2 #------------------------------------------------------------------------------
3 # $File: linux,v 1.82 2022/09/07 11:23:44 christos Exp $
4 # linux: file(1) magic for Linux files
6 # Values for Linux/i386 binaries, from Daniel Quinlan <quinlan@yggdrasil.com>
7 # The following basic Linux magic is useful for reference, but using
8 # "long" magic is a better practice in order to avoid collisions.
10 # 2 leshort 100 Linux/i386
11 # >0 leshort 0407 impure executable (OMAGIC)
12 # >0 leshort 0410 pure executable (NMAGIC)
13 # >0 leshort 0413 demand-paged executable (ZMAGIC)
14 # >0 leshort 0314 demand-paged executable (QMAGIC)
# "Long" magic: each level-0 row compares the whole 32-bit little-endian word
# at offset 0, i.e. the 16-bit type code and the machine id 100 (0x64) from
# the commented-out short tests above, in a single comparison.
# Each ">16" row appends ", stripped" when the long at offset 16 is zero.
16 0 lelong 0x00640107 Linux/i386 impure executable (OMAGIC)
17 >16 lelong 0 \b, stripped
18 0 lelong 0x00640108 Linux/i386 pure executable (NMAGIC)
19 >16 lelong 0 \b, stripped
20 0 lelong 0x0064010b Linux/i386 demand-paged executable (ZMAGIC)
21 >16 lelong 0 \b, stripped
22 0 lelong 0x006400cc Linux/i386 demand-paged executable (QMAGIC)
23 >16 lelong 0 \b, stripped
# Byte-string signatures at offset 0 for Linux/i386 object files, Linux-8086
# binaries and Minix-386 executables.
# On the executable rows a non-zero value at offset 28 adds "not stripped";
# the type is plain "long", so it is read in the byte order of the host that
# runs file(1). The test is only zero/non-zero, so byte order does not change
# the result.
25 0 string \007\001\000 Linux/i386 object file
26 >20 lelong >0x1020 \b, DLL library
28 0 string \01\03\020\04 Linux-8086 impure executable
29 >28 long !0 not stripped
30 0 string \01\03\040\04 Linux-8086 executable
31 >28 long !0 not stripped
33 0 string \243\206\001\0 Linux-8086 object file
35 0 string \01\03\020\20 Minix-386 impure executable
36 >28 long !0 not stripped
37 0 string \01\03\040\20 Minix-386 executable
38 >28 long !0 not stripped
39 0 string \01\03\04\20 Minix-386 NSYM/GNU executable
40 >28 long !0 not stripped
41 # core dump file, from Bill Reynolds <bill@goshawk.lanl.gov>
# Identified by the octal value 0421 in the little-endian long at offset 216.
# The program name (offset 220) and signal number (offset 200) are copied
# from the file into the description; file(1) escapes unprintable bytes in
# such strings unless raw output (-r) is requested.
# NOTE(review): a core file is a process memory image, so a match is a useful
# triage signal when looking for unintended data exposure.
42 216 lelong 0421 Linux/i386 core file
44 >220 string >\0 of '%s'
45 >200 lelong >0 (signal %d)
47 # LILO boot/chain loaders, from Daniel Quinlan <quinlan@yggdrasil.com>
48 # this can be overridden by the DOS executable (COM) entry
# Literal "LILO" at offset 2. The comment above notes that the DOS executable
# (COM) entry can override this result.
49 2 string LILO Linux/i386 LILO boot/chain loader
51 # Linux make config build file, from Ole Aamot <oka@oka.no>
52 # Updated by Ken Sharp
# Old format: fixed string at offset 28. Newer format: "Kernel Configuration"
# is searched for within a 70-byte window starting at offset 49.
53 28 string make\ config Linux make config build file (old)
