魔数简介:
在识别文件类型时,我们很多人都是通过文件的后缀来识别的,如苍老师.mp4, 波老师.avi, 玛利亚.jpg。 使用后缀名识别文件类型不是特别准确,尤其是后缀民可以手动修改的情况下。 另外一种识别文件名的方式是: 利用文件的头部信息中的标记,我们称这个标记为魔数。也许这个解析不是特准确,但它对识别文件类型比较准确。
常见文件类型魔数表:
| 类别 | 文件类型 | Magic数 | 起始偏移 | 结束偏移 |
| Exe, dll | Windows可执行文件 | "MZ" | 0 | 2 |
| Linux可执行文件 | "\x7F\x45\x4c\x46" | 0 | 4 | |
| Java类 | "\xCA\xFE\xBA\xBE" | 0 | 4 | |
|
文 档 类
| Office2003, WPS | "\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" | 0 | 8 |
| Office2003, WPS | "WPS2001" | 2 | 9 | |
| Office2003, WPS | "\x64\x6f\x63\x50\x72\x6f\x70\x73" | 30 | 38 | |
| Office2007 | "_Types\x5d\x2exml" | 38 | 49 | |
| mdb | "\x00\x01\x00\x00Standard Jet DB" | 0 | 20 | |
| accdb | "\x00\x01\x00\x00Standard ACE DB" | 0 | 20 | |
| rtf | "\{\\rtf" | 0 | 5 | |
| hlp | "\x3F\x5F\x03\x00" | 0 | 4 | |
| hlp | "\x4C\x4E\x02\x00" | 0 | 4 | |
| chm | "ITSF" | 0 | 4 | |
| mht | "From:" | 0 | 5 | |
| reg | "REGEDIT" | 0 | 7 | |
| reg | "Windows Registry" | 0 | 16 | |
| reg | "R\x00e\x00g\x00i\x00s\x00t\x00r\x00y" | 18 | 33 | |
| | "%PDF-" | 0 | 5 | |
| eps | "%!PS-Adobe" | 0 | 10 | |
| Adobe FrameMaker | "<MakerFile" | 0 | 10 | |
|
压 缩 类
| rar | "Rar!" | 0 | 4 |
| zip | "PK\003\004" | 0 | 4 | |
| zip | "PK00PK\003\004" | 0 | 8 | |
| 7z | "7z\xBC\xAF\x27" | 0 | 5 | |
| arj | "\x60\xEA" | 0 | 2 | |
| bz2 | "BZh" | 0 | 3 | |
| gzip | "\037\213" | 0 | 2 | |
| gzip | "\x1F\x8B\x08\x08" | 0 | 4 | |
| tz | "TZ" | 0 | 2 | |
| compress | "SZDD" | 0 | 4 | |
| cab | "MSCF" | 0 | 4 | |
| rpm | "\xED\xAB\xEE\xDB" | 0 | 4 | |
| ace | "\x2A\x2A\x41\x43\x45\x2A\x2A" | 7 | 14 | |
|
图 片 类
| bmp | "BM" | 0 | 2 |
| jpeg | "\377\330\377" | 0 | 3 | |
| jpeg | "JFIF" | 6 | 10 | |
| jpeg | "Exif" | 6 | 10 | |
| png | "\x89PNG" | 0 | 4 | |
| gif | "GIF" | 0 | 3 | |
| swf | "FWS" | 0 | 3 | |
| swf | "CWS" | 0 | 3 | |
| flp | "FLhd" | 0 | 4 | |
| flp | "flash_project" | 4 | 17 | |
| dwg | "AC10" | 0 | 4 | |
| tiff | "MM\x00\x2B" | 0 | 4 | |
| tiff | "II*" | 0 | 3 | |
|
音 视 频 类 | rm | ".RMF" | 0 | 4 |
| rm | ".RMX" | 0 | 4 | |
| rm | "PROP" | 18 | 22 | |
| flv | "FLV" | 0 | 3 | |
| avi | "AVI LIST" | 8 | 16 | |
| wma | "\x30\x26\xb2\x75\x8e\x66\xcf\x11" | 0 | 8 | |
| wav | "WAVEfmt" | 8 | 15 | |
| mp4 | "ftypmp41" | 4 | 12 | |
| mp4 | "ftypmp42" | 4 | 12 | |
| mp4 | "ftypisom" | 4 | 12 | |
| 3gp | "ftyp3gp4 | 4 | 12 | |
| 3gp | "ftypmmp4" | 4 | 12 | |
| mp3 | "\xff\xff" | 11 | 1 | |
| mp3 | "\x49\x44\x33" | 0 | 3 | |
| mtv | "AMV" | 0 | 3 | |
| m4a | "ftypM4A\x20" | 4 | 12 | |
| m4a | "ftypM4V\x20" | 4 | 12 | |
| au | "dns" | 0 | 3 | |
| au | "\x2E\x73\x6E\x64" | 0 | 4 | |
| mdi | "EP" | 0 | 2 | |
| 其他 | vhd | "conectix" | 0 | 8 |
| gho | "\xFE\xEF\x01" | 0 | 3 | |
| nri | "\x0ENeroISO" | 0 | 8 | |
| pf | "SCCA" | 4 | 8 | |
| hqx | "(This file must be converted with BinHex 4.0)" | 0 | 45 | |
|
| Unknow |
| -1 | 0 |
- 注1: 上述表格中,有的为"\xAA" : 指的为十六进制的0xAA, 因为该数为非打印的字符,因此使用十六进制进行表示;还有一部分为“\223” : 指的为八进制数223(O), 原因和上述十六进制相同。
- 注2:用字符串来表示的优点有很多:1)方便扩展 2)以字符串常量的方式存储在字符串常量区 3)无论采用哪种方式存储,比较时仍然是二进制形式,所以匹配时和单独使用十六进制是相同的效果。
3. 如何查看一个文件类型的魔数信息
可使用的软件很多,我自己常用的是UltraEdit, 还有notepad++也可以,只不过需要安装个16进制的插件。
例如:
pdf类型:
wps创建的docx类型:
