private void GetPrinters(OleDocument doc) { using (Stream WordDocument = doc.OpenStream("WordDocument")) { if (WordDocument == null) { return; } BinaryReader br = new BinaryReader(WordDocument); WordDocument.Seek(0xB, SeekOrigin.Begin); Byte tipo = br.ReadByte(); WordDocument.Seek(0x172, SeekOrigin.Begin); UInt32 dir = br.ReadUInt32(); UInt32 tam = br.ReadUInt32(); if (tam > 0) { Stream table = doc.OpenStream((tipo & 2) == 2 ? "1Table" : "0Table"); Byte[] DriverImpresora = new Byte[tam]; table.Seek(dir, SeekOrigin.Begin); table.Read(DriverImpresora, 0, (int)tam); FoundPrinters.AddUniqueItem(Functions.FilterPrinter(Encoding.Default.GetString(DriverImpresora).Replace("\0", ""))); table.Close(); } } }
private void ReadDocument(OleDocument doc) { doc.readMSAT(); doc.readSAT(); doc.readSSAT(); doc.readDir(); }
private void GetPathPpt(OleDocument doc) { using (var WordDocument = doc.OpenStream("PowerPoint Document")) { if (WordDocument == null) { return; } try { WordDocument.Seek(0, SeekOrigin.Begin); using (var sr = new StreamReader(doc.OpenStream("PowerPoint Document"), Encoding.Unicode)) { foreach (Match m in Regex.Matches(sr.ReadToEnd(), @"([a-z]:|\\)\\[a-zá-ú0-9\\\s,;.\-_#\$%&()=ñ´'¨{}Ç`/n/r\[\]+^@]+\\[a-zá-ú0-9\\\s,;.\-_#\$%&()=ñ´'¨{}Ç`/n/r\[\]+^@]+", RegexOptions.IgnoreCase)) { string path = m.Value.Trim(); FoundPaths.AddUniqueItem(PathAnalysis.CleanPath(path), true); } } } catch (Exception) { } } }
private void GetImagesPpt(OleDocument doc) { using (Stream stmPictures = doc.OpenStream("Pictures")) { if (stmPictures == null) { return; } int ImagesFound = 0; stmPictures.Seek(0, SeekOrigin.Begin); while (stmPictures.Position < stmPictures.Length - 0x19) { stmPictures.Seek(0x4, SeekOrigin.Current); BinaryReader brData = new BinaryReader(stmPictures); UInt32 PICLength = brData.ReadUInt32(); if (PICLength == 0 || stmPictures.Position + PICLength > stmPictures.Length) { break; } byte[] bufferPIC = brData.ReadBytes((int)PICLength); string strImageName = "Image" + ImagesFound++; using (MemoryStream msJPG = new MemoryStream(bufferPIC, 0x11, bufferPIC.Length - 0x11)) { EXIFDocument eDoc = new EXIFDocument(msJPG, ".jpg"); eDoc.analyzeFile(); eDoc.Close(); if (eDoc.Thumbnail != null) { lon += eDoc.Thumbnail.Length; } cont++; System.Diagnostics.Debug.WriteLine(cont.ToString()); System.Diagnostics.Debug.WriteLine(lon / (1024 * 1024) + " Megacas"); dicPictureEXIF.Add(strImageName, eDoc); foreach (UserItem uiEXIF in eDoc.FoundUsers.Items) { FoundUsers.AddUniqueItem(uiEXIF.Name, false, uiEXIF.Notes); } foreach (ApplicationsItem Application in eDoc.FoundMetaData.Applications.Items) { string strApplication = Application.Name; if (!string.IsNullOrEmpty(strApplication.Trim()) && !FoundMetaData.Applications.Items.Any(A => A.Name == strApplication.Trim())) { FoundMetaData.Applications.Items.Add(new ApplicationsItem(strApplication.Trim())); } } } } } }
