Mirror/CyberChef
1
0
Fork 0
mirror of https://github.com/gchq/CyberChef.git synced 2024-11-02 14:11:02 +01:00
Code Issues Packages Projects Releases Wiki Activity

Added support for many more file types to file signature operations

Browse Source
This commit is contained in:
n1474335 2019-10-01 16:54:19 +01:00
parent 3d086beed2
commit 22028b074a
2 changed files with 600 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

605
src/core/lib/FileSignatures.mjs
View File

@ -241,6 +241,28 @@ export const FILE_SIGNATURES = {
],
extractor: null
},
{
name: "The GIMP image",
extension: "xcf",
mime: "image/x-xcf",
description: "",
signature: {
0: 0x67, // gimp xcf
1: 0x69,
2: 0x6d,
3: 0x70,
4: 0x20,
5: 0x78,
6: 0x63,
7: 0x66,
8: 0x20,
9: [0x66, 0x76],
10: [0x69, 0x30],
11: [0x6c, 0x30],
12: [0x65, 0x31, 0x32, 0x33]
},
extractor: null
},
{
name: "Icon image",
extension: "ico",
@ -363,10 +385,40 @@ export const FILE_SIGNATURES = {
3: 0x00
},
extractor: null
},
{
name: "Joint Photographic Experts Group image (under Base64)",
extension: "B64",
mime: "application/octet-stream",
description: "",
signature: {
0: 0x2f,
1: 0x39,
2: 0x6a,
3: 0x2f,
4: 0x34
},
extractor: null
},
{
name: "Portable Network Graphics image (under Base64)",
extension: "B64",
mime: "application/octet-stream",
description: "",
signature: {
0: 0x69,
1: 0x56,
2: 0x42,
3: 0x4f,
4: 0x52,
5: 0x77,
6: 0x30
},
extractor: null
}
],
"Video": [
{ // Place before webm
{
name: "Matroska Multimedia Container",
extension: "mkv",
mime: "video/x-matroska",
@ -392,7 +444,28 @@ export const FILE_SIGNATURES = {
0: 0x1a,
1: 0x45,
2: 0xdf,
3: 0xa3
3: 0xa3,
4: 0x01,
5: 0x00,
6: 0x00,
7: 0x00
},
extractor: null
},
{ // Place before MPEG-4
name: "Flash MP4 video",
extension: "f4v",
mime: "video/mp4",
description: "",
signature: {
4: 0x66,
5: 0x74,
6: 0x79,
7: 0x70,
8: [0x66, 0x46],
9: 0x34,
10: [0x76, 0x56],
11: 0x20
},
extractor: null
},
@ -766,6 +839,41 @@ export const FILE_SIGNATURES = {
},
extractor: extractPDF
},
{
name: "Portable Document Format (under Base64)",
extension: "B64",
mime: "application/octet-stream",
description: "",
signature: {
0: 0x41,
1: 0x4a,
2: 0x56,
3: 0x42,
4: 0x45,
5: 0x52,
6: 0x69
},
extractor: null
},
{ // Place before PostScript
name: "Adobe PostScript",
extension: "ps,eps,ai,pfa",
mime: "application/postscript",
description: "",
signature: {
0: 0x25,
1: 0x21,
2: 0x50,
3: 0x53,
4: 0x2d,
5: 0x41,
6: 0x64,
7: 0x6f,
8: 0x62,
9: 0x65
},
extractor: null
},
{
name: "PostScript",
extension: "ps",
@ -792,7 +900,7 @@ export const FILE_SIGNATURES = {
extractor: extractRTF
},
{
name: "Microsoft Office documents/OLE2",
name: "Microsoft Office document/OLE2",
extension: "ole2,doc,xls,dot,ppt,xla,ppa,pps,pot,msi,sdw,db,vsd,msg",
mime: "application/msword,application/vnd.ms-excel,application/vnd.ms-powerpoint",
description: "Microsoft Office documents",
