Import file-5.10.
[dragonfly.git] / contrib / file / magic / Magdir / msdos
CommitLineData
ab0b56cc
JS
1
2#------------------------------------------------------------------------------
9f86ab30 3# $File: msdos,v 1.77 2011/12/07 22:05:05 christos Exp $
ab0b56cc
JS
4# msdos: file(1) magic for MS-DOS files
5#
6
7# .BAT files (Daniel Quinlan, quinlan@yggdrasil.com)
884044a5 8# updated by Joerg Jenderek at Oct 2008,Apr 2011
e4d4ce0c 90 string/t @
f72f8299 10>1 string/cW \ echo\ off DOS batch file text
79343712 11!:mime text/x-msdos-batch
f72f8299 12>1 string/cW echo\ off DOS batch file text
79343712 13!:mime text/x-msdos-batch
884044a5 14>1 string/cW rem DOS batch file text
79343712 15!:mime text/x-msdos-batch
f72f8299 16>1 string/cW set\ DOS batch file text
79343712 17!:mime text/x-msdos-batch
9b22a626 18
ab0b56cc 19
2be182fc
JS
20# OS/2 batch files are REXX. the second regex is a bit generic, oh well
21# the matched commands seem to be common in REXX and uncommon elsewhere
e4d4ce0c
PA
22100 search/0xffff rxfuncadd
23>100 regex/c =^[\ \t]{0,10}call[\ \t]{1,10}rxfunc OS/2 REXX batch file text
24100 search/0xffff say
25>100 regex/c =^[\ \t]{0,10}say\ ['"] OS/2 REXX batch file text
09b9c1a5 26
ab0b56cc
JS
270 leshort 0x14c MS Windows COFF Intel 80386 object file
28#>4 ledate x stamp %s
290 leshort 0x166 MS Windows COFF MIPS R4000 object file
30#>4 ledate x stamp %s
310 leshort 0x184 MS Windows COFF Alpha object file
32#>4 ledate x stamp %s
330 leshort 0x268 MS Windows COFF Motorola 68000 object file
34#>4 ledate x stamp %s
350 leshort 0x1f0 MS Windows COFF PowerPC object file
36#>4 ledate x stamp %s
370 leshort 0x290 MS Windows COFF PA-RISC object file
38#>4 ledate x stamp %s
39
e4d4ce0c 40# Tests for various EXE types.
ab0b56cc 41#
e4d4ce0c 42# Many of the compressed formats were extraced from IDARC 1.23 source code.
ab0b56cc 43#
9f86ab30 440 string/b MZ
79343712 45!:mime application/x-dosexec
e4d4ce0c
PA
46# All non-DOS EXE extensions have the relocation table more than 0x40 bytes into the file.
47>0x18 leshort <0x40 MS-DOS executable
48# These traditional tests usually work but not always. When test quality support is
49# implemented these can be turned on.
50#>>0x18 leshort 0x1c (Borland compiler)
51#>>0x18 leshort 0x1e (MS compiler)
52
53# If the relocation table is 0x40 or more bytes into the file, it's definitely
54# not a DOS EXE.
2be182fc 55>0x18 leshort >0x3f
e4d4ce0c
PA
56
57# Maybe it's a PE?
79343712 58>>(0x3c.l) string PE\0\0 PE
e4d4ce0c
PA
59>>>(0x3c.l+24) leshort 0x010b \b32 executable
60>>>(0x3c.l+24) leshort 0x020b \b32+ executable
61>>>(0x3c.l+24) leshort 0x0107 ROM image
62>>>(0x3c.l+24) default x Unknown PE signature
63>>>>&0 leshort x 0x%x
64>>>(0x3c.l+22) leshort&0x2000 >0 (DLL)
65>>>(0x3c.l+92) leshort 1 (native)
66>>>(0x3c.l+92) leshort 2 (GUI)
67>>>(0x3c.l+92) leshort 3 (console)
68>>>(0x3c.l+92) leshort 7 (POSIX)
69>>>(0x3c.l+92) leshort 9 (Windows CE)
79343712
PA
70>>>(0x3c.l+92) leshort 10 (EFI application)
71>>>(0x3c.l+92) leshort 11 (EFI boot service driver)
72>>>(0x3c.l+92) leshort 12 (EFI runtime driver)
e4d4ce0c
PA
73>>>(0x3c.l+92) leshort 13 (EFI ROM)
74>>>(0x3c.l+92) leshort 14 (XBOX)
75>>>(0x3c.l+92) leshort 15 (Windows boot application)
76>>>(0x3c.l+92) default x (Unknown subsystem
77>>>>&0 leshort x 0x%x)
79343712
PA
78>>>(0x3c.l+4) leshort 0x14c Intel 80386
79>>>(0x3c.l+4) leshort 0x166 MIPS R4000
e4d4ce0c 80>>>(0x3c.l+4) leshort 0x168 MIPS R10000
79343712 81>>>(0x3c.l+4) leshort 0x184 Alpha
e4d4ce0c
PA
82>>>(0x3c.l+4) leshort 0x1a2 Hitachi SH3
83>>>(0x3c.l+4) leshort 0x1a6 Hitachi SH4
84>>>(0x3c.l+4) leshort 0x1c0 ARM
85>>>(0x3c.l+4) leshort 0x1c2 ARM Thumb
79343712 86>>>(0x3c.l+4) leshort 0x1f0 PowerPC
79343712 87>>>(0x3c.l+4) leshort 0x200 Intel Itanium
e4d4ce0c
PA
88>>>(0x3c.l+4) leshort 0x266 MIPS16
89>>>(0x3c.l+4) leshort 0x268 Motorola 68000
90>>>(0x3c.l+4) leshort 0x290 PA-RISC
91>>>(0x3c.l+4) leshort 0x366 MIPSIV
92>>>(0x3c.l+4) leshort 0x466 MIPS16 with FPU
93>>>(0x3c.l+4) leshort 0xebc EFI byte code
94>>>(0x3c.l+4) leshort 0x8664 x86-64
95>>>(0x3c.l+4) leshort 0xc0ee MSIL
96>>>(0x3c.l+4) default x Unknown processor type
97>>>>&0 leshort x 0x%x
98>>>(0x3c.l+22) leshort&0x0200 >0 (stripped to external PDB)
79343712 99>>>(0x3c.l+22) leshort&0x1000 >0 system file
e4d4ce0c
PA
100>>>(0x3c.l+24) leshort 0x010b
101>>>>(0x3c.l+232) lelong >0 Mono/.Net assembly
102>>>(0x3c.l+24) leshort 0x020b
103>>>>(0x3c.l+248) lelong >0 Mono/.Net assembly
2be182fc 104
e4d4ce0c
PA
