extract_msg.structures package

Submodules

extract_msg.structures.business_card module

class extract_msg.structures.business_card.BusinessCardDisplayDefinition(data: bytes)[source]

Bases: object

Data structure for PidLidBusinessCardDisplayDefinition.

Contains information used to contruct a business card for a contact.

property backgroundColor: Tuple[int, int, int]: A tuple of the RGB value of the color of the background.

property fields: List[FieldInfo]: The field info structures.

property imageAlignment: BCImageAlignment

The alignment of the image within the image area.

Ignored if card is text only.

property imageArea: int

An integer that specified the percent of space that the image will occupy on the business card.

Should be between 4 and 50.

property imageSource: BCImageSource: The source of the image.

property majorVersion: int

An 8-bit value that specified the major version number.

Must be 3 or greater.

property minorVersion: int

An 8-bit value that specifies the minor version number.

SHOULD be set to 0.

property templateID: BCTemplateID: The layout of the business card.

toBytes() → bytes[source]

class extract_msg.structures.business_card.FieldInfo(data: bytes | None = None, extraInfo: bytes | None = None)[source]

Bases: object

property fontSize: int

An integer that specifies the font size, in points, of the text field.

MUST be between 3 and 32, or MUST be 0 if the text field is displayed as an empty line.

property labelFontColor: Tuple[int, int, int]

A tuple of the RGB value of the color of the label.

Each channel is a number in range [0, 256).

property labelFormat: BCLabelFormat: The format to use for the label.

property labelText: str | None: The text of the label, if it exists.

property textFormat: BCTextFormat: An enum value representing the formatting to use for the text.

property textPropertyID: int

The property to be used for the text field.

If the value is 0, it represents an empty field.

toBytes(offset: int) → bytes[source]

Converts to bytes using the offset into the ExtraInfo field.

Raises:: ValueError – The offset was out of range.

property valueFontColor: Tuple[int, int, int]

A tuple of the RGB value of the color of the text field.

Each channel is a number in range [0, 256).

extract_msg.structures.cfoas module

class extract_msg.structures.cfoas.ClipboardFormatOrAnsiString(reader: bytes | BytesReader | None = None)[source]

Bases: object

property ansiString: bytes | None

The null-terminated ANSI string, as bytes, of the name of a registered clipboard format. Only set if markerOrLength is not 0x00000000, 0xFFFFFFFE, or 0xFFFFFFFF.

Setting this will modify the markerOrLength field automatically.

property clipboardFormat: ClipboardFormat | None

The clipboard format, if any.

To set this, make sure that :property markerOrLength: is 0xFFFFFFFE or 0xFFFFFFFF before setting.

property markerOrLength: int: If set the 0x00000000, then neither the format property nor the ansiString property will be set. If it is 0xFFFFFFFF or 0xFFFFFFFE, then the clipboardFormat property will be set. Otherwise, the ansiString property will be set.

toBytes() → bytes[source]

extract_msg.structures.contact_link_entry module

class extract_msg.structures.contact_link_entry.ContactLinkEntry(data: bytes)[source]

Bases: object

entries: List[EntryID]

toBytes() → bytes[source]

extract_msg.structures.dev_mode_a module

class extract_msg.structures.dev_mode_a.DevModeA(data: bytes | None = None)[source]

Bases: object

A DEVMODEA structure, as specified in [MS-OLEDS].

For the purposes of parsing from bytes, if something goes wrong this will evaluate to False when converting to bool. If no data is prodided, the fields are set to default values.

PARSE_STRUCT: Final[Struct] = <Struct object>

property collate: int

property color: int

property copies: int

property defaultSource: int

property deviceName: bytes: A 32 byte ANSI string.

property ditherType: int

property driverExtra: int

property driverVersion: int

property duplex: int

property formName: bytes: A 32 byte ANSI string.

property icmIntent: int

property icmMethod: int

property mediaType: int

property nup: int

property orientation: int

property paperLength: int

property paperSize: int

property paperWidth: int

property printQuality: int

property scale: int

property specVersion: int

toBytes() → bytes[source]

property ttOption: int

property yResolution: int

extract_msg.structures.dv_target_device module

class extract_msg.structures.dv_target_device.DVTargetDevice(data: bytes | None)[source]

Bases: object

Specifies information about a device that renders the presentation data.

