diff options
Diffstat (limited to 'magic/Magdir/windows')
-rw-r--r-- | magic/Magdir/windows | 318 |
1 files changed, 278 insertions, 40 deletions
diff --git a/magic/Magdir/windows b/magic/Magdir/windows index 3f7bded..169d4f8 100644 --- a/magic/Magdir/windows +++ b/magic/Magdir/windows @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: windows,v 1.10 2014/09/24 19:52:46 christos Exp $ +# $File: windows,v 1.16 2017/03/17 22:20:22 christos Exp $ # windows: file(1) magic for Microsoft Windows # # This file is mainly reserved for files where programs @@ -29,7 +29,7 @@ # Created by: Andreas Schuster (http://computer.forensikblog.de/) # Reference (1): http://computer.forensikblog.de/en/2008/02/64bit_magic.html # Modified by (1): Abel Cheung (Avoid match with first 4 bytes only) -0 string PAGE +0 string PAGE >4 string DUMP MS Windows 32bit crash dump >>0x05c byte 0 \b, no PAE >>0x05c byte 1 \b, PAE @@ -64,18 +64,156 @@ # Summary: Old format help files -# Extension: .hlp +# URL: https://en.wikipedia.org/wiki/WinHelp +# Reference: http://www.oocities.org/mwinterhoff/helpfile.htm +# Update: Joerg Jenderek # Created by: Dirk Jagdmann <doj@cubic.org> -0 lelong 0x00035f3f MS Windows 3.x help file +# +# check and then display version and date inside MS Windows HeLP file fragment +0 name help-ver-date +# look for Magic of SYSTEMHEADER +>0 leshort 0x036C +# version Major 1 for right file fragment +>>4 leshort 1 Windows +# print non empty string above to avoid error message +# Warning: Current entry does not yet have a description for adding a MIME type +!:mime application/winhelp +!:ext hlp +# version Minor of help file format is hint for windows version +>>>2 leshort 0x0F 3.x +>>>2 leshort 0x15 3.0 +>>>2 leshort 0x21 3.1 +>>>2 leshort 0x27 x.y +>>>2 leshort 0x33 95 +>>>2 default x y.z +>>>>2 leshort x 0x%x +# to complete message string like "MS Windows 3.x help file" +>>>2 leshort x help +# GenDate often older than file creation date +>>>6 ldate x \b, %s +# +# Magic for HeLP files +0 lelong 0x00035f3f +# ./windows (version 5.25) labeled the entry as "MS Windows 3.x help file" +# file header magic 0x293B at DirectoryStart+9 +>(4.l+9) uleshort 0x293B MS +# look for @VERSION bmf.. like IBMAVW.ANN +>>0xD4 string =\x62\x6D\x66\x01\x00 Windows help annotation +!:mime application/x-winhelp +!:ext ann +>>0xD4 string !\x62\x6D\x66\x01\x00 +# "GID Help index" by TrID +>>>(4.l+0x65) string =|Pete Windows help Global Index +!:mime application/x-winhelp +!:ext gid +# HeLP Bookmark or +# "Windows HELP File" by TrID +>>>(4.l+0x65) string !