@ -809,7 +917,24 @@ export const FILE_SIGNATURES = {
extractor: null
},
{
name: "Microsoft Office 2007+ documents",
name: "Microsoft Office document/OLE2 (under Base64)",
extension: "B64",
mime: "application/octet-stream",
description: "",
signature: {
0: 0x30,
1: 0x4d,
2: 0x38,
3: 0x52,
4: 0x34,
5: 0x4b,
6: 0x47,
7: 0x78
},
extractor: null
},
{
name: "Microsoft Office 2007+ document",
extension: "docx,xlsx,pptx",
mime: "application/vnd.openxmlformats-officedocument.wordprocessingml.document,application/vnd.openxmlformats-officedocument.spreadsheetml.sheet,application/vnd.openxmlformats-officedocument.presentationml.presentation",
description: "",
@ -828,6 +953,131 @@ export const FILE_SIGNATURES = {
},
extractor: extractZIP
},
{
name: "Microsoft Access database",
extension: "mdb,mda,mde,mdt,fdb,psa",
mime: "application/msaccess",
description: "",
signature: {
0: 0x00,
1: 0x01,
2: 0x00,
3: 0x00,
4: 0x53, // Standard Jet
5: 0x74,
6: 0x61,
7: 0x6e,
8: 0x64,
9: 0x61,
10: 0x72,
11: 0x64,
12: 0x20,
13: 0x4a,
14: 0x65,
15: 0x74
},
extractor: null
},
{
name: "Microsoft Access 2007+ database",
extension: "accdb,accde,accda,accdu",
mime: "application/msaccess",
description: "",
signature: {
0: 0x00,
1: 0x01,
2: 0x00,
3: 0x00,
4: 0x53, // Standard ACE DB
5: 0x74,
6: 0x61,
7: 0x6e,
8: 0x64,
9: 0x61,
10: 0x72,
11: 0x64,
12: 0x20,
13: 0x41,
14: 0x43,
15: 0x45,
16: 0x20
},
extractor: null
},
{
name: "Microsoft OneNote document",
extension: "one",
mime: "application/onenote",
description: "",
signature: {
0: 0xe4,
1: 0x52,
2: 0x5c,
3: 0x7b,
4: 0x8c,
5: 0xd8,
6: 0xa7,
7: 0x4d,
8: 0xae,
9: 0xb1,
10: 0x53,
11: 0x78,
12: 0xd0,
13: 0x29,
14: 0x96,
15: 0xd3
},
extractor: null
},
{
name: "Outlook Express database",
extension: "dbx",
mime: "application/octet-stream",
description: "",
signature: {
0: 0xcf,
1: 0xad,
2: 0x12,
3: 0xfe,
4: [0x30, 0xc5, 0xc6, 0xc7],
11: 0x11
},
extractor: null
},
{
name: "Personal Storage Table (Outlook)",
extension: "pst,ost,fdb,pab",
mime: "application/octet-stream",
description: "",
signature: {
0: 0x21, // !BDN
1: 0x42,
2: 0x44,
3: 0x4e
},
extractor: null
},
{
name: "Microsoft Exchange Database",
extension: "edb",
mime: "application/octet-stream",
description: "",
signature: {
4: 0xef,
5: 0xcd,
6: 0xab,
7: 0x89,
8: [0x20, 0x23],
9: 0x06,
10: 0x00,
11: 0x00,
12: [0x00, 0x01],
13: 0x00,
14: 0x00,
15: 0x00
},
extractor: null
},
{
name: "EPUB e-book",
extension: "epub",
@ -897,6 +1147,36 @@ export const FILE_SIGNATURES = {
},
extractor: extractELF
},
{
name: "MacOS Mach-O object file",
extension: "dylib",
mime: "application/octet-stream",
description: "",
signature: {
0: 0xca,
1: 0xfe,
2: 0xba,
3: 0xbe,
4: 0x00,
5: 0x00,
6: 0x00,
7: [0x01, 0x02, 0x03]
},
extractor: null
},
{
name: "MacOS Mach-O 64-bit object file",
extension: "dylib",
mime: "application/octet-stream",
description: "",