The creator of this data structure MUST NOT assume that it will be understood during processing.

property deviceName: bytes | None: Optional ANSI string that contains a hunt on how to display or print presentation data.

property driverName: bytes | None: Optional ANSI string that contains a hunt on how to display or print presentation data.

property extDevMode: DevModeA | None: Optional ANSI string that contains a hunt on how to display or print presentation data.

property portName: bytes | None: Optional ANSI string that contains any arbitrary value.

toBytes() → bytes | None[source]

extract_msg.structures.entry_id module

class extract_msg.structures.entry_id.AddressBookEntryID(data: bytes)[source]

Bases: EntryID

An Address Book EntryID structure, as specified in [MS-OXCDATA].

property X5000DN: bytes: The X500 DN of the Address Book object.

property position: int: Used to tell the amount of bytes read in this EntryID. Useful for EntryID data that has been chained together with no separator.

property type: AddressBookType: The type of the object.

property version: int: The version. MUST be 1.

class extract_msg.structures.entry_id.ContactAddressEntryID(data: bytes)[source]

Bases: EntryID

A Contact Address EntryID structure, as defined in [MS-OXCDATA]. Specifies a set of data representing recipients whose information is stored in a Contact object.

property entryID: MessageEntryID: The EntryID contained in this object.

property entryIDCount: int: The size, in bytes, of the EntryID contained in this object.

property index: ContactAddressIndex: The electronic address in the contact information to use.

property position: int: Used to tell the amount of bytes read in this EntryID. Useful for EntryID data that has been chained together with no separator.

class extract_msg.structures.entry_id.EntryID(data: bytes)[source]

Bases: ABC

Base class for all EntryID structures. Use :classmethod autoCreate: to automatically create the correct EntryID structure type from the specified data.

classmethod autoCreate(data: bytes | None) → EntryID | None[source]: Automatically determines the type of EntryID and returns an instance of the correct subclass. If the subclass cannot be determined, will return a plain EntryID instance.

property entryIDType: EntryIDType | bytes: Returns an instance of EntryIDType corresponding to the provider UID of this EntryID. If none is found, returns the bytes.

property flags: bytes: The flags for this Entry ID.

property longTerm: bool: Whether the EntryID is long term or not.

abstract property position: int: Used to tell the amount of bytes read in this EntryID. Useful for EntryID data that has been chained together with no separator.

property providerUID: bytes: The 16 byte UID that identifies the type of Entry ID.

toBytes() → bytes[source]

class extract_msg.structures.entry_id.FolderEntryID(data: bytes)[source]

Bases: EntryID

A Folder EntryID structure, as defined in [MS-OXCDATA].

property databaseGuid: str: A GUID associated with the Store Object and corresponding to the ReplicaID field of the FID structure.

property folderType: MessageType: The type of folder.

property globalCounter: int: An unsigned integer identifying the folder.

property position: int: Used to tell the amount of bytes read in this EntryID. Useful for EntryID data that has been chained together with no separator.

class extract_msg.structures.entry_id.MessageEntryID(data: bytes)[source]

Bases: EntryID

A Message EntryID structure, as defined in [MS-OXCDATA].

property folderDatabaseGuid: str: A GUID associated with the Store object of the folder in which the message resides and corresponding to the ReplicaId field in the folder ID structure.

property folderGlobalCounter: int: An unsigned integer identifying the folder in which the message resides.

property messageDatabaseGuid: str: A GUID associated with the Store object of the message and corresponding to the ReplicaId field of the Message ID structure.

property messageGlobalCounter: int: An unsigned integer identifying the message.

property messageType: MessageType: The Store object type.

property position: int: Used to tell the amount of bytes read in this EntryID. Useful for EntryID data that has been chained together with no separator.

class extract_msg.structures.entry_id.NNTPNewsgroupFolderEntryID(data: bytes)[source]

Bases: EntryID

A NNTP Newsgroup Folder EntryID structure, as defined in [MS-OXCDATA].

property folderType: int: The type of folder. MUST be 0x000C.

property newsgroupName: bytes: The name of the newsgroup, as an ANSI string.

