From d240d65c5f10d4b4c954b912cfca87f95b4aa95c Mon Sep 17 00:00:00 2001 From: n1073645 Date: Mon, 11 Nov 2019 15:47:16 +0000 Subject: [PATCH 1/9] Improved continueUntil, added consumeWhile and made the EVTX extractor more complete --- src/core/lib/FileSignatures.mjs | 8 ++--- src/core/lib/Stream.mjs | 61 +++++++++++++++++++++++++++++---- 2 files changed, 58 insertions(+), 11 deletions(-) diff --git a/src/core/lib/FileSignatures.mjs b/src/core/lib/FileSignatures.mjs index b93a7c9f..da4509c8 100644 --- a/src/core/lib/FileSignatures.mjs +++ b/src/core/lib/FileSignatures.mjs @@ -3348,11 +3348,11 @@ export function extractEVTX(bytes, offset) { while (stream.hasMore()) { // Loop through ELFCHNKs. - if (stream.getBytes(7).join("") === [0x45, 0x6c, 0x66, 0x43, 0x68, 0x6e, 0x6b].join("")) - stream.moveForwardsBy(0xfff9); - else - break; + if (stream.getBytes(7).join("") !== [0x45, 0x6c, 0x66, 0x43, 0x68, 0x6e, 0x6b].join("")) + break; + stream.moveForwardsBy(0xfff9); } + stream.consumeWhile(0x00); return stream.carve(); } diff --git a/src/core/lib/Stream.mjs b/src/core/lib/Stream.mjs index 7e82a5eb..dca390e5 100644 --- a/src/core/lib/Stream.mjs +++ b/src/core/lib/Stream.mjs 
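Review bot: In `extractEVTX`, when the magic check fails the loop breaks with the seven bytes read by `stream.getBytes(7)` still consumed, so `stream.consumeWhile(0x00)` and `stream.carve()` appear to work from seven bytes past the last valid chunk. This assumes `getBytes` advances the position, which the `0xfff9` step (0x10000 minus 7) suggests but the hunk does not show. Stepping back before leaving the loop, e.g. `if (...) { stream.moveBackwardsBy(7); break; }`, would keep bytes that failed the ElfChnk check out of the carved file. A one-line comment on why trailing `0x00` bytes are consumed before carving would also help; the function body starts outside the hunk.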
@@ -155,19 +155,66 @@ export default class Stream { } // val is an array - let found = false; - while (!found && this.position < this.length) { - while (++this.position < this.length && this.bytes[this.position] !== val[0]) { - continue; - } + + + /** + * Build's the skip forward table from the value to be searched. + * + * @param val + * @param len + */ + function preprocess(val, len) { + const skiptable = new Array(); + val.forEach(function(element, index) { + skiptable[element] = len - index; + }); + return skiptable; + } + + const length = val.length; + + const initial = val[length-1]; + + this.position = length; + + // Get the skip table. + const skiptable = preprocess(val, length); + let found = true; + + while (this.position < this.length) { + + // Until we hit the final element of val in the stream. + while ((this.position < this.length) && (this.bytes[this.position++] !== initial)); + found = true; - for (let i = 1; i < val.length; i++) { - if (this.position + i > this.length || this.bytes[this.position + i] !== val[i]) + + // Loop through the elements comparing them to val. + for (let x = length-1; x != -1; x--) { + if (this.bytes[(this.position-length) + x] !== val[x]) { found = false; + + // If element is not equal to val's element then jump forward by the correct amount. + this.position += skiptable[val[x]]; + break; + } + } + if (found) { + this.position = (this.position - length); + break; } } } + + /** + * Consume bytes if it matches the supplied value. + * + * @param val + */ + consumeWhile(val) { + while ((this.position < this.length) && (this.bytes[this.position++] === val)); + } + /** * Consume the next byte if it matches the supplied value. * From 8e2345cf9e9e297c679baeac52855c84095b8a98 Mon Sep 17 00:00:00 2001 
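Review bot: The array branch of `continueUntil` now sets `this.position = length;` before searching, so the scan restarts near the beginning of the stream instead of continuing from the caller's position; callers that chain searches, such as the two `continueUntil` calls in `extractGIF`, can land on an earlier marker than intended. The skip is also added after `this.position++` has already moved past the candidate, and it is indexed by the needle byte `val[x]` rather than the stream byte, so an occurrence can be stepped over: searching `[0x21, 0xf9]` in `[0x00, 0x00, 0xf9, 0x21, 0xf9]` ends without a match. On a miss the position can also end up beyond `this.length`. For a carver that processes untrusted files this produces truncated or mis-bounded output, so I would search from the current position with a shift table keyed on the stream byte, as sketched below. The enclosing method starts above the hunk.

```javascript
// … unchanged: single-value branch of continueUntil …

// val is an array
const length = val.length;
const last = length - 1;

// Shift per byte value: distance from its last occurrence in val
// (final element excluded) to the end of val; bytes not in val shift a full length.
const skiptable = new Array(256).fill(length);
for (let i = 0; i < last; i++) {
    skiptable[val[i]] = last - i;
}

// Search from the caller's current position, never from an absolute offset.
let start = this.position;
while (start + length <= this.length) {
    let x = last;
    while (x >= 0 && this.bytes[start + x] === val[x]) x--;
    if (x < 0) {
        this.position = start;
        return;
    }
    // Key the shift on the stream byte aligned with the end of the window.
    start += skiptable[this.bytes[start + last]] || length;
}

// Not found: clamp to the end of the stream instead of running past it.
this.position = this.length;
```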
From: n1073645 Date: Mon, 11 Nov 2019 16:08:03 +0000 Subject: [PATCH 2/9] Improved continueUntil, added consumeWhile and made the EVTX extractor more complete --- src/core/lib/FileSignatures.mjs | 2 +- src/core/lib/Stream.mjs | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/core/lib/FileSignatures.mjs b/src/core/lib/FileSignatures.mjs index da4509c8..c8397b03 100644 --- a/src/core/lib/FileSignatures.mjs +++ b/src/core/lib/FileSignatures.mjs @@ -3349,7 +3349,7 @@ export function extractEVTX(bytes, offset) { // Loop through ELFCHNKs. if (stream.getBytes(7).join("") !== [0x45, 0x6c, 0x66, 0x43, 0x68, 0x6e, 0x6b].join("")) - break; + break; stream.moveForwardsBy(0xfff9); } stream.consumeWhile(0x00); diff --git a/src/core/lib/Stream.mjs b/src/core/lib/Stream.mjs index dca390e5..e86dfc30 100644 --- a/src/core/lib/Stream.mjs +++ b/src/core/lib/Stream.mjs @@ -189,7 +189,7 @@ export default class Stream { found = true; // Loop through the elements comparing them to val. - for (let x = length-1; x != -1; x--) { + for (let x = length-1; x !== -1; x--) { if (this.bytes[(this.position-length) + x] !== val[x]) { found = false; From d3c13b118d99d7807143026172c5a781e0996b9b Mon Sep 17 00:00:00 2001 From: n1073645 Date: Tue, 12 Nov 2019 11:00:43 +0000 Subject: [PATCH 3/9] Improved continueUntil, added consumeWhile and made the EVTX extractor more complete --- .eslintrc.json | 1 + src/core/lib/FileSignatures.mjs | 18 +++++++++--------- src/core/lib/Stream.mjs | 2 +- 3 files changed, 11 insertions(+), 10 deletions(-) diff --git a/.eslintrc.json b/.eslintrc.json index e307112b..14e335a5 100755 --- a/.eslintrc.json +++ b/.eslintrc.json @@ -47,6 +47,7 @@ "block-spacing": "error", "array-bracket-spacing": "error", "comma-spacing": "error", + "spaced-comment": ["error", "always"], "comma-style": "error", "computed-property-spacing": "error", "no-trailing-spaces": "warn", 
diff --git a/src/core/lib/FileSignatures.mjs b/src/core/lib/FileSignatures.mjs index c8397b03..b4d9e918 100644 --- a/src/core/lib/FileSignatures.mjs +++ b/src/core/lib/FileSignatures.mjs @@ -2577,21 +2577,21 @@ export function extractJPEG(bytes, offset) { export function extractGIF(bytes, offset) { const stream = new Stream(bytes.slice(offset)); - //Move to application extension block. + // Move to application extension block. stream.continueUntil([0x21, 0xff]); - //Move to Graphic Control Extension for frame #1. + // Move to Graphic Control Extension for frame #1. stream.continueUntil([0x21, 0xf9]); stream.moveForwardsBy(2); while (stream.hasMore()) { - //Move to Image descriptor. + // Move to Image descriptor. stream.moveForwardsBy(stream.getBytes(1)[0]+1); - //Move past Image descriptor to the image data. + // Move past Image descriptor to the image data. stream.moveForwardsBy(11); - //Loop until next Graphic Control Extension. + // Loop until next Graphic Control Extension. while (stream.getBytes(2) !== [0x21, 0xf9]) { stream.moveBackwardsBy(2); stream.moveForwardsBy(stream.getBytes(1)[0]); @@ -2599,7 +2599,7 @@ export function extractGIF(bytes, offset) { break; stream.moveBackwardsBy(1); } - //When the end of the file is [0x00, 0x3b], end. + // When the end of the file is [0x00, 0x3b], end. if (stream.getBytes(1)[0] === 0x3b) break; stream.moveForwardsBy(1); @@ -3000,7 +3000,7 @@ export function extractGZIP(bytes, offset) { export function extractBZIP2(bytes, offset) { const stream = new Stream(bytes.slice(offset)); - //The EOFs shifted between all possible combinations. + // The EOFs shifted between all possible combinations. const lookingfor = [ [0x77, 0x24, 0x53, 0x85, 0x09], [0xee, 0x48, 0xa7, 0x0a, 0x12], 
@@ -3014,12 +3014,12 @@ export function extractBZIP2(bytes, offset) { for (let i = 0; i < lookingfor.length; i++) { - //Continue until an EOF. + // Continue until an EOF. stream.continueUntil(lookingfor[i]); if (stream.getBytes(5).join("") === lookingfor[i].join("")) break; - //Jump back to the start if invalid EOF. + // Jump back to the start if invalid EOF. stream.moveTo(0); } stream.moveForwardsBy(4); diff --git a/src/core/lib/Stream.mjs b/src/core/lib/Stream.mjs index e86dfc30..58cb2d5b 100644 --- a/src/core/lib/Stream.mjs +++ b/src/core/lib/Stream.mjs @@ -189,7 +189,7 @@ export default class Stream { found = true; // Loop through the elements comparing them to val. - for (let x = length-1; x !== -1; x--) { + for (let x = length-1; x+1; x--) { if (this.bytes[(this.position-length) + x] !== val[x]) { found = false; From 4541d75f49f6ed6e1411834811a6688fba146993 Mon Sep 17 00:00:00 2001 From: n1073645 Date: Tue, 12 Nov 2019 13:17:04 +0000 Subject: [PATCH 4/9] Improved continueUntil, added consumeWhile and made the EVTX extractor more complete --- .eslintrc.json | 1 - 1 file changed, 1 deletion(-) diff --git a/.eslintrc.json b/.eslintrc.json index 14e335a5..e307112b 100755 --- a/.eslintrc.json +++ b/.eslintrc.json @@ -47,7 +47,6 @@ "block-spacing": "error", "array-bracket-spacing": "error", "comma-spacing": "error", - "spaced-comment": ["error", "always"], "comma-style": "error", "computed-property-spacing": "error", "no-trailing-spaces": "warn", From dfd4cca43fc0641470f64b162efb9d42a0bd039c Mon Sep 17 00:00:00 2001 From: n1073645 Date: Wed, 13 Nov 2019 09:02:36 +0000 Subject: [PATCH 5/9] Corrections --- src/core/lib/Stream.mjs | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/src/core/lib/Stream.mjs b/src/core/lib/Stream.mjs index 58cb2d5b..0230b26a 100644 --- a/src/core/lib/Stream.mjs +++ b/src/core/lib/Stream.mjs 
@@ -158,14 +158,15 @@ export default class Stream { /** - * Build's the skip forward table from the value to be searched. + * Builds the skip forward table from the value to be searched. * - * @param val - * @param len + * @param {Uint8Array} val + * @param {Number} len + * @returns {Uint8Array} */ function preprocess(val, len) { const skiptable = new Array(); - val.forEach(function(element, index) { + val.forEach((element, index) => { skiptable[element] = len - index; }); return skiptable; @@ -189,8 +190,8 @@ export default class Stream { found = true; // Loop through the elements comparing them to val. - for (let x = length-1; x+1; x--) { - if (this.bytes[(this.position-length) + x] !== val[x]) { + for (let x = length-1; x > -1; x--) { + if (this.bytes[this.position-length + x] !== val[x]) { found = false; // If element is not equal to val's element then jump forward by the correct amount. @@ -199,7 +200,7 @@ export default class Stream { } } if (found) { - this.position = (this.position - length); + this.position -= length; break; } } @@ -209,10 +210,11 @@ export default class Stream { /** * Consume bytes if it matches the supplied value. * - * @param val + * @param {Number} val */ consumeWhile(val) { - while ((this.position < this.length) && (this.bytes[this.position++] === val)); + while ((this.position < this.length) && (this.bytes[(this.position++)] === val)) + this.position--; } /** From 3921b4f445417bee9fe6109e37ecfb9dba6d919c Mon Sep 17 00:00:00 2001 From: n1073645 Date: Wed, 13 Nov 2019 09:59:55 +0000 Subject: [PATCH 6/9] Small correction to continueWhile --- src/core/lib/Stream.mjs | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/core/lib/Stream.mjs b/src/core/lib/Stream.mjs index 0230b26a..8e941716 100644 --- a/src/core/lib/Stream.mjs +++ b/src/core/lib/Stream.mjs 
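Review bot: The JSDoc added to `preprocess` declares `@returns {Uint8Array}` and `@param {Uint8Array} val`, but the function returns the plain sparse array created by `new Array()`, and the surrounding comment says `val is an array`. I would document it as `@param {number[]|Uint8Array} val` and `@returns {number[]}`, and add a line such as `// Sparse: only byte values that occur in val have an entry.` so readers do not assume a full 256-entry table. `preprocess` is nested inside a method that starts outside the hunk.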
@@ -213,8 +213,7 @@ export default class Stream { * @param {Number} val */ consumeWhile(val) { - while ((this.position < this.length) && (this.bytes[(this.position++)] === val)) - this.position--; + while ((++this.position < this.length) && (this.bytes[(this.position)] === val)); } /** From e9b7a43b9a8fd0fd50c7ee423184d63357c33461 Mon Sep 17 00:00:00 2001 From: n1073645 Date: Wed, 13 Nov 2019 17:11:04 +0000 Subject: [PATCH 7/9] Adjustment to consumeWhile --- src/core/lib/Stream.mjs | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/src/core/lib/Stream.mjs b/src/core/lib/Stream.mjs index 8e941716..451698b9 100644 --- a/src/core/lib/Stream.mjs +++ b/src/core/lib/Stream.mjs @@ -190,7 +190,7 @@ export default class Stream { found = true; // Loop through the elements comparing them to val. - for (let x = length-1; x > -1; x--) { + for (let x = length-1; x >= 0; x--) { if (this.bytes[this.position-length + x] !== val[x]) { found = false; @@ -213,7 +213,12 @@ export default class Stream { * @param {Number} val */ consumeWhile(val) { - while ((++this.position < this.length) && (this.bytes[(this.position)] === val)); + while (this.position < this.length){ + if (this.bytes[this.position] !== val){ + break; + } + this.position++; + } } /** From c1878ca28b44e6e8935d163b341a6b1878f1605b Mon Sep 17 00:00:00 2001 From: n1073645 Date: Wed, 13 Nov 2019 17:15:54 +0000 Subject: [PATCH 8/9] Linting adjustments --- src/core/lib/Stream.mjs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/core/lib/Stream.mjs b/src/core/lib/Stream.mjs index 451698b9..da299b65 100644 --- a/src/core/lib/Stream.mjs +++ b/src/core/lib/Stream.mjs @@ -213,8 +213,8 @@ export default class Stream { * @param {Number} val */ consumeWhile(val) { - while (this.position < this.length){ - if (this.bytes[this.position] !== val){ + while (this.position < this.length) { + if (this.bytes[this.position] !== val) { break; } this.position++; 
From 03f474096895c604cef7b584ff82735de64c9479 Mon Sep 17 00:00:00 2001 From: n1474335 Date: Wed, 13 Nov 2019 18:04:36 +0000 Subject: [PATCH 9/9] Tidied up consumeWhile and consumeUntil --- src/core/lib/Stream.mjs | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/src/core/lib/Stream.mjs b/src/core/lib/Stream.mjs index da299b65..800d6b1a 100644 --- a/src/core/lib/Stream.mjs +++ b/src/core/lib/Stream.mjs @@ -156,7 +156,6 @@ export default class Stream { // val is an array - /** * Builds the skip forward table from the value to be searched. * @@ -173,9 +172,7 @@ export default class Stream { } const length = val.length; - const initial = val[length-1]; - this.position = length; // Get the skip table. @@ -183,7 +180,6 @@ export default class Stream { let found = true; while (this.position < this.length) { - // Until we hit the final element of val in the stream. while ((this.position < this.length) && (this.bytes[this.position++] !== initial)); @@ -191,7 +187,7 @@ export default class Stream { // Loop through the elements comparing them to val. for (let x = length-1; x >= 0; x--) { - if (this.bytes[this.position-length + x] !== val[x]) { + if (this.bytes[this.position - length + x] !== val[x]) { found = false; // If element is not equal to val's element then jump forward by the correct amount. @@ -208,7 +204,7 @@ export default class Stream { /** - * Consume bytes if it matches the supplied value. + * Consume bytes if they match the supplied value. * * @param {Number} val */ @@ -219,6 +215,7 @@ export default class Stream { } this.position++; } + this.bitPos = 0; } /**