head 1.4; access; symbols netbsd-11-0-RC4:1.4 netbsd-11-0-RC3:1.4 netbsd-11-0-RC2:1.4 netbsd-11-0-RC1:1.4 perseant-exfatfs-base-20250801:1.4 netbsd-11:1.4.0.4 netbsd-11-base:1.4 netbsd-10-1-RELEASE:1.3 perseant-exfatfs-base-20240630:1.4 perseant-exfatfs:1.4.0.2 perseant-exfatfs-base:1.4 netbsd-8-3-RELEASE:1.1.1.11 netbsd-9-4-RELEASE:1.1.1.13 netbsd-10-0-RELEASE:1.3 netbsd-10-0-RC6:1.3 netbsd-10-0-RC5:1.3 netbsd-10-0-RC4:1.3 netbsd-10-0-RC3:1.3 netbsd-10-0-RC2:1.3 netbsd-10-0-RC1:1.3 FILE5_45:1.1.1.18 netbsd-10:1.3.0.2 netbsd-10-base:1.3 FILE5_43:1.1.1.17 netbsd-9-3-RELEASE:1.1.1.13 cjep_sun2x-base1:1.2 cjep_sun2x:1.2.0.4 cjep_sun2x-base:1.2 cjep_staticlib_x-base1:1.2 netbsd-9-2-RELEASE:1.1.1.13 cjep_staticlib_x:1.2.0.2 cjep_staticlib_x-base:1.2 FILE5_40:1.1.1.16 netbsd-9-1-RELEASE:1.1.1.13 FILE5_39:1.1.1.15 phil-wifi-20200421:1.1.1.14 phil-wifi-20200411:1.1.1.14 is-mlppp:1.1.1.14.0.2 is-mlppp-base:1.1.1.14 phil-wifi-20200406:1.1.1.14 netbsd-8-2-RELEASE:1.1.1.11 netbsd-9-0-RELEASE:1.1.1.13 netbsd-9-0-RC2:1.1.1.13 FILE5_38:1.1.1.14 netbsd-9-0-RC1:1.1.1.13 phil-wifi-20191119:1.1.1.13 netbsd-9:1.1.1.13.0.2 netbsd-9-base:1.1.1.13 phil-wifi-20190609:1.1.1.13 netbsd-8-1-RELEASE:1.1.1.11 FILE5_37:1.1.1.13 netbsd-8-1-RC1:1.1.1.11 pgoyette-compat-merge-20190127:1.1.1.11.8.1 pgoyette-compat-20190127:1.1.1.12 pgoyette-compat-20190118:1.1.1.12 pgoyette-compat-1226:1.1.1.12 pgoyette-compat-1126:1.1.1.12 pgoyette-compat-1020:1.1.1.12 FILE5_35:1.1.1.12 pgoyette-compat-0930:1.1.1.11 pgoyette-compat-0906:1.1.1.11 netbsd-7-2-RELEASE:1.1.1.7 pgoyette-compat-0728:1.1.1.11 netbsd-8-0-RELEASE:1.1.1.11 phil-wifi:1.1.1.11.0.10 phil-wifi-base:1.1.1.11 pgoyette-compat-0625:1.1.1.11 netbsd-8-0-RC2:1.1.1.11 pgoyette-compat-0521:1.1.1.11 pgoyette-compat-0502:1.1.1.11 pgoyette-compat-0422:1.1.1.11 netbsd-8-0-RC1:1.1.1.11 FILE5_33:1.1.1.11 pgoyette-compat-0415:1.1.1.11 pgoyette-compat-0407:1.1.1.11 pgoyette-compat-0330:1.1.1.11 pgoyette-compat-0322:1.1.1.11 pgoyette-compat-0315:1.1.1.11 netbsd-7-1-2-RELEASE:1.1.1.7 pgoyette-compat:1.1.1.11.0.8 pgoyette-compat-base:1.1.1.11 netbsd-7-1-1-RELEASE:1.1.1.7 matt-nb8-mediatek:1.1.1.11.0.6 matt-nb8-mediatek-base:1.1.1.11 FILE5_32:1.1.1.11 perseant-stdc-iso10646:1.1.1.11.0.4 perseant-stdc-iso10646-base:1.1.1.11 netbsd-8:1.1.1.11.0.2 netbsd-8-base:1.1.1.11 FILE5_31:1.1.1.11 prg-localcount2-base3:1.1.1.10 prg-localcount2-base2:1.1.1.10 prg-localcount2-base1:1.1.1.10 prg-localcount2:1.1.1.10.0.2 prg-localcount2-base:1.1.1.10 pgoyette-localcount-20170426:1.1.1.10 bouyer-socketcan-base1:1.1.1.10 pgoyette-localcount-20170320:1.1.1.10 netbsd-7-1:1.1.1.7.0.8 netbsd-7-1-RELEASE:1.1.1.7 netbsd-7-1-RC2:1.1.1.7 FILE5_30:1.1.1.10 netbsd-7-nhusb-base-20170116:1.1.1.7 bouyer-socketcan:1.1.1.9.0.4 bouyer-socketcan-base:1.1.1.9 pgoyette-localcount-20170107:1.1.1.9 netbsd-7-1-RC1:1.1.1.7 pgoyette-localcount-20161104:1.1.1.9 netbsd-7-0-2-RELEASE:1.1.1.7 localcount-20160914:1.1.1.9 netbsd-7-nhusb:1.1.1.7.0.6 netbsd-7-nhusb-base:1.1.1.7 pgoyette-localcount-20160806:1.1.1.9 pgoyette-localcount-20160726:1.1.1.9 pgoyette-localcount:1.1.1.9.0.2 pgoyette-localcount-base:1.1.1.9 netbsd-7-0-1-RELEASE:1.1.1.7 netbsd-7-0:1.1.1.7.0.4 netbsd-7-0-RELEASE:1.1.1.7 netbsd-7-0-RC3:1.1.1.7 netbsd-7-0-RC2:1.1.1.7 netbsd-7-0-RC1:1.1.1.7 FILE5_22:1.1.1.9 FILE5_20:1.1.1.8 netbsd-6-0-6-RELEASE:1.1.1.2.6.1 netbsd-6-1-5-RELEASE:1.1.1.2.6.1 netbsd-7:1.1.1.7.0.2 netbsd-7-base:1.1.1.7 FILE5_19:1.1.1.7 yamt-pagecache-base9:1.1.1.6 yamt-pagecache-tag8:1.1.1.2.4.2 netbsd-6-1-4-RELEASE:1.1.1.2.6.1 netbsd-6-0-5-RELEASE:1.1.1.2.6.1 tls-earlyentropy:1.1.1.6.0.2 tls-earlyentropy-base:1.1.1.7 riastradh-xf86-video-intel-2-7-1-pre-2-21-15:1.1.1.6 riastradh-drm2-base3:1.1.1.6 netbsd-6-1-3-RELEASE:1.1.1.2.6.1 netbsd-6-0-4-RELEASE:1.1.1.2.6.1 FILE5_16:1.1.1.6 netbsd-6-1-2-RELEASE:1.1.1.2.6.1 netbsd-6-0-3-RELEASE:1.1.1.2.6.1 netbsd-6-1-1-RELEASE:1.1.1.2.6.1 riastradh-drm2-base2:1.1.1.5 riastradh-drm2-base1:1.1.1.5 riastradh-drm2:1.1.1.5.0.6 riastradh-drm2-base:1.1.1.5 netbsd-6-1:1.1.1.2.6.1.0.6 netbsd-6-0-2-RELEASE:1.1.1.2.6.1 netbsd-6-1-RELEASE:1.1.1.2.6.1 khorben-n900:1.1.1.5.0.4 netbsd-6-1-RC4:1.1.1.2.6.1 netbsd-6-1-RC3:1.1.1.2.6.1 agc-symver:1.1.1.5.0.2 agc-symver-base:1.1.1.5 FILE5_14:1.1.1.5 netbsd-6-1-RC2:1.1.1.2.6.1 netbsd-6-1-RC1:1.1.1.2.6.1 yamt-pagecache-base8:1.1.1.4 FILE_5_12:1.1.1.4 netbsd-6-0-1-RELEASE:1.1.1.2.6.1 yamt-pagecache-base7:1.1.1.3 matt-nb6-plus-nbase:1.1.1.2.6.1 yamt-pagecache-base6:1.1.1.3 netbsd-6-0:1.1.1.2.6.1.0.4 netbsd-6-0-RELEASE:1.1.1.2.6.1 netbsd-6-0-RC2:1.1.1.2.6.1 tls-maxphys:1.1.1.3.0.2 tls-maxphys-base:1.1.1.7 matt-nb6-plus:1.1.1.2.6.1.0.2 matt-nb6-plus-base:1.1.1.2.6.1 netbsd-6-0-RC1:1.1.1.2.6.1 yamt-pagecache-base5:1.1.1.3 yamt-pagecache-base4:1.1.1.3 FILE5_11:1.1.1.3 netbsd-6:1.1.1.2.0.6 netbsd-6-base:1.1.1.2 yamt-pagecache-base3:1.1.1.2 yamt-pagecache-base2:1.1.1.2 yamt-pagecache:1.1.1.2.0.4 yamt-pagecache-base:1.1.1.2 FILE5_09:1.1.1.2 cherry-xenmp:1.1.1.2.0.2 cherry-xenmp-base:1.1.1.2 FILE5_07:1.1.1.2 bouyer-quota2-nbase:1.1.1.1 bouyer-quota2:1.1.1.1.0.4 bouyer-quota2-base:1.1.1.1 matt-mips64-premerge-20101231:1.1.1.1 matt-premerge-20091211:1.1.1.1 jym-xensuspend-base:1.1.1.1 jym-xensuspend:1.1.1.1.0.2 jym-xensuspend-nbase:1.1.1.1 FILE5_03:1.1.1.1 CHRISTOS:1.1.1; locks; strict; comment @# @; 1.4 date 2023.08.18.19.00.10; author christos; state Exp; branches; next 1.3; commitid MBLVQLzqzmQ7IiBE; 1.3 date 2022.09.24.20.21.46; author christos; state Exp; branches; next 1.2; commitid zJ5LoIcubBSIH9VD; 1.2 date 2021.04.09.19.11.41; author christos; state Exp; branches; next 1.1; commitid hKe2GL3vw8SVrEOC; 1.1 date 2009.05.08.16.35.09; author christos; state Exp; branches 1.1.1.1; next ; 1.1.1.1 date 2009.05.08.16.35.09; author christos; state Exp; branches 1.1.1.1.2.1; next 1.1.1.2; 1.1.1.2 date 2011.05.12.20.47.02; author christos; state Exp; branches 1.1.1.2.4.1 1.1.1.2.6.1; next 1.1.1.3; 1.1.1.3 date 2012.02.22.17.48.35; author christos; state Exp; branches 1.1.1.3.2.1; next 1.1.1.4; 1.1.1.4 date 2013.01.03.16.27.54; author christos; state Exp; branches; next 1.1.1.5; 1.1.1.5 date 2013.03.23.15.49.18; author christos; state Exp; branches; next 1.1.1.6; 1.1.1.6 date 2013.12.01.19.28.19; author christos; state Exp; branches 1.1.1.6.2.1; next 1.1.1.7; commitid RVQIxe3FpM3lSsfx; 1.1.1.7 date 2014.06.13.01.48.25; author christos; state Exp; branches; next 1.1.1.8; commitid jtTYsE5FmJU6MiEx; 1.1.1.8 date 2014.10.10.20.08.22; author christos; state Exp; branches; next 1.1.1.9; commitid pfOzhE33qnut2HTx; 1.1.1.9 date 2015.01.02.20.34.28; author christos; state Exp; branches 1.1.1.9.2.1 1.1.1.9.4.1; next 1.1.1.10; commitid VjK78yRsQNs8uu4y; 1.1.1.10 date 2017.02.10.17.42.58; author christos; state Exp; branches; next 1.1.1.11; commitid HAP3kn9Hn6ovMqFz; 1.1.1.11 date 2017.05.24.23.59.57; author christos; state Exp; branches 1.1.1.11.8.1 1.1.1.11.10.1; next 1.1.1.12; commitid WbyOU2LBE5qOyHSz; 1.1.1.12 date 2018.10.18.23.54.09; author christos; state Exp; branches; next 1.1.1.13; commitid e8WctwerBeEm4vWA; 1.1.1.13 date 2019.05.22.17.19.57; author christos; state Exp; branches; next 1.1.1.14; commitid VXeNRYYruN1MWdoB; 1.1.1.14 date 2019.12.17.02.23.53; author christos; state Exp; branches; next 1.1.1.15; commitid vqYTz60fS9PNg0PB; 1.1.1.15 date 2020.06.15.00.18.48; author christos; state Exp; branches; next 1.1.1.16; commitid HMbuXSjPojU5LfcC; 1.1.1.16 date 2021.04.09.18.58.02; author christos; state Exp; branches; next 1.1.1.17; commitid W9ddLLbSkHHinEOC; 1.1.1.17 date 2022.09.24.20.07.54; author christos; state Exp; branches; next 1.1.1.18; commitid Nf6F9kcpc0EPC9VD; 1.1.1.18 date 2023.08.18.18.36.50; author christos; state Exp; branches; next ; commitid IX26ghc1E2S0AiBE; 1.1.1.1.2.1 date 2009.05.08.16.35.09; author jym; state dead; branches; next 1.1.1.1.2.2; 1.1.1.1.2.2 date 2009.05.13.18.51.57; author jym; state Exp; branches; next ; 1.1.1.2.4.1 date 2012.04.17.00.03.08; author yamt; state Exp; branches; next 1.1.1.2.4.2; 1.1.1.2.4.2 date 2013.01.23.00.04.35; author yamt; state Exp; branches; next 1.1.1.2.4.3; 1.1.1.2.4.3 date 2014.05.22.15.44.59; author yamt; state Exp; branches; next ; commitid tYJXbWAuFvTh7yBx; 1.1.1.2.6.1 date 2012.03.07.23.18.26; author riz; state Exp; branches; next ; 1.1.1.3.2.1 date 2013.02.25.00.26.06; author tls; state Exp; branches; next 1.1.1.3.2.2; 1.1.1.3.2.2 date 2013.06.23.06.26.32; author tls; state Exp; branches; next 1.1.1.3.2.3; commitid OnlO1cBgtQRcIHUw; 1.1.1.3.2.3 date 2014.08.19.23.46.47; author tls; state Exp; branches; next ; commitid jTnpym9Qu0o4R1Nx; 1.1.1.6.2.1 date 2014.08.10.07.07.10; author tls; state Exp; branches; next ; commitid b1wUlsZGswrdGMLx; 1.1.1.9.2.1 date 2017.03.20.06.52.19; author pgoyette; state Exp; branches; next ; commitid jjw7cAwgyKq7RfKz; 1.1.1.9.4.1 date 2017.04.21.16.51.24; author bouyer; state Exp; branches; next ; commitid dUG7nkTKALCadqOz; 1.1.1.11.8.1 date 2018.10.20.06.58.20; author pgoyette; state Exp; branches; next ; commitid mTSoqZEZ4arHnFWA; 1.1.1.11.10.1 date 2019.06.10.21.44.46; author christos; state Exp; branches; next 1.1.1.11.10.2; commitid jtc8rnCzWiEEHGqB; 1.1.1.11.10.2 date 2020.04.08.14.04.04; author martin; state Exp; branches; next ; commitid Qli2aW9E74UFuA3C; desc @@ 1.4 log @merge conflicts between file-5.43 and file-5.45 @ text @ #------------------------------------------------------------------------------ # $File: linux,v 1.85 2023/07/17 14:40:09 christos Exp $ # linux: file(1) magic for Linux files # # Values for Linux/i386 binaries, from Daniel Quinlan # The following basic Linux magic is useful for reference, but using # "long" magic is a better practice in order to avoid collisions. # # 2 leshort 100 Linux/i386 # >0 leshort 0407 impure executable (OMAGIC) # >0 leshort 0410 pure executable (NMAGIC) # >0 leshort 0413 demand-paged executable (ZMAGIC) # >0 leshort 0314 demand-paged executable (QMAGIC) # 0 lelong 0x00640107 Linux/i386 impure executable (OMAGIC) >16 lelong 0 \b, stripped 0 lelong 0x00640108 Linux/i386 pure executable (NMAGIC) >16 lelong 0 \b, stripped 0 lelong 0x0064010b Linux/i386 demand-paged executable (ZMAGIC) >16 lelong 0 \b, stripped 0 lelong 0x006400cc Linux/i386 demand-paged executable (QMAGIC) >16 lelong 0 \b, stripped # 0 string \007\001\000 Linux/i386 object file >20 lelong >0x1020 \b, DLL library # Linux-8086 stuff: 0 string \01\03\020\04 Linux-8086 impure executable >28 long !0 not stripped 0 string \01\03\040\04 Linux-8086 executable >28 long !0 not stripped # 0 string \243\206\001\0 Linux-8086 object file # 0 string \01\03\020\20 Minix-386 impure executable >28 long !0 not stripped 0 string \01\03\040\20 Minix-386 executable >28 long !0 not stripped 0 string \01\03\04\20 Minix-386 NSYM/GNU executable >28 long !0 not stripped # core dump file, from Bill Reynolds 216 lelong 0421 Linux/i386 core file !:strength / 2 >220 string >\0 of '%s' >200 lelong >0 (signal %d) # # LILO boot/chain loaders, from Daniel Quinlan # this can be overridden by the DOS executable (COM) entry 2 string LILO Linux/i386 LILO boot/chain loader # # Linux make config build file, from Ole Aamot # Updated by Ken Sharp 28 string make\ config Linux make config build file (old) 49 search/70 Kernel\ Configuration Linux make config build file # # PSF fonts, from H. Peter Anvin # Updated by Adam Buchbinder # See: https://www.win.tue.nl/~aeb/linux/kbd/font-formats-1.html 0 leshort 0x0436 Linux/i386 PC Screen Font v1 data, >2 