-ed.net> 
0       leshort         0x223e9f78      TNEF

# HtmlHelp files (.chm)
0       string  ITSF\003\000\000\000\x60\000\000\000\001\000\000\000    MS Windows HtmlHelp Data

# GFA-BASIC (Wolfram Kleff)
2       string          GFA-BASIC3      GFA-BASIC 3 data

# DJGPP compiled files
# v >2, uses DPMI & small(2k) stub (Robert vd Boon, rjvdboon@europe.com)
0x200   string          go32stub        DOS-executable compiled w/DJGPP
>0x20c  string          >0              (stub v%.4s)
>>0x8b2 string          djp             [compressed w/%s
>>>&1   string          >\0             %.4s]
>>0x8ad string          UPX             [compressed w/%s
>>>&1   string          >\0             %.4s]
>>0x1c  string          pmodedj         stubbed with %s

#------------------------------------------------------------------------------
# From Stuart Caie <kyzer@4u.net> (developer of cabextract)
# Microsoft Cabinet files
0       string          MSCF\0\0\0\0    Microsoft Cabinet file
>8      lelong          x               \b, %u bytes
>28     leshort         1               \b, 1 file
>28     leshort         >1              \b, %u files

# InstallShield Cabinet files
0       string          ISc(            InstallShield Cabinet file
>5      byte&0xf0       =0x60           version 6,
>5      byte&0xf0       !0x60           version 4/5,
>(12.l+40)      lelong  x               %u files

# Windows CE package files
0       string          MSCE\0\0\0\0    Microsoft WinCE install header
>20     lelong          0               \b, architecture-independent
>20     lelong          103             \b, Hitachi SH3
>20     lelong          104             \b, Hitachi SH4
>20     lelong          0xA11           \b, StrongARM
>20     lelong          4000            \b, MIPS R4000
>20     lelong          10003           \b, Hitachi SH3
>20     lelong          10004           \b, Hitachi SH3E
>20     lelong          10005           \b, Hitachi SH4
>20     lelong          70001           \b, ARM 7TDMI
>52     leshort         1               \b, 1 file
>52     leshort         >1              \b, %u files
>56     leshort         1               \b, 1 registry entry
>56     leshort         >1              \b, %u registry entries

# Outlook Personal Folders
0       lelong  0x4E444221      Microsoft Outlook binary email folder

# From: Dirk Jagdmann <doj@cubic.org>
0       lelong  0x00035f3f      Windows 3.x help file

# Christophe Monniez
0       string  Client\ UrlCache\ MMF   Microsoft Internet Explorer Cache File
>20     string  >\0                     Version %s
0       string  \xCF\xAD\x12\xFE        Microsoft Outlook Express DBX File
>4      byte    =0xC5                   Message database
>4      byte    =0xC6                   Folder database
>4      byte    =0xC7                   Accounts informations
>4      byte    =0x30                   Offline database


# Windows Enhanced Metafile (EMF)
# See msdn.microsoft.com/archive/en-us/dnargdi/html/msdn_enhmeta.asp 
# for further information. Note that "0 lelong 1" should be true i.e.
# the first double word in the file should be 1. With the extended
# syntax available by some file commands you could write:
# 0 lelong 1
# &40 ulelong 0x464D4520 Windows Enhanced Metafile (EMF) image data
40      ulelong 0x464D4520      Windows Enhanced Metafile (EMF) image data
>44     ulelong x               version 0x%x.
# If the description has a length greater than zero, it exists and is 
# found at offset (*64).
>64     ulelong >0              Description available at offset 0x%x
>>60    ulelong >0              (length 0x%x)
# Note it would be better to print out the description, which is found 
# as below. Unfortunately the following only prints out the first couple
# of characters instead of all the "description length"
# number of characters -- indicated by the ulelong at offset 60.
>>(64.l)  lestring16 >0 Description: %15.15s