private void GetLinksBinary(OleDocument doc) { var pending = new List <Action>() { () => GetLinksBinaryWorkbook(doc.OpenStream("Workbook")), () => GetLinksWordDocument(doc.OpenStream("WordDocument")), () => GetLinksBinaryPowerPointDocument(doc.OpenStream("PowerPoint Document")) }; foreach (var call in pending) { call(); } pending.Clear(); }
public override void analyzeFile() { OleDocument doc = null; try { doc = new OleDocument(stm); if (!doc.isValid()) { return; } ReadDocument(doc); GetSummaryInformation(doc); AnalizarTitulo(); AnalizarPlantilla(); GetPrinters(doc); GetRelatedDocuments(doc); GetPrintersInXls(doc); GetHistory(doc); GetOperatingSystem(doc); GetPathPpt(doc); GetImagesDoc(doc); GetImagesPpt(doc); GetLinksBinary(doc); GetUserFromPaths(); } catch (Exception e) { System.Diagnostics.Debug.WriteLine(e.ToString()); return; } finally { if (doc != null) { doc.Close(); } } }
private void GetRelatedDocuments(OleDocument doc) { using (Stream WordDocument = doc.OpenStream("WordDocument")) { if (WordDocument == null) { return; } BinaryReader br = new BinaryReader(WordDocument); WordDocument.Seek(0xB, SeekOrigin.Begin); Byte tipo = br.ReadByte(); WordDocument.Seek(0x19A, SeekOrigin.Begin); UInt32 dir = br.ReadUInt32(); UInt32 tam = br.ReadUInt32(); if (tam > 8) { Stream table = doc.OpenStream((tipo & 2) == 2 ? "1Table" : "0Table"); BinaryReader br1 = new BinaryReader(table); table.Seek(dir, SeekOrigin.Begin); bool unicode = br1.ReadUInt16() == 0xFFFF; int nro_strings = br1.ReadInt16(); int len_extradata = br1.ReadInt32(); if (nro_strings > 0) { int strSize = br1.ReadInt16(); string ruta; if (unicode) { Byte[] cadena = br1.ReadBytes(strSize * 2); ruta = Encoding.Unicode.GetString(cadena).Replace('\0', ' '); } else { Byte[] cadena = br1.ReadBytes(strSize); ruta = Encoding.Default.GetString(cadena).Replace('\0', ' '); } FoundPaths.AddUniqueItem(PathAnalysis.CleanPath(ruta), true); } table.Close(); } } }
private void GetSummaryInformation(OleDocument doc) { using (Stream SummaryInformation = doc.OpenStream("SummaryInformation")) { if (SummaryInformation != null) { SummaryInformation.Seek(0, SeekOrigin.Begin); OleStream os = new OleStream(SummaryInformation); os.GetMetadata(FoundMetaData, FoundUsers, FoundDates, FoundEmails); } } using (Stream DocumentSummaryInformation = doc.OpenStream("DocumentSummaryInformation")) { if (DocumentSummaryInformation != null) { DocumentSummaryInformation.Seek(0, SeekOrigin.Begin); OleStream os = new OleStream(DocumentSummaryInformation); os.GetMetadata(FoundMetaData, FoundUsers, FoundDates, FoundEmails); } } }
private void GetImagesDoc(OleDocument doc) { using (Stream WordDocument = doc.OpenStream("WordDocument")) { using (Stream stmData = doc.OpenStream("Data")) { if (WordDocument == null || stmData == null) { return; } WordDocument.Seek(0x18, SeekOrigin.Begin); BinaryReader br = new BinaryReader(WordDocument); Int32 fcMin = br.ReadInt32(); Int32 fcMac = br.ReadInt32(); Int32 FKPStart = fcMac % 0x200 == 0 ? fcMac : (fcMac - fcMac % 0x200) + 0x200; WordDocument.Seek(FKPStart, SeekOrigin.Begin); int ImagesFound = 0; while (WordDocument.Position + 0x200 < WordDocument.Length) { byte[] FKP = br.ReadBytes(0x200); if (FKP[0x1FF] == 00) { break; } foreach (int offset in Functions.SearchBytesInBytes(FKP, new byte[] { 0x03, 0x6A })) { if (offset < 0x200 - 5) { int PICOffset = FKP[offset + 5] * 0x1000000 + FKP[offset + 4] * 0x10000 + FKP[offset + 3] * 0x100 + FKP[offset + 2]; if (PICOffset >= 0 && PICOffset < stmData.Length) { stmData.Seek(PICOffset, SeekOrigin.Begin); BinaryReader brData = new BinaryReader(stmData); UInt32 PICLength = brData.ReadUInt32(); long posOri = stmData.Position; int bufferLen = PICLength < stmData.Length - stmData.Position ? (int)PICLength - 4 : (int)(stmData.Length - stmData.Position); if (bufferLen == 0) { continue; } byte[] bufferPIC = brData.ReadBytes(bufferLen); string strImageName = "Image" + ImagesFound++; using (StreamReader sr = new StreamReader(new MemoryStream(bufferPIC), Encoding.Unicode)) { String sRead = sr.ReadToEnd(); foreach (Match m in Regex.Matches(sRead, @"([a-z]:|\\)\\[a-zá-ú0-9\\\s,;.\-_#\$%&()=ñ´'¨{}Ç`/n/r\[\]+^@]+\\[a-zá-ú0-9\\\s,;.\-_#\$%&()=ñ´'¨{}Ç`/n/r\[\]+^@]+", RegexOptions.IgnoreCase)) { String path = m.Value.Trim(); FoundPaths.AddUniqueItem(PathAnalysis.CleanPath(path), true); strImageName = Path.GetFileName(path); } } List <int> lstJPEG = Functions.SearchBytesInBytes(bufferPIC, new byte[] { 0xFF, 0xD8 }); if (lstJPEG.Count > 0) { using (MemoryStream msJPG = new MemoryStream(bufferPIC, lstJPEG[0], bufferPIC.Length - lstJPEG[0])) { EXIFDocument eDoc = new EXIFDocument(msJPG, ".jpg"); eDoc.analyzeFile(); dicPictureEXIF.Add(strImageName, eDoc); foreach (UserItem uiEXIF in eDoc.FoundUsers.Items) { FoundUsers.AddUniqueItem(uiEXIF.Name, false, uiEXIF.Notes); } foreach (ApplicationsItem Application in eDoc.FoundMetaData.Applications.Items) { string strApplication = Application.Name; if (!string.IsNullOrEmpty(strApplication.Trim()) && !FoundMetaData.Applications.Items.Any(A => A.Name == strApplication.Trim())) { FoundMetaData.Applications.Items.Add(new ApplicationsItem(strApplication.Trim())); } } eDoc.Close(); } } } } } } } } }
private void GetOperatingSystem(OleDocument doc) { byte intHighVersion, intLowVersion; doc.GetOperatingSystemFromStreamHeaders(out intHighVersion, out intLowVersion); switch (intHighVersion) { case 1: switch (intLowVersion) { case 0: if (FoundMetaData.Applications.Items.Count == 0) { FoundMetaData.Applications.Items.Add(new ApplicationsItem("OpenOffice")); } break; } break; case 3: switch (intLowVersion) { case 10: FoundMetaData.OperativeSystem = "Mac OS"; break; case 51: FoundMetaData.OperativeSystem = "Windows NT 3.51"; break; } break; case 4: switch (intLowVersion) { case 0: FoundMetaData.OperativeSystem = "Windows NT 4.0"; break; case 10: FoundMetaData.OperativeSystem = "Windows 98"; break; } break; case 5: switch (intLowVersion) { case 0: FoundMetaData.OperativeSystem = "Windows Server 2000"; break; case 1: FoundMetaData.OperativeSystem = "Windows XP"; break; case 2: FoundMetaData.OperativeSystem = "Windows Server 2003"; break; } break; case 6: switch (intLowVersion) { case 0: FoundMetaData.OperativeSystem = "Windows Vista"; break; case 1: FoundMetaData.OperativeSystem = "Windows 7"; break; } break; } }
