OLE Packager File Format

Research and documentation into the OLE Packager format.

The Packager format is a legacy of OLE1 and was designed as a generic OLE embedding server for inserting objects that don't have an associated OLE server.

Packager objects are embedded or linked using the class name Package (5061636b61676500, the ASCII bytes of "Package" followed by a null terminator).

OLE Packager Data Format


Name            Length      Description
-------------------------------------------------------------------------------
Header          4           Stream Header, always set to 0200
Label           Variable    Label of embedded object, defaults to filename. (Null Terminated)
OrgPath         Variable    Original path of embedded object. (Null Terminated)
UType           8           Unknown - Possibly a FormatId
                                - Set to 00000300 for embedded objects
                                - Set to 00000100 for linked objects
DataPathLen     8           Length of DataPath
DataPath        Variable    Extract path and file name, defaults to %localappdata%/Temp of the source system. (Null Terminated)
DataLen         8           Length of embedded data.
Data            Variable    Embedded Data
OrgPathWLen     8           Length of OrgPathW
OrgPathW        Variable    Original path of embedded object. (WChar)
LabelLen        8           Length of LabelW
LabelW          Variable    Label of embedded object, defaults to filename. (WChar)
DefPathWLen     8           Length of DefPathW
DefPathW        Variable    Original path of embedded object. (WChar)
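The table above is enough to write a parser, and the one thing a parser of this format has to get right is that every length field (DataPathLen, DataLen, the wide-string lengths) is taken from the file and must be bounds-checked against the stream before slicing. The following is an added example written for this page, not the project's psparser.py. It assumes the field widths as bytes: a 2-byte little-endian header (0x0002, which dumps as 0200), 4-byte little-endian UType and length fields, and, for the wide-character trailer, that each length is a UTF-16LE character count. The sample blob, its file names and its payload bytes are constructed for the demonstration; the SHA1 of the embedded data is computed the same way the tool output above reports it.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Field constants from the table above, read as little-endian integers.
PACKAGER_HEADER = 0x0002    # dumped byte-wise as "0200"
UTYPE_EMBEDDED = 0x00000003 # "00000300": object data is embedded
UTYPE_LINKED = 0x00000001   # "00000100": object is a link


class PackagerParseError(ValueError):
    """Blob does not follow the Packager layout, or a length field overruns it."""


@dataclass
class PackagerRecord:
    header: int
    label: str
    org_path: str
    utype: int
    data_path: str
    data: bytes
    org_path_w: Optional[str] = None
    label_w: Optional[str] = None
    def_path_w: Optional[str] = None

    @property
    def is_embedded(self) -> bool:
        return self.utype == UTYPE_EMBEDDED

    @property
    def data_sha1(self) -> str:
        return hashlib.sha1(self.data).hexdigest()


def _need(buf: bytes, pos: int, n: int, what: str) -> None:
    # Lengths come from the file: refuse to slice past the end rather than silently truncating.
    if pos + n > len(buf):
        raise PackagerParseError(f"{what} at offset {pos} runs {pos + n - len(buf)} bytes past end of stream")


def _read_u32(buf: bytes, pos: int) -> Tuple[int, int]:
    _need(buf, pos, 4, "DWORD")
    return struct.unpack_from("<I", buf, pos)[0], pos + 4


def _read_cstring(buf: bytes, pos: int) -> Tuple[str, int]:
    """Null-terminated ANSI string (Label, OrgPath)."""
    end = buf.find(b"\x00", pos)
    if end < 0:
        raise PackagerParseError(f"unterminated string at offset {pos}")
    return buf[pos:end].decode("latin-1"), end + 1


def _read_wstring(buf: bytes, pos: int) -> Tuple[str, int]:
    """DWORD character count followed by UTF-16LE characters (trailer fields; count semantics assumed)."""
    count, pos = _read_u32(buf, pos)
    _need(buf, pos, count * 2, "wide string")
    return buf[pos:pos + count * 2].decode("utf-16-le").rstrip("\x00"), pos + count * 2


def parse_packager(buf: bytes) -> PackagerRecord:
    """Parse a Packager blob laid out as in the table (Header through DefPathW)."""
    _need(buf, 0, 2, "Header")
    header = struct.unpack_from("<H", buf, 0)[0]
    if header != PACKAGER_HEADER:
        raise PackagerParseError(f"unexpected header 0x{header:04x}")
    pos = 2
    label, pos = _read_cstring(buf, pos)
    org_path, pos = _read_cstring(buf, pos)
    utype, pos = _read_u32(buf, pos)
    data_path_len, pos = _read_u32(buf, pos)
    _need(buf, pos, data_path_len, "DataPath")
    data_path = buf[pos:pos + data_path_len].decode("latin-1").rstrip("\x00")
    pos += data_path_len
    data_len, pos = _read_u32(buf, pos)
    _need(buf, pos, data_len, "Data")  # DataLen larger than the stream is the classic overrun case
    data = buf[pos:pos + data_len]
    pos += data_len
    rec = PackagerRecord(header, label, org_path, utype, data_path, data)
    # Wide-character trailer: parsed leniently, since a carved stream may end before it.
    try:
        rec.org_path_w, pos = _read_wstring(buf, pos)
        rec.label_w, pos = _read_wstring(buf, pos)
        rec.def_path_w, pos = _read_wstring(buf, pos)
    except PackagerParseError:
        pass
    return rec


def is_valid_packager(buf: bytes) -> bool:
    try:
        parse_packager(buf)
        return True
    except PackagerParseError:
        return False


def _wstr(text: str) -> bytes:
    chars = (text + "\x00").encode("utf-16-le")
    return struct.pack("<I", len(chars) // 2) + chars


def build_sample(label: str, org_path: str, data_path: str, data: bytes) -> bytes:
    """Construct a Packager blob for testing; contents are invented, not from any real document."""
    ansi_path = data_path.encode("latin-1") + b"\x00"
    return (struct.pack("<H", PACKAGER_HEADER)
            + label.encode("latin-1") + b"\x00"
            + org_path.encode("latin-1") + b"\x00"
            + struct.pack("<I", UTYPE_EMBEDDED)
            + struct.pack("<I", len(ansi_path)) + ansi_path
            + struct.pack("<I", len(data)) + data
            + _wstr(org_path) + _wstr(label) + _wstr(data_path))


SAMPLE_DATA = b"MZ" + bytes(range(64))  # constructed payload stand-in, not a real executable
SAMPLE = build_sample("demo.exe", "C:\\src\\demo.exe",
                      "C:\\Users\\user\\AppData\\Local\\Temp\\demo.exe", SAMPLE_DATA)

if __name__ == "__main__":
    rec = parse_packager(SAMPLE)
    print(f"Label: {rec.label}  FormatId: {rec.utype:08x}  Embedded: {rec.is_embedded}")
    print(f"OriginalPath: {rec.org_path}\nExtract Path: {rec.data_path}")
    print(f"Data Size: {len(rec.data)}  Data (SHA1): {rec.data_sha1}")
    print(f"Copy truncated inside Data still valid? {is_valid_packager(SAMPLE[:-200])}")
```

Inside an OLE container this blob sits in the \x01Ole10Native stream behind a 4-byte total-size prefix, so a caller feeding real streams skips those four bytes first. Cutting the sample short inside the wide trailer still parses (the trailer is optional to the parser), while cutting into Data raises, which is the behaviour you want when triaging damaged or deliberately malformed documents.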

Usage

The script can be run against Word documents (.doc), RTF files or carved OLE10Native streams:

python psparser.py sample1.doc

 [*] Analyzing file....
 [*] File is an OLE file...
 [*] Processing Streams...
 [*] Found Ole10Native Stream...checking for packager data
 [*] Stream contains Packager Formatted data...
  Header:         0200
  Label:
  FormatId:       00000300
  OriginalPath:   C:\Aaa\exe\v21.exe
  Extract Path:   C:\Users\M\AppData\Local\Temp\v21.exe
  Data Size:      221696
  Data (SHA1):    c8671177cc462bdd6eb1a36935e885103283f7e1

Extracting Data

To extract the embedded data, pass the --extract switch; the data stream is written to the current directory, named with the MD5 hash of the embedded data.

python psparser.py sample2.doc --extract
 [*] Analyzing file....
 [*] File is an OLE file...
 [*] Processing Streams...
 [*] Found Ole10Native Stream...checking for packager data
 [*] Stream contains Packager Formatted data...
  Header:         0200
  Label:          krt21.exe
  FormatId:       00000300
  OriginalPath:   C:\Aaa\exe\krt21.exe
  Extract Path:   C:\Users\ADMINI~1\AppData\Local\Temp\krt21.exe
  Data Size:      281600
  Data (SHA1):    dbf612659710fa1e463693ec2cce157be9844a01
 Extracting embedded data as 7000ed249bbb16862e5e6f5af250faba

Future Research

  • Confirm UType field values

References
