#------------------Standard file formats------------------------------------
#------------------------------------------------------------------------------
# elf: file(1) magic for ELF executables
#
# We have to check the byte order flag to see what byte order all the
# other stuff in the header is in.
#
# What're the correct byte orders for the nCUBE and the Fujitsu VPP500?
#
# updated by Daniel Quinlan (quinlan@yggdrasil.com)
0 string \177ELF ELF
>4 byte 0 invalid class
>4 byte 1 32-bit
# only for MIPS - in the future, the ABI field of e_flags should be used.
>>18 leshort 8
>>>36 lelong &0x20 N32
>>18 leshort 10
>>>36 lelong &0x20 N32
>>18 beshort 8
>>>36 belong &0x20 N32
>>18 beshort 10
>>>36 belong &0x20 N32
>4 byte 2 64-bit
>4 byte >2
>>4 byte x unknown ELF class: 0x%X
>5 byte !1
>>5 byte !2 invalid byte order
>5 byte 1 LSB
# The official e_machine number for MIPS is now #8, regardless of endianness.
# The second number (#10) will be deprecated later. For now, we still
# say something if #10 is encountered, but only gory details for #8.
>>18 leshort 8
# only for 32-bit
>>>4 byte 1
>>>>36 lelong&0xf0000000 0x00000000 MIPS-I
>>>>36 lelong&0xf0000000 0x10000000 MIPS-II
>>>>36 lelong&0xf0000000 0x20000000 MIPS-III
>>>>36 lelong&0xf0000000 0x30000000 MIPS-IV
>>>>36 lelong&0xf0000000 0x40000000 MIPS-V
>>>>36 lelong&0xf0000000 0x60000000 MIPS32
>>>>36 lelong&0xf0000000 0x70000000 MIPS64
>>>>36 lelong&0xf0000000 0x80000000 MIPS32 rel2
>>>>36 lelong&0xf0000000 0x90000000 MIPS64 rel2
# only for 64-bit
>>>4 byte 2
>>>>48 lelong&0xf0000000 0x00000000 MIPS-I
>>>>48 lelong&0xf0000000 0x10000000 MIPS-II
>>>>48 lelong&0xf0000000 0x20000000 MIPS-III
>>>>48 lelong&0xf0000000 0x30000000 MIPS-IV
>>>>48 lelong&0xf0000000 0x40000000 MIPS-V
>>>>48 lelong&0xf0000000 0x60000000 MIPS32
>>>>48 lelong&0xf0000000 0x70000000 MIPS64
>>>>48 lelong&0xf0000000 0x80000000 MIPS32 rel2
>>>>48 lelong&0xf0000000 0x90000000 MIPS64 rel2
>>16 leshort 0 no file type,
>>16 leshort 1 relocatable,
>>16 leshort 2 executable,
>>16 leshort 3 shared object,
# Core handling from Peter Tobias <tobias@server.et-inf.fho-emden.de>
# corrections by Christian 'Dr. Disk' Hechelmann <drdisk@ds9.au.s.shuttle.de>
>>16 leshort 4 core file
# Core file detection is not reliable.
#>>>(0x38+0xcc) string >\0 of '%s'
#>>>(0x38+0x10) lelong >0 (signal %d),
>>16 leshort &0xff00 processor-specific,
>>18 leshort 0 no machine,
>>18 leshort 1 AT&T WE32100 - invalid byte order,
>>18 leshort 2 SPARC - invalid byte order,
>>18 leshort 3 Intel 80386,
>>18 leshort 4 Motorola
>>>36 lelong &0x01000000 68000 - invalid byte order,
>>>36 lelong &0x00810000 CPU32 - invalid byte order,
>>>36 lelong 0 68020 - invalid byte order,
>>18 leshort 5 Motorola 88000 - invalid byte order,
>>18 leshort 6 Intel 80486,
>>18 leshort 7 Intel 80860,
>>18 leshort 8 MIPS,
>>18 leshort 9 Amdahl - invalid byte order,