54 49 search/70 Kernel\ Configuration Linux make config build file
57 # PSF fonts, from H. Peter Anvin <hpa@yggdrasil.com>
58 # Updated by Adam Buchbinder <adam.buchbinder@gmail.com>
59 # See: https://www.win.tue.nl/~aeb/linux/kbd/font-formats-1.html
# PSF v1: 16-bit little-endian magic 0x0436; bits 0 and 1 of the byte at
# offset 2 select the glyph count and whether a Unicode directory is present.
60 0 leshort 0x0436 Linux/i386 PC Screen Font v1 data,
61 >2 byte&0x01 0 256 characters,
62 >2 byte&0x01 !0 512 characters,
63 >2 byte&0x02 0 no directory,
64 >2 byte&0x02 !0 Unicode directory,
# PSF v2: four magic bytes followed by two zero bytes (presumably the low
# half of the version field -- confirm against the format reference above).
# Glyph count is the long at offset 16; bit 0 of the long at 12 is the
# Unicode-directory flag.
66 0 string \x72\xb5\x4a\x86\x00\x00 Linux/i386 PC Screen Font v2 data,
67 >16 lelong x %d characters,
68 >12 lelong&0x01 0 no directory,
69 >12 lelong&0x01 !0 Unicode directory,
73 # Linux swap and hibernate files
74 # Linux kernel: include/linux/swap.h
75 # util-linux: libblkid/src/superblocks/swap.c
77 # format v0, unsupported since 2002
# The 10-byte "SWAP-SPACE" signature occupies the last 10 bytes of the first
# page (0xff6 = 4096 - 10), so one row is needed per page size, 4k to 64k.
78 0xff6 string SWAP-SPACE Linux old swap file, 4k page size
79 0x1ff6 string SWAP-SPACE Linux old swap file, 8k page size
80 0x3ff6 string SWAP-SPACE Linux old swap file, 16k page size
81 0x7ff6 string SWAP-SPACE Linux old swap file, 32k page size
82 0xfff6 string SWAP-SPACE Linux old swap file, 64k page size
84 # format v1, supported since 1998
# NOTE(review): the rows at gutter 86-99 are continuation rows (leading ">"),
# but their level-0 parent (gutter line 85) is absent from this listing, as
# are the lines after each SWAPSPACE2 row below (102, 104, ...). Presumably a
# "name"/"use" pair like linux-hibernate further down -- confirm against the
# original file.
# The version word at 0x400 is tested in both byte orders; the page count and
# bad-page count follow at 0x404 and 0x408 in the byte order that matched.
86 >0x400 lelong 1 little endian, version %u,
87 >>0x404 lelong x size %u pages,
88 >>0x408 lelong x %u bad pages,
89 >0x400 belong 1 big endian, version %u,
90 >>0x404 belong x size %u pages,
91 >>0x408 belong x %u bad pages,
# Label at 0x41c is printed only when its first byte is non-zero.
92 >0x41c string \0 no label,
93 >0x41c string >\0 LABEL=%s,
# The 16 bytes from 0x40c are printed piecewise as an 8-4-4-4-12 UUID.
94 >0x40c ubelong x UUID=%08x
95 >0x410 ubeshort x \b-%04x
96 >0x412 ubeshort x \b-%04x
97 >0x414 ubeshort x \b-%04x
98 >0x416 ubelong x \b-%08x
99 >0x41a ubeshort x \b%04x
# As with the old format, the 10-byte signature sits at (page size - 10).
101 0xff6 string SWAPSPACE2 Linux swap file, 4k page size,
103 0x1ff6 string SWAPSPACE2 Linux swap file, 8k page size,
105 0x3ff6 string SWAPSPACE2 Linux swap file, 16k page size,
107 0x7ff6 string SWAPSPACE2 Linux swap file, 32k page size,
109 0xfff6 string SWAPSPACE2 Linux swap file, 64k page size,
# Named sub-pattern: classifies the hibernate signature found at the offset
# the caller passes in. "default" fires only when none of the rows above it
# matched.
# NOTE(review): a hibernate image is a saved copy of system memory, so a
# device or file matching here deserves the same handling as a memory dump.
112 0 name linux-hibernate
113 >0 string S1SUSPEND \b, with SWSUSP1 image
114 >0 string S2SUSPEND \b, with SWSUSP2 image
115 >0 string ULSUSPEND \b, with uswsusp image
116 >0 string LINHIB0001 \b, with compressed hibernate image
117 >0 string \xed\xc3\x02\xe9\x98\x56\xe5\x0c \b, with tuxonice image
118 >0 default x \b, with unknown hibernate image
# Here "SWAPSPACE2" is found 10 bytes earlier than usual (page size - 20) and
# the usual signature position (page size - 10) is handed to linux-hibernate.
# Gutter lines 121, 124, 127, 130 and 133 are absent from this listing.
120 0xfec string SWAPSPACE2 Linux swap file, 4k page size,
122 >0xff6 use linux-hibernate
123 0x1fec string SWAPSPACE2 Linux swap file, 8k page size,
125 >0x1ff6 use linux-hibernate
126 0x3fec string SWAPSPACE2 Linux swap file, 16k page size,
128 >0x3ff6 use linux-hibernate
129 0x7fec string SWAPSPACE2 Linux swap file, 32k page size,
131 >0x7ff6 use linux-hibernate
132 0xffec string SWAPSPACE2 Linux swap file, 64k page size,
134 >0xfff6 use linux-hibernate
137 # Linux kernel boot images, from Albert Cahalan <acahalan@cs.uml.edu>
138 # and others such as Axel Kohlmeyer <akohlmey@rincewind.chemie.uni-ulm.de>
139 # and Nicolas Lichtmaier <nick@debian.org>
140 # All known start with: b8 c0 07 8e d8 b8 00 90 8e c0 b9 00 01 29 f6 29
141 # Linux kernel boot images (i386 arch) (Wolfram Kleff)
