Some Notes SOPHOS File Structure

SOPHOS uses a number of files using proprietary format on completing its tasks (e.g. *.vdb, *.dat, *.ide, etc). Viewing and updates upon these files, is certainly should be done through SOPHOS application user interfaces.

However, some basic understanding about the structure of these files will also be helpful in anyway for using the SOPHOS application efficiently.

One of the essential task in examining the file is to figure out the location and size, which can be use to traverse each record precisely.

I will use one of SOPHOS file (vdl.dat) as an illustration of how to complete the above task.

Here is the partial portion of vdl.dat file:

sp01

The red box denotes header information, with SOPH as its signature bytes. As you can see, it has 0x18 as its size.

Immediately followed after the header info, is the TOC record:

sp02

TOC has 0x1C size, and offset 0x04 to 0x07, which is 0x00000224 is the size of this record, including the header length of 0x1C. TOC usually contains PLIST, SLIST and each items for SLIST record.

PLIST, whose purpose is currently not clearly defined, other than occupying a space of 0x10 🙂 is usually followed by SLIST:

sp03

As usual, offset 0x04 to 0x07 (0x00000208) is the size of SLIST, and there are new property at offset 0x08 to 0x0B (0x0000000C) which is the record count of SLIST items.

After the SLIST, comes the item records, and in this example is geninfo record:

sp04

Offset 0x08 to 0x0B (0x00000044) is size (excluding header of 0x10), 0x0C to 0x0F (0x0000023C) is the offset location of detail record inside the file.

Here is the stream at offset 0x23C (geninfo):

sp05

Including header, it has 0x54 as its size.

Using the above information, you can perform manual traversing the records of interest, or creates a small application to perform raw low level dump for each records.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


%d bloggers like this: