word and excel file decoding


Rabail Naseer

Apr 6, 2021, 7:52:01 AM
to Wazuh mailing list
Hello Wazuh Team,
I am working on file integrity monitoring in Wazuh. When I make any change in a text file, it shows in the log that the file has been changed and also shows the content that has been changed, but for Excel and Word files the changed content is shown in an encoded format. How can we decode it so it is readable to us?

Screenshot_1.png

Miguel Angel Cazajous

Apr 6, 2021, 10:48:23 AM
to Wazuh mailing list
Hi, hope you are doing great!

The reason why you can't see the difference between the older and newer version of the file in a readable format is that they're not text files.
In fact, they're containers that contain a whole structure with several files in XML format.

You can check this for more information.

http://officeopenxml.com/anatomyofOOXML.php

If you try to open any of those files as text, it will show a bunch of unreadable characters, because that is not the way they're supposed to be read.

To check the diff between those files you should decompress those files as zip files, and check the diff between the XML files.

As a quick example you can see your text ("hello") in this XML file, word/document.xml

word/document.xml:<?xml version="1.0" encoding="UTF-8" standalone="yes"?><w:document     xmlns:wpc="http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas"     xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006"     xmlns:o="urn:schemas-microsoft-com:office:office"     xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"     xmlns:m="http://schemas.openxmlformats.org/officeDocument/2006/math"     xmlns:v="urn:schemas-microsoft-com:vml"     xmlns:wp14="http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing"     xmlns:wp="http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing"     xmlns:w10="urn:schemas-microsoft-com:office:word"     xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"     xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml"     xmlns:w15="http://schemas.microsoft.com/office/word/2012/wordml"     xmlns:wpg="http://schemas.microsoft.com/office/word/2010/wordprocessingGroup"     xmlns:wpi="http://schemas.microsoft.com/office/word/2010/wordprocessingInk"     xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main"     xmlns:wne="http://schemas.microsoft.com/office/word/2006/wordml"     xmlns:wps="http://schemas.microsoft.com/office/word/2010/wordprocessingShape"     mc:Ignorable="w14 w15 wp14"><w:body><w:p><w:r><w:t xml:space="preserve">hello</w:t></w:r><w:r></w:r></w:p><w:sectPr><w:footnotePr></w:footnotePr><w:endnotePr></w:endnotePr><w:type w:val="nextPage"/><w:pgSz w:w="12240" w:h="15840" w:orient="portrait"/><w:pgMar w:top="1440" w:right="1440" w:bottom="1440" w:left="1440" w:header="706" w:footer="706" w:gutter="0"/><w:cols w:num="1" w:sep="0" w:space="708" w:equalWidth="1" ></w:cols><w:docGrid w:linePitch="360"/></w:sectPr></w:body></w:document>

But a Microsoft Office file is way more complex than that, and multiple files inside that structure may change between changes.

Regards!
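
The unzip-and-diff approach from the reply above, as an added example that is not part of the original thread or of Wazuh itself: it opens two versions of an OOXML container as zip archives and produces a per-part unified diff of the XML. The helper `make_docx`, the `MAX_PART_BYTES` cap and the two sample documents are constructed for the illustration; in practice you would pass the bytes of the saved old and new copies of the monitored file.

```python
import difflib
import io
import re
import zipfile

MAX_PART_BYTES = 5 * 1024 * 1024  # assumed cap: skip parts that declare a huge size

def read_parts(blob):
    """Return {member name: text} for the XML parts of an OOXML container."""
    parts = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.endswith((".xml", ".rels")):
                continue  # images and other binary parts are not diffed as text
            if info.file_size > MAX_PART_BYTES:
                parts[info.filename] = "<skipped: part too large>"
                continue
            xml = zf.read(info).decode("utf-8", errors="replace")
            # Parts are usually one long line; break between tags so the diff is readable.
            parts[info.filename] = re.sub(r">\s*<", ">\n<", xml)
    return parts

def diff_ooxml(old_blob, new_blob):
    """Return {member name: unified diff lines} for added, removed or changed parts."""
    old, new = read_parts(old_blob), read_parts(new_blob)
    changes = {}
    for name in sorted(set(old) | set(new)):
        a, b = old.get(name, ""), new.get(name, "")
        if a != b:
            changes[name] = list(difflib.unified_diff(
                a.splitlines(), b.splitlines(),
                "old/" + name, "new/" + name, lineterm="", n=1))
    return changes

def make_docx(text):
    """Constructed sample: a minimal docx-like zip with only the parts the demo needs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml",
                    '<w:document><w:body><w:p><w:r><w:t xml:space="preserve">%s</w:t>'
                    "</w:r></w:p></w:body></w:document>" % text)
    return buf.getvalue()

if __name__ == "__main__":
    result = diff_ooxml(make_docx("hello"), make_docx("hello world"))
    for name, lines in result.items():
        print("\n".join(lines))
```
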