diff options
Diffstat (limited to 'magic/Magdir/coff')
| -rw-r--r-- | magic/Magdir/coff | 78 |
1 files changed, 47 insertions, 31 deletions
diff --git a/magic/Magdir/coff b/magic/Magdir/coff index 31b47e7aff42..535187c2ce9e 100644 --- a/magic/Magdir/coff +++ b/magic/Magdir/coff @@ -1,11 +1,11 @@ #------------------------------------------------------------------------------ -# $File: coff,v 1.3 2018/08/01 10:34:03 christos Exp $ +# $File: coff,v 1.6 2021/04/26 15:56:00 christos Exp $ # coff: file(1) magic for Common Object Files not specific to known cpu types or manufactures # # COFF # -# by Joerg Jenderek at Oct 2015 +# by Joerg Jenderek at Oct 2015, Feb 2021 # https://en.wikipedia.org/wiki/COFF # https://de.wikipedia.org/wiki/Common_Object_File_Format # http://www.delorie.com/djgpp/doc/coff/filhdr.html @@ -16,62 +16,78 @@ 0 name display-coff # test for unused flag bits (0x8000,0x0800,0x0400,0x0200,x0080) in f_flags >18 uleshort&0x8E80 0 ->>0 clear x +# skip DOCTOR.DAILY READER.NDA REDBOX.ROOT by looking for positive number of sections +>>2 uleshort >0 +# skip ega80woa.fnt svgafix.fnt HP3FNTS1.DAT HP3FNTS2.DAT INTRO.ACT LEARN.PIF by looking for low number of sections +>>>2 uleshort <4207 +>>>>0 clear x # f_magic - magic number # DJGPP, 80386 COFF executable, MS Windows COFF Intel 80386 object file (./intel) ->>0 uleshort 0x014C Intel 80386 +>>>>0 uleshort 0x014C Intel 80386 # Hitachi SH big-endian COFF (./hitachi-sh) ->>0 uleshort 0x0500 Hitachi SH big-endian +>>>>0 uleshort 0x0500 Hitachi SH big-endian # Hitachi SH little-endian COFF (./hitachi-sh) ->>0 uleshort 0x0550 Hitachi SH little-endian +>>>>0 uleshort 0x0550 Hitachi SH little-endian # executable (RISC System/6000 V3.1) or obj module (./ibm6000) -#>>0 uleshort 0x01DF +#>>>>0 uleshort 0x01DF # MS Windows COFF Intel Itanium, AMD64 # https://msdn.microsoft.com/en-us/library/windows/desktop/ms680313(v=vs.85).aspx ->>0 uleshort 0x0200 Intel ia64 ->>0 uleshort 0x8664 Intel amd64 +>>>>0 uleshort 0x0200 Intel ia64 +>>>>0 uleshort 0x8664 Intel amd64 +# ARM COFF (./arm) +>>>>0 uleshort 0xaa64 Aarch64 +>>>>0 uleshort 0x01c0 ARM +>>>>0 uleshort 0x01c2 ARM Thumb +>>>>0 uleshort 0x01c4 ARMv7 Thumb # TODO for other COFFs -#>>0 uleshort 0xABCD COFF_TEMPLATE ->>0 default x ->>>0 uleshort x type 0x%04x ->>0 uleshort x COFF +#>>>>0 uleshort 0xABCD COFF_TEMPLATE +>>>>0 default x +>>>>>0 uleshort x type %#04x +>>>>0 uleshort x COFF # F_EXEC flag bit ->>18 leshort ^0x0002 object file -#!:mime application/x-coff -#!:ext cof/o/obj/lib ->>18 leshort &0x0002 executable +>>>>18 leshort ^0x0002 object file +!:mime application/x-coff +!:ext o/obj/lib +# no cof sample found +#!:ext cof/o/obj/lib +>>>>18 leshort &0x0002 executable #!:mime application/x-coffexec # F_RELFLG flag bit,static object ->>18 leshort &0x0001 \b, no relocation info +>>>>18 leshort &0x0001 \b, no relocation info # F_LNNO flag bit ->>18 leshort &0x0004 \b, no line number info +>>>>18 leshort &0x0004 \b, no line number info # F_LSYMS flag bit ->>18 leshort &0x0008 \b, stripped ->>18 leshort ^0x0008 \b, not stripped +>>>>18 leshort &0x0008 \b, stripped +>>>>18 leshort ^0x0008 \b, not stripped # flags in other COFF versions #0x0010 F_FDPR_PROF #0x0020 F_FDPR_OPTI #0x0040 F_DSA # F_AR32WR flag bit -#>>>18 leshort &0x0100 \b, 32 bit little endian +#>>>>18 leshort &0x0100 \b, 32 bit little endian #0x1000 F_DYNLOAD #0x2000 F_SHROBJ #0x4000 F_LOADONLY -# f_nscns - number of sections ->>2 uleshort <2 \b, %d section ->>2 uleshort >1 \b, %d sections -# f_timdat - file time & date stamp only for little endian -#>>4 date x \b, %s +# f_nscns - number of sections like: 1 2 3 4 5 7 8 9 11 12 15 16 19 20 21 22 26 30 36 40 42 56 80 89 96 124 +>>>>2 uleshort <2 \b, %u section +>>>>2 uleshort >1 \b, %u sections # f_symptr - symbol table pointer, only for not stripped ->>8 ulelong >0 \b, symbol offset=0x%x +# like: 0 0x7c 0xf4 0x104 0x182 0x1c2 0x1c6 0x468 0x948 0x416e 0x149a6 0x1c9d8 0x23a68 0x35120 0x7afa0 +>>>>8 ulelong >0 \b, symbol offset=%#x # f_nsyms - number of symbols, only for not stripped ->>12 ulelong >0 \b, %d symbols -# f_opthdr - optional header size ->>16 uleshort >0 \b, optional header size %d +# like: 0 2 7 9 10 11 20 35 41 63 71 80 105 146 153 158 170 208 294 572 831 1546 +>>>>12 ulelong >0 \b, %d symbols +# f_opthdr - optional header size. An object file should have a value of 0 +>>>>16 uleshort >0 \b, optional header size %u +# f_timdat - file time & date stamp only for little endian +>>>>4 ledate >0 \b, created %s # at offset 20 can be optional header, extra bytes FILHSZ-20 because # do not rely on sizeof(FILHDR) to give the correct size for header. # or first section header # additional variables for other COFF files +>>>>16 uleshort =0 +# first section name s_name[8] like: .text .data .debug$S .drectve .testseg +>>>>>20 string x \b, 1st section name "%.8s" # >20 beshort 0407 (impure) # >20 beshort 0410 (pure) # >20 beshort 0413 (demand paged) |