OLE Package Format Documentation
Latest commit c451a78 Feb 19, 2018

OLE Packager File Format

Research and documentation into the OLE Packager format.

The Packager format is a legacy of OLE1 and was designed as a generic OLE embedding server for inserting objects that don't have an associated OLE server.

Packager objects are embedded or linked using the class name Package (5061636b61676500, the ASCII string "Package" followed by a null byte).

OLE Packager Data Format



Name            Length (hex chars)  Description
-------------------------------------------------------------------------------
Header          4                   Stream header, always set to 0200
Label           Variable            Label of embedded object, defaults to the filename. (Null terminated)
OrgPath         Variable            Original path of embedded object. (Null terminated)
UType           8                   Unknown, possibly a FormatId:
                                    - Set to 00000300 for embedded objects
                                    - Set to 00000100 for linked objects
DataPathLen     8                   Length of DataPath
DataPath        Variable            Extract path and file name, defaults to %localappdata%/Temp of the source system. (Null terminated)
DataLen         8                   Length of embedded data
Data            Variable            Embedded data
OrgPathWLen     8                   Length of OrgPathW
OrgPathW        Variable            Original path of embedded object. (WChar)
LabelLen        8                   Length of LabelW
LabelW          Variable            Label of embedded object, defaults to the filename. (WChar)
DefPathWLen     8                   Length of DefPathW
DefPathW        Variable            Original path of embedded object. (WChar)
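As an added worked example (not the repository's psparser.py), here is a parser for the layout in the table above, together with a builder that produces a stream in the same layout so the example runs on constructed input. It takes the table's Length values as hex characters, so the 8-character length fields are read as 4-byte little-endian integers; it treats DataPathLen as a byte count that includes the terminating NUL and assumes the wide-string length prefixes count UTF-16 code units. Those two length conventions, the function names, the sample paths and the payload bytes are all assumptions made for this example, not values taken from the page.

```python
from __future__ import annotations

import hashlib
import struct
from dataclasses import dataclass

# Raw bytes of the two UType/FormatId values listed in the table.
UTYPE_EMBEDDED = bytes.fromhex("00000300")
UTYPE_LINKED = bytes.fromhex("00000100")


@dataclass
class PackagerObject:
    label: str
    org_path: str
    utype: str  # hex of the 4 raw bytes, printed the way the script prints FormatId
    data_path: str
    data: bytes
    org_path_w: str
    label_w: str
    def_path_w: str


def _read_bytes(buf: bytes, pos: int, n: int) -> tuple[bytes, int]:
    """Take n bytes at pos, refusing to run past the end of the stream."""
    if n < 0 or pos + n > len(buf):
        raise ValueError(f"field of {n} bytes at offset {pos} runs past end of stream")
    return buf[pos:pos + n], pos + n


def _read_u32(buf: bytes, pos: int) -> tuple[int, int]:
    raw, pos = _read_bytes(buf, pos, 4)
    return struct.unpack("<I", raw)[0], pos


def _read_cstring(buf: bytes, pos: int) -> tuple[str, int]:
    """NUL-terminated ANSI string; returns the text and the offset after the NUL."""
    end = buf.find(b"\x00", pos)
    if end < 0:
        raise ValueError(f"unterminated string at offset {pos}")
    return buf[pos:end].decode("latin-1"), end + 1


def _read_wstring(buf: bytes, pos: int) -> tuple[str, int]:
    """Length-prefixed UTF-16LE string; the prefix is assumed to count UTF-16 code units."""
    n, pos = _read_u32(buf, pos)
    raw, pos = _read_bytes(buf, pos, 2 * n)
    return raw.decode("utf-16-le"), pos


def parse_packager(buf: bytes) -> PackagerObject:
    """Walk the fields in table order; every length is bounds-checked before use."""
    if buf[:2] != bytes.fromhex("0200"):
        raise ValueError(f"bad packager header {buf[:2].hex()!r}, expected 0200")
    label, pos = _read_cstring(buf, 2)
    org_path, pos = _read_cstring(buf, pos)
    utype, pos = _read_bytes(buf, pos, 4)
    dp_len, pos = _read_u32(buf, pos)
    dp_raw, pos = _read_bytes(buf, pos, dp_len)  # DataPathLen is assumed to count the trailing NUL
    data_len, pos = _read_u32(buf, pos)
    data, pos = _read_bytes(buf, pos, data_len)
    org_path_w, pos = _read_wstring(buf, pos)
    label_w, pos = _read_wstring(buf, pos)
    def_path_w, pos = _read_wstring(buf, pos)
    return PackagerObject(label, org_path, utype.hex(), dp_raw.rstrip(b"\x00").decode("latin-1"),
                          data, org_path_w, label_w, def_path_w)


def build_packager(label: str, org_path: str, data_path: str, data: bytes,
                   utype: bytes = UTYPE_EMBEDDED) -> bytes:
    """Serialise the same layout; used here only to construct sample input."""
    def cstr(s: str) -> bytes:
        return s.encode("latin-1") + b"\x00"
    def wstr(s: str) -> bytes:
        return struct.pack("<I", len(s)) + s.encode("utf-16-le")
    dp = cstr(data_path)
    return (bytes.fromhex("0200") + cstr(label) + cstr(org_path) + utype
            + struct.pack("<I", len(dp)) + dp + struct.pack("<I", len(data)) + data
            + wstr(org_path) + wstr(label) + wstr(org_path))  # DefPathW as the table describes it


def describe(obj: PackagerObject) -> list[str]:
    """Same shape as the script output below, plus the MD5 the script uses as the extract file name."""
    kind = {"00000300": "embedded", "00000100": "linked"}.get(obj.utype, "unknown")
    return [f"Label:          {obj.label}",
            f"FormatId:       {obj.utype} ({kind})",
            f"OriginalPath:   {obj.org_path}",
            f"Extract Path:   {obj.data_path}",
            f"Data Size:      {len(obj.data)}",
            f"Data (SHA1):    {hashlib.sha1(obj.data).hexdigest()}",
            f"Data (MD5):     {hashlib.md5(obj.data).hexdigest()}"]


# Constructed sample; the payload bytes are a placeholder, not a real executable.
SAMPLE_STREAM = build_packager(
    label="invoice.exe", org_path=r"C:\build\invoice.exe",
    data_path=r"C:\Users\user\AppData\Local\Temp\invoice.exe",
    data=b"MZ" + b"\x90" * 62)

if __name__ == "__main__":
    print("\n".join(describe(parse_packager(SAMPLE_STREAM))))
```

Every length field goes through `_read_bytes` before it is used as a slice, so a stream whose DataLen or wide-string length runs past the end of the buffer raises a `ValueError` instead of silently yielding a short payload and a misleading hash; that matters when the parser is fed carved streams, which are frequently truncated. The DataPath value is the path the Packager server would write to on the victim system, which is why the script reports it alongside the hash.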

Usage

The script can be run against Word documents (.doc), RTF files, or carved OLE10Native streams:

python psparser.py sample1.doc

 [*] Analyzing file....
 [*] File is an OLE file...
 [*] Processing Streams...
 [*] Found Ole10Native Stream...checking for packager data
 [*] Stream contains Packager Formatted data...
  Header:         0200
  Label:
  FormatId:       00000300
  OriginalPath:   C:\Aaa\exe\v21.exe
  Extract Path:   C:\Users\M\AppData\Local\Temp\v21.exe
  Data Size:      221696
  Data (SHA1):    c8671177cc462bdd6eb1a36935e885103283f7e1

Extracting Data

To extract data, pass the --extract switch to write the data stream to the current directory. The name of the file will be the MD5 hash of the embedded data.

python psparser.py sample2.doc --extract
 [*] Analyzing file....
 [*] File is an OLE file...
 [*] Processing Streams...
 [*] Found Ole10Native Stream...checking for packager data
 [*] Stream contains Packager Formatted data...
  Header:         0200
  Label:          krt21.exe
  FormatId:       00000300
  OriginalPath:   C:\Aaa\exe\krt21.exe
  Extract Path:   C:\Users\ADMINI~1\AppData\Local\Temp\krt21.exe
  Data Size:      281600
  Data (SHA1):    dbf612659710fa1e463693ec2cce157be9844a01
 Extracting embedded data as 7000ed249bbb16862e5e6f5af250faba

Future Research

  • Confirm UType field values