105# hooray, there's a DOS extender using the PE format, with a valid PE
106# executable inside (which just prints a message and exits if run in win)
107>>>(8.s*16) string 32STUB \b, 32rtm DOS extender
108>>>(8.s*16) string !32STUB \b, for MS Windows
109>>>(0x3c.l+0xf8) string UPX0 \b, UPX compressed
110>>>(0x3c.l+0xf8) search/0x140 PEC2 \b, PECompact2 compressed
111>>>(0x3c.l+0xf8) search/0x140 UPX2
112>>>>(&0x10.l+(-4)) string PK\3\4 \b, ZIP self-extracting archive (Info-Zip)
113>>>(0x3c.l+0xf8) search/0x140 .idata
114>>>>(&0xe.l+(-4)) string PK\3\4 \b, ZIP self-extracting archive (Info-Zip)
115>>>>(&0xe.l+(-4)) string ZZ0 \b, ZZip self-extracting archive
116>>>>(&0xe.l+(-4)) string ZZ1 \b, ZZip self-extracting archive
117>>>(0x3c.l+0xf8) search/0x140 .rsrc
118>>>>(&0x0f.l+(-4)) string a\\\4\5 \b, WinHKI self-extracting archive
119>>>>(&0x0f.l+(-4)) string Rar! \b, RAR self-extracting archive
120>>>>(&0x0f.l+(-4)) search/0x3000 MSCF \b, InstallShield self-extracting archive
121>>>>(&0x0f.l+(-4)) search/32 Nullsoft \b, Nullsoft Installer self-extracting archive
122>>>(0x3c.l+0xf8) search/0x140 .data
123>>>>(&0x0f.l) string WEXTRACT \b, MS CAB-Installer self-extracting archive
124>>>(0x3c.l+0xf8) search/0x140 .petite\0 \b, Petite compressed
125>>>>(0x3c.l+0xf7) byte x
126>>>>>(&0x104.l+(-4)) string =!sfx! \b, ACE self-extracting archive
127>>>(0x3c.l+0xf8) search/0x140 .WISE \b, WISE installer self-extracting archive
128>>>(0x3c.l+0xf8) search/0x140 .dz\0\0\0 \b, Dzip self-extracting archive
129>>>&(0x3c.l+0xf8) search/0x100 _winzip_ \b, ZIP self-extracting archive (WinZip)
130>>>&(0x3c.l+0xf8) search/0x100 SharedD \b, Microsoft Installer self-extracting archive
131>>>0x30 string Inno \b, InnoSetup self-extracting archive
132
133# Hmm, not a PE but the relocation table is too high for a traditional DOS exe,
134# must be one of the unusual subformats.
79343712
PA
135>>(0x3c.l) string !PE\0\0 MS-DOS executable
136
9b22a626 137>>(0x3c.l) string NE \b, NE
2be182fc
JS
138>>>(0x3c.l+0x36) byte 1 for OS/2 1.x
139>>>(0x3c.l+0x36) byte 2 for MS Windows 3.x
140>>>(0x3c.l+0x36) byte 3 for MS-DOS
e4d4ce0c
PA
141>>>(0x3c.l+0x36) byte 4 for Windows 386
142>>>(0x3c.l+0x36) byte 5 for Borland Operating System Services
143>>>(0x3c.l+0x36) default x
144>>>>(0x3c.l+0x36) byte x (unknown OS %x)
2be182fc
JS
145>>>(0x3c.l+0x36) byte 0x81 for MS-DOS, Phar Lap DOS extender
146>>>(0x3c.l+0x0c) leshort&0x8003 0x8002 (DLL)
147>>>(0x3c.l+0x0c) leshort&0x8003 0x8001 (driver)
148>>>&(&0x24.s-1) string ARJSFX \b, ARJ self-extracting archive
149>>>(0x3c.l+0x70) search/0x80 WinZip(R)\ Self-Extractor \b, ZIP self-extracting archive (WinZip)
150
9b22a626 151>>(0x3c.l) string LX\0\0 \b, LX
2be182fc
JS
152>>>(0x3c.l+0x0a) leshort <1 (unknown OS)
153>>>(0x3c.l+0x0a) leshort 1 for OS/2
154>>>(0x3c.l+0x0a) leshort 2 for MS Windows
155>>>(0x3c.l+0x0a) leshort 3 for DOS
156>>>(0x3c.l+0x0a) leshort >3 (unknown OS)
157>>>(0x3c.l+0x10) lelong&0x28000 =0x8000 (DLL)
158>>>(0x3c.l+0x10) lelong&0x20000 >0 (device driver)
159>>>(0x3c.l+0x10) lelong&0x300 0x300 (GUI)
160>>>(0x3c.l+0x10) lelong&0x28300 <0x300 (console)
161>>>(0x3c.l+0x08) leshort 1 i80286
162>>>(0x3c.l+0x08) leshort 2 i80386
163>>>(0x3c.l+0x08) leshort 3 i80486
164>>>(8.s*16) string emx \b, emx
165>>>>&1 string x %s
166>>>&(&0x54.l-3) string arjsfx \b, ARJ self-extracting archive
167
168# MS Windows system file, supposedly a collection of LE executables
9b22a626 169>>(0x3c.l) string W3 \b, W3 for MS Windows
2be182fc 170
9b22a626 171>>(0x3c.l) string LE\0\0 \b, LE executable
2be182fc
JS
172>>>(0x3c.l+0x0a) leshort 1
173# some DOS extenders use LE files with OS/2 header
174>>>>0x240 search/0x100 DOS/4G for MS-DOS, DOS4GW DOS extender
175>>>>0x240 search/0x200 WATCOM\ C/C++ for MS-DOS, DOS4GW DOS extender
176>>>>0x440 search/0x100 CauseWay\ DOS\ Extender for MS-DOS, CauseWay DOS extender
177>>>>0x40 search/0x40 PMODE/W for MS-DOS, PMODE/W DOS extender
178>>>>0x40 search/0x40 STUB/32A for MS-DOS, DOS/32A DOS extender (stub)
179>>>>0x40 search/0x80 STUB/32C for MS-DOS, DOS/32A DOS extender (configurable stub)
180>>>>0x40 search/0x80 DOS/32A for MS-DOS, DOS/32A DOS extender (embedded)
181# this is a wild guess; hopefully it is a specific signature
182>>>>&0x24 lelong <0x50
183>>>>>(&0x4c.l) string \xfc\xb8WATCOM
184>>>>>>&0 search/8 3\xdbf\xb9 \b, 32Lite compressed
185# another wild guess: if real OS/2 LE executables exist, they probably have higher start EIP
186#>>>>(0x3c.l+0x1c) lelong >0x10000 for OS/2
187# fails with DOS-Extenders.
