def createFields(self):
yield Bytes(self, "jump", 3, "Intel x86 jump instruction")
yield String(self, "name", 8)
yield BiosParameterBlock(self, "bios", "BIOS parameters")
yield textHandler(UInt8(self, "physical_drive", "(0x80)"), hexadecimal)
yield NullBytes(self, "current_head", 1)
yield textHandler(
UInt8(self, "ext_boot_sig", "Extended boot signature (0x80)"),
hexadecimal)
yield NullBytes(self, "unused", 1)
yield UInt64(self, "nb_sectors")
yield UInt64(self, "mft_cluster", "Cluster location of MFT data")
yield UInt64(self, "mftmirr_cluster",
"Cluster location of copy of MFT")
yield UInt8(self, "cluster_per_mft", "MFT record size in clusters")
yield NullBytes(self, "reserved[]", 3)
yield UInt8(self, "cluster_per_index", "Index block size in clusters")
yield NullBytes(self, "reserved[]", 3)
yield textHandler(UInt64(self, "serial_number"), hexadecimal)
yield textHandler(UInt32(self, "checksum", "Boot sector checksum"),
hexadecimal)
yield Bytes(self, "boot_code", 426)
yield Bytes(self, "mbr_magic", 2,
r"Master boot record magic number (\x55\xAA)")
def createFields(self):
bytes = self.stream.readBytes(self.absolute_address, 4)
if bytes == b"\0R\0\0":
charset = "UTF-16-BE"
else:
charset = "UTF-16-LE"
yield String(self, "name", 64, charset=charset, truncate="\0")
yield UInt16(self, "namelen", "Length of the name")
yield Enum(UInt8(self, "type", "Property type"), self.TYPE_NAME)
yield Enum(UInt8(self, "decorator", "Decorator"), self.DECORATOR_NAME)
yield SECT(self, "left")
yield SECT(self, "right")
yield SECT(self, "child",
"Child node (valid for storage and root types)")
yield GUID(self, "clsid",
"CLSID of this storage (valid for storage and root types)")
yield NullBytes(self, "flags", 4, "User flags")
yield TimestampWin64(
self, "creation",
"Creation timestamp(valid for storage and root types)")
yield TimestampWin64(
self, "lastmod",
"Modify timestamp (valid for storage and root types)")
yield SECT(
self, "start",
"Starting SECT of the stream (valid for stream and root types)")
if self["/header/bb_shift"].value == 9:
yield filesizeHandler(
UInt32(self, "size",
"Size in bytes (valid for stream and root types)"))
yield NullBytes(self, "padding", 4)
else:
yield filesizeHandler(
UInt64(self, "size",
"Size in bytes (valid for stream and root types)"))
def createFields(self):
# Read chunk header
yield Bytes(self, "signature", 3, r"Property signature (\x8E\xAD\xE8)")
if self["signature"].value != b"\x8E\xAD\xE8":
raise ParserError("Invalid property signature")
yield UInt8(self, "version", "Signature version")
yield NullBytes(self, "reserved", 4, "Reserved")
yield UInt32(self, "count", "Count")
yield UInt32(self, "size", "Size")
# Read item header
items = []
for i in range(0, self["count"].value):
item = ItemHeader(self, "item[]")
yield item
items.append(item)
# Sort items by their offset
items.sort(key=lambda field: field["offset"].value)
# Read item content
start = self.current_size // 8
for item in items:
offset = item["offset"].value
diff = offset - (self.current_size // 8 - start)
if 0 < diff:
yield NullBytes(self, "padding[]", diff)
yield ItemContent(self, "content[]", item)
size = start + self["size"].value - self.current_size // 8
if 0 < size:
yield NullBytes(self, "padding[]", size)
def createFields(self):
yield UInt16(self, "size", "Node size (in bytes)")
yield UInt16(self, "data_size")
yield Enum(UInt16(self, "type"), self.TYPE_NAME)
yield CString(self, "name", charset="UTF-16-LE")
size = paddingSize(self.current_size // 8, 4)
if size:
yield NullBytes(self, "padding[]", size)
size = self["data_size"].value
if size:
if self["type"].value == self.TYPE_STRING:
if self.is_32bit:
size *= 2
yield String(self,
"value",
size,
charset="UTF-16-LE",
truncate="\0")
elif self["name"].value == "VS_VERSION_INFO":
yield VersionInfoBinary(self, "value", size=size * 8)
if self["value/file_flags_mask"].value == 0:
self.is_32bit = False
else:
yield RawBytes(self, "value", size)
