def createFields(self):
yield SpectrumHeader(self, "header")
yield RawBytes(self, "uknown area 1", 16)
for index in range(1, 2 + 1):
yield UInt32(self, "unknown index[%s]" % index)
yield TimestampUnix32(self, "start")
yield TimestampUnix32(self, "end")
yield UInt32(self, "unknown long[%s]" % 1)
yield RawBytes(self, "uknown area 2", 16)
for index in range(2, 6 + 1):
yield UInt32(self, "unknown long[%s]" % index)
yield Float64(self, "unknown double")
yield StructTwo(self, "unknown 52-byte structure")
yield Struct100(self, "unknown 100-byte structure[1]")
for index in range(1, 4 + 1):
yield UInt16(self, "short[%s]" % index)
yield Struct100(self, "unknown 100-byte structure[2]")
for index in range(5, 6 + 1):
yield UInt16(self, "short[%s]" % index)
yield Struct100(self, "unknown 100-byte structure[3]")
for index in range(7, 10 + 1):
yield UInt16(self, "short[%s]" % index)
yield Struct100(self, "unknown 100-byte structure[4]")
for index in range(11, 14 + 1):
yield UInt16(self, "short[%s]" % index)
def createFields(self):
yield textHandler(UInt32(self, "magic", "File information magic (0xFEEF04BD)"), hexadecimal)
if self["magic"].value != 0xFEEF04BD:
raise ParserError("EXE resource: invalid file info magic")
yield Version(self, "struct_ver", "Structure version (1.0)")
yield Version(self, "file_ver_ms", "File version MS")
yield Version(self, "file_ver_ls", "File version LS")
yield Version(self, "product_ver_ms", "Product version MS")
yield Version(self, "product_ver_ls", "Product version LS")
yield textHandler(UInt32(self, "file_flags_mask"), hexadecimal)
yield Bit(self, "debug")
yield Bit(self, "prerelease")
yield Bit(self, "patched")
yield Bit(self, "private_build")
yield Bit(self, "info_inferred")
yield Bit(self, "special_build")
yield NullBits(self, "reserved", 26)
yield Enum(textHandler(UInt16(self, "file_os_major"), hexadecimal), MAJOR_OS_NAME)
yield Enum(textHandler(UInt16(self, "file_os_minor"), hexadecimal), MINOR_OS_NAME)
yield Enum(textHandler(UInt32(self, "file_type"), hexadecimal), FILETYPE_NAME)
field = textHandler(UInt32(self, "file_subfile"), hexadecimal)
if field.value == FILETYPE_DRIVER:
field = Enum(field, DRIVER_SUBTYPE_NAME)
elif field.value == FILETYPE_FONT:
field = Enum(field, FONT_SUBTYPE_NAME)
yield field
yield TimestampUnix32(self, "date_ms")
yield TimestampUnix32(self, "date_ls")
def createFields(self):
yield RawBytes(self, "unknown string", 24,
"detritus from a previous write?")
yield UInt32(self, "unknown long 1")
yield UInt32(self, "trailer addr")
for index in range(2, 7 + 1):
yield UInt32(self, "unknown long[%s]" % index)
yield TimestampUnix32(self, "start time[1]")
yield TimestampUnix32(self, "end time[1]")
yield TimestampUnix32(self, "start time[2]")
yield TimestampUnix32(self, "end time[2]")
yield RawBytes(self, "unknown area 1", 16)
yield UInt16(self, "unknown short 1")
yield UInt16(self, "unknown short 2")
yield RawBytes(self, "unknown area 2", 8)
yield UInt16(self, "unknown short 3")
yield RawBytes(self, "unknown area 3", 6)
yield UInt16(self, "unknown short 4")
yield UInt16(self, "unknown short 5")
yield RawBytes(self, "unknown area 4", 0x2c)
yield UInt32(self, "unknown long[%s]" % 8)
yield RawBytes(self, "unknown string or buffer", 76,
"detritus from a previous write?")
