Began implementing UTF-16 support in the 'Strings' operation.

2025-04-24 16:56:15 -04:00 · 2018-01-03 16:51:10 +00:00 · 2018-01-03 16:51:10 +00:00 · 56551712d6
commit 56551712d6
parent 0ba28dc891
9 changed files with 363 additions and 289 deletions
--- a/src/core/config/OperationConfig.js
+++ b/src/core/config/OperationConfig.js
@ -30,6 +30,7 @@ import NetBIOS from "../operations/NetBIOS.js";
 import PHP from "../operations/PHP.js";
 import PublicKey from "../operations/PublicKey.js";
 import Punycode from "../operations/Punycode.js";
+import Regex from "../operations/Regex.js";
 import Rotate from "../operations/Rotate.js";
 import SeqUtils from "../operations/SeqUtils.js";
 import Shellcode from "../operations/Shellcode.js";
@ -2058,7 +2059,7 @@ const OperationConfig = {
        args: []
    },
    "Find / Replace": {
-        module: "Default",
+        module: "Regex",
        description: "Replaces all occurrences of the first string with the second.<br><br> Includes support for regular expressions (regex), simple strings and extended strings (which support \\n, \\r, \\t, \\b, \\f and escaped hex bytes using \\x notation, e.g. \\x00 for a null byte).",
        manualBake: true,
        inputType: "string",
@ -2068,7 +2069,7 @@ const OperationConfig = {
                name: "Find",
                type: "toggleString",
                value: "",
-                toggleValues: StrUtils.SEARCH_TYPE
+                toggleValues: Regex.SEARCH_TYPE
            },
            {
                name: "Replace",
@ -2078,17 +2079,17 @@ const OperationConfig = {
            {
                name: "Global match",
                type: "boolean",
-                value: StrUtils.FIND_REPLACE_GLOBAL,
+                value: Regex.FIND_REPLACE_GLOBAL,
            },
            {
                name: "Case insensitive",
                type: "boolean",
-                value: StrUtils.FIND_REPLACE_CASE,
+                value: Regex.FIND_REPLACE_CASE,
            },
            {
                name: "Multiline matching",
                type: "boolean",
-                value: StrUtils.FIND_REPLACE_MULTILINE,
+                value: Regex.FIND_REPLACE_MULTILINE,
            },

