diff options
Diffstat (limited to 'contrib/file/magic/Magdir/windows')
| -rw-r--r-- | contrib/file/magic/Magdir/windows | 243 |
1 files changed, 3 insertions, 240 deletions
diff --git a/contrib/file/magic/Magdir/windows b/contrib/file/magic/Magdir/windows index faaa7e2..7e0d4d1 100644 --- a/contrib/file/magic/Magdir/windows +++ b/contrib/file/magic/Magdir/windows @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: windows,v 1.14 2015/12/15 01:06:17 christos Exp $ +# $File: windows,v 1.12 2015/08/29 07:10:35 christos Exp $ # windows: file(1) magic for Microsoft Windows # # This file is mainly reserved for files where programs @@ -64,148 +64,10 @@ # Summary: Old format help files -# URL: https://en.wikipedia.org/wiki/WinHelp -# Reference: http://www.oocities.org/mwinterhoff/helpfile.htm -# Update: Joerg Jenderek +# Extension: .hlp # Created by: Dirk Jagdmann <doj@cubic.org> -# -# check and then display version and date inside MS Windows HeLP file fragment -0 name help-ver-date -# look for Magic of SYSTEMHEADER ->0 leshort 0x036C -# version Major 1 for right file fragment ->>4 leshort 1 Windows -# print non empty string above to avoid error message -# Warning: Current entry does not yet have a description for adding a MIME type -!:mime application/winhelp -!:ext hlp -# version Minor of help file format is hint for windows version ->>>2 leshort 0x0F 3.x ->>>2 leshort 0x15 3.0 ->>>2 leshort 0x21 3.1 ->>>2 leshort 0x27 x.y ->>>2 leshort 0x33 95 ->>>2 default x y.z ->>>>2 leshort x 0x%x -# to complete message string like "MS Windows 3.x help file" ->>>2 leshort x help -# GenDate often older than file creation date ->>>6 ldate x \b, %s -# -# Magic for HeLP files -0 lelong 0x00035f3f -# ./windows (version 5.25) labeled the entry as "MS Windows 3.x help file" -# file header magic 0x293B at DirectoryStart+9 ->(4.l+9) uleshort 0x293B MS -# look for @VERSION bmf.. like IBMAVW.ANN ->>0xD4 string =\x62\x6D\x66\x01\x00 Windows help annotation -!:mime application/x-winhelp -!:ext ann ->>0xD4 string !\x62\x6D\x66\x01\x00 -# "GID Help index" by TrID ->>>(4.l+0x65) string =|Pete Windows help Global Index -!:mime application/x-winhelp -!:ext gid -# HeLP Bookmark or -# "Windows HELP File" by TrID ->>>(4.l+0x65) string !|Pete -# maybe there exist a cleaner way to detect HeLP fragments -# brute search for Magic 0x036C with matching Major maximal 7 iterations -# discapp.hlp ->>>>16 search/0x49AF/s \x6c\x03 ->>>>>&0 use help-ver-date ->>>>>&4 leshort !1 -# putty.hlp ->>>>>>&0 search/0x69AF/s \x6c\x03 ->>>>>>>&0 use help-ver-date ->>>>>>>&4 leshort !1 ->>>>>>>>&0 search/0x49AF/s \x6c\x03 ->>>>>>>>>&0 use help-ver-date ->>>>>>>>>&4 leshort !1 ->>>>>>>>>>&0 search/0x49AF/s \x6c\x03 ->>>>>>>>>>>&0 use help-ver-date ->>>>>>>>>>>&4 leshort !1 ->>>>>>>>>>>>&0 search/0x49AF/s \x6c\x03 ->>>>>>>>>>>>>&0 use help-ver-date ->>>>>>>>>>>>>&4 leshort !1 ->>>>>>>>>>>>>>&0 search/0x49AF/s \x6c\x03 ->>>>>>>>>>>>>>>&0 use help-ver-date ->>>>>>>>>>>>>>>&4 leshort !1 ->>>>>>>>>>>>>>>>&0 search/0x49AF/s \x6c\x03 -# GCC.HLP is detected after 7 iterations ->>>>>>>>>>>>>>>>>&0 use help-ver-date -# this only happens if bigger hlp file is detected after used