def createFields(self):
bytes = self.stream.readBytes(self.absolute_address, 4)
if bytes == "\0R\0\0":
charset = "UTF-16-BE"
else:
charset = "UTF-16-LE"
yield String(self, "name", 64, charset=charset, truncate="\0")
yield UInt16(self, "namelen", "Length of the name")
yield Enum(UInt8(self, "type", "Property type"), self.TYPE_NAME)
yield Enum(UInt8(self, "decorator", "Decorator"), self.DECORATOR_NAME)
yield SECT(self, "left")
yield SECT(self, "right")
yield SECT(self, "child",
"Child node (valid for storage and root types)")
yield GUID(self, "clsid",
"CLSID of this storage (valid for storage and root types)")
yield NullBytes(self, "flags", 4, "User flags")
yield TimestampWin64(
self, "creation",
"Creation timestamp(valid for storage and root types)")
yield TimestampWin64(
self, "lastmod",
"Modify timestamp (valid for storage and root types)")
yield SECT(
self, "start",
"Starting SECT of the stream (valid for stream and root types)")
if self["/header/bb_shift"].value == 9:
yield filesizeHandler(
UInt32(self, "size",
"Size in bytes (valid for stream and root types)"))
yield NullBytes(self, "padding", 4)
else:
yield filesizeHandler(
UInt64(self, "size",
"Size in bytes (valid for stream and root types)"))
def fileHeader(self):
yield filesizeHandler(
UInt32(self, "compressed_size", "Size of the compressed file"))
yield filesizeHandler(
UInt32(self, "uncompressed_size", "Uncompressed file size"))
yield TimeDateMSDOS32(self, "ftime", "Date and time (MS DOS format)")
if self["/header/host_os"].value in (OS_MSDOS, OS_WIN32):
yield MSDOSFileAttr32(self, "file_attr", "File attributes")
else:
yield textHandler(UInt32(self, "file_attr", "File attributes"),
hexadecimal)
yield textHandler(
UInt32(self, "file_crc32", "CRC32 checksum over the compressed file)"),
hexadecimal)
yield Enum(UInt8(self, "compression_type", "Type of compression"),
COMPRESSION_TYPE)
yield Enum(UInt8(self, "compression_mode", "Quality of compression"),
COMPRESSION_MODE)
yield textHandler(UInt16(self, "parameters", "Compression parameters"),
hexadecimal)
yield textHandler(UInt16(self, "reserved", "Reserved data"), hexadecimal)
# Filename
yield PascalString16(self, "filename", "Filename")
# Comment
if self["flags/has_comment"].value:
yield filesizeHandler(
UInt16(self, "comment_size", "Size of the compressed comment"))
if self["comment_size"].value > 0:
yield RawBytes(self, "comment_data", self["comment_size"].value,
"Comment data")
def createFields(self):
yield textHandler(UInt32(self, "file_crc32",
"Checksum (CRC32)"), hexadecimal)
yield filesizeHandler(UInt32(self, "file_compressed_size",
"Compressed size (bytes)"))
yield filesizeHandler(UInt32(self, "file_uncompressed_size",
"Uncompressed size (bytes)"))
def createFields(self):
yield String(self, "magic", 4, "ITSP", charset="ASCII")
yield UInt32(self, "version", "Version (=1)")
yield filesizeHandler(
UInt32(self, "size",
"Length (in bytes) of the directory header (84)"))
yield UInt32(self, "unknown[]", "(=10)")
yield filesizeHandler(
UInt32(self, "block_size", "Directory block size"))
yield UInt32(self, "density", "Density of quickref section, usually 2")
yield UInt32(self, "index_depth", "Depth of the index tree")
yield Int32(self, "nb_dir", "Chunk number of root index chunk")
yield UInt32(self, "first_pmgl",
"Chunk number of first PMGL (listing) chunk")
yield UInt32(self, "last_pmgl",
"Chunk number of last PMGL (listing) chunk")
yield Int32(self, "unknown[]", "-1")
yield UInt32(self, "nb_dir_chunk",
"Number of directory chunks (total)")
yield Enum(UInt32(self, "lang_id", "Windows language ID"), LANGUAGE_ID)
yield GUID(self, "system_uuid",
"{5D02926A-212E-11D0-9DF9-00A0C922E6EC}")
yield filesizeHandler(UInt32(self, "size2", "Same value than size"))
yield Int32(self, "unknown[]", "-1")
yield Int32(self, "unknown[]", "-1")
yield Int32(self, "unknown[]", "-1")
def specialHeader(s, is_file):
yield filesizeHandler(UInt32(s, "compressed_size", "Compressed size (bytes)"))
yield filesizeHandler(UInt32(s, "uncompressed_size", "Uncompressed size (bytes)"))
yield Enum(UInt8(s, "host_os", "Operating system used for archiving"), OS_NAME)
yield textHandler(UInt32(s, "crc32", "File CRC32"), hexadecimal)
yield TimeDateMSDOS32(s, "ftime", "Date and time (MS DOS format)")
yield textHandler(UInt8(s, "version", "RAR version needed to extract file"), formatRARVersion)
yield Enum(UInt8(s, "method", "Packing method"), COMPRESSION_NAME)
yield filesizeHandler(UInt16(s, "filename_length", "File name size"))
if s["host_os"].value in (OS_MSDOS, OS_WIN32):
yield MSDOSFileAttr32(s, "file_attr", "File attributes")
else:
yield textHandler(UInt32(s, "file_attr", "File attributes"), hexadecimal)
# Start additional field from unrar
if s["flags/is_large"].value:
yield filesizeHandler(UInt64(s, "large_size", "Extended 64bits filesize"))
# End additional field
size = s["filename_length"].value
if size > 0:
if s["flags/is_unicode"].value:
charset = "UTF-8"
else:
charset = "ISO-8859-15"
yield String(s, "filename", size, "Filename", charset=charset)
# Start additional fields from unrar - file only
if is_file:
if s["flags/has_salt"].value:
yield textHandler(UInt8(s, "salt", "Salt"), hexadecimal)
if s["flags/has_ext_time"].value:
yield ExtTime(s, "extra_time", "Extra time info")
def commentHeader(s):
yield filesizeHandler(
UInt16(s, "total_size", "Comment header size + comment size"))
yield filesizeHandler(
UInt16(s, "uncompressed_size", "Uncompressed comment size"))
yield UInt8(s, "required_version", "RAR version needed to extract comment")
yield UInt8(s, "packing_method", "Comment packing method")
yield UInt16(s, "comment_crc16", "Comment CRC")
def createFields(self):
yield Bytes(self, "signature", 2, "New executable signature (NE)")
yield UInt8(self, "link_ver", "Linker version number")
yield UInt8(self, "link_rev", "Linker revision number")
yield UInt16(self, "entry_table_ofst", "Offset to the entry table")
yield UInt16(self, "entry_table_size", "Length (in bytes) of the entry table")
yield PaddingBytes(self, "reserved[]", 4)
yield Bit(self, "is_dll", "Is a dynamic-link library (DLL)?")
yield Bit(self, "is_win_app", "Is a Windows application?")
yield PaddingBits(self, "reserved[]", 9)
yield Bit(self, "first_seg_code", "First segment contains code that loads the application?")
yield NullBits(self, "reserved[]", 1)
yield Bit(self, "link_error", "Load even if linker detects errors?")
yield NullBits(self, "reserved[]", 1)
yield Bit(self, "is_lib", "Is a library module?")
