def parse_Compound_File(file_to_parse): file_object = open(file_to_parse, "rb") olecf_file = pyolecf.file() olecf_file.open_file_object(file_object) SQLitedb.CreateTempTable(table_name + '_temp', table_columns) root_item = olecf_file.get_root_item() Base_Name = ntpath.basename(file_to_parse) (File_Name, Extension) = ntpath.splitext(Base_Name) if (App_Id.CheckAppId(File_Name)): App_Id_Desc = App_Id.SelectAppId(File_Name)[0] else: App_Id_Desc = File_Name for i in range(0, root_item.get_number_of_sub_items()): jl_record = [] jl_record.append(File_Name) jl_record.append(App_Id_Desc) new_item = root_item.get_sub_item(i) jl_record.append(new_item.get_name()) if new_item.get_name() == u'DestList': continue new_link_item = pylnk.file() new_link_item.open_file_object(new_item) jl_record = Create_Bind_Values(jl_record, new_link_item) SQLitedb.InsertBindValues(table_name + '_temp', sql_ins_columns, sql_bind, jl_record) if (SQLitedb.TableExists(table_name)): SQLitedb.AppendTempToPermanentTable(table_name) else: SQLitedb.CreatePermanentTable(table_name) SQLitedb.DropTable(table_name + '_temp')
def ParseFileObject(self, parser_mediator, file_object): """Parses an OLE Compound File (OLECF) file-like object. Args: parser_mediator (ParserMediator): mediates interactions between parsers and other components, such as storage and dfvfs. file_object (dfvfs.FileIO): file-like object. """ olecf_file = pyolecf.file() olecf_file.set_ascii_codepage(parser_mediator.codepage) try: olecf_file.open_file_object(file_object) except IOError as exception: parser_mediator.ProduceExtractionWarning( 'unable to open file with error: {0!s}'.format(exception)) return root_item = olecf_file.root_item if not root_item: return # Get a list of all items in the root item from the OLECF file. item_names = [item.name for item in root_item.sub_items] # Compare the list of available plugin objects. # We will try to use every plugin against the file (except # the default plugin) and run it. Only if none of the plugins # works will we use the default plugin. item_names = frozenset(item_names) try: for plugin in self._plugins: if parser_mediator.abort: break if not plugin.REQUIRED_ITEMS.issubset(item_names): continue try: plugin.UpdateChainAndProcess(parser_mediator, root_item=root_item) except Exception as exception: # pylint: disable=broad-except parser_mediator.ProduceExtractionWarning(( 'plugin: {0:s} unable to parse OLECF file with error: ' '{1!s}').format(plugin.NAME, exception)) if self._default_plugin and not parser_mediator.abort: try: self._default_plugin.UpdateChainAndProcess( parser_mediator, root_item=root_item) except Exception as exception: # pylint: disable=broad-except parser_mediator.ProduceExtractionWarning(( 'plugin: {0:s} unable to parse OLECF file with error: ' '{1!s}').format(self._default_plugin.NAME, exception)) finally: olecf_file.close()
def pyolecf_test_multi_open_close_file(filename, mode): """Tests multiple open and close.""" description = ("Testing multi open close of: {0:s} with access: {1:s}" "\t").format(get_filename_string(filename), get_mode_string(mode)) print(description, end="") error_string = None result = True try: olecf_file = pyolecf.file() olecf_file.open(filename, mode) olecf_file.close() olecf_file.open(filename, mode) olecf_file.close() except Exception as exception: error_string = str(exception) result = False if not result: print("(FAIL)") else: print("(PASS)") if error_string: print(error_string) return result
def test_open_close(self): """Tests the open and close functions.""" if not unittest.source: return olecf_file = pyolecf.file() # Test open and close. olecf_file.open(unittest.source) olecf_file.close() # Test open and close a second time to validate clean up on close. olecf_file.open(unittest.source) olecf_file.close() file_object = open(unittest.source, "rb") # Test open_file_object and close. olecf_file.open_file_object(file_object) olecf_file.close() # Test open_file_object and close a second time to validate clean up on close. olecf_file.open_file_object(file_object) olecf_file.close() # Test open_file_object and close and dereferencing file_object. olecf_file.open_file_object(file_object) del file_object olecf_file.close()
def pyolecf_test_single_open_close_file_object_with_dereference( filename, mode): """Tests single file-like object open and close with dereference.""" description = ( "Testing single open close of file-like object with dereference of: " "{0:s} with access: {1:s}\t").format( get_filename_string(filename), get_mode_string(mode)) print(description, end="") error_string = None result = True try: file_object = open(filename, "rb") olecf_file = pyolecf.file() olecf_file.open_file_object(file_object, mode) del file_object olecf_file.close() except Exception as exception: error_string = str(exception) result = False if not result: print("(FAIL)") else: print("(PASS)") if error_string: print(error_string) return result
