How to detect executable rar files? Could anyone help me?
I've found only
To process an SFX archive you need to skip the SFX module searching for the marker block in the archive. There is no marker block sequence (0x52 0x61 0x72 0x21 0x1a 0x07 0x00) in the SFX module itself.
http//
How to detect executable rar files? Could anyone help me?
The file(1) magic file signature archive can occasionally be useful. You'll find it at ftp//
The SFX archives are mainly to be found in the msdos file – with one or two exceptions –, and there is a RAR SFX signature as a sub-signature of the PE file format in there.
As far as I understand the pattern, it's 'Rar!' at some particular place in the file.
However, the traceability is zero, so I can't say if it's a modern pattern, or a very old one.
As far as I understand the pattern, it's 'Rar!' at some particular place in the file.
… since a LOT of time, but not "always" (starting from the very old 1.3 version)
http//
More loosely each and every SFX file tends to be made by a "normal" archive file of a given format preceded by a SFX "stub" or "module", i.e. a minimal "decompression executable".
The most common RAR format around is 4.0 with only a limited amount of files using the new 5.0 format, however
http//
As said, there is not really a "safe way" to find a SFX file, if not that of finding a "normal" archive not starting at the beginning of the file and assuming that the part (nowadays a PE executable) from the start of the file up to the archive signature is the SFX module.
jaclaz
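The heuristic described in this thread (a RAR marker that does not sit at offset 0, preceded by an executable stub), as an added example that is not code from any poster or from the RAR project. The function name, the `scan_limit` default and the sample bytes are assumptions of this example; the 5.0 signature is the 4.x marker with `0x01 0x00` in place of the final `0x00`.

```python
# Added example: classify a file as plain RAR, RAR SFX, or neither.
RAR4_MARKER = bytes([0x52, 0x61, 0x72, 0x21, 0x1A, 0x07, 0x00])        # marker quoted in the thread
RAR5_MARKER = bytes([0x52, 0x61, 0x72, 0x21, 0x1A, 0x07, 0x01, 0x00])  # RAR 5.0 signature
_COMMON = RAR4_MARKER[:6]  # "Rar!\x1a\x07", shared by both formats


def classify_rar(data: bytes, scan_limit: int = 4 * 1024 * 1024) -> dict:
    """Find the first full RAR marker within scan_limit bytes and say what
    precedes it. scan_limit is an assumed bound on the stub size, not a
    value taken from the thread. Pre-1.5 archives are not handled."""
    window = data[:scan_limit + len(RAR5_MARKER)]
    pos = window.find(_COMMON)
    while pos != -1:
        tail = window[pos + 6:pos + 8]
        if tail[:1] == b"\x00":
            fmt = "4.x"
        elif tail == b"\x01\x00":
            fmt = "5.0"
        else:
            fmt = None  # bare "Rar!" text (e.g. a string in the stub), keep looking
        if fmt:
            if pos == 0:
                kind = "plain-archive"
            elif data[:2] == b"MZ":
                kind = "sfx"            # DOS/PE stub followed by an archive
            else:
                kind = "embedded"       # archive after a non-executable prefix
            return {"kind": kind, "format": fmt, "offset": pos}
        pos = window.find(_COMMON, pos + 1)
    return {"kind": "no-rar", "format": None, "offset": None}


# Constructed sample inputs (not real archives or real SFX modules).
SAMPLE_PLAIN = RAR4_MARKER + b"\x00" * 16
SAMPLE_STUB = b"MZ" + b"\x00" * 62 + b"Rar! decoy string" + b"\x00" * 100
SAMPLE_SFX = SAMPLE_STUB + RAR5_MARKER + b"constructed payload"
SAMPLE_EXE = b"MZ" + b"\x00" * 100

if __name__ == "__main__":
    for name, blob in [("plain", SAMPLE_PLAIN), ("sfx", SAMPLE_SFX), ("exe", SAMPLE_EXE)]:
        print(name, classify_rar(blob))
```

The returned offset is where an unpacker or scanner would start reading the archive. A hit only says that a marker follows an `MZ` header, which is the same caveat raised in the last post.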