Didier Stevens

Syndicate content Didier Stevens
(blog \'DidierStevens)
Updated: 26 min 46 sec ago

New tool: decompress_rtf.py

12 hours 12 min ago
A reader over at the Internet Storm Center asked how to analyze a particular email file (.msg) with my oledump.py tool. MSG files are ole files, and can be analyzed with oledump. In this particular email, one stream contains compressed RTF. I quickly wrote a tool to decompress compressed RTF using Python module compressed_rtf, using my binary file Python template. Template process-binary-file.py is a Python program that reads binary files (normal files, stdin, contained in a ZIP file, …) and comes with various options to process these files. The class cBinaryFile can read a complete or partial file into memory for further processing. Just a few lines of code of the template need to be added/changed to create this new decompression tool. First I need to import module compressed_rtf. A single line “import compressed_rtf” would be sufficient, but I’m adding some error handling in case the module is not installed: try: import compressed_rtf except ImportError: print('Module compressed_rtf missing, please install with command: pip install compressed_rtf') sys.exit(-1) Next, I search for “# —– Put your data processing code here —–” (line 1315 in the current version 0.0.1 of the template): Lines 1316 and 1317 (starting with oOutput.Line) are just demo lines, to be replaced by this line: oOutput.Line(compressed_rtf.decompress(data), eol='') Variable data contains the complete binary content of the processed file (e.g. the compressed RTF), and a call to method compressed_rtf.decompress will decompress the data. Then I output the result with method Line of object oOutput. I use this method in stead of a print statement, because then I have more control over the output format and destination by using command-line option -o. eol=” directs the Line method not to append a new-line after outputting the decompressed RTF file. That’s essentially all that needs to be done to create this new tool with my template. Documentation is also important, so I also updated the description (line 5), date (line 8) and the manual (starting line 67). And now with this tool, I can decompress compressed RTF streams found inside a .msg file: decompress_rtf_V0_0_1.zip (https)
MD5: 41127F62897479FB5135D36675C396F5
SHA256: 581F2E1B2B508C3941EC22040FB0C76999E5DF293C8AD0DC1FDE921D121F3A26
Categories: Security Posts