|Pete +# maybe there exist a cleaner way to detect HeLP fragments +# brute search for Magic 0x036C with matching Major maximal 7 iterations +# discapp.hlp +>>>>16 search/0x49AF/s \x6c\x03 +>>>>>&0 use help-ver-date +>>>>>&4 leshort !1 +# putty.hlp +>>>>>>&0 search/0x69AF/s \x6c\x03 +>>>>>>>&0 use help-ver-date +>>>>>>>&4 leshort !1 +>>>>>>>>&0 search/0x49AF/s \x6c\x03 +>>>>>>>>>&0 use help-ver-date +>>>>>>>>>&4 leshort !1 +>>>>>>>>>>&0 search/0x49AF/s \x6c\x03 +>>>>>>>>>>>&0 use help-ver-date +>>>>>>>>>>>&4 leshort !1 +>>>>>>>>>>>>&0 search/0x49AF/s \x6c\x03 +>>>>>>>>>>>>>&0 use help-ver-date +>>>>>>>>>>>>>&4 leshort !1 +>>>>>>>>>>>>>>&0 search/0x49AF/s \x6c\x03 +>>>>>>>>>>>>>>>&0 use help-ver-date +>>>>>>>>>>>>>>>&4 leshort !1 +>>>>>>>>>>>>>>>>&0 search/0x49AF/s \x6c\x03 +# GCC.HLP is detected after 7 iterations +>>>>>>>>>>>>>>>>>&0 use help-ver-date +# this only happens if bigger hlp file is detected after used search iterations +>>>>>>>>>>>>>>>>>&4 leshort !1 Windows y.z help +!:mime application/winhelp +!:ext hlp +# repeat search again or following default line does not work +>>>>16 search/0x49AF/s \x6c\x03 +# remaining files should be HeLP Bookmark WinHlp32.BMK (XP 32-bit) or WinHlp32 (Windows 8.1 64-bit) +>>>>16 default x Windows help Bookmark +!:mime application/x-winhelp +!:ext /bmk +## FirstFreeBlock normally FFFFFFFFh 10h for *ANN +##>>8 lelong x \b, FirstFreeBlock 0x%8.8x +# EntireFileSize +>>12 lelong x \b, %d bytes +## ReservedSpace normally 042Fh AFh for *.ANN +#>>(4.l) lelong x \b, ReservedSpace 0x%8.8x +## UsedSpace normally 0426h A6h for *.ANN +#>>(4.l+4) lelong x \b, UsedSpace 0x%8.8x +## FileFlags normally 04... +#>>(4.l+5) lelong x \b, FileFlags 0x%8.8x +## file header magic 0x293B +#>>(4.l+9) uleshort x \b, file header magic 0x%4.4x +## file header Flags 0x0402 +#>>(4.l+11) uleshort x \b, file header Flags 0x%4.4x +## file header PageSize 0400h 80h for *.ANN +#>>(4.l+13) uleshort x \b, PageSize 0x%4.4x +## Structure[16] z4 +#>>(4.l+15) string >\0 \b, Structure_"%-.16s" +## MustBeZero 0 +#>>(4.l+31) uleshort x \b, MustBeZero 0x%4.4x +## PageSplits +#>>(4.l+33) uleshort x \b, PageSplits 0x%4.4x +## RootPage +#>>(4.l+35) uleshort x \b, RootPage 0x%4.4x +## MustBeNegOne 0xffff +#>>(4.l+37) uleshort x \b, MustBeNegOne 0x%4.4x +## TotalPages 1 +#>>(4.l+39) uleshort x \b, TotalPages 0x%4.4x +## NLevels 0x0001 +#>>(4.l+41) uleshort x \b, NLevels 0x%4.4x +## TotalBtreeEntries +#>>(4.l+43) ulelong x \b, TotalBtreeEntries 0x%8.8x +## pages of the B+ tree +#>>(4.l+47) ubequad x \b, PageStart 0x%16.16llx +# start with colon or semicolon for comment line like Back2Life.cnt +0 regex \^(:|;) +# look for first keyword Base +>0 search/45 :Base +>>&0 use cnt-name +# only solution to search again from beginning , because relative offsets changes when use is called +>0 search/45 :Base +>0 default x +# look for other keyword Title like in putty.cnt +>>0 search/45 :Title +>>>&0 use cnt-name +# +# display mime type and name of Windows help Content source +0 name cnt-name +# skip space at beginning +>0 string \040 +# name without extension and greater character or name with hlp extension +>>1 regex/c \^([^\xd>]*|.