yield UInt16(self, "auto_data_seg", "Automatic data segment number")
yield filesizeHandler(UInt16(self, "local_heap_size", "Initial size (in bytes) of the local heap"))
yield filesizeHandler(UInt16(self, "stack_size", "Initial size (in bytes) of the stack"))
yield textHandler(UInt32(self, "cs_ip", "Value of CS:IP"), hexadecimal)
yield textHandler(UInt32(self, "ss_sp", "Value of SS:SP"), hexadecimal)
yield UInt16(self, "nb_entry_seg_tab", "Number of entries in the segment table")
yield UInt16(self, "nb_entry_modref_tab", "Number of entries in the module-reference table")
yield filesizeHandler(UInt16(self, "size_nonres_name_tab", "Number of bytes in the nonresident-name table"))
yield UInt16(self, "seg_tab_ofs", "Segment table offset")
yield UInt16(self, "rsrc_ofs", "Resource offset")
yield UInt16(self, "res_name_tab_ofs", "Resident-name table offset")
yield UInt16(self, "mod_ref_tab_ofs", "Module-reference table offset")
yield UInt16(self, "import_tab_ofs", "Imported-name table offset")
yield UInt32(self, "non_res_name_tab_ofs", "Nonresident-name table offset")
yield UInt16(self, "nb_mov_ent_pt", "Number of movable entry points")
yield UInt16(self, "log2_sector_size", "Log2 of the segment sector size")
yield UInt16(self, "nb_rsrc_seg", "Number of resource segments")
yield Bit(self, "unknown_os_format", "Operating system format is unknown")
yield PaddingBits(self, "reserved[]", 1)
yield Bit(self, "os_windows", "Operating system is Microsoft Windows")
yield NullBits(self, "reserved[]", 6)
yield Bit(self, "is_win20_prot", "Is Windows 2.x application running in version 3.x protected mode")
yield Bit(self, "is_win20_font", "Is Windows 2.x application supporting proportional fonts")
yield Bit(self, "fast_load", "Contains a fast-load area?")
yield NullBits(self, "reserved[]", 4)
yield UInt16(self, "fastload_ofs", "Fast-load area offset (in sector)")
yield UInt16(self, "fastload_size", "Fast-load area length (in sector)")
yield NullBytes(self, "reserved[]", 2)
yield textHandler(UInt16(self, "win_version", "Expected Windows version number"), hexadecimal)
def createFields(self):
yield GUID(self, "guid")
yield filesizeHandler(UInt64(self, "file_size"))
yield TimestampWin64(self, "creation_date")
yield UInt64(self, "pckt_count")
yield TimedeltaWin64(self, "play_duration")
yield TimedeltaWin64(self, "send_duration")
yield UInt64(self, "preroll")
yield Bit(self, "broadcast", "Is broadcast?")
yield Bit(self, "seekable", "Seekable stream?")
yield PaddingBits(self, "reserved[]", 30)
yield filesizeHandler(UInt32(self, "min_pckt_size"))
yield filesizeHandler(UInt32(self, "max_pckt_size"))
yield displayHandler(UInt32(self, "max_bitrate"), humanBitRate)
def createFields(self):
yield GUID(self, "guid")
yield filesizeHandler(UInt64(self, "file_size"))
yield TimestampWin64(self, "creation_date")
yield UInt64(self, "pckt_count")
yield TimedeltaWin64(self, "play_duration")
yield TimedeltaWin64(self, "send_duration")
yield UInt64(self, "preroll")
yield Bit(self, "broadcast", "Is broadcast?")
yield Bit(self, "seekable", "Seekable stream?")
yield PaddingBits(self, "reserved[]", 30)
yield filesizeHandler(UInt32(self, "min_pckt_size"))
yield filesizeHandler(UInt32(self, "max_pckt_size"))
yield displayHandler(UInt32(self, "max_bitrate"), humanBitRate)
def createFields(self):
yield String(self, "magic", 4, "ITSF", charset="ASCII")
yield UInt32(self, "version")
yield UInt32(self, "header_size", "Total header length (in bytes)")
yield UInt32(self, "one")
yield UInt32(self, "last_modified")
yield Enum(UInt32(self, "lang_id", "Windows Language ID"), LANGUAGE_ID)
yield GUID(self, "dir_uuid", "{7C01FD10-7BAA-11D0-9E0C-00A0-C922-E6EC}")
yield GUID(self, "stream_uuid", "{7C01FD11-7BAA-11D0-9E0C-00A0-C922-E6EC}")
yield UInt64(self, "filesize_offset")
yield filesizeHandler(UInt64(self, "filesize_len"))
yield UInt64(self, "dir_offset")
yield filesizeHandler(UInt64(self, "dir_len"))
if 3 <= self["version"].value:
yield UInt64(self, "data_offset")
def createFields(self):
if self.stream.readBits(self.absolute_address, 6, self.endian) == 63:
yield Bits(self, "length_ext", 6)
yield Bits(self, "code", 10)
yield filesizeHandler(UInt32(self, "length"))
else:
yield filesizeHandler(Bits(self, "length", 6))
yield Bits(self, "code", 10)
size = self["length"].value
if 0 < size:
if self.parser:
for field in self.parser(self, size):
yield field
else:
yield RawBytes(self, "data", size)
def createFields(self):
yield String(self, "magic", 4, "ITSF", charset="ASCII")
yield UInt32(self, "version")
yield UInt32(self, "header_size", "Total header length (in bytes)")
yield UInt32(self, "one")
yield UInt32(self, "last_modified", "Lower 32 bits of the time expressed in units of 0.1 us")
yield Enum(UInt32(self, "lang_id", "Windows Language ID"), LANGUAGE_ID)
yield GUID(self, "dir_uuid", "{7C01FD10-7BAA-11D0-9E0C-00A0-C922-E6EC}")
yield GUID(self, "stream_uuid", "{7C01FD11-7BAA-11D0-9E0C-00A0-C922-E6EC}")
yield UInt64(self, "filesize_offset")
yield filesizeHandler(UInt64(self, "filesize_len"))
yield UInt64(self, "dir_offset")
yield filesizeHandler(UInt64(self, "dir_len"))
if 3 <= self["version"].value:
yield UInt64(self, "data_offset")
def createFields(self):
if self.stream.readBits(self.absolute_address, 6, self.endian) == 63:
yield Bits(self, "length_ext", 6)
yield Bits(self, "code", 10)
yield filesizeHandler(UInt32(self, "length"))
else:
yield filesizeHandler(Bits(self, "length", 6))
yield Bits(self, "code", 10)
size = self["length"].value
if 0 < size:
if self.parser:
for field in self.parser(self, size):
yield field
else:
yield RawBytes(self, "data", size)
def parseFilename(self):
yield UInt64(self, "ref", "File reference to the parent directory")
yield TimestampWin64(self, "ctime", "File Creation")
yield TimestampWin64(self, "atime", "File Altered")
yield TimestampWin64(self, "mtime", "MFT Changed")
yield TimestampWin64(self, "rtime", "File Read")