188>>>(0x3c.l+0x0a) leshort 2 for MS Windows
9b22a626 189>>>(0x3c.l+0x0a) leshort 3 for DOS
2be182fc
JS
190>>>(0x3c.l+0x0a) leshort 4 for MS Windows (VxD)
191>>>(&0x7c.l+0x26) string UPX \b, UPX compressed
192>>>&(&0x54.l-3) string UNACE \b, ACE self-extracting archive
193
194# looks like ASCII, probably some embedded copyright message.
195# and definitely not NE/LE/LX/PE
196>>0x3c lelong >0x20000000
9b22a626 197>>>(4.s*512) leshort !0x014c \b, MZ for MS-DOS
2be182fc
JS
198# header data too small for extended executable
199>2 long !0
79343712 200>>0x18 leshort <0x40
2be182fc
JS
201>>>(4.s*512) leshort !0x014c
202
203>>>>&(2.s-514) string !LE
9b22a626
PA
204>>>>>&-2 string !BW \b, MZ for MS-DOS
205>>>>&(2.s-514) string LE \b, LE
2be182fc
JS
206>>>>>0x240 search/0x100 DOS/4G for MS-DOS, DOS4GW DOS extender
207# educated guess since indirection is still not capable enough for complex offset
208# calculations (next embedded executable would be at &(&2*512+&0-2)
209# I suspect there are only LE executables in these multi-exe files
210>>>>&(2.s-514) string BW
9b22a626
PA
211>>>>>0x240 search/0x100 DOS/4G ,\b LE for MS-DOS, DOS4GW DOS extender (embedded)
212>>>>>0x240 search/0x100 !DOS/4G ,\b BW collection for MS-DOS
2be182fc
JS
213
214# This sequence skips to the first COFF segment, usually .text
9b22a626 215>(4.s*512) leshort 0x014c \b, COFF
2be182fc
JS
216>>(8.s*16) string go32stub for MS-DOS, DJGPP go32 DOS extender
217>>(8.s*16) string emx
218>>>&1 string x for DOS, Win or OS/2, emx %s
219>>&(&0x42.l-3) byte x
220>>>&0x26 string UPX \b, UPX compressed
221# and yet another guess: small .text, and after large .data is unusal, could be 32lite
222>>&0x2c search/0xa0 .text
223>>>&0x0b lelong <0x2000
224>>>>&0 lelong >0x6000 \b, 32lite compressed
225
226>(8.s*16) string $WdX \b, WDos/X DOS extender
227
e4d4ce0c
PA
228# By now an executable type should have been printed out. The executable
229# may be a self-uncompressing archive, so look for evidence of that and
230# print it out.
231#
232# Some signatures below from Greg Roelofs, newt@uchicago.edu.
ab0b56cc 233#
79343712 234>0x35 string \x8e\xc0\xb9\x08\x00\xf3\xa5\x4a\x75\xeb\x8e\xc3\x8e\xd8\x33\xff\xbe\x30\x00\x05 \b, aPack compressed
e4d4ce0c
PA
235>0xe7 string LH/2\ Self-Extract \b, %s
236>0x1c string UC2X \b, UCEXE compressed
237>0x1c string WWP\ \b, WWPACK compressed
238>0x1c string RJSX \b, ARJ self-extracting archive
239>0x1c string diet \b, diet compressed
240>0x1c string LZ09 \b, LZEXE v0.90 compressed
241>0x1c string LZ91 \b, LZEXE v0.91 compressed
242>0x1c string tz \b, TinyProg compressed
243>0x1e string Copyright\ 1989-1990\ PKWARE\ Inc. Self-extracting PKZIP archive
244!:mime application/zip
245# Yes, this really is "Copr", not "Corp."
246>0x1e string PKLITE\ Copr. Self-extracting PKZIP archive
247!:mime application/zip
248# winarj stores a message in the stub instead of the sig in the MZ header
249>0x20 search/0xe0 aRJsfX \b, ARJ self-extracting archive
250>0x20 string AIN
251>>0x23 string 2 \b, AIN 2.x compressed
252>>0x23 string <2 \b, AIN 1.x compressed
253>>0x23 string >2 \b, AIN 1.x compressed
2be182fc 254>0x24 string LHa's\ SFX \b, LHa self-extracting archive
79343712 255!:mime application/x-lha
2be182fc 256>0x24 string LHA's\ SFX \b, LHa self-extracting archive
79343712
PA
257!:mime application/x-lha
258>0x24 string \ $ARX \b, ARX self-extracting archive
259>0x24 string \ $LHarc \b, LHarc self-extracting archive
260>0x20 string SFX\ by\ LARC \b, LARC self-extracting archive
e4d4ce0c
PA
261>0x40 string aPKG \b, aPackage self-extracting archive
262>0x64 string W\ Collis\0\0 \b, Compack compressed
263>0x7a string Windows\ self-extracting\ ZIP \b, ZIP self-extracting archive
264>>&0xf4 search/0x140 \x0\x40\x1\x0
265>>>(&0.l+(4)) string MSCF \b, WinHKI CAB self-extracting archive
2be182fc 266>1638 string -lh5- \b, LHa self-extracting archive v2.13S
79343712 267>0x17888 string Rar! \b, RAR self-extracting archive
2be182fc 268
e4d4ce0c
PA
269# Skip to the end of the EXE. This will usually work fine in the PE case
270# because the MZ image is hardcoded into the toolchain and almost certainly
271# won't match any of these signatures.