yield PascalStringWin32(self, "file path",
"The full filesystem path to this file")
yield RawBytes(self, "uknown area 5", 16)
yield PascalStringWin32(self, "method file",
"The filesystem path to method file")
yield PascalStringWin32(self, "tune file",
"The filesystem path to tune file")
yield StructOne(self, "unknown structure")
def createFields(self):
yield UInt32(self, "inodes_count", "Inodes count")
yield UInt32(self, "blocks_count", "Blocks count")
yield UInt32(self, "r_blocks_count", "Reserved blocks count")
yield UInt32(self, "free_blocks_count", "Free blocks count")
yield UInt32(self, "free_inodes_count", "Free inodes count")
yield UInt32(self, "first_data_block", "First data block")
yield UInt32(self, "log_block_size", "Block size")
yield UInt32(self, "log_frag_size", "Fragment size")
yield UInt32(self, "blocks_per_group", "Blocks per group")
yield UInt32(self, "frags_per_group", "Fragments per group")
yield UInt32(self, "inodes_per_group", "Inodes per group")
yield TimestampUnix32(self, "mtime", "Mount time")
yield TimestampUnix32(self, "wtime", "Write time")
yield UInt16(self, "mnt_count", "Mount count")
yield UInt16(self, "max_mnt_count", "Max mount count")
yield String(self, "magic", 2, "Magic number (0x53EF)")
yield Enum(UInt16(self, "state", "File system state"), self.state_desc)
yield Enum(UInt16(self, "errors", "Behaviour when detecting errors"),
self.error_handling_desc)
yield UInt16(self, "minor_rev_level", "Minor revision level")
yield TimestampUnix32(self, "last_check", "Time of last check")
yield textHandler(
UInt32(self, "check_interval", "Maximum time between checks"),
self.postMaxTime)
yield Enum(UInt32(self, "creator_os", "Creator OS"), self.os_name)
yield UInt32(self, "rev_level", "Revision level")
yield UInt16(self, "def_resuid", "Default uid for reserved blocks")
yield UInt16(self, "def_resgid", "Default gid for reserved blocks")
yield UInt32(self, "first_ino", "First non-reserved inode")
yield UInt16(self, "inode_size", "Size of inode structure")
yield UInt16(self, "block_group_nr",
"Block group # of this superblock")
yield UInt32(self, "feature_compat", "Compatible feature set")
yield UInt32(self, "feature_incompat", "Incompatible feature set")
yield UInt32(self, "feature_ro_compat",
"Read-only compatible feature set")
yield RawBytes(self, "uuid", 16, "128-bit uuid for volume")
yield String(self, "volume_name", 16, "Volume name", strip="\0")
yield String(self,
"last_mounted",
64,
"Directory where last mounted",
strip="\0")
yield UInt32(self, "compression",
"For compression (algorithm usage bitmap)")
yield UInt8(self, "prealloc_blocks",
"Number of blocks to try to preallocate")
yield UInt8(self, "prealloc_dir_blocks",
"Number to preallocate for directories")
yield UInt16(self, "padding", "Padding")
yield String(self, "journal_uuid", 16, "uuid of journal superblock")
yield UInt32(self, "journal_inum", "inode number of journal file")
yield UInt32(self, "journal_dev", "device number of journal file")
yield UInt32(self, "last_orphan", "start of list of inodes to delete")
yield RawBytes(self, "reserved", 197, "Reserved")
def createFields(self):
# File mode
yield Bit(self, "other_exec")
yield Bit(self, "other_write")
yield Bit(self, "other_read")
yield Bit(self, "group_exec")
yield Bit(self, "group_write")
yield Bit(self, "group_read")
yield Bit(self, "owner_exec")
yield Bit(self, "owner_write")
yield Bit(self, "owner_read")
yield Bit(self, "sticky")
yield Bit(self, "setgid")
yield Bit(self, "setuid")
yield Enum(Bits(self, "file_type", 4), self.file_type)
yield UInt16(self, "uid", "User ID")
yield UInt32(self, "size", "File size (in bytes)")
yield TimestampUnix32(self, "atime", "Last access time")
yield TimestampUnix32(self, "ctime", "Creation time")
