« back to all changes in this revision
Viewing changes to doc/magic.man
- browse files at revision 1.1.7
- compare with another revision
- download diff
- download tarball
- view history from revision 1.1.7
- Committer: Bazaar Package Importer
- Author(s): Daniel Baumann
- Date: 2007-06-01 20:29:00 UTC
- mto: This revision was merged to the branch mainline in revision 15.
- Revision ID: james.westby@ubuntu.com-20070601202900-gzjrg1s331z9632p
Tags: upstream-4.21
ImportĀ upstreamĀ versionĀ 4.21
- files modified:
- ChangeLog
added
removed
doc/magic.man
1
.\" $File: magic.man,v 1.36 2007/01/10 22:56:49 christos Exp $
1
.\" $File: magic.man,v 1.38 2007/01/27 00:52:08 ljt Exp $
2
2
.Dd January 10, 2007
3
3
.Dt MAGIC __FSECTION__
4
4
.Os
49
49
A string of bytes.
50
50
The string type specification can be optionally followed
51
51
by /[Bbc]*.
52
The
52
The
53
53
.Dq B
54
54
flag compacts whitespace in the target, which must
55
55
contain at least one whitespace character.
58
58
consecutive blanks, the target needs at least
59
59
.Dv n
60
60
consecutive blanks to match.
61
The
61
The
62
62
.Dq b
63
63
flag treats every blank in the target as an optional blank.
64
64
Finally the
69
69
characters in the target.
70
70
.It Dv pstring
71
71
A pascal style string where the first byte is interpreted as the an
72
unsigned length. The string is not NUL terminated.
72
unsigned length.
73
The string is not NUL terminated.
73
74
.It Dv date
74
75
A four-byte value interpreted as a UNIX date.
75
76
.It Dv qdate
137
138
A regular expression match in extended POSIX regular expression syntax
138
139
(much like egrep).
139
140
The type specification can be optionally followed by /[cse]*.
140
The
141
The
141
142
.Dq c
142
143
flag makes the match case insensitive, while the
143
144
.Dq s
158
159
will match the beginning and end of individual lines, respectively,
159
160
not beginning and end of file.
160
161
.It Dv search
161
A literal string search starting at the given offset. It must be followed by
162
.Dv /<number>
162
A literal string search starting at the given offset.
163
It must be followed by
164
.Dv \*[Lt]number\*[Gt]
163
165
which specifies how many matches shall be attempted (the range).
164
166
This is suitable for searching larger binary expressions with variable
165
167
offsets, using
166
168
.Dv \e
167
169
escapes for special characters.
168
.It Dv default
170
.It Dv default
169
171
This is intended to be used with the text
170
172
.Dv x
171
173
(which is always true) and a message that is to be used if there are
174
176
.El
175
177
.Pp
176
178
The numeric types may optionally be followed by
177
.Dv &
179
.Dv \*[Am]
178
180
and a numeric value,
179
181
to specify that the value is to be AND'ed with the
180
182
numeric value before any comparisons are done.
194
196
It may be
195
197
.Dv = ,
196
198
to specify that the value from the file must equal the specified value,
197
.Dv < ,
199
.Dv \*[Lt] ,
198
200
to specify that the value from the file must be less than the specified
199
201
value,
200
.Dv > ,
202
.Dv \*[Gt] ,
201
203
to specify that the value from the file must be greater than the specified
202
204
value,
203
.Dv & ,
205
.Dv \*[Am] ,
204
206
to specify that the value from the file must have set all of the bits
205
207
that are set in the specified value,
206
208
.Dv ^ ,
215
217
For all tests except
216
218
.Em string
217
219
and
218
.Em regex,
220
.Em regex ,
219
221
operation
220
222
.Dv !
221
223
specifies that the line matches if the test does
234
236
file must match the specified byte string.
235
237
The operators
236
238
.Dv = ,
237
.Dv <
239
.Dv \*[Lt]
238
240
and
239
.Dv >
241
.Dv \*[Gt]
240
242
(but not
241
.Dv & )
243
.Dv \*[Am] )
242
244
can be applied to strings.
243
245
The length used for matching is that of the string argument
244
246
in the magic file.
245
247
This means that a line can match any string, and
246
248
then presumably print that string, by doing
247
.Em >\e0
249
.Em \*[Gt]\e0
248
250
(because all strings are greater than the null string).
249
251
.Pp
250
252
The special test
251
253
.Em x
252
254
always evaluates to true.
253
255
.Dv message
254
The message to be printed if the comparison succeeds. If the string
255
contains a
256
The message to be printed if the comparison succeeds.
257
If the string contains a
256
258
.Xr printf 3
257
259
format specification, the value from the file (with any specified masking
258
260
performed) is printed using the message as the format string.
265
267
along with the file type or need additional tests to determine the true
266
268
file type.
267
269
These additional tests are introduced by one or more
268
.Em >
270
.Em \*[Gt]
269
271
characters preceding the offset.
270
272
The number of
271
.Em >
273
.Em \*[Gt]
272
274
on the line indicates the level of the test; a line with no
273
.Em >
275
.Em \*[Gt]
274
276
at the beginning is considered to be at level 0.