yield filesizeHandler(UInt64(self, "alloc_size", "Allocated size of the file"))
yield filesizeHandler(UInt64(self, "real_size", "Real size of the file"))
yield UInt32(self, "file_flags")
yield UInt32(self, "file_flags2", "Used by EAs and Reparse")
yield UInt8(self, "filename_length", "Filename length in characters")
yield Enum(UInt8(self, "filename_namespace"), self.FILENAME_NAMESPACE)
size = self["filename_length"].value * 2
if size:
yield String(self, "filename", size, charset="UTF-16-LE")
def createFields(self):
yield String(self, "signature", 17, "XM signature", charset="ASCII")
yield String(self, "title", 20, "XM title", charset="ASCII", strip=' ')
yield UInt8(self, "marker", "Marker (0x1A)")
yield String(self,
"tracker_name",
20,
"XM tracker name",
charset="ASCII",
strip=' ')
yield UInt8(self, "format_minor")
yield UInt8(self, "format_major")
yield filesizeHandler(UInt32(self, "header_size", "Header size (276)"))
yield UInt16(self, "song_length", "Length in patten order table")
yield UInt16(self, "restart", "Restart position")
yield UInt16(self, "channels",
"Number of channels (2,4,6,8,10,...,32)")
yield UInt16(self, "patterns", "Number of patterns (max 256)")
yield UInt16(self, "instruments", "Number of instruments (max 128)")
yield Bit(self, "amiga_ftable", "Amiga frequency table")
yield Bit(self, "linear_ftable", "Linear frequency table")
yield Bits(self, "unused", 14)
yield UInt16(self, "tempo", "Default tempo")
yield UInt16(self, "bpm", "Default BPM")
yield GenericVector(self, "pattern_order", 256, UInt8, "order")
def createFields(self):
yield String(self, "magic", 4)
yield String(self, "version", 4, strip='\0')
yield textHandler(UInt32(self, "checksum"), hexadecimal)
yield RawBytes(self, "signature", 20, description="SHA1 sum over all subsequent data")
yield filesizeHandler(UInt32(self, "filesize"))
yield UInt32(self, "size", description="Header size")
self._size = self['size'].value*8
yield textHandler(UInt32(self, "endian"), hexadecimal)
yield UInt32(self, "link_count")
yield UInt32(self, "link_offset")
yield UInt32(self, "map_offset", description="offset to map footer")
yield UInt32(self, "string_count", description="number of entries in string table")
yield UInt32(self, "string_offset", description="offset to string table")
yield UInt32(self, "type_desc_count", description="number of entries in type descriptor table")
yield UInt32(self, "type_desc_offset", description="offset to type descriptor table")
yield UInt32(self, "meth_desc_count", description="number of entries in method descriptor table")
yield UInt32(self, "meth_desc_offset", description="offset to method descriptor table")
yield UInt32(self, "field_count", description="number of entries in field table")
yield UInt32(self, "field_offset", description="offset to field table")
yield UInt32(self, "method_count", description="number of entries in method table")
yield UInt32(self, "method_offset", description="offset to method table")
yield UInt32(self, "class_count", description="number of entries in class table")
yield UInt32(self, "class_offset", description="offset to class table")
yield UInt32(self, "data_size", description="size of data region")
yield UInt32(self, "data_offset", description="offset to data region")
def createFields(self):
yield String(self,
"signature",
4,
'Format signature (".snd")',
charset="ASCII")
yield UInt32(self, "data_ofs", "Data offset")
yield filesizeHandler(UInt32(self, "data_size", "Data size"))
yield Enum(UInt32(self, "codec", "Audio codec"), self.CODEC_NAME)
yield displayHandler(
UInt32(self, "sample_rate", "Number of samples/second"),
humanFrequency)
yield UInt32(self, "channels", "Number of interleaved channels")
size = self["data_ofs"].value - self.current_size // 8
if 0 < size:
yield String(self,
"info",
size,
"Information",
strip=" \0",
charset="ISO-8859-1")
size = min(self["data_size"].value,
(self.size - self.current_size) // 8)
yield RawBytes(self, "audio_data", size, "Audio data")
def createFields(self):
byte = UInt8(self, "id_size")
yield byte
byte = byte.value
self.info("ID=%u" % byte)
size = byte & 0xF
if size > 0:
name = self.stream.readBytes(
self.absolute_address + self.current_size, size)
if name in self.CODECS:
name = self.CODECS[name]
self.info("Codec is %s" % name)
else:
self.info("Undetermined codec %s" % name)
name = "unknown"
yield RawBytes(self, name, size)
#yield textHandler(Bytes(self, "id", size), lambda: name)
if byte & 0x10:
yield SZUInt64(self, "num_stream_in")
yield SZUInt64(self, "num_stream_out")
self.info("Streams: IN=%u OUT=%u" % \
(self["num_stream_in"].value, self["num_stream_out"].value))
if byte & 0x20:
size = SZUInt64(self, "properties_size[]")
yield size
if size.value == 5:
#[email protected]
yield textHandler(UInt8(self, "parameters"), lzmaParams)
yield filesizeHandler(UInt32(self, "dictionary_size"))
elif size.value > 0:
yield RawBytes(self, "properties[]", size.value)
def createFields(self):
yield String(self,
"signature",
3,
"SWF format signature",
charset="ASCII")
yield UInt8(self, "version")
yield filesizeHandler(UInt32(self, "filesize"))
if self["signature"].value != "CWS":
yield RECT(self, "rect")
yield FixedFloat16(self, "frame_rate")
yield UInt16(self, "frame_count")
while not self.eof:
yield Tag(self, "tag[]")
else:
size = (self.size - self.current_size) // 8
if has_deflate:
data = Deflate(Bytes(self, "compressed_data", size), False)
def createInputStream(cis, source=None, **args):
stream = cis(source=source)
header = StringInputStream("FWS" +
self.stream.readBytes(3 * 8, 5))
args.setdefault("tags", []).append(("class", SwfFile))
return ConcatStream((header, stream),
source=stream.source,
**args)
data.setSubIStream(createInputStream)
yield data
else:
yield Bytes(self, "compressed_data", size)
def createFields(self):
yield CWord(self, "name_len")
yield String(self, "name", self["name_len"].value, charset="UTF-8")
yield CWord(self, "section",
"Section number that the entry data is in.")
