Commit d95e015d by devttys0

Re-working code to better fit with new magic module

parent 9fc088e0
...@@ -119,30 +119,14 @@ class CleanCommand(Command): ...@@ -119,30 +119,14 @@ class CleanCommand(Command):
pass pass
if "install" in sys.argv: if "install" in sys.argv:
# If an older version of binwalk is currently installed, completely remove it to prevent conflicts # If a previous version of binwalk is currently installed, completely remove it to prevent conflicts
existing_binwalk_modules = find_binwalk_module_paths() if find_binwalk_module_paths():
if existing_binwalk_modules and not os.path.exists(os.path.join(existing_binwalk_modules[0], "core")):
remove_binwalk_module() remove_binwalk_module()
# Re-build the magic file during a build/install
if "install" in sys.argv or "build" in sys.argv:
# Generate a new magic file from the files in the magic directory
print("creating %s magic file" % MODULE_NAME)
magic_files = os.listdir("magic")
magic_files.sort()
fd = open("%s/magic/%s" % (MODULE_NAME, MODULE_NAME), "wb")
for magic in magic_files:
fpath = os.path.join("magic", magic)
if os.path.isfile(fpath):
fd.write(open(fpath, "rb").read())
fd.close()
# The data files to install along with the module # The data files to install along with the module
data_dirs = ["magic", "config", "plugins", "modules", "core"] install_data_files = []
install_data_files = [os.path.join("libs", "*.so"), os.path.join("libs", "*.dylib")] for data_dir in ["magic", "config", "plugins", "modules", "core"]:
install_data_files.append("%s%s*" % (data_dir, os.path.sep))
for data_dir in data_dirs:
install_data_files.append("%s%s*" % (data_dir, os.path.sep))
# Install the module, script, and support files # Install the module, script, and support files
setup(name = MODULE_NAME, setup(name = MODULE_NAME,
......
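Review bot: The install branch now calls `remove_binwalk_module()` whenever `find_binwalk_module_paths()` returns anything, where the previous guard only removed an install that lacked a `core` directory, so every `python setup.py install` now silently deletes the currently installed copy before proceeding. Unless `remove_binwalk_module()` (defined outside this hunk) already reports what it deletes, keep the result and print it first so a user understands why an earlier install vanished: `existing = find_binwalk_module_paths()` / `if existing:` / `print("removing existing %s installation(s): %s" % (MODULE_NAME, ", ".join(existing)))`. The comment above the check could also end with "regardless of its layout" to record that dropping the `core` guard was deliberate. The helper functions and the rest of this script lie outside the hunk.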
...@@ -11,14 +11,35 @@ class SignatureTag(object): ...@@ -11,14 +11,35 @@ class SignatureTag(object):
for (k,v) in binwalk.core.compat.iterator(kwargs): for (k,v) in binwalk.core.compat.iterator(kwargs):
setattr(self, k, v) setattr(self, k, v)
class SignatureResult(object):
def __init__(self, **kwargs):
# These are set by signature keyword tags
self.jump = 0
self.size = 0
self.name = None
self.offset = 0
self.adjust = 0
self.strlen = 0
self.string = False
self.invalid = False
# These are set by code internally
self.file = None
self.valid = True
self.display = True
self.description = ""
for (k,v) in binwalk.core.compat.iterator(kwargs):
setattr(self, k, v)
class SignatureLine(object): class SignatureLine(object):
def __init__(self, line): def __init__(self, line):
self.tags = [] self.tags = []
self.original_text = line
line = line.replace('\\ ', '\x20') parts = line.replace('\\ ', '\\x20').split(None, 3)
parts = line.split(None, 3)
self.level = parts[0].count('>') self.level = parts[0].count('>')
...@@ -32,6 +53,10 @@ class SignatureLine(object): ...@@ -32,6 +53,10 @@ class SignatureLine(object):
(self.type, self.bitmask) = parts[1].split('&', 1) (self.type, self.bitmask) = parts[1].split('&', 1)
self.boolean = '&' self.boolean = '&'
self.bitmask = int(self.bitmask, 0) self.bitmask = int(self.bitmask, 0)
elif '|' in parts[1]:
(self.type, self.bitmask) = parts[1].split('|', 1)
self.boolean = '|'
self.bitmask = int(self.bitmask, 0)
else: else:
self.type = parts[1] self.type = parts[1]
self.boolean = None self.boolean = None
...@@ -171,22 +196,6 @@ class Signature(object): ...@@ -171,22 +196,6 @@ class Signature(object):
def append(self, line): def append(self, line):
self.lines.append(line) self.lines.append(line)
class SignatureResult(object):
def __init__(self, **kwargs):
self.offset = 0
self.adjust = 0
self.jump = 0
self.size = 0
self.description = ""
self.valid = True
self.invalid = False
self.display = True
self.file = None
for (k,v) in binwalk.core.compat.iterator(kwargs):
setattr(self, k, v)
class Magic(object): class Magic(object):
def __init__(self, exclude=[], include=[], invalid=False): def __init__(self, exclude=[], include=[], invalid=False):
...@@ -209,6 +218,7 @@ class Magic(object): ...@@ -209,6 +218,7 @@ class Magic(object):
def filtered(self, text): def filtered(self, text):
filtered = None filtered = None
text = text.lower()
for include in self.includes: for include in self.includes:
if include.match(text): if include.match(text):
...@@ -230,6 +240,7 @@ class Magic(object): ...@@ -230,6 +240,7 @@ class Magic(object):
def parse(self, signature, offset): def parse(self, signature, offset):
description = [] description = []
tag_strlen = None
max_line_level = 0 max_line_level = 0
tags = {'offset' : offset, 'invalid' : False} tags = {'offset' : offset, 'invalid' : False}
...@@ -275,12 +286,19 @@ class Magic(object): ...@@ -275,12 +286,19 @@ class Magic(object):
except struct.error as e: except struct.error as e:
dvalue = 0 dvalue = 0
elif line.size: elif line.size:
dvalue = self.data[start:end] # Strings have line.value == None
if line.value is None: if line.value is None:
dvalue = dvalue.split('\x00')[0].split('\r')[0].split('\r')[0] if [x for x in line.tags if x.name == 'string'] and binwalk.core.compat.has_key(tags, 'strlen'):
dvalue = self.data[start:(start+tags['strlen'])]
else:
dvalue = self.data[start:end].split('\x00')[0].split('\r')[0].split('\r')[0]
else:
dvalue = self.data[start:end]
if line.boolean == '&': if line.boolean == '&':
dvalue &= line.bitmask dvalue &= line.bitmask
elif line.boolean == '|':
dvalue |= line.bitmask
if ((line.value is None) or if ((line.value is None) or
(line.condition == '=' and dvalue == line.value) or (line.condition == '=' and dvalue == line.value) or
...@@ -295,13 +313,22 @@ class Magic(object): ...@@ -295,13 +313,22 @@ class Magic(object):
dvalue = ts.strftime("%Y-%m-%d %H:%M:%S") dvalue = ts.strftime("%Y-%m-%d %H:%M:%S")
if '%' in line.format: if '%' in line.format:
description.append(line.format % dvalue) desc = line.format % dvalue
else: else:
description.append(line.format) desc = line.format
if desc:
description.append(desc)
for tag in line.tags: for tag in line.tags:
if isinstance(tag.value, str) and '%' in tag.value: if isinstance(tag.value, str) and '%' in tag.value:
tags[tag.name] = tag.value % dvalue tags[tag.name] = tag.value % dvalue
try:
tags[tag.name] = int(tags[tag.name], 0)
except KeyboardInterrupt as e:
raise e
except Exception as e:
pass
else: else:
try: try:
tags[tag.name] = int(tag.value, 0) tags[tag.name] = int(tag.value, 0)
...@@ -316,12 +343,19 @@ class Magic(object): ...@@ -316,12 +343,19 @@ class Magic(object):
max_line_level = line.level + 1 max_line_level = line.level + 1
else: else:
max_line_level = line.level # No match on the first line, abort
if line.level == 0:
break
else:
max_line_level = line.level
tags['description'] = self.bspace.sub('', " ".join(description)) tags['description'] = self.bspace.sub('', " ".join(description))
if (('\\' in tags['description']) or if not tags['description']:
(self.printable.match(tags['description']).group() != tags['description'])): tags['display'] = False
tags['invalid'] = True
if self.printable.match(tags['description']).group() != tags['description']:
tags['invalid'] = True tags['invalid'] = True
tags['valid'] = (not tags['invalid']) tags['valid'] = (not tags['invalid'])
...@@ -330,19 +364,20 @@ class Magic(object): ...@@ -330,19 +364,20 @@ class Magic(object):
def scan(self, data, dlen=None): def scan(self, data, dlen=None):
results = [] results = []
matched_offsets = set()
self.data = data self.data = data
if dlen is None: if dlen is None:
dlen = len(self.data) dlen = len(self.data)
for signature in self.signatures: for signature in self.signatures:
for match in signature.regex.finditer(self.data): for match in signature.regex.finditer(self.data):
offset = match.start() - signature.offset offset = match.start() - signature.offset
if offset >= 0 and offset <= dlen: if (offset not in matched_offsets or self.show_invalid) and offset >= 0 and offset <= dlen:
tags = self.parse(signature, offset) tags = self.parse(signature, offset)
if not tags['invalid'] or self.show_invalid: if not tags['invalid'] or self.show_invalid:
results.append(SignatureResult(**tags)) results.append(SignatureResult(**tags))
matched_offsets.add(offset)
results.sort(key=lambda x: x.offset, reverse=False) results.sort(key=lambda x: x.offset, reverse=False)
return results return results
...@@ -381,15 +416,3 @@ class Magic(object): ...@@ -381,15 +416,3 @@ class Magic(object):
self.signatures.sort(key=lambda x: x.confidence, reverse=True) self.signatures.sort(key=lambda x: x.confidence, reverse=True)
if __name__ == '__main__':
import sys
m = Magic(invalid=True)
m.load(sys.argv[1])
print ("Loaded %d signatures" % len(m.signatures))
for signature in m.scan(open(sys.argv[2], "r").read()):
if signature.valid:
print (signature.offset, signature.description)
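Review bot: The new `strlen` branch in `parse` slices with `self.data[start:(start+tags['strlen'])]`, but `tags['strlen']` is produced from scanned bytes by a signature tag (the archives file on this page sets it from `>26 leshort x {strlen:%d}`), so if that field unpacks as signed a negative value makes the end index negative and Python then slices up to `len(data)+start+n`, yielding a long run of unrelated bytes instead of an empty string; clamp it with `dvalue = self.data[start:start + max(0, tags['strlen'])]`. The tag conversion added just below (`int(tags[tag.name], 0)` inside `try`) swallows every failure with `except Exception: pass` and leaves the tag as a str, after which `start + tags['strlen']` raises TypeError on the next match; narrowing it to `except ValueError:` keeps the failure visible, and the `except KeyboardInterrupt` clause is redundant since KeyboardInterrupt is not an `Exception` subclass and would not be caught by it anyway. `parse` starts and ends outside these hunks.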
...@@ -7,7 +7,7 @@ from binwalk.core.compat import * ...@@ -7,7 +7,7 @@ from binwalk.core.compat import *
class Settings: class Settings:
''' '''
Binwalk settings class, used for accessing user and system file paths and general configuration settings. Binwalk settings class, used for accessing user and system file paths and general configuration settings.
After instatiating the class, file paths can be accessed via the self.paths dictionary. After instatiating the class, file paths can be accessed via the self.paths dictionary.
System file paths are listed under the 'system' key, user file paths under the 'user' key. System file paths are listed under the 'system' key, user file paths under the 'user' key.
...@@ -58,6 +58,20 @@ class Settings: ...@@ -58,6 +58,20 @@ class Settings:
prefix=self._system_path(self.BINWALK_CONFIG_DIR, self.PREFIX_FILE), prefix=self._system_path(self.BINWALK_CONFIG_DIR, self.PREFIX_FILE),
plugins=self._system_path(self.BINWALK_PLUGINS_DIR)) plugins=self._system_path(self.BINWALK_PLUGINS_DIR))
def magic_signature_files(self, system_only=False, user_only=False):
files = []
if not system_only:
user_dir = os.path.join(self.user_dir, self.BINWALK_USER_DIR, self.BINWALK_MAGIC_DIR)
files += [os.path.join(user_dir, x) for x in os.listdir(user_dir)]
if not user_only:
system_dir = os.path.join(self.system_dir, self.BINWALK_MAGIC_DIR)
files += [os.path.join(system_dir, x) for x in os.listdir(system_dir)]
if self.system.binarch in files:
files.remove(self.system.binarch)
return files
def find_magic_file(self, fname, system_only=False, user_only=False): def find_magic_file(self, fname, system_only=False, user_only=False):
''' '''
Finds the specified magic file name in the system / user magic file directories. Finds the specified magic file name in the system / user magic file directories.
...@@ -83,7 +97,7 @@ class Settings: ...@@ -83,7 +97,7 @@ class Settings:
loc = fpath loc = fpath
return fpath return fpath
def _get_user_dir(self): def _get_user_dir(self):
''' '''
Get the user's home directory. Get the user's home directory.
...@@ -102,7 +116,7 @@ class Settings: ...@@ -102,7 +116,7 @@ class Settings:
@dirname - Directory path. @dirname - Directory path.
@filename - File name. @filename - File name.
Returns a full path of 'dirname/filename'. Returns a full path of 'dirname/filename'.
''' '''
if not os.path.exists(dirname): if not os.path.exists(dirname):
...@@ -112,7 +126,7 @@ class Settings: ...@@ -112,7 +126,7 @@ class Settings:
raise e raise e
except Exception: except Exception:
pass pass
fpath = os.path.join(dirname, filename) fpath = os.path.join(dirname, filename)
if not os.path.exists(fpath): if not os.path.exists(fpath):
...@@ -144,10 +158,10 @@ class Settings: ...@@ -144,10 +158,10 @@ class Settings:
def _system_path(self, subdir, basename=''): def _system_path(self, subdir, basename=''):
''' '''
Gets the full path to the 'subdir/basename' file in the system binwalk directory. Gets the full path to the 'subdir/basename' file in the system binwalk directory.
@subdir - Subdirectory inside the system binwalk directory. @subdir - Subdirectory inside the system binwalk directory.
@basename - File name inside the subdirectory. @basename - File name inside the subdirectory.
Returns the full path to the 'subdir/basename' file. Returns the full path to the 'subdir/basename' file.
''' '''
try: try:
......
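Review bot: `magic_signature_files` calls `os.listdir` on the user and system magic directories without checking that they exist, so a user magic directory that has not been created yet (this class creates user paths lazily elsewhere, see `_user_path`) turns into an OSError instead of falling back to the system files; it also returns subdirectories and any stray entry (editor backups, a README) as signature files, and `os.listdir` order is not stable across filesystems, so load order can differ between machines. Guard each directory, keep only regular files, and sort the names; the neighbouring methods all carry a `'''` docstring with `@param` lines and a Returns sentence, so add one describing the two flags and that binarch is excluded. Only `self.system.binarch` is dropped; if the user directory can also hold a binarch file it is still loaded — worth confirming.

```python
    def magic_signature_files(self, system_only=False, user_only=False):
        def _files_in(directory):
            # A missing directory contributes nothing rather than raising OSError
            if not os.path.isdir(directory):
                return []
            return [os.path.join(directory, x) for x in sorted(os.listdir(directory))
                    if os.path.isfile(os.path.join(directory, x))]

        files = []

        if not system_only:
            files += _files_in(os.path.join(self.user_dir, self.BINWALK_USER_DIR, self.BINWALK_MAGIC_DIR))

        if not user_only:
            files += _files_in(os.path.join(self.system_dir, self.BINWALK_MAGIC_DIR))

        # … unchanged: binarch removal and return …
```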
# ----------------------------Archive Formats--------------------------------------
# POSIX tar archives
257 string ustar\000 POSIX tar archive
>8 byte !0
>>8 string x \b, owner user name: "%.32s"
>40 byte !0
>>40 string x \b, owner group name: "%.32s"
257 string ustar\040\040\000 POSIX tar archive (GNU)
>8 byte !0
>>8 string x \b, owner user name: "%.32s"
>40 byte !0
>>40 string x \b, owner group name: "%.32s"
# Incremental snapshot gnu-tar format from:
# http://www.gnu.org/software/tar/manual/html_node/Snapshot-Files.html
0 string GNU\x20tar- GNU tar incremental snapshot data,
>0 string x version: "%s"
# JAR archiver (.j), this is the successor to ARJ, not Java's JAR (which is essentially ZIP)
14 string \x1aJar\x1b JAR (ARJ Software, Inc.) archive data
0 string JARCS JAR (ARJ Software, Inc.) archive data
# PKZIP multi-volume archive
0 string PK\x07\x08PK\x03\x04 Zip multi-volume archive data, at least PKZIP v2.50 to extract
# ZIP compression (Greg Roelofs, c/o zip-bugs@wkuvx1.wku.edu)
0 string PK\003\004 Zip
>6 leshort &0x01 encrypted
>0 byte x archive data,
>4 byte 0x00 v0.0
>4 byte 0x09 at least v0.9 to extract,
>4 byte 0x0a at least v1.0 to extract,
>4 byte 0x0b at least v1.1 to extract,
>0x161 string WINZIP WinZIP self-extracting,
>4 byte 0x14
>>30 ubelong !0x6d696d65 at least v2.0 to extract,
>18 lelong !0
>>18 lelong <0 {invalid}
>>18 lelong x compressed size: %d,
>>18 lelong x {jump:%d}
>22 lelong !0
>>22 lelong <0 {invalid}
>>22 lelong x uncompressed size: %d,
>30 byte <0x2D {invalid}
>30 byte >0x7A {invalid}
>26 leshort x {strlen:%d}
>30 string x name: {string}%s
# ZIP footer
0 string PK\x05\x06 End of Zip archive
>20 leshort >0
>>20 leshort x \b, comment:
>>20 leshort x {strlen:%d}
>>22 string x {string}"%s"
# ARJ archiver (jason@jarthur.Claremont.EDU)
0 uleshort 0xea60 ARJ archive data,
>2 leshort x header size: %d,
>5 byte <1 {invalid}
>5 byte >16 {invalid}
>5 byte x version %d,
>6 byte <1 {invalid}
>6 byte >16 {invalid}
>6 byte x minimum version to extract: %d,
>8 byte <0 {invalid} flags,
>8 byte &0x04 multi-volume,
>8 byte &0x10 slash-switched,
>8 byte &0x20 backup,
>9 byte <0 {invalid},
>9 byte >4 {invalid},
>9 byte 0 compression method: stored,
>9 byte 1 compression method: compressed most,
>9 byte 2 compression method: compressed,
>9 byte 3 compression method: compressed faster,
>9 byte 4 compression method: compressed fastest,
>10 byte <0 {invalid}
>10 byte >4 {invalid}
>10 byte 0 file type: binary,
>10 byte 1 file type: 7-bit text,
>10 byte 2 file type: comment header,
>10 byte 3 file type: directory,
>10 byte 4 file type: volume label,
>34 byte !0
>>34 string x {name:%s}
>>34 string x original name: "%s",
>0xC ledate x original file date: %s,
>0x10 lelong <0 {invalid}
>0x10 lelong x compressed file size: %d,
>0x14 lelong <0 {invalid}
>0x14 lelong x uncompressed file size: %d,
>7 byte 0 os: MS-DOS
>7 byte 1 os: PRIMOS
>7 byte 2 os: Unix
>7 byte 3 os: Amiga
>7 byte 4 os: Macintosh
>7 byte 5 os: OS/2
>7 byte 6 os: Apple ][ GS
>7 byte 7 os: Atari ST
>7 byte 8 os: NeXT
>7 byte 9 os: VAX/VMS
>7 byte >9 {invalid}
>7 byte <0 {invalid}
# RAR archiver (http://kthoom.googlecode.com/hg/docs/unrar.html)
0 string \x52\x61\x72\x21\x1A\x07\x00 RAR archive data, first volume type:
>9 ubyte <0x72 {invalid}
>9 ubyte >0x7B {invalid}
>9 ubyte 0x72 MARK_HEAD
>9 ubyte 0x73 MAIN_HEAD
>9 ubyte 0x74 FILE_HEAD
>9 ubyte 0x75 COMM_HEAD
>9 ubyte 0x76 AV_HEAD
>9 ubyte 0x77 SUB_HEAD
>9 ubyte 0x78 PROTECT_HEAD
>9 ubyte 0x79 SIGN_HEAD
>9 ubyte 0x7A NEWSUB_HEAD
>9 ubyte 0x7B ENDARC_HEAD
# HPACK archiver (Peter Gutmann, pgut1@cs.aukuni.ac.nz)
0 string HPAK HPACK archive data
# JAM Archive volume format, by Dmitry.Kohmanyuk@UA.net
0 string \351,\001JAM JAM archive
# LHARC/LHA archiver (Greg Roelofs, newt@uchicago.edu)
2 string -lzs- LHa 2.x? archive data [lzs] [NSRL|LHA2]
2 string -lh\40- LHa 2.x? archive data [lh ] [NSRL|LHA2]
2 string -lhd- LHa 2.x? archive data [lhd] [NSRL|LHA2]
2 string -lh2- LHa 2.x? archive data [lh2] [NSRL|LHA2]
2 string -lh3- LHa 2.x? archive data [lh3] [NSRL|LHA2]
2 string -lh4- LHa (2.x) archive data [lh4] [NSRL|LHA2]
2 string -lh5- LHa (2.x) archive data [lh5] [NSRL|LHA2]
2 string -lh6- LHa (2.x) archive data [lh6] [NSRL|LHA2]
2 string -lh7- LHa (2.x) archive data [lh7] [NSRL|LHA2]
# cpio archives
#
# The SVR4 "cpio(4)" hints that there are additional formats, but they
# are defined as "short"s; I think all the new formats are
# character-header formats and thus are strings, not numbers.
#0 string 070707 ASCII cpio archive (pre-SVR4 or odc)
0 string 070701 ASCII cpio archive (SVR4 with no CRC),
>110 byte 0 {invalid}
>94 byte <0x30 {invalid}
>94 byte >0x66 {invalid}
>54 byte <0x30 {invalid}
>54 byte >0x66 {invalid}
>110 string x file name: "%s",
>94 string x file name length: "0x%.8s",
>54 string x file size: "0x%.8s"
0 string 070702 ASCII cpio archive (SVR4 with CRC)
>110 byte 0 {invalid}
>94 byte <0x30 {invalid}
>94 byte >0x66 {invalid}
>54 byte <0x30 {invalid}
>54 byte >0x66 {invalid}
>110 string x file name: "%s",
>94 string x file name length: "0x%.8s",
>54 string x file size: "0x%.8s"
# HP Printer Job Language
# The header found on Win95 HP plot files is the "Silliest Thing possible"
# (TM)
# Every driver puts the language at some random position, with random case
# (LANGUAGE and Language)
# For example the LaserJet 5L driver puts the "PJL ENTER LANGUAGE" in line 10
# From: Uwe Bonnes <bon@elektron.ikp.physik.th-darmstadt.de>
#
0 string \033%-12345X@PJL HP Printer Job Language data,
>0 string x "%s"
#------------------------------------------------------------------------------
#
# RPM: file(1) magic for Red Hat Packages Erik Troan (ewt@redhat.com)
#
0 ubelong 0xedabeedb RPM
>4 byte x v%d
>6 beshort 0 bin
>6 beshort 1 src
>8 beshort 1 i386
>8 beshort 2 Alpha
>8 beshort 3 Sparc
>8 beshort 4 MIPS
>8 beshort 5 PowerPC
>8 beshort 6 68000
>8 beshort 7 SGI
>8 beshort 8 RS6000
>8 beshort 9 IA64
>8 beshort 10 Sparc64
>8 beshort 11 MIPSel
>8 beshort 12 ARM
>10 string x "%s"
# IBM AIX Backup File Format header and entry signatures
0 ulelong 0xea6b0009 BFF volume header,
>4 leshort x checksum: 0x%.4X,
>6 leshort <0 {invalid}
>6 leshort 0 {invalid}
>6 leshort x volume number: %d,
>8 ledate x current date: %s,
>12 ledate x starting date: %s,
>20 string x disk name: "%s",
>36 string x file system name: "%s",
>52 string x user name: "%s"
2 uleshort 0xea6b BFF volume entry,
>22 lelong <0 {invalid}
>22 lelong 0 directory,
>22 lelong >0
>>22 lelong x file size: %d,
>>54 lelong <0 {invalid}
>>54 lelong 0 {invalid}
>>54 lelong x compressed size: %d,
>58 lelong !0 {invalid}
>62 byte 0 {invalid}
>62 byte !0x2e
>>62 byte !0x2f {invalid}
>62 string x file name: "%s"
2 uleshort 0xea6c BFF volume entry, compressed,
>22 lelong <0 {invalid}
>22 lelong 0 directory,
>22 lelong >0
>>22 lelong x file size: %d,
>>54 lelong <0 {invalid}
>>54 lelong 0 {invalid}
>>54 lelong x compressed size: %d,
>58 lelong !0 {invalid}
>62 byte 0 {invalid}
>62 byte !0x2e
>>62 byte !0x2f {invalid}
>62 string x file name: "%s"
0 uleshort 0xea6d BFF volume entry, AIXv3,
>22 lelong <0 {invalid}
>22 lelong 0 directory,
>22 lelong >0
>>22 lelong x file size: %d,
>>54 lelong <0 {invalid}
>>54 lelong 0 {invalid}
>>54 lelong x compressed size: %d,
>58 lelong !0 {invalid}
>62 byte 0 {invalid}
>62 byte !0x2e
>>62 byte !0x2f {invalid}
>62 string x file name: "%s"
#------------------------------------------------------------------------------
# From Stuart Caie <kyzer@4u.net> (developer of cabextract)
# Microsoft Cabinet files
0 string MSCF\0\0\0\0 Microsoft Cabinet archive data
# According to libmagic comments, CAB version number is always 1.3
>25 byte !1 {invalid}
>24 byte !3 {invalid}
>8 lelong x \b, %u bytes
>28 leshort 0 {invalid}
>28 leshort 1 \b, 1 file
>28 leshort >1 \b, %u files
# InstallShield Cabinet files
0 string ISc( InstallShield Cabinet archive data
# TODO: Version number checks should be made more specific for false positive filtering
>5 byte&0xf0 =0x60 version 6,
>5 byte&0xf0 <0x60 version 4/5,
>5 byte&0xf0 >0x60 {invalid} version,
>12 lelong <0 {invalid} offset,
>12 lelong >100000 {invalid} offset,
>(12.l+40) lelong x %u files
# Windows CE package files
0 string MSCE\0\0\0\0 Microsoft WinCE install header
>20 lelong 0 \b, architecture-independent
>20 lelong 103 \b, Hitachi SH3
>20 lelong 104 \b, Hitachi SH4
>20 lelong 0xA11 \b, StrongARM
>20 lelong 4000 \b, MIPS R4000
>20 lelong 10003 \b, Hitachi SH3
>20 lelong 10004 \b, Hitachi SH3E
>20 lelong 10005 \b, Hitachi SH4
>20 lelong 70001 \b, ARM 7TDMI
>52 leshort 1 \b, 1 file
>52 leshort >1 \b, %u files
>56 leshort 1 \b, 1 registry entry
>56 leshort >1 \b, %u registry entries
0 string \0\ \ \ \ \ \ \ \ \ \ \ \0\0 LBR archive data
# Parity archive reconstruction file, the 'par' file format now used on Usenet.
0 string PAR\0 PARity archive data
>48 leshort =0 - Index file
>48 leshort >0 - file number %d
# Felix von Leitner <felix-file@fefe.de>
0 string d8:announce BitTorrent file
# BSA archives, based on http://forum.step-project.com/topic/5033-ramifications-of-bsa-extraction-in-mod-organizer/page-16
0 string BSA\x00\x67 BSA archive, version: 103,
>8 byte !0x24 {invalid}
>8 byte 0x24 folder records offset: %d
0 string BSA\x00\x68 BSA archive, version: 104,
>8 byte !0x24 {invalid}
>8 byte 0x24 folder records offset: %d
...@@ -3,13 +3,13 @@ ...@@ -3,13 +3,13 @@
# sw XX, XX($sp) # sw XX, XX($sp)
# 27 BD FF XX # 27 BD FF XX
# AF BX XX XX # AF BX XX XX
0 string \xFF\xBD\x27 MIPSEL instructions, function prologue{offset-adjust:-1} 1 string \xFF\xBD\x27 MIPSEL instructions, function prologue
>6 byte !0xAF (invalid) >6 byte !0xAF {invalid}
>5 byte&0xE0 !0xA0 (invalid) >5 byte&0xE0 !0xA0 {invalid}
0 string \x27\xBD\xFF MIPS instructions, function prologue 0 string \x27\xBD\xFF MIPS instructions, function prologue
>4 byte !0xAF (invalid) >4 byte !0xAF {invalid}
>5 byte&0xE0 !0xA0 (invalid) >5 byte&0xE0 !0xA0 {invalid}
# MIPS epilogue # MIPS epilogue
# jr $ra # jr $ra
...@@ -18,14 +18,14 @@ ...@@ -18,14 +18,14 @@
# addiu $sp, XX # addiu $sp, XX
# jr $ra # jr $ra
0 belong 0x03e00008 MIPS instructions, function epilogue 0 belong 0x03e00008 MIPS instructions, function epilogue
>4 beshort !0x27BD (invalid) >4 beshort !0x27BD {invalid}
0 beshort 0x27BD MIPS instructions, function epilogue 0 beshort 0x27BD MIPS instructions, function epilogue
>2 belong !0x03e00008 (invalid) >2 belong !0x03e00008 {invalid}
0 lelong 0x03e00008 MIPSEL instructions, function epilogue 0 lelong 0x03e00008 MIPSEL instructions, function epilogue
>6 leshort !0x27BD (invalid) >6 leshort !0x27BD {invalid}
0 leshort 0x27BD MIPS instructions, function epilogue 0 leshort 0x27BD MIPS instructions, function epilogue
>2 lelong !0x03e00008 (invalid) >2 lelong !0x03e00008 {invalid}
# MIPS16e # MIPS16e
# nop (x4) # nop (x4)
...@@ -36,17 +36,17 @@ ...@@ -36,17 +36,17 @@
# save a0-a1, XX # save a0-a1, XX
# addiu XX, XX # addiu XX, XX
0 string \xf0\x08\x64 MIPS16e instructions, function prologue 0 string \xf0\x08\x64 MIPS16e instructions, function prologue
>4 byte !0x01 (invalid) >4 byte !0x01 {invalid}
# move $sp, $s1 # move $sp, $s1
# restore XX, XX, XX # restore XX, XX, XX
# jrc $ra # jrc $ra
0 beshort 0x65B9 MIPS16e instructions, function epilogue 0 beshort 0x65B9 MIPS16e instructions, function epilogue
>3 byte !0x64 (invalid) >3 byte !0x64 {invalid}
>4 beshort !0xE8A0 (invalid) >4 beshort !0xE8A0 {invalid}
0 leshort 0x65B9 MIPSEL16e instructions, function epilogue 0 leshort 0x65B9 MIPSEL16e instructions, function epilogue
>3 byte !0x64 (invalid) >3 byte !0x64 {invalid}
>4 leshort !0xE8A0 (invalid) >4 leshort !0xE8A0 {invalid}
# jrc $ra # jrc $ra
# nop # nop
...@@ -68,19 +68,19 @@ ...@@ -68,19 +68,19 @@
# STMFD SP!, {XX} # STMFD SP!, {XX}
# <any instruction whose opcode begins with 0xE> # <any instruction whose opcode begins with 0xE>
0 beshort 0xE92D ARMEB instructions, function prologue 0 beshort 0xE92D ARMEB instructions, function prologue
>4 byte&0xF0 !0xE0 (invalid) >4 byte&0xF0 !0xE0 {invalid}
>8 byte&0xF0 !0xE0 (invalid) >8 byte&0xF0 !0xE0 {invalid}
0 leshort 0xE92D ARM instructions, function prologue{offset-adjust:-2} 0 leshort 0xE92D ARM instructions, function prologue{adjust:-2}
>5 byte&0xF0 !0xE0 (invalid) >5 byte&0xF0 !0xE0 {invalid}
>9 byte&0xF0 !0xE0 (invalid) >9 byte&0xF0 !0xE0 {invalid}
# ARM epilogue # ARM epilogue
# MOV R0, XX # MOV R0, XX
# LDMFD SP!, {XX} # LDMFD SP!, {XX}
0 beshort 0xE1A0 ARMEB instructions, function epilogue 0 beshort 0xE1A0 ARMEB instructions, function epilogue
>4 beshort !0xE8BD (invalid) >4 beshort !0xE8BD {invalid}
0 leshort 0xE1A0 ARM instructions, function epilogue{offset-adjust:-2} 0 leshort 0xE1A0 ARM instructions, function epilogue{adjust:-2}
>4 leshort !0xE8BD (invalid) >4 leshort !0xE8BD {invalid}
# Ubicom32 prologue # Ubicom32 prologue
...@@ -120,5 +120,5 @@ ...@@ -120,5 +120,5 @@
# push esi # push esi
0 string \x55\x89\xE5\x83\xEC Intel x86 instructions, function prologue 0 string \x55\x89\xE5\x83\xEC Intel x86 instructions, function prologue
0 string \x55\x89\xE5\x57\x56 Intel x86 instructions, function prologue 0 string \x55\x89\xE5\x57\x56 Intel x86 instructions, function prologue
0 string \x90\x90\x90\x90\x90\x90\x90\x90 Intel x86 instructions, nops{jump-to-offset:8} 0 string \x90\x90\x90\x90\x90\x90\x90\x90 Intel x86 instructions, nops{jump:8}
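Review bot: The MIPSEL prologue signature now anchors its match string at offset 1 instead of using the old offset-adjust, but its child tests `>6 byte !0xAF` and `>5 byte&0xE0 !0xA0` were not shifted with it. The magic module on this page computes the result offset as `match.start() - signature.offset`, so the children are now evaluated one byte earlier relative to the instruction bytes than before; with the little-endian layout of the two words in the comment above (`XX FF BD 27` then `XX XX BX AF`), the checks should read `>7 byte !0xAF` and `>6 byte&0xE0 !0xA0` (the big-endian variant at offset 0 correctly keeps `>4`/`>5`). The ARM entries handle the same situation with `{adjust:-2}` and unshifted children, so one of the two conventions should be used consistently — worth confirming against a known MIPSEL binary.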
0 belong x Hex: 0x%.8X
#0 string x String: %s
#0 lequad x Little Endian Quad: %lld
#0 bequad x Big Endian Quad: %lld
0 lelong x Little Endian Long: %d
0 belong x Big Endian Long: %d
0 leshort x Little Endian Short: %d
0 beshort x Big Endian Short: %d
0 ledate x Little Endian Date: %s
0 bedate x Big Endian Date: %s
...@@ -7,7 +7,7 @@ ...@@ -7,7 +7,7 @@
# U-Boot boot loader # U-Boot boot loader
0 string U-Boot\x20 U-Boot version string, 0 string U-Boot\x20 U-Boot version string,
>7 byte <48 {invalid}, >7 byte <48 {invalid}
>7 byte >57 {invalid}, >7 byte >57 {invalid}
>8 byte !0x2E {invalid}, >8 byte !0x2E {invalid}
>0 string x "%s" >0 string x "%s"
#------------------Compression Formats-----------------------------
# AFX compressed files (Wolfram Kleff)
2 string -afx- AFX compressed file data
# bzip2
0 string BZh91AY&SY bzip2 compressed data, block size = 900k
0 string BZh81AY&SY bzip2 compressed data, block size = 800k
0 string BZh71AY&SY bzip2 compressed data, block size = 700k
0 string BZh61AY&SY bzip2 compressed data, block size = 600k
0 string BZh51AY&SY bzip2 compressed data, block size = 500k
0 string BZh41AY&SY bzip2 compressed data, block size = 400k
0 string BZh31AY&SY bzip2 compressed data, block size = 300k
0 string BZh21AY&SY bzip2 compressed data, block size = 200k
0 string BZh11AY&SY bzip2 compressed data, block size = 100k
# lzop from <markus.oberhumer@jk.uni-linz.ac.at>
0 string \x89\x4c\x5a\x4f\x00\x0d\x0a\x1a\x0a lzop compressed data,
>9 beshort >0x093F {invalid}
>9 beshort <0x0940
>>9 byte&0xf0 =0x00 - version 0.
>>9 beshort&0x0fff x \b%03x,
>>9 beshort&0x0fff <1 {invalid}
>>13 byte 1 LZO1X-1,
>>13 byte 2 LZO1X-1(15),
>>13 byte 3 LZO1X-999,
>>14 byte =0x00 os: MS-DOS
>>14 byte =0x01 os: Amiga
>>14 byte =0x02 os: VMS
>>14 byte =0x03 os: Unix
>>14 byte =0x05 os: Atari
>>14 byte =0x06 os: OS/2
>>14 byte =0x07 os: MacOS
>>14 byte =0x0A os: Tops/20
>>14 byte =0x0B os: WinNT
>>14 byte =0x0E os: Win32
>9 beshort >0x0939
>>9 byte&0xf0 =0x00 - version 0.
>>9 byte&0xf0 =0x10 - version 1.
>>9 byte&0xf0 =0x20 - version 2.
>>9 beshort&0x0fff x \b%03x,
>>15 byte 1 LZO1X-1,
>>15 byte 2 LZO1X-1(15),
>>15 byte 3 LZO1X-999,
>>17 byte =0x00 os: MS-DOS
>>17 byte =0x01 os: Amiga
>>17 byte =0x02 os: VMS
>>17 byte =0x03 os: Unix
>>17 byte =0x05 os: Atari
>>17 byte =0x06 os: OS/2
>>17 byte =0x07 os: MacOS
>>17 byte =0x0A os: Tops/20
>>17 byte =0x0B os: WinNT
>>17 byte =0x0E os: Win32
# lzip
0 string LZIP lzip compressed data,
>4 ubyte 0 {invalid}
# Current version is still 1.x
>4 ubyte >4 {invalid}
>4 byte x version: %d
# lrzip
0 string LRZI lrzip compressed data
# LZO
0 string \211LZO\000\015\012\032\012 LZO compressed data
# 7-zip archiver, from Thomas Klausner (wiz@danbala.tuwien.ac.at)
# http://www.7-zip.org or DOC/7zFormat.txt
#
0 string 7z\274\257\047\034 7-zip archive data,
>6 byte <0 {invalid}
>6 byte 0
>>7 byte 0 {invalid}
>6 byte >20 {invalid}
>6 byte x version %d
>7 byte x \b.%d
# standard unix compress
# Disabled until a python alternative can be foudn for the compress binwalk plugin.
#0 string \x1f\x9d\x90 compress'd data, 16 bits
# http://tukaani.org/xz/xz-file-format.txt
0 string \xFD\x37\x7a\x58\x5a\x00 xz compressed data
# gzip (GNU zip, not to be confused with Info-ZIP or PKWARE zip archiver)
# Edited by Chris Chittleborough <cchittleborough@yahoo.com.au>, March 2002
# * Original filename is only at offset 10 if "extra field" absent
# * Produce shorter output - notably, only report compression methods
# other than 8 ("deflate", the only method defined in RFC 1952).
#0 string \037\213\x08 gzip compressed data
0 string \x1f\x8b\x08 gzip compressed data
>3 byte &0x01 \b, ASCII
>3 byte&0xE0 !0x00 \b, {invalid} reserved flag bits
>8 byte 2 \b, maximum compression
>8 byte 4 \b, fastest compression
>8 byte 1 \b, {invalid} extra flags
>8 byte 3 \b, {invalid} extra flags
>8 byte >4 \b, {invalid} extra flags
>3 byte &0x02 \b, has header CRC
>3 byte&0x04 0x04
>>10 leshort x \b, has %d bytes of extra data
>3 byte&0xC =0x08 \b, has original file name
>>10 string x \b{file-name:%s}
>>10 string x \b: "%s"
>3 byte &0x10 \b, has comment
>>3 byte&0xC 0
>>>10 string x \b: "%s"
>9 byte =0x00 \b, from FAT filesystem (MS-DOS, OS/2, NT)
>9 byte =0x01 \b, from Amiga
>9 byte =0x02 \b, from VMS
>9 byte =0x03 \b, from Unix
>9 byte =0x04 \b, from VM/CMS
>9 byte =0x05 \b, from Atari
>9 byte =0x06 \b, from HPFS filesystem (OS/2, NT)
>9 byte =0x07 \b, from MacOS
>9 byte =0x08 \b, from Z-System
>9 byte =0x09 \b, from CP/M
>9 byte =0x0A \b, from TOPS/20
>9 byte =0x0B \b, from NTFS filesystem (NT)
>9 byte =0x0C \b, from QDOS
>9 byte =0x0D \b, from Acorn RISCOS
>3 byte &0x20 \b, encrypted{invalid}
# Dates before 1992 are {invalid}, unless of course you're DD-WRT in which
# case you don't know how to set a date in your gzip files. Brilliant.
>4 lelong =0 \b, NULL date:
>4 lelong <0 {invalid}
>4 lelong >0
>>4 lelong <694224000 {invalid}
>>4 lelong =694224000 {invalid}
>>4 lelong >694224000 \b, last modified:
>>>4 ledate x %s
>>>4 lelong x {epoch:%d}
# Supplementary magic data for the file(1) command to support
# rzip(1). The format is described in magic(5).
#
# Copyright (C) 2003 by Andrew Tridgell. You may do whatever you want with
# this file.
#
0 string RZIP rzip compressed data
>4 byte x - version %d
>5 byte x \b.%d
>6 belong x (%d bytes)
# JAR
0 belong 0xcafed00d JAR compressed with pack200,
>5 byte x version %d.
>4 byte x \b%d
# New LZMA format signature
# See lzma file for LZMA signatures
0 string \xFFLZMA\x00 LZMA compressed data (new),
>6 byte&0x10 0 single-block stream
>6 byte&0x10 0x10 multi-block stream
0 string \xff\x06\x00\x00\x73\x4e\x61\x50\x70\x59 Snappy compression, stream identifier
#0 beshort 0x7801 Zlib header, no compression
0 beshort 0x789c Zlib compressed data, default compression
0 beshort 0x78da Zlib compressed data, best compression
0 beshort 0x785e Zlib compressed data, compressed
...@@ -94,8 +94,7 @@ class Signature(Module): ...@@ -94,8 +94,7 @@ class Signature(Module):
# Use the system default magic file if no other was specified, or if -B was explicitly specified # Use the system default magic file if no other was specified, or if -B was explicitly specified
if (not self.magic_files) or (self.explicit_signature_scan and not self.cast_data_types): if (not self.magic_files) or (self.explicit_signature_scan and not self.cast_data_types):
self.magic_files.append(self.config.settings.user.binwalk) self.magic_files += self.config.settings.magic_signature_files()
self.magic_files.append(self.config.settings.system.binwalk)
# Initialize libmagic # Initialize libmagic
self.magic = binwalk.core.magic.Magic(include=self.include_filters, self.magic = binwalk.core.magic.Magic(include=self.include_filters,
...@@ -147,6 +146,8 @@ class Signature(Module): ...@@ -147,6 +146,8 @@ class Signature(Module):
if r.offset < current_block_offset: if r.offset < current_block_offset:
continue continue
relative_offset = r.offset
# Set the absolute offset inside the target file # Set the absolute offset inside the target file
# TODO: Don't need the offset adjust stuff anymore, get rid of it # TODO: Don't need the offset adjust stuff anymore, get rid of it
r.offset = block_start + r.offset + r.adjust r.offset = block_start + r.offset + r.adjust
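Review bot: `relative_offset` is captured before `r.adjust` is folded into `r.offset`, so `current_block_offset = relative_offset + r.jump` in the next hunk and `absolute_jump_offset = r.offset + r.jump` one line above it differ by `r.adjust` whenever a signature carries a non-zero offset-adjust; that is consistent with the unadjusted comparison `if r.offset < current_block_offset` at the top of this hunk, but nothing in the code says so. A one-line comment would make the intent explicit: `# Block-relative, pre-adjust offset; the skip check above compares unadjusted r.offset against it`. Because `r.jump` is filled from signature keywords that read values out of the scanned file, keeping both offsets on the same basis is what makes the skip logic predictable, so this is worth pinning down rather than leaving to the TODO. The enclosing method starts and ends outside these hunks.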
...@@ -164,7 +165,7 @@ class Signature(Module): ...@@ -164,7 +165,7 @@ class Signature(Module):
# Is this a valid result and did it specify a jump-to-offset keyword, and are we doing a "smart" scan? # Is this a valid result and did it specify a jump-to-offset keyword, and are we doing a "smart" scan?
if r.valid and r.jump > 0 and not self.dumb_scan: if r.valid and r.jump > 0 and not self.dumb_scan:
absolute_jump_offset = r.offset + r.jump absolute_jump_offset = r.offset + r.jump
current_block_offset = candidate_offset + r.jump current_block_offset = relative_offset + r.jump
# If the jump-to-offset is beyond the confines of the current block, seek the file to # If the jump-to-offset is beyond the confines of the current block, seek the file to
# that offset and quit processing this block of data. # that offset and quit processing this block of data.
......
# ----------------------------Archive Formats--------------------------------------
# POSIX tar archives
0 string ustar\000 POSIX tar archive{offset-adjust:-257}
>8 byte !0
>>8 string x \b, owner user name: "%.32s"
>40 byte !0
>>40 string x \b, owner group name: "%.32s"
0 string ustar\040\040\000 POSIX tar archive (GNU){offset-adjust:-257}
>8 byte !0
>>8 string x \b, owner user name: "%.32s"
>40 byte !0
>>40 string x \b, owner group name: "%.32s"
# Incremental snapshot gnu-tar format from:
# http://www.gnu.org/software/tar/manual/html_node/Snapshot-Files.html
0 string GNU\x20tar- GNU tar incremental snapshot data,
>0 string x version: "%s"
# JAR archiver (.j), this is the successor to ARJ, not Java's JAR (which is essentially ZIP)
0 string \x1aJar\x1b JAR (ARJ Software, Inc.) archive data{offset-adjust:-14}
0 string JARCS JAR (ARJ Software, Inc.) archive data
# PKZIP multi-volume archive
0 string PK\x07\x08PK\x03\x04 Zip multi-volume archive data, at least PKZIP v2.50 to extract
# ZIP compression (Greg Roelofs, c/o zip-bugs@wkuvx1.wku.edu)
0 string PK\003\004 Zip
>6 leshort &0x01 encrypted
>0 byte x archive data,
>4 byte 0x00 v0.0
>4 byte 0x09 at least v0.9 to extract,
>4 byte 0x0a at least v1.0 to extract,
>4 byte 0x0b at least v1.1 to extract,
>0x161 string WINZIP WinZIP self-extracting,
>4 byte 0x14
>>30 ubelong !0x6d696d65 at least v2.0 to extract,
>18 lelong !0
>>18 lelong <0 {invalid}
>>18 lelong x compressed size: %d,
>>18 lelong x {jump-to-offset:%d}
>22 lelong !0
>>22 lelong <0 {invalid}
>>22 lelong x uncompressed size: %d,{extract-delay:End of Zip archive}
>30 byte <0x2D {invalid} file name,
>30 byte >0x7A {invalid} file name,
>30 string x name: {raw-replace}
>26 leshort x {raw-string-length:%d}
>30 string x {raw-string:%s
>61 string x \b%s
>92 string x \b%s
>123 string x \b%s
>154 string x \b%s}
# ZIP footer
0 string PK\x05\x06 End of Zip archive
#>10 leshort x number of records: %d,
#>12 leshort x size of central directory: %d
#>20 leshort x {offset-adjust:22+%d}
>20 leshort >0
>>20 leshort x \b, comment: {raw-replace}
>>20 leshort x {raw-string-length:%d}
>>22 string x {raw-string:%s}
# ARJ archiver (jason@jarthur.Claremont.EDU)
0 leshort 0xea60 ARJ archive data,
>2 leshort x header size: %d,
>5 byte <1 {invalid}
>5 byte >16 {invalid}
>5 byte x version %d,
>6 byte <1 {invalid}
>6 byte >16 {invalid}
>6 byte x minimum version to extract: %d,
>8 byte <0 {invalid} flags,
>8 byte &0x04 multi-volume,
>8 byte &0x10 slash-switched,
>8 byte &0x20 backup,
>9 byte <0 {invalid} compression method,
>9 byte >4 {invalid} compression method,
>9 byte 0 compression method: stored,
>9 byte 1 compression method: compressed most,
>9 byte 2 compression method: compressed,
>9 byte 3 compression method: compressed faster,
>9 byte 4 compression method: compressed fastest,
>10 byte <0 {invalid} file type
>10 byte >4 {invalid} file type
>10 byte 0 file type: binary,
>10 byte 1 file type: 7-bit text,
>10 byte 2 file type: comment header,
>10 byte 3 file type: directory,
>10 byte 4 file type: volume label,
>34 byte !0
>>34 string x {file-name:%s}
>>34 string x original name: "%s",
>0xC ledate x original file date: %s,
>0x10 lelong <0 {invalid}
>0x10 lelong x compressed file size: %d,
>0x14 lelong <0 {invalid}
>0x14 lelong x uncompressed file size: %d,
>7 byte 0 os: MS-DOS
>7 byte 1 os: PRIMOS
>7 byte 2 os: Unix
>7 byte 3 os: Amiga
>7 byte 4 os: Macintosh
>7 byte 5 os: OS/2
>7 byte 6 os: Apple ][ GS
>7 byte 7 os: Atari ST
>7 byte 8 os: NeXT
>7 byte 9 os: VAX/VMS
>7 byte >9 {invalid} os
>7 byte <0 {invalid} os
# RAR archiver (http://kthoom.googlecode.com/hg/docs/unrar.html)
0 string \x52\x61\x72\x21\x1A\x07\x00 RAR archive data, first volume type:
>9 ubyte <0x72 {invalid}
>9 ubyte >0x7B {invalid}
>9 ubyte 0x72 MARK_HEAD
>9 ubyte 0x73 MAIN_HEAD
>9 ubyte 0x74 FILE_HEAD
>9 ubyte 0x75 COMM_HEAD
>9 ubyte 0x76 AV_HEAD
>9 ubyte 0x77 SUB_HEAD
>9 ubyte 0x78 PROTECT_HEAD
>9 ubyte 0x79 SIGN_HEAD
>9 ubyte 0x7A NEWSUB_HEAD
>9 ubyte 0x7B ENDARC_HEAD
# HPACK archiver (Peter Gutmann, pgut1@cs.aukuni.ac.nz)
0 string HPAK HPACK archive data
# JAM Archive volume format, by Dmitry.Kohmanyuk@UA.net
0 string \351,\001JAM JAM archive
# LHARC/LHA archiver (Greg Roelofs, newt@uchicago.edu)
0 string -lzs- LHa 2.x? archive data [lzs] [NSRL|LHA2]{offset-adjust:-2}
0 string -lh\40- LHa 2.x? archive data [lh ] [NSRL|LHA2]{offset-adjust:-2}
0 string -lhd- LHa 2.x? archive data [lhd] [NSRL|LHA2]{offset-adjust:-2}
0 string -lh2- LHa 2.x? archive data [lh2] [NSRL|LHA2]{offset-adjust:-2}
0 string -lh3- LHa 2.x? archive data [lh3] [NSRL|LHA2]{offset-adjust:-2}
0 string -lh4- LHa (2.x) archive data [lh4] [NSRL|LHA2]{offset-adjust:-2}
0 string -lh5- LHa (2.x) archive data [lh5] [NSRL|LHA2]{offset-adjust:-2}
0 string -lh6- LHa (2.x) archive data [lh6] [NSRL|LHA2]{offset-adjust:-2}
0 string -lh7- LHa (2.x) archive data [lh7] [NSRL|LHA2]{offset-adjust:-2}
# cpio archives
#
# The SVR4 "cpio(4)" hints that there are additional formats, but they
# are defined as "short"s; I think all the new formats are
# character-header formats and thus are strings, not numbers.
#0 string 070707 ASCII cpio archive (pre-SVR4 or odc)
# WARNING: The jump-to-offset value in the ASCII cpio signatures below is a terrible hack.
# This keyword is not intended to be passed a string (%s), and doing so can open
# up the possibility of keyword injection by a malicious file. This works here though, because:
#
# 1) It would result in an {invalid} CPIO file ({invalid} size)
# 2) All valid keywords require more than 8 bytes, so a valid one can't be
# injected in the %.8s field.
0 string 070701 ASCII cpio archive (SVR4 with no CRC),
>110 byte 0 {invalid}
#>110 byte !0x2F
#>>110 string !TRAILER!!! {invalid}
>94 byte <0x30 {invalid}
>94 byte >0x66 {invalid}
>54 byte <0x30 {invalid}
>54 byte >0x66 {invalid}
>110 string x file name: "%s",
>94 string x file name length: "0x%.8s",
>54 string x file size: "0x%.8s"
>54 string x {jump-to-offset:0x%.8s+110+
>94 string x \b0x%.8s}
0 string 070702 ASCII cpio archive (SVR4 with CRC)
>110 byte 0 {invalid}
#>110 byte !0x2F
#>>110 string !TRAILER!!! {invalid}
>94 byte <0x30 {invalid}
>94 byte >0x66 {invalid}
>54 byte <0x30 {invalid}
>54 byte >0x66 {invalid}
>110 string x file name: "%s",
>94 string x file name length: "0x%.8s",
>54 string x file size: "0x%.8s"
>54 string x {jump-to-offset:0x%.8s+110+
>94 string x \b0x%.8s}
# HP Printer Job Language
# The header found on Win95 HP plot files is the "Silliest Thing possible"
# (TM)
# Every driver puts the language at some random position, with random case
# (LANGUAGE and Language)
# For example the LaserJet 5L driver puts the "PJL ENTER LANGUAGE" in line 10
# From: Uwe Bonnes <bon@elektron.ikp.physik.th-darmstadt.de>
#
0 string \033%-12345X@PJL HP Printer Job Language data, "
>0 string >\0 %s
>>128 string >\0 %s
>>>256 string >\0 %s
>0 byte x "
#------------------------------------------------------------------------------
#
# RPM: file(1) magic for Red Hat Packages Erik Troan (ewt@redhat.com)
#
0 belong 0xedabeedb RPM
>4 byte x v%d
>6 beshort 0 bin
>6 beshort 1 src
>8 beshort 1 i386
>8 beshort 2 Alpha
>8 beshort 3 Sparc
>8 beshort 4 MIPS
>8 beshort 5 PowerPC
>8 beshort 6 68000
>8 beshort 7 SGI
>8 beshort 8 RS6000
>8 beshort 9 IA64
>8 beshort 10 Sparc64
>8 beshort 11 MIPSel
>8 beshort 12 ARM
>10 string x "%s"
# IBM AIX Backup File Format header and entry signatures
0 lelong 0xea6b0009 BFF volume header,
>4 leshort x checksum: 0x%.4X,
>6 leshort <0 {invalid}
>6 leshort 0 {invalid}
>6 leshort x volume number: %d,
>8 ledate x current date: %s,
>12 ledate x starting date: %s,
>20 string x disk name: "%s",
>36 string x file system name: "%s",
>52 string x user name: "%s"
0 leshort 0xea6b BFF volume entry,{offset-adjust:-2}
>22 lelong <0 {invalid}
>22 lelong 0 directory,
>22 lelong >0
>>22 lelong x file size: %d,
>>54 lelong <0 {invalid}
>>54 lelong 0 {invalid}
>>54 lelong x compressed size: %d,
>58 lelong !0 {invalid}
>62 byte 0 {invalid}
>62 byte !0x2e
>>62 byte !0x2f {invalid}
>62 string x file name: "%s
>92 string x \b%s"
0 leshort 0xea6c BFF volume entry, compressed,{offset-adjust:-2}
>22 lelong <0 {invalid}
>22 lelong 0 directory,
>22 lelong >0
>>22 lelong x file size: %d,
>>54 lelong <0 {invalid}
>>54 lelong 0 {invalid}
>>54 lelong x compressed size: %d,
>58 lelong !0 {invalid}
>62 byte 0 {invalid}
>62 byte !0x2e
>>62 byte !0x2f {invalid}
>62 string x file name: "%s
>92 string x \b%s"
0 leshort 0xea6d BFF volume entry, AIXv3,{offset-adjust:-2}
>22 lelong <0 {invalid}
>22 lelong 0 directory,
>22 lelong >0
>>22 lelong x file size: %d,
>>54 lelong <0 {invalid}
>>54 lelong 0 {invalid}
>>54 lelong x compressed size: %d,
>58 lelong !0 {invalid}
>62 byte 0 {invalid}
>62 byte !0x2e
>>62 byte !0x2f {invalid}
>62 string x file name: "%s
>92 string x \b%s"
#------------------------------------------------------------------------------
# From Stuart Caie <kyzer@4u.net> (developer of cabextract)
# Microsoft Cabinet files
0 string MSCF\0\0\0\0 Microsoft Cabinet archive data
# According to libmagic comments, CAB version number is always 1.3
>25 byte !1 \b,{invalid} major version
>24 byte !3 \b,{invalid} minor version
>8 lelong x \b, %u bytes
>28 leshort 0 \b, 0 files ({invalid})
>28 leshort 1 \b, 1 file
>28 leshort >1 \b, %u files
# InstallShield Cabinet files
0 string ISc( InstallShield Cabinet archive data
# TODO: Version number checks should be made more specific for false positive filtering
>5 byte&0xf0 =0x60 version 6,
>5 byte&0xf0 <0x60 version 4/5,
>5 byte&0xf0 >0x60 {invalid} version,
>12 lelong <0 {invalid} offset,
>12 lelong >100000 {invalid} offset,
>(12.l+40) lelong x %u files
# Windows CE package files
0 string MSCE\0\0\0\0 Microsoft WinCE install header
>20 lelong 0 \b, architecture-independent
>20 lelong 103 \b, Hitachi SH3
>20 lelong 104 \b, Hitachi SH4
>20 lelong 0xA11 \b, StrongARM
>20 lelong 4000 \b, MIPS R4000
>20 lelong 10003 \b, Hitachi SH3
>20 lelong 10004 \b, Hitachi SH3E
>20 lelong 10005 \b, Hitachi SH4
>20 lelong 70001 \b, ARM 7TDMI
>52 leshort 1 \b, 1 file
>52 leshort >1 \b, %u files
>56 leshort 1 \b, 1 registry entry
>56 leshort >1 \b, %u registry entries
0 string \0\ \ \ \ \ \ \ \ \ \ \ \0\0 LBR archive data
# Parity archive reconstruction file, the 'par' file format now used on Usenet.
0 string PAR\0 PARity archive data
>48 leshort =0 - Index file
>48 leshort >0 - file number %d
# Felix von Leitner <felix-file@fefe.de>
0 string d8:announce BitTorrent file
# BSA archives, based on http://forum.step-project.com/topic/5033-ramifications-of-bsa-extraction-in-mod-organizer/page-16
0 string BSA\x00\x67 BSA archive, version: 103,
>8 byte !0x24 {invalid}
>8 byte 0x24 folder records offset: %d
0 string BSA\x00\x68 BSA archive, version: 104,
>8 byte !0x24 {invalid}
>8 byte 0x24 folder records offset: %d
#------------------Compression Formats-----------------------------
# AFX compressed files (Wolfram Kleff)
0 string -afx- AFX compressed file data{offset-adjust:-2}
# bzip2
0 string BZh91AY&SY bzip2 compressed data, block size = 900k
0 string BZh81AY&SY bzip2 compressed data, block size = 800k
0 string BZh71AY&SY bzip2 compressed data, block size = 700k
0 string BZh61AY&SY bzip2 compressed data, block size = 600k
0 string BZh51AY&SY bzip2 compressed data, block size = 500k
0 string BZh41AY&SY bzip2 compressed data, block size = 400k
0 string BZh31AY&SY bzip2 compressed data, block size = 300k
0 string BZh21AY&SY bzip2 compressed data, block size = 200k
0 string BZh11AY&SY bzip2 compressed data, block size = 100k
# lzop from <markus.oberhumer@jk.uni-linz.ac.at>
0 string \x89\x4c\x5a\x4f\x00\x0d\x0a\x1a\x0a lzop compressed data
>9 beshort >0x093F {invalid}
>9 beshort <0x0940
>>9 byte&0xf0 =0x00 - version 0.
>>9 beshort&0x0fff x \b%03x,
>>9 beshort&0x0fff <1 {invalid},
>>13 byte 1 LZO1X-1,
>>13 byte 2 LZO1X-1(15),
>>13 byte 3 LZO1X-999,
## >>22 bedate >0 last modified: %s,
>>14 byte =0x00 os: MS-DOS
>>14 byte =0x01 os: Amiga
>>14 byte =0x02 os: VMS
>>14 byte =0x03 os: Unix
>>14 byte =0x05 os: Atari
>>14 byte =0x06 os: OS/2
>>14 byte =0x07 os: MacOS
>>14 byte =0x0A os: Tops/20
>>14 byte =0x0B os: WinNT
>>14 byte =0x0E os: Win32
>9 beshort >0x0939
>>9 byte&0xf0 =0x00 - version 0.
>>9 byte&0xf0 =0x10 - version 1.
>>9 byte&0xf0 =0x20 - version 2.
>>9 beshort&0x0fff x \b%03x,
>>15 byte 1 LZO1X-1,
>>15 byte 2 LZO1X-1(15),
>>15 byte 3 LZO1X-999,
## >>25 bedate >0 last modified: %s,
>>17 byte =0x00 os: MS-DOS
>>17 byte =0x01 os: Amiga
>>17 byte =0x02 os: VMS
>>17 byte =0x03 os: Unix
>>17 byte =0x05 os: Atari
>>17 byte =0x06 os: OS/2
>>17 byte =0x07 os: MacOS
>>17 byte =0x0A os: Tops/20
>>17 byte =0x0B os: WinNT
>>17 byte =0x0E os: Win32
# lzip
0 string LZIP lzip compressed data,
>4 ubyte 0 {invalid}
# Current version is still 1.x
>4 ubyte >4 {invalid}
>4 byte x version: %d
# lrzip
0 string LRZI lrzip compressed data
# LZO
0 string \211LZO\000\015\012\032\012 LZO compressed data
# 7-zip archiver, from Thomas Klausner (wiz@danbala.tuwien.ac.at)
# http://www.7-zip.org or DOC/7zFormat.txt
#
0 string 7z\274\257\047\034 7-zip archive data,
>6 byte <0 {invalid}
>6 byte 0
>>7 byte 0 {invalid}
>6 byte >20 {invalid}
>6 byte x version %d
>7 byte x \b.%d
# standard unix compress
# Disabled until a python alternative can be foudn for the compress binwalk plugin.
#0 string \x1f\x9d\x90 compress'd data, 16 bits
# http://tukaani.org/xz/xz-file-format.txt
0 string \xFD\x37\x7a\x58\x5a\x00 xz compressed data
# gzip (GNU zip, not to be confused with Info-ZIP or PKWARE zip archiver)
# Edited by Chris Chittleborough <cchittleborough@yahoo.com.au>, March 2002
# * Original filename is only at offset 10 if "extra field" absent
# * Produce shorter output - notably, only report compression methods
# other than 8 ("deflate", the only method defined in RFC 1952).
#0 string \037\213\x08 gzip compressed data
0 string \x1f\x8b\x08 gzip compressed data
>3 byte &0x01 \b, ASCII
>3 byte&0xE0 !0x00 \b, {invalid} reserved flag bits
>8 byte 2 \b, maximum compression
>8 byte 4 \b, fastest compression
>8 byte 1 \b, {invalid} extra flags
>8 byte 3 \b, {invalid} extra flags
>8 byte >4 \b, {invalid} extra flags
>3 byte &0x02 \b, has header CRC
>3 byte&0x04 0x04
>>10 leshort x \b, has %d bytes of extra data
>3 byte&0xC =0x08 \b, has original file name
>>10 string x \b{file-name:%s}
>>10 string x \b: "%s"
>3 byte &0x10 \b, has comment
>>3 byte&0xC 0
>>>10 string x \b: "%s"
>9 byte =0x00 \b, from FAT filesystem (MS-DOS, OS/2, NT)
>9 byte =0x01 \b, from Amiga
>9 byte =0x02 \b, from VMS
>9 byte =0x03 \b, from Unix
>9 byte =0x04 \b, from VM/CMS
>9 byte =0x05 \b, from Atari
>9 byte =0x06 \b, from HPFS filesystem (OS/2, NT)
>9 byte =0x07 \b, from MacOS
>9 byte =0x08 \b, from Z-System
>9 byte =0x09 \b, from CP/M
>9 byte =0x0A \b, from TOPS/20
>9 byte =0x0B \b, from NTFS filesystem (NT)
>9 byte =0x0C \b, from QDOS
>9 byte =0x0D \b, from Acorn RISCOS
#>9 byte =0xFF \b, from ZyNOS
#>9 byte >0x0D \b, {invalid}
#>>9 byte x source: 0x%.2X
#>9 byte <0 \b, {invalid}
#>>9 byte x source: 0x%.2X
>3 byte &0x20 \b, encrypted ({invalid})
# Dates before 1992 are {invalid}, unless of course you're DD-WRT in which
# case you don't know how to set a date in your gzip files. Brilliant.
>4 lelong =0 \b, NULL date:
>4 lelong <0 \b, {invalid} date:
>4 lelong >0
>>4 lelong <694224000 \b, {invalid} date:
>>4 lelong =694224000 \b, {invalid} date:
>>4 lelong >694224000 \b, last modified:
>4 ledate x %s
>4 lelong x \b{file-epoch:%d}
# Supplementary magic data for the file(1) command to support
# rzip(1). The format is described in magic(5).
#
# Copyright (C) 2003 by Andrew Tridgell. You may do whatever you want with
# this file.
#
0 string RZIP rzip compressed data
>4 byte x - version %d
>5 byte x \b.%d
>6 belong x (%d bytes)
# JAR
0 belong 0xcafed00d JAR compressed with pack200,
>5 byte x version %d.
>4 byte x \b%d
# New LZMA format signature
# See lzma file for LZMA signatures
0 string \xFFLZMA\x00 LZMA compressed data (new),
>6 byte&0x10 0 single-block stream
>6 byte&0x10 0x10 multi-block stream
0 string \xff\x06\x00\x00\x73\x4e\x61\x50\x70\x59 Snappy compression, stream identifier
#0 beshort 0x7801 Zlib header, no compression
0 beshort 0x789c Zlib compressed data, default compression
0 beshort 0x78da Zlib compressed data, best compression
0 beshort 0x785e Zlib compressed data, compressed
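Review bot: The ASCII cpio entries (`070701` and `070702`) validate only the first byte of the 8-byte size and name-length fields (`>94 byte <0x30`/`>0x66`, `>54 byte <0x30`/`>0x66`) before embedding all eight bytes into `{jump-to-offset:0x%.8s+110+...}`, and the accepted byte range 0x30–0x66 also admits the non-hex characters between '9' and 'a' as well as the uppercase block. The preceding comment explains why the hack is considered safe, but that argument rests on the keyword parser's behaviour rather than on anything the signature checks. It would be more robust for the jump-to-offset parser to reject any operand that is not a hex literal and treat a failed parse as `{invalid}`, so malformed bytes in the unchecked positions fail closed instead of relying on the 8-character width; the same applies to both cpio entries. Which side of the commit this file section is on cannot be recovered from the rendered page, so this may be pre-existing rather than introduced here.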