Diffstat (limited to 'contrib/file/magic/Magdir/linux')
-rw-r--r-- | contrib/file/magic/Magdir/linux | 543 |
1 files changed, 488 insertions, 55 deletions
diff --git a/contrib/file/magic/Magdir/linux b/contrib/file/magic/Magdir/linux index 0405f778aa35..16aadca87d1a 100644 --- a/contrib/file/magic/Magdir/linux +++ b/contrib/file/magic/Magdir/linux @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: linux,v 1.80 2022/03/24 15:48:58 christos Exp $ +# $File: linux,v 1.91 2024/11/09 21:15:48 christos Exp $ # linux: file(1) magic for Linux files # # Values for Linux/i386 binaries, from Daniel Quinlan <quinlan@yggdrasil.com> @@ -67,8 +67,8 @@ >16 lelong x %d characters, >12 lelong&0x01 0 no directory, >12 lelong&0x01 !0 Unicode directory, ->24 lelong x %d ->28 lelong x \bx%d +>28 lelong x %d +>24 lelong x \bx%d # Linux swap and hibernate files # Linux kernel: include/linux/swap.h 
@@ -137,34 +137,230 @@ # Linux kernel boot images, from Albert Cahalan <acahalan@cs.uml.edu> # and others such as Axel Kohlmeyer <akohlmey@rincewind.chemie.uni-ulm.de> # and Nicolas Lichtmaier <nick@debian.org> -# All known start with: b8 c0 07 8e d8 b8 00 90 8e c0 b9 00 01 29 f6 29 +# and Joerg Jenderek [unifying + more kernel info] +# many start with: b8 c0 07 8e d8 b8 00 90 8e c0 b9 00 01 29 f6 29 +# by assembler instructions like: movw $0x07c0,%ax; movw %ax,%ds; movw $0x9000,%ax; movw %ax,%es; movw $0x0001,%cx; subw %si,%si; subw # Linux kernel boot images (i386 arch) (Wolfram Kleff) # URL: https://www.kernel.org/doc/Documentation/x86/boot.txt 514 string HdrS Linux kernel +# to display Linux kernel (strength=125=70+55) after VBR boot sector (130=70+60) but before DOS/MBR IPL (115=50+65), MBR boot sector (105=40+65) via ./filesystem +# before MZ PE32 executable (EFI application) (strength=50) and before DOS executable (COM) (strength=40) with start instruction 0xe9 via ./msdos !:strength + 55 # often no extension like in linux, vmlinuz, bzimage or memdisk but sometimes # Acronis Recovery kernel64.dat and Plop Boot Manager plpbtrom.bin # DamnSmallLinux 1.5 damnsmll.lnx +#!:mime application/octet-stream +!:mime application/x-linux-kernel !:ext /dat/bin/lnx +# GRR: does there exist here samples without 55AA boot signature? I believe NO (Joerg Jenderek) >510 leshort 0xAA55 x86 boot executable +>>0 use kernel-info +# show information about Linux kernel (root, swap device, vga modus, boot protocol, setup size, init_size, EFI entry point) +0 name kernel-info +# like: plpbtrom.bin +# After 16 bit jump instruction Hi, are you searching something? 
This is the Plop Boot Manager written by Elmar Hanlhofer http?://www.plop.at +>48 string Plop\040Boot\040Manager from PLOP Boot Manager +# dummy test below 512 limit (for LILO 24.2 bootsect.b) to get same magic indention level like in v 1.85 +# and display comma before zImage/bzImage or version +>498 leshort x \b, +# boot protocol option flags valid since boot protocol >= 2.00 >>518 leshort >0x1ff ->>>529 byte 0 zImage, ->>>529 byte 1 bzImage, ->>>526 lelong >0 +# loadflags bit 0 (read); LOADED_HIGH; if 0, the protected-mode code is loaded at 0x10000 +>>>529 ubyte&0x01 0 zImage, +# loadflags bit 0 (read); LOADED_HIGH; if 1, the protected-mode code is loaded at 0x100000; that implies is_bzImage +>>>529 ubyte&0x01 1 bzImage, +# kernel_version; since protocol 2.00 if not zero 2 byte pointer to kernel version string -200h; should be < 200h*setup_sects +# 0h (ldntldr.bin plpbtrom.bin) 260h (memtest32.bin memtest64.bin) 3b0h (memdisk16.bin) 890h (damnsmll.lnx) 3400h (linux64) 3640h (linux) +#>>>526 uleshort x kernel_version=%#4.4x +>>>526 uleshort >0 +# GRR: \353fHdrS\003\002 wrong shown if kernel_version=0 like in ldntldr.bin (GRUB for DOS) >>>>(526.s+0x200) string >\0 version %s, +# 498 MasterBootRecord 4th partition entry partition type (0~empty 1~FAT12) done by ./filesystems +# 499 MasterBootRecord 4th partition entry end heads done by ./filesystems +# root_flags; if set (=1), the root is mounted readonly; deprecated, use the "ro" or "rw" option on the command line instead +#>>498 uleshort >1 root_flags=%u >>498 leshort 1 RO-rootFS, >>498 leshort 0 RW-rootFS, +# root_dev; default root device number like 0 301h (/dev/hda1 damnsmll.lnx) 380h (/dev/hd?? 
linux-elks); deprecated and replaced by command line option root= >>508 leshort >0 root_dev %#X, ->>502 leshort >0 swap_dev %#X, +# since protocol 2.04 the 2 upper bytes of long syssize and not swap_dev any more +>>518 uleshort <0x204 +# 502-505 MasterBootRecord 4th partition entry 1st LBA sector done by ./filesystems +>>>502 leshort >0 swap_dev %#X, >>504 leshort >0 RAMdisksize %u KB, +# 506-509 MasterBootRecord 4th partition entry sectors in partition done by ./filesystems >>506 leshort 0xFFFF Normal VGA >>506 leshort 0xFFFE Extended VGA >>506 leshort 0xFFFD Prompt for Videomode >>506 leshort >0 Video mode %d +# more kernel information added by Joerg Jenderek 2023 +# if needed display comma after video mode and before setup_sects +>>506 leshort >-4 +>>>506 leshort !0 \b, +# setup_sects; if field contains 0, the real value is 4; size of the setup in sectors like: +# 0 (memdisk16.bin) 1 (ldntldr.bin) 2 (memtest32.bin memtest64.bin) 4 (plpbtrom.bin linux-elks) 8 (bootsect.b) 10 (damnsmll.lnx) 25 27 (linux64) 29 30 31 33 (linux) +# MasterBootRecord 4th partition entry start cylinder bits 0-7 done by ./filesystems +>>497 ubyte !0 setup size 512*%u +>>497 ubyte =0 setup size 512*4 (not 0) +# 500 MasterBootRecord 4th partition entry end sectors+cylinder bits 8-9 done by ./filesystems +# 501 MasterBootRecord 4th partition entry end cylinder bits 0-7 done by ./filesystems +# syssize; 32-bit code size in 16-byte paragraphs; since protocol 2.04 long before unreliable short +>>518 uleshort <0x204 \b, +# 0 (ldntldr.bin) 0 (memdisk16.bin) f180h (damnsmll.lnx) +>>>500 uleshort x syssize %#x +>>518 uleshort >0x203 \b, +# 0 (plpbtrom.bin) 1270h (linux-elks) 217eh (memtest32.bin) 22deh (memtest64.bin) 2c01h (memtest86+.bin) 459c6h (linux misinterpreted as swap_dev 0X4) 70c32h (linux64 misinterpreted as swap_dev 0X7) +>>>500 ulelong x syssize %#x +# jump; jump instruction relative to byte 0x202 +>>512 ubyte =0xEB \b, jump +# jump adress like: 0x230 (damnsmll.lnx) 0x240 
(memdisk16.bin) 0x268 (memtest32.bin memtest64.bin ldntldr.bin linux AFTER handover offset) 0x26c (linux64) +>>>513 byte+2 x 0x2%2.2x +# next instruction like: +# b800088ec00fb60e mov ax,0x0800; mov es,ax; movzx cx,byte [] memdisk16.bin +# 8cc88ed88ec0e88b00 movw %cs,%ax; movw %ax,%ds; movw %ax,%es; call get_mem_info memtest32.bin +# 8cc88ed88ec0e88b00 movw %cs,%ax; movw %ax,%ds; movw %ax,%es; call get_mem_info memtest64.bin +>>>(513.b+514) ubequad x %#16.16llx instruction +# without jump instruction like: 0 (bootsect-lilo-24.2.b EOF!) 0xb8 (mov linux-elks) 0xfa (cli memtest86+.bin) +>>512 ubyte !0xEB \b, at 0x200 %#x instruction +# boot protocol version field valid since version >= 2.00 which is indicated by HdrS magic +# so skip memtest86+.bin with misinterpreted protocol 144.0 (0x9000) +>>514 string HdrS \b, +# Boot protocol version; 2.3 (ldntldr.bin damnsmll.lnx) 2.6 (plpbtrom.bin) 2.10 2.11 (linux) 2.12 (memtest32.bin) 2.13 2.15 (linux64) +>>>519 ubyte x protocol %u +>>>518 ubyte x \b.%u +# boot protocol in hexadecimal needed for addtional tests +#>>>518 uleshort x (%#4.4x) +# type_of_loader; Boot loader identifier; filled out by the bootloader +>>>528 ubyte >0 \b, loader %#x +# loadflags; boot protocol option flags +#>>>529 ubyte x loadflags=%#x +# loadflags bit 1 (kernel internal); KASLR_FLAG KASLR status to kernel +>>>529 ubyte&0x02 !0 \b, KASLR enabled +# loadflags bit 5 (write); QUIET_FLAG +>>>529 ubyte&0x20 !0 \b, quiet +# loadflags bit 6 (write) since boot protocal version >= 2.07; KEEP_SEGMENTS +>>>518 uleshort >0x206 +>>>>529 ubyte&0x40 !0 \b, keep segments +# loadflags bit 7 (write); CAN_USE_HEAP +>>>529 ubyte&0x80 !0 \b, can use heap +# payload_offset; since boot protocol 2.08 if non-zero contains offset of the protected-mode code to the payload like: cdh (linux) 40dh (linux64) +>>>518 uleshort >0x207 +>>>>584 ulelong >0 \b, from protected-mode code at offset %#x +# payload_length; since boot protocol 2.08 the length of the payload like: 452c41h 
(linux) 6fb644h (linux64) +>>>>>588 ulelong x %#x bytes +# jump setup size sectors a 512 bytes from kernel beginning +>>>>>(497.b*512) ubequad x +#>>>>>(497.b*512) ubequad x 512BYTES_BEFORE_PROTECTED-MODE_CODE=%#16.16llx +# jump payload_offset bytes + 512 bytes (for boot sector) - 8 (ubequad length) to payload start +#>>>>>>&(584.l+504) ubeshort x PAYLOAD=%#4.4x +# supported compression formats are gzip (magic numbers 1F8B or 1F9E linux) bzip2 (425A), LZMA (5D00 linux64), XZ (FD37) LZ4 (0221) ZST v0.8+ (28B5) +>>>>>>&(584.l+504) ubeshort =0x1F8B gzip compressed +>>>>>>&(584.l+504) ubeshort =0x1F9E gzip compressed +>>>>>>&(584.l+504) ubeshort =0x425A bzip2 compressed +>>>>>>&(584.l+504) ubeshort =0x5D00 LZMA compressed +>>>>>>&(584.l+504) ubeshort =0xFD37 XZ compressed +>>>>>>&(584.l+504) ubeshort =0x0221 LZ4 compressed +>>>>>>&(584.l+504) ubeshort =0x28B5 ZST compressed +# TODO: handle compressed data by ./compress; difficulties with leading space and duplicate gzip compressed +#>>>>>>&(584.l+504) indirect x COMPRESS_NOT_WORKING +# setup_move_size; for protocol 2.00-2.01; bytes starting with the beginning of the boot sector +# like: 0 (ldntldr.bin memdisk16.bin memtest32.bin memtest64.bin plpbtrom.bin) 8000h (damnsmll.lnx linux linux64) +>>>518 uleshort <0x202 +>>>>518 uleshort >0x1FF +>>>>530 uleshort x \b, setup_move_size %#4.4x +# code32_start; address to jump to in protected mode like: 100000h (linux linux64 memtest32.bin memtest64.bin) +#>>>>532 ulelong >0 \b, code32_start %#x +# kernel_alignment; since boot protocol 2.05 alignment unit required by the kernel (if relocatable_kernel is true) like: 0 (plptrom.bin) 1000h (memtest32.bin memtest64.bin) 200000h (linux) 1000000h (linux64) +#>>>518 uleshort >0x204 +#>>>>560 ulelong x \b, kernel_alignment %#x +# relocatable_kernel; since boot protocol 2.05 the protected-mode part of the kernel can be loaded at any address if this field is nonzero +>>>518 uleshort >0x204 +>>>>564 ubyte =1 \b, relocatable +#>>>>564 ubyte 
x \b, relocatable_kernel=%u +# min_alignment; since boot protocol 2.10 if nonzero, indicates as a power of two the minimum alignment required like: 12 (4 KB memtest32.bin memtest64.bin) 13 (8 KB linux) 21 (2 MB linux64) +#>>>518 uleshort >0x209 +#>>>>565 ubyte >0 \b, min_alignment %u +# xloadflags; since boot protocol 2.12 like: 3fh (linux64 unexpected value) 4h(memtest32.bin) 9h(memtest64.bin) +>>>518 uleshort >0x20B +#>>>>566 uleshort x \b, xloadflags=%#4.4x +# handover_offset; offset from beginning of kernel image to EFI handover protocol entry point like: +# 0 (damnsmll.lnx ldntldr.bin) 10h (memtest32.bin memtest64.bin) 30h (linux) 190h (linux64) 8e9000b8h (plpbtrom.bin INVALID!) +# this value makes only sense when 32 or 64-bit EFI handoff entry point +>>>>566 uleshort&0x000C !0 \b, handover offset +>>>>>612 ulelong x %#x +# Bit 0 XLF_KERNEL_64; if 1, this kernel has the legacy 64-bit entry point at 0x200 +>>>>566 uleshort&0x0001 !0 \b, legacy 64-bit entry point +# Bit 1 XLF_CAN_BE_LOADED_ABOVE_4G; if 1, kernel/boot_params/cmdline/ramdisk can be above 4G +>>>>566 uleshort&0x0002 !0 \b, can be above 4G +# Bit 2 XLF_EFI_HANDOVER_32; if 1, the kernel supports the 32-bit EFI handoff entry point +>>>>566 uleshort&0x0004 !0 \b, 32-bit EFI handoff entry point +# Bit 3 XLF_EFI_HANDOVER_64; if 1, the kernel supports the 64-bit EFI handoff entry point +>>>>566 uleshort&0x0008 !0 \b, 64-bit EFI handoff entry point +# Bit 4 EFI_KEXEC; if 1, the kernel supports kexec EFI boot with EFI runtime support +>>>>566 uleshort&0x0010 !0 \b, EFI kexec boot support +# GRR: What does bit 5 mean? 
+>>>>566 uleshort&0x0020 !0 \b, xloadflags bit 5 +# cmdline_size; since boot protocol 2.06 maximum size of the kernel command line like: 255 (memtest32.bin memtest64.bin) 2047 (linux linux64 plpbtrom); version <= 2.06 maximum was 255 +>>>518 uleshort >0x205 +>>>>568 ulelong x \b, max cmdline size %u +# hardware_subarch; since boot protocol 2.07 hardware subarchtecture like: 0~default x86 1~lguest 2~Xen 3~Moorestown 4~CE4100 TV +>>>518 uleshort >0x206 +>>>>572 ulelong >0 \b, hardware_subarch %u +# hardware_subarch_data; since boot protocol 2.07 pointer to data specific for hardware subarch; unused for default x86 +>>>>>576 ulequad >0 \b, hardware_subarch_data %#llx +# setup_data; since boot protocol 2.09 64-bit physical pointer to NULL terminated single linked list of struct setup_data +>>>518 uleshort >0x208 +>>>>592 ulequad >0 \b, setup_data %16.16llx +# pref_address; since boot protocol 2.10 if nonzero preferred load address for kernel like: 100000h (memtest32.bin memtest64.bin) 200000h (linux) 1000000h (linux64) +#>>>518 uleshort >0x209 +#>>>>600 ulequad >0 \b, pref_address %#llx +# init_size; since boot protocol 2.10 indicates amount of contiguous memory kernel needs before it is capable of examining its memory map +# like: 0h (damnsmll.lnx) 687f8h (memtest32.bin) 6acf8h (memtest64.bin) aa3000h (linux) 2514000h (linux64) 67ea0000h (memdisk16.bin INVALID) a4f3f2ffh (plpbtrom.bin INVALID) ffffff80h (ldntldr.bin INVALID) +>>>518 uleshort >0x209 +>>>>608 ulelong x \b, init_size %#x # This also matches new kernels, which were caught above by "HdrS". 
-0 belong 0xb8c0078e Linux kernel +# but also few samples without "HdrS" magic like: bootsect-lilo-24.2.b linux-elks memtest86+.bin +# URL: https://tldp.org/HOWTO/Linux-i386-Boot-Code-HOWTO/bootsect.html +#0 belong 0xb8c0078e Linux kernel +0 belong 0xb8c0078e +# to display Linux x86 kernel or Linux ELKS Kernel (strength=70=70+0) after VBR boot sector (130=70+60) DOS/MBR IPL (115=50+65), MBR boot sector (105=40+65) via ./filesystem +#!:strength +0 +# "newer" kernel (with HdrS magic) already done before +>514 string HdrS +# so handle "old" kernel variant (without HdrS magic) +>514 default x Linux +#!:mime application/octet-stream +!:mime application/x-linux-kernel +# GRR: in file 5.45 remaining default clause not working for samples with size = 512 like LILO 24.2 bootsect.b +>>0 belong x +# ELKS kernel variant is now unified with other "old" kernel variant (without HdrS magic) +>>0x1e6 belong =0x454c4b53 ELKS Kernel +!:ext / +# "old" kernel variant and not ELKS +>>0x1e6 belong !0x454c4b53 x86 kernel +!:ext /b/bin +# show kernel version information based on "Loading" message offset +>>0 use kernel-version-old1 +# unified "old" variant with start instruction \xb8\xc0\x07\x8e\xd8\xb8\x00\x90 +>>4 string \xd8\xb8\x00\x90 +# show kernel version information part 2 for "old" kernel variant (without HdrS magic) based on new HdrS field +>>>0 use kernel-version-old2 +# show kernel version information part 3 for "old" kernel variant (without HdrS magic) based on new HdrS field +>>>0 use kernel-version-old3 +# show common kernel information +>>0 use kernel-info +# show kernel version information part 1 for "old" kernel variant (without HdrS magic) based on "Loading" message offset +0 name kernel-version-old1 >0x1e3 string Loading version 1.3.79 or older >0x1e9 string Loading from prehistoric times +# LILO 24.2-5.1 bootsect.b +>0x1c5 string Loading from LILO 24.2 +# Memtest86 5.31b memtest86+.bin +>0x1d2 string Loading from Memtest86 5.31b +# DamnSmallLinux kernel version 2.4.26 
damnsmll.lnx not needed because done by kernel_version pointer +#>0x1cb string Loading damnsmll.lnx 2.4.26~ +# Memtest86+ v6.20 memtest32.bin not needed because done by kernel_version pointer +#>0x1c6 string Loading\040Memtest86+ from Memtest86+ v6.20 # System.map files - Nicolas Lichtmaier <nick@debian.org> 8 search/1 \ A\ _text Linux kernel symbol map text 
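Review bot: The payload probe `>>>>>(497.b*512) ubequad x` and the seven compression checks hanging off it treat a `setup_sects` of 0 as zero sectors, while the hunk's own `>>497 ubyte =0 setup size 512*4 (not 0)` line says 0 means 4; for such an image the `&(584.l+504)` reads land 2048 bytes before the real protected-mode payload and the gzip/bzip2/LZMA/XZ/LZ4/ZST labels are taken from the wrong bytes. Splitting the probe into `>>>>>497 ubyte !0` followed by `>>>>>>(497.b*512) ubequad x`, and `>>>>>497 ubyte =0` followed by `>>>>>>2048 ubequad x`, with the seven `ubeshort` compression lines repeated one level deeper under each branch, would fix the arithmetic. This only affects images that leave the field 0 yet carry a protocol 2.08+ `payload_offset`, which I cannot confirm from the samples listed in the comments. file(1) bounds-checks these file-controlled indirect offsets, so the consequence is a wrong label rather than an out-of-buffer read; the same applies to the `kernel_version` pointer at 526, which the comment says should be below `0x200*setup_sects` but which is only tested for `>0`.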
@@ -183,13 +379,37 @@ ############################################################################ # Linux kernel versions -0 string \xb8\xc0\x07\x8e\xd8\xb8\x00\x90 Linux +# apply only to "old" kernel variant (without HdrS magic) like damnsmll.lnx memtest86+.bin +# wrong (497 setup_sects 498 root_flags) and now already done by 1st unified "old" kernel variant +#0 string \xb8\xc0\x07\x8e\xd8\xb8\x00\x90 Linux +0 string \xb8\xc0\x07\x8e\xd8\xb8\x00\x90foo OLD_VARIANT Linux >497 leshort 0 x86 boot sector +>>0 use kernel-version-old2 +>497 leshort !0 x86 kernel +# not needed any more because information is now shown by common kernel-info with other phrases +>>0 use kernel-info-old +# kernel version information part 3 for "old" kernel variant (without HdrS magic) based on HdrS field +>>0 use kernel-version-old3 +>>0 use kernel-version-4 +# version information part 2 for "old" kernel variant (without HdrS magic) based on new HdrS field +0 name kernel-version-old2 +# dummy test to get same magic indention level like in v 1.85 +>518 leshort x >>514 belong 0x8e of a kernel from the dawn of time! >>514 belong 0x908ed8b4 version 0.99-1.1.42 >>514 belong 0x908ed8b8 for memtest86 - +# dummy test function to get same magic indention level like in v 1.85 +0 name kernel-version-dummy >497 leshort !0 x86 kernel +# not needed any more because information is now shown by kernel-info +#>0 use kernel-info-old +>>0 use kernel-info +# kernel version information part 3 for "old" kernel variant (without HdrS magic) based on HdrS field +>0 use kernel-version-old3 +# deprecated because same information is shown by kernel-info with other phrases +0 name kernel-info-old +# dummy test to get same magic indention level like in v 1.85 +>504 leshort x >>504 leshort >0 RAMdisksize=%u KB >>502 leshort >0 swap=%#X >>508 leshort >0 root=%#X 
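Review bot: `0 string \xb8\xc0\x07\x8e\xd8\xb8\x00\x90foo OLD_VARIANT Linux` keeps the superseded rule alive by appending `foo` so the pattern can never match, and `0 name kernel-version-dummy` is defined but not `use`d anywhere in this hunk; both read as dead code that the magic compiler still parses and evaluates against every file. Comment the disabled entry out the way the neighbouring `#0 string \xb8\xc0\x07\x8e\xd8\xb8\x00\x90 Linux` line already does, or delete it, and drop the dummy name unless a later hunk references it. The `kernel-info-old` rule set continues past the end of this hunk.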
@@ -199,6 +419,10 @@ >>506 leshort 0xFFFE vga=extended >>506 leshort 0xFFFD vga=ask >>506 leshort >0 vga=%d +# kernel version information part 3 for "old" kernel variant (without HdrS magic) based on HdrS field +0 name kernel-version-old3 +# dummy test to get same magic indention level like in v 1.85 +>514 belong x >>514 belong 0x908ed881 version 1.1.43-1.1.45 >>514 belong 0x15b281cd >>>0xa8e belong 0x55AA5a5a version 1.1.46-1.2.13,1.3.0 @@ -207,16 +431,27 @@ >>>0xaa6 belong 0x55AA5a5a version 1.3.31-1.3.41 >>>0xb2b belong 0x55AA5a5a version 1.3.42-1.3.45 >>>0xaf7 belong 0x55AA5a5a version 1.3.46-1.3.72 +# show kernel version information part 4 for kernel variant (with HdrS magic) based on "HdrS" field +# not needed any more because information is now shown by common kernel-info +0 name kernel-version-4 +# dummy test to get same magic indention level like in v 1.85 +>518 leshort x >>514 string HdrS >>>518 leshort >0x1FF >>>>529 byte 0 \b, zImage >>>>529 byte 1 \b, bzImage +# GRR: Not valid if kernel_version=0 >>>>(526.s+0x200) string >\0 \b, version %s # Linux boot sector thefts. -0 belong 0xb8c0078e Linux ->0x1e6 belong 0x454c4b53 ELKS Kernel ->0x1e6 belong !0x454c4b53 style boot sector +# ELKS kernel variant is now unified with above "old" kernel variant (without HdrS magic) +#0 belong 0xb8c0078e Linux +# display "Linux ELKS Kernel" or "Linux style boot sector" (strength=70) after DOS/MBR IPL (115=50+65) and MBR boot sector (105=40+65) via ./filesystem +#!:strength +0 +# https://en.wikipedia.org/wiki/Embeddable_Linux_Kernel_Subset +# https://github.com/jbruchon/elks/releases/download/v0.6.0/fd2880-fat.img/linux +#>0x1e6 belong 0x454c4b53 ELKS Kernel +#>0x1e6 belong !0x454c4b53 style boot sector ############################################################################ # Linux S390 kernel image @@ -238,16 +473,44 @@ # Linux ARM compressed kernel image # 
From: Kevin Cernekee <cernekee@gmail.com> # Update: Joerg Jenderek +# Update: Luke T. Shumaker +0 name arm-zimage +# Version indicators +>0x34 lelong 0x45454545 (kernel >=v4.15) +>0x34 lelong !0x45454545 +>>0x30 clear x +>>0x30 belong 0x04030201 (kernel >=v3.17, <v4.15) +>>0x30 lelong 0x04030201 (kernel >=v3.17, <v4.15) +>>0x30 default x (kernel <v3.17) +# Endianness indicators +# +# The kernel has 3 endianness modes: little-endian, and 2 variants of +# big-endian: BE-32 (ARMv5) and BE-8 (ARMv6+). +# +# In kernels <v3.17: +# - the 0x016f2818 @ 0x24 magic number indicates big-endian or +# little-endian (can't distinguish between BE-8 and BE-32) +# In kernels >=v3.17: +# - a new 0x04030201 @ 0x30 magic number indicates big-endian or +# little-endian, but doesn't distinguish between BE-8 and BE-32 +# - the old 0x016f2818 @ 0x24 magic number is little-endian for +# LE *and* BE-8, or big-endian for BE-32 +# +# >=v3.17 +>0x30 clear x +>0x30 belong 0x04030201 (big-endian, +>>0x24 belong 0x016f2818 BE-32, ARMv5) +>>0x24 lelong 0x016f2818 BE-8, ARMv6+) +>0x30 lelong 0x04030201 (little-endian) +# <v3.17 +>0x30 default x +>>0x24 lelong 0x016f2818 (little-endian) +>>0x24 belong 0x016f2818 (big-endian) + 0x24 lelong 0x016f2818 Linux kernel ARM boot executable zImage -# There are three possible situations: LE, BE with LE bootloader and pure BE. -# In order to aid telling these apart a new endian flag was added. In order -# to support kernels before the flag and BE with LE bootloader was added we'll -# do a negative check against the BE variant of the flag when we see a LE magic. 
->0x30 belong !0x04030201 (little-endian) -# raspian "kernel7.img", Vu+ Ultimo4K "kernel_auto.bin" -!:ext img/bin ->0x30 belong 0x04030201 (big-endian) -0x24 belong 0x016f2818 Linux kernel ARM boot executable zImage (big-endian) +>0 use arm-zimage +0x24 belong 0x016f2818 Linux kernel ARM boot executable zImage +>0 use arm-zimage ############################################################################ # Linux AARCH64 kernel image @@ -259,6 +522,12 @@ >0x18 lelong &6 \b, 32K pages ############################################################################ +# Linux RISC-V kernel image +0x38 string RSC\05 Linux kernel RISC-V boot executable Image +>0x18 lelong ^1 \b, little-endian +>0x18 lelong &1 \b, big-endian + +############################################################################ # Linux 8086 executable 0 lelong&0xFF0000FF 0xC30000E9 Linux-Dev86 executable, headerless >5 string . @@ -357,59 +626,105 @@ >8 lelong x version %d, >12 lelong x chunk_size %d -# SE Linux policy database -0 lelong 0xf97cff8c SE Linux policy ->16 lelong x v%d ->20 lelong 1 MLS ->24 lelong x %d symbols ->28 lelong x %d ocons - -# LUKS: Linux Unified Key Setup, On-Disk Format, http://luks.endorphin.org/spec -# Anthon van der Neut (anthon@mnt.org) -0 string LUKS\xba\xbe LUKS encrypted file, ->6 beshort x ver %d ->8 string x [%s, ->40 string x %s, ->72 string x %s] ->168 string x UUID: %s - - # Summary: Xen saved domain file # Created by: Radek Vokal <rvokal@redhat.com> 0 string LinuxGuestRecord Xen saved domain >20 search/256 (name >>&1 string x (name %s) -# Type: Xen, the virtual machine monitor -# From: Radek Vokal <rvokal@redhat.com> -0 string LinuxGuestRecord Xen saved domain -#>2 regex \(name\ [^)]*\) %s ->20 search/256 (name (name ->>&1 string x %s...) - # Systemd journald files # See https://www.freedesktop.org/wiki/Software/systemd/journal-files/. # 
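Review bot: The rewrite drops the `!:ext img/bin` annotation that the removed `>0x30 belong !0x04030201 (little-endian)` line carried, so ARM zImage matches no longer advertise the img/bin extensions (the Raspbian `kernel7.img` and Vu+ `kernel_auto.bin` note went with it). Adding `!:ext img/bin` under both the `0x24 lelong 0x016f2818` and the `0x24 belong 0x016f2818` entries, before their `>0 use arm-zimage` lines, restores the previous behaviour for both endiannesses.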
From: Zbigniew Jedrzejewski-Szmek <zbyszek@in.waw.pl> - -# check magic +# Update: Joerg Jenderek +# URL: https://systemd.io/JOURNAL_FILE_FORMAT/ +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/j/journal-sysd.trid.xml +# Note: called "systemd journal" by TrID +# verified by `journalctl --file=user-1000.journal` +# check magic signature[8] 0 string LPKSHHRH # check that state is one of known values +# STATE_OFFLINE~0 STATE_ONLINE~1 STATE_ARCHIVED~2 >16 ubyte&252 0 # check that each half of three unique id128s is non-zero +# file_id >>24 ubequad >0 >>>32 ubequad >0 +# machine_id >>>>40 ubequad >0 >>>>>48 ubequad >0 +# boot_id; last writer >>>>>>56 ubequad >0 >>>>>>>64 ubequad >0 Journal file -!:mime application/octet-stream +#!:mime application/octet-stream +!:mime application/x-linux-journal # provide more info +# head_entry_realtime; contains a POSIX timestamp stored in microseconds +>>>>>>>>184 leqdate/1000000 !0 \b, %s >>>>>>>>184 leqdate 0 empty ->>>>>>>>16 ubyte 0 \b, offline ->>>>>>>>16 ubyte 1 \b, online +# If a file is closed after writing the state field should be set to STATE_OFFLINE +>>>>>>>>16 ubyte 0 \b, +# for offline and empty only journal~ extension found +>>>>>>>>>184 leqdate 0 offline +# https://man7.org/linux/man-pages/man8/systemd-journald.service.8.html +# GRR: add char ~ inside parse_ext in ../../src/apprentice.c to avoid in file version 5.44 error like: +# Magdir/linux, 463: Warning: EXTENSION type ` journal~' has bad char '~' +!:ext journal~ +# for offline and non empty often *.journal~ but also user-1001.journal +>>>>>>>>>184 leqdate !0 offline +!:ext journal/journal~ +# if a file is opened for writing the state field should be set to STATE_ONLINE +>>>>>>>>16 ubyte 1 \b, +# for online and empty only journal~ extension found +>>>>>>>>>184 leqdate 0 online +# system@0005febee06e2ff2-f7ea54d10e4346ff.journal~ +!:ext journal~ +# for online and non empty only journal extension found +>>>>>>>>>184 leqdate !0 online +# system.journal 
user-1000.journal +!:ext journal +# after a file has been rotated it should be set to STATE_ARCHIVED >>>>>>>>16 ubyte 2 \b, archived +!:ext journal +# no *.journal~ found +#!:ext journal/journal~ +# compatible_flags >>>>>>>>8 ulelong&1 1 \b, sealed +# incompatible_flags; COMPRESSED_XZ~1 COMPRESSED_LZ4~2 KEYED_HASH~4 COMPRESSED_ZSTD~8 COMPACT~16 +#>>>>>>>>12 ulelong x FLAGS=%#x >>>>>>>>12 ulelong&1 1 \b, compressed +>>>>>>>>12 ulelong&2 !0 \b, compressed lz4 +>>>>>>>>12 ulelong&4 !0 \b, keyed hash siphash24 +>>>>>>>>12 ulelong&8 !0 \b, compressed zstd +>>>>>>>>12 ulelong&16 !0 \b, compact +# uint8_t reserved[7]; apparently nil +#>>17 long !0 \b, reserved %#8.8x +# seqnum_id; like: 0 e623691afec94b5aa968ae2d726c49cc f98b2af481924b29 8d6816ca3639edc6 +#>>>>>>>>72 ubequad x \b, seqnum_id %#16.16llx +#>>>>>>>>80 ubequad x b%16.16llx +# header_size like: 100h +>>>>>>>>88 ulequad !0x100h \b, header size %#llx +# arena_size like: 0 7fff00h ffff00h 17fff00h +#>>>>>>>>96 ulequad >0 \b, arena size %#llx +# data_hash_table_offset like: 0 15f0h 15f0h +#>>>>>>>>104 ulequad >0 \b, hash table offset %#llx +# data_hash_table_size like: 0 38e380h +#>>>>>>>>112 ulequad >0 \b, hash table size %#llx +# field_hash_table_offset like: 0 110h +#>>>>>>>>120 ulequad >0 \b, field hash table offset %#llx +# field_hash_table_size like: 0 14d0h +#>>>>>>>>128 ulequad >0 \b, field hash table size %#llx +# tail_object_offset like: 0 43edd8h 511278h c68968h d487d0h efaa98h +#>>>>>>>>136 ulequad >0 \b, tail object offset %#llx +# n_objects like: 0 1032h 5a2eh 92bdh a8b5h aa75h 112adh 40c23h 4714eh +#>>>>>>>>144 ulequad >0 \b, objects %#llx +# n_entries like: 0 3aeh 235ah 2dc4h 3125h 16129h 187a1h +>>>>>>>>152 ulequad >0 \b, entries %#llx +# tail_entry_seqnum like: 0 1988h 16249h 24c12h 24c12h 41e64h 9fefdh +#>>>>>>>>160 ulequad >0 \b, tail entry seqnum %#llx +# head_entry_seqnum like: 0 1h 15dbh 6552h 213bfh 213bfh 3e672h 9a28ah +#>>>>>>>>168 ulequad >0 \b, head entry seqnum %#llx +# 
entry_array_offset like: 0 390058h 3909d8h 3909e0h +#>>>>>>>>176 ulequad >0 \b, entry array offset %#llx # BCache backing and cache devices # From: Gabriel de Perthuis <g2p.code@gmail.com> @@ -481,12 +796,90 @@ # Site: https://fedorahosted.org/mlocate/ # Format docs: https://linux.die.net/man/5/mlocate.db # Type: mlocate database file +# URL: https://en.wikipedia.org/wiki/Locate_(Unix) # URL: https://fedorahosted.org/mlocate/ # 
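Review bot: The hunk deletes the `0 lelong 0xf97cff8c SE Linux policy` and `0 string LUKS\xba\xbe LUKS encrypted file` entries with no replacement visible in this file; the diff is limited to Magdir/linux, so if these were not relocated to another Magdir file, `file` silently stops identifying LUKS containers and SELinux policy databases, which disk-triage and forensics tooling keys on. Confirm the move or keep the entries. Separately, `>>>>>>>>88 ulequad !0x100h \b, header size %#llx` carries a stray `h` after the hex literal; the magic number parser stops at the `h`, so the rest of the line will most likely be taken as the description text, and it should read `>>>>>>>>88 ulequad !0x100 \b, header size %#llx`.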
From: Wander Nauta <info@wandernauta.nl> +# Update: Joerg Jenderek 0 string \0mlocate mlocate database ->12 byte x \b, version %d +#!:mime application/octet-stream +!:mime application/x-mlocate +# default mlocate.db if not overriden with --output option of updatedb +!:ext db +# at the moment value is 0; a higher version will probably not occur, because mlocate is now often replaced by plocate +>12 byte !0 \b, version %d +# configured with -l option of updatedb >13 byte 1 \b, require visibility +# 2 byte pad for 32-bit total alignment +#>14 short !0 \b, padding %#x +# standard is 1 byte / if not overriden with --database-root option of updatedb >16 string x \b, root %s +# 1st variable name nil terminated like: prune_bind_mounts +>>&1 string x \b, 1st variable %s +# 1st variable value like: 0 1 +>>>&1 string x \b=%s +# configuration block size in big endian like: 82 85 174 181 185 483 491 496 497 556 600 +>8 ubelong x \b, configuration size %u + +# URL: https://plocate.sesse.net/ +# Reference: https://plocate.sesse.net/download/plocate-1.1.19.tar.gz +# plocate-1.1.19/db.h +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/d/db-plocate.trid.xml +# Note: called "plocate database" by TrID +# magic[8] +0 string \0plocate plocate database +#!:mime application/octet-stream +!:mime application/x-plocate +# default /var/lib/plocate/plocate.db if not overriden with --output option of updatedb.plocate +!:ext db +# version; 2 is the current version +>8 ulelong !1 \b, version %u +# hashtable_size; like 1 (for "empty" samples) 1b5c3h +#>12 ulelong >1 \b, hash table size %#x +# extra_ht_slots; like: 10h +>16 ulelong !0x10 \b, extra_ht_slots %#x +# num_docids; like 0 (for "empty" samples) a132h +>20 ulelong >0 \b, num_docids %u +# hash_table_offset_bytes; 78h (for "empty" samples) afdf99h +#>24 ulequad !0x78 \b, hash table offset %#llx +# filename_index_offset_bytes; 70h (for "empty" samples) aad571h +#>32 ulequad !0x70 \b, filename index offset %#llx +# version 1 and up 
only +>8 ulelong >0 +# max_version; nominally 1 or 2 but can be increased if more features are added in a backward-compatible way +>>40 ulelong !2 \b, max version %u +# zstd_dictionary_length_bytes; 0 (for "empty" samples) 400h +>>44 ulelong !0 \b, at %#x +# zstd_dictionary_offset_bytes; 0 (for "empty" samples) 70h +>>48 ulequad >0 \b+%#llx +# jump to beginning of zstd dictionary +>>>(48.q) ubequad x +# jump realative zstd dictionary length bytes - 8 (quad length) forward to ZST data beginning +#>>>>&(44.l-8) ubelong x ZST=%8.8x +>>>>&(44.l-8) ubelong x +# print 1 space char after zstd_dictionary_offset and then handles Zstandard compressed data by ./compress +# to get phrase like "at 0x400+0x70 Zstandard compressed data (v0.8+)" +>>>>>&-4 indirect x \b +# only if max_version >= 2 and only relevant for updatedb +>40 ulelong >1 +# directory_data_length_byte +#>>56 ulequad x \b, directory data length %#llx +# directory_data_offset_bytes; +#>>64 ulequad x offset %#llx +# next_zstd_dictionary_length_bytes; 0 (for "empty" samples) 400h +>>72 ulequad >0 \b, next zstd dictionary length %#llx +# next_zstd_dictionary_offset_bytes; 0 (for "empty" samples) 14b9cb8h +>>>80 ulequad >0 offset %#llx +# conf_block_length_bytes like; 65 147 148 151 152 452 537 540 543 +>>88 ulequad x \b, configuration size %llu +# conf_block_offset_bytes; 1a1h (for "empty" samples) 14ba0b8h +>>96 ulequad >0 \b, at %#llx 1st variable +# 1st variable name nil terminated like: prune_bind_mounts +>>>(96.q) string x %s +# 1st variable value nil terminated like: 0 1 +>>>>&1 string x \b=%s +# bool check_visibility; 0 or 1 configured with -l option of updatedb.plocate +>>104 ubyte 1 \b, require visibility +#>>104 ubyte x \b, check_visibility %#x # Dump files for iproute2 tool. Generated by the "ip r|a save" command. URL: # https://www.linuxfoundation.org/collaborate/workgroups/networking/iproute2 
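Review bot: In the plocate entry `>>>>&(44.l-8) ubelong x` computes a negative relative offset whenever `zstd_dictionary_length_bytes` is 1..7, because the enclosing test is only `>>44 ulelong !0`; the subsequent `>>>>>&-4 indirect x` then runs the whole magic set on bytes before the dictionary. file(1) bounds-checks the offset and caps indirect recursion, so this is mislabelling rather than a crash, but tightening the guard to `>>44 ulelong >7 \b, at %#x` avoids it. The version line `>8 ulelong !1 \b, version %u` also seems inverted relative to its comment that 2 is current: if the intent is to print only a non-default version as the mlocate entry does, it should be `>8 ulelong !2 \b, version %u`.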
@@ -502,9 +895,12 @@ 0 lelong 0x58313116 CRIU inventory # Kdump compressed dump files -# https://sourceforge.net/p/makedumpfile/code/ci/master/tree/IMPLEMENTATION +# https://github.com/makedumpfile/makedumpfile/blob/master/IMPLEMENTATION + +0 string KDUMP\x20\x20\x20 Kdump compressed dump +>0 use kdump-compressed-dump -0 string KDUMP Kdump compressed dump +0 name kdump-compressed-dump >8 long x v%d >12 string >\0 \b, system %s >77 string >\0 \b, node %s @@ -513,6 +909,12 @@ >272 string >\0 \b, machine %s >337 string >\0 \b, domain %s +# Flattened format +0 string makedumpfile +>16 bequad 1 +>>0x1010 string KDUMP\x20\x20\x20 Flattened kdump compressed dump +>>>0x1010 use kdump-compressed-dump + # Device Tree files 0 search/1024 /dts-v1/ Device Tree File (v1) # beat c code @@ -535,3 +937,34 @@ >&0 regex [0-9]+\\.[0-9]+ \b, version %s >>&0 string ; >>>&0 regex [A-Z0-9]+ \b, encryption %s + +# From: Joerg Jenderek +# URL: https://www.gnu.org/software/grub +# Reference: https://ftp.gnu.org/gnu/grub/grub-2.06.tar.gz +# grub-2.06/include/grub/keyboard_layouts.h +# grub-2.06/grub-core/commands/keylayouts.c +# GRUB_KEYBOARD_LAYOUTS_FILEMAGIC +0 string GRUBLAYO GRUB Keyboard +!:mime application/x-grub-keyboard +!:ext gkb +# GRUB_KEYBOARD_LAYOUTS_VERSION like: 10 +>8 ulelong !10 \b, version %u +# 4 grub_uint32_t grub_keyboard_layout[160] +# for normal french keyboard this is letter a +>92 ubyte !0x71 +>>92 ubyte >0x40 \b, english q is %c +#>732 ubyte x \b, english Q is %c +# for normal german keyboard this is letter z +>124 ubyte !0x79 +>>124 ubyte >0x40 \b, english y is %c +#>764 ubyte x \b, english Y is %c + + +# From: Ben Dooks <ben.dooks@codethink.co.uk> +# URL: https://github.com/torvalds/linux/blob/master/tools/perf/util/header.c +# perf files for v1 and v2 +0 string PERFFILE Linux perf recording, version 1 + +0 lequad 0x32454c4946524550 Linux perf recording, version 2. little endian + +0 bequad 0x32454c4946524550 Linux perf recording, version 2. big endian |
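Review bot: In the GRUB keyboard entry `>>92 ubyte >0x40 \b, english q is %c` (and the matching line at offset 124) feeds the low byte of a `grub_uint32_t` keycode to `%c` after only a lower bound, so values 0x7f and above reach the format; file(1) escapes non-printable output bytes as far as I know, but the label then degrades to an octal escape. Nesting `>>>92 ubyte <0x7f \b, english q is %c` under the existing `>0x40` test, and the same for `124`, keeps the output to printable ASCII. The `0 string PERFFILE` and the two `0x32454c4946524550` perf entries carry no `!:mime` or `!:ext`, unlike the other additions in this change.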