def createFields(self):
yield textHandler(
UInt32(self, "magic", "File information magic (0xFEEF04BD)"),
hexadecimal)
if self["magic"].value != 0xFEEF04BD:
raise ParserError("EXE resource: invalid file info magic")
yield Version(self, "struct_ver", "Structure version (1.0)")
yield Version(self, "file_ver_ms", "File version MS")
yield Version(self, "file_ver_ls", "File version LS")
yield Version(self, "product_ver_ms", "Product version MS")
yield Version(self, "product_ver_ls", "Product version LS")
yield textHandler(UInt32(self, "file_flags_mask"), hexadecimal)
yield Bit(self, "debug")
yield Bit(self, "prerelease")
yield Bit(self, "patched")
yield Bit(self, "private_build")
yield Bit(self, "info_inferred")
yield Bit(self, "special_build")
yield NullBits(self, "reserved", 26)
yield Enum(textHandler(UInt16(self, "file_os_major"), hexadecimal),
MAJOR_OS_NAME)
yield Enum(textHandler(UInt16(self, "file_os_minor"), hexadecimal),
MINOR_OS_NAME)
yield Enum(textHandler(UInt32(self, "file_type"), hexadecimal),
FILETYPE_NAME)
field = textHandler(UInt32(self, "file_subfile"), hexadecimal)
if field.value == FILETYPE_DRIVER:
field = Enum(field, DRIVER_SUBTYPE_NAME)
elif field.value == FILETYPE_FONT:
field = Enum(field, FONT_SUBTYPE_NAME)
yield field
yield TimestampUnix32(self, "date_ms")
yield TimestampUnix32(self, "date_ls")
def createFields(self):
yield UInt32(self, "inodes_count", "Inodes count")
yield UInt32(self, "blocks_count", "Blocks count")
yield UInt32(self, "r_blocks_count", "Reserved blocks count")
yield UInt32(self, "free_blocks_count", "Free blocks count")
yield UInt32(self, "free_inodes_count", "Free inodes count")
yield UInt32(self, "first_data_block", "First data block")
yield UInt32(self, "log_block_size", "Block size")
yield UInt32(self, "log_frag_size", "Fragment size")
yield UInt32(self, "blocks_per_group", "Blocks per group")
yield UInt32(self, "frags_per_group", "Fragments per group")
yield UInt32(self, "inodes_per_group", "Inodes per group")
yield TimestampUnix32(self, "mtime", "Mount time")
yield TimestampUnix32(self, "wtime", "Write time")
yield UInt16(self, "mnt_count", "Mount count")
yield UInt16(self, "max_mnt_count", "Max mount count")
yield String(self, "magic", 2, "Magic number (0x53EF)")
yield Enum(UInt16(self, "state", "File system state"), self.state_desc)
yield Enum(UInt16(self, "errors", "Behaviour when detecting errors"),
self.error_handling_desc)
yield UInt16(self, "minor_rev_level", "Minor revision level")
yield TimestampUnix32(self, "last_check", "Time of last check")
yield textHandler(
UInt32(self, "check_interval", "Maximum time between checks"),
self.postMaxTime)
yield Enum(UInt32(self, "creator_os", "Creator OS"), self.os_name)
yield UInt32(self, "rev_level", "Revision level")
yield UInt16(self, "def_resuid", "Default uid for reserved blocks")
yield UInt16(self, "def_resgid", "Default gid for reserved blocks")
yield UInt32(self, "first_ino", "First non-reserved inode")
yield UInt16(self, "inode_size", "Size of inode structure")
yield UInt16(self, "block_group_nr",
"Block group # of this superblock")
yield UInt32(self, "feature_compat", "Compatible feature set")
yield UInt32(self, "feature_incompat", "Incompatible feature set")
yield UInt32(self, "feature_ro_compat",
"Read-only compatible feature set")
yield RawBytes(self, "uuid", 16, "128-bit uuid for volume")
yield String(self, "volume_name", 16, "Volume name", strip="\0")
yield String(self,
"last_mounted",
64,
"Directory where last mounted",
strip="\0")
yield UInt32(self, "compression",
