template "SHD spool shadow file"
// Costas Katsavounidis - 2021 v1.0
// kacos2000 [at] gmail.com
// https://github.com/kacos2000
// To be applied on byte 0 of a .SHD spool shadow file
//
// Purpose: WinHex/X-Ways template that decodes the header of a Windows print
// spooler shadow (.SHD) file: job id, priority, submission timestamp, size and
// page count of the companion .SPL file, and the user / notify / document /
// printer / driver name strings that the header points to.
//
// Layout: the first 4 bytes are a signature that selects one of five header
// variants (Windows 10, 98, NT, 2000/XP, 2003). Each variant stores a table of
// uint32 offsets; the "Metadata" section later jumps to those offsets.
//
// NOTE(review): every offset and every derived string length comes from the
// file under examination and is used without a range check. On a truncated,
// carved or deliberately malformed .SHD the decoded strings may be garbage;
// confirm the offsets are smaller than the file size before relying on them.
description "Windows - SHD spool shadow file"
applies_to file
// read-only: the template is declared for viewing only.
read-only
// Reference: https://www.codeproject.com/Articles/9720/The-Windows-NT-print-spool-shadow-file-format
// Reference: http://www.undocprint.org/winspool/spool_files
// SPL file viewer: http://www.lvbprint.de/html/splviewer1.html
begin
section "SHD - Microsoft Windows Spool Shadow File"
// Read the 4 signature bytes into "Signature", then step back 4 bytes so the
// matching branch below can show the same bytes again under an OS label.
hex 4 "Signature"
move -4
// --- Variant 1: signature 0x23510000 (labelled Windows 10) ---
// NOTE(review): five ifEqual/else levels are opened below but only one endIf
// closes them; confirm the template interpreter accepts this chaining.
// NOTE(review): no branch handles an unknown signature. In that case none of
// the *_offset variables is defined before the goto commands further down.
ifEqual Signature 0x23510000
// Signature bytes shown as a big-endian uint32, i.e. in on-disk byte order.
big-endian hexadecimal uint32 "=> Windows 10"
uint32 "Header Size (bytes)"
hexadecimal uint16 "Status Flags (hex)"
move 2 // unknown
uint32 "Print Job ID"
uint32 "Priority (99 highest)" // values: 1-99
// offsets
// In this variant 4 bytes are skipped before each offset, so the uint32 values
// sit 8 bytes apart. Presumably the fields are 64-bit and only part of each is
// read here -- TODO confirm against the references above.
move 4
uint32 "Username_offset"
move 4
uint32 "NotifyName_offset"
move 4
uint32 "DocumentName_offset"
move 4
uint32 "PrinterPort_offset"
move 4
uint32 "PrinterName_offset"
move 4
uint32 "DriverName_offset"
move 4
uint32 "DevMode_offset"
move 4
uint32 "PrintProcessorName_offset"
move 4
uint32 "DataType_offset"
// Skip 12 bytes to reach the timestamp fields read after the endIf.
move 12
else
// --- Variant 2: signature 0x4B490000 (labelled Windows 98) ---
// No "Header Size" field is read in this variant; offsets are consecutive uint32s.
ifEqual Signature 0x4B490000
big-endian hexadecimal uint32 "=> Windows 98"
hexadecimal uint16 "Status Flags (hex)"
move 2 // unknown
uint32 "Print Job ID"
uint32 "Priority (99 highest)" // values: 1-99
// offsets
uint32 "Username_offset"
uint32 "NotifyName_offset"
uint32 "DocumentName_offset"
uint32 "PrinterPort_offset"
uint32 "PrinterName_offset"
uint32 "DriverName_offset"
uint32 "DevMode_offset"
uint32 "PrintProcessorName_offset"
uint32 "DataType_offset"
// Skip 4 bytes to reach the timestamp fields read after the endIf.
move 4
else
// --- Variant 3: signature 0x66490000 (labelled Windows NT) ---
// Same field sequence as the Windows 98 variant (no "Header Size").