2be182fc
JS
272>(4.s*512) long x
273>>&(2.s-517) byte x
274>>>&0 string PK\3\4 \b, ZIP self-extracting archive
275>>>&0 string Rar! \b, RAR self-extracting archive
276>>>&0 string =!\x11 \b, AIN 2.x self-extracting archive
277>>>&0 string =!\x12 \b, AIN 2.x self-extracting archive
278>>>&0 string =!\x17 \b, AIN 1.x self-extracting archive
279>>>&0 string =!\x18 \b, AIN 1.x self-extracting archive
280>>>&7 search/400 **ACE** \b, ACE self-extracting archive
281>>>&0 search/0x480 UC2SFX\ Header \b, UC2 self-extracting archive
282
2be182fc
JS
283# a few unknown ZIP sfxes, no idea if they are needed or if they are
284# already captured by the generic patterns above
2be182fc
JS
285>(8.s*16) search/0x20 PKSFX \b, ZIP self-extracting archive (PKZIP)
286# TODO: how to add this? >FileSize-34 string Windows\ Self-Installing\ Executable \b, ZIP self-extracting archive
ab0b56cc 287#
2be182fc 288
ab0b56cc
JS
289# TELVOX Teleinformatica CODEC self-extractor for OS/2:
290>49801 string \x79\xff\x80\xff\x76\xff \b, CODEC archive v3.21
79343712
PA
291>>49824 leshort =1 \b, 1 file
292>>49824 leshort >1 \b, %u files
ab0b56cc 293
884044a5
PA
294# added by Joerg Jenderek of http://www.freedos.org/software/?prog=kc
295# and http://www.freedos.org/software/?prog=kpdos
296# for FreeDOS files like KEYBOARD.SYS, KEYBRD2.SYS, KEYBRD3.SYS, *.KBD
9f86ab30 2970 string/b KCF FreeDOS KEYBoard Layout collection
884044a5
PA
298# only version=0x100 found
299>3 uleshort x \b, version 0x%x
300# length of string containing author,info and special characters
301>6 ubyte >0
302#>>6 pstring x \b, name=%s
303>>7 string >\0 \b, author=%-.14s
304>>7 search/254 \xff \b, info=
305#>>>&0 string x \b%-s
306>>>&0 string x \b%-.15s
307# for FreeDOS *.KL files
9f86ab30 3080 string/b KLF FreeDOS KEYBoard Layout file
884044a5
PA
309# only version=0x100 or 0x101 found
310>3 uleshort x \b, version 0x%x
311# stringlength
312>5 ubyte >0
313>>8 string x \b, name=%-.2s
3140 string \xffKEYB\ \ \ \0\0\0\0
315>12 string \0\0\0\0`\ 4\360 MS-DOS KEYBoard Layout file
316
ab0b56cc
JS
317# .COM formats (Daniel Quinlan, quinlan@yggdrasil.com)
318# Uncommenting only the first two lines will cover about 2/3 of COM files,
319# but it isn't feasible to match all COM files since there must be at least
320# two dozen different one-byte "magics".
79343712 321# test too generic ?
9b22a626 3220 byte 0xe9 DOS executable (COM)
79343712 323>0x1FE leshort 0xAA55 \b, boot code
2be182fc 324>6 string SFX\ of\ LHarc (%s)
884044a5
PA
325
326# DOS device driver updated by Joerg Jenderek at May 2011
327# http://maben.homeip.net/static/S100/IBM/software/DOS/DOS%20techref/CHAPTER.009
3280 ulequad&0x07a0ffffffff 0xffffffff DOS executable (
329>40 search/7 UPX! \bUPX compressed
330# DOS device driver attributes
331>4 uleshort&0x8000 0x0000 \bblock device driver
332# character device
333>4 uleshort&0x8000 0x8000 \b
334>>4 uleshort&0x0008 0x0008 \bclock
335# fast video output by int 29h
336>>4 uleshort&0x0010 0x0010 \bfast
337# standard input/output device
338>>4 uleshort&0x0003 >0 \bstandard
339>>>4 uleshort&0x0001 0x0001 \binput
340>>>4 uleshort&0x0003 0x0003 \b/
341>>>4 uleshort&0x0002 0x0002 \boutput
342>>4 uleshort&0x8000 0x8000 \bcharacter device driver
343>0 ubyte x
344# upx compressed device driver has garbage instead of real in name field of header
345>>40 search/7 UPX!
346>>40 default x
347# leading/trailing nulls, zeros or non ASCII characters in 8-byte name field at offset 10 are skipped
348>>>12 ubyte >0x27 \b
349>>>>10 ubyte >0x20
350>>>>>10 ubyte !0x2E
351>>>>>>10 ubyte !0x2A \b%c
352>>>>11 ubyte >0x20
353>>>>>11 ubyte !0x2E \b%c
354>>>>12 ubyte >0x20
355>>>>>12 ubyte !0x39
356>>>>>>12 ubyte !0x2E \b%c
357>>>13 ubyte >0x20
358>>>>13 ubyte !0x2E \b%c
359>>>>14 ubyte >0x20
360>>>>>14 ubyte !0x2E \b%c
361>>>>15 ubyte >0x20
362>>>>>15 ubyte !0x2E \b%c
363>>>>16 ubyte >0x20
364>>>>>16 ubyte !0x2E
365>>>>>>16 ubyte <0xCB \b%c
366>>>>17 ubyte >0x20
367>>>>>17 ubyte !0x2E
368>>>>>>17 ubyte <0x90 \b%c
369# some character device drivers like ASPICD.SYS, btcdrom.sys and Cr_atapi.sys contain only spaces or points in name field
370>>>4 uleshort&0x8000 0x8000
371>>>>12 ubyte <0x2F
372# they have their real name at offset 22
373>>>>>22 string >\0 \b%-.5s
374>4 uleshort&0x8000 0x0000
375# 32 bit sector adressing ( > 32 MB) for block devices
376>>4 uleshort&0x0002 0x0002 \b,32-bit sector-
377# support by driver functions 13h, 17h, 18h
378>4 uleshort&0x0040 0x0040 \b,IOCTL-
379# open, close, removable media support by driver functions 0Dh, 0Eh, 0Fh
380>4 uleshort&0x0800 0x0800 \b,close media-
381# output until busy support by int 10h for character device driver
382>4 uleshort&0x8000 0x8000
383>>4 uleshort&0x2000 0x2000 \b,until busy-
384# direct read/write support by driver functions 03h,0Ch
385>4 uleshort&0x4000 0x4000 \b,control strings-
386>4 uleshort&0x8000 0x8000
387>>4 uleshort&0x6840 >0 \bsupport
388>4 uleshort&0x8000 0x0000
389>>4 uleshort&0x4842 >0 \bsupport
390>0 ubyte x \b)
391# DOS driver cmd640x.sys has 0x12 instead of 0xffffffff for pointer field to next device header
a96e001b
PA
392# Too weak, matches files that only contain 0's
393#0 ulequad&0x000007a0ffffffed 0x0000000000000000 DOS-executable (
394#>4 uleshort&0x8000 0x8000 \bcharacter device driver
395#>>10 string x %-.8s
396#>4 uleshort&0x4000 0x4000 \b,control strings-support)
884044a5 397
79343712 398# test too generic ?
