OLENativeStream structure doesn't match the documentation

Question

Hi all.

The documentation for OLENativeStream says that it's just a 4 byte header and then the data:

http://msdn.microsoft.com/en-us/library/dd942447(v=PROT.10).aspx

However this is not what we see at all.  What we seem to be seeing:

• 2 bytes - some kind of header (always 02 00)
• variable - a null-terminated string label
• variable - a null-terminated string filename
• 2 bytes - unknown (always 00 00)
• variable unknown structure of some sort (have seen 03 00 and 01 00 00 00 and 00 00 00 00 00 00)

Questions:

1. Is this an older format?
2. Is this documented somewhere?
3. How do I distinguish files in this format from files in the simpler 4-byte header format?

 

Answer 1

Hi,
Thank you for your inquiry regarding MS-OLEDS. One of our engineers will follow-up with you shortly.

Regards,
Edgar

Answer 2

Hi Just Some Developer,

I'll be looking into this for you and will get back to you as soon as I have something.

Best regards,
Tom Jebo
Escalation Engineer
Microsoft Open Specifications

Answer 3

Hi Just Some Developer,

Can you please send the sample compound file in which you observe the discrepancy to me?  Just send it to dochelp at microsoft dot com, referencing the URL for this thread and my name.

Best regards,
Tom Jebo
Escalation Engineer
Microsoft Open Specifications

Answer 4

I'm not sure I can do it but I'm asking the source of the file to see if we can.  In the meantime, here's a hex dump of the relevant streams, from ObjectPool\_1149058240.  I have X'ed out all the bits which could leak information about the file contents.

\001CompObj

00000000  01 00 fe ff 03 0a 00 00  ff ff ff ff 0c 00 03 00  |................|
00000010  00 00 00 00 c0 00 00 00  00 00 00 46 08 00 00 00  |...........F....|
00000020  50 61 63 6b 61 67 65 00  08 00 00 00 50 61 63 6b  |Package.....Pack|
00000030  61 67 65 00 08 00 00 00  50 61 63 6b 61 67 65 00  |age.....Package.|
00000040  f4 39 b2 71 00 00 00 00  00 00 00 00 00 00 00 00  |.9.q............|
00000050

\001Ole

00000000  01 00 00 02 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000010  00 00 00 00                                       |....|
00000014

\001Ole10Native (truncated, just included the OLE2 header so you can see where the embedded file starts)

00000000  a3 ce 00 00 02 00 58 78  78 78 78 78 78 78 20 58  |......Xxxxxxxx X|
00000010  78 78 78 78 78 78 78 20  58 78 20 20 58 58 58 58  |xxxxxxx Xx  XXXX|
00000020  2d 58 58 58 20 28 58 78  78 78 78 78 78 20 58 78  |-XXX (Xxxxxxx Xx|
00000030  78 78 78 29 2e 6d 73 67  00 43 3a 5c 44 4f 43 55  |xxx).msg.C:\DOCU|
00000040  4d 45 7e 31 5c 58 58 58  58 58 58 7e 31 5c 4c 4f  |ME~1\XXXXXX~1\LO|
00000050  43 41 4c 53 7e 31 5c 54  65 6d 70 5c 58 58 58 58  |CALS~1\Temp\XXXX|
00000060  58 58 7e 31 2e 4d 53 47  00 00 00 03 00 30 00 00  |XX~1.MSG.....0..|
00000070  00 43 3a 5c 44 4f 43 55  4d 45 7e 31 5c 58 58 58  |.C:\DOCUME~1\XXX|
00000080  58 58 58 7e 31 5c 4c 4f  43 41 4c 53 7e 31 5c 54  |XXX~1\LOCALS~1\T|
00000090  65 6d 70 5c 58 58 58 58  58 58 7e 31 2e 4d 53 47  |emp\XXXXXX~1.MSG|
000000a0  00 00 ce 00 00 d0 cf 11  e0 a1 b1 1a e1           |.............|
000000ad

\003ObjInfo

00000000  40 00 03 00                                       |@...|
00000004

Answer 5

Thanks.  It would be best if you could send the files to me. 

Tom

Answer 6

Hi Tom,

My colleague is on leave now, but is there a private address I can send the sample data to?

 

Cheers,

Luke 

Answer 7

Hi Tom,

Can you provide an email address we can send it to?  I don't see anyway I can attach a file here on my reply.

Cheers

 

 

Answer 8

Just send an email to dochelp at microsoft dot com, and I'll reply from my own email address.  Then you can send me the files directly.

Best regards,
Tom Jebo
Escalation Engineer
Microsoft Open Specifications

Answer 9

I reviewed the streams and structures again. 

The Ole stream under \Root Entry\ObjectPool\_1149058240 tells us that this is an embedded object because Flags == 0.

The ObjInfo stream's ODT struct only tells us that the object in \Root Entry\ObjectPool\_1149058240 is represented by an icon (ODTPersist1's G bit) and that the embedded object's server communicates with this host container app via metafile data (for presentation).

The CompObj stream (also under \Root Entry\ObjectPool\_1149058240), tell us that the clipboard format for this object is "Package":

1040h: 01 00 FE FF 03 0A 00 00 FF FF FF FF 0C 00 03 00  ..þÿ....ÿÿÿÿ....
1050h: 00 00 00 00 C0 00 00 00 00 00 00 46 08 00 00 00  ....À......F....
1060h: 50 61 63 6B 61 67 65 00 08 00 00 00 50 61 63 6B  Package.....Pack
1070h: 61 67 65 00 08 00 00 00 50 61 63 6B 61 67 65 00  age.....Package.
1080h: F4 39 B2 71 00 00 00 00 00 00 00 00 00 00 00 00  ô9²q............

This means that the data in the OleNative stream following the 4-byte size is written by "Package".    This is the Packager object server, a legacy of OLE1 days, which is designed as a generic OLE embedding server for inserting files that don't have their own associated OLE servers.  It's what happens if you select Insert | Object... in Word and then select "From File..." and point to a file that doesn't belong an OLE embedding server application.  The Packager format is not documented well, if at all, and is not part of the Open Specification documentation set.  However, it's basically two bytes (usually 0x0002) followed by the file's name, followed by the file's path, followed by the contents of the file. 

I think that would be all you'd need to know to parse the OleNative stream when encountering this kind of embedding.  Let me know if this makes sense and if I've addressed your question accurately.

Tom