1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
#------------------------------------------------------------------------------
# $File: linux,v 1.47 2013/02/06 14:18:52 christos Exp $
# linux: file(1) magic for Linux files
#
# Values for Linux/i386 binaries, from Daniel Quinlan <quinlan@yggdrasil.com>
# The following basic Linux magic is useful for reference, but using
# "long" magic is a better practice in order to avoid collisions.
#
# 2 leshort 100 Linux/i386
# >0 leshort 0407 impure executable (OMAGIC)
# >0 leshort 0410 pure executable (NMAGIC)
# >0 leshort 0413 demand-paged executable (ZMAGIC)
# >0 leshort 0314 demand-paged executable (QMAGIC)
#
0 lelong 0x00640107 Linux/i386 impure executable (OMAGIC)
>16 lelong 0 \b, stripped
0 lelong 0x00640108 Linux/i386 pure executable (NMAGIC)
>16 lelong 0 \b, stripped
0 lelong 0x0064010b Linux/i386 demand-paged executable (ZMAGIC)
>16 lelong 0 \b, stripped
0 lelong 0x006400cc Linux/i386 demand-paged executable (QMAGIC)
>16 lelong 0 \b, stripped
#
0 string \007\001\000 Linux/i386 object file
>20 lelong >0x1020 \b, DLL library
# Linux-8086 stuff:
0 string \01\03\020\04 Linux-8086 impure executable
>28 long !0 not stripped
0 string \01\03\040\04 Linux-8086 executable
>28 long !0 not stripped
#
0 string \243\206\001\0 Linux-8086 object file
#
0 string \01\03\020\20 Minix-386 impure executable
>28 long !0 not stripped
0 string \01\03\040\20 Minix-386 executable
>28 long !0 not stripped
0 string \01\03\04\20 Minix-386 NSYM/GNU executable
>28 long !0 not stripped
# core dump file, from Bill Reynolds <bill@goshawk.lanl.gov>
216 lelong 0421 Linux/i386 core file
>220 string >\0 of '%s'
>200 lelong >0 (signal %d)
#
# LILO boot/chain loaders, from Daniel Quinlan <quinlan@yggdrasil.com>
# this can be overridden by the DOS executable (COM) entry
2 string LILO Linux/i386 LILO boot/chain loader
#
# Linux make config build file, from Ole Aamot <oka@oka.no>
28 string make\ config Linux make config build file
#
# PSF fonts, from H. Peter Anvin <hpa@yggdrasil.com>
# Updated by Adam Buchbinder <adam.buchbinder@gmail.com>
# See: http://www.win.tue.nl/~aeb/linux/kbd/font-formats-1.html
0 leshort 0x0436 Linux/i386 PC Screen Font v1 data,
>2 byte&0x01 0 256 characters,
>2 byte&0x01 !0 512 characters,
>2 byte&0x02 0 no directory,
>2 byte&0x02 !0 Unicode directory,
>3 byte >0 8x%d
0 string \x72\xb5\x4a\x86\x00\x00 Linux/i386 PC Screen Font v2 data,
>16 lelong x %d characters,
>12 lelong&0x01 0 no directory,
>12 lelong&0x01 !0 Unicode directory,
>24 lelong x %d
>28 lelong x \bx%d
# Linux swap file, from Daniel Quinlan <quinlan@yggdrasil.com>
4086 string SWAP-SPACE Linux/i386 swap file