property position: int: Used to tell the amount of bytes read in this EntryID. Useful for EntryID data that has been chained together with no separator.

class extract_msg.structures.entry_id.OneOffRecipient(data: bytes)[source]

Bases: EntryID

A One-Off EntryID structure, as specified in [MS-OXCDATA].

property addressType: str | bytes: The address type for this Recipient.

property areStringUnicode: bool: Whether or not the strings are in UTF-16 format.

property canLookup: bool: Whether the server can lookup the user’s email in the address book.

property displayName: str | bytes: The display name for this Recipient.

property emailAddress: str | bytes: The email address for this Recipient.

property format: OORBodyFormat: The message body format desired for this recipient.

property macintoshEncoding: MacintoshEncoding: The encoding used for Macintosh-specific data attachments.

property messageFormat: MessageFormat: The message format to use for messages sent to this recipient.

property position: int: Used to tell the amount of bytes read in this EntryID. Useful for EntryID data that has been chained together with no separator.

class extract_msg.structures.entry_id.PermanentEntryID(data: bytes)[source]

Bases: EntryID

A Permanent EntryID structure, as defined in [MS-OXNSPI].

property displayTypeString: DisplayType: Returns the display type string value.

property distinguishedName: str: Returns the distinguished name.

property position: int: Used to tell the amount of bytes read in this EntryID. Useful for EntryID data that has been chained together with no separator.

class extract_msg.structures.entry_id.PersonalDistributionListEntryID(data: bytes)[source]

Bases: EntryID

A Personal Distribution List EntryID structure, as defined in [MS-OXCDATA].

property entryID: MessageEntryID: The EntryID contained in this object.

property entryIDCount: int: The size, in bytes, of the EntryID contained in this object.

property position: int: Used to tell the amount of bytes read in this EntryID. Useful for EntryID data that has been chained together with no separator.

class extract_msg.structures.entry_id.StoreObjectEntryID(data: bytes)[source]

Bases: EntryID

A Store Object EntryID structure, as defined in [MS-OXCDATA].

property dllFileName: bytes: Must be set to b’emsmdb.dllx00x00x00x00’.

property flag: int

property mailboxDN: str | None: A string representing the X500 DN of the mailbox, as specified in [MS-OXOAB]. THis field is present only for mailbox databases.

property position: int: Used to tell the amount of bytes read in this EntryID. Useful for EntryID data that has been chained together with no separator.

property serverShortname: bytes: A string of single-byte characters indicating the short name or NetBIOS name of the server.

property version: int

property wrappedProviderUID: bytes

property wrappedType: WrappedType: Determined by where the folder is located.

class extract_msg.structures.entry_id.WrappedEntryID(data: bytes)[source]

Bases: EntryID

A WrappedEntryId structure, as specified in [MS-OXOCNTC].

property embeddedEntryID: EntryID: The embedded EntryID of this object.

property embeddedIsOneOff: bool: Whether the embedded EntryID is a One-Off EntryID.

property position: int: Used to tell the amount of bytes read in this EntryID. Useful for EntryID data that has been chained together with no separator.

property type: int: The type bits of this object.

extract_msg.structures.misc_id module

Miscellaneous ID structures used in MSG files that don’t fit into any of the other ID structure classifications.

class extract_msg.structures.misc_id.FolderID(data: bytes)[source]

Bases: object

A Folder ID structure specified in [MS-OXCDATA].

property globalCounter: int: An unsigned integer identifying the folder within its Store object.

property replicaID: int: An unsigned integer identifying a Store object.

toBytes() → bytes[source]

class extract_msg.structures.misc_id.GlobalObjectID(data: bytes)[source]

Bases: object

A GlobalObjectID structure, as specified in [MS-OXOCAL].

property byteArrayID: bytes: An array of 16 bytes identifying the bytes this BLOB as a Global Object ID.

property creationTime: datetime: The date and time when this Global Object ID was generated.

property data: bytes: An array of bytes that ensures the uniqueness of the Global Object ID amoung all Calendar objects in all mailboxes.

property day: int: The day from the PidLidExceptionReplaceTime property if the object represents an exception. Otherwise, this is 0.

property month: int: The month from the PidLidExceptionReplaceTime property if the object represents an exception. Otherwise, this is 0.