byte&0x01 0 256 characters, >2 byte&0x01 !0 512 characters, >2 byte&0x02 0 no directory, >2 byte&0x02 !0 Unicode directory, >3 byte >0 8x%d 0 string \x72\xb5\x4a\x86\x00\x00 Linux/i386 PC Screen Font v2 data, >16 lelong x %d characters, >12 lelong&0x01 0 no directory, >12 lelong&0x01 !0 Unicode directory, >28 lelong x %d >24 lelong x \bx%d # Linux swap and hibernate files # Linux kernel: include/linux/swap.h # util-linux: libblkid/src/superblocks/swap.c # format v0, unsupported since 2002 0xff6 string SWAP-SPACE Linux old swap file, 4k page size 0x1ff6 string SWAP-SPACE Linux old swap file, 8k page size 0x3ff6 string SWAP-SPACE Linux old swap file, 16k page size 0x7ff6 string SWAP-SPACE Linux old swap file, 32k page size 0xfff6 string SWAP-SPACE Linux old swap file, 64k page size # format v1, supported since 1998 0 name linux-swap >0x400 lelong 1 little endian, version %u, >>0x404 lelong x size %u pages, >>0x408 lelong x %u bad pages, >0x400 belong 1 big endian, version %u, >>0x404 belong x size %u pages, >>0x408 belong x %u bad pages, >0x41c string \0 no label, >0x41c string >\0 LABEL=%s, >0x40c ubelong x UUID=%08x >0x410 ubeshort x \b-%04x >0x412 ubeshort x \b-%04x >0x414 ubeshort x \b-%04x >0x416 ubelong x \b-%08x >0x41a ubeshort x \b%04x 0xff6 string SWAPSPACE2 Linux swap file, 4k page size, >0 use linux-swap 0x1ff6 string SWAPSPACE2 Linux swap file, 8k page size, >0 use linux-swap 0x3ff6 string SWAPSPACE2 Linux swap file, 16k page size, >0 use linux-swap 0x7ff6 string SWAPSPACE2 Linux swap file, 32k page size, >0 use linux-swap 0xfff6 string SWAPSPACE2 Linux swap file, 64k page size, >0 use linux-swap 0 name linux-hibernate >0 string S1SUSPEND \b, with SWSUSP1 image >0 string S2SUSPEND \b, with SWSUSP2 image >0 string ULSUSPEND \b, with uswsusp image >0 string LINHIB0001 \b, with compressed hibernate image >0 string \xed\xc3\x02\xe9\x98\x56\xe5\x0c \b, with tuxonice image >0 default x \b, with unknown hibernate image 0xfec string SWAPSPACE2 Linux swap file, 4k page size, >0 use linux-swap >0xff6 use linux-hibernate 0x1fec string SWAPSPACE2 Linux swap file, 8k page size, >0 use linux-swap >0x1ff6 use linux-hibernate 0x3fec string SWAPSPACE2 Linux swap file, 16k page size, >0 use linux-swap >0x3ff6 use linux-hibernate 0x7fec string SWAPSPACE2 Linux swap file, 32k page size, >0 use linux-swap >0x7ff6 use linux-hibernate 0xffec string SWAPSPACE2 Linux swap file, 64k page size, >0 use linux-swap >0xfff6 use linux-hibernate # # Linux kernel boot images, from Albert Cahalan # and others such as Axel Kohlmeyer # and Nicolas Lichtmaier # All known start with: b8 c0 07 8e d8 b8 00 90 8e c0 b9 00 01 29 f6 29 # Linux kernel boot images (i386 arch) (Wolfram Kleff) # URL: https://www.kernel.org/doc/Documentation/x86/boot.txt 514 string HdrS Linux kernel !:strength + 55 # often no extension like in linux, vmlinuz, bzimage or memdisk but sometimes # Acronis Recovery kernel64.dat and Plop Boot Manager plpbtrom.bin # DamnSmallLinux 1.5 damnsmll.lnx !:ext /dat/bin/lnx >510 leshort 0xAA55 x86 boot executable >>518 leshort >0x1ff >>>529 byte 0 zImage, >>>529 byte 1 bzImage, >>>526 lelong >0 >>>>(526.s+0x200) string >\0 version %s, >>498 leshort 1 RO-rootFS, >>498 leshort 0 RW-rootFS, >>508 leshort >0 root_dev %#X, >>502 leshort >0 swap_dev %#X, >>504 leshort >0 RAMdisksize %u KB, >>506 leshort 0xFFFF Normal VGA >>506 leshort 0xFFFE Extended VGA >>506 leshort 0xFFFD Prompt for Videomode >>506 leshort >0 Video mode %d # This also matches new kernels, which were caught above by "HdrS". 0 belong 0xb8c0078e Linux kernel >0x1e3 string Loading version 1.3.79 or older >0x1e9 string Loading from prehistoric times # System.map files - Nicolas Lichtmaier 8 search/1 \ A\ _text Linux kernel symbol map text # LSM entries - Nicolas Lichtmaier 0 search/1 Begin3 Linux Software Map entry text 0 search/1 Begin4 Linux Software Map entry text (new format) # From Matt Zimmerman, enhanced for v3 by Matthew Palmer 0 belong 0x4f4f4f4d User-mode Linux COW file >4 belong <3 \b, version %d >>8 string >\0 \b, backing file %s >4 belong >2 \b, version %d >>32 string >\0 \b, backing file %s ############################################################################ # Linux kernel versions 0 string \xb8\xc0\x07\x8e\xd8\xb8\x00\x90 Linux >497 leshort 0 x86 boot sector >>514 belong 0x8e of a kernel from the dawn of time! >>514 belong 0x908ed8b4 version 0.99-1.1.42 >>514 belong 0x908ed8b8 for memtest86 >497 leshort !0 x86 kernel >>504 leshort >0 RAMdisksize=%u KB >>502 leshort >0 swap=%#X >>508 leshort >0 root=%#X >>>498 leshort 1 \b-ro >>>498 leshort 0 \b-rw >>506 leshort 0xFFFF vga=normal >>506 leshort 0xFFFE vga=extended >>506 leshort 0xFFFD vga=ask >>506 leshort >0 vga=%d >>514 belong 0x908ed881 version 1.1.43-1.1.45 >>514 belong 0x15b281cd >>>0xa8e belong 0x55AA5a5a version 1.1.46-1.2.13,1.3.0 >>>0xa99 belong 0x55AA5a5a version 1.3.1,2 >>>0xaa3 belong 0x55AA5a5a version 1.3.3-1.3.30 >>>0xaa6 belong 0x55AA5a5a version 1.3.31-1.3.41 >>>0xb2b belong 0x55AA5a5a version 1.3.42-1.3.45 >>>0xaf7 belong 0x55AA5a5a version 1.3.46-1.3.72 >>514 string HdrS >>>518 leshort >0x1FF >>>>529 byte 0 \b, zImage >>>>529 byte 1 \b, bzImage >>>>(526.s+0x200) string >\0 \b, version %s # Linux boot sector thefts. 0 belong 0xb8c0078e Linux >0x1e6 belong 0x454c4b53 ELKS Kernel >0x1e6 belong !0x454c4b53 style boot sector ############################################################################ # Linux S390 kernel image # Created by: Jan Kaluza 8 string \x02\x00\x00\x18\x60\x00\x00\x50\x02\x00\x00\x68\x60\x00\x00\x50\x40\x40\x40\x40\x40\x40\x40\x40 Linux S390 >0x00010000 search/b/4096 \x00\x0a\x00\x00\x8b\xad\xcc\xcc # 64bit >>&0 string \xc1\x00\xef\xe3\xf0\x68\x00\x00 Z10 64bit kernel >>&0 string \xc1\x00\xef\xc3\x00\x00\x00\x00 Z9-109 64bit kernel >>&0 string \xc0\x00\x20\x00\x00\x00\x00\x00 Z990 64bit kernel >>&0 string \x00\x00\x00\x00\x00\x00\x00\x00 Z900 64bit kernel # 32bit >>&0 string \x81\x00\xc8\x80\x00\x00\x00\x00 Z10 32bit kernel >>&0 string \x81\x00\xc8\x80\x00\x00\x00\x00 Z9-109 32bit kernel >>&0 string \x80\x00\x20\x00\x00\x00\x00\x00 Z990 32bit kernel >>&0 string \x80\x00\x00\x00\x00\x00\x00\x00 Z900 32bit kernel ############################################################################ # Linux ARM compressed kernel image # From: Kevin Cernekee # Update: Joerg Jenderek 0x24 lelong 0x016f2818 Linux kernel ARM boot executable zImage # There are three possible situations: LE, BE with LE bootloader and pure BE. # In order to aid telling these apart a new endian flag was added. In order # to support kernels before the flag and BE with LE bootloader was added we'll # do a negative check against the BE variant of the flag when we see a LE magic. >0x30 belong !0x04030201 (little-endian) # raspian "kernel7.img", Vu+ Ultimo4K "kernel_auto.bin" !:ext img/bin >0x30 belong 0x04030201 (big-endian) 0x24 belong 0x016f2818 Linux kernel ARM boot executable zImage (big-endian) ############################################################################ # Linux AARCH64 kernel image 0x38 lelong 0x644d5241 Linux kernel ARM64 boot executable Image >0x18 lelong ^1 \b, little-endian >0x18 lelong &1 \b, big-endian >0x18 lelong &2 \b, 4K pages >0x18 lelong &4 \b, 16K pages >0x18 lelong &6 \b, 32K pages ############################################################################ # Linux 8086 executable 0 lelong&0xFF0000FF 0xC30000E9 Linux-Dev86 executable, headerless >5 string . >>4 string >\0 \b, libc version %s 0 lelong&0xFF00FFFF 0x4000301 Linux-8086 executable >2 byte&0x01 !0 \b, unmapped zero page >2 byte&0x20 0 \b, impure >2 byte&0x20 !0 >>2 byte&0x10 !0 \b, A_EXEC >2 byte&0x02 !0 \b, A_PAL >2 byte&0x04 !0 \b, A_NSYM >2 byte&0x08 !0 \b, A_STAND >2 byte&0x40 !0 \b, A_PURE >2 byte&0x80 !0 \b, A_TOVLY >28 long !0 \b, not stripped >37 string . >>36 string >\0 \b, libc version %s # 0 lelong&0xFF00FFFF 0x10000301 ld86 I80386 executable # 0 lelong&0xFF00FFFF 0xB000301 ld86 M68K executable # 0 lelong&0xFF00FFFF 0xC000301 ld86 NS16K executable # 0 lelong&0xFF00FFFF 0x17000301 ld86 SPARC executable # SYSLINUX boot logo files (from 'ppmtolss16' sources) # https://www.syslinux.org/wiki/index.php/SYSLINUX#Display_graphic_from_filename: # file extension .lss .16 0 lelong =0x1413f33d SYSLINUX' LSS16 image data # syslinux-4.05/mime/image/x-lss16.xml !:mime image/x-lss16 >4 leshort x \b, width %d >6 leshort x \b, height %d 0 string OOOM User-Mode-Linux's Copy-On-Write disk image >4 belong x version %d # SE Linux policy database # From: Mike Frysinger 0 lelong 0xf97cff8c SE Linux policy >16 lelong x v%d >20 lelong 1 MLS >24 lelong x %d symbols >28 lelong x %d ocons # Linux Logical Volume Manager (LVM) # Emmanuel VARAGNAT # # System ID, UUID and volume group name are 128 bytes long # but they should never be full and initialized with zeros... # # LVM1 # 0x0 string/b HM\001 LVM1 (Linux Logical Volume Manager), version 1 >0x12c string/b >\0 , System ID: %s 0x0 string/b HM\002 LVM1 (Linux Logical Volume Manager), version 2 >0x12c string/b >\0 , System ID: %s # LVM2 # # It seems that the label header can be in one the four first sector # of the disk... (from _find_labeller in lib/label/label.c of LVM2) # # 0x200 seems to be the common case 0 name lvm2 # display UUID in LVM format + display all 32 bytes (instead of max string length: 31) >0x0 string >\x2f \b, UUID: %.6s >0x6 string >\x2f \b-%.4s >0xa string >\x2f \b-%.4s >0xe string >\x2f \b-%.4s >0x12 string >\x2f \b-%.4s >0x16 string >\x2f \b-%.4s >0x1a string >\x2f \b-%.6s >0x20 lequad x \b, size: %lld # read the offset to add to the start of the header, and the header # start in 0x200 0x218 string/b LVM2\ 001 LVM2 PV (Linux Logical Volume Manager) >&(&-12.l-0x20) use lvm2 0x018 string/b LVM2\ 001 LVM2 PV (Linux Logical Volume Manager) >&(&-12.l-0x20) use lvm2 0x418 string/b LVM2\ 001 LVM2 PV (Linux Logical Volume Manager) >&(&-12.l-0x20) use lvm2 0x618 string/b LVM2\ 001 LVM2 PV (Linux Logical Volume Manager) >&(&-12.l-0x20) use lvm2 # LVM snapshot # from Jason Farrel 0 string SnAp LVM Snapshot (CopyOnWrite store) >4 lelong !0 - valid, >4 lelong 0 - invalid, >8 lelong x version %d, >12 lelong x chunk_size %d # SE Linux policy database 0 lelong 0xf97cff8c SE Linux policy >16 lelong x v%d >20 lelong 1 MLS >24 lelong x %d symbols >28 lelong x %d ocons # Summary: Xen saved domain file # Created by: Radek Vokal 0 string LinuxGuestRecord Xen saved domain >20 search/256 (name >>&1 string x (name %s) # Type: Xen, the virtual machine monitor # From: Radek Vokal 0 string LinuxGuestRecord Xen saved domain #>2 regex \(name\ [^)]*\) %s >20 search/256 (name (name >>&1 string x %s...) # Systemd journald files # See https://www.freedesktop.org/wiki/Software/systemd/journal-files/. # From: Zbigniew Jedrzejewski-Szmek # Update: Joerg Jenderek # URL: https://systemd.io/JOURNAL_FILE_FORMAT/ # Reference: http://mark0.net/download/triddefs_xml.7z/defs/j/journal-sysd.trid.xml # Note: called "systemd journal" by TrID # verified by `journalctl --file=user-1000.journal` # check magic signature[8] 0 string LPKSHHRH # check that state is one of known values # STATE_OFFLINE~0 STATE_ONLINE~1 STATE_ARCHIVED~2 >16 ubyte&252 0 # check that each half of three unique id128s is non-zero # file_id >>24 ubequad >0 >>>32 ubequad >0 # machine_id >>>>40 ubequad >0 >>>>>48 ubequad >0 # boot_id; last writer >>>>>>56 ubequad >0 >>>>>>>64 ubequad >0 Journal file #!:mime