yield TimestampUnix32(self, "mtime", "Last modification time")
yield TimestampUnix32(self, "dtime", "Delete time")
yield UInt16(self, "gid", "Group ID")
yield UInt16(self, "links_count", "Links count")
yield UInt32(self, "blocks", "Number of blocks")
yield UInt32(self, "flags", "Flags")
yield NullBytes(self, "reserved[]", 4, "Reserved")
for index in xrange(15):
yield UInt32(self, "block[]")
yield UInt32(self, "version", "Version")
yield UInt32(self, "file_acl", "File ACL")
yield UInt32(self, "dir_acl", "Directory ACL")
yield UInt32(self, "faddr",
"Block where the fragment of the file resides")
os = self["/superblock/creator_os"].value
if os == SuperBlock.OS_LINUX:
yield UInt8(self, "frag", "Number of fragments in the block")
yield UInt8(self, "fsize", "Fragment size")
yield UInt16(self, "padding", "Padding")
yield UInt16(self, "uid_high", "High 16 bits of user ID")
yield UInt16(self, "gid_high", "High 16 bits of group ID")
yield NullBytes(self, "reserved[]", 4, "Reserved")
elif os == SuperBlock.OS_HURD:
yield UInt8(self, "frag", "Number of fragments in the block")
yield UInt8(self, "fsize", "Fragment size")
yield UInt16(self, "mode_high", "High 16 bits of mode")
yield UInt16(self, "uid_high", "High 16 bits of user ID")
yield UInt16(self, "gid_high", "High 16 bits of group ID")
yield UInt32(self, "author", "Author ID (?)")
else:
yield RawBytes(self, "raw", 12, "Reserved")
def createFields(self):
yield Bytes(self, "header", 4, r"PE header signature (PE\0\0)")
if self["header"].value != "PE\0\0":
raise ParserError("Invalid PE header signature")
yield Enum(UInt16(self, "cpu", "CPU type"), self.cpu_name)
yield UInt16(self, "nb_section", "Number of sections")
yield TimestampUnix32(self, "creation_date", "Creation date")
yield UInt32(self, "ptr_to_sym", "Pointer to symbol table")
yield UInt32(self, "nb_symbols", "Number of symbols")
yield UInt16(self, "opt_hdr_size", "Optional header size")
yield Bit(self, "reloc_stripped",
"If true, don't contain base relocations.")
yield Bit(self, "exec_image", "Executable image?")
yield Bit(self, "line_nb_stripped", "COFF line numbers stripped?")
yield Bit(self, "local_sym_stripped",
"COFF symbol table entries stripped?")
yield Bit(self, "aggr_ws", "Aggressively trim working set")
yield Bit(self, "large_addr",
"Application can handle addresses greater than 2 GB")
yield NullBits(self, "reserved", 1)
yield Bit(self, "reverse_lo",
"Little endian: LSB precedes MSB in memory")
yield Bit(self, "32bit", "Machine based on 32-bit-word architecture")
yield Bit(self, "is_stripped", "Debugging information removed?")
yield Bit(
self, "swap",
"If image is on removable media, copy and run from swap file")
yield PaddingBits(self, "reserved2", 1)
yield Bit(self, "is_system", "It's a system file")
yield Bit(self, "is_dll", "It's a dynamic-link library (DLL)")
yield Bit(self, "up", "File should be run only on a UP machine")
yield Bit(self, "reverse_hi", "Big endian: MSB precedes LSB in memory")
def createFields(self):
yield NullBytes(self, "options", 4)
yield TimestampUnix32(self, "creation_date")
yield UInt16(self, "maj_ver", "Major version")
yield UInt16(self, "min_ver", "Minor version")
yield UInt16(self, "nb_name", "Number of named entries")
yield UInt16(self, "nb_index", "Number of indexed entries")
def createFields(self):
# Gzip header
yield Bytes(self, "signature", 2, r"GZip file signature (\x1F\x8B)")
yield Enum(UInt8(self, "compression", "Compression method"),
self.COMPRESSION_NAME)
# Flags
yield Bit(self, "is_text", "File content is probably ASCII text")
yield Bit(self, "has_crc16", "Header CRC16")
yield Bit(self, "has_extra", "Extra informations (variable size)")
yield Bit(self, "has_filename", "Contains filename?")
yield Bit(self, "has_comment", "Contains comment?")
