def createFields(self):
bytes = self.stream.readBytes(self.absolute_address, 4)
if bytes == b"\0R\0\0":
charset = "UTF-16-BE"
else:
charset = "UTF-16-LE"
yield String(self, "name", 64, charset=charset, truncate="\0")
yield UInt16(self, "namelen", "Length of the name")
yield Enum(UInt8(self, "type", "Property type"), self.TYPE_NAME)
yield Enum(UInt8(self, "decorator", "Decorator"), self.DECORATOR_NAME)
yield SECT(self, "left")
yield SECT(self, "right")
yield SECT(self, "child",
"Child node (valid for storage and root types)")
yield GUID(self, "clsid",
"CLSID of this storage (valid for storage and root types)")
yield NullBytes(self, "flags", 4, "User flags")
yield TimestampWin64(
self, "creation",
"Creation timestamp(valid for storage and root types)")
yield TimestampWin64(
self, "lastmod",
"Modify timestamp (valid for storage and root types)")
yield SECT(
self, "start",
"Starting SECT of the stream (valid for stream and root types)")
if self["/header/bb_shift"].value == 9:
yield filesizeHandler(
UInt32(self, "size",
"Size in bytes (valid for stream and root types)"))
yield NullBytes(self, "padding", 4)
else:
yield filesizeHandler(
UInt64(self, "size",
"Size in bytes (valid for stream and root types)"))
def parseStandardInfo(self):
yield TimestampWin64(self, "ctime", "File Creation")
yield TimestampWin64(self, "atime", "File Altered")
yield TimestampWin64(self, "mtime", "MFT Changed")
yield TimestampWin64(self, "rtime", "File Read")
yield MSDOSFileAttr32(self, "file_attr", "DOS File Permissions")
yield UInt32(self, "max_version", "Maximum Number of Versions")
yield UInt32(self, "version", "Version Number")
yield UInt32(self, "class_id")
yield UInt32(self, "owner_id")
yield UInt32(self, "security_id")
yield filesizeHandler(UInt64(self, "quota_charged", "Quota Charged"))
yield UInt64(self, "usn", "Update Sequence Number (USN)")
def parseFilename(self):
yield UInt64(self, "ref", "File reference to the parent directory")
yield TimestampWin64(self, "ctime", "File Creation")
yield TimestampWin64(self, "atime", "File Altered")
yield TimestampWin64(self, "mtime", "MFT Changed")
yield TimestampWin64(self, "rtime", "File Read")
yield filesizeHandler(UInt64(self, "alloc_size", "Allocated size of the file"))
yield filesizeHandler(UInt64(self, "real_size", "Real size of the file"))
yield UInt32(self, "file_flags")
yield UInt32(self, "file_flags2", "Used by EAs and Reparse")
yield UInt8(self, "filename_length", "Filename length in characters")
yield Enum(UInt8(self, "filename_namespace"), self.FILENAME_NAMESPACE)
size = self["filename_length"].value * 2
if size:
yield String(self, "filename", size, charset="UTF-16-LE")
def createFields(self):
yield GUID(self, "guid")
yield filesizeHandler(UInt64(self, "file_size"))
yield TimestampWin64(self, "creation_date")
yield UInt64(self, "pckt_count")
yield TimedeltaWin64(self, "play_duration")
yield TimedeltaWin64(self, "send_duration")
yield TimedeltaMillisWin64(self, "preroll")
yield Bit(self, "broadcast", "Is broadcast?")
yield Bit(self, "seekable", "Seekable stream?")