application/octet-stream !:mime application/x-linux-journal # provide more info # head_entry_realtime; contains a POSIX timestamp stored in microseconds >>>>>>>>184 leqdate/1000000 !0 \b, %s >>>>>>>>184 leqdate 0 empty # If a file is closed after writing the state field should be set to STATE_OFFLINE >>>>>>>>16 ubyte 0 \b, # for offline and empty only journal~ extension found >>>>>>>>>184 leqdate 0 offline # https://man7.org/linux/man-pages/man8/systemd-journald.service.8.html # GRR: add char ~ inside parse_ext in ../../src/apprentice.c to avoid in file version 5.44 error like: # Magdir/linux, 463: Warning: EXTENSION type ` journal~' has bad char '~' !:ext journal~ # for offline and non empty often *.journal~ but also user-1001.journal >>>>>>>>>184 leqdate !0 offline !:ext journal/journal~ # if a file is opened for writing the state field should be set to STATE_ONLINE >>>>>>>>16 ubyte 1 \b, # for online and empty only journal~ extension found >>>>>>>>>184 leqdate 0 online # system@@0005febee06e2ff2-f7ea54d10e4346ff.journal~ !:ext journal~ # for online and non empty only journal extension found >>>>>>>>>184 leqdate !0 online # system.journal user-1000.journal !:ext journal # after a file has been rotated it should be set to STATE_ARCHIVED >>>>>>>>16 ubyte 2 \b, archived !:ext journal # no *.journal~ found #!:ext journal/journal~ # compatible_flags >>>>>>>>8 ulelong&1 1 \b, sealed # incompatible_flags; COMPRESSED_XZ~1 COMPRESSED_LZ4~2 KEYED_HASH~4 COMPRESSED_ZSTD~8 COMPACT~16 #>>>>>>>>12 ulelong x FLAGS=%#x >>>>>>>>12 ulelong&1 1 \b, compressed >>>>>>>>12 ulelong&2 !0 \b, compressed lz4 >>>>>>>>12 ulelong&4 !0 \b, keyed hash siphash24 >>>>>>>>12 ulelong&8 !0 \b, compressed zstd >>>>>>>>12 ulelong&16 !0 \b, compact # uint8_t reserved[7]; apparently nil #>>17 long !0 \b, reserved %#8.8x # seqnum_id; like: 0 e623691afec94b5aa968ae2d726c49cc f98b2af481924b29 8d6816ca3639edc6 #>>>>>>>>72 ubequad x \b, seqnum_id %#16.16llx #>>>>>>>>80 ubequad x b%16.16llx # header_size like: 100h >>>>>>>>88 ulequad !0x100h \b, header size %#llx # arena_size like: 0 7fff00h ffff00h 17fff00h #>>>>>>>>96 ulequad >0 \b, arena size %#llx # data_hash_table_offset like: 0 15f0h 15f0h #>>>>>>>>104 ulequad >0 \b, hash table offset %#llx # data_hash_table_size like: 0 38e380h #>>>>>>>>112 ulequad >0 \b, hash table size %#llx # field_hash_table_offset like: 0 110h #>>>>>>>>120 ulequad >0 \b, field hash table offset %#llx # field_hash_table_size like: 0 14d0h #>>>>>>>>128 ulequad >0 \b, field hash table size %#llx # tail_object_offset like: 0 43edd8h 511278h c68968h d487d0h efaa98h #>>>>>>>>136 ulequad >0 \b, tail object offset %#llx # n_objects like: 0 1032h 5a2eh 92bdh a8b5h aa75h 112adh 40c23h 4714eh #>>>>>>>>144 ulequad >0 \b, objects %#llx # n_entries like: 0 3aeh 235ah 2dc4h 3125h 16129h 187a1h >>>>>>>>152 ulequad >0 \b, entries %#llx # tail_entry_seqnum like: 0 1988h 16249h 24c12h 24c12h 41e64h 9fefdh #>>>>>>>>160 ulequad >0 \b, tail entry seqnum %#llx # head_entry_seqnum like: 0 1h 15dbh 6552h 213bfh 213bfh 3e672h 9a28ah #>>>>>>>>168 ulequad >0 \b, head entry seqnum %#llx # entry_array_offset like: 0 390058h 3909d8h 3909e0h #>>>>>>>>176 ulequad >0 \b, entry array offset %#llx # BCache backing and cache devices # From: Gabriel de Perthuis 0x1008 lequad 8 >0x1018 string \xc6\x85\x73\xf6\x4e\x1a\x45\xca\x82\x65\xf5\x7f\x48\xba\x6d\x81 BCache >>0x1010 ulequad 0 cache device >>0x1010 ulequad 1 backing device >>0x1010 ulequad 3 cache device >>0x1010 ulequad 4 backing device >>0x1048 string >0 \b, label "%.32s" >>0x1028 ubelong x \b, uuid %08x >>0x102c ubeshort x \b-%04x >>0x102e ubeshort x \b-%04x >>0x1030 ubeshort x \b-%04x >>0x1032 ubelong x \b-%08x >>0x1036 ubeshort x \b%04x >>0x1038 ubelong x \b, set uuid %08x >>0x103c ubeshort x \b-%04x >>0x103e ubeshort x \b-%04x >>0x1040 ubeshort x \b-%04x >>0x1042 ubelong x \b-%08x >>0x1046 ubeshort x \b%04x # Linux device tree: # File format description can be found in the Linux kernel sources at # Documentation/devicetree/booting-without-of.txt # From Christoph Biedl 0 belong 0xd00dfeed # structure must be within blob, strings are omitted to handle devicetrees > 1M >&(8.L) byte x >>20 belong >1 Device Tree Blob version %d >>>4 belong x \b, size=%d >>>20 belong >1 >>>>28 belong x \b, boot CPU=%d >>>20 belong >2 >>>>32 belong x \b, string block size=%d >>>20 belong >16 >>>>36 belong x \b, DT structure block size=%d # glibc locale archive as defined in glibc locale/locarchive.h 0 lelong 0xde020109 locale archive >24 lelong x %d strings # Linux Software RAID (mdadm) # Russell Coker 0 name linuxraid >16 belong x UUID=%8x: >20 belong x \b%8x: >24 belong x \b%8x: >28 belong x \b%8x >32 string x name=%s >72 lelong x level=%d >92 lelong x disks=%d 4096 lelong 0xa92b4efc Linux Software RAID >4100 lelong x version 1.2 (%d) >4096 use linuxraid 0 lelong 0xa92b4efc Linux Software RAID >4 lelong x version 1.1 (%d) >0 use linuxraid # Summary: Database file for mlocate # Description: A database file as used by mlocate, a fast implementation # of locate/updatedb. It uses merging to reuse the existing # database and avoid rereading most of the filesystem. It's # the default version of locate on Arch Linux (and others). # File path: /var/lib/mlocate/mlocate.db by default (but configurable) # Site: https://fedorahosted.org/mlocate/ # Format docs: https://linux.die.net/man/5/mlocate.db # Type: mlocate database file # URL: https://fedorahosted.org/mlocate/ # From: Wander Nauta 0 string \0mlocate mlocate database >12 byte x \b, version %d >13 byte 1 \b, require visibility >16 string x \b, root %s # Dump files for iproute2 tool. Generated by the "ip r|a save" command. URL: # https://www.linuxfoundation.org/collaborate/workgroups/networking/iproute2 # From: Pavel Emelyanov 0 lelong 0x45311224 iproute2 routes dump 0 lelong 0x47361222 iproute2 addresses dump # Image and service files for CRIU tool. # URL: https://criu.org # From: Pavel Emelyanov 0 lelong 0x54564319 CRIU image file v1.1 0 lelong 0x55105940 CRIU service file 0 lelong 0x58313116 CRIU inventory # Kdump compressed dump files # https://github.com/makedumpfile/makedumpfile/blob/master/IMPLEMENTATION 0 string KDUMP\x20\x20\x20 Kdump compressed dump >0 use kdump-compressed-dump 0 name kdump-compressed-dump >8 long x v%d >12 string >\0 \b, system %s >77 string >\0 \b, node %s >142 string >\0 \b, release %s >207 string >\0 \b, version %s >272 string >\0 \b, machine %s >337 string >\0 \b, domain %s # Flattened format 0 string makedumpfile >16 bequad 1 >>0x1010 string KDUMP\x20\x20\x20 Flattened kdump compressed dump >>>0x1010 use kdump-compressed-dump # Device Tree files 0 search/1024 /dts-v1/ Device Tree File (v1) # beat c code !:strength +14 # e2fsck undo file # David Gilman 0 string E2UNDO02 e2fsck undo file, version 2 >44 lelong x \b, undo file is >>44 lelong&1 0 not finished >>44 lelong&1 1 finished >48 lelong x \b, undo file features: >>48 lelong&1 0 lacks filesystem offset >>48 lelong&1 1 has filesystem offset >>>64 lequad x at %#llx # ansible vault (does not really belong here) 0 string $ANSIBLE_VAULT; Ansible Vault >&0 regex [0-9]+\\.[0-9]+ \b, version %s >>&0 string ; >>>&0 regex [A-Z0-9]+ \b, encryption %s # From: Joerg Jenderek # URL: https://www.gnu.org/software/grub # Reference: https://ftp.gnu.org/gnu/grub/grub-2.06.tar.gz # grub-2.06/include/grub/keyboard_layouts.h # grub-2.06/grub-core/commands/keylayouts.c # GRUB_KEYBOARD_LAYOUTS_FILEMAGIC 0 string GRUBLAYO GRUB Keyboard !:mime application/x-grub-keyboard !:ext gkb # GRUB_KEYBOARD_LAYOUTS_VERSION like: 10 >8 ulelong !10 \b, version %u # 4 grub_uint32_t grub_keyboard_layout[160] # for normal french keyboard this is letter a >92 ubyte !0x71 >>92 ubyte >0x40 \b, english q is %c #>732 ubyte x \b, english Q is %c # for normal german keyboard this is letter z >124 ubyte !0x79 >>124 ubyte >0x40 \b, english y is %c #>764 ubyte x \b, english Y is %c @ 1.3 log @merge changes between 5.40 and 5.43 @ text @d3 1 a3 1 # $File: linux,v 1.82 2022/09/07 11:23:44 christos Exp $ d70 2 a71 2 >24 lelong x %d >28 lelong x \bx%d d383 6 a388 2 # check magic d391 1 d394 1 d397 1 d400 1 d403 2 a404 1 !:mime application/octet-stream d406 2 d409 22 a430 2 >>>>>>>>16 ubyte 0 \b, offline >>>>>>>>16 ubyte 1 \b, online d432 4 d437 2 d440 33 d565 4 a568 1 # https://sourceforge.net/p/makedumpfile/code/ci/master/tree/IMPLEMENTATION d570 1 a570 1 0 string KDUMP Kdump compressed dump d579 6 @ 1.2 log @merge local changes between 5.39 and 5.40 and add magic entries from HEAD. @ text @d3 1 a3 1 # $File: linux,v 1.78 2021/04/04 17:46:17 christos Exp $ d157 2 a158 2 >>508 leshort >0 root_dev 0x%X, >>502 leshort >0 swap_dev 0x%X, d194 2 a195 2 >>502 leshort >0 swap=0x%X >>508 leshort >0 root=0x%X a366 10 # LUKS: Linux Unified Key Setup, On-Disk Format, http://luks.endorphin.org/spec # Anthon van der Neut (anthon@@mnt.org) 0 string LUKS\xba\xbe LUKS encrypted file, >6 beshort x ver %d >8 string x [%s, >40 string x %s, >72 string x %s] >168 string x UUID: %s d521 1 a521 1 >>>64 lequad x at 0x%llx d525 1 a525 1 >&0 regex [0-9]*\.[0-9]* \b, version %s d527 22 a548 1 >>>&0 regex [A-Z0-9]* \b, encryption %s @ 1.1 log @Initial revision @ text @d1 1 d3 1 d39 2 d43 1 d51 6 d58 7 a64 5 0 leshort 0x0436 Linux/i386 PC Screen Font data, >2 byte 0 256 characters, no directory, >2 byte 1 512 characters, no directory, >2 byte 2 256 characters, Unicode directory, >2 byte 3 512 characters, Unicode directory, d66 70 a135 25 # Linux swap file, from Daniel Quinlan 4086 string SWAP-SPACE Linux/i386 swap file # From: Jeff Bailey # Linux swap file with swsusp1 image, from Jeff Bailey 4076 string SWAPSPACE2S1SUSPEND Linux/i386 swap file (new style) with SWSUSP1 image # according to man page of mkswap (8) March 1999 4086 string SWAPSPACE2 Linux/i386 swap file (new style) >0x400 long x %d (4K pages) >0x404 long x size %d pages >>4086 string SWAPSPACE2 >>>1052 string >\0 Label %s # ECOFF magic for OSF/1 and Linux (only tested under Linux though) # # from Erik Troan (ewt@@redhat.com) examining od dumps, so this # could be wrong # updated by David Mosberger (davidm@@azstarnet.com) based on # GNU BFD and MIPS info found below. # 0 leshort 0x0183 ECOFF alpha >24 leshort 0407 executable >24 leshort 0410 pure >24 leshort 0413 demand paged >8 long >0 not stripped >8 long 0 stripped >23 leshort >0 - version %ld. d139 1 a139 1 # and Nicolás Lichtmaier d142 1 d144 5 d153 2 a154 1 >>>(526.s+0x200) string >\0 version %s, d169 1 a169 1 # System.map files - Nicolás Lichtmaier d172 1 a172 1 # LSM entries - Nicolás Lichtmaier d222 40 d264 1 a264 1 >5 string . d278 1 a278 1 >37 string . d287 2 a288 2 # http://syslinux.zytor.com/ # d290 2 d306 1 a306 1 # Linux Logical Volume Manager (LVM) d314 2 a315 2 0x0 string HM\001 LVM1 (Linux Logical Volume Manager), version 1 >0x12c string >\0 , System ID: %s d317 2 a318 2 0x0 string HM\002 LVM1 (Linux Logical Volume Manager), version 2 >0x12c string >\0 , System ID: %s d326 11 a337 1 0x218 string LVM2\ 001 LVM2 (Linux Logical Volume Manager) d340 2 a341 1 >(0x214.l+0x200) string >\0 , UUID: %s d343 2 a344 2 0x018 string LVM2\ 001 LVM2 (Linux Logical Volume Manager) >(0x014.l) string >\0 , UUID: %s d346 2 a347 2 0x418 string LVM2\ 001 LVM2 (Linux Logical Volume Manager) >(0x414.l+0x400) string >\0 , UUID: %s d349 2 a350 2 0x618 string LVM2\ 001 LVM2 (Linux Logical Volume Manager) >(0x614.l+0x600) string >\0 , UUID: %s d380 1 a380 1 >20 search/256 (name d383 155 @ 1.1.1.1 log @from ftp.astron.com @ text @@ 1.1.1.2 log @from ftp.astron.com. - many security related fixes - no MAXPATHLEN limits - fixed missing text specification on ascii magic - new ``pascal'' style string formats - whitespace comparison fix - more magic @ text @a0 1 a1 1 # $File: linux,v 1.41 2011/04/20 18:57:10 christos Exp $ a45 3 # Linux make config build file, from Ole Aamot 28 string make\ config Linux make config build file # d47 5 a51 7 # Updated by Adam Buchbinder # See: http://www.win.tue.nl/~aeb/linux/kbd/font-formats-1.html 0 leshort 0x0436 Linux/i386 PC Screen Font v1 data, >2 byte&0x01 0 256 characters, >2 byte&0x01 !0 512 characters, >2 byte&0x02 0 no directory, >2 byte&0x02 !0 Unicode directory, a52 7 0 string \x72\xb5\x4a\x86\x00\x00 Linux/i386 PC Screen Font v2 data, >16 lelong x %d characters, >12 lelong&0x01 0 no directory, >12 lelong&0x01 !0 Unicode directory, >24 lelong x %d >28 lelong x \bx%d a57 2 # From: James Hunt 4076 string SWAPSPACE2LINHIB0001 Linux/i386 swap file (new style) (compressed hibernate) d59 19 a77 16 # volume label and UUID Russell Coker # http://etbe.coker.com.au/2008/07/08/label-vs-uuid-vs-device/ 4086 string SWAPSPACE2 Linux/i386 swap file (new style), >0x400 long x version %d (4K pages), >0x404 long x size %d pages, >1052 string \0 no label, >1052 string >\0 LABEL=%s, >0x40c belong x UUID=%08x >0x410 beshort x \b-%04x >0x412 beshort x \b-%04x >0x414 beshort x \b-%04x >0x416 belong x \b-%08x >0x41a beshort x \b%04x # From Daniel Novotny # swap file for PowerPC 65526 string SWAPSPACE2 Linux/ppc swap file a156 16 # Linux S390 kernel image # Created by: Jan Kaluza 8 string \x02\x00\x00\x18\x60\x00\x00\x50\x02\x00\x00\x68\x60\x00\x00\x50\x40\x40\x40\x40\x40\x40\x40\x40 Linux S390 >0x00010000 search/b/4096 \x00\x0a\x00\x00\x8b\xad\xcc\xcc # 64bit >>&0 string \xc1\x00\xef\xe3\xf0\x68\x00\x00 Z10 64bit kernel >>&0 string \xc1\x00\xef\xc3\x00\x00\x00\x00 Z9-109 64bit kernel >>&0 string \xc0\x00\x20\x00\x00\x00\x00\x00 Z990 64bit kernel >>&0 string \x00\x00\x00\x00\x00\x00\x00\x00 Z900 64bit kernel # 32bit >>&0 string \x81\x00\xc8\x80\x00\x00\x00\x00 Z10 32bit kernel >>&0 string \x81\x00\xc8\x80\x00\x00\x00\x00 Z9-109 32bit kernel >>&0 string \x80\x00\x20\x00\x00\x00\x00\x00 Z990 32bit kernel >>&0 string \x80\x00\x00\x00\x00\x00\x00\x00 Z900 32bit kernel ############################################################################ d220 1 a220 1 0x218 string LVM2\ 001 LVM2 PV (Linux Logical Volume Manager) d223 10 a232 46 >&(&-12.l-0x21) byte x # display UUID in LVM format + display all 32 bytes (instead of max string length: 31) >>&0x0 string >\x2f \b, UUID: %.6s >>&0x6 string >\x2f \b-%.4s >>&0xa string >\x2f \b-%.4s >>&0xe string >\x2f \b-%.4s >>&0x12 string >\x2f \b-%.4s >>&0x16 string >\x2f \b-%.4s >>&0x1a string >\x2f \b-%.6s >>&0x20 lequad x \b, size: %lld 0x018 string LVM2\ 001 LVM2 PV (Linux Logical Volume Manager) >&(&-12.l-0x21) byte x # display UUID in LVM format + display all 32 bytes (instead of max string length: 31) >>&0x0 string >\x2f \b, UUID: %.6s >>&0x6 string >\x2f \b-%.4s >>&0xa string >\x2f \b-%.4s >>&0xe string >\x2f \b-%.4s >>&0x12 string >\x2f \b-%.4s >>&0x16 string >\x2f \b-%.4s >>&0x1a string >\x2f \b-%.6s >>&0x20 lequad x \b, size: %lld 0x418 string LVM2\ 001 LVM2 PV (Linux Logical Volume Manager) >&(&-12.l-0x21) byte x # display UUID in LVM format + display all 32 bytes (instead of max string length: 31) >>&0x0 string >\x2f \b, UUID: %.6s >>&0x6 string >\x2f \b-%.4s >>&0xa string >\x2f \b-%.4s >>&0xe string >\x2f \b-%.4s >>&0x12 string >\x2f \b-%.4s >>&0x16 string >\x2f \b-%.4s >>&0x1a string >\x2f \b-%.6s >>&0x20 lequad x \b, size: %lld 0x618 string LVM2\ 001 LVM2 PV (Linux Logical Volume Manager) >&(&-12.l-0x21) byte x # display UUID in LVM format + display all 32 bytes (instead of max string length: 31) >>&0x0 string >\x2f \b, UUID: %.6s >>&0x6 string >\x2f \b-%.4s >>&0xa string >\x2f \b-%.4s >>&0xe string >\x2f \b-%.4s >>&0x12 string >\x2f \b-%.4s >>&0x16 string >\x2f \b-%.4s >>&0x1a string >\x2f \b-%.6s >>&0x20 lequad x \b, size: %lld a264 6 # Type: Xen, the virtual machine monitor # From: Radek Vokal 0 string LinuxGuestRecord Xen saved domain #>2 regex \(name\ [^)]*\) %s >20 search/256 (name (name >>&1 string x %s...) @ 1.1.1.2.4.1 log @sync with head @ text @d3 1 a3 1 # $File: linux,v 1.42 2012/02/07 21:35:03 christos Exp $ a184 5 # Linux ARM compressed kernel image # From: Kevin Cernekee 36 lelong 0x016f2818 Linux kernel ARM boot executable zImage (little-endian) 36 belong 0x016f2818 Linux kernel ARM boot executable zImage (big-endian) @ 1.1.1.2.4.2 log @sync with head @ text @d3 1 a3 1 # $File: linux,v 1.45 2012/10/29 17:36:49 christos Exp $ a38 2 0 string \01\03\04\20 Minix-386 NSYM/GNU executable >28 long !0 not stripped a90 1 16374 string SWAPSPACE2 Linux/ia64 swap file d216 2 a217 2 # http://www.syslinux.org/wiki/index.php/SYSLINUX#Display_graphic_from_filename: # file extension .lss .16 a218 2 # syslinux-4.05/mime/image/x-lss16.xml !:mime image/x-lss16 @ 1.1.1.2.4.3 log @sync with head. for a reference, the tree before this commit was tagged as yamt-pagecache-tag8. this commit was splitted into small chunks to avoid a limitation of cvs. ("Protocol error: too many arguments") @ text @d3 1 a3 1 # $File: linux,v 1.52 2013/11/19 23:18:15 christos Exp $ d97 1 a97 1 # and Nicolas Lichtmaier a100 1 !:strength + 55 d105 1 a105 2 >>>526 lelong >0 >>>>(526.s+0x200) string >\0 version %s, d120 1 a120 1 # System.map files - Nicolas Lichtmaier d123 1 a123 1 # LSM entries - Nicolas Lichtmaier a345 47 # Systemd journald files # See http://www.freedesktop.org/wiki/Software/systemd/journal-files/. # From: Zbigniew Jedrzejewski-Szmek # check magic 0 string LPKSHHRH # check that state is one of known values >16 ubyte&252 0 # check that each half of three unique id128s is non-zero >>24 ubequad >0 >>>32 ubequad >0 >>>>40 ubequad >0 >>>>>48 ubequad >0 >>>>>>56 ubequad >0 >>>>>>>64 ubequad >0 Journal file !:mime application/octet-stream # provide more info >>>>>>>>184 leqdate 0 empty >>>>>>>>16 ubyte 0 \b, offline >>>>>>>>16 ubyte 1 \b, online >>>>>>>>16 ubyte 2 \b, archived >>>>>>>>8 ulelong&1 1 \b, sealed >>>>>>>>12 ulelong&1 1 \b, compressed # BCache backing and cache devices # From: Gabriel de Perthuis 0x1008 lequad 8 >0x1018 string \xc6\x85\x73\xf6\x4e\x1a\x45\xca\x82\x65\xf5\x7f\x48\xba\x6d\x81 BCache >>0x1010 ulequad 0 cache device >>0x1010 ulequad 1 backing device >>0x1010 ulequad 3 cache device >>0x1010 ulequad 4 backing device >>0x1048 string >0 \b, label "%.32s" >>0x1028 ubelong x \b, uuid %08x >>0x102c ubeshort x \b-%04x >>0x102e ubeshort x \b-%04x >>0x1030 ubeshort x \b-%04x >>0x1032 ubelong x \b-%08x >>0x1036 ubeshort x \b%04x >>0x1038 ubelong x \b, set uuid %08x >>0x103c ubeshort x \b-%04x >>0x103e ubeshort x \b-%04x >>0x1040 ubeshort x \b-%04x >>0x1042 ubelong x \b-%08x >>0x1046 ubeshort x \b%04x @ 1.1.1.2.6.1 log @Pull up following revision(s) (requested by christos in ticket #30): Update file to 5.11 (CDF security fixes) @ text @d3 1 a3 1 # $File: linux,v 1.42 2012/02/07 21:35:03 christos Exp $ a184 5 # Linux ARM compressed kernel image # From: Kevin Cernekee 36 lelong 0x016f2818 Linux kernel ARM boot executable zImage (little-endian) 36 belong 0x016f2818 Linux kernel ARM boot executable zImage (big-endian) @ 1.1.1.3 log @from ftp.astron.com, CDF security fixes @ text @d3 1 a3 1 # $File: linux,v 1.42 2012/02/07 21:35:03 christos Exp $ a184 5 # Linux ARM compressed kernel image # From: Kevin Cernekee 36 lelong 0x016f2818 Linux kernel ARM boot executable zImage (little-endian) 36 belong 0x016f2818 Linux kernel ARM boot executable zImage (big-endian) @ 1.1.1.3.2.1 log @resync with head @ text @d3 1 a3 1 # $File: linux,v 1.45 2012/10/29 17:36:49 christos Exp $ a38 2 0 string \01\03\04\20 Minix-386 NSYM/GNU executable >28 long !0 not stripped a90 1 16374 string SWAPSPACE2 Linux/ia64 swap file d216 2 a217 2 # http://www.syslinux.org/wiki/index.php/SYSLINUX#Display_graphic_from_filename: # file extension .lss .16 a218 2 # syslinux-4.05/mime/image/x-lss16.xml !:mime image/x-lss16 @ 1.1.1.3.2.2 log @resync from head @ text @d3 1 a3 1 # $File: linux,v 1.47 2013/02/06 14:18:52 christos Exp $ d97 1 a97 1 # and Nicolas Lichtmaier a100 1 !:strength + 5 d120 1 a120 1 # System.map files - Nicolas Lichtmaier d123 1 a123 1 # LSM entries - Nicolas Lichtmaier @ 1.1.1.3.2.3 log @Rebase to HEAD as of a few days ago. @ text @d3 1 a3 1 # $File: linux,v 1.57 2014/05/20 20:10:17 christos Exp $ a42 1 !:strength / 2 d51 1 a51 4 # Updated by Ken Sharp 28 string make\ config Linux make config build file (old) 49 search/70 Kernel\ Configuration Linux make config build file d101 1 a101 1 !:strength + 55 d106 1 a106 2 >>>526 lelong >0 >>>>(526.s+0x200) string >\0 version %s, a346 64 # Systemd journald files # See http://www.freedesktop.org/wiki/Software/systemd/journal-files/. # From: Zbigniew Jedrzejewski-Szmek # check magic 0 string LPKSHHRH # check that state is one of known values >16 ubyte&252 0 # check that each half of three unique id128s is non-zero >>24 ubequad >0 >>>32 ubequad >0 >>>>40 ubequad >0 >>>>>48 ubequad >0 >>>>>>56 ubequad >0 >>>>>>>64 ubequad >0 Journal file !:mime application/octet-stream # provide more info >>>>>>>>184 leqdate 0 empty >>>>>>>>16 ubyte 0 \b, offline >>>>>>>>16 ubyte 1 \b, online >>>>>>>>16 ubyte 2 \b, archived >>>>>>>>8 ulelong&1 1 \b, sealed >>>>>>>>12 ulelong&1 1 \b, compressed # BCache backing and cache devices # From: Gabriel de Perthuis 0x1008 lequad 8 >0x1018 string \xc6\x85\x73\xf6\x4e\x1a\x45\xca\x82\x65\xf5\x7f\x48\xba\x6d\x81 BCache >>0x1010 ulequad 0 cache device >>0x1010 ulequad 1 backing device >>0x1010 ulequad 3 cache device >>0x1010 ulequad 4 backing device >>0x1048 string >0 \b, label "%.32s" >>0x1028 ubelong x \b, uuid %08x >>0x102c ubeshort x \b-%04x >>0x102e ubeshort x \b-%04x >>0x1030 ubeshort x \b-%04x >>0x1032 ubelong x \b-%08x >>0x1036 ubeshort x \b%04x >>0x1038 ubelong x \b, set uuid %08x >>0x103c ubeshort x \b-%04x >>0x103e ubeshort x \b-%04x >>0x1040 ubeshort x \b-%04x >>0x1042 ubelong x \b-%08x >>0x1046 ubeshort x \b%04x # Linux device tree: # File format description can be found in the Linux kernel sources at # Documentation/devicetree/booting-without-of.txt # From Christoph Biedl 0 belong 0xd00dfeed # structure and strings must be within blob >&(8.L) byte x >>&(12.L) byte x >>>20 belong >1 Device Tree Blob version %d >>>>4 belong x \b, size=%d >>>>20 belong >1 >>>>>28 belong x \b, boot CPU=%d >>>>20 belong >2 >>>>>32 belong x \b, string block size=%d >>>>20 belong >16 >>>>>36 belong x \b, DT structure block size=%d @ 1.1.1.4 log @from ftp.astron.com @ text @d3 1 a3 1 # $File: linux,v 1.45 2012/10/29 17:36:49 christos Exp $ a38 2 0 string \01\03\04\20 Minix-386 NSYM/GNU executable >28 long !0 not stripped a90 1 16374 string SWAPSPACE2 Linux/ia64 swap file d216 2 a217 2 # http://www.syslinux.org/wiki/index.php/SYSLINUX#Display_graphic_from_filename: # file extension .lss .16 a218 2 # syslinux-4.05/mime/image/x-lss16.xml !:mime image/x-lss16 @ 1.1.1.5 log @import file-5.14 changes are "name" + "use" keyword features, bug fixes @ text @d3 1 a3 1 # $File: linux,v 1.47 2013/02/06 14:18:52 christos Exp $ d97 1 a97 1 # and Nicolas Lichtmaier a100 1 !:strength + 5 d120 1 a120 1 # System.map files - Nicolas Lichtmaier d123 1 a123 1 # LSM entries - Nicolas Lichtmaier @ 1.1.1.6 log @from ftp.astron.com, this is a bug fix release: * always leave magic file loaded, don't unload for magic_check, etc. * fix default encoding to binary instead of unknown which broke recently * handle empty and one byte files, less specially so that --mime-encoding does not break completely. * fix erroneous non-zero exit code from non-existant file and message * add CDF MSI file detection (Guy Helmer) @ text @d3 1 a3 1 # $File: linux,v 1.52 2013/11/19 23:18:15 christos Exp $ d101 1 a101 1 !:strength + 55 d106 1 a106 2 >>>526 lelong >0 >>>>(526.s+0x200) string >\0 version %s, a346 47 # Systemd journald files # See http://www.freedesktop.org/wiki/Software/systemd/journal-files/. # From: Zbigniew Jedrzejewski-Szmek # check magic 0 string LPKSHHRH # check that state is one of known values >16 ubyte&252 0 # check that each half of three unique id128s is non-zero >>24 ubequad >0 >>>32 ubequad >0 >>>>40 ubequad >0 >>>>>48 ubequad >0 >>>>>>56 ubequad >0 >>>>>>>64 ubequad >0 Journal file !:mime application/octet-stream # provide more info >>>>>>>>184 leqdate 0 empty >>>>>>>>16 ubyte 0 \b, offline >>>>>>>>16 ubyte 1 \b, online >>>>>>>>16 ubyte 2 \b, archived >>>>>>>>8 ulelong&1 1 \b, sealed >>>>>>>>12 ulelong&1 1 \b, compressed # BCache backing and cache devices # From: Gabriel de Perthuis 0x1008 lequad 8 >0x1018 string \xc6\x85\x73\xf6\x4e\x1a\x45\xca\x82\x65\xf5\x7f\x48\xba\x6d\x81 BCache >>0x1010 ulequad 0 cache device >>0x1010 ulequad 1 backing device >>0x1010 ulequad 3 cache device >>0x1010 ulequad 4 backing device >>0x1048 string >0 \b, label "%.32s" >>0x1028 ubelong x \b, uuid %08x >>0x102c ubeshort x \b-%04x >>0x102e ubeshort x \b-%04x >>0x1030 ubeshort x \b-%04x >>0x1032 ubelong x \b-%08x >>0x1036 ubeshort x \b%04x >>0x1038 ubelong x \b, set uuid %08x >>0x103c ubeshort x \b-%04x >>0x103e ubeshort x \b-%04x >>0x1040 ubeshort x \b-%04x >>0x1042 ubelong x \b-%08x >>0x1046 ubeshort x \b%04x @ 1.1.1.6.2.1 log @Rebase. @ text @d3 1 a3 1 # $File: linux,v 1.57 2014/05/20 20:10:17 christos Exp $ a42 1 !:strength / 2 d51 1 a51 4 # Updated by Ken Sharp 28 string make\ config Linux make config build file (old) 49 search/70 Kernel\ Configuration Linux make config build file a394 17 # Linux device tree: # File format description can be found in the Linux kernel sources at # Documentation/devicetree/booting-without-of.txt # From Christoph Biedl 0 belong 0xd00dfeed # structure and strings must be within blob >&(8.L) byte x >>&(12.L) byte x >>>20 belong >1 Device Tree Blob version %d >>>>4 belong x \b, size=%d >>>>20 belong >1 >>>>>28 belong x \b, boot CPU=%d >>>>20 belong >2 >>>>>32 belong x \b, string block size=%d >>>>20 belong >16 >>>>>36 belong x \b, DT structure block size=%d @ 1.1.1.7 log @import file-5.19 2014-06-09 9:04 Christos Zoulas * Misc buffer overruns and missing buffer size tests in cdf parsing (Francisco Alonso, Jan Kaluza) 2014-06-02 14:50 Christos Zoulas * Enforce limit of 8K on regex searches that have no limits * Allow the l modifier for regex to mean line count. Default to byte count. If line count is specified, assume a max of 80 characters per line to limit the byte count. * Don't allow conversions to be used for dates, allowing the mask field to be used as an offset. 2014-05-30 12:51 Christos Zoulas * Make the range operator limit the length of the regex search. 2014-05-14 19:23 Christos Zoulas * PR/347: Windows fixes * PR/352: Hangul word processor recognition * PR/354: Encoding irregularities in text files 2014-05-06 6:12 Christos Zoulas * Fix uninitialized title in CDF files (Jan Kaluza) 2014-05-04 14:55 Christos Zoulas * PR/351: Fix compilation of empty files 2014-04-30 17:39 Christos Zoulas * Fix integer formats: We don't specify 'l' or 'h' and 'hh' specifiers anymore, only 'll' for quads and nothing for the rest. This is so that magic writing is simpler. 2014-04-01 15:25 Christos Zoulas * PR/341: Jan Kaluza, fix memory leak * PR/342: Jan Kaluza, fix out of bounds read 2014-03-28 15:25 Christos Zoulas * Fix issue with long formats not matching fmtcheck @ text @d3 1 a3 1 # $File: linux,v 1.57 2014/05/20 20:10:17 christos Exp $ a42 1 !:strength / 2 d51 1 a51 4 # Updated by Ken Sharp 28 string make\ config Linux make config build file (old) 49 search/70 Kernel\ Configuration Linux make config build file a394 17 # Linux device tree: # File format description can be found in the Linux kernel sources at # Documentation/devicetree/booting-without-of.txt # From Christoph Biedl 0 belong 0xd00dfeed # structure and strings must be within blob >&(8.L) byte x >>&(12.L) byte x >>>20 belong >1 Device Tree Blob version %d >>>>4 belong x \b, size=%d >>>>20 belong >1 >>>>>28 belong x \b, boot CPU=%d >>>>20 belong >2 >>>>>32 belong x \b, string block size=%d >>>>20 belong >16 >>>>>36 belong x \b, DT structure block size=%d @ 1.1.1.8 log @import file-5.20; bug fixes and better image magic descriptions. @ text @d3 1 a3 1 # $File: linux,v 1.58 2014/08/04 06:21:30 christos Exp $ a415 3 # glibc locale archive as defined in glibc locale/locarchive.h 0 lelong 0xde020109 locale archive >24 lelong x %d strings @ 1.1.1.9 log @Import file-5.22 @ text @d3 1 a3 1 # $File: linux,v 1.59 2014/11/03 21:03:36 christos Exp $ a418 16 # Summary: Database file for mlocate # Description: A database file as used by mlocate, a fast implementation # of locate/updatedb. It uses merging to reuse the existing # database and avoid rereading most of the filesystem. It's # the default version of locate on Arch Linux (and others). # File path: /var/lib/mlocate/mlocate.db by default (but configurable) # Site: https://fedorahosted.org/mlocate/ # Format docs: http://linux.die.net/man/5/mlocate.db # Type: mlocate database file # URL: https://fedorahosted.org/mlocate/ # From: Wander Nauta 0 string \0mlocate mlocate database >12 byte x \b, version %d >13 byte 1 \b, require visibility >16 string x \b, root %s @ 1.1.1.9.4.1 log @Sync with HEAD @ text @d3 1 a3 1 # $File: linux,v 1.63 2015/08/24 05:16:11 christos Exp $ a419 19 # Linux Software RAID (mdadm) # Russell Coker 0 name linuxraid >16 belong x UUID=%8x: >20 belong x \b%8x: >24 belong x \b%8x: >28 belong x \b%8x >32 string x name=%s >72 lelong x level=%d >92 lelong x disks=%d 4096 lelong 0xa92b4efc Linux Software RAID >4100 lelong x version 1.2 (%d) >4096 use linuxraid 0 lelong 0xa92b4efc Linux Software RAID >4 lelong x version 1.1 (%d) >0 use linuxraid a434 25 # Dump files for iproute2 tool. Generated by the "ip r|a save" command. URL: # https://www.linuxfoundation.org/collaborate/workgroups/networking/iproute2 # From: Pavel Emelyanov 0 lelong 0x45311224 iproute2 routes dump 0 lelong 0x47361222 iproute2 addresses dump # Image and service files for CRIU tool. # URL: http://criu.org # From: Pavel Emelyanov 0 lelong 0x54564319 CRIU image file v1.1 0 lelong 0x55105940 CRIU service file 0 lelong 0x58313116 CRIU inventory # Kdump compressed dump files # http://sourceforge.net/p/makedumpfile/code/ci/master/tree/IMPLEMENTATION 0 string KDUMP Kdump compressed dump >8 long x v%d >12 string >\0 \b, system %s >77 string >\0 \b, node %s >142 string >\0 \b, release %s >207 string >\0 \b, version %s >272 string >\0 \b, machine %s >337 string >\0 \b, domain %s @ 1.1.1.9.2.1 log @Sync with HEAD @ text @d3 1 a3 1 # $File: linux,v 1.63 2015/08/24 05:16:11 christos Exp $ a419 19 # Linux Software RAID (mdadm) # Russell Coker 0 name linuxraid >16 belong x UUID=%8x: >20 belong x \b%8x: >24 belong x \b%8x: >28 belong x \b%8x >32 string x name=%s >72 lelong x level=%d >92 lelong x disks=%d 4096 lelong 0xa92b4efc Linux Software RAID >4100 lelong x version 1.2 (%d) >4096 use linuxraid 0 lelong 0xa92b4efc Linux Software RAID >4 lelong x version 1.1 (%d) >0 use linuxraid a434 25 # Dump files for iproute2 tool. Generated by the "ip r|a save" command. URL: # https://www.linuxfoundation.org/collaborate/workgroups/networking/iproute2 # From: Pavel Emelyanov 0 lelong 0x45311224 iproute2 routes dump 0 lelong 0x47361222 iproute2 addresses dump # Image and service files for CRIU tool. # URL: http://criu.org # From: Pavel Emelyanov 0 lelong 0x54564319 CRIU image file v1.1 0 lelong 0x55105940 CRIU service file 0 lelong 0x58313116 CRIU inventory # Kdump compressed dump files # http://sourceforge.net/p/makedumpfile/code/ci/master/tree/IMPLEMENTATION 0 string KDUMP Kdump compressed dump >8 long x v%d >12 string >\0 \b, system %s >77 string >\0 \b, node %s >142 string >\0 \b, release %s >207 string >\0 \b, version %s >272 string >\0 \b, machine %s >337 string >\0 \b, domain %s @ 1.1.1.10 log @2017-02-10 12:24 Christos Zoulas * release 5.30 2017-02-07 23:27 Christos Zoulas * If we exceeded the offset in a search return no match (Christoph Biedl) * Be more lenient on corrupt CDF files (Christoph Biedl) 2017-02-04 16:46 Christos Zoulas * pacify ubsan sign extension (oss-fuzz/524) 2017-02-01 12:42 Christos Zoulas * off by one in cdf parsing (PR/593) * report debugging sections in elf (PR/591) 2016-11-06 10:52 Christos Zoulas * Allow @@@@@@ in extensions * Add missing overflow check in der magic (Jonas Wagner) 2016-10-25 10:40 Christos Zoulas * release 5.29 2016-10-24 11:20 Christos Zoulas * der getlength overflow (Jonas Wagner) * multiple magic file load failure (Christoph Biedl) 2016-10-17 11:26 Christos Zoulas * CDF parsing improvements (Guy Helmer) 2016-07-20 7:26 Christos Zoulas * Add support for signed indirect offsets 2016-07-18 7:41 Christos Zoulas * cat /dev/null | file - should print empty (Christoph Biedl) 2016-07-05 15:20 Christos Zoulas * Bump string size from 64 to 96. 2016-06-13 20:20 Christos Zoulas * PR/556: Fix separators on annotations. 2016-06-13 19:40 Christos Zoulas * release 5.28 * fix leak on allocation failure 2016-06-01 1:20 Christos Zoulas * PR/555: Avoid overflow for offset > nbytes * PR/550: Segv on DER parsing: - use the correct variable for length - set offset to 0 on failure. 2016-05-13 12:00 Christos Zoulas * release 5.27 2016-04-18 9:35 Christos Zoulas * Errors comparing DER entries or computing offsets are just indications of malformed non-DER files. Don't print them. * Offset comparison was off-by-one. * Fix compression code (Werner Fink) * Put new bytes constant in the right file (not the generated one) 2016-04-16 18:34 Christos Zoulas * release 5.26 2016-03-31 13:50 Christos Zoulas * make the number of bytes read from files configurable. 2016-03-21 13:40 Christos Zoulas * Add bounds checks for DER code (discovered by Thomas Jarosch) * Change indirect recursion limit to indirect use count and bump from 15 to 50 to prevent abuse. 2016-03-13 20:39 Christos Zoulas * Add -00 which prints filename\0description\0 2016-03-01 13:28 Christos Zoulas * Fix ID3 indirect parsing 2016-01-19 10:18 Christos Zoulas * add DER parsing capability 2015-11-13 10:35 Christos Zoulas * provide dprintf(3) for the OS's that don't have it. 2015-11-11 16:25 Christos Zoulas * redo the compression code report decompression errors 2015-11-10 23:25 Christos Zoulas * REG_STARTEND code is not working as expected, delete it. 2015-11-09 16:05 Christos Zoulas * Add zlib support if we have it. 2015-11-05 11:22 Christos Zoulas * PR/492: compression forking was broken with magic_buffer. 