search iterations ->>>>>>>>>>>>>>>>>&4 leshort !1 Windows y.z help -!:mime application/winhelp -!:ext hlp -# repeat search again or following default line does not work ->>>>16 search/0x49AF/s \x6c\x03 -# remaining files should be HeLP Bookmark WinHlp32.BMK (XP 32-bit) or WinHlp32 (Windows 8.1 64-bit) ->>>>16 default x Windows help Bookmark -!:mime application/x-winhelp -!:ext /bmk -## FirstFreeBlock normally FFFFFFFFh 10h for *ANN -##>>8 lelong x \b, FirstFreeBlock 0x%8.8x -# EntireFileSize ->>12 lelong x \b, %d bytes -## ReservedSpace normally 042Fh AFh for *.ANN -#>>(4.l) lelong x \b, ReservedSpace 0x%8.8x -## UsedSpace normally 0426h A6h for *.ANN -#>>(4.l+4) lelong x \b, UsedSpace 0x%8.8x -## FileFlags normally 04... -#>>(4.l+5) lelong x \b, FileFlags 0x%8.8x -## file header magic 0x293B -#>>(4.l+9) uleshort x \b, file header magic 0x%4.4x -## file header Flags 0x0402 -#>>(4.l+11) uleshort x \b, file header Flags 0x%4.4x -## file header PageSize 0400h 80h for *.ANN -#>>(4.l+13) uleshort x \b, PageSize 0x%4.4x -## Structure[16] z4 -#>>(4.l+15) string >\0 \b, Structure_"%-.16s" -## MustBeZero 0 -#>>(4.l+31) uleshort x \b, MustBeZero 0x%4.4x -## PageSplits -#>>(4.l+33) uleshort x \b, PageSplits 0x%4.4x -## RootPage -#>>(4.l+35) uleshort x \b, RootPage 0x%4.4x -## MustBeNegOne 0xffff -#>>(4.l+37) uleshort x \b, MustBeNegOne 0x%4.4x -## TotalPages 1 -#>>(4.l+39) uleshort x \b, TotalPages 0x%4.4x -## NLevels 0x0001 -#>>(4.l+41) uleshort x \b, NLevels 0x%4.4x -## TotalBtreeEntries -#>>(4.l+43) ulelong x \b, TotalBtreeEntries 0x%8.8x -## pages of the B+ tree -#>>(4.l+47) ubequad x \b, PageStart 0x%16.16llx +0 lelong 0x00035f3f MS Windows 3.x help file -# start with colon or semicolon for comment line like Back2Life.cnt -0 regex \^(:|;) -# look for first keyword Base ->0 search/45 :Base ->>&0 use cnt-name -# only solution to search again from beginning , because relative offsets changes when use is called ->0 search/45 :Base ->0 default x -# look for other keyword Title like in putty.cnt ->>0 search/45 :Title ->>>&0 use cnt-name -# -# display mime type and name of Windows help Content source -0 name cnt-name -# skip space at beginning ->0 string \ -# name without extension and greater character or name with hlp extension ->>1 regex/c \^([^\xd>]*|.*\.hlp) MS Windows help file Content, based "%s" -!:mime text/plain -!:apple ????TEXT -!:ext cnt -# -# Windows creates an full text search from hlp file, if the user clicks the "Find" tab and enables keyword indexing -0 string tfMR MS Windows help Full Text Search index -!:mime application/x-winhelp-fts -!:ext fts ->16 string >\0 for "%s" # Summary: Hyper terminal # Extension: .ht @@ -474,102 +336,3 @@ >>>>>4 ulelong&0x00000001 !0x00000001 >>>>>>(84.l) string >\0 InfName "%s" -# Summary: backup file created with utility like NTBACKUP.EXE shipped with Windows NT/2K/XP/2003 -# Extension: .bkf -# Created by: Joerg Jenderek -# URL: http://en.wikipedia.org/wiki/NTBackup -# Reference: http://laytongraphics.com/mtf/MTF_100a.PDF -# Descriptor BloCK name of Microsoft Tape Format -0 string TAPE -# Format Logical Address is zero ->20 ulequad 0 -# Reserved for MBC is zero ->>28 uleshort 