def ParseFileObject(self, parser_mediator, file_object): """Parses an OLE Compound File (OLECF) file-like object. Args: parser_mediator (ParserMediator): mediates interactions between parsers and other components, such as storage and dfvfs. file_object (dfvfs.FileIO): file-like object. """ olecf_file = pyolecf.file() olecf_file.set_ascii_codepage(parser_mediator.codepage) try: olecf_file.open_file_object(file_object) except (IOError, TypeError) as exception: parser_mediator.ProduceExtractionWarning( 'unable to open file with error: {0!s}'.format(exception)) return root_item = olecf_file.root_item if not root_item: return # Get a list of all items in the root item from the OLECF file. item_names = [item.name for item in root_item.sub_items] # Compare the list of available plugin objects. # We will try to use every plugin against the file (except # the default plugin) and run it. Only if none of the plugins # works will we use the default plugin. item_names = frozenset(item_names) try: for plugin in self._plugins: if parser_mediator.abort: break if not plugin.REQUIRED_ITEMS.issubset(item_names): continue try: plugin.UpdateChainAndProcess(parser_mediator, root_item=root_item) except Exception as exception: # pylint: disable=broad-except parser_mediator.ProduceExtractionWarning(( 'plugin: {0:s} unable to parse OLECF file with error: ' '{1!s}').format(plugin.NAME, exception)) if self._default_plugin and not parser_mediator.abort: try: self._default_plugin.UpdateChainAndProcess( parser_mediator, root_item=root_item) except Exception as exception: # pylint: disable=broad-except parser_mediator.ProduceExtractionWarning(( 'plugin: {0:s} unable to parse OLECF file with error: ' '{1!s}').format(self._default_plugin.NAME, exception)) finally: olecf_file.close()
def pyolecf_test_multi_open_close_file(filename, mode): """Tests multiple open and close.""" description = ( "Testing multi open close of: {0:s} with access: {1:s}" "\t").format(get_filename_string(filename), get_mode_string(mode)) print(description, end="") error_string = None result = True try: olecf_file = pyolecf.file() olecf_file.open(filename, mode) olecf_file.close() olecf_file.open(filename, mode) olecf_file.close() except Exception as exception: error_string = str(exception) result = False if not result: print("(FAIL)") else: print("(PASS)") if error_string: print(error_string) return result
def pyolecf_test_single_open_close_file_object_with_dereference( filename, mode): """Tests single file-like object open and close with dereference.""" description = ( "Testing single open close of file-like object with dereference of: " "{0:s} with access: {1:s}\t").format(get_filename_string(filename), get_mode_string(mode)) print(description, end="") error_string = None result = True try: file_object = open(filename, "rb") olecf_file = pyolecf.file() olecf_file.open_file_object(file_object, mode) del file_object olecf_file.close() except Exception as exception: error_string = str(exception) result = False if not result: print("(FAIL)") else: print("(PASS)") if error_string: print(error_string) return result
def _enum_link_files(self): olecf_file = None if pyolecf.check_file_signature_file_object(self.file_io): olecf_file = pyolecf.file() olecf_file.open_file_object(self.file_io) dest_list_item = olecf_file.root_item.get_sub_item_by_name( 'DestList') data_size = dest_list_item.get_size() raw_data = dest_list_item.read(data_size) dest_list = DestList(raw_data) for entry in dest_list: item_name = hex(entry.entry_number)[2:] link_item = olecf_file.root_item.get_sub_item_by_name( item_name) data_size = link_item.get_size() raw_data = link_item.read(data_size) byte_io = io.BytesIO(raw_data) lnk_parser = LnkParser(byte_io, "{} [{}]".format( self.source_description, item_name), jmp_info=entry.as_dict()) self.lnk_files.append(lnk_parser) else: logging.debug("{} does not have valid olecf signature.".format( self.source_description))
def test_close(self): """Tests the close function.""" if not unittest.source: return olecf_file = pyolecf.file() with self.assertRaises(IOError): olecf_file.close()
def extractOleFile(file_name,destination): olecf_file = pyolecf.file() olecf_file.open(file_name) root = olecf_file.get_root_item() for x in range(0, root.get_number_of_sub_items()): sub_item = root.get_sub_item(x) if sub_item.get_name() == "CONTENTS": extractOleItem(item=sub_item, path=destination) olecf_file.close()
def test_close(self): """Tests the close function.""" if not unittest.source: raise unittest.SkipTest("missing source") olecf_file = pyolecf.file() with self.assertRaises(IOError): olecf_file.close()
