Commit 1f43eab2f9075bbb0b68d26320e5bd47308558cf
Committed by
Philippe Lagadec
1 parent
a2c8fb9b
msodde: improve debug-log readability for ole files
Showing
1 changed file
with
16 additions
and
1 deletions
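--- a/oletools/msodde.py
+++ b/oletools/msodde.py
@@ -372,7 +372,7 @@ def process_ole_field(data):
 """ check if field instructions start with DDE
 
 expects unicode input, returns unicode output (empty if not dde) """
-#log.debug('processing field {0}'.format(data))
+log.debug('processing field {0}'.format(data))
 
 if data.lstrip().lower().startswith(u'dde'):
 #log.debug('--> is DDE!')
@@ -410,6 +410,8 @@ def process_ole_stream(stream):
 char = ord(char)
 
 if char == OLE_FIELD_START:
+if have_start and max_size_exceeded:
+log.debug('big field was not a field after all')
 have_start = True
 have_sep = False
 max_size_exceeded = False
@@ -420,6 +422,8 @@ def process_ole_stream(stream):
 
 # now we are after start char but not at end yet
 if char == OLE_FIELD_SEP:
+if have_sep:
+log.debug('unexpected field: has multiple separators!')
 have_sep = True
 elif char == OLE_FIELD_END:
 # have complete field now, process it
@@ -430,6 +434,7 @@ def process_ole_stream(stream):
 have_sep = False
 field_contents = None
 elif not have_sep:
+# we are only interested in the part from start to separator
 # check that array does not get too long by accident
 if max_size_exceeded:
 pass
@@ -440,10 +445,20 @@ def process_ole_stream(stream):
 
 # appending a raw byte to a unicode string here. Not clean but
 # all we do later is check for the ascii-sequence 'DDE' later...
+elif char == 0: # may be a high-byte of a 2-byte codec
+field_contents += unichr(char)
+elif char in (10, 13):
+field_contents += u'\n'
+elif char < 32:
+field_contents += u'?'
 elif char < 128:
 field_contents += unichr(char)
 else:
 field_contents += u'?'
+
+if max_size_exceeded:
+log.debug('big field was not a field after all')
+
 log.debug('Checked {0} characters, found {1} fields'
 .format(idx, len(result_parts)))
 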
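Review bot: The new `elif char < 32:` branch in process_ole_stream replaces every control byte except 0, 10 and 13 with `?`, which changes the string used for detection and not only what ends up in the log. Tab (9) and the other whitespace control characters used to be appended unchanged and were then removed by `data.lstrip()` in process_ole_field, so a field whose instruction follows one of them now begins with `?` and no longer passes `startswith(u'dde')` (assuming field_contents is what is handed to process_ole_field; that call is outside the visible hunks). Keep the buffer as it was and sanitise only the text given to `log.debug`, or at least keep whitespace by placing `elif char in (9, 11, 12): field_contents += u' '` ahead of the `char < 32` test. The re-enabled `log.debug('processing field {0}'.format(data))` also writes document-controlled text into the debug log, including the `\n` inserted here, so a comment such as `# field text comes from the analysed file; treat log output as untrusted` would help anyone who parses these logs. Both functions start and end outside the hunks shown.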