private void GetHistory(OleDocument doc) { using (Stream WordDocument = doc.OpenStream("WordDocument")) { if (WordDocument == null) { return; } BinaryReader br = new BinaryReader(WordDocument); WordDocument.Seek(0xB, SeekOrigin.Begin); Byte tipo = br.ReadByte(); WordDocument.Seek(0x2D2, SeekOrigin.Begin); UInt32 dir = br.ReadUInt32(); UInt32 tam = br.ReadUInt32(); if (tam > 0) { using (var table = doc.OpenStream((tipo & 2) == 2 ? "1Table" : "0Table")) { table.Seek(dir, SeekOrigin.Begin); br = new BinaryReader(table); Boolean unicode = br.ReadUInt16() == 0xFFFF; UInt32 nroCadenas = br.ReadUInt16(); UInt32 extraDataTable = br.ReadUInt16(); for (int i = 0; i < nroCadenas; i += 2) { HistoryItem hi = new HistoryItem(); UInt16 strSize = br.ReadUInt16(); if (unicode) { Byte[] cadena = br.ReadBytes(strSize * 2); hi.Author = Encoding.Unicode.GetString(cadena).Replace('\0', ' '); } else { Byte[] cadena = br.ReadBytes(strSize); hi.Author = Encoding.Default.GetString(cadena).Replace('\0', ' '); } FoundUsers.AddUniqueItem(hi.Author, false, "History"); strSize = br.ReadUInt16(); if (unicode) { Byte[] cadena = br.ReadBytes(strSize * 2); hi.Path = Encoding.Unicode.GetString(cadena).Replace('\0', ' '); } else { Byte[] cadena = br.ReadBytes(strSize); hi.Path = Encoding.Default.GetString(cadena).Replace('\0', ' '); } FoundHistory.Items.Add(hi); bool IsComputerPath = false; foreach (UserItem ui in FoundUsers.Items) { if (hi.Author.Trim() == ui.Name.Trim()) { IsComputerPath = ui.IsComputerUser; } } FoundPaths.AddUniqueItem(PathAnalysis.CleanPath(hi.Path), IsComputerPath); } } } } }
private void GetPrintersInXls(OleDocument doc) { using (Stream Workbook = doc.OpenStream("Workbook")) { if (Workbook == null) { return; } BinaryReader br = new BinaryReader(Workbook); Workbook.Seek(0, SeekOrigin.Begin); while (Workbook.Position <= Workbook.Length - 2) { try { Int16 Tipo = br.ReadInt16(); Int16 Len = br.ReadInt16(); if (Len < 0) { break; } if (Tipo == 0x4D) { long PosOri = Workbook.Position; if (br.ReadInt16() == 0) { String PrinterName = Encoding.Unicode.GetString(br.ReadBytes(32 * 2)).Replace('\0', ' '); br.ReadInt16(); br.ReadInt16(); Int16 StructSize = br.ReadInt16(); Int16 DriverSize = br.ReadInt16(); if (DriverSize != 0) { Workbook.Seek(StructSize - (8 + 64), SeekOrigin.Current); Byte[] Driver = br.ReadBytes(DriverSize); String ImpresoraDriver = Functions.ExtractPrinterFromBytes(Driver); if (!string.IsNullOrEmpty(ImpresoraDriver.Trim())) { FoundPrinters.AddUniqueItem(Functions.FilterPrinter(ImpresoraDriver.Replace("\0", ""))); } else { FoundPrinters.AddUniqueItem(Functions.FilterPrinter(PrinterName.Replace("\0", ""))); } } else { FoundPrinters.AddUniqueItem(Functions.FilterPrinter(PrinterName.Replace("\0", ""))); } } Workbook.Position = PosOri; } Workbook.Seek(Len, SeekOrigin.Current); } catch { break; } } } }