  • File signature list: file headers and footers

    Image files

    • JPEG
      • Header: FFD8
      • Footer: FFD9
    • GIF87a
      • Header: 47 49 46 38 37 61
      • Footer: 00 3B
    • GIF89a
      • Header: 47 49 46 38 39 61
      • Footer: 00 3B
    • BMP
      • Header: 42 4D
      • Footer: None, but the file size is stored in bytes 2, 3, 4, 5 in little-endian order (low byte first).
        • Example: 00 00 C0 38 == 49208 bytes
    • PNG
      • Header: 89 50 4E 47 0D 0A 1A 0A
      • Footer: 49 45 4E 44 AE 42 60 82

    Microsoft Office >2007

    All of these documents share the same header and footer, so we need to search for bytes in the middle of the file to tell them apart. These formats use a ZIP file package.

    • DOCX
      • Header: 50 4B 03 04 14 00 06 00
        • Middle: 77 6F 72 64 (word)
      • Footer: 50 4B 05 06 (PK..) followed by 18 additional bytes at the end of the file.
    • XLSX
      • Header: 50 4B 03 04 14 00 06 00
        • Middle: 77 6F 72 6B 73 68 65 65 74 73 (worksheets)
      • Footer: 50 4B 05 06 (PK..) followed by 18 additional bytes at the end of the file.
    • PPTX
      • Header: 50 4B 03 04 14 00 06 00
        • Middle: 70 72 65 73 65 6E 74 61 74 69 6F 6E (presentation)
      • Footer: 50 4B 05 06 (PK..) followed by 18 additional bytes at the end of the file.
    • MDB / ACCDB
      • Header: 00 01 00 00 53 74 61 6E 64 61 72 64 20 4A 65 74 20 44 42 (....Standard Jet DB)
      • Footer: None.

    Open Office

    All of these documents share the same header and footer, so we need some bytes to differentiate them. Here we can do this by jumping 73 bytes from the header. These formats use a ZIP file package.

    • ODS
      • Header: 50 4B 03 04 14 (PK..) jump +73 (0x49) bytes and 73 70 72 65 (spre)
      • Footer: 6D 61 6E 69 66 65 73 74 2E 78 6D 6C 50 4B 05 06 (manifest.xmlPK) followed by 18 additional bytes.
    • ODT
      • Header: 50 4B 03 04 14 (PK..) jump +73 (0x49) bytes and 74 65 78 74 (text)
      • Footer: 6D 61 6E 69 66 65 73 74 2E 78 6D 6C 50 4B 05 06 (manifest.xmlPK) followed by 18 additional bytes.
    • ODB
      • Header: 50 4B 03 04 14 (PK..) jump +73 (0x49) bytes and 62 61 73 65 (base)
      • Footer: 6D 61 6E 69 66 65 73 74 2E 78 6D 6C 50 4B 05 06 (manifest.xmlPK) followed by 18 additional bytes.
    • ODG
      • Header: 50 4B 03 04 14 (PK..) jump +73 (0x49) bytes and 67 72 61 70 (grap)
      • Footer: 6D 61 6E 69 66 65 73 74 2E 78 6D 6C 50 4B 05 06 (manifest.xmlPK) followed by 18 additional bytes.
    • ODF
      • Header: 50 4B 03 04 14 (PK..) jump +73 (0x49) bytes and 66 6F 72 6D (form)
      • Footer: 6D 61 6E 69 66 65 73 74 2E 78 6D 6C 50 4B 05 06 (manifest.xmlPK) followed by 18 additional bytes.
    • ODP
      • Header: 50 4B 03 04 14 (PK..) jump +73 (0x49) bytes and 70 72 65 73 (pres)
      • Footer: 6D 61 6E 69 66 65 73 74 2E 78 6D 6C 50 4B 05 06 (manifest.xmlPK) followed by 18 additional bytes.
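
The two ZIP-container rules above (middle bytes for Microsoft Office, the +73 jump for Open Office) combined with the ZIP footer rule, as an added Python example that is not part of the original list. The function names are chosen here and the two sample files are constructed by hand, not real documents; the code also goes one step beyond the list by honouring the comment-length field in the last 2 of the 18 footer bytes.

```python
import struct

ZIP_HEADER = bytes.fromhex("504B0304")            # ZIP header from the list
ZIP_FOOTER = bytes.fromhex("504B0506")            # footer, then 18 more bytes
OOXML_HEADER = bytes.fromhex("504B030414000600")  # DOCX/XLSX/PPTX header
OOXML_MIDDLE = ((b"word", "DOCX"), (b"worksheets", "XLSX"), (b"presentation", "PPTX"))
ODF_AT_73 = {b"spre": "ODS", b"text": "ODT", b"base": "ODB",
             b"grap": "ODG", b"form": "ODF", b"pres": "ODP"}

def zip_end(buf, start=0):
    """Offset just past the ZIP footer found at or after start, or -1."""
    pos = buf.find(ZIP_FOOTER, start)
    if pos < 0 or pos + 22 > len(buf):
        return -1
    # Last 2 of the 18 trailing bytes: length of an optional archive comment.
    comment_len = struct.unpack_from("<H", buf, pos + 20)[0]
    return min(pos + 22 + comment_len, len(buf))

def classify(buf):
    """Name the document type of one ZIP container, or None if not ZIP."""
    if not buf.startswith(ZIP_HEADER):
        return None
    if buf.startswith(OOXML_HEADER):
        for marker, kind in OOXML_MIDDLE:
            if marker in buf:
                return kind
    return ODF_AT_73.get(buf[73:77], "ZIP") if buf[4:5] == b"\x14" else "ZIP"

def carve(image):
    """Return (start, end, kind) for each ZIP container in a raw buffer."""
    found, pos = [], image.find(ZIP_HEADER)
    while pos >= 0:
        end = zip_end(image, pos)
        if end < 0:
            break
        found.append((pos, end, classify(image[pos:end])))
        pos = image.find(ZIP_HEADER, end)
    return found

def make_sample(name, data, flags=0):
    """Constructed input: one stored entry plus an empty footer (CRC left 0)."""
    local = struct.pack("<4sHHHHHIIIHH", ZIP_HEADER, 0x14, flags, 0, 0, 0,
                        0, len(data), len(data), len(name), 0)
    return local + name + data + ZIP_FOOTER + bytes(18)

docx = make_sample(b"word/document.xml", b"<constructed/>", flags=6)
ods = make_sample(b"mimetype", b"application/vnd.oasis.opendocument.spreadsheet")
image = b"\x00" * 16 + docx + b"\xff" * 7 + ods + b"\x00" * 5
print(carve(image))
```

The OOXML header check runs before the marker search because an Open Office presentation also contains the string "presentation" in its mimetype entry.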

    Autocad

    • DWG (R11/R12 versions)
      • Header: 41 43 31 30 30 39
      • Footer: CD 06 B2 F5 1F E6
    • DWG (R14 version)
      • Header: 41 43 31 30 31 34
      • Footer: 62 A8 35 C0 62 BB EF D4
    • DWG (2000 version)
      • Header: 41 43 31 30 31 34
      • Footer: DB BF F6 ED C3 55 FE
    • DWG (>2007 versions)
      • Header: 41 43 31 30 XX XX
      • Footer: None

    Note: >2007 versions follow two patterns, and the key is position 0x80. If at this position we find the bytes «68 40 F8 F7 92», we search for these bytes again and move 107 bytes further to find the end of the file. If at position 0x80 we find any other bytes, we search for those bytes again and move 1024 bytes further to find the end of the file.

    Others

    • PDF
      • Header: 25 50 44 46 (%PDF)
      • Footers:
        • 0A 25 25 45 4F 46 (.%%EOF) or
        • 0A 25 25 45 4F 46 0A (.%%EOF.) or
        • 0D 0A 25 25 45 4F 46 0D 0A (..%%EOF..) or
        • 0D 25 25 45 4F 46 0D (.%%EOF.)
    • ZIP
      • Header: 50 4B 03 04
      • Footer: 50 4B 05 06 (PK..) followed by 18 additional bytes at the end of the file.
    • RAR (< 4.x version)
      • Header: 52 61 72 21 1A 07 00
      • Footer: C4 3D 7B 00 40 07 00
    • 7ZIP
      • Header: 37 7A BC AF 27 1C 00 03 (7z¼¯'...)
      • Footer: 01 15 06 01 00 20 followed by 5 additional bytes at the end of the file.
    • RTF
      • Header: 7B 5C 72 74 66 31
      • Footer: 5C 70 61 72 20 7D

  • Original article: https://www.cnblogs.com/rab3it/p/15393170.html