# From: Jeff Bailey <jbailey@ubuntu.com>
# Linux swap file with swsusp1 image, from Jeff Bailey <jbailey@ubuntu.com>
4076 string SWAPSPACE2S1SUSPEND Linux/i386 swap file (new style) with SWSUSP1 image
# From: James Hunt <james.hunt@ubuntu.com>
4076 string SWAPSPACE2LINHIB0001 Linux/i386 swap file (new style) (compressed hibernate)
# according to man page of mkswap (8) March 1999
# volume label and UUID Russell Coker
# http://etbe.coker.com.au/2008/07/08/label-vs-uuid-vs-device/
4086 string SWAPSPACE2 Linux/i386 swap file (new style),
>0x400 long x version %d (4K pages),
>0x404 long x size %d pages,
>1052 string \0 no label,
>1052 string >\0 LABEL=%s,
>0x40c belong x UUID=%08x
>0x410 beshort x \b-%04x
>0x412 beshort x \b-%04x
>0x414 beshort x \b-%04x
>0x416 belong x \b-%08x
>0x41a beshort x \b%04x
# From Daniel Novotny <dnovotny@redhat.com>
# swap file for PowerPC
65526 string SWAPSPACE2 Linux/ppc swap file
16374 string SWAPSPACE2 Linux/ia64 swap file
#
# Linux kernel boot images, from Albert Cahalan <acahalan@cs.uml.edu>
# and others such as Axel Kohlmeyer <akohlmey@rincewind.chemie.uni-ulm.de>
# and Nicolas Lichtmaier <nick@debian.org>
# All known start with: b8 c0 07 8e d8 b8 00 90 8e c0 b9 00 01 29 f6 29
# Linux kernel boot images (i386 arch) (Wolfram Kleff)
514 string HdrS Linux kernel
!:strength + 5
>510 leshort 0xAA55 x86 boot executable
>>518 leshort >0x1ff
>>>529 byte 0 zImage,
>>>529 byte 1 bzImage,
>>>(526.s+0x200) string >\0 version %s,
>>498 leshort 1 RO-rootFS,
>>498 leshort 0 RW-rootFS,
>>508 leshort >0 root_dev 0x%X,
>>502 leshort >0 swap_dev 0x%X,
>>504 leshort >0 RAMdisksize %u KB,
>>506 leshort 0xFFFF Normal VGA
>>506 leshort 0xFFFE Extended VGA
>>506 leshort 0xFFFD Prompt for Videomode
>>506 leshort >0 Video mode %d
# This also matches new kernels, which were caught above by "HdrS".
0 belong 0xb8c0078e Linux kernel
>0x1e3 string Loading version 1.3.79 or older
>0x1e9 string Loading from prehistoric times
# System.map files - Nicolas Lichtmaier <nick@debian.org>
8 search/1 \ A\ _text Linux kernel symbol map text
# LSM entries - Nicolas Lichtmaier <nick@debian.org>
0 search/1 Begin3 Linux Software Map entry text
0 search/1 Begin4 Linux Software Map entry text (new format)
# From Matt Zimmerman, enhanced for v3 by Matthew Palmer
0 belong 0x4f4f4f4d User-mode Linux COW file
>4 belong <3 \b, version %d
>>8 string >\0 \b, backing file %s
>4 belong >2 \b, version %d
>>32 string >\0 \b, backing file %s
############################################################################
# Linux kernel versions
0 string \xb8\xc0\x07\x8e\xd8\xb8\x00\x90 Linux
>497 leshort 0 x86 boot sector
>>514 belong 0x8e of a kernel from the dawn of time!
