/ open-webui.git / app / env / lib64 / python3.11 / site-packages / oletools / doc / rtfobj.html

Save
<!DOCTYPE html> <html xmlns="http://www.w3.org/1999/xhtml" lang="" xml:lang=""> <head> <meta charset="utf-8" /> <meta name="generator" content="pandoc" /> <meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=yes" /> <title>-</title> <style> html { line-height: 1.5; font-family: Georgia, serif; font-size: 20px; color: #1a1a1a; background-color: #fdfdfd; } body { margin: 0 auto; max-width: 36em; padding-left: 50px; padding-right: 50px; padding-top: 50px; padding-bottom: 50px; hyphens: auto; overflow-wrap: break-word; text-rendering: optimizeLegibility; font-kerning: normal; } @media (max-width: 600px) { body { font-size: 0.9em; padding: 1em; } h1 { font-size: 1.8em; } } @media print { body { background-color: transparent; color: black; font-size: 12pt; } p, h2, h3 { orphans: 3; widows: 3; } h2, h3, h4 { page-break-after: avoid; } } p { margin: 1em 0; } a { color: #1a1a1a; } a:visited { color: #1a1a1a; } img { max-width: 100%; } h1, h2, h3, h4, h5, h6 { margin-top: 1.4em; } h5, h6 { font-size: 1em; font-style: italic; } h6 { font-weight: normal; } ol, ul { padding-left: 1.7em; margin-top: 1em; } li > ol, li > ul { margin-top: 0; } blockquote { margin: 1em 0 1em 1.7em; padding-left: 1em; border-left: 2px solid #e6e6e6; color: #606060; } code { font-family: Menlo, Monaco, 'Lucida Console', Consolas, monospace; font-size: 85%; margin: 0; } pre { margin: 1em 0; overflow: auto; } pre code { padding: 0; overflow: visible; overflow-wrap: normal; } .sourceCode { background-color: transparent; overflow: visible; } hr { background-color: #1a1a1a; border: none; height: 1px; margin: 1em 0; } table { margin: 1em 0; border-collapse: collapse; width: 100%; overflow-x: auto; display: block; font-variant-numeric: lining-nums tabular-nums; } table caption { margin-bottom: 0.75em; } tbody { margin-top: 0.5em; border-top: 1px solid #1a1a1a; border-bottom: 1px solid #1a1a1a; } th { border-top: 1px solid #1a1a1a; padding: 0.25em 0.5em 0.25em 0.5em; } td { padding: 0.125em 0.5em 0.25em 0.5em; } header { margin-bottom: 4em; text-align: center; } #TOC li { list-style: none; } #TOC ul { padding-left: 1.3em; } #TOC > ul { padding-left: 0; } #TOC a:not(:hover) { text-decoration: none; } code{white-space: pre-wrap;} span.smallcaps{font-variant: small-caps;} span.underline{text-decoration: underline;} div.column{display: inline-block; vertical-align: top; width: 50%;} div.hanging-indent{margin-left: 1.5em; text-indent: -1.5em;} ul.task-list{list-style: none;} pre > code.sourceCode { white-space: pre; position: relative; } pre > code.sourceCode > span { display: inline-block; line-height: 1.25; } pre > code.sourceCode > span:empty { height: 1.2em; } .sourceCode { overflow: visible; } code.sourceCode > span { color: inherit; text-decoration: inherit; } div.sourceCode { margin: 1em 0; } pre.sourceCode { margin: 0; } @media screen { div.sourceCode { overflow: auto; } } @media print { pre > code.sourceCode { white-space: pre-wrap; } pre > code.sourceCode > span { text-indent: -5em; padding-left: 5em; } } pre.numberSource code { counter-reset: source-line 0; } pre.numberSource code > span { position: relative; left: -4em; counter-increment: source-line; } pre.numberSource code > span > a:first-child::before { content: counter(source-line); position: relative; left: -1em; text-align: right; vertical-align: baseline; border: none; display: inline-block; -webkit-touch-callout: none; -webkit-user-select: none; -khtml-user-select: none; -moz-user-select: none; -ms-user-select: none; user-select: none; padding: 0 4px; width: 4em; color: #aaaaaa; } pre.numberSource { margin-left: 3em; border-left: 1px solid #aaaaaa; padding-left: 4px; } div.sourceCode { } @media screen { pre > code.sourceCode > span > a:first-child::before { text-decoration: underline; } } code span.al { color: #ff0000; font-weight: bold; } /* Alert */ code span.an { color: #60a0b0; font-weight: bold; font-style: italic; } /* Annotation */ code span.at { color: #7d9029; } /* Attribute */ code span.bn { color: #40a070; } /* BaseN */ code span.bu { color: #008000; } /* BuiltIn */ code span.cf { color: #007020; font-weight: bold; } /* ControlFlow */ code span.ch { color: #4070a0; } /* Char */ code span.cn { color: #880000; } /* Constant */ code span.co { color: #60a0b0; font-style: italic; } /* Comment */ code span.cv { color: #60a0b0; font-weight: bold; font-style: italic; } /* CommentVar */ code span.do { color: #ba2121; font-style: italic; } /* Documentation */ code span.dt { color: #902000; } /* DataType */ code span.dv { color: #40a070; } /* DecVal */ code span.er { color: #ff0000; font-weight: bold; } /* Error */ code span.ex { } /* Extension */ code span.fl { color: #40a070; } /* Float */ code span.fu { color: #06287e; } /* Function */ code span.im { color: #008000; font-weight: bold; } /* Import */ code span.in { color: #60a0b0; font-weight: bold; font-style: