Diffstat (limited to 'contrib/file/magic/Magdir/msdos')
-rw-r--r-- | contrib/file/magic/Magdir/msdos | 982 |
1 files changed, 853 insertions, 129 deletions
diff --git a/contrib/file/magic/Magdir/msdos b/contrib/file/magic/Magdir/msdos
index 7ddbb30fbbe0..aacf85946b09 100644
--- a/contrib/file/magic/Magdir/msdos
+++ b/contrib/file/magic/Magdir/msdos
@@ -1,6 +1,6 @@
 #------------------------------------------------------------------------------
-# $File: msdos,v 1.137 2020/03/20 17:20:19 christos Exp $
+# $File: msdos,v 1.169 2023/04/17 16:39:19 christos Exp $
 # msdos: file(1) magic for MS-DOS files
 # 
@@ -47,29 +47,129 @@ # Tests for various EXE types. # -# Many of the compressed formats were extraced from IDARC 1.23 source code. +# Many of the compressed formats were extracted from IDARC 1.23 source code. # +# e_magic 0 string/b MZ -# All non-DOS EXE extensions have the relocation table more than 0x40 bytes into the file. ->0x18 leshort <0x40 MS-DOS executable +# TODO +# FLT: Syntrillium CoolEdit Filter https://en.wikipedia.org/wiki/Adobe_Audition +# FMX64:FileMaker Pro 64-bit plug-in https://en.wikipedia.org/wiki/FileMaker +# FMX: FileMaker Pro 32-bit plug-in https://en.wikipedia.org/wiki/FileMaker +# FOD: WIFE Font Driver +# GAU: MS Flight Simulator Gauge +# IFS: OS/2 Installable File System https://en.wikipedia.org/wiki/OS/2 +# MEXW32:MATLAB Windows 32bit compiled function https://en.wikipedia.org/wiki/MATLAB +# MEXW64:MATLAB Windows 64bit compiled function https://en.wikipedia.org/wiki/MATLAB +# MLL: Maya plug-in (generic) http://en.wikipedia.org/wiki/Autodesk_Maya +# PFL: PhotoFilter plugin http://photofiltre.free.fr +# 8*: PhotoShop plug-in (generic) http://www.adobe.com/products/photoshop/main.html +# PLG: Aston Shell plugin http://www.astonshell.com/ +# QLB: Microsoft Basic Quick library https://en.wikipedia.org/wiki/QuickBASIC +# SKL: WinLIFT skin http://www.zapsolution.com/winlift/index.htm +# TBK: Asymetrix ToolBook application http://www.toolbook.com +# TBP: The Bat! plugin http://www.ritlabs.com +# UPC: Ultimate Paint Graphics Editor plugin http://ultimatepaint.j-t-l.com +# XFM: Syntrillium Cool Edit Transform Effect bad http://www.cooledit.com +# XPL: X-Plane plugin http://www.xsquawkbox.net/xpsdk/ +# ZAP: ZoneLabs Zone Alarm data http://www.zonelabs.com +# +# NEXT LINES FOR DEBUGGING! 
+# e_cblp; bytes on last page of file +# e_cp; pages in file +#>4 uleshort x \b, e_cp 0x%x +# e_lfanew; file address of new exe header +#>0x3c ulelong x \b, e_lfanew 0x%x +# e_lfarlc; address of relocation table +#>0x18 uleshort x \b, e_lfarlc=0x%x +# e_ovno; overlay number. If zero, this is the main executable foo +#>0x1a uleshort !0 \b, e_ovno 0x%x +#>0x1C ubequad !0 \b, e_res 0x%16.16llx +# e_oemid; often 0 +#>0x24 uleshort !0 \b, e_oemid 0x%x +# e_oeminfo; typically zeroes, but 13Dh (WORDSTAR.CNV WPFT5.CNV) 143h (WRITWIN.CNV) +# 1A3h (DBASE.CNV LOTUS123.CNV RFTDCA.CNV WORDDOS.CNV WORDMAC.CNV WORDWIN1.CNVXLBIFF.CNV) +#>0x26 uleshort !0 \b, e_oeminfo 0x%x +# e_res2; typically zeroes, but 000006006F082D2Ah SCSICFG.EXE 00009A0300007C03h de.exe +# 0000CA0000000002h country.exe dosxmgr.exe 421E0A00421EA823h QMC.EXE +#>0x28 ubequad !0 \b, e_res2 0x%16.16llx +# https://web.archive.org/web/20171116024937/http://www.ctyme.com/intr/rb-2939.htm#table1593 +# https://github.com/uxmal/reko/blob/master/src/ImageLoaders/MzExe/ExeImageLoader.cs +# new exe header magic like: PE NE LE LX W3 W4 +# no examples found for ZM DL MP P2 P3 +#>(0x3c.l) string x \b, at [0x3c] %.2s +#>(0x3c.l) ubelong x \b, at [0x3c] %#8.8x +#>(0x3c.l+4) ubelong x \b, at [0x3c+4] %#8.8x +# +# Most non-DOS MZ-executable extensions have the relocation table more than 0x40 bytes into the file. 
+# http://www.mitec.cz/Downloads/EXE.zip/EXE64.exe e_lfarlc=0x8ead +# OS/2 ECS\INSTALL\DETECTEI\PCISCAN.EXE e_lfarlc=0x1c +# some EFI apps Shell_Full.efi ext4_x64_signed.efi e_lfarlc=0 +# Icon library WORD60.ICL e_lfarlc=0 +# Microsoft compiled help format 2.0 WINWORD.DEV.HXS e_lfarlc=0 +>0x18 uleshort <0x40 +# check magic of new second header +# NE executable with low e_lfarlc like: WORD60.ICL +# ICL: Icons Library 16-bit http://fileformats.archiveteam.org/wiki/Icon_library +>>(0x3c.l) string NE Windows Icons Library 16-bit +!:mime image/x-ms-icl +!:ext icl +# handle LX executable with low e_lfarlc like: PCISCAN.EXE +>>(0x3c.l) string LX +>>>(0x3c.l) use lx-executable +# skip Portable Executable (PE) with low e_lfarlc here, because handled later +# like: ext4_x64_signed.efi Shell_Full.efi WINWORD.DEV.HXS +>>(0x3c.l) string PE +# not New Executable (NE) and not PE with low e_lfarlc like: +# MACCNV55.EXE WORK_RTF.EXE TELE200.EXE NDD.EXE iflash.exe +>>(0x3c.l) default x MS-DOS executable, MZ for MS-DOS !:mime application/x-dosexec # Windows and later versions of DOS will allow .EXEs to be named with a .COM # extension, mostly for compatibility's sake. -!:ext exe/com +# like: EDIT.COM 4DOS.COM CMD8086.COM CMD-FR.COM SYSLINUX.COM +# URL: https://en.wikipedia.org/wiki/Personal_NetWare#VLM +# Reference: https://mark0.net/download/triddefs_xml.7z/defs/e/exe-vlm-msg.trid.xml +# also like: BGISRV.DRV +!:ext exe/com/vlm/drv # These traditional tests usually work but not always. When test quality support is # implemented these can be turned on. #>>0x18 leshort 0x1c (Borland compiler) #>>0x18 leshort 0x1e (MS compiler) # Maybe it's a PE? 
+# URL: http://fileformats.archiveteam.org/wiki/Portable_Executable +# Reference: https://docs.microsoft.com/de-de/windows/win32/debug/pe-format >(0x3c.l) string PE\0\0 PE -!:mime application/x-dosexec +!:mime application/vnd.microsoft.portable-executable +# https://docs.microsoft.com/de-de/windows/win32/debug/pe-format#characteristics +# DLL Characteristics +#>>(0x3c.l+22) uleshort x \b, CHARACTERISTICS %#4.4x, +# 0x0200~IMAGE_FILE_DEBUG_STRIPPED Debugging information is removed from the image file +# 0x1000~IMAGE_FILE_SYSTEM The image file is a system file, not a user program. +# 0x2000~IMAGE_FILE_DLL The image file is a dynamic-link library (DLL) >>(0x3c.l+24) leshort 0x010b \b32 executable +# https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#windows-subsystem +#>>>(0x3c.l+92) leshort x \b, SUBSYSTEM %u >>(0x3c.l+24) leshort 0x020b \b32+ executable +#>>>(0x3c.l+92) leshort x \b, SUBSYSTEM %u >>(0x3c.l+24) leshort 0x0107 ROM image >>(0x3c.l+24) default x Unknown PE signature ->>>&0 leshort x 0x%x +>>>&0 leshort x %#x >>(0x3c.l+22) leshort&0x2000 >0 (DLL) +# 0~IMAGE_SUBSYSTEM_UNKNOWN An unknown subsystem +>>(0x3c.l+92) leshort 0 ( +# Summary: Microsoft compiled help *.HXS format 2.0 +# URL: https://en.wikipedia.org/wiki/Microsoft_Help_2 +# Reference: http://www.russotto.net/chm/itolitlsformat.html +# https://mark0.net/download/triddefs_xml.7z/defs/h/hxs.trid.xml +# Note: 2 PE sections (.rsrc, .its) implies Microsoft compiled help format; the .its section contains the help content ITOLITLS +# verified by command like `pelook.exe -d WINWORD.HXS & pelook.exe -h WINWORD.HXS` +>>>(0x3c.l+6) uleshort =2 \bMicrosoft compiled help format 2.0) +!:ext hxs +# 3 PE sections (.text, .reloc, .rsrc) implies some Control Panel Item like: +# CPL: Control Panel item for WINE 1.7.28 https://www.winehq.org/ +>>>(0x3c.l+6) uleshort !2 \bControl Panel Item) +!:ext cpl +# 1~IMAGE_SUBSYSTEM_NATIVE device drivers and native Windows processes >>(0x3c.l+92) leshort 1 # Native 
PEs include ntoskrnl.exe, hal.dll, smss.exe, autochk.exe, and all the
 # drivers in Windows/System32/drivers/*.sys.
@@ -77,6 +177,7 @@
 !:ext dll/sys
 >>>(0x3c.l+22) leshort&0x2000 0 (native)
 !:ext exe/sys
+# 2~IMAGE_SUBSYSTEM_WINDOWS_GUI The Windows graphical user interface (GUI) subsystem
 >>(0x3c.l+92) leshort 2
 >>>(0x3c.l+22) leshort&0x2000 >0 (GUI)
 # These could probably be at least partially distinguished from one another by
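Review bot: Under the new `>0x18 uleshort <0x40` branch, `>>(0x3c.l) string NE Windows Icons Library 16-bit` turns every NE module with a low relocation-table offset into an icon library on the strength of a single sample (WORD60.ICL), so a real 16-bit NE program or DLL that happens to have e_lfarlc below 0x40 would be reported as `image/x-ms-icl` with no executable wording at all. The NE header has a field this could be keyed on: the NE debugging notes added later in this commit list `SegCount` at `(0x3c.l+0x1C)` with observed values 0 1 2 3 16h, and a resource-only library should be the zero case, which is worth confirming against the icon-library samples. If that holds, split the test into `>>(0x3c.l) string NE` with children `>>>(0x3c.l+0x1C) uleshort 0 Windows Icons Library 16-bit` (keeping the mime and ext lines under it) and a `>>>(0x3c.l+0x1C) uleshort !0 MS-DOS executable, NE` sibling, because the level-2 `default` line further down will not fire once `string NE` has matched. The enclosing `0 string/b MZ` entry continues well past this hunk.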
@@ -92,22 +193,73 @@ # Screen savers typically include code from the scrnsave.lib static library, but # that's not guaranteed. !:ext exe/scr +# 3~IMAGE_SUBSYSTEM_WINDOWS_CUI The Windows character subsystem >>(0x3c.l+92) leshort 3 >>>(0x3c.l+22) leshort&0x2000 >0 (console) !:ext dll/cpl/tlb/ocx/acm/ax/ime >>>(0x3c.l+22) leshort&0x2000 0 (console) !:ext exe/com -# https://docs.microsoft.com/en-us/windows/win32/debug/pe-format ->>(0x3c.l+92) leshort 7 (POSIX) ->>(0x3c.l+92) leshort 9 (Windows CE) +# NO Windows Subsystem number 4! +>>(0x3c.l+92) leshort 4 (Unknown subsystem 4) +# 5~IMAGE_SUBSYSTEM_OS2_CUI The OS/2 character subsystem +>>(0x3c.l+92) leshort 5 (OS/2) +# GRR: No examples found by Joerg Jenderek +#!:ext foo-exe-os2 +# NO Windows Subsystem number 6! +>>(0x3c.l+92) leshort 6 (Unknown subsystem 6) +# 7~IMAGE_SUBSYSTEM_POSIX_CUI The Posix character subsystem +>>(0x3c.l+92) leshort 7 (POSIX +>>>(0x3c.l+22) leshort&0x2000 >0 \b) +# like: PSXDLL.DLL +!:ext dll +>>>(0x3c.l+22) leshort&0x2000 0 \b) +# like: PAX.EXE +!:ext exe +# 8~IMAGE_SUBSYSTEM_NATIVE_WINDOWS Native Win9x driver +>>(0x3c.l+92) leshort 8 (Win9x) +# GRR: No examples found by Joerg Jenderek +#!:ext foo-exe-win98 +# 9~IMAGE_SUBSYSTEM_WINDOWS_CE_GUI Windows CE +>>(0x3c.l+92) leshort 9 (Windows CE +>>>(0x3c.l+22) leshort&0x2000 >0 \b) +# like: MCS9900Ce50.dll Mosiisr99x.dll TMCGPS.DLL +!:ext dll +>>>(0x3c.l+22) leshort&0x2000 0 \b) +# like: NNGStart.exe navigator.exe +!:ext exe +# 10~IMAGE_SUBSYSTEM_EFI_APPLICATION An Extensible Firmware Interface (EFI) application >>(0x3c.l+92) leshort 10 (EFI application) +# like: bootmgfw.efi grub.efi gdisk_x64.efi Shell_Full.efi shim.efi syslinux.efi +!:ext efi +# 11~IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER An EFI driver with boot services >>(0x3c.l+92) leshort 11 (EFI boot service driver) +# like: ext2_x64_signed.efi Fat_x64.efi iso9660_x64_signed.efi +!:ext efi >>(0x3c.l+92) leshort 12 (EFI runtime driver) +# no sample found +!:ext efi +# 
13~IMAGE_SUBSYSTEM_EFI_ROM An EFI ROM image >>(0x3c.l+92) leshort 13 (EFI ROM) +# no sample found +!:ext efi +# 14~IMAGE_SUBSYSTEM_XBOX XBOX >>(0x3c.l+92) leshort 14 (XBOX) ->>(0x3c.l+92) leshort 15 (Windows boot application) ->>(0x3c.l+92) default x (Unknown subsystem ->>>&0 leshort x 0x%x) +#!:ext foo-xbox +# NO Windows Subsystem number 15! +>>(0x3c.l+92) leshort 15 (Unknown subsystem 15) +# 16~IMAGE_SUBSYSTEM_WINDOWS_BOOT_APPLICATION Windows boot application +>>(0x3c.l+92) leshort 16 (Windows boot application +>>>(0x3c.l+22) leshort&0x2000 >0 \b) +# like: bootvhd.dll bootuwf.dll hvloader.dll tcbloader.dll bootspaces.dll +!:ext dll +>>>(0x3c.l+22) leshort&0x2000 0 \b) +# like: bootmgr.efi memtest.efi shellx64.efi memtest.exe winload.exe winresume.exe bootvhd.dll hvloader.dll +!:ext efi/exe +# GRR: the next 2 lines are not executed! +#>>(0x3c.l+92) default x (Unknown subsystem +#>>>&0 leshort x %#x) +>>(0x3c.l+92) leshort >16 (Unknown subsystem +>>>&0 leshort x %#x) >>(0x3c.l+4) leshort 0x14c Intel 80386 >>(0x3c.l+4) leshort 0x166 MIPS R4000 >>(0x3c.l+4) leshort 0x168 MIPS R10000 @@ -134,12 +286,15 @@ >>(0x3c.l+4) leshort 0x5032 RISC-V 32-bit >>(0x3c.l+4) leshort 0x5064 RISC-V 64-bit >>(0x3c.l+4) leshort 0x5128 RISC-V 128-bit +>>(0x3c.l+4) leshort 0x6232 LoongArch 32-bit +>>(0x3c.l+4) leshort 0x6264 LoongArch 64-bit >>(0x3c.l+4) leshort 0x9041 Mitsubishi M32R >>(0x3c.l+4) leshort 0x8664 x86-64 >>(0x3c.l+4) leshort 0xaa64 Aarch64 >>(0x3c.l+4) leshort 0xc0ee MSIL +# GRR: the next 2 lines are not executed! >>(0x3c.l+4) default x Unknown processor type ->>>&0 leshort x 0x%x +>>>&0 leshort x %#x >>(0x3c.l+22) leshort&0x0200 >0 (stripped to external PDB) >>(0x3c.l+22) leshort&0x1000 >0 system file >>(0x3c.l+24) leshort 0x010b 
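Review bot: The replacement for the never-reached `default` line, `>>(0x3c.l+92) leshort >16 (Unknown subsystem` followed by `>>>&0 leshort x %#x)`, prints the wrong word: a `&`-relative offset is measured from the end of the field matched on the parent line, and the parent is now a real `leshort` rather than a sizeless `default`, so `&0` lands at `(0x3c.l+94)` (DllCharacteristics) instead of the subsystem value. The value is already in hand on the parent line, so collapse the pair into `>>(0x3c.l+92) leshort >16 (Unknown subsystem %#x)`. The `>>(0x3c.l+24) default x Unknown PE signature` / `>>>&0 leshort x %#x` pair in the PE-signature test above is unaffected, since its parent is still a `default`.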
@@ -174,33 +329,134 @@ >>&(0x3c.l+0xf8) search/0x100 _winzip_ \b, ZIP self-extracting archive (WinZip) >>&(0x3c.l+0xf8) search/0x100 SharedD \b, Microsoft Installer self-extracting archive >>0x30 string Inno \b, InnoSetup self-extracting archive +# NumberOfSections; Normal Dynamic Link libraries have a few sections for code, data and resource etc. +# PE used as container have less sections +>>(0x3c.l+6) leshort >1 \b, %u sections +# do not display for 1 section to get output like in version 5.43 and to keep output columns low +#>>(0x3c.l+6) leshort =1 \b, %u section # If the relocation table is 0x40 or more bytes into the file, it's definitely # not a DOS EXE. ->0x18 leshort >0x3f +>0x18 uleshort >0x3f # Hmm, not a PE but the relocation table is too high for a traditional DOS exe, # must be one of the unusual subformats. >>(0x3c.l) string !PE\0\0 MS-DOS executable -!:mime application/x-dosexec +#!:mime application/x-dosexec >>(0x3c.l) string NE \b, NE -!:mime application/x-dosexec +#!:mime application/x-dosexec +!:mime application/x-ms-ne-executable +# FOR DEBUGGING! +# Reference: https://wiki.osdev.org/NE +# ProgFlags; Program flags, bitmapped +#>>>(0x3c.l+0x0C) ubyte x \b, ProgFlags 0x%2.2x +# >>>(0x3c.l+0x0c) ubyte&0x03 =0 \b, none +# >>>(0x3c.l+0x0c) ubyte&0x03 =1 \b, single shared +# >>>(0x3c.l+0x0c) ubyte&0x03 =2 \b, multiple +# >>>(0x3c.l+0x0c) ubyte&0x03 =3 \b, (null) +# >>>(0x3c.l+0x0c) ubyte &0x04 \b, Global initialization +# >>>(0x3c.l+0x0c) ubyte &0x08 \b, Protected mode only +# >>>(0x3c.l+0x0c) ubyte &0x10 \b, 8086 instructions +# >>>(0x3c.l+0x0c) ubyte &0x20 \b, 80286 instructions +# >>>(0x3c.l+0x0c) ubyte &0x40 \b, 80386 instructions +# >>>(0x3c.l+0x0c) ubyte &0x80 \b, 80x87 instructions +# ApplFlags; Application flags, bitmapped +# https://www.fileformat.info/format/exe/corion-ne.htm +#>>>(0x3c.l+0x0D) ubyte x \b, ApplFlags 0x%2.2x +# Application type (bits 0-2); 1~Full screen (not aware of Windows/P.M. API) +# 2~Compatible with Windows/P.M. 
API 3~Uses Windows/P.M. API +#>>>(0x3c.l+0x0D) ubyte&0x07 =1 \b, Full screen +#>>>(0x3c.l+0x0D) ubyte&0x07 =2 \b, Compatible with Windows/P.M. API +#>>>(0x3c.l+0x0D) ubyte&0x07 =3 \b, use Windows/P.M. API +# bit 7; DLL or driver (SS:SP info invalid, CS:IP points at FAR init routine called with AX handle +#>>>(0x3c.l+0x0D) ubyte &0x80 \b, DLL or driver +# AutoDataSegIndex; automatic data segment index like: 0 2 3 22 +# zero if the SINGLEDATA and MULTIPLEDATA bits are cleared +#>>>(0x3c.l+0x0e) uleshort x \b, AutoDataSegIndex %u +# InitHeapSize; intial local heap size like; 0 400h 1400h +# zero if there is no local allocation +#>>>(0x3c.l+0x10) uleshort !0 \b, InitHeapSize 0x%x +# InitStackSize; inital stack size like: 0 10h A00h 7D0h A8Ch FA0h 1000h 1388h +# 1400h (CBT) 1800h 2000h 2800h 2EE0h 2F3Ch 3258h 3E80h 4000h 4E20h 5000h 6000h +# 6D60h 8000h 40000h +# zero if the SS register value does not equal the DS register value +#>>>(0x3c.l+0x12) uleshort !0 \b, InitStackSize 0x%x +# EntryPoint; segment offset value of CS:IP like: 0 10000h 18A84h 11C1Ah 307F1h +#>>>(0x3c.l+0x14) ulelong !0 \b, EntryPoint 0x%x +# InitStack; specifies the segment offset value of stack pointer SS:SP +# like: 0 20000h 160000h +#>>>(0x3c.l+0x18) ulelong !0 \b, InitStack 0x%x +# SegCount; number of segments in segment table like: 0 1 2 3 16h +#>>>(0x3c.l+0x1C) uleshort x \b, SegCount 0x%x +# ModRefs; number of module references (DLLs) like; 0 1 3 +#>>>(0x3c.l+0x1E) uleshort !0 \b, ModRefs %u +# NoResNamesTabSiz; size in bytes of non-resident names table +# like: Bh 16h B4h B9h 2Ch 18Fh 16AAh +#>>>(0x3c.l+0x20) uleshort x \b, NoResNamesTabSiz 0x%x +# SegTableOffset; offset of Segment table like: 40h +#>>>(0x3c.l+0x22) uleshort !0x40 \b, SegTableOffset 0x%x +# ResTableOffset; offset of resources table like: 40h 50h 58h F0h +# 40h for most fonts likedos737.fon FMFONT.FOT but 60h for L1WBASE.FON +#>>>(0x3c.l+0x24) uleshort x \b, ResTableOffset 0x%x +# ResidNamTable; offset of resident names 
table +# like: 58h 5Ch 60h 68h 74h 98h 2E3h 2E7h 2F0h +#>>>(0x3c.l+0x26) uleshort x \b, ResidNamTable 0x%x +# ImportNameTable; offset of imported names table (array of counted strings, terminated with string of length 00h) +# like: 77h 7Eh 80h C6h A7h ACh 2F8h 3FFh +#>>>(0x3c.l+0x2a) uleshort x \b, ImportNameTable 0x%x +# OffStartNonResTab; offset from start of file to non-resident names table +# like: 110h 11Dh 19Bh 1A5h 3F5h 4C8h 4EEh D93h +#>>>(0x3c.l+0x2c) ulelong x \b, OffStartNonResTab 0x%x +# MovEntryCount; number of movable entry points like: 0 4 5 6 16 17 24 312 355 446 +#>>>(0x3c.l+0x30) uleshort !0 \b, MovEntryCount %u +# FileAlnSzShftCnt; log2 of the segment sector size; 4~16 0~9~512 (default) +#>>>(0x3c.l+0x32) uleshort !9 \b, FileAlnSzShftCnt %u +# nResTabEntries; number of resource table entries like: 0 2 +#>>>(0x3c.l+0x34) uleshort !0 \b, nResTabEntries %u +# targOS; Target OS; 0~unknown~OS/2 1.0 or MS Windows 1-2 +# OS/2 1.0 like: DTM.DLL SHELL11F.EXE HELPMSG.EXE CREATEDD.EXE +# or Windows 1.03 - 2.1 like: MSDOSD.EXE KARTEI.EXE KALENDER.EXE +#>>>(0x3c.l+0x36) byte x TARGOS %x +>>>(0x3c.l+0x36) byte 0 for OS/2 1.0 or MS Windows 1-2 >>>(0x3c.l+0x36) byte 1 for OS/2 1.x >>>(0x3c.l+0x36) byte 2 for MS Windows 3.x >>>(0x3c.l+0x36) byte 3 for MS-DOS >>>(0x3c.l+0x36) byte 4 for Windows 386 >>>(0x3c.l+0x36) byte 5 for Borland Operating System Services +# http://downloads.sourceforge.net/dfendreloaded/D-Fend-Reloaded-1.4.4.zip +# D-Fend Reloaded/VirtualHD/FREEDOS/DPMILD32.EXE +# GRR: WHAT OS is this? 
+#>>>(0x3c.l+0x36) byte 6 for TARGET SIX +# https://en.wikipedia.org/wiki/Phar_Lap_(company) +>>>(0x3c.l+0x36) byte 0x81 for MS-DOS, Phar Lap DOS extender, OS/2 +# like: CVP7.EXE +>>>(0x3c.l+0x36) byte 0x82 for MS-DOS, Phar Lap DOS extender, Windows >>>(0x3c.l+0x36) default x ->>>>(0x3c.l+0x36) byte x (unknown OS %x) ->>>(0x3c.l+0x36) byte 0x81 for MS-DOS, Phar Lap DOS extender +>>>>(0x3c.l+0x36) ubyte x (unknown OS %#x) +# expctwinver; expected Windows version (minor first) like: +# 0.0~DTM.DLL 203.4~Windows 1.03 GDI.EXE 2.1~TTY.DRV 3.0~dos737.fon FMFONT.FOT THREED.VBX 3.10~GDI.EXE 4.0~(ME) VGAFULL.3GR +>>>(0x3c.l+0x3F) ubyte x (%u +>>>(0x3c.l+0x3E) ubyte x \b.%u) +# OS2EXEFlags; other EXE flags +# 0~Long filename support 1~2.x protected mode 4~2.x proportional fonts 8~Executable has gangload area +#>>>(0x3c.l+0x37) byte !0 \b, OS2EXEFlags 0x%x +# retThunkOffset; offset to return thunks or start of gangload area like: 0 34h 58h 246h +#>>>(0x3c.l+0x38) uleshort !0 \b, retThunkOffset 0x%x +# segrefthunksoff; offset to segment reference thunks or size of gangload area +# like: 0 33Eh 39Ah AEEh +#>>>(0x3c.l+0x3A) uleshort !0 \b, segrefthunksoff 0x%x +# mincodeswap; minimum code swap area size like 0 620Ch +#>>>(0x3c.l+0x3C) uleshort !0 \b, mincodeswap 0x%x >>>(0x3c.l+0x0c) leshort&0x8000 0x8000 (DLL or font) # DRV: Driver # 3GR: Grabber device driver # CPL: Control Panel Item -# VBX: Visual Basic Extension -# FON: Bitmap font +# VBX: Visual Basic Extension https://en.wikipedia.org/wiki/Visual_Basic +# FON: Bitmap font http://fileformats.archiveteam.org/wiki/FON # FOT: Font resource file +# EXE: WINSPOOL.EXE USER.EXE krnl386.exe GDI.EXE +# CNV: Microsoft Word text conversion https://www.file-extensions.org/cnv-file-extension-microsoft-word-text-conversion-data !:ext dll/drv/3gr/cpl/vbx/fon/fot >>>(0x3c.l+0x0c) leshort&0x8000 0 (EXE) !:ext exe/scr 
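Review bot: Commenting out `!:mime application/x-dosexec` under `>>(0x3c.l) string !PE\0\0 MS-DOS executable` changes what `file --mime-type` returns for more than the NE case it was meant to help: file reports the first `!:mime` it reaches on the matching path, so an MZ file with e_lfarlc >= 0x40 whose second header is neither NE nor one of the types handled below no longer gets a MIME type from this branch and, as far as I can tell, falls through to whatever a later entry or the octet-stream default supplies. Anything that routes or filters on `application/x-dosexec` (upload scanners, sandbox dispatch, MIME allowlists) will see those samples reclassified. If the intent is only to let `application/x-ms-ne-executable` win, keep a generic `!:mime application/x-dosexec` on a test that is reached after the second-header-specific lines; a level-2 `default` will not do, because `string !PE\0\0` has already matched at that level, so a negated test per handled magic or a reordering is needed. This branch and its second-header tests continue well past the hunk.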
@@ -226,8 +482,17 @@
 >>>&(&0x54.l-3) string arjsfx \b, ARJ self-extracting archive
 # MS Windows system file, supposedly a collection of LE executables
+# like vmm32.vxd WIN386.EXE
 >>(0x3c.l) string W3 \b, W3 for MS Windows
-!:mime application/x-dosexec
+#!:mime application/x-dosexec
+!:mime application/x-ms-w3-executable
+!:ext vxd/exe
+# W4 executable
+>>(0x3c.l) string W4 \b, W4 for MS Windows
+#!:mime application/x-dosexec
+!:mime application/x-ms-w4-executable
+# windows 98 VMM32.VXD
+!:ext vxd
 >>(0x3c.l) string LE\0\0 \b, LE executable
 !:mime application/x-dosexec
@@ -266,11 +531,19 @@
 !:ext exe/com
 # header data too small for extended executable
 >2 long !0
->>0x18 leshort <0x40
+>>0x18 uleshort <0x40
 >>>(4.s*512) leshort !0x014c
 >>>>&(2.s-514) string !LE
->>>>>&-2 string !BW \b, MZ for MS-DOS
+>>>>>&-2 string !BW
+#>>>>>>(0x3c.l) string x \b, 2ND MAGIC %.2s
+# but some LX executable appear here also like: PCISCAN.EXE
+>>>>>>(0x3c.l) string !LX
+# because Portable Executable (PE) already done skip many here like:
+# xcopy32.exe stinger64.exe WimUtil.exe
+# NO such DOS examples found and
+# DOS examples seems to be already handled by e_lfarlc <0x40 like: CMD8086.COM CMD-FR.COM
+>>>>>>>(0x3c.l) string !PE \b, MZ for MS-DOS
 !:mime application/x-dosexec
 >>>>&(2.s-514) string LE \b, LE
 >>>>>0x240 search/0x100 DOS/4G for MS-DOS, DOS4GW DOS extender
@@ -289,7 +562,7 @@
 >>>&1 string x for DOS, Win or OS/2, emx %s
 >>&(&0x42.l-3) byte x
 >>>&0x26 string UPX \b, UPX compressed
-# and yet another guess: small .text, and after large .data is unusal, could be 32lite
+# and yet another guess: small .text, and after large .data is unusual, could be 32lite
 >>&0x2c search/0xa0 .text
 >>>&0x0b lelong <0x2000
 >>>>&0 lelong >0x6000 \b, 32lite compressed
@@ -362,12 +635,94 @@
 >>49824 leshort =1 \b, 1 file
 >>49824 leshort >1 \b, %u files
+# Summary: OS/2 LX Library and device driver (no DOS stub)
+# 
From: Joerg Jenderek +# URL: http://en.wikipedia.org/wiki/EXE +# Reference: http://www.textfiles.com/programming/FORMATS/lxexe.txt +# https://github.com/open-watcom/open-watcom-v2/blob/master/bld/watcom/h/exeflat.h +# Note: by dll-os2-no-dos-stub.trid.xml called "OS/2 Dynamic Link Library (no DOS stub)" +# TODO: unify with DOS stub variant (MZ magic) +0 string/b LX +>2 ushort =0 +>>0 use lx-executable +# no examples found for big endian variant +>2 ushort =0x0101 +>>0 use \^lx-executable +0 name lx-executable +# similar looking like variant with MS-DOS stub (MZ magic): "MS-DOS executable, LX" +#>0x00 uleshort x executable, +# signature OSF_FLAT_LX_SIGNATURE~0x584C~LX OSF_FLAT_SIGNATURE~0x454C~LE +>0x00 uleshort =0x584c LX +>0x00 uleshort =0x454C LE +>0x00 uleshort x executable +#!:mime application/x-msdownload +!:mime application/x-lx-executable +!:ext exe +# byte order: 00h~little-endian non-zero=1~big-endian +#>0x02 ubyte =0 (little-endian) +>0x02 ubyte !0 (big-endian) +# FOR DEBUGGING! +# word order: 00h~little-endian non-zero=1~big-endian +#>0x03 ubyte =0 \b, little-endian word order +#>0x03 ubyte !0 \b, big-endian word order +# cpu_type; CPU type like: 1~286 2~386 3~486 4 20h~i860 21h~Intel N11 40h~MIPS R2000,R3000 41h~MIPS R6000 42h~MIPS R4000 +#>0x08 uleshort x \b, CPU %u +# os_type; target operating system like: 0~unknown 1~OS/2 2~Windows 3~DOS 4.x 4~Windows 386 +#>0x0A leshort x \b, OS %u +# flags; module type flags +#>0x10 ulelong x \b, FLAGS %#8.8x +# 00000002h ~Reserved for system use +#>0x10 ulelong &0x00000002 \b, 2h reserved +# OSF_INIT_INSTANCE=00000004h ~Per-Process Library Initialization; setting this bit for EXE file is invalid +#>0x10 ulelong &0x00000004 \b, per-process library Initialization +# OSF_INTERNAL_FIXUPS_DONE=00000010h ~Internal fixups for the module have been applied +#>0x10 ulelong &0x00000010 \b, int. fixup +# OSF_EXTERNAL_FIXUPS_DONE=00000020h ~External fixups for the module have been applied +#>0x10 ulelong &0x00000020 \b, ext. 
fixup +# OSF_NOT_PM_COMPATIBLE=00000100h ~Incompatible with PM windowing +#>0x10 ulelong&0x00000100 =0x00000100 \b, incompatible with PM windowing +# OSF_PM_COMPATIBLE=00000200h ~Compatible with PM windowing +#>0x10 ulelong&0x00000200 =0x00000200 \b, compatible with PM windowing +# bit 17; device driver +#>0x10 ulelong&0x00020000 >0 \b, device driver +# Per-process Library Termination; setting this bit for EXE file is invalid +#>0x10 ulelong&0x40000000 =0x40000000 \b, per-process library termination +>0x0a leshort 1 for OS/2 +# no example found +>0x0a leshort 3 for DOS +# http://www.ctyme.com/intr/rb-2939.htm#Table1610 +# library by module type mask 00038000h (bits 15-17); +# 0h ~executable Program module +>0x10 ulelong&0x00038000 =0x00000000 (program) +#!:ext exe +# OSF_IS_DLL=8000h ~Library module (DLL) +>0x10 ulelong&0x00038000 >0x00000000 +# OSF_PHYS_DEVICE=00020000h ~device driver +>>0x10 ulelong&0x00020000 >0 (device driver) +!:ext sys +# if not device driver it is library (DLL) +>>0x10 ulelong&0x00020000 =0 (library) +!:ext dll +# bits 8-10; OSF_PM_APP=300h in flags ~Uses PM windowing API; either it is GUI or console +>0x10 ulelong&0x00000300 =0x00000300 (GUI) +>0x10 ulelong&0x00000300 !0x00000300 (console) +# CPU type +>0x08 uleshort 1 i80286 +# all inspected examples +>0x08 uleshort 2 i80386 +>0x08 uleshort 3 i80486 +>0x08 uleshort 4 i80586 +# 21h Intel "N11" or compatible +# 40h MIPS Mark I ( R2000, R3000) or compatible +# 41h MIPS Mark II ( R6000 ) or compatible +# 42h MIPS Mark III ( R4000 ) or compatible + # added by Joerg Jenderek of https://www.freedos.org/software/?prog=kc # and https://www.freedos.org/software/?prog=kpdos # for FreeDOS files like KEYBOARD.SYS, KEYBRD2.SYS, KEYBRD3.SYS, *.KBD 0 string/b KCF FreeDOS KEYBoard Layout collection # only version=0x100 found ->3 uleshort x \b, version 0x%x +>3 uleshort x \b, version %#x # length of string containing author,info and special characters >6 ubyte >0 #>>6 pstring x \b, name=%s 
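Review bot: In the new `lx-executable` block, `!:ext exe` is attached to `>0x00 uleshort x executable`, which every LX/LE module matches, and it precedes the `!:ext sys` and `!:ext dll` lines under the `ulelong&0x00038000` tests; as far as I can tell from file's annotation handling, `--extension` reports the first `!:ext` reached on the matching path and stops, so device drivers and libraries come back as `exe` and the two later lines are dead. Move the extension to the program case, where it is already sketched out as a comment: drop `!:ext exe` after `>0x00 uleshort x executable` and uncomment `!:ext exe` under `>0x10 ulelong&0x00038000 =0x00000000 (program)`. The `!:mime application/x-lx-executable` line is fine where it is, since one MIME type is meant for all three kinds.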
@@ -378,42 +733,58 @@ # for FreeDOS *.KL files 0 string/b KLF FreeDOS KEYBoard Layout file # only version=0x100 or 0x101 found ->3 uleshort x \b, version 0x%x +>3 uleshort x \b, version %#x # stringlength >5 ubyte >0 >>8 string x \b, name=%-.2s 0 string \xffKEYB\ \ \ \0\0\0\0 >12 string \0\0\0\0`\004\360 MS-DOS KEYBoard Layout file -# DOS device driver updated by Joerg Jenderek at May 2011,Mar 2017 -# https://amaus.net/static/S100/IBM/software/DOS/DOS%20techref/CHAPTER.009 +# DOS device driver updated by Joerg Jenderek at May 2011,Mar 2017,Aug 2020,Mar 2023 +# URL: http://fileformats.archiveteam.org/wiki/DOS_device_driver +# Reference: http://www.delorie.com/djgpp/doc/rbinter/it/46/16.html +# http://www.o3one.org/hwdocs/bios_doc/dosref22.html 0 ulequad&0x07a0ffffffff 0xffffffff ->0 use msdos-driver +# skip OS/2 INI ./os2 +>4 ubelong !0x14000000 +#>>10 ubequad x MAYBE_DRIVER_NAME=%16.16llx +# https://bugs.astron.com/view.php?id=434 +# skip OOXML document fragment 0000.dat where driver name is "empty" instead of "ASCII like" +>>10 ubequad !0 +>>>0 use msdos-driver 0 name msdos-driver DOS executable ( #!:mime application/octet-stream !:mime application/x-dosdriver # also found FreeDOS print driver SPOOL.DEV and disc compression driver STACLOAD.BIN -!:ext sys/dev/bin ->40 search/7 UPX! \bUPX compressed +# and IBM Token-Ring adapter IBMTOK.DOS. Why and when DOS instead SYS is used? +# PROTMAN.DOS ELNKPL.DOS +!:ext sys/dev/bin/dos +# 1 space char after "UPX compressed" to get phrase like "UPX compressed character device" +>40 search/7 UPX! 
\bUPX compressed # DOS device driver attributes >4 uleshort&0x8000 0x0000 \bblock device driver # character device >4 uleshort&0x8000 0x8000 \b ->>4 uleshort&0x0008 0x0008 \bclock +# 1 space char after "clock" to get phrase like "clock character device driver CLOCK$" +>>4 uleshort&0x0008 0x0008 \bclock # fast video output by int 29h ->>4 uleshort&0x0010 0x0010 \bfast +# 1 space char after "fast" to get phrase like "fast standard input/output character device driver" +>>4 uleshort&0x0010 0x0010 \bfast # standard input/output device ->>4 uleshort&0x0003 >0 \bstandard +# 1 space char after "standard" to get phrase like "standard input/output character device driver" +>>4 uleshort&0x0003 >0 \bstandard >>>4 uleshort&0x0001 0x0001 \binput >>>4 uleshort&0x0003 0x0003 \b/ ->>>4 uleshort&0x0002 0x0002 \boutput +# 1 space char after "output" to get phrase like "input/output character device driver" +>>>4 uleshort&0x0002 0x0002 \boutput >>4 uleshort&0x8000 0x8000 \bcharacter device driver >0 ubyte x # upx compressed device driver has garbage instead of real in name field of header >>40 search/7 UPX! >>40 default x # leading/trailing nulls, zeros or non ASCII characters in 8-byte name field at offset 10 are skipped ->>>12 ubyte >0x2E \b +# 1 space char before device driver name to get phrase like "device driver PROTMAN$" "device driver HP-150II" "device driver PC$MOUSE" +>>>12 ubyte >0x23 \b >>>>10 ubyte >0x20 >>>>>10 ubyte !0x2E >>>>>>10 ubyte !0x2A \b%c @@ -456,6 +827,7 @@ >4 uleshort&0x8000 0x0000 >>4 uleshort&0x4842 >0 \bsupport >0 ubyte x \b) +>0 ulelong !0xffffffff with pointer %#x # DOS driver cmd640x.sys has 0x12 instead of 0xffffffff for pointer field to next device header 0 ulequad 0x0513c00000000012 >0 use msdos-driver 
@@ -464,6 +836,7 @@
 >0 use msdos-driver
 0 ulequad 0x007f00000000ffff
 >0 use msdos-driver
+# https://www.uwe-sieber.de/files/cfg_echo.zip
 0 ulequad 0x001600000000ffff
 >0 use msdos-driver
 # DOS drivers LS120.SYS, MKELS120.SYS use reserved bits of attribute field
@@ -471,6 +844,12 @@
 >0 use msdos-driver
 0 ulequad 0x07bd08c2ffffffff
 >0 use msdos-driver
+# 3Com EtherLink 3C501 CID\SERVER\IBMLS\IBM500D1\DLSNETDR.ZIP\ELNK.DOS
+0 ulequad 0x027ac0c0ffffffff
+>0 use msdos-driver
+# IBM Streamer CID\SERVER\IBMLS\IBM500D1\DLSNETDR.ZIP\IBMMPC.DOS
+0 ulequad 0x00228880ffffffff
+>0 use msdos-driver
 # updated by Joerg Jenderek
 # GRR: line below too general as it catches also
@@ -484,7 +863,8 @@
 # skip "GPG symmetrically encrypted data" ./gnu
 # skip "PGP symmetric key encrypted data" ./pgp
 # openpgpdefs.h: fourth byte < 14 indicate cipher algorithm type
->>>4 ubyte >13 DOS executable (COM, 0x8C-variant)
+>>>4 ubyte >13
+>>>>0 use msdos-com
 # the remaining files should be DOS *.COM executables
 # dosshell.COM 8cc0 2ea35f07 e85211 e88a11 b80058 cd
 # hmload.COM 8cc8 8ec0 bbc02b 89dc 83c30f c1eb04 b4
@@ -494,48 +874,164 @@ # SHARE.COM 8cca 2e8916 d602 b430 cd21 8b 2e0200 8b # validchr.COM 8cca 2e8916 9603 b430 cd21 8b 2e028b1e # devload.COM 8cca 8916ad01 b430 cd21 8b2e0200 892e -!:mime application/x-dosexec -!:ext com - -# updated by Joerg Jenderek at Oct 2008 -0 ulelong 0xffff10eb DR-DOS executable (COM) -# byte 0xeb conflicts with "sequent" magic leshort 0xn2eb -0 ubeshort&0xeb8d >0xeb00 -# DR-DOS STACKER.COM SCREATE.SYS missed 0 name msdos-com ->0 byte x DOS executable (COM) -!:mime application/x-dosexec -!:ext com +# URL: http://fileformats.archiveteam.org/wiki/DOS_executable_(.com) +>0 byte x DOS executable ( +# DOS executable with JuMP 16-bit instruction +>0 byte =0xE9 +# check for probably nil padding til offset 64 of Lotus driver name +>>56 quad =0 +# check for "long" alphabetic Lotus driver name like: +# Diablo "COMPAQ Text Display" "IBM Monochrome Display" "Plantronics ColorPlus" +>>>24 regex =^[A-Z][A-Za-z\040]{5,21} \bLotus driver) %s +!:mime application/x-dosexec +# like: CPQ0TD.DRV IBM0MONO.DRV (Lotus 123 10a) SDIAB4.DRV SPL0CPLS.DRV (Lotus Symphony 2) +!:ext drv +# COM with nils like MODE.COM IBMDOS.COM (pcdos 3.31 ru Compaq) RSSTUB.COM (PC-DOS 2000 de) ACCESS.COM (Lotus Symphony 1) +>>>24 default x \bCOM) +!:mime application/x-dosexec +!:ext com +# DOS executable with JuMP 16-bit and without nil padding +>>56 quad !0 +# https://wiki.syslinux.org/wiki/index.php?title=Doc/comboot +# TODO: HOWTO distinguish COMboot from pure DOS executables? 
+# look for unreliable Syslinux specific api call INTerrupt 22h for 16-bit COMBOOT program +>>>1 search/0xc088 \xcd\x22 \bCOM or COMBOOT 16-bit) +!:mime application/x-dosexec +# like: sbm.cbt command.com (Windows XP) UNI2ASCI.COM (FreeDOS 1.2) +!:ext com/cbt +>>>1 default x \bCOM) +!:mime application/x-dosexec +!:ext com +# DOS executable without JuMP 16-bit instruction +>0 byte !0xE9 +# SCREATE.SYS https://en.wikipedia.org/wiki/Stac_Electronics +>>10 string =?STACVOL \bSCREATE.SYS) +!:mime application/x-dosexec +!:ext sys +# COM executable without JuMP 16-bit instruction and not SCREATE.SYS +>>10 string !?STACVOL \bCOM) +!:mime application/x-dosexec +!:ext com >6 string SFX\ of\ LHarc \b, %s >0x1FE leshort 0xAA55 \b, boot code >85 string UPX \b, UPX compressed >4 string \ $ARX \b, ARX self-extracting archive >4 string \ $LHarc \b, LHarc self-extracting archive >0x20e string SFX\ by\ LARC \b, LARC self-extracting archive +# like: E30ODI.COM MADGEODI.COM UNI2ASCI.COM RECOVER.COM (DOS 2) COMMAND.COM (DOS 2) +>1 search/0xc088 \xcd\x22 \b, maybe with interrupt 22h +>0 ubelong x \b, start instruction %#8.8x +# show more instructions but not in samples like: rem.com (DJGPP) +>4 ubelong x %8.8x # JMP 8bit 0 byte 0xeb +# byte 0xeb conflicts with magic leshort 0xn2eb of "SYMMETRY i386" handled by ./sequent # allow forward jumps only >1 byte >-1 # that offset must be accessible +# with hexadecimal values like: 0e 2e 50 8c 8d ba bc bd be e8 fb fc >>(1.b+2) byte x ->>>0 use msdos-com - +# if look like COM executable with x86 boot signature then this +# implies FAT volume with x86 real mode code already handled by ./filesystems +# +# No x86 boot signature implies often DOS executable +# check for unrealistic high number of FATs. 
Then it is an unusual disk image or often a DOS executable +# like: FIXBIOS.COM (50 bytes) +>>>16 ubyte >3 +# https://www.drivedroid.io/ +# skip MBR disk image drivedroid.img version 12 July 2013 by start message +>>>>2 string !DriveDroid +# ftp://old-dos.ru/OSCollect/OS/MS-DOS/Final Releases/ +# skip unusual floppy image disk1.img of MS-DOS 1.25 (Corona Data Systems OEM) +# by check for characteristic message text near the beginning +>>>>>15 string !Non\040System\040disk +# "ftp://old-dos.ru/OSCollect/OS/BeOS/BeOS 4.0.rar" +# skip BeOS 4 bootfloppy.img done as "Linux kernel x86 boot executable" by ./linux +# by check for characteristic message text near the beginning +>>>>>>6 string !read\040error\015 +# https://github.com/ventoy/Ventoy/releases/download/v1.0.78/ventoy-1.0.78-windows.zip +# skip ventoy 1.0.78 boot_hybrid.img +>>>>>>>24 string !\220\220\353I$\022\017 +# "ftp://old-dos.ru/OSCollect/OS/MS-DOS/Final Releases/PC-DOS 1.0 (5.25).rar" +# skip unusual floppy image PCDOS100.IMG of DOS 1.0 +# by check for characteristic message text near the beginning +>>>>>>>>9 string !7-May-81 +# "ftp://old-dos.ru/OSCollect/OS/BeOS/BeOS 5.0 Personal (BA).rar" +# skip BeOS 5 floppy_1.44.00.ima done as "DOS/MBR boot sector" by ./filesystems +# by check for characteristic message near the beginning +>>>>>>>>>3 string !\370sdfS\270 +# like: FIXBIOS.COM (50 bytes) +>>>>>>>>>>0 use msdos-com +# check for unrealistic low number of FATs. 
Then it is an unusual FAT disk image or often a DOS executable +# like: DEVICE.COM INSTALL.COM (GAG 4.10) WORD.COM (Word 1.15) +>>>16 ubyte =0 +# if low FATs with x86 boot signature it can be unusual disk image like: boot.img (Ventoy 1.0.27) geodspms.img (Syslinux) +>>>>0x1FE leshort =0xAA55 +>>>>0x1FE default x +# https://thestarman.pcministry.com/tool/hxd/dimtut.htm +# skip unusual floppy image TK-DOS11.img IBMDOS11.img of IBM DOS 1.10 +# by check for characteristic bootloader names near end of boot sector +>>>>>395 string !ibmbio\040\040com +>>>>>>0 use msdos-com +# 8-bit jump with valid number of FAT implies FAT volume already handled by ./filesystems +# like: balder.img +>>>16 default x +# skip disk images with boot signature at end of 1st sector +# like: TDSK-64b.img +>>>>(11.s-2) uleshort !0xAA55 +# skip unusual floppy image without boot signature like 360k-256.img (mtools 4.0.18) +# by check for characteristic file system type text for FAT (12 bit or 16 bit) +>>>>>54 string !FAT +# "ftp://old-dos.ru/OSCollect/OS/MS-DOS/Final Releases/Microsoft MS-DOS 3.31 (Compaq OEM) (3.5).rar" +# skip unusual floppy image Disk4.img without boot signature and file system type text +# by check for characteristic OEM-ID text +>>>>>>3 string !COMPAQ\040\040 +# no such DOS COM executables found +>>>>>>>0 use msdos-com # JMP 16bit 0 byte 0xe9 +# 16-bit offset; for DEBUGGING!; can be negative like: USBDRIVE.COM +#>1 leshort x \b, OFFSET %d # forward jumps ->1 short >-1 +>1 leshort >-1 # that offset must be accessible +# with hexadecimal values like: 06 1e 0e 2e 60 8c 8d b4 ba be e8 fc >>(1.s+3) byte x ->>>0 use msdos-com +# check for unrealistic high number of FATs. Then it is not a disk image and it is a DOS executable +# like: CALLVER.COM CPUCACHE.COM K437_EUR.COM SHSUCDX.COM UMBFILL.COM (183 bytes) +>>>16 ubyte >3 +>>>>0 use msdos-com +# check for unrealistic low number of FATs. 
Then it is not a disk image and it is a DOS executable +# like: GAG.COM DRMOUSE.COM NDN.COM CPQ0TD.DRV +>>>16 ubyte =0 +>>>>0 use msdos-com +# maybe disc image with valid number of FATs or DOS executable +# like: IPXODI.COM PERUSE.COM TASKID.COM +>>>16 default x +# invalid low media descriptor. Then it is not a disk image and it is a DOS executable +>>>>21 ubyte <0xE5 +>>>>>0 use msdos-com +# valid media descriptor. Then it is maybe disk image or DOS executable +>>>>21 ubyte >0xE4 +# invalid sectorsize not a power of 2 from 32-32768. Then it is not a disk image and it must be DOS executable +# like: LEARN.COM (Word 1.15) +>>>>>11 uleshort&0x001f !0 +>>>>>>0 use msdos-com # negative offset, must not lead into PSP ->1 short <-259 +# like: BASICA.COM (PC dos 3.20) FORMAT.COM SMC8100.COM WORD.COM (word4) +# HIDSUPT1.COM USBDRIVE.COM USBSUPT1.COM USBUHCI.COM (FreeDOS USBDOS) +>1 leshort <-259 # that offset must be accessible +# add 10000h to jump at end of 64 KiB segment, add 1 for jump instruction and 2 for 16-bit offset >>(1,s+65539) byte x +# after jump next instruction for DEBUGGING! +#>>>&-1 ubelong x \b, NEXT instruction %#8.8x >>>0 use msdos-com -# updated by Joerg Jenderek at Oct 2008,2015 +# updated by Joerg Jenderek at Oct 2008,2015,2022 # following line is too general 0 ubyte 0xb8 # skip 2 linux kernels like memtest.bin with "\xb8\xc0\x07\x8e" in ./linux 
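Review bot: The `\xcd\x22` probe scans the same 0xc088-byte window twice — once under `>>56 quad !0` as `>>>1 search/0xc088 \xcd\x22 \bCOM or COMBOOT 16-bit)` with `!:ext com/cbt`, and again at the top level of `msdos-com` as `\b, maybe with interrupt 22h` — and a two-byte opcode pair found anywhere in a ~48 KiB range is, as the hunk's own TODO says, not a reliable COMBOOT marker; the comments themselves list plain DOS files (command.com, UNI2ASCI.COM, RECOVER.COM) that hit it. I would keep the inner branch at `\bCOM)` / `!:ext com` and leave the COMBOOT hint to the single top-level `maybe with interrupt 22h` line, so the reported extension list is not driven by a byte pair ordinary COM files contain and the file is only searched once. The `0 ubyte 0xb8` entry at the end of the hunk continues past it.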
@@ -558,35 +1054,78 @@ # syslinux version (4.x) # "COM executable (COM32R)" or "Syslinux COM32 module" by TrID >>>1 lelong 0x21CD4CFe \b, relocatable) -# remaining are DOS COM executables starting with assembler instruction MOV -# like FreeDOS BANNER*.COM FINDDISK.COM GIF2RAW.COM WINCHK.COM -# MS-DOS SYS.COM RESTART.COM -# SYSLINUX.COM (version 1.40 - 2.13) -# GFXBOOT.COM (version 3.75) -# COPYBS.COM POWEROFF.COM INT18.COM ->>1 default x COM executable for DOS -!:mime application/x-dosexec -#!:mime application/x-ms-dos-executable -#!:mime application/x-msdos-program -!:ext com - +>>1 default x +# look for interrupt instruction like in rem.com (DJGPP) LOADER.COM (DR-DOS 7.x) +>>>3 search/118 \xCD +# FOR DEBUGGING; possible hexadecimal interrupt number like: 10~BANNER.COM 13~bcdw_cl.com 15~poweroff.com (Syslinux) +# 1A~BERNDPCI.COM 20~SETENHKB.COM 21~mostly 22~gfxboot.com (Syslinux) 2F~SHUTDOWN.COM (GEMSYS) +#>>>>&0 ubyte x \b, INTERUPT %#x +# few examples with interrupt 0x13 instruction +>>>>&0 ubyte =0x13 +# FOR DEBUGGING! 
+#>>>>>3 ubequad x \b, 2nd INSTRUCTION %#16.16llx +# skip Gpt.com Mbr.com (edk2-UDK2018 bootsector) described as "DOS/MBR boot sector" by ./filesystems +# by check for assembler instructions: mov es,ax ; mov ax,07c0h ; mov ds,ax +>>>>>3 ubequad !0x8ec0b8c0078ed88d +# few COM executables with interrupt 0x13 instruction like: Bootable CD Wizard executables bcdw_cl.com fdemuoff.com +# http://bootcd.narod.ru/bcdw150z_en.zip +>>>>>>0 use msdos-com +# few examples with interrupt 0x16 instruction like flashimg.img +>>>>&0 ubyte =0x16 +# skip Syslinux 3.71 flashimg.img done as "DOS/MBR boot sector" by ./filesystems +# by check for assembler instructions: cmp ax 0xE4E4 (magic); jnz +>>>>>8 ubelong !0x3DE4E475 +# no DOS executable with interrupt 0x16 found +>>>>>>0 use msdos-com +# most examples with interrupt instruction unequal 0x13 and 0x16 +>>>>&0 default x +#>>>>>&-1 ubyte x \b, INTERUPT %#x +# like: LOADER.COM SETENHKB.COM banner.com copybs.com gif2raw.com poweroff.com rem.com +>>>>>0 use msdos-com +# few COM executables without interrupt instruction like RESTART.COM (DOS 7.10) REBOOT.COM +# or some EUC-KR text files or one Ulead Imaginfo thumbnail +>>>3 default x +# FOR DEBUGGING; 2nd instruction like 0x50 (RESTART.COM) 0x8e (REBOOT.COM) +# or random like: 0x0 (IMAGINFO.PE3 sky_snow) 0xb1 (euckr_.txt) +#>>>>3 ubyte x \b, 2nd INSTRUCTION %#x +# skip 1 Ulead Imaginfo thumbnail (IMAGINFO.PE3 sky_snow) +# inside SAMPLES/TEXTURES/SKY_SNOW +# from https://archive.org/download/PI3CANON/PI3CANON.iso +>>>>3 ubyte !0x0 +# skip some EUC-KR text files like: euckr_falsepositive.txt +# https://bugs.astron.com/view.php?id=186 +>>>>>3 ubyte !0xb1 +# like: RESTART.COM (DOS 7.10) REBOOT.COM +>>>>>>0 use msdos-com + +# URL: https://en.wikipedia.org/wiki/UPX +# Reference: https://github.com/upx/upx/archive/v3.96.zip/upx-3.96/ +# src/stub/src/i086-dos16.com.S +# Update: Joerg Jenderek +# assembler instructions: cmp sp, offset sp_limit 0 string/b \x81\xfc +#>2 uleshort x \b, sp_limit=%#x 
+# assembler instructions: jump above +2; int 0x20; mov cx, offset bytes_to_copy >4 string \x77\x02\xcd\x20\xb9 ->>36 string UPX! FREE-DOS executable (COM), UPX compressed +#>9 uleshort x \b, [bytes_to_copy]=%#x +# at different offsets assembler instructions: push di; jump decomp_start_n2b +>0x1e search/3 \x57\xe9 +#>>&0 uleshort x \b, decomp_start_n2b=%#x +# src/stub/src/include/header.S; UPX_MAGIC_LE32 +>>&2 string UPX! FREE-DOS executable (COM), UPX !:mime application/x-dosexec +# UPX compressed *.CPI; See ./fonts +>>>&21 string =FONT compressed DOS code page font +!:ext cpx +>>>&21 string !FONT compressed !:ext com +# compressed size? +#>>>&14 uleshort+152 x \b, %u bytes +# uncompressed len +>>>&12 uleshort x \b, uncompressed %u bytes 252 string Must\ have\ DOS\ version DR-DOS executable (COM) !:mime application/x-dosexec !:ext com -# added by Joerg Jenderek at Oct 2008 -# GRR search is not working -#34 search/2 UPX! FREE-DOS executable (COM), UPX compressed -34 string UPX! FREE-DOS executable (COM), UPX compressed -!:mime application/x-dosexec -!:ext com -35 string UPX! FREE-DOS executable (COM), UPX compressed -!:mime application/x-dosexec -!:ext com # GRR search is not working #2 search/28 \xcd\x21 COM executable for MS-DOS #WHICHFAT.cOM @@ -616,7 +1155,11 @@ !:mime application/x-dosexec !:ext com #HELP.COm EDIT.coM -18 string \xcd\x21 COM executable for MS-DOS +18 string \xcd\x21 +# not printable before it? +>17 byte >32 +>>17 byte <126 +>>17 default x COM executable for MS-DOS !:mime application/x-dosexec !:ext com #NWRPLTRM.COm @@ -687,7 +1230,7 @@ # reserved; must be zero #>>6 ulelong !0 \b, reserved %u # block pointer to the block containing optional file manager information -#>>0x1C uleshort x \b, at 0x%x info block +#>>0x1C uleshort x \b, at %#x info block # jump to File manager information block >>(0x1C.s*128) uleshort x # test for valid information start; maybe also 0012h 
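Review bot: The two exclusions closing the `>>>3 default x` branch, `>>>>3 ubyte !0x0` and `>>>>>3 ubyte !0xb1`, are keyed to the two false-positive samples named in the comments (IMAGINFO.PE3, euckr_falsepositive.txt) rather than to any property of COM files, so a COM whose second opcode byte is 0x00 or 0xb1 is dropped while a text file with any other byte there still reaches `use msdos-com`. The `>>>3 search/118 \xCD` probe has the same weakness: a single 0xCD byte within 118 bytes is common in arbitrary data. Since the enclosing `0 ubyte 0xb8` entry (whose start lies before this hunk) is already commented as too general, a `!:strength` reduction on that entry would express the uncertainty more honestly than sample-specific byte exclusions; at minimum the comment should say so, e.g. `# GRR: the 0x0/0xb1 exclusions are sample-driven, not structural; revisit on the next false positive`.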
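Review bot: The new gate in front of `COM executable for MS-DOS` only fires for bytes 0x7E and 0x7F at offset 17: `byte` is signed, so 0x80–0xFF compare as negative and fail `>17 byte >32` exactly like 0x00–0x20, and in both cases neither the `>>17 byte <126` skip nor the `>>17 default x` line runs, leaving the `18 string \xcd\x21` match with no description, MIME type or extension. If the intent of `# not printable before it?` is "printable byte means text, anything else means code", the comparison has to be unsigned and the low range needs its own branch — `mov ah,09h` (`B4 09`) right before `int 21h` is a routine case. The rewrite below keeps the printable window as a skip and gives both non-printable ranges the description.
```magic
18 string \xcd\x21
# not printable before it? (ubyte: a signed byte would treat 0x80-0xFF as negative)
>17 ubyte >32
>>17 ubyte <126
>>17 default x COM executable for MS-DOS
!:mime application/x-dosexec
!:ext com
# control bytes 0x00-0x20 before INT 21h are not text either
>17 ubyte <33 COM executable for MS-DOS
!:mime application/x-dosexec
!:ext com
```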
@@ -717,7 +1260,7 @@ # number of blocks used in the file; seems to be 0 for Word 4.0 and Write 3.0 >>0x6A uleshort >0 \b, %u blocks # bit field for corrected text areas -#>>0x6C uleshort x \b, 0x%x bit field +#>>0x6C uleshort x \b, %#x bit field # text of document; some times start with 4 non printable characters like CR LF >>128 ubyte x \b, >>>128 ubyte >0x1F @@ -821,7 +1364,7 @@ >>>>6 uleshort !0x0004 formatting data !:ext fXX # main revision number ->>>>4 uleshort x \b, revision 0x%x +>>>>4 uleshort x \b, revision %#x >>>6 uleshort =0x0004 \b, cell range # active cellcoord range (start row, page,column ; end row, page, column) # start values normally 0~1st sheet A1 @@ -835,9 +1378,9 @@ >>>>12 uleshort x \b%d, >>>>15 ubyte x \b%d # Lotus Multi Byte Character Set (1~cp850,2~cp851,...,16~japan,...,31~??) ->>>>20 ubyte >1 \b, character set 0x%x +>>>>20 ubyte >1 \b, character set %#x # flags ->>>>21 ubyte x \b, flags 0x%x +>>>>21 ubyte x \b, flags %#x >>>6 uleshort !0x0004 # record type (FONTNAME=00AEh) >>>>30 search/29 \0\xAE @@ -855,7 +1398,7 @@ !:strength -1 # skip Windows cursors with image height <256 and keep Lotus with low opcode 0001-0083h >7 ubyte 0 -# skip Windows cursors with image width 256 and keep Lotus with positiv opcode +# skip Windows cursors with image width 256 and keep Lotus with positive opcode >>6 ubyte >0 Lotus # !:mime application/x-123 !:mime application/vnd.lotus-1-2-3 @@ -911,10 +1454,10 @@ # (version 5.26) labeled the entry as "Lotus 1-2-3" >>>4 default x unknown worksheet or configuration !:ext cnf ->>>>4 uleshort x \b, revision 0x%x +>>>>4 uleshort x \b, revision %#x # 2nd record for most worksheets describes cells range >>>6 use lotus-cells -# 3nd record for most japan worksheets describes cells range +# 3rd record for most japan worksheets describes cells range >>>(8.s+10) use lotus-cells # check and then display Lotus worksheet cells range 0 name lotus-cells 
@@ -946,15 +1489,82 @@ 0 string/b Nullsoft\ AVS\ Preset\ Winamp plug in # Windows Metafile .WMF -0 string/b \327\315\306\232 Windows metafile -!:mime image/wmf -!:ext wmf +# URL: http://fileformats.archiveteam.org/wiki/Windows_Metafile +# http://en.wikipedia.org/wiki/Windows_Metafile +# Reference: https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-WMF/%5bMS-WMF%5d.pdf +# http://mark0.net/download/triddefs_xml.7z/defs/w/wmf.trid.xml +# Note: called "Windows Metafile" by TrID and +# verified by ImageMagick `identify -verbose *.wmf` as WMF (Windows Meta File) +# META_PLACEABLE Record (Aldus Placeable Metafile signature) +0 string/b \327\315\306\232 +# Note: called "Windows Metafile Image with Placeable File Header" by DROID via PUID x-fmt/119 +# and verified by XnView `nconvert -info abydos.wmf SPA_FLAG.wmf hardcopy-windows-meta.wmf` as "Windows Placeable metafile" +# skip failed libreoffice-7.3.2.2 ofz35149-1.wmf with invalid version 2020h and exttextout-2.wmf with invalid version 3a02h +# and x-fmt-119-signature-id-609.wmf without version instead of 0100h=METAVERSION100 or 0300h=METAVERSION300 +>26 uleshort&0xFDff =0x0100 Windows metafile +# HWmf; resource handle to the metafile; When the metafile is on disk, this field MUST contain 0 +# seems to be always true but in failed samples 2020h ofz35149-1.wmf 56f8h exttextout-2.wmf +>>4 uleshort !0 \b, resource handle %#x +# BoundingBox; the rectangle in the playback context measured in logical units for displaying +# sometimes useful like: hardcopy-windows-meta.wmf (0,0 / 1280,1024) +# but garbage in x-fmt-119-signature-id-609.wmf (-21589,-21589 / -21589,-21589) +#>>6 ubequad x \b, bounding box %#16.16llx +# Left; x-coordinate of the upper-left corner of the rectangle +>>6 leshort x \b, bounding box (%d +# Top; y-coordinate upper-left corner +>>8 leshort x \b,%d +# Right; x-coordinate lower-right corner +>>10 leshort x / %d +# Bottom; y-coordinate lower-right corner +>>12 leshort x \b,%d) +# Inch; 
number of logical units per inch like: 72 96 575 576 1000 1200 1439 1440 2540 +>>14 uleshort x \b, dpi %u +# Reserved; field is not used and MUST be set to 0; but ababababh in x-fmt-119-signature-id-609.wmf +>>16 ulelong !0 \b, reserved %#x +# Checksum; checksum for the previous 10 words +>>20 uleshort x \b, checksum %#x +# META_HEADER Record after META_PLACEABLE Record +>>22 use wmf-head +# GRR: no example for type 2 (DISKMETAFILE) variant found under few thousands WMF 0 string/b \002\000\011\000 Windows metafile +>0 use wmf-head +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/w/wmf-16.trid.xml +# Note: called "Windows Metafile (old Win 3.x format)" by TrID and +# "Windows Metafile Image without Placeable File Header" by DROID via PUID x-fmt/119 +# verified by XnView `nconvert -info *.wmf` as Windows metafile +# variant with type=1=MEMORYMETAFILE and valid HeaderSize 9 +0 string/b \001\000\011\000 +# skip DROID x-fmt-119-signature-id-1228.wmf by looking for content after header (18 bytes=2*011) +>18 ulelong >0 Windows metafile +# GRR: in version 5.44 unequal and not endian variant not working! +#>18 ulelong !0 THIS_SHOULD_NOT_HAPPEN +#>18 long !0 THIS_SHOULD_NOT_HAPPEN +>>0 use wmf-head +# display information of Windows metafile header (type, size, objects) +0 name wmf-head +# MetafileType: 0001h=MEMORYMETAFILE~Metafile is stored in memory 0002h=DISKMETAFILE~Metafile is stored on disk +>0 uleshort !0x0001 \b, type %#x +# HeaderSize; the number of WORDs in header record; seems to be always 9 (18 bytes) +>2 uleshort*2 !18 \b, header size %u +# MetafileVersion: 0100h=METAVERSION100~DIBs (device-independent bitmaps) not supported 0300h=METAVERSION300~DIBs are supported +# but in failed samples 2020h ofz35149-1.wmf 3a02h exttextout-2.wmf +>4 uleshort =0x0100 \b, DIBs not supported +>4 uleshort =0x0300 +#>4 uleshort =0x0300 \b, DIBs supported +# this should not happen! 
+>4 default x \b, version +>>4 uleshort x %#x +# Size; the number of WORDs in the entire metafile +>6 ulelong x \b, size %u words +#>6 ulelong*2 x \b, size %u bytes !:mime image/wmf !:ext wmf -0 string/b \001\000\011\000 Windows metafile -!:mime image/wmf -!:ext wmf +# NumberOfObjects: the number of graphics objects like: 0 hardcopy-windows-meta.wmf 1 2 3 4 5 6 7 8 9 12 13 14 16 17 20 27 110 PERSGRID.WMF +>10 uleshort x \b, %u objects +# MaxRecord: the size of the largest record in the metafile in WORDs like: 78h b0h 1f4h 310h 63fh 1e0022h 3fcc21h +>12 ulelong x \b, largest record size %#x +# NumberOfMembers: It SHOULD be 0x0000, but 5 TestBitBltStretchBlt.wmf 13 TestPalette.wmf and in failed samples 4254 bitcount-1.wmf 8224 ofz5942-1.wmf 56832 exttextout-2.wmf +>16 uleshort !0 \b, %u members #tz3 files whatever that is (MS Works files) 0 string/b \003\001\001\004\070\001\000\000 tz3 ms-works file @@ -1037,7 +1647,7 @@ #>3 ubyte x \b, reserved %x #>8 ulelong x \b, image size %d # offset of PNG or DIB image -#>12 ulelong x \b, offset 0x%x +#>12 ulelong x \b, offset %#x # PNG header (\x89PNG) >(12.l) ubelong =0x89504e47 # 1 space char after "with" to get phrase "with PNG image" by magic in ./images @@ -1107,8 +1717,6 @@ 1 string RDC-meg MegaDots >8 byte >0x2F version %c >9 byte >0x2F \b.%c file -0 lelong 0x4C ->4 lelong 0x00021401 Windows shortcut file # .PIF files added by Joerg Jenderek from https://smsoft.ru/en/pifdoc.htm # only for windows versions equal or greater 3.0 @@ -1144,28 +1752,15 @@ >0x187 search/0xB55 AUTOEXECBAT\ 4.0\0 \b +AUTOEXEC.BAT #>>&06 string x \b:%s -# DOS EPS Binary File Header -# 
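Review bot: The placeable-header branch prints `Checksum` with `>>20 uleshort x \b, checksum %#x` but never checks it, and the surrounding comment does not say that the value is displayed unverified; since the referenced MS-WMF document defines that field over the preceding 10 words (an XOR of them, as far as I recall — worth confirming against the PDF), a mismatch would be the cheapest indicator that a `\327\315\306\232` hit is not really a metafile, so the limitation deserves a note such as `# Checksum; covers the previous 10 words per MS-WMF; printed only, not validated by this rule`. The only structural validation that remains is the `>26 uleshort&0xFDff =0x0100` version test for the placeable variant and `>18 ulelong >0` for the memory variant, which the comments already flag as a workaround for the 5.44 comparison problem.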
From: Ed Sznyter <ews@Black.Market.NET> -0 belong 0xC5D0D3C6 DOS EPS Binary File -!:mime image/x-eps ->4 long >0 Postscript starts at byte %d ->>8 long >0 length %d ->>>12 long >0 Metafile starts at byte %d ->>>>16 long >0 length %d ->>>20 long >0 TIFF starts at byte %d ->>>>24 long >0 length %d - -# TNEF magic From "Joomy" <joomy@se-ed.net> -# Microsoft Outlook's Transport Neutral Encapsulation Format (TNEF) -0 lelong 0x223e9f78 TNEF -!:mime application/vnd.ms-tnef - # Norton Guide (.NG , .HLP) files added by Joerg Jenderek from source NG2HTML.C # of http://www.davep.org/norton-guides/ng2h-105.tgz # https://en.wikipedia.org/wiki/Norton_Guides 0 string NG\0\001 # only value 0x100 found at offset 2 >2 ulelong 0x00000100 Norton Guide +!:mime application/x-norton-guide +# often like NORTON.NG but some times like NC.HLP +!:ext ng/hlp # Title[40] >>8 string >\0 "%-.40s" #>>6 uleshort x \b, MenuCount=%u @@ -1173,6 +1768,66 @@ >>48 string >\0 \b, %-.66s >>114 string >\0 %-.66s +# URL: https://en.wikipedia.org/wiki/Norton_Commander +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/m/msg-nc-eng.trid.xml +# From: Joerg Jenderek +# Note: Message file is used by executable with same main name. +# Only tested with version 5.50 (english) and 2.01 (Windows) +0 string Abort +# \0 or i +#>5 ubyte x %x +# skip ASCII Abort text by looking for error message like in NCVIEW.MSG +>6 search/7089 Non-DOS\ disk Norton Commander module message +!:mime application/x-norton-msg +!:ext msg + +# URL: http://www.antonis.de/dos/dos-tuts/mpdostip/html/nwdostip.htm +# Reference: https://mark0.net/download/triddefs_xml.7z/defs/m/msg-netware-dos.trid.xml +# 
From: Joerg Jenderek +0 string DOS\ Client\ Message\ File: Novell DOS client message +#!:mime application/octet-stream +#!:mime application/x-novell-msg +!:ext msg +# look for second letter instead space character +>26 ubyte >0x20 +# digit 1 or often main or program name like: IPXODI.COM TASKID pnwtrap DOSRqstr +>>25 ubyte !0x20 %c +>>>26 ubyte !0x20 \b%c +>>>>27 ubyte !0x20 \b%c +>>>>>28 ubyte !0x20 \b%c +>>>>>>29 ubyte !0x20 \b%c +>>>>>>>30 ubyte !0x20 \b%c +>>>>>>>>31 ubyte !0x20 \b%c +>>>>>>>>>32 ubyte !0x20 \b%c +>>>>>>>>>>33 ubyte !0x20 \b%c +>>>>>>>>>>>34 ubyte !0x20 \b%c +>>>>>>>>>>>>35 ubyte !0x20 \b%c +>>>>>>>>>>>>>36 ubyte !0x20 \b%c +# followed by string like: 0 v.10 V1.20 +# +# followed by ,\040Tran +>28 search/14 ,\040Tran +# probably translated version string like: 0 v1.00 +>>&0 string x \b, tran version %s +# followed by Ctrl-J Ctrl-Z +>>>&0 ubyte !0xa \b, terminated by %#2.2x +>>>>&0 ubyte x \b%2.2x +# Ctrl-Z +>0x65 ubyte !0x1A \b, at 0x65 %#x +# one +>0x66 ubyte !0x01 \b, at 0x66 %#x +# URL: https://en.wikipedia.org/wiki/NetWare +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/d/dat-novell-msg.trid.xml +# ftp://ftp.iitb.ac.in/LDP/en/NLM-HOWTO/NLM-HOWTO-single.html +# From: Joerg Jenderek +0 string Novell\ Message\ Librarian\ Data\ File Novell message librarian data +#>35 string Version\ 1.00 +#>49 string COPYRIGHT\ (c)\ 1985\ by\ Novell,\ Inc. +#>83 string \ \ All\ Rights\ Reserved +#!:mime application/octet-stream +#!:mime application/x-novell-msg +!:ext msg +#!:ext msg/dat # 4DOS help (.HLP) files added by Joerg Jenderek from source TPHELP.PAS # of https://www.4dos.info/ # pointer,HelpID[8]=4DHnnnmm @@ -1184,6 +1839,8 @@ # HtmlHelp files (.chm) 0 string/b ITSF\003\000\000\000\x60\000\000\000 MS Windows HtmlHelp Data +!:mime application/vnd.ms-htmlhelp +!:ext chm # GFA-BASIC (Wolfram Kleff) 2 string/b GFA-BASIC3 GFA-BASIC 3 data 
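Review bot: The twelve-level `>>25 ubyte !0x20 %c` … `>>>>>>>>>>>>>36 ubyte !0x20 %c` chain in the Novell DOS client entry admits every byte except space, including control bytes and 0x80–0xFF, so a damaged or non-ASCII name field is emitted as escaped octal in the middle of the description; only the first character is guarded by `>26 ubyte >0x20`. Tightening each level to `>0x20` (matching the guard already used for offset 26) would keep the printed name to visible characters, and a comment above the chain should say that it stops at the first space, e.g. `# print program name up to the first space (12 chars max)`. The `0 string Abort` entry relies on `>6 search/7089 Non-DOS\ disk` to separate message files from plain text beginning with that word, which is fine as long as the comment keeps saying so.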
@@ -1234,7 +1891,7 @@ # member Macromedia Flash data *.swf implies IncrediMail skin like in im2.ims >>0x2c search/211/c .swf\0 skin !:ext ims -# member anim.im3 implies IncrediMail animation like in letter_fold.ima +# member anim.im3 implies IncrediMail animation like in letter_fold.ima >>0x2c search/92/c anim.im3\0 animation !:ext ima # other IncrediMail cab archive @@ -1248,6 +1905,12 @@ >0x2c default x # look for 1st member name >>(16.l+16) ubyte x +# From: Joerg Jenderek +# URL: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/building-device-metadata-packages +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/d/devicemetadata-ms.trid.xml +>>>&-1 string PackageInfo.xml \b, Device Metadata Package +!:mime application/vnd.ms-cab-compressed +!:ext devicemetadata-ms # https://en.wikipedia.org/wiki/SNP_file_format >>>&-1 string/c _accrpt_.snp \b, Access report snapshot !:mime application/msaccess 
@@ -1270,15 +1933,21 @@ !:mime application/vnd.ms-cab-compressed !:ext msu >>>&-1 default x -# look at point charcter of 1st archive member name for file name extension +# look at point character of 1st archive member name for file name extension +# GRR: search range is maybe too large and match point else where like in EN600x64.cab! >>>>&-1 search/255 . # http://www.pptfaq.com/FAQ00164_What_is_a_PPZ_file-.htm # PPZ were created using Pack & Go feature of PowerPoint versions 97 - 2002 # packs optional files, a PowerPoint presentation *.ppt with optional PLAYLIST.LST to CAB ->>>>>&0 string/c ppt\0 \b, PowerPoint Packed and Go +>>>>>&0 string/c ppt\0 +>>>>>>28 uleshort >1 \b, PowerPoint Packed and Go !:mime application/vnd.ms-powerpoint #!:mime application/mspowerpoint !:ext ppz +# or POWERPNT.PPT packed as POWERPNT.PP_ found on Windows 2000,XP setup CD in directory i386 +>>>>>>28 uleshort =1 \b, one packed PowerPoint +!:mime application/vnd.ms-cab-compressed +!:ext pp_ # https://msdn.microsoft.com/en-us/library/windows/desktop/bb773190(v=vs.85).aspx # first member *.theme implies Windows 7 Theme Pack like in CommunityShowcaseAqua3.themepack # or Windows 8 Desktop Theme Pack like in PanoramicGlaciers.deskthemepack @@ -1292,6 +1961,13 @@ >>>>>>(16.l+16) string !Panoram 7 or 8 !:ext themepack/deskthemepack >>>>>>(16.l+16) ubyte x Theme Pack +# URL: https://en.wikipedia.org/wiki/Microsoft_OneNote#File_format +# http://fileformats.archiveteam.org/wiki/OneNote +# Reference: https://mark0.net/download/triddefs_xml.7z/defs/o/onepkg.trid.xml +# 1st member name like: "Class Notes.one" "test-onenote.one" "Open Notebook.onetoc2" "Editor Öffnen.onetoc2" +>>>>>&0 string/c one \b, OneNote Package +!:mime application/msonenote +!:ext onepkg >>>>>&0 default x # look for null terminator of 1st member name >>>>>>&0 search/255 \0 
@@ -1319,6 +1995,16 @@ >>>>>>>>>30 uleshort !0x0000 \b, single !:mime application/vnd.ms-cab-compressed !:ext cab +# first archive name without point character +>>>>&-1 default x +>>>>>28 uleshort =1 \b, single +!:mime application/vnd.ms-cab-compressed +# on XP_CD\I386\ like: NETWORKS._ PROTOCOL._ QUOTES._ SERVICES._ +!:ext _ +>>>>>28 uleshort >1 \b, many +!:mime application/vnd.ms-cab-compressed +# like: HP Envy 6000 printer driver packages Full_x86.cab Full_x64.cab +!:ext cab # TODO: additional extensions like # .xtp InfoPath Template Part # .lvf Logitech Video Effects Face Accessory @@ -1329,7 +2015,7 @@ #>4 belong !0 \b, reserved1 %x #>12 belong !0 \b, reserved2 %x # offset of the first CFFILE entry coffFiles: minimal 2Ch ->16 ulelong x \b, at 0x%x +>16 ulelong x \b, at %#x >(16.l) use cab-file # at least also 2nd member >28 uleshort >1 @@ -1339,12 +2025,12 @@ >>>>&0 use cab-file #>20 belong !0 \b, reserved %x # Cabinet file format version. Currently, versionMajor = 1 and versionMinor = 3 ->24 ubeshort !0x0301 \b version 0x%x +>24 ubeshort !0x0301 \b version %#x # number of CFFOLDER entries >26 uleshort >1 \b, %u cffolders # cabinet file option indicators 1~PREVIOUS, 2~NEXT, 4~reserved fields # only found for flags 0 1 2 3 4 not 7 ->30 uleshort >0 \b, flags 0x%x +>30 uleshort >0 \b, flags %#x # Cabinet files have a 16-bit cabinet setID field that is designed for application use. # default is zero, however, the -i option of cabarc can be used to set this field >32 uleshort >0 \b, ID %u 
@@ -1395,30 +2081,30 @@ # display folder structure CFFOLDER information like compression of cabinet 0 name cab-folder # offset of the CFDATA block in this folder -#>0 ulelong x \b, coffCabStart 0x%x +#>0 ulelong x \b, coffCabStart %#x # number of CFDATA blocks in folder >4 uleshort x \b, %u datablock # plural s >4 uleshort >1 \bs # compression typeCompress: 0~None 1~MSZIP 0x1503~LZX:21 0x1003~LZX:16 0x0f03~LZX:15 ->6 uleshort x \b, 0x%x compression +>6 uleshort x \b, %#x compression # optional per-folder reserved area -#>8 ubequad x \b, abReserve 0x%llx +#>8 ubequad x \b, abReserve %#llx # display member structure CFFILE information like member name of cabinet 0 name cab-file -# cbFile is uncompressed size of file in bytes +# cbFile is uncompressed size of file in bytes #>0 ulelong x \b, cbFile %u # uoffFolderStart is uncompressed offset of file in folder -#>4 ulelong >0 \b, uoffFolderStart 0x%x +#>4 ulelong >0 \b, uoffFolderStart %#x # iFolder is index into the CFFOLDER area. 0 indicates first folder in cabinet # define ifoldCONTINUED_FROM_PREV (0xFFFD) # define ifoldCONTINUED_TO_NEXT (0xFFFE) # define ifoldCONTINUED_PREV_AND_NEXT (0xFFFF) ->8 uleshort >0 \b, iFolder 0x%x +>8 uleshort >0 \b, iFolder %#x # date stamp for file -#>10 uleshort x \b, date 0x%x +>10 lemsdosdate x last modified %s # time stamp for file -#>12 uleshort x \b, time 0x%x +>12 lemsdostime x %s # attribs is attribute flags for file # define _A_RDONLY (0x01) file is read-only # define _A_HIDDEN (0x02) file is hidden @@ -1428,7 +2114,7 @@ # define _A_EXEC (0x40) run after extraction # define _A_NAME_IS_UTF (0x80) szName[] contains UTF # define UNKNOWN (0x0100) undocumented or accident -#>14 uleshort x \b, attribs 0x%x +#>14 uleshort x \b, attribs %#x >14 uleshort >0 + >>14 uleshort &0x0001 \bR >>14 uleshort &0x0002 \bH 
@@ -1471,7 +2157,7 @@ # for further information. 0 ulelong 1 >40 string \ EMF Windows Enhanced Metafile (EMF) image data ->>44 ulelong x version 0x%x +>>44 ulelong x version %#x 0 string/b \224\246\056 Microsoft Word Document @@ -1516,7 +2202,8 @@ 0 string Jetsam0 Mallard BASIC Jetsam index data # DOS backup 2.0 to 3.2 - +# URL: http://fileformats.archiveteam.org/wiki/BACKUP_(MS-DOS) +# Reference: http://www.ibiblio.org/pub/micro/pc-stuff/freedos/files/dos/restore/brtecdoc.htm # backupid.@@@ # plausibility check for date @@ -1526,6 +2213,7 @@ # actually 121 nul bytes >>>0x7 string \0\0\0\0\0\0\0\0 >>>>0x1 ubyte x DOS 2.0 backup id file, sequence %d +#!:mime application/octet-stream !:ext @@@ >>>>0x0 ubyte 0xff \b, last disk @@ -1548,7 +2236,7 @@ # but sometimes garbage according to Ralf Quint. So can not be used as test #>0x54 string \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 # first char of full file name is DOS (5Ch) or UNIX (2Fh) path separator -# only DOS variant found. UNIX variant according to V32SLASH.TXT in archive PD0315.EXE +# only DOS variant found. UNIX variant according to V32SLASH.TXT in archive PD0315.EXE >>>>>5 ubyte&0x8C 0x0C # ./msdos (version 5.30) labeled the entry as # "DOS 2.0 backed up file %s, split file, sequence %d" or @@ -1559,7 +2247,9 @@ >>>>>>>1 uleshort x sequence %d of # full file name with path but without drive letter and colon stored from 0x05 til 0x52 >>>>>>0x5 string x file %s +#!:mime application/octet-stream # backup name is original filename +#!:ext doc/exe/rar/zip #!:ext * # magic/Magdir/msdos, 1169: Warning: EXTENSION type ` *' has bad char '*' # file: line 1169: Bad magic entry ' *' @@ -1578,3 +2268,37 @@ # NB: The BACKUP.nnn files consist of the files backed up, # concatenated. + +# 
From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/MS-DOS_date/time +# Reference: https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-dosdatetimetofiletime +# Note: DOS date+time format is different from formats such as Unix epoch +# bit encoded; uses year values relative to 1980 and 2 second precision +0 name dos-date +# HHHHHMMMMMMSSSSS bit encoded Hour (0-23) Minute (0-59) SecondPart (*2) +#>0 uleshort x RAW TIME [%#4.4x] +# hour part +#>0 uleshort/2048 x hour [%u] +# YYYYYMMMMDDDDD bit encoded YearPart (+1980) Month (1-12) Day (1-31) +#>2 uleshort x RAW DATE [%#4.4x] +# day part +>2 uleshort&0x001F x %u +#>2 uleshort/16 x MONTH PART [%#x] +# GRR: not working +#>2 uleshort/16 &0x000F MONTH [%u] +#>2 uleshort&0x01E0 x MONTH PART [%#4.4x] +>2 uleshort&0x01E0 =0x0020 jan +>2 uleshort&0x01E0 =0x0040 feb +>2 uleshort&0x01E0 =0x0060 mar +>2 uleshort&0x01E0 =0x0080 apr +>2 uleshort&0x01E0 =0x00A0 may +>2 uleshort&0x01E0 =0x00C0 jun +>2 uleshort&0x01E0 =0x00E0 jul +>2 uleshort&0x01E0 =0x0100 aug +>2 uleshort&0x01E0 =0x0120 sep +>2 uleshort&0x01E0 =0x0140 oct +>2 uleshort&0x01E0 =0x0160 nov +>2 uleshort&0x01E0 =0x0180 dec +# year part +>2 uleshort/512 x 1980+%u +# |
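Review bot: The month decoding in `dos-date` has no fallback for the four bit patterns the twelve `>2 uleshort&0x01E0 =…` lines do not cover (0x0000 and 0x01A0–0x01E0, i.e. month 0 and 13–15), so a corrupted or deliberately odd timestamp prints as `day 1980+year` with nothing in between and no hint that the field is invalid. A `default` line alone would not help, because `>2 uleshort&0x001F x %u` at the same level always matches; inserting `>2 clear x` before the `jan` line and appending `>2 uleshort&0x01E0 default x \b?` after `dec` makes the gap visible. Separately, no `use dos-date` appears in the visible hunks (cab-file switched to `lemsdosdate`/`lemsdostime` instead), so the header comment could say where the name is meant to be used.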