9b22a626 3990 byte 0x8c DOS executable (COM)
79343712
PA
400# updated by Joerg Jenderek at Oct 2008
4010 ulelong 0xffff10eb DR-DOS executable (COM)
402# byte 0xeb conflicts with "sequent" magic leshort 0xn2eb
4030 ubeshort&0xeb8d >0xeb00
404# DR-DOS STACKER.COM SCREATE.SYS missed
9f86ab30
PA
405>0 byte 0xeb
406>>0x1FE leshort 0xAA55 DOS executable (COM), boot code
407>>85 string UPX DOS executable (COM), UPX compressed
408>>4 string \ $ARX DOS executable (COM), ARX self-extracting archive
409>>4 string \ $LHarc DOS executable (COM), LHarc self-extracting archive
410>>0x20e string SFX\ by\ LARC DOS executable (COM), LARC self-extracting archive
79343712
PA
411# updated by Joerg Jenderek at Oct 2008
412#0 byte 0xb8 COM executable
4130 uleshort&0x80ff 0x00b8
9b22a626 414# modified by Joerg Jenderek
79343712 415>1 lelong !0x21cd4cff COM executable for DOS
9b22a626
PA
416# http://syslinux.zytor.com/comboot.php
417# (32-bit COMBOOT) programs *.C32 contain 32-bit code and run in flat-memory 32-bit protected mode
418# start with assembler instructions mov eax,21cd4cffh
79343712
PA
4190 uleshort&0xc0ff 0xc0b8
420>1 lelong 0x21cd4cff COM executable (32-bit COMBOOT)
e4d4ce0c
PA
421# syslinux:doc/comboot.txt
422# A COM32R program must start with the byte sequence B8 FE 4C CD 21 (mov
423# eax,21cd4cfeh) as a magic number.
9f86ab30 4240 string/b \xb8\xfe\x4c\xcd\x21 COM executable (COM32R)
e4d4ce0c
PA
425# start with assembler instructions mov eax,21cd4cfeh
4260 uleshort&0xc0ff 0xc0b8
427>1 lelong 0x21cd4cfe COM executable (32-bit COMBOOT, relocatable)
9f86ab30 4280 string/b \x81\xfc
9b22a626 429>4 string \x77\x02\xcd\x20\xb9
79343712
PA
430>>36 string UPX! FREE-DOS executable (COM), UPX compressed
431252 string Must\ have\ DOS\ version DR-DOS executable (COM)
432# added by Joerg Jenderek at Oct 2008
433# GRR search is not working
434#34 search/2 UPX! FREE-DOS executable (COM), UPX compressed
43534 string UPX! FREE-DOS executable (COM), UPX compressed
43635 string UPX! FREE-DOS executable (COM), UPX compressed
9b22a626
PA
437# GRR search is not working
438#2 search/28 \xcd\x21 COM executable for MS-DOS
439#WHICHFAT.cOM
4402 string \xcd\x21 COM executable for DOS
441#DELTREE.cOM DELTREE2.cOM
4424 string \xcd\x21 COM executable for DOS
443#IFMEMDSK.cOM ASSIGN.cOM COMP.cOM
4445 string \xcd\x21 COM executable for DOS
445#DELTMP.COm HASFAT32.cOM
4467 string \xcd\x21
447>0 byte !0xb8 COM executable for DOS
448#COMP.cOM MORE.COm
44910 string \xcd\x21
450>5 string !\xcd\x21 COM executable for DOS
451#comecho.com
45213 string \xcd\x21 COM executable for DOS
453#HELP.COm EDIT.coM
45418 string \xcd\x21 COM executable for MS-DOS
455#NWRPLTRM.COm
45623 string \xcd\x21 COM executable for MS-DOS
457#LOADFIX.cOm LOADFIX.cOm
45830 string \xcd\x21 COM executable for MS-DOS
459#syslinux.com 3.11
46070 string \xcd\x21 COM executable for DOS
2be182fc
JS
461# many compressed/converted COMs start with a copy loop instead of a jump
4620x6 search/0xa \xfc\x57\xf3\xa5\xc3 COM executable for MS-DOS
9b22a626 4630x6 search/0xa \xfc\x57\xf3\xa4\xc3 COM executable for DOS
2be182fc
JS
464>0x18 search/0x10 \x50\xa4\xff\xd5\x73 \b, aPack compressed
4650x3c string W\ Collis\0\0 COM executable for MS-DOS, Compack compressed
466# FIXME: missing diet .com compression
ab0b56cc
JS
467
468# miscellaneous formats
9f86ab30 4690 string/b LZ MS-DOS executable (built-in)
ab0b56cc
JS
470#0 byte 0xf0 MS-DOS program library data
471#
472
ab0b56cc
JS
473# AAF files:
474# <stuartc@rd.bbc.co.uk> Stuart Cunningham
9f86ab30 4750 string/b \320\317\021\340\241\261\032\341AAFB\015\000OM\006\016\053\064\001\001\001\377 AAF legacy file using MS Structured Storage
ab0b56cc
JS
476>30 byte 9 (512B sectors)
477>30 byte 12 (4kB sectors)
9f86ab30 4780 string/b \320\317\021\340\241\261\032\341\001\002\001\015\000\002\000\000\006\016\053\064\003\002\001\001 AAF file using MS Structured Storage
ab0b56cc
JS
479>30 byte 9 (512B sectors)
480>30 byte 12 (4kB sectors)
481
482# Popular applications
4832080 string Microsoft\ Word\ 6.0\ Document %s
79343712 484!:mime application/msword
ab0b56cc 4852080 string Documento\ Microsoft\ Word\ 6 Spanish Microsoft Word 6 document data
79343712 486!:mime application/msword
ab0b56cc
JS
487# Pawel Wiecek <coven@i17linuxb.ists.pwr.wroc.pl> (for polish Word)
4882112 string MSWordDoc Microsoft Word document data
79343712 489!:mime application/msword
ab0b56cc
JS
490#
4910 belong 0x31be0000 Microsoft Word Document
79343712 492!:mime application/msword
ab0b56cc 493#
9f86ab30 4940 string/b PO^Q` Microsoft Word 6.0 Document
79343712 495!:mime application/msword
ab0b56cc 496#
9f86ab30 4970 string/b \376\067\0\043 Microsoft Office Document
79343712 498!:mime application/msword
9f86ab30 4990 string/b \333\245-\0\0\0 Microsoft Office Document
79343712 500!:mime application/msword
9f86ab30 501512 string/b \354\245\301 Microsoft Word Document
79343712 502!:mime application/msword
ab0b56cc
JS
503#
5042080 string Microsoft\ Excel\ 5.0\ Worksheet %s
79343712
PA
505!:mime application/vnd.ms-excel
506
ab0b56cc 5072080 string Foglio\ di\ lavoro\ Microsoft\ Exce %s