while 12 <= (self.size - self.current_size) // 8:
yield VersionInfoNode(self, "node[]", self.is_32bit)
size = (self.size - self.current_size) // 8
if size:
yield NullBytes(self, "padding[]", size)
def createFields(self):
yield String(self, "header_id", 4, "DataBase Header Markup (\"mhbd\")", charset="ISO-8859-1")
yield UInt32(self, "header_length", "Header Length")
yield UInt32(self, "entry_length", "Entry Length")
yield UInt32(self, "unknown[]")
yield UInt32(self, "version_number", "Version Number")
yield UInt32(self, "child_number", "Number of Children")
yield UInt64(self, "id", "ID for this database")
yield UInt16(self, "unknown[]")
yield UInt32(self, "unknown[]")
yield UInt64(self, "unknown[]")
yield UInt16(self, "unknown[]")
yield UInt16(self, "hashing_scheme[]", "Algorithm used to calculate the database hash")
yield NullBytes(self, "unknown[]", 20)
yield String(self, "language_id", 2, "Language ID")
yield UInt64(self, "persistent_id", "Library Persistent ID")
yield UInt32(self, "unknown[]")
yield UInt32(self, "unknown[]")
yield RawBytes(self, "hash[]", 20)
yield Int32(self, "timezone_offset[]", "Timezone offset in seconds")
yield UInt16(self, "unknown[]")
yield RawBytes(self, "iphone_hash[]", 45)
size = self["header_length"].value - self.current_size / 8
if size > 0:
yield NullBytes(self, "padding", size)
for i in range(self["child_number"].value):
yield DataSet(self, "dataset[]")
padding = self.seekByte(self["entry_length"].value, "entry padding")
if padding:
yield padding
def createFields(self):
yield Bytes(self, "jmp", 3,
"Jump instruction (to skip over header on boot)")
yield String(self,
"oem_name",
8,
"OEM Name (padded with spaces)",
charset="ASCII")
yield UInt16(self, "sector_size", "Bytes per sector")
yield UInt8(self, "cluster_size", "Sectors per cluster")
yield UInt16(self, "reserved_sectors",
"Reserved sector count (including boot sector)")
yield UInt8(self, "fat_nb", "Number of file allocation tables")
yield UInt16(self, "max_root",
"Maximum number of root directory entries")
yield UInt16(self, "sectors1",
"Total sectors (if zero, use 'sectors2')")
yield UInt8(self, "media_desc", "Media descriptor")
yield UInt16(self, "fat_size", "Sectors per FAT")
yield UInt16(self, "track_size", "Sectors per track")
yield UInt16(self, "head_nb", "Number of heads")
yield UInt32(self, "hidden", "Hidden sectors")
yield UInt32(self, "sectors2", "Total sectors (if greater than 65535)")
if self.parent.version == 32:
yield UInt32(self, "fat32_size", "Sectors per FAT")
yield UInt16(self, "fat_flags", "FAT Flags")
yield UInt16(self, "version", "Version")
yield UInt32(self, "root_start",
"Cluster number of root directory start")
yield UInt16(self, "inf_sector",
"Sector number of FS Information Sector")
yield UInt16(self, "boot_copy",
"Sector number of a copy of this boot sector")
yield NullBytes(self, "reserved[]", 12, "Reserved")
yield UInt8(self, "phys_drv", "Physical drive number")
yield NullBytes(self, "reserved[]", 1, 'Reserved ("current head")')
yield UInt8(self, "sign", "Signature")
yield textHandler(UInt32(self, "serial", "ID (serial number)"),
hexadecimal)
yield String(self,
"label",
11,
"Volume Label",
strip=' ',
charset="ASCII")
yield String(self,
"fs_type",
8,
"FAT file system type",
strip=' ',
charset="ASCII")
yield Bytes(self, "code", 510 - self.current_size // 8,
"Operating system boot code")
yield Bytes(self, "trail_sig", 2, "Signature (0x55 0xAA)")
def parseVideoHeader(parent):
yield NullBytes(parent, "padding[]", 2)
yield String(parent, "fourcc", 4)
yield UInt32(parent, "size")
yield textHandler(UInt64(parent, "time_unit", "Frame duration"),
formatTimeUnit)
yield UInt64(parent, "sample_per_unit")
yield UInt32(parent, "default_len")
yield UInt32(parent, "buffer_size")
yield UInt16(parent, "bits_per_sample")
yield NullBytes(parent, "padding[]", 2)
yield UInt32(parent, "width")
yield UInt32(parent, "height")