yield PaddingBits(self, "reserved[]", 30)
yield filesizeHandler(UInt32(self, "min_pckt_size"))
yield filesizeHandler(UInt32(self, "max_pckt_size"))
yield displayHandler(UInt32(self, "max_bitrate"), humanBitRate)
def createFields(self):
yield PropID(self, "id")
yield SZUInt64(self, "size")
definearr = SevenZipBitVector(self,
"defined",
self['../num_files'].value,
has_all_byte=True)
yield definearr
yield UInt8(self, "is_external")
if self['is_external'].value:
yield SZUInt64(self, "folder_data_offset",
"Offset to folder data within data stream")
else:
for index in definearr.value:
yield TimestampWin64(self, "timestamp[%d]" % index)
def createFields(self):
yield UInt16(self, "length", "Length of Item ID Entry")
if not self["length"].value:
return
yield Enum(UInt8(self, "type"), self.ITEM_TYPE)
entrytype = self["type"].value
if entrytype in (0x1F, 0x70):
# GUID
yield RawBytes(self, "dummy", 1, "should be 0x50")
yield GUID(self, "guid")
elif entrytype == 0x2E:
# Shell extension
yield RawBytes(self, "dummy", 1, "should be 0x50")
if self["dummy"].value == '\0':
yield UInt16(self, "length_data",
"Length of shell extension-specific data")
if self["length_data"].value:
yield RawBytes(self, "data", self["length_data"].value,
"Shell extension-specific data")
yield GUID(self, "handler_guid")
yield GUID(self, "guid")
elif entrytype in (0x23, 0x25, 0x29, 0x2F):
# Drive
yield String(self, "drive", self["length"].value - 3, strip="\0")
elif entrytype in (0x30, 0x31, 0x32, 0x61, 0xb1):
yield RawBytes(self, "dummy", 1, "should be 0x00")
yield UInt32(self, "size", "size of file; 0 for folders")
yield DateTimeMSDOS32(self, "date_time",
"File/folder date and time")
yield MSDOSFileAttr16(self, "attribs", "File/folder attributes")
yield CString(self, "name", "File/folder name")
if self.root.hasUnicodeNames():
# Align to 2-bytes
n = paddingSize(self.current_size // 8, 2)
if n:
yield PaddingBytes(self, "pad", n)
yield UInt16(self, "length_w", "Length of wide struct member")
yield RawBytes(self, "unknown[]", 6)
yield DateTimeMSDOS32(self, "creation_date_time",
"File/folder creation date and time")
yield DateTimeMSDOS32(self, "access_date_time",
"File/folder last access date and time")
yield RawBytes(self, "unknown[]", 2)
yield UInt16(
self, "length_next",
"Length of next two strings (if zero, ignore this field)")
yield CString(self,
"unicode_name",
"File/folder name",
charset="UTF-16-LE")
if self["length_next"].value:
yield CString(self, "localized_name", "Localized name")
yield RawBytes(self, "unknown[]", 2)
else:
yield CString(self, "name_short", "File/folder short name")
elif entrytype in (0x41, 0x42, 0x46):
yield RawBytes(self, "unknown[]", 2)
yield CString(self, "name")
yield CString(self, "protocol")
yield RawBytes(self, "unknown[]", 2)
elif entrytype == 0x47:
# Whole Network
yield RawBytes(self, "unknown[]", 2)
yield CString(self, "name")
elif entrytype == 0xC3:
# Network Share
yield RawBytes(self, "unknown[]", 2)
yield CString(self, "name")
yield CString(self, "protocol")
yield CString(self, "description")
yield RawBytes(self, "unknown[]", 2)
elif entrytype == 0x4C:
# Web Folder
yield RawBytes(self, "unknown[]", 5)
yield TimestampWin64(self, "modification_time")
yield UInt32(self, "unknown[]")
yield UInt32(self, "unknown[]")
yield UInt32(self, "unknown[]")
yield LnkString(self, "name")
yield RawBytes(self, "padding[]", 2)
yield LnkString(self, "address")
if self["address/length"].value:
yield RawBytes(self, "padding[]", 2)
else:
yield RawBytes(self, "raw", self["length"].value - 3)
def createFields(self):
yield UInt32(self, "signature", "Shortcut signature (0x0000004C)")
yield GUID(self, "guid",
"Shortcut GUID (00021401-0000-0000-C000-000000000046)")
yield Bit(self, "has_shell_id", "Is the Item ID List present?")
yield Bit(self, "target_is_file", "Is a file or a directory?")
yield Bit(self, "has_description", "Is the Description field present?")
yield Bit(self, "has_rel_path",
"Is the relative path to the target available?")
yield Bit(self, "has_working_dir", "Is there a working directory?")
yield Bit(self, "has_cmd_line_args",
"Are there any command line arguments?")
yield Bit(self, "has_custom_icon", "Is there a custom icon?")
yield Bit(self, "has_unicode_names", "Are Unicode names used?")
yield Bit(self, "force_no_linkinfo")
yield Bit(self, "has_exp_sz")
yield Bit(self, "run_in_separate")
yield Bit(self, "has_logo3id", "Is LOGO3 ID info present?")
yield Bit(self, "has_darwinid", "Is the DarwinID info present?")
yield Bit(self, "runas_user", "Is the target run as another user?")
yield Bit(self, "has_exp_icon_sz",
"Is custom icon information available?")
yield Bit(self, "no_pidl_alias")
yield Bit(self, "force_unc_name")
yield Bit(self, "run_with_shim_layer")
yield PaddingBits(self, "reserved[]", 14,
"Flag bits reserved for future use")
yield MSDOSFileAttr32(self, "target_attr")
yield TimestampWin64(self, "creation_time")
yield TimestampWin64(self, "modification_time")
yield TimestampWin64(self, "last_access_time")
yield filesizeHandler(UInt32(self, "target_filesize"))
yield UInt32(self, "icon_number")
yield Enum(UInt32(self, "show_window"), self.SHOW_WINDOW_STATE)
yield textHandler(
UInt8(self, "hot_key", "Hot key used for quick access"),
text_hot_key)
yield Bit(self, "hot_key_shift", "Hot key: is Shift used?")