*\.hlp) MS Windows help file Content, based "%s" +!:mime text/plain +!:apple ????TEXT +!:ext cnt +# +# Windows creates an full text search from hlp file, if the user clicks the "Find" tab and enables keyword indexing +0 string tfMR MS Windows help Full Text Search index +!:mime application/x-winhelp-fts +!:ext fts +>16 string >\0 for "%s" # Summary: Hyper terminal # Extension: .ht # Created by: unknown -0 string HyperTerminal\ +0 string HyperTerminal\040 >15 string 1.0\ --\ HyperTerminal\ data\ file MS Windows HyperTerminal profile -# http://ithreats.files.wordpress.com/2009/05/\ +# http://ithreats.files.wordpress.com/2009/05/\040 # lnk_the_windows_shortcut_file_format.pdf # Summary: Windows shortcut # Extension: .lnk @@ -89,7 +227,7 @@ >20 lelong&16 16 \b, Has Working directory >20 lelong&32 32 \b, Has command line arguments >20 lelong&64 64 \b, Icon ->>56 lelong \b number=%d +>>56 lelong x \b number=%d >24 lelong&1 1 \b, Read-Only >24 lelong&2 2 \b, Hidden >24 lelong&4 4 \b, System @@ -155,7 +293,7 @@ # Extension: .reg # Submitted by: Abel Cheung <abelcheung@gmail.com> 0 string REGEDIT4\r\n\r\n Windows Registry text (Win95 or above) -0 string Windows\ Registry\ Editor\ +0 string Windows\ Registry\ Editor\040 >&0 string Version\ 5.00\r\n\r\n Windows Registry text (Win2K or above) # Windows *.INF *.INI files updated by Joerg Jenderek at Apr 2013 @@ -163,10 +301,10 @@ # PR/383: remove unicode BOM because it is not portable across regex impls 0 regex/s \\`(\\r\\n|;|[[]) # left bracket in section line ->&0 search/8192 [ +>&0 search/8192 [ # http://en.wikipedia.org/wiki/Autorun.inf # http://msdn.microsoft.com/en-us/library/windows/desktop/cc144200.aspx ->>&0 regex/c \^(autorun)]\r\n +>>&0 regex/c \^(autorun)]\r\n >>>&0 ubyte =0x5b INItialization configuration !:mime application/x-wine-extension-ini # From: Pal Tamas <folti@balabit.hu> @@ -205,31 +343,31 @@ # http://en.wikipedia.org/wiki/NTLDR Windows Boot Loader information >>&0 regex/c \^(boot\x20loader)] Windows boot.ini !:mime application/x-wine-extension-ini ->>>&0 ubyte x +>>>&0 ubyte x # http://en.wikipedia.org/wiki/CONFIG.SYS >>&0 regex/c \^(menu)]\r\n MS-DOS CONFIG.SYS # http://support.microsoft.com/kb/118579/ >>&0 regex/c \^(Paths)]\r\n MS-DOS MSDOS.SYS # VERS string unicoded case-independent ->>&0 ubequad&0xFFdfFFdfFFdfFFdf 0x0056004500520053 +>>&0 ubequad&0xFFdfFFdfFFdfFFdf 0x0056004500520053 # ION] string unicoded case-independent ->>>&0 ubequad&0xFFdfFFdfFFdfFFff 0x0049004f004e005d Windows setup INFormation +>>>&0 ubequad&0xFFdfFFdfFFdfFFff 0x0049004f004e005d Windows setup INFormation !:mime application/x-setupscript # STRI string unicoded case-independent ->>&0 ubequad&0xFFdfFFdfFFdfFFdf 