Diffstat (limited to 'contrib/file/magic/Magdir/linux')
-rw-r--r-- | contrib/file/magic/Magdir/linux | 207 |
1 files changed, 157 insertions, 50 deletions
diff --git a/contrib/file/magic/Magdir/linux b/contrib/file/magic/Magdir/linux
index e7d0a15607e2..ae181148dfb9 100644
--- a/contrib/file/magic/Magdir/linux
+++ b/contrib/file/magic/Magdir/linux
@@ -1,6 +1,6 @@
 #------------------------------------------------------------------------------
-# $File: linux,v 1.72 2020/06/07 21:56:13 christos Exp $
+# $File: linux,v 1.85 2023/07/17 14:40:09 christos Exp $
 # linux: file(1) magic for Linux files
 #
 # Values for Linux/i386 binaries, from Daniel Quinlan <quinlan@yggdrasil.com>
@@ -67,8 +67,8 @@
 >16 lelong x %d characters,
 >12 lelong&0x01 0 no directory,
 >12 lelong&0x01 !0 Unicode directory,
->24 lelong x %d
->28 lelong x \bx%d
+>28 lelong x %d
+>24 lelong x \bx%d
 # Linux swap and hibernate files
 # Linux kernel: include/linux/swap.h
@@ -83,20 +83,20 @@
 # format v1, supported since 1998
 0 name linux-swap
->0x400 lelong 1 little endian, version %u,
->>0x404 lelong x size %u pages,
->>0x408 lelong x %u bad pages,
->0x400 belong 1 big endian, version %u,
->>0x404 belong x size %u pages,
->>0x408 belong x %u bad pages,
->0x41c string \0 no label,
->0x41c string >\0 LABEL=%s,
->0x40c belong x UUID=%08x
->0x410 beshort x \b-%04x
->0x412 beshort x \b-%04x
->0x414 beshort x \b-%04x
->0x416 belong x \b-%08x
->0x41a beshort x \b%04x
+>0x400 lelong 1 little endian, version %u,
+>>0x404 lelong x size %u pages,
+>>0x408 lelong x %u bad pages,
+>0x400 belong 1 big endian, version %u,
+>>0x404 belong x size %u pages,
+>>0x408 belong x %u bad pages,
+>0x41c string \0 no label,
+>0x41c string >\0 LABEL=%s,
+>0x40c ubelong x UUID=%08x
+>0x410 ubeshort x \b-%04x
+>0x412 ubeshort x \b-%04x
+>0x414 ubeshort x \b-%04x
+>0x416 ubelong x \b-%08x
+>0x41a ubeshort x \b%04x
 0xff6 string SWAPSPACE2 Linux swap file, 4k page size,
 >0 use linux-swap
@@ -154,8 +154,8 @@
 >>>>(526.s+0x200) string >\0 version %s,
 >>498 leshort 1 RO-rootFS,
 >>498 leshort 0 RW-rootFS,
->>508 leshort >0 root_dev 0x%X,
->>502 leshort >0 swap_dev 0x%X,
+>>508 leshort >0 root_dev %#X,
+>>502 leshort >0 swap_dev %#X,
 >>504 leshort >0 RAMdisksize %u KB,
 >>506 leshort 0xFFFF Normal VGA
 >>506 leshort 0xFFFE Extended VGA
@@ -191,8 +191,8 @@
 >497 leshort !0 x86 kernel
 >>504 leshort >0 RAMdisksize=%u KB
->>502 leshort >0 swap=0x%X
->>508 leshort >0 root=0x%X
+>>502 leshort >0 swap=%#X
+>>508 leshort >0 root=%#X
 >>>498 leshort 1 \b-ro
 >>>498 leshort 0 \b-rw
 >>506 leshort 0xFFFF vga=normal
@@ -239,14 +239,14 @@
 # From: Kevin Cernekee <cernekee@gmail.com>
 # Update: Joerg Jenderek
 0x24 lelong 0x016f2818 Linux kernel ARM boot executable zImage
-# There are three posible situations: LE, BE with LE bootloader and pure BE.
+# There are three possible situations: LE, BE with LE bootloader and pure BE.
 # In order to aid telling these apart a new endian flag was added. In order
 # to support kernels before the flag and BE with LE bootloader was added we'll
 # do a negative check against the BE variant of the flag when we see a LE magic.
 >0x30 belong !0x04030201 (little-endian)
->0x30 belong 0x04030201 (big-endian)
 # raspian "kernel7.img", Vu+ Ultimo4K "kernel_auto.bin"
 !:ext img/bin
+>0x30 belong 0x04030201 (big-endian)
 0x24 belong 0x016f2818 Linux kernel ARM boot executable zImage (big-endian)
 ############################################################################
@@ -364,16 +364,6 @@
 >24 lelong x %d symbols
 >28 lelong x %d ocons
-# LUKS: Linux Unified Key Setup, On-Disk Format, http://luks.endorphin.org/spec
-# Anthon van der Neut (anthon@mnt.org)
-0 string LUKS\xba\xbe LUKS encrypted file,
->6 beshort x ver %d
->8 string x [%s,
->40 string x %s,
->72 string x %s]
->168 string x UUID: %s
-
-
 # Summary: Xen saved domain file
 # Created by: Radek Vokal <rvokal@redhat.com>
 0 string LinuxGuestRecord Xen saved domain
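Review bot: The new `root_dev %#X` and `swap_dev %#X` lines change the printed prefix from `0x` to `0X`: the `#` flag on an uppercase `%X` conversion produces an uppercase `0X` prefix under printf semantics, which I assume file(1) passes through unchanged for numeric fields, so any consumer matching `root_dev 0x` in file output stops matching. If the aim was to keep the old text while letting the formatter own the prefix, `%#x` gives `0x` with lowercase digits and the original `0x%X` gives the exact old output; the same applies to the `swap=%#X` and `root=%#X` lines in the following hunk. `%#X` also emits no prefix at all for a zero value, which is harmless here only because both lines are guarded by `>0`.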
@@ -390,26 +380,96 @@
 # Systemd journald files
 # See https://www.freedesktop.org/wiki/Software/systemd/journal-files/.
 # From: Zbigniew Jedrzejewski-Szmek <zbyszek@in.waw.pl>
-
-# check magic
+# Update: Joerg Jenderek
+# URL: https://systemd.io/JOURNAL_FILE_FORMAT/
+# Reference: http://mark0.net/download/triddefs_xml.7z/defs/j/journal-sysd.trid.xml
+# Note: called "systemd journal" by TrID
+# verified by `journalctl --file=user-1000.journal`
+# check magic signature[8]
 0 string LPKSHHRH
 # check that state is one of known values
+# STATE_OFFLINE~0 STATE_ONLINE~1 STATE_ARCHIVED~2
 >16 ubyte&252 0
 # check that each half of three unique id128s is non-zero
+# file_id
 >>24 ubequad >0
 >>>32 ubequad >0
+# machine_id
 >>>>40 ubequad >0
 >>>>>48 ubequad >0
+# boot_id; last writer
 >>>>>>56 ubequad >0
 >>>>>>>64 ubequad >0 Journal file
-!:mime application/octet-stream
+#!:mime application/octet-stream
+!:mime application/x-linux-journal
 # provide more info
+# head_entry_realtime; contains a POSIX timestamp stored in microseconds
+>>>>>>>>184 leqdate/1000000 !0 \b, %s
 >>>>>>>>184 leqdate 0 empty
->>>>>>>>16 ubyte 0 \b, offline
->>>>>>>>16 ubyte 1 \b, online
+# If a file is closed after writing the state field should be set to STATE_OFFLINE
+>>>>>>>>16 ubyte 0 \b,
+# for offline and empty only journal~ extension found
+>>>>>>>>>184 leqdate 0 offline
+# https://man7.org/linux/man-pages/man8/systemd-journald.service.8.html
+# GRR: add char ~ inside parse_ext in ../../src/apprentice.c to avoid in file version 5.44 error like:
+# Magdir/linux, 463: Warning: EXTENSION type ` journal~' has bad char '~'
+!:ext journal~
+# for offline and non empty often *.journal~ but also user-1001.journal
+>>>>>>>>>184 leqdate !0 offline
+!:ext journal/journal~
+# if a file is opened for writing the state field should be set to STATE_ONLINE
+>>>>>>>>16 ubyte 1 \b,
+# for online and empty only journal~ extension found
+>>>>>>>>>184 leqdate 0 online
+# system@0005febee06e2ff2-f7ea54d10e4346ff.journal~
+!:ext journal~
+# for online and non empty only journal extension found
+>>>>>>>>>184 leqdate !0 online
+# system.journal user-1000.journal
+!:ext journal
+# after a file has been rotated it should be set to STATE_ARCHIVED
 >>>>>>>>16 ubyte 2 \b, archived
+!:ext journal
+# no *.journal~ found
+#!:ext journal/journal~
+# compatible_flags
 >>>>>>>>8 ulelong&1 1 \b, sealed
+# incompatible_flags; COMPRESSED_XZ~1 COMPRESSED_LZ4~2 KEYED_HASH~4 COMPRESSED_ZSTD~8 COMPACT~16
+#>>>>>>>>12 ulelong x FLAGS=%#x
 >>>>>>>>12 ulelong&1 1 \b, compressed
+>>>>>>>>12 ulelong&2 !0 \b, compressed lz4
+>>>>>>>>12 ulelong&4 !0 \b, keyed hash siphash24
+>>>>>>>>12 ulelong&8 !0 \b, compressed zstd
+>>>>>>>>12 ulelong&16 !0 \b, compact
+# uint8_t reserved[7]; apparently nil
+#>>17 long !0 \b, reserved %#8.8x
+# seqnum_id; like: 0 e623691afec94b5aa968ae2d726c49cc f98b2af481924b29 8d6816ca3639edc6
+#>>>>>>>>72 ubequad x \b, seqnum_id %#16.16llx
+#>>>>>>>>80 ubequad x b%16.16llx
+# header_size like: 100h
+>>>>>>>>88 ulequad !0x100h \b, header size %#llx
+# arena_size like: 0 7fff00h ffff00h 17fff00h
+#>>>>>>>>96 ulequad >0 \b, arena size %#llx
+# data_hash_table_offset like: 0 15f0h 15f0h
+#>>>>>>>>104 ulequad >0 \b, hash table offset %#llx
+# data_hash_table_size like: 0 38e380h
+#>>>>>>>>112 ulequad >0 \b, hash table size %#llx
+# field_hash_table_offset like: 0 110h
+#>>>>>>>>120 ulequad >0 \b, field hash table offset %#llx
+# field_hash_table_size like: 0 14d0h
+#>>>>>>>>128 ulequad >0 \b, field hash table size %#llx
+# tail_object_offset like: 0 43edd8h 511278h c68968h d487d0h efaa98h
+#>>>>>>>>136 ulequad >0 \b, tail object offset %#llx
+# n_objects like: 0 1032h 5a2eh 92bdh a8b5h aa75h 112adh 40c23h 4714eh
+#>>>>>>>>144 ulequad >0 \b, objects %#llx
+# n_entries like: 0 3aeh 235ah 2dc4h 3125h 16129h 187a1h
+>>>>>>>>152 ulequad >0 \b, entries %#llx
+# tail_entry_seqnum like: 0 1988h 16249h 24c12h 24c12h 41e64h 9fefdh
+#>>>>>>>>160 ulequad >0 \b, tail entry seqnum %#llx
+# head_entry_seqnum like: 0 1h 15dbh 6552h 213bfh 213bfh 3e672h 9a28ah
+#>>>>>>>>168 ulequad >0 \b, head entry seqnum %#llx
+# entry_array_offset like: 0 390058h 3909d8h 3909e0h
+#>>>>>>>>176 ulequad >0 \b, entry array offset %#llx
 # BCache backing and cache devices
 # From: Gabriel de Perthuis <g2p.code@gmail.com>
@@ -438,17 +498,16 @@
 # Documentation/devicetree/booting-without-of.txt
 # From Christoph Biedl
 0 belong 0xd00dfeed
-# structure and strings must be within blob
+# structure must be within blob, strings are omitted to handle devicetrees > 1M
 >&(8.L) byte x
->>&(12.L) byte x
->>>20 belong >1 Device Tree Blob version %d
->>>>4 belong x \b, size=%d
->>>>20 belong >1
->>>>>28 belong x \b, boot CPU=%d
->>>>20 belong >2
->>>>>32 belong x \b, string block size=%d
->>>>20 belong >16
->>>>>36 belong x \b, DT structure block size=%d
+>>20 belong >1 Device Tree Blob version %d
+>>>4 belong x \b, size=%d
+>>>20 belong >1
+>>>>28 belong x \b, boot CPU=%d
+>>>20 belong >2
+>>>>32 belong x \b, string block size=%d
+>>>20 belong >16
+>>>>36 belong x \b, DT structure block size=%d
 # glibc locale archive as defined in glibc locale/locarchive.h
 0 lelong 0xde020109 locale archive
@@ -503,9 +562,12 @@
 0 lelong 0x58313116 CRIU inventory
 # Kdump compressed dump files
-# https://sourceforge.net/p/makedumpfile/code/ci/master/tree/IMPLEMENTATION
+# https://github.com/makedumpfile/makedumpfile/blob/master/IMPLEMENTATION
-0 string KDUMP Kdump compressed dump
+0 string KDUMP\x20\x20\x20 Kdump compressed dump
+>0 use kdump-compressed-dump
+
+0 name kdump-compressed-dump
 >8 long x v%d
 >12 string >\0 \b, system %s
 >77 string >\0 \b, node %s
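Review bot: The added `!:ext journal~` lines (and `!:ext journal/journal~`) depend on a parser change that the hunk's own comment describes as still outstanding — `# GRR: add char ~ inside parse_ext in ../../src/apprentice.c` — so with an unmodified file 5.44 `parse_ext` the magic compiler reports `EXTENSION type ' journal~' has bad char '~'` for this section on every build of the database. Unless this import also carries the matching src/apprentice.c change, which is not visible here, I would keep these at plain `!:ext journal` until it does, since a warning in a vendored contrib file is easy to mistake for a local regression. The comment also hard-codes `Magdir/linux, 463:`, a line number that drifts with every edit; a shorter `# '~' in !:ext is rejected by older parse_ext in src/apprentice.c` says the same without going stale. Separately, `>>>>>>>>88 ulequad !0x100h` appears to rely on the parser swallowing the trailing `h` as a size suffix; `!0x100` expresses the same check without depending on that quirk.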
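Review bot: Dropping `>>&(12.L) byte x` leaves the FDT header fields printed with no range validation at all, and they are printed as signed (`belong` with `%d`) although the flattened-device-tree header stores them as uint32; a truncated or crafted blob that now passes the weaker `>&(8.L)` gate will report negative sizes and offsets. Since the point of the change is to accept large blobs, I would at least switch the informational lines to unsigned, e.g. `>>>4 ubelong x \b, size=%u` and the same for the `28`, `32` and `36` offsets, so the output is correct for any value that the header can legitimately hold. The comment should also say why the strings check was dropped in terms a reader can act on — that file(1) only reads a bounded prefix of the input, so an indirect offset beyond it fails even for a valid blob — rather than only "> 1M".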
@@ -514,7 +576,52 @@
 >272 string >\0 \b, machine %s
 >337 string >\0 \b, domain %s
+# Flattened format
+0 string makedumpfile
+>16 bequad 1
+>>0x1010 string KDUMP\x20\x20\x20 Flattened kdump compressed dump
+>>>0x1010 use kdump-compressed-dump
+
 # Device Tree files
 0 search/1024 /dts-v1/ Device Tree File (v1)
 # beat c code
 !:strength +14
+
+
+# e2fsck undo file
+# David Gilman <davidgilman1@gmail.com>
+0 string E2UNDO02 e2fsck undo file, version 2
+>44 lelong x \b, undo file is
+>>44 lelong&1 0 not finished
+>>44 lelong&1 1 finished
+>48 lelong x \b, undo file features:
+>>48 lelong&1 0 lacks filesystem offset
+>>48 lelong&1 1 has filesystem offset
+>>>64 lequad x at %#llx
+
+# ansible vault (does not really belong here)
+0 string $ANSIBLE_VAULT; Ansible Vault
+>&0 regex [0-9]+\\.[0-9]+ \b, version %s
+>>&0 string ;
+>>>&0 regex [A-Z0-9]+ \b, encryption %s
+
+# From: Joerg Jenderek
+# URL: https://www.gnu.org/software/grub
+# Reference: https://ftp.gnu.org/gnu/grub/grub-2.06.tar.gz
+# grub-2.06/include/grub/keyboard_layouts.h
+# grub-2.06/grub-core/commands/keylayouts.c
+# GRUB_KEYBOARD_LAYOUTS_FILEMAGIC
+0 string GRUBLAYO GRUB Keyboard
+!:mime application/x-grub-keyboard
+!:ext gkb
+# GRUB_KEYBOARD_LAYOUTS_VERSION like: 10
+>8 ulelong !10 \b, version %u
+# 4 grub_uint32_t grub_keyboard_layout[160]
+# for normal french keyboard this is letter a
+>92 ubyte !0x71
+>>92 ubyte >0x40 \b, english q is %c
+#>732 ubyte x \b, english Q is %c
+# for normal german keyboard this is letter z
+>124 ubyte !0x79
+>>124 ubyte >0x40 \b, english y is %c
+#>764 ubyte x \b, english Y is %c
|
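Review bot: `>>92 ubyte >0x40 \b, english q is %c` (and the matching `>>124` line for y) writes the raw layout byte into file(1)'s output with `%c` after only a lower-bound test, so a keymap entry of 0x7f or 0x80–0xff in a malformed or hostile .gkb passes the check and emits a control or non-ASCII byte straight into the description; as far as I can tell the numeric `%c` path does not go through the escaping that string matches get, so this deserves an upper bound. Nesting one keeps the output unchanged for ordinary layouts: `>>92 ubyte >0x40` followed by `>>>92 ubyte <0x7f \b, english q is %c`, and the same pair at offset 124. The Ansible Vault entry is fine as written, but since `$ANSIBLE_VAULT;` files carry encrypted secrets it is worth a one-line comment noting that file(1) now labels them, e.g. `# identifies encrypted secrets stores; useful for secret-scanning pipelines`, because the existing `(does not really belong here)` reads as an apology rather than documentation.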