79343712 508!:mime application/vnd.ms-excel
ab0b56cc
JS
509#
510# Pawel Wiecek <coven@i17linuxb.ists.pwr.wroc.pl> (for polish Excel)
5112114 string Biff5 Microsoft Excel 5.0 Worksheet
79343712 512!:mime application/vnd.ms-excel
ab0b56cc
JS
513# Italian MS-Excel
5142121 string Biff5 Microsoft Excel 5.0 Worksheet
79343712 515!:mime application/vnd.ms-excel
9f86ab30 5160 string/b \x09\x04\x06\x00\x00\x00\x10\x00 Microsoft Excel Worksheet
79343712 517!:mime application/vnd.ms-excel
ab0b56cc
JS
518#
5190 belong 0x00001a00 Lotus 1-2-3
79343712 520!:mime application/x-123
ab0b56cc
JS
521>4 belong 0x00100400 wk3 document data
522>4 belong 0x02100400 wk4 document data
523>4 belong 0x07800100 fm3 or fmb document data
524>4 belong 0x07800000 fm3 or fmb document data
525#
79343712
PA
5260 belong 0x00000200 Lotus 1-2-3
527!:mime application/x-123
ab0b56cc
JS
528>4 belong 0x06040600 wk1 document data
529>4 belong 0x06800200 fmt document data
9f86ab30 5300 string/b WordPro\0 Lotus WordPro
79343712 531!:mime application/vnd.lotus-wordpro
9f86ab30 5320 string/b WordPro\r\373 Lotus WordPro
79343712 533!:mime application/vnd.lotus-wordpro
ab0b56cc 534
ab0b56cc 535
79343712
PA
536# Summary: Script used by InstallScield to uninstall applications
537# Extension: .isu
538# Submitted by: unknown
539# Modified by (1): Abel Cheung <abelcheung@gmail.com> (replace useless entry)
5400 string \x71\xa8\x00\x00\x01\x02
541>12 string Stirling\ Technologies, InstallShield Uninstall Script
ab0b56cc
JS
542
543# Winamp .avs
79343712 544#0 string Nullsoft\ AVS\ Preset\ \060\056\061\032 A plug in for Winamp ms-windows Freeware media player
9f86ab30 5450 string/b Nullsoft\ AVS\ Preset\ Winamp plug in
ab0b56cc 546
ab0b56cc 547# Windows Metafont .WMF
9f86ab30
PA
5480 string/b \327\315\306\232 ms-windows metafont .wmf
5490 string/b \002\000\011\000 ms-windows metafont .wmf
5500 string/b \001\000\011\000 ms-windows metafont .wmf
ab0b56cc
JS
551
552#tz3 files whatever that is (MS Works files)
9f86ab30
PA
5530 string/b \003\001\001\004\070\001\000\000 tz3 ms-works file
5540 string/b \003\002\001\004\070\001\000\000 tz3 ms-works file
5550 string/b \003\003\001\004\070\001\000\000 tz3 ms-works file
ab0b56cc
JS
556
557# PGP sig files .sig
558#0 string \211\000\077\003\005\000\063\237\127 065 to \027\266\151\064\005\045\101\233\021\002 PGP sig
5590 string \211\000\077\003\005\000\063\237\127\065\027\266\151\064\005\045\101\233\021\002 PGP sig
5600 string \211\000\077\003\005\000\063\237\127\066\027\266\151\064\005\045\101\233\021\002 PGP sig
5610 string \211\000\077\003\005\000\063\237\127\067\027\266\151\064\005\045\101\233\021\002 PGP sig
5620 string \211\000\077\003\005\000\063\237\127\070\027\266\151\064\005\045\101\233\021\002 PGP sig
5630 string \211\000\077\003\005\000\063\237\127\071\027\266\151\064\005\045\101\233\021\002 PGP sig
5640 string \211\000\225\003\005\000\062\122\207\304\100\345\042 PGP sig
565
566# windows zips files .dmf
9f86ab30 5670 string/b MDIF\032\000\010\000\000\000\372\046\100\175\001\000\001\036\001\000 MS Windows special zipped file
ab0b56cc
JS
568
569
ab0b56cc 570#ico files
9f86ab30 5710 string/b \102\101\050\000\000\000\056\000\000\000\000\000\000\000 Icon for MS Windows
ab0b56cc
JS
572
573# Windows icons (Ian Springer <ips@fpk.hp.com>)
9f86ab30 5740 string/b \000\000\001\000 MS Windows icon resource
e4d4ce0c 575!:mime image/x-icon
ab0b56cc
JS
576>4 byte 1 - 1 icon
577>4 byte >1 - %d icons
578>>6 byte >0 \b, %dx
579>>>7 byte >0 \b%d
580>>8 byte 0 \b, 256-colors
581>>8 byte >0 \b, %d-colors
582
583
584# .chr files
9f86ab30 5850 string/b PK\010\010BGI Borland font
ab0b56cc
JS
586>4 string >\0 %s
587# then there is a copyright notice
588
589
590# .bgi files
9f86ab30 5910 string/b pk\010\010BGI Borland device
ab0b56cc
JS
592>4 string >\0 %s
593# then there is a copyright notice
594
595
79343712
PA
596# Windows Recycle Bin record file (named INFO2)
597# By Abel Cheung (abelcheung AT gmail dot com)
598# Version 4 always has 280 bytes (0x118) per record, version 5 has 800 bytes
599# Since Vista uses another structure, INFO2 structure probably won't change
600# anymore. Detailed analysis in:
601# http://www.cybersecurityinstitute.biz/downloads/INFO2.pdf
6020 lelong 0x00000004
603>12 lelong 0x00000118 Windows Recycle Bin INFO2 file (Win98 or below)
604
6050 lelong 0x00000005
606>12 lelong 0x00000320 Windows Recycle Bin INFO2 file (Win2k - WinXP)
ab0b56cc
JS
607
608
609##### put in Either Magic/font or Magic/news
79343712 610# Acroread or something files wrongly identified as G3 .pfm
ab0b56cc
JS
611# these have the form \000 \001 any? \002 \000 \000
612# or \000 \001 any? \022 \000 \000
e4d4ce0c
PA
6130 belong&0xffff00ff 0x00010012 PFM data
614>4 string \000\000
615>6 string >\060 - %s
616
6170 belong&0xffff00ff 0x00010002 PFM data
618>4 string \000\000
619>6 string >\060 - %s
79343712
PA
620#0 string \000\001 pfm?
621#>3 string \022\000\000Copyright\ yes
622#>3 string \002\000\000Copyright\ yes
623#>3 string >\0 oops, not a font file. Cancel that.
ab0b56cc
JS
624#it clashes with ttf files so put it lower down.
