Commit d95e015d by devttys0

Re-working code to better fit with new magic module

parent 9fc088e0
...@@ -119,29 +119,13 @@ class CleanCommand(Command): ...@@ -119,29 +119,13 @@ class CleanCommand(Command):
pass pass
if "install" in sys.argv: if "install" in sys.argv:
# If an older version of binwalk is currently installed, completely remove it to prevent conflicts # If a previous version of binwalk is currently installed, completely remove it to prevent conflicts
existing_binwalk_modules = find_binwalk_module_paths() if find_binwalk_module_paths():
if existing_binwalk_modules and not os.path.exists(os.path.join(existing_binwalk_modules[0], "core")):
remove_binwalk_module() remove_binwalk_module()
# Re-build the magic file during a build/install
if "install" in sys.argv or "build" in sys.argv:
# Generate a new magic file from the files in the magic directory
print("creating %s magic file" % MODULE_NAME)
magic_files = os.listdir("magic")
magic_files.sort()
fd = open("%s/magic/%s" % (MODULE_NAME, MODULE_NAME), "wb")
for magic in magic_files:
fpath = os.path.join("magic", magic)
if os.path.isfile(fpath):
fd.write(open(fpath, "rb").read())
fd.close()
# The data files to install along with the module # The data files to install along with the module
data_dirs = ["magic", "config", "plugins", "modules", "core"] install_data_files = []
install_data_files = [os.path.join("libs", "*.so"), os.path.join("libs", "*.dylib")] for data_dir in ["magic", "config", "plugins", "modules", "core"]:
for data_dir in data_dirs:
install_data_files.append("%s%s*" % (data_dir, os.path.sep)) install_data_files.append("%s%s*" % (data_dir, os.path.sep))
# Install the module, script, and support files # Install the module, script, and support files
......
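Review bot: The install branch now calls `remove_binwalk_module()` whenever `find_binwalk_module_paths()` returns anything, dropping the old test for a `core` subdirectory, so an installed copy of this same layout is deleted as well before reinstalling; if a clean reinstall is the intent, the comment on that line should say so, e.g. `# Always remove any installed copy first so files from an earlier layout cannot shadow this install`. The rebuilt `install_data_files` list also no longer carries the `libs/*.so` and `libs/*.dylib` globs of the old side; if the `libs` directory has been removed from the tree that is fine, otherwise those files silently stop shipping. The enclosing module-level code continues outside the hunk.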
...@@ -11,14 +11,35 @@ class SignatureTag(object): ...@@ -11,14 +11,35 @@ class SignatureTag(object):
for (k,v) in binwalk.core.compat.iterator(kwargs): for (k,v) in binwalk.core.compat.iterator(kwargs):
setattr(self, k, v) setattr(self, k, v)
class SignatureResult(object):
def __init__(self, **kwargs):
# These are set by signature keyword tags
self.jump = 0
self.size = 0
self.name = None
self.offset = 0
self.adjust = 0
self.strlen = 0
self.string = False
self.invalid = False
# These are set by code internally
self.file = None
self.valid = True
self.display = True
self.description = ""
for (k,v) in binwalk.core.compat.iterator(kwargs):
setattr(self, k, v)
class SignatureLine(object): class SignatureLine(object):
def __init__(self, line): def __init__(self, line):
self.tags = [] self.tags = []
self.original_text = line
line = line.replace('\\ ', '\x20') parts = line.replace('\\ ', '\\x20').split(None, 3)
parts = line.split(None, 3)
self.level = parts[0].count('>') self.level = parts[0].count('>')
...@@ -32,6 +53,10 @@ class SignatureLine(object): ...@@ -32,6 +53,10 @@ class SignatureLine(object):
(self.type, self.bitmask) = parts[1].split('&', 1) (self.type, self.bitmask) = parts[1].split('&', 1)
self.boolean = '&' self.boolean = '&'
self.bitmask = int(self.bitmask, 0) self.bitmask = int(self.bitmask, 0)
elif '|' in parts[1]:
(self.type, self.bitmask) = parts[1].split('|', 1)
self.boolean = '|'
self.bitmask = int(self.bitmask, 0)
else: else:
self.type = parts[1] self.type = parts[1]
self.boolean = None self.boolean = None
...@@ -171,22 +196,6 @@ class Signature(object): ...@@ -171,22 +196,6 @@ class Signature(object):
def append(self, line): def append(self, line):
self.lines.append(line) self.lines.append(line)
class SignatureResult(object):
def __init__(self, **kwargs):
self.offset = 0
self.adjust = 0
self.jump = 0
self.size = 0
self.description = ""
self.valid = True
self.invalid = False
self.display = True
self.file = None
for (k,v) in binwalk.core.compat.iterator(kwargs):
setattr(self, k, v)
class Magic(object): class Magic(object):
def __init__(self, exclude=[], include=[], invalid=False): def __init__(self, exclude=[], include=[], invalid=False):
...@@ -209,6 +218,7 @@ class Magic(object): ...@@ -209,6 +218,7 @@ class Magic(object):
def filtered(self, text): def filtered(self, text):
filtered = None filtered = None
text = text.lower()
for include in self.includes: for include in self.includes:
if include.match(text): if include.match(text):
...@@ -230,6 +240,7 @@ class Magic(object): ...@@ -230,6 +240,7 @@ class Magic(object):
def parse(self, signature, offset): def parse(self, signature, offset):
description = [] description = []
tag_strlen = None
max_line_level = 0 max_line_level = 0
tags = {'offset' : offset, 'invalid' : False} tags = {'offset' : offset, 'invalid' : False}
...@@ -275,12 +286,19 @@ class Magic(object): ...@@ -275,12 +286,19 @@ class Magic(object):
except struct.error as e: except struct.error as e:
dvalue = 0 dvalue = 0
elif line.size: elif line.size:
dvalue = self.data[start:end] # Strings have line.value == None
if line.value is None: if line.value is None:
dvalue = dvalue.split('\x00')[0].split('\r')[0].split('\r')[0] if [x for x in line.tags if x.name == 'string'] and binwalk.core.compat.has_key(tags, 'strlen'):
dvalue = self.data[start:(start+tags['strlen'])]
else:
dvalue = self.data[start:end].split('\x00')[0].split('\r')[0].split('\r')[0]
else:
dvalue = self.data[start:end]
if line.boolean == '&': if line.boolean == '&':
dvalue &= line.bitmask dvalue &= line.bitmask
elif line.boolean == '|':
dvalue |= line.bitmask
if ((line.value is None) or if ((line.value is None) or
(line.condition == '=' and dvalue == line.value) or (line.condition == '=' and dvalue == line.value) or
...@@ -295,13 +313,22 @@ class Magic(object): ...@@ -295,13 +313,22 @@ class Magic(object):
dvalue = ts.strftime("%Y-%m-%d %H:%M:%S") dvalue = ts.strftime("%Y-%m-%d %H:%M:%S")
if '%' in line.format: if '%' in line.format:
description.append(line.format % dvalue) desc = line.format % dvalue
else: else:
description.append(line.format) desc = line.format
if desc:
description.append(desc)
for tag in line.tags: for tag in line.tags:
if isinstance(tag.value, str) and '%' in tag.value: if isinstance(tag.value, str) and '%' in tag.value:
tags[tag.name] = tag.value % dvalue tags[tag.name] = tag.value % dvalue
try:
tags[tag.name] = int(tags[tag.name], 0)
except KeyboardInterrupt as e:
raise e
except Exception as e:
pass
else: else:
try: try:
tags[tag.name] = int(tag.value, 0) tags[tag.name] = int(tag.value, 0)
...@@ -316,12 +343,19 @@ class Magic(object): ...@@ -316,12 +343,19 @@ class Magic(object):
max_line_level = line.level + 1 max_line_level = line.level + 1
else: else:
# No match on the first line, abort
if line.level == 0:
break
else:
max_line_level = line.level max_line_level = line.level
tags['description'] = self.bspace.sub('', " ".join(description)) tags['description'] = self.bspace.sub('', " ".join(description))
if (('\\' in tags['description']) or if not tags['description']:
(self.printable.match(tags['description']).group() != tags['description'])): tags['display'] = False
tags['invalid'] = True
if self.printable.match(tags['description']).group() != tags['description']:
tags['invalid'] = True tags['invalid'] = True
tags['valid'] = (not tags['invalid']) tags['valid'] = (not tags['invalid'])
...@@ -330,19 +364,20 @@ class Magic(object): ...@@ -330,19 +364,20 @@ class Magic(object):
def scan(self, data, dlen=None): def scan(self, data, dlen=None):
results = [] results = []
matched_offsets = set()
self.data = data self.data = data
if dlen is None: if dlen is None:
dlen = len(self.data) dlen = len(self.data)
for signature in self.signatures: for signature in self.signatures:
for match in signature.regex.finditer(self.data): for match in signature.regex.finditer(self.data):
offset = match.start() - signature.offset offset = match.start() - signature.offset
if offset >= 0 and offset <= dlen: if (offset not in matched_offsets or self.show_invalid) and offset >= 0 and offset <= dlen:
tags = self.parse(signature, offset) tags = self.parse(signature, offset)
if not tags['invalid'] or self.show_invalid: if not tags['invalid'] or self.show_invalid:
results.append(SignatureResult(**tags)) results.append(SignatureResult(**tags))
matched_offsets.add(offset)
results.sort(key=lambda x: x.offset, reverse=False) results.sort(key=lambda x: x.offset, reverse=False)
return results return results
...@@ -381,15 +416,3 @@ class Magic(object): ...@@ -381,15 +416,3 @@ class Magic(object):
self.signatures.sort(key=lambda x: x.confidence, reverse=True) self.signatures.sort(key=lambda x: x.confidence, reverse=True)
if __name__ == '__main__':
import sys
m = Magic(invalid=True)
m.load(sys.argv[1])
print ("Loaded %d signatures" % len(m.signatures))
for signature in m.scan(open(sys.argv[2], "r").read()):
if signature.valid:
print (signature.offset, signature.description)
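Review bot: In the parse() hunk (`@@ -275,12 +286,19 @@`) the string branch slices `self.data[start:(start+tags['strlen'])]` with a length taken straight from a `{strlen:%d}` tag, which is itself filled from the scanned data (a signed `leshort` in the ZIP entries, for example); a zero or negative value silently yields an empty string or, when `start+strlen` goes negative, a slice whose end is measured from the end of the buffer, so the description is built from unrelated bytes. A guard such as `if tags['strlen'] > 0:` before using it, falling back to the `\x00`-terminated branch otherwise, keeps an unexpected length from producing a bogus result. The tag conversion in the next hunk catches `Exception` and passes; `int(..., 0)` on a non-numeric tag value raises `ValueError`, so `except ValueError: pass` is the narrowest form and stops masking unrelated errors (the `KeyboardInterrupt` clause is redundant since it is not an `Exception` subclass). Note also that `SignatureResult.__init__` applies every kwarg with `setattr`, so a tag named `valid`, `display` or `file` in a signature file overrides the fields the comment marks as "set by code internally"; a comment there, or a check against those names, would make that boundary explicit.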
...@@ -58,6 +58,20 @@ class Settings: ...@@ -58,6 +58,20 @@ class Settings:
prefix=self._system_path(self.BINWALK_CONFIG_DIR, self.PREFIX_FILE), prefix=self._system_path(self.BINWALK_CONFIG_DIR, self.PREFIX_FILE),
plugins=self._system_path(self.BINWALK_PLUGINS_DIR)) plugins=self._system_path(self.BINWALK_PLUGINS_DIR))
def magic_signature_files(self, system_only=False, user_only=False):
files = []
if not system_only:
user_dir = os.path.join(self.user_dir, self.BINWALK_USER_DIR, self.BINWALK_MAGIC_DIR)
files += [os.path.join(user_dir, x) for x in os.listdir(user_dir)]
if not user_only:
system_dir = os.path.join(self.system_dir, self.BINWALK_MAGIC_DIR)
files += [os.path.join(system_dir, x) for x in os.listdir(system_dir)]
if self.system.binarch in files:
files.remove(self.system.binarch)
return files
def find_magic_file(self, fname, system_only=False, user_only=False): def find_magic_file(self, fname, system_only=False, user_only=False):
''' '''
Finds the specified magic file name in the system / user magic file directories. Finds the specified magic file name in the system / user magic file directories.
......
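Review bot: `magic_signature_files` calls `os.listdir` on the user magic directory unconditionally, so a user whose magic directory does not exist yet gets an `OSError` from the default signature scan instead of falling through to the system files. The listing is also unfiltered and unsorted: subdirectories, editor backups and any other stray entries are handed on to the magic loader, and `os.listdir` order varies by filesystem, so signature load order (and any tie-breaking that depends on it) differs between runs. Checking `os.path.isdir` before listing, keeping only regular files and sorting each directory's entries addresses all three; a small helper keeps the two branches identical.
```python
    def magic_signature_files(self, system_only=False, user_only=False):
        def _list_dir(d):
            # Skip missing directories and non-file entries; sort for a stable load order.
            if not os.path.isdir(d):
                return []
            return sorted(os.path.join(d, x) for x in os.listdir(d) if os.path.isfile(os.path.join(d, x)))

        files = []
        if not system_only:
            files += _list_dir(os.path.join(self.user_dir, self.BINWALK_USER_DIR, self.BINWALK_MAGIC_DIR))
        if not user_only:
            files += _list_dir(os.path.join(self.system_dir, self.BINWALK_MAGIC_DIR))
        # … unchanged: binarch removal and return …
```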
# ----------------------------Archive Formats--------------------------------------
# POSIX tar archives
257 string ustar\000 POSIX tar archive
>8 byte !0
>>8 string x \b, owner user name: "%.32s"
>40 byte !0
>>40 string x \b, owner group name: "%.32s"
257 string ustar\040\040\000 POSIX tar archive (GNU)
>8 byte !0
>>8 string x \b, owner user name: "%.32s"
>40 byte !0
>>40 string x \b, owner group name: "%.32s"
# Incremental snapshot gnu-tar format from:
# http://www.gnu.org/software/tar/manual/html_node/Snapshot-Files.html
0 string GNU\x20tar- GNU tar incremental snapshot data,
>0 string x version: "%s"
# JAR archiver (.j), this is the successor to ARJ, not Java's JAR (which is essentially ZIP)
14 string \x1aJar\x1b JAR (ARJ Software, Inc.) archive data
0 string JARCS JAR (ARJ Software, Inc.) archive data
# PKZIP multi-volume archive
0 string PK\x07\x08PK\x03\x04 Zip multi-volume archive data, at least PKZIP v2.50 to extract
# ZIP compression (Greg Roelofs, c/o zip-bugs@wkuvx1.wku.edu)
0 string PK\003\004 Zip
>6 leshort &0x01 encrypted
>0 byte x archive data,
>4 byte 0x00 v0.0
>4 byte 0x09 at least v0.9 to extract,
>4 byte 0x0a at least v1.0 to extract,
>4 byte 0x0b at least v1.1 to extract,
>0x161 string WINZIP WinZIP self-extracting,
>4 byte 0x14
>>30 ubelong !0x6d696d65 at least v2.0 to extract,
>18 lelong !0
>>18 lelong <0 {invalid}
>>18 lelong x compressed size: %d,
>>18 lelong x {jump:%d}
>22 lelong !0
>>22 lelong <0 {invalid}
>>22 lelong x uncompressed size: %d,
>30 byte <0x2D {invalid}
>30 byte >0x7A {invalid}
>26 leshort x {strlen:%d}
>30 string x name: {string}%s
# ZIP footer
0 string PK\x05\x06 End of Zip archive
>20 leshort >0
>>20 leshort x \b, comment:
>>20 leshort x {strlen:%d}
>>22 string x {string}"%s"
# ARJ archiver (jason@jarthur.Claremont.EDU)
0 uleshort 0xea60 ARJ archive data,
>2 leshort x header size: %d,
>5 byte <1 {invalid}
>5 byte >16 {invalid}
>5 byte x version %d,
>6 byte <1 {invalid}
>6 byte >16 {invalid}
>6 byte x minimum version to extract: %d,
>8 byte <0 {invalid} flags,
>8 byte &0x04 multi-volume,
>8 byte &0x10 slash-switched,
>8 byte &0x20 backup,
>9 byte <0 {invalid},
>9 byte >4 {invalid},
>9 byte 0 compression method: stored,
>9 byte 1 compression method: compressed most,
>9 byte 2 compression method: compressed,
>9 byte 3 compression method: compressed faster,
>9 byte 4 compression method: compressed fastest,
>10 byte <0 {invalid}
>10 byte >4 {invalid}
>10 byte 0 file type: binary,
>10 byte 1 file type: 7-bit text,
>10 byte 2 file type: comment header,
>10 byte 3 file type: directory,
>10 byte 4 file type: volume label,
>34 byte !0
>>34 string x {name:%s}
>>34 string x original name: "%s",
>0xC ledate x original file date: %s,
>0x10 lelong <0 {invalid}
>0x10 lelong x compressed file size: %d,
>0x14 lelong <0 {invalid}
>0x14 lelong x uncompressed file size: %d,
>7 byte 0 os: MS-DOS
>7 byte 1 os: PRIMOS
>7 byte 2 os: Unix
>7 byte 3 os: Amiga
>7 byte 4 os: Macintosh
>7 byte 5 os: OS/2
>7 byte 6 os: Apple ][ GS
>7 byte 7 os: Atari ST
>7 byte 8 os: NeXT
>7 byte 9 os: VAX/VMS
>7 byte >9 {invalid}
>7 byte <0 {invalid}
# RAR archiver (http://kthoom.googlecode.com/hg/docs/unrar.html)
0 string \x52\x61\x72\x21\x1A\x07\x00 RAR archive data, first volume type:
>9 ubyte <0x72 {invalid}
>9 ubyte >0x7B {invalid}
>9 ubyte 0x72 MARK_HEAD
>9 ubyte 0x73 MAIN_HEAD
>9 ubyte 0x74 FILE_HEAD
>9 ubyte 0x75 COMM_HEAD
>9 ubyte 0x76 AV_HEAD
>9 ubyte 0x77 SUB_HEAD
>9 ubyte 0x78 PROTECT_HEAD
>9 ubyte 0x79 SIGN_HEAD
>9 ubyte 0x7A NEWSUB_HEAD
>9 ubyte 0x7B ENDARC_HEAD
# HPACK archiver (Peter Gutmann, pgut1@cs.aukuni.ac.nz)
0 string HPAK HPACK archive data
# JAM Archive volume format, by Dmitry.Kohmanyuk@UA.net
0 string \351,\001JAM JAM archive
# LHARC/LHA archiver (Greg Roelofs, newt@uchicago.edu)
2 string -lzs- LHa 2.x? archive data [lzs] [NSRL|LHA2]
2 string -lh\40- LHa 2.x? archive data [lh ] [NSRL|LHA2]
2 string -lhd- LHa 2.x? archive data [lhd] [NSRL|LHA2]
2 string -lh2- LHa 2.x? archive data [lh2] [NSRL|LHA2]
2 string -lh3- LHa 2.x? archive data [lh3] [NSRL|LHA2]
2 string -lh4- LHa (2.x) archive data [lh4] [NSRL|LHA2]
2 string -lh5- LHa (2.x) archive data [lh5] [NSRL|LHA2]
2 string -lh6- LHa (2.x) archive data [lh6] [NSRL|LHA2]
2 string -lh7- LHa (2.x) archive data [lh7] [NSRL|LHA2]
# cpio archives
#
# The SVR4 "cpio(4)" hints that there are additional formats, but they
# are defined as "short"s; I think all the new formats are
# character-header formats and thus are strings, not numbers.
#0 string 070707 ASCII cpio archive (pre-SVR4 or odc)
0 string 070701 ASCII cpio archive (SVR4 with no CRC),
>110 byte 0 {invalid}
>94 byte <0x30 {invalid}
>94 byte >0x66 {invalid}
>54 byte <0x30 {invalid}
>54 byte >0x66 {invalid}
>110 string x file name: "%s",
>94 string x file name length: "0x%.8s",
>54 string x file size: "0x%.8s"
0 string 070702 ASCII cpio archive (SVR4 with CRC)
>110 byte 0 {invalid}
>94 byte <0x30 {invalid}
>94 byte >0x66 {invalid}
>54 byte <0x30 {invalid}
>54 byte >0x66 {invalid}
>110 string x file name: "%s",
>94 string x file name length: "0x%.8s",
>54 string x file size: "0x%.8s"
# HP Printer Job Language
# The header found on Win95 HP plot files is the "Silliest Thing possible"
# (TM)
# Every driver puts the language at some random position, with random case
# (LANGUAGE and Language)
# For example the LaserJet 5L driver puts the "PJL ENTER LANGUAGE" in line 10
# From: Uwe Bonnes <bon@elektron.ikp.physik.th-darmstadt.de>
#
0 string \033%-12345X@PJL HP Printer Job Language data,
>0 string x "%s"
#------------------------------------------------------------------------------
#
# RPM: file(1) magic for Red Hat Packages Erik Troan (ewt@redhat.com)
#
0 ubelong 0xedabeedb RPM
>4 byte x v%d
>6 beshort 0 bin
>6 beshort 1 src
>8 beshort 1 i386
>8 beshort 2 Alpha
>8 beshort 3 Sparc
>8 beshort 4 MIPS
>8 beshort 5 PowerPC
>8 beshort 6 68000
>8 beshort 7 SGI
>8 beshort 8 RS6000
>8 beshort 9 IA64
>8 beshort 10 Sparc64
>8 beshort 11 MIPSel
>8 beshort 12 ARM
>10 string x "%s"
# IBM AIX Backup File Format header and entry signatures
0 ulelong 0xea6b0009 BFF volume header,
>4 leshort x checksum: 0x%.4X,
>6 leshort <0 {invalid}
>6 leshort 0 {invalid}
>6 leshort x volume number: %d,
>8 ledate x current date: %s,
>12 ledate x starting date: %s,
>20 string x disk name: "%s",
>36 string x file system name: "%s",
>52 string x user name: "%s"
2 uleshort 0xea6b BFF volume entry,
>22 lelong <0 {invalid}
>22 lelong 0 directory,
>22 lelong >0
>>22 lelong x file size: %d,
>>54 lelong <0 {invalid}
>>54 lelong 0 {invalid}
>>54 lelong x compressed size: %d,
>58 lelong !0 {invalid}
>62 byte 0 {invalid}
>62 byte !0x2e
>>62 byte !0x2f {invalid}
>62 string x file name: "%s"
2 uleshort 0xea6c BFF volume entry, compressed,
>22 lelong <0 {invalid}
>22 lelong 0 directory,
>22 lelong >0
>>22 lelong x file size: %d,
>>54 lelong <0 {invalid}
>>54 lelong 0 {invalid}
>>54 lelong x compressed size: %d,
>58 lelong !0 {invalid}
>62 byte 0 {invalid}
>62 byte !0x2e
>>62 byte !0x2f {invalid}
>62 string x file name: "%s"
0 uleshort 0xea6d BFF volume entry, AIXv3,
>22 lelong <0 {invalid}
>22 lelong 0 directory,
>22 lelong >0
>>22 lelong x file size: %d,
>>54 lelong <0 {invalid}
>>54 lelong 0 {invalid}
>>54 lelong x compressed size: %d,
>58 lelong !0 {invalid}
>62 byte 0 {invalid}
>62 byte !0x2e
>>62 byte !0x2f {invalid}
>62 string x file name: "%s"
#------------------------------------------------------------------------------
# From Stuart Caie <kyzer@4u.net> (developer of cabextract)
# Microsoft Cabinet files
0 string MSCF\0\0\0\0 Microsoft Cabinet archive data
# According to libmagic comments, CAB version number is always 1.3
>25 byte !1 {invalid}
>24 byte !3 {invalid}
>8 lelong x \b, %u bytes
>28 leshort 0 {invalid}
>28 leshort 1 \b, 1 file
>28 leshort >1 \b, %u files
# InstallShield Cabinet files
0 string ISc( InstallShield Cabinet archive data
# TODO: Version number checks should be made more specific for false positive filtering
>5 byte&0xf0 =0x60 version 6,
>5 byte&0xf0 <0x60 version 4/5,
>5 byte&0xf0 >0x60 {invalid} version,
>12 lelong <0 {invalid} offset,
>12 lelong >100000 {invalid} offset,
>(12.l+40) lelong x %u files
# Windows CE package files
0 string MSCE\0\0\0\0 Microsoft WinCE install header
>20 lelong 0 \b, architecture-independent
>20 lelong 103 \b, Hitachi SH3
>20 lelong 104 \b, Hitachi SH4
>20 lelong 0xA11 \b, StrongARM
>20 lelong 4000 \b, MIPS R4000
>20 lelong 10003 \b, Hitachi SH3
>20 lelong 10004 \b, Hitachi SH3E
>20 lelong 10005 \b, Hitachi SH4
>20 lelong 70001 \b, ARM 7TDMI
>52 leshort 1 \b, 1 file
>52 leshort >1 \b, %u files
>56 leshort 1 \b, 1 registry entry
>56 leshort >1 \b, %u registry entries
0 string \0\ \ \ \ \ \ \ \ \ \ \ \0\0 LBR archive data
# Parity archive reconstruction file, the 'par' file format now used on Usenet.
0 string PAR\0 PARity archive data
>48 leshort =0 - Index file
>48 leshort >0 - file number %d
# Felix von Leitner <felix-file@fefe.de>
0 string d8:announce BitTorrent file
# BSA archives, based on http://forum.step-project.com/topic/5033-ramifications-of-bsa-extraction-in-mod-organizer/page-16
0 string BSA\x00\x67 BSA archive, version: 103,
>8 byte !0x24 {invalid}
>8 byte 0x24 folder records offset: %d
0 string BSA\x00\x68 BSA archive, version: 104,
>8 byte !0x24 {invalid}
>8 byte 0x24 folder records offset: %d
...@@ -3,13 +3,13 @@ ...@@ -3,13 +3,13 @@
# sw XX, XX($sp) # sw XX, XX($sp)
# 27 BD FF XX # 27 BD FF XX
# AF BX XX XX # AF BX XX XX
0 string \xFF\xBD\x27 MIPSEL instructions, function prologue{offset-adjust:-1} 1 string \xFF\xBD\x27 MIPSEL instructions, function prologue
>6 byte !0xAF (invalid) >6 byte !0xAF {invalid}
>5 byte&0xE0 !0xA0 (invalid) >5 byte&0xE0 !0xA0 {invalid}
0 string \x27\xBD\xFF MIPS instructions, function prologue 0 string \x27\xBD\xFF MIPS instructions, function prologue
>4 byte !0xAF (invalid) >4 byte !0xAF {invalid}
>5 byte&0xE0 !0xA0 (invalid) >5 byte&0xE0 !0xA0 {invalid}
# MIPS epilogue # MIPS epilogue
# jr $ra # jr $ra
...@@ -18,14 +18,14 @@ ...@@ -18,14 +18,14 @@
# addiu $sp, XX # addiu $sp, XX
# jr $ra # jr $ra
0 belong 0x03e00008 MIPS instructions, function epilogue 0 belong 0x03e00008 MIPS instructions, function epilogue
>4 beshort !0x27BD (invalid) >4 beshort !0x27BD {invalid}
0 beshort 0x27BD MIPS instructions, function epilogue 0 beshort 0x27BD MIPS instructions, function epilogue
>2 belong !0x03e00008 (invalid) >2 belong !0x03e00008 {invalid}
0 lelong 0x03e00008 MIPSEL instructions, function epilogue 0 lelong 0x03e00008 MIPSEL instructions, function epilogue
>6 leshort !0x27BD (invalid) >6 leshort !0x27BD {invalid}
0 leshort 0x27BD MIPS instructions, function epilogue 0 leshort 0x27BD MIPS instructions, function epilogue
>2 lelong !0x03e00008 (invalid) >2 lelong !0x03e00008 {invalid}
# MIPS16e # MIPS16e
# nop (x4) # nop (x4)
...@@ -36,17 +36,17 @@ ...@@ -36,17 +36,17 @@
# save a0-a1, XX # save a0-a1, XX
# addiu XX, XX # addiu XX, XX
0 string \xf0\x08\x64 MIPS16e instructions, function prologue 0 string \xf0\x08\x64 MIPS16e instructions, function prologue
>4 byte !0x01 (invalid) >4 byte !0x01 {invalid}
# move $sp, $s1 # move $sp, $s1
# restore XX, XX, XX # restore XX, XX, XX
# jrc $ra # jrc $ra
0 beshort 0x65B9 MIPS16e instructions, function epilogue 0 beshort 0x65B9 MIPS16e instructions, function epilogue
>3 byte !0x64 (invalid) >3 byte !0x64 {invalid}
>4 beshort !0xE8A0 (invalid) >4 beshort !0xE8A0 {invalid}
0 leshort 0x65B9 MIPSEL16e instructions, function epilogue 0 leshort 0x65B9 MIPSEL16e instructions, function epilogue
>3 byte !0x64 (invalid) >3 byte !0x64 {invalid}
>4 leshort !0xE8A0 (invalid) >4 leshort !0xE8A0 {invalid}
# jrc $ra # jrc $ra
# nop # nop
...@@ -68,19 +68,19 @@ ...@@ -68,19 +68,19 @@
# STMFD SP!, {XX} # STMFD SP!, {XX}
# <any instruction whose opcode begins with 0xE> # <any instruction whose opcode begins with 0xE>
0 beshort 0xE92D ARMEB instructions, function prologue 0 beshort 0xE92D ARMEB instructions, function prologue
>4 byte&0xF0 !0xE0 (invalid) >4 byte&0xF0 !0xE0 {invalid}
>8 byte&0xF0 !0xE0 (invalid) >8 byte&0xF0 !0xE0 {invalid}
0 leshort 0xE92D ARM instructions, function prologue{offset-adjust:-2} 0 leshort 0xE92D ARM instructions, function prologue{adjust:-2}
>5 byte&0xF0 !0xE0 (invalid) >5 byte&0xF0 !0xE0 {invalid}
>9 byte&0xF0 !0xE0 (invalid) >9 byte&0xF0 !0xE0 {invalid}
# ARM epilogue # ARM epilogue
# MOV R0, XX # MOV R0, XX
# LDMFD SP!, {XX} # LDMFD SP!, {XX}
0 beshort 0xE1A0 ARMEB instructions, function epilogue 0 beshort 0xE1A0 ARMEB instructions, function epilogue
>4 beshort !0xE8BD (invalid) >4 beshort !0xE8BD {invalid}
0 leshort 0xE1A0 ARM instructions, function epilogue{offset-adjust:-2} 0 leshort 0xE1A0 ARM instructions, function epilogue{adjust:-2}
>4 leshort !0xE8BD (invalid) >4 leshort !0xE8BD {invalid}
# Ubicom32 prologue # Ubicom32 prologue
...@@ -120,5 +120,5 @@ ...@@ -120,5 +120,5 @@
# push esi # push esi
0 string \x55\x89\xE5\x83\xEC Intel x86 instructions, function prologue 0 string \x55\x89\xE5\x83\xEC Intel x86 instructions, function prologue
0 string \x55\x89\xE5\x57\x56 Intel x86 instructions, function prologue 0 string \x55\x89\xE5\x57\x56 Intel x86 instructions, function prologue
0 string \x90\x90\x90\x90\x90\x90\x90\x90 Intel x86 instructions, nops{jump-to-offset:8} 0 string \x90\x90\x90\x90\x90\x90\x90\x90 Intel x86 instructions, nops{jump:8}
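Review bot: In the first hunk the MIPSEL prologue signature moves from `0 string \xFF\xBD\x27 ...{offset-adjust:-1}` to `1 string \xFF\xBD\x27 ...` while its sub-lines keep `>6 byte !0xAF` and `>5 byte&0xE0 !0xA0`, whereas the ARM prologue and epilogue entries in the later hunks stay at offset 0 and carry an `{adjust:-2}` tag instead. If the parser reads sub-line offsets relative to the signature's reported offset (match position minus the signature offset, as scan() computes it) rather than the raw match position, these two checks now inspect the byte one position earlier than before; worth confirming against a known MIPSEL prologue sample. A comment on that line explaining why this entry uses a leading offset while the ARM entries use `{adjust:-2}` would help the next editor keep the two conventions straight.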
0 belong x Hex: 0x%.8X
#0 string x String: %s
#0 lequad x Little Endian Quad: %lld
#0 bequad x Big Endian Quad: %lld
0 lelong x Little Endian Long: %d
0 belong x Big Endian Long: %d
0 leshort x Little Endian Short: %d
0 beshort x Big Endian Short: %d
0 ledate x Little Endian Date: %s
0 bedate x Big Endian Date: %s
...@@ -7,7 +7,7 @@ ...@@ -7,7 +7,7 @@
# U-Boot boot loader # U-Boot boot loader
0 string U-Boot\x20 U-Boot version string, 0 string U-Boot\x20 U-Boot version string,
>7 byte <48 {invalid}, >7 byte <48 {invalid}
>7 byte >57 {invalid}, >7 byte >57 {invalid}
>8 byte !0x2E {invalid}, >8 byte !0x2E {invalid}
>0 string x "%s" >0 string x "%s"
#------------------Compression Formats-----------------------------
# AFX compressed files (Wolfram Kleff)
2 string -afx- AFX compressed file data
# bzip2
0 string BZh91AY&SY bzip2 compressed data, block size = 900k
0 string BZh81AY&SY bzip2 compressed data, block size = 800k
0 string BZh71AY&SY bzip2 compressed data, block size = 700k
0 string BZh61AY&SY bzip2 compressed data, block size = 600k
0 string BZh51AY&SY bzip2 compressed data, block size = 500k
0 string BZh41AY&SY bzip2 compressed data, block size = 400k
0 string BZh31AY&SY bzip2 compressed data, block size = 300k
0 string BZh21AY&SY bzip2 compressed data, block size = 200k
0 string BZh11AY&SY bzip2 compressed data, block size = 100k
# lzop from <markus.oberhumer@jk.uni-linz.ac.at>
0 string \x89\x4c\x5a\x4f\x00\x0d\x0a\x1a\x0a lzop compressed data,
>9 beshort >0x093F {invalid}
>9 beshort <0x0940
>>9 byte&0xf0 =0x00 - version 0.
>>9 beshort&0x0fff x \b%03x,
>>9 beshort&0x0fff <1 {invalid}
>>13 byte 1 LZO1X-1,
>>13 byte 2 LZO1X-1(15),
>>13 byte 3 LZO1X-999,
>>14 byte =0x00 os: MS-DOS
>>14 byte =0x01 os: Amiga
>>14 byte =0x02 os: VMS
>>14 byte =0x03 os: Unix
>>14 byte =0x05 os: Atari
>>14 byte =0x06 os: OS/2
>>14 byte =0x07 os: MacOS
>>14 byte =0x0A os: Tops/20
>>14 byte =0x0B os: WinNT
>>14 byte =0x0E os: Win32
>9 beshort >0x0939
>>9 byte&0xf0 =0x00 - version 0.
>>9 byte&0xf0 =0x10 - version 1.
>>9 byte&0xf0 =0x20 - version 2.
>>9 beshort&0x0fff x \b%03x,
>>15 byte 1 LZO1X-1,
>>15 byte 2 LZO1X-1(15),
>>15 byte 3 LZO1X-999,
>>17 byte =0x00 os: MS-DOS
>>17 byte =0x01 os: Amiga
>>17 byte =0x02 os: VMS
>>17 byte =0x03 os: Unix
>>17 byte =0x05 os: Atari
>>17 byte =0x06 os: OS/2
>>17 byte =0x07 os: MacOS
>>17 byte =0x0A os: Tops/20
>>17 byte =0x0B os: WinNT
>>17 byte =0x0E os: Win32
# lzip
0 string LZIP lzip compressed data,
>4 ubyte 0 {invalid}
# Current version is still 1.x
>4 ubyte >4 {invalid}
>4 byte x version: %d
# lrzip
0 string LRZI lrzip compressed data
# LZO
0 string \211LZO\000\015\012\032\012 LZO compressed data
# 7-zip archiver, from Thomas Klausner (wiz@danbala.tuwien.ac.at)
# http://www.7-zip.org or DOC/7zFormat.txt
#
0 string 7z\274\257\047\034 7-zip archive data,
>6 byte <0 {invalid}
>6 byte 0
>>7 byte 0 {invalid}
>6 byte >20 {invalid}
>6 byte x version %d
>7 byte x \b.%d
# standard unix compress
# Disabled until a python alternative can be foudn for the compress binwalk plugin.
#0 string \x1f\x9d\x90 compress'd data, 16 bits
# http://tukaani.org/xz/xz-file-format.txt
0 string \xFD\x37\x7a\x58\x5a\x00 xz compressed data
# gzip (GNU zip, not to be confused with Info-ZIP or PKWARE zip archiver)
# Edited by Chris Chittleborough <cchittleborough@yahoo.com.au>, March 2002
# * Original filename is only at offset 10 if "extra field" absent
# * Produce shorter output - notably, only report compression methods
# other than 8 ("deflate", the only method defined in RFC 1952).
#0 string \037\213\x08 gzip compressed data
0 string \x1f\x8b\x08 gzip compressed data
>3 byte &0x01 \b, ASCII
>3 byte&0xE0 !0x00 \b, {invalid} reserved flag bits
>8 byte 2 \b, maximum compression
>8 byte 4 \b, fastest compression
>8 byte 1 \b, {invalid} extra flags
>8 byte 3 \b, {invalid} extra flags
>8 byte >4 \b, {invalid} extra flags
>3 byte &0x02 \b, has header CRC
>3 byte&0x04 0x04
>>10 leshort x \b, has %d bytes of extra data
>3 byte&0xC =0x08 \b, has original file name
>>10 string x \b{file-name:%s}
>>10 string x \b: "%s"
>3 byte &0x10 \b, has comment
>>3 byte&0xC 0
>>>10 string x \b: "%s"
>9 byte =0x00 \b, from FAT filesystem (MS-DOS, OS/2, NT)
>9 byte =0x01 \b, from Amiga
>9 byte =0x02 \b, from VMS
>9 byte =0x03 \b, from Unix
>9 byte =0x04 \b, from VM/CMS
>9 byte =0x05 \b, from Atari
>9 byte =0x06 \b, from HPFS filesystem (OS/2, NT)
>9 byte =0x07 \b, from MacOS
>9 byte =0x08 \b, from Z-System
>9 byte =0x09 \b, from CP/M
>9 byte =0x0A \b, from TOPS/20
>9 byte =0x0B \b, from NTFS filesystem (NT)
>9 byte =0x0C \b, from QDOS
>9 byte =0x0D \b, from Acorn RISCOS
>3 byte &0x20 \b, encrypted{invalid}
# Dates before 1992 are {invalid}, unless of course you're DD-WRT in which
# case you don't know how to set a date in your gzip files. Brilliant.
>4 lelong =0 \b, NULL date:
>4 lelong <0 {invalid}
>4 lelong >0
>>4 lelong <694224000 {invalid}
>>4 lelong =694224000 {invalid}
>>4 lelong >694224000 \b, last modified:
>>>4 ledate x %s
>>>4 lelong x {epoch:%d}
# Supplementary magic data for the file(1) command to support
# rzip(1). The format is described in magic(5).
#
# Copyright (C) 2003 by Andrew Tridgell. You may do whatever you want with
# this file.
#
0 string RZIP rzip compressed data
>4 byte x - version %d
>5 byte x \b.%d
>6 belong x (%d bytes)
# JAR
0 belong 0xcafed00d JAR compressed with pack200,
>5 byte x version %d.
>4 byte x \b%d
# New LZMA format signature
# See lzma file for LZMA signatures
0 string \xFFLZMA\x00 LZMA compressed data (new),
>6 byte&0x10 0 single-block stream
>6 byte&0x10 0x10 multi-block stream
0 string \xff\x06\x00\x00\x73\x4e\x61\x50\x70\x59 Snappy compression, stream identifier
#0 beshort 0x7801 Zlib header, no compression
0 beshort 0x789c Zlib compressed data, default compression
0 beshort 0x78da Zlib compressed data, best compression
0 beshort 0x785e Zlib compressed data, compressed
...@@ -94,8 +94,7 @@ class Signature(Module): ...@@ -94,8 +94,7 @@ class Signature(Module):
# Use the system default magic file if no other was specified, or if -B was explicitly specified # Use the system default magic file if no other was specified, or if -B was explicitly specified
if (not self.magic_files) or (self.explicit_signature_scan and not self.cast_data_types): if (not self.magic_files) or (self.explicit_signature_scan and not self.cast_data_types):
self.magic_files.append(self.config.settings.user.binwalk) self.magic_files += self.config.settings.magic_signature_files()
self.magic_files.append(self.config.settings.system.binwalk)
# Initialize libmagic # Initialize libmagic
self.magic = binwalk.core.magic.Magic(include=self.include_filters, self.magic = binwalk.core.magic.Magic(include=self.include_filters,
...@@ -147,6 +146,8 @@ class Signature(Module): ...@@ -147,6 +146,8 @@ class Signature(Module):
if r.offset < current_block_offset: if r.offset < current_block_offset:
continue continue
relative_offset = r.offset
# Set the absolute offset inside the target file # Set the absolute offset inside the target file
# TODO: Don't need the offset adjust stuff anymore, get rid of it # TODO: Don't need the offset adjust stuff anymore, get rid of it
r.offset = block_start + r.offset + r.adjust r.offset = block_start + r.offset + r.adjust
...@@ -164,7 +165,7 @@ class Signature(Module): ...@@ -164,7 +165,7 @@ class Signature(Module):
# Is this a valid result and did it specify a jump-to-offset keyword, and are we doing a "smart" scan? # Is this a valid result and did it specify a jump-to-offset keyword, and are we doing a "smart" scan?
if r.valid and r.jump > 0 and not self.dumb_scan: if r.valid and r.jump > 0 and not self.dumb_scan:
absolute_jump_offset = r.offset + r.jump absolute_jump_offset = r.offset + r.jump
current_block_offset = candidate_offset + r.jump current_block_offset = relative_offset + r.jump
# If the jump-to-offset is beyond the confines of the current block, seek the file to # If the jump-to-offset is beyond the confines of the current block, seek the file to
# that offset and quit processing this block of data. # that offset and quit processing this block of data.
......
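Review bot: `relative_offset` is captured in the second hunk before `r.adjust` is folded into `r.offset`, while `absolute_jump_offset` in the third hunk is computed from the adjusted offset, so for a signature carrying a non-zero adjust (the `{offset-adjust:...}` keyword) the in-block skip and the file-level seek target differ by `r.adjust`. If the adjust is meant to apply, `relative_offset = r.offset + r.adjust` keeps the two consistent; if the TODO on the following line is right that adjust is obsolete, a comment stating that `relative_offset` deliberately ignores it would save the next reader the same question. Note also that `r.jump` comes from the scanned data and `r.jump > 0` is the only bound on it; checking it against the block or file length before seeking would make a crafted size field skip nothing more than what the scan reports. The enclosing loop and function start before the first hunk and continue after the last.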
# ----------------------------Archive Formats--------------------------------------
# POSIX tar archives
0 string ustar\000 POSIX tar archive{offset-adjust:-257}
>8 byte !0
>>8 string x \b, owner user name: "%.32s"
>40 byte !0
>>40 string x \b, owner group name: "%.32s"
0 string ustar\040\040\000 POSIX tar archive (GNU){offset-adjust:-257}
>8 byte !0
>>8 string x \b, owner user name: "%.32s"
>40 byte !0
>>40 string x \b, owner group name: "%.32s"
# Incremental snapshot gnu-tar format from:
# http://www.gnu.org/software/tar/manual/html_node/Snapshot-Files.html
0 string GNU\x20tar- GNU tar incremental snapshot data,
>0 string x version: "%s"
# JAR archiver (.j), this is the successor to ARJ, not Java's JAR (which is essentially ZIP)
0 string \x1aJar\x1b JAR (ARJ Software, Inc.) archive data{offset-adjust:-14}
0 string JARCS JAR (ARJ Software, Inc.) archive data
# PKZIP multi-volume archive
0 string PK\x07\x08PK\x03\x04 Zip multi-volume archive data, at least PKZIP v2.50 to extract
# ZIP compression (Greg Roelofs, c/o zip-bugs@wkuvx1.wku.edu)
0 string PK\003\004 Zip
>6 leshort &0x01 encrypted
>0 byte x archive data,
>4 byte 0x00 v0.0
>4 byte 0x09 at least v0.9 to extract,
>4 byte 0x0a at least v1.0 to extract,
>4 byte 0x0b at least v1.1 to extract,
>0x161 string WINZIP WinZIP self-extracting,
>4 byte 0x14
>>30 ubelong !0x6d696d65 at least v2.0 to extract,
>18 lelong !0
>>18 lelong <0 {invalid}
>>18 lelong x compressed size: %d,
>>18 lelong x {jump-to-offset:%d}
>22 lelong !0
>>22 lelong <0 {invalid}
>>22 lelong x uncompressed size: %d,{extract-delay:End of Zip archive}
>30 byte <0x2D {invalid} file name,
>30 byte >0x7A {invalid} file name,
>30 string x name: {raw-replace}
>26 leshort x {raw-string-length:%d}
>30 string x {raw-string:%s
>61 string x \b%s
>92 string x \b%s
>123 string x \b%s
>154 string x \b%s}
# ZIP footer
0 string PK\x05\x06 End of Zip archive
#>10 leshort x number of records: %d,
#>12 leshort x size of central directory: %d
#>20 leshort x {offset-adjust:22+%d}
>20 leshort >0
>>20 leshort x \b, comment: {raw-replace}
>>20 leshort x {raw-string-length:%d}
>>22 string x {raw-string:%s}
# ARJ archiver (jason@jarthur.Claremont.EDU)
0 leshort 0xea60 ARJ archive data,
>2 leshort x header size: %d,
>5 byte <1 {invalid}
>5 byte >16 {invalid}
>5 byte x version %d,
>6 byte <1 {invalid}
>6 byte >16 {invalid}
>6 byte x minimum version to extract: %d,
>8 byte <0 {invalid} flags,
>8 byte &0x04 multi-volume,
>8 byte &0x10 slash-switched,
>8 byte &0x20 backup,
>9 byte <0 {invalid} compression method,
>9 byte >4 {invalid} compression method,
>9 byte 0 compression method: stored,
>9 byte 1 compression method: compressed most,
>9 byte 2 compression method: compressed,
>9 byte 3 compression method: compressed faster,
>9 byte 4 compression method: compressed fastest,
>10 byte <0 {invalid} file type
>10 byte >4 {invalid} file type
>10 byte 0 file type: binary,
>10 byte 1 file type: 7-bit text,
>10 byte 2 file type: comment header,
>10 byte 3 file type: directory,
>10 byte 4 file type: volume label,
>34 byte !0
>>34 string x {file-name:%s}
>>34 string x original name: "%s",
>0xC ledate x original file date: %s,
>0x10 lelong <0 {invalid}
>0x10 lelong x compressed file size: %d,
>0x14 lelong <0 {invalid}
>0x14 lelong x uncompressed file size: %d,
>7 byte 0 os: MS-DOS
>7 byte 1 os: PRIMOS
>7 byte 2 os: Unix
>7 byte 3 os: Amiga
>7 byte 4 os: Macintosh
>7 byte 5 os: OS/2
>7 byte 6 os: Apple ][ GS
>7 byte 7 os: Atari ST
>7 byte 8 os: NeXT
>7 byte 9 os: VAX/VMS
>7 byte >9 {invalid} os
>7 byte <0 {invalid} os
# RAR archiver (http://kthoom.googlecode.com/hg/docs/unrar.html)
0 string \x52\x61\x72\x21\x1A\x07\x00 RAR archive data, first volume type:
>9 ubyte <0x72 {invalid}
>9 ubyte >0x7B {invalid}
>9 ubyte 0x72 MARK_HEAD
>9 ubyte 0x73 MAIN_HEAD
>9 ubyte 0x74 FILE_HEAD
>9 ubyte 0x75 COMM_HEAD
>9 ubyte 0x76 AV_HEAD
>9 ubyte 0x77 SUB_HEAD
>9 ubyte 0x78 PROTECT_HEAD
>9 ubyte 0x79 SIGN_HEAD
>9 ubyte 0x7A NEWSUB_HEAD
>9 ubyte 0x7B ENDARC_HEAD
# HPACK archiver (Peter Gutmann, pgut1@cs.aukuni.ac.nz)
0 string HPAK HPACK archive data
# JAM Archive volume format, by Dmitry.Kohmanyuk@UA.net
0 string \351,\001JAM JAM archive
# LHARC/LHA archiver (Greg Roelofs, newt@uchicago.edu)
0 string -lzs- LHa 2.x? archive data [lzs] [NSRL|LHA2]{offset-adjust:-2}
0 string -lh\40- LHa 2.x? archive data [lh ] [NSRL|LHA2]{offset-adjust:-2}
0 string -lhd- LHa 2.x? archive data [lhd] [NSRL|LHA2]{offset-adjust:-2}
0 string -lh2- LHa 2.x? archive data [lh2] [NSRL|LHA2]{offset-adjust:-2}
0 string -lh3- LHa 2.x? archive data [lh3] [NSRL|LHA2]{offset-adjust:-2}
0 string -lh4- LHa (2.x) archive data [lh4] [NSRL|LHA2]{offset-adjust:-2}
0 string -lh5- LHa (2.x) archive data [lh5] [NSRL|LHA2]{offset-adjust:-2}
0 string -lh6- LHa (2.x) archive data [lh6] [NSRL|LHA2]{offset-adjust:-2}
0 string -lh7- LHa (2.x) archive data [lh7] [NSRL|LHA2]{offset-adjust:-2}
# cpio archives
#
# The SVR4 "cpio(4)" hints that there are additional formats, but they
# are defined as "short"s; I think all the new formats are
# character-header formats and thus are strings, not numbers.
#0 string 070707 ASCII cpio archive (pre-SVR4 or odc)
# WARNING: The jump-to-offset value in the ASCII cpio signatures below is a terrible hack.
# This keyword is not intended to be passed a string (%s), and doing so can open
# up the possibility of keyword injection by a malicious file. This works here though, because:
#
# 1) It would result in an {invalid} CPIO file ({invalid} size)
# 2) All valid keywords require more than 8 bytes, so a valid one can't be
# injected in the %.8s field.
0 string 070701 ASCII cpio archive (SVR4 with no CRC),
>110 byte 0 {invalid}
#>110 byte !0x2F
#>>110 string !TRAILER!!! {invalid}
>94 byte <0x30 {invalid}
>94 byte >0x66 {invalid}
>54 byte <0x30 {invalid}
>54 byte >0x66 {invalid}
>110 string x file name: "%s",
>94 string x file name length: "0x%.8s",
>54 string x file size: "0x%.8s"
>54 string x {jump-to-offset:0x%.8s+110+
>94 string x \b0x%.8s}
0 string 070702 ASCII cpio archive (SVR4 with CRC)
>110 byte 0 {invalid}
#>110 byte !0x2F
#>>110 string !TRAILER!!! {invalid}
>94 byte <0x30 {invalid}
>94 byte >0x66 {invalid}
>54 byte <0x30 {invalid}
>54 byte >0x66 {invalid}
>110 string x file name: "%s",
>94 string x file name length: "0x%.8s",
>54 string x file size: "0x%.8s"
>54 string x {jump-to-offset:0x%.8s+110+
>94 string x \b0x%.8s}
# HP Printer Job Language
# The header found on Win95 HP plot files is the "Silliest Thing possible"
# (TM)
# Every driver puts the language at some random position, with random case
# (LANGUAGE and Language)
# For example the LaserJet 5L driver puts the "PJL ENTER LANGUAGE" in line 10
# From: Uwe Bonnes <bon@elektron.ikp.physik.th-darmstadt.de>
#
0 string \033%-12345X@PJL HP Printer Job Language data, "
>0 string >\0 %s
>>128 string >\0 %s
>>>256 string >\0 %s
>0 byte x "
#------------------------------------------------------------------------------
#
# RPM: file(1) magic for Red Hat Packages Erik Troan (ewt@redhat.com)
#
0 belong 0xedabeedb RPM
>4 byte x v%d
>6 beshort 0 bin
>6 beshort 1 src
>8 beshort 1 i386
>8 beshort 2 Alpha
>8 beshort 3 Sparc
>8 beshort 4 MIPS
>8 beshort 5 PowerPC
>8 beshort 6 68000
>8 beshort 7 SGI
>8 beshort 8 RS6000
>8 beshort 9 IA64
>8 beshort 10 Sparc64
>8 beshort 11 MIPSel
>8 beshort 12 ARM
>10 string x "%s"
# IBM AIX Backup File Format header and entry signatures
0 lelong 0xea6b0009 BFF volume header,
>4 leshort x checksum: 0x%.4X,
>6 leshort <0 {invalid}
>6 leshort 0 {invalid}
>6 leshort x volume number: %d,
>8 ledate x current date: %s,
>12 ledate x starting date: %s,
>20 string x disk name: "%s",
>36 string x file system name: "%s",
>52 string x user name: "%s"
0 leshort 0xea6b BFF volume entry,{offset-adjust:-2}
>22 lelong <0 {invalid}
>22 lelong 0 directory,
>22 lelong >0
>>22 lelong x file size: %d,
>>54 lelong <0 {invalid}
>>54 lelong 0 {invalid}
>>54 lelong x compressed size: %d,
>58 lelong !0 {invalid}
>62 byte 0 {invalid}
>62 byte !0x2e
>>62 byte !0x2f {invalid}
>62 string x file name: "%s
>92 string x \b%s"
0 leshort 0xea6c BFF volume entry, compressed,{offset-adjust:-2}
>22 lelong <0 {invalid}
>22 lelong 0 directory,
>22 lelong >0
>>22 lelong x file size: %d,
>>54 lelong <0 {invalid}
>>54 lelong 0 {invalid}
>>54 lelong x compressed size: %d,
>58 lelong !0 {invalid}
>62 byte 0 {invalid}
>62 byte !0x2e
>>62 byte !0x2f {invalid}
>62 string x file name: "%s
>92 string x \b%s"
0 leshort 0xea6d BFF volume entry, AIXv3,{offset-adjust:-2}
>22 lelong <0 {invalid}
>22 lelong 0 directory,
>22 lelong >0
>>22 lelong x file size: %d,
>>54 lelong <0 {invalid}
>>54 lelong 0 {invalid}
>>54 lelong x compressed size: %d,
>58 lelong !0 {invalid}
>62 byte 0 {invalid}
>62 byte !0x2e
>>62 byte !0x2f {invalid}
>62 string x file name: "%s
>92 string x \b%s"
#------------------------------------------------------------------------------
# From Stuart Caie <kyzer@4u.net> (developer of cabextract)
# Microsoft Cabinet files
0 string MSCF\0\0\0\0 Microsoft Cabinet archive data
# According to libmagic comments, CAB version number is always 1.3
>25 byte !1 \b,{invalid} major version
>24 byte !3 \b,{invalid} minor version
>8 lelong x \b, %u bytes
>28 leshort 0 \b, 0 files ({invalid})
>28 leshort 1 \b, 1 file
>28 leshort >1 \b, %u files
# InstallShield Cabinet files
0 string ISc( InstallShield Cabinet archive data
# TODO: Version number checks should be made more specific for false positive filtering
>5 byte&0xf0 =0x60 version 6,
>5 byte&0xf0 <0x60 version 4/5,
>5 byte&0xf0 >0x60 {invalid} version,
>12 lelong <0 {invalid} offset,
>12 lelong >100000 {invalid} offset,
>(12.l+40) lelong x %u files
# Windows CE package files
0 string MSCE\0\0\0\0 Microsoft WinCE install header
>20 lelong 0 \b, architecture-independent
>20 lelong 103 \b, Hitachi SH3
>20 lelong 104 \b, Hitachi SH4
>20 lelong 0xA11 \b, StrongARM
>20 lelong 4000 \b, MIPS R4000
>20 lelong 10003 \b, Hitachi SH3
>20 lelong 10004 \b, Hitachi SH3E
>20 lelong 10005 \b, Hitachi SH4
>20 lelong 70001 \b, ARM 7TDMI
>52 leshort 1 \b, 1 file
>52 leshort >1 \b, %u files
>56 leshort 1 \b, 1 registry entry
>56 leshort >1 \b, %u registry entries
0 string \0\ \ \ \ \ \ \ \ \ \ \ \0\0 LBR archive data
# Parity archive reconstruction file, the 'par' file format now used on Usenet.
0 string PAR\0 PARity archive data
>48 leshort =0 - Index file
>48 leshort >0 - file number %d
# Felix von Leitner <felix-file@fefe.de>
0 string d8:announce BitTorrent file
# BSA archives, based on http://forum.step-project.com/topic/5033-ramifications-of-bsa-extraction-in-mod-organizer/page-16
0 string BSA\x00\x67 BSA archive, version: 103,
>8 byte !0x24 {invalid}
>8 byte 0x24 folder records offset: %d
0 string BSA\x00\x68 BSA archive, version: 104,
>8 byte !0x24 {invalid}
>8 byte 0x24 folder records offset: %d
#------------------Compression Formats-----------------------------
# AFX compressed files (Wolfram Kleff)
0 string -afx- AFX compressed file data{offset-adjust:-2}
# bzip2
0 string BZh91AY&SY bzip2 compressed data, block size = 900k
0 string BZh81AY&SY bzip2 compressed data, block size = 800k
0 string BZh71AY&SY bzip2 compressed data, block size = 700k
0 string BZh61AY&SY bzip2 compressed data, block size = 600k
0 string BZh51AY&SY bzip2 compressed data, block size = 500k
0 string BZh41AY&SY bzip2 compressed data, block size = 400k
0 string BZh31AY&SY bzip2 compressed data, block size = 300k
0 string BZh21AY&SY bzip2 compressed data, block size = 200k
0 string BZh11AY&SY bzip2 compressed data, block size = 100k
# lzop from <markus.oberhumer@jk.uni-linz.ac.at>
0 string \x89\x4c\x5a\x4f\x00\x0d\x0a\x1a\x0a lzop compressed data
>9 beshort >0x093F {invalid}
>9 beshort <0x0940
>>9 byte&0xf0 =0x00 - version 0.
>>9 beshort&0x0fff x \b%03x,
>>9 beshort&0x0fff <1 {invalid},
>>13 byte 1 LZO1X-1,
>>13 byte 2 LZO1X-1(15),
>>13 byte 3 LZO1X-999,
## >>22 bedate >0 last modified: %s,
>>14 byte =0x00 os: MS-DOS
>>14 byte =0x01 os: Amiga
>>14 byte =0x02 os: VMS
>>14 byte =0x03 os: Unix
>>14 byte =0x05 os: Atari
>>14 byte =0x06 os: OS/2
>>14 byte =0x07 os: MacOS
>>14 byte =0x0A os: Tops/20
>>14 byte =0x0B os: WinNT
>>14 byte =0x0E os: Win32
>9 beshort >0x0939
>>9 byte&0xf0 =0x00 - version 0.
>>9 byte&0xf0 =0x10 - version 1.
>>9 byte&0xf0 =0x20 - version 2.
>>9 beshort&0x0fff x \b%03x,
>>15 byte 1 LZO1X-1,
>>15 byte 2 LZO1X-1(15),
>>15 byte 3 LZO1X-999,
## >>25 bedate >0 last modified: %s,
>>17 byte =0x00 os: MS-DOS
>>17 byte =0x01 os: Amiga
>>17 byte =0x02 os: VMS
>>17 byte =0x03 os: Unix
>>17 byte =0x05 os: Atari
>>17 byte =0x06 os: OS/2
>>17 byte =0x07 os: MacOS
>>17 byte =0x0A os: Tops/20
>>17 byte =0x0B os: WinNT
>>17 byte =0x0E os: Win32
# lzip
0 string LZIP lzip compressed data,
>4 ubyte 0 {invalid}
# Current version is still 1.x
>4 ubyte >4 {invalid}
>4 byte x version: %d
# lrzip
0 string LRZI lrzip compressed data
# LZO
0 string \211LZO\000\015\012\032\012 LZO compressed data
# 7-zip archiver, from Thomas Klausner (wiz@danbala.tuwien.ac.at)
# http://www.7-zip.org or DOC/7zFormat.txt
#
0 string 7z\274\257\047\034 7-zip archive data,
>6 byte <0 {invalid}
>6 byte 0
>>7 byte 0 {invalid}
>6 byte >20 {invalid}
>6 byte x version %d
>7 byte x \b.%d
# standard unix compress
# Disabled until a python alternative can be foudn for the compress binwalk plugin.
#0 string \x1f\x9d\x90 compress'd data, 16 bits
# http://tukaani.org/xz/xz-file-format.txt
0 string \xFD\x37\x7a\x58\x5a\x00 xz compressed data
# gzip (GNU zip, not to be confused with Info-ZIP or PKWARE zip archiver)
# Edited by Chris Chittleborough <cchittleborough@yahoo.com.au>, March 2002
# * Original filename is only at offset 10 if "extra field" absent
# * Produce shorter output - notably, only report compression methods
# other than 8 ("deflate", the only method defined in RFC 1952).
#0 string \037\213\x08 gzip compressed data
0 string \x1f\x8b\x08 gzip compressed data
>3 byte &0x01 \b, ASCII
>3 byte&0xE0 !0x00 \b, {invalid} reserved flag bits
>8 byte 2 \b, maximum compression
>8 byte 4 \b, fastest compression
>8 byte 1 \b, {invalid} extra flags
>8 byte 3 \b, {invalid} extra flags
>8 byte >4 \b, {invalid} extra flags
>3 byte &0x02 \b, has header CRC
>3 byte&0x04 0x04
>>10 leshort x \b, has %d bytes of extra data
>3 byte&0xC =0x08 \b, has original file name
>>10 string x \b{file-name:%s}
>>10 string x \b: "%s"
>3 byte &0x10 \b, has comment
>>3 byte&0xC 0
>>>10 string x \b: "%s"
>9 byte =0x00 \b, from FAT filesystem (MS-DOS, OS/2, NT)
>9 byte =0x01 \b, from Amiga
>9 byte =0x02 \b, from VMS
>9 byte =0x03 \b, from Unix
>9 byte =0x04 \b, from VM/CMS
>9 byte =0x05 \b, from Atari
>9 byte =0x06 \b, from HPFS filesystem (OS/2, NT)
>9 byte =0x07 \b, from MacOS
>9 byte =0x08 \b, from Z-System
>9 byte =0x09 \b, from CP/M
>9 byte =0x0A \b, from TOPS/20
>9 byte =0x0B \b, from NTFS filesystem (NT)
>9 byte =0x0C \b, from QDOS
>9 byte =0x0D \b, from Acorn RISCOS
#>9 byte =0xFF \b, from ZyNOS
#>9 byte >0x0D \b, {invalid}
#>>9 byte x source: 0x%.2X
#>9 byte <0 \b, {invalid}
#>>9 byte x source: 0x%.2X
>3 byte &0x20 \b, encrypted ({invalid})
# Dates before 1992 are {invalid}, unless of course you're DD-WRT in which
# case you don't know how to set a date in your gzip files. Brilliant.
>4 lelong =0 \b, NULL date:
>4 lelong <0 \b, {invalid} date:
>4 lelong >0
>>4 lelong <694224000 \b, {invalid} date:
>>4 lelong =694224000 \b, {invalid} date:
>>4 lelong >694224000 \b, last modified:
>4 ledate x %s
>4 lelong x \b{file-epoch:%d}
# Supplementary magic data for the file(1) command to support
# rzip(1). The format is described in magic(5).
#
# Copyright (C) 2003 by Andrew Tridgell. You may do whatever you want with
# this file.
#
0 string RZIP rzip compressed data
>4 byte x - version %d
>5 byte x \b.%d
>6 belong x (%d bytes)
# JAR
0 belong 0xcafed00d JAR compressed with pack200,
>5 byte x version %d.
>4 byte x \b%d
# New LZMA format signature
# See lzma file for LZMA signatures
0 string \xFFLZMA\x00 LZMA compressed data (new),
>6 byte&0x10 0 single-block stream
>6 byte&0x10 0x10 multi-block stream
0 string \xff\x06\x00\x00\x73\x4e\x61\x50\x70\x59 Snappy compression, stream identifier
#0 beshort 0x7801 Zlib header, no compression
0 beshort 0x789c Zlib compressed data, default compression
0 beshort 0x78da Zlib compressed data, best compression
0 beshort 0x785e Zlib compressed data, compressed
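Review bot: The first-byte range checks guarding the cpio `{jump-to-offset:...}` hack (`>94 byte <0x30`, `>94 byte >0x66`, and the same pair for offset 54) admit 0x3A–0x40 and 0x47–0x60, which are not hex digits, and they test only the first of the eight bytes, so the `%.8s` values spliced into the jump expression are not guaranteed to be numeric. The comment above the signatures explains why a keyword cannot be injected, but it does not cover a non-numeric or malformed expression; whether the new magic module treats that as an invalid result, raises, or silently drops the match decides if this is harmless, and one sentence in that comment stating the expected behaviour (e.g. `# A non-numeric expression must be rejected as {invalid} by the jump-to-offset evaluator`) would record the assumption. The same hack appears in both the 070701 and 070702 entries. If the magic parser supports per-character tests, validating all eight bytes of each field would close the gap.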