yield NullBits(self, "reserved[]", 3)
yield TimestampUnix32(self, "mtime", "Modification time")
# Extra flags
yield NullBits(self, "reserved[]", 1)
yield Bit(self, "slowest",
"Compressor used maximum compression (slowest)")
yield Bit(self, "fastest", "Compressor used the fastest compression")
yield NullBits(self, "reserved[]", 5)
yield Enum(UInt8(self, "os", "Operating system"), self.os_name)
# Optional fields
if self["has_extra"].value:
yield UInt16(self, "extra_length", "Extra length")
yield RawBytes(self, "extra", self["extra_length"].value, "Extra")
if self["has_filename"].value:
yield CString(self, "filename", "Filename", charset="ISO-8859-1")
if self["has_comment"].value:
yield CString(self, "comment", "Comment")
if self["has_crc16"].value:
yield textHandler(UInt16(self, "hdr_crc16", "CRC16 of the header"),
hexadecimal)
if self._size is None: # TODO: is it possible to handle piped input?
raise NotImplementedError()
# Read file
size = (self._size - self.current_size) // 8 - 8 # -8: crc32+size
if 0 < size:
if self["has_filename"].value:
filename = self["filename"].value
else:
for tag, filename in self.stream.tags:
if tag == "filename" and filename.endswith(".gz"):
filename = filename[:-3]
break
else:
filename = None
yield Deflate(SubFile(self, "file", size, filename=filename))
# Footer
yield textHandler(
UInt32(self, "crc32", "Uncompressed data content CRC32"),
hexadecimal)
yield filesizeHandler(UInt32(self, "size", "Uncompressed size"))
def createFields(self):
yield TimestampUnix32(self, "ts_epoch", "Timestamp (Epoch)")
yield UInt32(self, "ts_nanosec", "Timestamp (nano second)")
yield UInt32(self, "caplen", "length of portion present")
yield UInt32(self, "len", "length this packet (off wire)")
# Read different layers
field = self._first_parser(self, self._first_name)
while field:
yield field
field = field.parseNext(self)
# Read data if any
size = (self.size - self.current_size) // 8
if size:
yield RawBytes(self, "data", size)
def createFields(self):
yield Enum(
Bytes(self, "signature", 4, "Python file signature and version"),
self.STR_MAGIC)
yield TimestampUnix32(self, "timestamp", "Timestamp")
yield Object(self, "content")
def createFields(self):
#yield CString(self, "finnigan signature", "Finnigan signature (wide ASCIIZ string)", charset="UTF-16-LE") #, strip="\0")
yield String(self, "finnigan signature", 120, "Finnigan signature (wide ASCIIZ string)", charset="UTF-16-LE", truncate="\0")
for index in range(2, 4+1):
yield UInt32(self, "unknown long[%s]" % index)
yield TimestampUnix32(self, "time[1]")
yield UInt32(self, "unknown long[%s]" % 6)
yield RawBytes(self, "zero[2]", 120, "padding")
for index in range(7, 10+1):
yield UInt32(self, "unknown long[%s]" % index)
#####################################################################
#yield ArrayOfLong(self, "unknown array")
yield ArrayOfLong(self, "unknown array")
yield RawBytes(self, "zero[3]", 80, "padding")
yield LinearRamp(self, "linear ramp")
yield CString(self, "header file", "The full filesystem path to the header file", charset="UTF-16-LE")
yield ArrayOfShort172(self, "unknown array[2]")
yield CString(self, "method file", "The full filesystem path to the method file", charset="UTF-16-LE")
yield RawBytes(self, "zero[4]", 1044, "padding")
## --------------- struct 2 --------------------
yield UInt16(self, "unknown short")
yield RawBytes(self, "zero[5]", 28, "padding")
# ----- strutct 1 --------------
yield Struct1(self, "Struct1[1]")
yield Struct1(self, "Struct1[2]")
yield ArrayOfShort96(self, "unknown array[3]")
yield RawBytes(self, "zero[6]", 1586, "padding")