625
626# From Doug Lee via a FreeBSD pr
6279 string GERBILDOC First Choice document
6289 string GERBILDB First Choice database
6299 string GERBILCLIP First Choice database
6300 string GERBIL First Choice device file
6319 string RABBITGRAPH RabbitGraph file
6320 string DCU1 Borland Delphi .DCU file
2be182fc
JS
6330 string =!<spell> MKS Spell hash list (old format)
6340 string =!<spell2> MKS Spell hash list
ab0b56cc
JS
635# Too simple - MPi
636#0 string AH Halo(TM) bitmapped font file
6370 lelong 0x08086b70 TurboC BGI file
6380 lelong 0x08084b50 TurboC Font file
639
640# WARNING: below line conflicts with Infocom game data Z-machine 3
a96e001b
PA
6410 byte 0x03
642>0x02 byte <0x13 DBase 3 data file
643>>0x04 lelong 0 (no records)
644>>0x04 lelong >0 (%ld records)
6450 byte 0x83
646>0x02 byte <0x13 DBase 3 data file with memo(s)
647>>0x04 lelong 0 (no records)
648>>0x04 lelong >0 (%ld records)
ab0b56cc
JS
6490 leshort 0x0006 DBase 3 index file
6500 string PMCC Windows 3.x .GRP file
6511 string RDC-meg MegaDots
652>8 byte >0x2F version %c
653>9 byte >0x2F \b.%c file
6540 lelong 0x4C
655>4 lelong 0x00021401 Windows shortcut file
656
884044a5
PA
657# .PIF files added by Joerg Jenderek from http://smsoft.ru/en/pifdoc.htm
658# only for windows versions equal or greater 3.0
6590x171 string MICROSOFT\ PIFEX\0 Windows Program Information File
660!:mime application/x-dosexec
661#>2 string >\0 \b, Title:%.30s
662>0x24 string >\0 \b for %.63s
663>0x65 string >\0 \b, directory=%.64s
664>0xA5 string >\0 \b, parameters=%.64s
665#>0x181 leshort x \b, offset %x
666#>0x183 leshort x \b, offsetdata %x
667#>0x185 leshort x \b, section length %x
668>0x187 search/0xB55 WINDOWS\ VMM\ 4.0\0
669>>&0x5e ubyte >0
670>>>&-1 string <PIFMGR.DLL \b, icon=%s
671#>>>&-1 string PIFMGR.DLL \b, icon=%s
672>>>&-1 string >PIFMGR.DLL \b, icon=%s
673>>&0xF0 ubyte >0
674>>>&-1 string <Terminal \b, font=%.32s
675#>>>&-1 string =Terminal \b, font=%.32s
676>>>&-1 string >Terminal \b, font=%.32s
677>>&0x110 ubyte >0
678>>>&-1 string <Lucida\ Console \b, TrueTypeFont=%.32s
679#>>>&-1 string =Lucida\ Console \b, TrueTypeFont=%.32s
680>>>&-1 string >Lucida\ Console \b, TrueTypeFont=%.32s
681#>0x187 search/0xB55 WINDOWS\ 286\ 3.0\0 \b, Windows 3.X standard mode-style
682#>0x187 search/0xB55 WINDOWS\ 386\ 3.0\0 \b, Windows 3.X enhanced mode-style
683>0x187 search/0xB55 WINDOWS\ NT\ \ 3.1\0 \b, Windows NT-style
684#>0x187 search/0xB55 WINDOWS\ NT\ \ 4.0\0 \b, Windows NT-style
685>0x187 search/0xB55 CONFIG\ \ SYS\ 4.0\0 \b +CONFIG.SYS
686#>>&06 string x \b:%s
687>0x187 search/0xB55 AUTOEXECBAT\ 4.0\0 \b +AUTOEXEC.BAT
688#>>&06 string x \b:%s
689
ab0b56cc
JS
690# DOS EPS Binary File Header
691# From: Ed Sznyter <ews@Black.Market.NET>
6920 belong 0xC5D0D3C6 DOS EPS Binary File
693>4 long >0 Postscript starts at byte %d
694>>8 long >0 length %d
695>>>12 long >0 Metafile starts at byte %d
696>>>>16 long >0 length %d
697>>>20 long >0 TIFF starts at byte %d
698>>>>24 long >0 length %d
699
700# TNEF magic From "Joomy" <joomy@se-ed.net>
79343712 701# Microsoft Outlook's Transport Neutral Encapsulation Format (TNEF)
ab0b56cc 7020 leshort 0x223e9f78 TNEF
79343712 703!:mime application/vnd.ms-tnef
ab0b56cc
JS
704
705# HtmlHelp files (.chm)
9f86ab30 7060 string/b ITSF\003\000\000\000\x60\000\000\000\001\000\000\000 MS Windows HtmlHelp Data
ab0b56cc
JS
707
708# GFA-BASIC (Wolfram Kleff)
9f86ab30 7092 string/b GFA-BASIC3 GFA-BASIC 3 data
ab0b56cc 710
ab0b56cc
JS
711#------------------------------------------------------------------------------
712# From Stuart Caie <kyzer@4u.net> (developer of cabextract)
713# Microsoft Cabinet files
9f86ab30 7140 string/b MSCF\0\0\0\0 Microsoft Cabinet archive data
79343712 715!:mime application/vnd.ms-cab-compressed
ab0b56cc
JS
716>8 lelong x \b, %u bytes
717>28 leshort 1 \b, 1 file
718>28 leshort >1 \b, %u files
719
720# InstallShield Cabinet files
9f86ab30 7210 string/b ISc( InstallShield Cabinet archive data
79343712
PA
722>5 byte&0xf0 =0x60 version 6,
723>5 byte&0xf0 !0x60 version 4/5,
ab0b56cc
JS
724>(12.l+40) lelong x %u files
725
726# Windows CE package files
9f86ab30 7270 string/b MSCE\0\0\0\0 Microsoft WinCE install header
ab0b56cc
JS
728>20 lelong 0 \b, architecture-independent
729>20 lelong 103 \b, Hitachi SH3
730>20 lelong 104 \b, Hitachi SH4
731>20 lelong 0xA11 \b, StrongARM
732>20 lelong 4000 \b, MIPS R4000
733>20 lelong 10003 \b, Hitachi SH3
734>20 lelong 10004 \b, Hitachi SH3E
735>20 lelong 10005 \b, Hitachi SH4
736>20 lelong 70001 \b, ARM 7TDMI
79343712
PA
737>52 leshort 1 \b, 1 file
738>52 leshort >1 \b, %u files
739>56 leshort 1 \b, 1 registry entry
740>56 leshort >1 \b, %u registry entries
ab0b56cc
JS
741
742
743# Windows Enhanced Metafile (EMF)
744# See msdn.microsoft.com/archive/en-us/dnargdi/html/msdn_enhmeta.asp
79343712
PA
745# for further information.
