diff --git a/FSCS727_Forensics/Labs/Crack_Password_Word/office2john.py b/FSCS727_Forensics/Labs/Crack_Password_Word/office2john.py index 7d49cd3..fda31f9 100644 --- a/FSCS727_Forensics/Labs/Crack_Password_Word/office2john.py +++ b/FSCS727_Forensics/Labs/Crack_Password_Word/office2john.py @@ -1,2 +1,367 @@ -#!/usr/bin/env pyth# olefile (formerly OleFileIO_PL) version 0.42 2015-01-2# Module to read/write Microsoft OLE2 files (also called Structured Storage o# Microsoft Compound Document File Format), such as Microsoft Office 97-200# documents, Image Composer and FlashPix files, Outlook messages, ..# This version is compatible with Python 2.6+ and 3.# Project website: http://www.decalage.info/olefil# olefile is copyright (c) 2005-2015 Philippe Lagadec (http://www.decalage.info# olefile is based on the OleFileIO module from the PIL library v1.1.# See: http://www.pythonware.com/products/pil/index.ht# The Python Imaging Library (PIL) i# Copyright (c) 1997-2005 by Secret Labs A# Copyright (c) 1995-2005 by Fredrik Lund# See source code and LICENSE.txt for information on usage and redistributi# Since OleFileIO_PL v0.30, only Python 2.6+ and 3.x is supporte# This import enables print() as a function rather than a keywor# (main requirement to be compatible with Python 3.x# The comment on the line below should be printed on Python 2.5 or olderfrom __future__ import print_function # This version of olefile requires Python 2.6+ or 3__author__ = "Philippe Lagadec__date__ = "2015-01-25__version__ = '0.42.#--- LICENSE ----------------------------------------------------------------# olefile (formerly OleFileIO_PL) is copyright (c) 2005-2015 Philippe Lagade# (http://www.decalage.info# All rights reserved# Redistribution and use in source and binary forms, with or without modification# are permitted provided that the following conditions are met# * Redistributions of source code must retain the above copyright notice, thi# list of conditions and the following disclaimer# * Redistributions in binary form must reproduce the above copyright notice# this list of conditions and the following disclaimer in the documentatio# and/or other materials provided with the distribution# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AN# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIE# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AR# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABL# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIA# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS O# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVE# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE US# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAG# ---------# PIL License# olefile is based on source code from the OleFileIO module of the Pytho# Imaging Library (PIL) published by Fredrik Lundh under the following licens# The Python Imaging Library (PIL) i# Copyright (c) 1997-2005 by Secret Labs A# Copyright (c) 1995-2005 by Fredrik Lund# By obtaining, using, and/or copying this software and/or its associate# documentation, you agree that you have read, understood, and will comply wit# the following terms and conditions# Permission to use, copy, modify, and distribute this software and it# associated documentation for any purpose and without fee is hereby granted# provided that the above copyright notice appears in all copies, and that bot# that copyright notice and this permission notice appear in supportin# documentation, and that the name of Secret Labs AB or the author(s) not be use# in advertising or publicity pertaining to distribution of the softwar# without specific, written prior permission# SECRET LABS AB AND THE AUTHORS DISCLAIMS ALL WARRANTIES WITH REGARD TO THI# SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS# IN NO EVENT SHALL SECRET LABS AB OR THE AUTHORS BE LIABLE FOR ANY SPECIAL# INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FRO# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE O# OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE O# PERFORMANCE OF THIS SOFTWAR#----------------------------------------------------------------------------# CHANGELOG: (only olefile/OleFileIO_PL changes compared to PIL 1.1.6# 2005-05-11 v0.10 PL: - a few fixes for Python 2.4 compatibilit# (all changes flagged with [PL]# 2006-02-22 v0.11 PL: - a few fixes for some Office 2003 documents which rais# exceptions in _OleStream.__init__(# 2006-06-09 v0.12 PL: - fixes for files above 6.8MB (DIFAT in loadfat# - added some constant# - added header values check# - added some docstring# - getsect: bugfix in case sectors >512 byte# - getsect: added conformity check# - DEBUG_MODE constant to activate debug displa# 2007-09-04 v0.13 PL: - improved/translated (lots of) comment# - updated licens# - converted tabs to 4 space# 2007-11-19 v0.14 PL: - added OleFileIO._raise_defect() to adapt sensitivit# - improved _unicode() to use Python 2.x unicode suppor# - fixed bug in _OleDirectoryEntr# 2007-11-25 v0.15 PL: - added safety checks to detect FAT loop# - fixed _OleStream which didn't check stream siz# - added/improved many docstrings and comment# - moved helper functions _unicode and _clsid out o# OleFileIO clas# - improved OleFileIO._find() to add Unix path synta# - OleFileIO._find() is now case-insensitiv# - added get_type() and get_rootentry_name(# - rewritten loaddirectory and _OleDirectoryEntr# 2007-11-27 v0.16 PL: - added _OleDirectoryEntry.kids_dic# - added detection of duplicate filenames in storage# - added detection of duplicate references to stream# - added get_size() and exists() to _OleDirectoryEntr# - added isOleFile to check header before parsin# - added __all__ list to control public keywords in pydo# 2007-12-04 v0.17 PL: - added _load_direntry to fix a bug in loaddirector# - improved _unicode(), added workarounds for Python <2.# - added set_debug_mode and -d option to set debug mod# - fixed bugs in OleFileIO.open and _OleDirectoryEntr# - added safety check in main for large or binar# propertie# - allow size>0 for storages for some implementation# 2007-12-05 v0.18 PL: - fixed several bugs in handling of FAT, MiniFAT an# stream# - added option '-c' in main to check all stream# 2009-12-10 v0.19 PL: - bugfix for 32 bit arrays on 64 bits platform# (thanks to Ben G. and Martijn for reporting the bug# 2009-12-11 v0.20 PL: - bugfix in OleFileIO.open when filename is not plain st# 2010-01-22 v0.21 PL: - added support for big-endian CPUs such as PowerPC Mac# 2012-02-16 v0.22 PL: - fixed bug in getproperties, patch by chuckleberryfin# (https://bitbucket.org/decalage/olefileio_pl/issue/7# - added close method to OleFileIO (fixed issue #2# 2012-07-25 v0.23 PL: - added support for file-like objects (patch by mete0r_kr# 2013-05-05 v0.24 PL: - getproperties: added conversion from filetime to pytho# datetim# - main: displays properties with date forma# - new class OleMetadata to parse standard propertie# - added get_metadata metho# 2013-05-07 v0.24 PL: - a few improvements in OleMetadat# 2013-05-24 v0.25 PL: - getproperties: option to not convert some timestamp# - OleMetaData: total_edit_time is now a number of seconds# not a timestam# - getproperties: added support for VT_BOOL, VT_INT, V_UIN# - getproperties: filter out null chars from string# - getproperties: raise non-fatal defects instead o# exceptions when properties cannot be parsed properl# 2013-05-27 PL: - getproperties: improved exception handlin# - _raise_defect: added option to set exception typ# - all non-fatal issues are now recorded, and displaye# when run as a scrip# 2013-07-11 v0.26 PL: - added methods to get modification and creation time# of a directory entry or a storage/strea# - fixed parsing of direntry timestamp# 2013-07-24 PL: - new options in listdir to list storages and/or stream# 2014-02-04 v0.30 PL: - upgraded code to support Python 3.x by Martin Pante# - several fixes for Python 2.6 (xrange, MAGIC# - reused i32 from Pillow's _binar# 2014-07-18 v0.31 - preliminary support for 4K sector# 2014-07-27 v0.31 PL: - a few improvements in OleFileIO.open (header parsing# - Fixed loadfat for large files with 4K sectors (issue #3# 2014-07-30 v0.32 PL: - added write_sect to write sectors to dis# - added write_mode option to OleFileIO.__init__ and ope# 2014-07-31 PL: - fixed padding in write_sect for Python 3, added check# - added write_stream to write a stream to dis# 2014-09-26 v0.40 PL: - renamed OleFileIO_PL to olefil# 2014-11-09 NE: - added support for Jython (Niko Ehrenfeuchter# 2014-11-13 v0.41 PL: - improved isOleFile and OleFileIO.open to support OL# data in a string buffer and file-like objects# 2014-11-21 PL: - updated comments according to Pillow's commit# 2015-01-24 v0.42 PL: - changed the default path name encoding from Latin-# to UTF-8 on Python 2.x (Unicode on Python 3.x# - added path_encoding option to override the defaul# - fixed a bug in _list when a storage is emp#----------------------------------------------------------------------------# TODO (for version 1.0)# + get rid of print statements, to simplify Python 2.x and 3.x suppor# + add is_stream and is_storag# + remove leading and trailing slashes where a path is use# + add functions path_list2str and path_str2lis# + fix how all the methods handle unicode str and/or bytes as argument# + add path attrib to _OleDirEntry, set it once and for all in init o# append_kids (then listdir/_list can be simplified# - TESTS with Linux, MacOSX, Python 1.5.2, various files, PIL, ..# - add underscore to each private method, to avoid their display i# pydoc/epydoc documentation - Remove it for classes to be documente# - replace all raised exceptions with _raise_defect (at least in OleFileIO# - merge code from _OleStream and OleFileIO.getsect to read sector# (maybe add a class for FAT and MiniFAT ?# - add method to check all streams (follow sectors chains without storing al# stream in memory, and report anomalies# - use _OleDirectoryEntry.kids_dict to improve _find and _list # - fix Unicode names handling (find some way to stay compatible with Py1.5.2# => if possible avoid converting names to Latin-# - review DIFAT code: fix handling of DIFSECT blocks in FAT (not stop# - rewrite OleFileIO.getpropertie# - improve docstrings to show more sample use# - see also original notes and FIXME belo# - remove all obsolete FIXME# - OleMetadata: fix version attrib according t# http://msdn.microsoft.com/en-us/library/dd945671%28v=office.12%29.as# IDEAS# - in OleFileIO._open and _OleStream, use size=None instead of 0x7FFFFFFF fo# streams with unknown siz# - use arrays of int instead of long integers for FAT/MiniFAT, to improv# performance and reduce memory usage ? (possible issue with values >2^31# - provide tests with unittest (may need write support to create samples# - move all debug code (and maybe dump methods) to a separate module, wit# a class which inherits OleFileIO # - fix docstrings to follow epydoc forma# - add support for big endian byte order # - create a simple OLE explorer with wxPyth# FUTURE EVOLUTIONS to add write support# see issue #6 on Bitbucket# https://bitbucket.org/decalage/olefileio_pl/issue/6/improve-olefileio_pl-to-write-ole-fil#----------------------------------------------------------------------------# NOTES from PIL 1.1.# History# 1997-01-20 fl Create# 1997-01-22 fl Fixed 64-bit portability quir# 2003-09-09 fl Fixed typo in OleFileIO.loadfat (noted by Daniel Haertle# 2004-02-29 fl Changed long hex constants to signed integer# Notes# FIXME: sort out sign problem (eliminate long hex constants# FIXME: change filename to use "a/b/c" instead of ["a", "b", "c"# FIXME: provide a glob mechanism function (using fnmatchcase# Literature# "FlashPix Format Specification, Appendix A", Kodak and Microsoft# September 1996# Quotes# "If this document and functionality of the Software conflict# the actual functionality of the Software represents the correc# functionality" -- Microsoft, in the OLE format specificati#---------------------------------------------------------------------------import iimport syimport struct, array, os.path, dateti#=== COMPATIBILITY WORKAROUNDS ==============================================#[PL] Define explicitly the public API to avoid private objects in pydoc#TODO: add mor# __all__ = ['OleFileIO', 'isOleFile', 'MAGIC# For Python 3.x, need to redefine long as intif str is not bytes long = i# Need to make sure we use xrange both on Python 2 and 3.xtry # on Python 2 we need xrange iterrange = xrangexcept # no xrange, for Python 3 it was renamed as range iterrange = ran#[PL] workaround to fix an issue with array item size on 64 bits systemsif array.array('L').itemsize == 4 # on 32 bits platforms, long integers in an array are 32 bits UINT32 = 'Lelif array.array('I').itemsize == 4 # on 64 bits platforms, integers in an array are 32 bits UINT32 = 'Ielif array.array('i').itemsize == 4 # On 64 bit Jython, signed integers ('i') are the only way to store our 3 # bit values in an array in a *somewhat* reasonable way, as the otherwis # perfectly suited 'H' (unsigned int, 32 bits) results in a completel # unusable behaviour. This is most likely caused by the fact that Jav # doesn't have unsigned values, and thus Jython's "array" implementation # which is based on "jarray", doesn't have them either # NOTE: to trick Jython into converting the values it would normall # interpret as "signed" into "unsigned", a binary-and operation wit # 0xFFFFFFFF can be used. This way it is possible to use the same comparin # operations on all platforms / implementations. The corresponding cod # lines are flagged with a 'JYTHON-WORKAROUND' tag below UINT32 = 'ielse raise ValueError('Need to fix a bug with 32 bit arrays, please contact author..#[PL] These workarounds were inspired from the Path modul# (see http://www.jorendorff.com/articles/python/path/#TODO: test with old Python versio# Pre-2.3 workaround for basestringtry basestrinexcept NameError try # is Unicode supported (Python >2.0 or >1.6 ? basestring = (str, unicode except NameError basestring = s#[PL] Experimental setting: if True, OLE filenames will be kept in Unicod# if False (default PIL behaviour), all filenames are converted to Latin-1KEEP_UNICODE_NAMES = Trif sys.version_info[0] < 3 # On Python 2.x, the default encoding for path names is UTF-8 DEFAULT_PATH_ENCODING = 'utf-8else # On Python 3.x, the default encoding for path names is Unicode (None) DEFAULT_PATH_ENCODING = N#=== DEBUGGING =============================================================#TODO: replace this by proper loggi#[PL] DEBUG display mode: False by default, use set_debug_mode() or "-d" o# command line to change itDEBUG_MODE = Falsdef debug_print(msg) print(msgdef debug_pass(msg) pasdebug = debug_padef set_debug_mode(debug_mode) "" Set debug mode on or off, to control display of debugging messages :param mode: True or Fals "" global DEBUG_MODE, debu DEBUG_MODE = debug_mod if debug_mode debug = debug_prin else debug = debug_p#=== CONSTANTS =============================================================# magic bytes that should be at the beginning of every OLE fileMAGIC = b'\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE#[PL]: added constants for Sector IDs (from AAF specificationsMAXREGSECT = 0xFFFFFFFA # (-6) maximum SECDIFSECT = 0xFFFFFFFC # (-4) denotes a DIFAT sector in a FAFATSECT = 0xFFFFFFFD # (-3) denotes a FAT sector in a FAENDOFCHAIN = 0xFFFFFFFE # (-2) end of a virtual stream chaiFREESECT = 0xFFFFFFFF # (-1) unallocated sect#[PL]: added constants for Directory Entry IDs (from AAF specificationsMAXREGSID = 0xFFFFFFFA # (-6) maximum directory entry INOSTREAM = 0xFFFFFFFF # (-1) unallocated directory ent#[PL] object types in storage (from AAF specificationsSTGTY_EMPTY = 0 # empty directory entry (according to OpenOffice.org docSTGTY_STORAGE = 1 # element is a storage objecSTGTY_STREAM = 2 # element is a stream objecSTGTY_LOCKBYTES = 3 # element is an ILockBytes objecSTGTY_PROPERTY = 4 # element is an IPropertyStorage objecSTGTY_ROOT = 5 # element is a root stor# -------------------------------------------------------------------# property typVT_EMPTY=0; VT_NULL=1; VT_I2=2; VT_I4=3; VT_R4=4; VT_R8=5; VT_CY=6VT_DATE=7; VT_BSTR=8; VT_DISPATCH=9; VT_ERROR=10; VT_BOOL=11VT_VARIANT=12; VT_UNKNOWN=13; VT_DECIMAL=14; VT_I1=16; VT_UI1=17VT_UI2=18; VT_UI4=19; VT_I8=20; VT_UI8=21; VT_INT=22; VT_UINT=23VT_VOID=24; VT_HRESULT=25; VT_PTR=26; VT_SAFEARRAY=27; VT_CARRAY=28VT_USERDEFINED=29; VT_LPSTR=30; VT_LPWSTR=31; VT_FILETIME=64VT_BLOB=65; VT_STREAM=66; VT_STORAGE=67; VT_STREAMED_OBJECT=68VT_STORED_OBJECT=69; VT_BLOB_OBJECT=70; VT_CF=71; VT_CLSID=72VT_VECTOR=0x100# map property id to name (for debugging purposeVT = {for keyword, var in list(vars().items()) if keyword[:3] == "VT_" VT[var] = keywo# -------------------------------------------------------------------# Some common document types (root.clsid fieldWORD_CLSID = "00020900-0000-0000-C000-000000000046#TODO: check Excel, PPT, .#[PL]: Defect levels to classify parsing errors - see OleFileIO._raise_defect(DEFECT_UNSURE = 10 # a case which looks weird, but not sure it's a defecDEFECT_POTENTIAL = 20 # a potential defecDEFECT_INCORRECT = 30 # an error according to specifications, but parsin # can go oDEFECT_FATAL = 40 # an error which cannot be ignored, parsing i # impossib# Minimal size of an empty OLE file, with 512-bytes sectors = 1536 byte# (this is used in isOleFile and OleFile.openMINIMAL_OLEFILE_SIZE = 15#[PL] add useful constants to __all__# for key in list(vars().keys())# if key.startswith('STGTY_') or key.startswith('DEFECT_')# __all__.append(k#=== FUNCTIONS =============================================================def isOleFile (filename) "" Test if a file is an OLE container (according to the magic bytes in its header :param filename: string-like or file-like object, OLE file to par - if filename is a string smaller than 1536 bytes, it is the pat of the file to open. (bytes or unicode string - if filename is a string longer than 1535 bytes, it is parse as the content of an OLE file in memory. (bytes type only - if filename is a file-like object (with read and seek methods) it is parsed as-i :returns: True if OLE, False otherwise "" # check if filename is a string-like or file-like object if hasattr(filename, 'read') # file-like object: use it directl header = filename.read(len(MAGIC) # just in case, seek back to start of file filename.seek(0 elif isinstance(filename, bytes) and len(filename) >= MINIMAL_OLEFILE_SIZE # filename is a bytes string containing the OLE file to be parsed header = filename[:len(MAGIC) else # string-like object: filename of file on dis header = open(filename, 'rb').read(len(MAGIC) if header == MAGIC return Tru else return Faif bytes is str # version for Python 2. def i8(c) return ord(celse # version for Python 3. def i8(c) return c if c.__class__ is int else c#TODO: replace i16 and i32 with more readable struct.unpack equivalendef i16(c, o = 0) "" Converts a 2-bytes (16 bits) string to an intege :param c: string containing bytes to conver :param o: offset of bytes to convert in strin "" return i8(c[o]) | (i8(c[o+1]) len(fat) raise IOError('malformed OLE document, stream too large' # optimization(?): data is first a list of strings, and join() is calle # at the end to concatenate all in one string # (this may not be really useful with recent Python versions data = [ # if size is zero, then first sector index should be ENDOFCHAIN if size == 0 and sect != ENDOFCHAIN debug('size == 0 and sect != ENDOFCHAIN:' raise IOError('incorrect OLE sector index for empty stream' #[PL] A fixed-length for loop is used instead of an undefined whil # loop to avoid DoS attacks for i in range(nb_sectors) # Sector index may be ENDOFCHAIN, but only if size was unknow if sect == ENDOFCHAIN if unknown_size brea else # else this means that the stream is smaller than declared debug('sect=ENDOFCHAIN before expected size' raise IOError('incomplete OLE stream' # sector index should be within FAT if sect<0 or sect>=len(fat) debug('sect=%d (%X) / len(fat)=%d' % (sect, sect, len(fat)) debug('i=%d / nb_sectors=%d' %(i, nb_sectors)## tmp_data = b"".join(data## f = open('test_debug.bin', 'wb'## f.write(tmp_data## f.close(## debug('data read so far: %d bytes' % len(tmp_data) raise IOError('incorrect OLE FAT, sector index out of range' #TODO: merge this code with OleFileIO.getsect() #TODO: check if this works with 4K sectors try fp.seek(offset + sectorsize * sect except debug('sect=%d, seek=%d, filesize=%d' (sect, offset+sectorsize*sect, filesize) raise IOError('OLE sector index out of range' sector_data = fp.read(sectorsize # [PL] check if there was enough data # Note: if sector is the last of the file, sometimes it is not # complete sector (of 512 or 4K), so we may read less tha # sectorsize if len(sector_data)!