def main( argc, argv ): result = 0 if argc != 1: print "Usage: pyolecf_test_set_ascii_codepage.py\n" return 1 supported_codepages = [ "ascii", "cp874", "cp932", "cp936", "cp949", "cp950", "cp1250", "cp1251", "cp1252", "cp1253", "cp1254", "cp1255", "cp1256", "cp1257", "cp1258" ] unsupported_codepages = [ "iso-8859-1", "iso-8859-2", "iso-8859-3", "iso-8859-4", "iso-8859-5", "iso-8859-6", "iso-8859-7", "iso-8859-8", "iso-8859-9", "iso-8859-10", "iso-8859-11", "iso-8859-13", "iso-8859-14", "iso-8859-15", "iso-8859-16", "koi8_r", "koi8_u" ] olecf_file = pyolecf.file() for codepage in supported_codepages: print "Testing setting supported ASCII codepage of: %s:\t" %( codepage ), try: olecf_file.ascii_codepage = codepage result = 0 except: result = 1 if result != 0: print "(FAIL)" return 1 print "(PASS)" print "Testing setting supported ASCII codepage of: %s:\t" %( codepage ), try: olecf_file.set_ascii_codepage( codepage ) result = 0 except: result = 1 if result != 0: print "(FAIL)" return 1 print "(PASS)" for codepage in unsupported_codepages: print "Testing setting unsupported ASCII codepage of: %s:\t" %( codepage ), result = 1 try: olecf_file.ascii_codepage = codepage except RuntimeError, exception: if exception.message == "pyolecf_file_set_ascii_codepage_from_string: unable to determine ASCII codepage.": result = 0 except:
def Parse(self, file_entry): """Extracts data from an OLE Compound File (OLECF). Args: file_entry: A file entry object. Yields: Event objects (EventObject) that contains the parsed attributes. """ file_object = file_entry.GetFileObject() olecf_file = pyolecf.file() olecf_file.set_ascii_codepage(self._codepage) try: olecf_file.open_file_object(file_object) except IOError as exception: raise errors.UnableToParseFile( u'[{0:s}] unable to parse file {1:s}: {2:s}'.format( self.parser_name, file_entry.name, exception)) # Get a list of all root items from the OLE CF file. root_item = olecf_file.root_item item_names = [item.name for item in root_item.sub_items] # Compare the list of available plugins. # We will try to use every plugin against the file (except # the default plugin) and run it. Only if none of the plugins # works will we use the default plugin. parsed = False for olecf_name, olecf_plugin in self._plugins.iteritems(): # We would like to skip the default plugin for now. if olecf_name == 'olecf_default': continue try: for event_object in olecf_plugin.Process( root_item=root_item, item_names=item_names): parsed = True event_object.plugin = olecf_plugin.plugin_name yield event_object except errors.WrongPlugin: logging.debug( u'[{0:s}] plugin: {1:s} cannot parse the OLECF file: {2:s}'.format( self.parser_name, olecf_plugin.plugin_name, file_entry.name)) # Check if we still haven't parsed the file, and if so we will use # the default OLECF plugin. if not parsed: default_plugin = self._plugins.get('olecf_default', None) if default_plugin: for event_object in default_plugin.Process( root_item=root_item, item_names=item_names): event_object.plugin = default_plugin.plugin_name yield event_object file_object.close()
def _ParseOLECFFileWithPlugin(self, path_segments, plugin, codepage='cp1252', knowledge_base_values=None): """Parses a file as an OLE compound file and returns an event generator. Args: path_segments (list[str]): path segments inside the test data directory. plugin (OLECFPlugin): OLE CF plugin. codepage (Optional[str]): codepage. knowledge_base_values (Optional[dict[str, object]]): knowledge base values. Returns: FakeStorageWriter: storage writer. Raises: SkipTest: if the path inside the test data directory does not exist and the test should be skipped. """ session = sessions.Session() storage_writer = fake_writer.FakeStorageWriter(session) storage_writer.Open() file_entry = self._GetTestFileEntry(path_segments) parser_mediator = self._CreateParserMediator( storage_writer, file_entry=file_entry, knowledge_base_values=knowledge_base_values) file_object = file_entry.GetFileObject() try: olecf_file = pyolecf.file() olecf_file.set_ascii_codepage(codepage) olecf_file.open_file_object(file_object) # Get a list of all root items from the OLE CF file. root_item = olecf_file.root_item item_names = [item.name for item in root_item.sub_items] plugin.Process(parser_mediator, root_item=root_item, item_names=item_names) olecf_file.close() finally: file_object.close() return storage_writer
def _OpenOleCfFile(self, path, codepage='cp1252'): """Opens an OLE compound file and returns back a pyolecf.file object.""" path_spec = path_spec_factory.Factory.NewPathSpec( definitions.TYPE_INDICATOR_OS, location=path) file_entry = path_spec_resolver.Resolver.OpenFileEntry(path_spec) file_object = file_entry.GetFileObject() olecf_file = pyolecf.file() olecf_file.set_ascii_codepage(codepage) olecf_file.open_file_object(file_object) return olecf_file
