magic - format of the magic file
File Format
The file command uses
/etc/magic in its attempt to identify the type of a binary file.
Essentially, /etc/magic contains templates showing
what different types of files look like.
The magic file contains lines describing magic numbers which
identify particular types of files. Lines beginning with a >
or & character represent continuation lines to a preceding main
entry:
>   If file finds a match on the
main entry line, these additional patterns are checked. Any pattern which
matches is used. This may generate additional output; a single blank
separates each matching line's output (if any output exists for that
line).
&   If file finds a match on the
main entry line, and a following continuation line begins with this
character, that continuation line's pattern must also match, or neither
line is used. Output text associated with any line beginning with the
& character is ignored.
The first field is a byte offset in the file, consisting of an optional offset operator and a value. In continuation lines, the offset immediately follows a continuation character.
If no offset operator is specified, then the offset value indicates an offset from the beginning of the file.
The * offset operator specifies that the value located at the
memory location following the operator be used as the offset. Thus,
*0x3C indicates that the value contained in 0x3C
should be used as the offset.
The + offset operator specifies an incremental offset, based
upon the value of the last offset. Thus, +15 indicates that
the offset value is 15 bytes from the last specified offset.
The next field is a type: byte, short,
long, or string. byte,
short, and long can be followed by an optional
mask which is bitwise ANDed to the value prior to comparison, for example,
byte &0x80 looks at the high bit.
The next field is a value, preceded by an optional operator. Operators
only apply to non-string types: byte, short, and
long. The default operator is = (exact
match). The other operators are:
= equal
! not equal
> greater than
< less than
& all bits in pattern must match
^ any bits in pattern may match
x or ? any value matches (must be the only character in the field)
(? is an extension to traditional implementations of magic)
string values to be matched may contain any valid ANSI C
backslash sequence. Thus, to match a single backslash, \\
must be entered in the magic file.
Due to its format, the magic file must use a
\t to match a tab character.
The rest of the line is a string to be printed if the particular file
matches the template. Note that the contents of this field are ignored if
the line begins with the & continuation character. The
fourth field may contain a printf-type format indicator
to output the magic number (see printf for more details on
format indicators).
0        byte    0x80    OMF object file (Microsoft relocatable)
0        short   0x5A4D  extended DOS executable (.EXE)
>*0x3C   short   0x454C  -- Windows VxD Linear format
>*0x3C   short   0x4550  -- Win32 or NT Portable format
>+54     byte    2       -- Windows format
>0x32    string  PKWARE  Self extracting Zip
>0x24    string  LHA's   Self extracting LHA
>0xE9    string  PKSFX2  Self extracting Zip
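The following is an added example, not part of the original page or of any file implementation: a small Python evaluator for the entry format described above, covering offsets, the numeric and string types, value operators and > continuation lines, run over the page's sample entries and a constructed buffer (SAMPLE: "MZ", the value 0x40 stored at 0x3C, "PE" at 0x40). Assumptions the page does not state: fields are split on whitespace, values are little-endian, the value behind a * offset is a 4-byte long, + counts from the last resolved offset, and the first matching main entry wins.

```python
import struct

# The page's example entries; fields are split on whitespace (assumption).
MAGIC = """\
0 byte 0x80 OMF object file (Microsoft relocatable)
0 short 0x5A4D extended DOS executable (.EXE)
>*0x3C short 0x454C -- Windows VxD Linear format
>*0x3C short 0x4550 -- Win32 or NT Portable format
>+54 byte 2 -- Windows format
>0x32 string PKWARE Self extracting Zip
>0x24 string LHA's Self extracting LHA
>0xE9 string PKSFX2 Self extracting Zip
"""
FMT = {"byte": "<B", "short": "<H", "long": "<I"}  # assumption: little-endian
SAMPLE = b"MZ" + bytes(58) + struct.pack("<I", 0x40) + b"PE" + bytes(62)  # constructed

def resolve(off, data, last):  # absolute offset, or None if unreadable
    if off[0] == "*":  # indirect: the offset is read from the untrusted file
        at = int(off[1:], 0)  # assumption: the stored value is a 4-byte long
        return struct.unpack_from("<I", data, at)[0] if at + 4 <= len(data) else None
    return last + int(off[1:], 0) if off[0] == "+" else int(off, 0)

def matches(kind, want, data, pos):
    if kind == "string":  # decode C backslash sequences, then compare bytes
        s = want.encode().decode("unicode_escape").encode("latin-1")
        return data.startswith(s, pos)
    ok = pos + struct.calcsize(FMT[kind]) <= len(data)
    if not ok or want in ("x", "?"):
        return ok  # out-of-range reads never match; x and ? match any value
    v = struct.unpack_from(FMT[kind], data, pos)[0]
    op = want[0] if want[0] in "=!><&" else "="  # default operator is =
    n = int(want.lstrip("=!><&"), 0)
    return {"=": v == n, "!": v != n, ">": v > n, "<": v < n, "&": (v & n) == n}[op]

def identify(data, magic=MAGIC):
    out, last = [], 0  # a non-empty out means a main entry has matched
    for line in magic.splitlines():
        cont = line.startswith(">")
        if out and not cont:
            break  # assumption: the first matching main entry wins
        if cont and not out:
            continue  # continuation of a main entry that did not match
        off, kind, want, msg = line.lstrip(">").split(None, 3)
        pos = resolve(off, data, last)
        if pos is not None:
            last = pos  # assumption: "+" counts from the last resolved offset
            if matches(kind, want, data, pos):
                out.append(msg)
    return " ".join(out)  # a single blank separates each line's output
```

Because a * offset is read from the file being identified, every dereference is bounds-checked, so a truncated file or an out-of-range stored offset simply fails to match.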
file
envvar