yield CWord(self, "start", "Start offset of the data")
yield filesizeHandler(CWord(self, "length", "Length of the data"))
def createFields(self):
byte = UInt8(self, "id_size")
yield byte
byte = byte.value
self.info("ID=%u" % byte)
size = byte & 0xF
if size > 0:
name = self.stream.readBytes(self.absolute_address+self.current_size, size)
if name in self.CODECS:
name = self.CODECS[name]
self.info("Codec is %s" % name)
else:
self.info("Undetermined codec %s" % name)
name = "unknown"
yield RawBytes(self, name, size)
#yield textHandler(Bytes(self, "id", size), lambda: name)
if byte & 0x10:
yield SZUInt64(self, "num_stream_in")
yield SZUInt64(self, "num_stream_out")
self.info("Streams: IN=%u OUT=%u" % \
(self["num_stream_in"].value, self["num_stream_out"].value))
if byte & 0x20:
size = SZUInt64(self, "properties_size[]")
yield size
if size.value == 5:
#[email protected]
yield textHandler(UInt8(self, "parameters"), lzmaParams)
yield filesizeHandler(UInt32(self, "dictionary_size"))
elif size.value > 0:
yield RawBytes(self, "properties[]", size.value)
def createFields(self):
# Header
yield String(self, "magic", 4, "PMGL", charset="ASCII")
yield filesizeHandler(
Int32(
self, "free_space",
"Length of free space and/or quickref area at end of directory chunk"
))
yield Int32(self, "unknown")
yield Int32(self, "previous", "Chunk number of previous listing chunk")
yield Int32(self, "next", "Chunk number of previous listing chunk")
# Entries
stop = self.size - self["free_space"].value * 8
entry_count = 0
while self.current_size < stop:
yield PMGL_Entry(self, "entry[]")
entry_count += 1
# Padding
quickref_frequency = 1 + (1 << self["/dir/itsp/density"].value)
num_quickref = (entry_count // quickref_frequency)
if entry_count % quickref_frequency == 0:
num_quickref -= 1
print self.current_size // 8, quickref_frequency, num_quickref
padding = (self["free_space"].value - (num_quickref * 2 + 2))
if padding:
yield PaddingBytes(self, "padding", padding)
for i in range(num_quickref * quickref_frequency, 0,
-quickref_frequency):
yield UInt16(self, "quickref[%i]" % i)
yield UInt16(self, "entry_count")
def createFields(self):
yield String(self, "signature", 3, "SWF format signature", charset="ASCII")
yield UInt8(self, "version")
yield filesizeHandler(UInt32(self, "filesize"))
if self["signature"].value != "CWS":
yield RECT(self, "rect")
yield FixedFloat16(self, "frame_rate")
yield UInt16(self, "frame_count")
while not self.eof:
yield Tag(self, "tag[]")
else:
size = (self.size - self.current_size) // 8
if has_deflate:
data = Deflate(Bytes(self, "compressed_data", size), False)
def createInputStream(cis, source=None, **args):
stream = cis(source=source)
header = StringInputStream("FWS" + self.stream.readBytes(3 * 8, 5))
args.setdefault("tags", []).append(("class", SwfFile))
return ConcatStream((header, stream), source=stream.source, **args)
data.setSubIStream(createInputStream)
yield data
else:
yield Bytes(self, "compressed_data", size)
def createFields(self):
yield String(self, "magic", 4, "Magic (MSCF)", charset="ASCII")
yield textHandler(UInt32(self, "hdr_checksum", "Header checksum (0 if not used)"), hexadecimal)
yield filesizeHandler(UInt32(self, "filesize", "Cabinet file size"))
yield textHandler(UInt32(self, "fld_checksum", "Folders checksum (0 if not used)"), hexadecimal)
yield UInt32(self, "off_file", "Offset of first file")
yield textHandler(UInt32(self, "files_checksum", "Files checksum (0 if not used)"), hexadecimal)
yield textHandler(UInt16(self, "cab_version", "Cabinet version"), hexadecimal)
yield UInt16(self, "nb_folder", "Number of folders")
yield UInt16(self, "nb_files", "Number of files")
yield Flags(self, "flags")
yield UInt16(self, "setid")
yield UInt16(self, "number", "Zero-based cabinet number")
# --- TODO: Support flags
if self["flags/has_reserved"].value:
yield Reserved(self, "reserved")
#(3) Previous cabinet name, if CAB_HEADER.flags & CAB_FLAG_HASPREV
#(4) Previous disk name, if CAB_HEADER.flags & CAB_FLAG_HASPREV
#(5) Next cabinet name, if CAB_HEADER.flags & CAB_FLAG_HASNEXT
#(6) Next disk name, if CAB_HEADER.flags & CAB_FLAG_HASNEXT
# ----
for index in xrange(self["nb_folder"].value):
yield Folder(self, "folder[]")
for index in xrange(self["nb_files"].value):
yield File(self, "file[]")
end = self.seekBit(self.size, "endraw")
if end:
yield end
def createFields(self):
yield String(self, "filename", 56, truncate="\0")
yield filesizeHandler(UInt32(self, "size"))
yield SubFile(self,
"data",
self["size"].value,
filename=self["filename"].value)
def createFields(self):
# Header
yield String(self, "magic", 4, "PMGL", charset="ASCII")
yield filesizeHandler(Int32(self, "free_space",
"Length of free space and/or quickref area at end of directory chunk"))
yield Int32(self, "unknown")
yield Int32(self, "previous", "Chunk number of previous listing chunk")
yield Int32(self, "next", "Chunk number of previous listing chunk")
# Entries
stop = self.size - self["free_space"].value * 8
entry_count = 0
while self.current_size < stop:
yield PMGL_Entry(self, "entry[]")
entry_count+=1
# Padding
quickref_frequency = 1 + (1 << self["/dir/itsp/density"].value)
num_quickref = (entry_count // quickref_frequency)
if entry_count % quickref_frequency == 0:
num_quickref -= 1
print self.current_size//8, quickref_frequency, num_quickref
padding = (self["free_space"].value - (num_quickref*2+2))
if padding:
yield PaddingBytes(self, "padding", padding)
for i in range(num_quickref*quickref_frequency, 0, -quickref_frequency):
yield UInt16(self, "quickref[%i]"%i)
yield UInt16(self, "entry_count")
def createFields(self):
yield filesizeHandler(UInt32(self, "filesize", "Uncompressed file size"))
yield UInt32(self, "offset", "File offset after decompression")
yield UInt16(self, "iFolder", "file control id")
yield DateTimeMSDOS32(self, "timestamp")
yield MSDOSFileAttr16(self, "attributes")
yield CString(self, "filename", charset="ASCII")
def createFields(self):
yield String(self, "magic", 4, "Magic (MSCF)", charset="ASCII")
yield textHandler(UInt32(self, "hdr_checksum", "Header checksum (0 if not used)"), hexadecimal)
yield filesizeHandler(UInt32(self, "filesize", "Cabinet file size"))
yield textHandler(UInt32(self, "fld_checksum", "Folders checksum (0 if not used)"), hexadecimal)
yield UInt32(self, "off_file", "Offset of first file")
yield textHandler(UInt32(self, "files_checksum", "Files checksum (0 if not used)"), hexadecimal)
yield UInt8(self, "minor_version", "Minor version (should be 3)")
yield UInt8(self, "major_version", "Major version (should be 1)")
yield UInt16(self, "nb_folder", "Number of folders")
yield UInt16(self, "nb_files", "Number of files")
yield Flags(self, "flags")
yield UInt16(self, "setid")
yield UInt16(self, "cabinet_serial", "Zero-based cabinet number")
if self["flags/has_reserved"].value:
yield UInt16(self, "reserved_header_size", "Size of per-cabinet reserved area")
yield UInt8(self, "reserved_folder_size", "Size of per-folder reserved area")
yield UInt8(self, "reserved_data_size", "Size of per-datablock reserved area")
if self["reserved_header_size"].value:
yield RawBytes(self, "reserved_header", self["reserved_header_size"].value, "Per-cabinet reserved area")
if self["flags/has_previous"].value:
yield CString(self, "previous_cabinet", "File name of previous cabinet", charset="ASCII")
yield CString(self, "previous_disk", "Description of disk/media on which previous cabinet resides", charset="ASCII")