275
277
Tests are arranged in a tree-like hierarchy:
276
278
If a the test on a line at level
283
285
(or less) appears.
284
286
For more complex files, one can use empty messages to get just the
285
287
"if/then" effect, in the following way:
286
.Bd -literal -offset indent
288
.Bd -literal -offset indent
287
289
0 string MZ
288
>0x18 leshort <0x40 MS-DOS executable
289
>0x18 leshort >0x3f extended PC executable (e.g., MS Windows)
290
\*[Gt]0x18 leshort \*[Lt]0x40 MS-DOS executable
291
\*[Gt]0x18 leshort \*[Gt]0x3f extended PC executable (e.g., MS Windows)
290
292
.Ed
291
293
.Pp
292
294
Offsets do not need to be constant, but can also be read from the file
293
295
being examined.
294
296
If the first character following the last
295
.Em >
297
.Em \*[Gt]
296
298
is a
297
299
.Em (
298
300
then the string after the parenthesis is interpreted as an indirect offset.
301
303
The value at that offset is read, and is used again as an offset
302
304
in the file.
303
305
Indirect offsets are of the form:
304
.Em (( x [.[bslBSL]][+\-][ y ]).
306
.Em (( x [.[bslBSL]][+\-][ y ]) .
305
307
The value of
306
308
.Em x
307
is used as an offset in the file. A byte, short or long is read at that offset
308
depending on the
309
is used as an offset in the file.
310
A byte, short or long is read at that offset depending on the
309
311
.Em [bslBSLm]
310
312
type specifier.
311
313
The capitalized types interpret the number as a big endian
320
322
The default type if one is not specified is long.
321
323
.Pp
322
324
That way variable length structures can be examined:
323
.Bd -literal -offset indent
325
.Bd -literal -offset indent
324
326
# MS Windows executables are also valid MS-DOS executables
325
327
0 string MZ
326
>0x18 leshort <0x40 MZ executable (MS-DOS)
328
\*[Gt]0x18 leshort \*[Lt]0x40 MZ executable (MS-DOS)
327
329
# skip the whole block below if it is not an extended executable
328
>0x18 leshort >0x3f
329
>>(0x3c.l) string PE\e0\e0 PE executable (MS-Windows)
330
>>(0x3c.l) string LX\e0\e0 LX executable (OS/2)
330
\*[Gt]0x18 leshort \*[Gt]0x3f
331
\*[Gt]\*[Gt](0x3c.l) string PE\e0\e0 PE executable (MS-Windows)
332
\*[Gt]\*[Gt](0x3c.l) string LX\e0\e0 LX executable (OS/2)
331
333
.Ed
332
334
.Pp
333
335
This strategy of examining has one drawback: You must make sure that
336
338
.Pp
337
339
If this indirect offset cannot be used as-is, there are simple calculations
338
340
possible: appending
339
.Em [+-*/%&|^]<number>
341
.Em [+-*/%\*[Am]|^]\*[Lt]number\*[Gt]
340
342
inside parentheses allows one to modify
341
343
the value read from the file before it is used as an offset:
342
.Bd -literal -offset indent
344
.Bd -literal -offset indent
343
345
# MS Windows executables are also valid MS-DOS executables
344
346
0 string MZ
345
347
# sometimes, the value at 0x18 is less that 0x40 but there's still an
346
348
# extended executable, simply appended to the file
347
>0x18 leshort <0x40
348
>>(4.s*512) leshort 0x014c COFF executable (MS-DOS, DJGPP)
349
>>(4.s*512) leshort !0x014c MZ executable (MS-DOS)
349
\*[Gt]0x18 leshort \*[Lt]0x40
350
\*[Gt]\*[Gt](4.s*512) leshort 0x014c COFF executable (MS-DOS, DJGPP)
351
\*[Gt]\*[Gt](4.s*512) leshort !0x014c MZ executable (MS-DOS)
350
352
.Ed
351
353
.Pp
352
354
Sometimes you do not know the exact offset as this depends on the length or
353
position (when indirection was used before) of preceding fields. You can
354
specify an offset relative to the end of the last up-level field using
355
.Sq &
355
position (when indirection was used before) of preceding fields.