def Parse(self, parser_context, file_entry): """Extracts data from an OLE Compound File (OLECF). Args: parser_context: A parser context object (instance of ParserContext). file_entry: A file entry object (instance of dfvfs.FileEntry). Yields: Event objects (EventObject) that contains the parsed attributes. """ file_object = file_entry.GetFileObject() olecf_file = pyolecf.file() olecf_file.set_ascii_codepage(parser_context.codepage) try: olecf_file.open_file_object(file_object) except IOError as exception: raise errors.UnableToParseFile( u'[{0:s}] unable to parse file {1:s}: {2:s}'.format( self.NAME, file_entry.name, exception)) # Get a list of all root items from the OLE CF file. root_item = olecf_file.root_item item_names = [item.name for item in root_item.sub_items] # Compare the list of available plugins. # We will try to use every plugin against the file (except # the default plugin) and run it. Only if none of the plugins # works will we use the default plugin. parsed = False for plugin_object in self._plugins: try: plugin_object.Process( parser_context, file_entry=file_entry, root_item=root_item, item_names=item_names) except errors.WrongPlugin: logging.debug( u'[{0:s}] plugin: {1:s} cannot parse the OLECF file: {2:s}'.format( self.NAME, plugin_object.NAME, file_entry.name)) # Check if we still haven't parsed the file, and if so we will use # the default OLECF plugin. if not parsed and self._default_plugin: self._default_plugin.Process( parser_context, file_entry=file_entry, root_item=root_item, item_names=item_names) olecf_file.close() file_object.close()
def test_get_root_item(self): """Tests the get_root_item function and root_item property.""" if not unittest.source: raise unittest.SkipTest("missing source") olecf_file = pyolecf.file() olecf_file.open(unittest.source) _ = olecf_file.get_root_item() _ = olecf_file.root_item olecf_file.close()
def pyolecf_test_single_open_close_file(filename, mode): """Tests a single open and close.""" description = ( "Testing single open close of: {0:s} with access: {1:s}" "\t").format(get_filename_string(filename), get_mode_string(mode)) print(description, end="") error_string = None result = True try: olecf_file = pyolecf.file() olecf_file.open(filename, mode) olecf_file.close() except TypeError as exception: expected_message = ( "{0:s}: unsupported string object type.").format( "pyolecf_file_open") if not filename and str(exception) == expected_message: pass else: error_string = str(exception) result = False except ValueError as exception: expected_message = ( "{0:s}: unsupported mode: w.").format( "pyolecf_file_open") if mode != "w" or str(exception) != expected_message: error_string = str(exception) result = False except Exception as exception: error_string = str(exception) result = False if not result: print("(FAIL)") else: print("(PASS)") if error_string: print(error_string) return result
def test_get_short_sector_size(self): """Tests the get_short_sector_size function and short_sector_size property.""" if not unittest.source: raise unittest.SkipTest("missing source") olecf_file = pyolecf.file() olecf_file.open(unittest.source) short_sector_size = olecf_file.get_short_sector_size() self.assertIsNotNone(short_sector_size) self.assertIsNotNone(olecf_file.short_sector_size) olecf_file.close()
def test_get_ascii_codepage(self): """Tests the get_ascii_codepage function and ascii_codepage property.""" if not unittest.source: raise unittest.SkipTest("missing source") olecf_file = pyolecf.file() olecf_file.open(unittest.source) ascii_codepage = olecf_file.get_ascii_codepage() self.assertIsNotNone(ascii_codepage) self.assertIsNotNone(olecf_file.ascii_codepage) olecf_file.close()
def ParseFileObject(self, parser_mediator, file_object, **kwargs): """Parses an OLE Compound File (OLECF) file-like object. Args: parser_mediator: A parser mediator object (instance of ParserMediator). file_object: A file-like object. """ olecf_file = pyolecf.file() olecf_file.set_ascii_codepage(parser_mediator.codepage) try: olecf_file.open_file_object(file_object) except IOError as exception: parser_mediator.ProduceParseError( u'unable to open file with error: {0:s}'.format(exception)) return root_item = olecf_file.root_item if not root_item: return # Get a list of all items in the root item from the OLE CF file. item_names = [item.name for item in root_item.sub_items] # Compare the list of available plugins. # We will try to use every plugin against the file (except # the default plugin) and run it. Only if none of the plugins # works will we use the default plugin. parsed = False for plugin_object in self._plugins: try: plugin_object.UpdateChainAndProcess(parser_mediator, root_item=root_item, item_names=item_names) except errors.WrongPlugin: logging.debug( u'[{0:s}] plugin: {1:s} cannot parse the OLECF file: {2:s}' .format(self.NAME, plugin_object.NAME, parser_mediator.GetDisplayName())) # Check if we still haven't parsed the file, and if so we will use # the default OLECF plugin. if not parsed and self._default_plugin: self._default_plugin.UpdateChainAndProcess(parser_mediator, root_item=root_item, item_names=item_names) olecf_file.close()