142 # URL: https://www.kernel.org/doc/Documentation/x86/boot.txt
# "HdrS" at offset 514 identifies a Linux kernel image; 0xAA55 at offset 510
# is then reported as an x86 boot executable.
143 514 string HdrS Linux kernel
145 # often no extension like in linux, vmlinuz, bzimage or memdisk but sometimes
146 # Acronis Recovery kernel64.dat and Plop Boot Manager plpbtrom.bin
147 # DamnSmallLinux 1.5 damnsmll.lnx
149 >510 leshort 0xAA55 x86 boot executable
# NOTE(review): the next rows are at level ">>>" although the row above is at
# level ">"; the intermediate ">>" row (gutter line 150) is absent from this
# listing -- confirm against the original file.
151 >>>529 byte 0 zImage,
152 >>>529 byte 1 bzImage,
# Indirect offset: the little-endian short stored at 526, plus 0x200, gives
# the position of the version string. Pointer and text both come from the
# file, so the printed version is what the image claims, not a verified fact.
154 >>>>(526.s+0x200) string >\0 version %s,
# Header shorts at 498-508: root flags, root/swap device, RAM disk size and
# video mode.
155 >>498 leshort 1 RO-rootFS,
156 >>498 leshort 0 RW-rootFS,
157 >>508 leshort >0 root_dev %#X,
158 >>502 leshort >0 swap_dev %#X,
159 >>504 leshort >0 RAMdisksize %u KB,
160 >>506 leshort 0xFFFF Normal VGA
161 >>506 leshort 0xFFFE Extended VGA
162 >>506 leshort 0xFFFD Prompt for Videomode
163 >>506 leshort >0 Video mode %d
164 # This also matches new kernels, which were caught above by "HdrS".
# Matches on the first four boot-sector bytes only; the position of the
# literal "Loading" (0x1e3 or 0x1e9) then selects the age description.
165 0 belong 0xb8c0078e Linux kernel
166 >0x1e3 string Loading version 1.3.79 or older
167 >0x1e9 string Loading from prehistoric times
169 # System.map files - Nicolas Lichtmaier <nick@debian.org>
# Text formats: "search/1" limits the search window to a single position, so
# each string must appear at the stated offset (8 for " A _text", 0 for the
# "Begin3"/"Begin4" markers).
170 8 search/1 \ A\ _text Linux kernel symbol map text
172 # LSM entries - Nicolas Lichtmaier <nick@debian.org>
173 0 search/1 Begin3 Linux Software Map entry text
174 0 search/1 Begin4 Linux Software Map entry text (new format)
176 # From Matt Zimmerman, enhanced for v3 by Matthew Palmer
# 0x4f4f4f4d is the ASCII string "OOOM" read big-endian; a second entry for
# the same four bytes appears later in this file (gutter line 295).
# The backing-file path is printed from offset 8 for versions below 3 and
# from offset 32 for versions above 2. It is a path recorded inside the file,
# not one checked against the host.
177 0 belong 0x4f4f4f4d User-mode Linux COW file
178 >4 belong <3 \b, version %d
179 >>8 string >\0 \b, backing file %s
180 >4 belong >2 \b, version %d
181 >>32 string >\0 \b, backing file %s
183 ############################################################################
184 # Linux kernel versions
# Eight-byte boot-sector prefix, then a split on the short at offset 497:
# zero is reported as a bare boot sector, non-zero as a kernel image.
# Version ranges are a fingerprint, not a stored version number: they are
# derived from the long at 514 and from where the marker 0x55AA5a5a appears.
# Gutter lines 191 and 210 are absent from this listing.
186 0 string \xb8\xc0\x07\x8e\xd8\xb8\x00\x90 Linux
187 >497 leshort 0 x86 boot sector
188 >>514 belong 0x8e of a kernel from the dawn of time!