yield NullBytes(parent, "padding[]", 4)
def createFields(self):
yield NullBytes(self, "options", 4)
yield TimestampUnix32(self, "creation_date")
yield UInt16(self, "maj_ver", "Major version")
yield UInt16(self, "min_ver", "Minor version")
yield UInt16(self, "nb_name", "Number of named entries")
yield UInt16(self, "nb_index", "Number of indexed entries")
def createFields(self):
# Header
yield NullBytes(self, "zero_vector", 16)
yield GUID(self, "fs_guid")
yield UInt64(self, "volume_len")
yield String(self, "signature", 4)
yield UInt32(self, "attributes")
yield UInt16(self, "header_len")
yield UInt16(self, "checksum")
yield UInt16(self, "ext_header_offset")
yield UInt8(self, "reserved")
yield UInt8(self, "revision")
while True:
bm = BlockMap(self, "block_map[]")
yield bm
if bm['num_blocks'].value == 0 and bm['len'].value == 0:
break
# TODO must handle extended header
# Content
while not self.eof:
padding = paddingSize(self.current_size // 8, 8)
if padding:
yield PaddingBytes(self, "padding[]", padding)
yield File(self, "file[]")
def createFields(self):
yield FIB(self, "FIB", "File Information Block")
getOLE2Parser(self.ole2, "table" +
str(self["FIB/fWhichTblStm"].value))
padding = (self['FIB/fcMin'].value - self.current_size // 8)
if padding:
yield NullBytes(self, "padding[]", padding)
# Guess whether the file uses UTF16 encoding.
is_unicode = False
if self['FIB/array2/ccpText'].value * 2 == self['FIB/fcMax'].value - self['FIB/fcMin'].value:
is_unicode = True
for fieldname, textname in [('Text', 'text'), ('Ftn', 'text_footnote'),
('Hdr', 'text_header'), ('Mcr',
'text_macro'), ('Atn', 'text_annotation'),
('Edn', 'text_endnote'), ('Txbx', 'text_textbox'), ('HdrTxbx', 'text_header_textbox')]:
size = self['FIB/array2/ccp' + fieldname].value
if size:
if is_unicode:
yield String(self, textname, size * 2, charset="UTF-16-LE")
else:
yield Bytes(self, textname, size)
padding = (self['FIB/fcMax'].value - self.current_size // 8)
if padding:
yield RawBytes(self, "padding[]", padding)
def createFields(self):
yield String(self,
"magic",
len(self.MAGIC),
'Magic string (%r)' % self.MAGIC,
charset="ASCII")
yield UInt8(self, "major_version")
yield UInt8(self, "minor_version")
yield Enum(UInt8(self, "crypto"), self.CRYPTO_NAMES)
yield Enum(UInt8(self, "hash"), self.HASH_NAMES)
yield KeyringString(self, "keyring_name")
yield TimestampUnix64(self, "mtime")
yield TimestampUnix64(self, "ctime")
yield Bit(self, "lock_on_idle")
yield NullBits(self, "reserved[]", 31, "Reserved for future flags")
yield UInt32(self, "lock_timeout")
yield UInt32(self, "hash_iterations")
yield RawBytes(self, "salt", 8)
yield NullBytes(self, "reserved[]", 16)
yield Items(self, "items")
yield UInt32(self, "encrypted_size")
yield Deflate(
SubFile(self,
"encrypted",
self["encrypted_size"].value,
"AES128 CBC",
parser_class=EncryptedData))
def createNullField(parent, nbits, name="padding[]", description=None):
if nbits <= 0:
raise FieldError("Unable to create null padding of %s bits" % nbits)
if (nbits % 8) == 0:
return NullBytes(parent, name, nbits // 8, description)
else:
return NullBits(parent, name, nbits, description)
def createFields(self):
yield FIB(self, "FIB", "File Information Block")
padding = (self['FIB/fcMin'].value - self.current_size // 8)
if padding:
yield NullBytes(self, "padding[]", padding)
if self['FIB/ccpText'].value:
yield Bytes(self, "text", self['FIB/ccpText'].value)
if self['FIB/ccpFtn'].value:
yield Bytes(self, "text_footnote", self['FIB/ccpFtn'].value)
if self['FIB/ccpHdr'].value:
yield Bytes(self, "text_header", self['FIB/ccpHdr'].value)
if self['FIB/ccpMcr'].value:
yield Bytes(self, "text_macro", self['FIB/ccpMcr'].value)
if self['FIB/ccpAtn'].value:
yield Bytes(self, "text_annotation", self['FIB/ccpAtn'].value)
padding = (self['FIB/fcMax'].value - self.current_size // 8)
if padding:
yield RawBytes(self, "padding[]", padding)
sepx_size = (self['FIB/pnChpFirst'].value *
