Subject: [iSF] MS File Format Manipulation Tool
From: Darien Kindlund
Date: Tue, 25 Nov 2003 15:32:40 -0500
To: INFOSEC-LIST@lists.mitre.org

Are you interested in Microsoft application file formats?

With the release of the Windows 3.0/3.1 operating systems, Microsoft designed an interoperable file format for use with any Windows-based application, loosely known as the “MS OLE File System Specification.” Analogous to .ZIP files, this MS file format stores data in a hierarchical file system-based structure, where directory and file entries are considered storages and streams, respectively. Revised in 1993, Microsoft released the MS OLE v2.0 File System Specification, also known as Structured Storage or Compound File Format. Microsoft has released this specification to application developers in order to promote its use, implementing the base format in all Office application versions since Office 95.

As part of the work for my sponsor, I’ve released a Java-based “MS File Format Manipulation Utility,” capable of:

- Graphically viewing an internal OLE file system
- Viewing the file system in binary (hex) form
- Deleting specified storages/streams
- Renaming specified storages/streams
- Exporting specified storages/streams to another OLE file system or translated to physical directories/files
- Importing specified storages/streams [via same methods]
- Defragmenting an OLE file system (to remove unused space between storages/streams)

Subsequently, this tool facilitates understanding application data within Microsoft Office file formats, such as PowerPoint, Word, and Excel.

Microsoft has not released the technical implementation details regarding the OLE v2.0 File System Specification but provides a set of Windows libraries to access data within this format. However, other open-source efforts exist for manipulating this format. This work leverages an existing, open-source effort entitled the “Apache Jakarta Project: POI File System”.
URL: http://jakarta.apache.org/poi/index.html

Note: POI stands for Microsoft’s (P)oorly (O)bfuscated (I)mplementation of an internal file system.

This project has a MITRE iSF project URL: http://developer.mitre.org/projects/oleutil/

For detailed questions regarding this project’s use, please email me directly (kindlund@mitre.org) rather than posting to the SourceForge website, as primary work on this project has been completed.

Requirements: Java JRE v1.4.2

Source (including JavaDOC) can be downloaded at: http://download.developer.mitre.org/oleutil/OLEUtil-src.tar.gz

A complete .JAR file can be downloaded at: http://download.developer.mitre.org/oleutil/OLEUtil.jar

Usage:

With the java executable in your path, the basic command style is: "java -jar OLEUtil.jar [args]"

For help, you would type: "java -jar OLEUtil.jar -help"

Use Case Examples:

- Let's say you want to graphically browse the "temp.doc" Word document.
  Type: "java -jar OLEUtil.jar -b temp.doc"

- Let's say you want to get a basic hex output of the "temp.doc" Word document.
  Type: "java -jar OLEUtil.jar -h temp.doc"
  It would probably be helpful to pipe the output to a file, since it's usually long.
  Type: "java -jar OLEUtil.jar -h temp.doc > output.txt"

- Let's say you want to delete the "Macros" storage in the "temp.doc" Word document.
  Type: "java -jar OLEUtil.jar -d temp.doc /Macros"

- Let's say you want to rename the "Macros" storage to "OldMacros" in the "temp.doc" Word document.
  Type: "java -jar OLEUtil.jar -r temp.doc /Macros /OldMacros"

- Let's say you want to export ALL storages/streams in the "temp.doc" Word document out to a directory.
  Create the subdirectory "test" by typing: "mkdir test".
  We're going to need to create a text file containing all entries to export. Create a "list.txt" file, with "/.*" as the only text in the file; this is a regular expression indicating we want to export all storages/streams from the root storage onward.
  Type: "java -jar OLEUtil.jar -e temp.doc list.txt test/"

- Let's say you want to subsequently import ALL storages/streams within the "test" subdirectory into a new "temp2.doc" Word document.
  Type: "java -jar OLEUtil.jar -i temp2.doc list.txt test/"

- Let's say you want to defragment the "temp.doc" Word document.
  Type: "java -jar OLEUtil.jar -x temp.doc"

--
Darien Kindlund
The MITRE Corporation
InfoSec Engr / Scientist
kindlund@mitre.org - (703) 883-5858

http://rei1.m-plify.net/poi-docs/

What does POI stand for?

POI stands for Poor Obfuscation Implementation. Why would we name our project such a derogatory name? Well, Microsoft's OLE 2 Compound Document Format is a poorly conceived thing. It is essentially an archive structured much like the old DOS FAT filesystem. Redmond chose, instead of using tar, gzip, zip or arc, to invent their own archive format that does not provide any standard encryption or compression, is not very appendable and is prone to fragmentation.
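The storage/stream hierarchy the announcement describes, and the FAT-like sector chaining the POI FAQ alludes to, can be seen directly in the bytes of a compound file. The following added example (editor's code, not part of the original post, OLEUtil or POI) constructs a minimal OLE2 v3 file in memory with a `/Macros` storage and two streams, then walks its FAT-chained directory sectors and the directory's sibling/child tree to list every storage and stream, which is what the tool's `-b` browser shows. The constructed layout, names and sentinel handling are assumptions about a minimal valid file, and the chain walk stops on a looped FAT so that a damaged or fragmented file cannot spin it forever.

```python
import struct
MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 / Compound File Binary signature (v3 layout below)
ENDOFCHAIN, FREESECT, FATSECT, NOSTREAM = 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFD, 0xFFFFFFFF
SECTOR, TYPE_NAMES = 512, {1: "storage", 2: "stream", 5: "root"}

def dir_entry(name, obj_type, left=NOSTREAM, right=NOSTREAM, child=NOSTREAM):
    raw = name.encode("utf-16-le") + b"\x00\x00"  # 128-byte entry; name-length field counts the terminator
    return struct.pack("<64sHBBIII16sI8s8sIQ", raw.ljust(64, b"\x00"), len(raw), obj_type,
                       1, left, right, child, b"\x00" * 16, 0, b"\x00" * 8, b"\x00" * 8, 0, 0)

def build_sample_doc():
    """Constructed minimal compound file: FAT in sector 0, directory in sector 1, no stream data."""
    header = struct.pack("<8s16sHHHHH6sIIIIIIIII", MAGIC, b"\x00" * 16, 0x3E, 3, 0xFFFE, 9, 6,
                         b"\x00" * 6, 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    header += struct.pack("<109I", 0, *[FREESECT] * 108)  # DIFAT: the single FAT sector is sector 0
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, *[FREESECT] * 126)  # directory chain: just sector 1
    directory = b"".join([
        dir_entry("Root Entry", 5, child=1),   # entry 0: root storage
        dir_entry("WordDocument", 2, left=2),  # entry 1: stream; its left sibling is Macros
        dir_entry("Macros", 1, child=3),       # entry 2: storage whose child is entry 3
        dir_entry("VBA", 2),                   # entry 3: stream inside /Macros
    ]).ljust(SECTOR, b"\x00")                  # unused entries stay type 0 (unallocated)
    return header + fat + directory

def sector(data, n):
    return data[(n + 1) * SECTOR:(n + 2) * SECTOR]  # sector 0 begins right after the 512-byte header

def list_entries(data):
    """Return (path, type) for each reachable storage/stream, as the tool's -b browser shows them."""
    if data[:8] != MAGIC or struct.unpack_from("<H", data, 0x1E)[0] != 9:
        raise ValueError("not a v3 OLE2 compound file with 512-byte sectors")
    fat = struct.unpack("<128I", sector(data, struct.unpack_from("<I", data, 0x4C)[0]))
    entries, sect, visited = [], struct.unpack_from("<I", data, 0x30)[0], set()
    while sect != ENDOFCHAIN and sect < len(fat) and sect not in visited:  # stop on a looped chain
        visited.add(sect)
        entries += [sector(data, sect)[i:i + 128] for i in range(0, SECTOR, 128)]
        sect = fat[sect]
    found = []
    def walk(i, prefix, seen):  # in-order walk of the sibling tree, descending into each child
        if i == NOSTREAM or i >= len(entries) or i in seen: return
        seen.add(i)
        e = entries[i]
        left, right, child = struct.unpack_from("<III", e, 0x44)
        walk(left, prefix, seen)
        path = prefix + e[:max(struct.unpack_from("<H", e, 0x40)[0] - 2, 0)].decode("utf-16-le")
        found.append((path, TYPE_NAMES.get(e[0x42], "unknown")))
        walk(child, path + "/", seen)
        walk(right, prefix, seen)
    walk(struct.unpack_from("<I", entries[0], 0x4C)[0] if entries else NOSTREAM, "/", set())
    return found
```

Running `list_entries(build_sample_doc())` yields `/Macros` (storage), `/Macros/VBA` (stream) and `/WordDocument` (stream); pointing it at a real .doc shows the same tree the `-d temp.doc /Macros` example operates on.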