189 >>514 belong 0x908ed8b4 version 0.99-1.1.42
190 >>514 belong 0x908ed8b8 for memtest86
192 >497 leshort !0 x86 kernel
193 >>504 leshort >0 RAMdisksize=%u KB
194 >>502 leshort >0 swap=%#X
195 >>508 leshort >0 root=%#X
196 >>>498 leshort 1 \b-ro
197 >>>498 leshort 0 \b-rw
198 >>506 leshort 0xFFFF vga=normal
199 >>506 leshort 0xFFFE vga=extended
200 >>506 leshort 0xFFFD vga=ask
201 >>506 leshort >0 vga=%d
202 >>514 belong 0x908ed881 version 1.1.43-1.1.45
# No message on this row: it only gates the marker-offset rows below it.
203 >>514 belong 0x15b281cd
204 >>>0xa8e belong 0x55AA5a5a version 1.1.46-1.2.13,1.3.0
205 >>>0xa99 belong 0x55AA5a5a version 1.3.1,2
206 >>>0xaa3 belong 0x55AA5a5a version 1.3.3-1.3.30
207 >>>0xaa6 belong 0x55AA5a5a version 1.3.31-1.3.41
208 >>>0xb2b belong 0x55AA5a5a version 1.3.42-1.3.45
209 >>>0xaf7 belong 0x55AA5a5a version 1.3.46-1.3.72
# NOTE(review): the parent of this ">>>" row is presumably the missing gutter
# line 210 -- confirm. The row gates on the short at 518 being above 0x1FF;
# the version string is then read through a file-supplied pointer (short at
# 526 plus 0x200).
211 >>>518 leshort >0x1FF
212 >>>>529 byte 0 \b, zImage
213 >>>>529 byte 1 \b, bzImage
214 >>>>(526.s+0x200) string >\0 \b, version %s
216 # Linux boot sector thefts.
# Boot sectors that reuse the Linux prefix bytes. 0x454c4b53 is ASCII "ELKS";
# anything else at 0x1e6 is described only as a Linux-style boot sector.
217 0 belong 0xb8c0078e Linux
218 >0x1e6 belong 0x454c4b53 ELKS Kernel
219 >0x1e6 belong !0x454c4b53 style boot sector
221 ############################################################################
222 # Linux S390 kernel image
223 # Created by: Jan Kaluza <jkaluza@redhat.com>
# 24-byte signature at offset 8, then a binary search ("/b") over a 4096-byte
# window starting at 0x10000 for an 8-byte marker. The ">>&0" rows compare
# the 8 bytes that follow the marker to pick a machine model.
# Gutter lines 226 and 231 are absent from this listing.
224 8 string \x02\x00\x00\x18\x60\x00\x00\x50\x02\x00\x00\x68\x60\x00\x00\x50\x40\x40\x40\x40\x40\x40\x40\x40 Linux S390
225 >0x00010000 search/b/4096 \x00\x0a\x00\x00\x8b\xad\xcc\xcc
227 >>&0 string \xc1\x00\xef\xe3\xf0\x68\x00\x00 Z10 64bit kernel
228 >>&0 string \xc1\x00\xef\xc3\x00\x00\x00\x00 Z9-109 64bit kernel
229 >>&0 string \xc0\x00\x20\x00\x00\x00\x00\x00 Z990 64bit kernel
230 >>&0 string \x00\x00\x00\x00\x00\x00\x00\x00 Z900 64bit kernel
# NOTE(review): the next two rows test the identical 8 bytes, so a file that
# matches one matches both and the two models cannot be told apart here.
232 >>&0 string \x81\x00\xc8\x80\x00\x00\x00\x00 Z10 32bit kernel
233 >>&0 string \x81\x00\xc8\x80\x00\x00\x00\x00 Z9-109 32bit kernel
234 >>&0 string \x80\x00\x20\x00\x00\x00\x00\x00 Z990 32bit kernel
235 >>&0 string \x80\x00\x00\x00\x00\x00\x00\x00 Z900 32bit kernel
237 ############################################################################
238 # Linux ARM compressed kernel image
239 # From: Kevin Cernekee <cernekee@gmail.com>
240 # Update: Joerg Jenderek
# Little-endian read of the zImage magic word at offset 0x24; the
# continuation rows that follow inspect the endian flag at 0x30.
241 0x24 lelong 0x016f2818 Linux kernel ARM boot executable zImage
242 # There are three possible situations: LE, BE with LE bootloader and pure BE.
243 # To help tell these apart, a new endian flag was added. To support kernels
244 # that predate the flag, and BE with LE bootloader, we do a negative check
245 # against the BE variant of the flag when we see a LE magic.