>>18 leshort 10 MIPS (deprecated),
>>18 leshort 11 RS6000 - invalid byte order,
>>18 leshort 15 PA-RISC - invalid byte order,
>>>50 leshort 0x0214 2.0
>>>48 leshort &0x0008 (LP64),
>>18 leshort 16 nCUBE,
>>18 leshort 17 Fujitsu VPP500,
>>18 leshort 18 SPARC32PLUS,
>>18 leshort 20 PowerPC,
>>18 leshort 22 IBM S/390,
>>18 leshort 36 NEC V800,
>>18 leshort 37 Fujitsu FR20,
>>18 leshort 38 TRW RH-32,
>>18 leshort 39 Motorola RCE,
>>18 leshort 40 ARM,
>>18 leshort 41 Alpha,
>>18 leshort 0xa390 IBM S/390 (obsolete),
>>18 leshort 42 Hitachi SH,
>>18 leshort 43 SPARC V9 - invalid byte order,
>>18 leshort 44 Siemens Tricore Embedded Processor,
>>18 leshort 45 Argonaut RISC Core, Argonaut Technologies Inc.,
>>18 leshort 46 Hitachi H8/300,
>>18 leshort 47 Hitachi H8/300H,
>>18 leshort 48 Hitachi H8S,
>>18 leshort 49 Hitachi H8/500,
>>18 leshort 50 IA-64 (Intel 64 bit architecture)
>>18 leshort 51 Stanford MIPS-X,
>>18 leshort 52 Motorola Coldfire,
>>18 leshort 53 Motorola M68HC12,
>>18 leshort 62 AMD x86-64,
>>18 leshort 75 Digital VAX,
>>18 leshort 97 NatSemi 32k,
>>18 leshort 0x9026 Alpha (unofficial),
>>20 lelong 0 invalid version
>>20 lelong 1 version 1
>>36 lelong 1 MathCoPro/FPU/MAU Required
>5 byte 2 MSB
# only for MIPS - see comment in little-endian section above.
>>18 beshort 8
# only for 32-bit
>>>4 byte 1
>>>>36 belong&0xf0000000 0x00000000 MIPS-I
>>>>36 belong&0xf0000000 0x10000000 MIPS-II
>>>>36 belong&0xf0000000 0x20000000 MIPS-III
>>>>36 belong&0xf0000000 0x30000000 MIPS-IV
>>>>36 belong&0xf0000000 0x40000000 MIPS-V
>>>>36 belong&0xf0000000 0x60000000 MIPS32
>>>>36 belong&0xf0000000 0x70000000 MIPS64
>>>>36 belong&0xf0000000 0x80000000 MIPS32 rel2
>>>>36 belong&0xf0000000 0x90000000 MIPS64 rel2
# only for 64-bit
>>>4 byte 2
>>>>48 belong&0xf0000000 0x00000000 MIPS-I
>>>>48 belong&0xf0000000 0x10000000 MIPS-II
>>>>48 belong&0xf0000000 0x20000000 MIPS-III
>>>>48 belong&0xf0000000 0x30000000 MIPS-IV
>>>>48 belong&0xf0000000 0x40000000 MIPS-V
>>>>48 belong&0xf0000000 0x60000000 MIPS32
>>>>48 belong&0xf0000000 0x70000000 MIPS64
>>>>48 belong&0xf0000000 0x80000000 MIPS32 rel2
>>>>48 belong&0xf0000000 0x90000000 MIPS64 rel2
>>16 beshort 0 no file type,
>>16 beshort 1 relocatable,
>>16 beshort 2 executable,
>>16 beshort 3 shared object,
>>16 beshort 4 core file,
#>>>(0x38+0xcc) string >\0 of '%s'
#>>>(0x38+0x10) belong >0 (signal %d),
>>16 beshort &0xff00 processor-specific,
>>18 beshort 0 no machine,
>>18 beshort 1 AT&T WE32100,
>>18 beshort 2 SPARC,
>>18 beshort 3 Intel 80386 - invalid byte order,
>>18 beshort 4 Motorola
>>>36 belong &0x01000000 68000,
>>>36 belong &0x00810000 CPU32,
>>>36 belong 0 68020,
>>18 beshort 5 Motorola 88000,
>>18 beshort 6 Intel 80486 - invalid byte order,
>>18 beshort 7 Intel 80860,
>>18 beshort 8 MIPS,
>>18 beshort 9 Amdahl,
>>18 beshort 10 MIPS (deprecated),
>>18 beshort 11 RS6000,
>>18 beshort 15 PA-RISC