512 - self.current_size // 8)
if sepx_size:
yield SEPXGroup(self, "sepx", sepx_size)
def createFields(self):
yield String(self,
"signature",
4,
"PSD signature (8BPS)",
charset="ASCII")
yield UInt16(self, "version")
yield NullBytes(self, "reserved[]", 6)
yield UInt16(self, "nb_channels")
yield UInt32(self, "width")
yield UInt32(self, "height")
yield UInt16(self, "depth")
yield Enum(UInt16(self, "color_mode"), self.COLOR_MODE)
# Mode data
yield UInt32(self, "mode_data_size")
size = self["mode_data_size"].value
if size:
yield RawBytes(self, "mode_data", size)
# Resources
yield Config(self, "config")
# Reserved
yield UInt32(self, "reserved_data_size")
size = self["reserved_data_size"].value
if size:
yield RawBytes(self, "reserved_data", size)
yield Enum(UInt16(self, "compression"), self.COMPRESSION_NAME)
size = (self.size - self.current_size) // 8
if size:
yield RawBytes(self, "end", size)
def createFields(self):
yield UInt16(self, "left", "Left")
yield UInt16(self, "top", "Top")
yield UInt16(self, "width", "Width")
yield UInt16(self, "height", "Height")
yield Bits(self, "size_local_map", 3,
"log2(size of local map) minus one")
yield NullBits(self, "reserved", 2)
yield Bit(self, "sort_flag",
"Is the local map sorted by decreasing importance?")
yield Bit(self, "interlaced", "Interlaced?")
yield Bit(self, "has_local_map", "Use local color map?")
if self["has_local_map"].value:
nb_color = 1 << (1 + self["size_local_map"].value)
yield PaletteRGB(self, "local_map", nb_color, "Local color map")
yield UInt8(self, "lzw_min_code_size", "LZW Minimum Code Size")
group = None
while True:
size = UInt8(self, "image_block_size[]")
if size.value == 0:
break
yield size
block = CustomFragment(self, "image_block[]", size.value * 8,
GifImageBlock, "GIF Image Block", group)
if group is None:
block.group.args["startbits"] = self["lzw_min_code_size"].value
group = block.group
yield block
yield NullBytes(self, "terminator", 1, "Terminator (0)")
def createFields(self):
# First kilobyte: boot sectors
yield RawBytes(self, "boot", 1024, "Space for disklabel etc.")
# Header
yield UInt32(self, "version")
yield UInt32(self, "last_page")
yield UInt32(self, "nb_badpage")
yield UUID(self, "sws_uuid")
yield UUID(self, "sws_volume")
yield NullBytes(self, "reserved", 117 * 4)
# Read bad pages (if any)
count = self["nb_badpage"].value
if count:
if MAX_SWAP_BADPAGES < count:
raise ParserError("Invalid number of bad page (%u)" % count)
yield GenericVector(self, "badpages", count, UInt32, "badpage")
# Read magic
padding = self.seekByte(PAGE_SIZE - 10, "padding", null=True)
if padding:
yield padding
yield String(self, "magic", 10, charset="ASCII")
# Read all pages
yield GenericVector(self, "pages", self["last_page"].value, Page,
"page")
# Padding at the end
padding = self.seekBit(self.size, "end_padding", null=True)
if padding:
yield padding
def parseAviHeader(self):
yield UInt32(self, "microsec_per_frame", "Microsecond per frame")
yield UInt32(self, "max_byte_per_sec", "Maximum byte per second")
yield NullBytes(self, "reserved", 4)
# Flags
yield NullBits(self, "reserved[]", 4)
yield Bit(self, "has_index")
yield Bit(self, "must_use_index")
yield NullBits(self, "reserved[]", 2)
yield Bit(self, "is_interleaved")
yield NullBits(self, "reserved[]", 2)
yield Bit(self, "trust_cktype")
yield NullBits(self, "reserved[]", 4)
yield Bit(self, "was_capture_file")
yield Bit(self, "is_copyrighted")
yield NullBits(self, "reserved[]", 14)
yield UInt32(self, "total_frame", "Total number of frames in the video")
yield UInt32(self, "init_frame",
"Initial frame (used in interleaved video)")
yield UInt32(self, "nb_stream", "Number of streams")
yield UInt32(self, "sug_buf_size", "Suggested buffer size")
yield UInt32(self, "width", "Width in pixel")
yield UInt32(self, "height", "Height in pixel")
yield UInt32(self, "scale")
yield UInt32(self, "rate")
yield UInt32(self, "start")
yield UInt32(self, "length")