yield Bit(self, "hot_key_ctrl", "Hot key: is Ctrl used?")
yield Bit(self, "hot_key_alt", "Hot key: is Alt used?")
yield PaddingBits(self, "hot_key_reserved", 21, "Hot key: (reserved)")
yield NullBytes(self, "reserved[]", 8)
if self["has_shell_id"].value:
yield ItemIdList(self, "item_idlist", "Item ID List")
if self["target_is_file"].value:
yield FileLocationInfo(self, "file_location_info",
"File Location Info")
if self["has_description"].value:
yield LnkString(self, "description")
if self["has_rel_path"].value:
yield LnkString(self, "relative_path", "Relative path to target")
if self["has_working_dir"].value:
yield LnkString(self, "working_dir",
"Working directory (dir to start target in)")
if self["has_cmd_line_args"].value:
yield LnkString(self, "cmd_line_args", "Command Line Arguments")
if self["has_custom_icon"].value:
yield LnkString(self, "custom_icon", "Custom Icon Path")
while not self.eof:
yield ExtraInfo(self, "extra_info[]")
def createFields(self):
yield UInt16(self, "cfclcb", "Count of fields in the array of FC/LCB pairs")
self._size = self['cfclcb'].value * 64 + 16
yield FCLCB(self, "StshfOrig", "Original STSH allocation")
yield FCLCB(self, "Stshf", "Current STSH allocation")
yield FCLCB(self, "PlcffndRef", "Footnote reference (FRD) PLC")
yield FCLCB(self, "PlcffndTxt", "Footnote text PLC")
yield FCLCB(self, "PlcfandRef", "Annotation reference (ATRD) PLC")
yield FCLCB(self, "PlcfandTxt", "Annotation text PLC")
yield FCLCB(self, "Plcfsed", "Section descriptor (SED) PLC")
yield FCLCB(self, "Plcpad", "No longer used; used to be Plcfpgd (Page descriptor PLC)")
yield FCLCB(self, "Plcfphe", "Paragraph heights (PHE) PLC (only for Complex files)")
yield FCLCB(self, "Sttbfglsy", "Glossary string table")
yield FCLCB(self, "Plcfglsy", "Glossary PLC")
yield FCLCB(self, "Plcfhdd", "Header (HDD) PLC")
yield FCLCB(self, "PlcfbteChpx", "Character property bin table PLC")
yield FCLCB(self, "PlcfbtePapx", "Paragraph property bin table PLC")
yield FCLCB(self, "Plcfsea", "Private Use PLC")
yield FCLCB(self, "Sttbfffn", "Font information STTB")
yield FCLCB(self, "PlcffldMom", "Main document field position (FLD) PLC")
yield FCLCB(self, "PlcffldHdr", "Header subdocument field position (FLD) PLC")
yield FCLCB(self, "PlcffldFtn", "Footnote subdocument field position (FLD) PLC")
yield FCLCB(self, "PlcffldAtn", "Annotation subdocument field position (FLD) PLC")
yield FCLCB(self, "PlcffldMcr", "No longer used")
yield FCLCB(self, "Sttbfbkmk", "Bookmark names STTB")
yield FCLCB(self, "Plcfbkf", "Bookmark begin position (BKF) PLC")
yield FCLCB(self, "Plcfbkl", "Bookmark end position (BKL) PLC")
yield FCLCB(self, "Cmds", "Macro commands")
yield FCLCB(self, "Plcmcr", "No longer used")
yield FCLCB(self, "Sttbfmcr", "No longer used")
yield FCLCB(self, "PrDrvr", "Printer Driver information")
yield FCLCB(self, "PrEnvPort", "Printer environment for Portrait mode")
yield FCLCB(self, "PrEnvLand", "Printer environment for Landscape mode")
yield FCLCB(self, "Wss", "Window Save State")
yield FCLCB(self, "Dop", "Document Property data")
yield FCLCB(self, "SttbfAssoc", "Associated strings STTB")
yield FCLCB(self, "Clx", "Complex file information")
yield FCLCB(self, "PlcfpgdFtn", "Not used")
yield FCLCB(self, "AutosaveSource", "Original filename for Autosave purposes")
yield FCLCB(self, "GrpXstAtnOwners", "String Group for Annotation Owner Names")
yield FCLCB(self, "SttbfAtnbkmk", "Annotation subdocument bookmark names STTB")
yield FCLCB(self, "PlcdoaMom", "No longer used")
