def Volume(_regData, _shell_item_result, _info):
(shell_item_size, shell_item_type, shell_item_data, pos) = _info
volume_type_flag = cv.Bytes2Int(shell_item_type) & 0x0F
if volume_type_flag == 0x0E: # Root Shell item (doesn't have name flags.) -> Shell folder
volume_item_data = shell_item_data[1:]
(guid, name) = cv.GUID2Text(volume_item_data[0x00:0x10])
extension_blocks = volume_item_data[0x10:]
_shell_item_result["shell_type"] = "Root folder: GUID"
_shell_item_result["mapped_guid"] = (guid, name)
_shell_item_result["value"] = name
elif volume_type_flag == 0x0F:
offset = cv.FindEndOfStream(shell_item_data, 2, b"\x00\x00") - 2
volume_letter = shell_item_data[:offset].decode()
_shell_item_result["shell_type"] = "Drive"
_shell_item_result["value"] = volume_letter
extension_blocks = ""
else:
raise ShellItemFormatError("New volume type flag (Volume Shell Item)")
extension_block_result = parse_extension_block.Parse(
extension_blocks, _regData)
_shell_item_result["extension_block_result"] = extension_block_result
return _shell_item_result
def FileEntry(_regData, _shell_item_result, _info):
(shell_item_size, shell_item_type, shell_item_data, pos) = _info
(ITEM_DATA,
pos) = cv.FormatParser(shell_item_data,
data_format.FILE_ENTRY_SHELL_ITEM_FORMAT, pos)
_shell_item_result["file_size"] = cv.Bytes2Int(ITEM_DATA["file_size"])
_shell_item_result["fat_mtime"] = cv.TSFat(ITEM_DATA["fat_mtime"])
offset = cv.FindEndOfStream(ITEM_DATA["short_name"], 2,
b"\x04\x00\xef\xbe") - 4
_shell_item_result["short_name"] = cv.EncodingWizard(
ITEM_DATA["short_name"][:offset]).replace("\x00", "")
extension_blocks = ITEM_DATA["short_name"][offset:]
if _shell_item_result["file_size"] == 0:
_shell_item_result["shell_type"] = "Directory"
elif _shell_item_result["file_size"] > 0:
_shell_item_result["shell_type"] = "File"
else:
raise ShellItemFormatError("New file size (File Shell Item)")
extension_block_result = parse_extension_block.Parse(
extension_blocks, _regData)
_shell_item_result["extension_block_result"] = extension_block_result
for extension_block_dict in extension_block_result:
if extension_block_dict["extension_sig"] == "0xbeef0004":
_shell_item_result["value"] = extension_block_dict["long_name"]
return _shell_item_result
def RootFolder(_regData, _shell_item_result, _info):
_shell_item_result["shell_type"] = "Root folder"
(shell_item_size, shell_item_type, shell_item_data, pos) = _info
extension_blocks = ""
if shell_item_size in [0x14, 0x3A]:
_shell_item_result["shell_type"] += ": GUID"
(ITEM_DATA,
pos) = cv.FormatParser(shell_item_data,
data_format.ROOT_SHELL_ITEM_0014_FORMAT, pos)
if ITEM_DATA["sort_index"] == b"\x00":
raise ShellItemFormatError("New sort index (Root folder: GUID)")
(guid, name) = cv.GUID2Text(ITEM_DATA["guid"])
_shell_item_result["mapped_guid"] = (guid, name)
_shell_item_result["value"] = name
extension_blocks = ITEM_DATA["extension_block"]
elif shell_item_size == 0x55:
(ITEM_DATA,
pos) = cv.FormatParser(shell_item_data,
data_format.ROOT_SHELL_ITEM_0055_FORMAT, pos)
if ITEM_DATA["sort_index"] != b"\x00":
raise ShellItemFormatError("New sort index (Root folder: Drive)")
if ITEM_DATA["upv_sig"] != b"\x10\xB7\xA6\xF5":
raise ShellItemFormatError(
"New UPV signature of Root folder: Drive --> %s" %
repr(ITEM_DATA["upv_sig"]))
_shell_item_result = UsersPropertyView(_regData, _shell_item_result,
_info)
_shell_item_result["shell_type"] = "Root folder: Drive"
else: # UPV format
(ITEM_DATA, pos) = cv.FormatParser(shell_item_data,
data_format.USERS_SHELL_ITEM_FORMAT,
pos)
if ITEM_DATA["upv_sig"] != b"\xD5\xDF\xA3\x23":
raise ShellItemFormatError(
"New UPV signature of Root folder: Variable --> %s" %
repr(ITEM_DATA["upv_sig"]))
_shell_item_result = UsersPropertyView(_regData, _shell_item_result,
_info)
_shell_item_result["shell_type"] += ": Search Folder"
extension_block_result = parse_extension_block.Parse(
extension_blocks, _regData)
_shell_item_result["extension_block_result"] = extension_block_result
return _shell_item_result
def ControlPanel(_regData, _shell_item_result, _info):
(shell_item_size, shell_item_type, shell_item_data, pos) = _info
(ITEM_DATA,
pos) = cv.FormatParser(shell_item_data,