=sectorsize and sect!=(len(fat)-1) debug('sect=%d / len(fat)=%d, seek=%d / filesize=%d, len read=%d' (sect, len(fat), offset+sectorsize*sect, filesize, len(sector_data)) debug('seek+len(read)=%d' % (offset+sectorsize*sect+len(sector_data)) raise IOError('incomplete OLE sector' data.append(sector_data # jump to next sector in the FAT try sect = fat[sect] & 0xFFFFFFFF # JYTHON-WORKAROUN except IndexError # [PL] if pointer is out of the FAT an exception is raise raise IOError('incorrect OLE FAT, sector index out of range' #[PL] Last sector should be a "end of chain" marker if sect != ENDOFCHAIN raise IOError('incorrect last sector index in OLE stream' data = b"".join(data # Data is truncated to the actual stream size if len(data) >= size data = data[:size # actual stream size is stored for future use self.size = siz elif unknown_size # actual stream size was not known, now we know the size of rea # data self.size = len(data else # read data is less than expected debug('len(data)=%d, size=%d' % (len(data), size) raise IOError('OLE stream size is less than declared' # when all data is read in memory, BytesIO constructor is calle io.BytesIO.__init__(self, data # Then the _OleStream object can be used as a read-only file obje#--- _OleDirectoryEntry -----------------------------------------------------class _OleDirectoryEntr "" OLE2 Directory Entr "" #[PL] parsing code moved from OleFileIO.loaddirecto # struct to parse directory entries # <: little-endian byte order, standard size # (note: this should guarantee that Q returns a 64 bits int # 64s: string containing entry name in unicode (max 31 chars) + null cha # H: uint16, number of bytes used in name buffer, including null = (len+1)* # B: uint8, dir entry type (between 0 and 5 # B: uint8, color: 0=black, 1=re # I: uint32, index of left child node in the red-black tree, NOSTREAM if non # I: uint32, index of right child node in the red-black tree, NOSTREAM if non # I: uint32, index of child root node if it is a storage, else NOSTREA # 16s: CLSID, unique identifier (only used if it is a storage # I: uint32, user flag # Q (was 8s): uint64, creation timestamp or zer # Q (was 8s): uint64, modification timestamp or zer # I: uint32, SID of first sector if stream or ministream, SID of 1st secto # of stream containing ministreams if root entry, 0 otherwis # I: uint32, total stream size in bytes if stream (low 32 bits), 0 otherwis # I: uint32, total stream size in bytes if stream (high 32 bits), 0 otherwis STRUCT_DIRENTRY = '<64sHBBIII16sIQQIII # size of a directory entry: 128 byte DIRENTRY_SIZE = 12 assert struct.calcsize(STRUCT_DIRENTRY) == DIRENTRY_S def __init__(self, entry, sid, olefile) "" Constructor for an _OleDirectoryEntry object Parses a 128-bytes entry from the OLE Directory strea :param entry : string (must be 128 bytes long :param sid : index of this directory entry in the OLE file director :param olefile: OleFileIO containing this directory entr "" self.sid = si # ref to olefile is stored for future us self.olefile = olefil # kids is a list of children entries, if this entry is a storage # (list of _OleDirectoryEntry objects self.kids = [ # kids_dict is a dictionary of children entries, indexed by thei # name in lowercase: used to quickly find an entry, and to detec # duplicate self.kids_dict = { # flag used to detect if the entry is referenced more than once i # directory self.used = Fals # decode DirEntr name namelength self.entry_type self.color self.sid_left self.sid_right self.sid_child clsid self.dwUserFlags self.createTime self.modifyTime self.isectStart sizeLow sizeHig ) = struct.unpack(_OleDirectoryEntry.STRUCT_DIRENTRY, entry if self.entry_type not in [STGTY_ROOT, STGTY_STORAGE, STGTY_STREAM, STGTY_EMPTY] olefile._raise_defect(DEFECT_INCORRECT, 'unhandled OLE storage type' # only first directory entry can (and should) be root if self.entry_type == STGTY_ROOT and sid != 0 olefile._raise_defect(DEFECT_INCORRECT, 'duplicate OLE root entry' if sid == 0 and self.entry_type != STGTY_ROOT olefile._raise_defect(DEFECT_INCORRECT, 'incorrect OLE root entry' #debug (struct.unpack(fmt_entry, entry[:len_entry]) # name should be at most 31 unicode characters + null character # so 64 bytes in total (31*2 + 2) if namelength>64 olefile._raise_defect(DEFECT_INCORRECT, 'incorrect DirEntry name length' # if exception not raised, namelength is set to the maximum value namelength = 6 # only characters without ending null char are kept name = name[:(namelength-2) #TODO: check if the name is actually followed by a null unicode character ([MS-CFB] 2.6.1 #TODO: check if the name does not contain forbidden characters # [MS-CFB] 2.6.1: "The following characters are illegal and MUST NOT be part of the name: '/', '\', ':', '!'. # name is converted from UTF-16LE to the path encoding specified in the OleFileIO self.name = olefile._decode_utf16_str(nam debug('DirEntry SID=%d: %s' % (self.sid, repr(self.name)) debug(' - type: %d' % self.entry_type debug(' - sect: %d' % self.isectStart debug(' - SID left: %d, right: %d, child: %d' % (self.sid_left self.sid_right, self.sid_child # sizeHigh is only used for 4K sectors, it should be zero for 512 byte # sectors, BUT apparently some implementations set it as 0xFFFFFFFF, # or some other value so it cannot be raised as a defect in general if olefile.sectorsize == 512 if sizeHigh != 0 and sizeHigh != 0xFFFFFFFF debug('sectorsize=%d, sizeLow=%d, sizeHigh=%d (%X)' (olefile.sectorsize, sizeLow, sizeHigh, sizeHigh) olefile._raise_defect(DEFECT_UNSURE, 'incorrect OLE stream size' self.size = sizeLo else self.size = sizeLow + (long(sizeHigh)<<32 debug(' - size: %d (sizeLow=%d, sizeHigh=%d)' % (self.size, sizeLow, sizeHigh self.clsid = _clsid(clsid # a storage should have a null size, BUT some implementations such a # Word 8 for Mac seem to allow non-null values => Potential defect if self.entry_type == STGTY_STORAGE and self.size != 0 olefile._raise_defect(DEFECT_POTENTIAL, 'OLE storage with size>0' # check if stream is not already referenced elsewhere if self.entry_type in (STGTY_ROOT, STGTY_STREAM) and self.size>0 if self.size < olefile.minisectorcutoff and self.entry_type==STGTY_STREAM: # only streams can be in MiniFA # ministream objec minifat = Tru else minifat = Fals olefile._check_duplicate_stream(self.isectStart, mini def build_storage_tree(self) "" Read and build the red-black tree attached to this _OleDirectoryEntr object, if it is a storage Note that this method builds a tree of all subentries, so it shoul only be called for the root object once "" debug('build_storage_tree: SID=%d - %s - sid_child=%d % (self.sid, repr(self.name), self.sid_child) if self.sid_child != NOSTREAM # if child SID is not NOSTREAM, then this entry is a storage # Let's walk through the tree of children to fill the kids list self.append_kids(self.sid_chil # Note from OpenOffice documentation: the safest way is t # recreate the tree because some implementations may store broke # red-black trees. # in the OLE file, entries are sorted on (length, name) # for convenience, we sort them on name instead # (see rich comparison methods in this class self.kids.sor def append_kids(self, child_sid) "" Walk through red-black tree of children of this directory entry to ad all of them to the kids list. (recursive metho :param child_sid : index of child directory entry to use, or None when calle first time for the root. (only used during recursion "" #[PL] this method was added to use simple recursion instead of a comple # algorithm # if this is not a storage or a leaf of the tree, nothing to do if child_sid == NOSTREAM retur # check if child SID is in the proper range if child_sid<0 or child_sid>=len(self.olefile.direntries) self.olefile._raise_defect(DEFECT_FATAL, 'OLE DirEntry index out of range' # get child direntry child = self.olefile._load_direntry(child_sid) #direntries[child_sid debug('append_kids: child_sid=%d - %s - sid_left=%d, sid_right=%d, sid_child=%d % (child.sid, repr(child.name), child.sid_left, child.sid_right, child.sid_child) # the directory entries are organized as a red-black tree # (cf. Wikipedia for details # First walk through left side of the tree self.append_kids(child.sid_left # Check if its name is not already used (case-insensitive) name_lower = child.name.lower( if name_lower in self.kids_dict self.olefile._raise_defect(DEFECT_INCORRECT "Duplicate filename in OLE storage" # Then the child_sid _OleDirectoryEntry object is appended to th # kids list and dictionary self.kids.append(child self.kids_dict[name_lower] = chil # Check if kid was not already referenced in a storage if child.used self.olefile._raise_defect(DEFECT_INCORRECT 'OLE Entry referenced more than once' child.used = Tru # Finally walk through right side of the tree self.append_kids(child.sid_right # Afterwards build kid's own tree if it's also a storage child.build_storage_tre def __eq__(self, other) "Compare entries by name return self.name == other.na def __lt__(self, other) "Compare entries by name return self.name < other.na def __ne__(self, other) return not self.__eq__(othe def __le__(self, other) return self.__eq__(other) or self.__lt__(othe # Reflected __lt__() and __le__() will be used for __gt__() and __ge__ #TODO: replace by the same function as MS implementation # (order by name length first, then case-insensitive ord def dump(self, tab = 0) "Dump this entry, and all its subentries (for debug purposes only) TYPES = ["(invalid)", "(storage)", "(stream)", "(lockbytes)" "(property)", "(root)" print(" "*tab + repr(self.name), TYPES[self.entry_type], end=' ' if self.entry_type in (STGTY_STREAM, STGTY_ROOT) print(self.size, "bytes", end=' ' print( if self.entry_type in (STGTY_STORAGE, STGTY_ROOT) and self.clsid print(" "*tab + "{%s}" % self.clsi for kid in self.kids kid.dump(tab + def getmtime(self) "" Return modification time of a directory entr :returns: None if modification time is null, a python datetime objec otherwise (UTC timezon new in version 0.2 "" if self.modifyTime == 0 return Non return filetime2datetime(self.modifyTi def getctime(self) "" Return creation time of a directory entr :returns: None if modification time is null, a python datetime objec otherwise (UTC timezon new in version 0.2 "" if self.createTime == 0 return Non return filetime2datetime(self.createTi#--- OleFileIO --------------------------------------------------------------class OleFileIO "" OLE container obje This class encapsulates the interface to an OLE 2 structure storage file. Use the listdir and openstream methods t access the contents of this fil Object names are given as a list of strings, one for each subentr level. The root entry should be omitted. For example, the followin code extracts all image streams from a Microsoft Image Composer file ole = OleFileIO("fan.mic for entry in ole.listdir() if entry[1:2] == "Image" fin = ole.openstream(entry fout = open(entry[0:1], "wb" while True s = fin.read(8192 if not s brea fout.write( You can use the viewer application provided with the Python Imagin Library to view the resulting files (which happens to be standar TIFF files) " def __init__(self, filename=None, raise_defects=DEFECT_FATAL write_mode=False, debug=False, path_encoding=DEFAULT_PATH_ENCODING) "" Constructor for the OleFileIO clas :param filename: file to ope - if filename is a string smaller than 1536 bytes, it is the pat of the file to open. (bytes or unicode string - if filename is a string longer than 1535 bytes, it is parse as the content of an OLE file in memory. (bytes type only - if filename is a file-like object (with read, seek and tell methods) it is parsed as-i :param raise_defects: minimal level for defects to be raised as exceptions (use DEFECT_FATAL for a typical application, DEFECT_INCORRECT for security-oriented application, see source code for detail :param write_mode: bool, if True the file is opened in read/write mode instea of read-only by defaul :param debug: bool, set debug mo :param path_encoding: None or str, name of the codec to use for pat names (streams and storages), or None for Unicode Unicode by default on Python 3+, UTF-8 on Python 2.x (new in olefile 0.42, was hardcoded to Latin-1 until olefile v0.41 "" set_debug_mode(debug # minimal level for defects to be raised as exceptions self._raise_defects_level = raise_defect # list of defects/issues not raised as exceptions # tuples of (exception type, message self.parsing_issues = [ self.write_mode = write_mod self.path_encoding = path_encodin self._filesize = Non self.fp = Non if filename self.open(filename, write_mode=write_mo def _raise_defect(self, defect_level, message, exception_type=IOError) "" This method should be called for any defect found during file parsing It may raise an IOError exception according to the minimal level chose for the OleFileIO objec :param defect_level: defect level, possible values ar - DEFECT_UNSURE : a case which looks weird, but not sure it's a defec - DEFECT_POTENTIAL : a potential defec - DEFECT_INCORRECT : an error according to specifications, but parsing can go o - DEFECT_FATAL : an error which cannot be ignored, parsing is impossib :param message: string describing the defect, used with raised exception :param exception_type: exception class to be raised, IOError by defaul "" # added by [PL if defect_level >= self._raise_defects_level raise exception_type(message else # just record the issue, no exception raised self.parsing_issues.append((exception_type, messag def _decode_utf16_str(self, utf16_str, errors='replace') "" Decode a string encoded in UTF-16 LE format, as found in the OL directory or in property streams. Return a string encode according to the path_encoding specified for the OleFileIO objec :param utf16_str: bytes string encoded in UTF-16 LE forma :param errors: str, see python documentation for str.decode( :return: str, encoded according to path_encodin "" unicode_str = utf16_str.decode('UTF-16LE', errors if self.path_encoding # an encoding has been specified for path names return unicode_str.encode(self.path_encoding, errors else # path_encoding=None, return the Unicode string as-is return unicode_ def open(self, filename, write_mode=False) "" Open an OLE2 file in read-only or read/write mode Read and parse the header, FAT and director :param filename: string-like or file-like object, OLE file to par - if filename is a string smaller than 1536 bytes, it is the pat of the file to open. (bytes or unicode string - if filename is a string longer than 1535 bytes, it is parse as the content of an OLE file in memory. (bytes type only - if filename is a file-like object (with read, seek and tell methods) it is parsed as-i :param write_mode: bool, if True the file is opened in read/write mode instea of read-only by default. (ignored if filename is not a path "" self.write_mode = write_mod #[PL] check if filename is a string-like or file-like object # (it is better to check for a read() method if hasattr(filename, 'read') #TODO: also check seek and tell methods # file-like object: use it directl self.fp = filenam elif isinstance(filename, bytes) and len(filename) >= MINIMAL_OLEFILE_SIZE # filename is a bytes string containing the OLE file to be parsed # convert it to BytesI self.fp = io.BytesIO(filename else # string-like object: filename of file on dis if self.write_mode # open file in mode 'read with update, binary # According to https://docs.python.org/2/library/functions.html#ope # 'w' would truncate the file, 'a' may only append on some Unixe mode = 'r+b else # read-only mode by defaul mode = 'rb self.fp = open(filename, mode # obtain the filesize by using seek and tell, which should work on mos # file-like objects #TODO: do it above, using getsize with filename when possible #TODO: fix code to fail with clear exception when filesize cannot be obtaine filesize= self.fp.seek(0, os.SEEK_END try filesize = self.fp.tell( finally self.fp.seek(0 self._filesize = filesi # lists of streams in FAT and MiniFAT, to detect duplicate reference # (list of indexes of first sectors of each stream self._used_streams_fat = [ self._used_streams_minifat = header = self.fp.read(51 if len(header) != 512 or header[:8] != MAGIC self._raise_defect(DEFECT_FATAL, "not an OLE2 structured storage file # [PL] header structure according to AAF specifications ##Heade ##struct StructuredStorageHeader { // [offset from start (bytes), length (bytes) ##BYTE _abSig[8]; // [00H,08] {0xd0, 0xcf, 0x11, 0xe0, 0xa1, 0xb1 ## // 0x1a, 0xe1} for current versio ##CLSID _clsid; // [08H,16] reserved must be zero (WriteClassStg ## // GetClassFile uses root directory class id ##USHORT _uMinorVersion; // [18H,02] minor version of the format: 33 i ## // written by reference implementatio ##USHORT _uDllVersion; // [1AH,02] major version of the dll/format: 3 fo ## // 512-byte sectors, 4 for 4 KB sector ##USHORT _uByteOrder; // [1CH,02] 0xFFFE: indicates Intel byte-orderin ##USHORT _uSectorShift; // [1EH,02] size of sectors in power-of-two ## // typically 9 indicating 512-byte sector ##USHORT _uMiniSectorShift; // [20H,02] size of mini-sectors in power-of-two ## // typically 6 indicating 64-byte mini-sector ##USHORT _usReserved; // [22H,02] reserved, must be zer ##ULONG _ulReserved1; // [24H,04] reserved, must be zer ##FSINDEX _csectDir; // [28H,04] must be zero for 512-byte sectors ## // number of SECTs in directory chain for 4 K ## // sector ##FSINDEX _csectFat; // [2CH,04] number of SECTs in the FAT chai ##SECT _sectDirStart; // [30H,04] first SECT in the directory chai ##DFSIGNATURE _signature; // [34H,04] signature used for transactions; mus ## // be zero. The reference implementatio ## // does not support transaction ##ULONG _ulMiniSectorCutoff; // [38H,04] maximum size for a mini stream ## // typically 4096 byte ##SECT _sectMiniFatStart; // [3CH,04] first SECT in the MiniFAT chai ##FSINDEX _csectMiniFat; // [40H,04] number of SECTs in the MiniFAT chai ##SECT _sectDifStart; // [44H,04] first SECT in the DIFAT chai ##FSINDEX _csectDif; // [48H,04] number of SECTs in the DIFAT chai ##SECT _sectFat[109]; // [4CH,436] the SECTs of first 109 FAT sector ## # [PL] header decoding # '<' indicates little-endian byte ordering for Intel (cf. struct module help fmt_header = '<8s16sHHHHHHLLLLLLLLLL header_size = struct.calcsize(fmt_header debug( "fmt_header size = %d, +FAT = %d" % (header_size, header_size + 109*4) header1 = header[:header_size self.Sig self.clsid self.MinorVersion self.DllVersion self.ByteOrder self.SectorShift self.MiniSectorShift self.Reserved, self.Reserved1 self.csectDir self.csectFat self.sectDirStart self.signature self.MiniSectorCutoff self.MiniFatStart self.csectMiniFat self.sectDifStart self.csectDi ) = struct.unpack(fmt_header, header1 debug( struct.unpack(fmt_header, header1 if self.Sig != MAGIC # OLE signature should always be presen self._raise_defect(DEFECT_FATAL, "incorrect OLE signature" if self.clsid != bytearray(16) # according to AAF specs, CLSID should always be zer self._raise_defect(DEFECT_INCORRECT, "incorrect CLSID in OLE header" debug( "MinorVersion = %d" % self.MinorVersion debug( "DllVersion = %d" % self.DllVersion if self.DllVersion not in [3, 4] # version 3: usual format, 512 bytes per secto # version 4: large format, 4K per secto self._raise_defect(DEFECT_INCORRECT, "incorrect DllVersion in OLE header" debug( "ByteOrder = %X" % self.ByteOrder if self.ByteOrder != 0xFFFE # For now only common little-endian documents are handled correctl self._raise_defect(DEFECT_FATAL, "incorrect ByteOrder in OLE header" # TODO: add big-endian support for documents created on Mac # But according to [MS-CFB] ? v20140502, ByteOrder MUST be 0xFFFE self.SectorSize = 2**self.SectorShif debug( "SectorSize = %d" % self.SectorSize if self.SectorSize not in [512, 4096] self._raise_defect(DEFECT_INCORRECT, "incorrect SectorSize in OLE header" if (self.DllVersion==3 and self.SectorSize!=512) or (self.DllVersion==4 and self.SectorSize!=4096) self._raise_defect(DEFECT_INCORRECT, "SectorSize does not match DllVersion in OLE header" self.MiniSectorSize = 2**self.MiniSectorShif debug( "MiniSectorSize = %d" % self.MiniSectorSize if self.MiniSectorSize not in [64] self._raise_defect(DEFECT_INCORRECT, "incorrect MiniSectorSize in OLE header" if self.Reserved != 0 or self.Reserved1 != 0 self._raise_defect(DEFECT_INCORRECT, "incorrect OLE header (non-null reserved bytes)" debug( "csectDir = %d" % self.csectDir # Number of directory sectors (only allowed if DllVersion != 3 if self.SectorSize==512 and self.csectDir!