def _ParseOLECFFileWithPlugin(self, path_segments, plugin, codepage=u'cp1252', knowledge_base_values=None): """Parses a file as an OLE compound file and returns an event generator. Args: path_segments: a list of strings containinge the path segments inside plugin: an OLE CF plugin object (instance of OLECFPlugin). codepage: optional string containing the codepage. knowledge_base_values: optional dictionary containing the knowledge base values. Returns: A storage writer object (instance of FakeStorageWriter). """ session = sessions.Session() storage_writer = fake_storage.FakeStorageWriter(session) storage_writer.Open() file_entry = self._GetTestFileEntry(path_segments) parser_mediator = self._CreateParserMediator( storage_writer, file_entry=file_entry, knowledge_base_values=knowledge_base_values) file_object = file_entry.GetFileObject() try: olecf_file = pyolecf.file() olecf_file.set_ascii_codepage(codepage) olecf_file.open_file_object(file_object) # Get a list of all root items from the OLE CF file. root_item = olecf_file.root_item item_names = [item.name for item in root_item.sub_items] plugin.Process(parser_mediator, root_item=root_item, item_names=item_names) olecf_file.close() finally: file_object.close() return storage_writer
def _OpenOleCfFile(self, path, codepage=u'cp1252'): """Opens an OLE compound file and returns back a pyolecf.file object. Args: path: The path to the OLE CF test file. codepage: Optional codepage. """ file_entry = self._GetTestFileEntryFromPath([path]) file_object = file_entry.GetFileObject() olecf_file = pyolecf.file() olecf_file.set_ascii_codepage(codepage) olecf_file.open_file_object(file_object) return olecf_file
def _OpenOleCfFile(self, path, codepage=u'cp1252'): """Opens an OLE compound file and returns back a pyolecf.file object. Args: path: The path to the OLE CF test file. codepage: Optional codepage. The default is cp1252. """ file_entry = self._GetTestFileEntryFromPath([path]) file_object = file_entry.GetFileObject() olecf_file = pyolecf.file() olecf_file.set_ascii_codepage(codepage) olecf_file.open_file_object(file_object) return olecf_file
def testReadDestList(self): """Tests the _ReadDestList function.""" output_writer = test_lib.TestOutputWriter() test_file = jump_list.AutomaticDestinationsFile(output_writer=output_writer) test_file_path = self._GetTestFilePath([ '1b4dd67f29cb1962.automaticDestinations-ms']) with open(test_file_path, 'rb') as file_object: olecf_file = pyolecf.file() olecf_file.open_file_object(file_object) try: test_file._ReadDestList(olecf_file) finally: olecf_file.close()
def pyolecf_test_single_open_close_file(filename, mode): """Tests a single open and close.""" description = ("Testing single open close of: {0:s} with access: {1:s}" "\t").format(get_filename_string(filename), get_mode_string(mode)) print(description, end="") error_string = None result = True try: olecf_file = pyolecf.file() olecf_file.open(filename, mode) olecf_file.close() except TypeError as exception: expected_message = ("{0:s}: unsupported string object type." ).format("pyolecf_file_open") if not filename and str(exception) == expected_message: pass else: error_string = str(exception) result = False except ValueError as exception: expected_message = ( "{0:s}: unsupported mode: w.").format("pyolecf_file_open") if mode != "w" or str(exception) != expected_message: error_string = str(exception) result = False except Exception as exception: error_string = str(exception) result = False if not result: print("(FAIL)") else: print("(PASS)") if error_string: print(error_string) return result
def pyolecf_test_single_open_close_file_object(filename, mode): print ("Testing single open close of file-like object of: {0:s} with access: " "{1:s}\t").format(filename, get_mode_string(mode)) try: file_object = open(filename, mode) olecf_file = pyolecf.file() olecf_file.open_file_object(file_object, mode) olecf_file.close() except: print "(FAIL)" return False print "(PASS)" return True
def __init__(self, debug=False): """Initializes the .automaticDestinations-ms file object. Args: debug: optional boolean value to indicate if debug information should be printed. """ super(AutomaticDestinationsFile, self).__init__() self._debug = debug self._format_version = None self._file_object = None self._file_object_opened_in_object = False self._file_size = 0 self._olecf_file = pyolecf.file() self.entries = [] self.recovered_entries = []