data_format.CONTROL_PANEL_SHELL_ITEM_FORMAT, pos)
(guid, name) = cv.GUID2Text(ITEM_DATA["guid"])
_shell_item_result["mapped_guid"] = (guid, name)
_shell_item_result["value"] = name
extension_blocks = ITEM_DATA["extension_block"]
extension_block_result = parse_extension_block.Parse(
extension_blocks, _regData)
_shell_item_result["extension_block_result"] = extension_block_result
return _shell_item_result
def ControlPanelCategory(_regData, _shell_item_result, _info):
(shell_item_size, shell_item_type, shell_item_data, pos) = _info
(ITEM_DATA, pos) = cv.FormatParser(
shell_item_data, data_format.CONTROL_PANEL_CATEGORY_SHELL_ITEM_FORMAT,
pos)
if ITEM_DATA["sig"] != b"\x84\x21\xDE\x39":
raise ShellItemFormatError("New signature (Control Panel Category)")
category_id = cv.Bytes2Int(ITEM_DATA["category_id"])
if category_id in data_id.CONTROL_PANEL_CATEGORY_ID.keys():
_shell_item_result["value"] = data_id.CONTROL_PANEL_CATEGORY_ID[
category_id]
else:
raise ShellItemFormatError("New category id (Control Panel Category)")
extension_blocks = ITEM_DATA["extension_block"]
extension_block_result = parse_extension_block.Parse(
extension_blocks, _regData)
_shell_item_result["extension_block_result"] = extension_block_result
return _shell_item_result
def UsersPropertyView(_regData, _shell_item_result, _info):
(shell_item_size, shell_item_type, shell_item_data, pos) = _info
(ITEM_DATA, pos) = cv.FormatParser(shell_item_data,
data_format.USERS_SHELL_ITEM_FORMAT,
pos)
_shell_item_result["shell_type"] = "Users property view"
sps_blocks = ""
extension_blocks = ""
upv_size = cv.Bytes2Int(ITEM_DATA["upv_size"])
upv_data_size = cv.Bytes2Int(ITEM_DATA["upv_data_size"])
upv_id_size = cv.Bytes2Int(ITEM_DATA["upv_id_size"])
if ITEM_DATA["upv_sig"] in [b"\x81\x19\x14\x10", b"\x00\xEE\xEB\xBE"]:
upv_id_data = ITEM_DATA["upv_id_data"][:
upv_id_size] # unknown 32 bytes
sps_blocks = ITEM_DATA["upv_id_data"][upv_id_size:]
elif ITEM_DATA["upv_sig"] == b"\xEE\xBB\xFE\x23":
upv_id_data = ITEM_DATA["upv_id_data"][:upv_id_size]
(guid, name) = cv.GUID2Text(upv_id_data)
_shell_item_result["mapped_guid"] = (guid, name)
_shell_item_result["value"] = name
if upv_data_size == 0:
extension_blocks = ITEM_DATA["upv_id_data"][upv_id_size + 2:]
elif upv_id_size > 0:
sps_blocks = ITEM_DATA["upv_id_data"][upv_id_size:]
else:
raise ShellItemFormatError(
"New upv_id_size (Users property view Shell Item --> \\xEE\\xBB\\xFE\\x23)"
)
elif ITEM_DATA["upv_sig"] == b"\xBB\xAF\x93\x3B":
raise ShellItemFormatError(
"New upv_sig (Users property view Shell Item --> \\xBB\\xAF\\x93\\x3B)"
)
elif ITEM_DATA["upv_sig"] == b"\x10\xB7\xA6\xF5":
volume_shell_item_data = shell_item_data[pos - 2:upv_size]
two_guids = shell_item_data[upv_size + 3:]
offset = cv.FindEndOfStream(volume_shell_item_data, 2, b"\x00\x00")
volume_letter = volume_shell_item_data[:offset].decode()
guid1 = cv.GUID2Text(two_guids[:16])
guid2 = cv.GUID2Text(two_guids[16:32])
extension_blocks = two_guids[32:]
_shell_item_result["value"] = volume_letter
_shell_item_result["mapped_guid"] = [guid1, guid2]
elif ITEM_DATA["upv_sig"] == b"\xD5\xDF\xA3\x23":
# size(upv_size, upv_sig, upv_data_size, upv_id_size) == 10
sps_blocks = ITEM_DATA["upv_id_data"][upv_id_size:upv_size - 10]
root_item = ITEM_DATA["upv_id_data"][upv_size -
8:] # 8 == 10 - len(\x00\x00)
guid1 = cv.GUID2Text(root_item[:16])
guid2 = cv.GUID2Text(root_item[16:32])
extension_blocks = root_item[32:]
(guid, name) = guid2
_shell_item_result["value"] = name
_shell_item_result["mapped_guid"] = [guid1, guid2]
else:
htu_size = cv.Bytes2Int(shell_item_data[5:9])
htu_data = shell_item_data[1:htu_size - 3]
if shell_item_data[1:5] == b"\x00\xB0\x01\xC0":
_shell_item_result = HttpURIParser(htu_data, _shell_item_result)
else:
raise ShellItemFormatError(
"New HTTP URI(UTU) sig (Users Property View Shell Item) --> %s"
% repr(ITEM_DATA["upv_sig"]))
sps_result = parse_sps_block.Parse(sps_blocks, _debug=_regData)
_shell_item_result["sps_result"] = sps_result
if sps_result:
RefineSPSResult(sps_result)
extension_block_result = parse_extension_block.Parse(
extension_blocks, _regData)
_shell_item_result["extension_block_result"] = extension_block_result
return _shell_item_result