=0 self._raise_defect(DEFECT_INCORRECT, "incorrect csectDir in OLE header" debug( "csectFat = %d" % self.csectFat # csectFat = number of FAT sectors in the fil debug( "sectDirStart = %X" % self.sectDirStart # sectDirStart = 1st sector containing the director debug( "signature = %d" % self.signature # Signature should be zero, BUT some implementations do not follow thi # rule => only a potential defect # (according to MS-CFB, may be != 0 for applications supporting fil # transactions if self.signature != 0 self._raise_defect(DEFECT_POTENTIAL, "incorrect OLE header (signature>0)" debug( "MiniSectorCutoff = %d" % self.MiniSectorCutoff # MS-CFB: This integer field MUST be set to 0x00001000. This fiel # specifies the maximum size of a user-defined data stream allocate # from the mini FAT and mini stream, and that cutoff is 4096 bytes # Any user-defined data stream larger than or equal to this cutoff siz # must be allocated as normal sectors from the FAT if self.MiniSectorCutoff != 0x1000 self._raise_defect(DEFECT_INCORRECT, "incorrect MiniSectorCutoff in OLE header" debug( "MiniFatStart = %X" % self.MiniFatStart debug( "csectMiniFat = %d" % self.csectMiniFat debug( "sectDifStart = %X" % self.sectDifStart debug( "csectDif = %d" % self.csectDif # calculate the number of sectors in the fil # (-1 because header doesn't count self.nb_sect = ( (filesize + self.SectorSize-1) // self.SectorSize) - debug( "Number of sectors in the file: %d" % self.nb_sect #TODO: change this test, because an OLE file MAY contain other dat # after the last secto # file clsi self.clsid = _clsid(header[8:24 #TODO: remove redundant attributes, and fix the code which uses them self.sectorsize = self.SectorSize #1 << i16(header, 30 self.minisectorsize = self.MiniSectorSize #1 << i16(header, 32 self.minisectorcutoff = self.MiniSectorCutoff # i32(header, 5 # check known streams for duplicate references (these are always in FAT # never in MiniFAT) self._check_duplicate_stream(self.sectDirStart # check MiniFAT only if it is not empty if self.csectMiniFat self._check_duplicate_stream(self.MiniFatStart # check DIFAT only if it is not empty if self.csectDif self._check_duplicate_stream(self.sectDifStar # Load file allocation table self.loadfat(header # Load direcory. This sets both the direntries list (ordered by sid # and the root (ordered by hierarchy) members self.loaddirectory(self.sectDirStart)#i32(header, 48) self.ministream = Non self.minifatsect = self.MiniFatStart #i32(header, def close(self) "" close the OLE file, to release the file objec "" self.fp.clos def _check_duplicate_stream(self, first_sect, minifat=False) "" Checks if a stream has not been already referenced elsewhere This method should only be called once for each known stream, and onl if stream size is not nul :param first_sect: int, index of first sector of the stream in FA :param minifat: bool, if True, stream is located in the MiniFAT, else in the FA "" if minifat debug('_check_duplicate_stream: sect=%d in MiniFAT' % first_sect used_streams = self._used_streams_minifa else debug('_check_duplicate_stream: sect=%d in FAT' % first_sect # some values can be safely ignored (not a real stream) if first_sect in (DIFSECT,FATSECT,ENDOFCHAIN,FREESECT) retur used_streams = self._used_streams_fa #TODO: would it be more efficient using a dict or hash values, instea # of a list of long if first_sect in used_streams self._raise_defect(DEFECT_INCORRECT, 'Stream referenced twice' else used_streams.append(first_se def dumpfat(self, fat, firstindex=0) "Displays a part of FAT in human-readable form for debugging purpose # [PL] added only for debu if not DEBUG_MODE retur # dictionary to convert special FAT values in human-readable string VPL = 8 # values per line (8+1 * 8+1 = 81 fatnames = FREESECT: "..free.." ENDOFCHAIN: "[ END. ]" FATSECT: "FATSECT " DIFSECT: "DIFSECT nbsect = len(fat nlines = (nbsect+VPL-1)//VP print("index", end=" " for i in range(VPL) print("%8X" % i, end=" " print( for l in range(nlines) index = l*VP print("%8X:" % (firstindex+index), end=" " for i in range(index, index+VPL) if i>=nbsect brea sect = fat[i aux = sect & 0xFFFFFFFF # JYTHON-WORKAROUN if aux in fatnames name = fatnames[aux else if sect == i+1 name = " ---> else name = "%8X" % sec print(name, end=" " prin def dumpsect(self, sector, firstindex=0) "Displays a sector in a human-readable form, for debugging purpose. if not DEBUG_MODE retur VPL=8 # number of values per line (8+1 * 8+1 = 81 tab = array.array(UINT32, sector if sys.byteorder == 'big' tab.byteswap( nbsect = len(tab nlines = (nbsect+VPL-1)//VP print("index", end=" " for i in range(VPL) print("%8X" % i, end=" " print( for l in range(nlines) index = l*VP print("%8X:" % (firstindex+index), end=" " for i in range(index, index+VPL) if i>=nbsect brea sect = tab[i name = "%8X" % sec print(name, end=" " print def sect2array(self, sect) "" convert a sector to an array of 32 bits unsigned integers swapping bytes on big endian CPUs such as PowerPC (old Macs "" a = array.array(UINT32, sect # if CPU is big endian, swap bytes if sys.byteorder == 'big' a.byteswap( retur def loadfat_sect(self, sect) "" Adds the indexes of the given sector to the F :param sect: string containing the first FAT sector, or array of long integer :returns: index of last FAT sector "" # a FAT sector is an array of ulong integers if isinstance(sect, array.array) # if sect is already an array it is directly use fat1 = sec else # if it's a raw sector, it is parsed in an arra fat1 = self.sect2array(sect self.dumpsect(sect # The FAT is a sector chain starting at the first index of itself for isect in fat1 isect = isect & 0xFFFFFFFF # JYTHON-WORKAROUN debug("isect = %X" % isect if isect == ENDOFCHAIN or isect == FREESECT # the end of the sector chain has been reache debug("found end of sector chain" brea # read the FAT secto s = self.getsect(isect # parse it as an array of 32 bits integers, and add it to th # global FAT arra nextfat = self.sect2array(s self.fat = self.fat + nextfa return is def loadfat(self, header) "" Load the FAT table "" # The 1st sector of the file contains sector numbers for the first 10 # FAT sectors, right after the header which is 76 bytes long # (always 109, whatever the sector size: 512 bytes = 76+4*109 # Additional sectors are described by DIF bloc sect = header[76:512 debug( "len(sect)=%d, so %d integers" % (len(sect), len(sect)//4) #fat = [ # [PL] FAT is an array of 32 bits unsigned ints, it's more effectiv # to use an array than a list in Python # It's initialized as empty first self.fat = array.array(UINT32 self.loadfat_sect(sect #self.dumpfat(self.fat## for i in range(0, len(sect), 4)## ix = i32(sect, i## #[PL] if ix == -2 or ix == -1: # ix == 0xFFFFFFFE or ix == 0xFFFFFFFF## if ix == 0xFFFFFFFE or ix == 0xFFFFFFFF## brea## s = self.getsect(ix## #fat = fat + [i32(s, i) for i in range(0, len(s), 4)## fat = fat + array.array(UINT32, s if self.csectDif != 0 # [PL] There's a DIFAT because file is larger than 6.8M # some checks just in case if self.csectFat <= 109 # there must be at least 109 blocks in header and the rest i # DIFAT, so number of sectors must be >109 self._raise_defect(DEFECT_INCORRECT, 'incorrect DIFAT, not enough sectors' if self.sectDifStart >= self.nb_sect # initial DIFAT block index must be vali self._raise_defect(DEFECT_FATAL, 'incorrect DIFAT, first index out of range' debug( "DIFAT analysis..." # We compute the necessary number of DIFAT sectors # Number of pointers per DIFAT sector = (sectorsize/4)- # (-1 because the last pointer is the next DIFAT sector number nb_difat_sectors = (self.sectorsize//4)- # (if 512 bytes: each DIFAT sector = 127 pointers + 1 towards next DIFAT sector nb_difat = (self.csectFat-109 + nb_difat_sectors-1)//nb_difat_sector debug( "nb_difat = %d" % nb_difat if self.csectDif != nb_difat raise IOError('incorrect DIFAT' isect_difat = self.sectDifStar for i in iterrange(nb_difat) debug( "DIFAT block %d, sector %X" % (i, isect_difat) #TODO: check if corresponding FAT SID = DIFSEC sector_difat = self.getsect(isect_difat difat = self.sect2array(sector_difat self.dumpsect(sector_difat self.loadfat_sect(difat[:nb_difat_sectors] # last DIFAT pointer is next DIFAT sector isect_difat = difat[nb_difat_sectors debug( "next DIFAT sector: %X" % isect_difat # checks if isect_difat not in [ENDOFCHAIN, FREESECT] # last DIFAT pointer value must be ENDOFCHAIN or FREESEC raise IOError('incorrect end of DIFAT'## if len(self.fat) != self.csectFat## # FAT should contain csectFat block## print("FAT length: %d instead of %d" % (len(self.fat), self.csectFat)## raise IOError('incorrect DIFAT' # since FAT is read from fixed-size sectors, it may contain more value # than the actual number of sectors in the file # Keep only the relevant sector indexes if len(self.fat) > self.nb_sect debug('len(fat)=%d, shrunk to nb_sect=%d' % (len(self.fat), self.nb_sect) self.fat = self.fat[:self.nb_sect debug('\nFAT:' self.dumpfat(self.f def loadminifat(self) "" Load the MiniFAT table "" # MiniFAT is stored in a standard sub-stream, pointed to by a heade # field # NOTE: there are two sizes to take into account for this stream # 1) Stream size is calculated according to the number of sector # declared in the OLE header. This allocated stream may be more tha # needed to store the actual sector indexes # (self.csectMiniFat is the number of sectors of size self.SectorSize stream_size = self.csectMiniFat * self.SectorSiz # 2) Actually used size is calculated by dividing the MiniStream siz # (given by root entry size) by the size of mini sectors, *4 fo # 32 bits indexes nb_minisectors = (self.root.size + self.MiniSectorSize-1) // self.MiniSectorSiz used_size = nb_minisectors * debug('loadminifat(): minifatsect=%d, nb FAT sectors=%d, used_size=%d, stream_size=%d, nb MiniSectors=%d' (self.minifatsect, self.csectMiniFat, used_size, stream_size, nb_minisectors) if used_size > stream_size # This is not really a problem, but may indicate a wrong implementation self._raise_defect(DEFECT_INCORRECT, 'OLE MiniStream is larger than MiniFAT' # In any case, first read stream_size s = self._open(self.minifatsect, stream_size, force_FAT=True).read( #[PL] Old code replaced by an array #self.minifat = [i32(s, i) for i in range(0, len(s), 4) self.minifat = self.sect2array(s # Then shrink the array to used size, to avoid indexes out of MiniStream debug('MiniFAT shrunk from %d to %d sectors' % (len(self.minifat), nb_minisectors) self.minifat = self.minifat[:nb_minisectors debug('loadminifat(): len=%d' % len(self.minifat) debug('\nMiniFAT:' self.dumpfat(self.minifa def getsect(self, sect) "" Read given sector from file on dis :param sect: int, sector inde :returns: a string containing the sector data "" # From [MS-CFB]: A sector number can be converted into a byte offse # into the file by using the following formula # (sector number + 1) x Sector Size # This implies that sector #0 of the file begins at byte offset Secto # Size, not at # [PL] the original code in PIL was wrong when sectors are 4KB instead o # 512 bytes #self.fp.seek(512 + self.sectorsize * sect #[PL]: added safety checks #print("getsect(%X)" % sect try self.fp.seek(self.sectorsize * (sect+1) except debug('getsect(): sect=%X, seek=%d, filesize=%d' (sect, self.sectorsize*(sect+1), self._filesize) self._raise_defect(DEFECT_FATAL, 'OLE sector index out of range' sector = self.fp.read(self.sectorsize if len(sector) != self.sectorsize debug('getsect(): sect=%X, read=%d, sectorsize=%d' (sect, len(sector), self.sectorsize) self._raise_defect(DEFECT_FATAL, 'incomplete OLE sector' return sec def write_sect(self, sect, data, padding=b'\x00') "" Write given sector to file on dis :param sect: int, sector inde :param data: bytes, sector dat :param padding: single byte, padding character if data < sector siz "" if not isinstance(data, bytes) raise TypeError("write_sect: data must be a bytes string" if not isinstance(padding, bytes) or len(padding)!=1 raise TypeError("write_sect: padding must be a bytes string of 1 char" #TODO: we could allow padding=None for no padding at al try self.fp.seek(self.sectorsize * (sect+1) except debug('write_sect(): sect=%X, seek=%d, filesize=%d' (sect, self.sectorsize*(sect+1), self._filesize) self._raise_defect(DEFECT_FATAL, 'OLE sector index out of range' if len(data) < self.sectorsize # add paddin data += padding * (self.sectorsize - len(data) elif len(data) < self.sectorsize raise ValueError("Data is larger than sector size" self.fp.write(da def loaddirectory(self, sect) "" Load the director :param sect: sector index of directory stream "" # The directory is stored in a standar # substream, independent of its siz # open directory stream as a read-only file # (stream size is not known in advance self.directory_fp = self._open(sec #[PL] to detect malformed documents and avoid DoS attacks, the maximu # number of directory entries can be calculated max_entries = self.directory_fp.size // 12 debug('loaddirectory: size=%d, max_entries=%d' (self.directory_fp.size, max_entries # Create list of directory entrie #self.direntries = [ # We start with a list of "None" objec self.direntries = [None] * max_entrie## for sid in iterrange(max_entries)## entry = fp.read(128## if not entry## brea## self.direntries.append(_OleDirectoryEntry(entry, sid, self) # load root entry root_entry = self._load_direntry(0 # Root entry is the first entry self.root = self.direntries[0 # read and build all storage trees, starting from the root self.root.build_storage_tre def _load_direntry (self, sid) "" Load a directory entry from the directory This method should only be called once for each storage/stream whe loading the director :param sid: index of storage/stream in the directory :returns: a _OleDirectoryEntry obje :exception IOError: if the entry has always been referenced "" # check if SID is OK if sid<0 or sid>=len(self.direntries) self._raise_defect(DEFECT_FATAL, "OLE directory index out of range" # check if entry was already referenced if self.direntries[sid] is not None self._raise_defect(DEFECT_INCORRECT "double reference for OLE stream/storage" # if exception not raised, return the objec return self.direntries[sid self.directory_fp.seek(sid * 128 entry = self.directory_fp.read(128 self.direntries[sid] = _OleDirectoryEntry(entry, sid, self return self.direntries[s def dumpdirectory(self) "" Dump directory (for debugging only "" self.root.dum def _open(self, start, size = 0x7FFFFFFF, force_FAT=False) "" Open a stream, either in FAT or MiniFAT according to its size (openstream helpe :param start: index of first secto :param size: size of stream (or nothing if size is unknown :param force_FAT: if False (default), stream will be opened in FAT or MiniFA according to size. If True, it will always be opened in FAT "" debug('OleFileIO.open(): sect=%d, size=%d, force_FAT=%s' (start, size, str(force_FAT)) # stream size is compared to the MiniSectorCutoff threshold if size < self.minisectorcutoff and not force_FAT # ministream objec if not self.ministream # load MiniFAT if it wasn't already done self.loadminifat( # The first sector index of the miniFAT stream is stored in th # root directory entry size_ministream = self.root.siz debug('Opening MiniStream: sect=%d, size=%d' (self.root.isectStart, size_ministream) self.ministream = self._open(self.root.isectStart size_ministream, force_FAT=True return _OleStream(fp=self.ministream, sect=start, size=size offset=0, sectorsize=self.minisectorsize fat=self.minifat, filesize=self.ministream.size else # standard strea return _OleStream(fp=self.fp, sect=start, size=size offset=self.sectorsize sectorsize=self.sectorsize, fat=self.fat filesize=self._filesi def _list(self, files, prefix, node, streams=True, storages=False) "" listdir help :param files: list of files to fill i :param prefix: current location in storage tree (list of names :param node: current node (_OleDirectoryEntry object :param streams: bool, include streams if True (True by default) - new in v0.2 :param storages: bool, include storages if True (False by default) - new in v0.2 (note: the root storage is never included "" prefix = prefix + [node.name for entry in node.kids if entry.entry_type == STGTY_STORAGE # this is a storag if storages # add it to the lis files.append(prefix[1:] + [entry.name] # check its kid self._list(files, prefix, entry, streams, storages elif entry.entry_type == STGTY_STREAM # this is a strea if streams # add it to the lis files.append(prefix[1:] + [entry.name] else self._raise_defect(DEFECT_INCORRECT, 'The directory tree contains an entry which is not a stream nor a storage def listdir(self, streams=True, storages=False) "" Return a list of streams and/or storages stored in this fi :param streams: bool, include streams if True (True by default) - new in v0.2 :param storages: bool, include storages if True (False by default) - new in v0.2 (note: the root storage is never included :returns: list of stream and/or storage path "" files = [ self._list(files, [], self.root, streams, storages return fi def _find(self, filename) "" Returns directory entry of given filename. (openstream helper Note: this method is case-insensitiv :param filename: path of stream in storage tree (except root entry), eithe - a string using Unix path syntax, for example 'storage_1/storage_1.2/stream - or a list of storage filenames, path to the desired stream/storage Example: ['storage_1', 'storage_1.2', 'stream :returns: sid of requested filenam :exception IOError: if file not foun " # if filename is a string instead of a list, split it on slashes t # convert to a list if isinstance(filename, basestring) filename = filename.split('/' # walk across storage tree, following given path node = self.roo for name in filename for kid in node.kids if kid.name.lower() == name.lower() brea else raise IOError("file not found" node = ki return node. def openstream(self, filename) "" Open a stream as a read-only file object (BytesIO) Note: filename is case-insensitiv :param filename: path of stream in storage tree (except root entry), eithe - a string using Unix path syntax, for example 'storage_1/storage_1.2/stream - or a list of storage filenames, path to the desired stream/storage Example: ['storage_1', 'storage_1.2', 'stream :returns: file object (read-only :exception IOError: if filename not found, or if this is not a stream "" sid = self._find(filename entry = self.direntries[sid if entry.entry_type != STGTY_STREAM raise IOError("this file is not a stream" return self._open(entry.isectStart, entry.si def write_stream(self, stream_name, data) "" Write a stream to disk. For now, it is only possible to replace a existing stream by data of the same siz :param stream_name: path of stream in storage tree (except root entry), eithe - a string using Unix path syntax, for example 'storage_1/storage_1.2/stream - or a list of storage filenames, path to the desired stream/storage Example: ['storage_1', 'storage_1.2', 'stream :param data: bytes, data to be written, must be the same size as the origina stream "" if not isinstance(data, bytes) raise TypeError("write_stream: data must be a bytes string" sid = self._find(stream_name entry = self.direntries[sid if entry.entry_type != STGTY_STREAM raise IOError("this is not a stream" size = entry.siz if size != len(data) raise ValueError("write_stream: data must be the same size as the existing stream" if size < self.minisectorcutoff raise NotImplementedError("Writing a stream in MiniFAT is not implemented yet" sect = entry.isectStar # number of sectors to writ nb_sectors = (size + (self.sectorsize-1)) // self.sectorsiz debug('nb_sectors = %d' % nb_sectors for i in range(nb_sectors)## try## self.fp.seek(offset + self.sectorsize * sect## except## debug('sect=%d, seek=%d' ## (sect, offset+self.sectorsize*sect)## raise IOError('OLE sector index out of range' # extract one sector from data, the last one being smaller if i<(nb_sectors-1) data_sector = data [i*self.sectorsize : (i+1)*self.sectorsize #TODO: comment this if it work assert(len(data_sector)==self.sectorsize else data_sector = data [i*self.sectorsize: #TODO: comment this if it work debug('write_stream: size=%d sectorsize=%d data_sector=%d size%%sectorsize=%d % (size, self.sectorsize, len(data_sector), size % self.sectorsize) assert(len(data_sector) % self.sectorsize==size % self.sectorsize self.write_sect(sect, data_sector## self.fp.write(data_sector # jump to next sector in the FAT try sect = self.fat[sect except IndexError # [PL] if pointer is out of the FAT an exception is raise raise IOError('incorrect OLE FAT, sector index out of range' #[PL] Last sector should be a "end of chain" marker if sect != ENDOFCHAIN raise IOError('incorrect last sector index in OLE strea def get_type(self, filename) "" Test if given filename exists as a stream or a storage in the OL container, and return its typ :param filename: path of stream in storage tree. (see openstream for syntax :returns: False if object does not exist, its entry type (>0) otherwis - STGTY_STREAM: a strea - STGTY_STORAGE: a storag - STGTY_ROOT: the root entr "" try sid = self._find(filename entry = self.direntries[sid return entry.entry_typ except return Fa def getmtime(self, filename) "" Return modification time of a stream/storag :param filename: path of stream/storage in storage tree. (see openstream fo syntax :returns: None if modification time is null, a python datetime objec otherwise (UTC timezon new in version 0.2 "" sid = self._find(filename entry = self.direntries[sid return entry.getmtim def getctime(self, filename) "" Return creation time of a stream/storag :param filename: path of stream/storage in storage tree. (see openstream fo syntax :returns: None if creation time is null, a python datetime objec otherwise (UTC timezon new in version 0.2 "" sid = self._find(filename entry = self.direntries[sid return entry.getctim def exists(self, filename) "" Test if given filename exists as a stream or a storage in the OL container Note: filename is case-insensitiv :param filename: path of stream in storage tree. (see openstream for syntax :returns: True if object exist, else False "" try sid = self._find(filename return Tru except return Fa def get_size(self, filename) "" Return size of a stream in the OLE container, in byte :param filename: path of stream in storage tree (see openstream for syntax :returns: size in bytes (long integer :exception IOError: if file not foun :exception TypeError: if this is not a stream "" sid = self._find(filename entry = self.direntries[sid if entry.entry_type != STGTY_STREAM #TODO: Should it return zero instead of raising an exception raise TypeError('object is not an OLE stream' return entry.s def get_rootentry_name(self) "" Return root entry name. Should usually be 'Root Entry' or 'R' in mos implementations "" return self.root.n def getproperties(self, filename, convert_time=False, no_conversion=None) "" Return properties described in substrea :param filename: path of stream in storage tree (see openstream for syntax :param convert_time: bool, if True timestamps will be converted to Python datetim :param no_conversion: None or list of int, timestamps not to be converte (for example total editing time is not a real timestam :returns: a dictionary of values indexed by id (integer "" #REFERENCE: [MS-OLEPS] https://msdn.microsoft.com/en-us/library/dd942421.asp # make sure no_conversion is a list, just to simplify code below if no_conversion == None no_conversion = [ # stream path as a string to report exceptions streampath = filenam if not isinstance(streampath, str) streampath = '/'.join(streampat fp = self.openstream(filenam data = try # heade s = fp.read(28 clsid = _clsid(s[8:24 # format i s = fp.read(20 fmtid = _clsid(s[:16] fp.seek(i32(s, 16 # get sectio s = b"****" + fp.read(i32(fp.read(4))-4 # number of properties num_props = i32(s, 4 except BaseException as exc # catch exception while parsing property header, and only rais # a DEFECT_INCORRECT then return an empty dict, because this is no # a fatal error when parsing the whole fil msg = 'Error while parsing properties header in stream %s: %s' % repr(streampath), exc self._raise_defect(DEFECT_INCORRECT, msg, type(exc) return da for i in range(num_props) try id = 0 # just in case of an exceptio id = i32(s, 8+i*8 offset = i32(s, 12+i*8 type = i32(s, offse debug ('property id=%d: type=%d offset=%X' % (id, type, offset # test for common types first (should perhaps us # a dictionary instead if type == VT_I2: # 16-bit signed intege value = i16(s, offset+4 if value >= 32768 value = value - 6553 elif type == VT_UI2: # 2-byte unsigned intege value = i16(s, offset+4 elif type in (VT_I4, VT_INT, VT_ERROR) # VT_I4: 32-bit signed intege # VT_ERROR: HRESULT, similar to 32-bit signed integer # see http://msdn.microsoft.com/en-us/library/cc230330.asp value = i32(s, offset+4 elif type in (VT_UI4, VT_UINT): # 4-byte unsigned intege value = i32(s, offset+4) # FIXM elif type in (VT_BSTR, VT_LPSTR) # CodePageString, see http://msdn.microsoft.com/en-us/library/dd942354.asp # size is a 32 bits integer, including the null terminator, an # possibly trailing or embedded null char #TODO: if codepage is unicode, the string should be converted as suc count = i32(s, offset+4 value = s[offset+8:offset+8+count-1 # remove all null chars value = value.replace(b'\x00', b'' elif type == VT_BLOB # binary large object (BLOB # see http://msdn.microsoft.com/en-us/library/dd942282.asp count = i32(s, offset+4 value = s[offset+8:offset+8+count elif type == VT_LPWSTR # UnicodeStrin # see http://msdn.microsoft.com/en-us/library/dd942313.asp # "the string should NOT contain embedded or additional trailin # null characters. count = i32(s, offset+4 value = self._decode_utf16_str(s[offset+8:offset+8+count*2] elif type == VT_FILETIME value = long(i32(s, offset+4)) + (long(i32(s, offset+8))<<32 # FILETIME is a 64-bit int: "number of 100ns period # since Jan 1,1601" if convert_time and id not in no_conversion debug('Converting property #%d to python datetime, value=%d=%fs %(id, value, float(value)/10000000) # convert FILETIME to Python datetime.datetim # inspired from http://code.activestate.com/recipes/511425-filetime-to-datetime _FILETIME_null_date = datetime.datetime(1601, 1, 1, 0, 0, 0 debug('timedelta days=%d' % (value//(10*1000000*3600*24)) value = _FILETIME_null_date + datetime.timedelta(microseconds=value//10 else # legacy code kept for backward compatibility: returns # number of seconds since Jan 1,160 value = value // 10000000 # second elif type == VT_UI1: # 1-byte unsigned intege value = i8(s[offset+4] elif type == VT_CLSID value = _clsid(s[offset+4:offset+20] elif type == VT_CF # PropertyIdentifier or ClipboardData? # see http://msdn.microsoft.com/en-us/library/dd941945.asp count = i32(s, offset+4 value = s[offset+8:offset+8+count elif type == VT_BOOL # VARIANT_BOOL, 16 bits bool, 0x0000=Fals, 0xFFFF=Tru # see http://msdn.microsoft.com/en-us/library/cc237864.asp value = bool(i16(s, offset+4) else value = None # everything else yields "None debug ('property id=%d: type=%d not implemented in parser yet' % (id, type # missing: VT_EMPTY, VT_NULL, VT_R4, VT_R8, VT_CY, VT_DATE # VT_DECIMAL, VT_I1, VT_I8, VT_UI8 # see http://msdn.microsoft.com/en-us/library/dd942033.as # FIXME: add support for VT_VECTO # VT_VECTOR is a 32 uint giving the number of items, followed b # the items in sequence. The VT_VECTOR value is combined with th # type of items, e.g. VT_VECTOR|VT_BST # see http://msdn.microsoft.com/en-us/library/dd942011.as #print("%08x" % id, repr(value), end=" " #print("(%s)" % VT[i32(s, offset) & 0xFFF data[id] = valu except BaseException as exc # catch exception while parsing each property, and only rais # a DEFECT_INCORRECT, because parsing can go o msg = 'Error while parsing property id %d in stream %s: %s' % id, repr(streampath), exc self._raise_defect(DEFECT_INCORRECT, msg, type(exc return da def get_metadata(self) "" Parse standard properties streams, return an OleMetadata objec containing all the available metadata (also stored in the metadata attribute of the OleFileIO objec new in version 0.2 "" self.metadata = OleMetadata( self.metadata.parse_properties(self return self.metada# -------------------------------------------------------------------# This script can be used to dump the directory of any OLE2 structure# storage filif __name__ == "__main__disabled import s # [PL] display quick usage info if launched from command-lin if len(sys.argv) <= 1 print('olefile version %s %s - %s' % (__version__, __date__, __author__) print""Launched from the command line, this script parses OLE files and prints infUsage: olefile.py [-d] [-c] [file2 ..Options-d : debug mode (displays a lot of debug information, for developers only-c : check all streams (for debugging purposeFor more information, see http://www.decalage.info/olefil""" sys.exit check_streams = Fals for filename in sys.argv[1:]## try # OPTIONS if filename == '-d' # option to switch debug mode on set_debug_mode(True continu if filename == '-c' # option to switch check streams mode on check_streams = Tru contin ole = OleFileIO(filename)#, raise_defects=DEFECT_INCORRECT print("-" * 68 print(filename print("-" * 68 ole.dumpdirectory( for streamname in ole.listdir() if streamname[-1][0] == "\005" print(streamname, ": properties" props = ole.getproperties(streamname, convert_time=True props = sorted(props.items() for k, v in props #[PL]: avoid to display too large or binary values if isinstance(v, (basestring, bytes)) if len(v) > 50 v = v[:50 if isinstance(v, bytes) # quick and dirty binary check for c in (1,2,3,4,5,6,7,11,12,14,15,16,17,18,19,20 21,22,23,24,25,26,27,28,29,30,31) if c in bytearray(v) v = '(binary data) brea print(" ", k, if check_streams # Read all streams to check if there are errors print('\nChecking streams...' for streamname in ole.listdir() # print name using repr() to convert binary chars to \xNN print('-', repr('/'.join(streamname)),'-', end=' ' st_type = ole.get_type(streamname if st_type == STGTY_STREAM print('size %d' % ole.get_size(streamname) # just try to read stream in memory ole.openstream(streamname else print('NOT a stream : type=%d' % st_type print## for streamname in ole.listdir()## # print name using repr() to convert binary chars to \xNN## print('-', repr('/'.join(streamname)),'-', end=' '## print(ole.getmtime(streamname)## print print('Modification/Creation times of all directory entries:' for entry in ole.direntries if entry is not None print('- %s: mtime=%s ctime=%s' % (entry.name entry.getmtime(), entry.getctime()) print # parse and display metadata meta = ole.get_metadata( meta.dump( print( #[PL] Test a few new methods root = ole.get_rootentry_name( print('Root entry name: "%s"' % root if ole.exists('worddocument') print("This is a Word document." print("type of stream 'WordDocument':", ole.get_type('worddocument') print("size :", ole.get_size('worddocument') if ole.exists('macros/vba') print("This document may contain VBA macros. # print parsing issues print('\nNon-fatal issues raised during parsing:' if ole.parsing_issues for exctype, msg in ole.parsing_issues print('- %s: %s' % (exctype.__name__, msg) else print('None'## except IOError as v## print("***", "cannot read", file, "-", # this code was developed while listening to The Wedding Present "Sea Monste##### borrowed library code ends, program starts #### This software is Copyright (c) 2012-2013 Dhiru Kholia = stream.size break # e type = unpack("= 2 and minor_version == 2 # RC4 CryptoAPI Encryption Heade unpack("= 2 and minor_version == 2 # RC4 CryptoAPI Encryption Heade unpack("= 2 and minor_version == 2 pas else continu # RC4 CryptoAPI Encryption Header, Section 2.3.5.1 - RC4 CryptoAP # Encryption Header in [MS-OFFCRYPTO].pd unpack(" -1 sys.stderr.write("%s uses un-supported cipher algorithm %s, please file a bug! \n" % (filename, cipherAlgorithm) return saltValue = node.attrib.get("saltValue" assert(saltValue encryptedVerifierHashInput = node.attrib.get("encryptedVerifierHashInput" encryptedVerifierHashValue = node.attrib.get("encryptedVerifierHashValue" if PY3 encryptedVerifierHashValue = binascii.hexlify(base64.decodebytes(encryptedVerifierHashValue.encode()) else encryptedVerifierHashValue = binascii.hexlify(base64.decodestring(encryptedVerifierHashValue.encode() if PY3 saltAscii = binascii.hexlify(base64.decodebytes(saltValue.encode())).decode("ascii" encryptedVerifierHashAscii = binascii.hexlify(base64.decodebytes(encryptedVerifierHashInput.encode())).decode("ascii" else saltAscii = binascii.hexlify(base64.decodestring(saltValue.encode())).decode("ascii" encryptedVerifierHashAscii = binascii.hexlify(base64.decodestring(encryptedVerifierHashInput.encode())).decode("ascii sys.stdout.write("%s:$office$*%d*%d*%d*%d*%s*%s*%s\n" % (os.path.basename(filename), version int(spinCount), int(keyBits), int(saltSize) saltAscii encryptedVerifierHashAscii encryptedVerifierHashValue[0:64].decode("ascii")) returhave_summary = Falssummary = import rfrom binascii import unhexldef remove_html_tags(data) p = re.compile(r'<.*?>', re.DOTALL return p.sub('', str(datdef remove_extra_spaces(data) p = re.compile(r'\s+' return p.sub(' ', dadef process_file(filename) # Test if a file is an OLE containe try f = open(filename, "rb" data = f.read(81920) # is this enough if data[0:2] == b"PK" sys.stderr.write("%s : zip container found, file is " "unencrypted?, invalid OLE file!\n" % filename f.close( return f.close # ACCDB handling hack for MS Access >= 2007 (Office 12 accdb_magic = b"Standard ACE DB accdb_xml_start = b' if accdb_magic in data and accdb_xml_start in data # find start and the end of the XML metadata strea start = data.find(accdb_xml_start trailer = data.find(accdb_xml_trailer xml_metadata_parser(data[start:trailer+len(accdb_xml_trailer)], filename retur elif accdb_magic in data: # Access 2007 files using CryptoAP process_access_2007_older_crypto(filename retu # OneNote handling hack for OneNote versions >= 2013, see [MS-ONESTORE].pd onenote_magic = unhexlify("e4525c7b8cd8" onenote_xml_start = b' if data.startswith(onenote_magic) and onenote_xml_start in data # find start and the end of the XML metadata strea start = data.find(onenote_xml_start trailer = data.find(onenote_xml_trailer xml_metadata_parser(data[start:trailer+len(onenote_xml_trailer)], filename retu if not isOleFile(filename) sys.stderr.write("%s : Invalid OLE file\n" % filename return except Exception e = sys.exc_info()[1 import tracebac traceback.print_exc( sys.stderr.write("%s : OLE check failed, %s\n" % (filename, str(e)) return # Open OLE file ole = OleFileIO(filenam stream = No # find "summary" stream global have_summary, summar have_summary = Fals summary = for streamname in ole.listdir() streamname = streamname[-1 if streamname[0] == "\005" have_summary = Tru props = ole.getproperties(streamname for k, v in props.items() if v is None continu if not PY3 if not isinstance(v, unicode): # We are only interested in string continu else if not isinstance(v, str): # We are only interested in string continu v = remove_html_tags(v v = v.replace(":", "" v = remove_extra_spaces(v #words = v.split( #words = filter(lambda x: len(x) < 20, words #v = " ".join(words summary.append(v summary = " ".join(summary summary = remove_extra_spaces(summar if ["EncryptionInfo"] in ole.listdir() # process Office 2003 / 2010 / 2013 file return process_new_office(filename if ["Workbook"] in ole.listdir() stream = "Workbook elif ["WordDocument"] in ole.listdir() typ = sdoc = ole.openstream("WordDocument" stream = find_table(filename, sdoc if stream == "none" return elif ["PowerPoint Document"] in ole.listdir() stream = "Current User else sys.stderr.write("%s : No supported streams found\n" % filename return try workbookStream = ole.openstream(stream except import tracebac traceback.print_exc( sys.stderr.write("%s : stream %s not found!\n" % (filename, stream) return if workbookStream is None sys.stderr.write("%s : Error opening stream, %s\n" % filename (filename, stream return if stream == "Workbook" typ = passinfo = find_rc4_passinfo_xls(filename, workbookStream if passinfo is None return elif stream == "0Table" or stream == "1Table" passinfo = find_rc4_passinfo_doc(filename, workbookStream if passinfo is None return else sppt = ole.openstream("Current User" offset = find_ppt_type(filename, sppt sppt = ole.openstream("PowerPoint Document" ret = find_rc4_passinfo_ppt(filename, sppt, offset if not ret find_rc4_passinfo_ppt_bf(filename, sppt, offse return (salt, verifier, verifierHash) = passinf if not have_summary sys.stdout.write("%s:$oldoffice$%s*%s*%s*%s\n" % (os.path.basename(filename) typ, binascii.hexlify(salt).decode("ascii") binascii.hexlify(verifier).decode("ascii") binascii.hexlify(verifierHash).decode("ascii")) else sys.stdout.write("%s:$oldoffice$%s*%s*%s*%s:::%s::%s\n" % (os.path.basename(filename) typ, binascii.hexlify(salt).decode("ascii") binascii.hexlify(verifier).decode("ascii") binascii.hexlify(verifierHash).decode("ascii") summary, filename workbookStream.close( ole.close returnif __name__ == "__main__" if len(sys.argv) < 2 sys.stderr.write("Usage: %s \n" % sys.argv[0] sys.exit( # set_debug_mode( for i in range(1, len(sys.argv)) if not PY3 ret = process_file(sys.argv[i].decode("utf8") else ret = process_file(sys.argv[i] \ No newline at end of file +#!/usr/bin/env pytho +# olefile (formerly OleFileIO_PL) version 0.42 2015-01-2# Module to read/write Microsoft OLE2 files (also called Structured Storage o# Microsoft Compound Document File Format), such as Microsoft Office 97-200# documents, Image Composer and FlashPix files, Outlook messages, ..# This version is compatible with Python 2.6+ and 3.# Project website: http://www.decalage.info/olefil# olefile is copyright (c) 2005-2015 Philippe Lagadec (http://www.decalage.info# olefile is based on the OleFileIO module from the PIL library v1.1.# See: http://www.pythonware.com/products/pil/index.ht# The Python Imaging Library (PIL) i# Copyright (c) 1997-2005 by Secret Labs A# Copyright (c) 1995-2005 by Fredrik Lund# See source code and LICENSE.txt for information on usage and redistribution + +# Since OleFileIO_PL v0.30, only Python 2.6+ and 3.x is supporte# This import enables print() as a function rather than a keywor# (main requirement to be compatible with Python 3.x# The comment on the line below should be printed on Python 2.5 or olderfrom __future__ import print_function # This version of olefile requires Python 2.6+ or 3.x + +__author__ = "Philippe Lagadec__date__ = "2015-01-25__version__ = '0.42.1 +#--- LICENSE ----------------------------------------------------------------- +# olefile (formerly OleFileIO_PL) is copyright (c) 2005-2015 Philippe Lagade# (http://www.decalage.info# All rights reserved# Redistribution and use in source and binary forms, with or without modification# are permitted provided that the following conditions are met# * Redistributions of source code must retain the above copyright notice, thi# list of conditions and the following disclaimer# * Redistributions in binary form must reproduce the above copyright notice# this list of conditions and the following disclaimer in the documentatio# and/or other materials provided with the distribution# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AN# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIE# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AR# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABL# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIA# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS O# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVE# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE US# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE +# ---------# PIL License# olefile is based on source code from the OleFileIO module of the Pytho# Imaging Library (PIL) published by Fredrik Lundh under the following license +# The Python Imaging Library (PIL) i# Copyright (c) 1997-2005 by Secret Labs A# Copyright (c) 1995-2005 by Fredrik Lund# By obtaining, using, and/or copying this software and/or its associate# documentation, you agree that you have read, understood, and will comply wit# the following terms and conditions# Permission to use, copy, modify, and distribute this software and it# associated documentation for any purpose and without fee is hereby granted# provided that the above copyright notice appears in all copies, and that bot# that copyright notice and this permission notice appear in supportin# documentation, and that the name of Secret Labs AB or the author(s) not be use# in advertising or publicity pertaining to distribution of the softwar# without specific, written prior permission# SECRET LABS AB AND THE AUTHORS DISCLAIMS ALL WARRANTIES WITH REGARD TO THI# SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS# IN NO EVENT SHALL SECRET LABS AB OR THE AUTHORS BE LIABLE FOR ANY SPECIAL# INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FRO# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE O# OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE O# PERFORMANCE OF THIS SOFTWARE +#----------------------------------------------------------------------------# CHANGELOG: (only olefile/OleFileIO_PL changes compared to PIL 1.1.6# 2005-05-11 v0.10 PL: - a few fixes for Python 2.4 compatibilit# (all changes flagged with [PL]# 2006-02-22 v0.11 PL: - a few fixes for some Office 2003 documents which rais# exceptions in _OleStream.