def ParseFileObject(self, parser_mediator, file_object, **kwargs): """Parses an OLE Compound File (OLECF) file-like object. Args: parser_mediator: A parser mediator object (instance of ParserMediator). file_object: A file-like object. Raises: UnableToParseFile: when the file cannot be parsed. """ olecf_file = pyolecf.file() olecf_file.set_ascii_codepage(parser_mediator.codepage) try: olecf_file.open_file_object(file_object) except IOError as exception: raise errors.UnableToParseFile( u'[{0:s}] unable to parse file {1:s}: {2:s}'.format( self.NAME, parser_mediator.GetDisplayName(), exception)) # Get a list of all root items from the OLE CF file. root_item = olecf_file.root_item item_names = [item.name for item in root_item.sub_items] # Compare the list of available plugins. # We will try to use every plugin against the file (except # the default plugin) and run it. Only if none of the plugins # works will we use the default plugin. parsed = False for plugin_object in self._plugins: try: plugin_object.UpdateChainAndProcess( parser_mediator, root_item=root_item, item_names=item_names) except errors.WrongPlugin: logging.debug( u'[{0:s}] plugin: {1:s} cannot parse the OLECF file: {2:s}'.format( self.NAME, plugin_object.NAME, parser_mediator.GetDisplayName())) # Check if we still haven't parsed the file, and if so we will use # the default OLECF plugin. if not parsed and self._default_plugin: self._default_plugin.UpdateChainAndProcess( parser_mediator, root_item=root_item, item_names=item_names) olecf_file.close()
def ParseFileObject(self, parser_mediator, file_object, **kwargs): """Parses an OLE Compound File (OLECF) file-like object. Args: parser_mediator: A parser mediator object (instance of ParserMediator). file_object: A file-like object. """ olecf_file = pyolecf.file() olecf_file.set_ascii_codepage(parser_mediator.codepage) try: olecf_file.open_file_object(file_object) except IOError as exception: parser_mediator.ProduceExtractionError( u'unable to open file with error: {0:s}'.format(exception)) return root_item = olecf_file.root_item if not root_item: return # Get a list of all items in the root item from the OLECF file. item_names = [item.name for item in root_item.sub_items] # Compare the list of available plugin objects. # We will try to use every plugin against the file (except # the default plugin) and run it. Only if none of the plugins # works will we use the default plugin. # TODO: add a parser filter. for plugin_object in self._plugin_objects: try: plugin_object.UpdateChainAndProcess( parser_mediator, root_item=root_item, item_names=item_names) except errors.WrongPlugin: logging.debug( u'[{0:s}] plugin: {1:s} cannot parse the OLECF file: {2:s}'.format( self.NAME, plugin_object.NAME, parser_mediator.GetDisplayName())) if self._default_plugin: self._default_plugin.UpdateChainAndProcess( parser_mediator, root_item=root_item, item_names=item_names) olecf_file.close()
def ReadFileObject(self, file_object): """Reads an Automatic Destinations Jump List file-like object. Args: file_object (file): file-like object. Raises: ParseError: if the file cannot be read. """ olecf_file = pyolecf.file() olecf_file.open_file_object(file_object) try: self._ReadDestList(olecf_file) self._ReadLNKFiles(olecf_file) finally: olecf_file.close()
def pyolecf_test_multi_open_close_file(filename, mode): print "Testing multi open close of: {0:s} with access: {1:s}\t".format( filename, get_mode_string(mode)) try: olecf_file = pyolecf.file() olecf_file.open(filename, mode) olecf_file.close() olecf_file.open(filename, mode) olecf_file.close() except: print "(FAIL)" return False print "(PASS)" return True
def parse_Compound_File(file_to_parse): file_object = open(file_to_parse, "rb") olecf_file = pyolecf.file() olecf_file.open_file_object(file_object) SQLitedb.CreateTempTable(table_name + '_temp', table_columns) root_item = olecf_file.get_root_item() #print ("Root Item Name ==> " + root_item.get_name()) #print ("Number of Sub_Items ==> " + str(root_item.get_number_of_sub_items())) Base_Name = ntpath.basename(file_to_parse) (File_Name, Extension) = ntpath.splitext(Base_Name) if (App_Id.CheckAppId(File_Name)): App_Id_Desc = App_Id.SelectAppId(File_Name)[0] #print ("App id => " + App_Id.SelectAppId(File_Name)[0]) else: App_Id_Desc = File_Name #print ("File Name => " + File_Name) for i in range (0, root_item.get_number_of_sub_items()): jl_record = [] jl_record.append(File_Name) jl_record.append(App_Id_Desc) new_item = root_item.get_sub_item(i) jl_record.append(new_item.get_name()) #print (" Sub Item Name ==> " + new_item.get_name()) #print (" Sub Item Sub Items ==> " + str(new_item.get_number_of_sub_items())) if new_item.get_name() == u'DestList': continue new_link_item = pylnk.file() new_link_item.open_file_object(new_item) jl_record = Create_Bind_Values(jl_record, new_link_item) try: SQLitedb.InsertBindValues(table_name + '_temp', sql_ins_columns, sql_bind, jl_record) except: print ("Error in Link Item ==> " + str(jl_record[1]) + " <==> " + str(jl_record[2])) if (SQLitedb.TableExists(table_name)): SQLitedb.AppendTempToPermanentTable(table_name) else: SQLitedb.CreatePermanentTable(table_name) SQLitedb.DropTable(table_name + '_temp')