>>>50 beshort 0x0214 2.0
>>>48 beshort &0x0008 (LP64)
>>18 beshort 16 nCUBE,
>>18 beshort 17 Fujitsu VPP500,
>>18 beshort 18 SPARC32PLUS,
>>>36 belong&0xffff00 &0x000100 V8+ Required,
>>>36 belong&0xffff00 &0x000200 Sun UltraSPARC1 Extensions Required,
>>>36 belong&0xffff00 &0x000400 HaL R1 Extensions Required,
>>>36 belong&0xffff00 &0x000800 Sun UltraSPARC3 Extensions Required,
>>18 beshort 20 PowerPC or cisco 4500,
>>18 beshort 21 cisco 7500,
>>18 beshort 22 IBM S/390,
>>18 beshort 24 cisco SVIP,
>>18 beshort 25 cisco 7200,
>>18 beshort 36 NEC V800 or cisco 12000,
>>18 beshort 37 Fujitsu FR20,
>>18 beshort 38 TRW RH-32,
>>18 beshort 39 Motorola RCE,
>>18 beshort 40 ARM,
>>18 beshort 41 Alpha,
>>18 beshort 42 Hitachi SH,
>>18 beshort 43 SPARC V9,
>>18 beshort 44 Siemens Tricore Embedded Processor,
>>18 beshort 45 Argonaut RISC Core, Argonaut Technologies Inc.,
>>18 beshort 46 Hitachi H8/300,
>>18 beshort 47 Hitachi H8/300H,
>>18 beshort 48 Hitachi H8S,
>>18 beshort 49 Hitachi H8/500,
>>18 beshort 50 Intel Merced Processor,
>>18 beshort 51 Stanford MIPS-X,
>>18 beshort 52 Motorola Coldfire,
>>18 beshort 53 Motorola M68HC12,
>>18 beshort 73 Cray NV1,
>>18 beshort 75 Digital VAX,
>>18 beshort 97 NatSemi 32k,
>>18 beshort 0x9026 Alpha (unofficial),
>>18 beshort 0xa390 IBM S/390 (obsolete),
>>18 beshort 0xde3d Ubicom32,
>>20 belong 0 invalid version
>>20 belong 1 version 1
>>36 belong 1 MathCoPro/FPU/MAU Required
# Up to now only 0, 1 and 2 are defined; I've seen a file with 0x83, it seemed
# like proper ELF, but extracting the string had bad results.
>4 byte <0x80
>>8 string >\0 ("%s")
>8 string \0
>>7 byte 0 (SYSV)
>>7 byte 1 (HP-UX)
>>7 byte 2 (NetBSD)
>>7 byte 3 (GNU/Linux)
>>7 byte 4 (GNU/Hurd)
>>7 byte 5 (86Open)
>>7 byte 6 (Solaris)
>>7 byte 7 (Monterey)
>>7 byte 8 (IRIX)
>>7 byte 9 (FreeBSD)
>>7 byte 10 (Tru64)
>>7 byte 11 (Novell Modesto)
>>7 byte 12 (OpenBSD)
>>7 byte 97 (ARM)
>>7 byte 255 (embedded)
# Some simple Microsoft executable signatures
0 string MZ\0\0\0\0\0\0 Microsoft
>0x3c lelong <4 invalid
>(0x3c.l) string !PE\0\0 MS-DOS executable
>(0x3c.l) string PE\0\0 portable executable
0 string MZ Microsoft
>0x3c lelong <4 invalid
>(0x3c.l) string !PE\0\0 invalid
>(0x3c.l) string PE\0\0 portable executable
#------------------------------------------------------------------------------
# bFLT: file(1) magic for BFLT uclinux binary files
#
# From Philippe De Muyter <phdm@macqel.be>
#
# Additional fields added by Craig Heffner
#
0 string bFLT BFLT executable
>4 belong <1 invalid
>4 belong >4 invalid
>4 belong x version %d,
>4 belong 4
>8 belong x code offset: 0x%.8X,
>12 belong x data segment starts at: 0x%.8X,
>16 belong x bss segment starts at: 0x%.8X,
>20 belong x bss segment ends at: 0x%.8X,
>24 belong x stack size: %d bytes,
>28 belong x relocation records start at: 0x%.8X,
>32 belong x number of reolcation records: %d,