if self["flags/has_next"].value:
yield CString(self, "next_cabinet", "File name of next cabinet", charset="ASCII")
yield CString(self, "next_disk", "Description of disk/media on which next cabinet resides", charset="ASCII")
folders = []
files = []
for index in xrange(self["nb_folder"].value):
folder = Folder(self, "folder[]")
yield folder
folders.append(folder)
for index in xrange(self["nb_files"].value):
file = File(self, "file[]")
yield file
files.append(file)
folders = sorted(enumerate(folders), key=lambda x:x[1]["offset"].value)
for i in xrange(len(folders)):
index, folder = folders[i]
padding = self.seekByte(folder["offset"].value)
if padding:
yield padding
files = []
for file in files:
if file["folder_index"].value == index:
files.append(file)
if i+1 == len(folders):
size = (self.size // 8) - folder["offset"].value
else:
size = (folders[i+1][1]["offset"].value) - folder["offset"].value
yield FolderData(self, "folder_data[%i]" % index, folder, files, size=size*8)
end = self.seekBit(self.size, "endraw")
if end:
yield end
def createFields(self):
yield filesizeHandler(
UInt32(self, "filesize", "Uncompressed file size"))
yield UInt32(self, "offset", "File offset after decompression")
yield UInt16(self, "iFolder", "file control id")
yield DateTimeMSDOS32(self, "timestamp")
yield MSDOSFileAttr16(self, "attributes")
yield CString(self, "filename", charset="ASCII")
def parseFilename(self):
yield UInt64(self, "ref", "File reference to the parent directory")
yield TimestampWin64(self, "ctime", "File Creation")
yield TimestampWin64(self, "atime", "File Altered")
yield TimestampWin64(self, "mtime", "MFT Changed")
yield TimestampWin64(self, "rtime", "File Read")
yield filesizeHandler(
UInt64(self, "alloc_size", "Allocated size of the file"))
yield filesizeHandler(
UInt64(self, "real_size", "Real size of the file"))
yield UInt32(self, "file_flags")
yield UInt32(self, "file_flags2", "Used by EAs and Reparse")
yield UInt8(self, "filename_length", "Filename length in characters")
yield Enum(UInt8(self, "filename_namespace"), self.FILENAME_NAMESPACE)
size = self["filename_length"].value * 2
if size:
yield String(self, "filename", size, charset="UTF-16-LE")
def avInfoHeader(s):
yield filesizeHandler(UInt16(s, "total_size", "Total block size"))
yield UInt8(s,
"version",
"Version needed to decompress",
handler=hexadecimal)
yield UInt8(s, "method", "Compression method", handler=hexadecimal)
yield UInt8(s, "av_version", "Version for AV", handler=hexadecimal)
yield UInt32(s, "av_crc", "AV info CRC32", handler=hexadecimal)
def createFields(self):
# Gzip header
yield Bytes(self, "signature", 2, r"GZip file signature (\x1F\x8B)")
yield Enum(UInt8(self, "compression", "Compression method"),
self.COMPRESSION_NAME)
# Flags
yield Bit(self, "is_text", "File content is probably ASCII text")
yield Bit(self, "has_crc16", "Header CRC16")
yield Bit(self, "has_extra", "Extra informations (variable size)")
yield Bit(self, "has_filename", "Contains filename?")
yield Bit(self, "has_comment", "Contains comment?")
yield NullBits(self, "reserved[]", 3)
yield TimestampUnix32(self, "mtime", "Modification time")
# Extra flags
yield NullBits(self, "reserved[]", 1)
yield Bit(self, "slowest",
"Compressor used maximum compression (slowest)")
yield Bit(self, "fastest", "Compressor used the fastest compression")
yield NullBits(self, "reserved[]", 5)
yield Enum(UInt8(self, "os", "Operating system"), self.os_name)
# Optional fields
if self["has_extra"].value:
yield UInt16(self, "extra_length", "Extra length")
yield RawBytes(self, "extra", self["extra_length"].value, "Extra")
if self["has_filename"].value:
yield CString(self, "filename", "Filename", charset="ISO-8859-1")
if self["has_comment"].value:
yield CString(self, "comment", "Comment")
if self["has_crc16"].value:
yield textHandler(UInt16(self, "hdr_crc16", "CRC16 of the header"),
hexadecimal)
if self._size is None: # TODO: is it possible to handle piped input?
raise NotImplementedError()
# Read file
size = (self._size - self.current_size) // 8 - 8 # -8: crc32+size
if 0 < size:
if self["has_filename"].value:
filename = self["filename"].value
else:
for tag, filename in self.stream.tags:
if tag == "filename" and filename.endswith(".gz"):
filename = filename[:-3]
break
else:
filename = None
yield Deflate(SubFile(self, "file", size, filename=filename))
# Footer
yield textHandler(
UInt32(self, "crc32", "Uncompressed data content CRC32"),
hexadecimal)
yield filesizeHandler(UInt32(self, "size", "Uncompressed size"))
def createFields(self):
yield String(self, "name", 8, charset="ASCII", strip="\0 ")
yield filesizeHandler(UInt32(self, "mem_size", "Size in memory"))
yield textHandler(UInt32(self, "rva", "RVA (location) in memory"),
hexadecimal)
yield filesizeHandler(
UInt32(self, "phys_size", "Physical size (on disk)"))
yield filesizeHandler(
UInt32(self, "phys_off", "Physical location (on disk)"))
yield PaddingBytes(self, "reserved", 12)
# 0x0000000#
yield NullBits(self, "reserved[]", 4)
# 0x000000#0
yield NullBits(self, "reserved[]", 1)
yield Bit(self, "has_code", "Contains code")
yield Bit(self, "has_init_data", "Contains initialized data")
yield Bit(self, "has_uninit_data", "Contains uninitialized data")
# 0x00000#00
yield NullBits(self, "reserved[]", 1)
yield Bit(self, "has_comment", "Contains comments?")
yield NullBits(self, "reserved[]", 1)
yield Bit(self, "remove", "Contents will not become part of image")
# 0x0000#000
yield Bit(self, "has_comdata", "Contains comdat?")
yield NullBits(self, "reserved[]", 1)
yield Bit(
self, "no_defer_spec_exc",
"Reset speculative exceptions handling bits in the TLB entries")
yield Bit(self, "gp_rel", "Content can be accessed relative to GP")
# 0x000#0000
yield NullBits(self, "reserved[]", 4)
# 0x00#00000
yield NullBits(self, "reserved[]", 4)
# 0x0#000000
yield Bit(self, "ext_reloc", "Contains extended relocations?")
yield Bit(self, "discarded", "Can be discarded?")
yield Bit(self, "is_not_cached", "Is not cachable?")
yield Bit(self, "is_not_paged", "Is not pageable?")
# 0x#0000000
yield Bit(self, "is_shareable", "Is shareable?")
yield Bit(self, "is_executable", "Is executable?")
yield Bit(self, "is_readable", "Is readable?")
yield Bit(self, "is_writable", "Is writable?")
def createFields(self):
yield UInt32(self, "signature", "Shortcut signature (0x0000004C)")
yield GUID(self, "guid", "Shortcut GUID (00021401-0000-0000-C000-000000000046)")
yield Bit(self, "has_shell_id", "Is the Item ID List present?")
yield Bit(self, "target_is_file", "Is a file or a directory?")
yield Bit(self, "has_description", "Is the Description field present?")
yield Bit(self, "has_rel_path", "Is the relative path to the target available?")
yield Bit(self, "has_working_dir", "Is there a working directory?")
yield Bit(self, "has_cmd_line_args", "Are there any command line arguments?")
yield Bit(self, "has_custom_icon", "Is there a custom icon?")
yield Bit(self, "has_unicode_names", "Are Unicode names used?")
yield Bit(self, "force_no_linkinfo")
yield Bit(self, "has_exp_sz")
yield Bit(self, "run_in_separate")
yield Bit(self, "has_logo3id", "Is LOGO3 ID info present?")
yield Bit(self, "has_darwinid", "Is the DarwinID info present?")
yield Bit(self, "runas_user", "Is the target run as another user?")
yield Bit(self, "has_exp_icon_sz", "Is custom icon information available?")