>>514 belong 0x908ed8b4 version 0.99-1.1.42
>>514 belong 0x908ed8b8 for memtest86
>497 leshort !0 x86 kernel
>>504 leshort >0 RAMdisksize=%u KB
>>502 leshort >0 swap=0x%X
>>508 leshort >0 root=0x%X
>>>498 leshort 1 \b-ro
>>>498 leshort 0 \b-rw
>>506 leshort 0xFFFF vga=normal
>>506 leshort 0xFFFE vga=extended
>>506 leshort 0xFFFD vga=ask
>>506 leshort >0 vga=%d
>>514 belong 0x908ed881 version 1.1.43-1.1.45
>>514 belong 0x15b281cd
>>>0xa8e belong 0x55AA5a5a version 1.1.46-1.2.13,1.3.0
>>>0xa99 belong 0x55AA5a5a version 1.3.1,2
>>>0xaa3 belong 0x55AA5a5a version 1.3.3-1.3.30
>>>0xaa6 belong 0x55AA5a5a version 1.3.31-1.3.41
>>>0xb2b belong 0x55AA5a5a version 1.3.42-1.3.45
>>>0xaf7 belong 0x55AA5a5a version 1.3.46-1.3.72
>>514 string HdrS
>>>518 leshort >0x1FF
>>>>529 byte 0 \b, zImage
>>>>529 byte 1 \b, bzImage
>>>>(526.s+0x200) string >\0 \b, version %s
# Linux boot sector thefts.
0 belong 0xb8c0078e Linux
>0x1e6 belong 0x454c4b53 ELKS Kernel
>0x1e6 belong !0x454c4b53 style boot sector
############################################################################
# Linux S390 kernel image
# Created by: Jan Kaluza <jkaluza@redhat.com>
8 string \x02\x00\x00\x18\x60\x00\x00\x50\x02\x00\x00\x68\x60\x00\x00\x50\x40\x40\x40\x40\x40\x40\x40\x40 Linux S390
>0x00010000 search/b/4096 \x00\x0a\x00\x00\x8b\xad\xcc\xcc
# 64bit
>>&0 string \xc1\x00\xef\xe3\xf0\x68\x00\x00 Z10 64bit kernel
>>&0 string \xc1\x00\xef\xc3\x00\x00\x00\x00 Z9-109 64bit kernel
>>&0 string \xc0\x00\x20\x00\x00\x00\x00\x00 Z990 64bit kernel
>>&0 string \x00\x00\x00\x00\x00\x00\x00\x00 Z900 64bit kernel
# 32bit
>>&0 string \x81\x00\xc8\x80\x00\x00\x00\x00 Z10 32bit kernel
>>&0 string \x81\x00\xc8\x80\x00\x00\x00\x00 Z9-109 32bit kernel
>>&0 string \x80\x00\x20\x00\x00\x00\x00\x00 Z990 32bit kernel
>>&0 string \x80\x00\x00\x00\x00\x00\x00\x00 Z900 32bit kernel
# Linux ARM compressed kernel image
# From: Kevin Cernekee <cernekee@gmail.com>
36 lelong 0x016f2818 Linux kernel ARM boot executable zImage (little-endian)
36 belong 0x016f2818 Linux kernel ARM boot executable zImage (big-endian)
############################################################################
# Linux 8086 executable
0 lelong&0xFF0000FF 0xC30000E9 Linux-Dev86 executable, headerless
>5 string .
>>4 string >\0 \b, libc version %s
0 lelong&0xFF00FFFF 0x4000301 Linux-8086 executable
>2 byte&0x01 !0 \b, unmapped zero page
>2 byte&0x20 0 \b, impure
>2 byte&0x20 !0
>>2 byte&0x10 !0 \b, A_EXEC
>2 byte&0x02 !0 \b, A_PAL
>2 byte&0x04 !0 \b, A_NSYM
>2 byte&0x08 !0 \b, A_STAND
>2 byte&0x40 !0 \b, A_PURE
>2 byte&0x80 !0 \b, A_TOVLY
>28 long !0 \b, not stripped
>37 string .