__init__(# 2006-06-09 v0.12 PL: - fixes for files above 6.8MB (DIFAT in loadfat# - added some constant# - added header values check# - added some docstring# - getsect: bugfix in case sectors >512 byte# - getsect: added conformity check# - DEBUG_MODE constant to activate debug displa# 2007-09-04 v0.13 PL: - improved/translated (lots of) comment# - updated licens# - converted tabs to 4 space# 2007-11-19 v0.14 PL: - added OleFileIO._raise_defect() to adapt sensitivit# - improved _unicode() to use Python 2.x unicode suppor# - fixed bug in _OleDirectoryEntr# 2007-11-25 v0.15 PL: - added safety checks to detect FAT loop# - fixed _OleStream which didn't check stream siz# - added/improved many docstrings and comment# - moved helper functions _unicode and _clsid out o# OleFileIO clas# - improved OleFileIO._find() to add Unix path synta# - OleFileIO._find() is now case-insensitiv# - added get_type() and get_rootentry_name(# - rewritten loaddirectory and _OleDirectoryEntr# 2007-11-27 v0.16 PL: - added _OleDirectoryEntry.kids_dic# - added detection of duplicate filenames in storage# - added detection of duplicate references to stream# - added get_size() and exists() to _OleDirectoryEntr# - added isOleFile to check header before parsin# - added __all__ list to control public keywords in pydo# 2007-12-04 v0.17 PL: - added _load_direntry to fix a bug in loaddirector# - improved _unicode(), added workarounds for Python <2.# - added set_debug_mode and -d option to set debug mod# - fixed bugs in OleFileIO.open and _OleDirectoryEntr# - added safety check in main for large or binar# propertie# - allow size>0 for storages for some implementation# 2007-12-05 v0.18 PL: - fixed several bugs in handling of FAT, MiniFAT an# stream# - added option '-c' in main to check all stream# 2009-12-10 v0.19 PL: - bugfix for 32 bit arrays on 64 bits platform# (thanks to Ben G. and Martijn for reporting the bug# 2009-12-11 v0.20 PL: - bugfix in OleFileIO.open when filename is not plain st# 2010-01-22 v0.21 PL: - added support for big-endian CPUs such as PowerPC Mac# 2012-02-16 v0.22 PL: - fixed bug in getproperties, patch by chuckleberryfin# (https://bitbucket.org/decalage/olefileio_pl/issue/7# - added close method to OleFileIO (fixed issue #2# 2012-07-25 v0.23 PL: - added support for file-like objects (patch by mete0r_kr# 2013-05-05 v0.24 PL: - getproperties: added conversion from filetime to pytho# datetim# - main: displays properties with date forma# - new class OleMetadata to parse standard propertie# - added get_metadata metho# 2013-05-07 v0.24 PL: - a few improvements in OleMetadat# 2013-05-24 v0.25 PL: - getproperties: option to not convert some timestamp# - OleMetaData: total_edit_time is now a number of seconds# not a timestam# - getproperties: added support for VT_BOOL, VT_INT, V_UIN# - getproperties: filter out null chars from string# - getproperties: raise non-fatal defects instead o# exceptions when properties cannot be parsed properl# 2013-05-27 PL: - getproperties: improved exception handlin# - _raise_defect: added option to set exception typ# - all non-fatal issues are now recorded, and displaye# when run as a scrip# 2013-07-11 v0.26 PL: - added methods to get modification and creation time# of a directory entry or a storage/strea# - fixed parsing of direntry timestamp# 2013-07-24 PL: - new options in listdir to list storages and/or stream# 2014-02-04 v0.30 PL: - upgraded code to support Python 3.x by Martin Pante# - several fixes for Python 2.6 (xrange, MAGIC# - reused i32 from Pillow's _binar# 2014-07-18 v0.31 - preliminary support for 4K sector# 2014-07-27 v0.31 PL: - a few improvements in OleFileIO.open (header parsing# - Fixed loadfat for large files with 4K sectors (issue #3# 2014-07-30 v0.32 PL: - added write_sect to write sectors to dis# - added write_mode option to OleFileIO.__init__ and ope# 2014-07-31 PL: - fixed padding in write_sect for Python 3, added check# - added write_stream to write a stream to dis# 2014-09-26 v0.40 PL: - renamed OleFileIO_PL to olefil# 2014-11-09 NE: - added support for Jython (Niko Ehrenfeuchter# 2014-11-13 v0.41 PL: - improved isOleFile and OleFileIO.open to support OL# data in a string buffer and file-like objects# 2014-11-21 PL: - updated comments according to Pillow's commit# 2015-01-24 v0.42 PL: - changed the default path name encoding from Latin-# to UTF-8 on Python 2.x (Unicode on Python 3.x# - added path_encoding option to override the defaul# - fixed a bug in _list when a storage is empt +#----------------------------------------------------------------------------# TODO (for version 1.0)# + get rid of print statements, to simplify Python 2.x and 3.x suppor# + add is_stream and is_storag# + remove leading and trailing slashes where a path is use# + add functions path_list2str and path_str2lis# + fix how all the methods handle unicode str and/or bytes as argument# + add path attrib to _OleDirEntry, set it once and for all in init o# append_kids (then listdir/_list can be simplified# - TESTS with Linux, MacOSX, Python 1.5.2, various files, PIL, ..# - add underscore to each private method, to avoid their display i# pydoc/epydoc documentation - Remove it for classes to be documente# - replace all raised exceptions with _raise_defect (at least in OleFileIO# - merge code from _OleStream and OleFileIO.getsect to read sector# (maybe add a class for FAT and MiniFAT ?# - add method to check all streams (follow sectors chains without storing al# stream in memory, and report anomalies# - use _OleDirectoryEntry.kids_dict to improve _find and _list # - fix Unicode names handling (find some way to stay compatible with Py1.5.2# => if possible avoid converting names to Latin-# - review DIFAT code: fix handling of DIFSECT blocks in FAT (not stop# - rewrite OleFileIO.getpropertie# - improve docstrings to show more sample use# - see also original notes and FIXME belo# - remove all obsolete FIXME# - OleMetadata: fix version attrib according t# http://msdn.microsoft.com/en-us/library/dd945671%28v=office.12%29.asp +# IDEAS# - in OleFileIO._open and _OleStream, use size=None instead of 0x7FFFFFFF fo# streams with unknown siz# - use arrays of int instead of long integers for FAT/MiniFAT, to improv# performance and reduce memory usage ? (possible issue with values >2^31# - provide tests with unittest (may need write support to create samples# - move all debug code (and maybe dump methods) to a separate module, wit# a class which inherits OleFileIO # - fix docstrings to follow epydoc forma# - add support for big endian byte order # - create a simple OLE explorer with wxPytho +# FUTURE EVOLUTIONS to add write support# see issue #6 on Bitbucket# https://bitbucket.org/decalage/olefileio_pl/issue/6/improve-olefileio_pl-to-write-ole-file +#----------------------------------------------------------------------------# NOTES from PIL 1.1.6 +# History# 1997-01-20 fl Create# 1997-01-22 fl Fixed 64-bit portability quir# 2003-09-09 fl Fixed typo in OleFileIO.loadfat (noted by Daniel Haertle# 2004-02-29 fl Changed long hex constants to signed integer# Notes# FIXME: sort out sign problem (eliminate long hex constants# FIXME: change filename to use "a/b/c" instead of ["a", "b", "c"# FIXME: provide a glob mechanism function (using fnmatchcase# Literature# "FlashPix Format Specification, Appendix A", Kodak and Microsoft# September 1996# Quotes# "If this document and functionality of the Software conflict# the actual functionality of the Software represents the correc# functionality" -- Microsoft, in the OLE format specificatio +#----------------------------------------------------------------------------- + +import iimport syimport struct, array, os.path, datetim +#=== COMPATIBILITY WORKAROUNDS =============================================== +#[PL] Define explicitly the public API to avoid private objects in pydoc#TODO: add mor# __all__ = ['OleFileIO', 'isOleFile', 'MAGIC' +# For Python 3.x, need to redefine long as intif str is not bytes long = in +# Need to make sure we use xrange both on Python 2 and 3.xtry # on Python 2 we need xrange iterrange = xrangexcept # no xrange, for Python 3 it was renamed as range iterrange = rang +#[PL] workaround to fix an issue with array item size on 64 bits systemsif array.array('L').itemsize == 4 # on 32 bits platforms, long integers in an array are 32 bits UINT32 = 'Lelif array.array('I').itemsize == 4 # on 64 bits platforms, integers in an array are 32 bits UINT32 = 'Ielif array.array('i').itemsize == 4 # On 64 bit Jython, signed integers ('i') are the only way to store our 3 # bit values in an array in a *somewhat* reasonable way, as the otherwis # perfectly suited 'H' (unsigned int, 32 bits) results in a completel # unusable behaviour. This is most likely caused by the fact that Jav # doesn't have unsigned values, and thus Jython's "array" implementation # which is based on "jarray", doesn't have them either # NOTE: to trick Jython into converting the values it would normall # interpret as "signed" into "unsigned", a binary-and operation wit # 0xFFFFFFFF can be used. This way it is possible to use the same comparin # operations on all platforms / implementations. The corresponding cod # lines are flagged with a 'JYTHON-WORKAROUND' tag below UINT32 = 'ielse raise ValueError('Need to fix a bug with 32 bit arrays, please contact author...' + +#[PL] These workarounds were inspired from the Path modul# (see http://www.jorendorff.com/articles/python/path/#TODO: test with old Python version +# Pre-2.3 workaround for basestringtry basestrinexcept NameError try # is Unicode supported (Python >2.0 or >1.6 ? basestring = (str, unicode except NameError basestring = st +#[PL] Experimental setting: if True, OLE filenames will be kept in Unicod# if False (default PIL behaviour), all filenames are converted to Latin-1KEEP_UNICODE_NAMES = Tru +if sys.version_info[0] < 3 # On Python 2.x, the default encoding for path names is UTF-8 DEFAULT_PATH_ENCODING = 'utf-8else # On Python 3.x, the default encoding for path names is Unicode (None) DEFAULT_PATH_ENCODING = Non + +#=== DEBUGGING ============================================================== +#TODO: replace this by proper loggin +#[PL] DEBUG display mode: False by default, use set_debug_mode() or "-d" o# command line to change itDEBUG_MODE = Falsdef debug_print(msg) print(msgdef debug_pass(msg) pasdebug = debug_pas +def set_debug_mode(debug_mode) "" Set debug mode on or off, to control display of debugging messages :param mode: True or Fals "" global DEBUG_MODE, debu DEBUG_MODE = debug_mod if debug_mode debug = debug_prin else debug = debug_pas + +#=== CONSTANTS ============================================================== +# magic bytes that should be at the beginning of every OLE fileMAGIC = b'\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1 +#[PL]: added constants for Sector IDs (from AAF specificationsMAXREGSECT = 0xFFFFFFFA # (-6) maximum SECDIFSECT = 0xFFFFFFFC # (-4) denotes a DIFAT sector in a FAFATSECT = 0xFFFFFFFD # (-3) denotes a FAT sector in a FAENDOFCHAIN = 0xFFFFFFFE # (-2) end of a virtual stream chaiFREESECT = 0xFFFFFFFF # (-1) unallocated secto +#[PL]: added constants for Directory Entry IDs (from AAF specificationsMAXREGSID = 0xFFFFFFFA # (-6) maximum directory entry INOSTREAM = 0xFFFFFFFF # (-1) unallocated directory entr +#[PL] object types in storage (from AAF specificationsSTGTY_EMPTY = 0 # empty directory entry (according to OpenOffice.org docSTGTY_STORAGE = 1 # element is a storage objecSTGTY_STREAM = 2 # element is a stream objecSTGTY_LOCKBYTES = 3 # element is an ILockBytes objecSTGTY_PROPERTY = 4 # element is an IPropertyStorage objecSTGTY_ROOT = 5 # element is a root storag + +# -------------------------------------------------------------------# property type +VT_EMPTY=0; VT_NULL=1; VT_I2=2; VT_I4=3; VT_R4=4; VT_R8=5; VT_CY=6VT_DATE=7; VT_BSTR=8; VT_DISPATCH=9; VT_ERROR=10; VT_BOOL=11VT_VARIANT=12; VT_UNKNOWN=13; VT_DECIMAL=14; VT_I1=16; VT_UI1=17VT_UI2=18; VT_UI4=19; VT_I8=20; VT_UI8=21; VT_INT=22; VT_UINT=23VT_VOID=24; VT_HRESULT=25; VT_PTR=26; VT_SAFEARRAY=27; VT_CARRAY=28VT_USERDEFINED=29; VT_LPSTR=30; VT_LPWSTR=31; VT_FILETIME=64VT_BLOB=65; VT_STREAM=66; VT_STORAGE=67; VT_STREAMED_OBJECT=68VT_STORED_OBJECT=69; VT_BLOB_OBJECT=70; VT_CF=71; VT_CLSID=72VT_VECTOR=0x1000 +# map property id to name (for debugging purposes +VT = {for keyword, var in list(vars().items()) if keyword[:3] == "VT_" VT[var] = keywor +# -------------------------------------------------------------------# Some common document types (root.clsid fields +WORD_CLSID = "00020900-0000-0000-C000-000000000046#TODO: check Excel, PPT, .. +#[PL]: Defect levels to classify parsing errors - see OleFileIO._raise_defect(DEFECT_UNSURE = 10 # a case which looks weird, but not sure it's a defecDEFECT_POTENTIAL = 20 # a potential defecDEFECT_INCORRECT = 30 # an error according to specifications, but parsin # can go oDEFECT_FATAL = 40 # an error which cannot be ignored, parsing i # impossibl +# Minimal size of an empty OLE file, with 512-bytes sectors = 1536 byte# (this is used in isOleFile and OleFile.openMINIMAL_OLEFILE_SIZE = 153 +#[PL] add useful constants to __all__# for key in list(vars().keys())# if key.startswith('STGTY_') or key.startswith('DEFECT_')# __all__.append(key + +#=== FUNCTIONS ============================================================== +def isOleFile (filename) "" Test if a file is an OLE container (according to the magic bytes in its header) + :param filename: string-like or file-like object, OLE file to pars + - if filename is a string smaller than 1536 bytes, it is the pat of the file to open. (bytes or unicode string - if filename is a string longer than 1535 bytes, it is parse as the content of an OLE file in memory. (bytes type only - if filename is a file-like object (with read and seek methods) it is parsed as-is + :returns: True if OLE, False otherwise "" # check if filename is a string-like or file-like object if hasattr(filename, 'read') # file-like object: use it directl header = filename.read(len(MAGIC) # just in case, seek back to start of file filename.seek(0 elif isinstance(filename, bytes) and len(filename) >= MINIMAL_OLEFILE_SIZE # filename is a bytes string containing the OLE file to be parsed header = filename[:len(MAGIC) else # string-like object: filename of file on dis header = open(filename, 'rb').read(len(MAGIC) if header == MAGIC return Tru else return Fals + +if bytes is str # version for Python 2. def i8(c) return ord(celse # version for Python 3. def i8(c) return c if c.__class__ is int else c[0 + +#TODO: replace i16 and i32 with more readable struct.unpack equivalent +def i16(c, o = 0) "" Converts a 2-bytes (16 bits) string to an integer + :param c: string containing bytes to conver :param o: offset of bytes to convert in strin "" return i8(c[o]) | (i8(c[o+1])<<8 + +def i32(c, o = 0) "" Converts a 4-bytes (32 bits) string to an integer + :param c: string containing bytes to conver :param o: offset of bytes to convert in strin ""## return int(ord(c[o])+(ord(c[o+1])<<8)+(ord(c[o+2])<<16)+(ord(c[o+3])<<24)## # [PL]: added int() because "<<" gives long int since Python 2. # copied from Pillow's _binary return i8(c[o]) | (i8(c[o+1])<<8) | (i8(c[o+2])<<16) | (i8(c[o+3])<<24 + +def _clsid(clsid) "" Converts a CLSID to a human-readable string + :param clsid: string of length 16 "" assert len(clsid) == 1 # if clsid is only made of null bytes, return an empty string # (PL: why not simply return the string with zeroes? if not clsid.strip(b"\0") return " return (("%08X-%04X-%04X-%02X%02X-" + "%02X" * 6) ((i32(clsid, 0), i16(clsid, 4), i16(clsid, 6)) tuple(map(i8, clsid[8:16]))) + + +def filetime2datetime(filetime) "" convert FILETIME (64 bits int) to Python datetime.datetim "" # TODO: manage exception when microseconds is too larg # inspired from http://code.activestate.com/recipes/511425-filetime-to-datetime _FILETIME_null_date = datetime.datetime(1601, 1, 1, 0, 0, 0 #debug('timedelta days=%d' % (filetime//(10*1000000*3600*24)) return _FILETIME_null_date + datetime.timedelta(microseconds=filetime//10 + + +#=== CLASSES ================================================================= +class OleMetadata "" class to parse and store metadata from standard properties of OLE files + Available attributes codepage, title, subject, author, keywords, comments, template last_saved_by, revision_number, total_edit_time, last_printed, create_time last_saved_time, num_pages, num_words, num_chars, thumbnail creating_application, security, codepage_doc, category, presentation_target bytes, lines, paragraphs, slides, notes, hidden_slides, mm_clips scale_crop, heading_pairs, titles_of_parts, manager, company, links_dirty chars_with_spaces, unused, shared_doc, link_base, hlinks, hlinks_changed version, dig_sig, content_type, content_status, language, doc_versio + Note: an attribute is set to None when not present in the properties of th OLE file + References for SummaryInformation stream - http://msdn.microsoft.com/en-us/library/dd942545.asp - http://msdn.microsoft.com/en-us/library/dd925819%28v=office.12%29.asp - http://msdn.microsoft.com/en-us/library/windows/desktop/aa380376%28v=vs.85%29.asp - http://msdn.microsoft.com/en-us/library/aa372045.asp - http://sedna-soft.de/summary-information-stream - http://poi.apache.org/apidocs/org/apache/poi/hpsf/SummaryInformation.htm + References for DocumentSummaryInformation stream - http://msdn.microsoft.com/en-us/library/dd945671%28v=office.12%29.asp - http://msdn.microsoft.com/en-us/library/windows/desktop/aa380374%28v=vs.85%29.asp - http://poi.apache.org/apidocs/org/apache/poi/hpsf/DocumentSummaryInformation.htm + new in version 0.2 "" + # attribute names for SummaryInformation stream properties # (ordered by property id, starting at 1 SUMMARY_ATTRIBS = ['codepage', 'title', 'subject', 'author', 'keywords', 'comments' 'template', 'last_saved_by', 'revision_number', 'total_edit_time' 'last_printed', 'create_time', 'last_saved_time', 'num_pages' 'num_words', 'num_chars', 'thumbnail', 'creating_application' 'security' + # attribute names for DocumentSummaryInformation stream properties # (ordered by property id, starting at 1 DOCSUM_ATTRIBS = ['codepage_doc', 'category', 'presentation_target', 'bytes', 'lines', 'paragraphs' 'slides', 'notes', 'hidden_slides', 'mm_clips' 'scale_crop', 'heading_pairs', 'titles_of_parts', 'manager' 'company', 'links_dirty', 'chars_with_spaces', 'unused', 'shared_doc' 'link_base', 'hlinks', 'hlinks_changed', 'version', 'dig_sig' 'content_type', 'content_status', 'language', 'doc_version' + def __init__(self) "" Constructor for OleMetadat All attributes are set to None by defaul "" # properties from SummaryInformation strea self.codepage = Non self.title = Non self.subject = Non self.author = Non self.keywords = Non self.comments = Non self.template = Non self.last_saved_by = Non self.revision_number = Non self.total_edit_time = Non self.last_printed = Non self.create_time = Non self.last_saved_time = Non self.num_pages = Non self.num_words = Non self.num_chars = Non self.thumbnail = Non self.creating_application = Non self.security = Non # properties from DocumentSummaryInformation strea self.codepage_doc = Non self.category = Non self.presentation_target = Non self.bytes = Non self.lines = Non self.paragraphs = Non self.slides = Non self.notes = Non self.hidden_slides = Non self.mm_clips = Non self.scale_crop = Non self.heading_pairs = Non self.titles_of_parts = Non self.manager = Non self.company = Non self.links_dirty = Non self.chars_with_spaces = Non self.unused = Non self.shared_doc = Non self.link_base = Non self.hlinks = Non self.hlinks_changed = Non self.version = Non self.dig_sig = Non self.content_type = Non self.content_status = Non self.language = Non self.doc_version = Non + + def parse_properties(self, olefile) "" Parse standard properties of an OLE file, from the stream "\x05SummaryInformation" and "\x05DocumentSummaryInformation" if present Properties are converted to strings, integers or python datetime objects If a property is not present, its value is set to None "" # first set all attributes to None for attrib in (self.SUMMARY_ATTRIBS + self.DOCSUM_ATTRIBS) setattr(self, attrib, None if olefile.exists("\x05SummaryInformation") # get properties from the stream # (converting timestamps to python datetime, except total_edit_time # which is property #10 props = olefile.getproperties("\x05SummaryInformation" convert_time=True, no_conversion=[10] # store them into this object's attributes for i in range(len(self.SUMMARY_ATTRIBS)) # ids for standards properties start at 0x01, until 0x1 value = props.get(i+1, None setattr(self, self.SUMMARY_ATTRIBS[i], value if olefile.exists("\x05DocumentSummaryInformation") # get properties from the stream props = olefile.getproperties("\x05DocumentSummaryInformation" convert_time=True # store them into this object's attributes for i in range(len(self.DOCSUM_ATTRIBS)) # ids for standards properties start at 0x01, until 0x1 value = props.get(i+1, None setattr(self, self.DOCSUM_ATTRIBS[i], value + def dump(self) "" Dump all metadata, for debugging purposes "" print('Properties from SummaryInformation stream:' for prop in self.SUMMARY_ATTRIBS value = getattr(self, prop print('- %s: %s' % (prop, repr(value)) print('Properties from DocumentSummaryInformation stream:' for prop in self.DOCSUM_ATTRIBS value = getattr(self, prop print('- %s: %s' % (prop, repr(value)) + +#--- _OleStream -------------------------------------------------------------- +class _OleStream(io.BytesIO) "" OLE2 Strea + Returns a read-only file object which can be used to rea the contents of a OLE stream (instance of the BytesIO class) To open a stream, use the openstream method in the OleFile class + This function can be used with either ordinary streams or ministreams, depending on the offset, sectorsize, an fat table arguments + Attributes + - size: actual size of data stream, after it was opened "" + # FIXME: should store the list of sects obtained by followin # the fat chain, and load new sectors on demand instead o # loading it all in one go + def __init__(self, fp, sect, size, offset, sectorsize, fat, filesize) "" Constructor for _OleStream class + :param fp: file object, the OLE container or the MiniFAT strea :param sect: sector index of first sector in the strea :param size: total size of the strea :param offset: offset in bytes for the first FAT or MiniFAT secto :param sectorsize: size of one secto :param fat: array/list of sector indexes (FAT or MiniFAT :param filesize: size of OLE file (for debugging :returns: a BytesIO instance containing the OLE strea "" debug('_OleStream.