Commit 53dfd753efb9a549b81d2120aecde7d6b2dd278a
1 parent
857d1e4a
ftguess: added OneNote format
Showing
1 changed file
with
23 additions
and
1 deletions
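--- a/oletools/ftguess.py
+++ b/oletools/ftguess.py
@@ -189,6 +189,7 @@ class FTYPE(object):
 GENERIC_OPENXML = 'OpenXML' # Generic OpenXML file
 UNKNOWN = 'Unknown File Type'
 MSI = "MSI"
+ONENOTE = "OneNote"
 
 class CONTAINER(object):
 """
@@ -203,6 +204,7 @@ class CONTAINER(object):
 MIME = 'MIME'
 BINARY = 'Binary' # Generic binary file without container
 UNKNOWN = 'Unknown Container'
+ONENOTE = 'OneNote'
 
 class APP(object):
 """
@@ -215,6 +217,7 @@ class APP(object):
 MSVISIO = 'MS Visio'
 MSPROJECT = 'MS Project'
 MSOFFICE = 'MS Office' # when the exact app is unknown
+MSONENOTE = 'MS OneNote'
 ZIP_ARCHIVER = 'Any Zip Archiver'
 WINDOWS = 'Windows' # for Windows executables and XPS
 UNKNOWN = 'Unknown Application'
@@ -678,6 +681,25 @@ class FType_MSI(FType_Generic_OLE):
 extensions = ['msi']
 
 
+class FType_OneNote(FType_Base):
+container = CONTAINER.ONENOTE
+application = APP.MSONENOTE
+filetype = FTYPE.ONENOTE
+name = 'OneNote'
+longname = 'MS OneNote Revision Store (.one)'
+extensions = ['one']
+content_types = ('application/msonenote',)
+PUID = 'fmt/637'
+# ref: https://learn.microsoft.com/en-us/openspecs/office_file_formats/ms-onestore/ae670cd2-4b38-4b24-82d1-87cfb2cc3725
+# PRONOM: https://www.nationalarchives.gov.uk/PRONOM/Format/proFormatSearch.aspx?status=detailReport&id=1437
+
+@classmethod
+def recognize(cls, ftg):
+# ref about Header with OneNote GUID:
+# https://learn.microsoft.com/en-us/openspecs/office_file_formats/ms-onestore/2b394c6b-8788-441f-b631-da1583d772fd
+return True if ftg.data.startswith(b'\xE4\x52\x5C\x7B\x8C\xD8\xA7\x4D\xAE\xB1\x53\x78\xD0\x29\x96\xD3') else False
+
+
 # TODO: for PPT, check for stream 'PowerPoint Document'
 # TODO: for Visio, check for stream 'VisioDocument'
 
@@ -770,7 +792,7 @@ class FileTypeGuesser(object):
 self.data_bytesio = io.BytesIO(self.data)
 
 # Identify the main container type:
-for ftype in (FType_RTF, FType_Generic_OLE, FType_Generic_Zip):
+for ftype in (FType_RTF, FType_Generic_OLE, FType_Generic_Zip, FType_OneNote):
 if ftype.recognize(self):
 self.ftype = ftype
 break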
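Review bot: `FType_OneNote.recognize` compares against an unnamed 16-byte literal and wraps a value that is already a bool in `True if … else False`; naming the constant with its GUID form makes the check auditable against MS-ONESTORE, e.g. `ONE_GUID = b'\xE4\x52\x5C\x7B\x8C\xD8\xA7\x4D\xAE\xB1\x53\x78\xD0\x29\x96\xD3'  # {7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}, guidFileType of a .one file` followed by `return ftg.data.startswith(cls.ONE_GUID)`. The match covers the .one file type only, so a .onetoc2 table-of-contents file (for which MS-ONESTORE defines a different guidFileType) is not recognized by this class; a short comment saying that is intentional would help anyone relying on ftguess for triage. The class has no docstring, and one line such as `"""OneNote revision store (.one), identified by the guidFileType at offset 0 of the header."""` would be enough. In the `FileTypeGuesser` hunk the method starts and ends outside the visible lines, so whether later code branches on `CONTAINER.ONENOTE` cannot be checked from here.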