def createFields(self):
yield IFDTag(self, "tag", "Tag")
yield Enum(UInt16(self, "type", "Type"), self.TYPE_NAME)
self.value_cls = self.ENTRY_FORMAT.get(self['type'].value, Bytes)
if issubclass(self.value_cls, Bytes):
self.value_size = 8
else:
self.value_size = self.value_cls.static_size
yield UInt32(self, "count", "Count")
count = self['count'].value
totalsize = self.value_size * count
if count == 0:
yield NullBytes(self, "padding", 4)
elif totalsize <= 32:
name = "value"
if issubclass(self.value_cls, Bytes):
yield self.value_cls(self, name, count)
elif count == 1:
yield self.value_cls(self, name)
else:
yield ValueArray(self, name, self.value_cls, count)
if totalsize < 32:
yield NullBits(self, "padding", 32 - totalsize)
else:
yield UInt32(self, "offset", "Value offset")
def createFields(self):
yield NullBytes(self, "unused", 6)
yield UInt8(self, "offsetIntSize", "Size (in bytes) of offsets in the offset table")
yield UInt8(self, "objectRefSize", "Size (in bytes) of object numbers in object references")
yield UInt64(self, "numObjects", "Number of objects in this file")
yield UInt64(self, "topObject", "Top-level object reference")
yield UInt64(self, "offsetTableOffset", "File offset to the offset table")
def createFields(self):
yield Bytes(self, "endian", 2, "Endian (\\xfe\\xff for little endian)")
yield UInt16(self, "format", "Format (0)")
yield UInt8(self, "os_version")
yield UInt8(self, "os_revision")
yield Enum(UInt16(self, "os_type"), OS_NAME)
yield GUID(self, "format_id")
yield UInt32(self, "section_count")
if MAX_SECTION_COUNT < self["section_count"].value:
raise ParserError("OLE2: Too much sections (%s)" %
self["section_count"].value)
section_indexes = []
for index in range(self["section_count"].value):
section_index = SummaryIndex(self, "section_index[]")
yield section_index
section_indexes.append(section_index)
for section_index in section_indexes:
self.seekByte(section_index["offset"].value)
yield SummarySection(self, "section[]")
size = (self.size - self.current_size) // 8
if 0 < size:
yield NullBytes(self, "end_padding", size)
def createFields(self):
while not self.eof:
field = FileEntry(self, "file[]")
if field.isEmpty():
yield NullBytes(self, "terminator", 512)
break
yield field
if self.current_size < self._size:
yield self.seekBit(self._size, "end")
def createFields(self):
yield textHandler(
UInt32(self, "signature",
"Placeable Metafiles signature (0x9AC6CDD7)"), hexadecimal)
yield UInt16(self, "handle")
yield RECT16(self, "rect")
yield UInt16(self, "inch")
yield NullBytes(self, "reserved", 4)
yield textHandler(UInt16(self, "checksum"), hexadecimal)
def createFields(self):
yield UInt32(self, "version")
yield UInt8(self, "has_realm")
yield PascalStringWin32(self, "writer_name", charset="UTF-16-BE")
yield PascalStringWin32(self, "reader_name", charset="UTF-16-BE")
yield UInt32(self, "file_version")
size = (self.size - self.current_size) // 8
if size:
yield NullBytes(self, "padding", size)
def createFields(self):
# TODO: This structure is normally divided in two parts:
# _reiserfs_super_block_v1
# _reiserfs_super_block
# It will be divided later to easily support older version of the first
# part
yield UInt32(self, "block_count", "Number of blocks")
yield UInt32(self, "free_blocks", "Number of free blocks")
yield UInt32(self, "root_block", "Root block number")
yield Journal_params(self, "Journal parameters")
yield UInt16(self, "blocksize", "Size of a block")
yield UInt16(self, "oid_maxsize", "Max size of object id array")
yield UInt16(self, "oid_cursize", "Current size of object id array")
yield Enum(UInt16(self, "umount_state", "Filesystem umounted or not"),
self.UMOUNT_STATE)
yield String(self, "magic", 10, "Magic string", strip="\0")
# TODO: change the type of s_fs_state in Enum to have more details
# about this fsck state
yield UInt16(self, "fs_state", "Rebuilding phase of fsck ")
yield Enum(
UInt32(self, "hash_function",