italic; } /* Information */ code span.kw { color: #007020; font-weight: bold; } /* Keyword */ code span.op { color: #666666; } /* Operator */ code span.ot { color: #007020; } /* Other */ code span.pp { color: #bc7a00; } /* Preprocessor */ code span.sc { color: #4070a0; } /* SpecialChar */ code span.ss { color: #bb6688; } /* SpecialString */ code span.st { color: #4070a0; } /* String */ code span.va { color: #19177c; } /* Variable */ code span.vs { color: #4070a0; } /* VerbatimString */ code span.wa { color: #60a0b0; font-weight: bold; font-style: italic; } /* Warning */ .display.math{display: block; text-align: center; margin: 0.5rem auto;} </style> </head> <body> <h1 id="rtfobj">rtfobj</h1> <p>rtfobj is a Python module to detect and extract embedded objects stored in RTF files, such as OLE objects. It can also detect OLE Package objects, and extract the embedded files.</p> <p>Since v0.50, rtfobj contains a custom RTF parser that has been designed to match MS Word’s behaviour, in order to handle obfuscated RTF files. See my article <a href="http://decalage.info/rtf_tricks">“Anti-Analysis Tricks in Weaponized RTF”</a> for some concrete examples.</p> <p>rtfobj can be used as a Python library or a command-line tool.</p> <p>It is part of the <a href="http://www.decalage.info/python/oletools">python-oletools</a> package.</p> <h2 id="usage">Usage</h2> <pre class="text"><code>rtfobj [options] &lt;filename&gt; [filename2 ...] Options: -h, --help show this help message and exit -r find files recursively in subdirectories. -z ZIP_PASSWORD, --zip=ZIP_PASSWORD if the file is a zip archive, open first file from it, using the provided password (requires Python 2.6+) -f ZIP_FNAME, --zipfname=ZIP_FNAME if the file is a zip archive, file(s) to be opened within the zip. Wildcards * and ? are supported. (default:*) -l LOGLEVEL, --loglevel=LOGLEVEL logging level debug/info/warning/error/critical (default=warning) -s SAVE_OBJECT, --save=SAVE_OBJECT Save the object corresponding to the provided number to a file, for example &quot;-s 2&quot;. Use &quot;-s all&quot; to save all objects at once. -d OUTPUT_DIR use specified directory to save output files.</code></pre> <p>rtfobj displays a list of the OLE and Package objects that have been detected, with their attributes such as class and filename.</p> <p>When an OLE Package object contains an executable file or script, it is highlighted as such. For example:</p> <p><img src="rtfobj1.png" /></p> <p>To extract an object or file, use the option -s followed by the object number as shown in the table.</p> <p>Example:</p> <pre class="text"><code>rtfobj -s 0</code></pre> <p>It extracts and decodes the corresponding object, and saves it as a file named “object_xxxx.bin”, xxxx being the location of the object in the RTF file.</p> <h2 id="how-to-use-rtfobj-in-python-applications">How to use rtfobj in Python applications</h2> <p>As of v0.50, the API has changed significantly and it is not final yet. For now, see the class RtfObjectParser in the code.</p> <h3 id="deprecated-api-still-functional">Deprecated API (still functional):</h3> <p>rtf_iter_objects(filename) is an iterator which yields a tuple (index, orig_len, object) providing the index of each hexadecimal stream in the RTF file, and the corresponding decoded object.</p> <p>Example:</p> <div class="sourceCode" id="cb3"><pre class="sourceCode python"><code class="sourceCode python"><span id="cb3-1"><a href="#cb3-1" aria-hidden="true" tabindex="-1"></a><span class="im">from</span> oletools <span class="im">import</span> rtfobj</span> <span id="cb3-2"><a href="#cb3-2" aria-hidden="true" tabindex="-1"></a><span class="cf">for</span> index, orig_len, data <span class="kw">in</span> rtfobj.rtf_iter_objects(<span class="st">&quot;myfile.rtf&quot;</span>):</span> <span id="cb3-3"><a href="#cb3-3" aria-hidden="true" tabindex="-1"></a> <span class="bu">print</span>(<span class="st">&#39;found object size </span><span class="sc">%d</span><span class="st"> at index </span><span class="sc">%08X</span><span class="st">&#39;</span> <span class="op">%</span> (<span class="bu">len</span>(data), index))</span></code></pre></div> <hr /> <h2 id="python-oletools-documentation">python-oletools documentation</h2> <ul> <li><a href="Home.html">Home</a></li> <li><a href="License.html">License</a></li> <li><a href="Install.html">Install</a></li> <li><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</li> <li>Tools: <ul> <li><a href="mraptor.html">mraptor</a></li> <li><a href="msodde.html">msodde</a></li> <li><a href="olebrowse.html">olebrowse</a></li> <li><a href="oledir.html">oledir</a></li> <li><a href="oleid.html">oleid</a></li> <li><a href="olemap.html">olemap</a></li> <li><a href="olemeta.html">olemeta</a></li> <li><a href="oleobj.html">oleobj</a></li> <li><a href="oletimes.html">oletimes</a></li> <li><a href="olevba.html">olevba</a></li> <li><a href="pyxswf.html">pyxswf</a></li> <li><a href="rtfobj.html">rtfobj</a></li> </ul></li> </ul> </body> </html>
Memory