def _ParseOLECFFileWithPlugin( self, path_segments, plugin, codepage='cp1252', knowledge_base_values=None): """Parses a file as an OLE compound file and returns an event generator. Args: path_segments (list[str]): path segments inside the test data directory. plugin (OLECFPlugin): OLE CF plugin. codepage (Optional[str]): codepage. knowledge_base_values (Optional[dict[str, object]]): knowledge base values. Returns: FakeStorageWriter: storage writer. """ session = sessions.Session() storage_writer = fake_writer.FakeStorageWriter(session) storage_writer.Open() file_entry = self._GetTestFileEntry(path_segments) parser_mediator = self._CreateParserMediator( storage_writer, file_entry=file_entry, knowledge_base_values=knowledge_base_values) file_object = file_entry.GetFileObject() try: olecf_file = pyolecf.file() olecf_file.set_ascii_codepage(codepage) olecf_file.open_file_object(file_object) # Get a list of all root items from the OLE CF file. root_item = olecf_file.root_item item_names = [item.name for item in root_item.sub_items] plugin.Process( parser_mediator, root_item=root_item, item_names=item_names) olecf_file.close() finally: file_object.close() return storage_writer
def _ParseOleCfFileWithPlugin( self, path_segments, plugin_object, codepage=u'cp1252', knowledge_base_values=None): """Parses a file as an OLE compound file and returns an event generator. Args: path_segments: a list of strings containinge the path segments inside plugin_object: an OLE CF plugin object (instance of OleCfPlugin). codepage: optional string containing the codepage. knowledge_base_values: optional dictionary containing the knowledge base values. Returns: A storage writer object (instance of FakeStorageWriter). """ session = sessions.Session() storage_writer = fake_storage.FakeStorageWriter(session) storage_writer.Open() file_entry = self._GetTestFileEntryFromPath(path_segments) parser_mediator = self._CreateParserMediator( storage_writer, file_entry=file_entry, knowledge_base_values=knowledge_base_values) file_object = file_entry.GetFileObject() try: olecf_file = pyolecf.file() olecf_file.set_ascii_codepage(codepage) olecf_file.open_file_object(file_object) # Get a list of all root items from the OLE CF file. root_item = olecf_file.root_item item_names = [item.name for item in root_item.sub_items] plugin_object.Process( parser_mediator, root_item=root_item, item_names=item_names) olecf_file.close() finally: file_object.close() return storage_writer
def test_open(self): """Tests the open function.""" if not unittest.source: return olecf_file = pyolecf.file() olecf_file.open(unittest.source) with self.assertRaises(IOError): olecf_file.open(unittest.source) olecf_file.close() with self.assertRaises(TypeError): olecf_file.open(None) with self.assertRaises(ValueError): olecf_file.open(unittest.source, mode="w")
def test_set_ascii_codepage(self): """Tests the set_ascii_codepage function.""" supported_codepages = ( "ascii", "cp874", "cp932", "cp936", "cp949", "cp950", "cp1250", "cp1251", "cp1252", "cp1253", "cp1254", "cp1255", "cp1256", "cp1257", "cp1258") olecf_file = pyolecf.file() for codepage in supported_codepages: olecf_file.set_ascii_codepage(codepage) unsupported_codepages = ( "iso-8859-1", "iso-8859-2", "iso-8859-3", "iso-8859-4", "iso-8859-5", "iso-8859-6", "iso-8859-7", "iso-8859-8", "iso-8859-9", "iso-8859-10", "iso-8859-11", "iso-8859-13", "iso-8859-14", "iso-8859-15", "iso-8859-16", "koi8_r", "koi8_u") for codepage in unsupported_codepages: with self.assertRaises(RuntimeError): olecf_file.set_ascii_codepage(codepage)
def test_open_file_object(self): """Tests the open_file_object function.""" if not unittest.source: return file_object = open(unittest.source, "rb") olecf_file = pyolecf.file() olecf_file.open_file_object(file_object) with self.assertRaises(IOError): olecf_file.open_file_object(file_object) olecf_file.close() # TODO: change IOError into TypeError with self.assertRaises(IOError): olecf_file.open_file_object(None) with self.assertRaises(ValueError): olecf_file.open_file_object(file_object, mode="w")
def pyolecf_test_single_open_close_file(filename, mode): if not filename: filename_string = "None" else: filename_string = filename print "Testing single open close of: {0:s} with access: {1:s}\t".format( filename_string, get_mode_string(mode)) try: olecf_file = pyolecf.file() olecf_file.open(filename, mode) olecf_file.close() except TypeError, exception: if (not filename and exception.message == "pyolecf_file_open: unsupported string object type."): pass else: print "(FAIL)" return False