toBytes() → bytes[source]

property year: int: The year from the PidLidExceptionReplaceTime property if the object represents an exception. Otherwise, this is 0.

class extract_msg.structures.misc_id.MessageID(data: bytes)[source]

Bases: object

A Message ID structure, as defined in [MS-OXCDATA].

property globalCounter: int: An unsigned integer identifying the folder within its Store object.

property isFolder: bool: Tells if the object pointed to is actually a folder.

property replicaID: int: An unsigned integer identifying a Store object.

toBytes() → bytes[source]

class extract_msg.structures.misc_id.ServerID(data: bytes)[source]

Bases: object

Class representing a PtypServerId.

property folderID: FolderID: The folder the message will be in.

property instance: int: Instance number that is only used in multivalue properties for searching for a specific ServerID. Will otherwise be 0.

property messageID: MessageID: A MessageID identifying a message in a folder identified by the folderID instance of this object. If the object pointed to is a folder, both properties will be 0.

toBytes() → bytes[source]

extract_msg.structures.mon_stream module

final class extract_msg.structures.mon_stream.MonikerStream(data: bytes | None = None)[source]

Bases: object

property clsid: bytes: The CLSID, as a stream of 16 bytes, of an implementation specific object capable of processing the stream data.

property streamData: bytes: An array of bytes that specifies the reference to the linked object.

toBytes() → bytes[source]

extract_msg.structures.odt module

final class extract_msg.structures.odt.ODTStruct(data: bytes | None = None)[source]

Bases: object

property cf: ODTCf: An enum value that specifies the format this OLE object uses to transmit data to the host application.

property odtPersist1: ODTPersist1: Flags that specify information about the OLE object.

property odtPersist2: ODTPersist2: Flags that specify additional information about the OLE object.

toBytes() → bytes[source]

extract_msg.structures.ole_pres module

class extract_msg.structures.ole_pres.OLEPresentationStream(data: bytes)[source]

Bases: object

[MS-OLEDS] OLEPresentationStream.

property advf: int | ADVF: An implementation specific hint on how to render the presentation data on screen. May be ignored on processing.

property ansiClipboardFormat: ClipboardFormatOrAnsiString

property aspect: int | DVAspect: An implementation specific hint on how to render the presentation data on screen. May be ignored on processing.

property data: bytes: The presentation data. The form of this data depends on :property clipboardFormat: of :property ansiClipboardFormat:.

property height: int: The height, in pixels, of the presentation data.

property lindex: int: An implementation specific hint on how to render the presentation data on screen. May be ignored on processing.

property reserved1: bytes: 4 bytes that can contain any arbitrary data. Must be exactly 4 bytes when setting.

property reserved2: bytes | None

Optional additional data that is only set if the clipboard format of :property ansiClipboardFormat: is CF_METAFILEPICT.

Getting this will automatically correct the value retrieved based on the clipboard format, but will not modify the underlying data.

Must be exactly 18 bytes when setting.

property targetDevice: DVTargetDevice | None

toBytes() → bytes[source]

property tocEntries: List[TOCEntry]

A list of TOCEntry structures. If :property tocSignature: is not set to 0x494E414E, accessing this value will clear the list.

Returns:: A direct reference to the list, allowing for modification. This class WILL NOT change this reference over the lifetime of the object.

property tocSignature: int

If this field does not contain 0x494E414E, then :property tocEntries: MUST be empty. Modifications to the list will be lost when it is next retrieved, meaning changes while this property is not 0x494E414E WILL be lost.

Setting this to a value other than 0x494E414E will clear the list immediately.

property width: int: The width, in pixels, of the presentation data.

extract_msg.structures.ole_stream_struct module

final class extract_msg.structures.ole_stream_struct.OleStreamStruct(data: bytes | None = None)[source]

Bases: object

The OLEStream structure, as specified in [MS-OLEDS].

Specifically, this is only the version that is used for embedded objects. As such, only some of the fields are ever present.

property flags: int

The flags for the OLEStream.

The bit with mask 0x00001000 is an implementation-specific hint supplied by the application or by a higher-level protocol that creates the data structure. It MAY be ignored on processing. A server implementation which does not ignore this bit MAY cache the storage when the bit is set.

