OLE2 File Format
We use DFVIEW.EXE to show OLE2 file structure.
w97waz-c.vot is dumped as an example. It contains several data folders and documents. In OLE2 jargon, a data folder is called a ‘Data Storage’ and a document is called a ‘Data Stream’.
File header information
[0000H-0003H] OLE2 File signature
“D0 CF 11 E0”, which looks like “DOCFILE”
[0030H-0033H] Root Entry Cluster NO.#
Address = (NO.+1) * 200H = (21H+1) * 200H = 4400H
[Go to Root Entry Address]
[0038H-003BH] Use Small FAT system on data stream below this size
Check Size = 1000H Bytes
[003CH-003FH] Small FAT system FAT Table entry cluster NO.#
Address = (NO.+1) * 200H = (23H+1) * 200H = 4800H
[Go to Small FAT Table Address]
[0044H-0047H] Second Big FAT Index Table entry cluster
If the first Big FAT Index Table is exhausted, use the second one (the second Big FAT Index Table is not used in this example)
[004CH-01FFH] First Big FAT Index Table
Taking 4 bytes as a unit, there are 6DH units from offset 004CH to 01FFH. Each unit contains an entry cluster NO.# that points to a Big FAT Table.
[004CH-004FH] First Big FAT Table entry cluster NO.#
Address = (NO.+1) * 200H = (20H+1) * 200H = 4200H
[Go to First Big FAT Table Address]
BIG FAT Table
Example: FCB link
1. From the File header information we got FCB Root Entry cluster NO. = 21H
To find the cluster link list of FCB from the Big FAT Table:
Next link address = Big FAT Table Start Address + Offset
Offset = NO. * 4
First cluster NO. = 21H
Next link cluster NO. = the contents of the next link address
(4200H+21H*4 = 4284H) , [4284H] = 22H
Next link cluster NO. = the contents of the next link address
(4200H+22H*4 = 4288H) , [4288H] = 26H
Next link cluster NO. = the contents of the next link address
(4200H+26H*4 = 4298H) , [4298H] = 34H
Next link cluster NO. = the contents of the next link address
(4200H+34H*4 = 42D0H) , [42D0H] = NIL
There are 4 clusters.
In the Big FAT Table every link points to a 200H-byte Big Cluster.
Compute the addresses of the clusters by {Big Cluster address = (NO.+1) * 200H}
FCB size = 80H , Big Cluster size = 200H
One cluster contains 4 FCBs, numbered from 0. In this example we have at most 16 FCBs, numbered from 0 to 0FH; the last cluster may have fewer than 4 FCBs.
[Go to FCB NO. #0 #1 #2 #3 #4 #5 #6 #7 #8 #9 #A #B #C #D]
By applying this rule, we can find the Cluster link list of FCB link or Data stream link from FAT Table if we know its Entry Cluster NO.#
Big FAT Table (For Small FAT example)
Small FAT Table
Example: Data stream [autoOpen]
From FCB #8 we know that the total length of data stream [autoOpen] = 0A24H is less than 1000H bytes, so we have to use the Small FAT system.
In the Small FAT Table every link points to a 40H-byte sCluster (Small Cluster), so an original Big Cluster of 200H bytes can contain 8 sClusters (size = 40H bytes).
For convenience we call
Big Cluster (Size 200H bytes) = bCluster
Small Cluster (Size 40H bytes) = sCluster
From offset 74H of the Root Entry, we have Entry bCluster NO. of sCluster #0 = 24H
Entry Address = (NO.+1) * 200H = (24H + 1) * 200H = 4A00H
So the 200H bytes from offset 4A00H contain sCluster NO.#0 ~ #7
[Go to Small Cluster NO.#0-#7]
Use the Big FAT Table to find the bCluster link list starting from bCluster NO.#24H; each bCluster contains 8 sClusters.
Next link address = Big FAT Table Start Address + Offset
Offset = NO.* 4
First cluster NO. = 24H
Next link cluster NO. = the contents of the next link address
(4200H+24H*4 = 4290H) , [4290H] = 25H
Next link cluster NO. = the contents of the next link address
(4200H+25H*4 = 4294H) , [4294H] = 27H
Next link cluster NO. = the contents of the next link address
(4200H+27H*4 = 429CH) , [429CH] = 28H
:
Next link cluster NO. = the contents of the next link address
(4200H+33H*4 = 42CCH) , [42CCH] = 35H
Next link cluster NO. = the contents of the next link address
(4200H+35H*4 = 42D4H) , [42D4H] = NIL
There are 17 Big Clusters.
One bCluster contains 8 sClusters, numbered from 0; we call this number the sCluster NO.
From FCB #8 we know that the entry Small Cluster NO. of data stream [autoOpen] = 10H
Use the Small FAT Table to find the small cluster link list of data stream [autoOpen]:
Next link address = Small FAT Start Address + Offset
Offset = NO.* 4
First small cluster NO. = 10H
Next link small cluster NO. = the contents of the next link address
(4800H+10H*4 = 4840H) , [4840H] = 11H
Next link small cluster NO. = the contents of the next link address
(4800H+11H*4 = 4844H) , [4844H] = 12H
Next link small cluster NO. = the contents of the next link address
(4800H+12H*4 = 4848H) , [4848H] = 13H
:
Next link small cluster NO. = the contents of the next link address
(4800H+37H*4 = 48DCH) , [48DCH] = 38H
Next link small cluster NO. = the contents of the next link address
(4800H+38H*4 = 48E0H) , [48E0H] = NIL
There are 41 Small Clusters.
Compute the owner Big Cluster NO. of the Small Cluster NO. (see step 4 and step 5)
Small cluster address
= [(Owner Big_cluster_NO + 1)* 200H] + [(Small_cluster_NO. MOD 8) * 40H]
= [(27H + 1)*200H] + [(10H MOD 8) * 40H] = 5000H
By applying this rule, we can find the Small Cluster link list of data stream if we know its Entry Small Cluster NO.#
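An added example, not code from the original page: the header lookups, the FAT chain walk and the small-cluster address rule above in Python, run on a constructed buffer that holds only the values quoted in this walkthrough. It assumes a single Big FAT Table at 4200H as in this example, that the links 28H to 33H elided above are consecutive, and that NIL is stored as FFFFFFFEH (the compound-file end-of-chain value); the bounds and loop checks are what the walk needs when the document is untrusted.

```python
import struct

SECTOR, SMALL = 0x200, 0x40   # Big Cluster and Small Cluster sizes used on this page
SPECIAL = 0xFFFFFFFC          # values at or above this are markers (chain end, free), not cluster numbers

def sector_offset(no):
    return (no + 1) * SECTOR  # page rule: address = (NO. + 1) * 200H

def u32(buf, off):
    if off < 0 or off + 4 > len(buf):
        raise ValueError("read at %XH is outside the file" % off)
    return struct.unpack_from("<I", buf, off)[0]

def header_addresses(buf):
    if buf[:4] != bytes.fromhex("D0CF11E0"):
        raise ValueError("not an OLE2 file")
    return {name: sector_offset(u32(buf, off))
            for name, off in (("root", 0x30), ("small_fat", 0x3C), ("big_fat", 0x4C))}

def walk_chain(buf, fat_addr, start):
    """Follow next-link entries (FAT address + NO. * 4) until the NIL marker."""
    chain, seen, no = [], set(), start
    while no < SPECIAL:
        if no in seen:  # a crafted file can point a link back into its own chain
            raise ValueError("FAT chain loops back to cluster %XH" % no)
        seen.add(no)
        chain.append(no)
        no = u32(buf, fat_addr + no * 4)
    return chain

def small_cluster_offset(big_chain, sno):
    """Page rule: (owner bCluster + 1) * 200H + (sCluster NO. MOD 8) * 40H."""
    owner = big_chain[sno // 8]   # IndexError if the bCluster chain is too short
    return sector_offset(owner) + (sno % 8) * SMALL

def build_sample():
    """Constructed buffer: only the header fields and FAT links quoted on this page."""
    buf = bytearray(b"\xff" * 0x4C00)
    buf[0:4] = bytes.fromhex("D0CF11E0")
    for off, val in ((0x30, 0x21), (0x3C, 0x23), (0x4C, 0x20)):
        struct.pack_into("<I", buf, off, val)
    fcb = [0x21, 0x22, 0x26, 0x34]
    mini = [0x24, 0x25] + list(range(0x27, 0x34)) + [0x35]  # 28H..33H assumed consecutive
    for fat, chain in ((0x4200, fcb), (0x4200, mini), (0x4800, list(range(0x10, 0x39)))):
        for cur, nxt in zip(chain, chain[1:] + [0xFFFFFFFE]):
            struct.pack_into("<I", buf, fat + cur * 4, nxt)
    return bytes(buf)
```
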
FCB Directory link
An OLE2 file has a tree-view directory structure. Each FCB uses offsets 44H, 48H and 4CH to store the Left Link, Right Link and Child Link; this information links all FCBs together.
Example: "w9cwaz-c.vot" directory link diagram
[Diagram nodes: FCB #0 to FCB #0DH]
Small Cluster NO.#0 - #7
NIL Pointer
FCB link NO. = FF FF FF FF , FCB link terminal
Data stream length
Data stream total bytes
Data stream entry cluster NO.#
Data stream entry address = (NO.+ 1) * 200H
FCB – Storage or Stream name length
OLE2 Storage and Stream names support Unicode, so a character needs 2 bytes
FCB – Data stream total length
If the total length of the stream data is more than 1000H bytes, OLE2 uses the Big FAT; otherwise it uses the Small FAT
FCB – Data stream entry cluster NO.#
If use Big FAT
Data stream entry address = (NO. + 1) * 200H
If use Small FAT
Reference Small FAT Table