# The flag at 0x30 is read big-endian: any value other than 0x04030201 is
# reported as little-endian, which also covers images that have no flag.
# Gutter line 248 is absent from this listing.
246 >0x30 belong !0x04030201 (little-endian)
247 # raspian "kernel7.img", Vu+ Ultimo4K "kernel_auto.bin"
249 >0x30 belong 0x04030201 (big-endian)
# Separate level-0 entry: the same magic word read big-endian at 0x24.
250 0x24 belong 0x016f2818 Linux kernel ARM boot executable zImage (big-endian)
252 ############################################################################
253 # Linux AARCH64 kernel image
# Magic word at 0x38, then the flags word at 0x18. "^1" matches when bit 0 is
# clear and "&1" when it is set. "&N" matches when every bit of N is set, so
# a value with bits 1 and 2 both set satisfies the &2, &4 and &6 rows at once
# and all three page-size messages are printed.
# NOTE(review): the kernel's arm64 booting document describes bits 1-2 as one
# 2-bit page-size field (1 = 4K, 2 = 16K, 3 = 64K), so "32K pages" for &6
# looks wrong. Confirm against that document and consider masked equality
# tests ("lelong&6" compared with 2, 4 and 6) instead of the bit-set tests.
254 0x38 lelong 0x644d5241 Linux kernel ARM64 boot executable Image
255 >0x18 lelong ^1 \b, little-endian
256 >0x18 lelong &1 \b, big-endian
257 >0x18 lelong &2 \b, 4K pages
258 >0x18 lelong &4 \b, 16K pages
259 >0x18 lelong &6 \b, 32K pages
261 ############################################################################
262 # Linux 8086 executable
# The mask 0xFF0000FF keeps only bytes 0 and 3 of the first long (0xE9 and
# 0xC3), so this headerless match rests on two bytes. Treat it as a
# low-confidence identification when file(1) output feeds triage decisions.
# Gutter lines 264, 270 and 278 are absent from this listing, so the parents
# of the ">>" rows below are not visible here.
263 0 lelong&0xFF0000FF 0xC30000E9 Linux-Dev86 executable, headerless
265 >>4 string >\0 \b, libc version %s
# The mask 0xFF00FFFF skips byte 2, which holds the flag bits decoded by the
# "byte&..." rows that follow.
267 0 lelong&0xFF00FFFF 0x4000301 Linux-8086 executable
268 >2 byte&0x01 !0 \b, unmapped zero page
269 >2 byte&0x20 0 \b, impure
271 >>2 byte&0x10 !0 \b, A_EXEC
272 >2 byte&0x02 !0 \b, A_PAL
273 >2 byte&0x04 !0 \b, A_NSYM
274 >2 byte&0x08 !0 \b, A_STAND
275 >2 byte&0x40 !0 \b, A_PURE
276 >2 byte&0x80 !0 \b, A_TOVLY
277 >28 long !0 \b, not stripped
279 >>36 string >\0 \b, libc version %s
281 # 0 lelong&0xFF00FFFF 0x10000301 ld86 I80386 executable
282 # 0 lelong&0xFF00FFFF 0xB000301 ld86 M68K executable
283 # 0 lelong&0xFF00FFFF 0xC000301 ld86 NS16K executable
284 # 0 lelong&0xFF00FFFF 0x17000301 ld86 SPARC executable
286 # SYSLINUX boot logo files (from 'ppmtolss16' sources)
287 # https://www.syslinux.org/wiki/index.php/SYSLINUX#Display_graphic_from_filename:
288 # file extension .lss .16
# LSS16: 32-bit little-endian magic, then width and height as shorts at
# offsets 4 and 6. Gutter line 291 is absent from this listing.
289 0 lelong =0x1413f33d SYSLINUX' LSS16 image data
290 # syslinux-4.05/mime/image/x-lss16.xml
292 >4 leshort x \b, width %d
293 >6 leshort x \b, height %d
# NOTE(review): "OOOM" is the same four bytes as the belong 0x4f4f4f4d entry
# earlier in this file (gutter line 177), so the two entries overlap; which
# description is reported depends on how file(1) orders the entries.
295 0 string OOOM User-Mode-Linux's Copy-On-Write disk image
296 >4 belong x version %d
298 # SE Linux policy database
299 # From: Mike Frysinger <vapier@gentoo.org>
# Binary SELinux policy: 32-bit little-endian magic, then counts printed from
# the longs at offsets 24 and 28. Gutter lines 301-302 are absent from this
# listing.
# NOTE(review): the same entry is repeated later in this file (gutter lines
# 361-365).
300 0 lelong 0xf97cff8c SE Linux policy
303 >24 lelong x %d symbols
304 >28 lelong x %d ocons
306 # Linux Logical Volume Manager (LVM)
307 # Emmanuel VARAGNAT <emmanuel.varagnat@guzu.net>
309 # System ID, UUID and volume group name are 128 bytes long
310 # but they should never be full and initialized with zeros...