yield Bit(self, "no_pidl_alias")
yield Bit(self, "force_unc_name")
yield Bit(self, "run_with_shim_layer")
yield PaddingBits(self, "reserved[]", 14, "Flag bits reserved for future use")
yield MSDOSFileAttr32(self, "target_attr")
yield TimestampWin64(self, "creation_time")
yield TimestampWin64(self, "modification_time")
yield TimestampWin64(self, "last_access_time")
yield filesizeHandler(UInt32(self, "target_filesize"))
yield UInt32(self, "icon_number")
yield Enum(UInt32(self, "show_window"), self.SHOW_WINDOW_STATE)
yield textHandler(UInt8(self, "hot_key", "Hot key used for quick access"),text_hot_key)
yield Bit(self, "hot_key_shift", "Hot key: is Shift used?")
yield Bit(self, "hot_key_ctrl", "Hot key: is Ctrl used?")
yield Bit(self, "hot_key_alt", "Hot key: is Alt used?")
yield PaddingBits(self, "hot_key_reserved", 21, "Hot key: (reserved)")
yield NullBytes(self, "reserved[]", 8)
if self["has_shell_id"].value:
yield ItemIdList(self, "item_idlist", "Item ID List")
if self["target_is_file"].value:
yield FileLocationInfo(self, "file_location_info", "File Location Info")
if self["has_description"].value:
yield LnkString(self, "description")
if self["has_rel_path"].value:
yield LnkString(self, "relative_path", "Relative path to target")
if self["has_working_dir"].value:
yield LnkString(self, "working_dir", "Working directory (dir to start target in)")
if self["has_cmd_line_args"].value:
yield LnkString(self, "cmd_line_args", "Command Line Arguments")
if self["has_custom_icon"].value:
yield LnkString(self, "custom_icon", "Custom Icon Path")
while not self.eof:
yield ExtraInfo(self, "extra_info[]")
def createFields(self):
yield String(self, "magic", 4, "ITSP", charset="ASCII")
yield UInt32(self, "version", "Version (=1)")
yield filesizeHandler(UInt32(self, "size", "Length (in bytes) of the directory header (84)"))
yield UInt32(self, "unknown[]", "(=10)")
yield filesizeHandler(UInt32(self, "block_size", "Directory block size"))
yield UInt32(self, "density", "Density of quickref section, usually 2")
yield UInt32(self, "index_depth", "Depth of the index tree")
yield Int32(self, "nb_dir", "Chunk number of root index chunk")
yield UInt32(self, "first_pmgl", "Chunk number of first PMGL (listing) chunk")
yield UInt32(self, "last_pmgl", "Chunk number of last PMGL (listing) chunk")
yield Int32(self, "unknown[]", "-1")
yield UInt32(self, "nb_dir_chunk", "Number of directory chunks (total)")
yield Enum(UInt32(self, "lang_id", "Windows language ID"), LANGUAGE_ID)
yield GUID(self, "system_uuid", "{5D02926A-212E-11D0-9DF9-00A0C922E6EC}")
yield filesizeHandler(UInt32(self, "size2", "Same value than size"))
yield Int32(self, "unknown[]", "-1")
yield Int32(self, "unknown[]", "-1")
yield Int32(self, "unknown[]", "-1")
def createFields(self):
yield String(self, "signature", 4, "Signature (FORM)", charset="ASCII")
yield filesizeHandler(UInt32(self, "filesize"))
yield String(self,
"type",
4,
"Form type (AIFF or AIFC)",
charset="ASCII")
while not self.eof:
yield Chunk(self, "chunk[]")
def createFields(self):
yield GUID(self, "guid")
yield filesizeHandler(UInt64(self, "size"))
size = self["size"].value - self.current_size/8
if 0 < size:
if self.handler:
yield self.handler(self, "content", size=size*8)
else:
yield RawBytes(self, "content", size)
def createFields(self):
yield GUID(self, "guid")
yield filesizeHandler(UInt64(self, "size"))
size = self["size"].value - self.current_size / 8
if 0 < size:
if self.handler:
yield self.handler(self, "content", size=size * 8)
else:
yield RawBytes(self, "content", size)
def fileHeader(self):
yield filesizeHandler(UInt32(self, "compressed_size", "Size of the compressed file"))
yield filesizeHandler(UInt32(self, "uncompressed_size", "Uncompressed file size"))
yield TimeDateMSDOS32(self, "ftime", "Date and time (MS DOS format)")
if self["/header/host_os"].value in (OS_MSDOS, OS_WIN32):
yield MSDOSFileAttr32(self, "file_attr", "File attributes")
else:
yield textHandler(UInt32(self, "file_attr", "File attributes"), hexadecimal)
yield textHandler(UInt32(self, "file_crc32", "CRC32 checksum over the compressed file)"), hexadecimal)
yield Enum(UInt8(self, "compression_type", "Type of compression"), COMPRESSION_TYPE)
yield Enum(UInt8(self, "compression_mode", "Quality of compression"), COMPRESSION_MODE)
yield textHandler(UInt16(self, "parameters", "Compression parameters"), hexadecimal)
yield textHandler(UInt16(self, "reserved", "Reserved data"), hexadecimal)
# Filename
yield PascalString16(self, "filename", "Filename")
# Comment
if self["flags/has_comment"].value:
yield filesizeHandler(UInt16(self, "comment_size", "Size of the compressed comment"))
if self["comment_size"].value > 0:
yield RawBytes(self, "comment_data", self["comment_size"].value, "Comment data")
def createFields(self):
yield String(self, "magic", 4, "PMGI", charset="ASCII")
yield filesizeHandler(UInt32(self, "free_space",
"Length of free space and/or quickref area at end of directory chunk"))
stop = self.size - self["free_space"].value * 8
while self.current_size < stop:
yield PMGI_Entry(self, "entry[]")
padding = (self.size - self.current_size) // 8
if padding:
yield PaddingBytes(self, "padding", padding)
def createFields(self):
yield String(self, "type", 4, "Signature (FORM)", charset="ASCII")
yield filesizeHandler(UInt32(self, "size"))
size = self["size"].value
if size:
if self._parser:
for field in self._parser(self):
yield field
if size % 2:
yield NullBytes(self, "padding", 1)
else:
yield RawBytes(self, "data", size)
def createFields(self):
yield String(self, "magic", 4, "PMGI", charset="ASCII")
yield filesizeHandler(UInt32(self, "free_space",
"Length of free space and/or quickref area at end of directory chunk"))
stop = self.size - self["free_space"].value * 8
while self.current_size < stop:
yield PMGI_Entry(self, "entry[]")
padding = (self.size - self.current_size) // 8
if padding:
yield PaddingBytes(self, "padding", padding)
def createFields(self):
yield String(self, "type", 4, "Signature (FORM)", charset="ASCII")
yield filesizeHandler(UInt32(self, "size"))
size = self["size"].value
if size:
if self._parser:
for field in self._parser(self):
yield field
if size % 2:
yield NullBytes(self, "padding", 1)
else:
yield RawBytes(self, "data", size)
def specialHeader(s, is_file):
yield filesizeHandler(
UInt32(s, "compressed_size", "Compressed size (bytes)"))
yield filesizeHandler(
UInt32(s, "uncompressed_size", "Uncompressed size (bytes)"))
yield Enum(UInt8(s, "host_os", "Operating system used for archiving"),
OS_NAME)
yield textHandler(UInt32(s, "crc32", "File CRC32"), hexadecimal)
yield TimeDateMSDOS32(s, "ftime", "Date and time (MS DOS format)")
yield textHandler(
UInt8(s, "version", "RAR version needed to extract file"),
formatRARVersion)
yield Enum(UInt8(s, "method", "Packing method"), COMPRESSION_NAME)
yield filesizeHandler(UInt16(s, "filename_length", "File name size"))
if s["host_os"].value in (OS_MSDOS, OS_WIN32):
yield MSDOSFileAttr32(s, "file_attr", "File attributes")
else:
yield textHandler(UInt32(s, "file_attr", "File attributes"),
hexadecimal)
# Start additional field from unrar
if s["flags/is_large"].value:
yield filesizeHandler(
UInt64(s, "large_size", "Extended 64bits filesize"))
# End additional field
size = s["filename_length"].value
if size > 0:
if s["flags/is_unicode"].value:
charset = "UTF-8"
else:
charset = "ISO-8859-15"
yield String(s, "filename", size, "Filename", charset=charset)
# Start additional fields from unrar - file only
if is_file:
if s["flags/has_salt"].value:
yield RawBytes(s, "salt", 8,
"Encryption salt to increase security")
if s["flags/has_ext_time"].value:
yield ExtTime(s, "extra_time")
def createFields(self):
# Gzip header
yield Bytes(self, "signature", 2, r"GZip file signature (\x1F\x8B)")
yield Enum(UInt8(self, "compression", "Compression method"), self.COMPRESSION_NAME)
# Flags
yield Bit(self, "is_text", "File content is probably ASCII text")
yield Bit(self, "has_crc16", "Header CRC16")
yield Bit(self, "has_extra", "Extra informations (variable size)")
yield Bit(self, "has_filename", "Contains filename?")
