- #!/usr/bin/env python
import argparse
import base64
import binascii
import sys
from datetime import datetime, timedelta
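def convertFiletime(value):
    '''
    Decode a Thread-Index / PR_CONVERSATION_INDEX value and print it in human readable form.

    value is the base64 text of the header. The first 22 decoded bytes are
    read as a 6-byte truncated FILETIME followed by a 16-byte GUID; every
    further 5 bytes are read as one child block carrying a time delta.
    Results are printed; nothing is returned.

    Raises ValueError when fewer than 22 bytes decode, because a timestamp
    printed from a truncated header would be misleading.

    NOTE(review): the header is written by the sending client, so treat the
    decoded times as a lead to corroborate, not as proof on their own.
    '''
    raw = base64.b64decode(value)
    if len(raw) < 22:
        raise ValueError("Thread-Index header needs at least 22 bytes, got %d" % len(raw))
    hex_string = binascii.hexlify(raw).decode('ascii')

    # The slice skips the first hex digit, so the value is only unchanged
    # when that digit is 0; the four appended zeros stand for the two low
    # FILETIME bytes that the header does not store.
    ft_value = hex_string[1:12] + '0000'
    guid = hex_string[12:44]
    print("Encoded:\t " + ft_value)
    print(int(ft_value[:8], 16))
    print(int(ft_value[8:], 16))
    # FILETIME counts 100 ns ticks since 1601-01-01; /10 gives microseconds.
    time_offset = int(ft_value, 16) / 10.
    filetime = datetime(1601, 1, 1) + timedelta(microseconds=time_offset)
    print("Decoded:\t" + hex_string)
    print("FILETIME:\t" + str(filetime))
    print("GUID:\t\t" + "-".join([guid[:8], guid[8:12], guid[12:16], guid[16:20], guid[20:]]))

    # Everything after the 44 hex digits of the header is child data, taken
    # 10 hex digits (5 bytes) at a time. Only whole blocks are decoded.
    child_blocks = hex_string[44:]
    block_len = 10
    usable = len(child_blocks) - len(child_blocks) % block_len
    for count, start in enumerate(range(0, usable, block_len)):
        child = child_blocks[start:start + block_len]
        binary = bin(int(child, 16))[2:].zfill(40)
        delta_code = binary[:1]
        print("Delta code:\t" + delta_code)
        # The 31-bit delta sits at a different position in the 64-bit tick
        # difference depending on the delta code (MS-OXOMSG): code 0 drops
        # the low 18 bits, code 1 drops the low 23 bits.
        if delta_code == '1':
            time_diff = '0'*10 + binary[1:32] + '0'*23
        else:
            time_diff = '0'*15 + binary[1:32] + '0'*18
        c_time_offset = int(time_diff, 2) / 10.
        # NOTE(review): each delta is added to the previous child's time;
        # confirm that matches the client that wrote the header.
        filetime = filetime + timedelta(microseconds=c_time_offset)
        print("\tChild Message[" + str(count + 1) + "]: " + str(filetime))
    if usable < len(child_blocks):
        # A partial block cannot hold a full delta; show it instead of
        # turning it into a timestamp.
        print("Trailing data:\t" + child_blocks[usable:] + " (incomplete child block, not decoded)")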
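def main():
    '''
    Parse the command line and decode the Thread-Index value given on it.
    '''
    parser = argparse.ArgumentParser()
    parser.add_argument("value", nargs=1, help='Thread-Index value')
    args = parser.parse_args()
    # nargs=1 yields a one-element list; pass the element itself rather
    # than the list's repr, which only decoded because the base64 decoder
    # skipped the surrounding brackets and quotes.
    value = args.value[0]
    convertFiletime(value)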
# Run the decoder only when this file is executed as a script, not on import.
if __name__ == "__main__":
    main()