From: Christos Zoulas Date: Sun, 14 Feb 2016 15:46:52 +0000 (+0000) Subject: Add support for windows minidump files (Joerg Jenderek) X-Git-Tag: FILE5_26~23 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=8f13fbb8e002e462f229deac7ab3f71610f4ff58;p=file Add support for windows minidump files (Joerg Jenderek) --- diff --git a/magic/Magdir/misctools b/magic/Magdir/misctools index 7fdd2517..3ecdba2f 100644 --- a/magic/Magdir/misctools +++ b/magic/Magdir/misctools @@ -1,6 +1,6 @@ #----------------------------------------------------------------------------- -# $File: misctools,v 1.14 2014/03/06 16:08:58 christos Exp $ +# $File: misctools,v 1.15 2015/04/15 18:29:30 christos Exp $ # misctools: file(1) magic for miscellaneous UNIX tools. # 0 search/1 %%!! X-Post-It-Note text @@ -29,7 +29,35 @@ 0 search/80 .lo\ -\ a\ libtool\ object\ file libtool object file # 
From: Daniel Novotny -0 string MDMP\x93\xA7 MDMP crash report data +# Update: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/Core_dump#User-mode_memory_dumps +# Reference: https://msdn.microsoft.com/en-us/library/ms680378%28VS.85%29.aspx +# +# "Windows Minidump" by TrID +# ./misctools (version 5.25) labeled the entry as "MDMP crash report data" +0 string MDMP Mini DuMP crash report +# http://filext.com/file-extension/DMP +!:mime application/x-dmp +!:ext dmp/mdmp +# The high-order word is an internal value that is implementation specific. +# The low-order word is MINIDUMP_VERSION 0xA793 +>4 ulelong&0x0000FFFF !0xA793 \b, version 0x%4.4x +# NumberOfStreams 8,9,10,13 +>8 ulelong x \b, %d streams +# StreamDirectoryRva 0x20 +>12 ulelong !0x20 \b, 0x%8.8x RVA +# CheckSum 0 +>16 ulelong !0 \b, CheckSum 0x%8.8x +# Reserved or TimeDateStamp +>20 ledate x \b, %s +# https://msdn.microsoft.com/en-us/library/windows/desktop/ms680519%28v=vs.85%29.aspx +# Flags MINIDUMP_TYPE enumeration type 0 0x121 0x800 +>24 ulelong x \b, 0x%x type +# >24 ulelong >0 \b; include +# >>24 ulelong &0x00000001 \b data sections, +# >>24 ulelong &0x00000020 \b list of unloaded modules, +# >>24 ulelong &0x00000100 \b process and thread information, +# >>24 ulelong &0x00000800 \b memory information, # Summary: abook addressbook file # Submitted by: Mark Schreiber
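Review bot: In the second hunk (the MDMP entry in magic/Magdir/misctools), the top-level test is loosened from `0 string MDMP\x93\xA7` to `0 string MDMP`, so any file whose first four bytes are "MDMP" is now labelled "Mini DuMP crash report" and given `!:mime application/x-dmp`, whatever follows. The new `>4 ulelong&0x0000FFFF !0xA793` line only appends a version string when the low word differs; it does not gate the match. Consider keeping the six-byte signature at offset 0, or nesting the streams, RVA, CheckSum, date and type lines under a `>4` test that requires 0xA793, so those fields are printed only for a header carrying the MINIDUMP_VERSION the comment documents. Two smaller points: `>8 ulelong x \b, %d streams` formats an unsigned field with `%d`, where `%u` would match the declared type, and the four commented-out `>>24 ulelong &0x...` flag lines should either be enabled or dropped rather than committed as inactive magic.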