Improved continueUntil, added consumeWhile and made the EVTX extractor more complete

2024-11-02 14:11:02 +01:00 · 2019-11-11 15:47:16 +00:00 · 2019-11-11 15:47:16 +00:00 · d240d65c5f
commit d240d65c5f
parent eb81b9217e
2 changed files with 58 additions and 11 deletions
--- a/src/core/lib/FileSignatures.mjs
+++ b/src/core/lib/FileSignatures.mjs
@ -3348,11 +3348,11 @@ export function extractEVTX(bytes, offset) {
    while (stream.hasMore()) {

        // Loop through ELFCHNKs.
-        if (stream.getBytes(7).join("") === [0x45, 0x6c, 0x66, 0x43, 0x68, 0x6e, 0x6b].join(""))
-            stream.moveForwardsBy(0xfff9);
-        else
-            break;
+        if (stream.getBytes(7).join("") !== [0x45, 0x6c, 0x66, 0x43, 0x68, 0x6e, 0x6b].join(""))
+            break;    
+        stream.moveForwardsBy(0xfff9);
    }
+    stream.consumeWhile(0x00);
    return stream.carve();
 }

--- a/src/core/lib/Stream.mjs
+++ b/src/core/lib/Stream.mjs
@ -155,19 +155,66 @@ export default class Stream {
        }

        // val is an array
-        let found = false;
-        while (!found && this.position < this.length) {
-            while (++this.position < this.length && this.bytes[this.position] !== val[0]) {
-                continue;
-            }
+
+
+        /**
+         * Build's the skip forward table from the value to be searched.
+         *
+         * @param val
+         * @param len
+         */
+        function preprocess(val, len) {
+            const skiptable = new Array();
+            val.forEach(function(element, index) {
+                skiptable[element] = len - index;
+            });
+            return skiptable;
+        }
+
+        const length = val.length;
+
+        const initial = val[length-1];
+
+        this.position = length;
+
+        // Get the skip table.
+        const skiptable = preprocess(val, length);
+        let found = true;
+
+        while (this.position < this.length) {
+
+            // Until we hit the final element of val in the stream.
+            while ((this.position < this.length) && (this.bytes[this.position++] !== initial));
+
            found = true;
-            for (let i = 1; i < val.length; i++) {
-                if (this.position + i > this.length || this.bytes[this.position + i] !== val[i])
+
+            // Loop through the elements comparing them to val.
+            for (let x = length-1; x != -1; x--) {
+                if (this.bytes[(this.position-length) + x] !== val[x]) {
                    found = false;
+
+                    // If element is not equal to val's element then jump forward by the correct amount.
+                    this.position += skiptable[val[x]];
+                    break;
+                }
+            }
+            if (found) {
+                this.position = (this.position - length);
+                break;
            }
        }
    }

+
+    /**
+     * Consume bytes if it matches the supplied value.
+     *
+     * @param val
+     */
+    consumeWhile(val) {
+        while ((this.position < this.length) && (this.bytes[this.position++] === val));
+    }
+
    /**
     * Consume the next byte if it matches the supplied value.
     *