Added ELF extractor. You can now specific which categories to search for in file type operations.

2025-04-23 00:06:17 -04:00 · 2019-01-14 18:55:10 +00:00 · 2019-01-14 18:55:10 +00:00 · cd2c8078c8
commit cd2c8078c8
parent 2307325af8
5 changed files with 111 additions and 38 deletions
--- a/src/core/operations/DetectFileType.mjs
+++ b/src/core/operations/DetectFileType.mjs
@ -6,6 +6,7 @@

 import Operation from "../Operation";
 import {detectFileType} from "../lib/FileType";
+import {FILE_SIGNATURES} from "../lib/FileSignatures";

 /**
 * Detect File Type operation
@ -24,7 +25,13 @@ class DetectFileType extends Operation {
        this.infoURL = "https://wikipedia.org/wiki/List_of_file_signatures";
        this.inputType = "ArrayBuffer";
        this.outputType = "string";
-        this.args = [];
+        this.args = Object.keys(FILE_SIGNATURES).map(cat => {
+            return {
+                name: cat,
+                type: "boolean",
+                value: true
+            };
+        });
    }

    /**
@ -34,7 +41,13 @@ class DetectFileType extends Operation {
     */
    run(input, args) {
        const data = new Uint8Array(input),
-            types = detectFileType(data);
+            categories = [];
+
+        args.forEach((cat, i) => {
+            if (cat) categories.push(Object.keys(FILE_SIGNATURES)[i]);
+        });
+
+        const types = detectFileType(data, categories);

        if (!types.length) {
            return "Unknown file type. Have you tried checking the entropy of this data to determine whether it might be encrypted or compressed?";
--- a/src/core/operations/ExtractFiles.mjs
+++ b/src/core/operations/ExtractFiles.mjs
@ -8,6 +8,7 @@ import Operation from "../Operation";
 // import OperationError from "../errors/OperationError";
 import Utils from "../Utils";
 import {scanForFileTypes, extractFile} from "../lib/FileType";
+import {FILE_SIGNATURES} from "../lib/FileSignatures";

 /**
 * Extract Files operation
@ -27,7 +28,13 @@ class ExtractFiles extends Operation {
        this.inputType = "ArrayBuffer";
        this.outputType = "List<File>";
        this.presentType = "html";
-        this.args = [];
+        this.args = Object.keys(FILE_SIGNATURES).map(cat => {
+            return {
+                name: cat,
+                type: "boolean",
+                value: cat === "Miscellaneous" ? false : true
+            };
+        });
    }

    /**
@ -36,10 +43,15 @@ class ExtractFiles extends Operation {
     * @returns {List<File>}
     */
    run(input, args) {
-        const bytes = new Uint8Array(input);
+        const bytes = new Uint8Array(input),
+            categories = [];
+
+        args.forEach((cat, i) => {
+            if (cat) categories.push(Object.keys(FILE_SIGNATURES)[i]);
+        });

        // Scan for embedded files
-        const detectedFiles = scanForFileTypes(bytes);
+        const detectedFiles = scanForFileTypes(bytes, categories);

        // Extract each file that we support
        const files = [];
--- a/src/core/operations/ScanForEmbeddedFiles.mjs
+++ b/src/core/operations/ScanForEmbeddedFiles.mjs
@ -7,6 +7,7 @@
 import Operation from "../Operation";
 import Utils from "../Utils";
 import {scanForFileTypes} from "../lib/FileType";
+import {FILE_SIGNATURES} from "../lib/FileSignatures";

 /**
 * Scan for Embedded Files operation
@ -25,13 +26,13 @@ class ScanForEmbeddedFiles extends Operation {
        this.infoURL = "https://wikipedia.org/wiki/List_of_file_signatures";
        this.inputType = "ArrayBuffer";
        this.outputType = "string";
-        this.args = [
-            {
-                "name": "Ignore common byte sequences",
-                "type": "boolean",
-                "value": true
-            }
-        ];
+        this.args = Object.keys(FILE_SIGNATURES).map(cat => {
+            return {
+                name: cat,
+                type: "boolean",
+                value: cat === "Miscellaneous" ? false : true
+            };
+        });
    }

    /**
@ -41,21 +42,18 @@ class ScanForEmbeddedFiles extends Operation {
     */
    run(input, args) {
        let output = "Scanning data for 'magic bytes' which may indicate embedded files. The following results may be false positives and should not be treat as reliable. Any suffiently long file is likely to contain these magic bytes coincidentally.\n",
-            numFound = 0,
-            numCommonFound = 0;
-        const ignoreCommon = args[0],
-            commonExts = ["ttf", "utf16le", ""],
-            data = new Uint8Array(input),
-            types = scanForFileTypes(data);
+            numFound = 0;
+        const categories = [],
+            data = new Uint8Array(input);

+        args.forEach((cat, i) => {
+            if (cat) categories.push(Object.keys(FILE_SIGNATURES)[i]);
+        });
+
+        const types = scanForFileTypes(data, categories);

        if (types.length) {
            types.forEach(type => {
-                if (ignoreCommon && commonExts.indexOf(type.fileDetails.extension) > -1) {
-                    numCommonFound++;
-                    return;
-                }
-
                numFound++;
                output += "\nOffset " + type.offset + " (0x" + Utils.hex(type.offset) + "):\n" +
                    "  File extension: " + type.fileDetails.extension + "\n" +
@ -71,14 +69,6 @@ class ScanForEmbeddedFiles extends Operation {
            output += "\nNo embedded files were found.";
        }

-        if (numCommonFound > 0) {
-            output += "\n\n" + numCommonFound;
-            output += numCommonFound === 1 ?
-                " file type was detected that has a common byte sequence. This is likely to be a false positive." :
-                " file types were detected that have common byte sequences. These are likely to be false positives.";
-            output += " Run this operation with the 'Ignore common byte sequences' option unchecked to see details.";
-        }
-
        return output;
    }