ifEqual Signature 0x66490000
big-endian hexadecimal uint32 "=> Windows NT"
hexadecimal uint16 "Status Flags (hex)"
move 2 // unknown
uint32 "Print Job ID"
uint32 "Priority (99 highest)" // values: 1-99
// offsets
uint32 "Username_offset"
uint32 "NotifyName_offset"
uint32 "DocumentName_offset"
uint32 "PrinterPort_offset"
uint32 "PrinterName_offset"
uint32 "DriverName_offset"
uint32 "DevMode_offset"
uint32 "PrintProcessorName_offset"
uint32 "DataType_offset"
move 4
else
// --- Variant 4: signature 0x67490000 (labelled Win2000/XP) ---
// Adds a "Header Size" uint32 directly after the signature.
ifEqual Signature 0x67490000
big-endian hexadecimal uint32 "=> Win2000/XP"
uint32 "Header Size (bytes)"
hexadecimal uint16 "Status Flags (hex)"
move 2 // unknown
uint32 "Print Job ID"
uint32 "Priority (99 highest)" // values: 1-99
// offsets
uint32 "Username_offset"
uint32 "NotifyName_offset"
uint32 "DocumentName_offset"
uint32 "PrinterPort_offset"
uint32 "PrinterName_offset"
uint32 "DriverName_offset"
uint32 "DevMode_offset"
uint32 "PrintProcessorName_offset"
uint32 "DataType_offset"
move 4
else
// --- Variant 5: signature 0x68490000 (labelled Windows 2003) ---
// Same field sequence as the Win2000/XP variant.
ifEqual Signature 0x68490000
big-endian hexadecimal uint32 "=> Windows 2003"
uint32 "Header Size (bytes)"
hexadecimal uint16 "Status Flags (hex)"
move 2 // unknown
uint32 "Print Job ID"
uint32 "Priority (99 highest)" // values: 1-99
// offsets
uint32 "Username_offset"
uint32 "NotifyName_offset"
uint32 "DocumentName_offset"
uint32 "PrinterPort_offset"
uint32 "PrinterName_offset"
uint32 "DriverName_offset"
uint32 "DevMode_offset"
uint32 "PrintProcessorName_offset"
uint32 "DataType_offset"
move 4
endIf
// Timestamp common to all variants: eight consecutive uint16 fields in the
// same order as a Win32 SYSTEMTIME structure. The hour label marks it as UTC.
uint16 "Year"
uint16 "Month"
uint16 "Day of Week"
uint16 "Day"
uint16 "Hour (UTC)"
uint16 "Minute"
uint16 "Second"
uint16 "Millisecond"
// Skip 8 bytes that are not decoded, then read the .SPL size and page count.
move 8
uint32 "SPL FileSize (bytes)"
uint32 "SPL PageCount"
// Jump to the data-type string using the offset read from the header.
// The length is fixed at 6 UTF-16 characters rather than derived from an offset.
// NOTE(review): the jump target is file-supplied and not bounds-checked.
goto DataType_offset
string16 6 "SPL Data type"
endSection
// Metadata strings. Each string is read only when its offset is non-zero, and
// its length is taken as the distance to the next offset used below. This
// assumes the strings are stored back to back in this order -- TODO confirm.
// NOTE(review): if the "next" offset is 0 or smaller than the current one, the
// computed length is negative or meaningless; nothing here guards against it.
// NOTE(review): the differences are byte distances, while string16 presumably
// counts 16-bit characters -- confirm whether the length should be halved.
section "Metadata"
ifGreater "Username_offset" 0
goto "Username_offset"
string16 (NotifyName_offset-Username_offset) "Username"
endIf
ifGreater "NotifyName_offset" 0
goto "NotifyName_offset"
string16 (DocumentName_offset-NotifyName_offset) "Notifyname"
endIf
// Length runs up to PrinterName_offset; PrinterPort_offset is read in the
// header but not used here, so a port string stored in between would be
// included in "Document Name" -- verify against sample files.
ifGreater "DocumentName_offset" 0
goto "DocumentName_offset"
string16 (PrinterName_offset-DocumentName_offset) "Document Name"
endIf
ifGreater "PrinterName_offset" 0
goto "PrinterName_offset"
string16 (DriverName_offset-PrinterName_offset) "Printer Name"
endIf
// Length runs up to PrintProcessorName_offset; DevMode_offset is read in the
// header but not used here, so DEVMODE data stored in between would be
// included in "Driver Name" -- verify against sample files.
ifGreater "DriverName_offset" 0
goto "DriverName_offset"
string16 (PrintProcessorName_offset-DriverName_offset) "Driver Name"
endIf
endSection
end