2015-09-16 9:50 Christos Zoulas * release 5.25 2015-09-11 13:25 Christos Zoulas * add a limit to the length of regex searches 2015-09-08 9:50 Christos Zoulas * fix problems with --parameter (Christoph Biedl) 2015-07-11 10:35 Christos Zoulas * Windows fixes PR/466 (Jason Hood) 2015-07-09 10:35 Christos Zoulas * release 5.24 2015-06-11 8:52 Christos Zoulas * redo long option encoding to fix off-by-one in 5.23 2015-06-10 13:50 Christos Zoulas * release 5.23 2015-06-09 16:10 Christos Zoulas * Fix issue with regex range for magic with offset * Always return true from mget with USE (success to mget not match indication). Fixes mime evaluation after USE magic * PR/459: Don't insert magic entries to the list if there are parsing errors for them. 2015-06-03 16:00 Christos Zoulas * PR/455: Add utf-7 encoding 2015-06-03 14:30 Christos Zoulas * PR/455: Implement -Z, look inside, but don't report on compression * PR/454: Fix allocation error on bad magic. 2015-05-29 10:30 Christos Zoulas * handle MAGIC_CONTINUE everywhere, not just in softmagic 2015-05-21 14:30 Christos Zoulas * don't print descriptions for NAME types when mime. 2015-04-09 15:59 Christos Zoulas * Add --extension to list the known extensions for this file type Idea by Andrew J Roazen 2015-02-14 12:23 Christos Zoulas * Bump file search buffer size to 1M. 2015-01-09 14:35 Christos Zoulas * Fix multiple issues with date formats reported by Christoph Biedl: - T_LOCAL meaning was reversed - Arithmetic did not work Also stop adjusting daylight savings for gmt printing. 2015-01-05 13:00 Christos Zoulas * PR/411: Fix memory corruption from corrupt cdf file. @ text @d3 1 a3 1 # $File: linux,v 1.63 2015/08/24 05:16:11 christos Exp $ a419 19 # Linux Software RAID (mdadm) # Russell Coker 0 name linuxraid >16 belong x UUID=%8x: >20 belong x \b%8x: >24 belong x \b%8x: >28 belong x \b%8x >32 string x name=%s >72 lelong x level=%d >92 lelong x disks=%d 4096 lelong 0xa92b4efc Linux Software RAID >4100 lelong x version 1.2 (%d) >4096 use linuxraid 0 lelong 0xa92b4efc Linux Software RAID >4 lelong x version 1.1 (%d) >0 use linuxraid a434 25 # Dump files for iproute2 tool. Generated by the "ip r|a save" command. URL: # https://www.linuxfoundation.org/collaborate/workgroups/networking/iproute2 # From: Pavel Emelyanov 0 lelong 0x45311224 iproute2 routes dump 0 lelong 0x47361222 iproute2 addresses dump # Image and service files for CRIU tool. # URL: http://criu.org # From: Pavel Emelyanov 0 lelong 0x54564319 CRIU image file v1.1 0 lelong 0x55105940 CRIU service file 0 lelong 0x58313116 CRIU inventory # Kdump compressed dump files # http://sourceforge.net/p/makedumpfile/code/ci/master/tree/IMPLEMENTATION 0 string KDUMP Kdump compressed dump >8 long x v%d >12 string >\0 \b, system %s >77 string >\0 \b, node %s >142 string >\0 \b, release %s >207 string >\0 \b, version %s >272 string >\0 \b, machine %s >337 string >\0 \b, domain %s @ 1.1.1.11 log @Import file-5.31; mostly oss-fuzz found bugs. @ text @d3 1 a3 1 # $File: linux,v 1.64 2017/03/17 21:35:28 christos Exp $ d202 1 a202 1 >5 string . d216 1 a216 1 >37 string . d244 1 a244 1 # Linux Logical Volume Manager (LVM) d304 1 a304 1 >&(&-12.l-0x21) byte x d343 1 a343 1 >20 search/256 (name d400 1 a400 1 # File format description can be found in the Linux kernel sources at @ 1.1.1.11.10.1 log @Sync with HEAD @ text @d3 1 a3 1 # $File: linux,v 1.67 2019/04/19 00:42:27 christos Exp $ d59 1 a59 1 # See: https://www.win.tue.nl/~aeb/linux/kbd/font-formats-1.html d82 1 a82 1 # https://etbe.coker.com.au/2008/07/08/label-vs-uuid-vs-device/ a96 10 >0x400 long x version %d, >0x404 long x size %d pages, >1052 string \0 no label, >1052 string >\0 LABEL=%s, >0x40c belong x UUID=%08x >0x410 beshort x \b-%04x >0x412 beshort x \b-%04x >0x414 beshort x \b-%04x >0x416 belong x \b-%08x >0x41a beshort x \b%04x a103 1 # URL: https://www.kernel.org/doc/Documentation/x86/boot.txt a105 4 # often no extension like in linux, vmlinuz, bzimage or memdisk but sometimes # Acronis Recovery kernel64.dat and Plop Boot Manager plpbtrom.bin # DamnSmallLinux 1.5 damnsmll.lnx !:ext /dat/bin/lnx a195 1 # Update: Joerg Jenderek a196 2 # raspian "kernel7.img", Vu+ Ultimo4K "kernel_auto.bin" !:ext img/bin d225 1 a225 1 # https://www.syslinux.org/wiki/index.php/SYSLINUX#Display_graphic_from_filename: d354 1 a354 1 # See https://www.freedesktop.org/wiki/Software/systemd/journal-files/. d446 1 a446 1 # Format docs: https://linux.die.net/man/5/mlocate.db d462 1 a462 1 # URL: https://criu.org d469 1 a469 1 # https://sourceforge.net/p/makedumpfile/code/ci/master/tree/IMPLEMENTATION @ 1.1.1.11.10.2 log @Merge changes from current as of 20200406 @ text @d3 1 a3 1 # $File: linux,v 1.68 2019/09/11 21:20:56 christos Exp $ a496 5 # Device Tree files 0 search/1024 /dts-v1/ Device Tree File (v1) # beat c code !:strength +14 @ 1.1.1.11.8.1 log @Sync with head @ text @d3 1 a3 1 # $File: linux,v 1.65 2018/07/16 12:32:08 christos Exp $ a96 10 >0x400 long x version %d, >0x404 long x size %d pages, >1052 string \0 no label, >1052 string >\0 LABEL=%s, >0x40c belong x UUID=%08x >0x410 beshort x \b-%04x >0x412 beshort x \b-%04x >0x414 beshort x \b-%04x >0x416 belong x \b-%08x >0x41a beshort x \b%04x @ 1.1.1.12 log @2018-10-18 19:32 Christos Zoulas * release 5.35 2018-09-10 20:38 Christos Zoulas * Add FreeBSD ELF core file support (John Baldwin) 2018-08-20 18:40 Christos Zoulas * PR/30: Allow all parameter values to be set (don't treat 0 specially) * handle default annotations on the softmagic match instead at the end. 2018-07-25 10:17 Christos Zoulas * PR/23: Recognize JSON files 2018-07-25 10:17 Christos Zoulas * PR/18: file --mime-encoding should not print mime-type 2018-07-25 8:50 Christos Zoulas * release 5.34 2018-06-22 16:38 Christos Zoulas * Add Quad indirect offsets 2018-05-24 14:10 Christos Zoulas * Enable parsing of ELF dynamic sections to handle PIE better @ text @d3 1 a3 1 # $File: linux,v 1.65 2018/07/16 12:32:08 christos Exp $ a96 10 >0x400 long x version %d, >0x404 long x size %d pages, >1052 string \0 no label, >1052 string >\0 LABEL=%s, >0x40c belong x UUID=%08x >0x410 beshort x \b-%04x >0x412 beshort x \b-%04x >0x414 beshort x \b-%04x >0x416 belong x \b-%08x >0x41a beshort x \b%04x @ 1.1.1.13 log @2019-05-14 22:26 Christos Zoulas * release 5.37 2019-05-09 22:27 Christos Zoulas * Make sure that continuation separators are printed with -k within softmagic 2019-05-06 22:27 Christos Zoulas * Change SIGPIPE saving and restoring during compression to use sigaction(2) instead of signal(3) and cache it. (Denys Vlasenko) * Cache stat(2) calls more to reduce number of calls (Denys Vlasenko) 2019-05-06 17:25 Christos Zoulas * PR/77: Handle --mime-type and -k correctly. 2019-05-03 15:26 Christos Zoulas * Switch decompression code to use vfork() because tools like rpmdiff and rpmbuild call libmagic with large process footprints (Denys Vlasenko) 2019-04-07 14:05 Christos Zoulas * PR/75: --enable-zlib, did not work. 2019-02-27 11:54 Christos Zoulas * Improve regex efficiency (Michael Schroeder) by: 1. Prefixing regex searches with regular search for keywords where possible 2. Using memmem(3) where available @ text @d3 1 a3 1 # $File: linux,v 1.67 2019/04/19 00:42:27 christos Exp $ d59 1 a59 1 # See: https://www.win.tue.nl/~aeb/linux/kbd/font-formats-1.html d82 1 a82 1 # https://etbe.coker.com.au/2008/07/08/label-vs-uuid-vs-device/ a113 1 # URL: https://www.kernel.org/doc/Documentation/x86/boot.txt a115 4 # often no extension like in linux, vmlinuz, bzimage or memdisk but sometimes # Acronis Recovery kernel64.dat and Plop Boot Manager plpbtrom.bin # DamnSmallLinux 1.5 damnsmll.lnx !:ext /dat/bin/lnx a205 1 # Update: Joerg Jenderek a206 2 # raspian "kernel7.img", Vu+ Ultimo4K "kernel_auto.bin" !:ext img/bin d235 1 a235 1 # https://www.syslinux.org/wiki/index.php/SYSLINUX#Display_graphic_from_filename: d364 1 a364 1 # See https://www.freedesktop.org/wiki/Software/systemd/journal-files/. d456 1 a456 1 # Format docs: https://linux.die.net/man/5/mlocate.db d472 1 a472 1 # URL: https://criu.org d479 1 a479 1 # https://sourceforge.net/p/makedumpfile/code/ci/master/tree/IMPLEMENTATION @ 1.1.1.14 log @Import 5.38: - Always accept -S (no sandbox) even if we don't support sandboxing - More syscalls elided for sandboxiing - For ELF dynamic means having an interpreter not just PT_DYNAMIC - Check for large ELF session header offset - When saving and restoring a locale, keep the locale name in our own storage. - Add a flag to disable CSV file detection. - Don't pass NULL/0 to memset to appease sanitizers. - Avoid spurious prints when looks for extensions or apple strings in fsmagic. - Add builtin decompressors for xz and and bzip. - Add a limit for the number of CDF elements. - More checks for overflow in CDF. @ text @d3 1 a3 1 # $File: linux,v 1.68 2019/09/11 21:20:56 christos Exp $ a496 5 # Device Tree files 0 search/1024 /dts-v1/ Device Tree File (v1) # beat c code !:strength +14 @ 1.1.1.15 log @Import 5.39: * Remove unused subtype_mime (Steve Grubb) * Remove unused check in okstat (Steve Grubb) * Fix mime-type in elf binaries by making sure $x is set * Fix indirect negative offsets broken by OFFNEGATIVE * Fix GUID equality check * PR/165: Handle empty array and strings in JSON * PR/162: Add --exclude-quiet * Fix memory leak in ascmagic (Steve Grubb) * Fix string comparison length with ignore whitespace * Fix mingwin 64 compilation * PR/159: whitelist getpid needed for file_pipe2file() * Indicate negative offsets with a flag OFFNEGATIVE so that -0 works. * Introduce "offset" magic type that can be used to detect the file size, and bail on short files. * document DER better in the magic man page. * fix memory leaks (SonarQube) * rewrite confusing loops (SonarQube) * fix bogus test (SonarQube) * pass a sized buffer to file_fmttime() (SonarQube) * Don't allow * in printf formats, or the code itself (Christoph Biedl) * Introduce a printf output size checker to avoid DoS attacks * Avoid memory leak on error (oss-fuzz) * Check length of string on DER before derefercing and add new types * Add missing DER string (oss-fuzz) * Add missing DER types, and debugging * PR/140: Avoid abort with hand-crafted magic file (gockelhahn) * PR/139: Avoid DoS in printf with hand-crafted magic file (gockelhahn) * PR/138: Avoid crash with hand-crafted magic file (gockelhahn) * PR/136: Fix static build by adding a libmagic.pc (Fabrice Fontaine) * add guid support native support via the "guid" type. @ text @d3 1 a3 1 # $File: linux,v 1.72 2020/06/07 21:56:13 christos Exp $ d73 35 a107 63 # Linux swap and hibernate files # Linux kernel: include/linux/swap.h # util-linux: libblkid/src/superblocks/swap.c # format v0, unsupported since 2002 0xff6 string SWAP-SPACE Linux old swap file, 4k page size 0x1ff6 string SWAP-SPACE Linux old swap file, 8k page size 0x3ff6 string SWAP-SPACE Linux old swap file, 16k page size 0x7ff6 string SWAP-SPACE Linux old swap file, 32k page size 0xfff6 string SWAP-SPACE Linux old swap file, 64k page size # format v1, supported since 1998 0 name linux-swap >0x400 lelong 1 little endian, version %u, >>0x404 lelong x size %u pages, >>0x408 lelong x %u bad pages, >0x400 belong 1 big endian, version %u, >>0x404 belong x size %u pages, >>0x408 belong x %u bad pages, >0x41c string \0 no label, >0x41c string >\0 LABEL=%s, >0x40c belong x UUID=%08x >0x410 beshort x \b-%04x >0x412 beshort x \b-%04x >0x414 beshort x \b-%04x >0x416 belong x \b-%08x >0x41a beshort x \b%04x 0xff6 string SWAPSPACE2 Linux swap file, 4k page size, >0 use linux-swap 0x1ff6 string SWAPSPACE2 Linux swap file, 8k page size, >0 use linux-swap 0x3ff6 string SWAPSPACE2 Linux swap file, 