Raises:: ValueError – The property was set with a bit other than the implementation specific bit set.

property linkUpdateOption: int

An implementation-specific hint.

This hint MAY be ignored. On Windows, this field contains values from the OLEUPDATE enumeration.

property reservedMonikerStream: MonikerStream | None: A MonikerStream structure that can contain any arbitrary value.

toBytes() → bytes[source]

extract_msg.structures.recurrence_pattern module

class extract_msg.structures.recurrence_pattern.RecurrencePattern(data: bytes)[source]

Bases: object

A RecurrencePattern structure, as specified in [MS-OXOCAL].

property calendarType: RecurCalendarType: The type of calendar that is used.

property deletedInstanceDates: Tuple[int, ...]: A tuple of the dates (stored as number of minutes between midnight, January 1, 1601, and midnight on the specified day in the timezone specified in the calendar object), ordered from earliest to latest, of either a deleted instance or a modified instance for this recurrence.

property endDate: int

An integer that specifies the ending date for the recurrence.

The value is the number of minutes between midnight, January 1, 1601, and midnight of the date of the last occurrence. When the value of the endType field is END_AFTER_N_OCCURRENCES, this value is calculated based on the number of occurrences. If the recurrence does not have an end date, the value of the endDate field MUST be set to 0x5AE980DF.

property endType: RecurEndType: The ending type for the recurrence.

property firstDateTime: int: The first ever dat, week, or month of a recurring series, dating back to a reference date, which is January 1, 1601, for a Gregorian calendar.

property firstDayOfWeek: RecurDOW: The day on which the calendar week begins.

property modifiedInstanceDates: Tuple[int, ...]: A tuple of the dates (stored as number of minutes between midnight, January 1, 1601, and midnight on the specified day in the timezone specified in the calendar object), ordered from earliest to latest, of a modified instance.

property occurrenceCount: int: Number of occurrences for a recurrence that ends after N occurrences.

property patternType: RecurPatternType: The type of recurrence pattern.

property patternTypeSpecific: Any

The specifics for the pattern type.

Return is different depending on what type of pattern is being used.

RecurPatternType.DAY: No value is returned.
RecurPatternType.WEEK: A set of RecurPatternTypeSpecificWeekday bits.
RecurPatternType.MONTH: The day of the month on which the recurrence falls.
RecurPatternType.MONTH_NTH: A tuple containing information from [MS-OXOCAL] PatternTypeSpecific MonthNth.
RecurPatternType.MONTH_END: The day of the month on which the recurrence falls.
RecurPatternType.HJ_MONTH: The day of the month on which the recurrence falls.
RecurPatternType.HJ_MONTH_NTH: A tuple containing information from [MS-OXOCAL] PatternTypeSpecific MonthNth.
RecurPatternType.HJ_MONTH_END: The day of the month on which the recurrence falls.

property period: int

An integer that specifies the interval at which the meeting pattern specified in PatternTypeSpecific field repeats.

The Period value MUST be between 1 and the maximum recurrence interval, which is 999 days for daily recurrences, 99 weeks for weekly recurrences, and 99 months for monthly recurrences.

property readerVersion: int

property recurFrequency: RecurFrequency: The frequency of the recurring series.

property slidingFlag: int

property startDate: int

An integer that specifies the date of the first occurrence.

The value is the number of minutes between midnight, January 1, 1601, and midnight of the date of the first occurrence.

toBytes() → bytes[source]

property writerVersion: int

extract_msg.structures.report_tag module

class extract_msg.structures.report_tag.ReportTag(data: bytes)[source]

Bases: object

A Report Tag structure, as defined in [MS-OXOMSG].

property ansiText: bytes | None

The subject of the original message.

Set to None if not present.

property cookie: bytes

String used for validation.

Set to b'PCDFEB09\'.

property folderEntryID: EntryID | None: The EntryID of the folder than contains the original message.

property messageEntryID: EntryID | None: The EntryID of the original message.

property messageSearchKey: bytes | None: The search key of the original message.

property searchFolderEntryID: EntryID | None: The EntryID of an alternate folder that contains the original message.

property storeEntryID: EntryID | None: The EntryID of the mailbox that contains the original message.

toBytes() → bytes[source]

property version: int

The version used.

