+2012-04-03 18:26 Christos Zoulas <christos@zoulas.com>
+
+ * Add windows date field types
+ * More info for windows shortcuts (incomplete)
+
2012-02-20 17:33 Christos Zoulas <christos@zoulas.com>
* Fix CDF parsing issues found by CERT's fuzzing tool (Will Dormann)
-.\" $File: magic.man,v 1.70 2011/12/05 22:58:35 rrt Exp $
-.Dd April 20, 2011
+.\" $File: magic.man,v 1.71 2011/12/07 11:58:24 rrt Exp $
+.Dd April 3, 2012
.Dt MAGIC __FSECTION__
.Os
.\" install as magic.4 on USG, magic.5 on V7, Berkeley and Linux systems.
.It Dv qldate
An eight-byte value interpreted as a UNIX-style date, but interpreted as
local time rather than UTC.
+.It Dv qwdate
+An eight-byte value interpreted as a Windows-style date.
.It Dv beid3
A 32-bit ID3 length in big-endian byte order.
.It Dv beshort
An eight-byte value in big-endian byte order,
interpreted as a UNIX-style date, but interpreted as local time rather
than UTC.
+.It Dv beqwdate
+An eight-byte value in big-endian byte order,
+interpreted as a Windows-style date.
.It Dv bestring16
A two-byte unicode (UCS16) string in big-endian byte order.
.It Dv leid3
An eight-byte value in little-endian byte order,
interpreted as a UNIX-style date, but interpreted as local time rather
than UTC.
+.It Dv leqwdate
+An eight-byte value in little-endian byte order,
+interpreted as a Windows-style date.
.It Dv lestring16
A two-byte unicode (UCS16) string in little-endian byte order.
.It Dv melong
#------------------------------------------------------------------------------
-# $File$
+# $File: windows,v 1.4 2009/09/19 16:28:13 christos Exp $
# windows: file(1) magic for Microsoft Windows
#
# This file is mainly reserved for files where programs
0 string HyperTerminal\
>15 string 1.0\ --\ HyperTerminal\ data\ file MS Windows HyperTerminal profile
-
+# http://ithreats.files.wordpress.com/2009/05/\
+# lnk_the_windows_shortcut_file_format.pdf
# Summary: Windows shortcut
# Extension: .lnk
# Created by: unknown
+# 'L' + GUUID
0 string \114\0\0\0\001\024\002\0\0\0\0\0\300\0\0\0\0\0\0\106 MS Windows shortcut
-
+>20 lelong&1 1 \b, Item id list present
+>20 lelong&2 2 \b, Points to a file or directory
+>20 lelong&4 4 \b, Has Description string
+>20 lelong&8 8 \b, Has Relative path
+>20 lelong&16 16 \b, Has Working directory
+>20 lelong&32 32 \b, Has command line arguments
+>20 lelong&64 64 \b, Icon
+>>56 lelong \b number=%d
+>24 lelong&1 1 \b, Read-Only
+>24 lelong&2 2 \b, Hidden
+>24 lelong&4 4 \b, System
+>24 lelong&8 8 \b, Volume Label
+>24 lelong&16 16 \b, Directory
+>24 lelong&32 32 \b, Archive
+>24 lelong&64 64 \b, Encrypted
+>24 lelong&128 128 \b, Normal
+>24 lelong&256 256 \b, Temporary
+>24 lelong&512 512 \b, Sparse
+>24 lelong&1024 1024 \b, Reparse point
+>24 lelong&2048 2048 \b, Compressed
+>24 lelong&4096 4096 \b, Offline
+>28 leqwdate x \b, ctime=%s
+>36 leqwdate x \b, mtime=%s
+>44 leqwdate x \b, atime=%s
+>52 lelong x \b, length=%u, window=
+>60 lelong&1 1 \bhide
+>60 lelong&2 2 \bnormal
+>60 lelong&4 4 \bshowminimized
+>60 lelong&8 8 \bshowmaximized
+>60 lelong&16 16 \bshownoactivate
+>60 lelong&32 32 \bminimize
+>60 lelong&64 64 \bshowminnoactive
+>60 lelong&128 128 \bshowna
+>60 lelong&256 256 \brestore
+>60 lelong&512 512 \bshowdefault
+#>20 lelong&1 0
+#>>20 lelong&2 2
+#>>>(72.l-64) pstring/h x \b [%s]
+#>20 lelong&1 1
+#>>20 lelong&2 2
+#>>>(72.s) leshort x
+#>>>&75 pstring/h x \b [%s]
# Summary: Outlook Personal Folders
# Created by: unknown
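Review bot: The icon line `>>56 lelong \b number=%d` has no test field, unlike the `x` on the `leqwdate` and `length=%u` lines below it, so the parser will most likely read it as an equality test and print the index for one value only; `>>56 lelong x \b number=%d` is what the neighbouring lines suggest was meant. The labels at offsets 36 and 44 are worth checking against Microsoft's MS-SHLLINK header layout, which as far as I recall puts the access time before the write time; swapped `mtime=`/`atime=` labels would mislead anyone building a timeline from this output. The tests at offset 60 treat the show-window field as a bit mask although it appears to hold a single command value, so one value can print several names and another none, leaving a bare `window=`.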
#include "file.h"
#ifndef lint
-FILE_RCSID("@(#)$File: apprentice.c,v 1.172 2011/11/16 19:24:22 christos Exp $")
+FILE_RCSID("@(#)$File: apprentice.c,v 1.173 2011/12/08 12:38:24 rrt Exp $")
#endif /* lint */
#include "magic.h"
{ XX("leid3"), FILE_LEID3, FILE_FMT_NUM },
{ XX("beid3"), FILE_BEID3, FILE_FMT_NUM },
{ XX("indirect"), FILE_INDIRECT, FILE_FMT_NONE },
+ { XX("qwdate"), FILE_QWDATE, FILE_FMT_STR },
+ { XX("leqwdate"), FILE_LEQWDATE, FILE_FMT_STR },
+ { XX("beqwdate"), FILE_BEQWDATE, FILE_FMT_STR },
{ XX_NULL, FILE_INVALID, FILE_FMT_NONE },
# undef XX
# undef XX_NULL
case FILE_QLDATE:
case FILE_LEQLDATE:
case FILE_BEQLDATE:
+ case FILE_QWDATE:
+ case FILE_LEQWDATE:
+ case FILE_BEQWDATE:
case FILE_DOUBLE:
case FILE_BEDOUBLE:
case FILE_LEDOUBLE:
case FILE_QLDATE:
case FILE_LEQLDATE:
case FILE_BEQLDATE:
+ case FILE_QWDATE:
+ case FILE_LEQWDATE:
+ case FILE_BEQWDATE:
case FILE_FLOAT:
case FILE_BEFLOAT:
case FILE_LEFLOAT:
case FILE_LEQUAD:
case FILE_QDATE:
case FILE_QLDATE:
+ case FILE_QWDATE:
case FILE_BEQDATE:
case FILE_BEQLDATE:
+ case FILE_BEQWDATE:
case FILE_LEQDATE:
case FILE_LEQLDATE:
+ case FILE_LEQWDATE:
case FILE_DOUBLE:
case FILE_BEDOUBLE:
case FILE_LEDOUBLE:
*/
/*
* file.h - definitions for file(1) program
- * @(#)$File: file.h,v 1.134 2011/09/16 21:23:59 christos Exp $
+ * @(#)$File: file.h,v 1.135 2011/09/20 15:30:14 christos Exp $
*/
#ifndef __file_h__
#define FILE_BEID3 39
#define FILE_LEID3 40
#define FILE_INDIRECT 41
-#define FILE_NAMES_SIZE 42/* size of array to contain all names */
+#define FILE_QWDATE 42
+#define FILE_LEQWDATE 43
+#define FILE_BEQWDATE 44
+#define FILE_NAMES_SIZE 45/* size of array to contain all names */
#define IS_STRING(t) \
((t) == FILE_STRING || \
typedef unsigned long unichar;
struct stat;
-protected const char *file_fmttime(uint32_t, int);
+#define FILE_T_LOCAL 1
+#define FILE_T_WINDOWS 2
+protected const char *file_fmttime(uint64_t, int);
protected int file_buffer(struct magic_set *, int, const char *, const void *,
size_t);
protected int file_fsmagic(struct magic_set *, const char *, struct stat *);
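Review bot: The second argument of `file_fmttime` is now a bit mask, but nothing at the prototype says so, and the UTC case is still written as a bare `0` at the call sites. A comment above the two defines would cover it, for example `/* file_fmttime() flags: 0 prints UTC; FILE_T_LOCAL converts to local time; FILE_T_WINDOWS treats the value as a Windows-style timestamp */`.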
#include "file.h"
#ifndef lint
-FILE_RCSID("@(#)$File: print.c,v 1.70 2011/08/14 09:03:12 christos Exp $")
+FILE_RCSID("@(#)$File: print.c,v 1.71 2011/09/20 15:28:09 christos Exp $")
#endif /* lint */
#include <string.h>
case FILE_BEDATE:
case FILE_MEDATE:
(void)fprintf(stderr, "%s,",
- file_fmttime(m->value.l, 1));
+ file_fmttime(m->value.l, FILE_T_LOCAL));
break;
case FILE_LDATE:
case FILE_LELDATE:
case FILE_MELDATE:
(void)fprintf(stderr, "%s,",
file_fmttime(m->value.l, 0));
- break;
case FILE_QDATE:
case FILE_LEQDATE:
case FILE_BEQDATE:
(void)fprintf(stderr, "%s,",
- file_fmttime((uint32_t)m->value.q, 1));
+ file_fmttime(m->value.q, FILE_T_LOCAL));
break;
case FILE_QLDATE:
case FILE_LEQLDATE:
case FILE_BEQLDATE:
(void)fprintf(stderr, "%s,",
- file_fmttime((uint32_t)m->value.q, 0));
+ file_fmttime(m->value.q, 0));
+ break;
+ case FILE_QWDATE:
+ case FILE_LEQWDATE:
+ case FILE_BEQWDATE:
+ (void)fprintf(stderr, "%s,",
+ file_fmttime(m->value.q, FILE_T_WINDOWS));
break;
case FILE_FLOAT:
case FILE_BEFLOAT:
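Review bot: The `break;` after the `FILE_LDATE`/`FILE_LELDATE`/`FILE_MELDATE` print is removed and not replaced, so on the new side as shown that case falls through into `FILE_QDATE` and prints a second timestamp taken from `m->value.q` with `FILE_T_LOCAL`. Unless the fall-through is intended, keep `break;` directly after `file_fmttime(m->value.l, 0));`. The enclosing switch starts and ends outside the hunk.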
}
protected const char *
-file_fmttime(uint32_t v, int local)
+file_fmttime(uint64_t v, int flags)
{
char *pp;
time_t t = (time_t)v;
struct tm *tm;
- if (local) {
+ if (flags & FILE_T_WINDOWS) {
+ struct timespec ts;
+ cdf_timestamp_to_timespec(&ts, t);
+ t = ts.tv_sec;
+ }
+
+ if (flags & FILE_T_LOCAL) {
pp = ctime(&t);
} else {
#ifndef HAVE_DAYLIGHT
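Review bot: The Windows branch passes `t` to `cdf_timestamp_to_timespec`, and `t` has already been narrowed by `time_t t = (time_t)v;`, so where `time_t` is 32 bits the 64-bit Windows timestamp is truncated before it is converted; pass the original value instead, `cdf_timestamp_to_timespec(&ts, v);`. The call's result is ignored and `ts.tv_sec` is read regardless, so a failed conversion, if the helper reports one, goes unnoticed. Since `v` comes straight from the file being inspected, the pointer returned by `ctime()` and by whatever the else branch calls should be checked for NULL before it is used. The rest of the function body lies outside the hunk, so confirm that there.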
#include "file.h"
#ifndef lint
-FILE_RCSID("@(#)$File: softmagic.c,v 1.146 2011/09/20 15:30:14 christos Exp $")
+FILE_RCSID("@(#)$File: softmagic.c,v 1.147 2011/11/05 15:44:22 rrt Exp $")
#endif /* lint */
#include "magic.h"
case FILE_BEDATE:
case FILE_LEDATE:
case FILE_MEDATE:
- if (file_printf(ms, m->desc, file_fmttime(p->l, 1)) == -1)
+ if (file_printf(ms, m->desc, file_fmttime(p->l,
+ FILE_T_LOCAL)) == -1)
return -1;
- t = ms->offset + sizeof(time_t);
+ t = ms->offset + sizeof(uint32_t);
break;
case FILE_LDATE:
case FILE_MELDATE:
if (file_printf(ms, m->desc, file_fmttime(p->l, 0)) == -1)
return -1;
- t = ms->offset + sizeof(time_t);
+ t = ms->offset + sizeof(uint32_t);
break;
case FILE_QDATE:
case FILE_BEQDATE:
case FILE_LEQDATE:
- if (file_printf(ms, m->desc, file_fmttime((uint32_t)p->q,
- 1)) == -1)
+ if (file_printf(ms, m->desc, file_fmttime(p->q,
+ FILE_T_LOCAL)) == -1)
return -1;
t = ms->offset + sizeof(uint64_t);
break;
case FILE_QLDATE:
case FILE_BEQLDATE:
case FILE_LEQLDATE:
- if (file_printf(ms, m->desc, file_fmttime((uint32_t)p->q,
- 0)) == -1)
+ if (file_printf(ms, m->desc, file_fmttime(p->q, 0)) == -1)
+ return -1;
+ t = ms->offset + sizeof(uint64_t);
+ break;
+
+ case FILE_QWDATE:
+ case FILE_BEQWDATE:
+ case FILE_LEQWDATE:
+ if (file_printf(ms, m->desc, file_fmttime(p->q,
+ FILE_T_WINDOWS)) == -1)
return -1;
t = ms->offset + sizeof(uint64_t);
break;
case FILE_BEDATE:
case FILE_LEDATE:
case FILE_MEDATE:
- return CAST(int32_t, (ms->offset + sizeof(time_t)));
+ return CAST(int32_t, (ms->offset + sizeof(uint32_t)));
case FILE_LDATE:
case FILE_BELDATE:
case FILE_LELDATE:
case FILE_MELDATE:
- return CAST(int32_t, (ms->offset + sizeof(time_t)));
+ return CAST(int32_t, (ms->offset + sizeof(uint32_t)));
case FILE_QDATE:
case FILE_BEQDATE:
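Review bot: This switch now advances by `sizeof(uint32_t)` for the 32-bit dates, but the hunk ends at the `FILE_QDATE` group, so it is not visible whether `FILE_QWDATE`, `FILE_BEQWDATE` and `FILE_LEQWDATE` get a case here. If they do not, an entry placed relative to a preceding `leqwdate` line would presumably not be advanced past the eight-byte value. In that case they need `return CAST(int32_t, (ms->offset + sizeof(uint64_t)));`, matching the `t = ms->offset + sizeof(uint64_t);` that the print switch uses for the new types.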
case FILE_QUAD:
case FILE_QDATE:
case FILE_QLDATE:
+ case FILE_QWDATE:
cvt_64(p, m);
return 1;
case FILE_STRING:
case FILE_BEQUAD:
case FILE_BEQDATE:
case FILE_BEQLDATE:
+ case FILE_BEQWDATE:
p->q = (uint64_t)
(((uint64_t)p->hq[0]<<56)|((uint64_t)p->hq[1]<<48)|
((uint64_t)p->hq[2]<<40)|((uint64_t)p->hq[3]<<32)|
case FILE_LEQUAD:
case FILE_LEQDATE:
case FILE_LEQLDATE:
+ case FILE_LEQWDATE:
p->q = (uint64_t)
(((uint64_t)p->hq[7]<<56)|((uint64_t)p->hq[6]<<48)|
((uint64_t)p->hq[5]<<40)|((uint64_t)p->hq[4]<<32)|
case FILE_QLDATE:
case FILE_BEQLDATE:
case FILE_LEQLDATE:
+ case FILE_QWDATE:
+ case FILE_BEQWDATE:
+ case FILE_LEQWDATE:
v = p->q;
break;