Commit d95e015d by devttys0

Re-working code to better fit with new magic module

parent 9fc088e0
......@@ -119,30 +119,14 @@ class CleanCommand(Command):
pass
if "install" in sys.argv:
# If an older version of binwalk is currently installed, completely remove it to prevent conflicts
existing_binwalk_modules = find_binwalk_module_paths()
if existing_binwalk_modules and not os.path.exists(os.path.join(existing_binwalk_modules[0], "core")):
# If a previous version of binwalk is currently installed, completely remove it to prevent conflicts
if find_binwalk_module_paths():
remove_binwalk_module()
# Re-build the magic file during a build/install
if "install" in sys.argv or "build" in sys.argv:
# Generate a new magic file from the files in the magic directory
print("creating %s magic file" % MODULE_NAME)
magic_files = os.listdir("magic")
magic_files.sort()
fd = open("%s/magic/%s" % (MODULE_NAME, MODULE_NAME), "wb")
for magic in magic_files:
fpath = os.path.join("magic", magic)
if os.path.isfile(fpath):
fd.write(open(fpath, "rb").read())
fd.close()
# The data files to install along with the module
data_dirs = ["magic", "config", "plugins", "modules", "core"]
install_data_files = [os.path.join("libs", "*.so"), os.path.join("libs", "*.dylib")]
for data_dir in data_dirs:
install_data_files.append("%s%s*" % (data_dir, os.path.sep))
install_data_files = []
for data_dir in ["magic", "config", "plugins", "modules", "core"]:
install_data_files.append("%s%s*" % (data_dir, os.path.sep))
# Install the module, script, and support files
setup(name = MODULE_NAME,
......
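Review bot: With the `not os.path.exists(os.path.join(existing_binwalk_modules[0], "core"))` condition dropped, `if find_binwalk_module_paths(): remove_binwalk_module()` deletes any existing installation on every `install`. It does so before `setup()` has run, so a failed or interrupted install leaves the machine with no working binwalk. Installs commonly run with elevated privileges and neither helper is visible in this hunk, so it is worth confirming that removal is limited to directories a previous install created. I would at least make the deletion visible: `paths = find_binwalk_module_paths()` followed by `if paths: print("removing previous install: %s" % ", ".join(paths)); remove_binwalk_module()`.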
......@@ -11,14 +11,35 @@ class SignatureTag(object):
for (k,v) in binwalk.core.compat.iterator(kwargs):
setattr(self, k, v)
class SignatureResult(object):
def __init__(self, **kwargs):
# These are set by signature keyword tags
self.jump = 0
self.size = 0
self.name = None
self.offset = 0
self.adjust = 0
self.strlen = 0
self.string = False
self.invalid = False
# These are set by code internally
self.file = None
self.valid = True
self.display = True
self.description = ""
for (k,v) in binwalk.core.compat.iterator(kwargs):
setattr(self, k, v)
class SignatureLine(object):
def __init__(self, line):
self.tags = []
self.original_text = line
line = line.replace('\\ ', '\x20')
parts = line.split(None, 3)
parts = line.replace('\\ ', '\\x20').split(None, 3)
self.level = parts[0].count('>')
......@@ -32,6 +53,10 @@ class SignatureLine(object):
(self.type, self.bitmask) = parts[1].split('&', 1)
self.boolean = '&'
self.bitmask = int(self.bitmask, 0)
elif '|' in parts[1]:
(self.type, self.bitmask) = parts[1].split('|', 1)
self.boolean = '|'
self.bitmask = int(self.bitmask, 0)
else:
self.type = parts[1]
self.boolean = None
......@@ -171,22 +196,6 @@ class Signature(object):
def append(self, line):
self.lines.append(line)
class SignatureResult(object):
def __init__(self, **kwargs):
self.offset = 0
self.adjust = 0
self.jump = 0
self.size = 0
self.description = ""
self.valid = True
self.invalid = False
self.display = True
self.file = None
for (k,v) in binwalk.core.compat.iterator(kwargs):
setattr(self, k, v)
class Magic(object):
def __init__(self, exclude=[], include=[], invalid=False):
......@@ -209,6 +218,7 @@ class Magic(object):
def filtered(self, text):
filtered = None
text = text.lower()
for include in self.includes:
if include.match(text):
......@@ -230,6 +240,7 @@ class Magic(object):
def parse(self, signature, offset):
description = []
tag_strlen = None
max_line_level = 0
tags = {'offset' : offset, 'invalid' : False}
......@@ -275,12 +286,19 @@ class Magic(object):
except struct.error as e:
dvalue = 0
elif line.size:
dvalue = self.data[start:end]
# Strings have line.value == None
if line.value is None:
dvalue = dvalue.split('\x00')[0].split('\r')[0].split('\r')[0]
if [x for x in line.tags if x.name == 'string'] and binwalk.core.compat.has_key(tags, 'strlen'):
dvalue = self.data[start:(start+tags['strlen'])]
else:
dvalue = self.data[start:end].split('\x00')[0].split('\r')[0].split('\r')[0]
else:
dvalue = self.data[start:end]
if line.boolean == '&':
dvalue &= line.bitmask
elif line.boolean == '|':
dvalue |= line.bitmask
if ((line.value is None) or
(line.condition == '=' and dvalue == line.value) or
......@@ -295,13 +313,22 @@ class Magic(object):
dvalue = ts.strftime("%Y-%m-%d %H:%M:%S")
if '%' in line.format:
description.append(line.format % dvalue)
desc = line.format % dvalue
else:
description.append(line.format)
desc = line.format
if desc:
description.append(desc)
for tag in line.tags:
if isinstance(tag.value, str) and '%' in tag.value:
tags[tag.name] = tag.value % dvalue
try:
tags[tag.name] = int(tags[tag.name], 0)
except KeyboardInterrupt as e:
raise e
except Exception as e:
pass
else:
try:
tags[tag.name] = int(tag.value, 0)
......@@ -316,12 +343,19 @@ class Magic(object):
max_line_level = line.level + 1
else:
max_line_level = line.level
# No match on the first line, abort
if line.level == 0:
break
else:
max_line_level = line.level
tags['description'] = self.bspace.sub('', " ".join(description))
if (('\\' in tags['description']) or
(self.printable.match(tags['description']).group() != tags['description'])):
if not tags['description']:
tags['display'] = False
tags['invalid'] = True
if self.printable.match(tags['description']).group() != tags['description']:
tags['invalid'] = True
tags['valid'] = (not tags['invalid'])
......@@ -330,19 +364,20 @@ class Magic(object):
def scan(self, data, dlen=None):
results = []
matched_offsets = set()
self.data = data
if dlen is None:
dlen = len(self.data)
for signature in self.signatures:
for match in signature.regex.finditer(self.data):
offset = match.start() - signature.offset
if offset >= 0 and offset <= dlen:
if (offset not in matched_offsets or self.show_invalid) and offset >= 0 and offset <= dlen:
tags = self.parse(signature, offset)
if not tags['invalid'] or self.show_invalid:
results.append(SignatureResult(**tags))
matched_offsets.add(offset)
results.sort(key=lambda x: x.offset, reverse=False)
return results
......@@ -381,15 +416,3 @@ class Magic(object):
self.signatures.sort(key=lambda x: x.confidence, reverse=True)
if __name__ == '__main__':
import sys
m = Magic(invalid=True)
m.load(sys.argv[1])
print ("Loaded %d signatures" % len(m.signatures))
for signature in m.scan(open(sys.argv[2], "r").read()):
if signature.valid:
print (signature.offset, signature.description)
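Review bot: In parse(), `dvalue = self.data[start:(start+tags['strlen'])]` uses the `strlen` tag as a slice length with no sign check, and the tag loop further down can fill that tag from the scanned data (`tags[tag.name] = tag.value % dvalue`, then `int(tags[tag.name], 0)`). A negative value yields an empty string or, once `start + strlen` drops below zero, an end index counted from the end of the buffer, so a crafted input can pull an arbitrary stretch of the file into the description. I would reject it before slicing, e.g. `if tags['strlen'] < 0: tags['invalid'] = True`. In the else branch, `.split('\x00')[0].split('\r')[0].split('\r')[0]` splits on `\r` twice; the second was presumably meant to be `\n`. parse() begins and ends outside these hunks.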
......@@ -7,7 +7,7 @@ from binwalk.core.compat import *
class Settings:
'''
Binwalk settings class, used for accessing user and system file paths and general configuration settings.
After instatiating the class, file paths can be accessed via the self.paths dictionary.
System file paths are listed under the 'system' key, user file paths under the 'user' key.
......@@ -58,6 +58,20 @@ class Settings:
prefix=self._system_path(self.BINWALK_CONFIG_DIR, self.PREFIX_FILE),
plugins=self._system_path(self.BINWALK_PLUGINS_DIR))
def magic_signature_files(self, system_only=False, user_only=False):
files = []
if not system_only:
user_dir = os.path.join(self.user_dir, self.BINWALK_USER_DIR, self.BINWALK_MAGIC_DIR)
files += [os.path.join(user_dir, x) for x in os.listdir(user_dir)]
if not user_only:
system_dir = os.path.join(self.system_dir, self.BINWALK_MAGIC_DIR)
files += [os.path.join(system_dir, x) for x in os.listdir(system_dir)]
if self.system.binarch in files:
files.remove(self.system.binarch)
return files
def find_magic_file(self, fname, system_only=False, user_only=False):
'''
Finds the specified magic file name in the system / user magic file directories.
......@@ -83,7 +97,7 @@ class Settings:
loc = fpath
return fpath
def _get_user_dir(self):
'''
Get the user's home directory.
......@@ -102,7 +116,7 @@ class Settings:
@dirname - Directory path.
@filename - File name.
Returns a full path of 'dirname/filename'.
'''
if not os.path.exists(dirname):
......@@ -112,7 +126,7 @@ class Settings:
raise e
except Exception:
pass
fpath = os.path.join(dirname, filename)
if not os.path.exists(fpath):
......@@ -144,10 +158,10 @@ class Settings:
def _system_path(self, subdir, basename=''):
'''
Gets the full path to the 'subdir/basename' file in the system binwalk directory.
@subdir - Subdirectory inside the system binwalk directory.
@basename - File name inside the subdirectory.
Returns the full path to the 'subdir/basename' file.
'''
try:
......
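Review bot: magic_signature_files() returns every entry of the user and system magic directories, so subdirectories, editor backup files and any stray file dropped into the user directory are handed to the signature parser. `os.listdir()` also raises if the user directory does not exist; whether it is created earlier is not visible in this hunk. I would guard and filter each listing, e.g. `if os.path.isdir(user_dir):` followed by `files += [p for p in (os.path.join(user_dir, x) for x in os.listdir(user_dir)) if os.path.isfile(p)]`, and the same for `system_dir`. Only `self.system.binarch` is removed from the list, so a same-named file in the user directory would still be loaded. The method also lacks the docstring its neighbours have; something like `'''Returns a list of all magic signature files in the user and/or system magic directories, excluding the system binarch file.'''` would match the file's style.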
......@@ -3,13 +3,13 @@
# sw XX, XX($sp)
# 27 BD FF XX
# AF BX XX XX
0 string \xFF\xBD\x27 MIPSEL instructions, function prologue{offset-adjust:-1}
>6 byte !0xAF (invalid)
>5 byte&0xE0 !0xA0 (invalid)
1 string \xFF\xBD\x27 MIPSEL instructions, function prologue
>6 byte !0xAF {invalid}
>5 byte&0xE0 !0xA0 {invalid}
0 string \x27\xBD\xFF MIPS instructions, function prologue
>4 byte !0xAF (invalid)
>5 byte&0xE0 !0xA0 (invalid)
>4 byte !0xAF {invalid}
>5 byte&0xE0 !0xA0 {invalid}
# MIPS epilogue
# jr $ra
......@@ -18,14 +18,14 @@
# addiu $sp, XX
# jr $ra
0 belong 0x03e00008 MIPS instructions, function epilogue
>4 beshort !0x27BD (invalid)
>4 beshort !0x27BD {invalid}
0 beshort 0x27BD MIPS instructions, function epilogue
>2 belong !0x03e00008 (invalid)
>2 belong !0x03e00008 {invalid}
0 lelong 0x03e00008 MIPSEL instructions, function epilogue
>6 leshort !0x27BD (invalid)
>6 leshort !0x27BD {invalid}
0 leshort 0x27BD MIPS instructions, function epilogue
>2 lelong !0x03e00008 (invalid)
>2 lelong !0x03e00008 {invalid}
# MIPS16e
# nop (x4)
......@@ -36,17 +36,17 @@
# save a0-a1, XX
# addiu XX, XX
0 string \xf0\x08\x64 MIPS16e instructions, function prologue
>4 byte !0x01 (invalid)
>4 byte !0x01 {invalid}
# move $sp, $s1
# restore XX, XX, XX
# jrc $ra
0 beshort 0x65B9 MIPS16e instructions, function epilogue
>3 byte !0x64 (invalid)
>4 beshort !0xE8A0 (invalid)
>3 byte !0x64 {invalid}
>4 beshort !0xE8A0 {invalid}
0 leshort 0x65B9 MIPSEL16e instructions, function epilogue
>3 byte !0x64 (invalid)
>4 leshort !0xE8A0 (invalid)
>3 byte !0x64 {invalid}
>4 leshort !0xE8A0 {invalid}
# jrc $ra
# nop
......@@ -68,19 +68,19 @@
# STMFD SP!, {XX}
# <any instruction whose opcode begins with 0xE>
0 beshort 0xE92D ARMEB instructions, function prologue
>4 byte&0xF0 !0xE0 (invalid)
>8 byte&0xF0 !0xE0 (invalid)
0 leshort 0xE92D ARM instructions, function prologue{offset-adjust:-2}
>5 byte&0xF0 !0xE0 (invalid)
>9 byte&0xF0 !0xE0 (invalid)
>4 byte&0xF0 !0xE0 {invalid}
>8 byte&0xF0 !0xE0 {invalid}
0 leshort 0xE92D ARM instructions, function prologue{adjust:-2}
>5 byte&0xF0 !0xE0 {invalid}
>9 byte&0xF0 !0xE0 {invalid}
# ARM epilogue
# MOV R0, XX
# LDMFD SP!, {XX}
0 beshort 0xE1A0 ARMEB instructions, function epilogue
>4 beshort !0xE8BD (invalid)
0 leshort 0xE1A0 ARM instructions, function epilogue{offset-adjust:-2}
>4 leshort !0xE8BD (invalid)
>4 beshort !0xE8BD {invalid}
0 leshort 0xE1A0 ARM instructions, function epilogue{adjust:-2}
>4 leshort !0xE8BD {invalid}
# Ubicom32 prologue
......@@ -120,5 +120,5 @@
# push esi
0 string \x55\x89\xE5\x83\xEC Intel x86 instructions, function prologue
0 string \x55\x89\xE5\x57\x56 Intel x86 instructions, function prologue
0 string \x90\x90\x90\x90\x90\x90\x90\x90 Intel x86 instructions, nops{jump-to-offset:8}
0 string \x90\x90\x90\x90\x90\x90\x90\x90 Intel x86 instructions, nops{jump:8}
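Review bot: The MIPSEL prologue signature now starts at offset `1` instead of carrying `{offset-adjust:-1}`, but its child checks `>6 byte !0xAF {invalid}` and `>5 byte&0xE0 !0xA0 {invalid}` kept their old offsets. If child offsets are resolved from the signature start (scan() passes `match.start() - signature.offset` to parse()), both checks now read one byte earlier than before, so `>6` would test the register byte rather than the `AF` opcode byte. In that case they should become `>7 byte !0xAF {invalid}` and `>6 byte&0xE0 !0xA0 {invalid}`. How parse() resolves line offsets is not shown on this page, so this needs confirming against a known MIPSEL sample.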
0 belong x Hex: 0x%.8X
#0 string x String: %s
#0 lequad x Little Endian Quad: %lld
#0 bequad x Big Endian Quad: %lld
0 lelong x Little Endian Long: %d
0 belong x Big Endian Long: %d
0 leshort x Little Endian Short: %d
0 beshort x Big Endian Short: %d
0 ledate x Little Endian Date: %s
0 bedate x Big Endian Date: %s
......@@ -7,7 +7,7 @@
# U-Boot boot loader
0 string U-Boot\x20 U-Boot version string,
>7 byte <48 {invalid},
>7 byte >57 {invalid},
>8 byte !0x2E {invalid},
>7 byte <48 {invalid}
>7 byte >57 {invalid}
>8 byte !0x2E {invalid}
>0 string x "%s"
#------------------Compression Formats-----------------------------
# AFX compressed files (Wolfram Kleff)
2 string -afx- AFX compressed file data
# bzip2
0 string BZh91AY&SY bzip2 compressed data, block size = 900k
0 string BZh81AY&SY bzip2 compressed data, block size = 800k
0 string BZh71AY&SY bzip2 compressed data, block size = 700k
0 string BZh61AY&SY bzip2 compressed data, block size = 600k
0 string BZh51AY&SY bzip2 compressed data, block size = 500k
0 string BZh41AY&SY bzip2 compressed data, block size = 400k
0 string BZh31AY&SY bzip2 compressed data, block size = 300k
0 string BZh21AY&SY bzip2 compressed data, block size = 200k
0 string BZh11AY&SY bzip2 compressed data, block size = 100k
# lzop from <markus.oberhumer@jk.uni-linz.ac.at>
0 string \x89\x4c\x5a\x4f\x00\x0d\x0a\x1a\x0a lzop compressed data,
>9 beshort >0x093F {invalid}
>9 beshort <0x0940
>>9 byte&0xf0 =0x00 - version 0.
>>9 beshort&0x0fff x \b%03x,
>>9 beshort&0x0fff <1 {invalid}
>>13 byte 1 LZO1X-1,
>>13 byte 2 LZO1X-1(15),
>>13 byte 3 LZO1X-999,
>>14 byte =0x00 os: MS-DOS
>>14 byte =0x01 os: Amiga
>>14 byte =0x02 os: VMS
>>14 byte =0x03 os: Unix
>>14 byte =0x05 os: Atari
>>14 byte =0x06 os: OS/2
>>14 byte =0x07 os: MacOS
>>14 byte =0x0A os: Tops/20
>>14 byte =0x0B os: WinNT
>>14 byte =0x0E os: Win32
>9 beshort >0x0939
>>9 byte&0xf0 =0x00 - version 0.
>>9 byte&0xf0 =0x10 - version 1.
>>9 byte&0xf0 =0x20 - version 2.
>>9 beshort&0x0fff x \b%03x,
>>15 byte 1 LZO1X-1,
>>15 byte 2 LZO1X-1(15),
>>15 byte 3 LZO1X-999,
>>17 byte =0x00 os: MS-DOS
>>17 byte =0x01 os: Amiga
>>17 byte =0x02 os: VMS
>>17 byte =0x03 os: Unix
>>17 byte =0x05 os: Atari
>>17 byte =0x06 os: OS/2
>>17 byte =0x07 os: MacOS
>>17 byte =0x0A os: Tops/20
>>17 byte =0x0B os: WinNT
>>17 byte =0x0E os: Win32
# lzip
0 string LZIP lzip compressed data,
>4 ubyte 0 {invalid}
# Current version is still 1.x
>4 ubyte >4 {invalid}
>4 byte x version: %d
# lrzip
0 string LRZI lrzip compressed data
# LZO
0 string \211LZO\000\015\012\032\012 LZO compressed data
# 7-zip archiver, from Thomas Klausner (wiz@danbala.tuwien.ac.at)
# http://www.7-zip.org or DOC/7zFormat.txt
#
0 string 7z\274\257\047\034 7-zip archive data,
>6 byte <0 {invalid}
>6 byte 0
>>7 byte 0 {invalid}
>6 byte >20 {invalid}
>6 byte x version %d
>7 byte x \b.%d
# standard unix compress
# Disabled until a python alternative can be foudn for the compress binwalk plugin.
#0 string \x1f\x9d\x90 compress'd data, 16 bits
# http://tukaani.org/xz/xz-file-format.txt
0 string \xFD\x37\x7a\x58\x5a\x00 xz compressed data
# gzip (GNU zip, not to be confused with Info-ZIP or PKWARE zip archiver)
# Edited by Chris Chittleborough <cchittleborough@yahoo.com.au>, March 2002
# * Original filename is only at offset 10 if "extra field" absent
# * Produce shorter output - notably, only report compression methods
# other than 8 ("deflate", the only method defined in RFC 1952).
#0 string \037\213\x08 gzip compressed data
0 string \x1f\x8b\x08 gzip compressed data
>3 byte &0x01 \b, ASCII
>3 byte&0xE0 !0x00 \b, {invalid} reserved flag bits
>8 byte 2 \b, maximum compression
>8 byte 4 \b, fastest compression
>8 byte 1 \b, {invalid} extra flags
>8 byte 3 \b, {invalid} extra flags
>8 byte >4 \b, {invalid} extra flags
>3 byte &0x02 \b, has header CRC
>3 byte&0x04 0x04
>>10 leshort x \b, has %d bytes of extra data
>3 byte&0xC =0x08 \b, has original file name
>>10 string x \b{file-name:%s}
>>10 string x \b: "%s"
>3 byte &0x10 \b, has comment
>>3 byte&0xC 0
>>>10 string x \b: "%s"
>9 byte =0x00 \b, from FAT filesystem (MS-DOS, OS/2, NT)
>9 byte =0x01 \b, from Amiga
>9 byte =0x02 \b, from VMS
>9 byte =0x03 \b, from Unix
>9 byte =0x04 \b, from VM/CMS
>9 byte =0x05 \b, from Atari
>9 byte =0x06 \b, from HPFS filesystem (OS/2, NT)
>9 byte =0x07 \b, from MacOS
>9 byte =0x08 \b, from Z-System
>9 byte =0x09 \b, from CP/M
>9 byte =0x0A \b, from TOPS/20
>9 byte =0x0B \b, from NTFS filesystem (NT)
>9 byte =0x0C \b, from QDOS
>9 byte =0x0D \b, from Acorn RISCOS
>3 byte &0x20 \b, encrypted{invalid}
# Dates before 1992 are {invalid}, unless of course you're DD-WRT in which
# case you don't know how to set a date in your gzip files. Brilliant.
>4 lelong =0 \b, NULL date:
>4 lelong <0 {invalid}
>4 lelong >0
>>4 lelong <694224000 {invalid}
>>4 lelong =694224000 {invalid}
>>4 lelong >694224000 \b, last modified:
>>>4 ledate x %s
>>>4 lelong x {epoch:%d}
# Supplementary magic data for the file(1) command to support
# rzip(1). The format is described in magic(5).
#
# Copyright (C) 2003 by Andrew Tridgell. You may do whatever you want with
# this file.
#
0 string RZIP rzip compressed data
>4 byte x - version %d
>5 byte x \b.%d
>6 belong x (%d bytes)
# JAR
0 belong 0xcafed00d JAR compressed with pack200,
>5 byte x version %d.
>4 byte x \b%d
# New LZMA format signature
# See lzma file for LZMA signatures
0 string \xFFLZMA\x00 LZMA compressed data (new),
>6 byte&0x10 0 single-block stream
>6 byte&0x10 0x10 multi-block stream
0 string \xff\x06\x00\x00\x73\x4e\x61\x50\x70\x59 Snappy compression, stream identifier
#0 beshort 0x7801 Zlib header, no compression
0 beshort 0x789c Zlib compressed data, default compression
0 beshort 0x78da Zlib compressed data, best compression
0 beshort 0x785e Zlib compressed data, compressed
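Review bot: The gzip entry still emits `\b{file-name:%s}` (under `>3 byte&0xC =0x08`), while this commit renames the other keyword tags (`file-epoch` to `epoch`, `offset-adjust` to `adjust`, `jump-to-offset` to `jump`) and the new SignatureResult declares `name`, not `file-name`. If consumers read `result.name`, the original file name will stay `None`; the line would then be `>>10 string x \b{name:%s}`. The value is copied straight from the scanned gzip header, so whatever uses it as an output file name should treat it as untrusted and strip directory components before writing.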
......@@ -94,8 +94,7 @@ class Signature(Module):
# Use the system default magic file if no other was specified, or if -B was explicitly specified
if (not self.magic_files) or (self.explicit_signature_scan and not self.cast_data_types):
self.magic_files.append(self.config.settings.user.binwalk)
self.magic_files.append(self.config.settings.system.binwalk)
self.magic_files += self.config.settings.magic_signature_files()
# Initialize libmagic
self.magic = binwalk.core.magic.Magic(include=self.include_filters,
......@@ -147,6 +146,8 @@ class Signature(Module):
if r.offset < current_block_offset:
continue
relative_offset = r.offset
# Set the absolute offset inside the target file
# TODO: Don't need the offset adjust stuff anymore, get rid of it
r.offset = block_start + r.offset + r.adjust
......@@ -164,7 +165,7 @@ class Signature(Module):
# Is this a valid result and did it specify a jump-to-offset keyword, and are we doing a "smart" scan?
if r.valid and r.jump > 0 and not self.dumb_scan:
absolute_jump_offset = r.offset + r.jump
current_block_offset = candidate_offset + r.jump
current_block_offset = relative_offset + r.jump
# If the jump-to-offset is beyond the confines of the current block, seek the file to
# that offset and quit processing this block of data.
......
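Review bot: `current_block_offset = relative_offset + r.jump` leaves out `r.adjust`, while `absolute_jump_offset = r.offset + r.jump` is computed after `r.offset = block_start + r.offset + r.adjust`, so the in-block skip and the absolute jump target differ by `r.adjust` whenever a signature sets both tags. Either use `current_block_offset = relative_offset + r.adjust + r.jump`, or act on the TODO and drop `r.adjust` from the offset calculation so both values share one base. `r.jump` can come from signature tags filled with scanned data, and only `r.jump > 0` is checked in the visible lines; the upper-bound handling sits outside this hunk.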
#------------------Compression Formats-----------------------------
# AFX compressed files (Wolfram Kleff)
0 string -afx- AFX compressed file data{offset-adjust:-2}
# bzip2
0 string BZh91AY&SY bzip2 compressed data, block size = 900k
0 string BZh81AY&SY bzip2 compressed data, block size = 800k
0 string BZh71AY&SY bzip2 compressed data, block size = 700k
0 string BZh61AY&SY bzip2 compressed data, block size = 600k
0 string BZh51AY&SY bzip2 compressed data, block size = 500k
0 string BZh41AY&SY bzip2 compressed data, block size = 400k
0 string BZh31AY&SY bzip2 compressed data, block size = 300k
0 string BZh21AY&SY bzip2 compressed data, block size = 200k
0 string BZh11AY&SY bzip2 compressed data, block size = 100k
# lzop from <markus.oberhumer@jk.uni-linz.ac.at>
0 string \x89\x4c\x5a\x4f\x00\x0d\x0a\x1a\x0a lzop compressed data
>9 beshort >0x093F {invalid}
>9 beshort <0x0940
>>9 byte&0xf0 =0x00 - version 0.
>>9 beshort&0x0fff x \b%03x,
>>9 beshort&0x0fff <1 {invalid},
>>13 byte 1 LZO1X-1,
>>13 byte 2 LZO1X-1(15),
>>13 byte 3 LZO1X-999,
## >>22 bedate >0 last modified: %s,
>>14 byte =0x00 os: MS-DOS
>>14 byte =0x01 os: Amiga
>>14 byte =0x02 os: VMS
>>14 byte =0x03 os: Unix
>>14 byte =0x05 os: Atari
>>14 byte =0x06 os: OS/2
>>14 byte =0x07 os: MacOS
>>14 byte =0x0A os: Tops/20
>>14 byte =0x0B os: WinNT
>>14 byte =0x0E os: Win32
>9 beshort >0x0939
>>9 byte&0xf0 =0x00 - version 0.
>>9 byte&0xf0 =0x10 - version 1.
>>9 byte&0xf0 =0x20 - version 2.
>>9 beshort&0x0fff x \b%03x,
>>15 byte 1 LZO1X-1,
>>15 byte 2 LZO1X-1(15),
>>15 byte 3 LZO1X-999,
## >>25 bedate >0 last modified: %s,
>>17 byte =0x00 os: MS-DOS
>>17 byte =0x01 os: Amiga
>>17 byte =0x02 os: VMS
>>17 byte =0x03 os: Unix
>>17 byte =0x05 os: Atari
>>17 byte =0x06 os: OS/2
>>17 byte =0x07 os: MacOS
>>17 byte =0x0A os: Tops/20
>>17 byte =0x0B os: WinNT
>>17 byte =0x0E os: Win32
# lzip
0 string LZIP lzip compressed data,
>4 ubyte 0 {invalid}
# Current version is still 1.x
>4 ubyte >4 {invalid}
>4 byte x version: %d
# lrzip
0 string LRZI lrzip compressed data
# LZO
0 string \211LZO\000\015\012\032\012 LZO compressed data
# 7-zip archiver, from Thomas Klausner (wiz@danbala.tuwien.ac.at)
# http://www.7-zip.org or DOC/7zFormat.txt
#
0 string 7z\274\257\047\034 7-zip archive data,
>6 byte <0 {invalid}
>6 byte 0
>>7 byte 0 {invalid}
>6 byte >20 {invalid}
>6 byte x version %d
>7 byte x \b.%d
# standard unix compress
# Disabled until a python alternative can be foudn for the compress binwalk plugin.
#0 string \x1f\x9d\x90 compress'd data, 16 bits
# http://tukaani.org/xz/xz-file-format.txt
0 string \xFD\x37\x7a\x58\x5a\x00 xz compressed data
# gzip (GNU zip, not to be confused with Info-ZIP or PKWARE zip archiver)
# Edited by Chris Chittleborough <cchittleborough@yahoo.com.au>, March 2002
# * Original filename is only at offset 10 if "extra field" absent
# * Produce shorter output - notably, only report compression methods
# other than 8 ("deflate", the only method defined in RFC 1952).
#0 string \037\213\x08 gzip compressed data
0 string \x1f\x8b\x08 gzip compressed data
>3 byte &0x01 \b, ASCII
>3 byte&0xE0 !0x00 \b, {invalid} reserved flag bits
>8 byte 2 \b, maximum compression
>8 byte 4 \b, fastest compression
>8 byte 1 \b, {invalid} extra flags
>8 byte 3 \b, {invalid} extra flags
>8 byte >4 \b, {invalid} extra flags
>3 byte &0x02 \b, has header CRC
>3 byte&0x04 0x04
>>10 leshort x \b, has %d bytes of extra data
>3 byte&0xC =0x08 \b, has original file name
>>10 string x \b{file-name:%s}
>>10 string x \b: "%s"
>3 byte &0x10 \b, has comment
>>3 byte&0xC 0
>>>10 string x \b: "%s"
>9 byte =0x00 \b, from FAT filesystem (MS-DOS, OS/2, NT)
>9 byte =0x01 \b, from Amiga
>9 byte =0x02 \b, from VMS
>9 byte =0x03 \b, from Unix
>9 byte =0x04 \b, from VM/CMS
>9 byte =0x05 \b, from Atari
>9 byte =0x06 \b, from HPFS filesystem (OS/2, NT)
>9 byte =0x07 \b, from MacOS
>9 byte =0x08 \b, from Z-System
>9 byte =0x09 \b, from CP/M
>9 byte =0x0A \b, from TOPS/20
>9 byte =0x0B \b, from NTFS filesystem (NT)
>9 byte =0x0C \b, from QDOS
>9 byte =0x0D \b, from Acorn RISCOS
#>9 byte =0xFF \b, from ZyNOS
#>9 byte >0x0D \b, {invalid}
#>>9 byte x source: 0x%.2X
#>9 byte <0 \b, {invalid}
#>>9 byte x source: 0x%.2X
>3 byte &0x20 \b, encrypted ({invalid})
# Dates before 1992 are {invalid}, unless of course you're DD-WRT in which
# case you don't know how to set a date in your gzip files. Brilliant.
>4 lelong =0 \b, NULL date:
>4 lelong <0 \b, {invalid} date:
>4 lelong >0
>>4 lelong <694224000 \b, {invalid} date:
>>4 lelong =694224000 \b, {invalid} date:
>>4 lelong >694224000 \b, last modified:
>4 ledate x %s
>4 lelong x \b{file-epoch:%d}
# Supplementary magic data for the file(1) command to support
# rzip(1). The format is described in magic(5).
#
# Copyright (C) 2003 by Andrew Tridgell. You may do whatever you want with
# this file.
#
0 string RZIP rzip compressed data
>4 byte x - version %d
>5 byte x \b.%d
>6 belong x (%d bytes)
# JAR
0 belong 0xcafed00d JAR compressed with pack200,
>5 byte x version %d.
>4 byte x \b%d
# New LZMA format signature
# See lzma file for LZMA signatures
0 string \xFFLZMA\x00 LZMA compressed data (new),
>6 byte&0x10 0 single-block stream
>6 byte&0x10 0x10 multi-block stream
0 string \xff\x06\x00\x00\x73\x4e\x61\x50\x70\x59 Snappy compression, stream identifier
#0 beshort 0x7801 Zlib header, no compression
0 beshort 0x789c Zlib compressed data, default compression
0 beshort 0x78da Zlib compressed data, best compression
0 beshort 0x785e Zlib compressed data, compressed