356
You can specify an offset relative to the end of the last up-level
357
field using
358
.Sq \*[Am]
356
359
as a prefix to the offset:
357
.Bd -literal -offset indent
360
.Bd -literal -offset indent
358
361
0 string MZ
359
>0x18 leshort >0x3f
360
>>(0x3c.l) string PE\e0\e0 PE executable (MS-Windows)
362
\*[Gt]0x18 leshort \*[Gt]0x3f
363
\*[Gt]\*[Gt](0x3c.l) string PE\e0\e0 PE executable (MS-Windows)
361
364
# immediately following the PE signature is the CPU type
362
>>>&0 leshort 0x14c for Intel 80386
363
>>>&0 leshort 0x184 for DEC Alpha
365
\*[Gt]\*[Gt]\*[Gt]\*[Am]0 leshort 0x14c for Intel 80386
366
\*[Gt]\*[Gt]\*[Gt]\*[Am]0 leshort 0x184 for DEC Alpha
364
367
.Ed
365
368
.Pp
366
369
Indirect and relative offsets can be combined:
367
.Bd -literal -offset indent
370
.Bd -literal -offset indent
368
371
0 string MZ
369
>0x18 leshort <0x40
370
>>(4.s*512) leshort !0x014c MZ executable (MS-DOS)
372
\*[Gt]0x18 leshort \*[Lt]0x40
373
\*[Gt]\*[Gt](4.s*512) leshort !0x014c MZ executable (MS-DOS)
371
374
# if it's not COFF, go back 512 bytes and add the offset taken
372
375
# from byte 2/3, which is yet another way of finding the start
373
376
# of the extended executable
374
>>>&(2.s-514) string LE LE executable (MS Windows VxD driver)
377
\*[Gt]\*[Gt]\*[Gt]\*[Am](2.s-514) string LE LE executable (MS Windows VxD driver)
375
378
.Ed
376
379
.Pp
377
380
Or the other way around:
378
.Bd -literal -offset indent
381
.Bd -literal -offset indent
379
382
0 string MZ
380
>0x18 leshort >0x3f
381
>>(0x3c.l) string LE\e0\e0 LE executable (MS-Windows)
383
\*[Gt]0x18 leshort \*[Gt]0x3f
384
\*[Gt]\*[Gt](0x3c.l) string LE\e0\e0 LE executable (MS-Windows)
382
385
# at offset 0x80 (-4, since relative offsets start at the end
383
386
# of the up-level match) inside the LE header, we find the absolute
384
387
# offset to the code area, where we look for a specific signature
385
>>>(&0x7c.l+0x26) string UPX \eb, UPX compressed
388
\*[Gt]\*[Gt]\*[Gt](\*[Am]0x7c.l+0x26) string UPX \eb, UPX compressed
386
389
.Ed
387
390
.Pp
388
391
Or even both!
389
.Bd -literal -offset indent
392
.Bd -literal -offset indent
390
393
0 string MZ
391
>0x18 leshort >0x3f
392
>>(0x3c.l) string LE\e0\e0 LE executable (MS-Windows)
394
\*[Gt]0x18 leshort \*[Gt]0x3f
395
\*[Gt]\*[Gt](0x3c.l) string LE\e0\e0 LE executable (MS-Windows)
393
396
# at offset 0x58 inside the LE header, we find the relative offset
394
397
# to a data area where we look for a specific signature
395
>>>&(&0x54.l-3) string UNACE \eb, ACE self-extracting archive
398
\*[Gt]\*[Gt]\*[Gt]\*[Am](\*[Am]0x54.l-3) string UNACE \eb, ACE self-extracting archive
396
399
.Ed
397
400
.Pp
398
401
Finally, if you have to deal with offset/length pairs in your file, even the
399
402
second value in a parenthesized expression can be taken from the file itself,
400
using another set of parentheses. Note that this additional indirect offset
401
is always relative to the start of the main indirect offset.
402
.Bd -literal -offset indent
403
using another set of parentheses.
404
Note that this additional indirect offset is always relative to the
405
start of the main indirect offset.
406
.Bd -literal -offset indent
403
407
0 string MZ
404
>0x18 leshort >0x3f
405
>>(0x3c.l) string PE\e0\e0 PE executable (MS-Windows)
408
\*[Gt]0x18 leshort \*[Gt]0x3f
409
\*[Gt]\*[Gt](0x3c.l) string PE\e0\e0 PE executable (MS-Windows)
406
410
# search for the PE section called ".idata"...
407
>>>&0xf4 search/0x140 .idata
411
\*[Gt]\*[Gt]\*[Gt]\*[Am]0xf4 search/0x140 .idata
408
412
# ...and go to the end of it, calculated from start+length;
409
413
# these are located 14 and 10 bytes after the section name
410
>>>>(&0xe.l+(-4)) string PK\e3\e4 \eb, ZIP self-extracting archive
414
\*[Gt]\*[Gt]\*[Gt]\*[Gt](\*[Am]0xe.l+(-4)) string PK\e3\e4 \eb, ZIP self-extracting archive
411
415
.Ed
416
.Sh SEE ALSO
417
.Xr file __CSECTION__
418
\- the command that reads this file.
412
419
.Sh BUGS
413
420
The formats
414
421
.Dv long ,
430
437
of bytes (2B, 4B, etc),
431
438
since the files being recognized typically come from
432
439
a system on which the lengths are invariant.
433
.Sh SEE ALSO
434
.Xr file __CSECTION__
435
\- the command that reads this file.
436
440
.\"
437
441
.\" From: guy@sun.uucp (Guy Harris)
438
442
.\" Newsgroups: net.bugs.usg
446
450
.\" the changes I posted to the S5R2 version.
447
451
.\"
448
452
.\" Modified for Ian Darwin's version of the file command.
449
.\" @(#)$Id: magic.man,v 1.37 2007/01/12 17:38:27 christos Exp $
453
.\" @(#)$Id: magic.man,v 1.38 2007/01/27 00:52:08 ljt Exp $
Loggerhead is a web-based interface for Breezy
Version: 2.0.1