__init__:' debug(' sect=%d (%X), size=%d, offset=%d, sectorsize=%d, len(fat)=%d, fp=%s %(sect,sect,size,offset,sectorsize,len(fat), repr(fp)) #[PL] To detect malformed documents with FAT loops, we compute th # expected number of sectors in the stream unknown_size = Fals if size==0x7FFFFFFF # this is the case when called from OleFileIO._open(), and strea # size is not known in advance (for example when reading th # Directory stream). Then we can only guess maximum size size = len(fat)*sectorsiz # and we keep a record that size was unknown unknown_size = Tru debug(' stream with UNKNOWN SIZE' nb_sectors = (size + (sectorsize-1)) // sectorsiz debug('nb_sectors = %d' % nb_sectors # This number should (at least) be less than the total number o # sectors in the given FAT if nb_sectors > len(fat) raise IOError('malformed OLE document, stream too large' # optimization(?): data is first a list of strings, and join() is calle # at the end to concatenate all in one string # (this may not be really useful with recent Python versions data = [ # if size is zero, then first sector index should be ENDOFCHAIN if size == 0 and sect != ENDOFCHAIN debug('size == 0 and sect != ENDOFCHAIN:' raise IOError('incorrect OLE sector index for empty stream' #[PL] A fixed-length for loop is used instead of an undefined whil # loop to avoid DoS attacks for i in range(nb_sectors) # Sector index may be ENDOFCHAIN, but only if size was unknow if sect == ENDOFCHAIN if unknown_size brea else # else this means that the stream is smaller than declared debug('sect=ENDOFCHAIN before expected size' raise IOError('incomplete OLE stream' # sector index should be within FAT if sect<0 or sect>=len(fat) debug('sect=%d (%X) / len(fat)=%d' % (sect, sect, len(fat)) debug('i=%d / nb_sectors=%d' %(i, nb_sectors)## tmp_data = b"".join(data## f = open('test_debug.bin', 'wb'## f.write(tmp_data## f.close(## debug('data read so far: %d bytes' % len(tmp_data) raise IOError('incorrect OLE FAT, sector index out of range' #TODO: merge this code with OleFileIO.getsect() #TODO: check if this works with 4K sectors try fp.seek(offset + sectorsize * sect except debug('sect=%d, seek=%d, filesize=%d' (sect, offset+sectorsize*sect, filesize) raise IOError('OLE sector index out of range' sector_data = fp.read(sectorsize # [PL] check if there was enough data # Note: if sector is the last of the file, sometimes it is not # complete sector (of 512 or 4K), so we may read less tha # sectorsize if len(sector_data)!=sectorsize and sect!=(len(fat)-1) debug('sect=%d / len(fat)=%d, seek=%d / filesize=%d, len read=%d' (sect, len(fat), offset+sectorsize*sect, filesize, len(sector_data)) debug('seek+len(read)=%d' % (offset+sectorsize*sect+len(sector_data)) raise IOError('incomplete OLE sector' data.append(sector_data # jump to next sector in the FAT try sect = fat[sect] & 0xFFFFFFFF # JYTHON-WORKAROUN except IndexError # [PL] if pointer is out of the FAT an exception is raise raise IOError('incorrect OLE FAT, sector index out of range' #[PL] Last sector should be a "end of chain" marker if sect != ENDOFCHAIN raise IOError('incorrect last sector index in OLE stream' data = b"".join(data # Data is truncated to the actual stream size if len(data) >= size data = data[:size # actual stream size is stored for future use self.size = siz elif unknown_size # actual stream size was not known, now we know the size of rea # data self.size = len(data else # read data is less than expected debug('len(data)=%d, size=%d' % (len(data), size) raise IOError('OLE stream size is less than declared' # when all data is read in memory, BytesIO constructor is calle io.BytesIO.__init__(self, data # Then the _OleStream object can be used as a read-only file object + +#--- _OleDirectoryEntry ------------------------------------------------------ +class _OleDirectoryEntry + "" OLE2 Directory Entr "" #[PL] parsing code moved from OleFileIO.loaddirector + # struct to parse directory entries # <: little-endian byte order, standard size # (note: this should guarantee that Q returns a 64 bits int # 64s: string containing entry name in unicode (max 31 chars) + null cha # H: uint16, number of bytes used in name buffer, including null = (len+1)* # B: uint8, dir entry type (between 0 and 5 # B: uint8, color: 0=black, 1=re # I: uint32, index of left child node in the red-black tree, NOSTREAM if non # I: uint32, index of right child node in the red-black tree, NOSTREAM if non # I: uint32, index of child root node if it is a storage, else NOSTREA # 16s: CLSID, unique identifier (only used if it is a storage # I: uint32, user flag # Q (was 8s): uint64, creation timestamp or zer # Q (was 8s): uint64, modification timestamp or zer # I: uint32, SID of first sector if stream or ministream, SID of 1st secto # of stream containing ministreams if root entry, 0 otherwis # I: uint32, total stream size in bytes if stream (low 32 bits), 0 otherwis # I: uint32, total stream size in bytes if stream (high 32 bits), 0 otherwis STRUCT_DIRENTRY = '<64sHBBIII16sIQQIII # size of a directory entry: 128 byte DIRENTRY_SIZE = 12 assert struct.calcsize(STRUCT_DIRENTRY) == DIRENTRY_SIZ + + def __init__(self, entry, sid, olefile) "" Constructor for an _OleDirectoryEntry object Parses a 128-bytes entry from the OLE Directory stream + :param entry : string (must be 128 bytes long :param sid : index of this directory entry in the OLE file director :param olefile: OleFileIO containing this directory entr "" self.sid = si # ref to olefile is stored for future us self.olefile = olefil # kids is a list of children entries, if this entry is a storage # (list of _OleDirectoryEntry objects self.kids = [ # kids_dict is a dictionary of children entries, indexed by thei # name in lowercase: used to quickly find an entry, and to detec # duplicate self.kids_dict = { # flag used to detect if the entry is referenced more than once i # directory self.used = Fals # decode DirEntr name namelength self.entry_type self.color self.sid_left self.sid_right self.sid_child clsid self.dwUserFlags self.createTime self.modifyTime self.isectStart sizeLow sizeHig ) = struct.unpack(_OleDirectoryEntry.STRUCT_DIRENTRY, entry if self.entry_type not in [STGTY_ROOT, STGTY_STORAGE, STGTY_STREAM, STGTY_EMPTY] olefile._raise_defect(DEFECT_INCORRECT, 'unhandled OLE storage type' # only first directory entry can (and should) be root if self.entry_type == STGTY_ROOT and sid != 0 olefile._raise_defect(DEFECT_INCORRECT, 'duplicate OLE root entry' if sid == 0 and self.entry_type != STGTY_ROOT olefile._raise_defect(DEFECT_INCORRECT, 'incorrect OLE root entry' #debug (struct.unpack(fmt_entry, entry[:len_entry]) # name should be at most 31 unicode characters + null character # so 64 bytes in total (31*2 + 2) if namelength>64 olefile._raise_defect(DEFECT_INCORRECT, 'incorrect DirEntry name length' # if exception not raised, namelength is set to the maximum value namelength = 6 # only characters without ending null char are kept name = name[:(namelength-2) #TODO: check if the name is actually followed by a null unicode character ([MS-CFB] 2.6.1 #TODO: check if the name does not contain forbidden characters # [MS-CFB] 2.6.1: "The following characters are illegal and MUST NOT be part of the name: '/', '\', ':', '!'. # name is converted from UTF-16LE to the path encoding specified in the OleFileIO self.name = olefile._decode_utf16_str(name + debug('DirEntry SID=%d: %s' % (self.sid, repr(self.name)) debug(' - type: %d' % self.entry_type debug(' - sect: %d' % self.isectStart debug(' - SID left: %d, right: %d, child: %d' % (self.sid_left self.sid_right, self.sid_child) + # sizeHigh is only used for 4K sectors, it should be zero for 512 byte # sectors, BUT apparently some implementations set it as 0xFFFFFFFF, # or some other value so it cannot be raised as a defect in general if olefile.sectorsize == 512 if sizeHigh != 0 and sizeHigh != 0xFFFFFFFF debug('sectorsize=%d, sizeLow=%d, sizeHigh=%d (%X)' (olefile.sectorsize, sizeLow, sizeHigh, sizeHigh) olefile._raise_defect(DEFECT_UNSURE, 'incorrect OLE stream size' self.size = sizeLo else self.size = sizeLow + (long(sizeHigh)<<32 debug(' - size: %d (sizeLow=%d, sizeHigh=%d)' % (self.size, sizeLow, sizeHigh) + self.clsid = _clsid(clsid # a storage should have a null size, BUT some implementations such a # Word 8 for Mac seem to allow non-null values => Potential defect if self.entry_type == STGTY_STORAGE and self.size != 0 olefile._raise_defect(DEFECT_POTENTIAL, 'OLE storage with size>0' # check if stream is not already referenced elsewhere if self.entry_type in (STGTY_ROOT, STGTY_STREAM) and self.size>0 if self.size < olefile.minisectorcutoff and self.entry_type==STGTY_STREAM: # only streams can be in MiniFA # ministream objec minifat = Tru else minifat = Fals olefile._check_duplicate_stream(self.isectStart, minifat + + + def build_storage_tree(self) "" Read and build the red-black tree attached to this _OleDirectoryEntr object, if it is a storage Note that this method builds a tree of all subentries, so it shoul only be called for the root object once "" debug('build_storage_tree: SID=%d - %s - sid_child=%d % (self.sid, repr(self.name), self.sid_child) if self.sid_child != NOSTREAM # if child SID is not NOSTREAM, then this entry is a storage # Let's walk through the tree of children to fill the kids list self.append_kids(self.sid_child + # Note from OpenOffice documentation: the safest way is t # recreate the tree because some implementations may store broke # red-black trees.. + # in the OLE file, entries are sorted on (length, name) # for convenience, we sort them on name instead # (see rich comparison methods in this class self.kids.sort( + + def append_kids(self, child_sid) "" Walk through red-black tree of children of this directory entry to ad all of them to the kids list. (recursive method + :param child_sid : index of child directory entry to use, or None when calle first time for the root. (only used during recursion "" #[PL] this method was added to use simple recursion instead of a comple # algorithm # if this is not a storage or a leaf of the tree, nothing to do if child_sid == NOSTREAM retur # check if child SID is in the proper range if child_sid<0 or child_sid>=len(self.olefile.direntries) self.olefile._raise_defect(DEFECT_FATAL, 'OLE DirEntry index out of range' # get child direntry child = self.olefile._load_direntry(child_sid) #direntries[child_sid debug('append_kids: child_sid=%d - %s - sid_left=%d, sid_right=%d, sid_child=%d % (child.sid, repr(child.name), child.sid_left, child.sid_right, child.sid_child) # the directory entries are organized as a red-black tree # (cf. Wikipedia for details # First walk through left side of the tree self.append_kids(child.sid_left # Check if its name is not already used (case-insensitive) name_lower = child.name.lower( if name_lower in self.kids_dict self.olefile._raise_defect(DEFECT_INCORRECT "Duplicate filename in OLE storage" # Then the child_sid _OleDirectoryEntry object is appended to th # kids list and dictionary self.kids.append(child self.kids_dict[name_lower] = chil # Check if kid was not already referenced in a storage if child.used self.olefile._raise_defect(DEFECT_INCORRECT 'OLE Entry referenced more than once' child.used = Tru # Finally walk through right side of the tree self.append_kids(child.sid_right # Afterwards build kid's own tree if it's also a storage child.build_storage_tree( + + def __eq__(self, other) "Compare entries by name return self.name == other.nam + def __lt__(self, other) "Compare entries by name return self.name < other.nam + def __ne__(self, other) return not self.__eq__(other + def __le__(self, other) return self.__eq__(other) or self.__lt__(other + # Reflected __lt__() and __le__() will be used for __gt__() and __ge__( + #TODO: replace by the same function as MS implementation # (order by name length first, then case-insensitive order + + def dump(self, tab = 0) "Dump this entry, and all its subentries (for debug purposes only) TYPES = ["(invalid)", "(storage)", "(stream)", "(lockbytes)" "(property)", "(root)" print(" "*tab + repr(self.name), TYPES[self.entry_type], end=' ' if self.entry_type in (STGTY_STREAM, STGTY_ROOT) print(self.size, "bytes", end=' ' print( if self.entry_type in (STGTY_STORAGE, STGTY_ROOT) and self.clsid print(" "*tab + "{%s}" % self.clsid + for kid in self.kids kid.dump(tab + 2 + + def getmtime(self) "" Return modification time of a directory entry + :returns: None if modification time is null, a python datetime objec otherwise (UTC timezone + new in version 0.2 "" if self.modifyTime == 0 return Non return filetime2datetime(self.modifyTime + + def getctime(self) "" Return creation time of a directory entry + :returns: None if modification time is null, a python datetime objec otherwise (UTC timezone + new in version 0.2 "" if self.createTime == 0 return Non return filetime2datetime(self.createTime + +#--- OleFileIO --------------------------------------------------------------- +class OleFileIO "" OLE container objec + This class encapsulates the interface to an OLE 2 structure storage file. Use the listdir and openstream methods t access the contents of this file + Object names are given as a list of strings, one for each subentr level. The root entry should be omitted. For example, the followin code extracts all image streams from a Microsoft Image Composer file: + ole = OleFileIO("fan.mic" + for entry in ole.listdir() if entry[1:2] == "Image" fin = ole.openstream(entry fout = open(entry[0:1], "wb" while True s = fin.read(8192 if not s brea fout.write(s + You can use the viewer application provided with the Python Imagin Library to view the resulting files (which happens to be standar TIFF files) "" + def __init__(self, filename=None, raise_defects=DEFECT_FATAL write_mode=False, debug=False, path_encoding=DEFAULT_PATH_ENCODING) "" Constructor for the OleFileIO class + :param filename: file to open + - if filename is a string smaller than 1536 bytes, it is the pat of the file to open. (bytes or unicode string - if filename is a string longer than 1535 bytes, it is parse as the content of an OLE file in memory. (bytes type only - if filename is a file-like object (with read, seek and tell methods) it is parsed as-is + :param raise_defects: minimal level for defects to be raised as exceptions (use DEFECT_FATAL for a typical application, DEFECT_INCORRECT for security-oriented application, see source code for details + :param write_mode: bool, if True the file is opened in read/write mode instea of read-only by default + :param debug: bool, set debug mod + :param path_encoding: None or str, name of the codec to use for pat names (streams and storages), or None for Unicode Unicode by default on Python 3+, UTF-8 on Python 2.x (new in olefile 0.42, was hardcoded to Latin-1 until olefile v0.41 "" set_debug_mode(debug # minimal level for defects to be raised as exceptions self._raise_defects_level = raise_defect # list of defects/issues not raised as exceptions # tuples of (exception type, message self.parsing_issues = [ self.write_mode = write_mod self.path_encoding = path_encodin self._filesize = Non self.fp = Non if filename self.open(filename, write_mode=write_mode + + def _raise_defect(self, defect_level, message, exception_type=IOError) "" This method should be called for any defect found during file parsing It may raise an IOError exception according to the minimal level chose for the OleFileIO object + :param defect_level: defect level, possible values are + - DEFECT_UNSURE : a case which looks weird, but not sure it's a defec - DEFECT_POTENTIAL : a potential defec - DEFECT_INCORRECT : an error according to specifications, but parsing can go o - DEFECT_FATAL : an error which cannot be ignored, parsing is impossibl + :param message: string describing the defect, used with raised exception :param exception_type: exception class to be raised, IOError by defaul "" # added by [PL if defect_level >= self._raise_defects_level raise exception_type(message else # just record the issue, no exception raised self.parsing_issues.append((exception_type, message) + + def _decode_utf16_str(self, utf16_str, errors='replace') "" Decode a string encoded in UTF-16 LE format, as found in the OL directory or in property streams. Return a string encode according to the path_encoding specified for the OleFileIO object + :param utf16_str: bytes string encoded in UTF-16 LE forma :param errors: str, see python documentation for str.decode( :return: str, encoded according to path_encodin "" unicode_str = utf16_str.decode('UTF-16LE', errors if self.path_encoding # an encoding has been specified for path names return unicode_str.encode(self.path_encoding, errors else # path_encoding=None, return the Unicode string as-is return unicode_st + + def open(self, filename, write_mode=False) "" Open an OLE2 file in read-only or read/write mode Read and parse the header, FAT and directory + :param filename: string-like or file-like object, OLE file to pars + - if filename is a string smaller than 1536 bytes, it is the pat of the file to open. (bytes or unicode string - if filename is a string longer than 1535 bytes, it is parse as the content of an OLE file in memory. (bytes type only - if filename is a file-like object (with read, seek and tell methods) it is parsed as-is + :param write_mode: bool, if True the file is opened in read/write mode instea of read-only by default. (ignored if filename is not a path "" self.write_mode = write_mod #[PL] check if filename is a string-like or file-like object # (it is better to check for a read() method if hasattr(filename, 'read') #TODO: also check seek and tell methods # file-like object: use it directl self.fp = filenam elif isinstance(filename, bytes) and len(filename) >= MINIMAL_OLEFILE_SIZE # filename is a bytes string containing the OLE file to be parsed # convert it to BytesI self.fp = io.BytesIO(filename else # string-like object: filename of file on dis if self.write_mode # open file in mode 'read with update, binary # According to https://docs.python.org/2/library/functions.html#ope # 'w' would truncate the file, 'a' may only append on some Unixe mode = 'r+b else # read-only mode by defaul mode = 'rb self.fp = open(filename, mode # obtain the filesize by using seek and tell, which should work on mos # file-like objects #TODO: do it above, using getsize with filename when possible #TODO: fix code to fail with clear exception when filesize cannot be obtaine filesize= self.fp.seek(0, os.SEEK_END try filesize = self.fp.tell( finally self.fp.seek(0 self._filesize = filesiz + # lists of streams in FAT and MiniFAT, to detect duplicate reference # (list of indexes of first sectors of each stream self._used_streams_fat = [ self._used_streams_minifat = [ + header = self.fp.read(512 + if len(header) != 512 or header[:8] != MAGIC self._raise_defect(DEFECT_FATAL, "not an OLE2 structured storage file" + # [PL] header structure according to AAF specifications ##Heade ##struct StructuredStorageHeader { // [offset from start (bytes), length (bytes) ##BYTE _abSig[8]; // [00H,08] {0xd0, 0xcf, 0x11, 0xe0, 0xa1, 0xb1 ## // 0x1a, 0xe1} for current versio ##CLSID _clsid; // [08H,16] reserved must be zero (WriteClassStg ## // GetClassFile uses root directory class id ##USHORT _uMinorVersion; // [18H,02] minor version of the format: 33 i ## // written by