diff --git a/oletools/mraptor.py b/oletools/mraptor.py index 387b138..41327fe 100755 --- a/oletools/mraptor.py +++ b/oletools/mraptor.py @@ -53,6 +53,7 @@ http://www.decalage.info/python/oletools # 2016-03-08 v0.04 PL: - collapse long lines before analysis # 2016-08-31 v0.50 PL: - added macro trigger InkPicture_Painted # 2016-09-05 PL: - added Document_BeforeClose keyword for MS Publisher (.pub) +# 2016-10-25 PL: - fixed print for Python 3 __version__ = '0.50' @@ -239,16 +240,16 @@ def main(): # Print help if no arguments are passed if len(args) == 0: - print __doc__ + print(__doc__) parser.print_help() - print '\nAn exit code is returned based on the analysis result:' + print('\nAn exit code is returned based on the analysis result:') for result in (Result_NoMacro, Result_NotMSOffice, Result_MacroOK, Result_Error, Result_Suspicious): - print ' - %d: %s' % (result.exit_code, result.name) + print(' - %d: %s' % (result.exit_code, result.name)) sys.exit() # print banner with version - print 'MacroRaptor %s - http://decalage.info/python/oletools' % __version__ - print 'This is work in progress, please report issues at %s' % URL_ISSUES + print('MacroRaptor %s - http://decalage.info/python/oletools' % __version__) + print('This is work in progress, please report issues at %s' % URL_ISSUES) logging.basicConfig(level=LOG_LEVELS[options.loglevel], format='%(levelname)-8s %(message)s') # enable logging in the modules: @@ -325,9 +326,9 @@ def main(): global_result = result exitcode = result.exit_code - print '' - print 'Flags: A=AutoExec, W=Write, X=Execute' - print 'Exit code: %d - %s' % (exitcode, global_result.name) + print('') + print('Flags: A=AutoExec, W=Write, X=Execute') + print('Exit code: %d - %s' % (exitcode, global_result.name)) sys.exit(exitcode) if __name__ == '__main__': diff --git a/oletools/oleid.py b/oletools/oleid.py index 6e88736..39b7189 100755 --- a/oletools/oleid.py +++ b/oletools/oleid.py 
@@ -18,7 +18,7 @@ http://www.decalage.info/python/oletools #=== LICENSE ================================================================= -# oleid is copyright (c) 2012-2015, Philippe Lagadec (http://www.decalage.info) +# oleid is copyright (c) 2012-2016, Philippe Lagadec (http://www.decalage.info) # All rights reserved. # # Redistribution and use in source and binary forms, with or without modification, @@ -48,8 +48,9 @@ http://www.decalage.info/python/oletools # 2014-11-29 v0.02 PL: - use olefile instead of OleFileIO_PL # - improved usage display with -h # 2014-11-30 v0.03 PL: - improved output with prettytable +# 2016-10-25 v0.50 PL: - fixed print for Python 3 -__version__ = '0.03' +__version__ = '0.50' #------------------------------------------------------------------------------ @@ -275,7 +276,7 @@ def main(): return for filename in args: - print '\nFilename:', filename + print('\nFilename:', filename) oleid = OleID(filename) indicators = oleid.check() @@ -290,7 +291,7 @@ def main(): #print '%s: %s' % (indicator.name, indicator.value) t.add_row((indicator.name, indicator.value)) - print t + print(t) if __name__ == '__main__': main() diff --git a/oletools/olemeta.py b/oletools/olemeta.py index 02697b1..429572c 100755 --- a/oletools/olemeta.py +++ b/oletools/olemeta.py @@ -45,6 +45,7 @@ http://www.decalage.info/python/oletools # - improved usage display # 2015-12-29 v0.03 PL: - only display properties present in the file # 2016-09-06 v0.50 PL: - added main entry point for setup.py +# 2016-10-25 PL: - fixed print for Python 3 __version__ = '0.50' @@ -93,7 +94,7 @@ def main(): value = str(value) t.write_row([prop, value], colors=[None, 'yellow']) t.close() - print '' + print('') print('Properties from the DocumentSummaryInformation stream:') t = tablestream.TableStream([21, 30], header_row=['Property', 'Value'], outfile=console_utf8) diff --git a/oletools/olevba.py b/oletools/olevba.py index b0da3c7..831da11 100755 --- a/oletools/olevba.py 
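Review bot: In oleid.py's `main()`, `print('\nFilename:', filename)` passes two arguments, so on Python 2 it prints a tuple repr instead of the text unless `print_function` is imported. This diff adds that import only to olevba.py, and none is visible in the oleid.py hunks. Either add `from __future__ import print_function` after the module docstring, or use a single formatted argument: `print('\nFilename: %s' % filename)`. The single-argument calls changed in mraptor.py, olemeta.py and pyxswf.py behave the same on both versions. `main()` starts and ends outside the hunk.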
+++ b/oletools/olevba.py @@ -73,6 +73,8 @@ https://github.com/unixfreak0037/officeparser # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE # SOFTWARE. +from __future__ import print_function + #------------------------------------------------------------------------------ # CHANGELOG: # 2014-08-05 v0.01 PL: - first version based on officeparser code @@ -184,6 +186,7 @@ https://github.com/unixfreak0037/officeparser # 2016-09-05 PL: - added autoexec keywords for MS Publisher (.pub) # 2016-09-06 PL: - fixed issue #20, is_zipfile on Python 2.6 # 2016-09-12 PL: - enabled packrat to improve pyparsing performance +# 2016-10-25 PL: - fixed raise and print statements for Python 3 __version__ = '0.50' @@ -246,9 +249,9 @@ except ImportError: # Python <2.5: standalone ElementTree install import elementtree.cElementTree as ET except ImportError: - raise ImportError, "lxml or ElementTree are not installed, " \ + raise ImportError("lxml or ElementTree are not installed, " \ + "see http://codespeak.net/lxml " \ - + "or http://effbot.org/zone/element-index.htm" + + "or http://effbot.org/zone/element-index.htm") import thirdparty.olefile as olefile from thirdparty.prettytable import prettytable @@ -1968,18 +1971,18 @@ def print_json(json_dict=None, _json_is_last=False, **json_parts): json_dict = json_parts if not _have_printed_json_start: - print '[' + print('[') _have_printed_json_start = True lines = json.dumps(json2ascii(json_dict), check_circular=False, indent=4, ensure_ascii=False).splitlines() for line in lines[:-1]: - print ' {0}'.format(line) + print(' {0}'.format(line)) if _json_is_last: - print ' {0}'.format(lines[-1]) # print last line without comma - print ']' + print(' {0}'.format(lines[-1])) # print last line without comma + print(']') else: - print ' {0},'.format(lines[-1]) # print last line with comma + print(' {0},'.format(lines[-1])) # print last line with comma class VBA_Scanner(object): 
@@ -2934,7 +2937,7 @@ class VBA_Parser_CLI(VBA_Parser): """ # print a waiting message only if the output is not redirected to a file: if sys.stdout.isatty(): - print 'Analysis...\r', + print('Analysis...\r', end='') sys.stdout.flush() results = self.analyze_macros(show_decoded_strings, deobfuscate) if results: @@ -2950,9 +2953,9 @@ class VBA_Parser_CLI(VBA_Parser): if not is_printable(description): description = repr(description) t.add_row((kw_type, keyword, description)) - print t + print(t) else: - print 'No suspicious keyword or IOC found.' + print('No suspicious keyword or IOC found.') def print_analysis_json(self, show_decoded_strings=False, deobfuscate=False): """ @@ -2966,7 +2969,7 @@ class VBA_Parser_CLI(VBA_Parser): """ # print a waiting message only if the output is not redirected to a file: if sys.stdout.isatty(): - print 'Analysis...\r', + print('Analysis...\r', end='') sys.stdout.flush() return [dict(type=kw_type, keyword=keyword, description=description) for kw_type, keyword, description in self.analyze_macros(show_decoded_strings, deobfuscate)] @@ -2995,11 +2998,11 @@ class VBA_Parser_CLI(VBA_Parser): display_filename = '%s in %s' % (self.filename, self.container) else: display_filename = self.filename - print '=' * 79 - print 'FILE:', display_filename + print('=' * 79) + print('FILE: %s' % display_filename) try: #TODO: handle olefile errors, when an OLE file is malformed - print 'Type:', self.type + print('Type: %s'% self.type) if self.detect_vba_macros(): #print 'Contains VBA Macros:' for (subfilename, stream_path, vba_filename, vba_code) in self.extract_all_macros(): 
@@ -3008,29 +3011,29 @@ class VBA_Parser_CLI(VBA_Parser): vba_code_filtered = filter_vba(vba_code) else: vba_code_filtered = vba_code - print '-' * 79 - print 'VBA MACRO %s ' % vba_filename - print 'in file: %s - OLE stream: %s' % (subfilename, repr(stream_path)) + print('-' * 79) + print('VBA MACRO %s ' % vba_filename) + print('in file: %s - OLE stream: %s' % (subfilename, repr(stream_path))) if display_code: - print '- ' * 39 + print('- ' * 39) # detect empty macros: if vba_code_filtered.strip() == '': - print '(empty macro)' + print('(empty macro)') else: - print vba_code_filtered + print(vba_code_filtered) for (subfilename, stream_path, form_string) in self.extract_form_strings(): - print '-' * 79 - print 'VBA FORM STRING IN %r - OLE stream: %r' % (subfilename, stream_path) - print '- ' * 39 - print form_string + print('-' * 79) + print('VBA FORM STRING IN %r - OLE stream: %r' % (subfilename, stream_path)) + print('- ' * 39) + print(form_string) if not vba_code_only: # analyse the code from all modules at once: self.print_analysis(show_decoded_strings, deobfuscate) if show_deobfuscated_code: - print 'MACRO SOURCE CODE WITH DEOBFUSCATED VBA STRINGS (EXPERIMENTAL):\n\n' - print self.reveal() + print('MACRO SOURCE CODE WITH DEOBFUSCATED VBA STRINGS (EXPERIMENTAL):\n\n') + print(self.reveal()) else: - print 'No VBA macros found.' + print('No VBA macros found.') except OlevbaBaseException: raise except Exception as exc: @@ -3038,7 +3041,7 @@ class VBA_Parser_CLI(VBA_Parser): log.info('Error processing file %s (%s)' % (self.filename, exc)) log.debug('Traceback:', exc_info=True) raise ProcessingError(self.filename, exc) - print '' + print('') def process_file_json(self, show_decoded_strings=False, 
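Review bot: `print(form_string)` in `process_file` writes a string extracted from the analysed document to the terminal as-is, while `print_analysis` in the same class passes each description through `is_printable()` and falls back to `repr()`. Form strings come from untrusted files, so control or escape characters in them would reach the analyst's terminal; the same guard would fit here, e.g. `print(form_string if is_printable(form_string) else repr(form_string))`. On Python 3 it is also worth confirming whether `extract_form_strings()` yields bytes, in which case `print` would show the `b'...'` repr. The `%s`-formatted file and container names in the triage messages of `main()` (later hunks) deserve the same look, since the neighbouring `log.error` calls already use `%r`. `process_file` starts before this hunk.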
@@ -3124,7 +3127,7 @@ class VBA_Parser_CLI(VBA_Parser): if self.detect_vba_macros(): # print a waiting message only if the output is not redirected to a file: if sys.stdout.isatty(): - print 'Analysis...\r', + print('Analysis...\r', end='') sys.stdout.flush() self.analyze_macros(show_decoded_strings=show_decoded_strings, deobfuscate=deobfuscate) @@ -3142,7 +3145,7 @@ class VBA_Parser_CLI(VBA_Parser): base64obf, dridex, vba_obf) line = '%-12s %s' % (flags, self.filename) - print line + print(line) # old table display: # macros = autoexec = suspicious = iocs = hexstrings = 'no' @@ -3235,7 +3238,7 @@ def main(): # Print help if no arguments are passed if len(args) == 0: - print __doc__ + print(__doc__) parser.print_help() sys.exit(RETURN_WRONG_ARGS) @@ -3246,7 +3249,7 @@ def main(): url='http://decalage.info/python/oletools', type='MetaInformation') else: - print 'olevba %s - http://decalage.info/python/oletools' % __version__ + print('olevba %s - http://decalage.info/python/oletools' % __version__) logging.basicConfig(level=LOG_LEVELS[options.loglevel], format='%(levelname)-8s %(message)s') # enable logging in the modules: @@ -3266,8 +3269,8 @@ def main(): # Column headers (do not know how many files there will be yet, so if no output_mode # was specified, we will print triage for first file --> need these headers) if options.output_mode in ('triage', 'unspecified'): - print '%-12s %-65s' % ('Flags', 'Filename') - print '%-12s %-65s' % ('-' * 11, '-' * 65) + print('%-12s %-65s' % ('Flags', 'Filename')) + print('%-12s %-65s' % ('-' * 11, '-' * 65)) previous_container = None count = 0 
@@ -3285,14 +3288,14 @@ def main(): if isinstance(data, Exception): if isinstance(data, PathNotFoundException): if options.output_mode in ('triage', 'unspecified'): - print '%-12s %s - File not found' % ('?', filename) + print('%-12s %s - File not found' % ('?', filename)) elif options.output_mode != 'json': log.error('Given path %r does not exist!' % filename) return_code = RETURN_FILE_NOT_FOUND if return_code == 0 \ else RETURN_SEVERAL_ERRS else: if options.output_mode in ('triage', 'unspecified'): - print '%-12s %s - Failed to read from zip file %s' % ('?', filename, container) + print('%-12s %s - Failed to read from zip file %s' % ('?', filename, container)) elif options.output_mode != 'json': log.error('Exception opening/reading %r from zip file %r: %s' % (filename, container, data)) @@ -3319,7 +3322,7 @@ def main(): # print container name when it changes: if container != previous_container: if container is not None: - print '\nFiles in %s:' % container + print('\nFiles in %s:' % container) previous_container = container # summarized output for triage: vba_parser.process_file_triage(show_decoded_strings=options.show_decoded_strings, @@ -3337,8 +3340,8 @@ def main(): except (SubstreamOpenError, UnexpectedDataError) as exc: if options.output_mode in ('triage', 'unspecified'): - print '%-12s %s - Error opening substream or uenxpected ' \ - 'content' % ('?', filename) + print('%-12s %s - Error opening substream or uenxpected ' \ + 'content' % ('?', filename)) elif options.output_mode == 'json': print_json(file=filename, type='error', error=type(exc).__name__, message=str(exc)) @@ -3349,7 +3352,7 @@ def main(): else RETURN_SEVERAL_ERRS except FileOpenError as exc: if options.output_mode in ('triage', 'unspecified'): - print '%-12s %s - File format not supported' % ('?', filename) + print('%-12s %s - File format not supported' % ('?', filename)) elif options.output_mode == 'json': print_json(file=filename, type='error', error=type(exc).__name__, message=str(exc)) 
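Review bot: The triage message in the `SubstreamOpenError`/`UnexpectedDataError` branch still reads `uenxpected`; since the line is being rewritten anyway, it can become `print('%-12s %s - Error opening substream or unexpected content' % ('?', filename))`. The trailing backslash is also unnecessary now that the string literals sit inside the call's parentheses; the same applies to the `raise ImportError(...)` and the final flags legend in this diff. `main()` starts and ends outside the hunk.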
@@ -3359,7 +3362,7 @@ def main(): else RETURN_SEVERAL_ERRS except ProcessingError as exc: if options.output_mode in ('triage', 'unspecified'): - print '%-12s %s - %s' % ('!ERROR', filename, exc.orig_exc) + print('%-12s %s - %s' % ('!ERROR', filename, exc.orig_exc)) elif options.output_mode == 'json': print_json(file=filename, type='error', error=type(exc).__name__, @@ -3374,9 +3377,9 @@ def main(): vba_parser.close() if options.output_mode == 'triage': - print '\n(Flags: OpX=OpenXML, XML=Word2003XML, MHT=MHTML, TXT=Text, M=Macros, ' \ + print('\n(Flags: OpX=OpenXML, XML=Word2003XML, MHT=MHTML, TXT=Text, M=Macros, ' \ 'A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, ' \ - 'B=Base64 strings, D=Dridex strings, V=VBA strings, ?=Unknown)\n' + 'B=Base64 strings, D=Dridex strings, V=VBA strings, ?=Unknown)\n') if count == 1 and options.output_mode == 'unspecified': # if options -t, -d and -j were not specified and it's a single file, print details: diff --git a/oletools/pyxswf.py b/oletools/pyxswf.py index 258febf..50fc0c4 100755 --- a/oletools/pyxswf.py +++ b/oletools/pyxswf.py @@ -55,6 +55,7 @@ http://www.decalage.info/python/oletools # 2014-11-29 v0.03 PL: - use olefile instead of OleFileIO_PL # - improved usage display with -h # 2016-09-06 v0.50 PL: - updated to match the rtfobj API +# 2016-10-25 PL: - fixed print for Python 3 __version__ = '0.50' @@ -122,7 +123,7 @@ def main(): # check if data contains the SWF magic: FWS or CWS data = f.getvalue() if 'FWS' in data or 'CWS' in data: - print 'OLE stream: %s' % repr(direntry.name) + print('OLE stream: %s' % repr(direntry.name)) # call xxxswf to scan or extract Flash files: xxxswf.disneyland(f, direntry.name, options) f.close() 
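Review bot: The SWF magic test `'FWS' in data or 'CWS' in data` in pyxswf.py compares text literals with stream data, which on Python 3 raises TypeError if `f.getvalue()` returns bytes, so fixing the print call alone may not make this path run there. Byte literals work on Python 2.6+ and 3: `if b'FWS' in data or b'CWS' in data:`. The RTF hunk that follows has the same test and also calls `StringIO.StringIO(data)`, a module that does not exist on Python 3 (`io.BytesIO(data)` is the portable form, provided `io` is imported). The type of `data` is set outside both hunks, so this needs confirming against `olefile` and `rtfobj`.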
@@ -133,7 +134,7 @@ def main(): for filename in args: for index, orig_len, data in rtfobj.rtf_iter_objects(filename): if 'FWS' in data or 'CWS' in data: - print 'RTF embedded object size %d at index %08X' % (len(data), index) + print('RTF embedded object size %d at index %08X' % (len(data), index)) f = StringIO.StringIO(data) name = 'RTF_embedded_object_%08X' % index # call xxxswf to scan or extract Flash files: diff --git a/oletools/thirdparty/olefile/__init__.py b/oletools/thirdparty/olefile/__init__.py index a0c3512..59b442d 100644 --- a/oletools/thirdparty/olefile/__init__.py +++ b/oletools/thirdparty/olefile/__init__.py 
@@ -1,35 +1,28 @@ -#!/usr/local/bin/python -# -*- coding: latin-1 -*- -""" -olefile (formerly OleFileIO_PL) - -Module to read/write Microsoft OLE2 files (also called Structured Storage or -Microsoft Compound Document File Format), such as Microsoft Office 97-2003 -documents, Image Composer and FlashPix files, Outlook messages, ... -This version is compatible with Python 2.6+ and 3.x - -Project website: http://www.decalage.info/olefile - -olefile is copyright (c) 2005-2015 Philippe Lagadec (http://www.decalage.info) - -olefile is based on the OleFileIO module from the PIL library v1.1.6 -See: http://www.pythonware.com/products/pil/index.htm - -The Python Imaging Library (PIL) is - Copyright (c) 1997-2005 by Secret Labs AB - Copyright (c) 1995-2005 by Fredrik Lundh - -See source code and LICENSE.txt for information on usage and redistribution. -""" - -try: - # first try to import olefile for Python 2.6+/3.x - from .olefile import * - # import metadata not covered by *: - from .olefile import __version__, __author__, __date__ - -except: - # if it fails, fallback to the old version olefile2 for Python 2.x: - from .olefile2 import * - # import metadata not covered by *: - from .olefile2 import __doc__, __version__, __author__, __date__ +#!/usr/local/bin/python +# -*- coding: latin-1 -*- +""" +olefile (formerly OleFileIO_PL) + +Module to read/write Microsoft OLE2 files (also called Structured Storage or +Microsoft Compound Document File Format), such as Microsoft Office 97-2003 +documents, Image Composer and FlashPix files, Outlook messages, ... 
+This version is compatible with Python 2.6+ and 3.x + +Project website: http://www.decalage.info/olefile + +olefile is copyright (c) 2005-2015 Philippe Lagadec (http://www.decalage.info) + +olefile is based on the OleFileIO module from the PIL library v1.1.6 +See: http://www.pythonware.com/products/pil/index.htm + +The Python Imaging Library (PIL) is + Copyright (c) 1997-2005 by Secret Labs AB + Copyright (c) 1995-2005 by Fredrik Lundh + +See source code and LICENSE.txt for information on usage and redistribution. +""" + +# first try to import olefile for Python 2.6+/3.x +from .olefile import * +# import metadata not covered by *: +from .olefile import __version__, __author__, __date__ diff --git a/oletools/thirdparty/olefile/olefile2.html b/oletools/thirdparty/olefile/olefile2.html deleted file mode 100644 index 467fa63..0000000 --- a/oletools/thirdparty/olefile/olefile2.html +++ /dev/null @@ -1,241 +0,0 @@ - - -Python: module olefile2 - - - - -
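Review bot: The comment `# first try to import olefile for Python 2.6+/3.x` is stale now that the `try`/`except` fallback to `olefile2` is gone; there is no second attempt left. Something like `# olefile requires Python 2.6+ or 3.x; the olefile2 fallback for older versions was removed` would describe the new behaviour. An ImportError from `.olefile` now propagates to the caller rather than being masked by the old bare `except:`, which is the better outcome but worth recording in the changelog.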
 
- 
olefile2 (version 0.40py2, 2014-10-01)
index
.\olefile2.py
-

olefile2 (formerly OleFileIO_PL2) version 0.40py2 2014-10-01

-Module to read Microsoft OLE2 files (also called Structured Storage or
-Microsoft Compound Document File Format), such as Microsoft Office
-documents, Image Composer and FlashPix files, Outlook messages, ...

-IMPORTANT NOTE: olefile2 is an old version of olefile meant to be used
-as fallback for Python 2.5 and older. For Python 2.6, 2.7 and 3.x, please use
-olefile which is more up-to-date. The improvements in olefile might
-not always be backported to olefile2.

-Project website: http://www.decalage.info/python/olefileio

-olefile2 is copyright (c) 2005-2014 Philippe Lagadec (http://www.decalage.info)

-olefile2 is based on the OleFileIO module from the PIL library v1.1.6
-See: http://www.pythonware.com/products/pil/index.htm

-The Python Imaging Library (PIL) is
-    Copyright (c) 1997-2005 by Secret Labs AB
-    Copyright (c) 1995-2005 by Fredrik Lundh

-See source code and LICENSE.txt for information on usage and redistribution.

-

- - - - - -
 
-Modules
       
StringIO
-array
-
datetime
-os
-
string
-struct
-
sys
-

- - - - - -
 
-Classes
       
-
OleFileIO -
-

- - - - - - - -
 
-class OleFileIO
   OLE container object

-This class encapsulates the interface to an OLE 2 structured
-storage file.  Use the {@link listdir} and {@link openstream} methods to
-access the contents of this file.

-Object names are given as a list of strings, one for each subentry
-level.  The root entry should be omitted.  For example, the following
-code extracts all image streams from a Microsoft Image Composer file:

-    ole = OleFileIO("fan.mic")

-    for entry in ole.listdir():
-        if entry[1:2] == "Image":
-            fin = ole.openstream(entry)
-            fout = open(entry[0:1], "wb")
-            while True:
-                s = fin.read(8192)
-                if not s:
-                    break
-                fout.write(s)

-You can use the viewer application provided with the Python Imaging
-Library to view the resulting files (which happens to be standard
-TIFF files).
 
 Methods defined here:
-
__init__(self, filename=None, raise_defects=40)
Constructor for OleFileIO class.

-filename: file to open.
-raise_defects: minimal level for defects to be raised as exceptions.
-(use DEFECT_FATAL for a typical application, DEFECT_INCORRECT for a
-security-oriented application, see source code for details)
- -
close(self)
close the OLE file, to release the file object
- -
dumpdirectory(self)
Dump directory (for debugging only)
- -
dumpfat(self, fat, firstindex=0)
Displays a part of FAT in human-readable form for debugging purpose
- -
dumpsect(self, sector, firstindex=0)
Displays a sector in a human-readable form, for debugging purpose.
- -
exists(self, filename)
Test if given filename exists as a stream or a storage in the OLE
-container.

-filename: path of stream in storage tree. (see openstream for syntax)
-return: True if object exist, else False.
- -
get_metadata(self)
Parse standard properties streams, return an OleMetadata object
-containing all the available metadata.
-(also stored in the metadata attribute of the OleFileIO object)

-new in version 0.25
- -
get_rootentry_name(self)
Return root entry name. Should usually be 'Root Entry' or 'R' in most
-implementations.
- -
get_size(self, filename)
Return size of a stream in the OLE container, in bytes.

-filename: path of stream in storage tree (see openstream for syntax)
-return: size in bytes (long integer)
-raise: IOError if file not found, TypeError if this is not a stream.
- -
get_type(self, filename)
Test if given filename exists as a stream or a storage in the OLE
-container, and return its type.

-filename: path of stream in storage tree. (see openstream for syntax)
-return: False if object does not exist, its entry type (>0) otherwise:
-    - STGTY_STREAM: a stream
-    - STGTY_STORAGE: a storage
-    - STGTY_ROOT: the root entry
- -
getctime(self, filename)
Return creation time of a stream/storage.

-filename: path of stream/storage in storage tree. (see openstream for
-syntax)
-return: None if creation time is null, a python datetime object
-otherwise (UTC timezone)

-new in version 0.26
- -
getmtime(self, filename)
Return modification time of a stream/storage.

-filename: path of stream/storage in storage tree. (see openstream for
-syntax)
-return: None if modification time is null, a python datetime object
-otherwise (UTC timezone)

-new in version 0.26
- -
getproperties(self, filename, convert_time=False, no_conversion=None)
Return properties described in substream.

-filename: path of stream in storage tree (see openstream for syntax)
-convert_time: bool, if True timestamps will be converted to Python datetime
-no_conversion: None or list of int, timestamps not to be converted
-               (for example total editing time is not a real timestamp)
-return: a dictionary of values indexed by id (integer)
- -
getsect(self, sect)
Read given sector from file on disk.
-sect: sector index
-returns a string containing the sector data.
- -
listdir(self, streams=True, storages=False)
Return a list of streams stored in this file

-streams: bool, include streams if True (True by default) - new in v0.26
-storages: bool, include storages if True (False by default) - new in v0.26
-(note: the root storage is never included)
- -
loaddirectory(self, sect)
Load the directory.
-sect: sector index of directory stream.
- -
loadfat(self, header)
Load the FAT table.
- -
loadfat_sect(self, sect)
Adds the indexes of the given sector to the FAT
-sect: string containing the first FAT sector, or array of long integers
-return: index of last FAT sector.
- -
loadminifat(self)
Load the MiniFAT table.
- -
open(self, filename)
Open an OLE2 file.
-Reads the header, FAT and directory.

-filename: string-like or file-like object
- -
openstream(self, filename)
Open a stream as a read-only file object (StringIO).

-filename: path of stream in storage tree (except root entry), either:
-    - a string using Unix path syntax, for example:
-      'storage_1/storage_1.2/stream'
-    - a list of storage filenames, path to the desired stream/storage.
-      Example: ['storage_1', 'storage_1.2', 'stream']
-return: file object (read-only)
-raise IOError if filename not found, or if this is not a stream.
- -
sect2array(self, sect)
convert a sector to an array of 32 bits unsigned integers,
-swapping bytes on big endian CPUs such as PowerPC (old Macs)
- -

- - - - - -
 
-Functions
       
isOleFile(filename)
Test if file is an OLE container (according to its header).
-filename: file name or path (str, unicode)
-return: True if OLE, False otherwise.
-

- - - - - -
 
-Data
       DEFECT_FATAL = 40
-DEFECT_INCORRECT = 30
-DEFECT_POTENTIAL = 20
-DEFECT_UNSURE = 10
-STGTY_EMPTY = 0
-STGTY_LOCKBYTES = 3
-STGTY_PROPERTY = 4
-STGTY_ROOT = 5
-STGTY_STORAGE = 1
-STGTY_STREAM = 2
-__all__ = ['OleFileIO', 'isOleFile', 'DEFECT_UNSURE', 'STGTY_STREAM', 'DEFECT_FATAL', 'STGTY_EMPTY', 'STGTY_LOCKBYTES', 'STGTY_STORAGE', 'STGTY_PROPERTY', 'DEFECT_INCORRECT', 'DEFECT_POTENTIAL', 'STGTY_ROOT']
-__author__ = 'Philippe Lagadec'
-__date__ = '2014-10-01'
-__version__ = '0.40py2'

- - - - - -
 
-Author
       Philippe Lagadec
-
\ No newline at end of file
diff --git a/oletools/thirdparty/olefile/olefile2.py b/oletools/thirdparty/olefile/olefile2.py
deleted file mode 100644
index c57a82b..0000000
--- a/oletools/thirdparty/olefile/olefile2.py
+++ /dev/null
@@ -1,2043 +0,0 @@
-#!/usr/local/bin/python
-# -*- coding: latin-1 -*-
-"""
-olefile2 (formerly OleFileIO_PL2) version 0.40py2 2014-10-01
-
-Module to read Microsoft OLE2 files (also called Structured Storage or
-Microsoft Compound Document File Format), such as Microsoft Office
-documents, Image Composer and FlashPix files, Outlook messages, ...
-
-IMPORTANT NOTE: olefile2 is an old version of olefile meant to be used
-as fallback for Python 2.5 and older. For Python 2.6, 2.7 and 3.x, please use
-olefile which is more up-to-date. The improvements in olefile might
-not always be backported to olefile2.
-
-Project website: http://www.decalage.info/python/olefileio
-
-olefile2 is copyright (c) 2005-2014 Philippe Lagadec (http://www.decalage.info)
-
-olefile2 is based on the OleFileIO module from the PIL library v1.1.6
-See: http://www.pythonware.com/products/pil/index.htm
-
-The Python Imaging Library (PIL) is
- Copyright (c) 1997-2005 by Secret Labs AB
- Copyright (c) 1995-2005 by Fredrik Lundh
-
-See source code and LICENSE.txt for information on usage and redistribution.
-"""
-
-__author__ = "Philippe Lagadec"
-__date__ = "2014-10-01"
-__version__ = '0.40py2'
-
-#--- LICENSE ------------------------------------------------------------------
-
-# olefile (formerly OleFileIO_PL) is copyright (c) 2005-2014 Philippe Lagadec
-# (http://www.decalage.info)
-#
-# All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without modification,
-# are permitted provided that the following conditions are met:
-#
-# * Redistributions of source code must retain the above copyright notice, this
-# list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above copyright notice,
-# this list of conditions and the following disclaimer in the documentation
-# and/or other materials provided with the distribution.
-#
-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
-# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
-# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-# ----------
-# PIL License:
-#
-# olefile is based on source code from the OleFileIO module of the Python
-# Imaging Library (PIL) published by Fredrik Lundh under the following license:
-
-# The Python Imaging Library (PIL) is
-# Copyright (c) 1997-2005 by Secret Labs AB
-# Copyright (c) 1995-2005 by Fredrik Lundh
-#
-# By obtaining, using, and/or copying this software and/or its associated
-# documentation, you agree that you have read, understood, and will comply with
-# the following terms and conditions:
-#
-# Permission to use, copy, modify, and distribute this software and its
-# associated documentation for any purpose and without fee is hereby granted,
-# provided that the above copyright notice appears in all copies, and that both
-# that copyright notice and this permission notice appear in supporting
-# documentation, and that the name of Secret Labs AB or the author(s) not be used
-# in advertising or publicity pertaining to distribution of the software
-# without specific, written prior permission.
-#
-# SECRET LABS AB AND THE AUTHORS DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS
-# SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS.
-# IN NO EVENT SHALL SECRET LABS AB OR THE AUTHORS BE LIABLE FOR ANY SPECIAL, -# INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR -# OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -# PERFORMANCE OF THIS SOFTWARE. - -#----------------------------------------------------------------------------- -# CHANGELOG: (only olefile/OleFileIO_PL changes compared to PIL 1.1.6) -# 2005-05-11 v0.10 PL: - a few fixes for Python 2.4 compatibility -# (all changes flagged with [PL]) -# 2006-02-22 v0.11 PL: - a few fixes for some Office 2003 documents which raise -# exceptions in _OleStream.__init__() -# 2006-06-09 v0.12 PL: - fixes for files above 6.8MB (DIFAT in loadfat) -# - added some constants -# - added header values checks -# - added some docstrings -# - getsect: bugfix in case sectors >512 bytes -# - getsect: added conformity checks -# - DEBUG_MODE constant to activate debug display -# 2007-09-04 v0.13 PL: - improved/translated (lots of) comments -# - updated license -# - converted tabs to 4 spaces -# 2007-11-19 v0.14 PL: - added OleFileIO._raise_defect() to adapt sensitivity -# - improved _unicode() to use Python 2.x unicode support -# - fixed bug in _OleDirectoryEntry -# 2007-11-25 v0.15 PL: - added safety checks to detect FAT loops -# - fixed _OleStream which didn't check stream size -# - added/improved many docstrings and comments -# - moved helper functions _unicode and _clsid out of -# OleFileIO class -# - improved OleFileIO._find() to add Unix path syntax -# - OleFileIO._find() is now case-insensitive -# - added get_type() and get_rootentry_name() -# - rewritten loaddirectory and _OleDirectoryEntry -# 2007-11-27 v0.16 PL: - added _OleDirectoryEntry.kids_dict -# - added detection of duplicate filenames in storages -# - added detection of duplicate references to streams -# - added get_size() and exists() to _OleDirectoryEntry -# - added 
isOleFile to check header before parsing -# - added __all__ list to control public keywords in pydoc -# 2007-12-04 v0.17 PL: - added _load_direntry to fix a bug in loaddirectory -# - improved _unicode(), added workarounds for Python <2.3 -# - added set_debug_mode and -d option to set debug mode -# - fixed bugs in OleFileIO.open and _OleDirectoryEntry -# - added safety check in main for large or binary -# properties -# - allow size>0 for storages for some implementations -# 2007-12-05 v0.18 PL: - fixed several bugs in handling of FAT, MiniFAT and -# streams -# - added option '-c' in main to check all streams -# 2009-12-10 v0.19 PL: - bugfix for 32 bit arrays on 64 bits platforms -# (thanks to Ben G. and Martijn for reporting the bug) -# 2009-12-11 v0.20 PL: - bugfix in OleFileIO.open when filename is not plain str -# 2010-01-22 v0.21 PL: - added support for big-endian CPUs such as PowerPC Macs -# 2012-02-16 v0.22 PL: - fixed bug in getproperties, patch by chuckleberryfinn -# (https://bitbucket.org/decalage/olefileio_pl/issue/7) -# - added close method to OleFileIO (fixed issue #2) -# 2012-07-25 v0.23 PL: - added support for file-like objects (patch by mete0r_kr) -# 2013-05-05 v0.24 PL: - getproperties: added conversion from filetime to python -# datetime -# - main: displays properties with date format -# - new class OleMetadata to parse standard properties -# - added get_metadata method -# 2013-05-07 v0.24 PL: - a few improvements in OleMetadata -# 2013-05-24 v0.25 PL: - getproperties: option to not convert some timestamps -# - OleMetaData: total_edit_time is now a number of seconds, -# not a timestamp -# - getproperties: added support for VT_BOOL, VT_INT, V_UINT -# - getproperties: filter out null chars from strings -# - getproperties: raise non-fatal defects instead of -# exceptions when properties cannot be parsed properly -# 2013-05-27 PL: - getproperties: improved exception handling -# - _raise_defect: added option to set exception type -# - all non-fatal 
issues are now recorded, and displayed -# when run as a script -# 2013-07-11 v0.26 PL: - added methods to get modification and creation times -# of a directory entry or a storage/stream -# - fixed parsing of direntry timestamps -# 2013-07-24 PL: - new options in listdir to list storages and/or streams -# 2014-07-18 v0.31 - preliminary support for 4K sectors -# 2014-09-26 v0.40 PL: - renamed OleFileIO_PL to olefile - -#----------------------------------------------------------------------------- -# TODO: -# + check if running on Python 2.6+, if so issue warning to use olefile - -#----------------------------------------------------------------------------- - -# -# THIS IS WORK IN PROGRESS -# -# The Python Imaging Library -# $Id: OleFileIO.py 2339 2005-03-25 08:02:17Z fredrik $ -# -# stuff to deal with OLE2 Structured Storage files. this module is -# used by PIL to read Image Composer and FlashPix files, but can also -# be used to read other files of this type. -# -# History: -# 1997-01-20 fl Created -# 1997-01-22 fl Fixed 64-bit portability quirk -# 2003-09-09 fl Fixed typo in OleFileIO.loadfat (noted by Daniel Haertle) -# 2004-02-29 fl Changed long hex constants to signed integers -# -# Notes: -# FIXME: sort out sign problem (eliminate long hex constants) -# FIXME: change filename to use "a/b/c" instead of ["a", "b", "c"] -# FIXME: provide a glob mechanism function (using fnmatchcase) -# -# Literature: -# -# "FlashPix Format Specification, Appendix A", Kodak and Microsoft, -# September 1996. -# -# Quotes: -# -# "If this document and functionality of the Software conflict, -# the actual functionality of the Software represents the correct -# functionality" -- Microsoft, in the OLE format specification -# -# Copyright (c) Secret Labs AB 1997. -# Copyright (c) Fredrik Lundh 1997. -# -# See the README file for information on usage and redistribution. 
-# - -#------------------------------------------------------------------------------ - -import string, StringIO, struct, array, os.path, sys, datetime - -#[PL] Define explicitly the public API to avoid private objects in pydoc: -__all__ = ['OleFileIO', 'isOleFile'] - -#[PL] workaround to fix an issue with array item size on 64 bits systems: -if array.array('L').itemsize == 4: - # on 32 bits platforms, long integers in an array are 32 bits: - UINT32 = 'L' -elif array.array('I').itemsize == 4: - # on 64 bits platforms, integers in an array are 32 bits: - UINT32 = 'I' -else: - raise ValueError, 'Need to fix a bug with 32 bit arrays, please contact author...' - - -#[PL] These workarounds were inspired from the Path module -# (see http://www.jorendorff.com/articles/python/path/) -#TODO: test with old Python versions - -# Pre-2.3 workaround for booleans -try: - True, False -except NameError: - True, False = 1, 0 - -# Pre-2.3 workaround for basestring. -try: - basestring -except NameError: - try: - # is Unicode supported (Python >2.0 or >1.6 ?) - basestring = (str, unicode) - except NameError: - basestring = str - -#[PL] Experimental setting: if True, OLE filenames will be kept in Unicode -# if False (default PIL behaviour), all filenames are converted to Latin-1. -KEEP_UNICODE_NAMES = False - -#[PL] DEBUG display mode: False by default, use set_debug_mode() or "-d" on -# command line to change it. -DEBUG_MODE = False -def debug_print(msg): - print msg -def debug_pass(msg): - pass -debug = debug_pass - -def set_debug_mode(debug_mode): - """ - Set debug mode on or off, to control display of debugging messages. 
- mode: True or False - """ - global DEBUG_MODE, debug - DEBUG_MODE = debug_mode - if debug_mode: - debug = debug_print - else: - debug = debug_pass - -#TODO: convert this to hex -MAGIC = '\320\317\021\340\241\261\032\341' - -#[PL]: added constants for Sector IDs (from AAF specifications) -MAXREGSECT = 0xFFFFFFFAL; # maximum SECT -DIFSECT = 0xFFFFFFFCL; # (-4) denotes a DIFAT sector in a FAT -FATSECT = 0xFFFFFFFDL; # (-3) denotes a FAT sector in a FAT -ENDOFCHAIN = 0xFFFFFFFEL; # (-2) end of a virtual stream chain -FREESECT = 0xFFFFFFFFL; # (-1) unallocated sector - -#[PL]: added constants for Directory Entry IDs (from AAF specifications) -MAXREGSID = 0xFFFFFFFAL; # maximum directory entry ID -NOSTREAM = 0xFFFFFFFFL; # (-1) unallocated directory entry - -#[PL] object types in storage (from AAF specifications) -STGTY_EMPTY = 0 # empty directory entry (according to OpenOffice.org doc) -STGTY_STORAGE = 1 # element is a storage object -STGTY_STREAM = 2 # element is a stream object -STGTY_LOCKBYTES = 3 # element is an ILockBytes object -STGTY_PROPERTY = 4 # element is an IPropertyStorage object -STGTY_ROOT = 5 # element is a root storage - - -# -# -------------------------------------------------------------------- -# property types - -VT_EMPTY=0; VT_NULL=1; VT_I2=2; VT_I4=3; VT_R4=4; VT_R8=5; VT_CY=6; -VT_DATE=7; VT_BSTR=8; VT_DISPATCH=9; VT_ERROR=10; VT_BOOL=11; -VT_VARIANT=12; VT_UNKNOWN=13; VT_DECIMAL=14; VT_I1=16; VT_UI1=17; -VT_UI2=18; VT_UI4=19; VT_I8=20; VT_UI8=21; VT_INT=22; VT_UINT=23; -VT_VOID=24; VT_HRESULT=25; VT_PTR=26; VT_SAFEARRAY=27; VT_CARRAY=28; -VT_USERDEFINED=29; VT_LPSTR=30; VT_LPWSTR=31; VT_FILETIME=64; -VT_BLOB=65; VT_STREAM=66; VT_STORAGE=67; VT_STREAMED_OBJECT=68; -VT_STORED_OBJECT=69; VT_BLOB_OBJECT=70; VT_CF=71; VT_CLSID=72; -VT_VECTOR=0x1000; - -# map property id to name (for debugging purposes) - -VT = {} -for keyword, var in vars().items(): - if keyword[:3] == "VT_": - VT[var] = keyword - -# -# 
-------------------------------------------------------------------- -# Some common document types (root.clsid fields) - -WORD_CLSID = "00020900-0000-0000-C000-000000000046" -#TODO: check Excel, PPT, ... - -#[PL]: Defect levels to classify parsing errors - see OleFileIO._raise_defect() -DEFECT_UNSURE = 10 # a case which looks weird, but not sure it's a defect -DEFECT_POTENTIAL = 20 # a potential defect -DEFECT_INCORRECT = 30 # an error according to specifications, but parsing - # can go on -DEFECT_FATAL = 40 # an error which cannot be ignored, parsing is - # impossible - -#[PL] add useful constants to __all__: -for key in vars().keys(): - if key.startswith('STGTY_') or key.startswith('DEFECT_'): - __all__.append(key) - - -#--- FUNCTIONS ---------------------------------------------------------------- - -def isOleFile (filename): - """ - Test if file is an OLE container (according to its header). - filename: file name or path (str, unicode) - return: True if OLE, False otherwise. - """ - f = open(filename, 'rb') - header = f.read(len(MAGIC)) - if header == MAGIC: - return True - else: - return False - - -#TODO: replace i16 and i32 with more readable struct.unpack equivalent -def i16(c, o = 0): - """ - Converts a 2-bytes (16 bits) string to an integer. - - c: string containing bytes to convert - o: offset of bytes to convert in string - """ - return ord(c[o])+(ord(c[o+1])<<8) - - -def i32(c, o = 0): - """ - Converts a 4-bytes (32 bits) string to an integer. - - c: string containing bytes to convert - o: offset of bytes to convert in string - """ - return int(ord(c[o])+(ord(c[o+1])<<8)+(ord(c[o+2])<<16)+(ord(c[o+3])<<24)) - # [PL]: added int() because "<<" gives long int since Python 2.4 - - -def _clsid(clsid): - """ - Converts a CLSID to a human-readable string. - clsid: string of length 16. 
- """ - assert len(clsid) == 16 - if clsid == "\0" * len(clsid): - return "" - return (("%08X-%04X-%04X-%02X%02X-" + "%02X" * 6) % - ((i32(clsid, 0), i16(clsid, 4), i16(clsid, 6)) + - tuple(map(ord, clsid[8:16])))) - - - -# UNICODE support for Old Python versions: -# (necessary to handle storages/streams names which use Unicode) - -try: - # is Unicode supported ? - unicode - - def _unicode(s, errors='replace'): - """ - Map unicode string to Latin 1. (Python with Unicode support) - - s: UTF-16LE unicode string to convert to Latin-1 - errors: 'replace', 'ignore' or 'strict'. See Python doc for unicode() - """ - #TODO: test if it OleFileIO works with Unicode strings, instead of - # converting to Latin-1. - try: - # First the string is converted to plain Unicode: - # (assuming it is encoded as UTF-16 little-endian) - u = s.decode('UTF-16LE', errors) - if KEEP_UNICODE_NAMES: - return u - else: - # Second the unicode string is converted to Latin-1 - return u.encode('latin_1', errors) - except: - # there was an error during Unicode to Latin-1 conversion: - raise IOError, 'incorrect Unicode name' - -except NameError: - def _unicode(s, errors='replace'): - """ - Map unicode string to Latin 1. (Python without native Unicode support) - - s: UTF-16LE unicode string to convert to Latin-1 - errors: 'replace', 'ignore' or 'strict'. (ignored in this version) - """ - # If the unicode function does not exist, we assume this is an old - # Python version without Unicode support. 
- # Null bytes are simply removed (this only works with usual Latin-1 - # strings which do not contain unicode characters>256): - return filter(ord, s) - - -def filetime2datetime(filetime): - """ - convert FILETIME (64 bits int) to Python datetime.datetime - """ - # TODO: manage exception when microseconds is too large - # inspired from http://code.activestate.com/recipes/511425-filetime-to-datetime/ - _FILETIME_null_date = datetime.datetime(1601, 1, 1, 0, 0, 0) - #debug('timedelta days=%d' % (filetime/(10*1000000*3600*24))) - return _FILETIME_null_date + datetime.timedelta(microseconds=filetime/10) - - - -#=== CLASSES ================================================================== - -class OleMetadata: - """ - class to parse and store metadata from standard properties of OLE files. - - Available attributes: - codepage, title, subject, author, keywords, comments, template, - last_saved_by, revision_number, total_edit_time, last_printed, create_time, - last_saved_time, num_pages, num_words, num_chars, thumbnail, - creating_application, security, codepage_doc, category, presentation_target, - bytes, lines, paragraphs, slides, notes, hidden_slides, mm_clips, - scale_crop, heading_pairs, titles_of_parts, manager, company, links_dirty, - chars_with_spaces, unused, shared_doc, link_base, hlinks, hlinks_changed, - version, dig_sig, content_type, content_status, language, doc_version - - Note: an attribute is set to None when not present in the properties of the - OLE file. 
- - References for SummaryInformation stream: - - http://msdn.microsoft.com/en-us/library/dd942545.aspx - - http://msdn.microsoft.com/en-us/library/dd925819%28v=office.12%29.aspx - - http://msdn.microsoft.com/en-us/library/windows/desktop/aa380376%28v=vs.85%29.aspx - - http://msdn.microsoft.com/en-us/library/aa372045.aspx - - http://sedna-soft.de/summary-information-stream/ - - http://poi.apache.org/apidocs/org/apache/poi/hpsf/SummaryInformation.html - - References for DocumentSummaryInformation stream: - - http://msdn.microsoft.com/en-us/library/dd945671%28v=office.12%29.aspx - - http://msdn.microsoft.com/en-us/library/windows/desktop/aa380374%28v=vs.85%29.aspx - - http://poi.apache.org/apidocs/org/apache/poi/hpsf/DocumentSummaryInformation.html - - new in version 0.25 - """ - - # attribute names for SummaryInformation stream properties: - # (ordered by property id, starting at 1) - SUMMARY_ATTRIBS = ['codepage', 'title', 'subject', 'author', 'keywords', 'comments', - 'template', 'last_saved_by', 'revision_number', 'total_edit_time', - 'last_printed', 'create_time', 'last_saved_time', 'num_pages', - 'num_words', 'num_chars', 'thumbnail', 'creating_application', - 'security'] - - # attribute names for DocumentSummaryInformation stream properties: - # (ordered by property id, starting at 1) - DOCSUM_ATTRIBS = ['codepage_doc', 'category', 'presentation_target', 'bytes', 'lines', 'paragraphs', - 'slides', 'notes', 'hidden_slides', 'mm_clips', - 'scale_crop', 'heading_pairs', 'titles_of_parts', 'manager', - 'company', 'links_dirty', 'chars_with_spaces', 'unused', 'shared_doc', - 'link_base', 'hlinks', 'hlinks_changed', 'version', 'dig_sig', - 'content_type', 'content_status', 'language', 'doc_version'] - - def __init__(self): - """ - Constructor for OleMetadata - All attributes are set to None by default - """ - # properties from SummaryInformation stream - self.codepage = None - self.title = None - self.subject = None - self.author = None - self.keywords = None - 
self.comments = None - self.template = None - self.last_saved_by = None - self.revision_number = None - self.total_edit_time = None - self.last_printed = None - self.create_time = None - self.last_saved_time = None - self.num_pages = None - self.num_words = None - self.num_chars = None - self.thumbnail = None - self.creating_application = None - self.security = None - # properties from DocumentSummaryInformation stream - self.codepage_doc = None - self.category = None - self.presentation_target = None - self.bytes = None - self.lines = None - self.paragraphs = None - self.slides = None - self.notes = None - self.hidden_slides = None - self.mm_clips = None - self.scale_crop = None - self.heading_pairs = None - self.titles_of_parts = None - self.manager = None - self.company = None - self.links_dirty = None - self.chars_with_spaces = None - self.unused = None - self.shared_doc = None - self.link_base = None - self.hlinks = None - self.hlinks_changed = None - self.version = None - self.dig_sig = None - self.content_type = None - self.content_status = None - self.language = None - self.doc_version = None - - - def parse_properties(self, olefile): - """ - Parse standard properties of an OLE file, from the streams - "\x05SummaryInformation" and "\x05DocumentSummaryInformation", - if present. - Properties are converted to strings, integers or python datetime objects. - If a property is not present, its value is set to None. 
- """ - # first set all attributes to None: - for attrib in (self.SUMMARY_ATTRIBS + self.DOCSUM_ATTRIBS): - setattr(self, attrib, None) - if olefile.exists("\x05SummaryInformation"): - # get properties from the stream: - # (converting timestamps to python datetime, except total_edit_time, - # which is property #10) - props = olefile.getproperties("\x05SummaryInformation", - convert_time=True, no_conversion=[10]) - # store them into this object's attributes: - for i in range(len(self.SUMMARY_ATTRIBS)): - # ids for standards properties start at 0x01, until 0x13 - value = props.get(i+1, None) - setattr(self, self.SUMMARY_ATTRIBS[i], value) - if olefile.exists("\x05DocumentSummaryInformation"): - # get properties from the stream: - props = olefile.getproperties("\x05DocumentSummaryInformation", - convert_time=True) - # store them into this object's attributes: - for i in range(len(self.DOCSUM_ATTRIBS)): - # ids for standards properties start at 0x01, until 0x13 - value = props.get(i+1, None) - setattr(self, self.DOCSUM_ATTRIBS[i], value) - - def dump(self): - """ - Dump all metadata, for debugging purposes. - """ - print 'Properties from SummaryInformation stream:' - for prop in self.SUMMARY_ATTRIBS: - value = getattr(self, prop) - print '- %s: %s' % (prop, repr(value)) - print 'Properties from DocumentSummaryInformation stream:' - for prop in self.DOCSUM_ATTRIBS: - value = getattr(self, prop) - print '- %s: %s' % (prop, repr(value)) - - -#--- _OleStream --------------------------------------------------------------- - -class _OleStream(StringIO.StringIO): - """ - OLE2 Stream - - Returns a read-only file object which can be used to read - the contents of a OLE stream (instance of the StringIO class). - To open a stream, use the openstream method in the OleFile class. - - This function can be used with either ordinary streams, - or ministreams, depending on the offset, sectorsize, and - fat table arguments. 
- - Attributes: - - size: actual size of data stream, after it was opened. - """ - - # FIXME: should store the list of sects obtained by following - # the fat chain, and load new sectors on demand instead of - # loading it all in one go. - - def __init__(self, fp, sect, size, offset, sectorsize, fat, filesize): - """ - Constructor for _OleStream class. - - fp : file object, the OLE container or the MiniFAT stream - sect : sector index of first sector in the stream - size : total size of the stream - offset : offset in bytes for the first FAT or MiniFAT sector - sectorsize: size of one sector - fat : array/list of sector indexes (FAT or MiniFAT) - filesize : size of OLE file (for debugging) - return : a StringIO instance containing the OLE stream - """ - debug('_OleStream.__init__:') - debug(' sect=%d (%X), size=%d, offset=%d, sectorsize=%d, len(fat)=%d, fp=%s' - %(sect,sect,size,offset,sectorsize,len(fat), repr(fp))) - #[PL] To detect malformed documents with FAT loops, we compute the - # expected number of sectors in the stream: - unknown_size = False - if size==0x7FFFFFFF: - # this is the case when called from OleFileIO._open(), and stream - # size is not known in advance (for example when reading the - # Directory stream). Then we can only guess maximum size: - size = len(fat)*sectorsize - # and we keep a record that size was unknown: - unknown_size = True - debug(' stream with UNKNOWN SIZE') - nb_sectors = (size + (sectorsize-1)) / sectorsize - debug('nb_sectors = %d' % nb_sectors) - # This number should (at least) be less than the total number of - # sectors in the given FAT: - if nb_sectors > len(fat): - raise IOError, 'malformed OLE document, stream too large' - # optimization(?): data is first a list of strings, and join() is called - # at the end to concatenate all in one string. 
- # (this may not be really useful with recent Python versions) - data = [] - # if size is zero, then first sector index should be ENDOFCHAIN: - if size == 0 and sect != ENDOFCHAIN: - debug('size == 0 and sect != ENDOFCHAIN:') - raise IOError, 'incorrect OLE sector index for empty stream' - #[PL] A fixed-length for loop is used instead of an undefined while - # loop to avoid DoS attacks: - for i in xrange(nb_sectors): - # Sector index may be ENDOFCHAIN, but only if size was unknown - if sect == ENDOFCHAIN: - if unknown_size: - break - else: - # else this means that the stream is smaller than declared: - debug('sect=ENDOFCHAIN before expected size') - raise IOError, 'incomplete OLE stream' - # sector index should be within FAT: - if sect<0 or sect>=len(fat): - debug('sect=%d (%X) / len(fat)=%d' % (sect, sect, len(fat))) - debug('i=%d / nb_sectors=%d' %(i, nb_sectors)) -## tmp_data = string.join(data, "") -## f = open('test_debug.bin', 'wb') -## f.write(tmp_data) -## f.close() -## debug('data read so far: %d bytes' % len(tmp_data)) - raise IOError, 'incorrect OLE FAT, sector index out of range' - #TODO: merge this code with OleFileIO.getsect() ? - #TODO: check if this works with 4K sectors: - try: - fp.seek(offset + sectorsize * sect) - except: - debug('sect=%d, seek=%d, filesize=%d' % - (sect, offset+sectorsize*sect, filesize)) - raise IOError, 'OLE sector index out of range' - sector_data = fp.read(sectorsize) - # [PL] check if there was enough data: - # Note: if sector is the last of the file, sometimes it is not a - # complete sector (of 512 or 4K), so we may read less than - # sectorsize. 
- if len(sector_data)!=sectorsize and sect!=(len(fat)-1): - debug('sect=%d / len(fat)=%d, seek=%d / filesize=%d, len read=%d' % - (sect, len(fat), offset+sectorsize*sect, filesize, len(sector_data))) - debug('seek+len(read)=%d' % (offset+sectorsize*sect+len(sector_data))) - raise IOError, 'incomplete OLE sector' - data.append(sector_data) - # jump to next sector in the FAT: - try: - sect = fat[sect] - except IndexError: - # [PL] if pointer is out of the FAT an exception is raised - raise IOError, 'incorrect OLE FAT, sector index out of range' - #[PL] Last sector should be a "end of chain" marker: - if sect != ENDOFCHAIN: - raise IOError, 'incorrect last sector index in OLE stream' - data = string.join(data, "") - # Data is truncated to the actual stream size: - if len(data) >= size: - data = data[:size] - # actual stream size is stored for future use: - self.size = size - elif unknown_size: - # actual stream size was not known, now we know the size of read - # data: - self.size = len(data) - else: - # read data is less than expected: - debug('len(data)=%d, size=%d' % (len(data), size)) - raise IOError, 'OLE stream size is less than declared' - # when all data is read in memory, StringIO constructor is called - StringIO.StringIO.__init__(self, data) - # Then the _OleStream object can be used as a read-only file object. 
- - -#--- _OleDirectoryEntry ------------------------------------------------------- - -class _OleDirectoryEntry: - - """ - OLE2 Directory Entry - """ - #[PL] parsing code moved from OleFileIO.loaddirectory - - # struct to parse directory entries: - # <: little-endian byte order, standard sizes - # (note: this should guarantee that Q returns a 64 bits int) - # 64s: string containing entry name in unicode (max 31 chars) + null char - # H: uint16, number of bytes used in name buffer, including null = (len+1)*2 - # B: uint8, dir entry type (between 0 and 5) - # B: uint8, color: 0=black, 1=red - # I: uint32, index of left child node in the red-black tree, NOSTREAM if none - # I: uint32, index of right child node in the red-black tree, NOSTREAM if none - # I: uint32, index of child root node if it is a storage, else NOSTREAM - # 16s: CLSID, unique identifier (only used if it is a storage) - # I: uint32, user flags - # Q (was 8s): uint64, creation timestamp or zero - # Q (was 8s): uint64, modification timestamp or zero - # I: uint32, SID of first sector if stream or ministream, SID of 1st sector - # of stream containing ministreams if root entry, 0 otherwise - # I: uint32, total stream size in bytes if stream (low 32 bits), 0 otherwise - # I: uint32, total stream size in bytes if stream (high 32 bits), 0 otherwise - STRUCT_DIRENTRY = '<64sHBBIII16sIQQIII' - # size of a directory entry: 128 bytes - DIRENTRY_SIZE = 128 - assert struct.calcsize(STRUCT_DIRENTRY) == DIRENTRY_SIZE - - - def __init__(self, entry, sid, olefile): - """ - Constructor for an _OleDirectoryEntry object. - Parses a 128-bytes entry from the OLE Directory stream. 
- - entry : string (must be 128 bytes long) - sid : index of this directory entry in the OLE file directory - olefile: OleFileIO containing this directory entry - """ - self.sid = sid - # ref to olefile is stored for future use - self.olefile = olefile - # kids is a list of children entries, if this entry is a storage: - # (list of _OleDirectoryEntry objects) - self.kids = [] - # kids_dict is a dictionary of children entries, indexed by their - # name in lowercase: used to quickly find an entry, and to detect - # duplicates - self.kids_dict = {} - # flag used to detect if the entry is referenced more than once in - # directory: - self.used = False - # decode DirEntry - ( - name, - namelength, - self.entry_type, - self.color, - self.sid_left, - self.sid_right, - self.sid_child, - clsid, - self.dwUserFlags, - self.createTime, - self.modifyTime, - self.isectStart, - sizeLow, - sizeHigh - ) = struct.unpack(_OleDirectoryEntry.STRUCT_DIRENTRY, entry) - if self.entry_type not in [STGTY_ROOT, STGTY_STORAGE, STGTY_STREAM, STGTY_EMPTY]: - olefile._raise_defect(DEFECT_INCORRECT, 'unhandled OLE storage type') - # only first directory entry can (and should) be root: - if self.entry_type == STGTY_ROOT and sid != 0: - olefile._raise_defect(DEFECT_INCORRECT, 'duplicate OLE root entry') - if sid == 0 and self.entry_type != STGTY_ROOT: - olefile._raise_defect(DEFECT_INCORRECT, 'incorrect OLE root entry') - #debug (struct.unpack(fmt_entry, entry[:len_entry])) - # name should be at most 31 unicode characters + null character, - # so 64 bytes in total (31*2 + 2): - if namelength>64: - olefile._raise_defect(DEFECT_INCORRECT, 'incorrect DirEntry name length') - # if exception not raised, namelength is set to the maximum value: - namelength = 64 - # only characters without ending null char are kept: - name = name[:(namelength-2)] - # name is converted from unicode to Latin-1: - self.name = _unicode(name) - - debug('DirEntry SID=%d: %s' % (self.sid, repr(self.name))) - debug(' - type: %d' 
% self.entry_type) - debug(' - sect: %d' % self.isectStart) - debug(' - SID left: %d, right: %d, child: %d' % (self.sid_left, - self.sid_right, self.sid_child)) - - # sizeHigh is only used for 4K sectors, it should be zero for 512 bytes - # sectors, BUT apparently some implementations set it as 0xFFFFFFFFL, 1 - # or some other value so it cannot be raised as a defect in general: - if olefile.sectorsize == 512: - if sizeHigh != 0 and sizeHigh != 0xFFFFFFFFL: - debug('sectorsize=%d, sizeLow=%d, sizeHigh=%d (%X)' % - (olefile.sectorsize, sizeLow, sizeHigh, sizeHigh)) - olefile._raise_defect(DEFECT_UNSURE, 'incorrect OLE stream size') - self.size = sizeLow - else: - self.size = sizeLow + (long(sizeHigh)<<32) - debug(' - size: %d (sizeLow=%d, sizeHigh=%d)' % (self.size, sizeLow, sizeHigh)) - - self.clsid = _clsid(clsid) - # a storage should have a null size, BUT some implementations such as - # Word 8 for Mac seem to allow non-null values => Potential defect: - if self.entry_type == STGTY_STORAGE and self.size != 0: - olefile._raise_defect(DEFECT_POTENTIAL, 'OLE storage with size>0') - # check if stream is not already referenced elsewhere: - if self.entry_type in (STGTY_ROOT, STGTY_STREAM) and self.size>0: - if self.size < olefile.minisectorcutoff \ - and self.entry_type==STGTY_STREAM: # only streams can be in MiniFAT - # ministream object - minifat = True - else: - minifat = False - olefile._check_duplicate_stream(self.isectStart, minifat) - - - - def build_storage_tree(self): - """ - Read and build the red-black tree attached to this _OleDirectoryEntry - object, if it is a storage. - Note that this method builds a tree of all subentries, so it should - only be called for the root object once. - """ - debug('build_storage_tree: SID=%d - %s - sid_child=%d' - % (self.sid, repr(self.name), self.sid_child)) - if self.sid_child != NOSTREAM: - # if child SID is not NOSTREAM, then this entry is a storage. 
- # Let's walk through the tree of children to fill the kids list: - self.append_kids(self.sid_child) - - # Note from OpenOffice documentation: the safest way is to - # recreate the tree because some implementations may store broken - # red-black trees... - - # in the OLE file, entries are sorted on (length, name). - # for convenience, we sort them on name instead: - # (see __cmp__ method in this class) - self.kids.sort() - - - def append_kids(self, child_sid): - """ - Walk through red-black tree of children of this directory entry to add - all of them to the kids list. (recursive method) - - child_sid : index of child directory entry to use, or None when called - first time for the root. (only used during recursion) - """ - #[PL] this method was added to use simple recursion instead of a complex - # algorithm. - # if this is not a storage or a leaf of the tree, nothing to do: - if child_sid == NOSTREAM: - return - # check if child SID is in the proper range: - if child_sid<0 or child_sid>=len(self.olefile.direntries): - self.olefile._raise_defect(DEFECT_FATAL, 'OLE DirEntry index out of range') - # get child direntry: - child = self.olefile._load_direntry(child_sid) #direntries[child_sid] - debug('append_kids: child_sid=%d - %s - sid_left=%d, sid_right=%d, sid_child=%d' - % (child.sid, repr(child.name), child.sid_left, child.sid_right, child.sid_child)) - # the directory entries are organized as a red-black tree. - # (cf. 
Wikipedia for details) - # First walk through left side of the tree: - self.append_kids(child.sid_left) - # Check if its name is not already used (case-insensitive): - name_lower = child.name.lower() - if self.kids_dict.has_key(name_lower): - self.olefile._raise_defect(DEFECT_INCORRECT, - "Duplicate filename in OLE storage") - # Then the child_sid _OleDirectoryEntry object is appended to the - # kids list and dictionary: - self.kids.append(child) - self.kids_dict[name_lower] = child - # Check if kid was not already referenced in a storage: - if child.used: - self.olefile._raise_defect(DEFECT_INCORRECT, - 'OLE Entry referenced more than once') - child.used = True - # Finally walk through right side of the tree: - self.append_kids(child.sid_right) - # Afterwards build kid's own tree if it's also a storage: - child.build_storage_tree() - - - def __cmp__(self, other): - "Compare entries by name" - return cmp(self.name, other.name) - #TODO: replace by the same function as MS implementation ? - # (order by name length first, then case-insensitive order) - - - def dump(self, tab = 0): - "Dump this entry, and all its subentries (for debug purposes only)" - TYPES = ["(invalid)", "(storage)", "(stream)", "(lockbytes)", - "(property)", "(root)"] - print " "*tab + repr(self.name), TYPES[self.entry_type], - if self.entry_type in (STGTY_STREAM, STGTY_ROOT): - print self.size, "bytes", - print - if self.entry_type in (STGTY_STORAGE, STGTY_ROOT) and self.clsid: - print " "*tab + "{%s}" % self.clsid - - for kid in self.kids: - kid.dump(tab + 2) - - - def getmtime(self): - """ - Return modification time of a directory entry. - - return: None if modification time is null, a python datetime object - otherwise (UTC timezone) - - new in version 0.26 - """ - if self.modifyTime == 0: - return None - return filetime2datetime(self.modifyTime) - - - def getctime(self): - """ - Return creation time of a directory entry. 
- - return: None if modification time is null, a python datetime object - otherwise (UTC timezone) - - new in version 0.26 - """ - if self.createTime == 0: - return None - return filetime2datetime(self.createTime) - - -#--- OleFileIO ---------------------------------------------------------------- - -class OleFileIO: - """ - OLE container object - - This class encapsulates the interface to an OLE 2 structured - storage file. Use the {@link listdir} and {@link openstream} methods to - access the contents of this file. - - Object names are given as a list of strings, one for each subentry - level. The root entry should be omitted. For example, the following - code extracts all image streams from a Microsoft Image Composer file: - - ole = OleFileIO("fan.mic") - - for entry in ole.listdir(): - if entry[1:2] == "Image": - fin = ole.openstream(entry) - fout = open(entry[0:1], "wb") - while True: - s = fin.read(8192) - if not s: - break - fout.write(s) - - You can use the viewer application provided with the Python Imaging - Library to view the resulting files (which happens to be standard - TIFF files). - """ - - def __init__(self, filename = None, raise_defects=DEFECT_FATAL): - """ - Constructor for OleFileIO class. - - filename: file to open. - raise_defects: minimal level for defects to be raised as exceptions. - (use DEFECT_FATAL for a typical application, DEFECT_INCORRECT for a - security-oriented application, see source code for details) - """ - # minimal level for defects to be raised as exceptions: - self._raise_defects_level = raise_defects - # list of defects/issues not raised as exceptions: - # tuples of (exception type, message) - self.parsing_issues = [] - if filename: - self.open(filename) - - - def _raise_defect(self, defect_level, message, exception_type=IOError): - """ - This method should be called for any defect found during file parsing. - It may raise an IOError exception according to the minimal level chosen - for the OleFileIO object. 
- - defect_level: defect level, possible values are: - DEFECT_UNSURE : a case which looks weird, but not sure it's a defect - DEFECT_POTENTIAL : a potential defect - DEFECT_INCORRECT : an error according to specifications, but parsing can go on - DEFECT_FATAL : an error which cannot be ignored, parsing is impossible - message: string describing the defect, used with raised exception. - exception_type: exception class to be raised, IOError by default - """ - # added by [PL] - if defect_level >= self._raise_defects_level: - raise exception_type, message - else: - # just record the issue, no exception raised: - self.parsing_issues.append((exception_type, message)) - - - def open(self, filename): - """ - Open an OLE2 file. - Reads the header, FAT and directory. - - filename: string-like or file-like object - """ - #[PL] check if filename is a string-like or file-like object: - # (it is better to check for a read() method) - if hasattr(filename, 'read'): - # file-like object - self.fp = filename - else: - # string-like object: filename of file on disk - #TODO: if larger than 1024 bytes, this could be the actual data => StringIO - self.fp = open(filename, "rb") - # old code fails if filename is not a plain string: - #if type(filename) == type(""): - # self.fp = open(filename, "rb") - #else: - # self.fp = filename - # obtain the filesize by using seek and tell, which should work on most - # file-like objects: - #TODO: do it above, using getsize with filename when possible? 
- #TODO: fix code to fail with clear exception when filesize cannot be obtained - self.fp.seek(0, os.SEEK_END) - try: - filesize = self.fp.tell() - finally: - self.fp.seek(0) - self._filesize = filesize - - # lists of streams in FAT and MiniFAT, to detect duplicate references - # (list of indexes of first sectors of each stream) - self._used_streams_fat = [] - self._used_streams_minifat = [] - - header = self.fp.read(512) - - if len(header) != 512 or header[:8] != MAGIC: - self._raise_defect(DEFECT_FATAL, "not an OLE2 structured storage file") - - # [PL] header structure according to AAF specifications: - ##Header - ##struct StructuredStorageHeader { // [offset from start (bytes), length (bytes)] - ##BYTE _abSig[8]; // [00H,08] {0xd0, 0xcf, 0x11, 0xe0, 0xa1, 0xb1, - ## // 0x1a, 0xe1} for current version - ##CLSID _clsid; // [08H,16] reserved must be zero (WriteClassStg/ - ## // GetClassFile uses root directory class id) - ##USHORT _uMinorVersion; // [18H,02] minor version of the format: 33 is - ## // written by reference implementation - ##USHORT _uDllVersion; // [1AH,02] major version of the dll/format: 3 for - ## // 512-byte sectors, 4 for 4 KB sectors - ##USHORT _uByteOrder; // [1CH,02] 0xFFFE: indicates Intel byte-ordering - ##USHORT _uSectorShift; // [1EH,02] size of sectors in power-of-two; - ## // typically 9 indicating 512-byte sectors - ##USHORT _uMiniSectorShift; // [20H,02] size of mini-sectors in power-of-two; - ## // typically 6 indicating 64-byte mini-sectors - ##USHORT _usReserved; // [22H,02] reserved, must be zero - ##ULONG _ulReserved1; // [24H,04] reserved, must be zero - ##FSINDEX _csectDir; // [28H,04] must be zero for 512-byte sectors, - ## // number of SECTs in directory chain for 4 KB - ## // sectors - ##FSINDEX _csectFat; // [2CH,04] number of SECTs in the FAT chain - ##SECT _sectDirStart; // [30H,04] first SECT in the directory chain - ##DFSIGNATURE _signature; // [34H,04] signature used for transactions; must - ## // be zero. 
The reference implementation - ## // does not support transactions - ##ULONG _ulMiniSectorCutoff; // [38H,04] maximum size for a mini stream; - ## // typically 4096 bytes - ##SECT _sectMiniFatStart; // [3CH,04] first SECT in the MiniFAT chain - ##FSINDEX _csectMiniFat; // [40H,04] number of SECTs in the MiniFAT chain - ##SECT _sectDifStart; // [44H,04] first SECT in the DIFAT chain - ##FSINDEX _csectDif; // [48H,04] number of SECTs in the DIFAT chain - ##SECT _sectFat[109]; // [4CH,436] the SECTs of first 109 FAT sectors - ##}; - - # [PL] header decoding: - # '<' indicates little-endian byte ordering for Intel (cf. struct module help) - fmt_header = '<8s16sHHHHHHLLLLLLLLLL' - header_size = struct.calcsize(fmt_header) - debug( "fmt_header size = %d, +FAT = %d" % (header_size, header_size + 109*4) ) - header1 = header[:header_size] - ( - self.Sig, - self.clsid, - self.MinorVersion, - self.DllVersion, - self.ByteOrder, - self.SectorShift, - self.MiniSectorShift, - self.Reserved, self.Reserved1, - self.csectDir, - self.csectFat, - self.sectDirStart, - self.signature, - self.MiniSectorCutoff, - self.MiniFatStart, - self.csectMiniFat, - self.sectDifStart, - self.csectDif - ) = struct.unpack(fmt_header, header1) - debug( struct.unpack(fmt_header, header1)) - - if self.Sig != '\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1': - # OLE signature should always be present - self._raise_defect(DEFECT_FATAL, "incorrect OLE signature") - if self.clsid != '\x00'*16: - # according to AAF specs, CLSID should always be zero - self._raise_defect(DEFECT_INCORRECT, "incorrect CLSID in OLE header") - debug( "MinorVersion = %d" % self.MinorVersion ) - debug( "DllVersion = %d" % self.DllVersion ) - if self.DllVersion not in [3, 4]: - # version 3: usual format, 512 bytes per sector - # version 4: large format, 4K per sector - self._raise_defect(DEFECT_INCORRECT, "incorrect DllVersion in OLE header") - debug( "ByteOrder = %X" % self.ByteOrder ) - if self.ByteOrder != 0xFFFE: - # For now only common 
little-endian documents are handled correctly - self._raise_defect(DEFECT_FATAL, "incorrect ByteOrder in OLE header") - # TODO: add big-endian support for documents created on Mac ? - self.SectorSize = 2**self.SectorShift - debug( "sector_size = %d" % self.SectorSize ) - if self.SectorSize not in [512, 4096]: - self._raise_defect(DEFECT_INCORRECT, "incorrect sector_size in OLE header") - if (self.DllVersion==3 and self.SectorSize!=512) \ - or (self.DllVersion==4 and self.SectorSize!=4096): - self._raise_defect(DEFECT_INCORRECT, "sector_size does not match DllVersion in OLE header") - self.MiniSectorSize = 2**self.MiniSectorShift - debug( "mini_sector_size = %d" % self.MiniSectorSize ) - if self.MiniSectorSize not in [64]: - self._raise_defect(DEFECT_INCORRECT, "incorrect mini_sector_size in OLE header") - if self.Reserved != 0 or self.Reserved1 != 0: - self._raise_defect(DEFECT_INCORRECT, "incorrect OLE header (non-null reserved bytes)") - debug( "csectDir = %d" % self.csectDir ) - if self.SectorSize==512 and self.csectDir!=0: - self._raise_defect(DEFECT_INCORRECT, "incorrect csectDir in OLE header") - debug( "num_fat_sectors = %d" % self.csectFat ) - debug( "first_dir_sector = %X" % self.sectDirStart ) - debug( "transaction_signature_number = %d" % self.signature ) - # Signature should be zero, BUT some implementations do not follow this - # rule => only a potential defect: - if self.signature != 0: - self._raise_defect(DEFECT_POTENTIAL, "incorrect OLE header (transaction_signature_number>0)") - debug( "mini_stream_cutoff_size = %d" % self.MiniSectorCutoff ) - debug( "first_mini_fat_sector = %X" % self.MiniFatStart ) - debug( "num_mini_fat_sectors = %d" % self.csectMiniFat ) - debug( "first_difat_sector = %X" % self.sectDifStart ) - debug( "num_difat_sectors = %d" % self.csectDif ) - - # calculate the number of sectors in the file - # (-1 because header doesn't count) - self.nb_sect = ( (filesize + self.SectorSize-1) / self.SectorSize) - 1 - debug( "Number of 
sectors in the file: %d" % self.nb_sect ) - - # file clsid (probably never used, so we don't store it) - clsid = _clsid(header[8:24]) - self.sectorsize = self.SectorSize #1 << i16(header, 30) - self.minisectorsize = self.MiniSectorSize #1 << i16(header, 32) - self.minisectorcutoff = self.MiniSectorCutoff # i32(header, 56) - - # check known streams for duplicate references (these are always in FAT, - # never in MiniFAT): - self._check_duplicate_stream(self.sectDirStart) - # check MiniFAT only if it is not empty: - if self.csectMiniFat: - self._check_duplicate_stream(self.MiniFatStart) - # check DIFAT only if it is not empty: - if self.csectDif: - self._check_duplicate_stream(self.sectDifStart) - - # Load file allocation tables - self.loadfat(header) - # Load direcory. This sets both the direntries list (ordered by sid) - # and the root (ordered by hierarchy) members. - self.loaddirectory(self.sectDirStart)#i32(header, 48)) - self.ministream = None - self.minifatsect = self.MiniFatStart #i32(header, 60) - - - def close(self): - """ - close the OLE file, to release the file object - """ - self.fp.close() - - - def _check_duplicate_stream(self, first_sect, minifat=False): - """ - Checks if a stream has not been already referenced elsewhere. - This method should only be called once for each known stream, and only - if stream size is not null. - first_sect: index of first sector of the stream in FAT - minifat: if True, stream is located in the MiniFAT, else in the FAT - """ - if minifat: - debug('_check_duplicate_stream: sect=%d in MiniFAT' % first_sect) - used_streams = self._used_streams_minifat - else: - debug('_check_duplicate_stream: sect=%d in FAT' % first_sect) - # some values can be safely ignored (not a real stream): - if first_sect in (DIFSECT,FATSECT,ENDOFCHAIN,FREESECT): - return - used_streams = self._used_streams_fat - #TODO: would it be more efficient using a dict or hash values, instead - # of a list of long ? 
- if first_sect in used_streams: - self._raise_defect(DEFECT_INCORRECT, 'Stream referenced twice') - else: - used_streams.append(first_sect) - - - def dumpfat(self, fat, firstindex=0): - "Displays a part of FAT in human-readable form for debugging purpose" - # [PL] added only for debug - if not DEBUG_MODE: - return - # dictionary to convert special FAT values in human-readable strings - VPL=8 # valeurs par ligne (8+1 * 8+1 = 81) - fatnames = { - FREESECT: "..free..", - ENDOFCHAIN: "[ END. ]", - FATSECT: "FATSECT ", - DIFSECT: "DIFSECT " - } - nbsect = len(fat) - nlines = (nbsect+VPL-1)/VPL - print "index", - for i in range(VPL): - print ("%8X" % i), - print "" - for l in range(nlines): - index = l*VPL - print ("%8X:" % (firstindex+index)), - for i in range(index, index+VPL): - if i>=nbsect: - break - sect = fat[i] - if sect in fatnames: - nom = fatnames[sect] - else: - if sect == i+1: - nom = " --->" - else: - nom = "%8X" % sect - print nom, - print "" - - - def dumpsect(self, sector, firstindex=0): - "Displays a sector in a human-readable form, for debugging purpose." 
- if not DEBUG_MODE: - return - VPL=8 # number of values per line (8+1 * 8+1 = 81) - tab = array.array(UINT32, sector) - nbsect = len(tab) - nlines = (nbsect+VPL-1)/VPL - print "index", - for i in range(VPL): - print ("%8X" % i), - print "" - for l in range(nlines): - index = l*VPL - print ("%8X:" % (firstindex+index)), - for i in range(index, index+VPL): - if i>=nbsect: - break - sect = tab[i] - nom = "%8X" % sect - print nom, - print "" - - def sect2array(self, sect): - """ - convert a sector to an array of 32 bits unsigned integers, - swapping bytes on big endian CPUs such as PowerPC (old Macs) - """ - a = array.array(UINT32, sect) - # if CPU is big endian, swap bytes: - if sys.byteorder == 'big': - a.byteswap() - return a - - - def loadfat_sect(self, sect): - """ - Adds the indexes of the given sector to the FAT - sect: string containing the first FAT sector, or array of long integers - return: index of last FAT sector. - """ - # a FAT sector is an array of ulong integers. - if isinstance(sect, array.array): - # if sect is already an array it is directly used - fat1 = sect - else: - # if it's a raw sector, it is parsed in an array - fat1 = self.sect2array(sect) - self.dumpsect(sect) - # The FAT is a sector chain starting at the first index of itself. - for isect in fat1: - #print "isect = %X" % isect - if isect == ENDOFCHAIN or isect == FREESECT: - # the end of the sector chain has been reached - break - # read the FAT sector - s = self.getsect(isect) - # parse it as an array of 32 bits integers, and add it to the - # global FAT array - nextfat = self.sect2array(s) - self.fat = self.fat + nextfat - return isect - - - def loadfat(self, header): - """ - Load the FAT table. - """ - # The header contains a sector numbers - # for the first 109 FAT sectors. 
Additional sectors are - # described by DIF blocks - - sect = header[76:512] - debug( "len(sect)=%d, so %d integers" % (len(sect), len(sect)/4) ) - #fat = [] - # [PL] FAT is an array of 32 bits unsigned ints, it's more effective - # to use an array than a list in Python. - # It's initialized as empty first: - self.fat = array.array(UINT32) - self.loadfat_sect(sect) - #self.dumpfat(self.fat) -## for i in range(0, len(sect), 4): -## ix = i32(sect, i) -## #[PL] if ix == -2 or ix == -1: # ix == 0xFFFFFFFEL or ix == 0xFFFFFFFFL: -## if ix == 0xFFFFFFFEL or ix == 0xFFFFFFFFL: -## break -## s = self.getsect(ix) -## #fat = fat + map(lambda i, s=s: i32(s, i), range(0, len(s), 4)) -## fat = fat + array.array(UINT32, s) - if self.csectDif != 0: - # [PL] There's a DIFAT because file is larger than 6.8MB - # some checks just in case: - if self.csectFat <= 109: - # there must be at least 109 blocks in header and the rest in - # DIFAT, so number of sectors must be >109. - self._raise_defect(DEFECT_INCORRECT, 'incorrect DIFAT, not enough sectors') - if self.sectDifStart >= self.nb_sect: - # initial DIFAT block index must be valid - self._raise_defect(DEFECT_FATAL, 'incorrect DIFAT, first index out of range') - debug( "DIFAT analysis..." 
) - # We compute the necessary number of DIFAT sectors : - # (each DIFAT sector = 127 pointers + 1 towards next DIFAT sector) - nb_difat = (self.csectFat-109 + 126)/127 - debug( "nb_difat = %d" % nb_difat ) - if self.csectDif != nb_difat: - raise IOError, 'incorrect DIFAT' - isect_difat = self.sectDifStart - for i in xrange(nb_difat): - debug( "DIFAT block %d, sector %X" % (i, isect_difat) ) - #TODO: check if corresponding FAT SID = DIFSECT - sector_difat = self.getsect(isect_difat) - difat = self.sect2array(sector_difat) - self.dumpsect(sector_difat) - self.loadfat_sect(difat[:127]) - # last DIFAT pointer is next DIFAT sector: - isect_difat = difat[127] - debug( "next DIFAT sector: %X" % isect_difat ) - # checks: - if isect_difat not in [ENDOFCHAIN, FREESECT]: - # last DIFAT pointer value must be ENDOFCHAIN or FREESECT - raise IOError, 'incorrect end of DIFAT' -## if len(self.fat) != self.num_fat_sectors: -## # FAT should contain num_fat_sectors blocks -## print "FAT length: %d instead of %d" % (len(self.fat), self.num_fat_sectors) -## raise IOError, 'incorrect DIFAT' - # since FAT is read from fixed-size sectors, it may contain more values - # than the actual number of sectors in the file. - # Keep only the relevant sector indexes: - if len(self.fat) > self.nb_sect: - debug('len(fat)=%d, shrunk to nb_sect=%d' % (len(self.fat), self.nb_sect)) - self.fat = self.fat[:self.nb_sect] - debug('\nFAT:') - self.dumpfat(self.fat) - - - def loadminifat(self): - """ - Load the MiniFAT table. - """ - # MiniFAT is stored in a standard sub-stream, pointed to by a header - # field. - # NOTE: there are two sizes to take into account for this stream: - # 1) Stream size is calculated according to the number of sectors - # declared in the OLE header. This allocated stream may be more than - # needed to store the actual sector indexes. 
- # (self.num_mini_fat_sectors is the number of sectors of size self.sector_size) - stream_size = self.csectMiniFat * self.SectorSize - # 2) Actually used size is calculated by dividing the MiniStream size - # (given by root entry size) by the size of mini sectors, *4 for - # 32 bits indexes: - nb_minisectors = (self.root.size + self.MiniSectorSize-1) / self.MiniSectorSize - used_size = nb_minisectors * 4 - debug('loadminifat(): minifatsect=%d, nb FAT sectors=%d, used_size=%d, stream_size=%d, nb MiniSectors=%d' % - (self.minifatsect, self.csectMiniFat, used_size, stream_size, nb_minisectors)) - if used_size > stream_size: - # This is not really a problem, but may indicate a wrong implementation: - self._raise_defect(DEFECT_INCORRECT, 'OLE MiniStream is larger than MiniFAT') - # In any case, first read stream_size: - s = self._open(self.minifatsect, stream_size, force_FAT=True).read() - #[PL] Old code replaced by an array: - #self.minifat = map(lambda i, s=s: i32(s, i), range(0, len(s), 4)) - self.minifat = self.sect2array(s) - # Then shrink the array to used size, to avoid indexes out of MiniStream: - debug('MiniFAT shrunk from %d to %d sectors' % (len(self.minifat), nb_minisectors)) - self.minifat = self.minifat[:nb_minisectors] - debug('loadminifat(): len=%d' % len(self.minifat)) - debug('\nMiniFAT:') - self.dumpfat(self.minifat) - - def getsect(self, sect): - """ - Read given sector from file on disk. - sect: sector index - returns a string containing the sector data. 
- """ - # [PL] this original code was wrong when sectors are 4KB instead of - # 512 bytes: - #self.fp.seek(512 + self.sectorsize * sect) - #[PL]: added safety checks: - #print "getsect(%X)" % sect - try: - self.fp.seek(self.sectorsize * (sect+1)) - except: - debug('getsect(): sect=%X, seek=%d, filesize=%d' % - (sect, self.sectorsize*(sect+1), self._filesize)) - self._raise_defect(DEFECT_FATAL, 'OLE sector index out of range') - sector = self.fp.read(self.sectorsize) - if len(sector) != self.sectorsize: - debug('getsect(): sect=%X, read=%d, sectorsize=%d' % - (sect, len(sector), self.sectorsize)) - self._raise_defect(DEFECT_FATAL, 'incomplete OLE sector') - return sector - - - def loaddirectory(self, sect): - """ - Load the directory. - sect: sector index of directory stream. - """ - # The directory is stored in a standard - # substream, independent of its size. - - # open directory stream as a read-only file: - # (stream size is not known in advance) - self.directory_fp = self._open(sect) - - #[PL] to detect malformed documents and avoid DoS attacks, the maximum - # number of directory entries can be calculated: - max_entries = self.directory_fp.size / 128 - debug('loaddirectory: size=%d, max_entries=%d' % - (self.directory_fp.size, max_entries)) - - # Create list of directory entries - #self.direntries = [] - # We start with a list of "None" object - self.direntries = [None] * max_entries -## for sid in xrange(max_entries): -## entry = fp.read(128) -## if not entry: -## break -## self.direntries.append(_OleDirectoryEntry(entry, sid, self)) - # load root entry: - root_entry = self._load_direntry(0) - # Root entry is the first entry: - self.root = self.direntries[0] - # read and build all storage trees, starting from the root: - self.root.build_storage_tree() - - - def _load_direntry (self, sid): - """ - Load a directory entry from the directory. - This method should only be called once for each storage/stream when - loading the directory. 
- sid: index of storage/stream in the directory. - return: a _OleDirectoryEntry object - raise: IOError if the entry has always been referenced. - """ - # check if SID is OK: - if sid<0 or sid>=len(self.direntries): - self._raise_defect(DEFECT_FATAL, "OLE directory index out of range") - # check if entry was already referenced: - if self.direntries[sid] is not None: - self._raise_defect(DEFECT_INCORRECT, - "double reference for OLE stream/storage") - # if exception not raised, return the object - return self.direntries[sid] - self.directory_fp.seek(sid * 128) - entry = self.directory_fp.read(128) - self.direntries[sid] = _OleDirectoryEntry(entry, sid, self) - return self.direntries[sid] - - - def dumpdirectory(self): - """ - Dump directory (for debugging only) - """ - self.root.dump() - - - def _open(self, start, size = 0x7FFFFFFF, force_FAT=False): - """ - Open a stream, either in FAT or MiniFAT according to its size. - (openstream helper) - - start: index of first sector - size: size of stream (or nothing if size is unknown) - force_FAT: if False (default), stream will be opened in FAT or MiniFAT - according to size. If True, it will always be opened in FAT. 
- """ - debug('OleFileIO.open(): sect=%d, size=%d, force_FAT=%s' % - (start, size, str(force_FAT))) - # stream size is compared to the mini_stream_cutoff_size threshold: - if size < self.minisectorcutoff and not force_FAT: - # ministream object - if not self.ministream: - # load MiniFAT if it wasn't already done: - self.loadminifat() - # The first sector index of the miniFAT stream is stored in the - # root directory entry: - size_ministream = self.root.size - debug('Opening MiniStream: sect=%d, size=%d' % - (self.root.isectStart, size_ministream)) - self.ministream = self._open(self.root.isectStart, - size_ministream, force_FAT=True) - return _OleStream(fp=self.ministream, sect=start, size=size, - offset=0, sectorsize=self.minisectorsize, - fat=self.minifat, filesize=self.ministream.size) - else: - # standard stream - return _OleStream(fp=self.fp, sect=start, size=size, - offset=self.sectorsize, - sectorsize=self.sectorsize, fat=self.fat, - filesize=self._filesize) - - - def _list(self, files, prefix, node, streams=True, storages=False): - """ - (listdir helper) - files: list of files to fill in - prefix: current location in storage tree (list of names) - node: current node (_OleDirectoryEntry object) - streams: bool, include streams if True (True by default) - new in v0.26 - storages: bool, include storages if True (False by default) - new in v0.26 - (note: the root storage is never included) - """ - prefix = prefix + [node.name] - for entry in node.kids: - if entry.kids: - # this is a storage - if storages: - # add it to the list - files.append(prefix[1:] + [entry.name]) - # check its kids - self._list(files, prefix, entry, streams, storages) - else: - # this is a stream - if streams: - # add it to the list - files.append(prefix[1:] + [entry.name]) - - - def listdir(self, streams=True, storages=False): - """ - Return a list of streams stored in this file - - streams: bool, include streams if True (True by default) - new in v0.26 - storages: bool, include 
storages if True (False by default) - new in v0.26 - (note: the root storage is never included) - """ - files = [] - self._list(files, [], self.root, streams, storages) - return files - - - def _find(self, filename): - """ - Returns directory entry of given filename. (openstream helper) - Note: this method is case-insensitive. - - filename: path of stream in storage tree (except root entry), either: - - a string using Unix path syntax, for example: - 'storage_1/storage_1.2/stream' - - a list of storage filenames, path to the desired stream/storage. - Example: ['storage_1', 'storage_1.2', 'stream'] - return: sid of requested filename - raise IOError if file not found - """ - - # if filename is a string instead of a list, split it on slashes to - # convert to a list: - if isinstance(filename, basestring): - filename = filename.split('/') - # walk across storage tree, following given path: - node = self.root - for name in filename: - for kid in node.kids: - if kid.name.lower() == name.lower(): - break - else: - raise IOError, "file not found" - node = kid - return node.sid - - - def openstream(self, filename): - """ - Open a stream as a read-only file object (StringIO). - - filename: path of stream in storage tree (except root entry), either: - - a string using Unix path syntax, for example: - 'storage_1/storage_1.2/stream' - - a list of storage filenames, path to the desired stream/storage. - Example: ['storage_1', 'storage_1.2', 'stream'] - return: file object (read-only) - raise IOError if filename not found, or if this is not a stream. - """ - sid = self._find(filename) - entry = self.direntries[sid] - if entry.entry_type != STGTY_STREAM: - raise IOError, "this file is not a stream" - return self._open(entry.isectStart, entry.size) - - - def get_type(self, filename): - """ - Test if given filename exists as a stream or a storage in the OLE - container, and return its type. - - filename: path of stream in storage tree. 
(see openstream for syntax) - return: False if object does not exist, its entry type (>0) otherwise: - - STGTY_STREAM: a stream - - STGTY_STORAGE: a storage - - STGTY_ROOT: the root entry - """ - try: - sid = self._find(filename) - entry = self.direntries[sid] - return entry.entry_type - except: - return False - - - def getmtime(self, filename): - """ - Return modification time of a stream/storage. - - filename: path of stream/storage in storage tree. (see openstream for - syntax) - return: None if modification time is null, a python datetime object - otherwise (UTC timezone) - - new in version 0.26 - """ - sid = self._find(filename) - entry = self.direntries[sid] - return entry.getmtime() - - - def getctime(self, filename): - """ - Return creation time of a stream/storage. - - filename: path of stream/storage in storage tree. (see openstream for - syntax) - return: None if creation time is null, a python datetime object - otherwise (UTC timezone) - - new in version 0.26 - """ - sid = self._find(filename) - entry = self.direntries[sid] - return entry.getctime() - - - def exists(self, filename): - """ - Test if given filename exists as a stream or a storage in the OLE - container. - - filename: path of stream in storage tree. (see openstream for syntax) - return: True if object exist, else False. - """ - try: - sid = self._find(filename) - return True - except: - return False - - - def get_size(self, filename): - """ - Return size of a stream in the OLE container, in bytes. - - filename: path of stream in storage tree (see openstream for syntax) - return: size in bytes (long integer) - raise: IOError if file not found, TypeError if this is not a stream. - """ - sid = self._find(filename) - entry = self.direntries[sid] - if entry.entry_type != STGTY_STREAM: - #TODO: Should it return zero instead of raising an exception ? - raise TypeError, 'object is not an OLE stream' - return entry.size - - - def get_rootentry_name(self): - """ - Return root entry name. 
Should usually be 'Root Entry' or 'R' in most - implementations. - """ - return self.root.name - - - def getproperties(self, filename, convert_time=False, no_conversion=None): - """ - Return properties described in substream. - - filename: path of stream in storage tree (see openstream for syntax) - convert_time: bool, if True timestamps will be converted to Python datetime - no_conversion: None or list of int, timestamps not to be converted - (for example total editing time is not a real timestamp) - return: a dictionary of values indexed by id (integer) - """ - # make sure no_conversion is a list, just to simplify code below: - if no_conversion == None: - no_conversion = [] - # stream path as a string to report exceptions: - streampath = filename - if not isinstance(streampath, str): - streampath = '/'.join(streampath) - - fp = self.openstream(filename) - - data = {} - - try: - # header - s = fp.read(28) - clsid = _clsid(s[8:24]) - - # format id - s = fp.read(20) - fmtid = _clsid(s[:16]) - fp.seek(i32(s, 16)) - - # get section - s = "****" + fp.read(i32(fp.read(4))-4) - # number of properties: - num_props = i32(s, 4) - except: - # catch exception while parsing property header, and only raise - # a DEFECT_INCORRECT then return an empty dict, because this is not - # a fatal error when parsing the whole file - exctype, excvalue = sys.exc_info()[:2] - msg = 'Error while parsing properties header in stream %s: %s' % ( - repr(streampath), excvalue) - self._raise_defect(DEFECT_INCORRECT, msg, exctype) - return data - - for i in range(num_props): - try: - id = 0 # just in case of an exception - id = i32(s, 8+i*8) - offset = i32(s, 12+i*8) - type = i32(s, offset) - - debug ('property id=%d: type=%d offset=%X' % (id, type, offset)) - - # test for common types first (should perhaps use - # a dictionary instead?) 
- - if type == VT_I2: # 16-bit signed integer - value = i16(s, offset+4) - if value >= 32768: - value = value - 65536 - elif type == VT_UI2: # 2-byte unsigned integer - value = i16(s, offset+4) - elif type in (VT_I4, VT_INT, VT_ERROR): - # VT_I4: 32-bit signed integer - # VT_ERROR: HRESULT, similar to 32-bit signed integer, - # see http://msdn.microsoft.com/en-us/library/cc230330.aspx - value = i32(s, offset+4) - elif type in (VT_UI4, VT_UINT): # 4-byte unsigned integer - value = i32(s, offset+4) # FIXME - elif type in (VT_BSTR, VT_LPSTR): - # CodePageString, see http://msdn.microsoft.com/en-us/library/dd942354.aspx - # size is a 32 bits integer, including the null terminator, and - # possibly trailing or embedded null chars - #TODO: if codepage is unicode, the string should be converted as such - count = i32(s, offset+4) - value = s[offset+8:offset+8+count-1] - # remove all null chars: - value = value.replace('\x00', '') - elif type == VT_BLOB: - # binary large object (BLOB) - # see http://msdn.microsoft.com/en-us/library/dd942282.aspx - count = i32(s, offset+4) - value = s[offset+8:offset+8+count] - elif type == VT_LPWSTR: - # UnicodeString - # see http://msdn.microsoft.com/en-us/library/dd942313.aspx - # "the string should NOT contain embedded or additional trailing - # null characters." - count = i32(s, offset+4) - value = _unicode(s[offset+8:offset+8+count*2]) - elif type == VT_FILETIME: - value = long(i32(s, offset+4)) + (long(i32(s, offset+8))<<32) - # FILETIME is a 64-bit int: "number of 100ns periods - # since Jan 1,1601". 
- if convert_time and id not in no_conversion: - debug('Converting property #%d to python datetime, value=%d=%fs' - %(id, value, float(value)/10000000L)) - # convert FILETIME to Python datetime.datetime - # inspired from http://code.activestate.com/recipes/511425-filetime-to-datetime/ - _FILETIME_null_date = datetime.datetime(1601, 1, 1, 0, 0, 0) - debug('timedelta days=%d' % (value/(10*1000000*3600*24))) - value = _FILETIME_null_date + datetime.timedelta(microseconds=value/10) - else: - # legacy code kept for backward compatibility: returns a - # number of seconds since Jan 1,1601 - value = value / 10000000L # seconds - elif type == VT_UI1: # 1-byte unsigned integer - value = ord(s[offset+4]) - elif type == VT_CLSID: - value = _clsid(s[offset+4:offset+20]) - elif type == VT_CF: - # PropertyIdentifier or ClipboardData?? - # see http://msdn.microsoft.com/en-us/library/dd941945.aspx - count = i32(s, offset+4) - value = s[offset+8:offset+8+count] - elif type == VT_BOOL: - # VARIANT_BOOL, 16 bits bool, 0x0000=Fals, 0xFFFF=True - # see http://msdn.microsoft.com/en-us/library/cc237864.aspx - value = bool(i16(s, offset+4)) - else: - value = None # everything else yields "None" - debug ('property id=%d: type=%d not implemented in parser yet' % (id, type)) - - # missing: VT_EMPTY, VT_NULL, VT_R4, VT_R8, VT_CY, VT_DATE, - # VT_DECIMAL, VT_I1, VT_I8, VT_UI8, - # see http://msdn.microsoft.com/en-us/library/dd942033.aspx - - # FIXME: add support for VT_VECTOR - # VT_VECTOR is a 32 uint giving the number of items, followed by - # the items in sequence. The VT_VECTOR value is combined with the - # type of items, e.g. 
VT_VECTOR|VT_BSTR - # see http://msdn.microsoft.com/en-us/library/dd942011.aspx - - #print "%08x" % id, repr(value), - #print "(%s)" % VT[i32(s, offset) & 0xFFF] - - data[id] = value - except: - # catch exception while parsing each property, and only raise - # a DEFECT_INCORRECT, because parsing can go on - exctype, excvalue = sys.exc_info()[:2] - msg = 'Error while parsing property id %d in stream %s: %s' % ( - id, repr(streampath), excvalue) - self._raise_defect(DEFECT_INCORRECT, msg, exctype) - - return data - - def get_metadata(self): - """ - Parse standard properties streams, return an OleMetadata object - containing all the available metadata. - (also stored in the metadata attribute of the OleFileIO object) - - new in version 0.25 - """ - self.metadata = OleMetadata() - self.metadata.parse_properties(self) - return self.metadata - -# -# -------------------------------------------------------------------- -# This script can be used to dump the directory of any OLE2 structured -# storage file. - -if __name__ == "__main__": - - import sys - - # [PL] display quick usage info if launched from command-line - if len(sys.argv) <= 1: - print __doc__ - print """ -Launched from command line, this script parses OLE files and prints info. - -Usage: olefile2.py [-d] [-c] [file2 ...] 
- -Options: --d : debug mode (display a lot of debug information, for developers only) --c : check all streams (for debugging purposes) -""" - sys.exit() - - check_streams = False - for filename in sys.argv[1:]: -## try: - # OPTIONS: - if filename == '-d': - # option to switch debug mode on: - set_debug_mode(True) - continue - if filename == '-c': - # option to switch check streams mode on: - check_streams = True - continue - - ole = OleFileIO(filename)#, raise_defects=DEFECT_INCORRECT) - print "-" * 68 - print filename - print "-" * 68 - ole.dumpdirectory() - for streamname in ole.listdir(): - if streamname[-1][0] == "\005": - print streamname, ": properties" - props = ole.getproperties(streamname, convert_time=True) - props = props.items() - props.sort() - for k, v in props: - #[PL]: avoid to display too large or binary values: - if isinstance(v, basestring): - if len(v) > 50: - v = v[:50] - # quick and dirty binary check: - for c in (1,2,3,4,5,6,7,11,12,14,15,16,17,18,19,20, - 21,22,23,24,25,26,27,28,29,30,31): - if chr(c) in v: - v = '(binary data)' - break - print " ", k, v - - if check_streams: - # Read all streams to check if there are errors: - print '\nChecking streams...' 
- for streamname in ole.listdir(): - # print name using repr() to convert binary chars to \xNN: - print '-', repr('/'.join(streamname)),'-', - st_type = ole.get_type(streamname) - if st_type == STGTY_STREAM: - print 'size %d' % ole.get_size(streamname) - # just try to read stream in memory: - ole.openstream(streamname) - else: - print 'NOT a stream : type=%d' % st_type - print '' - -## for streamname in ole.listdir(): -## # print name using repr() to convert binary chars to \xNN: -## print '-', repr('/'.join(streamname)),'-', -## print ole.getmtime(streamname) -## print '' - - print 'Modification/Creation times of all directory entries:' - for entry in ole.direntries: - if entry is not None: - print '- %s: mtime=%s ctime=%s' % (entry.name, - entry.getmtime(), entry.getctime()) - print '' - - # parse and display metadata: - meta = ole.get_metadata() - meta.dump() - print '' - #[PL] Test a few new methods: - root = ole.get_rootentry_name() - print 'Root entry name: "%s"' % root - if ole.exists('worddocument'): - print "This is a Word document." - print "type of stream 'WordDocument':", ole.get_type('worddocument') - print "size :", ole.get_size('worddocument') - if ole.exists('macros/vba'): - print "This document may contain VBA macros." - - # print parsing issues: - print '\nNon-fatal issues raised during parsing:' - if ole.parsing_issues: - for exctype, msg in ole.parsing_issues: - print '- %s: %s' % (exctype.__name__, msg) - else: - print 'None' -## except IOError, v: -## print "***", "cannot read", file, "-", v - -# this code was developed while listening to The Wedding Present "Sea Monsters" diff --git a/oletools/thirdparty/xxxswf/xxxswf.py b/oletools/thirdparty/xxxswf/xxxswf.py index 1a47878..1f95659 100644 --- a/oletools/thirdparty/xxxswf/xxxswf.py +++ b/oletools/thirdparty/xxxswf/xxxswf.py 
@@ -1,371 +1,371 @@ -# xxxswf.py was created by alexander dot hanel at gmail dot com -# version 0.1 -# Date - 12-07-2011 -# To do list -# - Tag Parser -# - ActionScript Decompiler - -import fnmatch -import hashlib -import imp -import math -import os -import re -import struct -import sys -import time -from StringIO import StringIO -from optparse import OptionParser -import zlib - -def checkMD5(md5): -# checks if MD5 has been seen in MD5 Dictionary -# MD5Dict contains the MD5 and the CVE -# For { 'MD5':'CVE', 'MD5-1':'CVE-1', 'MD5-2':'CVE-2'} - MD5Dict = {'c46299a5015c6d31ad5766cb49e4ab4b':'CVE-XXXX-XXXX'} - if MD5Dict.get(md5): - print '\t[BAD] MD5 Match on', MD5Dict.get(md5) - return - -def bad(f): - for idx, x in enumerate(findSWF(f)): - tmp = verifySWF(f,x) - if tmp != None: - yaraScan(tmp) - checkMD5(hashBuff(tmp)) - return - -def yaraScan(d): -# d = buffer of the read file -# Scans SWF using Yara - # test if yara module is installed - # if not Yara can be downloaded from http://code.google.com/p/yara-project/ - try: - imp.find_module('yara') - import yara - except ImportError: - print '\t[ERROR] Yara module not installed - aborting scan' - return - # test for yara compile errors - try: - r = yara.compile(r'rules.yar') - except: - pass - print '\t[ERROR] Yara compile error - aborting scan' - return - # get matches - m = r.match(data=d) - # print matches - for X in m: - print '\t[BAD] Yara Signature Hit:', X - return - -def findSWF(d): -# d = buffer of the read file -# Search for SWF Header Sigs in files - return [tmp.start() for tmp in re.finditer('CWS|FWS', d.read())] - -def hashBuff(d): -# d = buffer of the read file -# This function hashes the buffer -# source: http://stackoverflow.com/q/5853830 - if type(d) is str: - d = StringIO(d) - md5 = hashlib.md5() - while True: - data = d.read(128) - if not data: - break - md5.update(data) - return md5.hexdigest() - -def verifySWF(f,addr): - # Start of SWF - f.seek(addr) - # Read Header - header = f.read(3) - # Read 
Version - ver = struct.unpack(' 20: - print ' - [ERROR] Invalid SWF Version' - return None - - if 'CWS' in header: - try: - f.read(3) - tmp = 'FWS' + f.read(5) + zlib.decompress(f.read()) - print ' - CWS Header' - return tmp - - except: - pass - print '- [ERROR]: Zlib decompression error. Invalid CWS SWF' - return None - - elif 'FWS' in header: - try: - tmp = f.read(size) - print ' - FWS Header' - return tmp - - except: - pass - print ' - [ERROR] Invalid SWF Size' - return None - - else: - print ' - [Error] Logic Error Blame Programmer' - return None - -def headerInfo(f): -# f is the already opended file handle -# Yes, the format is is a rip off SWFDump. Can you blame me? Their tool is awesome. - # SWFDump FORMAT - # [HEADER] File version: 8 - # [HEADER] File is zlib compressed. Ratio: 52% - # [HEADER] File size: 37536 - # [HEADER] Frame rate: 18.000000 - # [HEADER] Frame count: 323 - # [HEADER] Movie width: 217.00 - # [HEADER] Movie height: 85.00 - if type(f) is str: - f = StringIO(f) - sig = f.read(3) - print '\t[HEADER] File header:', sig - if 'C' in sig: - print '\t[HEADER] File is zlib compressed.' - version = struct.unpack('> 3 - print '\t[HEADER] Rect Nbit:', nbit - # Curretely the nbit is static at 15. This could be modified in the - # future. If larger than 9 this will break the struct unpack. Will have - # to revist must be a more effective way to deal with bits. Tried to keep - # the algo but damn this is ugly... 
- f.seek(ta) - rect = struct.unpack('>Q', f.read(int(math.ceil((nbit*4)/8.0))))[0] - tmp = struct.unpack('>7)[2:].zfill(1) - # bin requires Python 2.6 or higher - # skips string '0b' and the nbit - rect = bin(rect)[7:] - xmin = int(rect[0:nbit-1],2) - print '\t[HEADER] Rect Xmin:', xmin - xmax = int(rect[nbit:(nbit*2)-1],2) - print '\t[HEADER] Rect Xmax:', xmax - ymin = int(rect[nbit*2:(nbit*3)-1],2) - print '\t[HEADER] Rect Ymin:', ymin - # one bit needs to be added, my math might be off here - ymax = int(rect[nbit*3:(nbit*4)-1] + str(tmp) ,2) - print '\t[HEADER] Rect Ymax:', ymax - framerate = struct.unpack(' 20: + print(' - [ERROR] Invalid SWF Version') + return None + + if 'CWS' in header: + try: + f.read(3) + tmp = 'FWS' + f.read(5) + zlib.decompress(f.read()) + print(' - CWS Header') + return tmp + + except: + pass + print('- [ERROR]: Zlib decompression error. Invalid CWS SWF') + return None + + elif 'FWS' in header: + try: + tmp = f.read(size) + print(' - FWS Header') + return tmp + + except: + pass + print(' - [ERROR] Invalid SWF Size') + return None + + else: + print(' - [Error] Logic Error Blame Programmer') + return None + +def headerInfo(f): +# f is the already opended file handle +# Yes, the format is is a rip off SWFDump. Can you blame me? Their tool is awesome. + # SWFDump FORMAT + # [HEADER] File version: 8 + # [HEADER] File is zlib compressed. Ratio: 52% + # [HEADER] File size: 37536 + # [HEADER] Frame rate: 18.000000 + # [HEADER] Frame count: 323 + # [HEADER] Movie width: 217.00 + # [HEADER] Movie height: 85.00 + if type(f) is str: + f = StringIO(f) + sig = f.read(3) + print('\t[HEADER] File header: %s' % sig) + if 'C' in sig: + print('\t[HEADER] File is zlib compressed.') + version = struct.unpack('> 3 + print('\t[HEADER] Rect Nbit: %d' % nbit) + # Curretely the nbit is static at 15. This could be modified in the + # future. If larger than 9 this will break the struct unpack. Will have + # to revist must be a more effective way to deal with bits. 
Tried to keep + # the algo but damn this is ugly... + f.seek(ta) + rect = struct.unpack('>Q', f.read(int(math.ceil((nbit*4)/8.0))))[0] + tmp = struct.unpack('>7)[2:].zfill(1) + # bin requires Python 2.6 or higher + # skips string '0b' and the nbit + rect = bin(rect)[7:] + xmin = int(rect[0:nbit-1],2) + print('\t[HEADER] Rect Xmin: %d' % xmin) + xmax = int(rect[nbit:(nbit*2)-1],2) + print('\t[HEADER] Rect Xmax: %d' % xmax) + ymin = int(rect[nbit*2:(nbit*3)-1],2) + print('\t[HEADER] Rect Ymin: %d' % ymin) + # one bit needs to be added, my math might be off here + ymax = int(rect[nbit*3:(nbit*4)-1] + str(tmp) ,2) + print('\t[HEADER] Rect Ymax: %d' % ymax) + framerate = struct.unpack('