Diffstat (limited to 'contrib/file/magic/Magdir/database')
-rw-r--r-- | contrib/file/magic/Magdir/database | 117 |
1 files changed, 100 insertions, 17 deletions
diff --git a/contrib/file/magic/Magdir/database b/contrib/file/magic/Magdir/database index 7f93f8e2da96..c4462f96675e 100644 --- a/contrib/file/magic/Magdir/database +++ b/contrib/file/magic/Magdir/database @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: database,v 1.63 2021/10/04 00:44:30 christos Exp $ +# $File: database,v 1.73 2024/11/09 19:54:36 christos Exp $ # database: file(1) magic for various databases # # extracted from header/code files by Graeme Wilford (eep2gw@ee.surrey.ac.uk) @@ -151,6 +151,7 @@ # https://www.clicketyclick.dk/databases/xbase/format/dbf.html # inspect VVYYMMDD , where 1<= MM <= 12 and 1<= DD <= 31 0 ubelong&0x0000FFFF <0x00000C20 +!:strength +10 # skip Infocom game Z-machine >2 ubyte >0 # skip Androids *.xml @@ -386,8 +387,22 @@ >>>>>20 ubelong&0xFF01209B 0x00000000 # dBASE III >>>>>>16 ubyte 3 -# dBASE III DBT ->>>>>>>0 use dbase3-memo-print +# skip with invalid "low" 1st item "\0\0\0\0" StateRepository-Deployment.srd-shm "\001\010\0\0" gcry_cast5.mod +>>>>>>>512 ubyte >040 +# skip with valid 1st item "rintf" keylayouts.mod +# by looking for valid terminating character Ctrl-Z like in test.dbt +>>>>>>>>513 search/3308 \032 +# skip GRUB plan9.mod with invalid second terminating character 007 +# by checking second terminating character Ctrl-Z like in test.dbt +>>>>>>>>>&0 ubyte 032 +# dBASE III DBT with two Ctr-Z terminating characters +>>>>>>>>>>0 use dbase3-memo-print +# second terminating character \0 like in dbase-memo.dbt or GRUB nativedisk.mod +>>>>>>>>>&0 ubyte 0 +# skip GRUB nativedisk.mod with grub_mod_init\0grub_mod_fini\0grub_fs_autoload_hook\0 +>>>>>>>>>>0x1ad string !grub_mod_init +# like dbase-memo.dbt +>>>>>>>>>>>0 use dbase3-memo-print # dBASE III DBT without version, dBASE IV DBT , FoxPro FPT , or many ZIP , DBF garbage >>>>>>16 ubyte 0 # unusual dBASE III DBT like angest.dbt, dBASE IV DBT with block size 0 , FoxPro FPT , or garbage PCX DBF 
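Review bot: The added `!:strength +10` raises the priority of an entry whose first test, `0 ubelong&0x0000FFFF <0x00000C20`, is only a loose masked range check, and nothing in the hunk says why the boost is needed. Other hunks in this commit add skip rules for GRUB modules, Event Trace Logs and DOS executables that were misread as dBASE memo files, which suggests that loose tests in this file do hit unrelated binaries; a higher strength presumably makes such a wrong answer more likely to be printed ahead of a correct one from another Magdir file. A comment directly above the line would help, for example `# raise strength so that <FORMAT> is not reported first; checked against <SAMPLE SET>`, with the placeholders filled in by the author. The entry continues outside the hunk.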
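Review bot: The new first-character guard `>>>>>>>512 ubyte >040` is stricter than the equivalent guards in the other two dBASE III branches touched by this commit, which use `>037`, so a memo whose first item begins with a space (octal 040) is rejected here but accepted there. If the difference is not deliberate, `>>>>>>>512 ubyte >037` would make the three branches agree; if it is, the comment should name the sample that requires it. Separately, `>>>>>>>>>>0x1ad string !grub_mod_init` pins the GRUB exclusion to one fixed offset, which presumably fits the nativedisk.mod sample named in the comment and may not hold for other builds of that module. A bounded `search`, in the style used for `pcidump\0Show` in the next hunk, would be less tied to a single sample.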
@@ -399,14 +414,35 @@ >>>>>>>>>>4 ushort 0 # check for valid FoxPro field type >>>>>>>>>>>512 ubelong <3 ->>>>>>>>>>>>0 use foxpro-memo-print +# skip LXMDCLN4.OUT LXMDCLN6.OUT LXMDALG6.OUT with invalid blocksize 170=AAh +>>>>>>>>>>>>6 ubeshort&0x002f 0 +>>>>>>>>>>>>>0 use foxpro-memo-print # dBASE III DBT , garbage # skip WORD1XW.DOC with improbably high free block index >>>>>>>>>0 ulelong <0x400000 # skip WinStore.App.exe by looking for printable 2nd character of 1st memo item >>>>>>>>>>513 ubyte >037 -# unusual dBASE III DBT like adressen.dbt ->>>>>>>>>>>0 use dbase3-memo-print +# skip DOS executables CPQ0TD.DRV E30ODI.COM IBM0MONO.DRV by looking for printable 1st character of 1st memo item +>>>>>>>>>>>512 ubyte >037 +# skip few (14/758) Microsoft Event Trace Logs (boot_BASE+CSWITCH_1.etl DlTel-Merge.etl UpdateUx.006.etl) with invalid "high" 1st item \377\377 +>>>>>>>>>>>>512 ubyte <0377 +# skip some Commodore 64 Art Studio (Deep_Strike.aas dragon's_lair_ii.aas), some Atari DEGAS Elite bitmap (ELEPHANT.PC3 ST.PC2) +# some probably old GRUB modules (part_sun.mod) and virtual-boy-wario-land.vb. 
+# by looking for valid terminating character Ctrl-Z +>>>>>>>>>>>>>513 search/523 \032 +# Atari DEGAS bitmap ST.PC2 with 0370 as second terminating character +#>>>>>>>>>>>>>>&0 ubyte x 2ND_CHAR_IS=%o +# dBASE III DBT with two Ctr-Z terminating characters like dbase3dbt0_1.dbt dbase_83.dbt +>>>>>>>>>>>>>>&0 ubyte 032 +>>>>>>>>>>>>>>>0 use dbase3-memo-print +# second terminating character \0 like in pcidump.mod or fsadress.dbt umlaut-dbf-cmd.dbt +>>>>>>>>>>>>>>&0 ubyte 0 +# look for old GRUB module pcidump.mod with specific content "pcidump\0Show raw dump of the PCI configuration space" +>>>>>>>>>>>>>>>514 search/0x11E pcidump\0Show +# dBASE III DBT with Ctr-Z + \0 terminating characters like fsadress.dbt +>>>>>>>>>>>>>>>514 default x +# unusual dBASE III DBT like fsadress.dbt umlaut-dbf-cmd.dbt +>>>>>>>>>>>>>>>>0 use dbase3-memo-print # dBASE III DBT like angest.dbt, or garbage PCX DBF >>>>>>>>8 ubelong !0 # skip PCX and some DBF by test for for reserved NULL bytes 
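Review bot: The block-size guard `>>>>>>>>>>>>6 ubeshort&0x002f 0` leaves bit 4 (0x10) untested, so block sizes such as 16 or 80 still reach `foxpro-memo-print`, while its comment only speaks of rejecting 170 (AAh) and a later comment in this file gives 64 and 256 as the FoxPro sizes. If the intent is "multiple of 64", the mask would be `0x003f`; if bit 4 is skipped on purpose, a comment naming the sample that needs it would stop someone "fixing" it later. The commented-out line `#>>>>>>>>>>>>>>&0 ubyte x 2ND_CHAR_IS=%o` could also be dropped or labelled as debugging, as is done for the debug lines added under `dbase3-memo-print`.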
@@ -415,9 +451,23 @@ >>>>>>>>>>0 ulelong <0x400000 # skip AI070GEP.EPS by printable 1st character of 1st memo item >>>>>>>>>>>512 ubyte >037 +# skip some Microsoft Visual C, OMF library like: BZ2.LIB WATTCPWL.LIB ZLIB.LIB +>>>>>>>>>>>>512 ubyte <0200 # skip gluon-ffhat-1.0-tp-link-tl-wr1043n-nd-v2-sysupgrade.bin by printable 2nd character ->>>>>>>>>>>>513 ubyte >037 ->>>>>>>>>>>>>0 use dbase3-memo-print +>>>>>>>>>>>>>513 ubyte >037 +# skip few (8/758) Microsoft Event Trace Logs (WBEngine.3.etl Wifi.etl) with valid 1st item like +# "9600.20369.amd64fre.winblue_ltsb_escrow.220427-1727" +# "9600.19846.amd64fre.winblue_ltsb_escrow.200923-1735" +# "10586.494.amd64fre.th2_release_sec.160630-1736" +# by looking for valid terminating character Ctrl-Z +>>>>>>>>>>>>>>513 search/0x11E \032 +# followed by second character Ctrl-Z implies typical DBT +>>>>>>>>>>>>>>>&0 ubyte 032 +# examples like: angest.dbt +>>>>>>>>>>>>>>>>0 use dbase3-memo-print +>>>>>>>>>>>>>>>&0 ubyte 0 +# no example found here with terminating sequence CTRL-Z + \0 +>>>>>>>>>>>>>>>>0 use dbase3-memo-print # dBASE IV DBT with positive block size >>>>>>>20 uleshort >0 # dBASE IV DBT with valid block length like 512, 1024 @@ -439,8 +489,16 @@ # no positive block length #>20 uleshort =0 \b, block length %u >20 uleshort !0 \b, block length %u -# dBase III memo field terminated by \032\032 +# dBase III memo field terminated often by \032\032 +# like: "WHAT IS XBASE" test.dbt "Borges, Malte" biblio.dbt "First memo\032\032" T2.DBT >512 string >\0 \b, 1st item "%s" +# For DEBUGGING +#>512 ubelong x \b, 1ST item %#8.8x +#>513 search/0x225 \032 FOUND_TERMINATOR +#>>&0 ubyte 032 2xCTRL_Z +# fsadress.dbt has 1 Ctrl-Z terminator followed by nil byte +#>>&0 ubyte 0 1xCTRL_Z + # https://www.clicketyclick.dk/databases/xbase/format/dbt.html # Print the information of dBase IV DBT memo file 0 name dbase4-memo-print 
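Review bot: The `>>>>>>>>>>>>>>>&0 ubyte 0` branch calls `dbase3-memo-print` even though its own comment states that no example with the Ctrl-Z + \0 terminator was found here, so it widens the match without a sample to justify it. The sibling branches added earlier in this commit guard the same terminator with GRUB-specific exclusions (`!grub_mod_init`, `pcidump\0Show`); this one has none. Either drop the branch until a real DBT sample turns up, or add the same kind of exclusion and say so in the comment. The search bounds are also written in mixed bases across the commit (`search/3308`, `search/523`, `search/0x11E`), which makes them hard to compare.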
@@ -486,7 +544,7 @@ >0 belong x FoxPro FPT !:mime application/x-fpt !:ext fpt -# Size of blocks for FoxPro ( 64,256 ) +# Size of blocks for FoxPro ( 64,256 ); probably a multiple of two >6 ubeshort x \b, blocks size %u # next available block #>0 belong =0 \b, next free block index %u @@ -682,13 +740,6 @@ >32 lelong 0x2601196D version 6, little-endian >>36 lelong x hash size %d bytes -# SE Linux policy database -0 lelong 0xf97cff8c SE Linux policy ->16 lelong x v%d ->20 lelong 1 MLS ->24 lelong x %d symbols ->28 lelong x %d ocons - # ICE authority file data (Wolfram Kleff) 2 string ICE ICE authority data @@ -762,7 +813,9 @@ 0 string ZEC3 Zope Object Database Client Cache File (data) # IDA (Interactive Disassembler) database +0 string IDA0 IDA (Interactive Disassembler) database 0 string IDA1 IDA (Interactive Disassembler) database +0 string IDA2 IDA (Interactive Disassembler) database # Hopper (reverse engineering tool) https://www.hopperapp.com/ 0 string hopperdb Hopper database @@ -813,8 +866,31 @@ # Used by older versions of Mozilla Suite and Firefox, # and current versions of Thunderbird. # 
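Review bot: The added `IDA0` and `IDA2` tests print exactly the same text as the existing `IDA1` line, so the output does not show which signature matched, and no reference is given for the two new magics. A comment above them stating which IDA releases or database kinds write each signature, plus a suffix on the description, would make the result more useful for triage, for example `0 string IDA2 IDA (Interactive Disassembler) database, IDA2 signature`. The wording of the suffix is only a suggestion, since the hunk does not show what distinguishes the variants.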
From: David Korth <gerbilsoft@gerbilsoft.com> +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/Mork +# https://en.wikipedia.org/wiki/Mork_(file_format) +# Note: called "Mork" by DROID via fmt/612 0 string //\ <!--\ <mdb:mork:z\ v=" Mozilla Mork database +# display Mozilla Mork database (strength=260=260+0) before "exported SGML document" (strength=28=38-10) via ./sgml +#!:strength +0 +#!:mime text/plain +!:mime text/x-mozilla-mork +# version like 1.4 >23 string x \b, version %.3s +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/d/msf.trid.xml +# Note: called "Mozilla Mail Summary file" by TrID +>26 search/7516 mailboxName \b, Mail Summary file +# like: Archives.msf Drafts.msf INBOX.msf Junk.msf Sent.msf Templates.msf Trash.msf +!:ext msf +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/m/mab.trid.xml +# Note: called "Mozilla Address Book" by TrID +>26 search/192 addrbk \b, Address Book +!:ext mab +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/d/dat-mork.trid.xml +# Note: called "Mozilla Mail folder cache" by TrID +>26 search/210 indexingPriority \b, Mail folder cache +# panacea.dat +!:ext dat # URL: https://en.wikipedia.org/wiki/Management_Information_Format # Reference: https://www.dmtf.org/sites/default/files/standards/documents/DSP0005.pdf @@ -826,3 +902,10 @@ !:mime text/x-dmtf-mif !:ext mif +# https://github.com/boltdb/bolt +# https://github.com/etcd-io/bbolt +# See magic value here: https://github.com/boltdb/bolt/blob/fd01fc79c553a8e99d512a07e8e0c63d4a3ccfc5/db.go#L24 +# The magic value is written according to endianess of the host, +# so we check both to detect them also on hosts with differnet endianess +16 lelong 0xED0CDAED BoltDB database +16 belong 0xED0CDAED BoltDB database, big-endian |
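Review bot: The three subtype tests (`>26 search/7516 mailboxName`, `>26 search/192 addrbk`, `>26 search/210 indexingPriority`) use bounds that are not explained and are not mutually exclusive. A file whose keyword lies beyond the bound silently loses its subtype and `!:ext`, and a file containing more than one keyword would presumably print several subtypes. A comment such as `# bound = largest keyword offset seen in <N> samples` would record where the numbers come from. The new `!:mime text/x-mozilla-mork` also changes what `file --mime-type` reports for these files, which matters to callers that filter on the MIME string; the commented-out `#!:mime text/plain` and `#!:strength +0` lines could be removed or explained.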
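Review bot: Both BoltDB tests rest on a single 32-bit value at offset 16 with no second check, and neither carries `!:mime` or `!:ext`, unlike the MIF entry just above. The linked db.go presumably defines a version field next to the magic; if it directly follows, a line such as `>20 lelong x \b, version %d` under the little-endian test (and `>20 belong x \b, version %d` under the other) would print a value a reader can sanity-check against the match. The little-endian description should also say so, `BoltDB database, little-endian`, to mirror the big-endian line. The added comment has two typos, "endianess" and "differnet".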