OleFileIO_PL is a Python module to read Microsoft OLE2 files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), such as Microsoft Office documents, Image Composer and FlashPix files, Outlook messages, ... This my improved version of the OleFileIO module from PIL, the excellent Python Imaging Library, created and maintained by Fredrik Lundh. The API is still compatible with PIL, but I have improved the internal implementation significantly, with many bugfixes and a more robust design.
As far as I know, this module is now the most complete and robust Python implementation to read MS OLE2 files, portable on several operating systems. (please tell me if you know other similar Python modules)
I have also created python-oletools, a package of python tools to analyze OLE files based on OleFileIO_PL, mainly for malware analysis and debugging. It includes olebrowse, a graphical tool to browse and extract OLE streams, oleid to quickly identify characteristics of malicious documents, and pyxswf to extract Flash objects (SWF) from OLE files.
WARNING: THIS IS (STILL) WORK IN PROGRESS.
The archive is available on the project page.
OleFileIO_PL changes are Copyright (c) 2005-2012 by Philippe Lagadec.
The Python Imaging Library (PIL) is
- Copyright (c) 1997-2005 by Secret Labs AB
- Copyright (c) 1995-2005 by Fredrik Lundh
By obtaining, using, and/or copying this software and/or its associated documentation, you agree that you have read, understood, and will comply with the following terms and conditions:
Permission to use, copy, modify, and distribute this software and its associated documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appears in all copies, and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of Secret Labs AB or the author not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission.
SECRET LABS AB AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL SECRET LABS AB OR THE AUTHOR BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
See sample code at the end of the module, and also docstrings.
Here are a few examples:
import OleFileIO_PL # Test if a file is an OLE container: assert OleFileIO_PL.isOleFile('myfile.doc') # Open an OLE file: ole = OleFileIO_PL.OleFileIO('myfile.doc') # Get list of streams: print ole.listdir() # Test if known streams/storages exist: if ole.exists('worddocument'): print "This is a Word document." print "size :", ole.get_size('worddocument') if ole.exists('macros/vba'): print "This document seems to contain VBA macros."
# Extract the "Pictures" stream from a PPT file: if ole.exists('Pictures'): pics = ole.openstream('Pictures') data = pics.read() f = open('Pictures.bin', 'w') f.write(data) f.close() # Extract metadata (new in v0.24) - see source code for all attributes: meta = ole.get_metadata() print 'Author:', meta.author print 'Title:', meta.title print 'Creation date:', meta.create_time # print all metadata: meta.dump() # Close the OLE file: ole.close() # Work with a file-like object (e.g. StringIO) instead of a file on disk: data = open('myfile.doc', 'rb').read() f = StringIO.StringIO(data) ole = OleFileIO_PL.OleFileIO(f) print ole.listdir() ole.close()
It can also be used as a script from the command-line to display the structure of an OLE file, for example:
A real-life example: using OleFileIO_PL for malware analysis and forensics.
See also this paper about python tools for forensics, which features OleFileIO_PL.
I have published python-oletools, a package of python tools to analyze OLE files based on OleFileIO_PL, mainly for malware analysis and debugging. It includes olebrowse, a graphical tool to browse and extract OLE streams, oleid to quickly identify characteristics of malicious documents, and pyxswf to extract Flash objects (SWF) from OLE files.
The code is available in a Mercurial repository on bitbucket. You may use it to submit enhancements or to report any issue.
If you would like to help us improve this module, or simply provide feedback, you may also send an e-mail to decalage(at)laposte.net. You can help in many ways:
To report a bug, for example a normal file which is not parsed correctly, please use the issue reporting page, or send an e-mail with an attachment containing the debugging output of OleFileIO_PL.
For this, launch the following command :
OleFileIO_PL.py -d -c file >debug.txt