• File signature list: file headers and footers


    Image files

    • JPEG
      • Header: FFD8
      • Footer: FFD9
    • GIF87a
      • Header: 47 49 46 38 37 61
      • Footer: 00 3B
    • GIF89a
      • Header: 47 49 46 38 39 61
      • Footer: 00 3B
    • BMP
      • Header: 42 4D
      • Footer: none; the file size is stored in bytes 2, 3, 4 and 5 in little-endian order (low byte first).
        • Example: size 00 00 C0 38 (0x0000C038, stored in the file as 38 C0 00 00) == 49208 bytes
    • PNG
      • Header: 89 50 4E 47 0D 0A 1A 0A
      • Footer: 49 45 4E 44 AE 42 60 82

    Microsoft Office >2007

    All of these documents share the same header and footer, so the bytes in the middle of the file are needed to tell them apart. These formats use a ZIP package.

    • DOCX
      • Header: 50 4B 03 04 14 00 06 00
        • Middle: 77 6F 72 64 (word)
      • Footer: 50 4B 05 06 (PK..) followed by 18 additional bytes at the end of the file.
    • XLSX
      • Header: 50 4B 03 04 14 00 06 00
        • Middle: 77 6F 72 6B 73 68 65 65 74 73 (worksheets)
      • Footer: 50 4B 05 06 (PK..) followed by 18 additional bytes at the end of the file.
    • PPTX
      • Header: 50 4B 03 04 14 00 06 00
        • Middle: 70 72 65 73 65 6E 74 61 74 69 6F 6E (presentation)
      • Footer: 50 4B 05 06 (PK..) followed by 18 additional bytes at the end of the file.
    • MDB / ACCDB
      • Header: 00 01 00 00 53 74 61 6E 64 61 72 64 20 4A 65 74 20 44 42 (….Standard Jet DB)
      • Footer: none.

    Open Office

    All of these documents share the same header and footer, so some additional bytes are needed to tell them apart. Here they are found by jumping 73 bytes from the header. These formats use a ZIP package.

    • ODS
      • Header: 50 4B 03 04 14 (PK..) jump +73 (0x49) bytes and 73 70 72 65 (spre)
      • Footer: 6D 61 6E 69 66 65 73 74 2E 78 6D 6C 50 4B 05 06 (manifest.xmlPK) followed by 18 additional bytes.
    • ODT
      • Header: 50 4B 03 04 14 (PK..) jump +73 (0x49) bytes and 74 65 78 74 (text)
      • Footer: 6D 61 6E 69 66 65 73 74 2E 78 6D 6C 50 4B 05 06 (manifest.xmlPK) followed by 18 additional bytes.
    • ODB
      • Header: 50 4B 03 04 14 (PK..) jump +73 (0x49) bytes and 62 61 73 65 (base)
      • Footer: 6D 61 6E 69 66 65 73 74 2E 78 6D 6C 50 4B 05 06 (manifest.xmlPK) followed by 18 additional bytes.
    • ODG
      • Header: 50 4B 03 04 14 (PK..) jump +73 (0x49) bytes and 67 72 61 70 (grap)
      • Footer: 6D 61 6E 69 66 65 73 74 2E 78 6D 6C 50 4B 05 06 (manifest.xmlPK) followed by 18 additional bytes.
    • ODF
      • Header: 50 4B 03 04 14 (PK..) jump +73 (0x49) bytes and 66 6F 72 6D (form)
      • Footer: 6D 61 6E 69 66 65 73 74 2E 78 6D 6C 50 4B 05 06 (manifest.xmlPK) followed by 18 additional bytes.
    • ODP
      • Header: 50 4B 03 04 14 (PK..) jump +73 (0x49) bytes and 70 72 65 73 (pres)
      • Footer: 6D 61 6E 69 66 65 73 74 2E 78 6D 6C 50 4B 05 06 (manifest.xmlPK) followed by 18 additional bytes.
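The middle-byte checks for the Microsoft Office and OpenOffice lists above, as an added example (not code from the original page). It assumes the "+73" jump is an absolute offset from the start of the file; the sample entries and their file names are constructed.

```python
import struct

OOXML_HEADER = bytes.fromhex("504B030414000600")
ODF_HEADER = bytes.fromhex("504B030414")
ODF_OFFSET = 0x49  # assumption: "+73" is counted from the start of the file

# Middle bytes from the lists above; longer markers are tested first so the
# 4-byte "word" cannot shadow them.
OOXML_MIDDLE = [(b"presentation", "PPTX"), (b"worksheets", "XLSX"), (b"word", "DOCX")]
ODF_MIDDLE = {b"spre": "ODS", b"text": "ODT", b"base": "ODB",
              b"grap": "ODG", b"form": "ODF", b"pres": "ODP"}

def classify_zip_document(data: bytes) -> str:
    """Return the document type of a ZIP-packaged file, 'ZIP' or 'unknown'."""
    if not data.startswith(b"PK\x03\x04"):
        return "unknown"
    if data.startswith(OOXML_HEADER):
        for marker, kind in OOXML_MIDDLE:
            if marker in data:
                return kind
    if data.startswith(ODF_HEADER):
        kind = ODF_MIDDLE.get(data[ODF_OFFSET:ODF_OFFSET + 4])
        if kind:
            return kind
    return "ZIP"  # generic archive, whatever the file extension claims

def local_entry(name: bytes, payload: bytes, flags: int = 0, method: int = 0) -> bytes:
    """Constructed ZIP local file entry: 30-byte header, name, then data."""
    fixed = struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, flags, method,
                        0, 0, 0, len(payload), len(payload), len(name), 0)
    return fixed + name + payload

# Constructed samples (not real documents): only the leading entries are built.
CT = local_entry(b"[Content_Types].xml", b"\x00" * 16, flags=6, method=8)
SAMPLES = {
    "report.docx": CT + local_entry(b"word/document.xml", b"\x00" * 16, 6, 8),
    "budget.xlsx": CT + local_entry(b"xl/worksheets/sheet1.xml", b"\x00" * 16, 6, 8),
    "sheet.ods": local_entry(b"mimetype", b"application/vnd.oasis.opendocument.spreadsheet"),
    "renamed.docx": local_entry(b"notes.txt", b"plain archive"),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:14} -> {classify_zip_document(data)}")
```

A short marker such as "word" can also occur by chance inside compressed data, so a hit identifies a candidate type rather than proving it.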

    Autocad

    • DWG (R11/R12 versions)
      • Header: 41 43 31 30 30 39
      • Footer: CD 06 B2 F5 1F E6
    • DWG (R14 version)
      • Header: 41 43 31 30 31 34
      • Footer: 62 A8 35 C0 62 BB EF D4
    • DWG (2000 version)
      • Header: 41 43 31 30 31 34
      • Footer: DB BF F6 ED C3 55 FE
    • DWG (>2007 versions)
      • Header: 41 43 31 30 XX XX
      • Footer: none

    Note: versions after 2007 follow two patterns, and the key is position 0x80. If the bytes at this position are «68 40 F8 F7 92», search for these bytes a second time; the end of the file is 107 bytes from there. If position 0x80 holds any other bytes, search for those bytes again; the end of the file is 1024 bytes from there.

    Others

    • PDF
      • Header: 25 50 44 46 (%PDF)
      • Footers:
        • 0A 25 25 45 4F 46 (.%%EOF) or
        • 0A 25 25 45 4F 46 0A (.%%EOF.) or
        • 0D 0A 25 25 45 4F 46 0D 0A (..%%EOF..) or
        • 0D 25 25 45 4F 46 0D (.%%EOF.)
    • ZIP
      • Header: 50 4B 03 04
      • Footer: 50 4B 05 06 (PK..) followed by 18 additional bytes at the end of the file.
    • RAR (< 4.x version)
      • Header: 52 61 72 21 1A 07 00
      • Footer: C4 3D 7B 00 40 07 00
    • 7ZIP
      • Header: 37 7A BC AF 27 1C 00 03 (7z¼¯’…)
      • Footer: 01 15 06 01 00 20 followed by 5 additional bytes at the end of the file.
    • RTF
      • Header: 7B 5C 72 74 66 31
      • Footer: 5C 70 61 72 20 7D
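How the header and footer pairs above are used to carve files out of a raw buffer, as an added example (not code from the original page). It covers a footer with trailing bytes (ZIP, +18) and the footerless BMP, whose length comes from bytes 2-5; the sample buffer is constructed.

```python
import struct

# (header, footer, bytes that follow the footer), values from the list above.
FOOTER_TYPES = {
    "PNG": (bytes.fromhex("89504E470D0A1A0A"), bytes.fromhex("49454E44AE426082"), 0),
    "RTF": (bytes.fromhex("7B5C72746631"), bytes.fromhex("5C706172207D"), 0),
    # The 18 trailing bytes are the rest of the end-of-central-directory
    # record when the archive comment is empty.
    "ZIP": (bytes.fromhex("504B0304"), bytes.fromhex("504B0506"), 18),
}

def carve(blob: bytes) -> list[tuple[str, int, int]]:
    """Return (type, start, end) spans found in blob, ordered by start offset."""
    spans = []
    for kind, (header, footer, extra) in FOOTER_TYPES.items():
        start = blob.find(header)
        while start != -1:
            foot = blob.find(footer, start + len(header))
            if foot == -1:
                break  # header without footer: truncated or a false positive
            end = foot + len(footer) + extra
            if end > len(blob):
                break  # footer found but its trailing bytes are cut off
            spans.append((kind, start, end))
            start = blob.find(header, end)
    # BMP has no footer: the length is the little-endian uint32 at bytes 2-5.
    pos = blob.find(b"BM")
    while pos != -1:
        if pos + 6 <= len(blob):
            (size,) = struct.unpack_from("<I", blob, pos + 2)
            # "BM" is only two bytes, so sanity-check the size (14 = BMP file header).
            if 14 <= size <= len(blob) - pos:
                spans.append(("BMP", pos, pos + size))
                pos = blob.find(b"BM", pos + size)
                continue
        pos = blob.find(b"BM", pos + 1)
    return sorted(spans, key=lambda s: s[1])

# Constructed sample: three tiny stand-in files separated by filler bytes.
PNG = FOOTER_TYPES["PNG"][0] + b"constructed" + FOOTER_TYPES["PNG"][1]
BMP = b"BM" + struct.pack("<I", 20) + b"\x00" * 14
ZIP = b"PK\x03\x04" + b"body" + b"PK\x05\x06" + b"\x00" * 18
SAMPLE = b"\x00" * 5 + PNG + b"\x11" * 3 + BMP + b"\x22" * 4 + ZIP + b"\x33" * 6

if __name__ == "__main__":
    for kind, start, end in carve(SAMPLE):
        print(f"{kind}: offsets {start}-{end} ({end - start} bytes)")
```

Short footers such as GIF's 00 3B or JPEG's FFD9 can also appear inside file data, so a first-match carve of those types may cut the file short and needs validation with a format parser.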

  • Original article: https://www.cnblogs.com/rab3it/p/15393170.html