diff --git a/oletools/common/clsid.py b/oletools/common/clsid.py
index 252e971..7084ef2 100644
--- a/oletools/common/clsid.py
+++ b/oletools/common/clsid.py
@@ -95,7 +95,7 @@ KNOWN_CLSIDS = {
 '0004A6B0-0000-0000-C000-000000000046': 'Microsoft Equation 2.0 (Known Related to CVE-2017-11882 or CVE-2018-0802)', # TODO: to be confirmed
 # Referenced in https://devblogs.microsoft.com/setup/identifying-windows-installer-file-types/ :
 '000C1082-0000-0000-C000-000000000046': 'MSI Transform (mst)',
- '000C1084-0000-0000-C000-000000000046': 'MSI Installer Package (msi)',
+ '000C1084-0000-0000-C000-000000000046': 'MSI Windows Installer Package (msi)',
 '000C1086-0000-0000-C000-000000000046': 'MSI Patch Package (psp)',
 '048EB43E-2059-422F-95E0-557DA96038AF': 'Microsoft Powerpoint.Slide.12',
 '05741520-C4EB-440A-AC3F-9643BBC9F847': 'otkloadr.WRLoader (can be used to bypass ASLR after triggering an exploit)',
diff --git a/oletools/ftguess.py b/oletools/ftguess.py
index 6db2c86..ea556f2 100644
--- a/oletools/ftguess.py
+++ b/oletools/ftguess.py
@@ -11,9 +11,13 @@ ftguess is part of the python-oletools package:
 http://www.decalage.info/python/oletools
 """
+# Useful resources about file formats:
+# http://fileformats.archiveteam.org
+# https://www.nationalarchives.gov.uk/PRONOM/Default.aspx
+
 #=== LICENSE =================================================================
-# ftguess is copyright (c) 2018-2022, Philippe Lagadec (http://www.decalage.info)
+# ftguess is copyright (c) 2018-2023, Philippe Lagadec (http://www.decalage.info)
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without modification,
@@ -43,7 +47,7 @@ from __future__ import print_function
 # 2018-07-04 v0.54 PL: - first version
 # 2021-05-09 v0.60 PL: -
-__version__ = '0.60.1'
+__version__ = '0.60.2dev3'
 # ------------------------------------------------------------------------------
 # TODO:
@@ -184,6 +188,7 @@ class FTYPE(object):
 GENERIC_XML = 'XML' # Generic XML file
 GENERIC_OPENXML = 'OpenXML' # Generic OpenXML file
 UNKNOWN = 'Unknown File Type'
+ MSI = "MSI"
 class CONTAINER(object):
 """
@@ -664,6 +669,15 @@ class FType_XPS(FType_Generic_OpenXML):
 extensions = ['xps']
+class FType_MSI(FType_Generic_OLE):
+ # see http://fileformats.archiveteam.org/wiki/Windows_Installer
+ application = APP.WINDOWS
+ filetype = FTYPE.MSI
+ name = 'MSI'
+ longname = 'Windows Installer Package (.msi)'
+ extensions = ['msi']
+
+
 # TODO: for PPT, check for stream 'PowerPoint Document'
 # TODO: for Visio, check for stream 'VisioDocument'
@@ -678,6 +692,8 @@ clsid_ftypes = {
 '00020810-0000-0000-C000-000000000046': FType_Excel5,
 # POWERPOINT
 '64818D10-4F9B-11CF-86EA-00AA00B929E8': FType_Powerpoint97,
+ # MSI
+ '000C1084-0000-0000-C000-000000000046': FType_MSI,
 }
 openxml_ftypes = {
diff --git a/setup.py b/setup.py
index 9b0af6d..2eda398 100644
--- a/setup.py
+++ b/setup.py
@@ -55,7 +55,7 @@ import os, fnmatch
 #--- METADATA -----------------------------------------------------------------
 name = "oletools"
-version = '0.60.2dev2'
+version = '0.60.2dev3'
 desc = "Python tools to analyze security characteristics of MS Office and OLE files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), for Malware Analysis and Incident Response #DFIR"
 long_desc = open('oletools/README.rst').read()
 author = "Philippe Lagadec"
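Review bot: `MSI = "MSI"` is the only constant in FTYPE written with double quotes and without the trailing `# ...` description its neighbours carry (`GENERIC_XML = 'XML'  # Generic XML file`), and it is appended after the `UNKNOWN` sentinel rather than among the other file types. Suggest `MSI = 'MSI'  # Windows Installer package (OLE-based)` placed before `UNKNOWN`, so the sentinel stays last and the quoting stays uniform. The enclosing class FTYPE starts outside the hunk.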
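Review bot: `FType_MSI` carries only a URL comment where a class docstring would tell a reader what the type means and how it is recognized; suggest replacing the `# see ...` line with `"""Windows Installer Package (.msi): an OLE compound file whose root storage CLSID is 000C1084-0000-0000-C000-000000000046 (see clsid_ftypes); format notes at http://fileformats.archiveteam.org/wiki/Windows_Installer."""`. The description also differs from the one this same commit gives the identical CLSID in clsid.py (`'Windows Installer Package (.msi)'` here, `'MSI Windows Installer Package (msi)'` there), so two oletools outputs will label one file differently; aligning the wording avoids confusion in triage reports. Whether the CLSID table is the only path that selects this class cannot be seen from the hunk.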
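Review bot: Only the package CLSID is mapped here, while clsid.py in this same commit also lists the MSI Transform (`000C1082-0000-0000-C000-000000000046`) and MSI Patch (`000C1086-0000-0000-C000-000000000046`) root CLSIDs; transform and patch files built on the same OLE container would presumably still come back as generic OLE from ftguess. Either map them too (to FType_MSI or dedicated types) or record the gap next to the new entry: `# TODO: MSI Transform (000C1082-...) and Patch (000C1086-...) CLSIDs are not mapped yet`. Note also that the root-storage CLSID is metadata written by whoever produced the file, so a match in this table reports the declared type rather than a verified one; a one-line comment above the table saying so would help analysts who rely on the label. The clsid_ftypes dict starts outside the hunk.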