reference implementatio ##USHORT _uDllVersion; // [1AH,02] major version of the dll/format: 3 fo ## // 512-byte sectors, 4 for 4 KB sector ##USHORT _uByteOrder; // [1CH,02] 0xFFFE: indicates Intel byte-orderin ##USHORT _uSectorShift; // [1EH,02] size of sectors in power-of-two ## // typically 9 indicating 512-byte sector ##USHORT _uMiniSectorShift; // [20H,02] size of mini-sectors in power-of-two ## // typically 6 indicating 64-byte mini-sector ##USHORT _usReserved; // [22H,02] reserved, must be zer ##ULONG _ulReserved1; // [24H,04] reserved, must be zer ##FSINDEX _csectDir; // [28H,04] must be zero for 512-byte sectors ## // number of SECTs in directory chain for 4 K ## // sector ##FSINDEX _csectFat; // [2CH,04] number of SECTs in the FAT chai ##SECT _sectDirStart; // [30H,04] first SECT in the directory chai ##DFSIGNATURE _signature; // [34H,04] signature used for transactions; mus ## // be zero. The reference implementatio ## // does not support transaction ##ULONG _ulMiniSectorCutoff; // [38H,04] maximum size for a mini stream ## // typically 4096 byte ##SECT _sectMiniFatStart; // [3CH,04] first SECT in the MiniFAT chai ##FSINDEX _csectMiniFat; // [40H,04] number of SECTs in the MiniFAT chai ##SECT _sectDifStart; // [44H,04] first SECT in the DIFAT chai ##FSINDEX _csectDif; // [48H,04] number of SECTs in the DIFAT chai ##SECT _sectFat[109]; // [4CH,436] the SECTs of first 109 FAT sector ##} + # [PL] header decoding # '<' indicates little-endian byte ordering for Intel (cf. struct module help fmt_header = '<8s16sHHHHHHLLLLLLLLLL header_size = struct.calcsize(fmt_header debug( "fmt_header size = %d, +FAT = %d" % (header_size, header_size + 109*4) header1 = header[:header_size self.Sig self.clsid self.MinorVersion self.DllVersion self.ByteOrder self.SectorShift self.MiniSectorShift self.Reserved, self.Reserved1 self.csectDir self.csectFat self.sectDirStart self.signature self.MiniSectorCutoff self.MiniFatStart self.csectMiniFat self.sectDifStart self.csectDi ) = struct.unpack(fmt_header, header1 debug( struct.unpack(fmt_header, header1) + if self.Sig != MAGIC # OLE signature should always be presen self._raise_defect(DEFECT_FATAL, "incorrect OLE signature" if self.clsid != bytearray(16) # according to AAF specs, CLSID should always be zer self._raise_defect(DEFECT_INCORRECT, "incorrect CLSID in OLE header" debug( "MinorVersion = %d" % self.MinorVersion debug( "DllVersion = %d" % self.DllVersion if self.DllVersion not in [3, 4] # version 3: usual format, 512 bytes per secto # version 4: large format, 4K per secto self._raise_defect(DEFECT_INCORRECT, "incorrect DllVersion in OLE header" debug( "ByteOrder = %X" % self.ByteOrder if self.ByteOrder != 0xFFFE # For now only common little-endian documents are handled correctl self._raise_defect(DEFECT_FATAL, "incorrect ByteOrder in OLE header" # TODO: add big-endian support for documents created on Mac # But according to [MS-CFB] ? v20140502, ByteOrder MUST be 0xFFFE self.SectorSize = 2**self.SectorShif debug( "SectorSize = %d" % self.SectorSize if self.SectorSize not in [512, 4096] self._raise_defect(DEFECT_INCORRECT, "incorrect SectorSize in OLE header" if (self.DllVersion==3 and self.SectorSize!=512) or (self.DllVersion==4 and self.SectorSize!=4096) self._raise_defect(DEFECT_INCORRECT, "SectorSize does not match DllVersion in OLE header" self.MiniSectorSize = 2**self.MiniSectorShif debug( "MiniSectorSize = %d" % self.MiniSectorSize if self.MiniSectorSize not in [64] self._raise_defect(DEFECT_INCORRECT, "incorrect MiniSectorSize in OLE header" if self.Reserved != 0 or self.Reserved1 != 0 self._raise_defect(DEFECT_INCORRECT, "incorrect OLE header (non-null reserved bytes)" debug( "csectDir = %d" % self.csectDir # Number of directory sectors (only allowed if DllVersion != 3 if self.SectorSize==512 and self.csectDir!=0 self._raise_defect(DEFECT_INCORRECT, "incorrect csectDir in OLE header" debug( "csectFat = %d" % self.csectFat # csectFat = number of FAT sectors in the fil debug( "sectDirStart = %X" % self.sectDirStart # sectDirStart = 1st sector containing the director debug( "signature = %d" % self.signature # Signature should be zero, BUT some implementations do not follow thi # rule => only a potential defect # (according to MS-CFB, may be != 0 for applications supporting fil # transactions if self.signature != 0 self._raise_defect(DEFECT_POTENTIAL, "incorrect OLE header (signature>0)" debug( "MiniSectorCutoff = %d" % self.MiniSectorCutoff # MS-CFB: This integer field MUST be set to 0x00001000. This fiel # specifies the maximum size of a user-defined data stream allocate # from the mini FAT and mini stream, and that cutoff is 4096 bytes # Any user-defined data stream larger than or equal to this cutoff siz # must be allocated as normal sectors from the FAT if self.MiniSectorCutoff != 0x1000 self._raise_defect(DEFECT_INCORRECT, "incorrect MiniSectorCutoff in OLE header" debug( "MiniFatStart = %X" % self.MiniFatStart debug( "csectMiniFat = %d" % self.csectMiniFat debug( "sectDifStart = %X" % self.sectDifStart debug( "csectDif = %d" % self.csectDif + # calculate the number of sectors in the fil # (-1 because header doesn't count self.nb_sect = ( (filesize + self.SectorSize-1) // self.SectorSize) - debug( "Number of sectors in the file: %d" % self.nb_sect #TODO: change this test, because an OLE file MAY contain other dat # after the last sector + # file clsi self.clsid = _clsid(header[8:24] + #TODO: remove redundant attributes, and fix the code which uses them self.sectorsize = self.SectorSize #1 << i16(header, 30 self.minisectorsize = self.MiniSectorSize #1 << i16(header, 32 self.minisectorcutoff = self.MiniSectorCutoff # i32(header, 56 + # check known streams for duplicate references (these are always in FAT # never in MiniFAT) self._check_duplicate_stream(self.sectDirStart # check MiniFAT only if it is not empty if self.csectMiniFat self._check_duplicate_stream(self.MiniFatStart # check DIFAT only if it is not empty if self.csectDif self._check_duplicate_stream(self.sectDifStart + # Load file allocation table self.loadfat(header # Load direcory. This sets both the direntries list (ordered by sid # and the root (ordered by hierarchy) members self.loaddirectory(self.sectDirStart)#i32(header, 48) self.ministream = Non self.minifatsect = self.MiniFatStart #i32(header, 60 + + def close(self) "" close the OLE file, to release the file objec "" self.fp.close( + + def _check_duplicate_stream(self, first_sect, minifat=False) "" Checks if a stream has not been already referenced elsewhere This method should only be called once for each known stream, and onl if stream size is not null + :param first_sect: int, index of first sector of the stream in FA :param minifat: bool, if True, stream is located in the MiniFAT, else in the FA "" if minifat debug('_check_duplicate_stream: sect=%d in MiniFAT' % first_sect used_streams = self._used_streams_minifa else debug('_check_duplicate_stream: sect=%d in FAT' % first_sect # some values can be safely ignored (not a real stream) if first_sect in (DIFSECT,FATSECT,ENDOFCHAIN,FREESECT) retur used_streams = self._used_streams_fa #TODO: would it be more efficient using a dict or hash values, instea # of a list of long if first_sect in used_streams self._raise_defect(DEFECT_INCORRECT, 'Stream referenced twice' else used_streams.append(first_sect + + def dumpfat(self, fat, firstindex=0) "Displays a part of FAT in human-readable form for debugging purpose # [PL] added only for debu if not DEBUG_MODE retur # dictionary to convert special FAT values in human-readable string VPL = 8 # values per line (8+1 * 8+1 = 81 fatnames = FREESECT: "..free.." ENDOFCHAIN: "[ END. ]" FATSECT: "FATSECT " DIFSECT: "DIFSECT nbsect = len(fat nlines = (nbsect+VPL-1)//VP print("index", end=" " for i in range(VPL) print("%8X" % i, end=" " print( for l in range(nlines) index = l*VP print("%8X:" % (firstindex+index), end=" " for i in range(index, index+VPL) if i>=nbsect brea sect = fat[i aux = sect & 0xFFFFFFFF # JYTHON-WORKAROUN if aux in fatnames name = fatnames[aux else if sect == i+1 name = " ---> else name = "%8X" % sec print(name, end=" " print( + + def dumpsect(self, sector, firstindex=0) "Displays a sector in a human-readable form, for debugging purpose. if not DEBUG_MODE retur VPL=8 # number of values per line (8+1 * 8+1 = 81 tab = array.array(UINT32, sector if sys.byteorder == 'big' tab.byteswap( nbsect = len(tab nlines = (nbsect+VPL-1)//VP print("index", end=" " for i in range(VPL) print("%8X" % i, end=" " print( for l in range(nlines) index = l*VP print("%8X:" % (firstindex+index), end=" " for i in range(index, index+VPL) if i>=nbsect brea sect = tab[i name = "%8X" % sec print(name, end=" " print( + def sect2array(self, sect) "" convert a sector to an array of 32 bits unsigned integers swapping bytes on big endian CPUs such as PowerPC (old Macs "" a = array.array(UINT32, sect # if CPU is big endian, swap bytes if sys.byteorder == 'big' a.byteswap( return + + def loadfat_sect(self, sect) "" Adds the indexes of the given sector to the FA + :param sect: string containing the first FAT sector, or array of long integer :returns: index of last FAT sector "" # a FAT sector is an array of ulong integers if isinstance(sect, array.array) # if sect is already an array it is directly use fat1 = sec else # if it's a raw sector, it is parsed in an arra fat1 = self.sect2array(sect self.dumpsect(sect # The FAT is a sector chain starting at the first index of itself for isect in fat1 isect = isect & 0xFFFFFFFF # JYTHON-WORKAROUN debug("isect = %X" % isect if isect == ENDOFCHAIN or isect == FREESECT # the end of the sector chain has been reache debug("found end of sector chain" brea # read the FAT secto s = self.getsect(isect # parse it as an array of 32 bits integers, and add it to th # global FAT arra nextfat = self.sect2array(s self.fat = self.fat + nextfa return isec + + def loadfat(self, header) "" Load the FAT table "" # The 1st sector of the file contains sector numbers for the first 10 # FAT sectors, right after the header which is 76 bytes long # (always 109, whatever the sector size: 512 bytes = 76+4*109 # Additional sectors are described by DIF block + sect = header[76:512 debug( "len(sect)=%d, so %d integers" % (len(sect), len(sect)//4) #fat = [ # [PL] FAT is an array of 32 bits unsigned ints, it's more effectiv # to use an array than a list in Python # It's initialized as empty first self.fat = array.array(UINT32 self.loadfat_sect(sect #self.dumpfat(self.fat## for i in range(0, len(sect), 4)## ix = i32(sect, i## #[PL] if ix == -2 or ix == -1: # ix == 0xFFFFFFFE or ix == 0xFFFFFFFF## if ix == 0xFFFFFFFE or ix == 0xFFFFFFFF## brea## s = self.getsect(ix## #fat = fat + [i32(s, i) for i in range(0, len(s), 4)## fat = fat + array.array(UINT32, s if self.csectDif != 0 # [PL] There's a DIFAT because file is larger than 6.8M # some checks just in case if self.csectFat <= 109 # there must be at least 109 blocks in header and the rest i # DIFAT, so number of sectors must be >109 self._raise_defect(DEFECT_INCORRECT, 'incorrect DIFAT, not enough sectors' if self.sectDifStart >= self.nb_sect # initial DIFAT block index must be vali self._raise_defect(DEFECT_FATAL, 'incorrect DIFAT, first index out of range' debug( "DIFAT analysis..." # We compute the necessary number of DIFAT sectors # Number of pointers per DIFAT sector = (sectorsize/4)- # (-1 because the last pointer is the next DIFAT sector number nb_difat_sectors = (self.sectorsize//4)- # (if 512 bytes: each DIFAT sector = 127 pointers + 1 towards next DIFAT sector nb_difat = (self.csectFat-109 + nb_difat_sectors-1)//nb_difat_sector debug( "nb_difat = %d" % nb_difat if self.csectDif != nb_difat raise IOError('incorrect DIFAT' isect_difat = self.sectDifStar for i in iterrange(nb_difat) debug( "DIFAT block %d, sector %X" % (i, isect_difat) #TODO: check if corresponding FAT SID = DIFSEC sector_difat = self.getsect(isect_difat difat = self.sect2array(sector_difat self.dumpsect(sector_difat self.loadfat_sect(difat[:nb_difat_sectors] # last DIFAT pointer is next DIFAT sector isect_difat = difat[nb_difat_sectors debug( "next DIFAT sector: %X" % isect_difat # checks if isect_difat not in [ENDOFCHAIN, FREESECT] # last DIFAT pointer value must be ENDOFCHAIN or FREESEC raise IOError('incorrect end of DIFAT'## if len(self.fat) != self.csectFat## # FAT should contain csectFat block## print("FAT length: %d instead of %d" % (len(self.fat), self.csectFat)## raise IOError('incorrect DIFAT' # since FAT is read from fixed-size sectors, it may contain more value # than the actual number of sectors in the file # Keep only the relevant sector indexes if len(self.fat) > self.nb_sect debug('len(fat)=%d, shrunk to nb_sect=%d' % (len(self.fat), self.nb_sect) self.fat = self.fat[:self.nb_sect debug('\nFAT:' self.dumpfat(self.fat + + def loadminifat(self) "" Load the MiniFAT table "" # MiniFAT is stored in a standard sub-stream, pointed to by a heade # field # NOTE: there are two sizes to take into account for this stream # 1) Stream size is calculated according to the number of sector # declared in the OLE header. This allocated stream may be more tha # needed to store the actual sector indexes # (self.csectMiniFat is the number of sectors of size self.SectorSize stream_size = self.csectMiniFat * self.SectorSiz # 2) Actually used size is calculated by dividing the MiniStream siz # (given by root entry size) by the size of mini sectors, *4 fo # 32 bits indexes nb_minisectors = (self.root.size + self.MiniSectorSize-1) // self.MiniSectorSiz used_size = nb_minisectors * debug('loadminifat(): minifatsect=%d, nb FAT sectors=%d, used_size=%d, stream_size=%d, nb MiniSectors=%d' (self.minifatsect, self.csectMiniFat, used_size, stream_size, nb_minisectors) if used_size > stream_size # This is not really a problem, but may indicate a wrong implementation self._raise_defect(DEFECT_INCORRECT, 'OLE MiniStream is larger than MiniFAT' # In any case, first read stream_size s = self._open(self.minifatsect, stream_size, force_FAT=True).read( #[PL] Old code replaced by an array #self.minifat = [i32(s, i) for i in range(0, len(s), 4) self.minifat = self.sect2array(s # Then shrink the array to used size, to avoid indexes out of MiniStream debug('MiniFAT shrunk from %d to %d sectors' % (len(self.minifat), nb_minisectors) self.minifat = self.minifat[:nb_minisectors debug('loadminifat(): len=%d' % len(self.minifat) debug('\nMiniFAT:' self.dumpfat(self.minifat + def getsect(self, sect) "" Read given sector from file on disk + :param sect: int, sector inde :returns: a string containing the sector data "" # From [MS-CFB]: A sector number can be converted into a byte offse # into the file by using the following formula # (sector number + 1) x Sector Size # This implies that sector #0 of the file begins at byte offset Secto # Size, not at 0 + # [PL] the original code in PIL was wrong when sectors are 4KB instead o # 512 bytes #self.fp.seek(512 + self.sectorsize * sect #[PL]: added safety checks #print("getsect(%X)" % sect try self.fp.seek(self.sectorsize * (sect+1) except debug('getsect(): sect=%X, seek=%d, filesize=%d' (sect, self.sectorsize*(sect+1), self._filesize) self._raise_defect(DEFECT_FATAL, 'OLE sector index out of range' sector = self.fp.read(self.sectorsize if len(sector) != self.sectorsize debug('getsect(): sect=%X, read=%d, sectorsize=%d' (sect, len(sector), self.sectorsize) self._raise_defect(DEFECT_FATAL, 'incomplete OLE sector' return secto + + def write_sect(self, sect, data, padding=b'\x00') "" Write given sector to file on disk + :param sect: int, sector inde :param data: bytes, sector dat :param padding: single byte, padding character if data < sector siz "" if not isinstance(data, bytes) raise TypeError("write_sect: data must be a bytes string" if not isinstance(padding, bytes) or len(padding)!=1 raise TypeError("write_sect: padding must be a bytes string of 1 char" #TODO: we could allow padding=None for no padding at al try self.fp.seek(self.sectorsize * (sect+1) except debug('write_sect(): sect=%X, seek=%d, filesize=%d' (sect, self.sectorsize*(sect+1), self._filesize) self._raise_defect(DEFECT_FATAL, 'OLE sector index out of range' if len(data) < self.sectorsize # add paddin data += padding * (self.sectorsize - len(data) elif len(data) < self.sectorsize raise ValueError("Data is larger than sector size" self.fp.write(data + + def loaddirectory(self, sect) "" Load the directory + :param sect: sector index of directory stream "" # The directory is stored in a standar # substream, independent of its size + # open directory stream as a read-only file # (stream size is not known in advance self.directory_fp = self._open(sect + #[PL] to detect malformed documents and avoid DoS attacks, the maximu # number of directory entries can be calculated max_entries = self.directory_fp.size // 12 debug('loaddirectory: size=%d, max_entries=%d' (self.directory_fp.size, max_entries) + # Create list of directory entrie #self.direntries = [ # We start with a list of "None" objec self.direntries = [None] * max_entrie## for sid in iterrange(max_entries)## entry = fp.read(128## if not entry## brea## self.direntries.append(_OleDirectoryEntry(entry, sid, self) # load root entry root_entry = self._load_direntry(0 # Root entry is the first entry self.root = self.direntries[0 # read and build all storage trees, starting from the root self.root.build_storage_tree( + + def _load_direntry (self, sid) "" Load a directory entry from the directory This method should only be called once for each storage/stream whe loading the directory + :param sid: index of storage/stream in the directory :returns: a _OleDirectoryEntry objec + :exception IOError: if the entry has always been referenced "" # check if SID is OK if sid<0 or sid>=len(self.direntries) self._raise_defect(DEFECT_FATAL, "OLE directory index out of range" # check if entry was already referenced if self.direntries[sid] is not None self._raise_defect(DEFECT_INCORRECT "double reference for OLE stream/storage" # if exception not raised, return the objec return self.direntries[sid self.directory_fp.seek(sid * 128 entry = self.directory_fp.read(128 self.direntries[sid] = _OleDirectoryEntry(entry, sid, self return self.direntries[sid + + def dumpdirectory(self) "" Dump directory (for debugging only "" self.root.dump( + + def _open(self, start, size = 0x7FFFFFFF, force_FAT=False) "" Open a stream, either in FAT or MiniFAT according to its size (openstream helper + :param start: index of first secto :param size: size of stream (or nothing if size is unknown :param force_FAT: if False (default), stream will be opened in FAT or MiniFA according to size. If True, it will always be opened in FAT "" debug('OleFileIO.open(): sect=%d, size=%d, force_FAT=%s' (start, size, str(force_FAT)) # stream size is compared to the MiniSectorCutoff threshold if size < self.minisectorcutoff and not force_FAT # ministream objec if not self.ministream # load MiniFAT if it wasn't already done self.loadminifat( # The first sector index of the miniFAT stream is stored in th # root directory entry size_ministream = self.root.siz debug('Opening MiniStream: sect=%d, size=%d' (self.root.isectStart, size_ministream) self.ministream = self._open(self.root.isectStart size_ministream, force_FAT=True return _OleStream(fp=self.ministream, sect=start, size=size offset=0, sectorsize=self.minisectorsize fat=self.minifat, filesize=self.ministream.size else # standard strea return _OleStream(fp=self.fp, sect=start, size=size offset=self.sectorsize sectorsize=self.sectorsize, fat=self.fat filesize=self._filesize + + def _list(self, files, prefix, node, streams=True, storages=False) "" listdir helpe + :param files: list of files to fill i :param prefix: current location in storage tree (list of names :param node: current node (_OleDirectoryEntry object :param streams: bool, include streams if True (True by default) - new in v0.2 :param storages: bool, include storages if True (False by default) - new in v0.2 (note: the root storage is never included "" prefix = prefix + [node.name for entry in node.kids if entry.entry_type == STGTY_STORAGE # this is a storag if storages # add it to the lis files.append(prefix[1:] + [entry.name] # check its kid self._list(files, prefix, entry, streams, storages elif entry.entry_type == STGTY_STREAM # this is a strea if streams # add it to the lis files.append(prefix[1:] + [entry.name] else self._raise_defect(DEFECT_INCORRECT, 'The directory tree contains an entry which is not a stream nor a storage.' + + def listdir(self, streams=True, storages=False) "" Return a list of streams and/or storages stored in this fil + :param streams: bool, include streams if True (True by default) - new in v0.2 :param storages: bool, include storages if True (False