├── $I File Structure.tpl
├── .github
└── FUNDING.yml
├── Acronis - TIB File Header.tpl
├── ETL_Header_x64.tpl
├── EVTX Chunk Header.tpl
├── EVTX File Header.tpl
├── EVTX Record Structure.tpl
├── ExFAT Directory Entries.tpl
├── ExFAT_VBR.tpl
├── FAT_VBR.tpl
├── GPT.tpl
├── INFO2 Structure.tpl
├── LICENSE
├── MBR-GPT.tpl
├── MBR.tpl
├── NTFS - $AttrDef Structure.tpl
├── NTFS - $EFS Stream.tpl
├── NTFS - $R INDX Structure.tpl
├── NTFS - MFT Attribute List.tpl
├── NTFS - MFT FILE Record.tpl
├── NTFS MFT FILE Record.tpl
├── NTFS_VBR.tpl
├── README.md
├── REFS - $AttrDef Structure.tpl
├── ReFS CheckPoint.tpl
├── ReFS SuperBlock.tpl
├── ReFS_FSRS.tpl
├── SHD spool shadow file.tpl
├── VHD Header.tpl
├── VHDX Header.tpl
├── VMDK Header.tpl
├── WinHex_additional
├── AFP_Structured_Fields.tpl
├── BMP.tpl
├── CDFS Directory Entry Ascii.tpl
├── CDFS Directory Entry Unicode.tpl
├── CDFS Path Tables Ascii.tpl
├── CDFS Path Tables Unicode.tpl
├── CDFS Volume Descriptor.tpl
├── DOS_exe.tpl
├── EVT_Cursor.tpl
├── EVT_Event.tpl
├── EVT_Header.tpl
├── FAT16_Entry.tpl
├── FAT32_Entry.tpl
├── FSINFO_Sector.tpl
├── HFSPlus_B-Tree_Header.tpl
├── HFSPlus_Catalog_Key.tpl
├── HFSPlus_Index_Node.tpl
├── HFSPlus_Volume_Header.tpl
├── JFS Superblock.tpl
├── LNK FILE Record.tpl
├── NTFS Data Runs.tpl
├── NTFS FILE Record.tpl
├── Non-Unicode LNK FILE Record.tpl
├── OLYMPUS_WMA_v03.tpl
├── PCAP.tpl
├── POS_File_Format_1.1.tpl
├── POS_File_Format_2.0.tpl
├── Palm PDB 6 records.tpl
├── Palm PDB.tpl
├── README.md
├── Reiser Superblock.tpl
├── Reiser4 Directory Entries.tpl
├── Reiser4 Item Header Large.tpl
├── Reiser4 Item Header Small.tpl
├── Reiser4 Node Header.tpl
├── Reiser4 Stat Data.tpl
├── Reiser4 Superblock.tpl
├── SFF_File_Format.tpl
├── SQLite Header.tpl
├── TIFF File Format.tpl
├── TIFF File IFD.tpl
├── UFS directory entry BE.tpl
├── UFS directory entry LE.tpl
├── UFS1 Cylinder Group Descriptor BE.tpl
├── UFS1 Cylinder Group Descriptor LE.tpl
├── UFS1 Inode BE.tpl
├── UFS1 Inode LE.tpl
├── UFS1 Superblock BE.tpl
├── UFS1 Superblock LE.tpl
├── UFS2 Cylinder Group Descriptor BE.tpl
├── UFS2 Cylinder Group Descriptor LE.tpl
├── UFS2 Inode BE.tpl
├── UFS2 Inode LE.tpl
├── UFS2 Superblock BE.tpl
├── UFS2 Superblock LE.tpl
├── WAVPCM.tpl
├── ZIP.tpl
├── ZIP_Central_Directory_Structure.tpl
├── ZIP_Data_Descriptor_Structure.tpl
├── ZIP_End_of_Central_Dir_Structure.tpl
├── ZIP_Local_File_Header_Structure.tpl
├── dbf field.tpl
├── dbf header.tpl
├── dbf sample records.tpl
├── dbf tutorial.zip
├── exFAT Boot Sector 2.tpl
├── exFAT Boot Sector.tpl
├── exFAT Regular File.tpl
├── exFAT type code 81.tpl
├── exFAT type code 82.tpl
├── exFAT type code 83.tpl
├── exFAT type code 85.tpl
├── exFAT type code A0.tpl
├── exFAT type code C0.tpl
├── exFAT type code C1.tpl
└── exFAT.zip
├── WinHex_default
├── Boot Sector FAT.tpl
├── Boot Sector FAT32.tpl
├── Boot Sector NTFS.tpl
├── Ext Directory Entry.tpl
├── Ext Group Descriptor.tpl
├── Ext Inode.tpl
├── Ext Superblock.tpl
├── FAT Directory Entry.tpl
├── FAT LFN Entry.tpl
├── GUID Partition Table.tpl
├── HFS+ Volume Header.tpl
├── Master Boot Record.tpl
├── NTFS FILE Record.tpl
└── README.md
└── test
└── REFS_AttrDef_from_refs.sys
/$I File Structure.tpl:
--------------------------------------------------------------------------------
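1 | template "$I File Structure"
2 |
3 | // Costas Katsavounidis - 2021 v.1
4 | // kacos2000 [at] gmail.com
5 | // https://github.com/kacos2000
6 | //
7 | // To be applied to $I files at
8 | // offset 0 of the file
9 | // Displays the 24-byte header, then the original path in the layout selected by Version.
10 | description "$I File Structure"
11 | applies_to file
12 | read-only
13 |
14 | // ref: https://github.com/libyal/dtformats/blob/main/documentation/Windows%20Recycle.Bin%20file%20formats.asciidoc
15 | // Every value, including the version 2 name length, is read from the file and shown as stored; nothing is validated.
16 | begin
17 | Section "Header"
18 | int64 "Version"
19 | int64 "Original File Size"
20 | FileTime "Deletion date and time"
21 | // Version 1 has a fixed-size name field of 520 bytes, i.e. 260 UTF-16 characters (not 256).
22 | ifEqual Version 1 // Introduced in Windows Vista
23 | string16 260 "Original filename"
24 | else
25 | ifEqual Version 2 // Introduced in Windows 10
26 | uint32 "Nr_of_Filename_Characters" // count taken from the file; an implausible value suggests a damaged or altered record
27 | string16 Nr_of_Filename_Characters "Original filename [UTF-16]"
28 | endIF
29 | // Any other Version value falls through and no filename is displayed.
30 | endSection
31 | end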
--------------------------------------------------------------------------------
/.github/FUNDING.yml:
--------------------------------------------------------------------------------
1 | # These are supported funding model platforms
2 |
3 | github: kacos2000
4 |
--------------------------------------------------------------------------------
/Acronis - TIB File Header.tpl:
--------------------------------------------------------------------------------
1 | template "Acronis - TIB File Header"
2 |
3 | // Costas Katsavounidis - 2021 v0.1
4 | // kacos2000 [at] gmail.com
5 | // https://github.com/kacos2000
6 |
7 | // To be applied on byte 0 of a .tib archive file
8 | // Displays the first 32 bytes of the file as header fields; keys and checksum are shown as raw hex and are not verified.
9 | description "Acronis - TIB File Header"
10 | applies_to file
11 | requires 0 "CE 24 B9 A2" // Signature
12 | read-only
13 |
14 | // Reference: https://github.com/dennisss/acronis-tib
15 |
16 | begin
17 | section "Acronis .tib file header"
18 | hex 4 "Signature"
19 | uint16 "Header Length" // stored length; not compared with the 32 bytes decoded here
20 | uint16 "Version (0=Win, 1=Mac)"
21 | hex 4 "Archive Key"
22 | hex 4 "Slice Key"
23 | hex 4 "Volume Key"
24 | uint32 "Sequence Nr"
25 | hex 4 "Header Checksum" // displayed only; the template does not recompute it
26 | uint32 "BlockSize" // Win: 32, Mac: 4096
27 | endSection
28 | end
--------------------------------------------------------------------------------
/ETL_Header_x64.tpl:
--------------------------------------------------------------------------------
1 | template "ETL Header (x64)"
2 |
3 | // Template by Gabriele Zambelli (@gazambelli)
4 | // Version 1.0 - 20181227
5 |
6 | // https://docs.microsoft.com/en-us/windows/desktop/etw/eventtrace-header
7 | // https://docs.microsoft.com/en-us/windows/desktop/etw/trace-logfile-header
8 |
9 | // https://en.wikipedia.org/wiki/List_of_Microsoft_Windows_versions
10 | // https://en.wikipedia.org/wiki/Windows_10_version_history
11 | // https://windows10dll.nirsoft.net/tzres_dll.html
12 |
13 | description "Header of .ETL log files created on a 64-bit OS"
14 | // All fields are displayed as stored in the file; no range or consistency checks are made.
15 | applies_to file
16 | read-only
17 | fixed_start 0x80 //'aa' or 'Zb'
18 | // Parsing is anchored at file offset 0x80; the first field sits 24 bytes before that anchor (0x68).
19 | begin
20 | move -24
21 | section "Event Trace Log Header (x64)"
22 | uint32 "BufferSize (Bytes)"
23 | uint8 "OS MajorVersion"
24 | uint8 "OS MinorVersion"
25 | move 2
26 | uint32 "OS Build Number"
27 | uint32 "NumberOfProcessors"
28 | FileTime "EndTime (UTC)"
29 | uint32 "TimerResolution"
30 | uint32 "MaxFileSize (MB)"
31 | uint32 "LogFileMode"
32 | uint32 "BuffersWritten"
33 | uint32 "StartBuffers"
34 | uint32 "PointerSize"
35 | uint32 "EventsLost"
36 | uint32 "CPUSpeed (MHz)"
37 | int64 "LoggerName: pointerValue" // NOTE(review): presumably a pointer captured at trace time, not a file offset; the name strings are read separately below
38 | int64 "LogFileName: pointerValue"
39 | move 4
40 | zstring16 "TimeZoneInformation" // zero-terminated, so its length varies; the position is re-anchored on the next line
41 | gotoex 0x80
42 | move 224 // 0x80 + 224 = 0x160
43 | FileTime "BootTime (UTC)"
44 | int64 "PerfFreq"
45 | FileTime "StartTime (UTC)"
46 | uint32 "ReservedFlags"
47 | uint32 "BuffersLost"
48 | zstring16 "SessionNameString"
49 | zstring16 "LogFileNameString"
50 | endsection
51 |
52 | end
53 |
--------------------------------------------------------------------------------
/EVTX Chunk Header.tpl:
--------------------------------------------------------------------------------
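1 | Template "EVTX Chunk Header"
2 |
3 | // Costas Katsavounidis - 2021 v.1
4 | // kacos2000 [at] gmail.com
5 | // https://github.com/kacos2000
6 | // Displays the record counters, offsets and the two stored CRC32 values of one EVTX chunk header.
7 | description "EVTX Chunk Header"
8 | // Ref: https://github.com/libyal/libevtx/blob/main/documentation/Windows%20XML%20Event%20Log%20(EVTX).asciidoc#3-chunk
9 | // Both CRC32 fields are shown as stored; the template does not recompute them, so a mismatch has to be verified separately.
10 | read-only
11 | requires 0 "456C6643686E6B00"
12 |
13 | begin
14 | Section "EVTX Chunk Header"
15 | char[8] "Signature" //Must be 0x456C6643686E6B00
16 | int64 "First event record number"
17 | int64 "Last event record number"
18 | int64 "First event record ID"
19 | int64 "Last event record ID"
20 | uint32 "Header size"
21 | uint32 "Last event record data offset"
22 | uint32 "Free space offset"
23 | hex 4 "CRC32 of the events records data"
24 | goto 120 // bytes 56-119 are skipped and not displayed
25 | move 4 // bytes 120-123 are skipped as well; the header checksum is at offset 124
26 | hex 4 "CRC32 (1st 120 + 128-512 bytes of the chunk)"
27 | endSection
28 | end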
--------------------------------------------------------------------------------
/EVTX File Header.tpl:
--------------------------------------------------------------------------------
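1 | Template "EVTX File Header"
2 |
3 | // Costas Katsavounidis - 2021 v.1
4 | // kacos2000 [at] gmail.com
5 | // https://github.com/kacos2000
6 | // Displays the EVTX file header fields from offset 0 up to the checksum that ends at offset 128.
7 | description "EVTX File Header"
8 | // Ref: https://github.com/libyal/libevtx/blob/main/documentation/Windows%20XML%20Event%20Log%20(EVTX).asciidoc#2-file-header
9 | // Flags and the CRC32 are shown as stored; the checksum is not recomputed, so a mismatch has to be verified separately.
10 | read-only
11 | requires 0 "456C6646696C6500"
12 |
13 | begin
14 | Section "EVTX File Header"
15 | char[8] "Signature" //Must be 0x456C6646696C6500
16 | int64 "First chunk number"
17 | int64 "Last chunk number"
18 | int64 "Next record identifier"
19 | uint32 "Header size"
20 | move 2 // version is stored minor first (offset 36), then major (offset 38); show major first
21 | uint16 "Major version"
22 | move -4
23 | uint16 "Minor version"
24 | move 2 // skip the major version already shown; header block size starts at offset 40 (was "move 3", one byte too far)
25 | uint16 "Header block size"
26 | uint16 "Number of chunks"
27 | goto 120
28 | uint32 "Flags" // only the exact values 1 and 2 get a label below; any other value is shown as the raw number only
29 | ifEqual Flags 1
30 | move -4
31 | Hex 1 "=> Is dirty"
32 | move 3
33 | else
34 | ifEqual Flags 2
35 | move -4
36 | Hex 1 "=> Is full"
37 | move 3
38 | endIf
39 | little-endian hex 4 "CRC32 (1st 120 bytes of Header)"
40 | endSection
41 | end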
--------------------------------------------------------------------------------
/EVTX Record Structure.tpl:
--------------------------------------------------------------------------------
1 | Template "EVTX Record Structure"
2 |
3 | // Costas Katsavounidis - 2021 v.1
4 | // kacos2000 [at] gmail.com
5 | // https://github.com/kacos2000
6 | // Displays one event record: header, Binary XML payload as raw hex, and the trailing size copy.
7 | description "EVTX Record Structure"
8 | // Ref: https://svch0st.medium.com/event-log-tampering-part-2-manipulating-individual-event-logs-3de37f7e3a85
9 | // Record_Size is taken from the record itself and decides how many bytes are shown as Binary XML.
10 | read-only
11 | multiple
12 | requires 0 "2A2A00"
13 | // Fixed overhead is 28 bytes: the 24-byte header (4+4+8+8) plus the 4-byte trailing size copy.
14 | begin
15 | Section "EVTX Record Header"
16 | hex 4 "Signature" //Must be 0x2A2A00
17 | uint32 "Record_Size"
18 | int64 "Record ID"
19 | FileTime "Record Timestamp"
20 | endSection
21 |
22 | Section "EVTX Record XML"
23 | hex (Record_Size-28) "Record (Binary XML)" // a Record_Size below 28 makes this length negative; treat such a record as damaged or altered
24 | endSection
25 | Section "EVTX Record Footer"
26 | uint32 "Record Size (Copy)" // expected to match Record_Size; the template does not compare the two values
27 | endSection
28 | end
--------------------------------------------------------------------------------
/ExFAT Directory Entries.tpl:
--------------------------------------------------------------------------------
1 | template "ExFAT Directory Entries"
2 |
3 | // Costas Katsavounidis - 2021 v.1c
4 | // kacos2000 [at] gmail.com
5 | // https://github.com/kacos2000
6 | // Decodes one primary directory entry and, for file entries, the Stream Extension and File Name entries after it.
7 | description "ExFAT Directory Entries"
8 | // Ref: https://docs.microsoft.com/en-us/windows/win32/fileio/exfat-specification#6-directory-structure
9 | applies_to disk
10 | read-only
11 | // The signature checks below are commented out, so any first byte is accepted and dispatch happens in the body.
12 | // requires 0 "81"
13 | // requires 0 "82"
14 | // requires 0 "83"
15 | // requires 0 "85"
16 | // requires 0 "05"
17 | // requires 0 "A0"
18 |
19 | begin
20 | Section "Directory File Entry"
21 | hex 1 "Type Code"
22 | move -1
23 | binary[1] "Type Code binary"
24 | move -1 // re-read the same byte bit by bit; each uint_flex advances 4 bytes, hence the move -4 steps
25 | uint_flex "0" " | Bit 0 - TypeCode"
26 | move -4
27 | uint_flex "1" " | Bit 1 - TypeCode"
28 | move -4
29 | uint_flex "2" " | Bit 2 - TypeCode"
30 | move -4
31 | uint_flex "3" " | Bit 3 - TypeCode"
32 | move -4
33 | uint_flex "4" " | Bit 4 - TypeCode"
34 | move -4
35 | uint_flex "5" " | Bit 5 - 0: Critical, 1: Benign" //TypeImportance
36 | move -4
37 | uint_flex "6" " | Bit 6 - 0: Primary, 1: Secondary" //TypeCategory
38 | move -4
39 | uint_flex "7" " | Bit 7 - 0: Not In Use, 1: In Use" //InUse
40 | move -3
41 | ifEqual "Type Code" 0x81
42 | uint8 "0: 1st bitmap, 1: 2nd bitmap"
43 | hex 18 "Reserved"
44 | uint32 "First Cluster"
45 | int64 "Bitmap Data Length"
46 | end
47 | else ifEqual "Type Code" 0x82
48 | hex 3 "Reserved"
49 | little-endian hex 4 "Table checksum"
50 | hex 12 "Reserved"
51 | uint32 "FirstCluster"
52 | int64 "Up-Case Table Data Length"
53 | end
54 | else ifEqual "Type Code" 0x83
55 | uint8 "Character Count"
56 | little-endian string16 "Character Count" "Volume Label"
57 | hex 8 "Reserved"
58 | end
59 | else ifEqual "Type Code" 0x85
60 | move 0
61 | else ifEqual "Type Code" 0x05 //0x85 with the In Use bit (bit 7) cleared: a file entry that is no longer in use
62 | move 0
63 | else ifEqual "Type Code" 0xA0 //Volume GUID Directory Entry
64 | int8 "Number_of_Secondary_entries" //the valid value for this field is 0
65 | little-endian hex 2 "SetChecksum"
66 | little-endian hex 2 "General Primary Flags"
67 | GUID "Volume GUID"
68 | hex 10 "Reserved"
69 | end
70 | else ifEqual "Type Code" 0xA1 //exFAT Padding Directory Entry
71 | end
72 | else ifEqual "Type Code" 0xA2 //Windows CE Access Control Table Directory Entry
73 | end
74 | else
75 | end
76 | endIF
77 | uint8 "Number_of_Secondary_entries" //read from disk as stored; also the loop bound for the File Name entries at the end of the template
78 | little-endian hex 2 "SetChecksum"
79 | binary[1] "File Attributes "
80 | move -1
81 | uint_flex "0" " | Bit 0 - Read Only"
82 | move -4
83 | uint_flex "1" " | Bit 1 - Hidden"
84 | move -4
85 | uint_flex "2" " | Bit 2 - System"
86 | move -4
87 | uint_flex "3" " | Bit 3 - Reserved1"
88 | move -4
89 | uint_flex "4" " | Bit 4 - Directory"
90 | move -4
91 | uint_flex "5" " | Bit 5 - Archive"
92 | move -4
93 | uint_flex "6,7,8,9,10,11,12,13,14,15" " | Bits 6-15 - Reserved2"
94 | move -2
95 | hex 2 "Reserved1"
96 | uint_flex "4,3,2,1,0" "|Bits 0 - 4 - Create DoubleSeconds (x2)" //two-second multiples
97 | move -4
98 | uint_flex "10,9,8,7,6,5" "|Bits 5 -10 - Create Minutes"
99 | move -4
100 | uint_flex "15,14,13,12,11" "|Bits 11-15 - Create Hour"
101 | move -4
102 | uint_flex "20,19,18,17,16" "|Bits 16-20 - Create Day"
103 | move -4
104 | uint_flex "24,23,22,21" "|Bits 21-24 - Create Month"
105 | move -4
106 | uint_flex "31,30,29,28,27,26,25" "|Bits 25-31 - Create Year (+1980)"
107 | move -4
108 | dosdatetime "CreateTimestamp"
109 | uint_flex "4,3,2,1,0" "|Bits 0 - 4 - Modified DoubleSeconds (x2)" //two-second multiples
110 | move -4
111 | uint_flex "10,9,8,7,6,5" "|Bits 5 -10 - Modified Minutes"
112 | move -4
113 | uint_flex "15,14,13,12,11" "|Bits 11-15 - Modified Hour"
114 | move -4
115 | uint_flex "20,19,18,17,16" "|Bits 16-20 - Modified Day"
116 | move -4
117 | uint_flex "24,23,22,21" "|Bits 21-24 - Modified Month"
118 | move -4
119 | uint_flex "31,30,29,28,27,26,25" "|Bits 25-31 - Modified Year (+1980)"
120 | move -4
121 | dosdatetime "Last Modified Timestamp"
122 | uint_flex "4,3,2,1,0" "|Bits 0 - 4 - Accessed DoubleSeconds (x2)" //two-second multiples
123 | move -4
124 | uint_flex "10,9,8,7,6,5" "|Bits 5 -10 - Accessed Minutes"
125 | move -4
126 | uint_flex "15,14,13,12,11" "|Bits 11-15 - Accessed Hour"
127 | move -4
128 | uint_flex "20,19,18,17,16" "|Bits 16-20 - Accessed Day"
129 | move -4
130 | uint_flex "24,23,22,21" "|Bits 21-24 - Accessed Month"
131 | move -4
132 | uint_flex "31,30,29,28,27,26,25" "|Bits 25-31 - Accessed Year (+1980)"
133 | move -4
134 | dosdatetime "Last Accessed Timestamp"
135 | byte "Create 10ms Increment"
136 | byte "Last Modified 10ms Increment"
137 | int8 "CreateUtcOffset (Signed Equiv)"
138 | move -1
139 | little-endian uint_flex "0,1,2,3,4,5,6" "Bits 0-6 - CreateUtcOffset (15')" //15 minute interval
140 | move -4
141 | uint_flex "7" "Bit 7 - CreateOffsetValid (1: Valid)"
142 | move -3
143 | int8 "LastModifiedUtcOffset (Signed Equiv)"
144 | move -1
145 | little-endian uint_flex "0,1,2,3,4,5,6" "Bits 0-6 - LastModifiedUtcOffset (15')" //15 minute interval
146 | move -4
147 | uint_flex "7" "Bit 7 - LastModifiedOffsetValid (1: Valid)"
148 | move -3
149 | int8 "LastAccessedUtcOffset (Signed Equiv)"
150 | move -1
151 | little-endian uint_flex "0,1,2,3,4,5,6" "Bits 0-6 - LastAccessedUtcOffset (15')" //15 minute interval
152 | move -4
153 | uint_flex "7" "Bit 7 - LastAccessedOffsetValid (1: Valid)"
154 | move -3
155 | hex 7 "Reserved2"
156 | endsection
157 |
158 | Section "Stream Extension" // 32-byte entry read directly after the file entry: flags, name length/hash, sizes and first cluster
159 | hex 1 "Type Code" // 0xC0 or 0x40
160 | move -1
161 | binary[1] "Type Code binary"
162 | move -1
163 | uint_flex "0" " | Bit 0 - TypeCode"
164 | move -4
165 | uint_flex "1" " | Bit 1 - TypeCode"
166 | move -4
167 | uint_flex "2" " | Bit 2 - TypeCode"
168 | move -4
169 | uint_flex "3" " | Bit 3 - TypeCode"
170 | move -4
171 | uint_flex "4" " | Bit 4 - TypeCode"
172 | move -4
173 | uint_flex "5" " | Bit 5 - 0: Critical, 1: Benign" //TypeImportance
174 | move -4
175 | uint_flex "6" " | Bit 6 - 0: Primary, 1: Secondary" //TypeCategory
176 | move -4
177 | uint_flex "7" " | Bit 7 - 0: Not In Use, 1: In Use" //InUse
178 | move -3
179 | binary[1] "Secondary Flags"
180 | move -1
181 | uint_flex "0" " | AllocationPossible (0: No, 1: Yes)"
182 | move -4
183 | uint_flex "1" " | NoFatChain (0: Valid, 1: Invalid)"
184 | move -4
185 | uint_flex "2,3,4,5,6,7" " | Custom bits [2-7]"
186 | move -3
187 | hex 1 "Reserved1"
188 | byte "Name Length" // displayed only; the File Name loop that follows is bounded by Number_of_Secondary_entries instead
189 | little-endian hex 2 "Name hash" // shown as stored; not recomputed from the file name
190 | hex 2 "Reserved2"
191 | int64 "Valid Data Length"
192 | hex 4 "Reserved3"
193 | uint32 "First Cluster"
194 | int64 "Data Length"
195 | endsection
196 |
197 | numbering 1{
198 | Section "File Name Directory Entry #~" //repeated Number_of_Secondary_entries-1 times; that count is read from disk and is not validated
199 | hex 1 "Type Code" // 0xC1 or 0x41
200 | move -1
201 | binary[1] "Type Code binary"
202 | move -1
203 | uint_flex "0" " | Bit 0 - TypeCode"
204 | move -4
205 | uint_flex "1" " | Bit 1 - TypeCode"
206 | move -4
207 | uint_flex "2" " | Bit 2 - TypeCode"
208 | move -4
209 | uint_flex "3" " | Bit 3 - TypeCode"
210 | move -4
211 | uint_flex "4" " | Bit 4 - TypeCode"
212 | move -4
213 | uint_flex "5" " | Bit 5 - 0: Critical, 1: Benign" //TypeImportance
214 | move -4
215 | uint_flex "6" " | Bit 6 - 0: Primary, 1: Secondary" //TypeCategory
216 | move -4
217 | uint_flex "7" " | Bit 7 - 0: Not In Use, 1: In Use" //InUse
218 | move -3
219 | binary[1] "Secondary Flags"
220 | little-endian string16 15 "Filename Unicode" //15 UTF-16 characters (30 bytes) per entry; longer names continue in the next entry
221 | endSection
222 | }[(Number_of_Secondary_entries-1)]
223 |
224 |
225 | end
--------------------------------------------------------------------------------
/ExFAT_VBR.tpl:
--------------------------------------------------------------------------------
1 | template "ExFAT - VBR"
2 |
3 | // Costas Katsavounidis - 2021 v.2
4 | // kacos2000 [at] gmail.com
5 | // https://github.com/kacos2000
6 |
7 | // To be applied to first sector (sector 0) of a Volume, OR
8 | // to the last sector of a Volume
9 | // Fields are displayed as stored; the value ranges quoted in the comments below are not enforced by the template.
10 | description "ExFAT - Volume Boot Record Structure"
11 | applies_to disk
12 | sector-aligned
13 | read-only
14 |
15 | requires 0x03 "45 58 46 41 54 20 20 20" // ExFAT signature, including trailing spaces
16 | requires 0x1FE "55 AA"
17 | // The 53-byte MustBeZero area and the 7 reserved bytes are skipped, so any non-zero data there is not shown.
18 | begin
19 | section "Boot Sector Structure"
20 | hex 2 "JMP instruction" //Valid: EBh 76h
21 | move 1 //0x90 in assembly = "no op"; short for no operation
22 | // https://thestarman.pcministry.com/asm/mbr/NTFSBR.htm
23 | char[8] "File System Name"
24 | move 53 //skip 'MustBeZero' part - helps to prevent FAT12/16/32 implementations from mistakenly mounting an exFAT volume
25 | int64 "Partition Offset"
26 | int64 "Volume Length (sectors)"
27 | uint32 "FAT Offset (sectors)" //At least 24. Volume-relative
28 | uint32 "FAT Length (sectors)" //length, in sectors, of each FAT table
29 | uint32 "Cluster Heap Offset"
30 | uint32 "Cluster Count"
31 | uint32 "First Cluster Of Root Directory" //Min: 2, Max: ClusterCount + 1
32 | hex 4 "Volume Serial Number" //Implementations should generate the serial number by combining the date and time of formatting the exFAT volume.
33 | // File System Revision
34 | // The high-order byte is the major revision number and the low-order byte is the minor revision number
35 | move 1
36 | uint8 "File System Revision: Major" //Range 0-1
37 | move -2
38 | uint8 "File System Revision: Minor" //Range 0-99
39 | move 1
40 | hex 2 "VolumeFlags"
41 | move -2
42 | uint_flex "0" "Bit 0 - Active FAT"
43 | move -4
44 | uint_flex "1" "Bit 1 - Volume Dirty"
45 | move -4
46 | uint_flex "2" "Bit 2 - Media Failure"
47 | move -4
48 | uint_flex "3" "Bit 3 - Clear to Zero"
49 | move -2
50 | uint8 "Bytes per Sector (2^x)" //Range 9-12
51 | uint8 "Sectors per Cluster (2^x)" //Range 0-25
52 | uint8 "Number Of Fats" //Range 1 or (2: volume contains 1st FAT, 2nd FAT, 1st Allocation Bitmap, and 2nd Allocation Bitmap; only valid for TexFAT volumes)
53 | hex 1 "Drive Select (INT 13h drive Nr)"
54 | //0x00: 1st floppy disk ( "drive A:" )
55 | //0x01: 2nd floppy disk ( "drive B:" )
56 | //..
57 | //0x7F: 128th floppy disk
58 | //0x80: 1st hard disk
59 | //0x81 2nd hard disk
60 | //0x82: 3rd hard disk
61 | //..
62 | //0xFF: 128th hard disk
63 | uint8 "% of clusters in the Cluster Heap In Use"
64 | move 7 //skip 'Reserved' part
65 | endsection
66 | Section "Boot Code"
67 | hex 390 "Boot Code" //offsets 0x78 to 0x1FD, shown as raw hex
68 | endsection
69 | goto 0x1FE
70 | Section "Signature"
71 | hex 2 "Boot Signature" //describes whether the intent of a given sector is for it to be a Boot Sector (=AA55h) or not
72 | endsection
73 | end
74 |
75 | // Reference:
76 | // https://docs.microsoft.com/en-us/windows/win32/fileio/exfat-specification#31-main-and-backup-boot-sector-sub-regions
--------------------------------------------------------------------------------
/FAT_VBR.tpl:
--------------------------------------------------------------------------------
1 | template "FAT12/16/32 VBR"
2 |
3 | // Costas Katsavounidis - 2021 v.1a
4 | // kacos2000 [at] gmail.com
5 | // https://github.com/kacos2000
6 |
7 | // To be applied to sector 0 of a FAT Volume
8 | // If the Volume is FAT32, it also reads the Backup VBR, otherwise
9 | // if the Volume is FAT12/16, the template must be applied to byte 0 of the backup VBR
10 | // Apart from the boot signature and the reserved-sector check, BPB values are displayed as stored and not range-checked.
11 | description "FAT12/16/32 - Volume Boot Record Structure"
12 | applies_to disk
13 | sector-aligned
14 | read-only
15 |
16 | requires 0x1FE "55 AA" //Valid boot sector signature
17 |
18 | begin
19 | section "Boot Sector & BPB Structure"
20 | hex 2 "JMP instruction" //Valid: 0xEB?? or 0xE9??
21 | move 1 //0x90 in assembly = "no op"; short for no operation
22 | // https://thestarman.pcministry.com/asm/mbr/NTFSBR.htm
23 | char[8] "OEM Name" //Microsoft OSs don't pay any attention to this field.
24 | uint16 "Bytes_per_sector" //Range: 512, 1024, 2048 or 4096
25 | uint8 "Sectors per cluster"
26 | uint16 "Reserved sectors (> 0)" //This field must not be 0
27 | ifGreater "Reserved sectors (> 0)" 0
28 | move 0
29 | else
30 | endSection
31 | end //a zero reserved-sector count stops the template here; the remaining BPB fields are not displayed
32 | endIf
33 | uint8 "Nr of FATs"
34 | uint16 "Nr of Root entries (12/16 bit)"
35 | uint16 "Total Sectors (12/16 bit)"
36 | hex 1 "Media descriptor (hex)" //Range: F0, F8, F9, FA, FB, FC, FD, FE, and FF
37 | uint16 "Sectors per FAT (12/16 bit)"
38 | uint16 "Sectors per track (for INT 13h)"
39 | uint16 "Nr of Heads (for INT 13h)"
40 | uint32 "Nr of Hidden sectors"
41 | uint32 "Total Sectors (32 bit)"
42 | endSection
43 |
44 | // Read the rest of the structure according to the File System type
45 | // FAT12/16 specific structure
46 | // The only discriminator is the root-entry count: non-zero is decoded as FAT12/16, zero as FAT32.
47 | ifGreater "Nr of Root entries (12/16 bit)" 0
48 | section "FAT12/16 Section"
49 | hex 1 "Drive Select (INT 13h drive Nr)"
50 | move 1 //Skip reserved byte used by Windows NT
51 | hex 1 "Extended boot signature (12/16 bit)" //Specifies if the next 3 fields are used (= 0x29)
52 | hex 4 "Volume Serial Number" // This ID is usually generated by simply combining the current date and time into a 32-bit value.
53 | char[11] "Volume Label"
54 | char[8] "File System type" //FAT12, FAT16 or FAT
55 | goto 0x1FE
56 | hex 2 "Boot Signature" //describes whether the intent of a given sector is for it to be a Boot Sector (=AA55h) or not
57 | endSection
58 | end
59 | // FAT32 specific structure + Backup VBR
60 | // A BPB whose root-entry count reads zero is decoded as FAT32 even if the volume is not; check "File System type" as well.
61 | else
62 | goto 36
63 | section "FAT32 Section"
64 | uint32 "Nr. of Sectors per FAT" //Sectors occupied by ONE FAT
65 | hex 2 "Extended flags (hex)"
66 | move -2
67 | uint_flex "0" "bit 0: FAT1 active"
68 | move -4
69 | uint_flex "1" "bit 1: FAT2 active"
70 | move -4
71 | uint_flex "2" "bit 2: FAT3 active"
72 | move -4
73 | uint_flex "3" "bit 3: FAT4 active"
74 | move -4
75 | uint_flex "7" "bit 7: FAT mirroring off - only 1 FAT active"
76 | move -2
77 | uint8 "File system major version"
78 | uint8 "File system minor version"
79 | uint32 "Root Directory 1st cluster" //Usually 2 but not required to be 2
80 | uint16 "Sector Nr of FSINFO structure" //Usually 1
81 | uint16 "Backup_boot_sector" //In the reserved area of the volume - Usually 6. No value other than 6 is recommended.
82 | move 12 //Skip Reserved bytes - must be 0
83 | hex 1 "Drive Select (INT 13h drive Nr)"
84 | move 1 //Skip Reserved1 bytes
85 | hex 1 "Extended boot signature (0x29) (32bit)" //Specifies if the next 3 fields are used (= 0x29)
86 | hex 4 "Volume Serial Number (32bit)"
87 | char[11] "Volume Label (32bit)"
88 | char[8] "File System type (32bit)" //FAT32
89 | goto 0x1FE
90 | hex 2 "Boot Signature" //describes whether the intent of a given sector is for it to be a Boot Sector (=AA55h) or not
91 | endsection
92 |
93 | //Read the backup VBR:
94 | // The target offset is computed from two on-disk values; a Backup_boot_sector of 0 re-reads sector 0, and the boot signature of the target sector is not checked first.
95 | goto ((Backup_boot_sector)*(Bytes_per_sector))
96 | section "[Backup] Boot Sector & BPB Structure"
97 | hex 2 "JMP instruction" //Valid: 0xEB?? or 0xE9??
98 | move 1 //0x90 in assembly = "no op"; short for no operation
99 | // https://thestarman.pcministry.com/asm/mbr/NTFSBR.htm
100 | char[8] "OEM Name" //Microsoft OSs don't pay any attention to this field.
101 | uint16 "Bytes_per_sector" //Range: 512, 1024, 2048 or 4096
102 | uint8 "Sectors per cluster"
103 | uint16 "Reserved sectors" //This field must not be 0
104 | uint8 "Nr of FATs"
105 | uint16 "Nr of Root entries (12/16 bit)"
106 | uint16 "Total Sectors (12/16 bit)"
107 | hex 1 "Media descriptor (hex)" //Range: F0, F8, F9, FA, FB, FC, FD, FE, and FF
108 | uint16 "Sectors per FAT (12/16 bit)"
109 | uint16 "Sectors per track (for INT 13h)"
110 | uint16 "Nr of Heads (for INT 13h)"
111 | uint32 "Nr of Hidden sectors"
112 | uint32 "Total Sectors (32 bit)"
113 | endSection
114 | section "[Backup] FAT32 Section"
115 | uint32 "Nr. of Sectors per FAT" //Sectors occupied by ONE FAT
116 | hex 2 "Extended flags (hex)"
117 | move -2
118 | uint_flex "0" "bit 0: FAT1 active"
119 | move -4
120 | uint_flex "1" "bit 1: FAT2 active"
121 | move -4
122 | uint_flex "2" "bit 2: FAT3 active"
123 | move -4
124 | uint_flex "3" "bit 3: FAT4 active"
125 | move -4
126 | uint_flex "7" "bit 7: FAT mirroring off - only 1 FAT active"
127 | move -2
128 | uint8 "File system major version"
129 | uint8 "File system minor version"
130 | uint32 "Root Directory 1st cluster" //Usually 2 but not required to be 2
131 | uint16 "Sector Nr of FSINFO structure" //Usually 1
132 | uint16 "Backup boot sector" //In the reserved area of the volume - Usually 6. No value other than 6 is recommended.
133 | move 12 //Skip Reserved bytes - must be 0
134 | hex 1 "Drive Select (INT 13h drive Nr)"
135 | move 1 //Skip Reserved1 bytes
136 | hex 1 "Extended boot signature (0x29) (32bit)" //Specifies if the next 3 fields are used (= 0x29)
137 | hex 4 "Volume Serial Number (32bit)"
138 | char[11] "Volume Label (32bit)"
139 | char[8] "File System type (32bit)" //FAT32
140 | move 420 //90 + 420 = 510: the boot signature position inside the backup sector
141 | hex 2 "Boot Signature" //describes whether the intent of a given sector is for it to be a Boot Sector (=AA55h) or not
142 | endsection
143 | goto 0
144 | endIf
145 | // Primary and [Backup] values are shown side by side but never compared; differences between them have to be spotted by the examiner.
146 | end
147 |
148 | //Reference (Hardware White Paper):
149 |
150 | //Title: Microsoft Extensible Firmware Initiative
151 | // FAT32 File System Specification
152 | // FAT: General Overview of On-Disk Format
153 | //Link: https://download.microsoft.com/download/1/6/1/161ba512-40e2-4cc9-843a-923143f3456c/fatgen103.doc
--------------------------------------------------------------------------------
/GPT.tpl:
--------------------------------------------------------------------------------
1 | template "GPT Partition Table"
2 |
3 | // Based on Template by Stefan Fleischmann
4 | // X-Ways Software Technology AG
5 | //
6 | // modified by
7 | //
8 | // Costas Katsavounidis - 2021 v.1
9 | // kacos2000 [at] gmail.com
10 | // https://github.com/kacos2000
11 | // Offsets are hard-coded for 512-byte sectors: GPT header expected at byte 512, partition entries at byte 1024.
12 | // To be applied to sector 0 of a physical hard disk
13 |
14 | description "GPT Partition Table"
15 | applies_to disk
16 | sector-aligned
17 | requires 512 "45 46 49 20 50 41 52 54" //EFI PART
18 | read-only
19 | // Only the primary header is decoded; the Backup LBA is displayed but the backup header is not read.
20 | begin
21 | goto 0
22 | move 446
23 |
24 | section "Protective MBR (if Partition Type = 0xEE)"
25 | uint8 "Boot Indicator (0x80=Bootable)" //If TRUE (0x80), the partition is active and can be booted
26 | hex 1 "Starting Head"
27 | hex 1 "Starting Sector"
28 | hex 1 "Starting Cylinder"
29 | hex 1 "Partition Type (Should be 0xEE)" //Protective MBR area exists on a GPT partition layout for backward compatibility
30 | hex 1 "Ending Head"
31 | hex 1 "Ending Sector"
32 | hex 1 "Ending Cylinder"
33 | uint32 "Starting LBA"
34 | uint32 "Size in LBA"
35 | endsection
36 |
37 | move 50 // 462 + 50 = 512: skips the other three MBR slots and the 55 AA signature
38 |
39 | section "GPT - Header"
40 | char[8] "GPT Signature"
41 | hex 4 "Revision No"
42 | move -2
43 | uint16 "- Revision: Major"
44 | move -4
45 | uint16 "- Revision: Minor"
46 | move 2
47 | uint32 "Header Size (Nr of bytes)"
48 | hexadecimal uint32 "Header CRC32"
49 | move 4 // Skip 4 reserved bytes
50 | int64 "Primary LBA"
51 | int64 "Backup LBA"
52 | int64 "First Usable LBA"
53 | int64 "Last Usable LBA"
54 | hex 16 "Disk GUID (hex)"
55 | move -16
56 | GUID "Disk GUID"
57 | int64 "Partition Entry LBA" // Always 2 in the Primary GPT
58 | uint32 "(Max) Nr of Partition Entries"
59 | uint32 "Size of Partition Entries (bytes)"
60 | hexadecimal uint32 "Partition Entry Array CRC32"
61 | endsection
62 | // https://www.ntfs.com/guid-part-table.htm
63 | // Neither CRC32 is recomputed; the entry array is located by a fixed skip, not by the Partition Entry LBA field above.
64 | move 420
65 | // GPT Partitions list
66 | numbering 1
67 | {
68 | section "GPT - Partition Entry #~"
69 | // Each entry is read as 128 bytes (16+16+8+8+8+72), regardless of the entry size stated in the header.
70 | hex 16 "Partition Type (hex)"
71 | IfEqual "Partition Type (hex)" 0x00000000000000000000000000000000
72 | ExitLoop
73 | else
74 | IfEqual "Partition Type (hex)" 0xA4BB94DED106404DA16ABFD50179D6AC
75 | move -16
76 | GUID "=> MS Recovery Partition"
77 | else
78 | IfEqual "Partition Type (hex)" 0x28732AC11FF8D211BA4B00A0C93EC93B
79 | move -16
80 | GUID "=> EFI System Partition"
81 | else
82 | IfEqual "Partition Type (hex)" 0x16E3C9E35C0BB84D817DF92DF00215AE
83 | move -16
84 | GUID "=> MS Reserved Partition"
85 | else
86 | IfEqual "Partition Type (hex)" 0xA2A0D0EBE5B9334487C068B6B72699C7
87 | move -16
88 | GUID "=> Basic data partition (Win)"
89 | else
90 | move -16
91 | GUID "Partition Type GUID"
92 | EndIf
93 | // https://docs.microsoft.com/en-us/windows/win32/api/winioctl/ns-winioctl-partition_information_gpt
94 |
95 | GUID "Unique Partition GUID"
96 | int64 "Starting LBA"
97 | IfEqual "Starting LBA" 0
98 | ExitLoop
99 | EndIf
100 | int64 "Ending LBA"
101 | hex 8 "Attribute Bits (hex)"
102 | move -8
103 | uint_flex "0" "- [0x01]: Platform Required" //0x0000000000000001
104 | move 3
105 | uint_flex "7" "- [0x80]: No Drive Letter" //0x8000000000000000
106 | move -4
107 | uint_flex "6" "- [0x40]: Hidden" //0x4000000000000000
108 | move -4
109 | uint_flex "5" "- [0x20]: Shadow Copy" //0x2000000000000000
110 | move -4
111 | uint_flex "4" "- [0x10]: Read Only" //0x1000000000000000
112 | move -3
113 | // https://docs.microsoft.com/en-us/windows/win32/api/winioctl/ns-winioctl-partition_information_gpt
114 | string16 36 "Partition #~ Name"
115 | endsection
116 | }[128]
117 | // The loop stops at the first slot with an all-zero type GUID or a zero Starting LBA, so used entries after an empty slot are not displayed.
118 | end
--------------------------------------------------------------------------------
/INFO2 Structure.tpl:
--------------------------------------------------------------------------------
1 | template "INFO2 Structure"
2 |
3 | // Costas Katsavounidis - 2021 v.1
4 | // kacos2000 [at] gmail.com
5 | // https://github.com/kacos2000
6 | //
7 | // To be applied to INFO2 files at
8 | // offset 0 of the file
9 | // Shows the 20-byte header, then one record for each entry counted in the header.
10 | description "INFO2 Structure"
11 | applies_to file
12 | read-only
13 |
14 | // ref: https://github.com/libyal/dtformats/blob/main/documentation/Windows%20Recycler%20file%20formats.asciidoc
15 | // Entry count and record size come from the header and are used as stored, without checking them against the file size.
16 | begin
17 | Section "Header"
18 | uint32 "Version"
19 | uint32 "Number_of_file_entries"
20 | uint32 "Previous Number of file entries"
21 | uint32 "Record_Size"
22 | hex 4 "Unknown"
23 | endSection
24 | // If the header records no entries, the template stops after the header.
25 | ifGreater Number_of_file_entries 0
26 | move 0
27 | else
28 | end
29 | endIF
30 | numbering 1{
31 | Section "File Entry #~"
32 | char[260] "Original filename [ASCII]"
33 | uint32 "Index within INFO2"
34 | uint32 "Drive Number"
35 | FileTime "Deletion date and time"
36 | uint32 "Original File size"
37 | ifGreater Record_Size 280 // 280 = 260+4+4+8+4; a larger record is read as also carrying the 520-byte UTF-16 name
38 | string16 260 "Original filename [UTF-16]"
39 | endIf
40 | endSection
41 | }[Number_of_file_entries]
42 | end
--------------------------------------------------------------------------------
/MBR-GPT.tpl:
--------------------------------------------------------------------------------
1 | template "MBR & GPT Partition Table"
2 | // Shows the MBR disk signature and its four partition entries, then, when an "EFI PART" signature is found, the GPT header and partition entries.
3 | // Based on Template by Stefan Fleischmann
4 | // X-Ways Software Technology AG
5 | //
6 | // modified by
7 | //
8 | // Costas Katsavounidis - 2021 v.2
9 | // kacos2000 [at] gmail.com
10 | // https://github.com/kacos2000
11 |
12 | // To be applied to sector 0 of a physical hard disk
13 |
14 | // Checks for GPT Partition, and if found,
15 | // reads the GPT Partition entries too
16 | // Updated to work with both 512 & 4096 byte sector
17 |
18 | description "MBR & GPT Partition Table"
19 | applies_to disk
20 | sector-aligned
21 | requires 510 "55 AA" // the only precondition: boot signature bytes at offset 510
22 | read-only
23 |
24 | begin
25 | goto 239
26 | char[4] "Hardware Supports TPM (=TCPA)" //TCPA = "Trusted Computing Platform Alliance" => tests for the existence of a TPM chip
27 | // https://thestarman.pcministry.com/asm/mbr/W7MBR.htm#INTRO
28 | goto 440
29 | section "MBR - Disk Signature"
30 | hex 4 "Disk Signature (hex)"
31 | move -4
32 | hexadecimal uint32 "Same reversed (hex)" // as seen in Windows Registry
33 | endSection
34 | move 2 // 440 + 4 + 2 = 446, the start of the first partition entry
35 |
36 | // MBR Partitions list
37 | numbering 1
38 | {
39 | section "MBR - Partition Entry #~"
40 | hex 1 "Boot Indicator (0x80=Bootable)" //If TRUE (0x80), the partition is active and can be booted
41 | uint8 "Start head"
42 | uint_flex "5,4,3,2,1,0" "Start sector" // sectors start counting at 1
43 | move -4
44 | uint_flex "7,6,15,14,13,12,11,10,9,8" "Start cylinder"
45 | move -2
46 | hex 1 "Partition type indicator (hex)"
47 | ifEqual "Partition type indicator (hex)" 0xEE
48 | move -1
49 | hex 1 " => Protective MBR (GPT part. follows)" //Protective MBR area exists on a GPT partition layout for backward compatibility
50 | else
51 | // ref: https://docs.microsoft.com/en-us/windows/win32/fileio/basic-and-dynamic-disks
52 |
53 | ifEqual "Partition type indicator (hex)" 0x00
54 | move -1
55 | hex 1 " => Unused Partition"
56 | else
57 | ifEqual "Partition type indicator (hex)" 0x05
58 | move -1
59 | hex 1 " => Extended Partition"
60 | else
61 | ifEqual "Partition type indicator (hex)" 0x01
62 | move -1
63 | hex 1 " => FAT12 partition"
64 | else
65 | ifEqual "Partition type indicator (hex)" 0x04
66 | move -1
67 | hex 1 " => FAT16 partition"
68 | else
69 | ifEqual "Partition type indicator (hex)" 0x0B
70 | move -1
71 | hex 1 " => FAT32 partition"
72 | else
73 | ifEqual "Partition type indicator (hex)" 0x07
74 | move -1
75 | hex 1 " => IFS partition" //NTFS
76 | else
77 | ifEqual "Partition type indicator (hex)" 0x42
78 | move -1
79 | hex 1 " => logical disk manager (LDM) partition"
80 | else
81 | ifEqual "Partition type indicator (hex)" 0x80
82 | move -1
83 | hex 1 " => NTFT partition"
84 | else
85 | ifEqual "Partition type indicator (hex)" 0xC0
86 | move -1
87 | hex 1 " => NTFT mirror or striped array"
88 | else
89 | // up to here ref: https://docs.microsoft.com/en-us/windows/win32/fileio/disk-partition-types
90 | // and
91 | // https://docs.microsoft.com/en-us/windows/win32/api/vds/ns-vds-create_partition_parameters
92 |
93 | ifEqual "Partition type indicator (hex)" 0x0E
94 | move -1
95 | hex 1 " => FAT (LBA-mapped*) - (FAT16)" //Extended-INT13 equivalent of 0x06 (FAT16 formatted from Win10)
96 | else
97 | ifEqual "Partition type indicator (hex)" 0x06
98 | move -1
99 | hex 1 " => UDF partition" //UDF formatted from Win10
100 | else
101 | ifEqual "Partition type indicator (hex)" 0x0C
102 | move -1
103 | hex 1 " => FAT32 (LBA-mapped*) " //FAT32 formatted from Win10 - Extended-INT13 equivalent of 0x0B
104 | else
105 | ifEqual "Partition type indicator (hex)" 0x0F
106 | move -1
107 | hex 1 " => Extended partition (LBA-mapped*)" //Extended-INT13 equivalent of 0x05
108 | else
109 | move -1
110 | hex 1 " => https://www.win.tue.nl/~aeb/partitions/partition_types-1.html <="
111 | //*Full list: https://www.win.tue.nl/~aeb/partitions/partition_types-1.html
112 | EndIf
113 | uint8 "End head"
114 | uint_flex "5,4,3,2,1,0" "End sector" // Max value = 63
115 | move -4
116 | uint_flex "7,6,15,14,13,12,11,10,9,8" "End cylinder"
117 | move -2
118 | uint32 "Sectors preceding partition ~"
119 | uint32 "Sectors in partition ~"
120 | } [4]
121 | // NOTE(review): the section is opened inside the loop body, but this endsection comes after the closing brace - confirm the placement is intended.
122 | endsection
123 |
124 | hex 2 "MBR Boot Signature" //describes whether the intent of a given sector is for it to be a Boot Sector (=AA55h) or not
125 | // End of Master Boot Record (MBR)
126 | // **********************************************************
127 | Section "GPT - Signature (512 byte sector)"
128 | // Check if there is a GUID (GPT) Partition Table
129 | char[8] "GPT Signature at 0x200"
130 | ifEqual "GPT Signature at 0x200" "EFI PART"
131 | move 0
132 | endSection
133 | else
134 | goto 4096
135 | Section "GPT - Signature (4096 byte sector)"
136 | // Check if there is a GUID (GPT) Partition Table at 0x1000
137 | char[8] "GPT Signature at 0x1000"
138 | ifEqual "GPT Signature at 0x1000" "EFI PART"
139 | move 0
140 | endSection
141 | else
142 | end
143 | endif
144 | // From here on the position is just past an "EFI PART" signature (at 0x200 or at 0x1000); with neither present the "end" above is apparently meant to stop the template.
145 | section "GPT - Header"
146 | hex 4 "Revision (hex)"
147 | move -2
148 | uint16 "- Revision: Major"
149 | move -4
150 | uint16 "- Revision: Minor"
151 | move 2
152 | uint32 "Header Size (Nr of bytes)"
153 | hexadecimal uint32 "Header CRC32" // displayed only; the template does not recompute or verify it
154 | move 4 // Skip 4 reserved bytes
155 | int64 "Primary LBA"
156 | int64 "Backup LBA"
157 | int64 "First Usable LBA"
158 | int64 "Last Usable LBA"
159 | hex 16 "Disk GUID (hex)"
160 | move -16
161 | GUID "Disk GUID"
162 | int64 "Partition_Entry_LBA" // Always 2 in the Primary GPT
163 | uint32 "(Max) Nr of Partition Entries" // not used by the loop below, which is fixed at 128 iterations
164 | uint32 "Size of Partition Entries (bytes)" // not used below; the entry layout parsed here totals 128 bytes (16 + 16 + 8 + 8 + 8 + 72)
165 | hexadecimal uint32 "Partition Entry Array CRC32" // displayed only; not verified against the entry array
166 | endsection
167 | // https://www.ntfs.com/guid-part-table.htm
168 | // Jump to the partition entry array: Partition_Entry_LBA times the sector size implied by where the signature was found.
169 | ifEqual "GPT Signature at 0x200" "EFI PART"
170 | goto ((Partition_Entry_LBA)*512)
171 | else
172 | ifEqual "GPT Signature at 0x1000" "EFI PART"
173 | goto ((Partition_Entry_LBA)*4096)
174 | endIf
175 | // NOTE(review): the goto target comes from the disk under examination and neither CRC32 is checked, so on a damaged or altered header the entries below may be read from the wrong place.
176 | // GPT Partitions list
177 | numbering 1
178 | {
179 | section "GPT - Partition Entry #~"
180 | // Type GUIDs are compared as the 16 raw bytes stored on disk (first three GUID fields byte-swapped relative to the text form).
181 | hex 16 "Partition Type (hex)"
182 | IfEqual "Partition Type (hex)" 0x00000000000000000000000000000000
183 | ExitLoop
184 | else
185 | IfEqual "Partition Type (hex)" 0xA4BB94DED106404DA16ABFD50179D6AC
186 | move -16
187 | GUID "=> MS Recovery Partition" // DE94BBA4-06D1-4D40-A16A-BFD50179D6AC
188 | else
189 | IfEqual "Partition Type (hex)" 0x28732AC11FF8D211BA4B00A0C93EC93B
190 | move -16
191 | GUID "=> EFI System Partition" // C12A7328-F81F-11D2-BA4B-00A0C93EC93B
192 | else
193 | IfEqual "Partition Type (hex)" 0x16E3C9E35C0BB84D817DF92DF00215AE
194 | move -16
195 | GUID "=> MS Reserved Partition" // E3C9E316-0B5C-4DB8-817D-F92DF00215AE
196 | else
197 | IfEqual "Partition Type (hex)" 0xA2A0D0EBE5B9334487C068B6B72699C7
198 | move -16
199 | GUID "=> Basic data partition (Win)" // EBD0A0A2-B9E5-4433-87C0-68B6B72699C7
200 | else
201 | move -16
202 | GUID "Partition Type GUID"
203 | EndIf
204 | // https://docs.microsoft.com/en-us/windows/win32/api/winioctl/ns-winioctl-partition_information_gpt
205 |
206 | GUID "Unique Partition GUID"
207 | int64 "Starting LBA"
208 | IfEqual "Starting LBA" 0
209 | ExitLoop
210 | EndIf
211 | int64 "Ending LBA"
212 | // Note: Partition size =
213 | // ((Ending LBA - Starting LBA)+1)*(sector size)
214 | hex 8 "Attribute Bits (hex)"
215 | move -8
216 | uint_flex "0" "- [0x01]: Platform Required" //0x0000000000000001
217 | move 3
218 | uint_flex "7" "- [0x80]: No Drive Letter" //0x8000000000000000
219 | move -4
220 | uint_flex "6" "- [0x40]: Hidden" //0x4000000000000000
221 | move -4
222 | uint_flex "5" "- [0x20]: Shadow Copy" //0x2000000000000000
223 | move -4
224 | uint_flex "4" "- [0x10]: Read Only" //0x1000000000000000
225 | move -3
226 | // https://docs.microsoft.com/en-us/windows/win32/api/winioctl/ns-winioctl-partition_information_gpt
227 | string16 36 "Partition #~ Name"
228 | endsection
229 | }[128]
230 | end
--------------------------------------------------------------------------------
/MBR.tpl:
--------------------------------------------------------------------------------
1 | template "MBR Partition Table"
2 | // Shows the MBR disk signature, the four primary partition entries and the boot signature.
3 | // Based on Template by Stefan Fleischmann
4 | // X-Ways Software Technology AG
5 | //
6 | // modified by
7 | //
8 | // Costas Katsavounidis - 2021 v.1
9 | // kacos2000 [at] gmail.com
10 | // https://github.com/kacos2000
11 |
12 | // To be applied to sector 0 of a physical hard disk
13 |
14 | description "MBR Partition Table"
15 | applies_to disk
16 | sector-aligned
17 | requires 510 "55 AA" // the only precondition: boot signature bytes at offset 510
18 | read-only
19 |
20 | begin
21 | goto 440
22 | section "MBR - Disk Signature"
23 | hex 4 "Disk Signature (hex)"
24 | move -4
25 | hexadecimal uint32 "Same reversed (hex)" // as seen in Windows Registry
26 | endSection
27 | move 2 // 440 + 4 + 2 = 446, the start of the first partition entry
28 |
29 | // MBR Partitions list
30 | numbering 1
31 | {
32 | section "MBR - Partition Entry #~"
33 | hex 1 "Boot Indicator (0x80=Bootable)" //If TRUE (0x80), the partition is active and can be booted
34 | uint8 "Start head"
35 | uint_flex "5,4,3,2,1,0" "Start sector"
36 | move -4
37 | uint_flex "7,6,15,14,13,12,11,10,9,8" "Start cylinder"
38 | move -2
39 | hex 1 "Partition type indicator (hex)" // re-read below (move -1) under a label that names the matched type
40 | ifEqual "Partition type indicator (hex)" 0xEE
41 | move -1
42 | hex 1 " => Protective MBR (GPT part. follows)" //Protective MBR area exists on a GPT partition layout for backward compatibility
43 | else
44 | // ref: https://docs.microsoft.com/en-us/windows/win32/fileio/basic-and-dynamic-disks
45 |
46 | ifEqual "Partition type indicator (hex)" 0x00
47 | move -1
48 | hex 1 " => Unused Partition"
49 | else
50 | ifEqual "Partition type indicator (hex)" 0x05
51 | move -1
52 | hex 1 " => Extended Partition"
53 | else
54 | ifEqual "Partition type indicator (hex)" 0x01
55 | move -1
56 | hex 1 " => FAT12 partition"
57 | else
58 | ifEqual "Partition type indicator (hex)" 0x04
59 | move -1
60 | hex 1 " => FAT16 partition"
61 | else
62 | ifEqual "Partition type indicator (hex)" 0x0B
63 | move -1
64 | hex 1 " => FAT32 partition"
65 | else
66 | ifEqual "Partition type indicator (hex)" 0x07
67 | move -1
68 | hex 1 " => IFS partition"
69 | else
70 | ifEqual "Partition type indicator (hex)" 0x42
71 | move -1
72 | hex 1 " => logical disk manager (LDM) partition"
73 | else
74 | ifEqual "Partition type indicator (hex)" 0x80
75 | move -1
76 | hex 1 " => NTFT partition"
77 | else
78 | ifEqual "Partition type indicator (hex)" 0xC0
79 | move -1
80 | hex 1 " => NTFT mirror or striped array"
81 | else
82 | // up to here ref: https://docs.microsoft.com/en-us/windows/win32/fileio/disk-partition-types
83 | // and
84 | // https://docs.microsoft.com/en-us/windows/win32/api/vds/ns-vds-create_partition_parameters
85 |
86 | ifEqual "Partition type indicator (hex)" 0x0E
87 | move -1
88 | hex 1 " => FAT (LBA-mapped*) - (FAT16)" //Extended-INT13 equivalent of 0x06 (FAT16 formatted from Win10)
89 | else
90 | ifEqual "Partition type indicator (hex)" 0x06
91 | move -1
92 | hex 1 " => UDF partition" //UDF formatted from Win10
93 | else
94 | ifEqual "Partition type indicator (hex)" 0x0C
95 | move -1
96 | hex 1 " => FAT32 (LBA-mapped*) " //FAT32 formatted from Win10 - Extended-INT13 equivalent of 0x0B
97 | else
98 | ifEqual "Partition type indicator (hex)" 0x0F
99 | move -1
100 | hex 1 " => Extended partition (LBA-mapped*)" //Extended-INT13 equivalent of 0x05
101 | else
102 | move -1
103 | hex 1 " => https://www.win.tue.nl/~aeb/partitions/partition_types-1.html <="
104 | //*Full list: https://www.win.tue.nl/~aeb/partitions/partition_types-1.html
105 | EndIf
106 | uint8 "End head"
107 | uint_flex "5,4,3,2,1,0" "End sector"
108 | move -4
109 | uint_flex "7,6,15,14,13,12,11,10,9,8" "End cylinder"
110 | move -2
111 | uint32 "Sectors preceding partition ~" // shown as stored; not checked against the disk size or the other entries
112 | uint32 "Sectors in partition ~"
113 | endsection
114 | } [4]
115 |
116 | hex 2 "MBR Boot Signature" //describes whether the intent of a given sector is for it to be a Boot Sector (=AA55h) or not
117 | // End of Master Boot Record (MBR)
118 | end
--------------------------------------------------------------------------------
/NTFS - $AttrDef Structure.tpl:
--------------------------------------------------------------------------------
1 | Template "NTFS - $AttrDef Structure"
2 | // Lists up to 16 attribute definitions, labelling the collation rule and flags where an exact value matches.
3 | // Costas Katsavounidis - 2021 v.1
4 | // kacos2000 [at] gmail.com
5 | // https://github.com/kacos2000
6 |
7 | description "NTFS - $AttrDef Metafile Structure"
8 | // Ref: https://flatcap.org/linux-ntfs/ntfs/files/attrdef.html
9 | // NOTE(review): no "requires" or "applies_to" line, so the template parses whatever bytes are at the cursor.
10 | read-only
11 |
12 | begin
13 | // Each entry parsed below is 160 bytes (128 + 4 + 4 + 4 + 4 + 8 + 8); the loop is fixed at 16 entries.
14 | Numbering 1
15 | {
16 | Section "Attribute #~"
17 | little-endian string16 64 "Attribute Label"
18 | uint32 "Attribute Type (Decimal)"
19 | move -4
20 | hex 4 "Attribute Type (Hex)"
21 | hex 4 "Display rule"
22 | hex 4 "Collation rule" // re-read below (move -4) under a label naming the rule when one of the listed values matches
23 | ifEqual "Collation rule" 0x00000000
24 | move -4
25 | hexadecimal uint32 "-> Binary"
26 | else
27 | ifEqual "Collation rule" 0x00000001
28 | move -4
29 | hexadecimal uint32 "-> Filename"
30 | else
31 | ifEqual "Collation rule" 0x00000002
32 | move -4
33 | hexadecimal uint32 "-> Unicode String"
34 | else
35 | ifEqual "Collation rule" 0x00000010
36 | move -4
37 | hexadecimal uint32 "-> Unsigned Long"
38 | else
39 | ifEqual "Collation rule" 0x00000011
40 | move -4
41 | hexadecimal uint32 "-> SID"
42 | else
43 | ifEqual "Collation rule" 0x00000012
44 | move -4
45 | hexadecimal uint32 "-> Security Hash"
46 | else
47 | ifEqual "Collation rule" 0x00000013
48 | move -4
49 | hexadecimal uint32 "-> Multiple Unsigned Longs"
50 | EndIf
51 | hex 4 "Flags" // only the four exact values tested below get a label; any other value is shown as raw hex only
52 | ifEqual "Flags" 0x02000000
53 | move -4
54 | hexadecimal uint32 "-> Indexed"
55 | else
56 | ifEqual "Flags" 0x40000000
57 | move -4
58 | hexadecimal uint32 "-> Always Resident"
59 | else
60 | ifEqual "Flags" 0x42000000
61 | move -4
62 | hexadecimal uint32 "-> Always Resident & Indexed"
63 | else
64 | ifEqual "Flags" 0x80000000
65 | move -4
66 | hexadecimal uint32 "-> Allowed to be Non-Resident"
67 | EndIf
68 | int64 "Minimum Attribute Size"
69 | int64 "Maximum Attribute Size"
70 | endSection
71 | }[16]
72 |
73 | end
--------------------------------------------------------------------------------
/NTFS - $EFS Stream.tpl:
--------------------------------------------------------------------------------
1 | Template "NTFS - $EFS Stream"
2 | // Parses the preamble and header of an $EFS stream, then follows the stored offsets to the extension, license, metadata and encrypted data.
3 | // Costas Katsavounidis - 2021 v.1
4 | // kacos2000 [at] gmail.com
5 | // https://github.com/kacos2000
6 |
7 | description "NTFS - $EFS Stream (EFSRPC Metadata Version3)"
8 | // 2.2.2.3 EFSRPC Metadata Version 3:
9 | // https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-EFSR/%5BMS-EFSR%5D.pdf
10 |
11 | //Should be applied to the start of the Resident Content of
12 | //a $Logged_Utility named stream $EFS
13 | //
14 | // Applies to:
15 | requires 0 "2E617070785F" //.appx_
16 | // requires 0 "2E7066696C65" //.pfile
17 | read-only
18 | // NOTE(review): every offset and length below is read from the stream itself and used for goto / field sizes without any bounds check.
19 | begin
20 | section "Preamble"
21 | char[6]"Signature"
22 | uint32 "Major Version"
23 | uint32 "Minor Version"
24 | uint32 "ClearTextRedirectionLength"
25 | IfGreater ClearTextRedirectionLength 0
26 | string16 ClearTextRedirectionLength "ClearTextRedirectionString"
27 | EndIf
28 | uint32 "Total Header Length"
29 | endSection
30 |
31 | section "Header"
32 | uint32 "OriginalFileExtensionOffset" // from the start of the header
33 | uint32 "OriginalFileExtensionLength" // in bytes
34 | uint32 "Publishing_License_Data_Offset" // from the start of the header
35 | uint32 "EncryptedDataOffset" // from the start of the header
36 | int64 "OriginalFileSize" // in bytes
37 | move 4
38 | uint32 "MetaDataOffset" // used directly as a goto target below
39 | uint32 "MetaDataLength" // in bytes
40 | // Get the data. NOTE(review): Publishing_License_Data_Length is read only inside the ifGreater below but is used by the hex line after its endIf, and a second endIf follows - confirm the intended nesting.
41 | ifGreater OriginalFileExtensionOffset 0
42 | goto OriginalFileExtensionOffset
43 | endIf
44 | string16 OriginalFileExtensionLength "Original File Extension Data"
45 | ifGreater Publishing_License_Data_Offset 0
46 | goto (Publishing_License_Data_Offset+4)
47 | uint32 "Publishing_License_Data_Length"
48 | move -8
49 | endIf
50 | hex Publishing_License_Data_Length "Publishing License Data" // "Rights Management Services Publishing License, defined in [MS-RMPR] section 2.2.9.7"
51 | endIf
52 | ifGreater MetaDataOffset 0
53 | goto MetaDataOffset
54 | hex MetaDataLength "MetaData"
55 | endIf
56 | endSection
57 | // The size below is OriginalFileSize minus EncryptedDataOffset, both taken from the header; NOTE(review): nothing guards against the offset exceeding the size.
58 | ifGreater EncryptedDataOffset 0
59 | goto EncryptedDataOffset
60 | section "Encrypted Data"
61 | hex (OriginalFileSize-EncryptedDataOffset) "Encrypted Data"
62 | endSection
63 | endIf
64 | end
--------------------------------------------------------------------------------
/NTFS - $R INDX Structure.tpl:
--------------------------------------------------------------------------------
1 | Template "NTFS - $R INDX Structure"
2 | // Parses one INDX buffer of $Reparse:$R: index header, node header, fix-up array, then fixed-size index entries.
3 | // Costas Katsavounidis - 2021 v.1
4 | // kacos2000 [at] gmail.com
5 | // https://github.com/kacos2000
6 | // Extend/$Reparse Index ($R) entries
7 |
8 | description "NTFS - $Reparse ($R) INDX Structure"
9 |
10 | // Should be applied to the start of an
11 | // $R INDX Header
12 | //
13 |
14 | requires 0 "494E4458" //INDX
15 | read-only
16 | multiple 4096
17 | // NOTE(review): apart from the INDX signature, the offsets, sizes and counts used below are taken from the buffer without range checks.
18 | Begin
19 | Section "Index Header"
20 | char[4] "Signature"
21 | uint16 "Offset to FixUp Array"
22 | uint16 "Number_of_FixUps" // read from the buffer; (value - 1) is the fix-up loop count below
23 | int64 "Last $LogFile Sequence Number" // LSN
24 | int64 "VCN of this INDX buffer"
25 | endSection
26 |
27 | Section "Index Node Header" //starts at offset 24 (0x18)
28 | uint32 "Offset_to_Index_Entries" // Relative to the Node Header (offset 24)
29 | uint32 "Size of Index Node"
30 | uint32 "Allocated_Size_of_Index_Node" // Starting from the Node Header (+24 should be 4096)
31 | uint32 "1 = Leaf Node"
32 | goto "Offset to FixUp Array"
33 | uint16 "Update Sequence Nr."
34 | move -2
35 | hex 2 "FixUp Value"
36 | Numbering 1 {
37 | hex 2 "FixUp ~"
38 | }[((Number_of_FixUps)-1)]
39 | endSection
40 | // NOTE(review): the fix-up array is only listed; the template does not write the saved bytes back, so fields overlapping a fix-up position are shown as stored - TODO confirm on a multi-sector buffer.
41 | goto ((Offset_to_Index_Entries)+24)
42 | // Each entry parsed below is 32 bytes, matching the divisor in the loop count; the count is derived from the allocated size, not from "Size of Index Node".
43 | numbering 1 {
44 | Section "Index Node Entry ~"
45 | uint16 "Offset to Data"
46 | uint16 "Size of Data"
47 | move 4
48 | uint16 "Size of Index Entry"
49 | uint16 "Size of Index Key"
50 | uint16 "Flags" // 0: Active, 2: Not Allocated (?)
51 | move 2
52 | hexadecimal uint32 "Reparse Tag"
53 | uint48 "MFT Record Nr."
54 | uint16 "MFT Record Seq. Nr."
55 | move 4
56 | endSection
57 | }[(((Allocated_Size_of_Index_Node)-(Offset_to_Index_Entries)-(24)) / 32)]
58 | End
--------------------------------------------------------------------------------
/NTFS - MFT Attribute List.tpl:
--------------------------------------------------------------------------------
1 | template "NTFS - MFT Attribute List"
2 | // Walks up to 32 $Attribute_list entries, stepping from one entry to the next by the stored record length.
3 | // Costas Katsavounidis - 2021.1
4 | // kacos2000 [at] gmail.com
5 | // https://github.com/kacos2000
6 | //
7 | // To be applied to the start of an $Attribute_list Attribute
8 |
9 | description "NTFS - MFT Attribute List"
10 | applies_to file/disk
11 | read-only
12 | requires 0 "20 00 00 00" //$Attribute_list attribute type Signature
13 | // When the first 4 bytes equal the 0x20 type code, 20 more bytes are skipped (24 in total) - presumably the resident attribute header; otherwise the position is rewound to the start.
14 | begin
15 | hex 4 "Attribute"
16 | ifEqual Attribute 0x20000000
17 | move 20
18 | else
19 | move -4
20 | endIf
21 | // Each entry has a 26-byte fixed part (4 + 2 + 1 + 1 + 8 + 6 + 2 + 2); "move -26" followed by "move Record_length" steps from the entry start to the next entry.
22 | numbering 1 {
23 | section "Attribute #~"
24 | hex 4 "Attribute Type"
25 | ifEqual "Attribute Type" 0xFFFFFFFF
26 | endSection
27 | end
28 | endIf
29 | uint16 "Record_length" // read from the data; a zero value stops the template, any other value is used as the step to the next entry
30 | ifEqual "Record_length" 0
31 | endSection
32 | end
33 | endIf
34 | uint8 "Stream_Name_Length"
35 | uint8 "Stream_Name_Offset"
36 | int64 "Start VCN"
37 | uint48 "Base Record Number"
38 | ifEqual "Base Record Number" 0
39 | endSection
40 | end
41 | else
42 | ifGreater "Base Record Number" 4294967295 // Limit to uint32
43 | endSection
44 | end
45 | endIf
46 | uint16 "Base Record Sequence Nr"
47 | uint16 "Attribute ID"
48 | ifGreater Stream_Name_Length 0
49 | move -26
50 | move Stream_Name_Offset
51 | string16 Stream_Name_Length "Stream Name"
52 | move -4 // NOTE(review): if string16 consumes 2 bytes per character, -4 - offset - length only rewinds to the entry start for 4-character names - verify with other name lengths
53 | move ((Stream_Name_Offset)*(-1))
54 | move ((Stream_Name_Length)*(-1))
55 | move Record_length
56 | else
57 | move -26
58 | move Record_length
59 | endIf
60 | endSection
61 | }[32]
62 | end
--------------------------------------------------------------------------------
/NTFS_VBR.tpl:
--------------------------------------------------------------------------------
1 | template "NTFS VBR"
2 | // Parses the boot sector / BPB at sector 0, then jumps to the offset computed from its own fields and parses the backup copy.
3 | // Costas Katsavounidis - 2021 v.1b
4 | // kacos2000 [at] gmail.com
5 | // https://github.com/kacos2000
6 |
7 | // To be applied to sector 0 of an NTFS Volume
8 | // Template also reads the last sector of the Volume (Backup Boot Record)
9 |
10 | description "NTFS - Volume Boot Record Structure"
11 | //applies_to file
12 | sector-aligned
13 | read-only
14 | // With both system-ID checks below commented out, only the 55 AA signature is required, so the template also applies to boot sectors that are not NTFS.
15 | //requires 0x03 "4E 54 46 53 20 20 20 20" // ID must be "NTFS", including trailing spaces
16 | //requires 0x03 "2D 46 56 45 2D 46 53 2D" // ID can be "-FVE-FS-"
17 | requires 0x1FE "55 AA" //Valid boot sector signature
18 |
19 | begin
20 | section "NTFS Boot Sector & BPB Structure"
21 | hex 2 "JMP instruction"
22 | move 1 //0x90 in assembly = "no op"; short for no operation
23 | // https://thestarman.pcministry.com/asm/mbr/NTFSBR.htm
24 | char[8] "System Name"
25 | uint16 "Bytes_per_sector"
26 | uint8 "Sectors_per_cluster"
27 | uint16 "Reserved sectors"
28 | move 5 // skip 3* always zero bytes & 2* unused by NTFS bytes
29 | hex 1 "Media descriptor (hex)" //Range: F0, F8, F9, FA, FB, FC, FD, FE, and FF
30 | move 2 // skip unused by NTFS bytes
31 | uint16 "Sectors per track"
32 | uint16 "Nr of Heads"
33 | uint32 "Nr of Hidden sectors"
34 | move 4 // skip 4 unused by NTFS bytes
35 | hex 1 "Drive Select (INT 13h drive Nr)" // (usually 0x80 => First HDD)
36 | // 0x80:1st hard disk
37 | // 0x81 2nd hard disk
38 | // 0x82:3rd hard disk
39 | // ..
40 | // 0xFF:128th hard disk
41 | // https://thestarman.pcministry.com/asm/mbr/NTFSBR.htm
42 | move 3 // skip (usually 0x00800)
43 | int64 "Total_sectors_excl_backup_boot_sector"
44 | int64 "LCN of $MFT"
45 | int64 "LCN of $MFTMirr"
46 | int8 "Clusters Per File Record Segment" // read as signed; NTFS stores a negative value n here to mean a record size of 2^|n| bytes
47 | move 3
48 | uint8 "Clusters Per Index Buffer"
49 | move 3 // skip unused by NTFS bytes
50 | hex 4 "32-bit serial number (hex)"
51 | move -4
52 | hexadecimal uint32 "32-bit SN (hex, reversed)"
53 | move -4
54 | hex 8 "64-bit serial number (hex)"
55 | uint32 "Checksum"
56 | goto 0x1FE
57 | hex 2 "Boot Signature" //describes whether the intent of a given sector is for it to be a Boot Sector (=AA55h) or not
58 | endSection
59 | // NOTE(review): the backup offset is Bytes_per_sector * Total_sectors as read above; a wrong or altered BPB sends the goto elsewhere, and the two copies are displayed but not compared.
60 | //Read the backup boot sector
61 |
62 | ifGreater ((Bytes_per_sector)*(Total_sectors_excl_backup_boot_sector)) 0
63 | goto ((Bytes_per_sector)*(Total_sectors_excl_backup_boot_sector))
64 | section "[Backup] NTFS Boot Sector & BPB Structure"
65 | hex 2 "JMP instruction"
66 | move 1 //0x90 in assembly = "no op"; short for no operation
67 | // https://thestarman.pcministry.com/asm/mbr/NTFSBR.htm
68 | char[8] "File System Name"
69 | uint16 "Bytes_per_sector"
70 | uint8 "Sectors_per_cluster"
71 | uint16 "Reserved sectors"
72 | move 5 // skip 3* always zero bytes & 2* unused by NTFS bytes
73 | hex 1 "Media descriptor (hex)" //Range: F0, F8, F9, FA, FB, FC, FD, FE, and FF
74 | move 2 // skip 2 unused by NTFS bytes
75 | uint16 "Sectors per track"
76 | uint16 "Nr of Heads"
77 | uint32 "Nr of Hidden sectors"
78 | move 4 // skip 4 unused by NTFS bytes
79 | hex 1 "Drive Select (INT 13h drive Nr)"
80 | move 3 // skip (usually 0x00800)
81 | int64 "Total sectors (excl. backup boot sector)"
82 | int64 "LCN_of_$MFT"
83 | int64 "LCN_of_$MFTMirr"
84 | int8 "Clusters Per File Record Segment"
85 | move 3
86 | uint8 "Clusters Per Index Buffer"
87 | move 3 // skip unused by NTFS bytes
88 | hex 4 "32-bit serial number (hex)"
89 | move -4
90 | hexadecimal uint32 "32-bit SN (hex, reversed)"
91 | move -4
92 | hex 8 "64-bit serial number (hex)"
93 | uint32 "Checksum"
94 | move 426 // 84 bytes consumed so far + 426 = 510 (0x1FE), the signature offset within the backup sector
95 | hex 2 "Boot Signature" //describes whether the intent of a given sector is for it to be a Boot Sector (=AA55h) or not
96 | endSection
97 | endIf
98 | end
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # X-Ways Forensics / WinHex templates
2 |
3 | Just download the templates and save or move them to your WinHex or X-Ways Forensics program folder.
4 | Templates are plain-text files with a .tpl file extension, and can be viewed or edited with any
5 | text editor, or from 'View', 'Template Manager' in WinHex/XWF.
6 |
7 | Note 1: References/notes are included within each template file.
8 | Note 2: [Template Editing](https://documentation.help/WinHex-X-Ways/topic52.htm)
9 | Note 3: [X-Ways Forensics & WinHex user manual (pdf)](https://www.x-ways.net/winhex/manual.pdf) *(template editing: Ch.7.6 Page 159)*
10 |
11 | Other templates included here:
12 | - [Gabriele Zambelli© (@gazambelli) ETL Header template](https://github.com/kacos2000/WinHex_Templates/blob/master/ETL_Header_x64.tpl)
13 | - [X-Ways© default templates](https://github.com/kacos2000/WinHex_Templates/tree/master/WinHex_default)
14 | - [X-Ways© additional/user templates](https://github.com/kacos2000/WinHex_Templates/tree/master/WinHex_additional)
15 |
16 | *Download the above templates in one [ZIP](https://github.com/kacos2000/WinHex_Templates/archive/refs/heads/master.zip) file*
17 |
18 | Other templates NOT included here:
19 | - [Jens Kirschner](https://res.jens-training.com/)'s [templates](https://res.jens-training.com/templates/)
20 |
--------------------------------------------------------------------------------
/REFS - $AttrDef Structure.tpl:
--------------------------------------------------------------------------------
1 | Template "REFS - $AttrDef Structure"
2 | // Lists up to 16 attribute definitions and stops at the first entry whose type is 0.
3 | // Costas Katsavounidis - 2021 v.1
4 | // kacos2000 [at] gmail.com
5 | // https://github.com/kacos2000
6 |
7 | description "REFS - $AttrDef Metafile Structure"
8 | // NOTE(review): no "requires" or "applies_to" line, so the template parses whatever bytes are at the cursor.
9 | read-only
10 |
11 | begin
12 |
13 | Numbering 1
14 | {
15 | Section "Attribute #~"
16 | little-endian string16 64 "Attribute Label"
17 | uint32 "Attribute Type (Decimal)"
18 | ifEqual "Attribute Type (Decimal)" 0
19 | end
20 | endIf
21 | move -4
22 | hex 4 "Attribute Type (Hex)"
23 | hex 4 "Display rule"
24 | hex 4 "Collation rule" // re-read below (move -4) under a label naming the rule when one of the listed values matches
25 | ifEqual "Collation rule" 0x00000000
26 | move -4
27 | hexadecimal uint32 "-> Binary"
28 | else
29 | ifEqual "Collation rule" 0x00000001
30 | move -4
31 | hexadecimal uint32 "-> Filename"
32 | else
33 | ifEqual "Collation rule" 0x00000002
34 | move -4
35 | hexadecimal uint32 "-> Unicode String"
36 | else
37 | ifEqual "Collation rule" 0x00000010
38 | move -4
39 | hexadecimal uint32 "-> Unsigned Long"
40 | else
41 | ifEqual "Collation rule" 0x00000011
42 | move -4
43 | hexadecimal uint32 "-> SID"
44 | else
45 | ifEqual "Collation rule" 0x00000012
46 | move -4
47 | hexadecimal uint32 "-> Security Hash"
48 | else
49 | ifEqual "Collation rule" 0x00000013
50 | move -4
51 | hexadecimal uint32 "-> Multiple Unsigned Longs"
52 | EndIf
53 | hex 4 "Flags" // only the four exact values tested below get a label; any other value is shown as raw hex only
54 | ifEqual "Flags" 0x02000000
55 | move -4
56 | hexadecimal uint32 "-> Indexed"
57 | else
58 | ifEqual "Flags" 0x40000000
59 | move -4
60 | hexadecimal uint32 "-> Always Resident"
61 | else
62 | ifEqual "Flags" 0x42000000
63 | move -4
64 | hexadecimal uint32 "-> Always Resident & Indexed"
65 | else
66 | ifEqual "Flags" 0x80000000
67 | move -4
68 | hexadecimal uint32 "-> Allowed to be Non-Resident"
69 | EndIf
70 | int32 "Minimum Attribute Size" // 4 bytes here (the NTFS template reads 8), which gives the 156-byte entry noted below
71 | int64 "Maximum Attribute Size"
72 | // total refs AttrDef entry size = 156 (128 + 4 + 4 + 4 + 4 + 4 + 8)
73 | endSection
74 | }[16]
75 |
76 | end
--------------------------------------------------------------------------------
/ReFS CheckPoint.tpl:
--------------------------------------------------------------------------------
1 | template "ReFS CheckPoint"
2 | // Parses a CHKP page: page header, main fields, 13 table-reference offsets, then the self-descriptor as raw hex.
3 | // Costas Katsavounidis - 2021 v.1
4 | // kacos2000 [at] gmail.com
5 | // https://github.com/kacos2000
6 |
7 | // CheckPoint offsets can be obtained from the SuperBlock
8 | // There are usually 2 CheckPoints in a Volume
9 |
10 | // Reference:
11 | // Forensic Analysis of the Resilient File System (ReFS) Version 3.4 Technical Report CS-2019-05
12 | // https://opus4.kobv.de/opus4-fau/files/12526/refs_report.pdf
13 |
14 | // To be applied to byte 0 of a CheckPoint (the requires line below expects the CHKP signature)
15 |
16 | description "ReFS - CHKP CheckPoint"
17 | applies_to disk
18 | sector-aligned
19 | read-only
20 | requires 0 "43 48 4B 50" //CHKP CheckPoint Signature
21 |
22 | begin
23 | section "Page Header"
24 | char[4] "Signature"
25 | uint32 "Unknown" // Always 0x2
26 | move 4
27 | little-endian hexadecimal uint32 "Volume signature (hex)"
28 | int64 "Virtual Allocator Clock"
29 | int64 "Tree Update Clock"
30 | int64 "VCN 0 - CheckPoint Offset"
31 | int64 "VCN 1"
32 | int64 "VCN 2"
33 | int64 "VCN 3"
34 | int64 "Table Identifier (High)"
35 | int64 "Table Identifier (Low)"
36 | endSection
37 | // The page header above is 80 bytes; the "Main" section below adds 68.
38 | Section "Main"
39 | move 4 // unknown
40 | uint16 "Major ReFS Version"
41 | uint16 "Minor ReFS Version"
42 | uint32 "Offset to self-descriptor" // from the start of the CheckPoint
43 | uint32 "Length of self-descriptor" // used as the size of the hex field at the end; read from the page and not range-checked
44 | int64 "Checkpoint virtual clock"
45 | int64 "Allocator virtual clock"
46 | hex 8 "Oldest log record reference"
47 | uint32 "Unknown"
48 | move 12
49 | uint32 "Unknown buffer offset"
50 | uint32 "Unknown buffer length"
51 | uint32 "Pointer Count" // displayed only; the next section always reads 13 pointers regardless of this value
52 | endSection
53 | section "Offsets from the start of the CheckPoint" // Pointers from the start of the CheckPoint
54 | uint32 "=> Object ID Table ref"
55 | uint32 "=> Medium Allocator Table ref"
56 | uint32 "=> Container Allocator Table ref"
57 | uint32 "=> Schema Table ref #1"
58 | uint32 "=> Parent Child Table ref"
59 | uint32 "=> Object ID Table duplicate ref"
60 | uint32 "=> Block Reference Count Table ref"
61 | uint32 "=> Container Table ref"
62 | uint32 "=> Container Table duplicate ref"
63 | uint32 "=> Schema Table duplicate ref"
64 | uint32 "=> Container Index Table ref"
65 | uint32 "=> Integrity State Table ref"
66 | uint32 "=> Small Allocator Table ref"
67 | endSection
68 | section "Self-descriptor"
69 | move -200 // 200 bytes consumed so far (80 + 68 + 52), so this returns to byte 0 of the CheckPoint
70 | goto "Offset to self-descriptor"
71 | hex "Length of self-descriptor" "Self-descriptor (hex)"
72 | endSection
73 | // Self-descriptor
74 | // Tables
75 | end
76 |
--------------------------------------------------------------------------------
/ReFS SuperBlock.tpl:
--------------------------------------------------------------------------------
1 | template "ReFS SuperBlock"
2 |
3 | // Costas Katsavounidis - 2021 v.2
4 | // kacos2000 [at] gmail.com
5 | // https://github.com/kacos2000
6 |
7 |
8 | // First SuperBlock starts at Cluster 30
9 | // There are 2 Additional copies of the SuperBlock in the 3rd and 2nd last clusters of the Volume
10 |
11 | // Reference:
12 | // Forensic Analysis of the Resilient File System (ReFS) Version 3.4 Technical Report CS-2019-05
13 | // https://opus4.kobv.de/opus4-fau/files/12526/refs_report.pdf
14 |
15 | // To be applied to byte 0 of a SuperBlock
16 |
17 | description "ReFS - SUPB SuperBlock"
18 | applies_to disk
19 | sector-aligned
20 | read-only
21 | requires 0 "53 55 50 42" //SUPB SuperBlock Signature
22 |
23 | begin
24 | section "Page Header"
25 | char[4] "Signature"
26 | uint32 "Unknown" // Always 0x2
27 | move 4
28 | little-endian hexadecimal uint32 "Volume signature (hex)"
29 | int64 "Virtual Allocator Clock"
30 | int64 "Tree Update Clock"
31 | //int64 "VCN 0" // SuperBlock start offset
32 | int64 "Superblock start (offset)" // offset sector from start of Volume
33 | //int64 "VCN 1"
34 | //int64 "VCN 2"
35 | //int64 "VCN 3"
36 | //int64 "Table Identifier (High)"
37 | //int64 "Table Identifier (Low)"
38 | move 40
39 | endSection
40 |
41 | Section "GUID"
42 | guid "Guid"
43 | endSection
44 | Section "Volume Signature: x1 -bxor x2 -bxor .."
45 | move -16
46 | // GUID = 4* DWORDS (x1.. x4)
47 | // In Powershel => Volume Signature = (x1 -bxor x2 -bxor x3 -bxor x4).ToString('X')
48 | uint32 "x1"
49 | uint32 "x2"
50 | uint32 "x3"
51 | uint32 "x4"
52 | move 8
53 | int64 "Superblock version"
54 |
55 | Section "References" // every offset and count in this section is read from the SuperBlock under examination
56 | uint32 "Offset to first CheckPoint entry"
57 | uint32 "Nr of CheckPoints"
58 | uint32 "Offset to Self-Descriptor"
59 | uint32 "Length of Self-Descriptor"
60 | goto "Offset to first CheckPoint entry" // jump target is the on-disk value read above; it is not range-checked here
61 | int64 "CheckPoint #1 offset (sector)" // offset sector from start of Volume
62 | int64 "CheckPoint #2 offset (sector)" // offset sector from start of Volume
63 | endSection // two entries are always displayed, whatever "Nr of CheckPoints" holds
64 | end
65 |
66 |
--------------------------------------------------------------------------------
/ReFS_FSRS.tpl:
--------------------------------------------------------------------------------
1 | template "ReFS FSRS Structure (VBR)"
2 | // on-disk file system recognition information stored in the
3 | // volume's boot sector (logical disk sector zero)
4 |
5 | // Costas Katsavounidis - 2021 v.2
6 | // kacos2000 [at] gmail.com
7 | // https://github.com/kacos2000
8 |
9 | // To be applied to first sector (sector 0) of a Volume, OR
10 | // to the last sector of a Volume
11 |
12 | description "ReFS - File system recognition information"
13 | applies_to disk
14 | sector-aligned
15 | read-only
16 | requires 16 "46 53 52 53" //FSRS signature
17 |
18 | begin
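19 | Section "ReFS - Volume Boot Record"
20 | hex 3 "Jump instruction" // not included in the Checksum
21 | char[8] "File system name" // ASCII
22 | hex 5 "Must be null" // Must be null
23 | char[4] "Structure Identifier" // Must be FSRS or 0x46535253
24 | uint16 "Structure Size (bytes)" // Number of bytes in this structure, from the beginning to the end, including the Jump data
25 | hex 2 "Checksum" // calculated over the bytes starting at the FsName data member and ending at the last byte of this structure,
26 | // excluding the Jmp and Checksum. Displayed only: this template does not recompute or verify it
27 | // not MS Documented (underscore names because the goto expression after this section refers to them):
28 | int64 "Sectors_in_volume"
29 | uint32 "Bytes_per_sector"
30 | uint32 "Sectors_per_cluster"
31 | uint8 "File system major version"
32 | uint8 "File system minor version"
33 | move 14
34 | hex 8 "Volume Serial Number"
35 | // Source: https://www.sciencedirect.com/science/article/pii/S1742287619301252
36 | endsection // End of ReFS Volume Boot Record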
37 |
38 | ifGreater "Sectors_in_volume" 0 // only the sector count is checked; Bytes_per_sector is used unchecked in the next line
39 | goto ((Sectors_in_volume)*(Bytes_per_sector)-(Bytes_per_sector)) //Go to the last sector of the volume and read the backup copy; both operands come from the sector just parsed
40 | // NOTE(review): if goto counts from where the template was applied, applying it to the last sector puts this target past the volume - confirm
41 | Section "ReFS - Backup Volume Boot Record"
42 | hex 3 "Jump instruction" // not included in the Checksum
43 | char[8] "File system name" // ASCII
44 | hex 5 "Must be null" // Must be null
45 | char[4] "Structure Identifier" // Must be FSRS or 0x46535253
46 | uint16 "Structure Size (bytes)" // Number of bytes in this structure, from the beginning to the end, including the Jump data
47 | hex 2 "Checksum" // calculated over the bytes starting at the FsName data member and ending at the last byte of this structure,
48 | // excluding the Jmp and Checksum
49 | int64 "Sectors in volume"
50 | uint32 "Bytes per sector"
51 | uint32 "Sectors per cluster"
52 | uint8 "File system major version"
53 | uint8 "File system minor version"
54 | move 14
55 | hex 8 "Volume Serial Number"
56 | endsection // End of ReFS backup Volume Boot Record; the signature is not re-checked here, so compare these fields with the primary copy by eye
57 | EndIf
58 | end
59 |
60 | // Reference:
61 | // https://docs.microsoft.com/en-us/windows/win32/fileio/file-system-recognition-structure
62 | // https://docs.microsoft.com/en-us/windows/win32/fileio/computing-a-file-system-recognition-checksum
63 | // https://patents.google.com/patent/US8200895B2/en
--------------------------------------------------------------------------------
/SHD spool shadow file.tpl:
--------------------------------------------------------------------------------
1 | template "SHD spool shadow file"
2 |
3 | // Costas Katsavounidis - 2021 v1.0
4 | // kacos2000 [at] gmail.com
5 | // https://github.com/kacos2000
6 |
7 | // To be applied on byte 0 of a .SHD spool shadow file
8 |
9 | description "Windows - SHD spool shadow file"
10 | applies_to file
11 | read-only
12 |
13 | // Reference: https://www.codeproject.com/Articles/9720/The-Windows-NT-print-spool-shadow-file-format
14 | // Reference: http://www.undocprint.org/winspool/spool_files
15 | // SPL file viewer: http://www.lvbprint.de/html/splviewer1.html
16 |
17 | begin
18 | section "SHD - Microsoft Windows Spool Shadow File"
19 | hex 4 "Signature"
20 | move -4
21 | ifEqual Signature 0x23510000
22 | big-endian hexadecimal uint32 "=> Windows 10"
23 | uint32 "Header Size (bytes)"
24 | hexadecimal uint16 "Status Flags (hex)"
25 | move 2 // unknown
26 | uint32 "Print Job ID"
27 | uint32 "Priority (99 highest)" // values: 1-99
28 | // offsets
29 | move 4
30 | uint32 "Username_offset"
31 | move 4
32 | uint32 "NotifyName_offset"
33 | move 4
34 | uint32 "DocumentName_offset"
35 | move 4
36 | uint32 "PrinterPort_offset"
37 | move 4
38 | uint32 "PrinterName_offset"
39 | move 4
40 | uint32 "DriverName_offset"
41 | move 4
42 | uint32 "DevMode_offset"
43 | move 4
44 | uint32 "PrintProcessorName_offset"
45 | move 4
46 | uint32 "DataType_offset"
47 | move 12
48 | else
49 | ifEqual Signature 0x4B490000
50 | big-endian hexadecimal uint32 "=> Windows 98"
51 | hexadecimal uint16 "Status Flags (hex)"
52 | move 2 // unknown
53 | uint32 "Print Job ID"
54 | uint32 "Priority (99 highest)" // values: 1-99
55 | // offsets
56 | uint32 "Username_offset"
57 | uint32 "NotifyName_offset"
58 | uint32 "DocumentName_offset"
59 | uint32 "PrinterPort_offset"
60 | uint32 "PrinterName_offset"
61 | uint32 "DriverName_offset"
62 | uint32 "DevMode_offset"
63 | uint32 "PrintProcessorName_offset"
64 | uint32 "DataType_offset"
65 | move 4
66 | else
67 | ifEqual Signature 0x66490000
68 | big-endian hexadecimal uint32 "=> Windows NT"
69 | hexadecimal uint16 "Status Flags (hex)"
70 | move 2 // unknown
71 | uint32 "Print Job ID"
72 | uint32 "Priority (99 highest)" // values: 1-99
73 | // offsets
74 | uint32 "Username_offset"
75 | uint32 "NotifyName_offset"
76 | uint32 "DocumentName_offset"
77 | uint32 "PrinterPort_offset"
78 | uint32 "PrinterName_offset"
79 | uint32 "DriverName_offset"
80 | uint32 "DevMode_offset"
81 | uint32 "PrintProcessorName_offset"
82 | uint32 "DataType_offset"
83 | move 4
84 | else
85 | ifEqual Signature 0x67490000
86 | big-endian hexadecimal uint32 "=> Win2000/XP"
87 | uint32 "Header Size (bytes)"
88 | hexadecimal uint16 "Status Flags (hex)"
89 | move 2 // unknown
90 | uint32 "Print Job ID"
91 | uint32 "Priority (99 highest)" // values: 1-99
92 | // offsets
93 | uint32 "Username_offset"
94 | uint32 "NotifyName_offset"
95 | uint32 "DocumentName_offset"
96 | uint32 "PrinterPort_offset"
97 | uint32 "PrinterName_offset"
98 | uint32 "DriverName_offset"
99 | uint32 "DevMode_offset"
100 | uint32 "PrintProcessorName_offset"
101 | uint32 "DataType_offset"
102 | move 4
103 | else
104 | ifEqual Signature 0x68490000
105 | big-endian hexadecimal uint32 "=> Windows 2003"
106 | uint32 "Header Size (bytes)"
107 | hexadecimal uint16 "Status Flags (hex)"
108 | move 2 // unknown
109 | uint32 "Print Job ID"
110 | uint32 "Priority (99 highest)" // values: 1-99
111 | // offsets
112 | uint32 "Username_offset"
113 | uint32 "NotifyName_offset"
114 | uint32 "DocumentName_offset"
115 | uint32 "PrinterPort_offset"
116 | uint32 "PrinterName_offset"
117 | uint32 "DriverName_offset"
118 | uint32 "DevMode_offset"
119 | uint32 "PrintProcessorName_offset"
120 | uint32 "DataType_offset"
121 | move 4
122 | endIf
123 |
124 | uint16 "Year"
125 | uint16 "Month"
126 | uint16 "Day of Week"
127 | uint16 "Day"
128 | uint16 "Hour (UTC)"
129 | uint16 "Minute"
130 | uint16 "Second"
131 | uint16 "Millisecond"
132 | move 8
133 | uint32 "SPL FileSize (bytes)"
134 | uint32 "SPL PageCount"
135 | goto DataType_offset
136 | string16 6 "SPL Data type"
137 | endSection
138 |
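139 | section "Metadata" // each name is read as a NUL-terminated UTF-16 string at its own offset
140 | ifGreater "Username_offset" 0
141 | goto "Username_offset"
142 | zstring16 "Username" // stops at the terminator; a count built from the next offset is in bytes, and negative when that offset is 0 or lower
143 | endIf
144 | ifGreater "NotifyName_offset" 0
145 | goto "NotifyName_offset"
146 | zstring16 "Notifyname"
147 | endIf
148 | ifGreater "DocumentName_offset" 0
149 | goto "DocumentName_offset"
150 | zstring16 "Document Name"
151 | endIf
152 | ifGreater "PrinterName_offset" 0
153 | goto "PrinterName_offset"
154 | zstring16 "Printer Name"
155 | endIf
156 | ifGreater "DriverName_offset" 0
157 | goto "DriverName_offset"
158 | zstring16 "Driver Name"
159 | endIf
160 | endSection // offsets are taken from the file as-is; only "greater than 0" is checked before each jump
161 | end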
161 | end
162 |
--------------------------------------------------------------------------------
/VHD Header.tpl:
--------------------------------------------------------------------------------
1 | template "VHD - Header/Footer"
2 |
3 | // Costas Katsavounidis - 2021.1
4 | // kacos2000 [at] gmail.com
5 | // https://github.com/kacos2000
6 | //
7 | // To be applied to VHD files at
8 | // offset 0 of the file, or at the start of the footer's 512 bytes
9 |
10 | description "VHD - Header/Footer"
11 | applies_to file
12 | requires 0 "63 6F 6E 65 63 74 69 78" // Signature: 'conectix'
13 | read-only
14 |
15 | // NOTE: All values, unless otherwise specified, are stored in big endian format.
16 |
17 | // Ref: https://www.microsoft.com/en-us/download/details.aspx?id=23850
18 |
19 | // Dynamic Disk header fields:
20 | // - Copy of hard disk footer (512 bytes)
21 | // - Dynamic Disk Header (1024 bytes)
22 | // - BAT (Block Allocation table)
23 | // - Data Block 1
24 | // - Data Block 2
25 | // - …
26 | // - Data Block n
27 | // - Hard Disk Footer (512 bytes)
28 |
29 |
30 | // Header
31 | begin
32 | Section "VHD - Hard Disk Footer (or copy = Header)"
33 | char[8] "Signature" // Microsoft call this 'cookie' :-D
34 | hex 4 "Features"
35 | move -1
36 | uint_flex "1" "- Bit 1 - Reserved" // This bit must always be set to 1
37 | move -4
38 | uint_flex "0" "- Bit 0 - Temporary"
39 | move -3
40 | big-endian uint16 "File Format Major version"
41 | big-endian uint16 "File Format Minor version"
42 | big-endian hexadecimal int64 "Data Offset (hex)" // absolute byte offset to the next structure
43 | move -8
44 | big-endian int64 "Data Offset (dec)" // For fixed disks, this field should be set to 0xFFFFFFFF
45 | big-endian uint32 "Creation Timestamp (sec since 1/1/2000)" // Hard disk image creation Time Stamp (seconds since January 1, 2000 12:00:00 AM in UTC/GMT)
46 | char[4] "Creator Application"
47 | big-endian uint16 "Creator Major version"
48 | big-endian uint16 "Creator Minor version"
49 | char[4] "Creator Host OS"
50 | big-endian int64 "Original Size"
51 | big-endian int64 "Current Size"
52 | big-endian uint16 "Geometry: Cylinders"
53 | uint8 "Geometry: Heads"
54 | uint8 "Geometry: Sectors (per track/cylinder)"
55 | big-endian uint32 "Disk Type:"
56 | move -4
57 | ifEqual "Disk Type:" 0
58 | big-endian hexadecimal uint32 " => None"
59 | else
60 | ifEqual "Disk Type:" 1
61 | big-endian hexadecimal uint32 " => Reserved (deprecated) "
62 | else
63 | ifEqual "Disk Type:" 2
64 | big-endian hexadecimal uint32 " => Fixed hard disk"
65 | else
66 | ifEqual "Disk Type:" 3
67 | big-endian hexadecimal uint32 " => Dynamic hard disk"
68 | else
69 | ifEqual "Disk Type:" 4
70 | big-endian hexadecimal uint32 " => Differencing hard disk"
71 | else
72 | ifEqual "Disk Type:" 5
73 | big-endian hexadecimal uint32 " => Reserved (deprecated)"
74 | else
75 | ifEqual "Disk Type:" 6
76 | big-endian hexadecimal uint32 " => Reserved (deprecated)"
77 | endIf
78 | hex 4 "Checksum"
79 | hex 16 "Unique ID (hex)"
80 | move -16
81 | GUID "Unique ID"
82 | // 427 bytes of Reserved space (zeros)
83 | endSection
84 |
85 | ifEqual "Disk Type:" 3
86 | gotoex "Data Offset (dec)"
87 | else
88 | ifEqual "Disk Type:" 4
89 | gotoex "Data Offset (dec)"
90 | else
91 | end
92 | endIf
93 |
94 | Section "VHD - Dynamic/Differencing Disk Header"
95 | char[8] "Dynamic header signature" // usually "cxsparse"
96 | hex 8 "Data Offset (hex)" // currently unused, should be 0xFFFFFFFF
97 | big-endian hexadecimal int64 "Block Allocation Table Offset (hex)" // absolute byte offset to the Block Allocation Table
98 | move -8
99 | big-endian int64 "Block Allocation Table Offset (dec)"
100 | big-endian uint16 "Header Major version"
101 | big-endian uint16 "Header Minor version"
102 | big-endian uint32 "Max_Table_Entries" //This should be equal to the number of blocks in the disk (disk size/block size)
103 | big-endian uint32 "Block Size (sector size in bytes)" // The sectors per block must always be a power of two
104 | hex 4 "Checksum"
105 | hex 16 "Parent Unique ID (hex)"
106 | move -16
107 | GUID "Parent Unique ID"
108 | big-endian uint32 "Parent Timestamp (sec since 1/1/2000)"
109 | move 4 // skip 4 reserved bytes
110 | big-endian string16 256 "Parent Unicode Name"
111 | endSection
112 |
113 | ifEqual "Disk Type:" 4
114 | move 0
115 | else
116 | end
117 | endIF
118 |
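119 | ifGreater "Max_Table_Entries" 0
120 | numbering 0 {
121 | Section "Parent Locator Entry #~"
122 | char[4] "Platform Code"
123 | big-endian uint32 "Number of 512-byte sectors" // Platform Data Space
124 | big-endian uint32 "Size of Parent HD locator in bytes" // Platform Data Length
125 | move 4 // skip 4 reserved bytes
126 | big-endian hexadecimal int64 "Platform Data Offset (hex)" // absolute file offset of the locator data; shown only, not followed
127 | move -8
128 | big-endian int64 "Platform Data Offset (dec)"
129 | endSection
130 | }[8] // the dynamic disk header holds a fixed array of 8 locator entries (24 bytes each); the BAT entry count is unrelated, and "Max_nr_of_BAT_entries" is not defined in this template
131 | endIf
132 | End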
133 |
134 |
135 |
136 |
--------------------------------------------------------------------------------
/VMDK Header.tpl:
--------------------------------------------------------------------------------
1 | template "VMDK Header"
2 |
3 | // Costas Katsavounidis - 2021 v.1
4 | // kacos2000 [at] gmail.com
5 | // https://github.com/kacos2000
6 |
7 | // To be applied to byte 0 of a vmdk file
8 |
9 | description "VMDK Header"
10 | applies_to file
11 | requires 0 "4B 44 4D 56" // Signature: 'VMDK' in le
12 | read-only
13 |
14 | // Reference: https://www.vmware.com/support/developer/vddk/vmdk_50_technote.pdf
15 |
16 | begin
17 | section "VMDK Header"
18 | hex 4 "File Signature"
19 | move -4
20 | little-endian char[4] "File Signature"
21 | uint32 "Version" // 1 or 2
22 | hex 4 "Flags"
23 | int64 "Capacity (Sectors)"
24 | int64 "Grain Size (Sectors - pow 2)"
25 | int64 "Descriptor Offset (sector)"
26 | int64 "Descriptor Size (sectors)"
27 | uint32 "Nr of # in a Grain Table"
28 | int64 "Offset to redundant level0 of Metadata"
29 | int64 "Offset to level0 of Metadata"
30 | int64 "Nr of Sectors occupied by Metadata"
31 | boolean "Unclean Shutdown"
32 | hex 1 "Single End of Line Ch (ASCII)"
33 | hex 1 "Non End of Line Ch (ASCII)"
34 | hex 1 "Double End of Line Ch 1 (ASCII)"
35 | hex 1 "Double End of Line Ch 2 (ASCII)"
36 | uint16 "Compression Algorithm"
37 | move 433 // Padding
38 | endSection
39 | ifEqual "Descriptor Offset (sector)" 1
40 | string 32 "Descriptor start"
41 | endIf
42 | end
43 |
--------------------------------------------------------------------------------
/WinHex_additional/AFP_Structured_Fields.tpl:
--------------------------------------------------------------------------------
1 | template "AFP Datastream"
2 |
3 | // IBM's Advanced Function Presentation Datastream
4 |
5 | description "IBM's AFP Datastream, with x'5A' Structured Fields"
6 |
7 | applies_to file
8 | fixed_start 00
9 | requires 00 "5A"
10 | big-endian
11 | multiple
12 |
13 | begin
14 | section "Introducer"
15 | read-only hex 1 "Carriage Control, 5A = AFP"
16 | uint16 "SF Length"
17 | endsection
18 |
19 | section "Structured Field Data"
20 | hex 3 "SF Identifier"
21 | move -3
22 | read-only hex 1 "> Class Code, D3 = MO:DCA"
23 | hex 1 "> Type Code"
24 | hex 1 "> Category Code"
25 | binary "Flags (SFI Ext/Segmentation)"
26 | read-only hex 2 "Reserved"
27 | endsection
28 |
29 | section "Entire MOD:CA Record"
30 | move -8
31 | read-only hex "SF Length" "AFP Record"
32 | endsection
33 |
34 | end
35 |
--------------------------------------------------------------------------------
/WinHex_additional/BMP.tpl:
--------------------------------------------------------------------------------
1 | template "BMP File Format (with Palette)"
2 |
3 | // Template by Khomenko Volodymyr, Ukraine.
4 |
5 | description "Structure of a BMP image file"
6 | appliesto file
7 |
8 | requires 0x00 "42 4D" // 'BM'
9 |
10 | begin
11 | section "BMP File Header"
12 | read-only char[2] "BMP_ID" // 00
13 | uint32 "File size" // 02
14 | uint32 "Reserved" // 06
15 | uint32 "ImageDataOffset" // 0A
16 | endsection
17 |
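18 | section "BMP Info Header"
19 | uint32 "HeaderSize" // 0E - 40 for BITMAPINFOHEADER; later header versions are larger and push the palette further down
20 | int32 "Width" // 12 - signed in the format
21 | int32 "Height" // 16 - signed; a negative value marks a top-down bitmap
22 | uint16 "Planes" // 1A
23 | uint16 "BPP" // 1C
24 | uint32 "CompressionMethod" // 1E
25 | uint32 "ImageSize" // 22
26 | uint32 "XPixelsPerMeter" // 26
27 | uint32 "YPixelsPerMeter" // 2A
28 | uint32 "PaletteSize" // 2E - read from the file and used unchecked as the repeat count of the palette loop
29 | uint32 "ColorsImportant" // 32
30 | endsection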
31 |
32 | section "Palette(If PaletteSize=0 then no palette)"
33 | numbering 0
34 |
35 | {
36 | byte "B[~]"
37 | byte "G[~]"
38 | byte "R[~]"
39 | byte "A[~]"
40 |
41 | } [PaletteSize]
42 | endsection
43 | end
44 |
--------------------------------------------------------------------------------
/WinHex_additional/CDFS Directory Entry Ascii.tpl:
--------------------------------------------------------------------------------
1 | template "CDFS Directory Entries"
2 |
3 | // Template by Christopher Taylor
4 | // taylormade@rocketmail.com
5 |
6 |
7 | // Template for the Directory Entries on a CD
8 | //
9 |
10 |
11 | description "ISO9660 Directory Entries containing ASCII Filenames"
12 | applies_to disk
13 | sector-aligned
14 | multiple
15 |
16 | begin
17 |
18 | uint8 "Record_Length"
19 | uint8 "Extended Attribute Record Length"
20 | uint32 "First Sector of file data or directory"
21 | move 4
22 | uint32 "Size in bytes of file data or directory"
23 | move 4
24 | uint8 "Years 1900+"
25 | uint8 "Month"
26 | uint8 "Day"
27 | uint8 "Hours"
28 | uint8 "Minutes"
29 | uint8 "Seconds"
30 | int8 "GMT offset, in 15-minute intervals"
31 | binary "Flags"
32 |
33 | // flags, with bits as follows:
34 | // bit value
35 | // ------ ------------------------------------------
36 | // 0 (LS) 0 for a normal file, 1 for a hidden file
37 | // 1 0 for a file, 1 for a directory
38 | // 2 0 [1 for an associated file]
39 | // 3 0 [1 for record format specified]
40 | // 4 0 [1 for permissions specified]
41 | // 5 0
42 | // 6 0
43 | // 7 (MS) 0 [1 if not the final record for the file]
44 |
45 | hex 1 "Interleave Unit Size"
46 | hex 1 "Interleave Gap Size"
47 | int16 "Volume Sequence Number"
48 | move 2
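49 | uint8 "Filename_Length" // one unsigned byte on disc; as int8 a length above 127 turns negative
50 |
51 | string Filename_Length "Filename ASCII" // length comes from the record itself and is not checked against Record_Length
52 | // string16 (Filename_Length/2) "Filename Unicode"
53 |
54 | goto Record_Length // NOTE(review): Record_Length is 0 in end-of-sector padding; confirm how 'multiple' steps on from such a record
55 |
56 | end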
--------------------------------------------------------------------------------
/WinHex_additional/CDFS Directory Entry Unicode.tpl:
--------------------------------------------------------------------------------
1 | template "CDFS Directory Entries"
2 |
3 | // Template by Christopher Taylor
4 | // taylormade@rocketmail.com
5 |
6 |
7 | // Template for the Directory Entries on a CD
8 | //
9 |
10 |
11 | description "ISO9660 Directory Entries containing Unicode Filenames"
12 | applies_to disk
13 | sector-aligned
14 | multiple
15 |
16 | begin
17 |
18 | uint8 "Record_Length"
19 | uint8 "Extended Attribute Record Length"
20 | uint32 "First Sector of file data or directory"
21 | move 4
22 | uint32 "Size in bytes of file data or directory"
23 | move 4
24 | uint8 "Years 1900+"
25 | uint8 "Month"
26 | uint8 "Day"
27 | uint8 "Hours"
28 | uint8 "Minutes"
29 | uint8 "Seconds"
30 | int8 "GMT offset, in 15-minute intervals"
31 | binary "Flags"
32 |
33 | // flags, with bits as follows:
34 | // bit value
35 | // ------ ------------------------------------------
36 | // 0 (LS) 0 for a normal file, 1 for a hidden file
37 | // 1 0 for a file, 1 for a directory
38 | // 2 0 [1 for an associated file]
39 | // 3 0 [1 for record format specified]
40 | // 4 0 [1 for permissions specified]
41 | // 5 0
42 | // 6 0
43 | // 7 (MS) 0 [1 if not the final record for the file]
44 |
45 | hex 1 "Interleave Unit Size"
46 | hex 1 "Interleave Gap Size"
47 | int16 "Volume Sequence Number"
48 | move 2
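49 | uint8 "Filename_Length" // one unsigned byte on disc, counted in bytes; as int8 a length above 127 turns negative
50 |
51 | // string Filename_Length "Filename ASCII"
52 | big-endian string16 (Filename_Length/2) "Filename Unicode" // string16 counts characters, hence bytes/2
53 |
54 | goto Record_Length // NOTE(review): Record_Length is 0 in end-of-sector padding; confirm how 'multiple' steps on from such a record
55 |
56 | end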
--------------------------------------------------------------------------------
/WinHex_additional/CDFS Path Tables Ascii.tpl:
--------------------------------------------------------------------------------
1 | template "CDFS Path Tables"
2 |
3 | // Template by Christopher Taylor
4 | // taylormade@rocketmail.com
5 |
6 |
7 | // Template for the Path Tables of CDs
8 | //
9 |
10 |
11 | description "ISO9660 Path Tables in ASCII (used to build folder tree structure)"
12 | applies_to disk
13 | sector-aligned
14 | multiple
15 |
16 | begin
17 |
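18 | { section ""
19 | uint8 "Name_Length" // identifier length in bytes; one unsigned byte, so never shown as negative
20 | int8 "sectors in extended attribute record"
21 | int32 "first sector in the directory"
22 | int16 "record for parent directory"
23 | char["Name_Length"] "Folder Name" // length is taken from the entry as-is
24 | // move over a padding byte if the name is an odd number of bytes long
25 | IfEqual (Name_Length%2) 1
26 | move 1
27 | EndIf
28 |
29 | } [20]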
30 |
31 | end
--------------------------------------------------------------------------------
/WinHex_additional/CDFS Path Tables Unicode.tpl:
--------------------------------------------------------------------------------
1 | template "CDFS Path Tables"
2 |
3 | // Template by Christopher Taylor
4 | // taylormade@rocketmail.com
5 |
6 |
7 | // Template for the Path Tables of CDs
8 | //
9 |
10 |
11 | description "ISO9660 Path Tables in Unicode (used to build folder tree structure)"
12 | applies_to disk
13 | sector-aligned
14 | multiple
15 |
16 | begin
17 |
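18 | { section ""
19 | uint8 "Name_Length" // identifier length in bytes; as int8 a 128-byte name would read as -128
20 | int8 "sectors in extended attribute record"
21 | int32 "first sector in the directory"
22 | int16 "record for parent directory"
23 | big-endian string16 (Name_Length/2) "Folder Name" // string16 counts characters, hence bytes/2
24 | // move over a padding byte if the name is an odd number of bytes long
25 | IfEqual (Name_Length%2) 1
26 | move 1
27 | EndIf
28 |
29 | } [20]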
30 |
31 | end
--------------------------------------------------------------------------------
/WinHex_additional/CDFS Volume Descriptor.tpl:
--------------------------------------------------------------------------------
1 | template "CDFS Volume Descriptor"
2 |
3 | // Template by Christopher Taylor
4 | // taylormade@rocketmail.com
5 |
6 |
7 | // Template for the volume descriptor found in sector 16 of CDs
8 | //
9 |
10 |
11 | description "ISO9660 Volume Descriptor"
12 | applies_to disk
13 | sector-aligned
14 | multiple
15 |
16 | begin
17 |
18 | hex 1 "entry number"
19 | char[5] "Volume Descriptor Set Terminator"
20 | move 2
21 | char[32] "system identifier"
22 | char[32] "volume identifier"
23 | move 8
24 | // the next several numbers are stored in both byte orders, so we read the first copy as a
25 | // little-endian number and skip the second copy, which is the same number in
26 | // big-endian, i.e. the 32-bit value 1 is stored as 01 00 00 00 00 00 00 01
27 | int32 "total number of sectors"
28 | move 4
29 | move 32 // always zeros
30 | int16 "volume set size"
31 | move 2
32 | int16 "volume sequence number"
33 | move 2
34 | int16 "sector size"
35 | move 2
36 | int32 "path table length in bytes"
37 | move 4
38 | little-endian int32 "sector containing first little endian path table"
39 | little-endian int32 "sector containing second little endian path table"
40 | big-endian int32 "sector containing first big endian path table"
41 | big-endian int32 "sector containing second big endian path table"
42 |
43 | section "root directory record" // 34 bytes total
44 | int8 "bytes in the record (which must be even)"
45 | int8 "sectors in extended attribute record"
46 | int32 "first sector of file data or directory"
47 | move 4
48 | int32 "bytes of file data or length of directory"
49 | move 4
50 | int8 "years since 1900"
51 | int8 "month"
52 | int8 "day"
53 | int8 "hour"
54 | int8 "minute"
55 | int8 "second"
56 | int8 "GMT offset, in 15-minute intervals"
57 | binary "flags"
58 | hex 1 "file unit size for an interleaved file"
59 | hex 1 "interleave gap size for an interleaved file"
60 | int16 "volume sequence number"
61 | move 2
62 | hex 1 "identifier length"
63 | hex 1 "identifier"
64 |
65 | Section "Identifiers - ASCII"
66 | string 128 "volume set identifier"
67 | string 128 "publisher identifier"
68 | string 128 "data preparer identifier"
69 | string 128 "application identifier"
70 | string 37 "copyright file identifier"
71 | string 37 "abstract file identifier"
72 | string 37 "bibliographical file identifier"
73 | move -623
74 |
75 | section "Identifiers - Unicode"
76 | big-endian string16 64 "volume set identifier"
77 | big-endian string16 64 "publisher identifier"
78 | big-endian string16 64 "data preparer identifier"
79 | big-endian string16 64 "application identifier"
80 | big-endian string16 18 "copyright file identifier"
81 | move 1
82 | big-endian string16 18 "abstract file identifier"
83 | move 1
84 | big-endian string16 18 "bibliographical file identifier"
85 | move 1
86 |
87 | section "volume creation"
88 | char[8] "yyyymmdd"
89 | char[8] "hhmmssss"
90 | int8 "GMT offset, in 15-minute intervals"
91 |
92 | section "most recent modification"
93 | char[8] "yyyymmdd"
94 | char[8] "hhmmssss"
95 | int8 "GMT offset, in 15-minute intervals"
96 |
97 | section "volume expires"
98 | char[8] "yyyymmdd"
99 | char[8] "hhmmssss"
100 | int8 "GMT offset, in 15-minute intervals"
101 |
102 | section "volume effective from"
103 | char[8] "yyyymmdd"
104 | char[8] "hhmmssss"
105 | int8 "GMT offset, in 15-minute intervals"
106 |
107 | // to get to end of record
108 | move 2 // always 0x0100
109 | move 512 // reserved for application (but never used)
110 | move 653 // always 0x00
111 |
112 | end
--------------------------------------------------------------------------------
/WinHex_additional/DOS_exe.tpl:
--------------------------------------------------------------------------------
1 | template "DOS exe header"
2 | description "Header of DOS executables (IMAGE_DOS_HEADER)"
3 | requires 0 "4D 5A"
4 | hexadecimal
5 |
6 | // based on
7 | // http://www.delorie.com/djgpp/doc/exe/
8 | // http://www.tavi.co.uk/phobos/exeformat.html
9 |
10 | // 2017 fenugrec
11 |
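12 | begin
13 | read-only uint16 signature // e_magic, "MZ" (4D 5A); the only field this template marks read-only
14 | uint16 bytes_in_last_page // e_cblp
15 | uint16 pages_in_file // e_cp, in 512-byte pages
16 | uint16 num_relocs // e_crlc
17 | uint16 header_paragraphs // e_cparhdr, in 16-byte paragraphs
18 | uint16 min_extra_paragraphs // e_minalloc
19 | uint16 max_extra_paragraphs // e_maxalloc
20 | uint16 initial_ss // e_ss
21 | uint16 initial_sp // e_sp
22 | uint16 cks // e_csum, checksum
23 | uint16 initial_ip // e_ip
24 | uint16 initial_cs // e_cs
25 | uint16 reloc_table_offset // e_lfarlc
26 | uint16 overlay_number // e_ovno; last field shown - e_lfanew at offset 0x3C (pointer to the PE header) is not covered
27 | end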
--------------------------------------------------------------------------------
/WinHex_additional/EVT_Cursor.tpl:
--------------------------------------------------------------------------------
1 | template "EVT Cursor"
2 |
3 | // Template by Andreas Schuster
4 | // andreas.schuster@telekom.de
5 | // Version 1.0 - 20050301
6 |
7 | // This record separates the latest event record from free space or from the
8 | // oldest event record, respectively.
9 | // Search for the "required" byte sequence shown below to locate the record.
10 |
11 | description "Microsoft Windows Eventlog - Cursor Record"
12 | applies_to file
13 | requires 0 "28 00 00 00 11 11 11 11 22 22 22 22 33 33 33 33 44 44 44 44"
14 | begin
15 | hexadecimal uint32 "Length1"
16 | hex 16 "Magic"
17 | // offset of the first record
18 | hexadecimal uint32 "OfsFirst"
19 | // offset
20 | hexadecimal uint32 "OfsNext"
21 | uint32 "NumNext"
22 | uint32 "NumFirst"
23 | hexadecimal uint32 "Length2"
24 | end
--------------------------------------------------------------------------------
/WinHex_additional/EVT_Event.tpl:
--------------------------------------------------------------------------------
1 | template "EVT Event"
2 |
3 | // Template by Andreas Schuster
4 | // andreas.schuster@telekom.de
5 | // Version 1.0 - 20050301
6 |
7 | description "Microsoft Windows Eventlog - Event Record"
8 | applies_to file
9 | requires 4 "4C 66 4C 65"
10 | begin
11 | hexadecimal uint32 "Length1"
12 | char[4] "Magic"
13 | uint32 "RecordNumber"
14 | time_t "TimeGenerated"
15 | time_t "TimeWritten"
16 | section "EventId"
17 | uint16 "Code"
18 | move -2
19 | uint_flex "16,17,18,19,20,21,22,23,24,25,26,27" "Facility"
20 | move -4
21 | uint_flex "28" "reserved"
22 | move -4
23 | uint_flex "29" "Customer"
24 | move -4
25 | uint_flex "30,31" "Severity"
26 | endsection
27 | uint16 "EventType"
28 | uint16 "NumInsertionStrings"
29 | uint16 "EventCategory"
30 | uint16 "reserved"
31 | uint32 "ClosingRecord"
32 | uint32 "OfsStrings"
33 | uint32 "LenSid"
34 | uint32 "OfsSid"
35 | uint32 "LenEventData"
36 | uint32 "OfsEventData"
37 |
38 | zstring16 "EventSource"
39 | zstring16 "ComputerName"
40 |
41 | IfGreater LenSid 0 // the SID is optional; its offset and length are fields of this record
42 | goto OfsSid
43 | hex LenSid "SID" // raw SID bytes; the length is taken from the record as-is
44 | EndIf
45 |
46 | // Insertion Strings: read from the current position, not from OfsStrings (NOTE(review): presumably they follow the SID directly - confirm)
47 | IfGreater NumInsertionStrings 0
48 | numbering 1
49 | {
50 | zstring16 "String ~"
51 | }[NumInsertionStrings]
52 | EndIf
53 |
54 | //Event Data: shown twice from the same offset, once as hex and once as text
55 | IfGreater LenEventData 0
56 | goto OfsEventData
57 | hex LenEventData "EventData (hex)"
58 | goto OfsEventData
59 | zstring "EventData (ascii)" // reads up to the first NUL, so it is not bounded by LenEventData
60 | EndIf
61 |
62 | goto Length1 // jump to the end of the record, using the length read at its start
63 | move -4
64 | hexadecimal uint32 "Length2" // last 4 bytes of the record; NOTE(review): presumably a copy of Length1 - a mismatch would point to a damaged or overwritten record
65 | end
--------------------------------------------------------------------------------
/WinHex_additional/EVT_Header.tpl:
--------------------------------------------------------------------------------
1 | template "EVT Header"
2 |
3 | // Template by Andreas Schuster
4 | // andreas.schuster@telekom.de
5 | // Version 1.0 - 20050301
6 |
7 | // Every EVT file starts with the header record.
8 | // CAVE: Data is not valid if the DIRTY flag is set!
9 | // Look for the "Cursor" instead.
10 |
11 | description "Microsoft Windows Eventlog - Header Record"
12 | applies_to file
13 | fixed_start 0
14 | requires 0 "30 00 00 00 4C 66 4C 65"
15 | begin
16 | hexadecimal uint32 "Length1"
17 | char[4] "Magic"
18 | uint32 "unknown1"
19 | uint32 "unknown2"
20 | hexadecimal uint32 "OfsFirst"
21 | hexadecimal uint32 "OfsNext"
22 | uint32 "NumNext"
23 | uint32 "NumFirst"
24 | uint32 "Filesize"
25 | section "Flags"
26 | hex 4 "Overview"
27 | move -4
28 | uint_flex "0" "DIRTY"
29 | move -4
30 | uint_flex "1" "WRAPPED"
31 | move -4
32 | uint_flex "2" "LOGFULL"
33 | move -4
34 | uint_flex "3" "PRIMARY"
35 | endsection
36 | decimal uint32 "Retention"
37 | hexadecimal uint32 "Length2"
38 | end
--------------------------------------------------------------------------------
/WinHex_additional/FAT16_Entry.tpl:
--------------------------------------------------------------------------------
1 | template "FAT16 Entry"
2 |
3 | // Template by Paul Mullen, 7/14/2000
4 |
5 | description "Must start at start of FAT to get numbers right."
6 | appliesto disk
7 | sector-aligned
8 |
9 | // requires 0 "F8 FF" //first bytes of valid FAT16
10 |
11 | // Further instructions:
12 | // Specify a cluster number x as the "record #"
13 | // and press ENTER. Then you will be given the
14 | // number of the cluster following cluster x in
15 | // the cluster chain of the corresponding file.
16 |
17 | multiple
18 |
19 | begin
20 | uint16 "Next cluster"
21 | move -2
22 | hex 2 "as hex (FF FF=End)"
23 | end
--------------------------------------------------------------------------------
/WinHex_additional/FAT32_Entry.tpl:
--------------------------------------------------------------------------------
1 | template "FAT32 Entry"
2 | // Shows one 4-byte FAT32 table entry twice: as a decimal cluster number and as raw hex.
3 | // Template by Stefan Fleischmann
4 | // Based on template by Paul Mullen
5 |
6 | description "Must start at start of FAT to get numbers right."
7 | appliesto disk
8 | sector-aligned
9 | // NOTE(review): the signature check on the next line is disabled, so the start-of-FAT position is not verified; confirm it by hand.
10 | // requires 0 "F8 FF" //first bytes of valid FAT32
11 |
12 | // Further instructions:
13 | // Specify a cluster number x as the "record #"
14 | // and press ENTER. Then you will be given the
15 | // number of the cluster following cluster x in
16 | // the cluster chain of the corresponding file.
17 | // Per the FAT specification only the low 28 bits of an entry are the cluster number; the top 4 bits are reserved.
18 | multiple
19 |
20 | begin
21 | uint32 "Next cluster" // raw 32-bit value, reserved top 4 bits included; mask with 0x0FFFFFFF before comparing
22 | move -4 // rewind so the same four bytes are shown again as hex
23 | hex 4 "as hex (FF FF=End)" // end of chain is 0x0FFFFFF8-0x0FFFFFFF after masking (stored low byte first)
24 | end
--------------------------------------------------------------------------------
/WinHex_additional/FSINFO_Sector.tpl:
--------------------------------------------------------------------------------
1 | template "FAT32 FSINFO Sector"
2 | // Shows the signatures and the two free-space hint fields of a FAT32 FSINFO sector.
3 | // Template by Stefan Fleischmann
4 | // To be applied to sector 1 of a FAT32-formatted logical drive.
5 | // Based on the information provided at
6 | // http://hjem.get2net.dk/rune_moeller_barnkob/filesystems/fat32.html
7 |
8 | description "Contains additional information about the volume"
9 | appliesto disk
10 | sector-aligned
11 | requires 0x1E4 "72 72 41 61"
12 | requires 0x1FE "55 AA"
13 | // Only the signatures at 0x1E4 and 0x1FE are enforced; the 4 bytes at offset 0 are displayed but not checked.
14 | begin
15 | hex 4 "Extended boot signature" // NOTE(review): the FAT32 specification calls this the FSINFO lead signature, 52 52 61 41 ("RRaA")
16 | goto 0x1E4
17 | hex 4 "FSINFO signature"
18 | // The FAT specification treats both values below as hints that may be stale; validate them against the FAT itself.
19 | int32 "Free cluster count (-1=unknown)"
20 | int32 "Next free cluster"
21 | // The number of the cluster that was most recently
22 | // allocated. Allows improved performance.
23 |
24 | goto 0x1FE
25 | hex 2 "FSINFO ending signature"
26 | end
--------------------------------------------------------------------------------
/WinHex_additional/HFSPlus_B-Tree_Header.tpl:
--------------------------------------------------------------------------------
1 | template "HFS+ B-Tree Header"
2 | description "To be applied to the beginning of a B-Tree file"
3 | // Lays out the first node of a B-tree file: 14-byte node descriptor, header record, user data record, map record.
4 | //Template by Jens Kirschner, 2009
5 | // NOTE(review): there is no requires line, so every value shown is read from the media without validation.
6 |
7 | applies_to disk
8 | sector-aligned
9 | Big-Endian
10 |
11 | begin
12 | section "Node Descriptor"
13 | UInt32 "NextNode"
14 | UInt32 "PreviousNode"
15 | Int8 "NodeType" // per Apple TN1150: -1 leaf, 0 index, 1 header, 2 map; a header node is expected here
16 | UInt8 "HeightInTree"
17 | UInt16 "NumRecords"
18 | hex 2 "reserved"
19 |
20 | section "Header Record"
21 | UInt16 "TreeDepth"
22 | UInt32 "RootNode"
23 | UInt32 "LeafRecords"
24 | UInt32 "FirstLeafNode"
25 | UInt32 "LastLeafNode"
26 | UInt16 "NodeSize" // displayed only; the template does not use it to size the records below
27 | UInt16 "MaxKeyLength"
28 | UInt32 "TotalNodes"
29 | UInt32 "FreeNodes"
30 | hex 2 "reserved"
31 | UInt32 "ClumpSize"
32 | UInt8 "BTreeType"
33 | hex 1 "KeyCompareType" //CF: Case Fold (case-insensitive); BC: Binary Compare (case-sensitive, HFSX only)
34 | hex 4 "attributes"
35 | {
36 | hex 16 "reserved"
37 | }[4]
38 | // 8 x 16 = 128 reserved bytes of user data follow.
39 | section "User Data Record"
40 | {
41 | hex 16 "reserved"
42 | }[8]
43 |
44 | section "Map Record"
45 | {
46 | hex 16 "BitmapFirst256B" //The Map Record is of varying size! I just fixed this to 256 Bytes for simplicity.
47 | }[16]
48 | end
--------------------------------------------------------------------------------
/WinHex_additional/HFSPlus_Catalog_Key.tpl:
--------------------------------------------------------------------------------
1 | template "HFS+ Catalog Key"
2 | description "Includes following file or folder record"
3 | // Decodes one catalog key followed by the record it points to, using the folder or the file layout.
4 | // Starts with parent folder's CNID and name of the file or folder
5 | // NOTE(review): no requires line and no alignment; the start position must be chosen by the examiner.
6 | big-endian
7 | applies_to disk
8 |
9 | begin
10 | UInt16 keyLength
11 | UInt32 parentID
12 | UInt16 NodeNameLen // taken from disk and used unchecked as the name length on the next line
13 | String16 NodeNameLen nodeName
14 |
15 | Int16 recordType
16 | // NOTE(review): Apple TN1150 defines 1 = folder, 2 = file, 3 = folder thread, 4 = file thread. Only 1 is tested; every other value, thread records included, is shown with the file layout below.
17 | IfEqual recordType 1
18 | section "Folder Record"
19 | UInt16 flags
20 | UInt32 valence
21 | uint32 folderID
22 | AppleDateTime createDate
23 | AppleDateTime contentModDate
24 | AppleDateTime attributeModDate
25 | AppleDateTime accessDate
26 | AppleDateTime backupDate
27 |
28 | // HFSPlusBSDInfo permissions
29 | UInt32 ownerID
30 | UInt32 groupID
31 | UInt8 adminFlags
32 | UInt8 ownerFlags
33 | octal UInt16 fileMode
34 | UInt32 "iNodeNum or linkCount or rawDevice"
35 |
36 | hex 20 FolderUserInfo
37 | hex 20 ExtendedFolderFinderInfo
38 |
39 | UInt32 textEncoding
40 | UInt32 reserved
41 | Else
42 | section "File Record"
43 | UInt16 flags
44 | UInt32 reserved
45 | uint32 fileID
46 | AppleDateTime createDate
47 | AppleDateTime contentModDate
48 | AppleDateTime attributeModDate
49 | AppleDateTime accessDate
50 | AppleDateTime backupDate
51 |
52 | // HFSPlusBSDInfo permissions
53 | UInt32 ownerID
54 | UInt32 groupID
55 | UInt8 adminFlags
56 | UInt8 ownerFlags
57 | octal UInt16 fileMode
58 | UInt32 "iNodeNum or linkCount or rawDevice"
59 |
60 | hex 20 UserInfo
61 | hex 20 FinderInfo
62 | // Each fork below: logical size, clump size, total blocks, then eight (startBlock, blockCount) extents.
63 | section "dataFork"
64 | Int64 logicalSize
65 | UInt32 clumpSize
66 | UInt32 totalBlocks
67 | {
68 | UInt32 startBlock
69 | UInt32 blockCount
70 | }[8]
71 |
72 | section "resourceFork"
73 | Int64 logicalSize
74 | UInt32 clumpSize
75 | UInt32 totalBlocks
76 | {
77 | UInt32 startBlock
78 | UInt32 blockCount
79 | }[8]
80 | EndIf
81 | end
--------------------------------------------------------------------------------
/WinHex_additional/HFSPlus_Index_Node.tpl:
--------------------------------------------------------------------------------
1 | template "HFS+ Index Node"
2 | description "To be applied to the beginning of an index node in a HFS+ special file"
3 | // Shows the 14-byte node descriptor and only the first pointer record of an index node.
4 | //Template by Jens Kirschner, 2009
5 | // NOTE(review): there is no requires line; nothing confirms that the chosen sector really is an index node.
6 | applies_to disk
7 | sector-aligned
8 | Big-Endian
9 |
10 | begin
11 | section "Node Descriptor"
12 | UInt32 "NextNode"
13 | UInt32 "PreviousNode"
14 | Int8 "NodeType" // per Apple TN1150: -1 leaf, 0 index, 1 header, 2 map; check this before trusting the rest
15 | UInt8 "HeightInTree"
16 | UInt16 "NumRecords" // displayed only; the remaining records are not decoded
17 | hex 2 "reserved"
18 |
19 | section "First Pointer"
20 | UInt16 keyLength
21 | UInt32 parentID
22 | UInt16 NameLen // taken from disk and used unchecked as the name length on the next line
23 | String16 NameLen Name
24 | UInt32 NodeNumber
25 |
26 | end
--------------------------------------------------------------------------------
/WinHex_additional/HFSPlus_Volume_Header.tpl:
--------------------------------------------------------------------------------
1 | template "HFS+ Volume Header"
2 | description "Located 1024 bytes from the start of the volume"
3 | // Decodes the HFS+/HFSX volume header: identity fields, dates, allocation counters, Finder info and the five special-file forks.
4 | // Template by Stefan Fleischmann
5 | // X-Ways Software Technology AG
6 |
7 | // Modified by Jens Kirschner
8 | // 7Safe Information Security Ltd.
9 |
10 | // A copy of this volume header, the alternate volume header, is stored starting 1024 bytes before the end of the volume.
11 | // NOTE(review): there is no requires line for the signature, so unrelated sectors decode too; check the signature field first.
12 | big-endian
13 | sector-aligned
14 | applies_to disk
15 |
16 | begin
17 | char[2] signature //H+ or HX
18 | UInt16 version
19 | Hex 4 attributes //00 00 08 00 set? Volume Inconsistent!
20 | char[4] lastMountedVersion //HFSJ if journaled, 10.0 if not; fsck and other tools also possible
21 | UInt32 journalInfoBlock
22 | // Per Apple TN1150, createDate is stored in local time; the other three dates are GMT.
23 | AppleDateTime createDate
24 | AppleDateTime modifyDate
25 | AppleDateTime backupDate
26 | AppleDateTime checkedDate
27 |
28 | UInt32 fileCount
29 | UInt32 folderCount
30 |
31 | UInt32 blockSize
32 | UInt32 totalBlocks
33 | UInt32 freeBlocks
34 |
35 | UInt32 nextAllocation
36 | UInt32 rsrcClumpSize
37 | UInt32 dataClumpSize
38 | UInt32 nextCatalogID
39 |
40 | UInt32 writeCount
41 | Hex 8 encodingsBitmap
42 |
43 | section "FinderInfo Array"
44 |
45 | UInt32 "OS Dir ID"
46 | UInt32 "Finder Dir ID"
47 | UInt32 "Mount Open Dir"
48 | UInt32 "OS8/9 Dir ID"
49 | UInt32 "reserved"
50 | UInt32 "OS X Dir ID"
51 | Int64 "Volume ID (Int64)"
52 | move -8 // rewind so the same 8 bytes are shown again as hex
53 | Hex 8 "Volume ID (Hex)"
54 | // Each fork below: logical size, clump size, total blocks, then eight (startBlock, blockCount) extents.
55 | section "AllocationFile DataFork"
56 | Int64 logicalSize
57 | UInt32 clumpSize
58 | UInt32 totalBlocks
59 | {
60 | UInt32 startBlock
61 | UInt32 blockCount
62 | }[8]
63 |
64 | section "ExtentsOverflowFile DataFork"
65 | Int64 logicalSize
66 | UInt32 clumpSize
67 | UInt32 totalBlocks
68 | {
69 | UInt32 startBlock
70 | UInt32 blockCount
71 | }[8]
72 |
73 | section "CatalogFile DataFork"
74 | Int64 logicalSize
75 | UInt32 clumpSize
76 | UInt32 totalBlocks
77 | {
78 | UInt32 startBlock
79 | UInt32 blockCount
80 | }[8]
81 |
82 | section "AttributesFile DataFork"
83 | Int64 logicalSize
84 | UInt32 clumpSize
85 | UInt32 totalBlocks
86 | {
87 | UInt32 startBlock
88 | UInt32 blockCount
89 | }[8]
90 |
91 | section "StartupFile DataFork"
92 | Int64 logicalSize
93 | UInt32 clumpSize
94 | UInt32 totalBlocks
95 | {
96 | UInt32 startBlock
97 | UInt32 blockCount
98 | }[8]
99 | end
--------------------------------------------------------------------------------
/WinHex_additional/JFS Superblock.tpl:
--------------------------------------------------------------------------------
1 | template "JFS Superblock"
2 | // Decodes the JFS superblock: geometry, state flags, extent descriptors, timestamps, labels and UUIDs.
3 | // Created by Jens Kirschner
4 | // X-Ways Software Technology AG
5 |
6 | description "JFS Superblock for Linux"
7 | applies_to disk
8 | //sector-aligned
9 | requires 0x0 "4A 46 53 31" //JFS1
10 | // Only the 4-byte magic is enforced; all sizes and block numbers below are shown as stored, without plausibility checks.
11 | begin
12 | char[4] "Magic string JFS1"
13 | uint32 "Version number"
14 |
15 | int64 "Sector count"
16 | uint32 "Block size"
17 | uint16 "log2 of block size"
18 | uint16 "log2 (bl.size/sect.size)"
19 | uint32 "Sector size"
20 | uint16 "log2 of sector size"
21 | uint16 "Padding"
22 | uint32 "Allocation group size"
23 | uint32 "Flags"
24 | uint32 "File system state"
25 | uint32 "Compression"
26 | // NOTE(review): JFS appears to store each extent below as a packed descriptor (24-bit length, 40-bit address); confirm that two plain uint32 values decode it as labelled.
27 | section "Secondary aggregate inode table"
28 | uint32 "Start block"
29 | uint32 "Length"
30 |
31 | section "Secondary aggregate inode map"
32 | uint32 "Start block"
33 | uint32 "Length"
34 |
35 | Section "Log"
36 | uint32 "Device address"
37 | uint32 "Serial no"
38 | uint32 "Start block"
39 | uint32 "Length"
40 |
41 | section "fsck work space"
42 | uint32 "Start block"
43 | uint32 "Length"
44 | endsection
45 |
46 | UNIXDateTime "Last update"
47 | uint32 "Last update nanosec"
48 |
49 | uint32 "fsck log length"
50 | byte "Current fsck log"
51 |
52 | char[11] "Volume name"
53 |
54 | int64 "extendfs size"
55 | section "extendfs fsck"
56 | uint32 "Start block"
57 | uint32 "Length"
58 | section "extendfs log"
59 | uint32 "Start block"
60 | uint32 "Length"
61 | endsection
62 |
63 | char[16] "Volume UUID (ASCII)"
64 | move -16 // rewind so the same 16 bytes are shown again as hex
65 | hex 16 "Volume UUID (hex)"
66 |
67 | char[16] "Volume label"
68 |
69 | char[16] "Log dev UUID (ASCII)"
70 | move -16 // rewind so the same 16 bytes are shown again as hex
71 | hex 16 "Log dev UUID (hex)"
72 |
73 | end
--------------------------------------------------------------------------------
/WinHex_additional/LNK FILE Record.tpl:
--------------------------------------------------------------------------------
1 | template ".LNK FILE Record"
2 | // Template by Steve Guty
3 | // Gnostic Concepts
4 | // Decodes the shortcut header, the file locator table, the volume tables and the optional UTF-16 strings.
5 | // To retrieve useful data from the .LNK file structure
6 |
7 | description "to be applied to .LNK files to extract further data"
8 | // NOTE(review): there is no requires line, and every length and offset below is read from the file itself; a truncated or malformed shortcut misaligns all later fields, so cross-check against the raw hex.
9 | applies_to file
10 | sector-aligned
11 | // NOTE(review): in MS-SHLLINK flag bit 0 = HasLinkTargetIDList, bit 1 = HasLinkInfo, bit 7 = IsUnicode. None of them is tested here; the item ID list and the locator table are always assumed present and strings are always read as UTF-16.
12 | begin
13 | section "File Header"
14 | char[4] "Signature: L" // first 4 header bytes; 'L' is 0x4C
15 | hex 16 "GUID"
16 | binary[1] "display flags"
17 | move -1 // back onto the flag byte; each uint_flex reads 4 bytes, hence the move -4 between them
18 | uint_flex "2" "D$" //flag for descriptor string entry
19 | move -4
20 | uint_flex "3" "RP" //flag for relative path entry
21 | move -4
22 | uint_flex "4" "WD" //flag for working directory entry
23 | move -4
24 | uint_flex "5" "CL" //flag for command line argument entry
25 | move -4
26 | uint_flex "6" "CI" //flag for custom icon entry
27 | binary[2]"attributes"
28 | move 2
29 | Filetime "Create Time"
30 | Filetime "Last Modified Time"
31 | Filetime "Last Access Time"
32 | int32 "File Length"
33 | int32 "Icon number"
34 | int32 "ShowWnd value"
35 | int32 "Hotkey"
36 | int64 "Always zero"
37 | int16 "Offset" // used as the byte count to skip on the next line (presumably the item ID list size - confirm)
38 | move Offset
39 | endsection
40 |
41 | Section "File locator table"
42 | int32 "File locator table length"
43 | int32 "Offset to end of table"
44 | uint_flex "1""Network_flag"
45 | move -4
46 | uint_flex "0""Local_flag"
47 | // bit zero indicates local drive availability, bit one network drive availability
48 | int32 "Offset of local volume table"
49 | int32 "Offset of local pathname"
50 | int32 "Offset of network volume info"
51 | int32 "Offset_extended_pathname"
52 | endsection
53 | // The offsets above are displayed but not followed; the tables below are assumed to come next in file order.
54 | IfEqual Local_flag 1
55 | section "Local Volume Table"
56 | int32 "Length of local volume table"
57 | int32 "Volume type (2,6=removable,3=HD,4=network drive,5=CD/DVD)"
58 | hexadecimal uint32 "Volume serial number"
59 | int32 "Offset to volume label"
60 | zstring "Volume Label"
61 | zstring "Local path"
62 | move 1
63 | endsection
64 | EndIf
65 |
66 | IfEqual Network_flag 1
67 | section "Network Volume Table"
68 | int32 " Length of network volume table"
69 | move 4
70 | int32 "Offset of network share name"
71 | move 8
72 | zstring "Network share name"
73 | zstring "Extended Pathname"
74 | endsection
75 | Endif
76 | // Each optional string: a 16-bit character count read as signed int16, then that many UTF-16 characters.
77 | IfEqual D$ 1
78 | int16 "Length_Desc$"
79 | char16[Length_Desc$] "Descriptor String"
80 | Endif
81 |
82 | IfEqual RP 1
83 | int16 "Length_RelPath$"
84 | char16[Length_RelPath$] "Relative Path String"
85 | Endif
86 |
87 | IfEqual WD 1
88 | int16 "Length_WDPath$"
89 | char16[Length_WDPath$] "Working Directory String"
90 | Endif
91 | // The command line string holds the arguments handed to the link target; review it when triaging a suspicious shortcut.
92 | IfEqual CL 1
93 | int16 "Length_CMDLINE$"
94 | char16[Length_CMDLINE$] "Command Line String"
95 | Endif
96 |
97 | IfEqual CI 1
98 | int16 "Length_Icon$"
99 | char16[Length_Icon$] "Icon String"
100 | Endif
101 | end
102 |
103 |
--------------------------------------------------------------------------------
/WinHex_additional/NTFS Data Runs.tpl:
--------------------------------------------------------------------------------
1 | template "NTFS Data Runs"
2 | // Walks a data-run list: per run a header byte, then a cluster count and a cluster start of 1 to 4 bytes each.
3 | //template by Jens Kirschner
4 | //X-Ways Software Technology AG
5 |
6 | description "To be applied to beginning of data runs"
7 | applies_to disk
8 | // NOTE(review): no requires line and no alignment; the start of the run list must be located by the examiner.
9 | begin
10 |
11 | {
12 | uint_flex "3,2,1,0" "ClusterCountSize"
13 | move -4
14 | uint_flex "7,6,5,4" "ClusterStartSize"
15 | move -3 // both nibbles come from the same byte; net effect of the reads and moves is +1 byte
16 |
17 | ifequal ClusterCountSize 0
18 | ExitLoop
19 | endif
20 | // Field sizes above 4 bytes are reported and end the walk; runs after that point are not decoded.
21 | ifGreater ClusterCountSize 4
22 | section "Unsupported value in Data Run"
23 | ExitLoop
24 | endif
25 |
26 | ifGreater ClusterStartSize 4
27 | section "Unsupported value in Data Run"
28 | ExitLoop
29 | endif
30 | // NOTE(review): the count is read with signed types, so a run length with its top bit set would display as negative - confirm against the raw bytes.
31 | ifequal ClusterCountSize 1
32 | int8 ClusterCount
33 | endif
34 |
35 | ifequal ClusterCountSize 2
36 | int16 ClusterCount
37 | endif
38 |
39 | ifequal ClusterCountSize 3
40 | int24 ClusterCount
41 | endif
42 |
43 | ifequal ClusterCountSize 4
44 | int32 ClusterCount
45 | endif
46 |
47 | // NOTE(review): in NTFS the start value is a signed offset relative to the previous run's start, not an absolute cluster number; the template shows it as stored and does not accumulate it.
48 | ifequal ClusterStartSize 0
49 | section "(sparse or compressed)"
50 | endsection
51 | endif
52 |
53 | ifequal ClusterStartSize 1
54 | int8 ClusterStart
55 | endif
56 |
57 | ifequal ClusterStartSize 2
58 | int16 ClusterStart
59 | endif
60 |
61 | ifequal ClusterStartSize 3
62 | int24 ClusterStart
63 | endif
64 |
65 | ifequal ClusterStartSize 4
66 | int32 ClusterStart
67 | endif
68 |
69 | endsection
70 |
71 | }[150] //arbitrary end to avoid infinite loops
72 |
73 | end
--------------------------------------------------------------------------------
/WinHex_additional/NTFS FILE Record.tpl:
--------------------------------------------------------------------------------
1 | template "NTFS FILE Record"
2 | // Decodes the FILE record header, then walks up to 20 attributes, expanding Standard Information and Filename.
3 | // Template by Jens Kirschner
4 | // X-Ways Software Technology AG
5 |
6 | // To be applied to the NTFS Master File Table's (MFT's) FILE records.
7 | // NOTE(review): there is no requires line for the FILE signature; check the signature field before trusting the rest.
8 | description "To be applied to records in the Master File Table"
9 | applies_to disk
10 | sector-aligned
11 | multiple
12 |
13 | begin
14 | char[4] "Signature: FILE"
15 | uint16 "Offset to update sequence"
16 | uint16 "Update sequence size in words"
17 | int64 "Logfile sequence number"
18 | uint16 "Sequence number (reuse count)"
19 | uint16 "Hard link count"
20 | uint16 "Offset to the first attribute"
21 | hex 2 "Flags"
22 | uint32 "Real size of the FILE record"
23 | uint32 "Allocated size of the record"
24 | int64 "Base record (0: itself)"
25 | uint16 "ID of next attribute"
26 | IfEqual "Offset to the first attribute" 56
27 | move 2
28 | uint32 "ID of this record"
29 | EndIf
30 | goto "Offset to update sequence"
31 | hex 2 "Update sequence number"
32 | hex 4 "Update sequence array"
33 | // NOTE(review): the update sequence values are only displayed; presumably the last two bytes of each sector still hold the sequence number rather than the real data, so a field falling there reads wrong.
34 | goto "Offset to the first attribute"
35 | // The attribute layouts below assume content at offset 24 of the attribute, i.e. a resident, unnamed attribute.
36 | {
37 | endsection
38 |
39 | hexadecimal uint32 "Attribute type"
40 | IfEqual "Attribute type" 4294967295
41 | ExitLoop
42 | EndIf
43 | uint16 "Length of the attribute" // low 2 bytes only; the next move skips the other 2
44 | move 2
45 | IfEqual "Attribute type" 16 //Attribute type 0x10: Standard Information
46 | move 16
47 | FileTime "Creation in UTC"
48 | FileTime "Modification in UTC"
49 | FileTime "Record change in UTC"
50 | FileTime "Last access in UTC"
51 | move -48 // back to offset 8 of the attribute
52 | EndIf
53 | IfEqual "Attribute type" 48 //Attribute type 0x30: Filename
54 | move 16
55 | uint32 "Parent FILE record"
56 | move 2
57 | uint16 "Parent reuse count"
58 | move 56 // skips the Filename attribute's own four timestamps, sizes and flags; compare those timestamps with Standard Information by hand when checking for timestamp manipulation
59 | uint8 "Namelength"
60 | move 1
61 | char16[Namelength] "Filename"
62 | move -82
63 | move (Namelength*(-2)) // together with the line above: back to offset 8 of the attribute
64 | EndIf
65 | move "Length of the attribute"
66 | move -8 // net effect: positioned at the start of the next attribute
67 |
68 | IfEqual "Length of the attribute" 0
69 | ExitLoop
70 | EndIf
71 | }[20] //arbitrary number to avoid infinite loops
72 | // Position on the next record for "multiple"; this hard-codes a 1024-byte record although the allocated size is read above.
73 | Goto 0
74 | Move 1024
75 | end
--------------------------------------------------------------------------------
/WinHex_additional/Non-Unicode LNK FILE Record.tpl:
--------------------------------------------------------------------------------
1 | template ".LNK FILE Record (non-Unicode)"
2 | // Template by Steve Guty
3 | // Gnostic Concepts
4 | // Decodes the shortcut header, the file locator table, the volume tables and the optional single-byte strings.
5 | // To retrieve useful data from the .LNK file structure
6 |
7 | description "to be applied to .LNK files to extract further data"
8 | // NOTE(review): there is no requires line, and every length and offset below is read from the file itself; a truncated or malformed shortcut misaligns all later fields, so cross-check against the raw hex.
9 | applies_to file
10 | sector-aligned
11 | // NOTE(review): in MS-SHLLINK flag bit 0 = HasLinkTargetIDList, bit 1 = HasLinkInfo, bit 7 = IsUnicode. None of them is tested here; the item ID list and the locator table are always assumed present and strings are always read as single-byte text.
12 | begin
13 | section "File Header"
14 | char[4] "Signature: L" // first 4 header bytes; 'L' is 0x4C
15 | hex 16 "GUID"
16 | binary[1] "display flags"
17 | move -1 // back onto the flag byte; each uint_flex reads 4 bytes, hence the move -4 between them
18 | uint_flex "2" "D$" //flag for descriptor string entry
19 | move -4
20 | uint_flex "3" "RP" //flag for relative path entry
21 | move -4
22 | uint_flex "4" "WD" //flag for working directory entry
23 | move -4
24 | uint_flex "5" "CL" //flag for command line argument entry
25 | move -4
26 | uint_flex "6" "CI" //flag for custom icon entry
27 | binary[2]"attributes"
28 | move 2
29 | Filetime "Create Time"
30 | Filetime "Last Modified Time"
31 | Filetime "Last Access Time"
32 | int32 "File Length"
33 | int32 "Icon number"
34 | int32 "ShowWnd value"
35 | int32 "Hotkey"
36 | int64 "Always zero"
37 | int16 "Offset" // used as the byte count to skip on the next line (presumably the item ID list size - confirm)
38 | move Offset
39 | endsection
40 |
41 | section "File locator table"
42 | int32 "File locator table length"
43 | int32 "Offset to end of table"
44 | uint_flex "1""Network_flag"
45 | move -4
46 | uint_flex "0""Local_flag"
47 | // bit zero indicates local drive availability, bit one network drive availability
48 | int32 "Offset of local volume table"
49 | int32 "Offset of local pathname"
50 | int32 "Offset of network volume info"
51 | int32 "Offset_extended_pathname"
52 | endsection
53 | // The offsets above are displayed but not followed; the tables below are assumed to come next in file order.
54 | IfEqual Local_flag 1
55 | section "Local Volume Table"
56 | int32 "Length of local volume table"
57 | int32 "Volume type (2,6=removable,3=HD,4=network drive,5=CD/DVD)"
58 | hexadecimal uint32 "Volume serial number"
59 | int32 "Offset to volume label"
60 | zstring "Volume Label"
61 | zstring "Local path"
62 | move 1
63 | endsection
64 | EndIf
65 |
66 | IfEqual Network_flag 1
67 | section "Network Volume Table"
68 | int32 "Length of network volume table"
69 | move 4
70 | int32 "Offset of network share name"
71 | move 8
72 | zstring "Network share name"
73 | zstring "Extended Pathname"
74 | endsection
75 | Endif
76 | // Each optional string: a 16-bit character count read as signed int16, then that many single-byte characters.
77 | IfEqual D$ 1
78 | int16 "Length_Desc$"
79 | char[Length_Desc$] "Descriptor String"
80 | Endif
81 |
82 | IfEqual RP 1
83 | int16 "Length_RelPath$"
84 | char[Length_RelPath$] "Relative Path String"
85 | Endif
86 |
87 | IfEqual WD 1
88 | int16 "Length_WDPath$"
89 | char[Length_WDPath$] "Working Directory String"
90 | Endif
91 | // The command line string holds the arguments handed to the link target; review it when triaging a suspicious shortcut.
92 | IfEqual CL 1
93 | int16 "Length_CMDLINE$"
94 | char[Length_CMDLINE$] "Command Line String"
95 | Endif
96 |
97 | IfEqual CI 1
98 | int16 "Length_Icon$"
99 | char[Length_Icon$] "Icon String"
100 | Endif
101 | end
102 |
103 |
--------------------------------------------------------------------------------
/WinHex_additional/OLYMPUS_WMA_v03.tpl:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/kacos2000/WinHex_Templates/dfc80e8705d722f66d33a3c8be84ca37070fb1ed/WinHex_additional/OLYMPUS_WMA_v03.tpl
--------------------------------------------------------------------------------
/WinHex_additional/PCAP.tpl:
--------------------------------------------------------------------------------
1 | template "PCAP-file"
2 | // Decodes the 24-byte global capture header, then every packet record (16-byte header plus captured bytes).
3 | // Template by Frank Weiss
4 | // Federal Judicial Police BELGIUM - RCCU OVL
5 |
6 | // To be applied to a PCAP-file
7 |
8 | description "PCAP-file"
9 | applies_to file
10 | fixed_start 00
11 | requires 0x00 "D4 C3 B2 A1" // magic number
12 | // NOTE(review): only this little-endian, microsecond-resolution magic is accepted; captures written big-endian (A1 B2 C3 D4)
13 | // or with the nanosecond-resolution magic are rejected and need a different template.
14 | begin
15 | section "Global PCAP-header"
16 | hex 4 "Magic number"
17 | uint16 "Major version"
18 | uint16 "Minor version"
19 | uint32 "UTC minus timezone used in the headers (sec)" // NOTE(review): libpcap declares this field as signed 32-bit; a negative correction would display as a large positive number
20 | uint32 "Accuracy of timestamp"
21 | uint32 "Maximum length of captured packets (bytes)"
22 | uint32 "Link-Layer Header Type"
23 | endsection
24 | // Packet lengths below come from the capture file and are not checked against the maximum length read above.
25 | {
26 | section "Packet header & data"
27 | uint32 "Unix Epoch (sec)"
28 | move -4 // rewind so the same 4 bytes are shown again as a date
29 | UNIXDateTime "Unix Epoch"
30 | uint32 "Microseconds"
31 | uint32 "Packetsize on file (bytes)"
32 | uint32 "Packetsize on the wire (bytes)"
33 | hex "Packetsize on file (bytes)" "Data" // an on-file size larger than the maximum length or the rest of the file points to truncation or corruption; later records are then misaligned
34 | } [unlimited]
35 |
36 | end
--------------------------------------------------------------------------------
/WinHex_additional/POS_File_Format_1.1.tpl:
--------------------------------------------------------------------------------
1 | template "POS File Format 1.1"
2 | // Decodes a version 1.1 position file: 16-byte signature, position count, then one record per position.
3 | // Template by Stefan Fleischmann
4 | // Format 1.1 used by WinHex 8.7 through 11.7.
5 | // More detailed description of the POS file format
6 | // available from http://www.winhex.com .
7 |
8 | description "Structure of an outdated WinHex position file (.pos)"
9 | applies_to file
10 | requires 0 "57 69 6E 48 65 78 20 50 6F 73 20 76 31 2E 31"
11 | // The required bytes are the ASCII text "WinHex Pos v1.1".
12 | begin
13 | char[16] "File signature"
14 | int32 "# of positions" // read from the file and used unchecked as the loop count below
15 |
16 | numbering 1
17 | {
18 | section "Position #~"
19 | int64 "Offset (decimal)"
20 | FILETIME "Recorded on"
21 | read-only byte "Description length" // 1-byte length that sizes the text on the next line
22 | char[Description length] "Description"
23 | endsection
24 | } [# of positions]
25 |
26 | // some text strings for internal use may follow
27 | // ignored by this template
28 | end
--------------------------------------------------------------------------------
/WinHex_additional/POS_File_Format_2.0.tpl:
--------------------------------------------------------------------------------
1 | template "POS File Format 2.0"
2 | // Decodes a version 2.0 position file: 16-byte signature, flags, position count, then one record per position.
3 | // Template by Stefan Fleischmann
4 | // Format 2.0 used by WinHex 11.8 and later.
5 | // More detailed description of the POS file format
6 | // available from http://www.winhex.com .
7 |
8 | description "Structure of a WinHex position file (.pos)"
9 | applies_to file
10 | requires 0 "57 69 6E 48 65 78 20 50 6F 73 20 76 32 2E 30"
11 | // The required bytes are the ASCII text "WinHex Pos v2.0".
12 | begin
13 | char[16] "File signature"
14 | uint32 "Flags"
15 | int32 "# of positions" // read from the file and used unchecked as the loop count below
16 |
17 | numbering 1
18 | {
19 | section "Position #~"
20 | int64 "Offset (decimal)"
21 | int64 "Size (decimal)"
22 | FILETIME "Recorded on"
23 | uint32 "RGB color"
24 | read-only uint16 "Description length" // 2-byte length that sizes the text on the next line
25 | char[Description length] "Description"
26 | endsection
27 | } [# of positions]
28 |
29 | // some text strings for internal use may follow
30 | // ignored by this template
31 | end
--------------------------------------------------------------------------------
/WinHex_additional/Palm PDB 6 records.tpl:
--------------------------------------------------------------------------------
1 | template "Palm PDB 6 records"
2 | // Shows the database name, type, creator and record count, then six record-list entries at fixed offsets with the start of each record.
3 | // Template by Ulf Zibis, Germany
4 | // email: Ulf.Zibis@gmx.de
5 | //
6 | // To be applied to Palm Database File.
7 | // Shows the first 6 records if available.
8 | // NOTE(review): there is no requires line; the file type is not verified before decoding.
9 |
10 | // ***** Requires WinHex 10.52 or later *****
11 |
12 | description "Palm Database File records"
13 | applies_to file
14 | fixed_start 0
15 | big-endian
16 |
17 | begin
18 | string 32 "Database name"
19 | // hex 2 "Attributes"
20 | // move -2
21 | // uint_flex "9" "Read only flag (1)"
22 | // move -4
23 | // uint_flex "10" "Dirty AppInfoArea flag (2)"
24 | // move -4
25 | // uint_flex "11" "Backup flag (3)"
26 | // move -4
27 | // uint_flex "12" "OK install new flag (4)"
28 | // move -4
29 | // uint_flex "13" "Reset after install flag (5)"
30 | // move -4
31 | // uint_flex "14" "Copy protect flag (6)"
32 | // move -2
33 | // string 2 "Version"
34 | // UNIXDateTime "Create time"
35 | // UNIXDateTime "Modify time"
36 | // UNIXDateTime "Backup time"
37 | // uint32 "Modification number"
38 | // hexadecimal uint32 "AppInfo offset"
39 | // hexadecimal uint32 "SortInfo offset"
40 | move 28 // skips the 28 bytes covered by the commented-out fields above
41 | char[4] "Type"
42 | char[4] "Creator"
43 | // uint32 "ID seed"
44 | // uint32 "Next RecordList"
45 | move 8
46 | uint16 "Number of Records" // displayed only; six entries are always decoded, whatever this value is
47 |
48 | // Record-list entries are 8 bytes each starting at 0x4e; every "Offset" is read from the file and followed unchecked by goto.
49 | section "The first 6 records (only for PDB with 6 records):"
50 |
51 | section "Record #1"
52 |
53 | goto 0x4e
54 | hexadecimal uint32 "Offset"
55 | uint_flex "7" "Delete flag"
56 | move -4
57 | uint_flex "6" "Dirty flag"
58 | move -4
59 | uint_flex "5" "Busy flag"
60 | move -4
61 | uint_flex "4" "Secret flag"
62 | move -4
63 | uint_flex "3,2,1,0" "Category nr."
64 | move -3
65 | hex 3 "Unique ID (hex)"
66 | move -3
67 | uint_flex "7,6,5,4,3,2,1,0,15,14,13,12,11,10,9,8,23,22,21,20,19,18,17,16"
68 | "Unique ID"
69 |
70 | goto "Offset"
71 | hex 32 "Record (first 32 Bytes if available)"
72 | move -32
73 | char[32] "Record as text"
74 |
75 | section "Record #2"
76 |
77 | goto 0x56
78 | hexadecimal uint32 "Offset"
79 | uint_flex "7" "Delete flag"
80 | move -4
81 | uint_flex "6" "Dirty flag"
82 | move -4
83 | uint_flex "5" "Busy flag"
84 | move -4
85 | uint_flex "4" "Secret flag"
86 | move -4
87 | uint_flex "3,2,1,0" "Category nr."
88 | move -3
89 | hex 3 "Unique ID (hex)"
90 | move -3
91 | uint_flex "7,6,5,4,3,2,1,0,15,14,13,12,11,10,9,8,23,22,21,20,19,18,17,16"
92 | "Unique ID"
93 |
94 | goto "Offset"
95 | hex 32 "Record (first 32 Bytes if available)"
96 | move -32
97 | char[32] "Record as text"
98 |
99 | section "Record #3"
100 |
101 | goto 0x5e
102 | hexadecimal uint32 "Offset"
103 | uint_flex "7" "Delete flag"
104 | move -4
105 | uint_flex "6" "Dirty flag"
106 | move -4
107 | uint_flex "5" "Busy flag"
108 | move -4
109 | uint_flex "4" "Secret flag"
110 | move -4
111 | uint_flex "3,2,1,0" "Category nr."
112 | move -3
113 | hex 3 "Unique ID (hex)"
114 | move -3
115 | uint_flex "7,6,5,4,3,2,1,0,15,14,13,12,11,10,9,8,23,22,21,20,19,18,17,16"
116 | "Unique ID"
117 |
118 | goto "Offset"
119 | hex 32 "Record (first 32 Bytes if available)"
120 | move -32
121 | char[32] "Record as text"
122 |
123 | section "Record #4"
124 |
125 | goto 0x66
126 | hexadecimal uint32 "Offset"
127 | uint_flex "7" "Delete flag"
128 | move -4
129 | uint_flex "6" "Dirty flag"
130 | move -4
131 | uint_flex "5" "Busy flag"
132 | move -4
133 | uint_flex "4" "Secret flag"
134 | move -4
135 | uint_flex "3,2,1,0" "Category nr."
136 | move -3
137 | hex 3 "Unique ID (hex)"
138 | move -3
139 | uint_flex "7,6,5,4,3,2,1,0,15,14,13,12,11,10,9,8,23,22,21,20,19,18,17,16"
140 | "Unique ID"
141 |
142 | goto "Offset"
143 | hex 32 "Record (first 32 Bytes if available)"
144 | move -32
145 | char[32] "Record as text"
146 |
147 | section "Record #5"
148 |
149 | goto 0x6e
150 | hexadecimal uint32 "Offset"
151 | uint_flex "7" "Delete flag"
152 | move -4
153 | uint_flex "6" "Dirty flag"
154 | move -4
155 | uint_flex "5" "Busy flag"
156 | move -4
157 | uint_flex "4" "Secret flag"
158 | move -4
159 | uint_flex "3,2,1,0" "Category nr."
160 | move -3
161 | hex 3 "Unique ID (hex)"
162 | move -3
163 | uint_flex "7,6,5,4,3,2,1,0,15,14,13,12,11,10,9,8,23,22,21,20,19,18,17,16"
164 | "Unique ID"
165 |
166 | goto "Offset"
167 | hex 32 "Record (first 32 Bytes if available)"
168 | move -32
169 | char[32] "Record as text"
170 |
171 | section "Record #6"
172 |
173 | goto 0x76
174 | hexadecimal uint32 "Offset"
175 | uint_flex "7" "Delete flag"
176 | move -4
177 | uint_flex "6" "Dirty flag"
178 | move -4
179 | uint_flex "5" "Busy flag"
180 | move -4
181 | uint_flex "4" "Secret flag"
182 | move -4
183 | uint_flex "3,2,1,0" "Category nr."
184 | move -3
185 | hex 3 "Unique ID (hex)"
186 | move -3
187 | uint_flex "7,6,5,4,3,2,1,0,15,14,13,12,11,10,9,8,23,22,21,20,19,18,17,16"
188 | "Unique ID"
189 |
190 | goto "Offset"
191 | hex 17 "Record (first 17 Bytes if available)"
192 | move -17
193 | char[17] "Record as text"
194 |
195 | endsection
196 |
197 | end
--------------------------------------------------------------------------------
/WinHex_additional/Palm PDB.tpl:
--------------------------------------------------------------------------------
1 | template "Palm PDB"
2 | // Decodes the 78-byte database header, every 8-byte record-list entry, and the first bytes of the AppInfo and SortInfo blocks.
3 | // Template by Ulf Zibis, Germany
4 | // email: Ulf.Zibis@gmx.de
5 | //
6 | // To be applied to Palm Database File.
7 | // NOTE(review): there is no requires line; the file type is not verified before decoding.
8 |
9 | // ***** Requires WinHex 10.52 or later *****
10 |
11 | description "Palm Database File"
12 | applies_to file
13 | fixed_start 0
14 | big-endian
15 |
16 | begin
17 | string 32 "Database name"
18 | hex 2 "Attributes"
19 | move -2 // back onto the attribute bytes; each uint_flex reads 4 bytes, hence the move -4 between them
20 | uint_flex "9" "Read only flag (1)"
21 | move -4
22 | uint_flex "10" "Dirty AppInfoArea flag (2)"
23 | move -4
24 | uint_flex "11" "Backup flag (3)"
25 | move -4
26 | uint_flex "12" "OK install new flag (4)"
27 | move -4
28 | uint_flex "13" "Reset after install flag (5)"
29 | move -4
30 | uint_flex "14" "Copy protect flag (6)"
31 | move -2
32 | string 2 "Version"
33 | UNIXDateTime "Create time" // NOTE(review): PDB timestamps are commonly counted from 1904-01-01 rather than 1970; confirm the epoch before relying on these three dates
34 | UNIXDateTime "Modify time"
35 | UNIXDateTime "Backup time"
36 | uint32 "Modification number"
37 | hexadecimal uint32 "AppInfo offset"
38 | hexadecimal uint32 "SortInfo offset"
39 | char[4] "Type"
40 | char[4] "Creator"
41 | uint32 "ID seed"
42 | uint32 "Next RecordList"
43 | uint16 "Number of Records" // read from the file and used unchecked as the loop count below
44 |
45 |
46 | numbering 1
47 |
48 | {
49 | section "Record Header #~"
50 | hexadecimal uint32 "Offset"
51 | uint_flex "7" "Delete flag"
52 | move -4
53 | uint_flex "6" "Dirty flag"
54 | move -4
55 | uint_flex "5" "Busy flag"
56 | move -4
57 | uint_flex "4" "Secret flag"
58 | move -4
59 | uint_flex "3,2,1,0" "Category nr."
60 | move -3
61 | hex 3 "Unique ID (hex)"
62 | move -3
63 | uint_flex "7,6,5,4,3,2,1,0,15,14,13,12,11,10,9,8,23,22,21,20,19,18,17,16"
64 | "Unique ID"
65 | move -1 // uint_flex read 4 bytes for the 3-byte ID; step back onto the next 8-byte entry
66 |
67 | // the following works only once. Sorry !
68 | // section "Record #~"
69 | // goto Offset
70 | // string 32 "Record"
71 | // following calculation not provided by WinHex. Sorry !
72 | // goto 0x4e*~
73 |
74 | } [Number of Records]
75 |
76 | endsection
77 |
78 | read-only hex 2 "Padding"
79 |
80 | // The optional AppInfo block and SortInfo block are not valid,
81 | // if the respective offsets above are zero ! If these blocks
82 | // are shorter than 32 Bytes, the remaining Bytes are also not valid.
83 | // Both offsets are followed unconditionally; with a zero offset the fields below show the start of the file instead.
84 | goto "AppInfo offset"
85 | hex 32 "AppInfo (if Offset not 0) (1. 32 Bytes)"
86 | move -32
87 | char[64] "AppInfo (first 64 Characters)"
88 | goto "SortInfo offset"
89 | hex 32 "SortInfo (if Offset not 0) (1. 32 Bytes)"
90 | move -32
91 | char[64] "SortInfo (first 64 Characters)"
92 | end
--------------------------------------------------------------------------------
/WinHex_additional/README.md:
--------------------------------------------------------------------------------
1 | Additional (User) Templates for WinHex & X-Ways Forensics ([Source](https://www.x-ways.net/winhex/templates/))
2 |
--------------------------------------------------------------------------------
/WinHex_additional/Reiser Superblock.tpl:
--------------------------------------------------------------------------------
1 | template "ReiserFS Superblock"
2 | // Decodes the ReiserFS superblock: block counts, journal parameters, state fields, magic string, UUID and label.
3 | // Created by Jens Kirschner on Oct 5, 2004
4 | // X-Ways Software Technology AG
5 |
6 | // The superblock always starts at offset 0x10000 = 64 KB regardless
7 | // of sector or block sizes on the system.
8 |
9 | description "To be applied to offset 0x10000 of a ReiserFS partition"
10 | applies_to disk
11 | sector-aligned
12 | requires 0x34 "52 65 49 73 45 72" // Reiser magic "ReIsEr"
13 | // Only the first 6 bytes of the 10-byte magic field are enforced; read the full "Reiser Magic" value below to tell format variants apart.
14 | begin
15 | uint32 "Block count"
16 | uint32 "Free block count"
17 | uint32 "Root block #"
18 | uint32 "Journal block #"
19 | uint32 "Journal device #"
20 | uint32 "Journal size"
21 | uint32 "Max. transaction blocks"
22 | uint32 "Journal magic"
23 | uint32 "Max. batch blocks"
24 | uint32 "Max. commit age (secs)"
25 | uint32 "Max. transaction age (secs)"
26 | uint16 "Block size"
27 | uint16 "Max. size object ID array"
28 | uint16 "Curr. size object ID array"
29 | uint16 "State (1=clean)" // anything other than 1 suggests the volume was not cleanly unmounted; expect journal contents that are not yet applied
30 | char[10] "Reiser Magic"
31 | uint16 "State (fsck)"
32 | uint32 "Hash function code"
33 | uint16 "Tree height"
34 | uint16 "No. of blocks for block bitmap"
35 | uint16 "Version"
36 | uint16 "Reserved for journal"
37 |
38 | uint32 "Inode generation"
39 | uint32 "Flags"
40 | hex 16 "UUID"
41 | char[16] "Volume label"
42 | end
--------------------------------------------------------------------------------
/WinHex_additional/Reiser4 Directory Entries.tpl:
--------------------------------------------------------------------------------
1 | template "Reiser4 Directory Entries"
2 |
3 | // Created by Jens Kirschner
4 |
5 | // X-Ways Software Technology AG
6 |
7 | // Reiser directory entries are slightly problematic. While
8 | // the numbers displayed by this template are ok, the names
9 | // are stored backwards and the template does not deal with
10 | // that too lightly... Requires a bit of work to get used to...
11 | // No requires line: the template is applied wherever the cursor is placed.
12 | description "Reads Reiser4 directories"
13 |
14 | begin
15 | uint16 NoOfEntries
16 | // NoOfEntries is read from the data and sets the iteration count of both loops below.
17 | {
18 | section "Entry ~"
19 | char[7] NamePartOne
20 | uint_flex "0" "1=name directly after key"
21 | move -3 // uint_flex consumed 4 bytes; the net advance is the single flag byte
22 | char[8] NamePartTwo
23 | char[8] NamePartThree
24 | uint16 "Offset to key ~"
25 | }[NoOfEntries]
26 |
27 | // Second pass: jump to each stored key offset and decode the key found there.
28 | section "Keys (some with filenames)"
29 | {
30 | section "Key ~"
31 | goto "Offset to key ~"
32 | // The jump target is a 16-bit offset taken from the entry; presumably ~ selects the entry with the same number - confirm.
33 | int64 "Key: Locality"
34 | move -8 //Locality in more detail
35 | uint_flex "31,30,29,28,27,26,25,24,23,22,21,20,19,18,17,16,15,14,13,12,11,10,9,8,7,6,5,4" "Parent ID/Major Locality (28-bit)"
36 | move -4
37 | uint_flex "3,2,1,0" "Type/Minor Locality"
38 | move 4
39 |
40 | int64 "Key: Ordering"
41 |
42 | int64 "Key: Object ID"
43 | move -8 //Object ID in more detail
44 |
45 | uint32 "Object ID (32-bit)"
46 | uint_flex "31,30,29,28" "Controversial Band"
47 | // zstring runs up to the next NUL byte, so the displayed name length depends on the data.
48 | IfEqual "1=name directly after key" 1
49 | zstring "Full Filename"
50 | Endif
51 | }[NoOfEntries]
52 | end
--------------------------------------------------------------------------------
/WinHex_additional/Reiser4 Item Header Large.tpl:
--------------------------------------------------------------------------------
1 | template "Reiser4 Item Header (Large Keys)"
2 |
3 | // Created by Jens Kirschner
4 |
5 | // X-Ways Software Technology AG
6 |
7 | // The internal tree nodes of Reiser4 contain as many items as stated
8 | // in the appropriate field of the node header. Each item then possesses
9 | // an item header, located at the END of the node!
10 |
11 | // This is the item header defined by Reiser4 Format40, which is the
12 | // currently only format definition
13 |
14 |
15 | description "Item Header for Format40 of Reiser4, using large keys"
16 | //applies_to disk
17 | multiple
18 | // No requires line: nothing in the template confirms that the cursor is on an item header.
19 | begin
20 | //due to uint_flex's limitation to 32-bit integers, only the first
21 | //28 bits of the Locality and the first 32 bits of the Object ID
22 | //can be displayed in detail - this is rarely an issue, though.
23 |
24 | int64 "Key: Locality"
25 | move -8 //Locality in more detail
26 | uint_flex "31,30,29,28,27,26,25,24,23,22,21,20,19,18,17,16,15,14,13,12,11,10,9,8,7,6,5,4" "Parent ID/Major Locality (28-bit)"
27 | move -4
28 | uint_flex "3,2,1,0" "Type/Minor Locality"
29 | move 4
30 | // Both uint_flex reads use the first dword of the Locality; move 4 then skips its second dword.
31 | //Ordering: The only component missing for the "small key" variant
32 | int64 "Key: Ordering"
33 |
34 | int64 "Key: Object ID"
35 | move -8 //Object ID in more detail
36 |
37 | uint32 "Object ID (32-bit)"
38 | uint_flex "31,30,29,28" "Controversial Band"
39 | // The band is the top 4 bits of the second dword of the Object ID; the cursor ends after the full 8 bytes.
40 |
41 | int64 "Key: Offset"
42 | // Record size: 4 x int64 + 3 x uint16 = 38 bytes.
43 | uint16 "Item body offset"
44 | uint16 "Flags"
45 | uint16 "Plugin ID"
46 | end
--------------------------------------------------------------------------------
/WinHex_additional/Reiser4 Item Header Small.tpl:
--------------------------------------------------------------------------------
1 | template "Reiser4 Item Header (Small Keys)"
2 |
3 | // Created by Jens Kirschner
4 |
5 | // X-Ways Software Technology AG
6 |
7 | // The internal tree nodes of Reiser4 contain as many items as stated
8 | // in the appropriate field of the node header. Each item then possesses
9 | // an item header, located at the END of the node!
10 |
11 | // This is the item header defined by Reiser4 Format40, which is the
12 | // currently only format definition
13 |
14 |
15 | description "Item Header for Format40 of Reiser4, using small keys"
16 | //applies_to disk
17 | multiple
18 | // No requires line: nothing in the template confirms that the cursor is on an item header.
19 | begin
20 | //due to uint_flex's limitation to 32-bit integers, only the first
21 | //28 bits of the Locality and the first 32 bits of the Object ID
22 | //can be displayed in detail - this is rarely an issue, though.
23 |
24 | int64 "Key: Locality"
25 | move -8 //Locality in more detail
26 | uint_flex "31,30,29,28,27,26,25,24,23,22,21,20,19,18,17,16,15,14,13,12,11,10,9,8,7,6,5,4" "Parent ID/Major Locality (28-bit)"
27 | move -4
28 | uint_flex "3,2,1,0" "Type/Minor Locality"
29 | move 4
30 | // Both uint_flex reads use the first dword of the Locality; move 4 then skips its second dword.
31 | //Ordering: The only component missing for the "small key" variant
32 | //int64 "Key: Ordering"
33 |
34 | int64 "Key: Object ID"
35 | move -8 //Object ID in more detail
36 |
37 | uint32 "Object ID (32-bit)"
38 | uint_flex "31,30,29,28" "Controversial Band"
39 | // The band is the top 4 bits of the second dword of the Object ID; the cursor ends after the full 8 bytes.
40 |
41 | int64 "Key: Offset"
42 | // Record size: 3 x int64 + 3 x uint16 = 30 bytes.
43 | uint16 "Item body offset"
44 | uint16 "Flags"
45 | uint16 "Plugin ID"
46 | end
--------------------------------------------------------------------------------
/WinHex_additional/Reiser4 Node Header.tpl:
--------------------------------------------------------------------------------
1 | template "Reiser4 Node Header"
2 |
3 | // Created by Jens Kirschner
4 |
5 | // X-Ways Software Technology AG
6 |
7 | // The internal tree nodes of Reiser4 all possess a node header.
8 | // This is the node header defined by Reiser4 Format40, which is the
9 | // currently only format definition
10 |
11 | // No requires line: "Node magic" is displayed but not checked, so confirm it by eye before relying on the other fields.
12 | description "Node Header for Format40 of Reiser4"
13 | //applies_to disk
14 | sector-aligned
15 | // The fields below cover 28 bytes.
16 | begin
17 | int16 "Plugin ID (0: Format40)"
18 | int16 "No. of items"
19 | int16 "Free space"
20 | int16 "Free space offset"
21 | char[4] "Node magic"
22 | hex 4 "MKFS ID"
23 | int64 "Flush ID"
24 | int16 "Flags"
25 | byte "Level"
26 | byte "Pad"
27 | end
--------------------------------------------------------------------------------
/WinHex_additional/Reiser4 Stat Data.tpl:
--------------------------------------------------------------------------------
1 | template "Reiser4 Stat Data"
2 |
3 | // Created by Jens Kirschner
4 |
5 | // X-Ways Software Technology AG
6 |
7 | description "To be applied to the beginning of a Reiser4 Stat Structure"
8 | applies_to disk
9 | // No requires line: nothing verifies that the cursor is on stat data, so check the decoded values for plausibility.
10 | begin
11 | //The first 2 Bytes contain one bit for each possible extension (1: Extension is present)
12 | uint_flex "0" "Light weight Stat"
13 | move -4
14 | uint_flex "1" "Unix Stat"
15 | move -4
16 | uint_flex "2" "Large times"
17 | move -4
18 | uint_flex "3" "Symlink included"
19 | move -4
20 | uint_flex "4" "Non-standard Plug-In"
21 | move -4
22 | uint_flex "5" "Flags present"
23 | move -4
24 | uint_flex "6" "Capabilities present"
25 | move -4
26 | uint_flex "7" "Cluster Stat"
27 | move -4
28 | uint_flex "8" "Crypto Stat"
29 | move -2
30 | // Each uint_flex consumes 4 bytes, so move -4 re-reads the same dword for the next bit; the final move -2 leaves the cursor right after the 2-byte mask.
31 | //The next three fields are always present, but for light-weight files, they are the only ones!
32 |
33 | IfEqual "Light weight Stat" 1
34 | section "Light weight Stat"
35 | octal uint16 "File mode (octal)"
36 | uint32 "Hard link count"
37 | int64 "FileSize"
38 | EndIf
39 |
40 | IfEqual "Unix Stat" 1
41 | section "Unix Stat"
42 | uint32 "Owner ID (uid)"
43 | uint32 "Group ID (gid)"
44 | UNIXDateTime "Access time"
45 | UNIXDateTime "Modification time"
46 | UNIXDateTime "Change time"
47 | int64 "Bytes used or device"
48 | EndIf
49 |
50 | IfEqual "Large times" 1 //Is this really the way this works?
51 | section "Large times"
52 | uint32 "Access time nano-seconds"
53 | uint32 "Modification time nano-seconds"
54 | uint32 "Change time nano-seconds"
55 | EndIf
56 | // NOTE(review): the symlink length is the 64-bit "FileSize" taken from the data, and FileSize is only read when the light-weight extension is present - treat the string as unreliable if either looks wrong.
57 | IfEqual "Symlink included" 1
58 | section "Symlink"
59 | char[FileSize] "Symlink target"
60 | EndIf
61 | // "Plug-in number" also comes from the data; each iteration just skips 4 bytes without decoding them.
62 | IfEqual "Non-standard Plug-In" 1
63 | uint16 "Plug-in number"
64 | {
65 | move 4 //contents ... difficult
66 | }[Plug-in number]
67 | EndIf
68 | // The four extensions below are flagged in the mask above, but their decoding is commented out.
69 | // IfEqual "Flags present" 1
70 | // hex 4 "Flags"
71 | // EndIf
72 |
73 | // IfEqual "Capabilities present" 1
74 | // hex 4 "Effective Capabilities"
75 | // hex 4 "Permitted Capabilities"
76 | // EndIf
77 |
78 | // IfEqual "Cluster Stat" 1
79 | // int64 "Cluster shift"
80 | // EndIf
81 |
82 | // IfEqual "Crypto Stat" 1
83 | // uint16 "Crypto-Key size"
84 | // hex "Crypto-Key size" "Key"
85 | // EndIf
86 |
87 | end
--------------------------------------------------------------------------------
/WinHex_additional/Reiser4 Superblock.tpl:
--------------------------------------------------------------------------------
1 | template "Reiser4 Superblock"
2 |
3 | // Created by Jens Kirschner on Feb 16, 2005
4 | // X-Ways Software Technology AG
5 |
6 | // The superblock always starts at offset 0x10000 = 64 KB
7 |
8 | // Superblock as defined by Reiser4 Format40, which is the
9 | // currently only format definition
10 |
11 | description "Superblock for Format40 of Reiser4"
12 | applies_to disk
13 | //sector-aligned
14 | requires 0x0 "52 65 49 73 45 72 34" // ASCII "ReIsEr4", the first 7 bytes of the 16-byte magic string
15 |
16 | begin
17 | section "Master Reiser4 Superblock"
18 | char[16] "Magic string ReIsEr4"
19 | int16 "Disk Plugin (0: Format40)"
20 | int16 "Block size"
21 | hex 16 "UUID"
22 | char[16] "Label"
23 | int64 "Diskmap Block"
24 | endsection
25 | // The second section is only decoded when the disk plugin field is 0.
26 | IfEqual "Disk Plugin (0: Format40)" 0
27 | // The jump target is the stored "Block size" value (a signed 16-bit field), i.e. the Format40 superblock is expected one block after the master superblock - presumably relative to the template start, confirm.
28 | goto "Block size"
29 | // The second magic string below is displayed but not covered by a requires line.
30 | section "Format40 Superblock"
31 | int64 "Block count"
32 | int64 "Free block count"
33 | int64 "Root block #"
34 | int64 "Smallest free object ID"
35 | int64 "File count"
36 | int64 "Superblock flush count"
37 | hex 4 "UID"
38 | char[16] "Magic string ReIsEr40FoRmAt"
39 | int16 "Tree height"
40 | int16 "Formatting policy"
41 | int64 "Flags"
42 | char[432] "Not used"
43 | endsection
44 | endif
45 | end
--------------------------------------------------------------------------------
/WinHex_additional/SFF_File_Format.tpl:
--------------------------------------------------------------------------------
1 | template "SFF File Format"
2 |
3 | // Template by Ulf Zibis, Germany
4 | // email: Ulf.Zibis@gmx.de
5 |
6 | // ***** Requires WinHex 10.52 or later *****
7 |
8 | description "Structured Fax File format - http://delphi.pjh2.de/articles/graphic/sff_format.php"
9 | // see also: ftp://ftp.avm.de/develper/capispec/capi20/capi20-1.pdf
10 |
11 | applies_to file
12 | fixed_start 0
13 | // The two requires lines check the 4-byte ID and the version byte; every offset and count below is taken from the file unchecked.
14 | requires 0x0 "53 66 66 66" // SFF file indication
15 | requires 0x4 "01" // version
16 |
17 | begin
18 | read-only char[4] "SFF_ID ('Sfff')"
19 | read-only hex 1 "Version (01)"
20 | read-only hex 1 "reserved"
21 | hexadecimal uint16 "User information"
22 | hexadecimal uint16 "PageCount"
23 | hexadecimal uint16 "OffsetFirstPageHeader"
24 | hexadecimal uint32 "OffsetLastPageHeader"
25 | hexadecimal uint32 "OffsetDocumentEnd"
26 | goto OffsetFirstPageHeader
27 | // From here on the cursor follows offsets stored in the file.
28 | numbering 1
29 | // PageCount iterations; each ends with a jump to the OffsetNextPage stored in that page header, so a damaged chain can revisit a page or point outside the page data - compare the offsets with OffsetDocumentEnd.
30 | {
31 | section "Page Header ~"
32 | uint8 "PageHeaderID (254)"
33 | hexadecimal uint8 "PageHeaderLen (normaly 0x10)"
34 | uint8 "ResolutionVertical (0: 98 lpi 1: 196 lpi)"
35 | uint8 "ResolutionHorizontal (0: 203 dpi)"
36 | uint8 "Coding (0)"
37 | uint8 "reserved"
38 | uint16 "LineLength"
39 | uint16 "PageLength"
40 | hexadecimal uint32 "OffsetPreviousPage"
41 | hexadecimal uint32 "OffsetNextPage"
42 | hex 8 "PageData..." // only the first 8 bytes of the page data are shown
43 | goto OffsetNextPage
44 | } [PageCount]
45 |
46 | endsection
47 | end
48 |
--------------------------------------------------------------------------------
/WinHex_additional/SQLite Header.tpl:
--------------------------------------------------------------------------------
1 | template "SQLite Header"
2 |
3 | // Template by Terrance Maguire
4 | // terrance.maguire@gmail.com
5 | // Version 1.5 - 20180320
6 |
7 | // Every SQLite file starts with the header record.
8 | // The Database Header is 100 Bytes in Length
9 | // This template follows Database Header Format from www.SQLite.org
10 | // Select the File Mode in XWF
11 | // The required 16 bytes are ASCII "SQLite format 3" followed by a NUL byte; the trailing numbers below are field offsets.
12 | description "SQLite - Header Record"
13 | fixed_start 0
14 | requires 0 "53514C69746520666F726D6174203300"
15 | big-endian
16 | read-only
17 | begin
18 | hex 16 "SQLite Format 3 Header" //00
19 | uint16 "Page Size in Bytes" //16 (a stored value of 1 stands for 65536)
20 | uint8 "Write Version (1 Journal 2 WAL >2 RO)" //18
21 | uint8 "Read Version (1 Journal 2 WAL)" //19
22 | move 4 //20-23 not shown: reserved bytes per page, max/min embedded and leaf payload fractions
23 | uint32 "File Change Counter (not used by WAL)" //24
24 | uint32 "Size of Database File in Pages" //28
25 | uint32 "First Freelist Trunk Page" //32
26 | uint32 "Total Freelist Pages" //36
27 | move 4 //40-43 not shown: schema cookie
28 | uint32 "Schema Format Number" //44
29 | move 4 //48-51 not shown: default page cache size
30 | uint32 "Auto vacuum largest b-tree page" //52
31 | uint32 "Database Text Encoding" //56
32 | move 4 //60-63 not shown: user version
33 | uint32 "Incremental vacuum mode (zero=no)" //64
34 | uint32 "Application ID" //68
35 | move 20 //72-91 not shown: reserved for expansion
36 | uint32 "Version-Valid-for-Number" //92
37 | uint32 "SQLite Version Number" //96
38 | end
--------------------------------------------------------------------------------
/WinHex_additional/TIFF File Format.tpl:
--------------------------------------------------------------------------------
1 | template "TIFF File Format"
2 |
3 | // Template by Ulf Zibis, Germany
4 | // email: Ulf.Zibis@gmx.de
5 |
6 | // ***** Requires WinHex 10.52 or later *****
7 |
8 | description "TIFF format V6.0 - http://partners.adobe.com/asn/developer/PDFS/TN/TIFF6.pdf"
9 | applies_to file
10 | fixed_start 0
11 | // Only the indicator word at offset 2 is checked; the byte-order mark at offset 0 is displayed but not required.
12 | requires 0x2 "2A 00" // TIFF file indication
13 |
14 | begin
15 | section "Only for Intel little-endian byte order !"
16 | endsection
17 | read-only char[2] "Byte order (II for Intel)"
18 | read-only uint16 "TIFF file indicator (42)"
19 | read-only hexadecimal uint32 "1._Image_File_Directory"
20 | goto 1._Image_File_Directory
21 | // The jump target and the entry count below are taken from the file as stored.
22 | section "1. Image File Directory (IFD):"
23 | uint16 "Number of Dir Entries"
24 |
25 | numbering 1
26 |
27 | {
28 | section "Directory Entry ~"
29 | uint16 "Tag"
30 | uint16 "Type"
31 | uint32 "Count"
32 | uint32 "Value (if fits in 4 Bytes)"
33 | move -4
34 | hexadecimal uint32 "... or Offset"
35 | // The same 4 bytes are shown twice, as a value and as an offset; the offset is not followed.
36 | } [Number of Dir Entries]
37 |
38 | endsection
39 |
40 | hexadecimal uint32 "Offset of next IFD"
41 | section "If 0: No more IFDs"
42 | section "If >0: use template 'TIFF File IFD'"
43 | end
--------------------------------------------------------------------------------
/WinHex_additional/TIFF File IFD.tpl:
--------------------------------------------------------------------------------
1 | template "TIFF File IFD"
2 |
3 | // Template by Ulf Zibis, Germany
4 | // email: Ulf.Zibis@gmx.de
5 |
6 | // ***** Requires WinHex 10.52 or later *****
7 |
8 | description "TIFF format V6.0 - Image File Directory (IFD)"
9 | applies_to file
10 | // No fixed_start and no requires line: the template decodes whatever lies at the cursor position.
11 | begin
12 | section "Only for Intel little-endian byte order !"
13 | section "Image File Directory (IFD):"
14 | uint16 "Number of Dir Entries"
15 | // The entry count is taken from the data as stored.
16 | numbering 1
17 |
18 | {
19 | section "Directory Entry ~"
20 | uint16 "Tag"
21 | uint16 "Type"
22 | uint32 "Count"
23 | uint32 "Value (if fits in 4 Bytes)"
24 | move -4
25 | hexadecimal uint32 "... or Offset"
26 | // The same 4 bytes are shown twice, as a value and as an offset; the offset is not followed.
27 | } [Number of Dir Entries]
28 |
29 | endsection
30 |
31 | hexadecimal uint32 "Offset of next IFD"
32 | section "If 0: No more IFDs"
33 | end
--------------------------------------------------------------------------------
/WinHex_additional/UFS directory entry BE.tpl:
--------------------------------------------------------------------------------
1 | template "UFS directory entry"
2 |
3 | // Created by Michele Larese on Dec 20, 2005
4 | // X-Ways Software Technology AG
5 | // Decodes one directory entry; no requires line, and both length fields are used exactly as stored.
6 | description "big-endian variant"
7 | applies_to disk
8 | big-endian
9 | multiple
10 | begin
11 | uint32 "Inode"
12 | uint16 "Length of entry"
13 | uint8 "File type (4:dir,8:file,10:link)"
14 | uint8 "Length of string"
15 | char[Length of string] "name"
16 | goto 0 // back to the start of this entry
17 | move "Length of entry" // skip the whole record; a stored length of 0 leaves the cursor on the same entry
18 | end
--------------------------------------------------------------------------------
/WinHex_additional/UFS directory entry LE.tpl:
--------------------------------------------------------------------------------
1 | template "UFS directory entry"
2 |
3 | // Created by Michele Larese on Dec 20, 2005
4 | // X-Ways Software Technology AG
5 | // Decodes one directory entry; no requires line, and both length fields are used exactly as stored.
6 | description "little-endian variant"
7 | applies_to disk
8 | multiple
9 | begin
10 | uint32 "Inode"
11 | uint16 "Length of entry"
12 | uint8 "File type (4:dir,8:file,10:link)"
13 | uint8 "Length of string"
14 | char[Length of string] "name"
15 | goto 0 // back to the start of this entry
16 | move "Length of entry" // skip the whole record; a stored length of 0 leaves the cursor on the same entry
17 | end
--------------------------------------------------------------------------------
/WinHex_additional/UFS1 Cylinder Group Descriptor BE.tpl:
--------------------------------------------------------------------------------
1 | template "UFS1 cylinder group descriptor"
2 |
3 | // Created by Michele Larese on Dec 20, 2005
4 | // X-Ways Software Technology AG
5 |
6 | description "big-endian variant"
7 | big-endian
8 | sector-aligned
9 | applies_to disk
10 | requires 0x04 "00 09 02 55"
11 | // Offset 0x04 is the "Magic signature" field below; the required bytes are 0x00090255 in big-endian order.
12 | begin
13 | uint32 "unused"
14 | hex 4 "Magic signature"
15 | UNIXDateTime "Last time written"
16 | uint32 "Group no."
17 | uint16 "No. of cylinders in group"
18 | uint16 "No. of inodes in group"
19 | uint32 "No. of fragments in group"
20 | uint32 "No. of directorys"
21 | uint32 "No. of free blocks"
22 | uint32 "No. of free inodes"
23 | uint32 "No. of free fragments"
24 | uint32 "Last block allocated"
25 | uint32 "Last fragment allocated"
26 | uint32 "Last inode allocated"
27 | hex 32 "Summary of available fragments"
28 | uint32 "No. of free blocks in each cylinder"
29 | uint32 "Free block position table"
30 | uint32 "Position of Inode bitmap"
31 | uint32 "Position of fragment bitmap"
32 | uint32 "Next available space in descriptor"
33 | uint32 "Counts of available clusters"
34 | uint32 "Position of block bitmap"
35 | uint32 "No. of blocks in group"
36 | end
--------------------------------------------------------------------------------
/WinHex_additional/UFS1 Cylinder Group Descriptor LE.tpl:
--------------------------------------------------------------------------------
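1 | template "UFS1 cylinder group descriptor"
2 |
3 | // Created by Michele Larese on Dec 20, 2005
4 | // X-Ways Software Technology AG
5 | // The required magic is given in on-disk little-endian byte order, mirroring how the UFS1 superblock templates reverse their magic between the BE and LE variants.
6 | description "little-endian variant"
7 | sector-aligned
8 | little-endian
9 | applies_to disk
10 | requires 0x04 "55 02 09 00" // 0x00090255 as stored on little-endian media
11 | // Offset 0x04 is the "Magic signature" field below (it follows one uint32).
12 | begin
13 | uint32 "unused"
14 | hex 4 "Magic signature"
15 | UNIXDateTime "Last time written"
16 | uint32 "Group no."
17 | uint16 "No. of cylinders in group"
18 | uint16 "No. of inodes in group"
19 | uint32 "No. of fragments in group"
20 | uint32 "No. of directorys"
21 | uint32 "No. of free blocks"
22 | uint32 "No. of free inodes"
23 | uint32 "No. of free fragments"
24 | uint32 "Last block allocated"
25 | uint32 "Last fragment allocated"
26 | uint32 "Last inode allocated"
27 | hex 32 "Summary of available fragments"
28 | uint32 "No. of free blocks in each cylinder"
29 | uint32 "Free block position table"
30 | uint32 "Position of Inode bitmap"
31 | uint32 "Position of fragment bitmap"
32 | uint32 "Next available space in descriptor"
33 | uint32 "Counts of available clusters"
34 | uint32 "Position of block bitmap"
35 | uint32 "No. of blocks in group"
36 | end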
--------------------------------------------------------------------------------
/WinHex_additional/UFS1 Inode BE.tpl:
--------------------------------------------------------------------------------
1 | template "UFS1 Inode"
2 |
3 | // Created by Michele Larese on Dec 20, 2005
4 | // X-Ways Software Technology AG
5 | // NOTE(review): the labelled fields end at offset 116, with "User ID" at 108 and "Group ID" at 112. FreeBSD's ufs1_dinode keeps a generation number at 108 and uid/gid at 112/116 - verify the ownership labels against the source system before reporting them.
6 | description "big-endian variant"
7 | applies_to disk
8 | big-endian
9 | multiple
10 | begin
11 | octal uint16 "mode"
12 | uint16 "Link count"
13 | uint32 "unused"
14 | int64 "Size"
15 | UNIXDateTime "Access time"
16 | uint32 "Refinement"
17 | UNIXDateTime "Modified time"
18 | uint32 "Refinement"
19 | UNIXDateTime "Change time"
20 | uint32 "Refinement"
21 | numbering 1
22 | {
23 | uint32 "Direkt block ptr. [~]"
24 | } [12]
25 | uint32 "Indirect block ptr."
26 | uint32 "Double indirect block ptr."
27 | uint32 "Triple indirect block ptr."
28 | uint32 "Status flags"
29 | uint32 "Blocks held"
30 | uint32 "User ID"
31 | uint32 "Group ID"
32 | goto 0 // back to the start of the inode
33 | move 128 // the template spans 128 bytes; the last 12 are not decoded
34 | end
35 |
--------------------------------------------------------------------------------
/WinHex_additional/UFS1 Inode LE.tpl:
--------------------------------------------------------------------------------
1 | template "UFS1 Inode"
2 |
3 | // Created by Michele Larese on Dec 20, 2005
4 | // X-Ways Software Technology AG
5 | // NOTE(review): the labelled fields end at offset 116, with "User ID" at 108 and "Group ID" at 112. FreeBSD's ufs1_dinode keeps a generation number at 108 and uid/gid at 112/116 - verify the ownership labels against the source system before reporting them.
6 | description "little-endian variant"
7 | applies_to disk
8 | multiple
9 | begin
10 | octal uint16 "mode"
11 | uint16 "Link count"
12 | uint32 "unused"
13 | int64 "Size"
14 | UNIXDateTime "Access time"
15 | uint32 "Refinement"
16 | UNIXDateTime "Modified time"
17 | uint32 "Refinement"
18 | UNIXDateTime "Change time"
19 | uint32 "Refinement"
20 | numbering 1
21 | {
22 | uint32 "Direkt block ptr. [~]"
23 | } [12]
24 | uint32 "Indirect block ptr."
25 | uint32 "Double indirect block ptr."
26 | uint32 "Triple indirect block ptr."
27 | uint32 "Status flags"
28 | uint32 "Blocks held"
29 | uint32 "User ID"
30 | uint32 "Group ID"
31 | goto 0 // back to the start of the inode
32 | move 128 // the template spans 128 bytes; the last 12 are not decoded
33 | end
34 |
--------------------------------------------------------------------------------
/WinHex_additional/UFS1 Superblock BE.tpl:
--------------------------------------------------------------------------------
1 | template "UFS1 Superblock BE"
2 |
3 | // Created by Michele Larese on Dec 7, 2005
4 | // X-Ways Software Technology AG
5 |
6 | // The first superblock always starts at position 8192 of
7 | // an UFS partition. There will be a copy of it in every
8 | // cylinder group of the drive.
9 | // NOTE(review): the description says UFS1/2, but the required magic is 0x00011954; the UFS2 superblock template in this set requires 0x19540119 instead.
10 | description "Raw content of the UFS1/2 superblock (big-endian)"
11 | big-endian
12 | sector-aligned
13 | applies_to disk
14 | requires 0x55c "00 01 19 54"
15 | begin
16 | goto 0x055c // show the magic number first ...
17 | hexadecimal uint32 "magic number"
18 | goto 0 // ... then decode from the start of the superblock
19 | uint32 "unused"
20 | uint32 "unused"
21 | uint32 "Offset to Superblock in CG"
22 | uint32 "Offset to Cylinder-block in CG"
23 | uint32 "Offset to inode-blocks CG"
24 | uint32 "Offset to first data after CG"
25 | uint32 "Cylinder group offset in cylinder"
26 | hexadecimal uint32 "used to calc mod fs_ntrak"
27 | UNIXDateTime "last time written -- time_t"
28 | uint32 "number of blocks in fs"
29 | uint32 "number of data blocks in fs"
30 | uint32 "number of cylinder groups"
31 | uint32 "size of basic blocks in fs"
32 | uint32 "size of frag blocks in fs"
33 | uint32 "number of frags in a block in fs"
34 | uint32 "minimum percentage of free blocks"
35 | uint32 "num of ms for optimal next block"
36 | uint32 "disk revolutions per second"
37 | hexadecimal uint32 "``blkoff'' calc of blk offsets"
38 | hexadecimal uint32 "``fragoff'' calc of frag offsets"
39 | uint32 "``lblkno'' calc of logical blkno"
40 | uint32 "``numfrags'' calc number of frags"
41 | uint32 "max number of contiguous blks"
42 | uint32 "max number of blks per cyl group"
43 | uint32 "block to frag shift"
44 | uint32 "fsbtodb and dbtofsb shift constant"
45 | uint32 "actual size of super block"
46 | uint32 "csum block offset"
47 | uint32 "csum block number"
48 | uint32 "value of NINDIR"
49 | uint32 "value of INOPB"
50 | uint32 "value of NSPF"
51 | uint32 "optimization preference, see below"
52 | uint32 "sectors/track including spares"
53 | uint32 "hardware sector interleave"
54 | uint32 "sector 0 skew, per track"
55 | hex 8 "file system id"
56 | uint32 "blk addr of cyl grp summary area"
57 | uint32 "size of cyl grp summary area"
58 | uint32 "cylinder group size"
59 | uint32 "tracks per cylinder"
60 | uint32 "sectors per track"
61 | uint32 "sectors per cylinder"
62 | uint32 "cylinders in file system"
63 | uint32 "cylinders per group"
64 | uint32 "inodes per cylinder group"
65 | uint32 "blocks per group * fs_frag"
66 | uint32 "number of directories"
67 | uint32 "number of free blocks"
68 | uint32 "number of free inodes"
69 | uint32 "number of free frags"
70 | uint8 "super block modified flag"
71 | uint8 "file system is clean flag"
72 | uint8 "mounted read-only flag"
73 | uint8 "currently unused flag"
74 | char[512] "name mounted on"
75 | uint32 "last cg searched"
76 | // 31 entries shown in hexadecimal, numbered from 1.
77 | numbering 1
78 | {
79 | hexadecimal uint32 "list of fs_cs info buffers"
80 | } [31]
81 | uint32 "max cluster"
82 | uint32 "cyl per cycle in postbl"
83 | hex 256 "old rotation block list head"
84 | end
--------------------------------------------------------------------------------
/WinHex_additional/UFS1 Superblock LE.tpl:
--------------------------------------------------------------------------------
1 | template "UFS1 Superblock LE"
2 |
3 | // Created by Michele Larese on Dec 7, 2005
4 | // X-Ways Software Technology AG
5 |
6 | // The first superblock always starts at position 8192 of
7 | // an UFS partition. There will be a copy of it in every
8 | // cylinder group of the drive.
9 | // NOTE(review): the description says UFS1/2, but the required bytes are 0x00011954 in little-endian order; the UFS2 superblock template in this set requires 0x19540119 instead.
10 | description "Raw content of the UFS1/2 superblock (little-endian)"
11 | sector-aligned
12 | applies_to disk
13 | requires 0x55c "54 19 01 00"
14 | begin
15 | goto 0x055c // show the magic number first ...
16 | hexadecimal uint32 "magic number"
17 | goto 0 // ... then decode from the start of the superblock
18 | uint32 "unused"
19 | uint32 "unused"
20 | uint32 "Offset to Superblock in CG"
21 | uint32 "Offset to Cylinder-block in CG"
22 | uint32 "Offset to inode-blocks CG"
23 | uint32 "Offset to first data after CG"
24 | uint32 "Cylinder group offset in cylinder"
25 | hexadecimal uint32 "used to calc mod fs_ntrak"
26 | UNIXDateTime "last time written -- time_t"
27 | uint32 "number of blocks in fs"
28 | uint32 "number of data blocks in fs"
29 | uint32 "number of cylinder groups"
30 | uint32 "size of basic blocks in fs"
31 | uint32 "size of frag blocks in fs"
32 | uint32 "number of frags in a block in fs"
33 | uint32 "minimum percentage of free blocks"
34 | uint32 "num of ms for optimal next block"
35 | uint32 "disk revolutions per second"
36 | hexadecimal uint32 "``blkoff'' calc of blk offsets"
37 | hexadecimal uint32 "``fragoff'' calc of frag offsets"
38 | uint32 "``lblkno'' calc of logical blkno"
39 | uint32 "``numfrags'' calc number of frags"
40 | uint32 "max number of contiguous blks"
41 | uint32 "max number of blks per cyl group"
42 | uint32 "block to frag shift"
43 | uint32 "fsbtodb and dbtofsb shift constant"
44 | uint32 "actual size of super block"
45 | uint32 "csum block offset"
46 | uint32 "csum block number"
47 | uint32 "value of NINDIR"
48 | uint32 "value of INOPB"
49 | uint32 "value of NSPF"
50 | uint32 "optimization preference, see below"
51 | uint32 "sectors/track including spares"
52 | uint32 "hardware sector interleave"
53 | uint32 "sector 0 skew, per track"
54 | hex 8 "file system id"
55 | uint32 "blk addr of cyl grp summary area"
56 | uint32 "size of cyl grp summary area"
57 | uint32 "cylinder group size"
58 | uint32 "tracks per cylinder"
59 | uint32 "sectors per track"
60 | uint32 "sectors per cylinder"
61 | uint32 "cylinders in file system"
62 | uint32 "cylinders per group"
63 | uint32 "inodes per cylinder group"
64 | uint32 "blocks per group * fs_frag"
65 | uint32 "number of directories"
66 | uint32 "number of free blocks"
67 | uint32 "number of free inodes"
68 | uint32 "number of free frags"
69 | uint8 "super block modified flag"
70 | uint8 "file system is clean flag"
71 | uint8 "mounted read-only flag"
72 | uint8 "currently unused flag"
73 | char[512] "name mounted on"
74 | uint32 "last cg searched"
75 | numbering 1
76 | {
77 | hexadecimal uint32 "list of fs_cs info buffers"
78 | } [31]
79 | uint32 "max cluster"
80 | uint32 "cyl per cycle in postbl"
81 | hex 256 "old rotation block list head"
82 | end
--------------------------------------------------------------------------------
/WinHex_additional/UFS2 Cylinder Group Descriptor BE.tpl:
--------------------------------------------------------------------------------
1 | template "UFS2 cylinder group descriptor"
2 |
3 | // Created by Michele Larese on Dec 20, 2005
4 | // X-Ways Software Technology AG
5 | // NOTE(review): "Last time written" is read as 32 bits at offset 132 after a 4-byte skip - confirm against the cylinder group layout of the source system that this is the low half of the stored time.
6 | description "big-endian variant"
7 | sector-aligned
8 | big-endian
9 | applies_to disk
10 | requires 0x04 "00 09 02 55"
11 | begin
12 | uint32 "unused"
13 | hex 4 "Magic signature"
14 | uint32 "unused"
15 | uint32 "Group number"
16 | uint32 "unused"
17 | uint32 "No. of fragments in group"
18 | uint32 "No. of directorys"
19 | uint32 "No. of free blocks"
20 | uint32 "No. of free inodes"
21 | uint32 "No. of free fragments"
22 | uint32 "Last block allocated"
23 | uint32 "Last fragment allocated"
24 | uint32 "Last inode allocated"
25 | hex 32 "Summary of available fragments"
26 | int64 "unused"
27 | uint32 "Position of inode bitmap"
28 | uint32 "Position of fragment bitmap"
29 | uint32 "Next available space"
30 | uint32 "Counts of available cluster"
31 | uint32 "Positon of block bitmap"
32 | uint32 "No. of blocks in group"
33 | uint32 "No. of inodes in group"
34 | uint32 "Last initialized inode"
35 | uint32 "unused"
36 | move 4
37 | UNIXDateTime "Last time written"
38 | end
--------------------------------------------------------------------------------
/WinHex_additional/UFS2 Cylinder Group Descriptor LE.tpl:
--------------------------------------------------------------------------------
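1 | template "UFS2 cylinder group descriptor"
2 |
3 | // Created by Michele Larese on Dec 20, 2005
4 | // X-Ways Software Technology AG
5 | // The required magic is given in on-disk little-endian byte order, mirroring how the UFS1 superblock templates reverse their magic between the BE and LE variants.
6 | description "little-endian variant"
7 | sector-aligned
8 | applies_to disk
9 | requires 0x04 "55 02 09 00" // 0x00090255 as stored on little-endian media
10 | begin
11 | uint32 "unused"
12 | hex 4 "Magic signature"
13 | uint32 "unused"
14 | uint32 "Group number"
15 | uint32 "unused"
16 | uint32 "No. of fragments in group"
17 | uint32 "No. of directorys"
18 | uint32 "No. of free blocks"
19 | uint32 "No. of free inodes"
20 | uint32 "No. of free fragments"
21 | uint32 "Last block allocated"
22 | uint32 "Last fragment allocated"
23 | uint32 "Last inode allocated"
24 | hex 32 "Summary of available fragments"
25 | int64 "unused"
26 | uint32 "Position of inode bitmap"
27 | uint32 "Position of fragment bitmap"
28 | uint32 "Next available space"
29 | uint32 "Counts of available cluster"
30 | uint32 "Positon of block bitmap"
31 | uint32 "No. of blocks in group"
32 | uint32 "No. of inodes in group"
33 | uint32 "Last initialized inode"
34 | uint32 "unused"
35 | move 4 // NOTE(review): skip-then-read is copied from the big-endian variant - confirm which 4 bytes hold the low half of the time on little-endian media
36 | UNIXDateTime "Last time written"
37 | end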
--------------------------------------------------------------------------------
/WinHex_additional/UFS2 Inode BE.tpl:
--------------------------------------------------------------------------------
1 | template "UFS2 Inode"
2 |
3 | // Created by Michele Larese on Dec 20, 2005
4 | // X-Ways Software Technology AG
5 | // Each of the four timestamps occupies 8 bytes; move 4 skips the first half and the 32-bit UNIXDateTime shows the second, which is the low half in big-endian order.
6 | description "big-endian variant"
7 | applies_to disk
8 | big-endian
9 | multiple
10 | begin
11 | octal uint16 "mode"
12 | uint16 "Link count"
13 | uint32 "User ID"
14 | uint32 "Group ID"
15 | uint32 "Inode block size"
16 | int64 "Size"
17 | int64 "Bytes held"
18 | move 4
19 | UNIXDateTime "Access time"
20 | move 4
21 | UNIXDateTime "Modified time"
22 | move 4
23 | UNIXDateTime "Change time"
24 | move 4
25 | UNIXDateTime "Create time"
26 | uint32 "Refinement mtime (ns)"
27 | uint32 "Refinement atime (ns)"
28 | uint32 "Refinement changetime (ns)"
29 | uint32 "Refinement createtime (ns)"
30 | uint32 "Generation no. (NFS)"
31 | uint32 "Kernel flags"
32 | uint32 "Status flags"
33 | uint32 "extended attribute flags"
34 | int64 "1. direct ext. attr. blk pointer"
35 | int64 "2. direct ext. attr. blk pointer"
36 | numbering 1
37 | {
38 | int64 "Direkt block ptr. [~]"
39 | } [12]
40 | int64 "Indirect block ptr."
41 | int64 "Double indirect block ptr."
42 | int64 "Triple indirect block ptr."
43 | goto 0 // back to the start of the inode
44 | move 256 // the template spans 256 bytes; the labelled fields end at offset 232
45 | end
46 |
--------------------------------------------------------------------------------
/WinHex_additional/UFS2 Inode LE.tpl:
--------------------------------------------------------------------------------
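1 | template "UFS2 Inode"
2 | // Lays out one inode record; the closing "goto 0" + "move 256" advance exactly 256 bytes so "multiple" can step from record to record.
3 | // Created by Michele Larese on Dec 20, 2005
4 | // X-Ways Software Technology AG
5 | // Timestamps are 64-bit on disk but decoded as 32-bit UNIXDateTime. On a little-endian volume the low 32 bits are stored FIRST, so each timestamp is decoded and then its high half is skipped.
6 | description "little-endian variant"
7 | applies_to disk
8 | multiple
9 | begin
10 | octal uint16 "mode" // shown in octal
11 | uint16 "Link count"
12 | uint32 "User ID"
13 | uint32 "Group ID"
14 | uint32 "Inode block size"
15 | int64 "Size"
16 | int64 "Bytes held"
17 | UNIXDateTime "Access time" // low 32 bits of the 64-bit time (little-endian: stored first)
18 | move 4 // skip the high 32 bits; decoding these instead would show the epoch for any ordinary date
19 | UNIXDateTime "Modified time"
20 | move 4 // skip high half
21 | UNIXDateTime "Change time"
22 | move 4 // skip high half
23 | UNIXDateTime "Create time"
24 | move 4 // skip high half; the nanosecond fields start right after
25 | uint32 "Refinement mtime (ns)" // nanosecond parts as four separate 32-bit fields; note the order here is mtime, then atime
26 | uint32 "Refinement atime (ns)"
27 | uint32 "Refinement changetime (ns)"
28 | uint32 "Refinement createtime (ns)"
29 | uint32 "Generation no. (NFS)"
30 | uint32 "Kernel flags"
31 | uint32 "Status flags"
32 | uint32 "extended attribute flags"
33 | int64 "1. direct ext. attr. blk pointer"
34 | int64 "2. direct ext. attr. blk pointer"
35 | numbering 1
36 | {
37 | int64 "Direkt block ptr. [~]" // [~] is replaced by the running number 1..12
38 | } [12]
39 | int64 "Indirect block ptr."
40 | int64 "Double indirect block ptr."
41 | int64 "Triple indirect block ptr."
42 | goto 0 // back to the start of this record ...
43 | move 256 // ... then forward one full record, regardless of how many bytes were labelled above
44 | end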
45 |
--------------------------------------------------------------------------------
/WinHex_additional/UFS2 Superblock BE.tpl:
--------------------------------------------------------------------------------
1 | template "UFS2 Superblock BE"
2 |
3 | // Created by Michele Larese on Dec 7, 2005
4 | // X-Ways Software Technology AG
5 |
6 | // The first superblock always starts at position 65536, 131072
7 | // or 262144 of an UFS partition. There will be a copy of it in
8 | // every cylinder group of the drive.
9 |
10 | description "Raw content of the UFS2 superblock (big-endian)"
11 | big-endian
12 | sector-aligned
13 | applies_to disk
14 | requires 0x55c "19 54 01 19"
15 | begin
16 | goto 0x055c
17 | hexadecimal uint32 "magic number"
18 | goto 0
19 | hex 8 "unused"
20 | uint32 "Offset to Superblock in CG"
21 | uint32 "Offset to Cylinder-block in CG"
22 | uint32 "Offset to inode-blocks CG"
23 | uint32 "Offset to first data after CG"
24 | hex 20 "Unused"
25 | uint32 "Number of cylinder groups"
26 | uint32 "size of a block"
27 | uint32 "size of fragment"
28 | uint32 "number of frags in a blk"
29 | uint32 "minimum % of free blocks"
30 | hex 8 "Unused"
31 | uint32 "Mask to calc blk address"
32 | uint32 "Mask to calc frag. address"
33 | uint32 "Shift to calc blk byte addr."
34 | uint32 "Shift to calc frag byte addr."
35 | uint32 "Max number of contiguous blks"
36 | uint32 "Max number of blks per cyl group"
37 | uint32 "No. of convert bits blk <-> frag"
38 | uint32 "Mo. of convert bits frag <-> sector"
39 | uint32 "Size of Superblock"
40 | hex 8 "Unused"
41 | uint32 "No. of ind. addr. per frag"
42 | uint32 "No. of inodes per block in inode table"
43 | hex 4 "Unused"
44 | uint32 "Optimization technique"
45 | hex 12 "Unused"
46 | hex 8 "File System ID"
47 | hex 4 "Unused"
48 | uint32 "Size of cyl. grp. summary area"
49 | uint32 "Size of cyl. grp. descriptor"
50 | hex 20 "Unused"
51 | uint32 "Inodes per cylinder group"
52 | uint32 "Fragments per cyl. group"
53 | hex 16 "Unused"
54 | byte "Super block modified flag"
55 | byte "FS was clean when mounted"
56 | byte "Mounted read only flag"
57 | byte "Unused"
58 | char[468] "Last mount point"
59 | char[32] "Volume name"
60 | int64 "System UID"
61 | uint32 "Unused"
62 | uint32 "Last cylinder group searched"
63 | hex 272 "Unused"
64 | int64 "Location of superblock"
65 | int64 "Number of directorys"
66 | int64 "Number of free blocks"
67 | int64 "Number of free inodes"
68 | int64 "Number of free fragments"
69 | int64 "Number of free clusters"
70 | hex 24 "Unused"
71 | UNIXDateTime "last time written (refinement)"
72 | UNIXDateTime "last time written"
73 | int64 "Number of fragments in FS"
74 | int64 "No of fragments that can store data"
75 | int64 "Frag. addr. of cyl. grp. sum. area"
76 | int64 "Blocks in proc. of being freed"
77 | uint32 "Inodes in proc. of being freed"
78 | numbering 1
79 | {
80 | int64 "inode addr. for snap inodes"
81 | } [10]
82 | uint32 "Expected average file size"
83 | uint32 "Expected no. of files per dir"
84 | hex 108 "Unused"
85 | hex 4 "flags"
86 | uint32 "Size of cluster summary area in grp. descr."
87 | uint32 "Max length of internal symlink"
88 | hex 4 "Format of inodes"
89 | int64 "Max file size"
90 | hex 8 "Mask to calc offset in blk. for addr."
91 | hex 8 "Mask to calc offset in frag. for addr."
92 | hex 4 "File system state"
93 | hex 16 "Unused"
94 | hex 4 "Magic number"
95 |
96 |
97 | end
--------------------------------------------------------------------------------
/WinHex_additional/UFS2 Superblock LE.tpl:
--------------------------------------------------------------------------------
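1 | template "UFS2 Superblock LE"
2 |
3 | // Created by Michele Larese on Dec 7, 2005
4 | // X-Ways Software Technology AG
5 |
6 | // The first superblock always starts at position 65536, 131072
7 | // or 262144 of an UFS partition. There will be a copy of it in
8 | // every cylinder group of the drive.
9 | // The magic number at 0x55c is displayed first, then the fields are read sequentially from offset 0.
10 | description "Raw content of the UFS2 superblock (little-endian)"
11 | sector-aligned
12 | applies_to disk
13 | requires 0x55c "19 01 54 19" // magic as stored on a little-endian volume; the template refuses to apply elsewhere
14 | begin
15 | goto 0x055c
16 | hexadecimal uint32 "magic number"
17 | goto 0
18 | hex 8 "unused"
19 | uint32 "Offset to Superblock in CG"
20 | uint32 "Offset to Cylinder-block in CG"
21 | uint32 "Offset to inode-blocks CG"
22 | uint32 "Offset to first data after CG"
23 | hex 20 "Unused"
24 | uint32 "Number of cylinder groups"
25 | uint32 "size of a block"
26 | uint32 "size of fragment"
27 | uint32 "number of frags in a blk"
28 | uint32 "minimum % of free blocks"
29 | hex 8 "Unused"
30 | uint32 "Mask to calc blk address"
31 | uint32 "Mask to calc frag. address"
32 | uint32 "Shift to calc blk byte addr."
33 | uint32 "Shift to calc frag byte addr."
34 | uint32 "Max number of contiguous blks"
35 | uint32 "Max number of blks per cyl group"
36 | uint32 "No. of convert bits blk <-> frag"
37 | uint32 "Mo. of convert bits frag <-> sector"
38 | uint32 "Size of Superblock"
39 | hex 8 "Unused"
40 | uint32 "No. of ind. addr. per frag"
41 | uint32 "No. of inodes per block in inode table"
42 | hex 4 "Unused"
43 | uint32 "Optimization technique"
44 | hex 12 "Unused"
45 | hex 8 "File System ID"
46 | hex 4 "Unused"
47 | uint32 "Size of cyl. grp. summary area"
48 | uint32 "Size of cyl. grp. descriptor"
49 | hex 20 "Unused"
50 | uint32 "Inodes per cylinder group"
51 | uint32 "Fragments per cyl. group"
52 | hex 16 "Unused"
53 | byte "Super block modified flag"
54 | byte "FS was clean when mounted"
55 | byte "Mounted read only flag"
56 | byte "Unused"
57 | char[468] "Last mount point"
58 | char[32] "Volume name"
59 | int64 "System UID"
60 | uint32 "Unused"
61 | uint32 "Last cylinder group searched"
62 | hex 272 "Unused"
63 | int64 "Location of superblock"
64 | int64 "Number of directorys"
65 | int64 "Number of free blocks"
66 | int64 "Number of free inodes"
67 | int64 "Number of free fragments"
68 | int64 "Number of free clusters"
69 | hex 24 "Unused"
70 | UNIXDateTime "last time written" // first 4 bytes of the 8-byte last-written time: on a little-endian volume these are the low 32 bits, i.e. the actual timestamp
71 | UNIXDateTime "last time written (refinement)" // remaining 4 bytes (high half); decodes to the epoch whenever the high half is zero
72 | int64 "Number of fragments in FS"
73 | int64 "No of fragments that can store data"
74 | int64 "Frag. addr. of cyl. grp. sum. area"
75 | int64 "Blocks in proc. of being freed"
76 | uint32 "Inodes in proc. of being freed"
77 | numbering 1
78 | {
79 | int64 "inode addr. for snap inodes"
80 | } [10]
81 | uint32 "Expected average file size"
82 | uint32 "Expected no. of files per dir"
83 | hex 108 "Unused"
84 | hex 4 "flags"
85 | uint32 "Size of cluster summary area in grp. descr."
86 | uint32 "Max length of internal symlink"
87 | hex 4 "Format of inodes"
88 | int64 "Max file size"
89 | hex 8 "Mask to calc offset in blk. for addr."
90 | hex 8 "Mask to calc offset in frag. for addr."
91 | hex 4 "File system state"
92 | hex 16 "Unused"
93 | hex 4 "Magic number" // raw bytes in on-disk order; the same field was shown as a number at the top
94 | end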
--------------------------------------------------------------------------------
/WinHex_additional/WAVPCM.tpl:
--------------------------------------------------------------------------------
1 | template "WAV PCM File Format"
2 |
3 | // Template by Khomenko Volodymyr, Ukraine.
4 |
5 | description "Structure of a simple WAV-PCM (unpacked) audio file"
6 | appliesto file
7 |
8 | requires 0x00 "52 49 46 46" // 'RIFF'
9 | requires 0x08 "57 41 56 45" // 'WAVE'
10 | requires 0x0C "66 6d 74 20" // 'fmt '
11 |
12 | begin
13 | section "RIFF block"
14 | read-only char[4] "RIFF_ID" // 00
15 | uint32 "Data size(filesize-8)" // 04
16 | read-only char[4] "RIFF_FORMAT" // 08
17 | endsection
18 |
19 | section "FMT block"
20 | read-only char[4] "FMT_ID" // 0C
21 | uint32 "FMT_SIZE" // 10
22 | uint16 "wFormatTag" // 14
23 | uint16 "nChannels" // 16
24 | uint32 "nSamplesPerSec" // 18
25 | uint32 "nAvrgBytesPerSec" // 1C
26 | uint16 "nBlockAlign" // 20
27 | uint16 "wBitsPerSample" // 22
28 |
29 | // Skip bytes till begin of next block (in case of FMT_SIZE>16)
30 | move FMT_SIZE
31 | move -16
32 | endsection
33 |
34 | section "DATA block"
35 | read-only char[4] "DATA_ID"
36 | uint32 "DATA_SIZE"
37 | endsection
38 | end
39 |
--------------------------------------------------------------------------------
/WinHex_additional/ZIP.tpl:
--------------------------------------------------------------------------------
1 | template "ZIP file"
2 | description "Contains structure of ZIP file"
3 | applies_to file
4 | requires 0 "504B0304" // the file must start with a local file header signature
5 | // Sequential walk: local file headers, then central directory records, then the end-of-central-directory record. Stored offsets are displayed but never followed.
6 | begin
7 | // File Information Stored in ZIP
8 | section "Compressed file local headers"
9 | numbering 0
10 | {
11 | section "File header"
12 | hex 4 Value
13 | IfEqual Value 0x504B0304
14 | move -4
15 | Else
16 | ExitLoop
17 | EndIf
18 | // Signature matched and the position was rewound, so the header is displayed from its first byte.
19 | hex 4 "ZIP local file header signature (0x04034b50)"
20 | hex 2 "Version needed to extract"
21 | hex 2 "General purpose bit flag"
22 | hex 2 "Compression method"
23 | DOSDateTime "Last mod file date/time"
24 | hex 4 "CRC 32"
25 | uint32 "Compressed size"
26 | uint32 "Uncompressed size"
27 | uint16 "Filename length"
28 | uint16 "Extra field length"
29 | string "Filename length" "File name"
30 | hex "Extra field length" "Extra field"
31 | move "Compressed size" // to end of file data. NOTE(review): entries written with a trailing data descriptor (bit 3 of the general purpose flag) may carry 0 here, in which case this skip does not land on the next header and the walk stops early - check the flag before trusting the entry list
32 | endsection
33 | }[100]
34 | endsection
35 | // The loop ends at the first non-matching signature or after 100 entries. NOTE(review): if all 100 iterations complete, no signature was consumed, so the "move -4" below steps back into file data and the following sections are misaligned.
36 | move -4 // rewind over the 4 bytes consumed by the failed signature test
37 | section "Central Directory"
38 | numbering 0
39 | {
40 | section "CD File Header"
41 | hex 4 Value1
42 | IfEqual Value1 0x504B0102
43 | move -4
44 | Else
45 | ExitLoop
46 | EndIf
47 | // Names and sizes appear both here and in the local headers above; the template shows both copies, so any disagreement between them is visible when examining an archive.
48 | hex 4 "Central file header signature (0x02014b50)"
49 | hex 2 "Version made by"
50 | hex 2 "Version needed to extract"
51 | hex 2 "General purpose bit flag"
52 | hex 2 "Compression method"
53 | DOSDateTime "Last mod file date/time"
54 | hex 4 "CRC 32"
55 | uint32 "Compressed size"
56 | uint32 "Uncompressed size"
57 | uint16 "Filename Length"
58 | uint16 "ExtraField Length"
59 | uint16 "File comment length"
60 | uint16 "Disk number start"
61 | hex 2 "Internal file attributes"
62 | hex 4 "External file attributes"
63 | uint32 "Relative offset of local header" // displayed only; not used to locate the local header
64 | string "Filename Length" "File name"
65 | string "ExtraField Length" "Extra field" // rendered as text here, whereas the local-header section above renders its extra field as hex
66 | string "File comment length" "File comment"
67 | endsection
68 | }[100]
69 | endsection
70 | // No signature test guards the next section: whatever follows the last central directory record is labelled as the end record. NOTE(review): all sizes and counts are read as 16/32-bit; ZIP64 archives keep the real values elsewhere.
71 | move -4 // rewind over the 4 bytes consumed by the failed signature test
72 | section "Additional data"
73 | hex 4 "End of central dir signature (0x06054b50)"
74 | uint16 "Number of this disk"
75 | uint16 "Number of the disk with the start of the central directory"
76 | uint16 "Number of entries in the central dir on this disk"
77 | uint16 "Number of entries in the central dir"
78 | uint32 "Size of the central directory"
79 | uint32 "Offset of start of central directory with respect to the starting disk number"
80 | uint16 "Zipfile comment length"
81 | string "Zipfile comment length" "Zipfile comment"
82 | endsection
83 | end
--------------------------------------------------------------------------------
/WinHex_additional/ZIP_Central_Directory_Structure.tpl:
--------------------------------------------------------------------------------
1 | template "ZIP Central Directory Structure"
2 |
3 | // Template by Trenton D. Adams
4 | // Cf. ftp://ftp.uu.net/pub/archiving/zip/doc/appnote-970311-iz.zip
5 | // One central directory record per application; "multiple" allows stepping to the next record. The three variable-length fields at the end take their sizes from the length fields read before them.
6 | description "Central Directory structure layout for ZIP files."
7 | applies_to file
8 | multiple
9 | requires 0 "504B0102" // only applies where a central file header signature is present
10 | // NOTE(review): sizes and the local header offset are read as 32-bit; in ZIP64 archives these hold 0xFFFFFFFF and the real values live in the extra field.
11 | begin
12 | // Central File Header
13 | hex 4 "Central file header signature (0x02014b50)"
14 | hex 2 "Version made by"
15 | hex 2 "Version needed to extract"
16 | hex 2 "General purpose bit flag"
17 | hex 2 "Compression method"
18 | DOSDateTime "Last modification file date/time"
19 | hex 4 "CRC 32"
20 | uint32 "Compressed size"
21 | uint32 "Uncompressed size"
22 | uint16 "Filename len"
23 | uint16 "Extra field len"
24 | uint16 "Comment len"
25 | uint16 "Disk start number"
26 | hex 2 "Internal file attr"
27 | hex 4 "External file attr"
28 | uint32 "Local header offset" // displayed only; compare with the actual position of the matching local header
29 | string "Filename len" "File name"
30 | hex "Extra field len" "Extra field"
31 | string "Comment len" "File comments"
32 | end
--------------------------------------------------------------------------------
/WinHex_additional/ZIP_Data_Descriptor_Structure.tpl:
--------------------------------------------------------------------------------
1 | template "ZIP Data Descriptor Structure"
2 |
3 | // Template by Trenton D. Adams
4 | // Cf. ftp://ftp.uu.net/pub/archiving/zip/doc/appnote-970311-iz.zip
5 | // Fixed 16-byte layout: signature, CRC and two 32-bit sizes.
6 | description "Data Descriptor structure layout for ZIP files."
7 | applies_to file
8 | requires 0 "504B0708"
9 | // NOTE(review): the descriptor signature is optional in the ZIP format, so descriptors written without it will not match the "requires" line; ZIP64 descriptors use 8-byte sizes and will be mislabelled by this layout.
10 | begin
11 | // Data Descriptor
12 | hex 4 "Data descriptor signature (0x08074b50)"
13 | hex 4 "CRC 32"
14 | uint32 "Compressed size"
15 | uint32 "Uncompressed size"
16 | end
--------------------------------------------------------------------------------
/WinHex_additional/ZIP_End_of_Central_Dir_Structure.tpl:
--------------------------------------------------------------------------------
1 | template "ZIP End of Central Directory Structure"
2 |
3 | // Template by Trenton D. Adams
4 | // Cf. ftp://ftp.uu.net/pub/archiving/zip/doc/appnote-970311-iz.zip
5 | // The template does not search for the record; it has to be applied at the position of the signature.
6 | description "End of Central Directory structure layout for ZIP files."
7 | applies_to file
8 | requires 0 "504B0506"
9 | // NOTE(review): counts are 16-bit and size/offset 32-bit; ZIP64 archives store 0xFFFF / 0xFFFFFFFF here and keep the real values in a separate ZIP64 record.
10 | begin
11 | // End of Central Dir
12 | hex 4 "End of central dir signature (0x06054b50)"
13 | uint16 "Disk # (spanned)"
14 | uint16 "First disk #"
15 | uint16 "Total num entries on this disk"
16 | uint16 "Total ZIP entries on all disks"
17 | uint32 "Central directory size"
18 | uint32 "Central directory byte offset" // displayed only; compare with where the first central directory record actually sits
19 | uint16 "ZIP file comment len"
20 | string "ZIP file comment len" "ZIP file comment" // length is taken from the field above; data beyond that length is not labelled
21 | end
--------------------------------------------------------------------------------
/WinHex_additional/ZIP_Local_File_Header_Structure.tpl:
--------------------------------------------------------------------------------
1 | template "ZIP Local File Header Structure"
2 |
3 | // Template by Trenton D. Adams
4 | // Cf. ftp://ftp.uu.net/pub/archiving/zip/doc/appnote-970311-iz.zip
5 | // One local header per application; the final move skips the entry's data so "multiple" can step to the next header.
6 | description "Local File Header Structure for ZIP files"
7 | applies_to file
8 | multiple
9 | requires 0 "504B0304" // only applies where a local file header signature is present
10 | // The name and sizes shown here are the local copy; the central directory holds a second copy, and the two should be compared when an archive is under examination.
11 | begin
12 | // File Information Stored in ZIP
13 | hex 4 "ZIP file header signature (0x04034b50)"
14 | hex 2 "Version needed to extract"
15 | hex 2 "General purpose bit flag"
16 | hex 2 "Compression method"
17 | DOSDateTime "last mod file date/time"
18 | hex 4 "CRC 32"
19 | uint32 "Compressed size"
20 | uint32 "Uncompressed size"
21 | uint16 "Filename length"
22 | uint16 "Extra field length"
23 | string "Filename length" "Filename"
24 | hex "Extra field length" "Extra field"
25 | move "Compressed size" // to end of file data. NOTE(review): entries written with a trailing data descriptor (bit 3 of the general purpose flag) may carry 0 here, so the next application of the template would not start on a header
26 | end
--------------------------------------------------------------------------------
/WinHex_additional/dbf field.tpl:
--------------------------------------------------------------------------------
1 | template "dbf field"
2 |
3 | // Sample template by Paul Mullen, pcguru@the-answer.com
4 |
5 | description "32 byte definition for each data field"
6 |
7 | appliesto file
8 |
9 | requires 10 00
10 | multiple
11 |
12 | begin
13 | char[10] "Field Name (zero terminated)"
14 | read-only hex 1 "(zero terminator)"
15 | char[1] "Field Type"
16 | int32 "offset from start of record"
17 | byte "Field length (bytes)"
18 | byte "Decimal places"
19 | read-only hex 2 "(Reserved)"
20 | byte "Work area ID"
21 | read-only hex 10 "(Reserved)"
22 | byte "Used in production index"
23 | end
24 |
--------------------------------------------------------------------------------
/WinHex_additional/dbf header.tpl:
--------------------------------------------------------------------------------
1 | template "dbf file header"
2 |
3 | description "First 32 bytes of a dBase/xBase .dbf file"
4 |
5 | appliesto file
6 |
7 | requires 30 "00 00"
8 |
9 | begin
10 | hex 1 "Version"
11 | byte [3] "Last update, format YYMMDD"
12 | uint32 "Number of records in file"
13 | uint16 "Length of header"
14 | uint16 "Data Record length"
15 | read-only hex 2 "(Reserved, fill with 0)"
16 | byte "Incomplete transaction"
17 | byte "Encryption flag"
18 | hex 12 "dBaseIV multi-user"
19 | byte "Production index exists"
20 | byte "dBaseIV language option"
21 | read-only hex 2 "(always 0x00)"
22 | end
--------------------------------------------------------------------------------
/WinHex_additional/dbf sample records.tpl:
--------------------------------------------------------------------------------
1 | template "dbf sample data record"
2 |
3 | // Sample template by Paul Mullen, pcguru@the-answer.com
4 |
5 | description "applies to states.dbf"
6 |
7 | appliesto file
8 |
9 | multiple
10 |
11 | begin
12 | char[1] "*=deleted"
13 | char[12] "Area"
14 | char[25] "State Name"
15 | char[2] "FIPS"
16 | char[7] "Region"
17 | char[2] "Abbreviation"
18 | char[10] "Pop 1990"
19 | char[10] "Pop 1996"
20 | end
21 |
--------------------------------------------------------------------------------
/WinHex_additional/dbf tutorial.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/kacos2000/WinHex_Templates/dfc80e8705d722f66d33a3c8be84ca37070fb1ed/WinHex_additional/dbf tutorial.zip
--------------------------------------------------------------------------------
/WinHex_additional/exFAT Boot Sector 2.tpl:
--------------------------------------------------------------------------------
1 | template "Boot Sector exFAT"
2 |
3 | // Template by Christopher Taylor
4 | // taylormade@rocketmail.com
5 |
6 |
7 | // Template for the Volume Boot Record of an exFAT Volume
8 | // This template is far from complete and there are several sections
9 | // of unknown data that are just stepped over that need to be
10 | // understood in the final version of this template
11 |
12 | description "Describes Volume and Location of System Files"
13 | applies_to disk
14 | sector-aligned
15 | // Three byte patterns must match before the template applies: 0x90 at offset 2, "EXFAT" at offset 3 and 55 AA at 0x1FE.
16 | requires 0x02 "90"
17 | requires 0x03 "45 58 46 41 54" // ="EXFAT" at offset 3
18 | requires 0x1FE "55 AA"
19 |
20 | begin
21 | read-only hex 3 "JMP instruction"
22 | char[8] "OEM"
23 |
24 | section "Volume Information"
25 | move 53 //zeros; 3 + 8 + 53 puts the position at offset 0x40, where the volume fields begin
26 | uint32 "Partition Sector Offset" // only 4 bytes are decoded ...
27 | move 4 // ... and the next 4 are skipped; NOTE(review): presumably the upper half of a 64-bit offset - confirm
28 | int64 "Total Sectors in Volume"
29 | uint32 "FAT Location (Sector Number)"
30 | uint32 "Size of FAT (in Sectors)"
31 | uint32 "Bitmap Location (Sector Number)" // NOTE(review): the exFAT specification calls this field the cluster heap offset; the bitmap is usually, but not necessarily, at its start
32 | uint32 "Number of Clusters"
33 | uint32 "Root Directory Location (Cluster Number)"
34 | hexadecimal uint32 "Volume Serial Number"
35 | read-only hex 2 "File System Version #"
36 | binary "Volume Flags" // one byte shown bit by bit
37 | uint8 "Active FAT" // NOTE(review): in the exFAT specification the volume flags are 2 bytes and the active FAT is bit 0 of the first byte; this byte would then be the upper, reserved half - confirm before relying on the value
38 | uint8 "Bytes per Sector (2^x)" // stored as an exponent, not a byte count
39 | uint8 "Sectors per Cluster (2^x)" // stored as an exponent
40 | uint8 "Number of FATs"
41 | read-only hex 1 "Drive Type"
42 | uint8 "Percentage of volume used"
43 | move 7
44 | endsection
45 | read-only hex 48 "Boot Code" // from here to 0x1FE (48 + 88 + 72 + 118 + 61 + 3 = 390 bytes) the split and the labels describe what the author observed; contents may differ on other volumes
46 | move 88 //zeros
47 | char[72] "Boot Messages"
48 | read-only hex 118 "zeros"
49 | read-only hex 61 "FFs"
50 | read-only hex 3 "unidentified"
51 |
52 | endsection
53 | // NOTE(review): the endsection above has no matching open section (the only section was closed before "Boot Code").
54 | goto 0x1FE
55 | read-only hex 2 "Signature (55 AA)"
56 | end
--------------------------------------------------------------------------------
/WinHex_additional/exFAT Boot Sector.tpl:
--------------------------------------------------------------------------------
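1 | template "Boot Sector exFAT"
2 |
3 | // Template by Robert Shullich
4 | // John Jay College of Criminal Justice
5 |
6 | // To be applied to the first VBR sector of a exFAT-formatted logical drive.
7 | // This template assumes a DD acquired image
8 |
9 | description "BIOS parameter block (BPB) and more"
10 | sector-aligned
11 | // No "requires" lines: the template applies to any sector, so check the OEM field
12 | // and the 55 AA signature in the output before trusting the decoded values.
13 |
14 | begin
15 | read-only hex 3 "JMP instruction"
16 | char[8] "OEM"
17 |
18 | goto 0x0040
19 |
20 | section "exFAT BIOS Parameter Block"
21 | int64 "Partition Offset"
22 | int64 "Total Sectors in Volume"
23 | uint32 "FAT Offset (Offset of First FAT)"
24 | uint32 "FAT Length (in sectors)"
25 | uint32 "Cluster Heap Offset"
26 | uint32 "Cluster Count"
27 | uint32 "Root Directory First Cluster"
28 | uint32 "Volume serial number (decimal)"
29 | move -4 // re-read the same 4 bytes as hex
30 | hex 4 "Volume serial number (hex)"
31 | hex 2 "File System Revision (MM.VV)"
32 | uint16 "Volume Flags"
33 | move -2 // back to the FIRST byte of the 2-byte flags field: bits 0-7 live in the low byte, which is stored first (little-endian)
34 | uint_flex "0" "Bit 0 - Active FAT"
35 | move -4 // each uint_flex consumes 4 bytes; rewind to test the next bit of the same position
36 | uint_flex "1" "Bit 1 - Volume Dirty"
37 | move -4
38 | uint_flex "2" "Bit 2 - Media Failure"
39 | move -4
40 | uint_flex "3" "Bit 3 - Clear to Zero"
41 | move -4
42 | uint_flex "4" "Bit 4 - Reserved"
43 | move -4
44 | uint_flex "5" "Bit 5 - Reserved"
45 | move -4
46 | uint_flex "6" "Bit 6 - Reserved"
47 | move -4
48 | uint_flex "7" "Bit 7 - Reserved"
49 | move -2 // 4 bytes were consumed from the start of the flags field; step back 2 to land just after its 2 bytes
50 | uint8 "Bytes Per Sector" // stored as a power-of-two exponent, not a byte count
51 | uint8 "Sectors Per Cluster" // stored as a power-of-two exponent
52 | uint8 "Number of FATS"
53 | hex 1 "Drive Select (Hex)"
54 | uint8 "Percent in use"
55 | endsection
56 |
57 | section "VBR Signature"
58 | goto 0x1FE
59 | read-only hex 2 "Signature (55 AA)"
60 | endsection
61 | end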
--------------------------------------------------------------------------------
/WinHex_additional/exFAT Regular File.tpl:
--------------------------------------------------------------------------------
1 | template "Exfat Reg File 85,C0,C1"
2 | description "Parse Dir File Rcrd Set 85,C0,C1"
3 | applies_to disk
4 | //requires 0x01 0x85 // ="Directory Entry Information"
5 | //requires 0x21 0xC1 // ="Stream Directory Information"
6 | //requires 0x41 0xC0 // ="First Entry of Filename"
7 | multiple
8 |
9 | begin
10 | hex 1 "Type Code"
11 | move -1
12 | uint_flex "0" " | Type Code bit"
13 | move -4
14 | uint_flex "1" " | Type Code bit"
15 | move -4
16 | uint_flex "2" " | Type Code bit"
17 | move -4
18 | uint_flex "3" " | Type Code bit"
19 | move -4
20 | uint_flex "4" " | Type Code bit"
21 | move -4
22 | uint_flex "5" " | Bit 5 - 0-Critical, 1-Benign"
23 | move -4
24 | uint_flex "6" " | Bit 6 - 0-Primary, 1-Secondary"
25 | move -4
26 | uint_flex "7" " | Bit 7 - 0-Not In Use, 1-In Use"
27 | move -3
28 | hex 1 "count of 2nd-ary entries"
29 | hex 2 "checksum"
30 | binary "Flags"
31 | move -1
32 | uint_flex "0" " | Bit 0 - Read Only"
33 | move -4
34 | uint_flex "1" " | Bit 1 - Hidden"
35 | move -4
36 | uint_flex "2" " | Bit 2 - System"
37 | move -4
38 | uint_flex "3" " | Bit 3 - Reserved"
39 | move -4
40 | uint_flex "4" " | Bit 4 - Directory"
41 | move -4
42 | uint_flex "5" " | Bit 5 - Archive"
43 | move -4
44 | uint_flex "6" " | Bit 6 - Reserved"
45 | move -4
46 | uint_flex "7" " | Bit 7 - Reserved"
47 | move -3
48 | binary "Bits 8-15 Reserved"
49 | hex 2 "Reserved"
50 | dosdatetime "Created Time Stamp"
51 | move -4
52 | hex 4 "Create Time hex value"
53 | dosdatetime "Last Modified Time Stamp"
54 | move -4
55 | hex 4 "Last Modified Time hex value"
56 | dosdatetime "Last Access Time Stamp"
57 | move -4
58 | Hex 4 "Last Access Time hex value"
59 | byte "Creation 0-199 Micro Seconds"
60 | byte "Last Modified 0-199 Micro seconds"
61 | hex 1 "CR Time Zone Code"
62 | hex 1 "Mod Time Zone Code"
63 | hex 1 "Acc Time Zone Code"
64 | hex 7 "Reserved"
65 |
66 | endsection
67 | hex 1 "Type Code C0"
68 | binary "flags"
69 | move -1
70 | uint_flex "0" " | Allocation Possible 0-No 1-Yes"
71 | move -4
72 | uint_flex "1" " | No Fat Chain 0-Valid, 1-Invalid"
73 | move -4
74 | uint_flex "2" " | Reserved"
75 | move -4
76 | uint_flex "3" " | Reserved"
77 | move -4
78 | uint_flex "4" " | Reserved"
79 | move -4
80 | uint_flex "5" " | Reserved"
81 | move -4
82 | uint_flex "6" " | Reserved"
83 | move -4
84 | uint_flex "7" " | Reserved"
85 | move -3
86 | hex 1 "Reserved"
87 | byte "Length"
88 | hex 2 "Filename hash"
89 | hex 2 "Reserved"
90 | int64 "Valid Data Length 64bit"
91 | hex 4 "Reserved"
92 | hex 4 "1st Cluster Address 32bit"
93 | int64 "Data Length 64bit"
94 |
95 | endsection
96 | {
97 | hex 1 "Type Code"
98 | binary "Secondary Flag"
99 | move -1
100 | uint_flex "0" " | Bit 0 - Allocated"
101 | move -4
102 | uint_flex "1" " | Bit 1 - No FAT Chain"
103 | move -3
104 | char16[15] "Filename Unicode 14 characters"
105 | }
106 |
107 |
108 |
109 | end
--------------------------------------------------------------------------------
/WinHex_additional/exFAT type code 81.tpl:
--------------------------------------------------------------------------------
1 | template "Exfat Rcrd Type 81"
2 | description "Parse Rcrd Type 81 - Bitmap"
3 | applies_to disk
4 | "requires 11 0F"
5 | multiple
6 | // NOTE(review): line 4 is a quoted string rather than a requires directive, so presumably no byte pattern is checked and these labels are laid over any 32 bytes - confirm the type code byte before relying on the fields.
7 | begin
8 | hex 1 "Type Code 81 or 03"
9 | binary "0-1st bitmap, 1-2nd bitmap" // one byte shown bit by bit
10 | hex 18 "Reserved"
11 | hex 4 "Staring Cluster O/S" // raw bytes in on-disk order, not converted to a number
12 | int64 "Bitmap Length"
13 | end
--------------------------------------------------------------------------------
/WinHex_additional/exFAT type code 82.tpl:
--------------------------------------------------------------------------------
1 | template "Exfat Rcrd Type 82"
2 | description "Parse Rcrd Type 82 - Up-Case Table"
3 | applies_to disk
4 | "requires 11 0F"
5 | multiple
6 |
7 | begin
8 | hex 1 "Type Code 82"
9 | hex 3 "Reserved"
10 | hex 4 "Table checksum"
11 | hex 12 "Reserved"
12 | hex 4 "Starting Cluster O/S"
13 | int64 "Up-Case Table Length"
14 | end
--------------------------------------------------------------------------------
/WinHex_additional/exFAT type code 83.tpl:
--------------------------------------------------------------------------------
1 | template "Exfat Rcrd Type 83"
2 | description "Parse Rcrd Type 83 - Volume Label"
3 | applies_to disk
4 | "requires 11 0F"
5 | multiple
6 |
7 | begin
8 | hex 1 "Type Code 83 or 03"
9 | hex 1 "Vol Label Unicode Length"
10 | char16[11] "Volume Label"
11 | hex 8 "Reserved"
12 | end
--------------------------------------------------------------------------------
/WinHex_additional/exFAT type code 85.tpl:
--------------------------------------------------------------------------------
1 | template "Exfat Rcrd Type 85"
2 | description "Parse Rcrd Type 85 - Attribute Rcrd"
3 | applies_to disk
4 | "requires 11 0F"
5 | multiple
6 |
7 | begin
8 | hex 1 "Type Code"
9 | move -1
10 | uint_flex "0" " | Type Code bit"
11 | move -4
12 | uint_flex "1" " | Type Code bit"
13 | move -4
14 | uint_flex "2" " | Type Code bit"
15 | move -4
16 | uint_flex "3" " | Type Code bit"
17 | move -4
18 | uint_flex "4" " | Type Code bit"
19 | move -4
20 | uint_flex "5" " | Bit 5 - 0-Critical, 1-Benign"
21 | move -4
22 | uint_flex "6" " | Bit 6 - 0-Primary, 1-Secondary"
23 | move -4
24 | uint_flex "7" " | Bit 7 - 0-Not In Use, 1-In Use"
25 | move -3
26 | hex 1 "count of 2nd-ary entries"
27 | hex 2 "checksum"
28 | binary "Flags"
29 | move -1
30 | uint_flex "0" " | Bit 0 - Read Only"
31 | move -4
32 | uint_flex "1" " | Bit 1 - Hidden"
33 | move -4
34 | uint_flex "2" " | Bit 2 - System"
35 | move -4
36 | uint_flex "3" " | Bit 3 - Reserved"
37 | move -4
38 | uint_flex "4" " | Bit 4 - Directory"
39 | move -4
40 | uint_flex "5" " | Bit 5 - Archive"
41 | move -4
42 | uint_flex "6" " | Bit 6 - Reserved"
43 | move -4
44 | uint_flex "7" " | Bit 7 - Reserved"
45 | move -3
46 | binary "Bits 8-15 Reserved"
47 | hex 2 "Reserved"
48 | dosdatetime "Created Time Stamp"
49 | move -4
50 | hex 4 "Create Time hex value"
51 | dosdatetime "Last Modified Time Stamp"
52 | move -4
53 | hex 4 "Last Modified Time hex value"
54 | dosdatetime "Last Access Time Stamp"
55 | move -4
56 | Hex 4 "Last Access Time hex value"
57 | byte "Creation 0-199 Micro Seconds"
58 | byte "Last Modified 0-199 Micro seconds"
59 | hex 1 "CR Time Zone Code"
60 | hex 1 "Mod Time Zone Code"
61 | hex 1 "Acc Time Zone Code"
62 | hex 7 "Reserved"
63 | end
--------------------------------------------------------------------------------
/WinHex_additional/exFAT type code A0.tpl:
--------------------------------------------------------------------------------
1 | template "Exfat Rcrd Type A0"
2 | description "Parse Rcrd Type A0 - GUID Rcrd"
3 | applies_to disk
4 | "requires 11 0F"
5 | multiple
6 |
7 | begin
8 | hex 1 "Type Code"
9 | int8 "Seconard Count"
10 | hex 2 "Set Checksum"
11 | binary [4] "Primary Flags"
12 | hex 16 "Volume GUID"
13 | hex 10 "Reserved"
14 |
15 | end
--------------------------------------------------------------------------------
/WinHex_additional/exFAT type code C0.tpl:
--------------------------------------------------------------------------------
1 | template "Exfat Rcrd Type C0"
2 | description "Parse Rcrd Type C0 - Data Stream Rcrd"
3 | applies_to disk
4 | "requires 11 0F"
5 | multiple
6 |
7 | begin
8 | hex 1 "Type Code"
9 | binary "flags"
10 | move -1
11 | uint_flex "0" " | Allocation Possible 0-No 1-Yes"
12 | move -4
13 | uint_flex "1" " | No Fat Chain 0-Valid, 1-Invalid"
14 | move -4
15 | uint_flex "2" " | Reserved"
16 | move -4
17 | uint_flex "3" " | Reserved"
18 | move -4
19 | uint_flex "4" " | Reserved"
20 | move -4
21 | uint_flex "5" " | Reserved"
22 | move -4
23 | uint_flex "6" " | Reserved"
24 | move -4
25 | uint_flex "7" " | Reserved"
26 | move -3
27 | hex 1 "Reserved"
28 | byte "Name Length"
29 | hex 2 "Filename hash"
30 | hex 2 "Reserved"
31 | int64 "Valid Data Length (64bit)"
32 | hex 4 "Reserved"
33 | hex 4 "1st Cluster Address (32bit)"
34 | int64 "Data Length"
35 | end
--------------------------------------------------------------------------------
/WinHex_additional/exFAT type code C1.tpl:
--------------------------------------------------------------------------------
1 | template "Exfat Rcrd Type C1"
2 | description "Parse Rcrd Type C1 - Filename Rcrd"
3 | applies_to disk
4 | "requires 11 0F"
5 | multiple
6 | // NOTE(review): line 4 is a quoted string rather than a requires directive, so presumably no byte pattern is checked and these labels are laid over any 32 bytes - confirm the type code byte before relying on the fields.
7 | begin
8 | hex 1 "Type Code"
9 | binary "Secondary Flag"
10 | move -1 // back onto the flag byte just displayed
11 | uint_flex "0" " | Bit 0 - Allocated"
12 | move -4 // uint_flex consumes 4 bytes; rewind to test the next bit of the same byte
13 | uint_flex "1" " | Bit 1 - No FAT Chain"
14 | move -3 // net effect: positioned directly after the one flag byte
15 | char16[15] "Filename Unicode 14 characters" // reads 15 UTF-16 units (30 bytes) although the label says 14; 1 + 1 + 30 = 32 bytes per record
16 | end
--------------------------------------------------------------------------------
/WinHex_additional/exFAT.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/kacos2000/WinHex_Templates/dfc80e8705d722f66d33a3c8be84ca37070fb1ed/WinHex_additional/exFAT.zip
--------------------------------------------------------------------------------
/WinHex_default/Boot Sector FAT.tpl:
--------------------------------------------------------------------------------
1 | template "Boot Sector FAT"
2 |
3 | // Template by Stefan Fleischmann
4 | // X-Ways Software Technology AG
5 |
6 | // Boot sector format for MSDOS 4.0 onwards (incl. Windows 9x)
7 | // To be applied to sector 0 of a FAT12/FAT16-formatted logical drive.
8 | // Byte offsets are noted per field below. The requires lines test only four signature bytes, so a match does not prove the sector is a FAT12/16 boot sector; cross-check the BPB values against the volume.
9 | description "BIOS parameter block (BPB) and more"
10 | applies_to disk
11 | sector-aligned
12 |
13 | requires 0x0 "EB" // JMP instruction will usually be EB xx 90
14 | requires 0x2 "90" // (though older drives may use E9 xx xx)
15 | requires 0x1FE "55 AA"
16 |
17 | begin
18 | read-only hex 3 "JMP instruction" // 0x00
19 | char[8] "OEM" // 0x03; free text written by the formatting tool
20 |
21 | section "BIOS Parameter Block"
22 | uint16 "Bytes per sector" // 0x0B
23 | uint8 "Sectors per cluster" // 0x0D
24 | uint16 "Reserved sectors" // 0x0E; sectors before the first FAT, boot sector included
25 | uint8 "Number of FATs" // 0x10
26 | uint16 "Root entries" // 0x11; each root directory entry is 32 bytes
27 | uint16 "Sectors (under 32 MB)" // 0x13; 0 when the 32-bit count at 0x20 is used
28 | hex 1 "Media descriptor (hex)" // 0x15
29 | uint16 "Sectors per FAT" // 0x16
30 | uint16 "Sectors per track" // 0x18
31 | uint16 "Heads" // 0x1A
32 | uint32 "Hidden sectors" // 0x1C; sectors preceding this volume on the disk
33 | uint32 "Sectors (over 32 MB)" // 0x20
34 | endsection
35 |
36 | hex 1 "BIOS drive (hex, HD=8x)" // 0x24
37 | read-only uint8 "(Unused)" // 0x25
38 | hex 1 "Ext. boot signature (29h)" // 0x26; the three fields that follow are only defined when this is 29h
39 | uint32 "Volume serial number (decimal)" // 0x27
40 | move -4 // back to 0x27 to show the same 4 bytes a second time
41 | hex 4 "Volume serial number (hex)" // 0x27, bytes in on-disk order
42 | char[11] "Volume label" // 0x2B
43 | char[8] "File system" // 0x36; informational text only, not a reliable indicator of the actual FAT type
44 |
45 | goto 0x1FE // skip the boot code
46 | read-only hex 2 "Signature (55 AA)"
47 | end
--------------------------------------------------------------------------------
/WinHex_default/Boot Sector FAT32.tpl:
--------------------------------------------------------------------------------
1 | template "Boot Sector FAT32"
2 |
3 | // Template by Stefan Fleischmann
4 | // X-Ways Software Technology AG
5 |
6 | // To be applied to sector 0 of a FAT32-formatted logical drive.
7 | // Byte offsets are noted per field below. The same layout applies to the backup copy named by the "Backup boot sector" field, which can be compared with sector 0.
8 | description "BIOS parameter block (BPB) and more"
9 | applies_to disk
10 | sector-aligned
11 |
12 | requires 0x02 "90"
13 | requires 0x52 "46 41 54 33 32" // ="FAT32" at offset 52
14 | requires 0x1FE "55 AA"
15 |
16 | begin
17 | read-only hex 3 "JMP instruction" // 0x00
18 | char[8] "OEM" // 0x03; free text written by the formatting tool
19 |
20 | section "BIOS Parameter Block"
21 | uint16 "Bytes per sector" // 0x0B
22 | uint8 "Sectors per cluster" // 0x0D
23 | uint16 "Reserved sectors" // 0x0E; sectors before the first FAT, boot sector included
24 | uint8 "Number of FATs" // 0x10
25 | uint16 "Root entries (unused)" // 0x11; 0 on FAT32, the root directory is a cluster chain
26 | uint16 "Sectors (on small volumes)" // 0x13
27 | hex 1 "Media descriptor (hex)" // 0x15
28 | uint16 "Sectors per FAT (small vol.)" // 0x16; 0 on FAT32, see the 32-bit value at 0x24
29 | uint16 "Sectors per track" // 0x18
30 | uint16 "Heads" // 0x1A
31 | uint32 "Hidden sectors" // 0x1C; sectors preceding this volume on the disk
32 | uint32 "Sectors (on large volumes)" // 0x20
33 | // NOTE(review): the section above has no endsection of its own and line 55 has one without a matching section - presumably display-only, confirm
34 | section "FAT32 Section"
35 | uint32 "Sectors per FAT" // 0x24
36 | uint16 "Extended flags" // 0x28
37 | move -2 // back to 0x28 to re-read the flags as a bit field
38 | uint_flex "7" "FAT mirroring disabled?" // uint_flex reads 4 bytes (0x28-0x2B) and shows bit 7 only
39 | move -2 // net position: 0x2A, just past the 16-bit flags
40 | uint16 "Version (usually 0)" // 0x2A
41 | uint32 "Root dir 1st cluster" // 0x2C
42 | uint16 "FSInfo sector" // 0x30
43 | uint16 "Backup boot sector" // 0x32
44 | read-only hex 12 "(Reserved)" // 0x34
45 | endsection
46 |
47 | hex 1 "BIOS drive (hex, HD=8x)" // 0x40
48 | read-only uint8 (Unused)
49 | hex 1 "Ext. boot signature (29h)" // 0x42; the three fields that follow are only defined when this is 29h
50 | uint32 "Volume serial number (decimal)" // 0x43
51 | move -4 // back to 0x43 to show the same 4 bytes a second time
52 | hex 4 "Volume serial number (hex)" // 0x43, bytes in on-disk order
53 | char[11] "Volume label" // 0x47
54 | char[8] "File system" // 0x52; the text the requires line above tests for
55 | endsection
56 |
57 | goto 0x1FE // skip the boot code
58 | read-only hex 2 "Signature (55 AA)"
59 | end
--------------------------------------------------------------------------------
/WinHex_default/Boot Sector NTFS.tpl:
--------------------------------------------------------------------------------
1 | template "Boot Sector NTFS"
2 |
3 | // Template by Stefan Fleischmann
4 | // X-Ways Software Technology AG
5 |
6 | // To be applied to sector 0 of an NTFS-formatted
7 | // logical drive or to the mirror copy of the boot
8 | // sector, which will be located near the end of
9 | // the partition.
10 | // Trailing comments on the field lines give the hexadecimal byte offset of each field.
11 | description "Boot sector of an NTFS partition"
12 | applies_to disk
13 | sector-aligned
14 |
15 | requires 0x00 "EB" // bytes 0 to 2 are
16 | requires 0x02 "90" // JMP instruction
17 | requires 0x03 "4E 54 46 53 20" // ID must start with "NTFS" followed by a space
18 | requires 0x1FE "55 AA" // "magic" signature
19 |
20 | begin
21 | read-only hex 3 "JMP instruction" //00
22 | char[8] "File system ID" //03
23 | uint16 "Bytes per sector" //0B
24 | uint8 "Sectors per cluster" //0D
25 | uint16 "Reserved sectors" //0E
26 | hex 3 "(always zero)" //10
27 | read-only hex 2 "(unused)" //13
28 | hex 1 "Media descriptor" //15
29 | read-only hex 2 "(unused)" //16
30 | uint16 "Sectors per track" //18
31 | uint16 "Heads" //1A
32 | uint32 "Hidden sectors" //1C
33 | read-only hex 4 "(unused)" //20
34 | read-only hex 4 "(always 80 00 80 00)" //24
35 | int64 "Total sectors excl. backup boot sector" //28
36 | int64 "Start C# $MFT" //30, a cluster number: multiply by the cluster size for the byte offset
37 | int64 "Start C# $MFTMirr" //38, a cluster number
38 | int8 "FILE record size indicator"//40, signed: positive = clusters per record, negative = record is 2^|value| bytes
39 | read-only uint24 "(unused)" //41
40 | int8 "INDX buffer size indicator"//44, same signed encoding as the FILE record indicator
41 | read-only uint24 "(unused)" //45
42 | hex 4 "32-bit serial number (hex)" //48, first half of the 8-byte serial in on-disk order
43 | move -4 //back to 48
44 | hexadecimal uint32 "32-bit SN (hex, reversed)" //48, the same 4 bytes read as a little-endian number
45 | move -4 //back to 48
46 | hex 8 "64-bit serial number (hex)" //48, the full 8-byte serial
47 | uint32 "Checksum" //50
48 | goto 0x1FE //boot load code follows
49 | read-only hex 2 "Signature (55 AA)" //1FE
50 | end
--------------------------------------------------------------------------------
/WinHex_default/Ext Directory Entry.tpl:
--------------------------------------------------------------------------------
1 | template "Ext2/Ext3 Directory Entry"
2 |
3 | // Template by Eoghan Casey
4 | // Revised by Jens Kirschner on Sep 29, 2004
5 |
6 | // To be applied to a sector of a Ext2 drive
7 | // that contains a directory starting with the
8 | // first inode entry. This template only displays
9 | // allocated files - deleted filenames are not displayed
10 | // (the template follows "Entry length" from one entry to the next, and a removed name normally sits inside the length of the entry before it, so it has to be looked for by hand in those skipped bytes).
11 | description "Locates the Inode for a given filename"
12 | applies_to disk
13 | multiple
14 | // NOTE(review): an "Entry length" of 0 in damaged or crafted data would leave the position unchanged for the next entry - confirm how WinHex handles that.
15 | begin
16 | uint32 "Inode" // offset 0; 0 marks an unused entry
17 | uint16 "Entry length" // offset 4; distance to the next entry, usually larger than 8 + name length because of padding
18 | uint8 "Name length" // offset 6
19 | uint8 "Type (1=file 2=dir 7=sym.link)" // offset 7; only meaningful when the file system stores the file type in directory entries, otherwise this byte is the high byte of the name length
20 | char[Name length] "File name" // offset 8, not NUL-terminated
21 | goto 0 // return to the start of this entry
22 | move "Entry length" // advance by the stored length so the next template run starts at the next entry
23 | end
--------------------------------------------------------------------------------
/WinHex_default/Ext Group Descriptor.tpl:
--------------------------------------------------------------------------------
1 | template "Ext2/Ext3 Group Descriptor"
2 |
3 | // Created by Jens Kirschner
4 | // X-Ways Software Technology AG, 2004-2015
5 | // Parses one 32-byte block group descriptor; with "multiple" the next run starts 32 bytes further on.
6 | description "Locates the meta blocks for a block group"
7 | applies_to disk
8 | sector-aligned
9 | multiple
10 | // NOTE(review): file systems with the 64-bit feature can use larger descriptors (see the superblock's descriptor size); this template would then show only the first 32 bytes and step out of alignment - confirm before relying on the later entries.
11 | begin
12 | uint32 "Block bitmap block" // offset 0, a block number
13 | uint32 "Inode bitmap block" // offset 4, a block number
14 | uint32 "Inode table block" // offset 8, first block of this group's inode table
15 | uint16 "Free blocks count" // offset 12
16 | uint16 "Free Inodes count" // offset 14
17 | uint16 "Directories count" // offset 16
18 | uint16 "Flags" // offset 18
19 | uint32 "Snapshot excl. bitmap" // offset 20
20 | uint16 "Block bitmap checksum" // offset 24
21 | uint16 "Inode bitmap checksum" // offset 26
22 | uint16 "Never used inode count" // offset 28
23 | uint16 "Grp desc checksum" // offset 30; displayed only, the template does not verify it
24 | end
25 |
--------------------------------------------------------------------------------
/WinHex_default/Ext Inode.tpl:
--------------------------------------------------------------------------------
1 | template "Ext2/Ext3 Inode"
2 |
3 | // By Jens Kirschner
4 | // Parses the classic 128-byte inode layout; inodes that use extents are detected and their block area is skipped.
5 | description "Contains a file's meta information (classic block formatting)"
6 | applies_to disk
7 | multiple
8 |
9 | begin
10 | // The 16-bit mode word at offset 0 is read five times: uint_flex always reads 4 bytes, so each read is followed by move -4 to return to offset 0.
11 | section "File mode"
12 |
13 | octal uint_flex "8,7,6,5,4,3,2,1,0" "Permissions" // bits 0-8 shown in octal, i.e. the rwxrwxrwx value
14 |
15 | move -4
16 | uint_flex "15,14,13,12" "File type (8=reg.file, 4=dir.)" // top 4 bits of the mode word
17 |
18 | move -4
19 | uint_flex "9" "Sticky bit"
20 |
21 | move -4
22 | uint_flex "10" "SGID"
23 |
24 | move -4
25 | uint_flex "11" "SUID" // set-user-ID bit; worth noting on executables owned by UID 0
26 |
27 | move -2 // net position: offset 2, just past the 16-bit mode word
28 | endsection
29 |
30 | uint16 "Owner user ID" // offset 2; low 16 bits of the UID
31 | uint32 "Size in bytes (low 4 bytes)" // offset 4
32 | UNIXDateTime "Access time" // offset 8; all four timestamps are 32-bit seconds since 1970-01-01 UTC
33 | UNIXDateTime "Inode change" // offset 12
34 | UNIXDateTime "Modification" // offset 16
35 | UNIXDateTime "Deletion" // offset 20; normally 0 for an allocated inode
36 | uint16 "Group ID" // offset 24; low 16 bits of the GID
37 | uint16 "Hard-link count" // offset 26
38 | uint32 "Sector count" // offset 28; counted in 512-byte units
39 | uint32 "File flags" // offset 32
40 | move -4 // back to offset 32 to test one flag bit
41 | uint_flex "19" "Extents" // bit 19 (0x80000) of the flags: the inode uses extents instead of block pointers
42 | uint32 "OS dependent" // offset 36
43 |
44 | ifequal Extents 1
45 | section "Skipping extents."
46 | section "Please use a different Ext Inode template."
47 | endsection
48 | move 60 // skip the 60-byte block/extent area at offsets 40-99 without interpreting it
49 | else
50 | numbering 1
51 | {
52 | uint32 "Direct block #~" // 12 direct block pointers, offsets 40-87
53 | } [12]
54 | uint32 "Indirect block" // offset 88
55 | uint32 "Double indirect block" // offset 92
56 | uint32 "Triple indirect block" // offset 96
57 | endif
58 |
59 | uint32 "File version" // offset 100
60 | uint32 "File ACL" // offset 104
61 | uint32 "Size in bytes (high 4 bytes)" // offset 108
62 | uint32 "Fragment address" // offset 112
63 | uint8 "Fragment #" // offset 116
64 | uint8 "Fragment size" // offset 117
65 | uint16 "Padding" // offset 118
66 | hex 4 "Reserved" // offset 120; only 124 bytes are displayed, the rest of the inode is stepped over below
67 | goto 0 // return to the start of this inode
68 | move 128 // Change this for a different Inode size (128: default); it must equal the "Inode size" stored in the superblock or every following inode is misaligned
69 | end
--------------------------------------------------------------------------------
/WinHex_default/Ext Superblock.tpl:
--------------------------------------------------------------------------------
1 | template "Ext2/Ext3/Ext4 Superblock"
2 |
3 | // Created by Jens Kirschner
4 | // X-Ways Software Technology AG, 2004-2007
5 |
6 | // The first superblock always starts at position 1024 regardless
7 | // of sector or block sizes on the system. There will be a copy of
8 | // it in every blockgroup of the drive, always as the first block
9 | // of the group, UNLESS the "sparse superblock feature" is set on
10 | // the drive. This is standard these days and will cause the
11 | // superblock copies to exist only in blockgroups 0, 1 and all
12 | // powers of 3, 5 and 7. The other blockgroups will neither have
13 | // superblocks nor group descriptor tables
14 | // Offsets below are relative to the start of the superblock, so the magic tested at 0x38 is at absolute offset 1080 of the partition.
15 | // The backup copies use the same layout and can be compared with the primary when the primary looks damaged or altered.
16 | description "To be applied to offset 1024 of an Ext2/3/4 partition"
17 | applies_to disk
18 |
19 | requires 0x38 "53 EF" // ext2 magic
20 |
21 | begin
22 | uint32 "Inode count" // offset 0
23 | uint32 "Block count" // offset 4; low 32 bits, see "Block count hi DWord" at the end
24 | uint32 "Reserved block count" // offset 8
25 | uint32 "Free block count" // offset 12
26 | uint32 "Free Inode count" // offset 16
27 | uint32 "First data block" // offset 20
28 | uint32 "Block size (0=1K, 1=2K, 2=4K)" // offset 24; stored as a shift count, block size = 1024 << value
29 | int32 "Fragment size (same)" // offset 28
30 | uint32 "Blocks per group" // offset 32
31 | uint32 "Fragments per group" // offset 36
32 | uint32 "Inodes per group" // offset 40
33 | UNIXDateTime "Last mount time" // offset 44; timestamps are 32-bit seconds since 1970-01-01 UTC
34 | UNIXDateTime "Last write time" // offset 48
35 | uint16 "Mount count" // offset 52
36 | int16 "Maximal mount count" // offset 54
37 | hex 2 "Magic signature (53 EF)" // offset 56 (0x38)
38 | uint16 "File system state" // offset 58
39 | uint16 "Behavior when detecting errors" // offset 60
40 | uint16 "Minor revision level" // offset 62
41 | UNIXDateTime "Time of last check" // offset 64
42 | uint32 "Max. time between checks (sec)" // offset 68
43 | uint32 "OS (0: Linux)" // offset 72
44 | uint32 "Revision level" // offset 76; 0 = original format without the extended fields below
45 | uint16 "User ID for reserved blocks" // offset 80
46 | uint16 "Group ID for reserved blocks" // offset 82
47 |
48 | IfEqual "Revision level" 0
49 | // no extended superblock section
50 | Else
51 | section "Extended Superblock Section"
52 | uint32 "First non-reserved Inode" // offset 84
53 | uint16 "Inode size" // offset 88; the record size an inode template has to step by
54 | uint16 "This superblock's block group" // offset 90; tells a backup copy from the primary
55 | // Each of the three feature words below is a 32-bit bit mask; uint_flex shows selected bits and move -4 returns to the same word for the next read.
56 | section "Compatibility Feature Flags"
57 | uint_flex "2" "Has journal" // offset 92, bit 2
58 | move -4
59 | uint_flex "31,30,29,28,27,26,25,24,23,22,21,20,19,18,17,16,15,14,13,12,11,10,9,8,7,6,5,4,3,1,0" "Others"
60 |
61 | section "Incompatibility Feature Flags"
62 | uint_flex "1" "Filetype in dir. entry" // offset 96, bit 1
63 | move -4
64 | uint_flex "6" "Extents used" // bit 6
65 | move -4
66 | uint_flex "7" "64-bit block numbers" // bit 7
67 | move -4
68 | uint_flex "9" "Flexible block groups" // bit 9
69 | move -4
70 | uint_flex "31,30,29,28,27,26,25,24,23,22,21,20,19,18,17,16,15,14,13,12,11,10,9,8,5,4,3,2,0" "Others" // NOTE(review): bit 9 is listed here as well as in "Flexible block groups" above, so it is counted in both values - confirm whether that is intended
71 |
72 | section "RO-compatibility Feature Flags"
73 | uint_flex "0" "Sparse superblock" // offset 100, bit 0
74 | move -4
75 | uint_flex "31,30,29,28,27,26,25,24,23,22,21,20,19,18,17,16,15,14,13,12,11,10,9,8,7,6,5,4,3,2,1" "Others"
76 | endsection
77 |
78 | hex 16 "UUID of the volume" // offset 104
79 | char[16] "Volume name" // offset 120
80 | char[64] "Last mounted path" // offset 136
81 | uint32 "Algorithm usage bitmap" // offset 200
82 | uint8 "Blocks preallocation" // offset 204
83 | uint8 "Directory blocks preallocation" // offset 205
84 | move 2 // skips 2 bytes at offset 206 (the reserved group descriptor block count in the ext3/ext4 layout)
85 | hex 16 "Journal UUID" // offset 208
86 | uint32 "Journal Inode" // offset 224
87 | uint32 "Journal device #" // offset 228
88 | uint32 "Last orphaned Inode" // offset 232
89 | numbering 1 {
90 | uint32 "Hash seed ~" // offsets 236-251
91 | } [4]
92 | uint8 "Default hash version" // offset 252
93 | move 3 // skips 3 bytes at offset 253 (journal backup type and group descriptor size in the ext4 layout)
94 | uint32 "Default mount options" // offset 256
95 | uint32 "First metablock block group" // offset 260
96 | UNIXDateTime "Filesystem creation" // offset 264
97 |
98 | section "Journal Inode Backup" //17x 4 bytes
99 | {
100 | uint32 "Journal Block ~" // offsets 268-315
101 | }[12]
102 | uint32 "Journal indirect block" // offset 316
103 | uint32 "Journal double indirect block" // offset 320
104 | uint32 "Journal triple indirect block" // offset 324
105 | uint32 "unknown" // offset 328; presumably the high 32 bits of the journal size - confirm
106 | uint32 "Journal filesize" // offset 332
107 |
108 | section "64-bit Support"
109 | uint32 "Block count hi DWord" // offset 336
110 | uint32 "Res. blocks hi DWord" // offset 340
111 | uint32 "Free blocks hi DWord" // offset 344
112 | EndIf
113 | end
--------------------------------------------------------------------------------
/WinHex_default/FAT Directory Entry.tpl:
--------------------------------------------------------------------------------
1 | template "FAT Directory Entry"
2 |
3 | // Template by Stefan Fleischmann
4 | // X-Ways Software Technology AG
5 |
6 | // To be applied to a sector of a FAT16 or FAT32 drive
7 | // that contains a directory. Not suitable for LFN
8 | // (long filename) directory entries.
9 | // Each entry is 32 bytes. The template jumps back and forth inside the entry so that related bytes are shown next to each other; the offset read by each line is noted below.
10 | description "Normal/short entry format"
11 | applies_to disk
12 | multiple
13 |
14 | begin
15 | char[8] "Filename (blank-padded)" // offset 0
16 | char[3] "Extension (blank-padded)" // offset 8
17 | hex 1 "0F = LFN entry" // offset 11, the attribute byte; if it reads 0F the remaining fields of this template do not apply
18 | move -1 // back to offset 11
19 | binary "Attributes ( - -a-dir-vol-s-h-r)" // offset 11 again, shown as bits
20 | goto 0
21 | hex 1 "00 = Never used, E5 = Erased" // offset 0, first byte of the name; on an erased entry the rest of the entry is normally still intact
22 | move 11 // from offset 1 to offset 12
23 | read-only byte "(reserved)" // offset 12
24 | move 1 // skip offset 13 for now, it is read below
25 | DOSDateTime "Creation date & time" // offset 14: time word at 14, date word at 16; DOS timestamps are local time with 2-second resolution
26 | move -5 // back to offset 13
27 | byte "Cr. time refinement in 10-ms units" // offset 13
28 | move 2 // from offset 14 to offset 16
29 | DOSDateTime "Access date (no time!)" // reads 4 bytes at offset 16: the date half is the access date at 18, the time half is really the creation date word and must be ignored
30 | move 2 // from offset 20 to offset 22
31 | DOSDateTime "Update date & time" // offset 22: time word at 22, date word at 24
32 | move -6 // back to offset 20
33 | uint16 "(FAT 32) High word of cluster #" // offset 20
34 | move 4 // from offset 22 to offset 26
35 | uint16 "16-bit cluster #" // offset 26; low word of the first cluster
36 | uint32 "File size (zero for a directory)" // offset 28; the entry ends at offset 32
37 | end
--------------------------------------------------------------------------------
/WinHex_default/FAT LFN Entry.tpl:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/kacos2000/WinHex_Templates/dfc80e8705d722f66d33a3c8be84ca37070fb1ed/WinHex_default/FAT LFN Entry.tpl
--------------------------------------------------------------------------------
/WinHex_default/GUID Partition Table.tpl:
--------------------------------------------------------------------------------
1 | template "GUID Partition Table"
2 |
3 | // X-Ways Software Technology AG
4 | // To be applied to sector 0 of a physical hard disk with GPT partitioning.
5 | // Assumes 512-byte sectors: the header is expected at byte 512 and the entry array at byte 1024, with 128-byte entries. The LBA and size fields in the header are displayed but not used for positioning, and the CRC32 values are displayed but not verified.
6 | description "Contains GUID partition table"
7 | applies_to disk
8 | sector-aligned
9 | requires 512 "45 46 49 20 50 41 52 54"
10 | // The requires line tests for the ASCII signature "EFI PART" at the start of LBA 1.
11 | begin
12 |
13 | move 446 // skip the boot code area to the first MBR partition entry
14 |
15 | section "Protective MBR"
16 | uint8 "Boot Indicator" // offset 446
17 | hex 1 "Starting Head"
18 | hex 1 "Starting Sector"
19 | hex 1 "Starting Cylinder"
20 | hex 1 "System ID (Should be 1xEE)" // offset 450; the protective MBR partition type is hex EE
21 | hex 1 "Ending Head"
22 | hex 1 "Ending Sector"
23 | hex 1 "Ending Cylinder"
24 | uint32 "Starting LBA" // offset 454
25 | uint32 "Size in LBA" // offset 458
26 | endsection
27 |
28 | move 50 // skips the other three MBR entries (48 bytes) and the 55 AA signature, landing on offset 512
29 |
30 | section "GUID Partition Table Header"
31 | hex 8 "Signature (must be 45[..]54)" // offset 512
32 | hex 4 "Revision No" // offset 520
33 | uint32 "Header Size (should be 92)" // offset 524
34 | hexadecimal uint32 "Header CRC32" // offset 528
35 | move 4 // skips the 4 reserved bytes at offset 532
36 | int64 "Primary LBA (should be 1)" // offset 536
37 | int64 "Backup LBA" // offset 544; location of the backup header, which can be compared with this one
38 | int64 "First Usable LBA" // offset 552
39 | int64 "Last Usable LBA" // offset 560
40 | hex 16 "Disk GUID" // offset 568, raw bytes
41 | move -16 // back to offset 568
42 | GUID "Disk GUID" // same 16 bytes in GUID notation
43 | int64 "Partition Entry LBA (should be 2)" // offset 584
44 | uint32 "MaxNo of Partition Entries" // offset 592
45 | uint32 "Size of Partition Entry" // offset 596
46 | hexadecimal uint32 "Partition Entry Array CRC32" // offset 600
47 | endsection
48 |
49 | move 420 // skips the rest of LBA 1, landing on offset 1024
50 |
51 | numbering 1
52 | {
53 | section "GUID Partition Table Entry #~"
54 |
55 | hex 16 "Partition Type GUID" // entry offset 0, raw bytes
56 | move -16
57 | GUID "Partition Type GUID" // same 16 bytes in GUID notation
58 | hex 16 "Unique Partition GUID" // entry offset 16, raw bytes
59 | move -16
60 | GUID "Unique Partition GUID"
61 | int64 "Starting LBA" // entry offset 32
62 | IfEqual "Starting LBA" 0 // the first entry with a zero start ends the listing, so an entry stored after an empty slot is not shown and has to be checked by hand
63 | ExitLoop
64 | EndIf
65 | int64 "Ending LBA" // entry offset 40
66 | hex 8 "Attribute Bits" // entry offset 48
67 | string16 36 "Partition Name" // entry offset 56; 36 UTF-16 code units = 72 bytes, ending the 128-byte entry
68 | }[128]
69 | endsection
70 | end
--------------------------------------------------------------------------------
/WinHex_default/HFS+ Volume Header.tpl:
--------------------------------------------------------------------------------
1 | template "HFS+ Volume Header"
2 | description "Located 1024 bytes from the start of the volume"
3 | // Parses the fixed volume header fields followed by the five 80-byte fork data structures of the special files.
4 | // Template by Stefan Fleischmann
5 | // X-Ways Software Technology AG
6 |
7 | // Modified by Jens Kirschner
8 | // 7Safe Information Security Ltd.
9 |
10 | // A copy of this volume header, the alternate volume header, is stored starting 1024 bytes before the end of the volume.
11 | // All multi-byte values are stored big-endian, hence the next statement.
12 | big-endian
13 | applies_to disk
14 |
15 | begin
16 | char[2] signature //H+ or HX
17 | UInt16 version
18 | Hex 4 attributes //00 00 08 00 set? Volume Inconsistent!
19 | char[4] lastMountedVersion //HFSJ if journaled, 10.0 if not; fsck and other tools also possible
20 | UInt32 journalInfoBlock
21 | // Per Apple's format description, createDate is stored in local time and the other three dates in GMT; keep that in mind when building a timeline.
22 | AppleDateTime createDate
23 | AppleDateTime modifyDate
24 | AppleDateTime backupDate
25 | AppleDateTime checkedDate
26 |
27 | UInt32 fileCount
28 | UInt32 folderCount
29 |
30 | UInt32 blockSize // allocation block size in bytes
31 | UInt32 totalBlocks
32 | UInt32 freeBlocks
33 |
34 | UInt32 nextAllocation
35 | UInt32 rsrcClumpSize
36 | UInt32 dataClumpSize
37 | UInt32 nextCatalogID
38 |
39 | UInt32 writeCount
40 | Hex 8 encodingsBitmap
41 |
42 | section "FinderInfo Array"
43 | // 32 bytes in total: six 32-bit values, then the 8-byte volume ID shown once as a number and once as raw hex.
44 | UInt32 "OS Dir ID"
45 | UInt32 "Finder Dir ID"
46 | UInt32 "Mount Open Dir"
47 | UInt32 "OS8/9 Dir ID"
48 | UInt32 "reserved"
49 | UInt32 "OS X Dir ID"
50 | Int64 "Volume ID (Int64)"
51 | move -8 // back to the start of the volume ID
52 | Hex 8 "Volume ID (Hex)"
53 | // Each fork data structure below is 80 bytes: 8-byte logical size, clump size, total blocks, then 8 extent descriptors (start block, block count). A fork with more than 8 extents continues in the extents overflow file, which this template does not follow.
54 | section "AllocationFile DataFork"
55 | Int64 logicalSize
56 | UInt32 clumpSize
57 | UInt32 totalBlocks
58 | {
59 | UInt32 startBlock
60 | UInt32 blockCount
61 | }[8]
62 |
63 | section "ExtentsOverflowFile DataFork"
64 | Int64 logicalSize
65 | UInt32 clumpSize
66 | UInt32 totalBlocks
67 | {
68 | UInt32 startBlock
69 | UInt32 blockCount
70 | }[8]
71 |
72 | section "CatalogFile DataFork"
73 | Int64 logicalSize
74 | UInt32 clumpSize
75 | UInt32 totalBlocks
76 | {
77 | UInt32 startBlock
78 | UInt32 blockCount
79 | }[8]
80 |
81 | section "AttributesFile DataFork"
82 | Int64 logicalSize
83 | UInt32 clumpSize
84 | UInt32 totalBlocks
85 | {
86 | UInt32 startBlock
87 | UInt32 blockCount
88 | }[8]
89 |
90 | section "StartupFile DataFork"
91 | Int64 logicalSize
92 | UInt32 clumpSize
93 | UInt32 totalBlocks
94 | {
95 | UInt32 startBlock
96 | UInt32 blockCount
97 | }[8]
98 | end
--------------------------------------------------------------------------------
/WinHex_default/Master Boot Record.tpl:
--------------------------------------------------------------------------------
1 | template "Master Boot Record"
2 |
3 | // Template by Stefan Fleischmann
4 | // X-Ways Software Technology AG
5 |
6 | // To be applied to sector 0 of a physical hard disk.
7 | // Shows the 440-byte loader area, the disk signature and the four primary partition entries. Logical drives inside an extended partition are described by further boot records that this template does not follow.
8 | description "Contains partition table"
9 | applies_to disk
10 | sector-aligned
11 | requires 510 "55 AA"
12 |
13 | begin
14 | read-only hex 440 "Master bootstrap loader code" // offsets 0-439; displayed as raw hex, not interpreted
15 |
16 | // big-endian hexadecimal uint32 "Windows disk signature"
17 | hex 4 "Windows disk signature" // offset 440, bytes in on-disk order
18 | move -4 // back to offset 440
19 | hexadecimal uint32 "Same reversed" // as seen in the registry
20 |
21 | move 2 // skips the 2 bytes at offset 444, landing on the partition table at offset 446
22 | numbering 1
23 |
24 | {
25 | section "Partition Table Entry #~"
26 | hexadecimal byte "80 = active partition" // entry offset 0
27 | uint8 "Start head" // entry offset 1
28 | uint_flex "5,4,3,2,1,0" "Start sector" // uint_flex reads 4 bytes from entry offset 2; the low 6 bits of the first byte are the sector
29 | move -4 // back to entry offset 2
30 | uint_flex "7,6,15,14,13,12,11,10,9,8" "Start cylinder" // 10-bit cylinder: top 2 bits of the first byte followed by the whole second byte
31 | move -2 // net position: entry offset 4
32 | hex 1 "Partition type indicator (hex)" // entry offset 4
33 | uint8 "End head" // entry offset 5
34 | uint_flex "5,4,3,2,1,0" "End sector" // same decoding as the start values, from entry offset 6
35 | move -4
36 | uint_flex "7,6,15,14,13,12,11,10,9,8" "End cylinder"
37 | move -2 // net position: entry offset 8
38 | uint32 "Sectors preceding partition ~" // entry offset 8; start of the partition as an LBA
39 | uint32 "Sectors in partition ~" // entry offset 12; the entry ends at 16 bytes
40 | } [4]
41 |
42 | endsection
43 | read-only hex 2 "Signature (55 AA)" // offset 510
44 | end
--------------------------------------------------------------------------------
/WinHex_default/NTFS FILE Record.tpl:
--------------------------------------------------------------------------------
1 | template "NTFS FILE Record"
2 |
3 | // X-Ways Software Technology AG
4 | // To be applied to the NTFS Master File Table's (MFT's) FILE records.
5 | // Proceeding to adjacent records does not work correctly if the
6 | // number or types of attributes are different.
7 | // Fix-up bytes (update sequence number) are not processed.
8 | // (so a value that covers the last two bytes of a sector is shown with the update sequence number in place of its real bytes)
9 | description "To be applied to records in the Master File Table"
10 | applies_to disk
11 | sector-aligned
12 | multiple
13 |
14 | begin
15 | char[4] "Signature: FILE" // offset 0
16 | uint16 "Offset to update sequence" // offset 4
17 | uint16 "Update sequence size in words" // offset 6
18 | int64 "Logfile sequence number" // offset 8
19 | uint16 "Use/deletion count" // offset 16
20 | uint16 "Hard-link count" // offset 18
21 | uint16 "Offset to the first attribute" // offset 20
22 | hexadecimal uint16 Flags
23 | uint32 "Logical size of this record" // offset 24
24 | uint32 "Physical size of the record" // offset 28; used at the end to step to the next record
25 | int64 "Base record (0: itself)" // offset 32
26 | uint16 "ID of next attribute" // offset 40
27 | IfGreater "Offset to the first attribute" 55 // a first attribute at 56 or later means the header is long enough to hold the record number
28 | move 2 // skips the 2 bytes at offset 42
29 | uint32 "ID of this FILE record" // offset 44
30 | EndIf
31 | goto "Offset to update sequence"
32 | hex 2 "Update sequence number"
33 | //Update Sequence Array -> disregarded here
34 | goto "Offset to the first attribute"
35 | // Each pass of the loop below shows one attribute header, decodes the body of types 0x10 and 0x30 only, and then steps by the stored attribute length.
36 | {
37 | endsection
38 |
39 | hexadecimal uint32 "Attribute type" // attribute offset 0
40 | IfEqual "Attribute type" 4294967295 // FF FF FF FF marks the end of the attribute list
41 | ExitLoop
42 | EndIf
43 | uint16 "Length of the attribute" // attribute offset 4; only the low 16 bits of the stored length are read
44 | move 2 // skips the upper half of the length field
45 | uint8 "1=non-resident" // attribute offset 8
46 | move 5 // skips attribute offsets 9-13
47 | uint16 "Attribut ID" // attribute offset 14
48 | move -16 // back to the start of this attribute
49 |
50 | IfEqual "Attribute type" 16 //Attribute type 0x10: Standard Information
51 | move 24 // assumes the content starts at attribute offset 24 (resident, unnamed); the stored content offset is not read
52 | FileTime "Creation in UTC"
53 | FileTime "Modification in UTC"
54 | FileTime "Record change in UTC"
55 | FileTime "Last access in UTC"
56 | hexadecimal uint32 Flags
57 | move -60 // back to the start of this attribute
58 | EndIf
59 | IfEqual "Attribute type" 48 //Attribute type 0x30: Filename
60 | move 24 // same fixed content offset as above
61 | uint32 "Parent FILE record" // only the low 32 bits of the parent reference are read
62 | move 2 // skips the next 2 bytes of the reference
63 | uint16 "Parent use/del. count"
64 | FileTime "Creation in UTC" // this second set of four timestamps is kept separately from the Standard Information set above; comparing the two is a common check for altered timestamps
65 | FileTime "Modification in UTC"
66 | FileTime "Record change in UTC"
67 | FileTime "Last access in UTC"
68 | move 0x18 // skips 24 bytes between the timestamps and the name length
69 | uint8 "Namelen" // counted in UTF-16 code units
70 | uint8 "Namespace"
71 | char16[Namelen] "Filename"
72 | move -90 // these two moves together return to the start of this attribute
73 | move (Namelen*(-2))
74 | EndIf
75 | move "Length of the attribute" // advance to the next attribute
76 |
77 | IfEqual "Length of the attribute" 0 // a zero length would never advance, so stop
78 | ExitLoop
79 | EndIf
80 | }[16] //arbitrary number to avoid infinite loops
81 |
82 | Goto 0
83 | Move "Physical size of the record" // so that the next template run starts at the following record
84 | end
--------------------------------------------------------------------------------
/WinHex_default/README.md:
--------------------------------------------------------------------------------
1 | Templates included with [X-Ways© Forensics / WinHex](https://www.x-ways.net/)
2 |
--------------------------------------------------------------------------------
/test/REFS_AttrDef_from_refs.sys:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/kacos2000/WinHex_Templates/dfc80e8705d722f66d33a3c8be84ca37070fb1ed/test/REFS_AttrDef_from_refs.sys
--------------------------------------------------------------------------------