0x0053005400520049 +>>&0 ubequad&0xFFdfFFdfFFdfFFdf 0x0053005400520049 # NGS] string unicoded case-independent ->>>&0 ubequad&0xFFdfFFdfFFdfFFff 0x004e00470053005D Windows setup INFormation +>>>&0 ubequad&0xFFdfFFdfFFdfFFff 0x004e00470053005D Windows setup INFormation !:mime application/x-setupscript # unknown keyword after opening bracket ->>&0 default x ->>>&0 search/8192 [ +>>&0 default x +>>>&0 search/8192 [ # version Strings FileIdentification ->>>>&0 string/c version Windows setup INFormation +>>>>&0 string/c version Windows setup INFormation !:mime application/x-setupscript # VERS string unicoded case-independent ->>>>&0 ubequad&0xFFdfFFdfFFdfFFdf 0x0056004500520053 +>>>>&0 ubequad&0xFFdfFFdfFFdfFFdf 0x0056004500520053 # ION] string unicoded case-independent ->>>>>&0 ubequad&0xFFdfFFdfFFdfFFff 0x0049004f004e005d Windows setup INFormation +>>>>>&0 ubequad&0xFFdfFFdfFFdfFFff 0x0049004f004e005d Windows setup INFormation !:mime application/x-setupscript # http://en.wikipedia.org/wiki/Initialization_file Windows Initialization File or other #>>>>&0 default x Generic INItialization configuration @@ -238,20 +376,21 @@ # Windows Precompiled INF files *.PNF added by Joerg Jenderek at Mar 2013 of _PNF_HEADER inf.h # http://read.pudn.com/downloads3/sourcecode/windows/248345/win2k/private/windows/setup/setupapi/inf.h__.htm # GRR: line below too general as it catches also PDP-11 UNIX/RT ldp -0 leshort&0xFeFe 0x0000 +0 leshort&0xFeFe 0x0000 +!:strength -5 # test for unused null bits in PNF_FLAGs ->4 ulelong&0xFCffFe00 0x00000000 +>4 ulelong&0xFCffFe00 0x00000000 # only found 58h for Offset of WinDirPath immediately after _PNF_HEADER structure ->>68 ulelong >0x57 +>>68 ulelong >0x57 # test for zero high byte of InfValueBlockSize, followed by WinDirPath like # C:\WINDOWS (ASCII 0x433a5c.. , unicode 0x43003a005c..) or X:\MININT >>>(68.l-1) ubelong&0xffE0C519 =0x00400018 Windows Precompiled iNF !:mime application/x-pnf # currently only found Major Version=1 and Minor Version=1 -#>>>>0 uleshort =0x0101 +#>>>>0 uleshort =0x0101 #>>>>>1 ubyte x \b, version %u #>>>>>0 ubyte x \b.%u ->>>>0 uleshort !0x0101 +>>>>0 uleshort !0x0101 >>>>>1 ubyte x \b, version %u >>>>>0 ubyte x \b.%u # 1 ,2 (windows 98 SE) @@ -277,10 +416,10 @@ #>>>>16 ulelong x \b, InfVersionDataSize 0x%x # only found positive values lower 0x00ffFFff for InfVersionDataOffset >>>>20 ulelong x \b, at 0x%x ->>>>4 ulelong&0x00000001 =0x00000001 -# case independent: CatalogFile Class DriverVer layoutfile LayoutFile SetupClass signature Signature +>>>>4 ulelong&0x00000001 =0x00000001 +# case independent: CatalogFile Class DriverVer layoutfile LayoutFile SetupClass signature Signature >>>>>(20.l) lestring16 x "%s" ->>>>4 ulelong&0x00000001 !0x00000001 +>>>>4 ulelong&0x00000001 !0x00000001 >>>>>(20.l) string x "%s" # FILETIME