Creating Custom Patterns

Top  Previous  Next

You may create your own patterns yourself.

An example of a commented pattern parsing an AVI file.

The syntax of pattern description is similar to that of the XML language. The folder where the files should be placed is specified on the Main tab of the Settings dialog box.

Pattern structure

Pattern header

Each pattern starts with a standard header

<?xml version="1.0" encoding="utf-8"?>

Section template

Each pattern starts with a section giving to the pattern a name that will be shown in the parsed data pane.

Attributes:

name 

Specifies the pattern name shown in the parsed data pane

Example:

<template name="AVI File LIST">

........

</template>

Section signature

Attributes:

align <positive integer> 

Specifies if the data structure address is aligned (i.g., by  a sector: 512)

This section contains elements field with hex-codes of the signature. The attribute offset  specifies their offset from the start of the record. Field length is equal to the number of hex-codes.

Example:

<signature align="1">

<field offset="0">46 49</field>

<field offset="2">4c 45</field>

</signature>

Section section

Such sections contain all expressions and operations needed for the pattern to parse the data. A section name is shown in the parsed data pane. In fact, sections are virtual objects used to group logically connected fields. Sections can be nested.

The main section is not shown in the parsed data pane.

Section contain elements field which are actual data objects. field names are shown in the parsed data pane with their values.

Attributes:

name 

Specifies the pattern name shown in the parsed data pane

Example:

<section name="JUNK">

 ....

</section>

List of All Objects in Patterns

Data types (in field)

integer

Sub-types:

int8

int16

int32

int64

uint8

uint16

uint32

uint64

uintX

Attributes:

endian: (be | le | system) 

Optional.  Default: system.

base: (decimal | hex | octal) 

Optional. Specifies data representation. Default: decimal.

as-offset: <expression> 

Optional. Specifies that this field is an offset and its value should be evaluated using the expression. A special variable this returns the value of  this field.

purpose: (offset | rsector |sector | cluster | rcluster) 

Optional. Specifies the type of the as-offset expression result . If this attribute is present, the attribute  is necessary if the offset value should differ from the value of this field (variable this ).

rsector and rcluster  are offsets relative to the absolute position of the pattern beginning.

assigned-template: <TemplateName> 

Specifies the pattern name linked with this field. Ignored if the as-offset or purpose attributes are not specified.

var: <Name> 

Optional. Specifies the name under which the value of this field can be accessed in expressions.

 

binary

Attributes:

display-encoding: (hex | binary) 

Optional. Default: hex.

size: <bytes> 

Mandatory.

 

char

Attributes:

size: <bytes> 

Mandatory.

codepage: (ansi | oem | utf8 | utf16)

Optional. Specifies which codepage is used. Default: ansi.

 

filetime

Shows time in the Win32 format (64 bits)

 

unixtime

Shows time in the Unix format (seconds from 01/01/1970)

 

filetime

Shows time in the DOS format (date: hiword, time: loword)

 

bits

Attributes:

size: <bytes> 

Mandatory.

pos: <comma separated list of bit positions> 

Mandatory. Specifies bit positions in a data block.

Commands

goto

Specifies a jump to a specified offset (either absolute or relative one)

Attributes:

address: <expression> 

Specifies an absolute address to jump to.

offset: <expression> 

Specifies a relative offset to jump by.

One and only one of the attributes should always be specified.

 

if

Evaluates a condition specified in the test attribute and, if the condition is true, reads fields specified in this tag.

Attribute:

test: <expression> 

Sets a condition to test against.

 

repeat

Reads the fields specified in the tag until the exit condition is equal to 0 or specified times

Attributes:

count: <expression> 

<expression> is evaluated one time upon entering the block. Internal elements are read the specified number of times.

test: <expression> 

<expression> is evaluated upon entering the block. Similar to the C++ construction while(...) {}.

test: <expression>

<expression> is evaluated upon exiting the block. Similar to the C++ construction do {} while(...).

 

setvar

Sets the value of an internal variable. As an example, this command is convenient to store the current offset. The value of the current offset is stored in a predefined variable offset.

Attributes:

var: <string> 

Specifies the name of the variable.

expr: <expression> 

Specifies an expression which result will be assigned to the variable.

Expressions

Expressions in the patterns are arithmetic expressions which syntax is similar to that of the C language, including operation preceding.

The following operations are supported:

+ - * / & | > < <= >= != == || &&

Predefined variables

offset

An offset in bytes from the pattern beginning data is currently read at.

 

start_position

An absolute position of the pattern beginning. offset + start_position = absolute offset.

 

this

This variable exists only within the context of the ass-offset expression evaluation and is the current value of the data field for which that expression is specified