Difference between revisions of "ReNamer:Binary Signatures"

From den4b Wiki
 
(4 intermediate revisions by 2 users not shown)
Line 1: Line 1:
This is ReNamer's internal binary signature base of extensions. Those signatures are seen using specialized applications. One of them is&nbsp;'''Hex Editor XVI32'''&nbsp;[http://www.chmaas.handshake.de/delphi/freeware/xvi32/xvi32.htm www.chmaas.handshake.de/delphi/freeware/xvi32/xvi32.htm].<br>"I HAD HUGE PROBLEMS TO SET THIS PAGE AS IT SHOULD BE BUT IT HAS SO MANY BUGS THAT I CANNOT HANDLE. PLEASE SOMEBODY CORRECT IT" (REMOVE THIS TEXT)<br><br>
+
ReNamer's [[ReNamer:Rules:Extension|Extension]] rule uses an internal binary signature base for detecting file extensions.
 
  
If you want to know how many extensions are present till now you can see here [http://mark0.net/soft-trid-deflist.html mark0.net/soft-trid-deflist.html]
+
These signatures are in binary (hex) format and in files can be seen only using specialized applications, such as [http://www.chmaas.handshake.de/delphi/freeware/xvi32/xvi32.htm Hex Editor XVI32]. This list if up to date for '''ReNamer 5.50+ Beta 32''', from 19 July 2010.
 
  
<br>
+
<pre style="overflow:auto">
<br>
+
482B424544562050726F6475637473204C6963656E7365204B65792046696C650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001A, KEY, Avira Product Key
+
FFFE570069006E0064006F0077007300200052006500670069007300740072007900200045006400690074006F0072002000560065007200730069006F006E00200035002E0030003000, REG, Registry Data File 5.00
 
+
41565020416E7469766972616C2044617461626173652E202863294B6173706572736B79204C616220313939372D32, AVC, Kaspersky Anti-Virus Database
<br>
+
00000002FFFFFFFFFFFFFFFF0000000000000000000000000000000000000000000000000000000000000000000000, MAC, MacPaint Bitmap Graphic
+
1A45DFA3934282886D6174726F736B61428781014285810118538067, MKV, Matroska Video Stream
 
+
24464C3240282329205350535320444154412046494C45, SAV, SPSS Data
*
+
4C0000000114020000000000C000000000000046, LNK, Windows Shortcut
<pre>482B424544562050726F6475637473204C6963656E7365204B65792046696C650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001A, '''KEY''', ''Avira Product Key''
+
5B436C6F6E6543445D0D0A56657273696F6E3D, CCD, CloneCD Control File
 +
000100005374616E6461726420414345204442, ACCDB, Access 2007 Database File
 +
000100005374616E64617264204A6574204442, MDB, Microsoft Access Database
 +
4D454449412044455343524950544F52, MDS, Media Descriptor CD Image File
 +
0006156100000002000004D200001000, DB, Netscape Navigator (v4) database file
 +
52494646????????43444441666D7420, CDA, Compact Disc Digital Audio (CD-DA)
 +
52494646????????415649204C495354, AVI, Windows Audio Video Interleave
 +
52494646????????524D494464617461, RMI, Windows Musical Instrument Digital Interface
 +
52494646????????57415645666D7420, WAV, Waveform Audio
 +
89504E470D0A1A0A0000000D49484452, PNG, Portable Network Graphics
 +
50532D58204558450000000000000000, EXE, Playstation Executable
 +
3026B2758E66CF11A6D900AA0062CE6C, WMA|WMV|ASF, Windows Media File
 +
4F67675300020000000000000000, OGG, Ogg Vorbis Audio
 +
??BE000000AB0000000000000000, WRI, Microsoft Write Document
 +
0000000020000000FFFF0000FFFF, RES, Resource File
 +
0000020006040600080000000000, WK1, 1-2-3 Spreadsheet
 +
38425053000100000000000000, PSD, Photoshop Image
 +
??????10123A001019040010, SIS, Symbian OS Installer File
 +
414F4C204665656462616720, BAG, AOL Instant Messenger Buddy List
 +
52494646????????41434F4E, ANI, Windows Animated Cursor
 +
EFBBBF234558544D33550D0A, M3U8, MP3 Playlist (UTF-8)
 +
110000005343410F000000, PF, Windows Prefetch
 +
4D54686400000006000100, MID, Musical Instrument Digital Interface (MIDI)
 +
5B6175746F72756E5D0D0A, INF, Autorun File
 +
64383A616E6E6F756E6365, TORRENT, BitTorrent Metainfo File
 +
504B0304140008000800, JAR, Java Archive
 +
424547494E3A564D5347, VMG, Nokia Text Message
 +
5B706C61796C6973745D, PLS, Winamp Playlist
 +
2E524D460000001200, RM, RealMedia Streaming Media
 +
67696D702078636620, GZ, GIMP Image
 +
234558544D33550D0A, M3U, MP3 Playlist
 +
D0CF11E0A1B11AE1, DOC|PPT|XLS, Microsoft Office Document
 +
5245474544495434, REG, Windows Registry Data
 +
300000004C664C65, EVT, Windows NT/2000 Event Viewer Log
 +
4D53434600000000, CAB, Microsoft Cabinet File
 +
????????6D6F6F76, MOV, QuickTime Movie
 +
FF4B455942202020, SYS, Keyboard Driver
 +
255044462D312E, PDF, Adobe Portable Document Format
 +
526172211A0700, RAR, WinRAR Compressed Archive
 +
000001BA210001, MPG, MPEG 1 System Stream
 +
52454745444954, REG, Registry Data File
 +
377ABCAF271C, 7Z, 7-Zip Compressed Archive
 +
AC9EBD8F0000, QDF, Quicken Data
 +
D7CDC69A0000, WMF, Windows Metafile
 +
010009000003, WMF, Windows 3.x Metafile
 +
4A4152435300, JAR, JARCS Compressed Archive
 +
424547494E3A, VCF, vCard File
 +
2E7261FD00, RA, RealMedia Streaming Media
 +
7B5C727466, RTF, Rich Text Format File
 +
000001BA44, MPG, ProgDVBR MPEG2 Video
 +
464F524D00, AIFF, Audio Interchange File
 +
49735A21, ISZ, UltraISO ISO Zipped Format
 +
4B4C7377, KEY, Kaspersky Anti-Virus Key
 +
4D502B07, MPC, Musepack Audio
 +
93B20000, LNG, SourceEdit Language Definition
 +
DF0000?F, DCU, Delphi Compiled Unit
 +
00000100, ICO, Windows Icon
 +
01000000, EMF, Extended (Enhanced) Windows Metafile Format
 +
CFAD12FE, DBX, Outlook Express E-mail Folder
 +
47494638, GIF, Graphic Interchange Format
 +
49492A00, TIF, Tagged Image Format
 +
4D4D002A, TIF, Tagged Image Format
 +
00000200, CUR, Windows Cursor
 +
C5D0D3C6, EPS, Encapsulated PostScript
 +
3F5F0300, HLP, Windows Help File
 +
49536328, CAB, Install Shield v5.x or 6.x Compressed File
 +
504B0304, ZIP, ZIP Compressed Archive
 +
E3828596, PWL, Windows Password List
 +
EDABEEDB, RPM, RedHat Package Manager
 +
50533244, SYS, PlayStation 2 Icon
 +
FF575043, WPD, WordPerfect Document
 +
464C5601, FLV, Flash Video
 +
000001, MPG, MPEG Video File
 +
465753, SWF, Macromedia Flash Format
 +
435753, SWF, Shockwave Flash (v5+)
 +
FFD8FF, JPG, JPEG/JIFF Image
 +
1F8B08, GZ, GZip Compressed Archive
 +
1F9D90, Z, UNIX Compressed Archive
 +
494433, MP3, MP3 Audio
 +
FFFB, MP3, MP3 Audio
 +
FFFA, MP3, MP3 Audio
 +
4D5A, EXE|COM|DLL|SYS, Windows Executable
 +
424D, BMP, Windows OS/2 Bitmap Graphics
 +
9501, SKR, PGP Private Keyring
 +
9901, PKR, PGP Public Keyring
 
</pre>
 
</pre>
<br>
 
 
 
<br>
 
<br>
 
 
 
<br>
 
 
  
FFFE570069006E0064006F0077007300200052006500670069007300740072007900200045006400690074006F0072002000560065007200730069006F006E00200035002E0030003000, '''REG''', ''Registry Data File 5.00''
+
For more information regarding known file signatures look here:
41565020416E7469766972616C2044617461626173652E202863294B6173706572736B79204C616220313939372D32, '''AVC''', ''Kaspersky Anti-Virus Database''
+
* http://mark0.net/soft-trid-e.html (TrID)
D0CF11E0A1B11AE1000000000000000000000000000000003E000300FEFF090006, '''MSI''', ''Windows Installer File''
+
* http://filext.com/
1A45DFA3934282886D6174726F736B61428781014285810118538067, '''MKV''', ''Matroska Video Stream''
+
* http://file-extension.net/seeker/
00000002FFFFFFFFFFFFFFFF0000000000000000000000, '''MAC''', ''MacPaint Bitmap Graphic''
+
* http://www.garykessler.net/library/file_sigs.html
24464C3240282329205350535320444154412046494C45, '''SAV''', ''SPSS Data''
+
[[Category:ReNamer]]
4C0000000114020000000000C000000000000046, '''LNK''', ''Windows Shortcut''
 
''5B436C6F6E6543445D0D0A56657273696F6E3D, '''CCD''', CloneCD Control File''
 
 
000100005374616E6461726420414345204442, '''ACCDB''', ''Access 2007 Database File''
 
 
000100005374616E64617264204A6574204442, '''MDB''', ''Microsoft Access Database''
 
''3026B2758E66CF11A6D900AA0062CE6C, '''WMA|WMV|ASF''', Windows Media File''
 
 
''89504E470D0A1A0A0000000D49484452, '''PNG''', Portable Network Graphics''
 
 
0006156100000002000004D200001000, '''DB''', ''Netscape Navigator (v4) database file''
 
52494646????????43444441666D7420, '''CDA''', ''Compact Disc Digital Audio (CD-DA)''
 
52494646????????415649204C495354, '''AVI''', ''Windows Audio Video Interleave''
 
4D454449412044455343524950544F52, '''MDS''', ''Media Descriptor CD Image File''
 
52494646????????524D494464617461, '''RMI''', ''Windows Musical Instrument Digital Interface''
 
52494646????????57415645666D7420, '''WAV''', ''Waveform Audio''
 
 
50532D58204558450000000000000000, '''EXE''', ''Playstation Executable''
 
 
??BE000000AB0000000000000000, '''WRI''', ''Microsoft Write Document''
 
0000000020000000FFFF0000FFFF, '''RES''', ''Resource File''
 
''4F67675300020000000000000000, '''OGG''', Ogg Vorbis Audio''
 
 
0000020006040600080000000000, '''WK1''', ''1-2-3 Spreadsheet''
 
''EFBBBF234558544D33550D0A, '''M3U8''', MP3 Playlist (UTF-8)''
 
 
38425053000100000000000000, '''PSD''', ''Photoshop Image''
 
 
414F4C204665656462616720, '''BAG''', AOL ''Instant Messenger Buddy List''
 
 
52494646????????41434F4E, '''ANI''', ''Windows Animated Cursor''
 
??????10123A001019040010, '''SIS''', ''Symbian OS Installer File''
 
64383A616E6E6F756E6365, '''TORRENT''', ''BitTorrent Metainfo File''
 
5B6175746F72756E5D0D0A, '''INF''', ''Autorun File''
 
110000005343410F000000, '''PF''', ''Windows Prefetch''
 
4D54686400000006000100, '''MID''', ''Musical Instrument Digital Interface (MIDI)''
 
504B0304140008000800, '''JAR''', ''Java Archive''
 
424547494E3A564D5347, '''VMG''', ''Nokia Text Message''
 
5B706C61796C6973745D, '''PLS''', ''Winamp Playlist''
 
2E524D460000001200, '''RM''', ''RealMedia Streaming Media''
 
67696D702078636620, '''GZ''', ''GIMP Image''
 
234558544D33550D0A, '''M3U''', ''MP3 Playlist''
 
D0CF11E0A1B11AE1, '''DOC|PPT|XLS''', ''Microsoft Office Document''
 
5245474544495434, '''REG''', ''Windows Registry Data''
 
300000004C664C65, '''EVT''', ''Windows NT/2000 Event Viewer Log''
 
4D53434600000000, '''CAB''', ''Microsoft Cabinet File''
 
????????6D6F6F76, '''MOV''', ''QuickTime Movie''
 
FF4B455942202020, '''SYS''', ''Keyboard Driver''
 
255044462D312E, '''PDF''', ''Adobe Portable Document Format''
 
526172211A0700, '''RAR''', ''WinRAR Compressed Archive''
 
52454745444954, '''REG''', ''Registry Data File''
 
000001BA210001, '''MPG''', ''MPEG 1 System Stream''
 
377ABCAF271C, '''7Z''', ''7-Zip Compressed Archive''
 
424547494E3A, '''VCF''', ''vCard File''
 
AC9EBD8F0000, '''QDF''', ''Quicken Data''
 
D7CDC69A0000, '''WMF''', ''Windows Metafile''
 
010009000003, '''WMF''', ''Windows 3.x Metafile''
 
4A4152435300, '''JAR''', ''JARCS Compressed Archive''
 
2E7261FD00, '''RA''', ''RealMedia Streaming Media''
 
7B5C727466, '''RTF''', ''Rich Text Format File''
 
000001BA44, '''MPG''', ''ProgDVBR MPEG2 Video''
 
464F524D00, '''AIFF''', ''Audio Interchange File''
 
DF0000?F, '''DCU''', ''Delphi Compiled Unit''
 
00000100, '''ICO''', ''Windows Icon''
 
01000000, '''EMF''', ''Extended (Enhanced) Windows Metafile Format''
 
CFAD12FE, '''DBX''', ''Outlook Express E-mail Folder''
 
47494638, '''GIF''', ''Graphic Interchange Format''
 
49492A00, '''TIF''', ''Tagged Image Format''
 
4D4D002A, '''TIF''', ''Tagged Image Format''
 
00000200, '''CUR''', ''Windows Cursor''
 
C5D0D3C6, '''EPS''', ''Encapsulated PostScript''
 
3F5F0300, '''HLP''', ''Windows Help File''
 
49536328, '''CAB''', ''Install Shield v5.x or 6.x Compressed File''
 
504B0304, '''ZIP''', ''ZIP Compressed Archive''
 
E3828596, '''PWL''', ''Windows Password List''
 
EDABEEDB, '''RPM''', ''RedHat Package Manager''
 
50533244, '''SYS''', ''PlayStation 2 Icon''
 
FF575043, '''WPD''', ''WordPerfect Document''
 
464C5601, '''FLV''', ''Flash Video''
 
49735A21, '''ISZ''', ''UltraISO ISO Zipped Format''
 
4B4C7377, '''KEY''', ''Kaspersky Anti-Virus Key''
 
4D502B07, '''MPC''', ''Musepack Audio''
 
93B20000, '''LNG''', ''SourceEdit Language Definition''
 
000001BA, '''VOB''', '''DVD''' ''Video Movie File''
 
465753, '''SWF''', ''Macromedia Flash Format''
 
435753, '''SWF''', ''Shockwave Flash (v5+)''
 
FFD8FF, '''JPG''', ''JPEG/JIFF Image''
 
1F8B08, '''GZ''', ''Gzip Compressed Archive''
 
1F9D90, '''Z''', ''UNIX Compressed Archive''
 
494433, '''MP3''', ''MP3 Audio''
 
FFFB, '''MP3''', ''MP3 Audio''
 
FFFA, '''MP3''', ''MP3 Audio''
 
4D5A, '''EXE|COM|DLL|DRV|SYS|OCX|CPL|SCR|VXD''', ''Windows Executable''
 
424D, '''BMP''', ''Windows OS/2 Bitmap Graphics''
 
9501, '''SKR''', ''PGP Private Keyring''
 
9901, '''PKR''', ''PGP Public Keyring)''
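Review bot: The new revision drops two entries that the old list carried, the MSI signature (the D0CF11E0A1B11AE1 line ending in 3E000300FEFF090006) and "000001BA, VOB", and it shortens the 4D5A entry from EXE|COM|DLL|DRV|SYS|OCX|CPL|SCR|VXD to EXE|COM|DLL|SYS. Nothing in the change says whether this follows the Beta 32 signature base or was lost in transcription, so please confirm against the program and restore the entries if they are still present. In the new introduction, "This list if up to date" should read "This list is up to date". The line "67696D702078636620, GZ, GIMP Image" is carried over unchanged from the old revision: those bytes are the ASCII text "gimp xcf ", so the GZ extension on that entry is worth checking as well.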
 

Latest revision as of 03:38, 27 September 2010

ReNamer's Extension rule uses an internal binary signature base for detecting file extensions.

These signatures are given in binary (hex) format; in the files themselves they can be seen only with a specialized application, such as Hex Editor XVI32. This list is up to date for ReNamer 5.50+ Beta 32, from 19 July 2010.

482B424544562050726F6475637473204C6963656E7365204B65792046696C650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001A, KEY, Avira Product Key
FFFE570069006E0064006F0077007300200052006500670069007300740072007900200045006400690074006F0072002000560065007200730069006F006E00200035002E0030003000, REG, Registry Data File 5.00
41565020416E7469766972616C2044617461626173652E202863294B6173706572736B79204C616220313939372D32, AVC, Kaspersky Anti-Virus Database
00000002FFFFFFFFFFFFFFFF0000000000000000000000000000000000000000000000000000000000000000000000, MAC, MacPaint Bitmap Graphic
1A45DFA3934282886D6174726F736B61428781014285810118538067, MKV, Matroska Video Stream
24464C3240282329205350535320444154412046494C45, SAV, SPSS Data
4C0000000114020000000000C000000000000046, LNK, Windows Shortcut
5B436C6F6E6543445D0D0A56657273696F6E3D, CCD, CloneCD Control File
000100005374616E6461726420414345204442, ACCDB, Access 2007 Database File
000100005374616E64617264204A6574204442, MDB, Microsoft Access Database
4D454449412044455343524950544F52, MDS, Media Descriptor CD Image File
0006156100000002000004D200001000, DB, Netscape Navigator (v4) database file
52494646????????43444441666D7420, CDA, Compact Disc Digital Audio (CD-DA)
52494646????????415649204C495354, AVI, Windows Audio Video Interleave
52494646????????524D494464617461, RMI, Windows Musical Instrument Digital Interface
52494646????????57415645666D7420, WAV, Waveform Audio
89504E470D0A1A0A0000000D49484452, PNG, Portable Network Graphics
50532D58204558450000000000000000, EXE, Playstation Executable
3026B2758E66CF11A6D900AA0062CE6C, WMA|WMV|ASF, Windows Media File
4F67675300020000000000000000, OGG, Ogg Vorbis Audio
??BE000000AB0000000000000000, WRI, Microsoft Write Document
0000000020000000FFFF0000FFFF, RES, Resource File
0000020006040600080000000000, WK1, 1-2-3 Spreadsheet
38425053000100000000000000, PSD, Photoshop Image
??????10123A001019040010, SIS, Symbian OS Installer File
414F4C204665656462616720, BAG, AOL Instant Messenger Buddy List
52494646????????41434F4E, ANI, Windows Animated Cursor
EFBBBF234558544D33550D0A, M3U8, MP3 Playlist (UTF-8)
110000005343410F000000, PF, Windows Prefetch
4D54686400000006000100, MID, Musical Instrument Digital Interface (MIDI)
5B6175746F72756E5D0D0A, INF, Autorun File
64383A616E6E6F756E6365, TORRENT, BitTorrent Metainfo File
504B0304140008000800, JAR, Java Archive
424547494E3A564D5347, VMG, Nokia Text Message
5B706C61796C6973745D, PLS, Winamp Playlist
2E524D460000001200, RM, RealMedia Streaming Media
67696D702078636620, GZ, GIMP Image
234558544D33550D0A, M3U, MP3 Playlist
D0CF11E0A1B11AE1, DOC|PPT|XLS, Microsoft Office Document
5245474544495434, REG, Windows Registry Data
300000004C664C65, EVT, Windows NT/2000 Event Viewer Log
4D53434600000000, CAB, Microsoft Cabinet File
????????6D6F6F76, MOV, QuickTime Movie
FF4B455942202020, SYS, Keyboard Driver
255044462D312E, PDF, Adobe Portable Document Format
526172211A0700, RAR, WinRAR Compressed Archive
000001BA210001, MPG, MPEG 1 System Stream
52454745444954, REG, Registry Data File
377ABCAF271C, 7Z, 7-Zip Compressed Archive
AC9EBD8F0000, QDF, Quicken Data
D7CDC69A0000, WMF, Windows Metafile
010009000003, WMF, Windows 3.x Metafile
4A4152435300, JAR, JARCS Compressed Archive
424547494E3A, VCF, vCard File
2E7261FD00, RA, RealMedia Streaming Media
7B5C727466, RTF, Rich Text Format File
000001BA44, MPG, ProgDVBR MPEG2 Video
464F524D00, AIFF, Audio Interchange File
49735A21, ISZ, UltraISO ISO Zipped Format
4B4C7377, KEY, Kaspersky Anti-Virus Key
4D502B07, MPC, Musepack Audio
93B20000, LNG, SourceEdit Language Definition
DF0000?F, DCU, Delphi Compiled Unit
00000100, ICO, Windows Icon
01000000, EMF, Extended (Enhanced) Windows Metafile Format
CFAD12FE, DBX, Outlook Express E-mail Folder
47494638, GIF, Graphic Interchange Format
49492A00, TIF, Tagged Image Format
4D4D002A, TIF, Tagged Image Format
00000200, CUR, Windows Cursor
C5D0D3C6, EPS, Encapsulated PostScript
3F5F0300, HLP, Windows Help File
49536328, CAB, Install Shield v5.x or 6.x Compressed File
504B0304, ZIP, ZIP Compressed Archive
E3828596, PWL, Windows Password List
EDABEEDB, RPM, RedHat Package Manager
50533244, SYS, PlayStation 2 Icon
FF575043, WPD, WordPerfect Document
464C5601, FLV, Flash Video
000001, MPG, MPEG Video File
465753, SWF, Macromedia Flash Format
435753, SWF, Shockwave Flash (v5+)
FFD8FF, JPG, JPEG/JIFF Image
1F8B08, GZ, GZip Compressed Archive
1F9D90, Z, UNIX Compressed Archive
494433, MP3, MP3 Audio
FFFB, MP3, MP3 Audio
FFFA, MP3, MP3 Audio
4D5A, EXE|COM|DLL|SYS, Windows Executable
424D, BMP, Windows OS/2 Bitmap Graphics
9501, SKR, PGP Private Keyring
9901, PKR, PGP Public Keyring
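
A matcher for the signature lines above, as an added example (not ReNamer's own code), extended with a check that flags files whose name disagrees with their content. It assumes `?` matches any single hex digit and that entries are tried in list order, which puts longer signatures first; `parse`, `matches`, `detect` and `extension_mismatch` are hypothetical names.

```python
# Added example: matcher for the "HEX, EXT|EXT, Description" lines listed above.
# Assumption: "?" stands for any hex digit (half a byte); ReNamer's real
# matching code is not shown on the page.
from pathlib import PurePath

# A few entries copied from the list above, in the page's order (longest first).
SIGNATURES = """\
52494646????????415649204C495354, AVI, Windows Audio Video Interleave
52494646????????57415645666D7420, WAV, Waveform Audio
89504E470D0A1A0A0000000D49484452, PNG, Portable Network Graphics
504B0304140008000800, JAR, Java Archive
????????6D6F6F76, MOV, QuickTime Movie
DF0000?F, DCU, Delphi Compiled Unit
504B0304, ZIP, ZIP Compressed Archive
4D5A, EXE|COM|DLL|SYS, Windows Executable
"""

def parse(text):
    """Return [(pattern, [extensions], description)] from signature lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pattern, exts, desc = (part.strip() for part in line.split(",", 2))
        if len(pattern) % 2 or set(pattern.upper()) - set("0123456789ABCDEF?"):
            raise ValueError(f"bad signature: {pattern!r}")
        entries.append((pattern.upper(), exts.upper().split("|"), desc))
    return entries

def matches(pattern, header):
    """Compare the file header with the pattern one hex digit at a time."""
    digits = header[: len(pattern) // 2].hex().upper()
    if len(digits) < len(pattern):        # file shorter than the signature
        return False
    return all(p in ("?", d) for p, d in zip(pattern, digits))

def detect(header, entries):
    """First entry in list order that matches, or None."""
    for entry in entries:
        if matches(entry[0], header):
            return entry
    return None

def extension_mismatch(filename, header, entries):
    """True when the content is recognised but the name's extension disagrees."""
    hit = detect(header, entries)
    ext = PurePath(filename).suffix.lstrip(".").upper()
    return hit is not None and ext not in hit[1]

ENTRIES = parse(SIGNATURES)
# Constructed headers (not real files): a WAV with a 0x24-byte chunk size, an MZ stub.
WAV_HEADER = b"RIFF\x24\x00\x00\x00WAVEfmt \x10\x00\x00\x00"
MZ_HEADER = b"MZ\x90\x00\x03\x00"
```

Because `4D5A` is only two bytes long, a renamed executable such as `invoice.pdf` is still recognised by `extension_mismatch`, while a short signature like this one also matches any unrelated file that happens to start with the same bytes.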

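For more information regarding known file signatures look here:

* http://mark0.net/soft-trid-e.html (TrID)
* http://filext.com/
* http://file-extension.net/seeker/
* http://www.garykessler.net/library/file_sigs.html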