is number of 100-nanosecond intervals since 1 January 1601 #>>>>24 ulequad x \b, InfVersionLastWriteTime %16.16llx @@ -296,23 +435,23 @@ #>>>>64 ulelong x \b, InfValueBlockSize 0x%x # WinDirPathOffset #>>>>68 ulelong x \b, at 0x%x ->>>>68 ulelong >0x57 ->>>>>4 ulelong&0x00000001 =0x00000001 ->>>>>>(68.l) ubequad =0x43003a005c005700 +>>>>68 ulelong >0x57 +>>>>>4 ulelong&0x00000001 =0x00000001 +>>>>>>(68.l) ubequad =0x43003a005c005700 # normally unicoded C:\Windows #>>>>>>>(68.l) lestring16 x \b, WinDirPath "%s" ->>>>>>(68.l) ubequad !0x43003a005c005700 +>>>>>>(68.l) ubequad !0x43003a005c005700 >>>>>>>(68.l) lestring16 x \b, WinDirPath "%s" ->>>>>4 ulelong&0x00000001 !0x00000001 +>>>>>4 ulelong&0x00000001 !0x00000001 # normally ASCII C:\WINDOWS #>>>>>>(68.l) string =C:\\WINDOWS \b, WinDirPath "%s" >>>>>>(68.l) string !C:\\WINDOWS \b, WinDirPath "%s" -# found OsLoaderPathOffset values often 0 , once 70h corelist.PNF, once 68h ASCII machine.PNF +# found OsLoaderPathOffset values often 0 , once 70h corelist.PNF, once 68h ASCII machine.PNF #>>>>72 ulelong >0 \b, at 0x%x >>>>72 ulelong >0 \b, ->>>>>4 ulelong&0x00000001 =0x00000001 +>>>>>4 ulelong&0x00000001 =0x00000001 >>>>>>(72.l) lestring16 x OsLoaderPath "%s" ->>>>>4 ulelong&0x00000001 !0x00000001 +>>>>>4 ulelong&0x00000001 !0x00000001 # seldom C:\ instead empty >>>>>>(72.l) string x OsLoaderPath "%s" # 1fdh @@ -323,15 +462,114 @@ # InfSourcePathOffset often 0 #>>>>80 ulelong >0 \b, at 0x%x >>>>80 ulelong >0 \b, ->>>>>4 ulelong&0x00000001 =0x00000001 +>>>>>4 ulelong&0x00000001 =0x00000001 >>>>>>(80.l) lestring16 x SourcePath "%s" ->>>>>4 ulelong&0x00000001 !0x00000001 +>>>>>4 ulelong&0x00000001 !0x00000001 >>>>>>(80.l) string >\0 SourcePath "%s" # OriginalInfNameOffset often 0 #>>>>84 ulelong >0 \b, at 0x%x >>>>84 ulelong >0 \b, ->>>>>4 ulelong&0x00000001 =0x00000001 +>>>>>4 ulelong&0x00000001 =0x00000001 >>>>>>(84.l) lestring16 x InfName "%s" ->>>>>4 ulelong&0x00000001 !0x00000001 +>>>>>4 ulelong&0x00000001 !0x00000001 >>>>>>(84.l) string >\0 InfName "%s" +# Summary: backup file created with utility like NTBACKUP.EXE shipped with Windows NT/2K/XP/2003 +# Extension: .bkf +# Created by: Joerg Jenderek +# URL: http://en.wikipedia.org/wiki/NTBackup +# Reference: http://laytongraphics.com/mtf/MTF_100a.PDF +# Descriptor BloCK name of Microsoft Tape Format +0 string TAPE +# Format Logical Address is zero +>20 ulequad 0 +# Reserved for MBC is zero +>>28 uleshort 0 +# Control Block ID is zero +>>>36 ulelong 0 +# BIT4-BIT15, BIT18-BIT31 of block attributes are unused +>>>>4 ulelong&0xFFfcFFe0 0 Windows NTbackup archive +#!:mime application/x-ntbackup +!:ext bkf +# OS ID +>>>>>10 ubyte 1 \b NetWare +>>>>>10 ubyte 13 \b NetWare SMS +>>>>>10 ubyte 14 \b NT +>>>>>10 ubyte 24 \b 3 +>>>>>10 ubyte 25 \b OS/2 +>>>>>10 ubyte 