"For compression (algorithm usage bitmap)")
yield UInt8(self, "prealloc_blocks",
"Number of blocks to try to preallocate")
yield UInt8(self, "prealloc_dir_blocks",
"Number to preallocate for directories")
yield UInt16(self, "padding", "Padding")
yield String(self, "journal_uuid", 16, "uuid of journal superblock")
yield UInt32(self, "journal_inum", "inode number of journal file")
yield UInt32(self, "journal_dev", "device number of journal file")
yield UInt32(self, "last_orphan", "start of list of inodes to delete")
yield RawBytes(self, "reserved", 197, "Reserved")
def createFields(self):
# File mode
yield Bit(self, "other_exec")
yield Bit(self, "other_write")
yield Bit(self, "other_read")
yield Bit(self, "group_exec")
yield Bit(self, "group_write")
yield Bit(self, "group_read")
yield Bit(self, "owner_exec")
yield Bit(self, "owner_write")
yield Bit(self, "owner_read")
yield Bit(self, "sticky")
yield Bit(self, "setgid")
yield Bit(self, "setuid")
yield Enum(Bits(self, "file_type", 4), self.file_type)
yield UInt16(self, "uid", "User ID")
yield UInt32(self, "size", "File size (in bytes)")
yield TimestampUnix32(self, "atime", "Last access time")
yield TimestampUnix32(self, "ctime", "Creation time")
yield TimestampUnix32(self, "mtime", "Last modification time")
yield TimestampUnix32(self, "dtime", "Delete time")
yield UInt16(self, "gid", "Group ID")
yield UInt16(self, "links_count", "Links count")
yield UInt32(self, "blocks", "Number of blocks")
yield UInt32(self, "flags", "Flags")
yield NullBytes(self, "reserved[]", 4, "Reserved")
for index in xrange(15):
yield UInt32(self, "block[]")
yield UInt32(self, "version", "Version")
yield UInt32(self, "file_acl", "File ACL")
yield UInt32(self, "dir_acl", "Directory ACL")
yield UInt32(self, "faddr",
"Block where the fragment of the file resides")
os = self["/superblock/creator_os"].value
if os == SuperBlock.OS_LINUX:
yield UInt8(self, "frag", "Number of fragments in the block")
yield UInt8(self, "fsize", "Fragment size")
yield UInt16(self, "padding", "Padding")
yield UInt16(self, "uid_high", "High 16 bits of user ID")
yield UInt16(self, "gid_high", "High 16 bits of group ID")
yield NullBytes(self, "reserved[]", 4, "Reserved")
elif os == SuperBlock.OS_HURD:
yield UInt8(self, "frag", "Number of fragments in the block")
yield UInt8(self, "fsize", "Fragment size")
yield UInt16(self, "mode_high", "High 16 bits of mode")
yield UInt16(self, "uid_high", "High 16 bits of user ID")
yield UInt16(self, "gid_high", "High 16 bits of group ID")
yield UInt32(self, "author", "Author ID (?)")
else:
yield RawBytes(self, "raw", 12, "Reserved")
def createFields(self):
yield NullBytes(self, "options", 4)
yield TimestampUnix32(self, "creation_date")
yield UInt16(self, "maj_ver", "Major version")
yield UInt16(self, "min_ver", "Minor version")
yield UInt16(self, "nb_name", "Number of named entries")
yield UInt16(self, "nb_index", "Number of indexed entries")
def createFields(self):
yield Bytes(self, "header", 4, r"PE header signature (PE\0\0)")
if self["header"].value != "PE\0\0":
raise ParserError("Invalid PE header signature")
yield Enum(UInt16(self, "cpu", "CPU type"), self.cpu_name)
yield UInt16(self, "nb_section", "Number of sections")
yield TimestampUnix32(self, "creation_date", "Creation date")
yield UInt32(self, "ptr_to_sym", "Pointer to symbol table")
yield UInt32(self, "nb_symbols", "Number of symbols")
yield UInt16(self, "opt_hdr_size", "Optional header size")
yield Bit(self, "reloc_stripped",
"If true, don't contain base relocations.")
