A Summary of File Headers and Trailers for Common File Types

0x00 Background

While dealing with webshells recently, I found that file types had been tampered with. The question is how to tell from the hex bytes whether a file is what it claims to be, for example whether a .jpg is an ordinary JPEG or a JPEG with malicious code spliced into it. That calls for looking at the file header and file trailer and making a simple judgement from them.

0x01 Installing the tools

The simplest and quickest option is to install Notepad++ and then add the Hex-Editor plugin. Other tools such as UltraEdit, WinHex or IDA Pro are of course also good choices.

Notepad++ download: https://notepad-plus-plus.org/   Note: choose the Notepad++ Installer 32-bit x86, because the Hex-Editor plugin cannot be installed directly in the 64-bit build.

Once Notepad++ is installed, select [Plugins] - [Plugins Admin], as shown in the figures below.

[Figure 1]

[Figure 2]

After the plugin is installed, restart Notepad++.

0x02 File headers and trailers

1. Image files
JPEG (jpg/jpe/jpeg)          header: FF D8 FF          trailer: FF D9
PNG (png)                    header: 89 50 4E 47       trailer: AE 42 60 82
GIF (gif)                    header: 47 49 46 38       trailer: 00 3B
TIFF (tif)                   header: 49 49 2A 00
Windows Bitmap (bmp)         header: 42 4D
ICO (ico)                    header: 00 00 01 00
Adobe Photoshop (psd)        header: 38 42 50 53

[Figure 3]

2. Office files
MS Word/Excel (xls or doc)   header: D0 CF 11 E0
MS Access (mdb)              header: 53 74 61 6E 64 61 72 64 20 4A
WordPerfect (wpd)            header: FF 57 50 43
Adobe Acrobat (pdf)          header: 25 50 44 46 2D 31 2E
Visio (vsd)                  header: D0 CF 11 E0 A1 B1 1A E1
Email [thorough only] (eml)  header: 44 65 6C 69 76 65 72 79 2D 64 61 74 65 3A
Outlook Express (dbx)        header: CF AD 12 FE C5 FD 74 6F
Outlook (pst)                header: 21 42 44 4E
Rich Text Format (rtf)       header: 7B 5C 72 74 66

Plain text (txt)             header: Unicode: FE FF / Unicode big endian: FF FE / UTF-8: EF BB BF / ANSI-encoded text has no header

3. Archive files
ZIP Archive (zip)            header: 50 4B 03 04       trailer: 50 4B
RAR Archive (rar)            header: 52 61 72 21

4. Audio files
Wave (wav)                   header: 57 41 56 45
audio (Audio)                header: 4D 54 68 64
audio/x-aac (aac)            header: FF F1 / FF F9

5. Video files
AVI (avi)                    header: 41 56 49 20
Real Audio (ram)             header: 2E 72 61 FD
Real Media (rm)              header: 2E 52 4D 46
MPEG (mpg)                   header: 00 00 01 BA
MPEG (mpg)                   header: 00 00 01 B3
Quicktime (mov)              header: 6D 6F 6F 76
Windows Media (asf)          header: 30 26 B2 75 8E 66 CF 11
MIDI (mid)                   header: 4D 54 68 64

6. Code files
XML (xml)                    header: 3C 3F 78 6D 6C
HTML (html)                  header: 68 74 6D 6C 3E

Quicken (qdf)                header: AC 9E BD 8F
Windows Password (pwl)       header: E3 82 85 96

7. Other types

Windows certificate (der)    header: 30 82 03 C9
CAD (dwg)                    header: 41 43 31 30
Windows Shortcut (lnk)       header: 4C 00 00 00
Windows registry export (reg) header: 52 45 47 45 44 49 54 34
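As an added example (not code from the post), here is a small Python checker that applies the header and trailer values from the tables above. It compares a file's first bytes with the header expected for its extension, checks that the file ends with the expected trailer and, when it does not, counts how many bytes follow the last occurrence of the trailer, which is how a picture with something appended after its end-of-image marker shows up. For .txt it reports the byte order mark instead; the BOM values used are the Unicode ones (EF BB BF for UTF-8, FF FE for UTF-16 little-endian, FE FF for UTF-16 big-endian), and a file with no BOM reports none. The SIGNATURES and BOMS tables and the three sample byte strings are constructed for this example. A file that passes both checks can still carry extra content inside a structurally valid file (for instance in metadata segments), so this is the simple first-pass triage the post describes, not a full parser.

```python
import os
import sys

# Header and trailer bytes from the post's tables (section 0x02). None means
# the post gives no trailer worth checking for that type.
SIGNATURES = {
    "jpg":  (b"\xFF\xD8\xFF", b"\xFF\xD9"),
    "jpeg": (b"\xFF\xD8\xFF", b"\xFF\xD9"),
    "png":  (b"\x89\x50\x4E\x47", b"\xAE\x42\x60\x82"),
    "gif":  (b"\x47\x49\x46\x38", b"\x00\x3B"),
    "bmp":  (b"\x42\x4D", None),
    "pdf":  (b"\x25\x50\x44\x46\x2D\x31\x2E", None),
    "zip":  (b"\x50\x4B\x03\x04", None),
    "rar":  (b"\x52\x61\x72\x21", None),
}

# Byte order marks for text files (Unicode standard values). The byte order
# matters: FF FE is UTF-16 little-endian, FE FF is UTF-16 big-endian. ANSI text
# and UTF-8 without a BOM have no header at all.
BOMS = [
    (b"\xEF\xBB\xBF", "UTF-8 with BOM"),
    (b"\xFF\xFE", "UTF-16 LE"),
    (b"\xFE\xFF", "UTF-16 BE"),
]


def inspect_bytes(data, ext):
    """Compare data with the signature expected for ext.

    Returns a dict with the header and trailer verdicts, the number of bytes
    that follow the last trailer (content appended to an otherwise complete
    file), the BOM for .txt, and a list of readable findings.
    """
    ext = ext.lower().lstrip(".")
    result = {"ext": ext, "header_ok": None, "trailer_ok": None,
              "trailing_bytes": 0, "bom": None, "findings": []}
    if ext == "txt":
        result["bom"] = next((name for bom, name in BOMS if data.startswith(bom)),
                             "none (ANSI, or UTF-8 without BOM)")
        return result
    if ext not in SIGNATURES:
        result["findings"].append(f"no signature known for .{ext}")
        return result
    header, trailer = SIGNATURES[ext]
    result["header_ok"] = data.startswith(header)
    if not result["header_ok"]:
        result["findings"].append(
            f"header {data[:len(header)].hex()} does not match expected {header.hex()}")
    if trailer is not None:
        result["trailer_ok"] = data.endswith(trailer)
        if not result["trailer_ok"]:
            last = data.rfind(trailer)
            if last == -1:
                result["findings"].append(f"trailer {trailer.hex()} not found")
            else:
                # Bytes after the last trailer: the file was complete, then
                # something was appended to it.
                extra = len(data) - (last + len(trailer))
                result["trailing_bytes"] = extra
                result["findings"].append(
                    f"{extra} bytes follow the last trailer {trailer.hex()}")
    return result


def inspect_file(path):
    """Read a file and judge it by the extension in its name."""
    with open(path, "rb") as fh:
        data = fh.read()
    return inspect_bytes(data, os.path.splitext(path)[1])


# Constructed samples (not real files): a minimal JPEG-shaped byte string, the
# same bytes with text appended after the FF D9 marker, and a PNG-shaped string
# renamed to .jpg.
CLEAN_JPG = b"\xFF\xD8\xFF\xE0" + b"\x00" * 16 + b"\xFF\xD9"
JPG_WITH_APPENDED_DATA = CLEAN_JPG + b"text that does not belong after FF D9"
PNG_AS_JPG = b"\x89\x50\x4E\x47\x0D\x0A\x1A\x0A" + b"\x00" * 16 + b"\xAE\x42\x60\x82"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            print(path, inspect_file(path))
    else:
        for name, sample in [("clean.jpg", CLEAN_JPG),
                             ("appended.jpg", JPG_WITH_APPENDED_DATA),
                             ("renamed.jpg", PNG_AS_JPG)]:
            print(name, inspect_bytes(sample, os.path.splitext(name)[1])["findings"])
```

Run it with one or more paths (`python check_signature.py upload.jpg`) to inspect real files, or with no arguments to see the three constructed samples: the clean JPEG reports nothing, the second reports the count of bytes after FF D9, and the renamed PNG fails the header check.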

0x03 Other references

MIME type (Content-Type) (extension)    signature: hex bytes, alternatives separated by /
video/3gpp (3gp)    signature: 00 00 00 14 66 74 79 70 / 00 00 00 20 66 74 79 70
video/mp4 (mp4)    signature: 00 00 00 14 66 74 79 70 69 73 6f 6d / 00 00 00 18 66 74 79 70 / 00 00 00 1c 66 74 79 70
video/3gpp2 (3g2)    signature: 00 00 00 14 66 74 79 70 / 00 00 00 20 66 74 79 70
video/x-m4v (m4v)    signature: 00 00 00 18 66 74 79 70
audio/mp4 (m4a)    signature: 00 00 00 20 66 74 79 70 4d 34 41
image/x-icon (ico)    signature: 00 00 01 00
application/x-futuresplash (spl)    signature: 00 00 01 00
video/mpeg (mpg)    signature: 00 00 01 b3 / 00 00 01 ba
video/x-ms-vob (vob)    signature: 00 00 01 ba
application/vnd.lotus-1-2-3 (123)    signature: 00 00 1a 00 05 10 04
application/vnd.quark.quarkxpress (qxd)    signature: 00 00 49 49 58 50 52 / 00 00 4d 4d 58 50 52
application/x-font-ttf (ttf)    signature: 00 01 00 00 00
application/x-msmoney (mny)    signature: 00 01 00 00 4d 53 49 53 41 4d 20 44 61 74 61 62 61 73 65
application/x-msaccess (mdb)    signature: 00 01 00 00 53 74 61 6e 64 61 72 64 20 4a 65 74 20 44 42
video/x-fli (fli)    signature: 00 11
image/x-rgb (rgb)    signature: 01 da 01 01 00 03
application/xml-dtd (dtd)    signature: 07 64 74 32 64 64 74 64
image/x-pcx (pcx)    signature: 0a 02 01 01 / 0a 03 01 01 / 0a 05 01 01
application/msword (doc)    signature: 0d 44 4f 43
application/msword (dot)    signature: cf 11 e0 a1 b1 1a e1 00 / d0 cf 11 e0 a1 b1 1a e1 / db a5 2d 00
application/vnd.ms-works (wks)    signature: 0e 57 4b 53
application/vnd.ms-works (wps)    signature: ff 00 02 00 04 04 05 54 / d0 cf 11 e0 a1 b1 1a e1
application/vnd.nitf (ntf)    signature: 1a 00 00 / 30 31 4f 52 44 4e 41 4e / 4e 49 54 46 30
application/vnd.lotus-notes (nsf)    signature: 1a 00 00 04 00 00 / 4e 45 53 4d 1a 01
application/x-freearc (arc)    signature: 1a 02 / 1a 03 / 1a 04 / 1a 08 / 1a 09 / 41 72 43 01
video/webm (webm)    signature: 1a 45 df a3
video/x-matroska (mkv)    signature: 1a 45 df a3 93 42 82 88
application/x-msdownload (msi)    signature: 23 20
application/x-msdownload (com)    signature: d0 cf 11 e0 a1 b1 1a e1
application/x-msdownload (dll)    signature: 4d 5a
application/x-msdownload (exe)    signature: e8 / e9 / eb
audio/silk (sil)    signature: 23 21 53 49 4c 4b 0a
application/postscript (eps)    signature: 25 21 50 53 2d 41 64 6f / c5 d0 d3 c6
application/pdf (pdf)    signature: 25 50 44 46
application/vnd.fdf (fdf)    signature: 25 50 44 46
application/mac-binhex40 (hqx)    signature: 28 54 68 69 73 20 66 69
text/plain (log)    signature: 00 2a 2a 2a 20 20 49 6e 73
application/vnd.rn-realmedia (rm)    signature: 2e 52 4d 46
application/vnd.rn-realmedia-vbr (rmvb)    signature: 2e 52 4d 46
audio/x-pn-realaudio (ra)    signature: 2e 52 4d 46 00 00 00 12
audio/x-pn-realaudio (ram)    signature: 2e 72 61 fd 00 / 72 74 73 70 3a 2f 2f
audio/basic (au)    signature: 2e 73 6e 64 / 64 6e 73 2e
application/vnd.epson.msf (msf)    signature: 2f 2f 20 3c 21 2d 2d 20 3c 6d 64 62 3a 6d 6f 72 6b 3a 7a
application/vnd.ms-pki.seccat (cat)    signature: 30
video/x-ms-asf (asf)    signature: 30 26 b2 75 8e 66 cf 11
video/x-ms-asf (asx)    signature: 3c
audio/x-ms-wma (wma)    signature: 30 26 b2 75 8e 66 cf 11
video/x-ms-wmv (wmv)    signature: 30 26 b2 75 8e 66 cf 11
application/x-mswrite (wri)    signature: 31 be / 32 be / be 00 00 00 ab
application/x-7z-compressed (7z)    signature: 37 7a bc af 27 1c
image/vnd.adobe.photoshop (psd)    signature: 38 42 50 53
application/xml (xml)    signature: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 3f 3e
application/vnd.framemaker (fm)    signature: 3c 4d 61 6b 65 72 46 69
application/vnd.mif (mif)    signature: 3c 4d 61 6b 65 72 46 69 / 56 65 72 73 69 6f 6e 20
application/gpx+xml (gpx)    signature: 3c 67 70 78 20 76 65 72 73 69 6f 6e 3d 22 31 2e
application/winhlp (hlp)    signature: 3f 5f 03 00 / 4c 4e 02 00
image/vnd.dwg (dwg)    signature: 41 43 31 30
application/vnd.lotus-organizer (org)    signature: 41 4f 4c 56 4d 31 30 30
text/x-vcard (vcf)    signature: 42 45 47 49 4e 3a 56 43
application/octet-stream (bin)    signature: 42 4c 49 32 32 33
application/octet-stream (dms)    signature: 44 4d 53 21
application/octet-stream (mar)    signature: 4d 41 52 31 00 / 4d 41 52 43 / 4d 41 72 30 00
image/bmp (bmp)    signature: 42 4d
application/x-mobipocket-ebook (prc)    signature: 42 4f 4f 4b 4d 4f 42 49
application/x-bzip2 (bz2)    signature: 42 5a 68
application/x-iso9660-image (iso)    signature: 43 44 30 30 31
application/mac-compactpro (cpt)    signature: 43 50 54 37 46 49 4c 45 / 43 50 54 46 49 4c 45
application/x-shockwave-flash (swf)    signature: 43 57 53 / 46 57 53 / 5a 57 53
application/x-cdlink (vcd)    signature: 45 4e 54 52 59 56 43 44
image/vnd.ms-modi (mdi)    signature: 45 50
video/x-flv (flv)    signature: 46 4c 56
audio/x-aiff (aiff)    signature: 46 4f 52 4d 00
message/rfc822 (eml)    signature: 46 72 6f 6d / 52 65 74 75 72 6e 2d 50 / 58 2d
image/gif (gif)    signature: 47 49 46 38
image/tiff (tif)    signature: 49 20 49
image/tiff (tiff)    signature: 49 49 2a 00 / 4d 4d 00 2a / 4d 4d 00 2b
audio/mpeg (mp3)    signature: 49 44 33
application/vnd.ms-cab-compressed (cab)    signature: 49 53 63 28 / 4d 53 43 46
application/vnd.ms-htmlhelp (chm)    signature: 49 54 53 46
application/java-archive (jar)    signature: 4a 41 52 43 53 00 / 50 4b 03 04 / 50 4b 03 04 14 00 08 00 / 5f 27 a8 89
application/x-ms-shortcut (lnk)    signature: 4c 00 00 00 01 14 02 00
application/x-tgif (obj)    signature: 4c 01 / 80
application/vnd.palm (pdb)    signature: 4d 2d 57 20 50 6f 63 6b / 4d 69 63 72 6f 73 6f 66 74 20 43 2f 43 2b 2b 20 / 73 6d 5f / 73 7a 65 7a / ac ed 00 05 73 72 00 12
application/vnd.tcpdump.pcap (dmp)    signature: 4d 44 4d 50 93 a7
application/vnd.tcpdump.pcap (cap)    signature: 50 41 47 45 44 55 / 52 54 53 53 / 58 43 50 00
application/vnd.smaf (mmf)    signature: 4d 4d 4d 44 00 00
audio/midi (mid)    signature: 4d 54 68 64
audio/midi (midi/rmi)    signature: 52 49 46 46
application/vnd.rim.cod (cod)    signature: 4e 61 6d 65 3a 20
audio/ogg (oga/ogg)    signature: 4f 67 67 53 00 02 00 00
video/ogg (ogv)    signature: 4f 67 67 53 00 02 00 00
application/ogg (ogx)    signature: 4f 67 67 53 00 02 00 00
image/x-portable-graymap (pgm)    signature: 50 35 0a
application/zip (zip)    signature: 50 4b 03 04 / 50 4b 03 04 14 00 01 00 / 50 4b 05 06 / 50 4b 07 08
application/vnd.openxmlformats-officedocument.wordprocessingml.document (docx)    signature: 50 4b 03 04 / 50 4b 03 04 14 00 06 00
application/vnd.openxmlformats-officedocument.presentationml.presentation (pptx)    signature: 50 4b 03 04 / 50 4b 03 04 14 00 06 00
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet (xlsx)    signature: 50 4b 03 04 / 50 4b 03 04 14 00 06 00
application/vnd.google-earth.kmz (kmz)    signature: 50 4b 03 04
application/vnd.kde.kword (kwd)    signature: 50 4b 03 04
application/vnd.oasis.opendocument.text (odt)    signature: 50 4b 03 04
application/vnd.oasis.opendocument.presentation (odp)    signature: 50 4b 03 04
application/vnd.oasis.opendocument.text-template (ott)    signature: 50 4b 03 04
application/vnd.sun.xml.calc (sxc)    signature: 50 4b 03 04
application/vnd.sun.xml.draw (sxd)    signature: 50 4b 03 04
application/vnd.sun.xml.impress (sxi)    signature: 50 4b 03 04
application/vnd.sun.xml.writer (sxw)    signature: 50 4b 03 04
application/x-msmetafile (wmz)    signature: 50 4b 03 04
application/x-msmetafile (wmf)    signature: d7 cd c6 9a
application/x-xpinstall (xpi)    signature: 50 4b 03 04
application/vnd.ms-xpsdocument (xps)    signature: 50 4b 03 04
application/epub+zip (epub)    signature: 50 4b 03 04 0a 00 02 00
image/x-cmx (cmx)    signature: 52 49 46 46
video/x-msvideo (avi)    signature: 52 49 46 46
audio/x-wav (wav)    signature: 52 49 46 46
image/webp (webp)    signature: 52 49 46 46
application/x-rar-compressed (rar)    signature: 52 61 72 21 1a 07 00
application/x-stuffit (sit)    signature: 53 49 54 21 00 / 53 74 75 66 66 49 74 20
application/vnd.yamaha.smaf-phrase (spf)    signature: 53 50 46 49 00
application/vnd.lotus-wordpro (lwp)    signature: 57 6f 72 64 50 72 6f
application/pls+xml (pls)    signature: 5b 70 6c 61 79 6c 69 73 74 5d
audio/x-caf (caf)    signature: 63 61 66 66
application/x-csh (csh)    signature: 63 75 73 68 00 00 00 02
application/pkcs10 (p10)    signature: 64 00 00 00
audio/x-flac (flac)    signature: 66 4c 61 43 00 00 00 22
application/pkix-attr-cert (ac)    signature: 72 69 66 66
application/x-apple-diskimage (dmg)    signature: 78 01 73 0d 62 62 60
application/vnd.xara (xar)    signature: 78 61 72 21
application/rtf (rtf)    signature: 7b 5c 72 74 66 31
image/png (png)    signature: 89 50 4e 47 0d 0a 1a 0a
application/applixware (aw)    signature: 8a 01 09 00 00 00 e1 08
application/java-vm (class)    signature: ca fe ba be
application/vnd.ms-powerpoint (pps/ppt)    signature: d0 cf 11 e0 a1 b1 1a e1
application/vnd.ms-excel (xla/xls)    signature: d0 cf 11 e0 a1 b1 1a e1
audio/adpcm (adp)    signature: d0 cf 11 e0 a1 b1 1a e1
application/vnd.lotus-approach (apr)    signature: d0 cf 11 e0 a1 b1 1a e1
application/x-mspublisher (pub)    signature: d0 cf 11 e0 a1 b1 1a e1
application/vnd.visio (vsd)    signature: d0 cf 11 e0 a1 b1 1a e1
application/x-xz (xz)    signature: fd 37 7a 58 5a 00
application/vnd.wordperfect (wpd)    signature: ff 57 50 43
image/jpeg (jpe/jpeg/jpg)    signature: ff d8 ff
audio/x-aac (aac)    signature: ff f1 / ff f9
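Several rows of the reference table share one signature: wav, avi, webp and cmx all begin with 52 49 46 46 (RIFF), and zip, docx, xlsx, pptx, jar, odt and epub all begin with 50 4b 03 04, while webm (1a 45 df a3) is a prefix of mkv (1a 45 df a3 93 42 82 88). The following Python example, added here and not part of the original post, shows how a checker should handle that: it matches the longest signature first, and for the two container families it looks past the signature, at the RIFF form type in bytes 8 to 11 and at the member names inside the ZIP (the ODF/EPUB mimetype member, META-INF/MANIFEST.MF for jar, and the word/, xl/ or ppt/ folders next to [Content_Types].xml for Office Open XML). SIGNATURE_TABLE is a subset of the rows above; RIFF_FORMS, the member-name rules and the make_riff/make_zip sample builders are the example's own. OLE compound files (doc, xls, ppt, vsd, all d0 cf 11 e0 a1 b1 1a e1) are reported as the whole candidate set, since separating them needs the compound file directory, which is out of scope here.

```python
import io
import zipfile

# Rows copied from the reference table above (hex signature -> extensions the
# table lists for it). Rows that share a prefix are the interesting ones.
SIGNATURE_TABLE = [
    ("89 50 4e 47 0d 0a 1a 0a", ["png"]),
    ("ff d8 ff", ["jpg"]),
    ("47 49 46 38", ["gif"]),
    ("25 50 44 46", ["pdf"]),
    ("52 49 46 46", ["wav", "avi", "webp", "cmx"]),  # RIFF container
    ("50 4b 03 04", ["zip", "docx", "xlsx", "pptx", "jar", "odt", "epub"]),  # ZIP container
    ("d0 cf 11 e0 a1 b1 1a e1", ["doc", "xls", "ppt", "vsd"]),  # OLE compound file
    ("1a 45 df a3", ["webm"]),
    ("1a 45 df a3 93 42 82 88", ["mkv"]),
    ("ca fe ba be", ["class"]),
]

# Parsed once, longest signature first, so the more specific mkv row is tried
# before the webm row that is a prefix of it.
_PARSED = sorted(
    ((bytes.fromhex(sig), exts) for sig, exts in SIGNATURE_TABLE),
    key=lambda row: len(row[0]), reverse=True,
)

# RIFF form type: the four bytes at offset 8 (from the RIFF specification).
RIFF_FORMS = {b"WAVE": "wav", b"AVI ": "avi", b"WEBP": "webp"}


def match_signature(data):
    """Return (prefix, extensions) for the longest table entry that prefixes data."""
    for prefix, exts in _PARSED:
        if data.startswith(prefix):
            return prefix, exts
    return None, []


def riff_kind(data):
    """Separate the RIFF-based formats by the form type at bytes 8..11."""
    return RIFF_FORMS.get(data[8:12], "riff (unknown form type)")


def zip_kind(data):
    """Separate ZIP-based document formats by their member names."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if "mimetype" in names:  # ODF and EPUB declare their type here
                mime = zf.read("mimetype").decode("ascii", "replace").strip()
                return {"application/epub+zip": "epub",
                        "application/vnd.oasis.opendocument.text": "odt"}.get(mime, "zip")
            if "META-INF/MANIFEST.MF" in names:
                return "jar"
            if "[Content_Types].xml" in names:  # Office Open XML
                for folder, ext in (("word/", "docx"), ("xl/", "xlsx"), ("ppt/", "pptx")):
                    if any(n.startswith(folder) for n in names):
                        return ext
            return "zip"
    except zipfile.BadZipFile:
        return "zip (truncated or corrupt)"


def identify(data):
    """Name the format of data, looking inside the ambiguous containers."""
    prefix, exts = match_signature(data)
    if prefix is None:
        return "unknown"
    if prefix == b"RIFF":
        return riff_kind(data)
    if prefix == b"PK\x03\x04":
        return zip_kind(data)
    # OLE compound files (doc/xls/ppt/vsd) need the compound file directory to
    # tell apart; report every candidate rather than guess.
    return "/".join(exts)


# Constructed sample builders (not real files).
def make_riff(form):
    body = b"\x00" * 8
    return b"RIFF" + (len(form) + len(body)).to_bytes(4, "little") + form + body


def make_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, text in members.items():
            zf.writestr(name, text)
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "wave": make_riff(b"WAVE"),
        "webp": make_riff(b"WEBP"),
        "docx": make_zip({"[Content_Types].xml": "<Types/>", "word/document.xml": "<w/>"}),
        "jar": make_zip({"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n"}),
        "epub": make_zip({"mimetype": "application/epub+zip"}),
        "mkv": b"\x1a\x45\xdf\xa3\x93\x42\x82\x88",
        "xls": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8,
    }
    for label, blob in samples.items():
        print(f"{label:5} -> {identify(blob)}")
```

The point of the longest-first ordering is that a table like the one above cannot be used as a flat dictionary: a four-byte prefix would claim every Matroska file as webm. Equally, a match on 50 4b 03 04 on its own says only "ZIP container", which is why the extension claimed by an upload should be compared with what the container contents say, not with the first four bytes alone.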

Everyone is welcome to share better approaches; I am eagerly looking forward to them ^^_^^ !!!