26 \b 95 +>>>>>10 ubyte 27 \b Macintosh +>>>>>10 ubyte 28 \b UNIX +# OS Version (2) +#>>>>>11 ubyte x OS V=%x +# MTF_CONTINUATION Media Sequence Number > 1 +#>>>>>4 ulelong&0x00000001 !0 \b, continued +# MTF_COMPRESSION +>>>>>4 ulelong&0x00000004 !0 \b, compressed +# MTF_EOS_AT_EOM End Of Medium was hit during end of set processing +>>>>>4 ulelong&0x00000008 !0 \b, End Of Medium hit +>>>>>4 ulelong&0x00020000 0 +# MTF_SET_MAP_EXISTS A Media Based Catalog Set Map may exist on tape +>>>>>>4 ulelong&0x00010000 !0 \b, with catalog +# MTF_FDD_ALLOWED However File/Directory Detail can only exist if a Set Map is also present +>>>>>4 ulelong&0x00020000 !0 \b, with file catalog +# Offset To First Event 238h,240h,28Ch +#>>>>>8 uleshort x \b, event offset %4.4x +# Displayable Size (20e0230h 20e024ch 20e0224h) +#>>>>>8 ulequad x dis. size %16.16llx +# Media Family ID (455288C4h 4570BD1Ah 45708F2Fh 4570BBF5h) +#>>>>>52 ulelong x family ID %8.8x +# TAPE Attributes (3) +#>>>>>56 ulelong x TAPE %8.8x +# Media Sequence Number +>>>>>60 uleshort >1 \b, sequence %u +# Password Encryption Algorithm (3) +>>>>>62 uleshort >0 \b, 0x%x encrypted +# Soft Filemark Block Size * 512 (2) +#>>>>>64 uleshort =2 \b, soft size %u*512 +>>>>>64 uleshort !2 \b, soft size %u*512 +# Media Based Catalog Type (1,2) +#>>>>>66 uleshort x \b, catalog type %4.4x +# size of Media Name (66,68,6Eh) +>>>>>68 uleshort >0 +# offset of Media Name (5Eh) +>>>>>>70 uleshort >0 +# 0~, 1~ANSI, 2~UNICODE +>>>>>>>48 ubyte 1 +# size terminated ansi coded string normally followed by "MTF Media Label" +>>>>>>>>(70.s) string >\0 \b, name: %s +>>>>>>>48 ubyte 2 +# Not null, but size terminated unicoded string +>>>>>>>>(70.s) lestring16 x \b, name: %s +# size of Media Label (104h) +>>>>>72 uleshort >0 +# offset of Media Label (C4h,C6h,CCh) +>>>>>74 uleshort >0 +>>>>>>48 ubyte 1 +#Tag|Version|Vendor|Vendor ID|Creation Time Stamp|Cartridge Label|Side|Media ID|Media Domain ID|Vendor Specific fields +>>>>>>>(74.s) string >\0 \b, label: %s +>>>>>>48 ubyte 2 +>>>>>>>(74.s) lestring16 x \b, label: %s +# size of password name (0,1Ch) +#>>>>>76 uleshort >0 \b, password size %4.4x +# Software Vendor ID (CBEh) +>>>>>86 uleshort x \b, software (0x%x) +# size of Software Name (6Eh) +>>>>>80 uleshort >0 +# offset of Software Name (1C8h,1CAh,1D0h) +>>>>>>82 uleshort >0 +# 1~ANSI, 2~UNICODE +>>>>>>>48 ubyte 1 +>>>>>>>>(82.s) string >\0 \b: %s +>>>>>>>48 ubyte 2 +# size terminated unicoded coded string normally followed by "SPAD" +>>>>>>>>(82.s) lestring16 x \b: %s +# Format Logical Block Size (512,1024) +#>>>>>84 uleshort =1024 \b, block size %u +>>>>>84 uleshort !1024 \b, block size %u +# Media Date of MTF_DATE_TIME type with 5 bytes +#>>>>>>88 ubequad x DATE %16.16llx +# MTF Major Version (1) +#>>>>>>93 ubyte x \b, MFT version %x +# + |