Class: FilesHunter::Decoders::CFBF

Inherits:
BeginPatternDecoder show all
Defined in:
lib/fileshunter/Decoders/CFBF.rb

Constant Summary collapse

BEGIN_PATTERN_CFBF = 
"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".force_encoding(Encoding::ASCII_8BIT)
KNOWN_EXTENSIONS = 
{
  'MSWordDoc'.force_encoding(Encoding::ASCII_8BIT) => :doc,
  "P\x00o\x00w\x00e\x00r\x00P\x00o\x00i\x00n\x00t\x00".force_encoding(Encoding::ASCII_8BIT) => :pps,
  'Microsoft Excel'.force_encoding(Encoding::ASCII_8BIT) => :xls,
  "C\x00a\x00t\x00a\x00l\x00o\x00g\x00".force_encoding(Encoding::ASCII_8BIT) => :db,
  'Install,MSI,Framework'.force_encoding(Encoding::ASCII_8BIT) => :msi
}

Instance Method Summary collapse

Methods inherited from BeginPatternDecoder

#find_segments

Methods inherited from FilesHunter::Decoder

#segments_found, #setup

Instance Method Details

#decode(offset) ⇒ Object 



21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
 
# File 'lib/fileshunter/Decoders/CFBF.rb', line 21

def decode(offset)
  # Know if we are little or big-endian
  big_endian = (@data[offset+28..offset+29] == "\xFF\xFE")
  bindata32 = big_endian ? BinData::Uint32be : BinData::Uint32le
  bindata16 = big_endian ? BinData::Uint16be : BinData::Uint16le
  # Read sector size
  vector_size = 1 << bindata16.read(@data[offset+30..offset+31])

  # Count the number of sectors
  # Read the MSAT (first 109 entries)
  msat = @data[offset+76..offset+511]
  found_relevant_data(:doc) # Default
  first_sector_offset = offset + 512
  # Check if there are additional MSAT sectors
  next_msat_sector_id = bindata32.read(@data[offset+68..offset+71])
  while (next_msat_sector_id < 4294967292)
    # Read the MSAT
    msat.concat(@data[first_sector_offset+next_msat_sector_id*vector_size..first_sector_offset+(next_msat_sector_id+1)*vector_size-5])
    # The last sector ID is the next MSAT sector one
    next_msat_sector_id = bindata32.read(@data[first_sector_offset+(next_msat_sector_id+1)*vector_size-4..first_sector_offset+(next_msat_sector_id+1)*vector_size-1])
  end
  # Decode the MSAT and read each SAT sector
  sat_sector_ids = []
  log_debug "=== Size of MSAT: #{msat.size}"
  (msat.size / 4).times do |idx|
    sector_id = bindata32.read(msat[idx*4..idx*4+3])
    sat_sector_ids << sector_id if (sector_id < 4294967292)
  end
  # Read each SAT sector and get the maximum sector ID
  max_sector_id = -1
  sat_sector_ids.each do |container_sector_id|
    sector_offset = first_sector_offset + container_sector_id*vector_size
    (vector_size / 4).times do |idx|
      sector_id = bindata32.read(@data[sector_offset+idx*4..sector_offset+idx*4+3])
      if ((sector_id < 4294967292) and
          (sector_id > max_sector_id))
        max_sector_id = sector_id
      end
    end
  end
  # We got the number of sectors
  nbr_sectors = max_sector_id + 1
  log_debug "=== Number of sectors: #{nbr_sectors}"
  metadata(
    :msat_size => msat.size,
    :nbr_sectors => nbr_sectors
  )

  # Now find some info about the file extension
  found_extension = false
  nbr_sectors.times do |idx_sector|
    log_debug "=== Find extension @ sector #{idx_sector}"
    KNOWN_EXTENSIONS.each do |token, extension|
      if (@data[first_sector_offset+idx_sector*vector_size..first_sector_offset+(idx_sector+1)*vector_size-1].index(token) != nil)
        log_debug "=== Found extension #{extension}"
        found_relevant_data(extension)
        found_extension = true
        break
      end
    end
    break if found_extension
  end
  log_debug "@#{offset} - Unable to get extension from CFBF document." if (!found_extension)

  return first_sector_offset + nbr_sectors*vector_size
end

#get_begin_patternObject 



17
18
19
 
# File 'lib/fileshunter/Decoders/CFBF.rb', line 17

def get_begin_pattern
  return BEGIN_PATTERN_CFBF, { :offset_inc => 24 }
end