16k page size, >0 use linux-swap 0x7ff6 string SWAPSPACE2 Linux swap file, 32k page size, >0 use linux-swap 0xfff6 string SWAPSPACE2 Linux swap file, 64k page size, >0 use linux-swap 0 name linux-hibernate >0 string S1SUSPEND \b, with SWSUSP1 image >0 string S2SUSPEND \b, with SWSUSP2 image >0 string ULSUSPEND \b, with uswsusp image >0 string LINHIB0001 \b, with compressed hibernate image >0 string \xed\xc3\x02\xe9\x98\x56\xe5\x0c \b, with tuxonice image >0 default x \b, with unknown hibernate image 0xfec string SWAPSPACE2 Linux swap file, 4k page size, >0 use linux-swap >0xff6 use linux-hibernate 0x1fec string SWAPSPACE2 Linux swap file, 8k page size, >0 use linux-swap >0x1ff6 use linux-hibernate 0x3fec string SWAPSPACE2 Linux swap file, 16k page size, >0 use linux-swap >0x3ff6 use linux-hibernate 0x7fec string SWAPSPACE2 Linux swap file, 32k page size, >0 use linux-swap >0x7ff6 use linux-hibernate 0xffec string SWAPSPACE2 Linux swap file, 64k page size, >0 use linux-swap >0xfff6 use linux-hibernate a208 1 ############################################################################ d212 1 a212 7 0x24 lelong 0x016f2818 Linux kernel ARM boot executable zImage # There are three posible situations: LE, BE with LE bootloader and pure BE. # In order to aid telling these apart a new endian flag was added. In order # to support kernels before the flag and BE with LE bootloader was added we'll # do a negative check against the BE variant of the flag when we see a LE magic. >0x30 belong !0x04030201 (little-endian) >0x30 belong 0x04030201 (big-endian) d215 1 a215 10 0x24 belong 0x016f2818 Linux kernel ARM boot executable zImage (big-endian) ############################################################################ # Linux AARCH64 kernel image 0x38 lelong 0x644d5241 Linux kernel ARM64 boot executable Image >0x18 lelong ^1 \b, little-endian >0x18 lelong &1 \b, big-endian >0x18 lelong &2 \b, 4K pages >0x18 lelong &4 \b, 16K pages >0x18 lelong &6 \b, 32K pages d270 2 a271 2 0x0 string/b HM\001 LVM1 (Linux Logical Volume Manager), version 1 >0x12c string/b >\0 , System ID: %s d273 2 a274 2 0x0 string/b HM\002 LVM1 (Linux Logical Volume Manager), version 2 >0x12c string/b >\0 , System ID: %s a281 11 0 name lvm2 # display UUID in LVM format + display all 32 bytes (instead of max string length: 31) >0x0 string >\x2f \b, UUID: %.6s >0x6 string >\x2f \b-%.4s >0xa string >\x2f \b-%.4s >0xe string >\x2f \b-%.4s >0x12 string >\x2f \b-%.4s >0x16 string >\x2f \b-%.4s >0x1a string >\x2f \b-%.6s >0x20 lequad x \b, size: %lld d283 1 d286 10 a295 2 0x218 string/b LVM2\ 001 LVM2 PV (Linux Logical Volume Manager) >&(&-12.l-0x20) use lvm2 d297 11 a307 2 0x018 string/b LVM2\ 001 LVM2 PV (Linux Logical Volume Manager) >&(&-12.l-0x20) use lvm2 d309 11 a319 2 0x418 string/b LVM2\ 001 LVM2 PV (Linux Logical Volume Manager) >&(&-12.l-0x20) use lvm2 d321 11 a331 2 0x618 string/b LVM2\ 001 LVM2 PV (Linux Logical Volume Manager) >&(&-12.l-0x20) use lvm2 @ 1.1.1.16 log @2021-03-30 20:21 Christos Zoulas * release 5.40 2021-02-05 16:31 Christos Zoulas * PR/234: Add limit to the number of bytes to scan for encoding * PR/230: Fix /T (trim flag) for regex 2021-02-01 12:31 Christos Zoulas * PR/77: Trim trailing separator. 2020-12-17 15:44 Christos Zoulas * PR/211: Convert system read errors from corrupt ELF files into human readable error messages 2020-12-08 16:24 Christos Zoulas * fix multithreaded decompression file descriptor issue by using close-on-exec (Denys Vlasenko) 2020-06-27 11:58 Christos Zoulas * Exclude surrogate pairs from utf-8 detection (Michael Liu) 2020-06-25 12:53 Christos Zoulas * Include # to the list of ignored format chars (Werner Fink) @ text @d3 1 a3 1 # $File: linux,v 1.77 2021/02/24 23:05:02 christos Exp $ d242 1 a242 1 # There are three possible situations: LE, BE with LE bootloader and pure BE. d247 1 a249 1 >0x30 belong 0x04030201 (big-endian) d441 1 a441 1 # structure must be within blob, strings are omitted to handle devicetrees > 1M d443 9 a451 8 >>20 belong >1 Device Tree Blob version %d >>>4 belong x \b, size=%d >>>20 belong >1 >>>>28 belong x \b, boot CPU=%d >>>20 belong >2 >>>>32 belong x \b, string block size=%d >>>20 belong >16 >>>>36 belong x \b, DT structure block size=%d a520 18 # e2fsck undo file # David Gilman 0 string E2UNDO02 e2fsck undo file, version 2 >44 lelong x \b, undo file is >>44 lelong&1 0 not finished >>44 lelong&1 1 finished >48 lelong x \b, undo file features: >>48 lelong&1 0 lacks filesystem offset >>48 lelong&1 1 has filesystem offset >>>64 lequad x at 0x%llx # ansible vault (does not really belong here) 0 string $ANSIBLE_VAULT; Ansible Vault >&0 regex [0-9]*\.[0-9]* \b, version %s >>&0 string ; >>>&0 regex [A-Z0-9]* \b, encryption %s @ 1.1.1.17 log @Import file-5.43+; last was file-5.40 2022-09-20 17:12 Christos Zoulas * fixed various clustefuzz issues 2022-09-19 15:54 Christos Zoulas * Fix error detection for decompression code (Vincent Mihalkovic) 2022-09-15 13:50 Christos Zoulas * Add MAGIC_NO_COMPRESS_FORK and use it to produce a more meaningful error message if we are sandboxing. 2022-09-15 10:45 Christos Zoulas * Add built-in lzip decompression support (Michal Gorny) 2022-09-14 10:35 Christos Zoulas * Add built-in zstd decompression support (Martin Rodriguez Reboredo) 2022-09-13 14:55 Christos Zoulas * release 5.43 2022-09-10 9:17 Christos Zoulas * Add octal indirect magic (Michal Gorny) 2022-08-17 11:43 Christos Zoulas * PR/374: avoid infinite loop in non-wide code (piru) * PR/373: Obey MAGIC_CONTINUE with multiple magic files (vismarli) 2022-07-26 11:10 Christos Zoulas * Fix bug with large flist (Florian Weimer) 2022-07-07 13:21 Christos Zoulas * PR/364: Detect non-nul-terminated core filenames from QEMU (mam-ableton) 2022-07-04 15:45 Christos Zoulas * PR/359: Add support for http://ndjson.org/ (darose) * PR/362: Fix wide printing (ro-ee) * PR/358: Fix width for -f - (jpalus) * PR/356: Fix JSON constant parsing (davewhite) 2022-06-10 9:40 Christos Zoulas * release 5.42 2022-05-31 14:50 Christos Zoulas * PR/348: add missing cases to prevent file from aborting on random magic files. 2022-05-27 21:05 Christos Zoulas * PR/351: octalify filenames when not raw before printing. 2022-04-18 17:51 Christos Zoulas * fix regex cacheing bug (Dirk Mueller) * merge file_regcomp and file_regerror() to simplify the code and reduce memory requirements for storing regexes (Dirk Mueller) 2022-03-19 12:56 Christos Zoulas * cache regex (Dirk Mueller) * detect filesystem full by flushing output (Dirk Mueller) 2021-11-19 12:36 Christos Zoulas * implement running decompressor programs using posix_spawnp(2) instead of vfork(2) 2021-10-24 11:51 Christos Zoulas * Add support for msdos dates and times 2021-10-20 9:55 Christos Zoulas * use the system byte swapping functions if available (Werner Fink) 2021-10-18 11:57 Christos Zoulas * release 5.41 2021-09-23 03:51 Christos Zoulas * Avinash Sonawane: Fix tzname detection 2021-09-03 09:17 Christos Zoulas * Fix relationship tests with "search" magic, don't short circuit logic 2021-07-13 01:06 Christos Zoulas * Fix memory leak in compile mode 2021-07-01 03:51 Christos Zoulas * PR/272: kiefermat: Only set returnval = 1 when we printed something (in all cases print or !print). This simplifies the logic and fixes the issue in the PR with -k and --mime-type there was no continuation printed before the default case. 2021-06-30 13:07 Christos Zoulas * PR/270: Don't translate unprintable characters in %s magic formats when -r * PR/269: Avoid undefined behavior with clang (adding offset to NULL) 2021-05-09 18:38 Christos Zoulas * Add a new flag (f) that requires that the match is a full word, not a partial word match. * Add varint types (unused) 2021-04-19 17:17 Christos Zoulas * PR/256: mutableVoid: If the file is less than 3 bytes, use the file length to determine type * PR/259: aleksandr.v.novichkov: mime printing through indirect magic is not taken into account, use match directly so that it does. 2021-04-04 17:02 Christos Zoulas * count the total bytes found not the total byte positions in order to determine encoding (Anatol Belski) @ text @d3 1 a3 1 # $File: linux,v 1.82 2022/09/07 11:23:44 christos Exp $ d86 14 a99 14 >0x400 lelong 1 little endian, version %u, >>0x404 lelong x size %u pages, >>0x408 lelong x %u bad pages, >0x400 belong 1 big endian, version %u, >>0x404 belong x size %u pages, >>0x408 belong x %u bad pages, >0x41c string \0 no label, >0x41c string >\0 LABEL=%s, >0x40c ubelong x UUID=%08x >0x410 ubeshort x \b-%04x >0x412 ubeshort x \b-%04x >0x414 ubeshort x \b-%04x >0x416 ubelong x \b-%08x >0x41a ubeshort x \b%04x d157 2 a158 2 >>508 leshort >0 root_dev %#X, >>502 leshort >0 swap_dev %#X, d194 2 a195 2 >>502 leshort >0 swap=%#X >>508 leshort >0 root=%#X d367 10 d531 1 a531 1 >>>64 lequad x at %#llx d535 1 a535 1 >&0 regex [0-9]+\\.[0-9]+ \b, version %s d537 1 a537 22 >>>&0 regex [A-Z0-9]+ \b, encryption %s # From: Joerg Jenderek # URL: https://www.gnu.org/software/grub # Reference: https://ftp.gnu.org/gnu/grub/grub-2.06.tar.gz # grub-2.06/include/grub/keyboard_layouts.h # grub-2.06/grub-core/commands/keylayouts.c # GRUB_KEYBOARD_LAYOUTS_FILEMAGIC 0 string GRUBLAYO GRUB Keyboard !:mime application/x-grub-keyboard !:ext gkb # GRUB_KEYBOARD_LAYOUTS_VERSION like: 10 >8 ulelong !10 \b, version %u # 4 grub_uint32_t grub_keyboard_layout[160] # for normal french keyboard this is letter a >92 ubyte !0x71 >>92 ubyte >0x40 \b, english q is %c #>732 ubyte x \b, english Q is %c # for normal german keyboard this is letter z >124 ubyte !0x79 >>124 ubyte >0x40 \b, english y is %c #>764 ubyte x \b, english Y is %c @ 1.1.1.18 log @Update to file-5.45 (Last was file-5.44) 2023-07-27 15:45 Christos Zoulas * release 5.45 2023-07-17 11:53 Christos Zoulas * PR/465: psrok1: Avoid muslc asctime_r crash 2023-05-21 13:05 Christos Zoulas * add SIMH tape format support 2023-02-09 12:50 Christos Zoulas * bump the max size of the elf section notes to be read to 128K and make it configurable 2023-01-08 1:08 Christos Zoulas * PR/415: Fix decompression with program returning empty 2022-12-26 1:47 Christos Zoulas * PR/408: fix -p with seccomp * PR/412: fix MinGW compilation @ text @d3 1 a3 1 # $File: linux,v 1.85 2023/07/17 14:40:09 christos Exp $ d70 2 a71 2 >28 lelong x %d >24 lelong x \bx%d d383 2 a384 6 # Update: Joerg Jenderek # URL: https://systemd.io/JOURNAL_FILE_FORMAT/ # Reference: http://mark0.net/download/triddefs_xml.7z/defs/j/journal-sysd.trid.xml # Note: called "systemd journal" by TrID # verified by `journalctl --file=user-1000.journal` # check magic signature[8] a386 1 # STATE_OFFLINE~0 STATE_ONLINE~1 STATE_ARCHIVED~2 a388 1 # file_id a390 1 # machine_id a392 1 # boot_id; last writer d395 1 a395 2 #!:mime application/octet-stream !:mime application/x-linux-journal a396 2 # head_entry_realtime; contains a POSIX timestamp stored in microseconds >>>>>>>>184 leqdate/1000000 !0 \b, %s d398 2 a399 22 # If a file is closed after writing the state field should be set to STATE_OFFLINE >>>>>>>>16 ubyte 0 \b, # for offline and empty only journal~ extension found >>>>>>>>>184 leqdate 0 offline # https://man7.org/linux/man-pages/man8/systemd-journald.service.8.html # GRR: add char ~ inside parse_ext in ../../src/apprentice.c to avoid in file version 5.44 error like: # Magdir/linux, 463: Warning: EXTENSION type ` journal~' has bad char '~' !:ext journal~ # for offline and non empty often *.journal~ but also user-1001.journal >>>>>>>>>184 leqdate !0 offline !:ext journal/journal~ # if a file is opened for writing the state field should be set to STATE_ONLINE >>>>>>>>16 ubyte 1 \b, # for online and empty only journal~ extension found >>>>>>>>>184 leqdate 0 online # system@@0005febee06e2ff2-f7ea54d10e4346ff.journal~ !:ext journal~ # for online and non empty only journal extension found >>>>>>>>>184 leqdate !0 online # system.journal user-1000.journal !:ext journal # after a file has been rotated it should be set to STATE_ARCHIVED a400 4 !:ext journal # no *.journal~ found #!:ext journal/journal~ # compatible_flags a401 2 # incompatible_flags; COMPRESSED_XZ~1 COMPRESSED_LZ4~2 KEYED_HASH~4 COMPRESSED_ZSTD~8 COMPACT~16 #>>>>>>>>12 ulelong x FLAGS=%#x a402 33 >>>>>>>>12 ulelong&2 !0 \b, compressed lz4 >>>>>>>>12 ulelong&4 !0 \b, keyed hash siphash24 >>>>>>>>12 ulelong&8 !0 \b, compressed zstd >>>>>>>>12 ulelong&16 !0 \b, compact # uint8_t reserved[7]; apparently nil #>>17 long !0 \b, reserved %#8.8x # seqnum_id; like: 0 e623691afec94b5aa968ae2d726c49cc f98b2af481924b29 8d6816ca3639edc6 #>>>>>>>>72 ubequad x \b, seqnum_id %#16.16llx #>>>>>>>>80 ubequad x b%16.16llx # header_size like: 100h >>>>>>>>88 ulequad !0x100h \b, header size %#llx # arena_size like: 0 7fff00h ffff00h 17fff00h #>>>>>>>>96 ulequad >0 \b, arena size %#llx # data_hash_table_offset like: 0 15f0h 15f0h #>>>>>>>>104 ulequad >0 \b, hash table offset %#llx # data_hash_table_size like: 0 38e380h #>>>>>>>>112 ulequad >0 \b, hash table size %#llx # field_hash_table_offset like: 0 110h #>>>>>>>>120 ulequad >0 \b, field hash table offset %#llx # field_hash_table_size like: 0 14d0h #>>>>>>>>128 ulequad >0 \b, field hash table size %#llx # tail_object_offset like: 0 43edd8h 511278h c68968h d487d0h efaa98h #>>>>>>>>136 ulequad >0 \b, tail object offset %#llx # n_objects like: 0 1032h 5a2eh 92bdh a8b5h aa75h 112adh 40c23h 4714eh #>>>>>>>>144 ulequad >0 \b, objects %#llx # n_entries like: 0 3aeh 235ah 2dc4h 3125h 16129h 187a1h >>>>>>>>152 ulequad >0 \b, entries %#llx # tail_entry_seqnum like: 0 1988h 16249h 24c12h 24c12h 41e64h 9fefdh #>>>>>>>>160 ulequad >0 \b, tail entry seqnum %#llx # head_entry_seqnum like: 0 1h 15dbh 6552h 213bfh 213bfh 3e672h 9a28ah #>>>>>>>>168 ulequad >0 \b, head entry seqnum %#llx # entry_array_offset like: 0 390058h 3909d8h 3909e0h #>>>>>>>>176 ulequad >0 \b, entry array offset %#llx d495 1 a495 4 # https://github.com/makedumpfile/makedumpfile/blob/master/IMPLEMENTATION 0 string KDUMP\x20\x20\x20 Kdump compressed dump >0 use kdump-compressed-dump d497 1 a497 1 0 name kdump-compressed-dump a505 6 # Flattened format 0 string makedumpfile >16 bequad 1 >>0x1010 string KDUMP\x20\x20\x20 Flattened kdump compressed dump >>>0x1010 use kdump-compressed-dump @ 1.1.1.1.2.1 log @file linux was added on branch jym-xensuspend on 2009-05-13 18:51:57 +0000 @ text @d1 264 @ 1.1.1.1.2.2 log @Sync with HEAD. Second commit. See http://mail-index.netbsd.org/source-changes/2009/05/13/msg221222.html @ text @a0 264 #------------------------------------------------------------------------------ # linux: file(1) magic for Linux files # # Values for Linux/i386 binaries, from Daniel Quinlan # The following basic Linux magic is useful for reference, but using # "long" magic is a better practice in order to avoid collisions. # # 2 leshort 100 Linux/i386 # >0 leshort 0407 impure executable (OMAGIC) # >0 leshort 0410 pure executable (NMAGIC) # >0 leshort 0413 demand-paged executable (ZMAGIC) # >0 leshort 0314 demand-paged executable (QMAGIC) # 0 lelong 0x00640107 Linux/i386 impure executable (OMAGIC) >16 lelong 0 \b, stripped 0 lelong 0x00640108 Linux/i386 pure executable (NMAGIC) >16 lelong 0 \b, stripped 0 lelong 0x0064010b Linux/i386 demand-paged executable (ZMAGIC) >16 lelong 0 \b, stripped 0 lelong 0x006400cc Linux/i386 demand-paged executable (QMAGIC) >16 lelong 0 \b, stripped # 0 string \007\001\000 Linux/i386 object file >20 lelong >0x1020 \b, DLL library # Linux-8086 stuff: 0 string \01\03\020\04 Linux-8086 impure executable >28 long !0 not stripped 0 string \01\03\040\04 Linux-8086 executable >28 long !0 not stripped # 0 string \243\206\001\0 Linux-8086 object file # 0 string \01\03\020\20 Minix-386 impure executable >28 long !0 not stripped 0 string \01\03\040\20 Minix-386 executable >28 long !0 not stripped # core dump file, from Bill Reynolds 216 lelong 0421 Linux/i386 core file >220 string >\0 of '%s' >200 lelong >0 (signal %d) # # LILO boot/chain loaders, from Daniel Quinlan # this can be overridden by the DOS executable (COM) entry 2 string LILO Linux/i386 LILO boot/chain loader # # PSF fonts, from H. Peter Anvin 0 leshort 0x0436 Linux/i386 PC Screen Font data, >2 byte 0 256 characters, no directory, >2 byte 1 512 characters, no directory, >2 byte 2 256 characters, Unicode directory, >2 byte 3 512 characters, Unicode directory, >3 byte >0 8x%d # Linux swap file, from Daniel Quinlan 4086 string SWAP-SPACE Linux/i386 swap file # From: Jeff Bailey # Linux swap file with swsusp1 image, from Jeff Bailey 4076 string SWAPSPACE2S1SUSPEND Linux/i386 swap file (new style) with SWSUSP1 image # according to man page of mkswap (8) March 1999 4086 string SWAPSPACE2 Linux/i386 swap file (new style) >0x400 long x %d (4K pages) >0x404 long x size %d pages >>4086 string SWAPSPACE2 >>>1052 string >\0 Label %s # ECOFF magic for OSF/1 and Linux (only tested under Linux though) # # from Erik Troan (ewt@@redhat.com) examining od dumps, so this # could be wrong # updated by David Mosberger (davidm@@azstarnet.com) based on # GNU BFD and MIPS info found below. # 0 leshort 0x0183 ECOFF alpha >24 leshort 0407 executable >24 leshort 0410 pure >24 leshort 0413 demand paged >8 long >0 not stripped >8 long 0 stripped >23 leshort >0 - version %ld. # # Linux kernel boot images, from Albert Cahalan # and others such as Axel Kohlmeyer # and Nicolás Lichtmaier # All known start with: b8 c0 07 8e d8 b8 00 90 8e c0 b9 00 01 29 f6 29 # Linux kernel boot images (i386 arch) (Wolfram Kleff) 514 string HdrS Linux kernel >510 leshort 0xAA55 x86 boot executable >>518 leshort >0x1ff >>>529 byte 0 zImage, >>>529 byte 1 bzImage, >>>(526.s+0x200) string >\0 version %s, >>498 leshort 1 RO-rootFS, >>498 leshort 0 RW-rootFS, >>508 leshort >0 root_dev 0x%X, >>502 leshort >0 swap_dev 0x%X, >>504 leshort >0 RAMdisksize %u KB, >>506 leshort 0xFFFF Normal VGA >>506 leshort 0xFFFE Extended VGA >>506 leshort 0xFFFD Prompt for Videomode >>506 leshort >0 Video mode %d # This also matches new kernels, which were caught above by "HdrS". 0 belong 0xb8c0078e Linux kernel >0x1e3 string Loading version 1.3.79 or older >0x1e9 string Loading from prehistoric times # System.map files - Nicolás Lichtmaier 8 search/1 \ A\ _text Linux kernel symbol map text # LSM entries - Nicolás Lichtmaier 0 search/1 Begin3 Linux Software Map entry text 0 search/1 Begin4 Linux Software Map entry text (new format) # From Matt Zimmerman, enhanced for v3 by Matthew Palmer 0 belong 0x4f4f4f4d User-mode Linux COW file >4 belong <3 \b, version %d >>8 string >\0 \b, backing file %s >4 belong >2 \b, version %d >>32 string >\0 \b, backing file %s ############################################################################ # Linux kernel versions 0 string \xb8\xc0\x07\x8e\xd8\xb8\x00\x90 Linux >497 leshort 0 x86 boot sector >>514 belong 0x8e of a kernel from the dawn of time! >>514 belong 0x908ed8b4 version 0.99-1.1.42 >>514 belong 0x908ed8b8 for memtest86 >497 leshort !0 x86 kernel >>504 leshort >0 RAMdisksize=%u KB >>502 leshort >0 swap=0x%X >>508 leshort >0 root=0x%X >>>498 leshort 1 \b-ro >>>498 leshort 0 \b-rw >>506 leshort 0xFFFF vga=normal >>506 leshort 0xFFFE vga=extended >>506 leshort 0xFFFD vga=ask >>506 leshort >0 vga=%d >>514 belong 0x908ed881 version 1.1.43-1.1.45 >>514 belong 0x15b281cd >>>0xa8e belong 0x55AA5a5a version 1.1.46-1.2.13,1.3.0 >>>0xa99 belong 0x55AA5a5a version 1.3.1,2 >>>0xaa3 belong 0x55AA5a5a version 1.3.3-1.3.30 >>>0xaa6 belong 0x55AA5a5a version 1.3.31-1.3.41 >>>0xb2b belong 0x55AA5a5a version 1.3.42-1.3.45 >>>0xaf7 belong 0x55AA5a5a version 1.3.46-1.3.72 >>514 string HdrS >>>518 leshort >0x1FF >>>>529 byte 0 \b, zImage >>>>529 byte 1 \b, bzImage >>>>(526.s+0x200) string >\0 \b, version %s # Linux boot sector thefts. 0 belong 0xb8c0078e Linux >0x1e6 belong 0x454c4b53 ELKS Kernel >0x1e6 belong !0x454c4b53 style boot sector ############################################################################ # Linux 8086 executable 0 lelong&0xFF0000FF 0xC30000E9 Linux-Dev86 executable, headerless >5 string . >>4 string >\0 \b, libc version %s 0 lelong&0xFF00FFFF 0x4000301 Linux-8086 executable >2 byte&0x01 !0 \b, unmapped zero page >2 byte&0x20 0 \b, impure >2 byte&0x20 !0 >>2 byte&0x10 !0 \b, A_EXEC >2 byte&0x02 !0 \b, A_PAL >2 byte&0x04 !0 \b, A_NSYM >2 byte&0x08 !0 \b, A_STAND >2 byte&0x40 !0 \b, A_PURE >2 byte&0x80 !0 \b, A_TOVLY >28 long !0 \b, not stripped >37 string . >>36 string >\0 \b, libc version %s # 0 lelong&0xFF00FFFF 0x10000301 ld86 I80386 executable # 0 lelong&0xFF00FFFF 0xB000301 ld86 M68K executable # 0 lelong&0xFF00FFFF 0xC000301 ld86 NS16K executable # 0 lelong&0xFF00FFFF 0x17000301 ld86 SPARC executable # SYSLINUX boot logo files (from 'ppmtolss16' sources) # http://syslinux.zytor.com/ # 0 lelong =0x1413f33d SYSLINUX' LSS16 image data >4 leshort x \b, width %d >6 leshort x \b, height %d 0 string OOOM User-Mode-Linux's Copy-On-Write disk image >4 belong x version %d # SE Linux policy database # From: Mike Frysinger 0 lelong 0xf97cff8c SE Linux policy >16 lelong x v%d >20 lelong 1 MLS >24 lelong x %d symbols >28 lelong x %d ocons # Linux Logical Volume Manager (LVM) # Emmanuel VARAGNAT # # System ID, UUID and volume group name are 128 bytes long # but they should never be full and initialized with zeros... # # LVM1 # 0x0 string HM\001 LVM1 (Linux Logical Volume Manager), version 1 >0x12c string >\0 , System ID: %s 0x0 string HM\002 LVM1 (Linux Logical Volume Manager), version 2 >0x12c string >\0 , System ID: %s # LVM2 # # It seems that the label header can be in one the four first sector # of the disk... (from _find_labeller in lib/label/label.c of LVM2) # # 0x200 seems to be the common case 0x218 string LVM2\ 001 LVM2 (Linux Logical Volume Manager) # read the offset to add to the start of the header, and the header # start in 0x200 >(0x214.l+0x200) string >\0 , UUID: %s 0x018 string LVM2\ 001 LVM2 (Linux Logical Volume Manager) >(0x014.l) string >\0 , UUID: %s 0x418 string LVM2\ 001 LVM2 (Linux Logical Volume Manager) >(0x414.l+0x400) string >\0 , UUID: %s 0x618 string LVM2\ 001 LVM2 (Linux Logical Volume Manager) >(0x614.l+0x600) string >\0 , UUID: %s # LVM snapshot # from Jason Farrel 0 string SnAp LVM Snapshot (CopyOnWrite store) >4 lelong !0 - valid, >4 lelong 0 - invalid, >8 lelong x version %d, >12 lelong x chunk_size %d # SE Linux policy database 0 lelong 0xf97cff8c SE Linux policy >16 lelong x v%d >20 lelong 1 MLS >24 lelong x %d symbols >28 lelong x %d ocons # LUKS: Linux Unified Key Setup, On-Disk Format, http://luks.endorphin.org/spec # Anthon van der Neut (anthon@@mnt.org) 0 string LUKS\xba\xbe LUKS encrypted file, >6 beshort x ver %d >8 string x [%s, >40 string x %s, >72 string x %s] >168 string x UUID: %s # Summary: Xen saved domain file # Created by: Radek Vokal 0 string LinuxGuestRecord Xen saved domain >20 search/256 (name >>&1 string x (name %s) @