# LVM1: "HM" plus a version byte at offset 0; the "/b" flag forces the binary
# file test. The System ID at 0x12c is printed only when its first byte is
# non-zero; the comment above gives the field length as 128 bytes.
314 0x0 string/b HM\001 LVM1 (Linux Logical Volume Manager), version 1
315 >0x12c string/b >\0 , System ID: %s
317 0x0 string/b HM\002 LVM1 (Linux Logical Volume Manager), version 2
318 >0x12c string/b >\0 , System ID: %s
322 # It seems that the label header can be in one of the first four sectors
323 # of the disk... (from _find_labeller in lib/label/label.c of LVM2)
325 # 0x200 seems to be the common case
327 # display UUID in LVM format + display all 32 bytes (instead of max string length: 31)
# NOTE(review): these are continuation rows whose level-0 parent (gutter line
# 326) is absent from this listing; presumably the "lvm2" sub-pattern that
# the "use lvm2" rows below refer to -- confirm against the original file.
# The 32-character UUID is printed in 6-4-4-4-4-4-6 groups; the bounded
# "%.Ns" conversions stop each piece from running into the next field. Each
# piece is printed only when the string at its offset compares greater than
# "/" (0x2f).
328 >0x0 string >\x2f \b, UUID: %.6s
329 >0x6 string >\x2f \b-%.4s
330 >0xa string >\x2f \b-%.4s
331 >0xe string >\x2f \b-%.4s
332 >0x12 string >\x2f \b-%.4s
333 >0x16 string >\x2f \b-%.4s
334 >0x1a string >\x2f \b-%.6s
335 >0x20 lequad x \b, size: %lld
338 # read the offset to add to the start of the header, and the header
# "LVM2 001" is looked for at byte 0x18 of each of the first four 512-byte
# sectors (0x018, 0x218, 0x418, 0x618).
# The offset handed to "lvm2" is indirect and relative: it is computed from a
# long stored in the file near the label. The place the UUID and size are
# read from is therefore chosen by the file's own contents.
340 0x218 string/b LVM2\ 001 LVM2 PV (Linux Logical Volume Manager)
341 >&(&-12.l-0x20) use lvm2
343 0x018 string/b LVM2\ 001 LVM2 PV (Linux Logical Volume Manager)
344 >&(&-12.l-0x20) use lvm2
346 0x418 string/b LVM2\ 001 LVM2 PV (Linux Logical Volume Manager)
347 >&(&-12.l-0x20) use lvm2
349 0x618 string/b LVM2\ 001 LVM2 PV (Linux Logical Volume Manager)
350 >&(&-12.l-0x20) use lvm2
# Snapshot store header: "SnAp", then three little-endian longs giving the
# valid flag (offset 4), version (offset 8) and chunk size (offset 12).
354 0 string SnAp LVM Snapshot (CopyOnWrite store)
355 >4 lelong !0 - valid,
356 >4 lelong 0 - invalid,
357 >8 lelong x version %d,
358 >12 lelong x chunk_size %d
360 # SE Linux policy database
# NOTE(review): this repeats the SE Linux policy entry that appears earlier
# in this file (gutter lines 300-304) with the same magic and the same
# offsets. Gutter lines 362-363 are absent from this listing.
361 0 lelong 0xf97cff8c SE Linux policy
364 >24 lelong x %d symbols
365 >28 lelong x %d ocons
367 # Summary: Xen saved domain file
368 # Created by: Radek Vokal <rvokal@redhat.com>
# Two entries share the same level-0 test ("LinuxGuestRecord" at offset 0).
# NOTE(review): the ">>" row below has no visible ">" parent (gutter line 370
# is absent from this listing), and gutter line 378 after the search row is
# missing as well -- confirm both against the original file.
# The domain name is text taken from the saved image.
369 0 string LinuxGuestRecord Xen saved domain
371 >>&1 string x (name %s)
373 # Type: Xen, the virtual machine monitor
374 # From: Radek Vokal <rvokal@redhat.com>
375 0 string LinuxGuestRecord Xen saved domain
376 #>2 regex \(name\ [^)]*\) %s
# Looks for "(name" within a 256-byte window starting at offset 20.
377 >20 search/256 (name (name
380 # Systemd journald files
381 # See https://www.freedesktop.org/wiki/Software/systemd/journal-files/.