"Hash function to sort names in a directory"),
self.HASH_FUNCTIONS)
yield UInt16(self, "tree_height", "Height of disk tree")
yield UInt16(
self, "bmap_nr",
"Amount of bitmap blocks needed to address each block of file system"
)
# TODO: find a good description for this field
yield UInt16(
self, "version",
"Field only reliable on filesystem with non-standard journal")
yield UInt16(self, "reserved_for_journal",
"Size in blocks of journal area on main device")
# TODO: same as above
yield UInt32(self, "inode_generation", "No description")
# TODO: same as above and should be an enum field
yield UInt32(self, "flags", "No description")
# TODO: Create a special Type to format this id
yield RawBytes(self, "uuid", 16, "Filesystem unique identifier")
yield String(self, "label", 16, "Filesystem volume label", strip="\0")
yield NullBytes(self, "unused", 88)
yield NullBytes(self, "Bytes before end of the block",
self["blocksize"].value - 204)
def createFields(self):
yield UInt32(self, "inode", "Inode")
yield UInt16(self, "rec_len", "Record length")
yield UInt8(self, "name_len", "Name length")
yield Enum(UInt8(self, "file_type", "File type"), self.file_type)
if self["name_len"].value > 0:
yield String(self, "name", self["name_len"].value, "File name")
size = (self._size - self.current_size) // 8
if size:
yield NullBytes(self, "padding", size)
def createFields(self):
yield RawBytes(self, "md5", 16)
while True:
size = (self.size - self.current_size) // 8
if size < 77:
break
yield EncryptedItem(self, "item[]")
size = paddingSize(self.current_size // 8, 16)
if size:
yield NullBytes(self, "padding_align", size)
def createFields(self):
yield UInt16(self, "size", "Node size (in bytes)")
yield UInt16(self, "data_size")
yield CString(self, "name", charset="ISO-8859-1")
size = paddingSize(self.current_size // 8, 4)
if size:
yield NullBytes(self, "padding[]", size)
size = self["data_size"].value
if size:
if self["name"].value == "VS_VERSION_INFO":
yield VersionInfoBinary(self, "value", size=size * 8)
else:
yield String(self, "value", size, charset="ISO-8859-1")
while 12 <= (self.size - self.current_size) // 8:
yield NE_VersionInfoNode(self, "node[]")
size = (self.size - self.current_size) // 8
if size:
yield NullBytes(self, "padding[]", size)
def createFields(self):
yield String(self, "type", 4, "Signature (FORM)", charset="ASCII")
yield filesizeHandler(UInt32(self, "size"))
size = self["size"].value
if size:
if self._parser:
yield from self._parser(self)
if size % 2:
yield NullBytes(self, "padding", 1)
else:
yield RawBytes(self, "data", size)
def createFields(self):
yield UInt8(self, "tag")
yield UInt24(self, "size", "Content size")
yield UInt24(self, "timestamp", "Timestamp in millisecond")
yield NullBytes(self, "reserved", 4)
size = self["size"].value
if size:
if self.parser:
yield from self.parser(self, size)
else:
yield RawBytes(self, "content", size)
def createFields(self):
yield GUID(self, "clsid", "16 bytes GUID used by some apps")
yield UInt16(self, "ver_min", "Minor version")
yield UInt16(self, "ver_maj", "Major version")
yield Bytes(self, "endian", 2, "Endian (\\xfe\\xff for little endian)")
yield UInt16(self, "bb_shift", "Log, base 2, of the big block size")
yield UInt16(self, "sb_shift", "Log, base 2, of the small block size")
yield NullBytes(self, "reserved[]", 6, "(reserved)")
yield UInt32(
self, "csectdir",
"Number of SECTs in directory chain for 4 KB sectors (version 4)")
yield UInt32(self, "bb_count", "Number of Big Block Depot blocks")
yield SECT(self, "bb_start", "Root start block")
yield NullBytes(self, "transaction", 4,
"Signature used for transactions (must be zero)")
yield UInt32(self, "threshold",
"Maximum size for a mini stream (typically 4096 bytes)")
yield SECT(self, "sb_start", "Small Block Depot start block")
yield UInt32(self, "sb_count")
yield SECT(self, "db_start", "First block of DIFAT")
yield UInt32(self, "db_count", "Number of SECTs in DIFAT")