If SearchFolderEntryID is present, this MUST be 0x00020001, otherwise it MUST be 0x00010001.

extract_msg.structures.system_time module

class extract_msg.structures.system_time.SystemTime(data: bytes | None = None)[source]

Bases: object

A SYSTEMTIME struct, as defined in [MS-DTYP].

property day: int

property dayOfWeek: int

property hour: int

property milliseconds: int

property minute: int

property month: int

property second: int

toBytes() → bytes[source]: Packs the current data into bytes.

unpack(data: bytes) → None[source]: Fills out the fields of this instance by unpacking the bytes.

property year: int

extract_msg.structures.time_zone_definition module

class extract_msg.structures.time_zone_definition.TimeZoneDefinition(data: bytes | None = None)[source]

Bases: object

Structure for PidLidAppointmentTimeZoneDefinitionRecur from [MS-OXOCAL].

property keyName: str

The name of the associated time zone.

Not localized but instead set to the unique name of the desired time zone.

property majorVersion: int: The major version.

property minorVersion: int: The minor version.

property rules: List[TZRule]: A tuple of TZRule structures that specifies a time zone.

toBytes() → bytes[source]

extract_msg.structures.time_zone_struct module

class extract_msg.structures.time_zone_struct.TimeZoneStruct(data: bytes | None = None)[source]

Bases: object

A TimeZoneStruct, as specified in [MS-OXOCAL].

property bias: int: The time zone’s offset in minutes from UTC.

property daylightBias: int: The offset in minutes from the value of the bias field during daylight saving time.

property daylightDate: SystemTime: The date and local time that indicate when to begin using the value specified in the daylightBias field. Uses the same format as standardDate.

property daylightYear: int: The value of the daylightDate field’s year.

property standardBias: int: The offset in minutes from the value of the bias field during standard time.

property standardDate: SystemTime

The date and local time that indicate when to begin using the value specified in the standardBias field. If the time zone does not support daylight’s savings time, the month member must be 0. If the year is not 0, then it is an absolute date than only occurs once, otherwise it is a relative date that occurs yearly.

See [MS-OXOCAL] for details.

property standardYear: int: The value of the standardDate field’s year.

toBytes() → bytes[source]

extract_msg.structures.toc_entry module

class extract_msg.structures.toc_entry.TOCEntry(reader: bytes | BytesReader | None = None)[source]

Bases: object

property advf: int | ADVF: An implementation specific hint on how to render the presentation data on screen. May be ignored on processing.

property ansiClipboardFormat: ClipboardFormatOrAnsiString

property aspect: int | DVAspect: An implementation specific hint on how to render the presentation data on screen. May be ignored on processing.

property lindex: int: An implementation specific hint on how to render the presentation data on screen. May be ignored on processing.

property targetDevice: DVTargetDevice

toBytes() → bytes[source]

property tymed: int

extract_msg.structures.tz_rule module

final class extract_msg.structures.tz_rule.TZRule(data: bytes | None = None)[source]

Bases: object

A TZRule structure, as defined in [MS-OXOCAL].

property bias: int: The time zone’s offset in minutes from UTC.

property daylightBias: int: The offset in minutes from the value of the bias field during daylight saving time.

property daylightDate: SystemTime: The date and local time that indicate when to begin using the value specified in the daylightBias field. Uses the same format as standardDate.

property flags: TZFlag: The flags for this rule.

property majorVersion: int: The major version.

property minorVersion: int: The minor version.

property standardBias: int: The offset in minutes from the value of the bias field during standard time.

property standardDate: SystemTime

The date and local time that indicate when to begin using the value specified in the standardBias field. If the time zone does not support daylight’s savings time, the month member must be 0. If the year is not 0, then it is an absolute date than only occurs once, otherwise it is a relative date that occurs yearly.

See [MS-OXOCAL] for details.

toBytes() → bytes[source]

property year: int: The year this rule is scheduled to take place. A rule will remain in effect from January 1 of it’s year until January 1 of the next rule’s year field. If no rules exist for subsequent years, this rule will remain in effect indefinately.

Module contents

extract_msg.structures - Submodule to help with parsing data structures in MSG files. Broken up by structure type.