## --------------- struct 2 --------------------
yield UInt16(self, "unknown short (bis)")
yield RawBytes(self, "zero[7]", 28, "padding")
# ----- strutct 1 --------------
yield Struct1(self, "Struct1[3]")
yield Struct1var(self, "unknown struct")
yield Struct1(self, "Struct1[5]")
yield UInt16(self, "unknown short[1]")
yield RawBytes(self, "junk[1]", 766, "probably buffer detritus")
yield Struct1(self, "Struct1[4]")
yield RawBytes(self, "undecoded[1]", 4184, "probably junk, but there are several instances of Struct1 in it")
yield ArrayOfShort32(self, "unknown array[4]")
yield TimestampUnix32(self, "time[1]")
yield CString(self, "tune file", "Path to tune file (wide ASCIIZ string)", charset="UTF-16-LE") #, strip="\0")
yield UInt16(self, "unknown short[2]")
yield CString(self, "file path[1]", "Uknown file path", charset="UTF-16-LE") #, strip="\0")
yield ArrayOfShort120(self, "unknown array[5]", "Contains 9x periodic structure with inrementing element")
yield CString(self, "unknown string[1]", "", charset="UTF-16-LE") #, strip="\0")
yield CString(self, "unknown string[2]", "", charset="UTF-16-LE") #, strip="\0")
yield ArrayOfShort30(self, "unknown array[6]")
yield TimestampUnix32(self, "time[2]")
yield TimestampUnix32(self, "time[3]")
yield CString(self, "unknown string[3]", "", charset="UTF-16-LE") #, strip="\0")
yield ArrayOfShort36(self, "unknown array[7]", "Contains 4x periodic structure")
yield CString(self, "unknown string[4]", "", charset="UTF-16-LE") #, strip="\0")
yield RawBytes(self, "zero[8]", 530, "padding")
yield CString(self, "unknown string[5]", "", charset="UTF-16-LE") #, strip="\0")
yield CString(self, "unknown string[6]", "", charset="UTF-16-LE") #, strip="\0")
yield RawBytes(self, "zero[9]", 266, "padding")
yield CString(self, "unknown string[7]", "", charset="UTF-16-LE") #, strip="\0")
yield CString(self, "unknown string[8]", "", charset="UTF-16-LE") #, strip="\0")
yield RawBytes(self, "zero[10]", 226, "padding")
yield CString(self, "unknown string[9]", "", charset="UTF-16-LE") #, strip="\0")
yield CString(self, "unknown string[10]", "", charset="UTF-16-LE") #, strip="\0")
yield RawBytes(self, "zero[11]", 226, "padding")
yield CString(self, "unknown string[11]", "", charset="UTF-16-LE") #, strip="\0")
yield RawBytes(self, "zero[12]", 236, "padding")
yield ArrayOfShort44(self, "unknown array[8]", "Contains 4x periodic structure with increment [0..3]")
# -------------- Ions --------------------------
for index in range(1, 4+1):
yield IonStruct(self, "ion struct[%s]" % index, "unknown ion-based structure")
yield ArrayOfShort1856(self, "unknown array[9]", "Contains a 4x-periodic structure near the start [25..40]")
for index in range(1, 4+1):
yield Struct2(self, "Struct2[%s]" % index, "")
yield ArrayOfShort2344(self, "unknown array[10]", "Poissibly contains two large and two small periods")
for index in range(1, 2+1):
yield Struct4(self, "Struct4[%s]" % index)
yield ArrayOfLong224(self, "unknown Struct4[%s]-associated array" % index)
yield Struct4(self, "Struct4[%s]" % 3)
yield UInt16(self, "count 1")
yield UInt16(self, "count 2")
for index in range(1, 40+1):
yield Struct3(self, "Struct3[%s]" % index)
for index in range(1, 10+1):
yield Float64(self, "unknown double[%s]" % index)
for index in range(1, 40+1):
yield Struct5(self, "Struct5[%s]" % index)
# --- irregularity ---
for index in range(1, 2+1):
yield UInt32(self, "unknown long[%s]" % index)
for index in range(41, 80+1):
yield Struct5(self, "Struct5[%s]" % index)
for index in range(81, 120+1):
yield Struct5(self, "Struct5var[%s]" % index)
yield self.seekBit(self._size, "trailer")