        ]
@ -2160,7 +2161,7 @@ const OperationConfig = {
        ]
    },
    "Strings": {
-        module: "Default",
+        module: "Regex",
        description: "Extracts all strings from the input.",
        inputType: "string",
        outputType: "string",
@ -2174,11 +2175,16 @@ const OperationConfig = {
                name: "Display total",
                type: "boolean",
                value: Extract.DISPLAY_TOTAL
+            },
+            {
+                name: "Encoding",
+                type: "option",
+                value: Extract.ENCODING_LIST
            }
        ]
    },
    "Extract IP addresses": {
-        module: "Default",
+        module: "Regex",
        description: "Extracts all IPv4 and IPv6 addresses.<br><br>Warning: Given a string <code>710.65.0.456</code>, this will match <code>10.65.0.45</code> so always check the original input!",
        inputType: "string",
        outputType: "string",
@ -2206,7 +2212,7 @@ const OperationConfig = {
        ]
    },
    "Extract email addresses": {
-        module: "Default",
+        module: "Regex",
        description: "Extracts all email addresses from the input.",
        inputType: "string",
        outputType: "string",
@ -2219,7 +2225,7 @@ const OperationConfig = {
        ]
    },
    "Extract MAC addresses": {
-        module: "Default",
+        module: "Regex",
        description: "Extracts all Media Access Control (MAC) addresses from the input.",
        inputType: "string",
        outputType: "string",
@ -2232,7 +2238,7 @@ const OperationConfig = {
        ]
    },
    "Extract URLs": {
-        module: "Default",
+        module: "Regex",
        description: "Extracts Uniform Resource Locators (URLs) from the input. The protocol (http, ftp etc.) is required otherwise there will be far too many false positives.",
        inputType: "string",
        outputType: "string",
@ -2245,7 +2251,7 @@ const OperationConfig = {
        ]
    },
    "Extract domains": {
-        module: "Default",
+        module: "Regex",
        description: "Extracts domain names.<br>Note that this will not include paths. Use <strong>Extract URLs</strong> to find entire URLs.",
        inputType: "string",
        outputType: "string",
@ -2258,7 +2264,7 @@ const OperationConfig = {
        ]
    },
    "Extract file paths": {
-        module: "Default",
+        module: "Regex",
        description: "Extracts anything that looks like a Windows or UNIX file path.<br><br>Note that if UNIX is selected, there will likely be a lot of false positives.",
        inputType: "string",
        outputType: "string",
@ -2281,7 +2287,7 @@ const OperationConfig = {
        ]
    },
    "Extract dates": {
-        module: "Default",
+        module: "Regex",
        description: "Extracts dates in the following formats<ul><li><code>yyyy-mm-dd</code></li><li><code>dd/mm/yyyy</code></li><li><code>mm/dd/yyyy</code></li></ul>Dividers can be any of /, -, . or space",
        inputType: "string",
        outputType: "string",
@ -2294,7 +2300,7 @@ const OperationConfig = {
        ]
    },
    "Regular expression": {
-        module: "Default",
+        module: "Regex",
        description: "Define your own regular expression (regex) to search the input data with, optionally choosing from a list of pre-defined patterns.",
        manualBake: true,
        inputType: "string",
@ -2303,7 +2309,7 @@ const OperationConfig = {
            {
                name: "Built in regexes",
                type: "populateOption",
-                value: StrUtils.REGEX_PRE_POPULATE,
+                value: Regex.REGEX_PRE_POPULATE,
                target: 1,
            },
            {
@ -2314,22 +2320,22 @@ const OperationConfig = {
            {
                name: "Case insensitive",
                type: "boolean",
-                value: StrUtils.REGEX_CASE_INSENSITIVE
+                value: Regex.REGEX_CASE_INSENSITIVE
            },
            {
                name: "Multiline matching",
                type: "boolean",
-                value: StrUtils.REGEX_MULTILINE_MATCHING
+                value: Regex.REGEX_MULTILINE_MATCHING
            },
            {
                name: "Display total",
                type: "boolean",
-                value: StrUtils.DISPLAY_TOTAL
+                value: Regex.DISPLAY_TOTAL
            },
            {
                name: "Output format",
                type: "option",
-                value: StrUtils.OUTPUT_FORMAT
+                value: Regex.OUTPUT_FORMAT
            },
        ]
    },
--- a/src/core/config/modules/Default.js
+++ b/src/core/config/modules/Default.js
@ -10,7 +10,6 @@ import Convert from "../../operations/Convert.js";
 import DateTime from "../../operations/DateTime.js";
 import Endian from "../../operations/Endian.js";
 import Entropy from "../../operations/Entropy.js";
-import Extract from "../../operations/Extract.js";
 import FileType from "../../operations/FileType.js";
 import Hexdump from "../../operations/Hexdump.js";
 import HTML from "../../operations/HTML.js";
@ -99,11 +98,9 @@ OpModules.Default = {
    "Format MAC addresses": MAC.runFormat,
    "Encode NetBIOS Name":  NetBIOS.runEncodeName,
    "Decode NetBIOS Name":  NetBIOS.runDecodeName,
-    "Regular expression":   StrUtils.runRegex,
    "Offset checker":       StrUtils.runOffsetChecker,
    "To Upper case":        StrUtils.runUpper,
    "To Lower case":        StrUtils.runLower,
-    "Find / Replace":       StrUtils.runFindReplace,
    "Split":                StrUtils.runSplit,
    "Filter":               StrUtils.runFilter,
    "Escape string":        StrUtils.runEscape,
@ -132,14 +129,6 @@ OpModules.Default = {
    "Translate DateTime Format": DateTime.runTranslateFormat,
    "From UNIX Timestamp":  DateTime.runFromUnixTimestamp,
    "To UNIX Timestamp":    DateTime.runToUnixTimestamp,
-    "Strings":              Extract.runStrings,
-    "Extract IP addresses": Extract.runIp,
-    "Extract email addresses": Extract.runEmail,
-    "Extract MAC addresses": Extract.runMac,
-    "Extract URLs":         Extract.runUrls,
-    "Extract domains":      Extract.runDomains,
-    "Extract file paths":   Extract.runFilePaths,
-    "Extract dates":        Extract.runDates,
    "Microsoft Script Decoder": MS.runDecodeScript,
    "Entropy":              Entropy.runEntropy,
    "Frequency distribution": Entropy.runFreqDistrib,
--- a/src/core/config/modules/OpModules.js
+++ b/src/core/config/modules/OpModules.js
@ -18,6 +18,7 @@ import HTTPModule from "./HTTP.js";
 import ImageModule from "./Image.js";
 import JSBNModule from "./JSBN.js";
 import PublicKeyModule from "./PublicKey.js";
+import RegexModule from "./Regex.js";
 import ShellcodeModule from "./Shellcode.js";
 import URLModule from "./URL.js";

@ -34,6 +35,7 @@ Object.assign(
    ImageModule,
    JSBNModule,
    PublicKeyModule,
+    RegexModule,
    ShellcodeModule,
    URLModule
 );
--- a/src/core/config/modules/Regex.js
+++ b/src/core/config/modules/Regex.js
@ -0,0 +1,30 @@
+import Extract from "../../operations/Extract.js";
+import Regex from "../../operations/Regex.js";
+
+
+/**
+ * Regex module.
+ *
+ * Libraries:
+ *  - XRegExp
+ *
+ * @author n1474335 [n1474335@gmail.com]
+ * @copyright Crown Copyright 2018
+ * @license Apache-2.0
+ */
+let OpModules = typeof self === "undefined" ? {} : self.OpModules || {};
+
+OpModules.Regex = {
+    "Regular expression":   Regex.runRegex,
+    "Find / Replace":       Regex.runFindReplace,
+    "Strings":              Extract.runStrings,
+    "Extract IP addresses": Extract.runIp,
+    "Extract email addresses": Extract.runEmail,
+    "Extract MAC addresses": Extract.runMac,
+    "Extract URLs":         Extract.runUrls,
+    "Extract domains":      Extract.runDomains,
+    "Extract file paths":   Extract.runFilePaths,
+    "Extract dates":        Extract.runDates,
+};
+
+export default OpModules;