More CFB everywhere

~lucidiot 2024-05-08 02:55:57 +02:00
parent 71fa413788
commit 2a019a4884
1 changed files with 14 additions and 5 deletions

@ -8,7 +8,8 @@ Compound File Binary (CFB) is a file format designed by Microsoft as part of the
* [Official specification][ms-cfb]
* [Wikipedia article][wiki]
* [Python package][olefile] to read and write those files, as well as some Office-specific metadata
* [`olefile` Python package][olefile] to read and write those files, as well as some Office-specific metadata
* [`oletools` Python package][oletools], based on `olefile`, aimed more at dealing with Office-based malware
* [7-Zip][7zip], a file archiver that can extract CFB files
## Detector script
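Review bot: In the new `oletools` bullet, "aimed more at dealing with Office-based malware" does not say what the package does with such files, whereas the `olefile` bullet says "read and write" and the 7-Zip bullet says "extract". Suggest naming the action in the same way, so a reader can tell from the list which tool to reach for. The `[oletools]` label used here is defined in the last hunk, so the link resolves.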
@ -97,16 +98,20 @@ I have observed CFB in use in the following cases:
* Microsoft Office PowerPoint documents (`.ppt`)
* Microsoft Office PowerPoint templates (`.pot`)
* Microsoft Office Access data projects (`.adp`)
* Microsoft Office Access templates (`.mdz`)
* Microsoft Office Access wizard templates (`.mdz`)
* Microsoft Office Outlook messages (`.msg`)
* Microsoft Office Visio diagrams (`.vsd`)
* Microsoft Office Outlook item templates (`.oft`)
* Microsoft Office Visio drawings (`.vsd`)
* Microsoft Office Visio stencils (`.vss`)
* Microsoft Office Visio templates (`.vst`)
* Microsoft Office Publisher documents (`.pub`)
* Microsoft Office Project projects (`.mpp`)
* Microsoft Office Project templates (`.mpt`)
* Microsoft Office FrontPage and Visual Studio 6 user interface preferences (`.prf`)
* Microsoft Photodraw files (`.mix`)
* Microsoft Management Console files (`.msc`)
* Microsoft Photodraw pictures (`.mix`)
* Microsoft Common Console documents / Management Saved Console (`.msc`)
* Microsoft HTML Help cache (`hh.dat`)
* Microsoft Visual Studio Solution User Options (`.suo`)
* Microsoft Works Word Processor documents (`.wps`)
* Microsoft Works Word Processor templates (`.wpt`)
* Microsoft Works Word Processor wizards (`.wwp`)
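Review bot: The `.msc` entry now carries two names joined by a slash, "Microsoft Common Console documents / Management Saved Console", where the other entries in this hunk have a single description followed by the extension. Suggest picking one as the primary name and putting the other in parentheses, or dropping it. Separately, `hh.dat` is a full file name while the surrounding entries are extensions, which may deserve a word where the list is introduced.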
@ -118,9 +123,13 @@ I have observed CFB in use in the following cases:
* Microsoft Works Database wizards (`.wwd`)
* [Microsoft Works Portfolio](./msworks/portfolio.html) (`.wsb`)
* Windows Installer packages (`.msi`)
* Windows Installer merge modules (`.msm`)
* Windows Installer dialogs (`.wid`)
* Windows 7 Sticky Notes (`.snt`)
* SAP Crystal Reports reports (`.rpt`)
[7zip]: https://7-zip.org/
[ms-cfb]: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-cfb/53989ce4-7b05-4f8d-829b-d08d6148375b
[olefile]: https://github.com/decalage2/olefile/
[oletools]: https://github.com/decalage2/oletools/
[wiki]: https://en.wikipedia.org/wiki/Compound_File_Binary_Format
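Review bot: The `.wid` entry, "Windows Installer dialogs", gives no pointer to where the format was seen, and a reader cannot check it from the list alone. The Works Portfolio entry in the same hunk links to a page of its own; a link or a short note on what produces `.wid` files would serve the same purpose here. The reference definitions at the end stay in alphabetical order with `[7zip]` and `[oletools]` included, so nothing to change there.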