>>36 string >\0 \b, libc version %s
# 0 lelong&0xFF00FFFF 0x10000301 ld86 I80386 executable
# 0 lelong&0xFF00FFFF 0xB000301 ld86 M68K executable
# 0 lelong&0xFF00FFFF 0xC000301 ld86 NS16K executable
# 0 lelong&0xFF00FFFF 0x17000301 ld86 SPARC executable
# SYSLINUX boot logo files (from 'ppmtolss16' sources)
# http://www.syslinux.org/wiki/index.php/SYSLINUX#Display_graphic_from_filename:
# file extension .lss .16
0 lelong =0x1413f33d SYSLINUX' LSS16 image data
# syslinux-4.05/mime/image/x-lss16.xml
!:mime image/x-lss16
>4 leshort x \b, width %d
>6 leshort x \b, height %d
0 string OOOM User-Mode-Linux's Copy-On-Write disk image
>4 belong x version %d
# SE Linux policy database
# From: Mike Frysinger <vapier@gentoo.org>
0 lelong 0xf97cff8c SE Linux policy
>16 lelong x v%d
>20 lelong 1 MLS
>24 lelong x %d symbols
>28 lelong x %d ocons
# Linux Logical Volume Manager (LVM)
# Emmanuel VARAGNAT <emmanuel.varagnat@guzu.net>
#
# System ID, UUID and volume group name are 128 bytes long
# but they should never be full and initialized with zeros...
#
# LVM1
#
0x0 string HM\001 LVM1 (Linux Logical Volume Manager), version 1
>0x12c string >\0 , System ID: %s
0x0 string HM\002 LVM1 (Linux Logical Volume Manager), version 2
>0x12c string >\0 , System ID: %s
# LVM2
#
# It seems that the label header can be in one the four first sector
# of the disk... (from _find_labeller in lib/label/label.c of LVM2)
#
# 0x200 seems to be the common case
0x218 string LVM2\ 001 LVM2 PV (Linux Logical Volume Manager)
# read the offset to add to the start of the header, and the header
# start in 0x200
>&(&-12.l-0x21) byte x
# display UUID in LVM format + display all 32 bytes (instead of max string length: 31)
>>&0x0 string >\x2f \b, UUID: %.6s
>>&0x6 string >\x2f \b-%.4s
>>&0xa string >\x2f \b-%.4s
>>&0xe string >\x2f \b-%.4s
>>&0x12 string >\x2f \b-%.4s
>>&0x16 string >\x2f \b-%.4s
>>&0x1a string >\x2f \b-%.6s
>>&0x20 lequad x \b, size: %lld
0x018 string LVM2\ 001 LVM2 PV (Linux Logical Volume Manager)
>&(&-12.l-0x21) byte x
# display UUID in LVM format + display all 32 bytes (instead of max string length: 31)
>>&0x0 string >\x2f \b, UUID: %.6s
>>&0x6 string >\x2f \b-%.4s
>>&0xa string >\x2f \b-%.4s
>>&0xe string >\x2f \b-%.4s
>>&0x12 string >\x2f \b-%.4s
>>&0x16 string >\x2f \b-%.4s
>>&0x1a string >\x2f \b-%.6s
>>&0x20 lequad x \b, size: %lld
0x418 string LVM2\ 001 LVM2 PV (Linux Logical Volume Manager)
>&(&-12.l-0x21) byte x
# display UUID in LVM format + display all 32 bytes (instead of max string length: 31)
>>&0x0 string >\x2f \b, UUID: %.6s
>>&0x6 string >\x2f \b-%.4s
>>&0xa string >\x2f \b-%.4s
>>&0xe string >\x2f \b-%.4s
>>&0x12 string >\x2f \b-%.4s
>>&0x16 string >\x2f \b-%.4s
>>&0x1a string >\x2f \b-%.6s
>>&0x20 lequad x \b, size: %lld
0x618 string LVM2\ 001 LVM2 PV (Linux Logical Volume Manager)
>&(&-12.l-0x21) byte x
# display UUID in LVM format + display all 32 bytes (instead of max string length: 31)
>>&0x0 string >\x2f \b, UUID: %.6s
>>&0x6 string >\x2f \b-%.4s
>>&0xa string >\x2f \b-%.4s
>>&0xe string >\x2f \b-%.4s
>>&0x12 string >\x2f \b-%.4s
>>&0x16 string >\x2f \b-%.4s
>>&0x1a string >\x2f \b-%.6s
>>&0x20 lequad x \b, size: %lld
# LVM snapshot
# from Jason Farrel
0 string SnAp LVM Snapshot (CopyOnWrite store)
>4 lelong !0 - valid,
>4 lelong 0 - invalid,
>8 lelong x version %d,
>12 lelong x chunk_size %d
# SE Linux policy database
0 lelong 0xf97cff8c SE Linux policy
>16 lelong x v%d
>20 lelong 1 MLS
>24 lelong x %d symbols
>28 lelong x %d ocons
# LUKS: Linux Unified Key Setup, On-Disk Format, http://luks.endorphin.org/spec
# Anthon van der Neut (anthon@mnt.org)
0 string LUKS\xba\xbe LUKS encrypted file,
>6 beshort x ver %d
>8 string x [%s,
>40 string x %s,
>72 string x %s]
>168 string x UUID: %s
# Summary: Xen saved domain file
# Created by: Radek Vokal <rvokal@redhat.com>
0 string LinuxGuestRecord Xen saved domain
>20 search/256 (name
>>&1 string x (name %s)
# Type: Xen, the virtual machine monitor
# From: Radek Vokal <rvokal@redhat.com>
0 string LinuxGuestRecord Xen saved domain
#>2 regex \(name\ [^)]*\) %s
>20 search/256 (name (name
>>&1 string x %s...)