none
To find magic number of a file using file signature in mini-filter driver.

    Question

  • Hi all. I have a file system mini-filter driver.I am trying to find the magic number of a file using file signature.For example magic number of a png file is 7F 45 4C 46 .ELF
    Thanks in advance. Can you provide any solutions for this.
    Monday, April 29, 2019 10:46 AM

All replies

  • Hello fighterphilip,

    This forum is for "Discuss application compatibility testing, common compatibility issues, and best practices for creating Windows-based applications."

    Since this is a driver development issue I'll move it to the right forum. Thanks for your cooperation.

    Best regards,

    Rita


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    Tuesday, April 30, 2019 2:33 AM
  • That is certainly NOT the "magic number" of a PNG file.  That is the magic number for an ELF, which is the format of a Linux executable app.  A PNG starts out "\x89PNG".

    There is no easy rule for this.  Some file types do have a recognizable sequence, but many file types do not.  You might want to check the source code for the Linux "file" utility.  It uses a file about 5 megabytes long that has rules for determining many file types.

    What are you going to do with this information?  In general on Windows, the file extension is just about as good as anything else.


    Tim Roberts | Driver MVP Emeritus | Providenza & Boekelheide, Inc.

    Tuesday, April 30, 2019 6:14 AM
  • @Tim I am actually trying to find the file type. In case if the user has changed the file type(ie from .png to .txt) the the original file type can be identified. This can be determined by the magic number. Is it possible to read the first four bytes of a file.Can you provide some ideas. 
    Tuesday, April 30, 2019 9:39 AM
  • If ALL you want to look for is PNGs, then yes, you can determine that by looking at the first 4 bytes.  My first answer was trying to tell you that you can't generalize that to other types of files.

    And you didn't answer my question.  What are you going to do with this information?  You certainly won't want to read the first 4 bytes of a file every time you get an I/O request.  You could certainly monitor file operations to watch for writes to the first 4 bytes by creating an IRP_MJ_READ request and sending it down, but why?


    Tim Roberts | Driver MVP Emeritus | Providenza & Boekelheide, Inc.

    Wednesday, May 1, 2019 6:56 AM
  • there is no such thing as magic number for all file types. E.g. a text file doesn't have a signature. 

    if you are trying to detect file format in a file system driver, because there are so many file types out there, your driver gonna be so slow to that the user would use all means possible to uninstall your driver. 



    Visual C++ MVP

    Saturday, May 11, 2019 8:46 PM