Commit 9e355a9d79489b76a81f9f796bc80e135be92a0a
1 parent
eb680811
deal with case that offset in mso_file_extract might not be found,
specify some more exceptions in mso_file_extract
Showing
1 changed file
with
14 additions
and
10 deletions
oletools/olevba.py
| @@ -871,25 +871,29 @@ def mso_file_extract(data): | @@ -871,25 +871,29 @@ def mso_file_extract(data): | ||
| 871 | """ | 871 | """ |
| 872 | # check the magic: | 872 | # check the magic: |
| 873 | assert is_mso_file(data) | 873 | assert is_mso_file(data) |
| 874 | + | ||
| 875 | + # In all the samples seen so far, Word always uses an offset of 0x32, | ||
| 876 | + # and Excel 0x22A. But we read the offset from the header to be more | ||
| 877 | + # generic. | ||
| 878 | + offsets = [0x32, 0x22A] | ||
| 879 | + | ||
| 874 | # First, attempt to get the compressed data offset from the header | 880 | # First, attempt to get the compressed data offset from the header |
| 875 | # According to my tests, it should be an unsigned 16 bits integer, | 881 | # According to my tests, it should be an unsigned 16 bits integer, |
| 876 | # at offset 0x1E (little endian) + add 46: | 882 | # at offset 0x1E (little endian) + add 46: |
| 877 | try: | 883 | try: |
| 878 | offset = struct.unpack_from('<H', data, offset=0x1E)[0] + 46 | 884 | offset = struct.unpack_from('<H', data, offset=0x1E)[0] + 46 |
| 879 | log.debug('Parsing MSO file: data offset = 0x%X' % offset) | 885 | log.debug('Parsing MSO file: data offset = 0x%X' % offset) |
| 880 | - except Exception: | ||
| 881 | - log.exception('Unable to parse MSO/ActiveMime file header') | ||
| 882 | - raise RuntimeError('Unable to parse MSO/ActiveMime file header') | ||
| 883 | - # In all the samples seen so far, Word always uses an offset of 0x32, | ||
| 884 | - # and Excel 0x22A. But we read the offset from the header to be more | ||
| 885 | - # generic. | ||
| 886 | - # Let's try that offset, then 0x32 and 0x22A, just in case: | ||
| 887 | - for start in (offset, 0x32, 0x22A): | 886 | + offsets.insert(0, offset) # insert at beginning of offsets |
| 887 | + except struct.error as exc: | ||
| 888 | + log.exception('Unable to parse MSO/ActiveMime file header (%s)' % exc) | ||
| 889 | + raise MsoExtractionError('Unable to parse MSO/ActiveMime file header') | ||
| 890 | + # now try offsets | ||
| 891 | + for start in offsets: | ||
| 888 | try: | 892 | try: |
| 889 | log.debug('Attempting zlib decompression from MSO file offset 0x%X' % start) | 893 | log.debug('Attempting zlib decompression from MSO file offset 0x%X' % start) |
| 890 | extracted_data = zlib.decompress(data[start:]) | 894 | extracted_data = zlib.decompress(data[start:]) |
| 891 | return extracted_data | 895 | return extracted_data |
| 892 | - except Exception: | 896 | + except zlib.error as exc: |
| 893 | log.exception('zlib decompression failed') | 897 | log.exception('zlib decompression failed') |
| 894 | # None of the guessed offsets worked, let's try brute-forcing by looking | 898 | # None of the guessed offsets worked, let's try brute-forcing by looking |
| 895 | # for potential zlib-compressed blocks starting with 0x78: | 899 | # for potential zlib-compressed blocks starting with 0x78: |
| @@ -900,7 +904,7 @@ def mso_file_extract(data): | @@ -900,7 +904,7 @@ def mso_file_extract(data): | ||
| 900 | log.debug('Attempting zlib decompression from MSO file offset 0x%X' % start) | 904 | log.debug('Attempting zlib decompression from MSO file offset 0x%X' % start) |
| 901 | extracted_data = zlib.decompress(data[start:]) | 905 | extracted_data = zlib.decompress(data[start:]) |
| 902 | return extracted_data | 906 | return extracted_data |
| 903 | - except Exception: | 907 | + except zlib.error as exc: |
| 904 | log.exception('zlib decompression failed') | 908 | log.exception('zlib decompression failed') |
| 905 | raise MsoExtractionError('Unable to decompress data from a MSO/ActiveMime file') | 909 | raise MsoExtractionError('Unable to decompress data from a MSO/ActiveMime file') |
| 906 | 910 |