yield Bit(self, "has_comment", "Contains comment?")
yield NullBits(self, "reserved[]", 3)
yield TimestampUnix32(self, "mtime", "Modification time")
# Extra flags
yield NullBits(self, "reserved[]", 1)
yield Bit(self, "slowest", "Compressor used maximum compression (slowest)")
yield Bit(self, "fastest", "Compressor used the fastest compression")
yield NullBits(self, "reserved[]", 5)
yield Enum(UInt8(self, "os", "Operating system"), self.os_name)
# Optional fields
if self["has_extra"].value:
yield UInt16(self, "extra_length", "Extra length")
yield RawBytes(self, "extra", self["extra_length"].value, "Extra")
if self["has_filename"].value:
yield CString(self, "filename", "Filename", charset="ISO-8859-1")
if self["has_comment"].value:
yield CString(self, "comment", "Comment")
if self["has_crc16"].value:
yield textHandler(UInt16(self, "hdr_crc16", "CRC16 of the header"), hexadecimal)
if self._size is None: # TODO: is it possible to handle piped input?
raise NotImplementedError()
# Read file
size = (self._size - self.current_size) // 8 - 8 # -8: crc32+size
if 0 < size:
if self["has_filename"].value:
filename = self["filename"].value
else:
for tag, filename in self.stream.tags:
if tag == "filename" and filename.endswith(".gz"):
filename = filename[:-3]
break
else:
filename = None
yield Deflate(SubFile(self, "file", size, filename=filename))
# Footer
yield textHandler(UInt32(self, "crc32", "Uncompressed data content CRC32"), hexadecimal)
yield filesizeHandler(UInt32(self, "size", "Uncompressed size"))
def createFields(self):
yield filesizeHandler(UInt32(self, "size"))
yield Enum(Int32(self, "format"), self.FORMAT_NAME)
if self["format"].value == self.FORMAT_CLIPBOARD:
yield Enum(UInt32(self, "dib_format"), self.DIB_FORMAT)
if self["dib_format"].value == self.DIB_BMP:
yield BmpHeader(self, "bmp_header")
size = (self.size - self.current_size) // 8
yield parseImageData(self, "pixels", size, self["bmp_header"])
return
size = (self.size - self.current_size) // 8
if size:
yield RawBytes(self, "data", size)
def createFields(self):
yield filesizeHandler(UInt32(self, "size"))
yield Enum(Int32(self, "format"), self.FORMAT_NAME)
if self["format"].value == self.FORMAT_CLIPBOARD:
yield Enum(UInt32(self, "dib_format"), self.DIB_FORMAT)
if self["dib_format"].value == self.DIB_BMP:
yield BmpHeader(self, "bmp_header")
size = (self.size - self.current_size) // 8
yield parseImageData(self, "pixels", size, self["bmp_header"])
return
size = (self.size - self.current_size) // 8
if size:
yield RawBytes(self, "data", size)
def createFields(self):
yield String(self, "name", 8, charset="ASCII", strip="\0 ")
yield filesizeHandler(UInt32(self, "mem_size", "Size in memory"))
yield textHandler(UInt32(self, "rva", "RVA (location) in memory"), hexadecimal)
yield filesizeHandler(UInt32(self, "phys_size", "Physical size (on disk)"))
yield filesizeHandler(UInt32(self, "phys_off", "Physical location (on disk)"))
yield PaddingBytes(self, "reserved", 12)
# 0x0000000#
yield NullBits(self, "reserved[]", 4)
# 0x000000#0
yield NullBits(self, "reserved[]", 1)
yield Bit(self, "has_code", "Contains code")
yield Bit(self, "has_init_data", "Contains initialized data")
yield Bit(self, "has_uninit_data", "Contains uninitialized data")
# 0x00000#00
yield NullBits(self, "reserved[]", 1)
yield Bit(self, "has_comment", "Contains comments?")
yield NullBits(self, "reserved[]", 1)
yield Bit(self, "remove", "Contents will not become part of image")
# 0x0000#000
yield Bit(self, "has_comdata", "Contains comdat?")
yield NullBits(self, "reserved[]", 1)
yield Bit(self, "no_defer_spec_exc", "Reset speculative exceptions handling bits in the TLB entries")
yield Bit(self, "gp_rel", "Content can be accessed relative to GP")
# 0x000#0000
yield NullBits(self, "reserved[]", 4)
# 0x00#00000
yield NullBits(self, "reserved[]", 4)
# 0x0#000000
yield Bit(self, "ext_reloc", "Contains extended relocations?")
yield Bit(self, "discarded", "Can be discarded?")
yield Bit(self, "is_not_cached", "Is not cachable?")
yield Bit(self, "is_not_paged", "Is not pageable?")
# 0x#0000000
yield Bit(self, "is_shareable", "Is shareable?")
yield Bit(self, "is_executable", "Is executable?")
yield Bit(self, "is_readable", "Is readable?")
yield Bit(self, "is_writable", "Is writable?")