>>36 belong&0x1 0x1 ram
>>36 belong&0x2 0x2 gotpic
>>36 belong&0x4 0x4 gzip
>>36 belong&0x8 0x8 gzdata
# Windows CE package files
0 string MSCE\0\0\0\0 Microsoft WinCE installer
>20 lelong 0 \b, architecture-independent
>20 lelong 103 \b, Hitachi SH3
>20 lelong 104 \b, Hitachi SH4
>20 lelong 0xA11 \b, StrongARM
>20 lelong 4000 \b, MIPS R4000
>20 lelong 10003 \b, Hitachi SH3
>20 lelong 10004 \b, Hitachi SH3E
>20 lelong 10005 \b, Hitachi SH4
>20 lelong 70001 \b, ARM 7TDMI
>52 leshort 1 \b, 1 file
>52 leshort >1 \b, %u files
>56 leshort 1 \b, 1 registry entry
>56 leshort >1 \b, %u registry entries
#------------------------------------------------------------------------------
# Microsoft Xbox executables .xbe (Esa Hyytiä <ehyytia@cc.hut.fi>)
0 string XBEH XBE, Microsoft Xbox executable
# probabilistic checks whether signed or not
>0x0004 ulelong =0x0
>>&2 ulelong !0x0 \b, invalid
>>&2 ulelong =0x0
>>>&2 ulelong !0x0 \b, invalid
>>>&2 ulelong =0x0 \b, not signed
>0x0004 ulelong >0
>>&2 ulelong =0x0 \b, invalid
>>&2 ulelong >0
>>>&2 ulelong =0x0 \b, invalid
>>>&2 ulelong >0 \b, signed
>0x0104 lelong <0 \b, invalid base address
# expect base address of 0x10000
>0x0104 ulelong =0x10000
>>(0x0118-0x0FF60) ulelong&0x80000007 0x80000007 \b, all regions
>>(0x0118-0x0FF60) ulelong&0x80000007 !0x80000007
>>>(0x0118-0x0FF60) ulelong >0 (regions:
>>>>(0x0118-0x0FF60) ulelong &0x00000001 NA
>>>>(0x0118-0x0FF60) ulelong &0x00000002 Japan
>>>>(0x0118-0x0FF60) ulelong &0x00000004 Rest_of_World
>>>>(0x0118-0x0FF60) ulelong &0x80000000 Manufacturer
>>>(0x0118-0x0FF60) ulelong >0 \b)
#------------------------------------------------------------------------------
# motorola: file(1) magic for Motorola 68K and 88K binaries
#
# 68K
#
# These signatures are useless without further sanity checking. Disable them until
# that can be implemented.
#0 beshort 0x0208 mc68k COFF
#>18 beshort ^00000020 object
#>18 beshort &00000020 executable
#>12 belong >0 not stripped
#>168 string .lowmem Apple toolbox
#>20 beshort 0407 (impure)
#>20 beshort 0410 (pure)
#>20 beshort 0413 (demand paged)
#>20 beshort 0421 (standalone)
#0 beshort 0x0209 mc68k executable (shared)
#>12 belong >0 not stripped
#0 beshort 0x020A mc68k executable (shared demand paged)
#>12 belong >0 not stripped
#------------------------------------------------------------------------------
# Sony Playstation executables (Adam Sjoegren <asjo@diku.dk>) :
0 string PS-X\x20EXE Sony Playstation executable
# Area:
>113 string x ("%s")
#------------------------------------------------------------------------------
# cisco: file(1) magic for cisco Systems routers
#
# Most cisco file-formats are covered by the generic elf code
0 string \x85\x01\x14 Cisco IOS microcode
>7 string >\0
>>7 string x for "%s"
0 string \x85\x01\xcb Cisco IOS experimental microcode
>7 string >\0
>>7 string x for "%s"