yield FCLCB(self, "PlcdoaHdr", "No longer used")
yield FCLCB(self, "PlcspaMom", "Main document File Shape (FSPA) PLC")
yield FCLCB(self, "PlcspaHdr", "Header subdocument FSPA PLC")
yield FCLCB(self, "PlcfAtnbkf", "Annotation subdocument bookmark begin position (BKF) PLC")
yield FCLCB(self, "PlcfAtnbkl", "Annotation subdocument bookmark end position (BKL) PLC")
yield FCLCB(self, "Pms", "Print Merge State")
yield FCLCB(self, "FormFldSttbs", "Form field values STTB")
yield FCLCB(self, "PlcfendRef", "Endnote Reference (FRD) PLC")
yield FCLCB(self, "PlcfendTxt", "Endnote Text PLC")
yield FCLCB(self, "PlcffldEdn", "Endnote subdocument field position (FLD) PLC)")
yield FCLCB(self, "PlcfpgdEdn", "not used")
yield FCLCB(self, "DggInfo", "Office Art Object Table Data")
yield FCLCB(self, "SttbfRMark", "Editor Author Abbreviations STTB")
yield FCLCB(self, "SttbCaption", "Caption Title STTB")
yield FCLCB(self, "SttbAutoCaption", "Auto Caption Title STTB")
yield FCLCB(self, "Plcfwkb", "WKB PLC")
yield FCLCB(self, "Plcfspl", "Spell Check State PLC")
yield FCLCB(self, "PlcftxbxTxt", "Text Box Text PLC")
yield FCLCB(self, "PlcffldTxbx", "Text Box Reference (FLD) PLC")
yield FCLCB(self, "PlcfhdrtxbxTxt", "Header Text Box Text PLC")
yield FCLCB(self, "PlcffldHdrTxbx", "Header Text Box Reference (FLD) PLC")
yield FCLCB(self, "StwUser", "Macro User storage")
yield FCLCB(self, "Sttbttmbd", "Embedded TrueType Font Data")
yield FCLCB(self, "Unused")
yield FCLCB(self, "PgdMother", "Main text page descriptors PLF")
yield FCLCB(self, "BkdMother", "Main text break descriptors PLF")
yield FCLCB(self, "PgdFtn", "Footnote text page descriptors PLF")
yield FCLCB(self, "BkdFtn", "Footnote text break descriptors PLF")
yield FCLCB(self, "PgdEdn", "Endnote text page descriptors PLF")
yield FCLCB(self, "BkdEdn", "Endnote text break descriptors PLF")
yield FCLCB(self, "SttbfIntlFld", "Field keywords STTB")
yield FCLCB(self, "RouteSlip", "Mailer Routing Slip")
yield FCLCB(self, "SttbSavedBy", "STTB of names of users who have saved the document")
yield FCLCB(self, "SttbFnm", "STTB of filenames of documents referenced by this one")
yield FCLCB(self, "PlcfLst", "List Format information PLC")
yield FCLCB(self, "PlfLfo", "List Format Override information PLC")
yield FCLCB(self, "PlcftxbxBkd", "Main document textbox break table (BKD) PLC")
yield FCLCB(self, "PlcftxbxHdrBkd", "Header subdocument textbox break table (BKD) PLC")
yield FCLCB(self, "DocUndo", "Undo/Versioning data")
yield FCLCB(self, "Rgbuse", "Undo/Versioning data")
yield FCLCB(self, "Usp", "Undo/Versioning data")
yield FCLCB(self, "Uskf", "Undo/Versioning data")
yield FCLCB(self, "PlcupcRgbuse", "Undo/Versioning data")
yield FCLCB(self, "PlcupcUsp", "Undo/Versioning data")
yield FCLCB(self, "SttbGlsyStyle", "Glossary entry style names STTB")
yield FCLCB(self, "Plgosl", "Grammar options PL")
yield FCLCB(self, "Plcocx", "OCX data PLC")
yield FCLCB(self, "PlcfbteLvc", "Character property bin table PLC")
if self['../fMac'].value:
yield TimestampMac32(self, "ftModified", "Date last modified")
yield Int32(self, "padding[]")
else:
yield TimestampWin64(self, "ftModified", "Date last modified")
yield FCLCB(self, "Plcflvc", "LVC PLC")
yield FCLCB(self, "Plcasumy", "Autosummary PLC")
yield FCLCB(self, "Plcfgram", "Grammar check PLC")
yield FCLCB(self, "SttbListNames", "List names STTB")
yield FCLCB(self, "SttbfUssr", "Undo/Versioning data")
while self.current_size < self.size:
yield FCLCB(self, "unknown[]")