文件类型识别----魔数
魔数简介:
在识别文件类型时,我们很多人都是通过文件的后缀来识别的,如苍老师.mp4, 波老师.avi, 玛利亚.jpg。 使用后缀名识别文件类型不是特别准确,尤其是后缀民可以手动修改的情况下。 另外一种识别文件名的方式是: 利用文件的头部信息中的标记,我们称这个标记为魔数。也许这个解析不是特准确,但它对识别文件类型比较准确。
常见文件类型魔数表:
|
类别 |
文件类型 |
Magic数 |
起始偏移 |
结束偏移 |
|
Exe, dll |
Windows可执行文件 |
"MZ" |
0 |
2 |
|
Linux可执行文件 |
"\x7F\x45\x4c\x46" |
0 |
4 |
|
|
Java类 |
"\xCA\xFE\xBA\xBE" |
0 |
4 |
|
|
文 档 类
|
Office2003, WPS |
"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" |
0 |
8 |
|
Office2003, WPS |
"WPS2001" |
2 |
9 |
|
|
Office2003, WPS |
"\x64\x6f\x63\x50\x72\x6f\x70\x73" |
30 |
38 |
|
|
Office2007 |
"_Types\x5d\x2exml" |
38 |
49 |
|
|
mdb |
"\x00\x01\x00\x00Standard Jet DB" |
0 |
20 |
|
|
accdb |
"\x00\x01\x00\x00Standard ACE DB" |
0 |
20 |
|
|
rtf |
"\{\\rtf" |
0 |
5 |
|
|
hlp |
"\x3F\x5F\x03\x00" |
0 |
4 |
|
|
hlp |
"\x4C\x4E\x02\x00" |
0 |
4 |
|
|
chm |
"ITSF" |
0 |
4 |
|
|
mht |
"From:" |
0 |
5 |
|
|
reg |
"REGEDIT" |
0 |
7 |
|
|
reg |
"Windows Registry" |
0 |
16 |
|
|
reg |
"R\x00e\x00g\x00i\x00s\x00t\x00r\x00y" |
18 |
33 |
|
|
|
"%PDF-" |
0 |
5 |
|
|
eps |
"%!PS-Adobe" |
0 |
10 |
|
|
Adobe FrameMaker |
"<MakerFile" |
0 |
10 |
|
|
压 缩 类
|
rar |
"Rar!" |
0 |
4 |
|
zip |
"PK\003\004" |
0 |
4 |
|
|
zip |
"PK00PK\003\004" |
0 |
8 |
|
|
7z |
"7z\xBC\xAF\x27" |
0 |
5 |
|
|
arj |
"\x60\xEA" |
0 |
2 |
|
|
bz2 |
"BZh" |
0 |
3 |
|
|
gzip |
"\037\213" |
0 |
2 |
|
|
gzip |
"\x1F\x8B\x08\x08" |
0 |
4 |
|
|
tz |
"TZ" |
0 |
2 |
|
|
compress |
"SZDD" |
0 |
4 |
|
|
cab |
"MSCF" |
0 |
4 |
|
|
rpm |
"\xED\xAB\xEE\xDB" |
0 |
4 |
|
|
ace |
"\x2A\x2A\x41\x43\x45\x2A\x2A" |
7 |
14 |
|
|
图 片 类
|
bmp |
"BM" |
0 |
2 |
|
jpeg |
"\377\330\377" |
0 |
3 |
|
|
jpeg |
"JFIF" |
6 |
10 |
|
|
jpeg |
"Exif" |
6 |
10 |
|
|
png |
"\x89PNG" |
0 |
4 |
|
|
gif |
"GIF" |
0 |
3 |
|
|
swf |
"FWS" |
0 |
3 |
|
|
swf |
"CWS" |
0 |
3 |
|
|
flp |
"FLhd" |
0 |
4 |
|
|
flp |
"flash_project" |
4 |
17 |
|
|
dwg |
"AC10" |
0 |
4 |
|
|
tiff |
"MM\x00\x2B" |
0 |
4 |
|
|
tiff |
"II*" |
0 |
3 |
|
|
音 视 频 类 |
rm |
".RMF" |
0 |
4 |
|
rm |
".RMX" |
0 |
4 |
|
|
rm |
"PROP" |
18 |
22 |
|
|
flv |
"FLV" |
0 |
3 |
|
|
avi |
"AVI LIST" |
8 |
16 |
|
|
wma |
"\x30\x26\xb2\x75\x8e\x66\xcf\x11" |
0 |
8 |
|
|
wav |
"WAVEfmt" |
8 |
15 |
|
|
mp4 |
"ftypmp41" |
4 |
12 |
|
|
mp4 |
"ftypmp42" |
4 |
12 |
|
|
mp4 |
"ftypisom" |
4 |
12 |
|
|
3gp |
"ftyp3gp4 |
4 |
12 |
|
|
3gp |
"ftypmmp4" |
4 |
12 |
|
|
mp3 |
"\xff\xff" |
11 |
1 |
|
|
mp3 |
"\x49\x44\x33" |
0 |
3 |
|
|
mtv |
"AMV" |
0 |
3 |
|
|
m4a |
"ftypM4A\x20" |
4 |
12 |
|
|
m4a |
"ftypM4V\x20" |
4 |
12 |
|
|
au |
"dns" |
0 |
3 |
|
|
au |
"\x2E\x73\x6E\x64" |
0 |
4 |
|
|
mdi |
"EP" |
0 |
2 |
|
|
其他 |
vhd |
"conectix" |
0 |
8 |
|
gho |
"\xFE\xEF\x01" |
0 |
3 |
|
|
nri |
"\x0ENeroISO" |
0 |
8 |
|
|
pf |
"SCCA" |
4 |
8 |
|
|
hqx |
"(This file must be converted with BinHex 4.0)" |
0 |
45 |
|
|
|
Unknow |
|
-1 |
0 |
- 注1: 上述表格中,有的为"\xAA" : 指的为十六进制的0xAA, 因为该数为非打印的字符,因此使用十六进制进行表示;还有一部分为“\223” : 指的为八进制数223(O), 原因和上述十六进制相同。
- 注2:用字符串来表示的优点有很多:1)方便扩展 2)以字符串常量的方式存储在字符串常量区 3)无论采用哪种方式存储,比较时仍然是二进制形式,所以匹配时和单独使用十六进制是相同的效果。
3. 如何查看一个文件类型的魔数信息
可使用的软件很多,我自己常用的是UltraEdit, 还有notepad++也可以,只不过需要安装个16进制的插件。
例如:
pdf类型:
wps创建的docx类型: