Diffstat (limited to 'contrib/file/magic/Magdir/windows')
-rw-r--r-- | contrib/file/magic/Magdir/windows | 706 |
1 files changed, 656 insertions, 50 deletions
diff --git a/contrib/file/magic/Magdir/windows b/contrib/file/magic/Magdir/windows
index c98708ae1bae..f58ce3e5a511 100644
--- a/contrib/file/magic/Magdir/windows
+++ b/contrib/file/magic/Magdir/windows
@@ -1,6 +1,6 @@
 #------------------------------------------------------------------------------
-# $File: windows,v 1.44 2022/05/31 17:39:08 christos Exp $
+# $File: windows,v 1.63 2023/07/17 16:56:13 christos Exp $
 # windows: file(1) magic for Microsoft Windows
 #
 # This file is mainly reserved for files where programs
@@ -15,40 +15,255 @@ # Summary: Outlook Express DBX file -# Extension: .dbx # Created by: Christophe Monniez -0 string \xCF\xAD\x12\xFE MS Outlook Express DBX file ->4 byte =0xC5 \b, message database ->4 byte =0xC6 \b, folder database ->4 byte =0xC7 \b, account information ->4 byte =0x30 \b, offline database +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/Outlook_Express_Database +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/d/dbx.trid.xml +# https://sourceforge.net/projects/ol2mbox/files/LibDBX/ +# v1.0.4/libdbx_1.0.4.tar.gz/FILE-FORMAT +# Note: called "Outlook Express Database" by TrID and DROID via PUID fmt/838 fmt/839 +# and partly verified by `undbx --verbosity 4 Posteingang.dbx` +0 string \xCF\xAD\x12\xFE +# skip DROID fmt-838-signature-id-1193.dbx fmt-839-signature-id-1194.dbx by check for valid file size +>0x7C ulelong >0 MS Outlook Express DBX file +#!:mime application/octet-stream +#!:mime application/vnd.ms-outlook +!:mime application/x-ms-dbx +!:ext dbx +>>4 byte =0xC5 \b, message database +>>4 byte =0xC6 \b, folder database +>>4 byte =0xC7 \b, account information +>>4 byte =0x30 \b, offline database +# version like: 5.2 5.5 (typical) +>>20 ulequad !0x0000000500000005 \b, version +# major version +>>>24 ulelong x %u +# minor version +>>>20 ulelong x \b.%u +# CLSID: 6F74FDC5-E366-11d1-9A4E-00C04FA309D4~Message 6F74FDC6-E366-11D1-9A4E-00C04FA309D4~Folder +# 26FE9D30-1A8F-11D2-AABF-006097D474C4~offline +#>>4 guid x \b, CLSID %s +# file size; total size of file; sometimes real size a little bit higher +>>0x7C ulelong x \b, ~ %u bytes +# highest Email ID; the next email will have a number one higher than this +>>0x5c ulelong x \b, highest ID %#x +# item count; number of items stored in this DBX file +>>0xC4 ulelong x \b, %u item +# plural s +>>0xC4 ulelong !1 \bs +# index pointer; file offset pointing to a page of Data Indexes +>>0xE4 ulelong >0 \b, index pointer %#x +# 
From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/Nickfile +# https://www.nirsoft.net/utils/outlook_nk2_edit.html +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/n/nk2.trid.xml +# https://github.com/libyal/libnk2/blob/main/documentation +# Nickfile%20(NK2)%20format.asciidoc +# Note: called "Outlook Nickfile" by TrID & TestDisk and +# "Outlook Nickname File" by Microsoft Outlook and +# "Outlook AutoComplete File" by Nirsoft NK2Edit +# partly verfied by NK2Edit Raw Text Edit Mode +0 ubelong 0x0DF0ADBA MS Outlook Nickfile +#!:mime application/octet-stream +#!:mime application/vnd.ms-outlook +!:mime application/x-ms-nickfile +!:ext nk2/dat/bak +# nick is used by "older" Outlook; dat is used by "newer" Outlook (probably 2010 - 2016); bak is used for backup +#!:ext nick/nk2/dat/bak +# Unknown; probably a version indicator like: 0000000Ah 0000000Ch +>4 ulelong x \b, probably version %u +# Unknown2; probably a version indicator like: 1 0 +>8 ulelong x \b.%u +# number of rows (nickname or alias items) in file +>12 ulelong x \b, %u items +# number of item entries/columns/properties value like: 17h +>16 ulelong x \b, %u entries +# value type/property tag: 001Fh~4 bytes for data size of UTF-16 LE string +>20 uleshort x \b, value type %#4.4x +# entry type/property identifier: 6001h~PR_DOTSTUFF_STATE/PR_NICK_NAME_W +>22 uleshort x \b, entry type %#4.4x +# Reserved like: 0013FD90h +#>24 ulelong x \b, reserved %#8.8x +# value data array/Irrelevant Union like: 0000000004E31A80h +#>28 ulequad x \b, data %#16.16llx +# UTF-16 +>20 uleshort =0x001F +# unicode string bytes like: 2Ch +>>36 ulelong x \b, %u bytes +# unicode string value PT_UNICODE like: janesmith@contoso.org +>>40 lestring16 x "%s" # Summary: Windows crash dump -# Extension: .dmp # Created by: Andreas Schuster (https://computer.forensikblog.de/) -# Reference (1): https://computer.forensikblog.de/en/2008/02/64bit_magic.html +# 
https://web.archive.org/web/20101125060849/https://computer.forensikblog.de/en/2008/02/64bit_magic.html # Modified by (1): Abel Cheung (Avoid match with first 4 bytes only) +# Modified by (2): Joerg Jenderek (addtional fields, extension, URL) +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/d/dmp.trid.xml +# https://gitlab.com/qemu-project/qemu/-/blob/master/include/qemu/win_dump_defs.h +# Note: called "Windows memory dump" by TrID +# and verified by like Windows Kit `Dumpchk.exe 043022-18703-01.dmp` +# and partly by NirSoft `BlueScreenView.exe 043022-18703-01.dmp` +# char Signature[4] 0 string PAGE +# char ValidDump[4] >4 string DUMP MS Windows 32bit crash dump +#!:mime application/octet-stream +!:mime application/x-ms-dmp +# like: Mini111013-01.dmp +!:ext dmp +# major version like: 15 +>>8 ulelong x \b, version %u +# minor version like: 2600 +>>12 ulelong x \b.%u +# DirectoryTableBase like: 709000 +#>>16 ulelong x \b, DirectoryTableBase %#x +# PfnDatabase like: 805620c8 +#>>20 ulelong x \b, PfnDatabase %#x +# PsLoadedModuleList like: 8055d720 +#>>24 ulelong x \b, PsLoadedModuleList %#x +# PsActiveProcessHead like:805638b8 +#>>28 ulelong x \b, PsActiveProcessHead %#x +# MachineImageType like: 14c (intel x86) +>>32 ulelong !0x14c \b, MachineImageType %#x +# NumberProcessors like: 2 +>>36 ulelong x \b, %u processors +# BugcheckCode like: e2 +#>>40 ulelong x \b, BugcheckCode %#x +# BugcheckParameter1 like: 0 +#>>44 ulelong x \b, BugcheckParameter1 %#x +# BugcheckParameter2 like: 0 +#>>48 ulelong x \b, BugcheckParameter2 %#x +# BugcheckParameter3 like: 0 +#>>52 ulelong x \b, BugcheckParameter3 %#x +# BugcheckParameter4 like: 0 +#>>56 ulelong x \b, BugcheckParameter4 %#x +# VersionUser[32]; like "PAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGE" "" +#>>60 string x \b, VersionUser "%.32s" +# uint32_t reserved0 like: 45474101 +#>>92 ulelong x \b, reserved0 %#x >>0x05c byte 0 \b, no PAE >>0x05c byte 1 \b, PAE +# KdDebuggerDataBlock like: 8054d2e0 +#>>96 ulelong x \b, 
KdDebuggerDataBlock %#x +# uint8_t PhysicalMemoryBlockBuffer[700] +# WinDumpPhyMemDesc32 NumberOfRuns like: 45474150 +#>>100 ulelong x \b, NumberOfRuns %#x +# WinDumpPhyMemDesc32 uint32_t NumberOfPages like: 1162297680 +#>>104 ulelong x \b, NumberOfPages %#x +# WinDumpPhyMemRun32 Run[86]; 688 bytes +#>>108 ulelong x \b, BasePage %#x +#>>112 ulelong x \b, PageCount %#x +# uint8_t reserved1[3200] +#>>800 string x \b, reserved "%s" +#>>4000 ulelong x \b, RequiredDumpSpace %#x +# uint8_t reserved2[92]; +#>>4004 string x \b, reserved2 "%s" >>0xf88 lelong 1 \b, full dump >>0xf88 lelong 2 \b, kernel dump >>0xf88 lelong 3 \b, small dump +# like: 4 +>>0xf88 lelong >3 \b, dump type (%#x) +# WinDumpPhyMemDesc32 uint32_t NumberOfPages like: 1162297680 +# GRR: IS THIS TRUE? VALUE IS SOMETIMES VERY HIGH! +#>>104 ulelong x \b, NumberOfPages %#x >>0x068 lelong x \b, %d pages +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/d/dmp-64.trid.xml113o +# Note: called "Windows 64bit Memory Dump" by TrID +# char ValidDump[4] >4 string DU64 MS Windows 64bit crash dump ->>0xf98 lelong 1 \b, full dump ->>0xf98 lelong 2 \b, kernel dump ->>0xf98 lelong 3 \b, small dump +#!:mime application/octet-stream +!:mime application/x-ms-dmp +# like: c:\Windows\Minidump\020322-18890-01.dmp c:\Windows\MEMORY.DMP +!:ext dmp +# major version like: 15 +>>8 ulelong x \b, version %u +# minor version like: 9600 19041 22621 +>>12 ulelong x \b.%u +# DirectoryTableBase like: 001ab000 +#>>16 ulequad x \b, DirectoryTableBase %#llx +# PfnDatabase like: fffffa8000000000 +#>>24 ulequad x \b, PfnDatabase %#llx +# PsLoadedModuleList like: fffff800c553f650 +#>>32 ulequad x \b, PsLoadedModuleList %#llx +# PsActiveProcessHead like: fffff800c5525400 +#>>40 ulequad x \b, PsActiveProcessHead %#llx +# MachineImageType like: 00008664 +>>48 ulelong !0x8664 \b, MachineImageType %#x +# NumberProcessors like: 2 4 +>>52 ulelong x \b, %u processors +# BugcheckCode like: 1000007e +#>>56 ulelong x \b, BugcheckCode %#x +# 
unused0 +#>>60 ulelong x \b, unused0 %#x +# BugcheckParameter1 like: ffffffffc0000005 +#>>64 ulequad x \b, BugcheckParameter1 %#llx +# BugcheckParameter2 like: fffff801abb2158f +#>>72 ulequad x \b, BugcheckParameter2 %#llx +# BugcheckParameter3 like: ffffd000290d4288 +#>>80 ulequad x \b, BugcheckParameter3 %#llx +# BugcheckParameter4 like: ffffd000290d3aa0 +#>>88 ulequad x \b, BugcheckParameter4 %#llx +# VersionUser[32]; like "" "PAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGE" "" +#>>96 string x \b, VersionUser "%.32s" +# KdDebuggerDataBlock like: fffff800c550c530 +#>>128 ulequad x \b, KdDebuggerDataBlock %#llx +# uint8_t PhysicalMemoryBlockBuffer[704] +# WinDumpPhyMemDesc64 NumberOfRuns like: 6 7 0x45474150 +#>>136 ulelong x \b, NumberOfRuns %#x +# WinDumpPhyMemDesc64 unused like: 0 0x45474150 +#>>140 ulelong x \b, unused %#x +# WinDumpPhyMemRun64 Run[43] BasePage like: 1 +#>>152 ulequad x \b, BasePage %#llx +# WinDumpPhyMemRun64 Run[43] PageCount like: 57h +#>>160 ulequad x \b, PageCount %#llx +# uint8_t ContextBuffer[3000] like: "" "\001" "\0207J\266\001\340\377\377&8\007\312" +#>>840 string x \b, ContextBuffer "%s" +# WinDumpExceptionRecord ExceptionCode +#>>3840 ulelong x \b, ExceptionCode %#x +# WinDumpExceptionRecord ExceptionFlags +#>>3844 ulelong x \b, ExceptionFlags %#x +# WinDumpExceptionRecord ExceptionRecord +#>>3848 ulequad x \b, ExceptionRecord %#llx +# WinDumpExceptionRecord ExceptionAddress +#>>3856 ulequad x \b, ExceptionAddress %#llx +# WinDumpExceptionRecord NumberParameters +#>>3864 ulelong x \b, NumberParameters %#x +# WinDumpExceptionRecord unused +#>>3868 ulelong x \b, unsed %#x +# WinDumpExceptionRecord ExceptionInformation[15] +#>>3872 ulequad x \b, ExceptionInformation[0] %#llx +# https://learn.microsoft.com/en-us/troubleshoot/windows-server/performance/memory-dump-file-options +# but DumpType like: 4~small 5~full (MEMORY.DMP) 6~kernel (MEMORY.DMP) +>>0xf98 ulelong x \b, +>>>0xf98 lelong 5 full dump +>>>0xf98 lelong 6 kernel dump +>>>0xf98 lelong 4 
small dump +# This probably never occur +>>>0xf98 default x DumpType +>>>>0xf98 ulelong x (%#x) +# WinDumpPhyMemDesc64 uint64_t NumberOfPages like: 3142425 8341923 8366500 1162297680 4992030524978970960 +# GRR: IS THIS TRUE? VALUE IS SOMETIMES VERY HIGH! >>0x090 lequad x \b, %lld pages - # Summary: Vista Event Log -# Extension: .evtx # Created by: Andreas Schuster (https://computer.forensikblog.de/) -# Reference (1): https://computer.forensikblog.de/en/2007/05/some_magic.html -0 string ElfFile\0 MS Windows Vista Event Log +# Update: Joerg Jenderek +# URL: https://github.com/libyal/libevtx/blob/main/documentation/Windows%20XML%20Event%20Log%20(EVTX).asciidoc +# Reference (1): https://web.archive.org/web/20110803085000/ +# https://computer.forensikblog.de/en/2007/05/some_magic.html +# http://mark0.net/download/triddefs_xml.7z/defs/e/evtx.trid.xml +# Note: called "Vista Event Log" by TrID and "Event Log" by Windows +# verified partly by `wevtutil.exe gli /lf:true dumpfile.evtx` +0 string ElfFile\0 MS Windows +#!:mime application/octet-stream +!:mime application/x-ms-evtx +!:ext evtx +# Major+Minor format version: 3.1~Vista and later 3.2~Windows 10 (2004) and later +>0x24 ulelong =0x00030001 Vista-8.1 Event Log +>0x24 ulelong !0x00030001 10-11 Event Log, version +>>0x26 uleshort x %u +>>0x24 uleshort x \b.%u >0x2a leshort x \b, %d chunks >>0x10 lelong x \b (no. %d in use) >0x18 lelong >1 \b, next record no. %d @@ -56,6 +271,32 @@ >0x78 lelong &1 \b, DIRTY >0x78 lelong &2 \b, FULL +# Summary: Windows Event Trace Log +# 
From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/ETL +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/e/etl.trid.xml +# https://www.geoffchappell.com/studies/windows/km/ntoskrnl/api/etw/tracelog/trace_logfile_header.htm +# Note: called "Window tracing/diagnostic binary log" by TrID +# verified by `tracerpt.EXE Wifi.etl -of EVTX` +# and by etl-parser `etl2xml --input AMSITrace.etl --output AMSITrace.xml` +# Every ETL file begins with a WMI_BUFFER_HEADER, a SYSTEM_TRACE_HEADER and a TRACE_LOGFILE_HEADER +0 ubyte 0 +# look for corresponding encoded as UTF-16 file name extension like in: boot_BASE+CSWITCH_1.etl +>0 search/0x699087/b .\0e\0t\0l\0\0\0 +# GRR: line above only works if in ../../src/file.h FILE_BYTES_MAX is raised above 699086h (6,59 MiB) +>>0 use trace-etl +# display information of Windows Performance Analyzer Trace File (file name) +0 name trace-etl +>0 ubyte x Windows Event Trace Log +#!:mime application/x-ms-etl +# http://extension.nirsoft.net/etl +!:mime application/etl +!:ext etl +# look for DOS drive letter part of log file name like: PhotosAppTracing_startedInBGMode.etl +>0 search/0x2b4/sb :\0\x5c\0 +# like: "c:\Windows\Logs\NetSetup\service.0.etl" "C:\Windows\System32\LogFiles\WMI\Wifi.etl" +>>&-2 lestring16 x "%s" + # Summary: Windows System Deployment Image # Created by: Joerg Jenderek # URL: http://en.wikipedia.org/wiki/System_Deployment_Image 
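Review bot: The Event Trace Log entry identifies a file by finding the UTF-16 text `.etl` anywhere in the first 0x699087 bytes of any file whose first byte is zero (`0 ubyte 0` followed by `>0 search/0x699087/b .\0e\0t\0l\0\0\0`), not by the WMI_BUFFER_HEADER, SYSTEM_TRACE_HEADER and TRACE_LOGFILE_HEADER that the comment directly above says every ETL begins with. Any NUL-leading binary that merely embeds a UTF-16 `.etl` string — an installer or executable that names its own log file, say — would be reported as `Windows Event Trace Log`, and the multi-megabyte search is paid by every such file (clamped, as the GRR comment admits, by FILE_BYTES_MAX). Testing a fixed field of one of those headers first and only then running the file-name search would make the match both cheaper and more specific; the `trace-etl` name block with its `:\0\x5c\0` path display could stay as it is. The search length should also be cut to what FILE_BYTES_MAX actually allows, or the GRR remark turned into an explicit TODO, so the magic does not silently promise coverage it does not deliver.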
@@ -370,68 +611,340 @@ >16 string >\0 for "%s" # Summary: Hyper terminal -# Extension: .ht # Created by: unknown +# Update: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/HyperACCESS +# https://www.hilgraeve.com/hyperterminal/ +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/h/ht.trid.xml +# Note: called "HyperTerminal data file" by TrID and "HyperTerminal File" on English Windows 0 string HyperTerminal\040 ->15 string 1.0\ --\ HyperTerminal\ data\ file MS Windows HyperTerminal profile +>14 string 1.0\ --\ HyperTerminal\ data\ file MS Windows HyperTerminal profile +#!:mime application/octet-stream +!:mime application/x-ms-ht +!:ext ht # https://ithreats.files.wordpress.com/2009/05/\040 # lnk_the_windows_shortcut_file_format.pdf # Summary: Windows shortcut -# Extension: .lnk # Created by: unknown +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/Windows_Shortcut +# https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-shllink/ +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/l/lnk-shortcut.trid.xml +# https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-SHLLINK/%5bMS-SHLLINK%5d.pdf +# Note: called "Windows Shortcut" by TrID, "Microsoft Windows Shortcut" by DROID via PUID x-fmt/428 and "Windows shortcut file" by ./msdos (v 1.158) +# partly verified by command like `lnkinfo AOL.lnk` # 'L' + GUUID +# HeaderSize + LinkCLSID 00021401-0000-0000-C000-000000000046 0 string \114\0\0\0\001\024\002\0\0\0\0\0\300\0\0\0\0\0\0\106 MS Windows shortcut !:mime application/x-ms-shortcut !:ext lnk +# LinkFlags +# HasLinkTargetIDList; if set a LinkTargetIDList structure MUST follow the ShellLinkHeader; If is not set, structure MUST NOT be present >20 lelong&1 1 \b, Item id list present +# HasLinkInfo; if set a LinkInfo structure MUST follow the ShellLinkHeader or LinkTargetIDList; If is not set, structure MUST NOT be present >20 lelong&2 2 \b, Points to a file or directory >20 lelong&4 4 \b, Has 
Description string >20 lelong&8 8 \b, Has Relative path >20 lelong&16 16 \b, Has Working directory >20 lelong&32 32 \b, Has command line arguments >20 lelong&64 64 \b, Icon +# IconIndex >>56 lelong x \b number=%d +# IsUnicode; If set then StringData section contains Unicode-encoded strings +>20 lelong&128 128 \b, Unicoded +# ForceNoLinkInfo; LinkInfo structure is ignored +>20 lelong&256 256 \b, NoLinkInfo +# HasExpString; with an EnvironmentVariableDataBlock +>20 lelong&512 512 \b, HasEnvironment +# look for BlockSize 314h and EnvironmentVariableDataBlock BlockSignature A0000001h +>>76 search/1972 \x14\x03\x00\x00\x01\x00\x00\xa0 +# TargetAnsi (260 bytes); NULL-terminated path to environment variable encoded with system default code page +#>>>&0 string x '%s' +# TargetUnicode (520 bytes): optional NULL-terminated path to same environment variable Unicode encoded +# like: "%windir%\system32\calc.exe" +>>>&260 lestring16 x "%s" +# RunInSeparateProcess; run in a separate virtual machine when launching a 16-bit application; no examples found +>20 lelong&1024 1024 \b, RunInSeparateProcess +# Unused1; undefined and MUST be ignored +#>20 lelong&2048 2048 \b, Unused1 +# HasDarwinID; with a DarwinDataBlock +>20 lelong&4096 4096 \b, HasDarwinID +# look for BlockSize 314h and DarwinDataBlock BlockSignature A0000006h +>>76 search/1972 \x14\x03\x00\x00\x06\x00\x00\xa0 +# DarwinDataAnsi (260 bytes); NULL-terminated application identifier encoded with system default code page; SHOULD be ignored +#>>>&0 string x '%s' +# DarwinDataUnicode (520 bytes); NULL-terminated application identifier Unicode encoded +>>>&260 lestring16 x "%s" +# RunAsUser; target application is run as a different user +>20 lelong&8192 8192 \b, RunAsUser +# HasExpIcon; with an IconEnvironmentDataBlock +>20 lelong&16384 16384 \b, HasExpIcon +# look for BlockSize 314h and IconEnvironmentDataBlock BlockSignature A0000007h +>>76 search/1972 \x14\x03\x00\x00\x07\x00\x00\xa0 +# TargetAnsi (260 bytes); 
NULL-terminated path to environment icon variable encoded with system default code page +#>>>&0 string x '%s' +# TargetUnicode (520 bytes); optional NULL-terminated path to same icon environment variable Unicode encoded +# like: "%SystemDrive%\Program Files\YaCy\addon\YaCy.ico" +>>>&260 lestring16 x "%s" +# NoPidlAlias; represented in the shell namespace; no examples found +>20 lelong&32768 32768 \b, NoPidlAlias +# Unused2; undefined and MUST be ignored +#>20 lelong&65536 65536 \b, Unused2 +# RunWithShimLayer; with a ShimDataBlock; no examples found +>20 lelong&131072 131072 \b, RunWithShimLayer +# ForceNoLinkTrack; TrackerDataBlock is ignored; no examples found +>20 lelong&262144 262144 \b, ForceNoLinkTrack +>20 lelong&262144 0 +# look for BlockSize 60h, TrackerDataBlock BlockSignature A0000003h, it length 58h and Version 0 +>>76 search/1972 \x60\x00\x00\x00\x03\x00\x00\xa0\x58\x00\x00\x00\0\0\0\0 +# MachineID (16 bytes); a NULL-terminated NetBIOS name encoded with system default code page of the machine +>>>&0 string x \b, MachineID %0.16s +# Droid (32 bytes) +# +# DroidBirth (32 bytes) +# +# EnableTargetMetadata; collect target properties and store in PropertyStoreDataBlock +>20 lelong&524288 524288 \b, EnableTargetMetadata +# look for BlockSize >= Ch, PropertyStoreDataBlock BlockSignature A0000009h +#>>76 search/1972 \x00\x00\x09\x00\x00\xa0 +# PropertyStore (variable) +# +# DisableLinkPathTracking; EnvironmentVariableDataBlock is ignored; no examples found +>20 lelong&1048576 1048576 \b, DisableLinkPathTracking +# DisableKnownFolderTracking; SpecialFolderDataBlock and KnownFolderDataBlock are ignored and not saved +>20 lelong&2097152 2097152 \b, DisableKnownFolderTracking +>20 lelong&2097152 0 +# look for BlockSize 1Ch and KnownFolderDataBlock BlockSignature A000000Bh +>>76 search/1972 \x1c\x00\x00\x00\x0B\x00\x00\xa0 +# https://learn.microsoft.com/en-us/dotnet/desktop/winforms/controls/known-folder-guids-for-file-dialog-custom-places +# KnownFolderID 
specifies the folder GUID ID +# ProgramFiles 905E63B6-C1BF-494E-B29C-65B732D3D21A +# ProgramFilesX86 7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E +>>>&0 guid x KnownFolderID %s +# DisableKnownFolderAlias; unaliased form of the known folder IDList SHOULD be used; no examples found +>20 lelong&4194304 4194304 \b, DisableKnownFolderAlias +# AllowLinkToLink; link that references another link is enabled; no examples found +>20 lelong&8388608 8388608 \b, AllowLinkToLink +# UnaliasOnSave; unaliased form of that known folder or the target IDList SHOULD be used; no examples found +>20 lelong&16777216 16777216 \b, UnaliasOnSave +# PreferEnvironmentPath; path specified in the EnvironmentVariableDataBlock SHOULD be used +>20 lelong&33554432 33554432 \b, PreferEnvironmentPath +# KeepLocalIDListForUNCTarget; UNC name SHOULD be stored in local path IDList in PropertyStoreDataBlock; no examples found +>20 lelong&67108864 67108864 \b, KeepLocalIDListForUNCTarget +# FileAttributes >24 lelong&1 1 \b, Read-Only >24 lelong&2 2 \b, Hidden >24 lelong&4 4 \b, System ->24 lelong&8 8 \b, Volume Label +# Reserved1; MUST be zero +>24 lelong&8 8 \b, Reserved1 >24 lelong&16 16 \b, Directory >24 lelong&32 32 \b, Archive ->24 lelong&64 64 \b, Encrypted +# Reserved2; MUST be zero +>24 lelong&64 64 \b, Reserved2 >24 lelong&128 128 \b, Normal >24 lelong&256 256 \b, Temporary +# no examples found >24 lelong&512 512 \b, Sparse +# no examples found >24 lelong&1024 1024 \b, Reparse point >24 lelong&2048 2048 \b, Compressed >24 lelong&4096 4096 \b, Offline ->28 leqwdate x \b, ctime=%s ->36 leqwdate x \b, mtime=%s ->44 leqwdate x \b, atime=%s +# FILE_ATTRIBUTE_NOT_CONTENT_INDEXED; contents need to be indexed +>24 lelong&8192 8192 \b, NeedIndexed +# FILE_ATTRIBUTE_ENCRYPTED; file or directory is encrypted +>24 lelong&16384 16384 \b, Encrypted +# value zero means there is no time set on the target +>28 leqwdate !0 \b, ctime=%s +# Access time of target in UTC +>36 leqwdate !0 \b, atime=%s +# write time of target in 
UTC +>44 leqwdate !0 \b, mtime=%s +# FileSize; 32 bit size of target in bytes >52 lelong x \b, length=%u, window= ->60 lelong&1 1 \bhide ->60 lelong&2 2 \bnormal ->60 lelong&4 4 \bshowminimized ->60 lelong&8 8 \bshowmaximized ->60 lelong&16 16 \bshownoactivate ->60 lelong&32 32 \bminimize ->60 lelong&64 64 \bshowminnoactive ->60 lelong&128 128 \bshowna ->60 lelong&256 256 \brestore ->60 lelong&512 512 \bshowdefault -#>20 lelong&1 0 -#>>20 lelong&2 2 -#>>>(72.l-64) pstring/h x \b [%s] -#>20 lelong&1 1 -#>>20 lelong&2 2 -#>>>(72.s) leshort x -#>>>&75 pstring/h x \b [%s] +# ShowCommand; 1~SW_SHOWNORMAL 3~SW_SHOWMAXIMIZED HerzlichMEDION.lnk 7~SW_SHOWMINNOACTIVE YaCy.lnk Privoxy.lnk; All other values like 2 MUST be treated as SW_SHOWNORMAL +#>60 lelong x ShowCommand=%#x +>60 lelong x +>>60 lelong 3 \bshowmaximized +>>60 lelong 7 \bshowminnoactive +>>60 default x \bnormal +# Hotkey +>64 uleshort >0 \b, hot key +# 41h~A 42h~B ... +>>64 ubyte x %c +# modifier keys: 0x01~HOTKEYF_SHIFT 0x02~HOTKEYF_CONTROL 0x04~HOTKEYF_ALT +>>65 ubyte&1 1 \b+SHIFT +>>65 ubyte&2 2 \b+CONTROL +>>65 ubyte&4 4 \b+ALT +# Reserved; MUST be zero +#>66 uleshort !0 \b, reserved %#x +# Reserved2; MUST be zero +#>68 ulelong !0 \b, reserved2 %#x +# Reserved3; MUST be zero +#>72 ulelong !0 \b, reserved3 %#x +# optional LINKTARGET_IDLIST if LinkFlags bit HasLinkTargetIDList is set +>20 lelong&1 1 +# IDListSize; size of IDList +>>76 uleshort x \b, IDListSize %#4.4x +# 1st item +>>78 use lnk-item +# 2nd possible item +>>(78.s+78) uleshort >0 +>>>(78.s+78) use lnk-item +# 3rd possible item +>>>&(&-2.s-2) uleshort >0 +>>>>&-2 use lnk-item +# 4th possible item +>>>>&(&-2.s-2) uleshort >0 +>>>>>&-2 use lnk-item +# Because HasLinkInfo is set, a LinkInfo structure follows +>20 lelong&2 2 +# if no LINKTARGET_IDLIST (no HasLinkTargetIDList) then direct after header; no example found +>>20 lelong&1 =0 +>>>76 use lnk-info +# if LINKTARGET_IDLIST (HasLinkTargetIDList) then after LINKTARGET_IDLIST by addtional 
IDListSize bytes +>>20 lelong&1 =1 +>>>76 uleshort >0 +#>>>>(76.s+78) use lnk-info +>>>>(76.s+78) ubelong x +# move pointer to beginnig of LinkInfo structure +>>>>>&-8 ubelong x +#>>>>>>&16 ulelong x \b, LocalBasePathOffset=%#8.8x +>>>>>>&(&16.l) string x \b, LocalBasePath "%s" +# check and then display link item (size,data) +0 name lnk-item +# size value 0x0000 means TerminalID; indicates the end of the item IDs list +>0 uleshort >0 +#>>0 uleshort x \b, ItemIDSize %#4.4x +# item Data +#>>2 ubequad x \b, Item data=%#16.16llx +#>>2 ubyte x \b, Item type=%#x +>>2 ubyte =0x1f \b, Root folder +# like: "26EE0668-A00A-44D7-9371-BEB064C98683" Control Panel +# "20D04FE0-3AEA-1069-A2D8-08002B30309D" My Computer +# "871C5380-42A0-1069-A2EA-08002B30309D" Internet Explorer +>>>4 guid x "%s" +>>2 ubyte =0x2f \b, Volume +# like: "C:\" "D:\" +>>>3 string x "%s" +# Control panel category +#>>2 ubyte foo \b, Control panel category +# display LinkInfo structure (size,flags,offsets) +0 name lnk-info +# LinkInfoSize; size of the LinkInfo structure +>0 ulelong x \b, LinkInfoSize %#x +# LinkInfoHeaderSize; if 1C no optional fields; >=24 optional fields are specified +>4 ulelong x \b, LinkInfoHeaderSize %#x +# LinkInfoFlags; +#>8 ulelong x \b, LinkInfoFlags=%#x +>8 ulelong&1 1 \b, VolumeIDAndLocalBasePath +# VolumeIDOffset; location of the VolumeID field (VolumeIDSize DriveType DriveSerialNumber VolumeLabelOffset ... 
) inside LinkInfo structure +>>12 ulelong x \b, VolumeIDOffset %#x +# LocalBasePathOffset; location of LocalBasePath field like "C:\test\a.txt" inside LinkInfo structure +>>16 ulelong x \b, LocalBasePathOffset %#x +# LocalBasePathOffsetUnicode; location of the LocalBasePathUnicode field inside LinkInfo structure +>>4 ulelong >23 +>>>28 ulelong x \b, LocalBasePathOffsetUnicode %#x +>8 ulelong&2 2 \b, CommonNetworkRelativeLinkAndPathSuffix +# CommonNetworkRelativeLinkOffset; location of the CommonNetworkRelativeLink field inside LinkInfo structure +>>20 ulelong x \b, CommonNetworkRelativeLinkOffset %#x +# CommonPathSuffixOffset; location of CommonPathSuffix field +>24 ulelong x \b, CommonPathSuffixOffset %#x +# CommonPathSuffixOffsetUnicode; location of CommonPathSuffixUnicode field inside LinkInfo structure +>4 ulelong >23 +>>32 ulelong x \b, CommonPathSuffixOffsetUnicode %#x # Summary: Outlook Personal Folders # Created by: unknown -0 lelong 0x4E444221 Microsoft Outlook email folder ->10 leshort 0x0e (<=2002) ->10 leshort 0x17 (>=2003) +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/Personal_Folder_File +# https://en.wikipedia.org/wiki/Personal_Storage_Table +# Reference: https://interoperability.blob.core.windows.net/files/MS-PST/%5bMS-PST%5d.pdf +# http://mark0.net/download/triddefs_xml.7z/defs/p/pab.trid.xml +# dwMagic !BDN +0 lelong 0x4E444221 +# skip DROID x-fmt-75-signature-id-472.pab x-fmt-248-signature-id-260.pst x-fmt-249-signature-id-261.pst +# by check for existance of bPlatformCreate value +>14 ubyte x Microsoft Outlook +#!:mime application/octet-stream +# NOT official registered ! 
+!:mime application/vnd.ms-outlook +# dwCRCPartial; 32-bit cyclic redundancy check (CRC) value of followin 471 bytes; zero for 64-bit +#>>4 ulelong !0 \b, CRC %#x +# wMagicClient; AB (4142h) is used for PAB files; SM (534Dh) is used for PST files; SO (534Fh) is used for OST files +#>>8 leshort x \b, wMagicClient=%#x +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/p/pab.trid.xml +# Note: called "Microsoft Personal Address Book" by TrID and +# "Microsoft Outlook Personal Address Book" by DROID via x-fmt/75 +>>8 leshort 0x4142 Personal Address Book +#!:mime application/x-ms-pab +!:ext pab +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/p/pst.trid.xml +# http://mark0.net/download/triddefs_xml.7z/defs/p/pst-unicode.trid.xml +# Note: called "Microsoft OutLook Personal Folder" by TrID and +# by DROID via x-fmt/248 for ANSI and via x-fmt/249 for Unicode +#>>8 leshort 0x4D53 \b, PST~ +# called "Microsoft Outlook email folder" in ./windows version 1.37 and older +>>8 leshort 0x4D53 Personal Storage +#!:mime application/x-ms-pst +!:ext pst +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/o/ost.trid.xml +# Note: called "Outlook Exchange Offline Storage" by TrID +>>8 leshort 0x4F53 Offline Storage +#!:mime application/x-ms-ost +!:ext ost +# wVer; file format version. 
14 or 15 if the file is ANSI; > 21 or 23(=17h) if Unicode; 37 for written by Outlook with WIP +>>10 uleshort x ( +# probably NO intermediate versions exist +>>10 leshort <0x10 \b<=2002, ANSI, +>>10 leshort >0x14 \b>=2003, Unicode, +>>10 uleshort x version %u) +# wVerClient; client file format version like: 19 22 +#>>12 uleshort x \b, wVerClient=%u +# bPlatformCreate; This value MUST be set to 1 but also found 2 +>>14 ubyte >1 \b, bPlatformCreate=%u +# bPlatformAccess; This value MUST be set to 1 but also found 2 +>>15 ubyte >1 \b, bPlatformAccess=%u +# dwReserved1; SHOULD ignore and NOT modify this value; SHOULD initialize to zero +>>16 ulelong !0 \b, dwReserved1=%#x +# dwReserved2; SHOULD ignore and NOT modify this value; SHOULD initialize to zero +>>20 ulelong !0 \b, dwReserved2=%#x +# ANSI 32-bit variant Outlook 1997-2002 +>>10 uleshort <16 +# bidNextB; next BlockID (ANSI 4 bytes) +#>>>24 ulelong !0 \b, bidNextB=%#x +# bidNextP; Next available back BlockID pointer +#>>>28 ulelong !0 \b, bidNextP=%#x +# dwUnique; value monotonically increased when modifying PST; so CRC is changing +>>>32 ulelong !0 \b, dwUnique=%#x +# rgnid[128]; A fixed array of 32 NodeIDs, each corresponding to one of the 32 possible NID_TYPEs +#>>>36 ubequad x \b, rgnid=%#llx... 
+# dwReserved; Implementations SHOULD ignore this value and SHOULD NOT modify it; Initialized zero +>>>164 ulelong !0 \b, dwReserved=%#x +# ibFileEof; the size of the PST file, in bytes (ANSI 4 bytes) +>>>168 ulelong x \b, %u bytes +# ibAMapLast; offset to the last AMap page +#>>>172 ulelong x \b, ibAMapLast=%#x +# bSentinel; MUST be set to 0x80 +>>>460 ubyte !0x80 \b, bSentinel=%#x +# bCryptMethod: 0~No encryption 1~encryption with permutation 2~encryption with cyclic 16~encryption with Windows Information Protection (WIP) +>>>461 ubyte >0 \b, bCryptMethod=%u +# UNICODE 64-bit variant Outlook 2003-2007 +>>10 uleshort >20 +# bidUnused; Unused 8 bytes padding (Unicode only); sometimes like: 0x0000000100000004 +>>>24 ulequad !0x0000000100000004 \b, bidUnused=%#16.16llx +# dwUnique; value monotonically increased when modifying PST; so CRC is changing +>>>40 ulelong !0 \b, dwUnique=%#x +# rgnid[] (128 bytes): A fixed array of 32 NIDs, each corresponding to one of the 32 possible +#>>>44 ubequad x \b, rgnid=%#llx... +# ibFileEof; the size of the PST file, in bytes (Unicode 8 bytes) +>>>184 ulequad x \b, %llu bytes +# bSentinel; MUST be set to 0x80 +>>>512 ubyte !0x80 \b, bSentinel=%#x +# bCryptMethod; Encryption type like: 0 1 2 16 +>>>513 ubyte >0 \b, bCryptMethod=%u +# dwCRC; 32-bit CRC of the of the previous 516 bytes +>>>524 ulelong x \b, CRC32 %#x # Summary: Windows help cache @@ -596,6 +1109,27 @@ # like: 12510866.CPX !:ext cpx # 
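Review bot: `>>>>>>&(&16.l) string x \b, LocalBasePath "%s"` in the shortcut entry prints LocalBasePath without first testing the VolumeIDAndLocalBasePath bit of LinkInfoFlags, whereas the `lnk-info` name added in the same hunk only reads VolumeIDOffset and LocalBasePathOffset under `>8 ulelong&1 1`. Per MS-SHLLINK, LocalBasePathOffset MUST be zero when that flag is clear (network-only links that carry just CommonNetworkRelativeLinkAndPathSuffix), so for such shortcuts this line would print the LinkInfoSize bytes at the start of the structure as a string. Guarding the print the same way keeps the two consistent: replace the line with `>>>>>>&8 ulelong&1 1` and `>>>>>>>&(&4.l-12) string x \b, LocalBasePath "%s"` — after `>>>>>&-8 ubelong x` the `&` base sits at the start of LinkInfo, reading the flags moves it forward by 12, hence the `-12`. The `>>>>(76.s+78)` path is only reached with HasLinkTargetIDList set; the HasLinkInfo-without-IDList branch above it already goes through `lnk-info` and needs no change.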
From: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/File_Explorer +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/s/scf-exp.trid.xml,scf-exp-old.trid.xml +# Note: called "Windows Explorer Command Shell File" by TrID and "File Explorer Command" by Windows via SHCmdFile +>>&0 regex/c \^Shell]\r\n Windows Explorer Shell Command File +#!:mime text/plain +!:mime text/x-ms-scf +# like: channels.scf desktop.scf explorer.scf "Desktop anzeigen.scf" +!:ext scf +# look for icon file directive maybe pointing to malicious file +>>>1 search/128 IconFile= \b, icon +>>>>&0 string x "%s" +# From: Joerg Jenderek +# URL: http://en.wikipedia.org/wiki/VIA_Technologies +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/s/scf-via.trid.xml +# Note: called "VIA setup configuration file" by TrID +>>&0 regex/c \^SCF]\r\n VIA setup configuration +#!:mime text/plain +!:mime text/x-via-scf +# like: SETUP.SCF +!:ext scf +# From: Joerg Jenderek # URL: https://en.wikipedia.org/wiki/InstallShield # Reference: http://mark0.net/download/triddefs_xml.7z/defs/l/lid-is.trid.xml # Note: contain also 3 keywords like: count Default key0 @@ -614,6 +1148,23 @@ !:mime text/x-ms-tag # like: DATA.TAG !:ext tag +# URL: https://en.wikipedia.org/wiki/Flatpak +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/f/flatpakref.trid.xml +# Note: called "Flatpack Reference" by TrID +>>&0 string Flatpak\ Ref] Flatpak repository reference +#!:mime text/plain +# https://reposcope.com/mimetype/application/vnd.flatpak.ref +!:mime application/vnd.flatpak.ref +!:ext flatpakref +# 
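Review bot: `>>&0 regex/c \^Shell]\r\n Windows Explorer Shell Command File` accepts only a CRLF after `[Shell]`, so an SCF whose lines end in bare LF is not recognised and falls through to the generic INI branches below (`>>&0 default x`). If Explorer honours such files as well — not verified here — a shortcut-style file written with LF endings would be reported as a plain INI and the `IconFile=` value that this entry deliberately surfaces would not be shown. Accepting either ending, `>>&0 regex/c \^Shell]\r?\n Windows Explorer Shell Command File`, closes that gap; the same applies to the `\^SCF]\r\n` pattern for the VIA variant. These `>>&0` lines hang off a parent match on the opening bracket whose definition is outside this hunk.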
From: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/CloneCD +# Reference: https://en.wikipedia.org/wiki/CloneCD_Control_File +# http://mark0.net/download/triddefs_xml.7z/defs/c/cdimage-clonecd-cue.trid.xml +# Note: called "CloneCD CDImage (description)" by TrID and "CloneCD Control File" by DROID via PUID fmt/1760 +>>&0 string CloneCD] CloneCD CD-image Description +#!:mime text/plain +!:mime text/x-ccd +!:ext ccd # unknown keyword after opening bracket >>&0 default x #>>>&0 string/c x UNKNOWN [%s @@ -623,6 +1174,12 @@ >>>>&0 string/c version Windows setup INFormation !:mime application/x-setupscript !:ext inf +# From: Joerg Jenderek +# URL: https://cdrtfe.sourceforge.io/ +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/c/cfp-cdrtfe.trid.xml +>>>>&0 string FileExplorer] cdrtfe Project +!:mime text/x-cfp +!:ext cfp # https://en.wikipedia.org/wiki/Initialization_file Windows Initialization File or other >>>>&0 default x >>>>>&0 ubyte x @@ -634,6 +1191,10 @@ !:mime application/x-wine-extension-ini #!:mime text/plain !:ext ini/inf +# samples with only 1 and unknown section name +# XXX: matches a file containing '[1] 2' +#>>>&0 default x Generic INItialization configuration +#>>>>0 string x \b, 1st line "%s" # UTF-16 BOM 0 ubeshort =0xFFFE # look for phrase of Windows policy ADMinistrative template (UTF-16 by adm-uni.trid.xml) 
@@ -715,21 +1276,24 @@ >>>2 uleshort <3 # look for colon in WinDirPath after PNF header #>>>>0x59 search/18 : ->>>>0 use PreCompiledInf +# skip few Adobe Photoshop Color swatch ("Mac OS.aco" TRUMATCH-Farben.aco Windows.aco) and some +# Targa image (money-256.tga XING_B_UCM8.tga x-fmt-367-signature-id-604.tga) with "invalid low section name" \0 +>>>>(20.l) ubelong >0x40004000 +>>>>>0 use PreCompiledInf 0 name PreCompiledInf >0 uleshort x Windows Precompiled iNF !:mime application/x-pnf !:ext pnf # major version 1 for older Windows like XP and 3 since about Windows Vista -# 101h~98-XP; 301h~Windows Vista-7 ; 302h~Windows 10 14393; 303h~Windows 10 18362 +# 101h~95-XP; 301h~Windows Vista-7 ; 302h~Windows 10 14393; 303h~Windows 10 18362-Windows11 >1 ubyte x \b, version %u >0 ubyte x \b.%u >0 uleshort =0x0101 (Windows ->>4 ulelong&0x00000001 !0x00000001 98) +>>4 ulelong&0x00000001 !0x00000001 95-98) >>4 ulelong&0x00000001 =0x00000001 XP) >0 uleshort =0x0301 (Windows Vista-8.1) >0 uleshort =0x0302 (Windows 10 older) ->0 uleshort =0x0303 (Windows 10) +>0 uleshort =0x0303 (Windows 10-11) # 1 ,2 (windows 98 SE) >2 uleshort !2 \b, InfStyle %u # PNF_FLAG_IS_UNICODE 0x00000001 @@ -771,7 +1335,7 @@ >>(20.l) string x "%s" # FILETIME is number of 100-nanosecond intervals since 1 January 1601 #>24 ulequad x \b, InfVersionLastWriteTime %16.16llx -#>24 foodate-0xbar x \b, InfVersionLastWriteTime %s +>24 qwdate x \b, InfVersionLastWriteTime %s # for Windows 98, XP >0 uleshort <0x0102 # only found values lower 0x00ffFFff @@ -809,6 +1373,7 @@ >>>>>(72.l) string x OsLoaderPath "%s" # 1fdh #>>>76 uleshort x \b, StringTableHashBucketCount %#x +# https://docs.microsoft.com/en-us/openspecs/office_standards/ms-oe376/6c085406-a698-4e12-9d4d-c3b0ee3dbc4a # only 407h found >>>78 uleshort !0x409 \b, LanguageID %x #>>>78 uleshort =0x409 \b, LanguageID %x 
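Review bot: The new `>>>>(20.l) ubelong >0x40004000` guard is broader than its comment says: it reads the first four bytes of the low section name as a big-endian long and requires them to exceed 0x40004000, which rejects not only the `\0` names of the listed .aco/.tga samples but any PNF whose first section name begins with a character below '@' (a digit or most punctuation), in both the UTF-16 and the ANSI layouts selected by the PNF_FLAG_IS_UNICODE bit commented further down. If the intent is only to drop the empty-name false positives, `>>>>(20.l) ubyte !0` (with the `>>>>>0 use PreCompiledInf` line unchanged) expresses that directly without the false negative; if the wider cut is deliberate, the comment should state the accepted leading-character range so the dropped files are documented rather than surprising. The `0 name PreCompiledInf` body started here continues past the end of the hunk.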
@@ -1186,7 +1751,7 @@ # 5000010021083f00 50000100b0335600 50000100cbfdf800 50000100dfbc4700 #>4 ubequad x \b, at 4 %#16.16llx # copyright text like: "Stirling Technologies, Inc. (c) 1990-1994" -# "InstallSHIELD Software Coporation (c) 1990-1997" +# "InstallSHIELD Software Corporation (c) 1990-1997" >13 pstring/h x "%s" # look for specific ASCII variable names >1 search/0x121/s SRCDIR \b, variable names: @@ -1214,3 +1779,44 @@ # ... LOGHANDLE >0 ubelong x ... # + +# Summary: Microsoft Remote Desktop Protocol connection +# From: Joerg Jenderek +# URL: https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/rdp-files +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/r/rdp.trid.xml +# Note: called "Remote Desktop Connection Settings" by TrID +0 string screen\040mode\040id:i: Remote Desktop Protocol connection +#!:mime text/plain +!:mime text/x-ms-rdp +!:ext rdp +# Screen mode: 1~session appear in a window 2~session appear full screen +>17 string 1 \b, window mode +>17 string 2 \b, full screen mode + +0 guid 7B5C52E4-D88C-4DA7-AEB1-5378D02996D3 Microsoft OneNote +!:ext one +!:mime application/onenote +0 guid 43FF2FA1-EFD9-4C76-9EE2-10EA5722765F Microsoft OneNote Revision Store File + +# Microsoft XAML Binary Format +# From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://github.com/WalkingCat/XbfDump/blob/8832d2ffcaa738434d803fefa2ba99d3af37ed29/xbf_data.h +0 string XBF\0 +>12 ulelong <0xFF +>>16 ulelong <0xFF Microsoft XAML Binary Format +!:ext xbf +>>>12 ulelong x %d +>>>16 ulelong x \b.%d +>>>4 ulelong x \b, metadata size: %d bytes +>>>8 ulelong x \b, node size: %d bytes + +# Metaswitch MetaView Service Assurance Server exports +0 string MetaView\x20Service\x20Assurance\x20Export\x20File MetaView SAS export +>39 string Version\x20 +>>47 byte x \b, version %c + +# Active Directory Group Policy Registry Policy File Format +# 
From: Yuuta Liang <yuuta@yuuta.moe> +# URL: https://learn.microsoft.com/en-us/previous-versions/windows/desktop/policy/registry-policy-file-format +0 string PReg +>4 lelong x Group Policy Registry Policy, Version=%d |
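Review bot: The `0 string screen\040mode\040id:i:` anchor only recognises ASCII .rdp files whose very first line is that key; the Windows client (mstsc.exe) saves .rdp files as UTF-16LE with a BOM as far as I recall — confirm with a saved sample — and those would not be identified at all, even though this file already has a `0 ubeshort =0xFFFE` UTF-16 BOM branch (used for the .adm template check above) where a UTF-16 form of the same key could be tested. Since .rdp attachments are a recurring phishing lure, covering the form the Windows client actually writes matters more than the ASCII variant. In the same hunk, `0 string PReg` is a four-byte ASCII match with no secondary confirmation and no extension; if, as the referenced Microsoft page indicates, the only defined version is 1, `>4 lelong =1 Group Policy Registry Policy, Version=%d` plus `!:ext pol` would tighten it and name the Registry.pol artifact that GPO-abuse investigations look for. The second OneNote GUID entry also lacks the `!:ext`/`!:mime` lines its sibling has; if it is the table-of-contents header that MS-ONESTORE describes (verify), `!:ext onetoc2` belongs there.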