From 25ca8d85a6ddeb185b46ada43c0183972f5f73ba Mon Sep 17 00:00:00 2001
From: n1073645
Date: Thu, 21 Nov 2019 11:14:56 +0000
Subject: [PATCH 1/4] Added extractor for OLE2 and modified the PLIST one.
---
 src/core/lib/FileSignatures.mjs | 110 +++++++++++++++++++++++++++++++-
 1 file changed, 107 insertions(+), 3 deletions(-)
diff --git a/src/core/lib/FileSignatures.mjs b/src/core/lib/FileSignatures.mjs
index dc7ced4d..e151a844 100644
--- a/src/core/lib/FileSignatures.mjs
+++ b/src/core/lib/FileSignatures.mjs
@@ -2914,15 +2914,119 @@ export function extractSQLITE(bytes, offset) { export function extractPListXML(bytes, offset) { const stream = new Stream(bytes.slice(offset)); - // Find closing tag () - stream.continueUntil([0x3c, 0x2f, 0x70, 0x6c, 0x69, 0x73, 0x74, 0x3e]); - stream.moveForwardsBy(8); + let braceCount = 0; + + // Continue to the first ( 0 && stream.hasMore()) { + if (stream.readInt(1) === 0x3c) { + + // If we hit an . + if (stream.getBytes(7).join("") === [0x2f, 0x70, 0x6c, 0x69, 0x73, 0x74, 0x3e].join("")) { + braceCount--; + } else { + stream.moveBackwardsBy(7); + } + } + } stream.consumeIf(0x0a); return stream.carve(); } +/** + * OLE2 extractor. + * + * @param {Uint8Array} bytes + * @param {number} offset + * @returns {Uint8Array} + */ +export function extractOLE2(bytes, offset) { + const stream = new Stream(bytes.slice(offset)); + const entries = [[[0x52, 0x00, 0x6f, 0x00, 0x6f, 0x00, 0x74, 0x00, 0x20, 0x00, 0x45, 0x00, 0x6e, 0x00, 0x74, 0x00, 0x72, 0x00, 0x79], 19, "Root Entry"], + [[0x57, 0x00, 0x6f, 0x00, 0x72, 0x00, 0x6b, 0x00, 0x62, 0x00, 0x6f, 0x00, 0x6f, 0x00, 0x6b], 15, "Workbook"], + [[0x43, 0x00, 0x75, 0x00, 0x72, 0x00, 0x72, 0x00, 0x65, 0x00, 0x6e, 0x00, 0x74, 0x00, 0x20, 0x00, 0x55, 0x00, 0x73, 0x00, 0x65, 0x00, 0x72], 23, "Current User"], + [[0x50, 0x00, 0x6f, 0x00, 0x77, 0x00, 0x65, 0x00, 0x72, 0x00, 0x50, 0x00, 0x6f, 0x00, 0x69, 0x00, 0x6e, 0x00, 0x74, 0x00, 0x20, 0x00, 0x44, 0x00, 0x6f, 0x00, 0x63, 0x00, 0x75, 0x00, 0x6d, 0x00, 0x65, 0x00, 0x6e, 0x00, 0x74], 37, "PowerPoint Document"], + [[0x57, 0x00, 0x6f, 0x00, 0x72, 0x00, 0x64, 0x00, 0x44, 0x00, 0x6f, 0x00, 0x63, 0x00, 0x75, 0x00, 0x6d, 0x00, 0x65, 0x00, 0x6e, 0x00, 0x74], 23, "WordDocument"], + [[0x44, 0x00, 0x61, 0x00, 0x74, 0x00, 0x61], 7, "Data"], + [[0x50, 0x00, 0x69, 0x00, 0x63, 0x00, 0x74, 0x00, 0x75, 0x00, 0x72, 0x00, 0x65, 0x00, 0x73], 15, "Pictures"], + [[0x31, 0x00, 0x54, 0x00, 0x61, 0x00, 0x62, 0x00, 0x6c, 0x00, 0x65], 11, "1Table"], + [[0x05, 0x00, 0x53, 0x00, 0x75, 
0x00, 0x6d, 0x00, 0x6d, 0x00, 0x61, 0x00, 0x72, 0x00, 0x79, 0x00, 0x49, 0x00, 0x6e, 0x00, 0x66, 0x00, 0x6f, 0x00, 0x72, 0x00, 0x6d, 0x00, 0x61, 0x00, 0x74, 0x00, 0x69, 0x00, 0x6f, 0x00, 0x6e], 37, "SummaryInformation"],
+ [[0x05, 0x00, 0x44, 0x00, 0x6f, 0x00, 0x63, 0x00, 0x75, 0x00, 0x6d, 0x00, 0x65, 0x00, 0x6e, 0x00, 0x74, 0x00, 0x53, 0x00, 0x75, 0x00, 0x6d, 0x00, 0x6d, 0x00, 0x61, 0x00, 0x72, 0x00, 0x79, 0x00, 0x49, 0x00, 0x6e, 0x00, 0x66, 0x00, 0x6f, 0x00, 0x72, 0x00, 0x6d, 0x00, 0x61, 0x00, 0x74, 0x00, 0x69, 0x00, 0x6f, 0x00, 0x6e], 53, "DocumentSummaryInformation"],
+ [[0x43, 0x00, 0x6f, 0x00, 0x6d, 0x00, 0x70, 0x00, 0x4f, 0x00, 0x62, 0x00, 0x6a], 13, "Comp Obj"],
+ [[0x01, 0x00], 2, "Entry"]];
+ let endianness = "le";
+
+ // Move to endianess field.
+ stream.moveForwardsBy(28);
+ if (stream.readInt(2, endianness) === 0xfffe)
+ endianness = "le";
+
+ // Calculate the size of the normal sectors.
+ const sizeOfSector = 2 ** stream.readInt(2, endianness);
+
+ // Move to root directory offset field.
+ stream.moveTo(48);
+
+ // Read root directory offset.
+ const rootStuff = stream.readInt(4, endianness);
+
+ // Calculate root directory offset.
+ let total = 512 + (rootStuff * sizeOfSector);
+ stream.moveTo(total);
+ let found = true;
+
+ // While valid directory entries.
+ while (found) {
+ found = false;
+
+ // Attempt to determine what directory entry it is.
+ for (const element of entries) {
+ if (stream.getBytes(element[1]).join("") === element[0].join("")) {
+ stream.moveBackwardsBy(element[1]);
+ found = true;
+
+ // Move forwards by the size of the comp obj.
+ if (element[2] === "Comp Obj") {
+ total += (128*6);
+ stream.moveTo(total);
+ } else if (element[2] === "Entry") {
+
+ // If there is an entry move backwards by 126 to then move forwards by 128. Hence a total displacement of 2.
+ stream.moveBackwardsBy(126);
+ }
+ break;
+ }
+ stream.moveBackwardsBy(element[1]);
+ }
+
+ // If we have found a valid entry, move forwards by 128.
+ if (found) {
+ total += 128;
+ stream.moveForwardsBy(128);
+ }
+ }
+
+ // Round up to a multiple of 512.
+ total = Math.ceil(total / 512) * 512;
+
+ stream.moveTo(total);
+ return stream.carve();
+}
+
+
 /**
 * GZIP extractor.
 *
From 7386c145ef8d22b8a1e7334c006d2ee58eee43f2 Mon Sep 17 00:00:00 2001
From: n1073645
Date: Thu, 21 Nov 2019 11:23:28 +0000
Subject: [PATCH 2/4] Comments for OLE2 extractor.
---
 src/core/lib/FileSignatures.mjs | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/core/lib/FileSignatures.mjs b/src/core/lib/FileSignatures.mjs
index e151a844..656df190 100644
--- a/src/core/lib/FileSignatures.mjs
+++ b/src/core/lib/FileSignatures.mjs
@@ -2994,6 +2994,8 @@ export function extractOLE2(bytes, offset) {
 // Attempt to determine what directory entry it is.
 for (const element of entries) {
+
+ // If the byte pattern matches.
 if (stream.getBytes(element[1]).join("") === element[0].join("")) {
 stream.moveBackwardsBy(element[1]);
 found = true;
From 071c1bdea6af3131e98faf86f5a00bf8418ebe8b Mon Sep 17 00:00:00 2001
From: n1073645
Date: Thu, 21 Nov 2019 11:29:45 +0000
Subject: [PATCH 3/4] Comments for OLE2 extractor.
---
 src/core/lib/FileSignatures.mjs | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/core/lib/FileSignatures.mjs b/src/core/lib/FileSignatures.mjs
index 656df190..1683a950 100644
--- a/src/core/lib/FileSignatures.mjs
+++ b/src/core/lib/FileSignatures.mjs
@@ -3016,6 +3016,8 @@ export function extractOLE2(bytes, offset) {
 // If we have found a valid entry, move forwards by 128.
 if (found) {
+
+ // Every entry is at least 128 in size, some are bigger which is dealt with by the above if statement.
 total += 128;
 stream.moveForwardsBy(128);
 }
From 725b0d42f89e15f1ca3727cafb094167d4c53b94 Mon Sep 17 00:00:00 2001
From: n1073645
Date: Thu, 21 Nov 2019 11:34:11 +0000
Subject: [PATCH 4/4] Comments to OLE2 extractor
---
 src/core/lib/FileSignatures.mjs | 2 ++
 1 file changed, 2 insertions(+)
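Review bot: In `extractOLE2`, the sector shift and the root directory sector number are read from the file header and go straight into `total = 512 + (rootStuff * sizeOfSector)` and `stream.moveTo(total)` with no check against the input length, so a malformed or hostile header decides where the directory walk starts and how much is carved. Stream's out-of-range behaviour is not visible in this hunk, so the function should at least bail out before the seek, for example `if (total > bytes.length - offset) throw new Error("OLE2 root directory lies outside the input");`, or follow whatever failure convention the other extractors use. The byte-order test just above is also a no-op, since both paths leave `endianness` as `"le"`; either reject headers whose marker is not `0xfffe` or drop the branch. The two-byte `"Entry"` pattern `[0x01, 0x00]` is weak enough that the `while (found)` loop may keep walking through unrelated data, so a `stream.hasMore()` bound on that loop would be worth adding.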
diff --git a/src/core/lib/FileSignatures.mjs b/src/core/lib/FileSignatures.mjs
index 1683a950..d997f823 100644
--- a/src/core/lib/FileSignatures.mjs
+++ b/src/core/lib/FileSignatures.mjs
@@ -3002,6 +3002,8 @@ export function extractOLE2(bytes, offset) {
 // Move forwards by the size of the comp obj.
 if (element[2] === "Comp Obj") {
+
+ // The size of the Comp Obj entry - 128. Since we add 128 later.
 total += (128*6);
 stream.moveTo(total);
 } else if (element[2] === "Entry") {