From 080886a2d1994530e802b7dc21efea6c194909a8 Mon Sep 17 00:00:00 2001
From: n1474335
Date: Thu, 4 Jul 2019 18:43:38 +0100
Subject: [PATCH 1/2] Added support for psb, hdr, arw, raf, mrw, bct, mdi, au, auf, aif, aifc, arj, ace, hqx, alz, kgb, and torrent file detection.
---
 src/core/lib/FileSignatures.mjs | 362 ++++++++++++++++++-
 src/core/operations/DetectFileType.mjs | 22 +-
 src/core/operations/ScanForEmbeddedFiles.mjs | 9 +-
 3 files changed, 379 insertions(+), 14 deletions(-)
diff --git a/src/core/lib/FileSignatures.mjs b/src/core/lib/FileSignatures.mjs
index 61e37b88..a5e0aca5 100644
--- a/src/core/lib/FileSignatures.mjs
+++ b/src/core/lib/FileSignatures.mjs
@@ -170,7 +170,7 @@ export const FILE_SIGNATURES = {
 mime: "image/vnd.adobe.photoshop",
 description: "",
 signature: {
- 0: 0x38,
+ 0: 0x38, // 8BPS
 1: 0x42,
 2: 0x50,
 3: 0x53,
@@ -185,6 +185,28 @@ export const FILE_SIGNATURES = {
 },
 extractor: null
 },
+ {
+ name: "Photoshop Large Document",
+ extension: "psb",
+ mime: "application/x-photoshop",
+ description: "",
+ signature: {
+ 0: 0x38, // 8BPS
+ 1: 0x42,
+ 2: 0x50,
+ 3: 0x53,
+ 4: 0x0,
+ 5: 0x2,
+ 6: 0x0,
+ 7: 0x0,
+ 8: 0x0,
+ 9: 0x0,
+ 10: 0x0,
+ 11: 0x0,
+ 12: 0x0
+ },
+ extractor: null
+ },
 {
 name: "Paint Shop Pro image",
 extension: "psp",
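Review bot: The new `psb` signature gives no hint of what separates it from the `psd` entry that shares the `8BPS` magic: `5: 0x2` and the run of zero bytes after it are uncommented, and `description` is empty. In the Photoshop header bytes 4-5 are the version (2 for PSB) and bytes 6-11 are reserved zeros, so I would write `5: 0x2, // version 2 = PSB` and `6: 0x0, // bytes 6-11: reserved, must be zero`. The MIME type also changes family (`application/x-photoshop` here, `image/vnd.adobe.photoshop` in the PSD entry shown in the first hunk); please confirm that is intended, since consumers that filter on the `image/` prefix would treat the two differently.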
@@ -233,10 +255,114 @@ export const FILE_SIGNATURES = {
 5: 0x0,
 6: [0x10, 0x20, 0x30, 0x40, 0x80],
 7: [0x10, 0x20, 0x30, 0x40, 0x80],
- 9: 0x00,
+ 9: 0x0,
 10: [0x0, 0x1]
 },
 extractor: null
+ },
+ {
+ name: "Radiance High Dynamic Range image",
+ extension: "hdr",
+ mime: "image/vnd.radiance",
+ description: "",
+ signature: {
+ 0: 0x23, // #?RADIANCE
+ 1: 0x3f,
+ 2: 0x52,
+ 3: 0x41,
+ 4: 0x44,
+ 5: 0x49,
+ 6: 0x41,
+ 7: 0x4e,
+ 8: 0x43,
+ 9: 0x45,
+ 10: 0x0a
+ },
+ extractor: null
+ },
+ {
+ name: "Sony ARW image",
+ extension: "arw",
+ mime: "image/x-raw",
+ description: "",
+ signature: {
+ 0: 0x05,
+ 1: 0x0,
+ 2: 0x0,
+ 3: 0x0,
+ 4: 0x41,
+ 5: 0x57,
+ 6: 0x31,
+ 7: 0x2e
+ },
+ extractor: null
+ },
+ {
+ name: "Fujifilm Raw Image",
+ extension: "raf",
+ mime: "image/x-raw",
+ description: "",
+ signature: {
+ 0: 0x46, // FUJIFILMCCD-RAW
+ 1: 0x55,
+ 2: 0x4a,
+ 3: 0x49,
+ 4: 0x46,
+ 5: 0x49,
+ 6: 0x4c,
+ 7: 0x4d,
+ 8: 0x43,
+ 9: 0x43,
+ 10: 0x44,
+ 11: 0x2d,
+ 12: 0x52,
+ 13: 0x41,
+ 14: 0x57
+ },
+ extractor: null
+ },
+ {
+ name: "Minolta RAW image",
+ extension: "mrw",
+ mime: "image/x-raw",
+ description: "",
+ signature: {
+ 0: 0x0,
+ 1: 0x4d, // MRM
+ 2: 0x52,
+ 3: 0x4d
+ },
+ extractor: null
+ },
+ {
+ name: "Adobe Bridge Thumbnail Cache",
+ extension: "bct",
+ mime: "application/octet-stream",
+ description: "",
+ signature: {
+ 0: 0x6c,
+ 1: 0x6e,
+ 2: 0x62,
+ 3: 0x74,
+ 4: 0x02,
+ 5: 0x0,
+ 6: 0x0,
+ 7: 0x0
+ },
+ extractor: null
+ },
+ {
+ name: "Microsoft Document Imaging",
+ extension: "mdi",
+ mime: "image/vnd.ms-modi",
+ description: "",
+ signature: {
+ 0: 0x45,
+ 1: 0x50,
+ 2: 0x2a,
+ 3: 0x00
+ },
+ extractor: null
 }
 ],
 "Video": [
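Review bot: The `mrw` and `mdi` entries match on only four bytes (`00 4d 52 4d` and `45 50 2a 00`), which is weak evidence if this table is also applied at arbitrary offsets, as the ScanForEmbeddedFiles output with `type.offset` suggests. An analyst reading a hit has no way to tell a 4-byte match from a 15-byte one, and every new entry leaves `description` empty, so the caveat could go there, e.g. `description: "Short signature; treat matches inside larger data as low confidence."`. Separately, the hunk rewrites `9: 0x00` as `9: 0x0` but the added entries still use `0x05`, `0x0a`, `0x02` and `3: 0x00`; one literal form should be used throughout.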
@@ -534,6 +660,97 @@ export const FILE_SIGNATURES = {
 },
 extractor: null
 },
+ {
+ name: "Audacity",
+ extension: "au",
+ mime: "audio/x-au",
+ description: "",
+ signature: {
+ 0: 0x64, // dns.
+ 1: 0x6e,
+ 2: 0x73,
+ 3: 0x2e,
+
+ 24: 0x41, // AudacityBlockFile
+ 25: 0x75,
+ 26: 0x64,
+ 27: 0x61,
+ 28: 0x63,
+ 29: 0x69,
+ 30: 0x74,
+ 31: 0x79,
+ 32: 0x42,
+ 33: 0x6c,
+ 34: 0x6f,
+ 35: 0x63,
+ 36: 0x6b,
+ 37: 0x46,
+ 38: 0x69,
+ 39: 0x6c,
+ 40: 0x65
+ },
+ extractor: null
+ },
+ {
+ name: "Audacity Block",
+ extension: "auf",
+ mime: "application/octet-stream",
+ description: "",
+ signature: {
+ 0: 0x41, // AudacityBlockFile
+ 1: 0x75,
+ 2: 0x64,
+ 3: 0x61,
+ 4: 0x63,
+ 5: 0x69,
+ 6: 0x74,
+ 7: 0x79,
+ 8: 0x42,
+ 9: 0x6c,
+ 10: 0x6f,
+ 11: 0x63,
+ 12: 0x6b,
+ 13: 0x46,
+ 14: 0x69,
+ 15: 0x6c,
+ 16: 0x65
+ },
+ extractor: null
+ },
+ {
+ name: "Audio Interchange File",
+ extension: "aif",
+ mime: "audio/x-aiff",
+ description: "",
+ signature: {
+ 0: 0x46, // FORM
+ 1: 0x4f,
+ 2: 0x52,
+ 3: 0x4d,
+ 8: 0x41, // AIFF
+ 9: 0x49,
+ 10: 0x46,
+ 11: 0x46
+ },
+ extractor: null
+ },
+ {
+ name: "Audio Interchange File (compressed)",
+ extension: "aifc",
+ mime: "audio/x-aifc",
+ description: "",
+ signature: {
+ 0: 0x46, // FORM
+ 1: 0x4f,
+ 2: 0x52,
+ 3: 0x4d,
+ 8: 0x41, // AIFC
+ 9: 0x49,
+ 10: 0x46,
+ 11: 0x43
+ },
+ extractor: null
+ }
 ],
 "Documents": [
 {
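Review bot: The `// dns.` comment on the `au` entry reads like a typo for the standard `.snd` AU magic, and nothing explains why the bytes are reversed. If this is deliberate (Audacity writing the header in little-endian order, which is what I would assume), the comment should say so: `0: 0x64, // "dns." = ".snd" magic byte-swapped, as written by Audacity`. Because the entry also requires `AudacityBlockFile` at offset 24, an ordinary Sun/NeXT `.au` file is only detected if some entry outside this hunk covers it, so the `description` should state that this signature is specific to Audacity block files. The AIFF entries skip offsets 4-7 without comment; `// 4-7: FORM chunk size, not matched` next to `8: 0x41` would make that gap obviously intentional.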
@@ -898,6 +1115,110 @@ export const FILE_SIGNATURES = {
 },
 extractor: null
 },
+ {
+ name: "ARJ Archive",
+ extension: "arj",
+ mime: "application/x-arj-compressed",
+ description: "",
+ signature: {
+ 0: 0x60,
+ 1: 0xea,
+ 8: [0x0, 0x10, 0x14],
+ 9: 0x0,
+ 10: 0x2
+ },
+ extractor: null
+ },
+ {
+ name: "WinAce Archive",
+ extension: "ace",
+ mime: "application/x-ace-compressed",
+ description: "",
+ signature: {
+ 7: 0x2a, // **ACE**
+ 8: 0x2a,
+ 9: 0x41,
+ 10: 0x43,
+ 11: 0x45,
+ 12: 0x2a,
+ 13: 0x2a
+ },
+ extractor: null
+ },
+ {
+ name: "Macintosh BinHex Encoded File",
+ extension: "hqx",
+ mime: "application/mac-binhex",
+ description: "",
+ signature: {
+ 11: 0x6d, // must be converted with BinHex
+ 12: 0x75,
+ 13: 0x73,
+ 14: 0x74,
+ 15: 0x20,
+ 16: 0x62,
+ 17: 0x65,
+ 18: 0x20,
+ 19: 0x63,
+ 20: 0x6f,
+ 21: 0x6e,
+ 22: 0x76,
+ 23: 0x65,
+ 24: 0x72,
+ 25: 0x74,
+ 26: 0x65,
+ 27: 0x64,
+ 28: 0x20,
+ 29: 0x77,
+ 30: 0x69,
+ 31: 0x74,
+ 32: 0x68,
+ 33: 0x20,
+ 34: 0x42,
+ 35: 0x69,
+ 36: 0x6e,
+ 37: 0x48,
+ 38: 0x65,
+ 39: 0x78
+ },
+ extractor: null
+ },
+ {
+ name: "ALZip Archive",
+ extension: "alz",
+ mime: "application/octet-stream",
+ description: "",
+ signature: {
+ 0: 0x41, // ALZ
+ 1: 0x4c,
+ 2: 0x5a,
+ 3: 0x01,
+ 4: 0x0a,
+ 5: 0x0,
+ 6: 0x0,
+ 7: 0x0
+ },
+ extractor: null
+ },
+ {
+ name: "KGB Compressed Archive",
+ extension: "kgb",
+ mime: "application/x-kgb-compressed",
+ description: "",
+ signature: {
+ 0: 0x4b, // KGB_arch -
+ 1: 0x47,
+ 2: 0x42,
+ 3: 0x5f,
+ 4: 0x61,
+ 5: 0x72,
+ 6: 0x63,
+ 7: 0x68,
+ 8: 0x20,
+ 9: 0x2d
+ },
+ extractor: null
+ }
 ],
 "Miscellaneous": [
 {
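Review bot: The `ace` and `hqx` signatures start at offsets 7 and 11 and the `arj` one jumps from offset 1 to 8, but none of them says what the skipped bytes are, so a maintainer cannot tell a deliberate gap from a transcription slip. I would document them in place, e.g. `7: 0x2a, // **ACE** (offsets 0-6 are variable header fields, not matched)` and `11: 0x6d, // "must be converted with BinHex", preceded by "(This file "`. The `hqx` match is also pinned to a fixed offset, so a BinHex banner preceded by any other text would presumably go undetected; if that limitation is accepted it belongs in the empty `description`. These are archive and encoding containers that analysts triage for embedded payloads, so a missed or misleading match here is worth a line of explanation.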
@@ -1041,6 +1362,43 @@ export const FILE_SIGNATURES = { }, extractor: null }, + { + name: "BitTorrent link", + extension: "torrent", + mime: "application/x-bittorrent", + description: "", + signature: [ + { + 0: 0x64, // d8:announce##: + 1: 0x38, + 2: 0x3a, + 3: 0x61, + 4: 0x6e, + 5: 0x6e, + 6: 0x6f, + 7: 0x75, + 8: 0x6e, + 9: 0x63, + 10: 0x65, + 11: 0x23, + 12: 0x23, + 13: 0x3a + }, + { + 0: 0x64, // d4:infod + 1: 0x34, + 2: 0x3a, + 3: 0x69, + 4: 0x6e, + 5: 0x66, + 6: 0x6f, + 7: 0x64, + 8: [0x34, 0x35, 0x36], + 9: 0x3a + } + ], + extractor: null + } ] }; diff --git a/src/core/operations/DetectFileType.mjs b/src/core/operations/DetectFileType.mjs index 2321cee8..0e2102c9 100644 --- a/src/core/operations/DetectFileType.mjs +++ b/src/core/operations/DetectFileType.mjs @@ -21,7 +21,12 @@ class DetectFileType extends Operation { this.name = "Detect File Type"; this.module = "Default"; - this.description = "Attempts to guess the MIME (Multipurpose Internet Mail Extensions) type of the data based on 'magic bytes'.
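Review bot: In the first `torrent` signature, `11: 0x23` and `12: 0x23` match two literal `#` characters, but the `##` in the `d8:announce##:` comment stands for the decimal length of the announce URL, so a real file (constructed example: `d8:announce39:http...`) can never match this pattern. The table already supports value lists, as in `8: [0x34, 0x35, 0x36]` in the second signature, so use `11: [0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39],` for offsets 11 and 12, or end the signature at offset 10. `13: 0x3a` additionally assumes the length is exactly two digits, which will miss URLs shorter than 10 or longer than 99 bytes; dropping that offset avoids the assumption.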

Currently supports the following file types: 7z, amr, avi, bmp, bz2, class, cr2, crx, dex, dmg, doc, elf, eot, epub, exe, flac, flv, gif, gz, ico, iso, jpg, jxr, m4a, m4v, mid, mkv, mov, mp3, mp4, mpg, ogg, otf, pdf, png, ppt, ps, psd, rar, rtf, sqlite, swf, tar, tar.z, tif, ttf, utf8, vmdk, wav, webm, webp, wmv, woff, woff2, xls, xz, zip."; + this.description = "Attempts to guess the MIME (Multipurpose Internet Mail Extensions) type of the data based on 'magic bytes'.

Currently supports the following file types: " + + Object.keys(FILE_SIGNATURES).map(cat => + FILE_SIGNATURES[cat].map(sig => + sig.extension.split(",")[0] + ).join(", ") + ).join(", ") + "."; this.infoURL = "https://wikipedia.org/wiki/List_of_file_signatures"; this.inputType = "ArrayBuffer"; this.outputType = "string"; @@ -52,18 +57,19 @@ class DetectFileType extends Operation { if (!types.length) { return "Unknown file type. Have you tried checking the entropy of this data to determine whether it might be encrypted or compressed?"; } else { - let output = ""; - - types.forEach(type => { - output += "File extension: " + type.extension + "\n" + - "MIME type: " + type.mime + "\n"; + const results = types.map(type => { + let output = `File type: ${type.name} +Extension: ${type.extension} +MIME type: ${type.mime}\n`; if (type.description && type.description.length) { - output += "\nDescription: " + type.description + "\n"; + output += `Description: ${type.description}\n`; } + + return output; }); - return output; + return results.join("\n"); } } diff --git a/src/core/operations/ScanForEmbeddedFiles.mjs b/src/core/operations/ScanForEmbeddedFiles.mjs index ae88134f..4ae8a662 100644 --- a/src/core/operations/ScanForEmbeddedFiles.mjs +++ b/src/core/operations/ScanForEmbeddedFiles.mjs 
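Review bot: The generated extension list in `this.description` is not de-duplicated, so any extension that is the first extension of more than one `FILE_SIGNATURES` entry will be repeated in the operation's help text. Collecting the mapped values into a `Set` before the final `.join(", ")` fixes that without changing the order. The expression also calls `sig.extension.split(",")` on every entry while the operation is being constructed, so a single entry with a missing or non-string `extension` would throw there rather than at detection time; a comment such as `// every signature must define a string extension` on the table, or a guard here, would make the contract explicit. The import of `FILE_SIGNATURES` is outside the hunk, so I am assuming it already exists in this file.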
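Review bot: The multi-line template literal in the second hunk puts raw newlines inside the string, so the `Extension:` and `MIME type:` lines have to sit at column 0 inside nested code, and the same literal mixes real line breaks with a `\n` escape. Building each record from a list keeps the layout independent of source indentation: `const lines = [`File type: ${type.name}`, `Extension: ${type.extension}`, `MIME type: ${type.mime}`];`, push the description line when present, then `return lines.join("\n") + "\n";`. The ScanForEmbeddedFiles hunk uses the same pattern, and there the leading spaces inside the literal appear to be part of the printed output, so re-indenting that file would silently change what the operation emits. The label also changes from `File extension:` to `Extension:` in both operations, which will break any saved recipe or test that matches on the old text.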
@@ -55,12 +55,13 @@ class ScanForEmbeddedFiles extends Operation { if (types.length) { types.forEach(type => { numFound++; - output += "\nOffset " + type.offset + " (0x" + Utils.hex(type.offset) + "):\n" + - " File extension: " + type.fileDetails.extension + "\n" + - " MIME type: " + type.fileDetails.mime + "\n"; + output += `\nOffset ${type.offset} (0x${Utils.hex(type.offset)}): + File type: ${type.fileDetails.name} + Extension: ${type.fileDetails.extension} + MIME type: ${type.fileDetails.mime}\n`; if (type.fileDetails.description && type.fileDetails.description.length) { - output += " Description: " + type.fileDetails.description + "\n"; + output += ` Description: ${type.fileDetails.description}\n`; } }); } From 4f70a79638ac9275915d03d162b367553677cebf Mon Sep 17 00:00:00 2001 From: n1474335 Date: Thu, 4 Jul 2019 18:43:47 +0100 Subject: [PATCH 2/2] 8.38.1 --- package-lock.json | 2 +- package.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/package-lock.json b/package-lock.json index d0706d44..d574e308 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,6 +1,6 @@ { "name": "cyberchef", - "version": "8.38.0", + "version": "8.38.1", "lockfileVersion": 1, "requires": true, "dependencies": { diff --git a/package.json b/package.json index 911b13a6..b5ed15e6 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "cyberchef", - "version": "8.38.0", + "version": "8.38.1", "description": "The Cyber Swiss Army Knife for encryption, encoding, compression and data analysis.", "author": "n1474335 ", "homepage": "https://gchq.github.io/CyberChef",