summaryrefslogtreecommitdiffstats
path: root/magic/Magdir/coff
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--magic/Magdir/coff98
1 files changed, 98 insertions, 0 deletions
diff --git a/magic/Magdir/coff b/magic/Magdir/coff
new file mode 100644
index 0000000..5123b72
--- /dev/null
+++ b/magic/Magdir/coff
@@ -0,0 +1,98 @@
+
+#------------------------------------------------------------------------------
+# $File: coff,v 1.7 2022/11/21 22:30:22 christos Exp $
+# coff: file(1) magic for Common Object Files not specific to known cpu types or manufactures
+#
+# COFF
+#
+# by Joerg Jenderek at Oct 2015, Feb 2021
+# https://en.wikipedia.org/wiki/COFF
+# https://de.wikipedia.org/wiki/Common_Object_File_Format
+# http://www.delorie.com/djgpp/doc/coff/filhdr.html
+
+# display name+variables+flags of Common Object Files Format (32bit)
+# Maybe used also in adi,att3b,clipper,hitachi-sh,hp,ibm6000,intel,
+# mips,motorola,msdos,osf1,sharc,varied.out,vax
+0 name display-coff
+# test for unused flag bits (0x8000,0x0800,0x0400,0x0200,x0080) in f_flags
+>18 uleshort&0x8E80 0
+# skip DOCTOR.DAILY READER.NDA REDBOX.ROOT by looking for positive number of sections
+>>2 uleshort >0
+# skip ega80woa.fnt svgafix.fnt HP3FNTS1.DAT HP3FNTS2.DAT INTRO.ACT LEARN.PIF by looking for low number of sections
+>>>2 uleshort <4207
+>>>>0 clear x
+# f_magic - magic number
+# DJGPP, 80386 COFF executable, MS Windows COFF Intel 80386 object file (./intel)
+>>>>0 uleshort 0x014C Intel 80386
+# Hitachi SH big-endian COFF (./hitachi-sh)
+>>>>0 uleshort 0x0500 Hitachi SH big-endian
+# Hitachi SH little-endian COFF (./hitachi-sh)
+>>>>0 uleshort 0x0550 Hitachi SH little-endian
+# executable (RISC System/6000 V3.1) or obj module (./ibm6000)
+#>>>>0 uleshort 0x01DF
+# MS Windows COFF Intel Itanium, AMD64
+# https://msdn.microsoft.com/en-us/library/windows/desktop/ms680313(v=vs.85).aspx
+>>>>0 uleshort 0x0200 Intel ia64
+>>>>0 uleshort 0x8664 Intel amd64
+# ARM COFF (./arm)
+>>>>0 uleshort 0xaa64 Aarch64
+>>>>0 uleshort 0x01c0 ARM
+>>>>0 uleshort 0xa641 ARM64EC
+>>>>0 uleshort 0x01c2 ARM Thumb
+>>>>0 uleshort 0x01c4 ARMv7 Thumb
+# TODO for other COFFs
+#>>>>0 uleshort 0xABCD COFF_TEMPLATE
+>>>>0 default x
+>>>>>0 uleshort x type %#04x
+>>>>0 uleshort x COFF
+# F_EXEC flag bit
+>>>>18 leshort ^0x0002 object file
+!:mime application/x-coff
+!:ext o/obj/lib
+# no cof sample found
+#!:ext cof/o/obj/lib
+>>>>18 leshort &0x0002 executable
+#!:mime application/x-coffexec
+# F_RELFLG flag bit,static object
+>>>>18 leshort &0x0001 \b, no relocation info
+# F_LNNO flag bit
+>>>>18 leshort &0x0004 \b, no line number info
+# F_LSYMS flag bit
+>>>>18 leshort &0x0008 \b, stripped
+>>>>18 leshort ^0x0008 \b, not stripped
+# flags in other COFF versions
+#0x0010 F_FDPR_PROF
+#0x0020 F_FDPR_OPTI
+#0x0040 F_DSA
+# F_AR32WR flag bit
+#>>>>18 leshort &0x0100 \b, 32 bit little endian
+#0x1000 F_DYNLOAD
+#0x2000 F_SHROBJ
+#0x4000 F_LOADONLY
+# f_nscns - number of sections like: 1 2 3 4 5 7 8 9 11 12 15 16 19 20 21 22 26 30 36 40 42 56 80 89 96 124
+>>>>2 uleshort <2 \b, %u section
+>>>>2 uleshort >1 \b, %u sections
+# f_symptr - symbol table pointer, only for not stripped
+# like: 0 0x7c 0xf4 0x104 0x182 0x1c2 0x1c6 0x468 0x948 0x416e 0x149a6 0x1c9d8 0x23a68 0x35120 0x7afa0
+>>>>8 ulelong >0 \b, symbol offset=%#x
+# f_nsyms - number of symbols, only for not stripped
+# like: 0 2 7 9 10 11 20 35 41 63 71 80 105 146 153 158 170 208 294 572 831 1546
+>>>>12 ulelong >0 \b, %d symbols
+# f_opthdr - optional header size. An object file should have a value of 0
+>>>>16 uleshort >0 \b, optional header size %u
+# f_timdat - file time & date stamp only for little endian
+>>>>4 ledate >0 \b, created %s
+# at offset 20 can be optional header, extra bytes FILHSZ-20 because
+# do not rely on sizeof(FILHDR) to give the correct size for header.
+# or first section header
+# additional variables for other COFF files
+>>>>16 uleshort =0
+# first section name s_name[8] like: .text .data .debug$S .drectve .testseg
+>>>>>20 string x \b, 1st section name "%.8s"
+# >20 beshort 0407 (impure)
+# >20 beshort 0410 (pure)
+# >20 beshort 0413 (demand paged)
+# >20 beshort 0421 (standalone)
+# >22 leshort >0 - version %d
+# >168 string .lowmem Apple toolbox
+