382 # From: Zbigniew Jedrzejewski-Szmek <zbyszek@in.waw.pl>
386 # check that state is one of known values
388 # check that each half of three unique id128s is non-zero
# NOTE(review): only the innermost rows of this entry are visible; the
# level-0 signature row and the gating rows described by the two comments
# above (gutter lines 383-393) are absent from this listing.
394 >>>>>>>64 ubequad >0 Journal file
395 !:mime application/octet-stream
# The state byte at offset 16 is decoded as offline/online/archived. "sealed"
# and "compressed" reflect bit 0 of the flag words at offsets 8 and 12.
# These rows report header bits only. A "sealed" result is not evidence that
# the journal's integrity has been verified.
397 >>>>>>>>184 leqdate 0 empty
398 >>>>>>>>16 ubyte 0 \b, offline
399 >>>>>>>>16 ubyte 1 \b, online
400 >>>>>>>>16 ubyte 2 \b, archived
401 >>>>>>>>8 ulelong&1 1 \b, sealed
402 >>>>>>>>12 ulelong&1 1 \b, compressed
404 # BCache backing and cache devices
405 # From: Gabriel de Perthuis <g2p.code@gmail.com>
# NOTE(review): the level-0 parent of this entry (gutter line 406) is absent
# from this listing.
# A 16-byte magic at 0x1018 identifies the superblock; the quad at 0x1010
# selects "cache device" (0 or 3) or "backing device" (1 or 4).
407 >0x1018 string \xc6\x85\x73\xf6\x4e\x1a\x45\xca\x82\x65\xf5\x7f\x48\xba\x6d\x81 BCache
408 >>0x1010 ulequad 0 cache device
409 >>0x1010 ulequad 1 backing device
410 >>0x1010 ulequad 3 cache device
411 >>0x1010 ulequad 4 backing device
# The label is bounded to 32 characters by the "%.32s" conversion.
412 >>0x1048 string >0 \b, label "%.32s"
# Device UUID (16 bytes from 0x1028) and set UUID (16 bytes from 0x1038),
# each printed piecewise in 8-4-4-4-12 form.
413 >>0x1028 ubelong x \b, uuid %08x
414 >>0x102c ubeshort x \b-%04x
415 >>0x102e ubeshort x \b-%04x
416 >>0x1030 ubeshort x \b-%04x
417 >>0x1032 ubelong x \b-%08x
418 >>0x1036 ubeshort x \b%04x
419 >>0x1038 ubelong x \b, set uuid %08x
420 >>0x103c ubeshort x \b-%04x
421 >>0x103e ubeshort x \b-%04x
422 >>0x1040 ubeshort x \b-%04x
423 >>0x1042 ubelong x \b-%08x
424 >>0x1046 ubeshort x \b%04x
427 # File format description can be found in the Linux kernel sources at
428 # Documentation/devicetree/booting-without-of.txt
429 # From Christoph Biedl
431 # structure must be within blob, strings are omitted to handle devicetrees > 1M
# NOTE(review): the level-0 magic row and several gating rows (gutter lines
# 430, 432, 435, 437, 439) are absent from this listing, so the nesting shown
# here is incomplete -- confirm against the original file.
# All visible fields are big-endian longs from the blob header: version at
# 20, total size at 4, boot CPU at 28, and block sizes at 32 and 36.
433 >>20 belong >1 Device Tree Blob version %d
434 >>>4 belong x \b, size=%d
436 >>>>28 belong x \b, boot CPU=%d
438 >>>>32 belong x \b, string block size=%d
440 >>>>36 belong x \b, DT structure block size=%d
442 # glibc locale archive as defined in glibc locale/locarchive.h
# 32-bit little-endian magic at offset 0; the long at offset 24 is printed as
# the string count.
443 0 lelong 0xde020109 locale archive
444 >24 lelong x %d strings
446 # Linux Software RAID (mdadm)
447 # Russell Coker <russell@coker.com.au>
# NOTE(review): the three rows below are continuation rows whose level-0
# parent (gutter line 448) is absent from this listing, as are gutter lines
# 450-453, 459-460 and 463 -- confirm against the original file.
449 >16 belong x UUID=%8x:
454 >72 lelong x level=%d
455 >92 lelong x disks=%d
# The same superblock magic at offset 4096 is reported as version 1.2 and at
# offset 0 as version 1.1; the long after the magic is printed in brackets.
457 4096 lelong 0xa92b4efc Linux Software RAID
458 >4100 lelong x version 1.2 (%d)
461 0 lelong 0xa92b4efc Linux Software RAID
462 >4 lelong x version 1.1 (%d)
465 # Summary: Database file for mlocate
466 # Description: A database file as used by mlocate, a fast implementation
467 # of locate/updatedb. It uses merging to reuse the existing
468 # database and avoid rereading most of the filesystem. It's
469 # the default version of locate on Arch Linux (and others).