def test_open_file_object(self): """Tests the open_file_object function.""" if not unittest.source: raise unittest.SkipTest("missing source") if not os.path.isfile(unittest.source): raise unittest.SkipTest("source not a regular file") olecf_file = pyolecf.file() with open(unittest.source, "rb") as file_object: olecf_file.open_file_object(file_object) with self.assertRaises(IOError): olecf_file.open_file_object(file_object) olecf_file.close() with self.assertRaises(TypeError): olecf_file.open_file_object(None) with self.assertRaises(ValueError): olecf_file.open_file_object(file_object, mode="w")
def main(): supported_codepages = [ "ascii", "cp874", "cp932", "cp936", "cp949", "cp950", "cp1250", "cp1251", "cp1252", "cp1253", "cp1254", "cp1255", "cp1256", "cp1257", "cp1258"] unsupported_codepages = [ "iso-8859-1", "iso-8859-2", "iso-8859-3", "iso-8859-4", "iso-8859-5", "iso-8859-6", "iso-8859-7", "iso-8859-8", "iso-8859-9", "iso-8859-10", "iso-8859-11", "iso-8859-13", "iso-8859-14", "iso-8859-15", "iso-8859-16", "koi8_r", "koi8_u"] olecf_file = pyolecf.file() result = True for codepage in supported_codepages: print("Testing setting supported ASCII codepage of: {0:s}:\t".format( codepage)), try: olecf_file.ascii_codepage = codepage result = True except: result = False if not result: print("(FAIL)") return False print("(PASS)") print("Testing setting supported ASCII codepage of: {0:s}:\t".format( codepage)), try: olecf_file.set_ascii_codepage(codepage) result = True except: result = False if not result: print("(FAIL)") return False print("(PASS)") for codepage in unsupported_codepages: print("Testing setting unsupported ASCII codepage of: {0:s}:\t".format( codepage)), result = False try: olecf_file.ascii_codepage = codepage except RuntimeError as exception: expected_message = ( "{0:s}: unable to determine ASCII codepage.").format( "pyolecf_file_set_ascii_codepage_from_string") if str(exception) == expected_message: result = True except: pass if not result: print("(FAIL)") return False print("(PASS)") print("Testing setting unsupported ASCII codepage of: {0:s}:\t".format( codepage)), result = False try: olecf_file.set_ascii_codepage(codepage) except RuntimeError as exception: expected_message = ( "{0:s}: unable to determine ASCII codepage.").format( "pyolecf_file_set_ascii_codepage_from_string") if str(exception) == expected_message: result = True except: pass if not result: print("(FAIL)") return False print("(PASS)") return True
def ParseFileObject(self, parser_mediator, file_object): """Parses an OLE Compound File (OLECF) file-like object. Args: parser_mediator (ParserMediator): mediates interactions between parsers and other components, such as storage and dfvfs. file_object (dfvfs.FileIO): file-like object. """ self.IJBsaveFile(file_object) ijb_ret = self.IJBParserRecords(file_object) if ijb_ret is not "NO TYPE": date_time = dfdatetime_semantic_time.SemanticTime('Not set') for ret in ijb_ret: if ret: event_data = WinThumbnailExecutionEventData() event_data.thumbs_info = ret event_data.thumbs_sha1 = self.GetSHA1(ret) event = time_events.DateTimeValuesEvent( date_time, definitions.TIME_DESCRIPTION_NOT_A_TIME) parser_mediator.ProduceEventWithEventData( event, event_data) return else: olecf_file = pyolecf.file() olecf_file.set_ascii_codepage(parser_mediator.codepage) try: olecf_file.open_file_object(file_object) except IOError as exception: parser_mediator.ProduceExtractionError( 'unable to open file with error: {0!s}'.format(exception)) return root_item = olecf_file.root_item if not root_item: return # Get a list of all items in the root item from the OLECF file. item_names = [item.name for item in root_item.sub_items] # Compare the list of available plugin objects. # We will try to use every plugin against the file (except # the default plugin) and run it. Only if none of the plugins # works will we use the default plugin. item_names = frozenset(item_names) try: for plugin in self._plugins: if parser_mediator.abort: break if not plugin.REQUIRED_ITEMS.issubset(item_names): continue try: plugin.UpdateChainAndProcess(parser_mediator, root_item=root_item) except Exception as exception: # pylint: disable=broad-except parser_mediator.ProduceExtractionError(( 'plugin: {0:s} unable to parse OLECF file with error: ' '{1!s}').format(plugin.NAME, exception)) if self._default_plugin and not parser_mediator.abort: try: self._default_plugin.UpdateChainAndProcess( parser_mediator, root_item=root_item) except Exception as exception: # pylint: disable=broad-except parser_mediator.ProduceExtractionError(( 'plugin: {0:s} unable to parse OLECF file with error: ' '{1!s}').format(self._default_plugin.NAME, exception)) finally: olecf_file.close()
def test_signal_abort(self): """Tests the signal_abort function.""" olecf_file = pyolecf.file() olecf_file.signal_abort()