Commit e97257d4fe0f831b47a4a46497ed19abc9f8be48
1 parent
6d2d6844
olemap: added extra data detection, completed header display
Showing
1 changed file
with
45 additions
and
4 deletions
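--- a/oletools/olemap.py
+++ b/oletools/olemap.py
@@ -48,6 +48,7 @@ http://www.decalage.info/python/oletools
 # - improved MiniFAT display with tablestream
 # 2017-03-21 PL: - added header display
 # - added options --header, --fat and --minifat
+# 2017-03-22 PL: - added extra data detection, completed header display
 
 
 __version__ = '0.51dev3'
@@ -115,15 +116,55 @@ def sid_display(sid):
 
 def show_header(ole):
 print("OLE HEADER:")
-t = tablestream.TableStream([20, 20, 79-(4+20+20)], header_row=['Attribute', 'Value', 'Description'])
+t = tablestream.TableStream([24, 16, 79-(4+24+16)], header_row=['Attribute', 'Value', 'Description'])
 t.write_row(['OLE Signature (hex)', binascii.b2a_hex(ole.header_signature).upper(), 'Should be D0CF11E0A1B11AE1'])
 t.write_row(['Header CLSID (hex)', binascii.b2a_hex(ole.header_clsid).upper(), 'Should be 0'])
 t.write_row(['Minor Version', '%04X' % ole.minor_version, 'Should be 003E'])
 t.write_row(['Major Version', '%04X' % ole.dll_version, 'Should be 3 or 4'])
 t.write_row(['Byte Order', '%04X' % ole.byte_order, 'Should be FFFE (little endian)'])
 t.write_row(['Sector Shift', '%04X' % ole.sector_shift, 'Should be 0009 or 000C'])
-t.write_row(['Sector Size (bytes)', '%d' % ole.sector_size, 'Should be 512 or 4096 bytes'])
-t.write_row(['Number of Directory Sectors', ole.num_dir_sectors, 'Should be 0 if major version is 3'])
+t.write_row(['# of Dir Sectors', ole.num_dir_sectors, 'Should be 0 if major version is 3'])
+t.write_row(['# of FAT Sectors', ole.num_fat_sectors, ''])
+t.write_row(['First Dir Sector', '%08X' % ole.first_dir_sector, '(hex)'])
+t.write_row(['Transaction Sig Number', ole.transaction_signature_number, 'Should be 0'])
+t.write_row(['MiniStream cutoff', ole.mini_stream_cutoff_size, 'Should be 4096 bytes'])
+t.write_row(['First MiniFAT Sector', '%08X' % ole.first_mini_fat_sector, '(hex)'])
+t.write_row(['# of MiniFAT Sectors', ole.num_mini_fat_sectors, ''])
+t.write_row(['First DIFAT Sector', '%08X' % ole.first_difat_sector, '(hex)'])
+t.write_row(['# of DIFAT Sectors', ole.num_difat_sectors, ''])
+t.close()
+print('')
+print("CALCULATED ATTRIBUTES:")
+t = tablestream.TableStream([24, 16, 79-(4+24+16)], header_row=['Attribute', 'Value', 'Description'])
+t.write_row(['Sector Size (bytes)', ole.sector_size, 'Should be 512 or 4096 bytes'])
+t.write_row(['Actual File Size (bytes)', ole._filesize, 'Real file size on disk'])
+num_sectors_per_fat_sector = ole.sector_size/4
+num_sectors_in_fat = num_sectors_per_fat_sector * ole.num_fat_sectors
+# Need to add one sector for the header:
+max_filesize_fat = (num_sectors_in_fat + 1) * ole.sector_size
+t.write_row(['Max File Size in FAT', max_filesize_fat, 'Max file size covered by FAT'])
+if ole._filesize > max_filesize_fat:
+extra_size_beyond_fat = ole._filesize - max_filesize_fat
+color = 'red'
+else:
+extra_size_beyond_fat = 0
+color = None
+t.write_row(['Extra data beyond FAT', extra_size_beyond_fat, 'Only if file is larger than FAT coverage'],
+colors=[color, color, color])
+# Find the last used sector:
+# By default, it's the last sector in the FAT
+last_used_sector = len(ole.fat)-1
+for i in range(len(ole.fat)-1, 0, -1):
+last_used_sector = i
+if ole.fat[i] != olefile.FREESECT:
+break
+# Extra data would start at the next sector
+offset_extra_data = ole.sectorsize * (last_used_sector + 2)
+t.write_row(['Extra data offset in FAT', '%08X' % offset_extra_data, 'Offset of the 1st free sector at end of FAT'])
+extra_data_size = ole._filesize - offset_extra_data
+color = 'red' if extra_data_size > 0 else None
+t.write_row(['Extra data size', extra_data_size, 'Size of data starting at the 1st free sector at end of FAT'],
+colors=[color, color, color])
 t.close()
 print('')
 
@@ -131,7 +172,7 @@ def show_header(ole):
 def show_fat(ole):
 print('FAT:')
 t = tablestream.TableStream([8, 12, 8, 8], header_row=['Sector #', 'Type', 'Offset', 'Next #'])
-for i in range(ole.nb_sect):
+for i in range(len(ole.fat)):
 fat_value = ole.fat[i]
 fat_type = FAT_TYPES.get(fat_value, '<Data>')
 color_type = FAT_COLORS.get(fat_value, FAT_COLORS['default'])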
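Review bot: `num_sectors_per_fat_sector = ole.sector_size/4` in the new CALCULATED ATTRIBUTES section of show_header is true division under Python 3, so `num_sectors_in_fat`, `max_filesize_fat` and `extra_size_beyond_fat` all become floats and the table prints values like `66048.0`; `ole.sector_size // 4` keeps them integral (the sector size is a power of two, so nothing is lost). A few lines lower the offset line switches to `ole.sectorsize` while every other line in the hunk reads `ole.sector_size` — unless olefile exposes both spellings this is an AttributeError on first use, and `offset_extra_data = ole.sector_size * (last_used_sector + 2)` makes it consistent either way. Also worth noting for the analyst use case: `extra_data_size` goes negative when the file is shorter than its last allocated sector (a truncated or damaged container), which is as suspicious as appended data but is currently printed uncoloured because only `extra_data_size > 0` is flagged; a comment such as `# negative => file truncated before the last FAT-allocated sector` and a distinct colour for that case would make it visible.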