470 # File path: /var/lib/mlocate/mlocate.db by default (but configurable)
471 # Site: https://fedorahosted.org/mlocate/
472 # Format docs: https://linux.die.net/man/5/mlocate.db
473 # Type: mlocate database file
474 # URL: https://fedorahosted.org/mlocate/
475 # From: Wander Nauta <info@wandernauta.nl>
# Signature is a NUL byte followed by "mlocate". The version byte (12), the
# visibility flag (13) and the database root path (from 16) are printed.
# NOTE(review): the header comment above describes this as the
# locate/updatedb database, i.e. an index of filesystem paths, so a copy
# found outside its default location is worth flagging during a review.
476 0 string \0mlocate mlocate database
477 >12 byte x \b, version %d
478 >13 byte 1 \b, require visibility
479 >16 string x \b, root %s
481 # Dump files for iproute2 tool. Generated by the "ip r|a save" command. URL:
482 # https://www.linuxfoundation.org/collaborate/workgroups/networking/iproute2
483 # From: Pavel Emelyanov <xemul@parallels.com>
# Each row is a bare 32-bit little-endian magic at offset 0 with no further
# fields decoded, so identification rests on those four bytes alone.
484 0 lelong 0x45311224 iproute2 routes dump
485 0 lelong 0x47361222 iproute2 addresses dump
487 # Image and service files for CRIU tool.
488 # URL: https://criu.org
489 # From: Pavel Emelyanov <xemul@parallels.com>
490 0 lelong 0x54564319 CRIU image file v1.1
491 0 lelong 0x55105940 CRIU service file
492 0 lelong 0x58313116 CRIU inventory
494 # Kdump compressed dump files
495 # https://sourceforge.net/p/makedumpfile/code/ci/master/tree/IMPLEMENTATION
# After "KDUMP", six strings are printed from offsets spaced 65 bytes apart
# (12, 77, 142, 207, 272, 337); presumably a copied utsname structure --
# confirm against the format reference above.
# The node, release and version values describe the machine that produced
# the dump, which helps attribute a dump found on another system.
# Gutter lines 498 and 505-506 are absent from this listing.
497 0 string KDUMP Kdump compressed dump
499 >12 string >\0 \b, system %s
500 >77 string >\0 \b, node %s
501 >142 string >\0 \b, release %s
502 >207 string >\0 \b, version %s
503 >272 string >\0 \b, machine %s
504 >337 string >\0 \b, domain %s
# Separate text entry: "/dts-v1/" anywhere in the first 1024 bytes.
507 0 search/1024 /dts-v1/ Device Tree File (v1)
513 # David Gilman <davidgilman1@gmail.com>
# The rows at 44 and 48 use the always-true test "x" purely to print a label;
# the nested rows then decode bit 0 of the same long. The filesystem offset
# at 64 is printed only when the feature bit says it is present.
514 0 string E2UNDO02 e2fsck undo file, version 2
515 >44 lelong x \b, undo file is
516 >>44 lelong&1 0 not finished
517 >>44 lelong&1 1 finished
518 >48 lelong x \b, undo file features:
519 >>48 lelong&1 0 lacks filesystem offset
520 >>48 lelong&1 1 has filesystem offset
521 >>>64 lequad x at %#llx
523 # ansible vault (does not really belong here)
# Matches the plaintext "$ANSIBLE_VAULT;" header; the version and the cipher
# name are then picked out by regex relative to the end of the previous
# match.
# Only the header is inspected. A match identifies the file as a vault, which
# is useful for inventorying stored secrets, but says nothing about the
# strength of the password protecting it.
# NOTE(review): gutter line 526 is absent from this listing, so the parent of
# the ">>>" row is not visible here.
524 0 string $ANSIBLE_VAULT; Ansible Vault
525 >&0 regex [0-9]+\\.[0-9]+ \b, version %s
527 >>>&0 regex [A-Z0-9]+ \b, encryption %s
529 # From: Joerg Jenderek
530 # URL: https://www.gnu.org/software/grub
531 # Reference: https://ftp.gnu.org/gnu/grub/grub-2.06.tar.gz
532 # grub-2.06/include/grub/keyboard_layouts.h
533 # grub-2.06/grub-core/commands/keylayouts.c
534 # GRUB_KEYBOARD_LAYOUTS_FILEMAGIC
# "GRUBLAYO" at offset 0. The version is printed only when the long at
# offset 8 differs from 10.
535 0 string GRUBLAYO GRUB Keyboard
536 !:mime application/x-grub-keyboard
538 # GRUB_KEYBOARD_LAYOUTS_VERSION like: 10
539 >8 ulelong !10 \b, version %u
540 # 4 grub_uint32_t grub_keyboard_layout[160]
541 # for normal french keyboard this is letter a
# NOTE(review): the two ">>" rows below have no visible ">" parent (gutter
# lines 542 and 546 are absent from this listing). Each prints the byte at
# its offset as a character when the value is above 0x40.
543 >>92 ubyte >0x40 \b, english q is %c
544 #>732 ubyte x \b, english Q is %c
545 # for normal german keyboard this is letter z
547 >>124 ubyte >0x40 \b, english y is %c
548 #>764 ubyte x \b, english Y is %c