Commit 1f43eab2f9075bbb0b68d26320e5bd47308558cf
Committed by
Philippe Lagadec
Philippe Lagadec
1 parent
a2c8fb9b
msodde: improve debug-log readability for ole files
Showing
1 changed file
with
16 additions
and
1 deletions
oletools/msodde.py
| ... | ... | @@ -372,7 +372,7 @@ def process_ole_field(data): |
| 372 | 372 | """ check if field instructions start with DDE |
| 373 | 373 | |
| 374 | 374 | expects unicode input, returns unicode output (empty if not dde) """ |
| 375 | - #log.debug('processing field {0}'.format(data)) | |
| 375 | + log.debug('processing field {0}'.format(data)) | |
| 376 | 376 | |
| 377 | 377 | if data.lstrip().lower().startswith(u'dde'): |
| 378 | 378 | #log.debug('--> is DDE!') |
| ... | ... | @@ -410,6 +410,8 @@ def process_ole_stream(stream): |
| 410 | 410 | char = ord(char) |
| 411 | 411 | |
| 412 | 412 | if char == OLE_FIELD_START: |
| 413 | + if have_start and max_size_exceeded: | |
| 414 | + log.debug('big field was not a field after all') | |
| 413 | 415 | have_start = True |
| 414 | 416 | have_sep = False |
| 415 | 417 | max_size_exceeded = False |
| ... | ... | @@ -420,6 +422,8 @@ def process_ole_stream(stream): |
| 420 | 422 | |
| 421 | 423 | # now we are after start char but not at end yet |
| 422 | 424 | if char == OLE_FIELD_SEP: |
| 425 | + if have_sep: | |
| 426 | + log.debug('unexpected field: has multiple separators!') | |
| 423 | 427 | have_sep = True |
| 424 | 428 | elif char == OLE_FIELD_END: |
| 425 | 429 | # have complete field now, process it |
| ... | ... | @@ -430,6 +434,7 @@ def process_ole_stream(stream): |
| 430 | 434 | have_sep = False |
| 431 | 435 | field_contents = None |
| 432 | 436 | elif not have_sep: |
| 437 | + # we are only interested in the part from start to separator | |
| 433 | 438 | # check that array does not get too long by accident |
| 434 | 439 | if max_size_exceeded: |
| 435 | 440 | pass |
| ... | ... | @@ -440,10 +445,20 @@ def process_ole_stream(stream): |
| 440 | 445 | |
| 441 | 446 | # appending a raw byte to a unicode string here. Not clean but |
| 442 | 447 | # all we do later is check for the ascii-sequence 'DDE' later... |
| 448 | + elif char == 0: # may be a high-byte of a 2-byte codec | |
| 449 | + field_contents += unichr(char) | |
| 450 | + elif char in (10, 13): | |
| 451 | + field_contents += u'\n' | |
| 452 | + elif char < 32: | |
| 453 | + field_contents += u'?' | |
| 443 | 454 | elif char < 128: |
| 444 | 455 | field_contents += unichr(char) |
| 445 | 456 | else: |
| 446 | 457 | field_contents += u'?' |
| 458 | + | |
| 459 | + if max_size_exceeded: | |
| 460 | + log.debug('big field was not a field after all') | |
| 461 | + | |
| 447 | 462 | log.debug('Checked {0} characters, found {1} fields' |
| 448 | 463 | .format(idx, len(result_parts))) |
| 449 | 464 | ... | ... |