# EST flat binary format (which isn't, but anyway)
# From: Mark Brown <broonie@sirena.org.uk>
0 string ESTFBINR EST flat binary
# These are not the binaries themselves, but string references to them
# are a strong indication that they exist elsewhere...
#0 string /bin/busybox Busybox string reference: "%s"{one-of-many}
#0 string /bin/sh Shell string reference: "%s"{one-of-many}
# Mach-O's
0 string \xca\xfe\xba\xbe\x00\x00\x00\x01 Mach-O universal binary with 1 architecture
0 string \xca\xfe\xba\xbe\x00\x00\x00\x02 Mach-O universal binary with 2 architectures
0 string \xca\xfe\xba\xbe\x00\x00\x00\x03 Mach-O universal binary with 3 architectures
0 string \xca\xfe\xba\xbe\x00\x00\x00\x04 Mach-O universal binary with 4 architectures
0 string \xca\xfe\xba\xbe\x00\x00\x00\x05 Mach-O universal binary with 5 architectures
0 string \xca\xfe\xba\xbe\x00\x00\x00\x06 Mach-O universal binary with 6 architectures
0 string \xca\xfe\xba\xbe\x00\x00\x00\x07 Mach-O universal binary with 7 architectures
0 string \xca\xfe\xba\xbe\x00\x00\x00\x08 Mach-O universal binary with 8 architectures
0 string \xca\xfe\xba\xbe\x00\x00\x00\x0a Mach-O universal binary with 9 architectures
0 string \xca\xfe\xba\xbe\x00\x00\x00\x0b Mach-O universal binary with 10 architectures
0 string \xca\xfe\xba\xbe\x00\x00\x00\x0c Mach-O universal binary with 11 architectures
0 string \xca\xfe\xba\xbe\x00\x00\x00\x0d Mach-O universal binary with 12 architectures
0 string \xca\xfe\xba\xbe\x00\x00\x00\x0e Mach-O universal binary with 13 architectures
0 string \xca\xfe\xba\xbe\x00\x00\x00\x0f Mach-O universal binary with 14 architectures
0 string \xca\xfe\xba\xbe\x00\x00\x00\x10 Mach-O universal binary with 15 architectures
0 string \xca\xfe\xba\xbe\x00\x00\x00\x11 Mach-O universal binary with 16 architectures
0 string \xca\xfe\xba\xbe\x00\x00\x00\x12 Mach-O universal binary with 17 architectures
0 string \xca\xfe\xba\xbe\x00\x00\x00\x13 Mach-O universal binary with 18 architectures
# The magic bytes for Java .class files is 0xcafebabe, but AFAIK all major version numbers are less than 255
# and all minor version numbers are 0. This gives us three more bytes we can signature on.
0 string \xca\xfe\xba\xbe\x00\x00\x00 Compiled Java class data,
>6 beshort x version %d.
