Commit 8dc4854df1c2bef3a56373dd73c4c378788df688
1 parent
8be66d11
ppt_record_parser: move constants to top of file
Showing
1 changed file
with
75 additions
and
72 deletions
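--- a/oletools/ppt_record_parser.py
+++ b/oletools/ppt_record_parser.py
@@ -49,6 +49,80 @@ import io
 import zlib
 
 
+# types of relevant records (there are much more than listed here)
+RECORD_TYPES = dict([
+ # file structure types
+ (0x0ff5, 'UserEditAtom'),
+ (0x0ff6, 'CurrentUserAtom'), # --> use PptRecordCurrentUser instead
+ (0x1772, 'PersistDirectoryAtom'),
+ (0x2f14, 'CryptSession10Container'),
+ # document types
+ (0x03e8, 'DocumentContainer'),
+ (0x0fc9, 'HandoutContainer'),
+ (0x03f0, 'NotesContainer'),
+ (0x03ff, 'VbaInfoContainer'),
+ (0x03e9, 'DocumentAtom'),
+ (0x03ea, 'EndDocumentAtom'),
+ # slide types
+ (0x03ee, 'SlideContainer'),
+ (0x03f8, 'MainMasterContainer'),
+ # external object ty
+ (0x0409, 'ExObjListContainer'),
+ (0x1011, 'ExOleVbaActiveXAtom'), # --> use PptRecordExOleVbaActiveXAtom
+ (0x1006, 'ExAviMovieContainer'),
+ (0x100e, 'ExCDAudioContainer'),
+ (0x0fee, 'ExControlContainer'),
+ (0x0fd7, 'ExHyperlinkContainer'),
+ (0x1007, 'ExMCIMovieContainer'),
+ (0x100d, 'ExMIDIAudioContainer'),
+ (0x0fcc, 'ExOleEmbedContainer'),
+ (0x0fce, 'ExOleLinkContainer'),
+ (0x100f, 'ExWAVAudioEmbeddedContainer'),
+ (0x1010, 'ExWAVAudioLinkContainer'),
+ (0x1004, 'ExMediaAtom'),
+ (0x040a, 'ExObjListAtom'),
+ (0x0fcd, 'ExOleEmbedAtom'),
+ (0x0fc3, 'ExOleObjAtom'), # --> use PptRecordExOleObjAtom instead
+ # other types
+ (0x0fc1, 'MetafileBlob'),
+ (0x0fb8, 'FontEmbedDataBlob'),
+ (0x07e7, 'SoundDataBlob'),
+ (0x138b, 'BinaryTagDataBlob'),
+ (0x0fba, 'CString'),
+])
+
+
+# record types where version is not 0x0 or 0xf
+VERSION_EXCEPTIONS = dict([
+ (0x0400, 2), # rt_vbainfoatom
+ (0x03ef, 2), # rt_slideatom
+])
+
+
+# record types where instance is not 0x0 or 0x1
+INSTANCE_EXCEPTIONS = dict([
+ (0x0fba, (2, 0x14)), # rt_cstring,
+ (0x0ff0, (2, 2)), # rt_slidelistwithtext,
+ (0x0fd9, (3, 4)), # rt_headersfooters,
+ (0x07e4, (5, 5)), # rt_soundcollection,
+ (0x03fb, (7, 7)), # rt_guideatom,
+ (0x07e9, (2, 2)), # rt_bookmarkseeatom,
+ (0x07f0, (6, 6)), # rt_colorschemeatom,
+ (0xf125, (0, 5)), # rt_timeconditioncontainer,
+ (0xf13d, (0, 0xa)), # rt_timepropertylist,
+ (0x0fc8, (2, 2)), # rt_kinsoku,
+ (0x0fd2, (3, 3)), # rt_kinsokuatom,
+ (0x0f9f, (0, 5)), # rt_textheaderatom,
+ (0x0fb7, (0, 128)), # rt_fontentityatom,
+ (0x0fa3, (0, 8)), # rt_textmasterstyleatom,
+ (0x0fad, (0, 8)), # rt_textmasterstyle9atom,
+ (0x0fb2, (0, 8)), # rt_textmasterstyle10atom,
+ (0x07f9, (0, 0x80)), # rt_blibentitiy9atom,
+ (0x0faf, (0, 5)), # rt_outlinetextpropsheader9atom,
+ (0x0fb8, (0, 3)), # rt_fontembeddatablob,
+])
+
+
 class PptFile(record_base.OleRecordFile):
 """ Record-based view on a PowerPoint ppt file """
 
@@ -56,6 +130,7 @@ class PptFile(record_base.OleRecordFile):
 def stream_class_for_name(self, stream_name):
 return PptStream
 
+
 class PptStream(record_base.OleRecordStream):
 """ a stream of records in a ppt file """
 
@@ -401,78 +476,6 @@ class PptRecordExOleVbaActiveXAtom(PptRecord):
 return '{0}, {1}{2}'.format(text[:-2], compr_text, text[-2:])
 
 
-# types of relevant records (there are much more than listed here)
-RECORD_TYPES = dict([
- # file structure types
- (0x0ff5, 'UserEditAtom'),
- (0x0ff6, 'CurrentUserAtom'), # --> use PptRecordCurrentUser instead
- (0x1772, 'PersistDirectoryAtom'),
- (0x2f14, 'CryptSession10Container'),
- # document types
- (0x03e8, 'DocumentContainer'),
- (0x0fc9, 'HandoutContainer'),
- (0x03f0, 'NotesContainer'),
- (0x03ff, 'VbaInfoContainer'),
- (0x03e9, 'DocumentAtom'),
- (0x03ea, 'EndDocumentAtom'),
- # slide types
- (0x03ee, 'SlideContainer'),
- (0x03f8, 'MainMasterContainer'),
- # external object ty
- (0x0409, 'ExObjListContainer'),
- (0x1011, 'ExOleVbaActiveXAtom'), # --> use PptRecordExOleVbaActiveXAtom
- (0x1006, 'ExAviMovieContainer'),
- (0x100e, 'ExCDAudioContainer'),
- (0x0fee, 'ExControlContainer'),
- (0x0fd7, 'ExHyperlinkContainer'),
- (0x1007, 'ExMCIMovieContainer'),
- (0x100d, 'ExMIDIAudioContainer'),
- (0x0fcc, 'ExOleEmbedContainer'),
- (0x0fce, 'ExOleLinkContainer'),
- (0x100f, 'ExWAVAudioEmbeddedContainer'),
- (0x1010, 'ExWAVAudioLinkContainer'),
- (0x1004, 'ExMediaAtom'),
- (0x040a, 'ExObjListAtom'),
- (0x0fcd, 'ExOleEmbedAtom'),
- (0x0fc3, 'ExOleObjAtom'), # --> use PptRecordExOleObjAtom instead
- # other types
- (0x0fc1, 'MetafileBlob'),
- (0x0fb8, 'FontEmbedDataBlob'),
- (0x07e7, 'SoundDataBlob'),
- (0x138b, 'BinaryTagDataBlob'),
- (0x0fba, 'CString'),
-])
-
-# record types where version is not 0x0 or 0xf
-VERSION_EXCEPTIONS = dict([
- (0x0400, 2), # rt_vbainfoatom
- (0x03ef, 2), # rt_slideatom
-])
-
-# record types where instance is not 0x0 or 0x1
-INSTANCE_EXCEPTIONS = dict([
- (0x0fba, (2, 0x14)), # rt_cstring,
- (0x0ff0, (2, 2)), # rt_slidelistwithtext,
- (0x0fd9, (3, 4)), # rt_headersfooters,
- (0x07e4, (5, 5)), # rt_soundcollection,
- (0x03fb, (7, 7)), # rt_guideatom,
- (0x07e9, (2, 2)), # rt_bookmarkseeatom,
- (0x07f0, (6, 6)), # rt_colorschemeatom,
- (0xf125, (0, 5)), # rt_timeconditioncontainer,
- (0xf13d, (0, 0xa)), # rt_timepropertylist,
- (0x0fc8, (2, 2)), # rt_kinsoku,
- (0x0fd2, (3, 3)), # rt_kinsokuatom,
- (0x0f9f, (0, 5)), # rt_textheaderatom,
- (0x0fb7, (0, 128)), # rt_fontentityatom,
- (0x0fa3, (0, 8)), # rt_textmasterstyleatom,
- (0x0fad, (0, 8)), # rt_textmasterstyle9atom,
- (0x0fb2, (0, 8)), # rt_textmasterstyle10atom,
- (0x07f9, (0, 0x80)), # rt_blibentitiy9atom,
- (0x0faf, (0, 5)), # rt_outlinetextpropsheader9atom,
- (0x0fb8, (0, 3)), # rt_fontembeddatablob,
-])
-
-
 ###############################################################################
 # TESTING
 ###############################################################################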
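Review bot: The moved `INSTANCE_EXCEPTIONS` table (new lines 102-123) still does not say what its two-element tuples mean. Now that the constants head the module, a comment such as `# value: (min, max) instance accepted for that record type` would help, assuming that is how the checking code outside this diff reads them. `VERSION_EXCEPTIONS` has the same gap; its values look like the single version accepted for the type. These tables appear to decide which record headers from an untrusted file count as well-formed, so the accepted ranges are worth stating explicitly. The carried-over comment `# external object ty` at new line 69 is truncated and could become `# external object types` in the same pass.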