magic - file command's magic number file
/etc/magic
The file(1) command identifies the type of a file using, among other tests, a test for whether the file begins with a certain magic number. The /etc/magic file, or a file specified as an option-argument to the -m or -M options of file(1), specifies what magic numbers are to be tested for, what message to print if a particular magic number is found, and additional information to extract from the file.
Each line of the file specifies a position-sensitive test to perform. A test compares the data starting at a particular offset in the file with a 1-byte, 2-byte, 4-byte, or 8-byte numeric value or string. If the test succeeds, a message is printed. The line consists of the following fields (separated by tabs): offset type value message
offset
type
byte, d1, dC
short, d2, dS
long, d4, dI, dL, d
llong, d8
ubyte, u1, uC
ushort, u2, uS
ulong, u4, uI, uL, u
ullong, u8
string, s
All type specifiers, except for string and s, may be followed by a mask specifier of the form &number. If a mask specifier is given, the value is AND'ed with the number before any comparisons are done. The number is specified in C form. For instance, 13 is decimal, 013 is octal, and 0x13 is hexadecimal.
value
Numeric values may be preceded by a character indicating the operation to be performed, as follows:
=
<
>
&
^
x
If the character is omitted, it is assumed to be "=".
For comparison of numeric values, the sign and size of both the value in the file and the value from the value field of the magic entry will match that of the corresponding type field. If there is a non-zero mask (&) in the type field, the comparison will be unsigned.
For string values, the byte string from the file must match the specified byte string. The byte string from the file which is matched is the same length as the specified byte string. If the value is a string, it can contain the following sequences:
\character
\octal
message
Some file formats contain additional information which is to be printed along with the file type. A line which begins with the character ">" indicates additional tests and messages to be printed. If the test on the line preceding the first line with a ">" succeeds, the tests specified in all the subsequent lines beginning with ">" are performed, and the messages are printed if the tests succeed. The next line which does not begin with a ">" terminates this.
/etc/magic
In Solaris 9 and prior releases, the file utility may have performed unsigned comparisons for types byte, short, and long. Old user-defined magic files, which were specified with the -m option, will need modification of byte, short, and long entries to their corresponding unsigned types (ubyte, ushort, or ulong) for those entries for which all of the following are true:
For example, if the following entry is expected to match any non-zero, one-byte value from the file, including values for which the sign bit is on:
#offset type value message 0 byte >0 this matches any non-zero value
then that entry should be changed to:
0 ubyte >0 this matches any non-zero value
In Solaris 7 through Solaris 9, when applying tests for magic file entries whose type field is the numeric type "short" or "long", the file utility in the x86 environment would switch the byte order of the numeric values read. Starting in Solaris 10, the byte order will not be switched on x86. A test for a numeric value whose byte order is identical in both little- and big-endian architectures may require two magic file entries, to ensure that the test correctly identifies files in both environments. For example, a magic file entry that will match on a big-endian system may look like this:
0 long 0xf00000ff extended accounting file
Its corresponding magic file entry that will match the same value on a little-endian system would look like this:
0 long 0xff0000f0 extended accounting file
There should be more than one level of subtests, with the level indicated by the number of `>' at the beginning of the line.
Закладки на сайте Проследить за страницей |
Created 1996-2024 by Maxim Chirkov Добавить, Поддержать, Вебмастеру |