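def createFields(self):
    """Parse a VS_FIXEDFILEINFO block of a PE version resource.

    The 32-bit magic is yielded first and then checked through
    ``self["magic"]``: anything other than 0xFEEF04BD raises
    ParserError.  Then come the version quadruplets, the file-flags
    mask and bits, the OS/type enums, the subtype and the two date
    words.

    Fix: the subtype name table is chosen from the already-parsed
    ``file_type`` value.  The previous code compared the subtype's own
    value against FILETYPE_DRIVER / FILETYPE_FONT, which only matched by
    coincidence.

    Raises:
        ParserError: if the magic does not match.
    """
    yield textHandler(
        UInt32(self, "magic", "File information magic (0xFEEF04BD)"),
        hexadecimal)
    # A field is only reachable by name once it has been yielded.
    if self["magic"].value != 0xFEEF04BD:
        raise ParserError("EXE resource: invalid file info magic")

    for name, desc in (
        ("struct_ver", "Structure version (1.0)"),
        ("file_ver_ms", "File version MS"),
        ("file_ver_ls", "File version LS"),
        ("product_ver_ms", "Product version MS"),
        ("product_ver_ls", "Product version LS"),
    ):
        yield Version(self, name, desc)

    yield textHandler(UInt32(self, "file_flags_mask"), hexadecimal)
    # Six flag bits, then 26 bits of padding to complete the 32-bit word.
    for flag in ("debug", "prerelease", "patched", "private_build",
                 "info_inferred", "special_build"):
        yield Bit(self, flag)
    yield NullBits(self, "reserved", 26)

    yield Enum(textHandler(UInt16(self, "file_os_major"), hexadecimal),
               MAJOR_OS_NAME)
    yield Enum(textHandler(UInt16(self, "file_os_minor"), hexadecimal),
               MINOR_OS_NAME)
    yield Enum(textHandler(UInt32(self, "file_type"), hexadecimal),
               FILETYPE_NAME)

    # The subtype's meaning depends on the file type, so select the name
    # table from "file_type" (already yielded), not from the subtype value.
    subtype = textHandler(UInt32(self, "file_subfile"), hexadecimal)
    file_type = self["file_type"].value
    if file_type == FILETYPE_DRIVER:
        subtype = Enum(subtype, DRIVER_SUBTYPE_NAME)
    elif file_type == FILETYPE_FONT:
        subtype = Enum(subtype, FONT_SUBTYPE_NAME)
    yield subtype

    yield TimestampUnix32(self, "date_ms")
    yield TimestampUnix32(self, "date_ls")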
def createFields(self):
    """Parse a resource directory header.

    Layout: 4 reserved bytes, a 32-bit Unix timestamp, major and minor
    version words, then the number of named and of indexed entries.  The
    two counts are read from the file and are not checked here.
    """
    yield NullBytes(self, "options", 4)
    yield TimestampUnix32(self, "creation_date")
    word_fields = (
        ("maj_ver", "Major version"),
        ("min_ver", "Minor version"),
        ("nb_name", "Number of named entries"),
        ("nb_index", "Number of indexed entries"),
    )
    for name, desc in word_fields:
        yield UInt16(self, name, desc)
def createFields(self):
    """Parse the PE signature and COFF file header.

    The 4-byte signature is yielded and then compared with ``PE\\0\\0``;
    a mismatch raises ParserError.  The fixed header words follow, then
    the 16 "characteristics" bits from the least significant upward.
    ``nb_section`` and ``opt_hdr_size`` are file-supplied and are not
    bounded here.

    Raises:
        ParserError: if the signature is not ``PE\\0\\0``.
    """
    yield Bytes(self, "header", 4, r"PE header signature (PE\0\0)")
    if self["header"].value != b"PE\0\0":
        raise ParserError("Invalid PE header signature")

    yield Enum(UInt16(self, "cpu", "CPU type"), self.cpu_name)
    yield UInt16(self, "nb_section", "Number of sections")
    yield TimestampUnix32(self, "creation_date", "Creation date")
    yield UInt32(self, "ptr_to_sym", "Pointer to symbol table")
    yield UInt32(self, "nb_symbols", "Number of symbols")
    yield UInt16(self, "opt_hdr_size", "Optional header size")

    # Characteristics, bits 0-5.
    for name, desc in (
        ("reloc_stripped", "If true, don't contain base relocations."),
        ("exec_image", "Executable image?"),
        ("line_nb_stripped", "COFF line numbers stripped?"),
        ("local_sym_stripped", "COFF symbol table entries stripped?"),
        ("aggr_ws", "Aggressively trim working set"),
        ("large_addr", "Application can handle addresses greater than 2 GB"),
    ):
        yield Bit(self, name, desc)
    # Bit 6 is reserved.
    yield NullBits(self, "reserved", 1)
    # Bits 7-10.
    for name, desc in (
        ("reverse_lo", "Little endian: LSB precedes MSB in memory"),
        ("32bit", "Machine based on 32-bit-word architecture"),
        ("is_stripped", "Debugging information removed?"),
        ("swap", "If image is on removable media, copy and run from swap file"),
    ):
        yield Bit(self, name, desc)
    # Bit 11 is reserved.
    yield PaddingBits(self, "reserved2", 1)
    # Bits 12-15.
    for name, desc in (
        ("is_system", "It's a system file"),
        ("is_dll", "It's a dynamic-link library (DLL)"),
        ("up", "File should be run only on a UP machine"),
        ("reverse_hi", "Big endian: MSB precedes LSB in memory"),
    ):
        yield Bit(self, name, desc)
def createFields(self):
    """Parse a gzip member: fixed header, optional header fields,
    deflate payload, and the crc32/size footer.

    The optional fields are emitted in the order their FLG bits dictate.
    The payload size is whatever is left between the header and the
    8-byte footer; a zero or negative remainder yields no payload.  The
    member name handed to SubFile comes either from the header
    ``filename`` field or from a ``filename`` stream tag ending in
    ``.gz`` (with the extension dropped).

    Raises:
        NotImplementedError: when the stream size is unknown (piped input).
    """
    # --- fixed header ---
    yield Bytes(self, "signature", 2, r"GZip file signature (\x1F\x8B)")
    yield Enum(UInt8(self, "compression", "Compression method"),
               self.COMPRESSION_NAME)
    # FLG byte: five flag bits followed by three reserved bits.
    for name, desc in (
        ("is_text", "File content is probably ASCII text"),
        ("has_crc16", "Header CRC16"),
        ("has_extra", "Extra informations (variable size)"),
        ("has_filename", "Contains filename?"),
        ("has_comment", "Contains comment?"),
    ):
        yield Bit(self, name, desc)
    yield NullBits(self, "reserved[]", 3)
    yield TimestampUnix32(self, "mtime", "Modification time")
    # XFL byte.
    yield NullBits(self, "reserved[]", 1)
    yield Bit(self, "slowest", "Compressor used maximum compression (slowest)")
    yield Bit(self, "fastest", "Compressor used the fastest compression")
    yield NullBits(self, "reserved[]", 5)
    yield Enum(UInt8(self, "os", "Operating system"), self.os_name)

    # --- optional header fields ---
    if self["has_extra"].value:
        yield UInt16(self, "extra_length", "Extra length")
        # The length is taken from the file itself and is not capped here;
        # NOTE(review): presumably RawBytes/stream bounds catch an oversized
        # value — confirm.
        yield RawBytes(self, "extra", self["extra_length"].value, "Extra")
    if self["has_filename"].value:
        yield CString(self, "filename", "Filename", charset="ISO-8859-1")
    if self["has_comment"].value:
        yield CString(self, "comment", "Comment")
    if self["has_crc16"].value:
        yield textHandler(UInt16(self, "hdr_crc16", "CRC16 of the header"),
                          hexadecimal)

    if self._size is None:
        # TODO: is it possible to handle piped input?
        raise NotImplementedError()

    # --- deflate payload ---
    # Bytes between the end of the header and the 8-byte footer (crc32 + size).
    payload_size = (self._size - self.current_size) // 8 - 8
    if payload_size > 0:
        if self["has_filename"].value:
            # Untrusted header value, passed through to SubFile as-is.
            member_name = self["filename"].value
        else:
            member_name = None
            for tag, tag_value in self.stream.tags:
                if tag == "filename" and tag_value.endswith(".gz"):
                    member_name = tag_value[:-3]
                    break
        yield Deflate(SubFile(self, "file", payload_size, filename=member_name))

    # --- footer ---
    yield textHandler(
        UInt32(self, "crc32", "Uncompressed data content CRC32"),
        hexadecimal)
    yield filesizeHandler(UInt32(self, "size", "Uncompressed size"))
def createFields(self):
    """Parse a .pyc header followed by its content object.

    Layout: 16-bit magic number, the 2-byte magic string, a Unix
    timestamp, and — only when ``self.getVersion()`` is at least
    0x3030000 and the magic number is at least 3200 — a 32-bit source
    file size.  The marshalled content comes last.
    """
    yield UInt16(self, "magic_number", "Magic number")
    yield String(self, "magic_string", 2, r"Magic string \r\n",
                 charset="ASCII")
    yield TimestampUnix32(self, "timestamp", "Timestamp")
    # The source-size word was added with the 3.3 format; the magic number
    # check (read from the file) must agree with the computed version.
    has_source_size = (self.getVersion() >= 0x3030000
                       and self['magic_number'].value >= 3200)
    if has_source_size:
        yield UInt32(self, "filesize",
                     "Size of the Python source file (.py) modulo 2**32")
    yield Object(self, "content")
def createFields(self):
    """Parse one pcap packet record: the 16-byte record header, the
    protocol layers, then any trailing bytes as raw data.

    Layers are chained through ``parseNext``; the chain stops at the first
    falsy return.  ``self.size`` bounds the record — NOTE(review):
    presumably set from ``caplen`` by the constructor, confirm.  Both
    ``caplen`` and ``len`` are file-supplied and are not checked here.
    """
    yield TimestampUnix32(self, "ts_epoch", "Timestamp (Epoch)")
    yield UInt32(self, "ts_nanosec", "Timestamp (nano second)")
    yield UInt32(self, "caplen", "length of portion present")
    yield UInt32(self, "len", "length this packet (off wire)")

    # Walk the protocol layers, each one choosing its successor.
    layer = self._first_parser(self, self._first_name)
    while layer:
        yield layer
        layer = layer.parseNext(self)

    # Whatever the layers did not consume is exposed as raw bytes.
    remaining = (self.size - self.current_size) // 8
    if remaining:
        yield RawBytes(self, "data", remaining)
def createFields(self):
    """Parse an ext2/ext3/ext4 superblock and pad it to one block.

    Every value is read straight from the image and nothing in this
    method validates it (the magic included), so consumers of e.g.
    ``log_block_size``, ``inodes_per_group`` or ``desc_size`` should
    treat them as untrusted.  The final padding size is derived from
    ``log_block_size`` read earlier in this same method.
    """
    yield UInt32(self, "inodes_count", "Total inode count")
    yield UInt32(self, "blocks_count", "Total block count")
    yield UInt32(self, "r_blocks_count", "Reserved (superuser-only) block count")
    yield UInt32(self, "free_blocks_count", "Free block count")
    yield UInt32(self, "free_inodes_count", "Free inode count")
    yield UInt32(self, "first_data_block", "First data block")
    yield UInt32(self, "log_block_size", "Block size = 2**(10+log_block_size)")
    yield UInt32(self, "log_frag_size", "Cluster size = 2**log_frag_size")
    yield UInt32(self, "blocks_per_group", "Blocks per group")
    yield UInt32(self, "frags_per_group", "Fragments per group")
    yield UInt32(self, "inodes_per_group", "Inodes per group")
    yield TimestampUnix32(self, "mtime", "Mount time")
    yield TimestampUnix32(self, "wtime", "Write time")
    yield UInt16(self, "mnt_count", "Mount count since the last fsck")
    yield UInt16(self, "max_mnt_count", "Max mount count before fsck is needed")
    # NOTE(review): not compared against 0xEF53 here — presumably the
    # parser's validate() does that; confirm before relying on it.
    yield UInt16(self, "magic", "Magic number (0xEF53)")
    yield Enum(UInt16(self, "state", "File system state"), self.state_desc)
    yield Enum(UInt16(self, "errors", "Behaviour when detecting errors"),
               self.error_handling_desc)
    yield UInt16(self, "minor_rev_level", "Minor revision level")
    yield TimestampUnix32(self, "last_check", "Time of last check")
    yield textHandler(
        UInt32(self, "check_interval", "Maximum time between checks"),
        self.postMaxTime)
    yield Enum(UInt32(self, "creator_os", "Creator OS"), self.os_name)
    yield Enum(UInt32(self, "rev_level", "Revision level"), self.revision_levels)
    yield UInt16(self, "def_resuid", "Default uid for reserved blocks")
    yield UInt16(self, "def_resgid", "Default gid for reserved blocks")
    yield UInt32(self, "first_ino", "First non-reserved inode")
    yield UInt16(self, "inode_size", "Size of inode structure")
    yield UInt16(self, "block_group_nr", "Block group # of this superblock")
    yield FeatureCompatFlags(
        self, "feature_compat",
        "Compatible feature set (can mount even if these features are unsupported)")
    yield FeatureIncompatFlags(
        self, "feature_incompat",
        "Incompatible feature set (must support all features to mount)")
    yield FeatureROCompatFlags(
        self, "feature_ro_compat",
        "Read-only compatible feature set (can only mount r/o if a feature is unsupported)")
    yield UUID(self, "uuid", "128-bit UUID for volume")
    yield String(self, "volume_name", 16, "Volume name", strip="\0")
    yield String(self, "last_mounted", 64, "Directory where last mounted", strip="\0")
    yield UInt32(self, "compression", "For compression (algorithm usage bitmap)")
    yield UInt8(self, "prealloc_blocks", "Number of blocks to try to preallocate")
    yield UInt8(self, "prealloc_dir_blocks", "Number to preallocate for directories")
    yield UInt16(self, "reserved_gdt_blocks",
                 "Number of reserved GDT entries for future expansion")
    yield RawBytes(self, "journal_uuid", 16, "UUID of journal superblock")
    yield UInt32(self, "journal_inum", "Inode number of journal file")
    yield UInt32(
        self, "journal_dev",
        "Device number of journal file (if ext_journal feature is set)")
    yield UInt32(self, "last_orphan", "Start of list of orphaned inodes to delete")
    # ext3 stuff
    yield RawBytes(self, "hash_seed", 16,
                   "Seeds used for the directory indexing hash algorithm")
    yield Enum(
        UInt8(self, "def_hash_version",
              "Default hash version for directory indexing"),
        self.htree_hash_algo_desc)
    yield UInt8(self, "jnl_backup_type",
                "Does jnl_blocks contain a backup of i_block and i_size?")
    yield UInt16(self, "desc_size",
                 "Size of group descriptors (if 64bit feature is set)")
    yield DefaultMountOptionFlags(self, "default_mount_opts",
                                  "Default mount options")
    yield UInt32(
        self, "first_meta_bg",
        "First metablock block group (if meta_bg feature is set)")
    yield TimestampUnix32(self, "mkfs_time", "When the filesystem was created")
    yield RawBytes(self, "jnl_blocks", 17 * 4,
                   "Backup of the journal inode's i_block and i_size")
    # NOTE(review): log_block_size is file-controlled and unbounded here, so
    # a corrupt or hostile value turns "1024 << log_block_size" into an
    # enormous shift and padding request (ext4 only uses small values,
    # block sizes of 1 KiB..64 KiB). Bounding it before this line, with the
    # parser's usual error type, would be safer.
    yield PaddingBytes(self, "reserved[]",
                       (1024 << self['log_block_size'].value) - self.current_size // 8)
def createFields(self):
    """Parse one ext2/ext3/ext4 on-disk inode.

    The layout of the 60-byte i_block area and of the OS-specific tail
    depends on values read earlier in this same inode (``mode``,
    ``size``, ``flags``) and on the superblock's ``creator_os``, so the
    branches below must stay in this order.  All of those values are
    untrusted image data.
    """
    # Shadows the stdlib module name; only used for the creator_os compare.
    os = self["/superblock/creator_os"].value
    yield FileMode(self, "mode", "File mode")
    yield UInt16(self, "uid", "User ID")
    yield UInt32(self, "size", "File size (in bytes)")
    yield TimestampUnix32(self, "atime", "Last access time")
    yield TimestampUnix32(self, "ctime", "Last inode change time")
    yield TimestampUnix32(self, "mtime", "Last data modification time")
    yield TimestampUnix32(self, "dtime", "Deletion time")
    yield UInt16(self, "gid", "Group ID")
    yield UInt16(self, "links_count", "Hard link count")
    yield UInt32(self, "blocks", "Number of blocks")
    yield InodeFlags(self, "flags", "Flags")
    # osd1: Linux stores the high half of the version, others reserve it.
    if os == SuperBlock.OS_LINUX:
        yield UInt32(self, "version_high", "High 32 bits of the version field")
    else:
        yield NullBytes(self, "reserved[]", 4, "Reserved")

    # i_block (60 bytes): interpretation depends on the file type and flags.
    filetype = FileMode.file_type_letter.get(self['mode/file_type'].value, '-')
    if filetype in 'bc':
        # Block/char device: the device number lives in the first bytes.
        yield UInt8(self, "dev_minor", "Minor number of the block/char device")
        yield UInt8(self, "dev_major", "Major number of the block/char device")
        yield NullBytes(self, "block_unused", 58)
    elif filetype == 'l' and self.is_fast_symlink():
        # Fast symlink: the target is stored inline.  NOTE(review): "rest"
        # goes negative when size > 60 — presumably is_fast_symlink() rules
        # that out, confirm.
        yield String(self, "link_target", self['size'].value,
                     "Target filename of this symlink")
        rest = 60 - self['size'].value
        if rest:
            yield NullBytes(self, "block_unused", rest)
    elif self['flags/extents'].value:
        # Extent tree root occupies the whole i_block area.
        yield ExtentNode(self, "extent_root", size=60 * 8)
    else:
        # Classic block map: 15 block pointers.
        for index in range(15):
            yield UInt32(self, "block[]")

    yield UInt32(self, "version", "File version, for NFS")
    yield UInt32(self, "file_acl", "File ACL of the xattr block")
    yield UInt32(self, "size_high", "High 32 bits of the file size")
    yield UInt32(
        self, "faddr",
        "Block where the fragment of the file resides (obsolete)")
    # osd2: 12 bytes whose layout depends on the creator OS.
    if os == SuperBlock.OS_LINUX:
        yield UInt16(self, "blocks_high", "High 16 bits of the block count")
        yield UInt16(self, "file_acl_high", "High 16 bits of the xattr block")
        yield UInt16(self, "uid_high", "High 16 bits of user ID")
        yield UInt16(self, "gid_high", "High 16 bits of group ID")
        yield UInt16(self, "checksum", "inode checksum")
        yield NullBytes(self, "reserved[]", 2, "Reserved")
    elif os == SuperBlock.OS_HURD:
        yield UInt8(self, "frag", "Number of fragments in the block")
        yield UInt8(self, "fsize", "Fragment size")
        yield UInt16(self, "mode_high", "High 16 bits of mode")
        yield UInt16(self, "uid_high", "High 16 bits of user ID")
        yield UInt16(self, "gid_high", "High 16 bits of group ID")
        yield UInt32(self, "author", "Author ID (?)")
    else:
        yield RawBytes(self, "raw", 12, "Reserved")