signature: {
0: 0xcf,
1: 0xfa,
2: 0xed,
3: 0xfe
},
extractor: null
},
{
name: "Adobe Flash",
extension: "swf",
@ -905,7 +1185,7 @@ export const FILE_SIGNATURES = {
signature: {
0: [0x43, 0x46],
1: 0x57,
2: 0x53
2: 0x53,
},
extractor: null
},
@ -967,13 +1247,28 @@ export const FILE_SIGNATURES = {
},
extractor: extractZIP
},
{
name: "PKZIP archive (under Base64)",
extension: "B64",
mime: "application/octet-stream",
description: "",
signature: {
0: 0x55,
1: 0x45,
2: 0x73,
3: 0x44,
4: 0x42,
5: 0x42
},
extractor: null
},
{
name: "TAR archive",
extension: "tar",
mime: "application/x-tar",
description: "",
signature: {
257: 0x75,
257: 0x75, // ustar
258: 0x73,
259: 0x74,
260: 0x61,
@ -1111,7 +1406,45 @@ export const FILE_SIGNATURES = {
signature: {
0: 0x4b,
1: 0x44,
2: 0x4d
2: 0x4d,
3: 0x56,
5: 0x00,
6: 0x00,
7: 0x00
},
extractor: null
},
{
name: "Virtual Hard Drive",
extension: "vhd",
mime: "application/x-vhd",
description: "",
signature: {
0: 0x63, // conectix
1: 0x6f,
2: 0x6e,
3: 0x65,
4: 0x63,
5: 0x74,
6: 0x69,
7: 0x78
},
extractor: null
},
{
name: "Macintosh disk image",
extension: "dmf,dmg",
mime: "application/octet-stream",
description: "",
signature: {
0: 0x78,
1: 0x01,
2: 0x73,
3: 0x0d,
4: 0x62,
5: 0x62,
6: 0x60,
7: 0x60
},
extractor: null
},
@ -1218,7 +1551,37 @@ export const FILE_SIGNATURES = {
9: 0x2d
},
extractor: null
}
},
{
name: "Microsoft Cabinet file",
extension: "cab",
mime: "vnd.ms-cab-compressed",
description: "",
signature: {
0: 0x4d,
1: 0x53,
2: 0x43,
3: 0x46,
4: 0x00,
5: 0x00,
6: 0x00,
7: 0x00
},
extractor: null
},
{
name: "Jar Archive",
extension: "jar",
mime: "application/java-archive",
description: "",
signature: {
0: 0x5f,
1: 0x27,
2: 0xa8,
3: 0x89
},
extractor: null
},
],
"Miscellaneous": [
{
@ -1398,7 +1761,213 @@ export const FILE_SIGNATURES = {
}
],
extractor: null
}
},
{
name: "Cryptocurrency wallet",
extension: "wallet",
mime: "application/octet-stream",
description: "",
signature: {
0: 0x00,
1: 0x00,
2: 0x00,
3: 0x00,
4: 0x01,
5: 0x00,
6: 0x00,
7: 0x00,
8: 0x00,
9: 0x00,
10: 0x00,
11: 0x00,
12: 0x62,
13: 0x31,
14: 0x05,
15: 0x00
},
extractor: null
},
{
name: "Registry fragment",
extension: "hbin",
mime: "application/octet-stream",
description: "",
signature: {
0: 0x68, // hbin
1: 0x62,
2: 0x69,
3: 0x6e,
4: 0x00
},
extractor: null
},
{
name: "Registry script",
extension: "rgs",
mime: "application/octet-stream",
description: "",
signature: {
0: 0x48, // HKCR
1: 0x4b,
2: 0x43,
3: 0x52,
4: 0x0d,
5: 0x0a,
6: 0x5c,
7: 0x7b
},
extractor: null
},
{
name: "WinNT Registry Hive",
extension: "registry",
mime: "application/octet-stream",
description: "",
signature: {
0: 0x72,
1: 0x65,
2: 0x67,
3: 0x66
},
extractor: null
},
{
name: "Windows Event Log",
extension: "evt",
mime: "application/octet-stream",
description: "",
signature: {
0: 0x30,
1: 0x00,
2: 0x00,
3: 0x00,
