ftguess: added MSI format

decalage2
1 parent 6c61acad
Showing 3 changed files with 20 additions and 4 deletions
oletools/common/clsid.py
oletools/ftguess.py
setup.py
@@ -95,7 +95,7 @@ KNOWN_CLSIDS = {
     '0004A6B0-0000-0000-C000-000000000046': 'Microsoft Equation 2.0 (Known Related to CVE-2017-11882 or CVE-2018-0802)', # TODO: to be confirmed
     # Referenced in https://devblogs.microsoft.com/setup/identifying-windows-installer-file-types/ :
     '000C1082-0000-0000-C000-000000000046': 'MSI Transform (mst)',
-    '000C1084-0000-0000-C000-000000000046': 'MSI Installer Package (msi)',
+    '000C1084-0000-0000-C000-000000000046': 'MSI Windows Installer Package (msi)',
     '000C1086-0000-0000-C000-000000000046': 'MSI Patch Package (psp)',
     '048EB43E-2059-422F-95E0-557DA96038AF': 'Microsoft Powerpoint.Slide.12',
     '05741520-C4EB-440A-AC3F-9643BBC9F847': 'otkloadr.WRLoader (can be used to bypass ASLR after triggering an exploit)',
@@ -11,9 +11,13 @@ ftguess is part of the python-oletools package:
 http://www.decalage.info/python/oletools
 """
  
+# Useful resources about file formats:
+# http://fileformats.archiveteam.org
+# https://www.nationalarchives.gov.uk/PRONOM/Default.aspx
+
 #=== LICENSE =================================================================
  
-# ftguess is copyright (c) 2018-2022, Philippe Lagadec (http://www.decalage.info)
+# ftguess is copyright (c) 2018-2023, Philippe Lagadec (http://www.decalage.info)
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without modification,
@@ -43,7 +47,7 @@ from __future__ import print_function
 # 2018-07-04 v0.54 PL: - first version
 # 2021-05-09 v0.60 PL: -
  
-__version__ = '0.60.1'
+__version__ = '0.60.2dev3'
  
 # ------------------------------------------------------------------------------
 # TODO:
@@ -184,6 +188,7 @@ class FTYPE(object):
     GENERIC_XML = 'XML' # Generic XML file
     GENERIC_OPENXML = 'OpenXML' # Generic OpenXML file
     UNKNOWN = 'Unknown File Type'
+    MSI = "MSI"
  
 class CONTAINER(object):
     """
@@ -664,6 +669,15 @@ class FType_XPS(FType_Generic_OpenXML):
     extensions = ['xps']
  
  
+class FType_MSI(FType_Generic_OLE):
+    # see http://fileformats.archiveteam.org/wiki/Windows_Installer
+    application = APP.WINDOWS
+    filetype = FTYPE.MSI
+    name = 'MSI'
+    longname = 'Windows Installer Package (.msi)'
+    extensions = ['msi']
+
+
 # TODO: for PPT, check for stream 'PowerPoint Document'
 # TODO: for Visio, check for stream 'VisioDocument'
  
@@ -678,6 +692,8 @@ clsid_ftypes = {
     '00020810-0000-0000-C000-000000000046': FType_Excel5,
     # POWERPOINT
     '64818D10-4F9B-11CF-86EA-00AA00B929E8': FType_Powerpoint97,
+    # MSI
+    '000C1084-0000-0000-C000-000000000046': FType_MSI,
 }
  
 openxml_ftypes = {
@@ -55,7 +55,7 @@ import os, fnmatch
 #--- METADATA -----------------------------------------------------------------
  
 name         = "oletools"
-version      = '0.60.2dev2'
+version      = '0.60.2dev3'
 desc         = "Python tools to analyze security characteristics of MS Office and OLE files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), for Malware Analysis and Incident Response #DFIR"
 long_desc    = open('oletools/README.rst').read()
 author       = "Philippe Lagadec"