DESCRIPTION
The file command uses ROOTDIR/etc/magic in its attempt to identify the type of a binary file. Essentially, ROOTDIR/etc/magic contains templates showing what different types of files look like.
The magic file contains lines describing magic numbers which identify particular types of files. Lines beginning with a > or & character represent continuation lines to a preceding main entry:
- >
-
If file finds a match on the main entry line, these additional patterns are checked. Any pattern which matches is used. This may generate additional output; a single blank separates each matching line's output (if any output exists for that line).
- &
-
If file finds a match on the main entry line, and a following continuation line begins with this character, that continuation line's pattern must also match, or neither line is used. Output text associated with any line beginning with the & character is ignored.
Each line consists of four fields, separated by one or more tabs:
- (a)
-
The first field is a byte offset in the file, consisting of an optional offset operator and a value. In continuation lines, the offset immediately follows a continuation character.
If no offset operator is specified, then the offset value indicates an offset from the beginning of the file.
The * offset operator specifies that the value located at the memory location following the operator be used as the offset. Thus, *0x3C indicates that the value contained in 0x3C should be used as the offset.
The + offset operator specifies an incremental offset, based upon the value of the last offset. Thus, +15 indicates that the offset value is 15 bytes from the last specified offset.
- (b)
-
The next field is a type: byte, short, long, string, Ustring (Unicode string). byte, short, and long can be followed by an optional mask which is bitwise ANDed to the value prior to comparison, for example, byte &0x80 looks at the high bit.
- (c)
-
The next field is a value, preceded by an optional operator. Operators only apply to non-string types: byte, short, and long. The default operator is = (exact match). The other operators are:
= equal ! not equal > greater than < less than & all bits in pattern must match ^ any bits in pattern may match x or ? any value matches (must be the only character in the field) (? is an extension to traditional implementations of magic)
string or Ustring values to be matched may contain any valid ANSI C backslash sequence. Thus, to match a single backslash, \\ must be entered in the magic file.
- Note:
-
Due to its format, the magic file must use a \t to match a tab character.
- (d)
-
The rest of the line is a string to be printed if the particular file matches the template. Note that the contents of this field are ignored, if the line begins with the & continuation character. The fourth field may contain a printf-type format indicator to output the magic number (See printf for more details on format indicators).
EXAMPLES
Here are some sample entries:
0 byte 0x80 OMF object file (Microsoft relocatable) 0 short 0x5A4D extended DOS executable (.EXE) >*0x3C short 0x454C -- Windows VxD Linear format >*0x3C short 0x4550 -- Win32 or NT Portable format >+54 byte 2 -- Windows format >0x32 string PKWARE Self extracting Zip >0x24 string LHA's Self extracting LHA >0xE9 string PKSFX2 Self extracting Zip 0 short xFEFF Windows Registry exported text file (.REG) &2 Ustring Windows Registry Editor Version 5.00
AVAILABILITY
MKS Toolkit for Power Users
MKS Toolkit for System Administrators
MKS Toolkit for Developers
MKS Toolkit for Interoperability
MKS Toolkit for Professional Developers
MKS Toolkit for Enterprise Developers
MKS Toolkit for Enterprise Developers 64-Bit Edition
SEE ALSO
- Commands:
- file
- Miscellaneous:
- envvar
MKS Toolkit 9.2 Documentation Build 16.