yield Bit(self, "exec_image", "Executable image?")
yield Bit(self, "line_nb_stripped", "COFF line numbers stripped?")
yield Bit(self, "local_sym_stripped",
"COFF symbol table entries stripped?")
yield Bit(self, "aggr_ws", "Aggressively trim working set")
yield Bit(self, "large_addr",
"Application can handle addresses greater than 2 GB")
yield NullBits(self, "reserved", 1)
yield Bit(self, "reverse_lo",
"Little endian: LSB precedes MSB in memory")
yield Bit(self, "32bit", "Machine based on 32-bit-word architecture")
yield Bit(self, "is_stripped", "Debugging information removed?")
yield Bit(
self, "swap",
"If image is on removable media, copy and run from swap file")
yield PaddingBits(self, "reserved2", 1)
yield Bit(self, "is_system", "It's a system file")
yield Bit(self, "is_dll", "It's a dynamic-link library (DLL)")
yield Bit(self, "up", "File should be run only on a UP machine")
yield Bit(self, "reverse_hi", "Big endian: MSB precedes LSB in memory")
def createFields(self):
# Gzip header
yield Bytes(self, "signature", 2, r"GZip file signature (\x1F\x8B)")
yield Enum(UInt8(self, "compression", "Compression method"),
self.COMPRESSION_NAME)
# Flags
yield Bit(self, "is_text", "File content is probably ASCII text")
yield Bit(self, "has_crc16", "Header CRC16")
yield Bit(self, "has_extra", "Extra informations (variable size)")
yield Bit(self, "has_filename", "Contains filename?")
yield Bit(self, "has_comment", "Contains comment?")
yield NullBits(self, "reserved[]", 3)
yield TimestampUnix32(self, "mtime", "Modification time")
# Extra flags
yield NullBits(self, "reserved[]", 1)
yield Bit(self, "slowest",
"Compressor used maximum compression (slowest)")
yield Bit(self, "fastest", "Compressor used the fastest compression")
yield NullBits(self, "reserved[]", 5)
yield Enum(UInt8(self, "os", "Operating system"), self.os_name)
# Optional fields
if self["has_extra"].value:
yield UInt16(self, "extra_length", "Extra length")
yield RawBytes(self, "extra", self["extra_length"].value, "Extra")
if self["has_filename"].value:
yield CString(self, "filename", "Filename", charset="ISO-8859-1")
if self["has_comment"].value:
yield CString(self, "comment", "Comment")
if self["has_crc16"].value:
yield textHandler(UInt16(self, "hdr_crc16", "CRC16 of the header"),
hexadecimal)
if self._size is None: # TODO: is it possible to handle piped input?
raise NotImplementedError()
# Read file
size = (self._size - self.current_size) // 8 - 8 # -8: crc32+size
if 0 < size:
if self["has_filename"].value:
filename = self["filename"].value
else:
for tag, filename in self.stream.tags:
if tag == "filename" and filename.endswith(".gz"):
filename = filename[:-3]
break
else:
filename = None
yield Deflate(SubFile(self, "file", size, filename=filename))
# Footer
yield textHandler(
UInt32(self, "crc32", "Uncompressed data content CRC32"),
hexadecimal)
yield filesizeHandler(UInt32(self, "size", "Uncompressed size"))
def createFields(self):
yield TimestampUnix32(self, "ts_epoch", "Timestamp (Epoch)")
yield UInt32(self, "ts_nanosec", "Timestamp (nano second)")
yield UInt32(self, "caplen", "length of portion present")
yield UInt32(self, "len", "length this packet (off wire)")
# Read different layers
field = self._first_parser(self, self._first_name)
while field:
yield field
field = field.parseNext(self)
# Read data if any
size = (self.size - self.current_size) // 8
if size:
yield RawBytes(self, "data", size)
def createFields(self):
yield Enum(
Bytes(self, "signature", 4, "Python file signature and version"),
self.STR_MAGIC)
yield TimestampUnix32(self, "timestamp", "Timestamp")
yield Object(self, "content")