>4 beshort x \b%d
# Which is which?
>4 belong 0x032d (Java 1.0/1.1)
#>4 belong 0x032d (Java 1.1)
>4 belong 0x002e (Java 1.2)
>4 belong 0x002f (Java 1.3)
>4 belong 0x0030 (Java 1.4)
>4 belong 0x0031 (Java 1.5)
>4 belong 0x0032 (Java 1.6)
>4 belong >0x0050 invalid
# Summary: HP-38/39 calculator
0 string HP38Bin HP 38 binary
>7 string A (Directory List)
>7 string B (Zaplet)
>7 string C (Note)
>7 string D (Program)
>7 string E (Variable)
>7 string F (List)
>7 string G (Matrix)
>7 string H (Library)
>7 string I (Target List)
>7 string J (ASCII Vector specification)
>7 string K (wildcard)
>7 byte <0x41 invalid
>7 byte >0x4B invalid
0 string HP39Bin HP 39 binary
>7 string A (Directory List)
>7 string B (Zaplet)
>7 string C (Note)
>7 string D (Program)
>7 string E (Variable)
>7 string F (List)
>7 string G (Matrix)
>7 string H (Library)
>7 string I (Target List)
>7 string J (ASCII Vector specification)
>7 string K (wildcard)
>7 byte <0x41 invalid
>7 byte >0x4B invalid
0 string HP38Asc HP 38 ASCII
>7 string A (Directory List)
>7 string B (Zaplet)
>7 string C (Note)
>7 string D (Program)
>7 string E (Variable)
>7 string F (List)
>7 string G (Matrix)
>7 string H (Library)
>7 string I (Target List)
>7 string J (ASCII Vector specification)
>7 string K (wildcard)
>7 byte <0x41 invalid
>7 byte >0x4B invalid
0 string HP39Asc HP 39 ASCII
>7 string A (Directory List)
>7 string B (Zaplet)
>7 string C (Note)
>7 string D (Program)
>7 string E (Variable)
>7 string F (List)
>7 string G (Matrix)
>7 string H (Library)
>7 string I (Target List)
>7 string J (ASCII Vector specification)
>7 string K (wildcard)
>7 byte <0x41 invalid
>7 byte >0x4B invalid
# Summary: HP-48/49 calculator
0 string HPHP48 HP 48 binary
>8 leshort 0x2911 (ADR)
>8 leshort 0x2933 (REAL)
>8 leshort 0x2955 (LREAL)
>8 leshort 0x2977 (COMPLX)
>8 leshort 0x299d (LCOMPLX)
>8 leshort 0x29bf (CHAR)
>8 leshort 0x29e8 (ARRAY)
>8 leshort 0x2a0a (LNKARRAY)
>8 leshort 0x2a2c (STRING)
>8 leshort 0x2a4e (HXS)
>8 leshort 0x2a74 (LIST)
>8 leshort 0x2a96 (DIR)
>8 leshort 0x2ab8 (ALG)
>8 leshort 0x2ada (UNIT)
>8 leshort 0x2afc (TAGGED)
>8 leshort 0x2b1e (GROB)
>8 leshort 0x2b40 (LIB)
>8 leshort 0x2b62 (BACKUP)
>8 leshort 0x2b88 (LIBDATA)
>8 leshort 0x2d9d (PROG)
>8 leshort 0x2dcc (CODE)
>8 leshort 0x2e48 (GNAME)
>8 leshort 0x2e6d (LNAME)
>8 leshort 0x2e92 (XLIB)
>8 leshort <0x2911 (invalid)
>8 leshort >0x2e92 (invalid)
0 string HPHP49 HP 49 binary
>8 leshort 0x2911 (ADR)
>8 leshort 0x2933 (REAL)
>8 leshort 0x2955 (LREAL)
>8 leshort 0x2977 (COMPLX)
>8 leshort 0x299d (LCOMPLX)
>8 leshort 0x29bf (CHAR)
>8 leshort 0x29e8 (ARRAY)
>8 leshort 0x2a0a (LNKARRAY)
>8 leshort 0x2a2c (STRING)
>8 leshort 0x2a4e (HXS)
>8 leshort 0x2a74 (LIST)
>8 leshort 0x2a96 (DIR)
>8 leshort 0x2ab8 (ALG)
>8 leshort 0x2ada (UNIT)
>8 leshort 0x2afc (TAGGED)
>8 leshort 0x2b1e (GROB)
>8 leshort 0x2b40 (LIB)
>8 leshort 0x2b62 (BACKUP)
>8 leshort 0x2b88 (LIBDATA)
>8 leshort 0x2d9d (PROG)
>8 leshort 0x2dcc (CODE)
>8 leshort 0x2e48 (GNAME)
>8 leshort 0x2e6d (LNAME)
>8 leshort 0x2e92 (XLIB)
>8 leshort <0x2911 (invalid)
>8 leshort >0x2e92 (invalid)
0 string \x23!/ Executable script,
>6 byte !0x2F
>>7 byte !0x2F invalid
>2 string x shebang: "%s"
0 string \x23!\x20/ Executable script,
>7 byte !0x2F
>>8 byte !0x2F invalid
>3 string x shebang: "%s"