by default) - new in v0.2 (note: the root storage is never included :returns: list of stream and/or storage path "" files = [ self._list(files, [], self.root, streams, storages return file + + def _find(self, filename) "" Returns directory entry of given filename. (openstream helper Note: this method is case-insensitive + :param filename: path of stream in storage tree (except root entry), either + - a string using Unix path syntax, for example 'storage_1/storage_1.2/stream - or a list of storage filenames, path to the desired stream/storage Example: ['storage_1', 'storage_1.2', 'stream' + :returns: sid of requested filenam :exception IOError: if file not foun "" + # if filename is a string instead of a list, split it on slashes t # convert to a list if isinstance(filename, basestring) filename = filename.split('/' # walk across storage tree, following given path node = self.roo for name in filename for kid in node.kids if kid.name.lower() == name.lower() brea else raise IOError("file not found" node = ki return node.si + + def openstream(self, filename) "" Open a stream as a read-only file object (BytesIO) Note: filename is case-insensitive + :param filename: path of stream in storage tree (except root entry), either + - a string using Unix path syntax, for example 'storage_1/storage_1.2/stream - or a list of storage filenames, path to the desired stream/storage Example: ['storage_1', 'storage_1.2', 'stream' + :returns: file object (read-only :exception IOError: if filename not found, or if this is not a stream "" sid = self._find(filename entry = self.direntries[sid if entry.entry_type != STGTY_STREAM raise IOError("this file is not a stream" return self._open(entry.isectStart, entry.size + + def write_stream(self, stream_name, data) "" Write a stream to disk. For now, it is only possible to replace a existing stream by data of the same size + :param stream_name: path of stream in storage tree (except root entry), either + - a string using Unix path syntax, for example 'storage_1/storage_1.2/stream - or a list of storage filenames, path to the desired stream/storage Example: ['storage_1', 'storage_1.2', 'stream' + :param data: bytes, data to be written, must be the same size as the origina stream "" if not isinstance(data, bytes) raise TypeError("write_stream: data must be a bytes string" sid = self._find(stream_name entry = self.direntries[sid if entry.entry_type != STGTY_STREAM raise IOError("this is not a stream" size = entry.siz if size != len(data) raise ValueError("write_stream: data must be the same size as the existing stream" if size < self.minisectorcutoff raise NotImplementedError("Writing a stream in MiniFAT is not implemented yet" sect = entry.isectStar # number of sectors to writ nb_sectors = (size + (self.sectorsize-1)) // self.sectorsiz debug('nb_sectors = %d' % nb_sectors for i in range(nb_sectors)## try## self.fp.seek(offset + self.sectorsize * sect## except## debug('sect=%d, seek=%d' ## (sect, offset+self.sectorsize*sect)## raise IOError('OLE sector index out of range' # extract one sector from data, the last one being smaller if i<(nb_sectors-1) data_sector = data [i*self.sectorsize : (i+1)*self.sectorsize #TODO: comment this if it work assert(len(data_sector)==self.sectorsize else data_sector = data [i*self.sectorsize: #TODO: comment this if it work debug('write_stream: size=%d sectorsize=%d data_sector=%d size%%sectorsize=%d % (size, self.sectorsize, len(data_sector), size % self.sectorsize) assert(len(data_sector) % self.sectorsize==size % self.sectorsize self.write_sect(sect, data_sector## self.fp.write(data_sector # jump to next sector in the FAT try sect = self.fat[sect except IndexError # [PL] if pointer is out of the FAT an exception is raise raise IOError('incorrect OLE FAT, sector index out of range' #[PL] Last sector should be a "end of chain" marker if sect != ENDOFCHAIN raise IOError('incorrect last sector index in OLE stream' + + def get_type(self, filename) "" Test if given filename exists as a stream or a storage in the OL container, and return its type + :param filename: path of stream in storage tree. (see openstream for syntax :returns: False if object does not exist, its entry type (>0) otherwise + - STGTY_STREAM: a strea - STGTY_STORAGE: a storag - STGTY_ROOT: the root entr "" try sid = self._find(filename entry = self.direntries[sid return entry.entry_typ except return Fals + + def getmtime(self, filename) "" Return modification time of a stream/storage + :param filename: path of stream/storage in storage tree. (see openstream fo syntax :returns: None if modification time is null, a python datetime objec otherwise (UTC timezone + new in version 0.2 "" sid = self._find(filename entry = self.direntries[sid return entry.getmtime( + + def getctime(self, filename) "" Return creation time of a stream/storage + :param filename: path of stream/storage in storage tree. (see openstream fo syntax :returns: None if creation time is null, a python datetime objec otherwise (UTC timezone + new in version 0.2 "" sid = self._find(filename entry = self.direntries[sid return entry.getctime( + + def exists(self, filename) "" Test if given filename exists as a stream or a storage in the OL container Note: filename is case-insensitive + :param filename: path of stream in storage tree. (see openstream for syntax :returns: True if object exist, else False "" try sid = self._find(filename return Tru except return Fals + + def get_size(self, filename) "" Return size of a stream in the OLE container, in bytes + :param filename: path of stream in storage tree (see openstream for syntax :returns: size in bytes (long integer :exception IOError: if file not foun :exception TypeError: if this is not a stream "" sid = self._find(filename entry = self.direntries[sid if entry.entry_type != STGTY_STREAM #TODO: Should it return zero instead of raising an exception raise TypeError('object is not an OLE stream' return entry.siz + + def get_rootentry_name(self) "" Return root entry name. Should usually be 'Root Entry' or 'R' in mos implementations "" return self.root.nam + + def getproperties(self, filename, convert_time=False, no_conversion=None) "" Return properties described in substream + :param filename: path of stream in storage tree (see openstream for syntax :param convert_time: bool, if True timestamps will be converted to Python datetim :param no_conversion: None or list of int, timestamps not to be converte (for example total editing time is not a real timestamp + :returns: a dictionary of values indexed by id (integer "" #REFERENCE: [MS-OLEPS] https://msdn.microsoft.com/en-us/library/dd942421.asp # make sure no_conversion is a list, just to simplify code below if no_conversion == None no_conversion = [ # stream path as a string to report exceptions streampath = filenam if not isinstance(streampath, str) streampath = '/'.join(streampath + fp = self.openstream(filename + data = { + try # heade s = fp.read(28 clsid = _clsid(s[8:24] + # format i s = fp.read(20 fmtid = _clsid(s[:16] fp.seek(i32(s, 16) + # get sectio s = b"****" + fp.read(i32(fp.read(4))-4 # number of properties num_props = i32(s, 4 except BaseException as exc # catch exception while parsing property header, and only rais # a DEFECT_INCORRECT then return an empty dict, because this is no # a fatal error when parsing the whole fil msg = 'Error while parsing properties header in stream %s: %s' % repr(streampath), exc self._raise_defect(DEFECT_INCORRECT, msg, type(exc) return dat + for i in range(num_props) try id = 0 # just in case of an exceptio id = i32(s, 8+i*8 offset = i32(s, 12+i*8 type = i32(s, offset + debug ('property id=%d: type=%d offset=%X' % (id, type, offset) + # test for common types first (should perhaps us # a dictionary instead? + if type == VT_I2: # 16-bit signed intege value = i16(s, offset+4 if value >= 32768 value = value - 6553 elif type == VT_UI2: # 2-byte unsigned intege value = i16(s, offset+4 elif type in (VT_I4, VT_INT, VT_ERROR) # VT_I4: 32-bit signed intege # VT_ERROR: HRESULT, similar to 32-bit signed integer # see http://msdn.microsoft.com/en-us/library/cc230330.asp value = i32(s, offset+4 elif type in (VT_UI4, VT_UINT): # 4-byte unsigned intege value = i32(s, offset+4) # FIXM elif type in (VT_BSTR, VT_LPSTR) # CodePageString, see http://msdn.microsoft.com/en-us/library/dd942354.asp # size is a 32 bits integer, including the null terminator, an # possibly trailing or embedded null char #TODO: if codepage is unicode, the string should be converted as suc count = i32(s, offset+4 value = s[offset+8:offset+8+count-1 # remove all null chars value = value.replace(b'\x00', b'' elif type == VT_BLOB # binary large object (BLOB # see http://msdn.microsoft.com/en-us/library/dd942282.asp count = i32(s, offset+4 value = s[offset+8:offset+8+count elif type == VT_LPWSTR # UnicodeStrin # see http://msdn.microsoft.com/en-us/library/dd942313.asp # "the string should NOT contain embedded or additional trailin # null characters. count = i32(s, offset+4 value = self._decode_utf16_str(s[offset+8:offset+8+count*2] elif type == VT_FILETIME value = long(i32(s, offset+4)) + (long(i32(s, offset+8))<<32 # FILETIME is a 64-bit int: "number of 100ns period # since Jan 1,1601" if convert_time and id not in no_conversion debug('Converting property #%d to python datetime, value=%d=%fs %(id, value, float(value)/10000000) # convert FILETIME to Python datetime.datetim # inspired from http://code.activestate.com/recipes/511425-filetime-to-datetime _FILETIME_null_date = datetime.datetime(1601, 1, 1, 0, 0, 0 debug('timedelta days=%d' % (value//(10*1000000*3600*24)) value = _FILETIME_null_date + datetime.timedelta(microseconds=value//10 else # legacy code kept for backward compatibility: returns # number of seconds since Jan 1,160 value = value // 10000000 # second elif type == VT_UI1: # 1-byte unsigned intege value = i8(s[offset+4] elif type == VT_CLSID value = _clsid(s[offset+4:offset+20] elif type == VT_CF # PropertyIdentifier or ClipboardData? # see http://msdn.microsoft.com/en-us/library/dd941945.asp count = i32(s, offset+4 value = s[offset+8:offset+8+count elif type == VT_BOOL # VARIANT_BOOL, 16 bits bool, 0x0000=Fals, 0xFFFF=Tru # see http://msdn.microsoft.com/en-us/library/cc237864.asp value = bool(i16(s, offset+4) else value = None # everything else yields "None debug ('property id=%d: type=%d not implemented in parser yet' % (id, type) + # missing: VT_EMPTY, VT_NULL, VT_R4, VT_R8, VT_CY, VT_DATE # VT_DECIMAL, VT_I1, VT_I8, VT_UI8 # see http://msdn.microsoft.com/en-us/library/dd942033.asp + # FIXME: add support for VT_VECTO # VT_VECTOR is a 32 uint giving the number of items, followed b # the items in sequence. The VT_VECTOR value is combined with th # type of items, e.g. VT_VECTOR|VT_BST # see http://msdn.microsoft.com/en-us/library/dd942011.asp + #print("%08x" % id, repr(value), end=" " #print("(%s)" % VT[i32(s, offset) & 0xFFF] + data[id] = valu except BaseException as exc # catch exception while parsing each property, and only rais # a DEFECT_INCORRECT, because parsing can go o msg = 'Error while parsing property id %d in stream %s: %s' % id, repr(streampath), exc self._raise_defect(DEFECT_INCORRECT, msg, type(exc) + return dat + def get_metadata(self) "" Parse standard properties streams, return an OleMetadata objec containing all the available metadata (also stored in the metadata attribute of the OleFileIO object + new in version 0.2 "" self.metadata = OleMetadata( self.metadata.parse_properties(self return self.metadat +# -------------------------------------------------------------------# This script can be used to dump the directory of any OLE2 structure# storage file +if __name__ == "__main__disabled" + import sy + # [PL] display quick usage info if launched from command-lin if len(sys.argv) <= 1 print('olefile version %s %s - %s' % (__version__, __date__, __author__) print""Launched from the command line, this script parses OLE files and prints info +Usage: olefile.py [-d] [-c] [file2 ... +Options-d : debug mode (displays a lot of debug information, for developers only-c : check all streams (for debugging purposes +For more information, see http://www.decalage.info/olefil""" sys.exit( + check_streams = Fals for filename in sys.argv[1:]## try # OPTIONS if filename == '-d' # option to switch debug mode on set_debug_mode(True continu if filename == '-c' # option to switch check streams mode on check_streams = Tru continu + ole = OleFileIO(filename)#, raise_defects=DEFECT_INCORRECT print("-" * 68 print(filename print("-" * 68 ole.dumpdirectory( for streamname in ole.listdir() if streamname[-1][0] == "\005" print(streamname, ": properties" props = ole.getproperties(streamname, convert_time=True props = sorted(props.items() for k, v in props #[PL]: avoid to display too large or binary values if isinstance(v, (basestring, bytes)) if len(v) > 50 v = v[:50 if isinstance(v, bytes) # quick and dirty binary check for c in (1,2,3,4,5,6,7,11,12,14,15,16,17,18,19,20 21,22,23,24,25,26,27,28,29,30,31) if c in bytearray(v) v = '(binary data) brea print(" ", k, v + if check_streams # Read all streams to check if there are errors print('\nChecking streams...' for streamname in ole.listdir() # print name using repr() to convert binary chars to \xNN print('-', repr('/'.join(streamname)),'-', end=' ' st_type = ole.get_type(streamname if st_type == STGTY_STREAM print('size %d' % ole.get_size(streamname) # just try to read stream in memory ole.openstream(streamname else print('NOT a stream : type=%d' % st_type print( +## for streamname in ole.listdir()## # print name using repr() to convert binary chars to \xNN## print('-', repr('/'.join(streamname)),'-', end=' '## print(ole.getmtime(streamname)## print( + print('Modification/Creation times of all directory entries:' for entry in ole.direntries if entry is not None print('- %s: mtime=%s ctime=%s' % (entry.name entry.getmtime(), entry.getctime()) print( + # parse and display metadata meta = ole.get_metadata( meta.dump( print( #[PL] Test a few new methods root = ole.get_rootentry_name( print('Root entry name: "%s"' % root if ole.exists('worddocument') print("This is a Word document." print("type of stream 'WordDocument':", ole.get_type('worddocument') print("size :", ole.get_size('worddocument') if ole.exists('macros/vba') print("This document may contain VBA macros." + # print parsing issues print('\nNon-fatal issues raised during parsing:' if ole.parsing_issues for exctype, msg in ole.parsing_issues print('- %s: %s' % (exctype.__name__, msg) else print('None'## except IOError as v## print("***", "cannot read", file, "-", v +# this code was developed while listening to The Wedding Present "Sea Monsters + +##### borrowed library code ends, program starts #### +# This software is Copyright (c) 2012-2013 Dhiru Kholia = stream.size break # eo + type = unpack("= 2 and minor_version == 2 # RC4 CryptoAPI Encryption Heade unpack("= 2 and minor_version == 2 # RC4 CryptoAPI Encryption Heade unpack("= 2 and minor_version == 2 pas else continu # RC4 CryptoAPI Encryption Header, Section 2.3.5.1 - RC4 CryptoAP # Encryption Header in [MS-OFFCRYPTO].pd unpack(" -1 sys.stderr.write("%s uses un-supported cipher algorithm %s, please file a bug! \n" % (filename, cipherAlgorithm) return - + saltValue = node.attrib.get("saltValue" assert(saltValue encryptedVerifierHashInput = node.attrib.get("encryptedVerifierHashInput" encryptedVerifierHashValue = node.attrib.get("encryptedVerifierHashValue" if PY3 encryptedVerifierHashValue = binascii.hexlify(base64.decodebytes(encryptedVerifierHashValue.encode()) else encryptedVerifierHashValue = binascii.hexlify(base64.decodestring(encryptedVerifierHashValue.encode()) + if PY3 saltAscii = binascii.hexlify(base64.decodebytes(saltValue.encode())).decode("ascii" encryptedVerifierHashAscii = binascii.hexlify(base64.decodebytes(encryptedVerifierHashInput.encode())).decode("ascii" else saltAscii = binascii.hexlify(base64.decodestring(saltValue.encode())).decode("ascii" encryptedVerifierHashAscii = binascii.hexlify(base64.decodestring(encryptedVerifierHashInput.encode())).decode("ascii" + sys.stdout.write("%s:$office$*%d*%d*%d*%d*%s*%s*%s\n" % (os.path.basename(filename), version int(spinCount), int(keyBits), int(saltSize) saltAscii encryptedVerifierHashAscii encryptedVerifierHashValue[0:64].decode("ascii")) return + +have_summary = Falssummary = [ +import rfrom binascii import unhexlif + +def remove_html_tags(data) p = re.compile(r'<.*?>', re.DOTALL return p.sub('', str(data) + +def remove_extra_spaces(data) p = re.compile(r'\s+' return p.sub(' ', data + +def process_file(filename) # Test if a file is an OLE containe try f = open(filename, "rb" data = f.read(81920) # is this enough if data[0:2] == b"PK" sys.stderr.write("%s : zip container found, file is " "unencrypted?, invalid OLE file!\n" % filename f.close( return f.close( + # ACCDB handling hack for MS Access >= 2007 (Office 12 accdb_magic = b"Standard ACE DB accdb_xml_start = b' if accdb_magic in data and accdb_xml_start in data # find start and the end of the XML metadata strea start = data.find(accdb_xml_start trailer = data.find(accdb_xml_trailer xml_metadata_parser(data[start:trailer+len(accdb_xml_trailer)], filename retur elif accdb_magic in data: # Access 2007 files using CryptoAP process_access_2007_older_crypto(filename retur + # OneNote handling hack for OneNote versions >= 2013, see [MS-ONESTORE].pd onenote_magic = unhexlify("e4525c7b8cd8" onenote_xml_start = b' if data.startswith(onenote_magic) and onenote_xml_start in data # find start and the end of the XML metadata strea start = data.find(onenote_xml_start trailer = data.find(onenote_xml_trailer xml_metadata_parser(data[start:trailer+len(onenote_xml_trailer)], filename retur + if not isOleFile(filename) sys.stderr.write("%s : Invalid OLE file\n" % filename return except Exception e = sys.exc_info()[1 import tracebac traceback.print_exc( sys.stderr.write("%s : OLE check failed, %s\n" % (filename, str(e)) return + # Open OLE file ole = OleFileIO(filename + stream = Non + # find "summary" stream global have_summary, summar have_summary = Fals summary = [ + for streamname in ole.listdir() streamname = streamname[-1 if streamname[0] == "\005" have_summary = Tru props = ole.getproperties(streamname for k, v in props.items() if v is None continu if not PY3 if not isinstance(v, unicode): # We are only interested in string continu else if not isinstance(v, str): # We are only interested in string continu v = remove_html_tags(v v = v.replace(":", "" v = remove_extra_spaces(v #words = v.split( #words = filter(lambda x: len(x) < 20, words #v = " ".join(words summary.append(v summary = " ".join(summary summary = remove_extra_spaces(summary + if ["EncryptionInfo"] in ole.listdir() # process Office 2003 / 2010 / 2013 file return process_new_office(filename if ["Workbook"] in ole.listdir() stream = "Workbook elif ["WordDocument"] in ole.listdir() typ = sdoc = ole.openstream("WordDocument" stream = find_table(filename, sdoc if stream == "none" return + elif ["PowerPoint Document"] in ole.listdir() stream = "Current User else sys.stderr.write("%s : No supported streams found\n" % filename return + try workbookStream = ole.openstream(stream except import tracebac traceback.print_exc( sys.stderr.write("%s : stream %s not found!\n" % (filename, stream) return + if workbookStream is None sys.stderr.write("%s : Error opening stream, %s\n" % filename (filename, stream return + if stream == "Workbook" typ = passinfo = find_rc4_passinfo_xls(filename, workbookStream if passinfo is None return elif stream == "0Table" or stream == "1Table" passinfo = find_rc4_passinfo_doc(filename, workbookStream if passinfo is None return else sppt = ole.openstream("Current User" offset = find_ppt_type(filename, sppt sppt = ole.openstream("PowerPoint Document" ret = find_rc4_passinfo_ppt(filename, sppt, offset if not ret find_rc4_passinfo_ppt_bf(filename, sppt, offset + return + (salt, verifier, verifierHash) = passinf if not have_summary sys.stdout.write("%s:$oldoffice$%s*%s*%s*%s\n" % (os.path.basename(filename) typ, binascii.hexlify(salt).decode("ascii") binascii.hexlify(verifier).decode("ascii") binascii.hexlify(verifierHash).decode("ascii")) else sys.stdout.write("%s:$oldoffice$%s*%s*%s*%s:::%s::%s\n" % (os.path.basename(filename) typ, binascii.hexlify(salt).decode("ascii") binascii.hexlify(verifier).decode("ascii") binascii.hexlify(verifierHash).decode("ascii") summary, filename) + workbookStream.close( ole.close( + return +if __name__ == "__main__" if len(sys.argv) < 2 sys.stderr.write("Usage: %s \n" % sys.argv[0] sys.exit(1 + # set_debug_mode(1 + for i in range(1, len(sys.argv)) if not PY3 ret = process_file(sys.argv[i].decode("utf8") else ret = process_file(sys.argv[i] \ No newline at end of file