7460 ulelong 1
747>40 string \ EMF Windows Enhanced Metafile (EMF) image data
748>>44 ulelong x version 0x%x
9b22a626
PA
749
750# From: Alex Beregszaszi <alex@fsn.hu>
9f86ab30 7510 string/b COWD VMWare3
79343712 752>4 byte 3 disk image
5fc399ce
PA
753>>32 lelong x (%d/
754>>36 lelong x \b%d/
755>>40 lelong x \b%d)
79343712
PA
756>4 byte 2 undoable disk image
757>>32 string >\0 (%s)
9b22a626 758
9f86ab30
PA
7590 string/b VMDK VMware4 disk image
7600 string/b KDMV VMware4 disk image
9b22a626 761
05a9c884
PA
762#--------------------------------------------------------------------
763# Qemu Emulator Images
764# Lines written by Friedrich Schwittay (f.schwittay@yousable.de)
e4d4ce0c
PA
765# Updated by Adam Buchbinder (adam.buchbinder@gmail.com)
766# Made by reading sources, reading documentation, and doing trial and error
767# on existing QCOW files
9f86ab30 7680 string/b QFI\xFB QEMU QCOW Image
05a9c884
PA
769
770# Uncomment the following line to display Magic (only used for debugging
771# this magic number)
9f86ab30 772#>0 string/b x , Magic: %s
05a9c884 773
e4d4ce0c
PA
774# There are currently 2 Versions: "1" and "2".
775# http://www.gnome.org/~markmc/qcow-image-format-version-1.html
776>4 belong 1 (v1)
05a9c884 777
e4d4ce0c 778# Using the existence of the Backing File Offset to determine whether
05a9c884 779# to read Backing File Information
e4d4ce0c
PA
780>>12 belong >0 \b, has backing file (
781# Note that this isn't a null-terminated string; the length is actually
782# (16.L). Assuming a null-terminated string happens to work usually, but it
783# may spew junk until it reaches a \0 in some cases.
784>>>(12.L) string >\0 \bpath %s
05a9c884
PA
785
786# Modification time of the Backing File
79343712 787# Really useful if you want to know if your backing
05a9c884 788# file is still usable together with this image
e4d4ce0c
PA
789>>>>20 bedate >0 \b, mtime %s)
790>>>>20 default x \b)
05a9c884 791
e4d4ce0c
PA
792# Size is stored in bytes in a big-endian u64.
793>>24 bequad x \b, %lld bytes
9b22a626 794
e4d4ce0c
PA
795# 1 for AES encryption, 0 for none.
796>>36 belong 1 \b, AES-encrypted
797
798# http://www.gnome.org/~markmc/qcow-image-format.html
799>4 belong 2 (v2)
800# Using the existence of the Backing File Offset to determine whether
801# to read Backing File Information
802>>8 bequad >0 \b, has backing file
803# Note that this isn't a null-terminated string; the length is actually
804# (16.L). Assuming a null-terminated string happens to work usually, but it
805# may spew junk until it reaches a \0 in some cases. Also, since there's no
806# .Q modifier, we just use the bottom four bytes as an offset. Note that if
807# the file is over 4G, and the backing file path is stored after the first 4G,
808# the wrong filename will be printed. (This should be (8.Q), when that syntax
809# is introduced.)
810>>>(12.L) string >\0 (path %s)
811>>24 bequad x \b, %lld bytes
812>>32 belong 1 \b, AES-encrypted
813
814>4 default x (unknown version)
815
9f86ab30 8160 string/b QEVM QEMU suspend to disk image
9b22a626 817
9f86ab30 8180 string/b Bochs\ Virtual\ HD\ Image Bochs disk image,
9b22a626
PA
819>32 string x type %s,
820>48 string x subtype %s
821
8220 lelong 0x02468ace Bochs Sparse disk image
823
824# from http://filext.com by Derek M Jones <derek@knosof.co.uk>
79343712 825# False positive with PPT (also currently this string is too long)
9f86ab30
PA
826#0 string/b \xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x3E\x00\x03\x00\xFE\xFF\x09\x00\x06 Microsoft Installer
8270 string/b \320\317\021\340\241\261\032\341 Microsoft Office Document
79343712
PA
828#>48 byte 0x1B Excel Document
829#!:mime application/vnd.ms-excel
830>546 string bjbj Microsoft Word Document
831!:mime application/msword
832>546 string jbjb Microsoft Word Document
833!:mime application/msword
834
9f86ab30 8350 string/b \224\246\056 Microsoft Word Document
79343712
PA
836!:mime application/msword
837
838512 string R\0o\0o\0t\0\ \0E\0n\0t\0r\0y Microsoft Word Document
839!:mime application/msword
05a9c884
PA
840
841# From: "Nelson A. de Oliveira" <naoliv@gmail.com>
842# Magic type for Dell's BIOS .hdr files
843# Dell's .hdr
9f86ab30 8440 string/b $RBU
05a9c884 845>23 string Dell %s system BIOS
a96e001b
PA
846>5 byte 2
847>>48 byte x version %d.
848>>49 byte x \b%d.
849>>50 byte x \b%d
850>5 byte <2
851>>48 string x version %.3s
05a9c884 852
79343712
PA
853# Type: Microsoft DirectDraw Surface
854# URL: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/directx9_c/directx/graphics/reference/DDSFileReference/ddsfileformat.asp
855# From: Morten Hustveit <morten@debian.org>
9f86ab30 8560 string/b DDS\040\174\000\000\000 Microsoft DirectDraw Surface (DDS),
79343712
PA
857>16 lelong >0 %hd x
858>12 lelong >0 %hd,
859>84 string x %.4s
860
861# Type: Microsoft Document Imaging Format (.mdi)
862# URL: http://en.wikipedia.org/wiki/Microsoft_Document_Imaging_Format
863# From: Daniele Sempione <scrows@oziosi.org>
8640 short 0x5045 Microsoft Document Imaging Format
865
866# MS eBook format (.lit)
9f86ab30 8670 string/b ITOLITLS Microsoft Reader eBook Data
79343712
PA
868>8 lelong x \b, version %u
869!:mime application/x-ms-reader
e4d4ce0c
PA
870
871# Windows CE Binary Image Data Format
872# From: Dr. Jesus <j@hug.gs>
9f86ab30 8730 string/b B000FF\n Windows Embedded CE binary image
e4d4ce0c
PA
874
875# Windows Imaging (WIM) Image
9f86ab30 8760 string/b MSWIM\000\000\000 Windows imaging (WIM) image