Created
November 21, 2018 07:01
IconCache_parser
import struct | |
import binascii | |
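class IconCache_parser:
    """Read the fixed header and the first entry of a Windows ``IconCache.db``.

    Every offset and length used here comes from the file being examined, so
    the values are treated as untrusted: ``run`` reports a short or damaged
    file rather than printing a silently shortened path.

    Attributes set by ``__init__`` (all read at fixed offsets):
        header_size: little-endian uint32 at 0x00 (overwritten by ``run``).
        signature: raw bytes 0x04-0x08.
        file_version: raw bytes 0x08-0x0C.
        build_number: raw bytes 0x0C-0x10, matched against ``_OS_BY_BUILD``.
    """

    # Raw build_number bytes -> the OS label that check_os_version() returns.
    _OS_BY_BUILD = {
        b"\x54\x0b\x00\x06": "WinXP",
        b"\x72\x17\x00\x06": "WinVista",
        b"\xb1\x1d\x01\x06": "Win7",
        b"\xf0\x2d\x02\x06": "Win8",
        b"\x5a\x29\x00\x00": "Win10",
    }

    # Entry signature values, grouped by how run() labels the path length.
    # NOTE(review): what each value means is not visible in this file.
    _WIN7_DOUBLED = (0x01, 0x11, 0x41)
    _WIN7_PLAIN = (0x02, 0x22, 0x42)
    _WIN10_DOUBLED = (0x01, 0x41, 0x81, 0x91, 0xA1, 0xC1)
    _WIN10_PLAIN = (0x02, 0x22, 0x42)

    def __init__(self, filename):
        """Load *filename* into memory and slice out the 16-byte header.

        Raises:
            OSError: the file cannot be opened or read.
            struct.error: the file holds fewer than 4 bytes.
        """
        self.filename = filename
        # Context manager so the handle is closed even if read() fails.
        with open(self.filename, "rb") as db_file:
            self.data = db_file.read()
        self.header_size = struct.unpack("<L", self.data[:0x4])[0]
        self.signature = self.data[0x4:0x8]
        self.file_version = self.data[0x8:0xc]
        self.build_number = self.data[0xc:0x10]

    def check_os_version(self):
        """Return the OS label for ``build_number``, or None if it is unknown."""
        return self._OS_BY_BUILD.get(self.build_number)

    def run(self):
        """Print the header fields and, for Win7/Win10 files, the first entry.

        Sets ``self.os_version``. Other OS labels (and None) print the header
        only.
        """
        self.os_version = self.check_os_version()
        header_fields = (
            ("filename", self.filename),
            ("header_size", self.header_size),
            ("signature", self.signature),
            ("file_version", self.file_version),
            ("build_number", self.build_number),
            ("os_version", self.os_version),
        )
        for label, value in header_fields:
            print("[*] {} : {}".format(label, value))

        if self.os_version == "Win7":
            self._print_first_entry(0x44, self._WIN7_DOUBLED, self._WIN7_PLAIN)
        elif self.os_version == "Win10":
            self._print_first_entry(0x4C, self._WIN10_DOUBLED, self._WIN10_PLAIN)

    def _print_first_entry(self, start_offset, doubled_signatures, plain_signatures):
        """Print the path length and path of the entry at *start_offset*.

        The four bytes just before *start_offset* are stored in
        ``self.header_size``, as the original code did for both layouts.
        """
        # The entry header (signature + path length) is 4 bytes; without it
        # there is nothing to parse.
        if len(self.data) < start_offset + 4:
            print("[!] file too short for an entry at offset {:#x}".format(start_offset))
            return

        self.header_size = struct.unpack("<L", self.data[start_offset - 4:start_offset])[0]
        # TODO: repeat for the following entries; only the first one is read.
        signature, path_length = struct.unpack(
            "<HH", self.data[start_offset:start_offset + 4]
        )

        if signature in doubled_signatures:
            print("[*] File Path Length * 2 : {}".format(path_length * 2))
            is_doubled = True
        elif signature in plain_signatures:
            print("[*] File Path Length : {}".format(path_length))
            is_doubled = False
        else:
            return

        path_start = start_offset + 4
        raw_path = self.data[path_start:path_start + path_length * 2]
        # path_length comes from the file; a slice shorter than declared means
        # the file is truncated or the length field is wrong.
        if len(raw_path) < path_length * 2:
            print("[!] path truncated: expected {} bytes, found {}".format(
                path_length * 2, len(raw_path)))

        if is_doubled:
            # Two bytes per character: decode as UTF-16LE. Stripping NUL bytes
            # and decoding as UTF-8 breaks on any non-ASCII path.
            path = raw_path.decode("utf-16-le", errors="replace").replace("\x00", "")
        else:
            # NOTE(review): still reads path_length * 2 bytes although the
            # label shows path_length; confirm the width for these signatures.
            path = raw_path.replace(b"\x00", b"").decode("utf-8", errors="replace")
        # NOTE: the path is untrusted file content and is printed unescaped.
        print(path)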
# Parse the sample cache file expected in the current working directory and
# print its header fields and first entry.
a = IconCache_parser(filename="IconCache_win10.db")
a.run()