def parseStandardInfo(self):
yield TimestampWin64(self, "ctime", "File Creation")
yield TimestampWin64(self, "atime", "File Altered")
yield TimestampWin64(self, "mtime", "MFT Changed")
yield TimestampWin64(self, "rtime", "File Read")
yield MSDOSFileAttr32(self, "file_attr", "DOS File Permissions")
yield UInt32(self, "max_version", "Maximum Number of Versions")
yield UInt32(self, "version", "Version Number")
yield UInt32(self, "class_id")
yield UInt32(self, "owner_id")
yield UInt32(self, "security_id")
yield filesizeHandler(UInt64(self, "quota_charged", "Quota Charged"))
yield UInt64(self, "usn", "Update Sequence Number (USN)")
def createFields(self):
yield filesizeHandler(UInt32(self, "filesize", "Uncompressed file size"))
yield UInt32(self, "folder_offset", "File offset in uncompressed folder")
yield Enum(UInt16(self, "folder_index", "Containing folder ID (index)"), {
0xFFFD:"Folder continued from previous cabinet (real folder ID = 0)",
0xFFFE:"Folder continued to next cabinet (real folder ID = %i)" % (self["../nb_folder"].value - 1),
0xFFFF:"Folder spanning previous, current and next cabinets (real folder ID = 0)"})
yield DateTimeMSDOS32(self, "timestamp")
yield CabFileAttributes(self, "attributes")
if self["attributes/name_is_utf"].value:
yield CString(self, "filename", charset="UTF-8")
else:
yield CString(self, "filename", charset="ASCII")
def parseStandardInfo(self):
yield TimestampWin64(self, "ctime", "File Creation")
yield TimestampWin64(self, "atime", "File Altered")
yield TimestampWin64(self, "mtime", "MFT Changed")
yield TimestampWin64(self, "rtime", "File Read")
yield MSDOSFileAttr32(self, "file_attr", "DOS File Permissions")
yield UInt32(self, "max_version", "Maximum Number of Versions")
yield UInt32(self, "version", "Version Number")
yield UInt32(self, "class_id")
yield UInt32(self, "owner_id")
yield UInt32(self, "security_id")
yield filesizeHandler(UInt64(self, "quota_charged", "Quota Charged"))
yield UInt64(self, "usn", "Update Sequence Number (USN)")
def createFields(self):
yield String(self, "magic", 4)
yield String(self, "version", 4, strip='\0')
yield textHandler(UInt32(self, "checksum"), hexadecimal)
yield RawBytes(self,
"signature",
20,
description="SHA1 sum over all subsequent data")
yield filesizeHandler(UInt32(self, "filesize"))
yield UInt32(self, "size", description="Header size")
self._size = self['size'].value * 8
yield textHandler(UInt32(self, "endian"), hexadecimal)
yield UInt32(self, "link_count")
yield UInt32(self, "link_offset")
yield UInt32(self, "map_offset", description="offset to map footer")
yield UInt32(self,
"string_count",
description="number of entries in string table")
yield UInt32(self,
"string_offset",
description="offset to string table")
yield UInt32(self,
"type_desc_count",
description="number of entries in type descriptor table")
yield UInt32(self,
"type_desc_offset",
description="offset to type descriptor table")
yield UInt32(
self,
"meth_desc_count",
description="number of entries in method descriptor table")
yield UInt32(self,
"meth_desc_offset",
description="offset to method descriptor table")
yield UInt32(self,
"field_count",
description="number of entries in field table")
yield UInt32(self, "field_offset", description="offset to field table")
yield UInt32(self,
"method_count",
description="number of entries in method table")
yield UInt32(self,
"method_offset",
description="offset to method table")
yield UInt32(self,
"class_count",
description="number of entries in class table")
yield UInt32(self, "class_offset", description="offset to class table")
yield UInt32(self, "data_size", description="size of data region")
yield UInt32(self, "data_offset", description="offset to data region")
def createFields(self):
yield String(self, "signature", 4, 'Format signature (".snd")', charset="ASCII")
yield UInt32(self, "data_ofs", "Data offset")
yield filesizeHandler(UInt32(self, "data_size", "Data size"))
yield Enum(UInt32(self, "codec", "Audio codec"), self.CODEC_NAME)
yield displayHandler(UInt32(self, "sample_rate", "Number of samples/second"), humanFrequency)
yield UInt32(self, "channels", "Number of interleaved channels")
size = self["data_ofs"].value - self.current_size // 8
if 0 < size:
yield String(self, "info", size, "Information", strip=" \0", charset="ISO-8859-1")
size = min(self["data_size"].value, (self.size - self.current_size) // 8)
yield RawBytes(self, "audio_data", size, "Audio data")
def createFields(self):
yield String(self, "signature", 4, "AVI header (RIFF)", charset="ASCII")
yield filesizeHandler(UInt32(self, "filesize", "File size"))
yield String(self, "type", 4, "Content type (\"AVI \", \"WAVE\", ...)", charset="ASCII")
# Choose chunk type depending on file type
try:
chunk_cls = self.VALID_TYPES[self["type"].value][0]
except KeyError:
chunk_cls = Chunk
# Parse all chuks
while not self.eof:
yield chunk_cls(self, "chunk[]")
def newRecoveryHeader(self):
"""
This header is described nowhere
"""
if self["flags/extend"].value:
yield filesizeHandler(UInt32(self, "body_size", "Size of the unknown body following"))
self.body_size = self["body_size"].value
yield textHandler(UInt32(self, "unknown[]", "Unknown field, probably 0"),
hexadecimal)
yield String(self, "signature", 7, "Signature, normally '**ACE**'")
yield textHandler(UInt32(self, "relative_start",
"Offset (=crc16's) of this block in the file"), hexadecimal)
yield textHandler(UInt32(self, "unknown[]",
"Unknown field, probably 0"), hexadecimal)
def createFields(self):
bytes = self.stream.readBytes(self.absolute_address, 4)
if bytes == "\0R\0\0":
charset = "UTF-16-BE"
else:
charset = "UTF-16-LE"
yield String(self, "name", 64, charset=charset, truncate="\0")
yield UInt16(self, "namelen", "Length of the name")
yield Enum(UInt8(self, "type", "Property type"), self.TYPE_NAME)
yield Enum(UInt8(self, "decorator", "Decorator"), self.DECORATOR_NAME)
yield SECT(self, "left")
yield SECT(self, "right")
yield SECT(self, "child", "Child node (valid for storage and root types)")
yield GUID(self, "clsid", "CLSID of this storage (valid for storage and root types)")
yield NullBytes(self, "flags", 4, "User flags")
yield TimestampWin64(self, "creation", "Creation timestamp(valid for storage and root types)")
yield TimestampWin64(self, "lastmod", "Modify timestamp (valid for storage and root types)")
yield SECT(self, "start", "Starting SECT of the stream (valid for stream and root types)")
if self["/header/bb_shift"].value == 9:
yield filesizeHandler(UInt32(self, "size", "Size in bytes (valid for stream and root types)"))
yield NullBytes(self, "padding", 4)
else:
yield filesizeHandler(UInt64(self, "size", "Size in bytes (valid for stream and root types)"))
def recoveryHeader(self):
yield filesizeHandler(UInt32(self, "rec_blk_size", "Size of recovery data"))
self.body_size = self["rec_blk_size"].size
yield String(self, "signature", 7, "Signature, normally '**ACE**'")
yield textHandler(UInt32(self, "relative_start",
"Relative start (to this block) of the data this block is mode of"),
hexadecimal)
yield UInt32(self, "num_blocks", "Number of blocks the data is split into")
yield UInt32(self, "size_blocks", "Size of these blocks")
yield UInt16(self, "crc16_blocks", "CRC16 over recovery data")
# size_blocks blocks of size size_blocks follow
# The ultimate data is the xor data of all those blocks
size = self["size_blocks"].value
for index in xrange(self["num_blocks"].value):
yield RawBytes(self, "data[]", size, "Recovery block %i" % index)
yield RawBytes(self, "xor_data", size, "The XOR value of the above data blocks")
def newRecoveryHeader(self):
"""
This header is described nowhere
"""
if self["flags/extend"].value:
yield filesizeHandler(
UInt32(self, "body_size", "Size of the unknown body following"))
self.body_size = self["body_size"].value
yield textHandler(UInt32(self, "unknown[]", "Unknown field, probably 0"),
hexadecimal)
yield String(self, "signature", 7, "Signature, normally '**ACE**'")
yield textHandler(
UInt32(self, "relative_start",
"Offset (=crc16's) of this block in the file"), hexadecimal)
yield textHandler(UInt32(self, "unknown[]", "Unknown field, probably 0"),
hexadecimal)