0 -# Control Block ID is zero ->>>36 ulelong 0 -# BIT4-BIT15, BIT18-BIT31 of block attributes are unused ->>>>4 ulelong&0xFFfcFFe0 0 Windows NTbackup archive -#!:mime application/x-ntbackup -!:ext bkf -# OS ID ->>>>>10 ubyte 1 \b NetWare ->>>>>10 ubyte 13 \b NetWare SMS ->>>>>10 ubyte 14 \b NT ->>>>>10 ubyte 24 \b 3 ->>>>>10 ubyte 25 \b OS/2 ->>>>>10 ubyte 26 \b 95 ->>>>>10 ubyte 27 \b Macintosh ->>>>>10 ubyte 28 \b UNIX -# OS Version (2) -#>>>>>11 ubyte x OS V=%x -# MTF_CONTINUATION Media Sequence Number > 1 -#>>>>>4 ulelong&0x00000001 !0 \b, continued -# MTF_COMPRESSION ->>>>>4 ulelong&0x00000004 !0 \b, compressed -# MTF_EOS_AT_EOM End Of Medium was hit during end of set processing ->>>>>4 ulelong&0x00000008 !0 \b, End Of Medium hit ->>>>>4 ulelong&0x00020000 0 -# MTF_SET_MAP_EXISTS A Media Based Catalog Set Map may exist on tape ->>>>>>4 ulelong&0x00010000 !0 \b, with catalog -# MTF_FDD_ALLOWED However File/Directory Detail can only exist if a Set Map is also present ->>>>>4 ulelong&0x00020000 !0 \b, with file catalog -# Offset To First Event 238h,240h,28Ch -#>>>>>8 uleshort x \b, event offset %4.4x -# Displayable Size (20e0230h 20e024ch 20e0224h) -#>>>>>8 ulequad x dis. size %16.16llx -# Media Family ID (455288C4h 4570BD1Ah 45708F2Fh 4570BBF5h) -#>>>>>52 ulelong x family ID %8.8x -# TAPE Attributes (3) -#>>>>>56 ulelong x TAPE %8.8x -# Media Sequence Number ->>>>>60 uleshort >1 \b, sequence %u -# Password Encryption Algorithm (3) ->>>>>62 uleshort >0 \b, 0x%x encrypted -# Soft Filemark Block Size * 512 (2) -#>>>>>64 uleshort =2 \b, soft size %u*512 ->>>>>64 uleshort !2 \b, soft size %u*512 -# Media Based Catalog Type (1,2) -#>>>>>66 uleshort x \b, catalog type %4.4x -# size of Media Name (66,68,6Eh) ->>>>>68 uleshort >0 -# offset of Media Name (5Eh) ->>>>>>70 uleshort >0 -# 0~, 1~ANSI, 2~UNICODE ->>>>>>>48 ubyte 1 -# size terminated ansi coded string normally followed by "MTF Media Label" ->>>>>>>>(70.s) string >\0 \b, name: %s ->>>>>>>48 ubyte 2 -# Not null, but size terminated unicoded string ->>>>>>>>(70.s) lestring16 x \b, name: %s -# size of Media Label (104h) ->>>>>72 uleshort >0 -# offset of Media Label (C4h,C6h,CCh) ->>>>>74 uleshort >0 ->>>>>>48 ubyte 1 -#Tag|Version|Vendor|Vendor ID|Creation Time Stamp|Cartridge Label|Side|Media ID|Media Domain ID|Vendor Specific fields ->>>>>>>(74.s) string >\0 \b, label: %s ->>>>>>48 ubyte 2 ->>>>>>>(74.s) lestring16 x \b, label: %s -# size of password name (0,1Ch) -#>>>>>76 uleshort >0 \b, password size %4.4x -# Software Vendor ID (CBEh) ->>>>>86 uleshort x \b, software (0x%x) -# size of Software Name (6Eh) ->>>>>80 uleshort >0 -# offset of Software Name (1C8h,1CAh,1D0h) ->>>>>>82 uleshort >0 -# 1~ANSI, 2~UNICODE ->>>>>>>48 ubyte 1 ->>>>>>>>(82.s) string >\0 \b: %s ->>>>>>>48 ubyte 2 -# size terminated unicoded coded string normally followed by "SPAD" ->>>>>>>>(82.s) lestring16 x \b: %s -# Format Logical Block Size (512,1024) -#>>>>>84 uleshort =1024 \b, block size %u ->>>>>84 uleshort !1024 \b, block size %u -# Media Date of MTF_DATE_TIME type with 5 bytes -#>>>>>>88 ubequad x DATE %16.16llx -# MTF Major Version (1) -#>>>>>>93 ubyte x \b, MFT version %x -# - |
