Didier Stevens

Monday 22 October 2018

New tool: decompress_rtf.py

Filed under: My Software — Didier Stevens @ 0:00

A reader over at the Internet Storm Center asked how to analyze a particular email file (.msg) with my oledump.py tool. MSG files are ole files, and can be analyzed with oledump. In this particular email, one stream contains compressed RTF.

I quickly wrote a tool to decompress compressed RTF using Python module compressed_rtf, using my binary file Python template.

Template process-binary-file.py is a Python program that reads binary files (normal files, stdin, contained in a ZIP file, …) and comes with various options to process these files. The class cBinaryFile can read a complete or partial file into memory for further processing.

Just a few lines of code of the template need to be added/changed to create this new decompression tool.

First I need to import module compressed_rtf. A single line “import compressed_rtf” would be sufficient, but I’m adding some error handling in case the module is not installed:

    import compressed_rtf
except ImportError:
    print('Module compressed_rtf missing, please install with command: pip install compressed_rtf')

Next, I search for “# —– Put your data processing code here —–” (line 1315 in the current version 0.0.1 of the template):

Lines 1316 and 1317 (starting with oOutput.Line) are just demo lines, to be replaced by this line:

        oOutput.Line(compressed_rtf.decompress(data), eol='')

Variable data contains the complete binary content of the processed file (e.g. the compressed RTF), and a call to method compressed_rtf.decompress will decompress the data. Then I output the result with method Line of object oOutput. I use this method in stead of a print statement, because then I have more control over the output format and destination by using command-line option -o. eol=” directs the Line method not to append a new-line after outputting the decompressed RTF file.

That’s essentially all that needs to be done to create this new tool with my template.

Documentation is also important, so I also updated the description (line 5), date (line 8) and the manual (starting line 67).

And now with this tool, I can decompress compressed RTF streams found inside a .msg file:

decompress_rtf_V0_0_1.zip (https)
MD5: 41127F62897479FB5135D36675C396F5
SHA256: 581F2E1B2B508C3941EC22040FB0C76999E5DF293C8AD0DC1FDE921D121F3A26


  1. […] New tool: decompress_rtf.py […]

    Pingback by Week 43 – 2018 – This Week In 4n6 — Sunday 28 October 2018 @ 3:55

  2. […] New tool: decompress_rtf.py […]

    Pingback by Overview of Content Published in October | Didier Stevens — Friday 2 November 2018 @ 0:00

RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.