4: 0x4c,
5: 0x66,
6: 0x4c,
7: 0x65
},
extractor: null
},
{
name: "Windows Event Log",
extension: "evtx",
mime: "application/octet-stream",
description: "",
signature: {
0: 0x45, // ElfFile
1: 0x6c,
2: 0x66,
3: 0x46,
4: 0x69,
5: 0x6c,
6: 0x65
},
extractor: null
},
{
name: "Windows Pagedump",
extension: "dmp",
mime: "application/octet-stream",
description: "",
signature: {
0: 0x50, // PAGEDU(MP|64)
1: 0x41,
2: 0x47,
3: 0x45,
4: 0x44,
5: 0x55,
6: [0x4d, 0x36],
7: [0x50, 0x34]
},
extractor: null
},
{
name: "Windows Prefetch",
extension: "pf",
mime: "application/x-pf",
description: "",
signature: {
0: [0x11, 0x17, 0x1a],
1: 0x0,
2: 0x0,
3: 0x0,
4: 0x53,
5: 0x43,
6: 0x43,
7: 0x41
},
extractor: null
},
{
name: "Windows Prefetch (Win 10)",
extension: "pf",
mime: "application/x-pf",
description: "",
signature: {
0: 0x4d,
1: 0x41,
2: 0x4d,
3: 0x04,
7: 0x0
},
extractor: null
},
{
name: "PList (XML)",
extension: "plist",
mime: "application/xml",
description: "",
signature: {
39: 0x3c, // <!DOCTYPE plist
40: 0x21,
41: 0x44,
42: 0x4f,
43: 0x43,
44: 0x54,
45: 0x59,
46: 0x50,
47: 0x45,
48: 0x20,
49: 0x70,
50: 0x6c,
51: 0x69,
52: 0x73,
53: 0x74
},
extractor: extractPListXML
},
{
name: "PList (binary)",
extension: "bplist,plist,ipmeta,abcdp,mdbackup,mdinfo,strings,nib,ichat,qtz,webbookmark,webhistory",
mime: "application/x-plist",
description: "",
signature: {
0: 0x62, // bplist00
1: 0x70,
2: 0x6c,
3: 0x69,
4: 0x73,
5: 0x74,
6: 0x30,
7: 0x30
},
extractor: null
},
{
name: "MacOS X Keychain",
extension: "keychain",
mime: "application/octet-stream",
description: "",
signature: {
0: 0x6b, // keych
1: 0x79,
2: 0x63,
3: 0x68,
4: 0x00,
5: 0x01
},
extractor: null
},
]
};
@ -1732,6 +2301,24 @@ export function extractRTF(bytes, offset) {
}
/**
* PList (XML) extractor.
*
* @param {Uint8Array} bytes
* @param {number} offset
* @returns {Uint8Array}
*/
export function extractPListXML(bytes, offset) {
const stream = new Stream(bytes.slice(offset));
// Find closing tag (</plist>\n)
stream.continueUntil([0x3c, 0x2f, 0x70, 0x6c, 0x69, 0x73, 0x74, 0x3e, 0x0a]);
stream.moveForwardsBy(9);
return stream.carve();
}
/**
* GZIP extractor.
*

8
src/core/operations/DetectFileType.mjs
View File

@ -23,10 +23,10 @@ class DetectFileType extends Operation {
this.module = "Default";
this.description = "Attempts to guess the MIME (Multipurpose Internet Mail Extensions) type of the data based on 'magic bytes'.<br><br>Currently supports the following file types: " +
Object.keys(FILE_SIGNATURES).map(cat =>
FILE_SIGNATURES[cat].map(sig =>
sig.extension.split(",")[0]
).join(", ")
).join(", ") + ".";
[].concat.apply([], FILE_SIGNATURES[cat].map(sig =>
sig.extension.split(",")
)).unique().join(", ")
).unique().join(", ") + ".";
this.infoURL = "https://wikipedia.org/wiki/List_of_file_signatures";
this.inputType = "ArrayBuffer";
this.outputType = "string";