Creating Custom Patterns
You may create your own patterns. An example of a commented pattern parsing an AVI file.
The syntax of pattern description is similar to that of the XML language. The folder where the files should be placed is specified on the Main tab of the Settings dialog box.
Pattern structure
Pattern header
Each pattern starts with a standard header:
<?xml version="1.0" encoding="utf-8"?>
Section template
Each pattern starts with a section that gives the pattern a name, which will be shown in the parsed data pane.
Attributes:
Example:
<template name="AVI File LIST"> ........ </template>
Section signature
Attributes:
This section contains field elements holding the hex codes of the signature. The offset attribute specifies their offset from the start of the record. The field length is equal to the number of hex codes.
Example:
<signature align="1">
  <field offset="0">46 49</field>
  <field offset="2">4c 45</field>
</signature>
Section section
Such sections contain all expressions and operations needed for the pattern to parse the data. A section name is shown in the parsed data pane. In fact, sections are virtual objects used to group logically connected fields. Sections can be nested. The main section is not shown in the parsed data pane. Sections contain field elements, which are the actual data objects. Field names are shown in the parsed data pane with their values.
Attributes:
Example:
<section name="JUNK"> .... </section>
List of All Objects in Patterns
Data types (in field)
Sub-types: int8 int16 int32 int64 uint8 uint16 uint32 uint64 uintX
Attributes:
Attributes:
Attributes:
Shows time in the Win32 format (64 bits)
Shows time in the Unix format (seconds from 01/01/1970)
Shows time in the DOS format (date: hiword, time: loword)
Attributes:
Commands
Specifies a jump to a specified offset (either absolute or relative).
Attributes:
One and only one of the attributes should always be specified.
Evaluates the condition specified in the test attribute and, if the condition is true, reads the fields specified in this tag.
Attribute:
Reads the fields specified in the tag until the exit condition is equal to 0, or a specified number of times.
Attributes:
Sets the value of an internal variable. For example, this command is convenient for storing the current offset. The value of the current offset is stored in the predefined variable offset.
Attributes:
Expressions
Expressions in the patterns are arithmetic expressions whose syntax is similar to that of the C language, including operator precedence. The following operations are supported:
+ - * / & | > < <= >= != == || &&
Predefined variables
The offset in bytes, from the pattern beginning, at which data is currently being read.
The absolute position of the pattern beginning. offset + start_position = absolute offset.
This variable exists only within the context of the ass-offset expression evaluation and is the current value of the data field for which that expression is specified.
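The signature section described above can be checked against raw data as follows. This is an added Python example, not code from the product's documentation or the product itself. It assumes that field offsets are decimal and that align is the step between candidate record starts (the page does not define align); the function names and the sample buffer are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Signature section copied from the page's example (the bytes spell "FILE").
SIGNATURE_XML = """<signature align="1">
  <field offset="0">46 49</field>
  <field offset="2">4c 45</field>
</signature>"""


def parse_signature(xml_text):
    """Return (align, [(offset, bytes), ...]) for a <signature> section."""
    root = ET.fromstring(xml_text)
    if root.tag != "signature":
        raise ValueError("expected a <signature> element")
    align = int(root.get("align", "1"))
    if align < 1:
        raise ValueError("align must be positive")
    fields = []
    for field in root.findall("field"):
        offset = int(field.get("offset", ""))  # assumption: decimal offsets
        # Field length equals the number of hex codes, as the page states.
        codes = bytes.fromhex("".join((field.text or "").split()))
        if offset < 0 or not codes:
            raise ValueError("field needs a non-negative offset and hex codes")
        fields.append((offset, codes))
    if not fields:
        raise ValueError("signature has no fields")
    return align, fields


def matches_at(data, start, fields):
    """True if every field's bytes appear at start + offset within data."""
    for offset, codes in fields:
        pos = start + offset
        # A field that runs past the end of the buffer yields a short slice
        # and therefore never matches.
        if data[pos:pos + len(codes)] != codes:
            return False
    return True


def find_records(data, xml_text):
    """Return every candidate record start where the whole signature matches."""
    align, fields = parse_signature(xml_text)
    # Assumption: align is the step between candidate record starts.
    return [s for s in range(0, len(data), align) if matches_at(data, s, fields)]


# Constructed sample: two "FILE" records and a truncated "FIL" at the end.
SAMPLE = b"FILE0" + b"\x00" * 11 + b"FILE" + b"\xff" * 4 + b"FIL"
```

On the constructed sample, the truncated signature at the end of the buffer is rejected because its second field cannot be read in full.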