Commit 857d1e4a1c9e9c4ddc1e1d878bb69a3ee58e6404

Authored by decalage2
1 parent 6c61acad

ftguess: added MSI format

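--- a/oletools/common/clsid.py
+++ b/oletools/common/clsid.py
@@ -95,7 +95,7 @@ KNOWN_CLSIDS = {
 '0004A6B0-0000-0000-C000-000000000046': 'Microsoft Equation 2.0 (Known Related to CVE-2017-11882 or CVE-2018-0802)', # TODO: to be confirmed
 # Referenced in https://devblogs.microsoft.com/setup/identifying-windows-installer-file-types/ :
 '000C1082-0000-0000-C000-000000000046': 'MSI Transform (mst)',
-'000C1084-0000-0000-C000-000000000046': 'MSI Installer Package (msi)',
+'000C1084-0000-0000-C000-000000000046': 'MSI Windows Installer Package (msi)',
 '000C1086-0000-0000-C000-000000000046': 'MSI Patch Package (psp)',
 '048EB43E-2059-422F-95E0-557DA96038AF': 'Microsoft Powerpoint.Slide.12',
 '05741520-C4EB-440A-AC3F-9643BBC9F847': 'otkloadr.WRLoader (can be used to bypass ASLR after triggering an exploit)',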
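--- a/oletools/ftguess.py
+++ b/oletools/ftguess.py
@@ -11,9 +11,13 @@ ftguess is part of the python-oletools package:
 http://www.decalage.info/python/oletools
 """
 
+# Useful resources about file formats:
+# http://fileformats.archiveteam.org
+# https://www.nationalarchives.gov.uk/PRONOM/Default.aspx
+
 #=== LICENSE =================================================================
 
-# ftguess is copyright (c) 2018-2022, Philippe Lagadec (http://www.decalage.info)
+# ftguess is copyright (c) 2018-2023, Philippe Lagadec (http://www.decalage.info)
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without modification,
@@ -43,7 +47,7 @@ from __future__ import print_function
 # 2018-07-04 v0.54 PL: - first version
 # 2021-05-09 v0.60 PL: -
 
-__version__ = '0.60.1'
+__version__ = '0.60.2dev3'
 
 # ------------------------------------------------------------------------------
 # TODO:
@@ -184,6 +188,7 @@ class FTYPE(object):
 GENERIC_XML = 'XML' # Generic XML file
 GENERIC_OPENXML = 'OpenXML' # Generic OpenXML file
 UNKNOWN = 'Unknown File Type'
+MSI = "MSI"
 
 class CONTAINER(object):
 """
@@ -664,6 +669,15 @@ class FType_XPS(FType_Generic_OpenXML):
 extensions = ['xps']
 
 
+class FType_MSI(FType_Generic_OLE):
+# see http://fileformats.archiveteam.org/wiki/Windows_Installer
+application = APP.WINDOWS
+filetype = FTYPE.MSI
+name = 'MSI'
+longname = 'Windows Installer Package (.msi)'
+extensions = ['msi']
+
+
 # TODO: for PPT, check for stream 'PowerPoint Document'
 # TODO: for Visio, check for stream 'VisioDocument'
 
@@ -678,6 +692,8 @@ clsid_ftypes = {
 '00020810-0000-0000-C000-000000000046': FType_Excel5,
 # POWERPOINT
 '64818D10-4F9B-11CF-86EA-00AA00B929E8': FType_Powerpoint97,
+# MSI
+'000C1084-0000-0000-C000-000000000046': FType_MSI,
 }
 
 openxml_ftypes = {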
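Review bot: FType_MSI carries only a URL comment and no docstring, and the new clsid_ftypes entry maps just the package CLSID 000C1084-0000-0000-C000-000000000046, while the transform (000C1082-0000-0000-C000-000000000046) and patch (000C1086-0000-0000-C000-000000000046) CLSIDs that clsid.py lists in this same commit stay unmapped, so those Windows Installer files presumably still resolve to the generic OLE type. Either add entries for them (pointing at FType_MSI or at dedicated types) or state the limitation in the class, e.g. `"""Windows Installer package (.msi): an OLE file recognised through its CLSID in clsid_ftypes; MSI transforms and patches are not mapped yet."""`. Separately, `MSI = "MSI"` in FTYPE uses double quotes where the neighbouring constants use single quotes; `MSI = 'MSI'` keeps the block consistent.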
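--- a/setup.py
+++ b/setup.py
@@ -55,7 +55,7 @@ import os, fnmatch
 #--- METADATA -----------------------------------------------------------------
 
 name = "oletools"
-version = '0.60.2dev2'
+version = '0.60.2dev3'
 desc = "Python tools to analyze security characteristics of MS Office and OLE files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), for Malware Analysis and Incident Response #DFIR"
 long_desc = open('oletools/README.rst').read()
 author = "Philippe Lagadec"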